

R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

reply to eburger68

Re: IE-SPYAD: Preliminary Findings

I am forced to believe you are right!! In my opinion "explicit consent" and "opt-out" are completely incongruous and definitely not synonymous. And I believe I speak for the average citizen.

For Microsoft to use terminology such as "explicit consent" to mean "you have not explicitly told us you didn't want us publishing your information" is beyond horse-hockey and instead more related to excrement from another farm animal!

I have checked out several other sites (see your IM) and many sites do not yet have Compact Policies that W3C thinks are valid! That seems strange to me -- I think they were given plenty of notice.

I really like your post above and your analysis of this situation. It seems to cover the issues very well. The only things I might add are the information that by default "Trusted sites" ALLOWS all third-party cookies, and that an Import file is the only way around this. Also, it appears to me that even if you use an Import file you STILL can set the "per site" options on the Privacy tab. In that case, an IE-SpyAds list there might STILL be very useful. I will know more about this next week.

As for my Web site, I have a Web site and if you go to it, it says "Coming soon"! :) I was busy working on it when IE6 came out and I got a little side-tracked!
[text was edited by author 2001-09-02 16:36:08]


CNZ
Schnook's Kiwi
Premium
join:2001-07-07
Kakanui, NZ

reply to eburger68

Re: Suggested Settings

Thank you for that amazingly detailed explanation and great advice!

I have just followed your recommendations re setting up the Restricted Zone (using IE Spyad) and the Opt-in approach to the Internet Zone.

One question - when you say to block all cookies under the privacy tab, do you mean session cookies as well? I currently have first and third party cookies blocked but session cookies allowed. Should I uncheck that box?

One final question. If I allow a trusted site to use cookies by placing them in the Trusted Zone (or by leaving them in the Internet Zone with specific permission to use cookies - by putting them in Managed Sites) will third party cookies from that site be blocked? I am just trying to get my head around this and am wanting to make sure that I am *not* giving third party cookies access by allowing the original website cookie access.

Any enlightenment greatly appreciated!
--
CNZ

eburger68
Premium,MVM
join:2001-04-28

reply to R2

Re: IE-SPYAD: Preliminary Findings

R2:

You wrote:

said by R2:
The only things I might add are the information that by default "Trusted sites" ALLOWS all third-party cookies, and that an Import file is the only way around this. Also, it appears to me that even if you use an Import file you STILL can set the "per site" options on the Privacy tab. In that case, an IE-SpyAds list there might STILL be very useful. I will know more about this next week.
Ahh, but that's not the case, at least not according to the tests I ran. Check out that "Opt-In" column in the table on my web page. For the "Opt-In" trial I purposely added all the primary (first-party) sites (whatis.techtarget.com, www.news.com, www.lycos.com, www.dogpile.com, www.zdnet.com) to my Trusted zone (and I unloaded IE-SPYAD). Third-party cookies were still blocked! That's why I wrote: "Thus, it appears that one can use the Trusted zone selectively to allow specific servers to set their own cookies without having to accept all other third-party cookies loaded through that site."

The key here is that I also set the Privacy tab Advanced settings to "override automatic cookie handling" with blocks for both first-party and third-party cookies.

Given this ability to use the Trusted zone for specific sites without necessarily having to accept all third-party cookies, I don't see that one has to load an Import list of sites to the Web Sites box at all. As long as your Privacy tab settings are set restrictively, you should be fine, even with the primary (first-party) site that you happen to be visiting in the Trusted zone.

Eric L. Howes

eburger68
Premium,MVM
join:2001-04-28

reply to CNZ

Re: Suggested Settings

CNZ:

You asked:

said by CNZ:
One question - when you say to block all cookies under the privacy tab, do you mean session cookies as well? I currently have first and third party cookies blocked but session cookies allowed. Should I uncheck that box?
That's up to you. In the tests I ran, session cookies were blocked (the box was unchecked), but if you prefer to allow session cookies, I suppose you could without fear that they'd stick around to plague you beyond your current session.

said by CNZ:
One final question. If I allow a trusted site to use cookies by placing them in the Trusted Zone (or by leaving them in the Internet Zone with specific permission to use cookies - by putting them in Managed Sites) will third party cookies from that site be blocked? I am just trying to get my head around this and am wanting to make sure that I am *not* giving third party cookies access by allowing the original website cookie access.
According to the tests I ran, it is not necessarily the case that the Trusted zone will override all else when it comes to third-party cookies. See my response to R2 above. For the "Opt-In" I explicitly added the first-party site to my Trusted zone while keeping my Privacy tab Advanced settings restrictive. Result: the first-party cookies were accepted (no surprise), but the third-party cookies (even the ones from Doubleclick) were blocked.

Now, I didn't try using IE-SPYAD in conjunction with the Trusted zone. I suspect, however, that third-party cookies from sites in the Restricted zone would still be blocked, even with the primary, first-party site in the Trusted zone.

Keep in mind, though, that it's entirely possible that I've botched my analysis here, so keep an eye out for R2's response.

Eric L. Howes

LuckiSm0kez

join:2001-08-28
Mountain View, CA

Thanks very very much Eric and R2. I really appreciate all of the work you guys are doing on this topic. I'm beginning to feel optimistic that I might be able to configure IE6 in a way that I will be happy with.



Exidor
Premium
join:2001-05-04
Brampton, ON

reply to R2

Re: 3-letter token updates

said by R2:
So, what is IND? I have no idea and I cannot find it on the W3C site.
Referencing compact policies

quote:
compact-retention =

"NOR" no-retention
"STP" stated-purpose
"LEG" legal-requirement
"BUS" business-practices
"IND" indefinitely
[text was edited by author 2001-09-02 19:38:06]


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

oem2- Thank you! DUH! How could I miss that?? (Where's the 'embarrassed' Smilie?) I even ran "Search" on the W3C pages and kept coming up with no clear answer. I think that is called "missing the tree because you are too far in the forest" -- or something. ;)

___________________________________________

CNZ- Because they are not retained, session cookies are generally thought to be safe and I believe the general consensus is that they are 'OK' to use. Besides, some sites require them to be functional. However, as Eric says, it's your decision.

Personally, I would like to allow only 'first-party' session cookies (more on that later), but you will note that choice was REMOVED from us in the Advanced box (the choice DID exist in the "Security Privacy beta" of IE5.5). That seems silly to me since it would have taken minimal effort to make it a separate choice for both first- and third-party cookies in IE6.
___________________________________________

Eric- Let me first clear something up -- I think I was also WRONG on my interpretation of "first-party" -- and I think yours was correct (more on that in my next post).

Please allow me to give you some feedback on your IE6/P3P trial page. I am not entirely sure I can explain all of your results, but I think you need a fourth trial -- and maybe more. First, I do not see why the www.news.com cookie was EVER set if it has NO Compact Policy! Was this a typo? -- I hope so, otherwise I am very confused.

Second, I think you have rather convincingly shown that IE-SPYADS is capable of blocking the most egregious third-party sites. Bravo! This is EXCELLENT and EXTREMELY IMPORTANT news. Even if the user has chosen to block all cookies in the Internet zone, he/she could still need this to block nasty third-party cookies in the Trusted sites.

Given IE6's inherent ability to allow third-party cookies, IE-SPYADS appears to be an essential constituent of every computer running IE6! Using IE6 without IE-SPYADS is like driving a car without a seat-belt. Even if you are using another method to block cookies, IE-SPYADS would serve as excellent second line of defense.

Speaking of other methods, another trial you could run would be using the Default settings with Martin's Host file. I think both you and I know the results would be similar to using IE-SPYADS, but it would be nice to prove it. Since the Hosts file is "subdomain specific" and the Restricted sites is NOT, there will ALWAYS be a role for IE-SPYADS.

It might help to clarify how the "Opt-in" trial really worked. Why did it block those third-party cookies? And how did you know it? Did that "Eye-con" appear on the status bar and inform you that cookies were blocked? [again, sorry I cannot yet test this myself...]

My point is this: are the third-party cookies blocked by the Internet zone's restrictive settings or by setting the Privacy tab to block all cookies? You changed two variables in that trial -- which one was responsible for blocking these cookies? For example, at whatis.techtarget.com the doubleclick cookie could be blocked because ad.doubleclik.net is in the Internet zone and you have blocked cookies in this zone. Alternatively, since that cookie is set by loading the doubleclick ad with javascript, that cookie could have been blocked because you have Active Scripting set to "Disable".

I would recommend running the test again doing each of these things separately. I think I know the answer, but when it comes to IE6 I cannot be sure!

Two more quick things: 1) Typo: "if only to control the use of Active, Java, and scripting" -- ActiveX.

2) "As these default settings offer little protection from cookies, users who do not customize IE6's Security Zone and Privacy tab settings will see little change in the level of privacy surrounding their web surfing".

I think even at baseline the change in Privacy is for the worse. The way I read it, the Default settings cause all NEW cookies to be "un-leashed". Since Microsoft defines "leashed" as "can only be accessed in a first-party context", I must assume all "un-leashed" cookies can now be accessed by any third-party! So any third-party site can access any other site's cookie -- unless it is leashed. Am I reading too much into this??


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

reply to Lex Luthor

Re: IE6 and Cookies

As I stated, I believe I was wrong in my above post about what makes up "first-party" and "third-party". But because of this there is an interesting discrepancy.

Microsoft's pop-up definition of first-party is "Top-level URL of a Webpage", and the definition of third-party is "URL that is not the top-level URL on a Web page".

They also define them here:
Internet Explorer 6 defines first-party content as that associated with the host domain. Third-party content originates from any other domain.
They add a note which spells this out further:
The URLs, www.wideworldimporters.com and toys.wideworldimporters.com, both contain the same minimal domain, wideworldimporters.com. Content that shares the same minimal domain as the host domain is considered first-party content. Likewise, cookies set from these domains are considered first-party cookies. Minimal domains must have the same top-level domain (TLD). Some common examples of TLDs are .com, .net, and .org.
OK, so this pretty clearly shows that my interpretation was just plain WRONG!

But now there is one big problem. Read this part:
Different P3P policies can be specified for different aspects of a Web service. For example, a Web site can have different policies for its home page and its search page.
Now, am I interpreting this correctly? To me, this says that home.ripyouoff.com can have a different Compact Policy than search.ripyouoff.com. Is that how I should interpret this?

OK, so what if bogusgoodcompactpolicy.ripyouoff.com is the Home page and it has a very good sounding Compact Policy. But on that page is a link to an image from stealyourprivacy.ripyouoff.com, and this image link has a SET COOKIE command in it. Since you went to the Home page first and since it had an "acceptable" Compact Policy, you will now get a cookie from stealyourprivacy.ripyouoff.com -- because you have accepted first-party cookies -- and since this is the same top-level domain, this is "first-party".

Oh, by-the-way this second page has a different Compact Policy than the first page. It says it collects all the information it can about you and sells it to every Telemarketer in the world, plus it posts your information on every porn site imaginable.

Am I seeing this correctly, or am I lost in the forest again?? This seems ludicrous.
[text was edited by author 2001-09-03 11:04:08]

eburger68
Premium,MVM
join:2001-04-28

reply to R2

Re: 3-letter token updates

said by R2:

Eric- Let me first clear something up -- I think I was also WRONG on my interpretation of "first-party" -- and I think yours was correct (more on that in my next post).

That's funny -- I was just getting ready to post and tell you that I was beginning to think YOU were right on the first/third-party definition question.

One of MS's pages has a section on "first and third-party context" ( »msdn.microsoft.com/library/defau···ture.asp ). There they give the following gloss on the question:

"The URLs, www.wideworldimporters.com and toys.wideworldimporters.com, both contain the same minimal domain, wideworldimporters.com. Content that shares the same minimal domain as the host domain is considered first-party content. Likewise, cookies set from these domains are considered first-party cookies. Minimal domains must have the same top-level domain (TLD). Some common examples of TLDs are .com, .net, and .org."

So, it appears that IE6 does sort first-party from third-party based on domain.

said by R2:
Please allow me to give you some feedback on your IE6/P3P trial page. I am not entirely sure I can explain all of your results, but I think you need a fourth trial -- and maybe more.
I'm already planning to do more, and some with a new set of web sites.

said by R2:
First, I do not see why the www.news.com cookie was EVER set if it has NO Compact Policy! Was this a typo? -- I hope so, otherwise I am very confused.
Nope, that's no typo. I just checked www.news.com again: IE6 reports that it can't find any privacy info and that I should contact the web site directly (or something to that effect).

The same MS document as I quoted above specifies that with the Medium Privacy tab setting, first-party cookies without a compact policy will be accepted, but leashed. Thus, it's no surprise that IE6 should have cookies from news.com in my first two trials. As for the third (the Opt-In trial), I had explicitly placed www.news.com in the Trusted zone, so IE6 should have accepted the cookie from that domain.

said by R2:
Second, I think you have rather convincingly shown that IE-SPYADS is capable of blocking the most egregious third-party sites. Bravo! This is EXCELLENT and EXTREMELY IMPORTANT news. Even if the user has chosen to block all cookies in the Internet zone, he/she could still need this to block nasty third-party cookies in the Trusted sites.
It is excellent news. I was thinking about what you had initially said about the Trusted zone's forcing one to accept third-party cookies and realized that such a policy, if true, would effectively render the Trusted zone useless for most people. It didn't sound right, and I'm glad to know it isn't.

said by R2:
Given IE6's inherent ability to allow third-party cookies, IE-SPYADS appears to be an essential constituent of every computer running IE6! Using IE6 without IE-SPYADS is like driving a car without a seat-belt. Even if you are using another method to block cookies, IE-SPYADS would serve as excellent second line of defense.
IE-SPYAD is ONE potential solution (thanks for the plug!), but it isn't the only one. I think the "Opt-In" method is another perfectly workable solution, though IE-SPYADS could be used (as you say) as a backup method.

One issue I haven't heard much about yet: how well do the most popular third-party filtering programs work with IE6? Perhaps a topic for another thread.

said by R2:
Speaking of other methods, another trial you could run would be using the Default settings with Martin's Host file. I think both you and I know the results would be similar to using IE-SPYADS, but it would be nice to prove it. Since the Hosts file is "subdomain specific" and the Restricted sites is NOT, there will ALWAYS be a role for IE-SPYADS.
That's one potential trial, but it wouldn't be high on my list simply because the HOSTS file works at the networking level, so its performance is fairly predictable. It would be nice to run a trial, though, just to demonstrate as much, as you say.

said by R2:
It might help to clarify how the "Opt-in" trial really worked. Why did it block those third-party cookies? And how did you know it? Did that "Eye-con" appear on the status bar and inform you that cookies were blocked? [again, sorry I cannot yet test this myself...]
The "Opt-In" trial is the simplest to interpret from where I'm sitting. Given that I had chosen to "override automatic cookie handling" with the Automatic settings of the Privacy tab and block all first-party and third-party cookies without exception, the only cookies that could have been allowed through were from sites added to the Trusted zone. And that's exactly what I saw.

These results are entirely consistent with the previous "IE-SPYADS" trial in that these trials tell us that both the Restricted and Trusted zones take precedence over the Privacy tab settings: put a site in the Trusted zone and its cookies will be allowed; put a site in the Restricted zone and its cookies will be blocked -- no matter what the Privacy tab settings allow or block.

said by R2:
My point is this: are the third-party cookies blocked by the Internet zone's restrictive settings or by setting the Privacy tab to block all cookies? You changed two variables in that trial -- which one was responsible for blocking these cookies? For example, at whatis.techtarget.com the doubleclick cookie could be blocked because ad.doubleclik.net is in the Internet zone and you have blocked cookies in this zone. Alternatively, since that cookie is set by loading the doubleclick ad with javascript, that cookie could have been blocked because you have Active Scripting set to "Disable".
Ahhhh! That's an angle I hadn't considered. It is, as you point out, entirely possible that some cookies were blocked because JavaScript was disabled, but I suspect that if such were the case, the cookies would never even show up or "register" with IE6. That is, they wouldn't be blocked or allowed -- the cookies would simply never be requested. Now, I did see examples of that -- the "Opt-In" column records those as "--", meaning that there was no cookie from that site/domain on that trial. I was wondering why that was the case, and your JavaScript explanation helps to answer that question.

said by R2:
I would recommend running the test again doing each of these things separately. I think I know the answer, but when it comes to IE6 I cannot be sure!
I agree. It might not be until much later today, though.

said by R2:
Two more quick things: 1) Typo: "if only to control the use of Active, Java, and scripting" -- ActiveX.
Thanks. Taken care of.

said by R2:
2) "As these default settings offer little protection from cookies, users who do not customize IE6's Security Zone and Privacy tab settings will see little change in the level of privacy surrounding their web surfing".

I think even at baseline the change in Privacy is for the worse. The way I read it, the Default settings cause all NEW cookies to be "un-leashed". Since Microsoft defines "leashed" as "can only be accessed in a first-party context", I must assume all "un-leashed" cookies can now be accessed by any third-party! So any third-party site can access any other site's cookie -- unless it is leashed. Am I reading too much into this??
Wow. That's a reading of MS's documents that I hadn't considered. If true, that would be a monumental change in the handling of cookies. It would, in effect, break the "golden rule" of cookies, which is that a site can only read its own cookies. Such a change would be a serious cause for alarm, and I would expect privacy advocates everywhere to be up in arms.

Here's my interpretation of the same question: I think what MS means by "leashed" is that a site can only read/use its OWN cookies in a first-party context. In other words, if a site sets a cookie on a user, it can only read/use that cookie when the user is visiting that particular site as a first-party site, not another site when that initial site might be a third-party.

By "unleashed" I take MS to mean that a site can read/use its OWN cookies in a first-party or third-party context. That is, a site can read/use its own cookies whether the user is visiting that site directly or whether the user is visiting another site which happens to use that first site (say) for advertising purposes.

Example: let's say that IE6 decided that doubleclick.net cookies would be leashed (it doesn't, but let's just imagine this minor utopia for purposes of this example). Now, if I visit www.doubleclick.net (making it a first-party), doubleclick.net could read/use its cookie. If I visit whatis.techtarget.com, which uses Doubleclick as an advertiser (making it a third-party), doubleclick.net would not be able to read/use its own cookie.

That's the way I see it, anyway.

As far as whether IE6 "straight-out-of-the-box" represents an improvement in users' privacy: in some respects IE6 does offer a very marginal improvement inasmuch as it will block SOME third-party cookies which previous versions of IE didn't. The net effect of IE6's complicated cookie handling scheme, however, is to make things even more confusing for the typical home user, which is why I wrote:

"IE6 arguably represents a step backwards in the struggle to offer internet users a reliable means of ensuring their online privacy."

Thanks for all your input and helpful commentary. If/when you manage to get an IE6 page running on your site, please let me know as I look forward to being able to link to it from mine.

Eric L. Howes

eburger68
Premium,MVM
join:2001-04-28

reply to R2

Re: IE6 and Cookies

R2:

OK, we both found the same passage from one of MS's documents (nice coincidence, that), so I take it the first-party vs. third-party question is settled.

The next issue you raise is nettlesome:

said by R2:
But now there is one big problem. Read this part:
Different P3P policies can be specified for different aspects of a Web service. For example, a Web site can have different policies for its home page and its search page.
Now, am I interpreting this correctly? To me, this says that home.ripyouoff.com can have a different Compact Policy than search.ripyouoff.com. Is that how I should interpret this?
I think you're entirely right in your interpretation of this. In fact, I seem to recall reading that this has been an issue on some sites even before IE6 and P3P entered the game. It's a bit of a bait-and-switch tactic, and sites haven't always been the most upfront about alerting users to shifting privacy terms.

IE6 does, in theory, give the user an advantage in this situation, though, that s/he didn't have before: namely, if the user is in the habit of using the Privacy Report menu option, s/he just might catch on to these shenanigans. Without IE6, one has to be very good about reading fine print and paying attention to slippery wording in human-readable privacy policies.

said by R2:
OK, so what if bogusgoodcompactpolicy.ripyouoff.com is the Home page and it has a very good sounding Compact Policy. But on that page is a link to an image from stealyourprivacy.ripyouoff.com, and this image link has a SET COOKIE command in it. Since you went to the Home page first and since it had an "acceptable" Compact Policy, you will now get a cookie from stealyourprivacy.ripyouoff.com -- because you have accepted first-party cookies -- and since this is the same top-level domain, this is "first-party".

Oh, by-the-way this second page has a different Compact Policy than the first page. It says it collects all the information it can about you and sells it to every Telemarketer in the world, plus it posts your information on every porn site imaginable.

Am I seeing this correctly, or am I lost in the forest again?? This seems ludicrous.
[text was edited by author 2001-09-03 11:04:08]

Hmmm. I tend to think that IE6 would recognize the difference in compact policies and cookie requests, even though the two sub-sites of that one larger domain are related. If the second site had a compact policy which didn't satisfy IE6's criteria for accepting first-party cookies, it wouldn't be accepted as is. In other words, just because you enter a domain through one site doesn't give the entire domain carte blanche to do a switcheroo on IE6 and slip through cookies and compact policies from secondary sites in the same domain based on the compact policy and cookie policy of the initial site you used.

Again, this is one that would have to be tested. Finding a web site which did this sort of thing would be a time-consuming task, though.

Best,

Eric L. Howes
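
An added example, not part of any post in this thread: the first-party/third-party rule from the Microsoft passage quoted above, applied to R2's hypothetical ripyouoff.com hosts, with a check that flags first-party hosts whose compact policy declares a different retention than the top-level page. The function names are hypothetical, the compact policy strings and ads.example.net are constructed sample data, and "minimal domain" is assumed to be the last two labels as in the quoted example; the code makes no claim about how IE6 itself evaluates these policies.

```javascript
// Added illustration. Function names are hypothetical; this models only the
// rules quoted in the thread, not IE6's actual implementation.

// "Minimal domain" per the quoted Microsoft note: the last two labels
// (www.wideworldimporters.com -> wideworldimporters.com).
// Assumption: simple TLDs such as .com/.net/.org only.
function minimalDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  return labels.length <= 2 ? labels.join(".") : labels.slice(-2).join(".");
}

// First-party: content shares the minimal domain of the top-level URL's host.
function partyContext(topLevelHost, contentHost) {
  return minimalDomain(topLevelHost) === minimalDomain(contentHost)
    ? "first-party"
    : "third-party";
}

// Retention tokens from the W3C compact-retention list quoted in the thread.
const RETENTION = {
  NOR: "no-retention",
  STP: "stated-purpose",
  LEG: "legal-requirement",
  BUS: "business-practices",
  IND: "indefinitely",
};

// Extract the CP="..." token list from a P3P header value and return the
// retention tokens it declares. A missing header or CP yields an empty list.
function retentionTokens(p3pHeader) {
  if (!p3pHeader) return [];
  const m = /CP\s*=\s*"([^"]*)"/i.exec(p3pHeader);
  if (!m) return [];
  return m[1]
    .split(/\s+/)
    .filter((t) => Object.prototype.hasOwnProperty.call(RETENTION, t));
}

// For one page load, list the hosts that count as first-party but declare a
// retention different from the top-level page's compact policy.
function firstPartyPolicyDivergence(topLevelHost, responses) {
  const top = responses.find((r) => r.host === topLevelHost);
  const topRetention = retentionTokens(top && top.p3p).join(" ");
  return responses
    .filter((r) => r.host !== topLevelHost)
    .filter((r) => partyContext(topLevelHost, r.host) === "first-party")
    .map((r) => ({ host: r.host, retention: retentionTokens(r.p3p).join(" ") }))
    .filter((r) => r.retention !== topRetention)
    .map((r) => ({ ...r, topLevelRetention: topRetention }));
}

// Constructed sample: R2's two hypothetical hosts plus a made-up ad server.
const SAMPLE = [
  { host: "bogusgoodcompactpolicy.ripyouoff.com", p3p: 'CP="NOI DSP NOR"' },
  { host: "stealyourprivacy.ripyouoff.com", p3p: 'CP="UNR PUB IND"' },
  { host: "ads.example.net", p3p: 'CP="NOI DSP IND"' },
];

const divergent = firstPartyPolicyDivergence(
  "bogusgoodcompactpolicy.ripyouoff.com",
  SAMPLE
);
for (const d of divergent) {
  console.log(
    `${d.host}: first-party, retention ${d.retention} ` +
      `(top-level page declares ${d.topLevelRetention})`
  );
}
```

The ad server is skipped because it is third-party under the domain rule; only the sibling subdomain is reported, which is the case R2 describes.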


Lex Luthor
Premium,Mod
join:2000-09-17
Hicksville, NY
kudos:3

reply to eburger68

Re: 3-letter token updates

said by eburger68:

Opt-In
------

Yet another way to protect one's privacy from online marketers in IE6 is to enforce an "opt-in" policy by setting IE6's Internet zone and Privacy tab options very restrictively. Once the Internet zone options were set to "block" or "prompt" and the Privacy tab's "automatic cookie handling" was overridden with "block" settings for both first-party and third-party cookies, cookies from online advertisers and marketers were uniformly blocked, even though the primary site being visited had been added to the Trusted zone. Thus, it appears that one can use the Trusted zone selectively to allow specific servers to set their own cookies without having to accept all other third-party cookies loaded through that site.
Eric L. Howes
I can't believe I started this all!

In my opinion, this is clearly the easiest/best way to go. I'm curious why this doesn't work for some of you. I allow NO cookies in my privacy tab. Nothing gets through except for 1st party cookies for sites I allow in my trusted zone.

In addition, I do allow session cookies and that lets me use shopping carts at most commerce sites without having to add that site to my trusted zone. I figure that in one session, there isn't too much bad tracking info someone can get from me. Most of the trackers don't bother using session cookies.

I have about 10 sites in my trusted zone and everything else works great. Little maintenance, easy to learn, don't see the drawbacks of this method.

eburger68
Premium,MVM
join:2001-04-28

said by Lex Luthor:
I can't believe I started this all!

In my opinion, this is clearly the easiest/best way to go. I'm curious why this doesn't work for some of you. I allow NO cookies in my privacy tab. Nothing gets through except for 1st party cookies for sites I allow in my trusted zone.

In addition, I do allow session cookies and that lets me use shopping carts at most commerce sites without having to add that site to my trusted zone. I figure that in one session, there isn't too much bad tracking info someone can get from me. Most of the trackers don't bother using session cookies.

I have about 10 sites in my trusted zone and everything else works great. Little maintenance, easy to learn, don't see the drawbacks of this method.
I think you're right that the "Opt-In" method is one of the easiest ways to go. For beginning users it is arguably the simplest, as long as they understand the concept of the Trusted zone.

Anyone who attempted to use these new Privacy tab settings as Microsoft apparently intends them to be used would need to consider shelling out some serious money to hire an outside consultant on a full time basis just to manage the Security zones and Privacy tab in his/her browser.

Best,

Eric L. Howes


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

reply to Lex Luthor

Re: IE6 and Cookies

Lex, I am glad this got started. Thanks:)

I must agree with the OptOut method. That seems to be the most logical. I wish I knew the "un-leashed" definition more clearly. It just sounded weird...

As to the bait-and-switch CP's -- well, what is the point of accepting "first-party" cookies from the whole domain if IE6 has to check the CP of each page? That seems strange also. If they say they will accept ALL first-party cookies, I do not think we are not guaranteed it will look at all pages' CP. I certainly HOPE it does... Although with the Opt-Out method, it is a moot point.
[text was edited by author 2001-09-03 17:46:28]


Lex Luthor
Premium,Mod
join:2000-09-17
Hicksville, NY
kudos:3

reply to Lex Luthor

Re: 3-letter token updates

said by Lex Luthor:
In addition, I do allow session cookies and that lets me use shopping carts at most commerce sites without having to add that site to my trusted zone. I figure that in one session, there isn't too much bad tracking info someone can get from me. Most of the trackers don't bother using session cookies.

can this cause me security problems?


sgtfrank

join:2000-09-04
Aurora, IL

reply to Lex Luthor

Re: IE6 and Cookies

I have been following this thread since Lex 1st posted it. I do not wish to ask this question on wrong forum but, would any of this possibly be the reason I can no longer get any downloads thru IE? It started with upgrade to 5.5SP2, thought download to IE6.0 (beta) would fix it but no. Page with download usually opens looking like Java not working with partial icon in upper left corner. I put 5.5sp2 on 3 machines I have and all do same thing. Even D/L's from MSFT's own pages are rejected, for lack of a better word. Thanx for any comment and again I apologize if this is wrong spot.
--
"Ol Sgt. Frank (ret).......

eburger68
Premium,MVM
join:2001-04-28

reply to R2
R2:

Still haven't gotten around to running any more tests.

said by R2:
As to the bait-and-switch CP's -- well, what is the point of accepting "first-party" cookies from the whole domain if IE6 has to check the CP of each page? That seems strange also. If they say they will accept ALL first-party cookies, I do not think we are not guaranteed it will look at all pages' CP. I certainly HOPE it does... Although with the Opt-Out method, it is a moot point.
I do not think IE6 would have to look at an entire domain's range of compact policies, because, as your illustration above (discrepancy.jpg) makes clear, compact policies and cookies are tied to the specific subdomain.domain.com, not the entire domain.com. First-party vs. third-party, which is based on only the domain.com, is merely a means of classifying sites/cookies.

That's certainly what I saw (or think I saw) when I did those trials with IE6. In particular, look at what happened when I went to www.zdnet.com: separate cookies for several different subdomains of zdnet.com.

Of course, all of this assumes that the site is being honest and forthright in the compact policies that it presents to IE6. As you've pointed out several times now, a site could report anything it wants in its compact policy or compact policies (should it have different ones for various subdomains) without any immediate fear that the user could discover things were otherwise.

Yet another reason to skip the P3P dance altogether and go the Opt-In route to enforce one's own privacy policy.

Eric L. Howes
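The distinction drawn in the post above (first-party vs. third-party is decided on domain.com, while compact policies attach to each subdomain) as an added example that is not part of the original post and is not IE6's own evaluation logic. The host names and header values are constructed, and treating the last two labels of a host name as domain.com is a simplifying assumption.

```javascript
// Added example: constructed data, not IE6's real evaluation logic.

// Assumption: domain.com is the last two labels of the host name.
// That holds for names like zdnet.com but not for suffixes such as co.uk.
function baseDomain(host) {
  return host.toLowerCase().split('.').filter(Boolean).slice(-2).join('.');
}

// First-party vs. third-party is decided on domain.com only.
function partyContext(pageHost, cookieHost) {
  return baseDomain(pageHost) === baseDomain(cookieHost) ? 'first-party' : 'third-party';
}

// Extract the tokens from a P3P header value such as: CP="NOI DSP COR"
// The tokens are whatever the site declares; nothing here verifies them.
function parseCompactPolicy(headerValue) {
  const m = /CP\s*=\s*"([^"]*)"/i.exec(headerValue || '');
  return m ? m[1].trim().split(/\s+/).filter(Boolean) : [];
}

// Group hosts by domain.com and report domains whose hosts present
// different compact policies (including hosts that present none).
function policyDiscrepancies(pageHost, responses) {
  const byDomain = new Map();
  for (const r of responses) {
    const key = baseDomain(r.host);
    const policy = parseCompactPolicy(r.p3p).sort().join(' ');
    if (!byDomain.has(key)) byDomain.set(key, []);
    byDomain.get(key).push({ host: r.host, context: partyContext(pageHost, r.host), policy });
  }
  const out = [];
  for (const [domain, hosts] of byDomain) {
    if (new Set(hosts.map(h => h.policy)).size > 1) out.push({ domain, hosts });
  }
  return out;
}

// Constructed responses seen while loading one page (hypothetical hosts).
const SAMPLE = [
  { host: 'www.example.com',  p3p: 'CP="NOI DSP COR"' },
  { host: 'shop.example.com', p3p: 'CP="CAO PSA OUR"' },
  { host: 'img.example.com',  p3p: null },
  { host: 'ads.example.net',  p3p: 'CP="NOI DSP COR"' },
];

console.log(JSON.stringify(policyDiscrepancies('www.example.com', SAMPLE), null, 2));
```

All three example.com hosts count as first-party for the page, yet each presents a different declared policy (or none), which is why the per-host view matters more than the first-party label.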

eburger68
Premium,MVM
join:2001-04-28

reply to Lex Luthor

Re: 3-letter token updates

said by Lex Luthor:
Can this cause me security problems?
No serious problems so far as I can see, as long as we're talking about session cookies. I suppose a site could go on a data-mining expedition, compare the credit card # and name you used with one cookie, and then make a connection with a cookie used on another occasion. They would be able to do this, however, based on the consistent credit card and name you supplied, not on any of the session cookies used.

Perhaps someone more knowledgeable in the ways of ecommerce could step in here.

Eric L. Howes

eburger68
Premium,MVM
join:2001-04-28

reply to sgtfrank

Re: IE6 and Cookies

SgtFrank:

said by sgtfrank:
I have been following this thread since Lex 1st posted it. I do not wish to ask this question on wrong forum but, would any of this possibly be the reason I can no longer get any downloads thru IE? It started with upgrade to 5.5SP2, thought download to IE6.0 (beta) would fix it but no. Page with download usually opens looking like Java not working with partial icon in upper left corner. I put 5.5sp2 on 3 machines I have and all do same thing. Even D/L's from MSFT's own pages are rejected, for lack of a better word. Thanx for any comment and again I apologize if this is wrong spot.

I've performed several downloads through IE6 at this point (with various different mixes of security and privacy settings) and not had a problem.

First thing to check would be the "File download" option for your security zones. Make sure it's set to "Enable" for the zone you happen to be in when you attempt a download. (Tools >> Internet Options >> Security >> Custom Level...)

It would also help if we could get a better description of what is happening when your attempted downloads are "rejected." What error messages are you getting?

Best,

Eric L. Howes


sgtfrank

join:2000-09-04
Aurora, IL
Reviews:
·Comcast

Eric,
The only option where 'download' was not checked was under restricted sites where almost everything is disabled. I tried that anyway but no change. What I get is not an error msg. but what appears to be actual page to download from but it is blank except for an icon that looks like Java is not working. Java works everywhere else. I tried to copy page to show here but it did not copy. This is same on all 3 of my computers. 5.5SP2 and 6.0 ver. of IE. Old 5.5 was fine. I have a beta ver. of IE 6.0 I got from AOL to beta test but I had problem before that. Unless latest 6.0GM ver. would make a difference, but I doubt it. Thanx for your attempt to help.
--
"Ol Sgt. Frank (ret).......



R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

sgtfrank- IE6 downloads work fine for me also. I am not sure what is causing that problem.

I think people initially thought IE6 was having problems downloading image files correctly (only the placeholder was seen), but in the end I think it ended up being a problem with IE6 interacting with Norton Internet Security. The solution was to lower the security settings in NIS.

I believe the IE6 implementation of P3P is limited ONLY to cookie control through the "Compact Policy". In the future the "Full Policy" supposedly will be able to control more than just cookies. So at the present time, I do not think IE6 should be interfering with download specifically because of P3P.

_____________________________________________

Eric- I believe my interpretation of "un-leashing" is overly paranoid. The key word is 'context'. So with IE6, new cookies are unleashed -- meaning that they can NOW be accessed in the third-party context as well as the usual first-party context. Is there any benefit to us, the consumers, for this to occur? I am not sure there is. Using an Import file can force all new cookies to be leashed, and PERHAPS this is useful...

After what I have learned, I just seem to think IE6 is GUILTY until proven innocent!

Thanks for accompanying me on this long, strange trip!
over 12.5 years online © 1999-2012 dslreports.com.