Comments on: The Phorm “Webwise” System http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/ Security Research, Computer Laboratory, University of Cambridge Fri, 16 May 2008 12:42:27 +0000 http://wordpress.org/?v=2.5.1 By: Ciara http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29155 Ciara Wed, 14 May 2008 17:37:54 +0000 http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29155 Has anyone even looked at how this is going to affect businesses? I know that where I work, such a deep intrusion into what business we do with other companies and what is sent between us would NOT be welcomed. Matter of fact, considering much of it is proprietary, it may even be grounds for a lawsuit if they're attempting deep analysis of data packets. Has anyone even looked at how this is going to affect businesses? I know that where I work, such a deep intrusion into what business we do with other companies and what is sent between us would NOT be welcomed. Matter of fact, considering much of it is proprietary, it may even be grounds for a lawsuit if they’re attempting deep analysis of data packets.

]]> By: BT Customer (not much longer) http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29093 BT Customer (not much longer) Mon, 28 Apr 2008 11:26:20 +0000 http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29093 Forgive me if I'm wrong, but with regard to using HTTPS. If the Customer uses HTTPS did not part of your summary describe that the Phorm System cannot remove the UID from an HTTPS transaction. This leaves the door open for any HTTPS Website (rogue or otherwise) to match the UID to a Real IP address or E-mail account, with or without the help of Javascript. The use of Javascript could also lead in some cases to the Computer Users Account name being discovered! How can this be called an advancement in Privacy as the ISP's are trying to claim. Forgive me if I’m wrong, but with regard to using HTTPS.
If the Customer uses HTTPS did not part of your summary describe that the Phorm System cannot remove the UID from an HTTPS transaction.

This leaves the door open for any HTTPS Website (rogue or otherwise) to match the UID to a Real IP address or E-mail account, with or without the help of Javascript.

The use of Javascript could also lead in some cases to the Computer Users Account name being discovered!

How can this be called an advancement in Privacy as the ISP’s are trying to claim.

]]> By: Chris Lawrence http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29086 Chris Lawrence Sun, 27 Apr 2008 17:03:32 +0000 http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29086 Thankyou for your work looking at Phorm, it is really appreciated. Thankyou for your work looking at Phorm, it is really appreciated.

]]> By: Andy http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29065 Andy Fri, 25 Apr 2008 15:32:54 +0000 http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29065 If Phorm adds an extra cookie without the web site owners or customers knowledge and that causes a problem (there are maximum numbers of cookies in all browsers except safari) who would be held accountable. Here's a silly example (because you'd be mad to implement something this way; you should be using HTTPS; and I have wildly exaggerated the possible consequences). Let's say I run a charity web site, my 20th cookie holds the currency for a donation via bank transfer. The Phorm cookie is added without my knowledge, which means that the IE6 browser (limited to 20 cookies per domain) drops the currency cookie (now cookie 21). My web site happily transfers 50,000 pounds to Save the White Whale instead of 50,000 pesetas. The customer is bankrupted by hideously unfair overdraft charges but Ahab is confounded once more. Who should the customer sue? P.S. You could presumably disable the Phorm cookie by adjusting the JavaScript to delete the webwise cookie if it finds it. Phorm would do it's infinite loop detection and blacklist the web site. I didn't want to include code for that in case my ISP took umbrage and disconnected me. If Phorm adds an extra cookie without the web site owners or customers knowledge and that causes a problem (there are maximum numbers of cookies in all browsers except safari) who would be held accountable.

Here’s a silly example (because you’d be mad to implement something this way; you should be using HTTPS; and I have wildly exaggerated the possible consequences). Let’s say I run a charity web site, my 20th cookie holds the currency for a donation via bank transfer. The Phorm cookie is added without my knowledge, which means that the IE6 browser (limited to 20 cookies per domain) drops the currency cookie (now cookie 21). My web site happily transfers 50,000 pounds to Save the White Whale instead of 50,000 pesetas. The customer is bankrupted by hideously unfair overdraft charges but Ahab is confounded once more.

Who should the customer sue?

P.S.
You could presumably disable the Phorm cookie by adjusting the JavaScript to delete the webwise cookie if it finds it. Phorm would do it’s infinite loop detection and blacklist the web site. I didn’t want to include code for that in case my ISP took umbrage and disconnected me.

]]> By: Andy Towler http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29064 Andy Towler Fri, 25 Apr 2008 13:53:39 +0000 http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29064 Sorry, didn't see comment 75 before I posted 76. We seem to have both hit on the same area - so I guess I'm kind of right, but would need to see if they changed the name/value of the false first-party cookie after they go live. Thanks for the feedback :) Sorry, didn’t see comment 75 before I posted 76. We seem to have both hit on the same area - so I guess I’m kind of right, but would need to see if they changed the name/value of the false first-party cookie after they go live. Thanks for the feedback :)

]]> By: Andy Towler http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29063 Andy Towler Fri, 25 Apr 2008 13:50:07 +0000 http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29063 Me again. I've now read your comprehensive PDF document (thanks for making it public). I may be missing something, but I now figure that, as a website developer, if I set a cookie on all my domains with the name "webwise" and the value "OPTED_OUT" then pages in these domains will not be diverted/profiled, even if a person is visiting them via a phormed ISP. I got this from paragraph 28 of your document. If my interpretation is wrong, please add a comment to let me (and others) know - many thanks. Me again. I’ve now read your comprehensive PDF document (thanks for making it public).

I may be missing something, but I now figure that, as a website developer, if I set a cookie on all my domains with the name “webwise” and the value “OPTED_OUT” then pages in these domains will not be diverted/profiled, even if a person is visiting them via a phormed ISP.

I got this from paragraph 28 of your document. If my interpretation is wrong, please add a comment to let me (and others) know - many thanks.

]]> By: Richard Clayton http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29062 Richard Clayton Fri, 25 Apr 2008 12:59:50 +0000 http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29062 If you don't want Phorm (or any of the other packet sniffing systems) to read your page, use https. Simple and straightforward and that should be an end to it. More complex (and very Phorm-specific) disruption would involve changing the content of Phorm's cookies (the ones in your website's domain). However, until there is an operational trial, you cannot be sure what the deployed technology will exactly be. If you don’t want Phorm (or any of the other packet sniffing systems) to read your page, use https. Simple and straightforward and that should be an end to it.

More complex (and very Phorm-specific) disruption would involve changing the content of Phorm’s cookies (the ones in your website’s domain). However, until there is an operational trial, you cannot be sure what the deployed technology will exactly be.

]]> By: Andy Towler http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29061 Andy Towler Fri, 25 Apr 2008 12:51:52 +0000 http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29061 Comment 72 is an interesting way of detecting the phormjacking of your page. However, I'd be even more interested in a way to *prevent* it. Anyone found anything? Comment 72 is an interesting way of detecting the phormjacking of your page. However, I’d be even more interested in a way to *prevent* it. Anyone found anything?

]]> By: Andy http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29060 Andy Fri, 25 Apr 2008 12:27:57 +0000 http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29060 Apparently, it dislike the "return found;" line in the function as well. Apparently, it dislike the “return found;” line in the function as well.

]]> By: Andy http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29059 Andy Fri, 25 Apr 2008 12:26:01 +0000 http://www.lightbluetouchpaper.org/2008/04/04/the-phorm-webwise-system/#comment-29059 Excellent explanation of the Phorm process. Assuming it is accurate, then I believe the following JavaScript added to a web page will warn if Phorm has added a cookie. I've left out the script tags in case the blog software dislikes them. function hasPhormCookie() { var found = false; var c = document.cookie if (c.length>0) { // If phorm change the name of the cookie they insert // you need to change the comparison string to match if (c.indexOf("webwise=", 0)>-1) { found=true; } } } if (hasPhormCookie()==true) { document.write("Phorm is monitoring your traffic"); } Excellent explanation of the Phorm process. Assuming it is accurate, then I believe the following JavaScript added to a web page will warn if Phorm has added a cookie. I’ve left out the script tags in case the blog software dislikes them.

function hasPhormCookie()
{
var found = false;
var c = document.cookie
if (c.length>0)
{
// If phorm change the name of the cookie they insert
// you need to change the comparison string to match
if (c.indexOf(”webwise=”, 0)>-1)
{
found=true;
}
}
}

if (hasPhormCookie()==true)
{
document.write(”Phorm is monitoring your traffic”);
}

]]>