Comments on: Stealing Phorm Cookies

By: Mel

Mel — Thu, 01 May 2008 14:54:57 +0000

@Pete Austin, When you navigate to a website, Phorm’s system will redirect your browser to webwise.net (unless it has already forged a tracking cookie in that website’s domain).

Webwise.net is also used to ask if you want to opt-in or “opt-out”.

So if you block webwise.net in the hosts file, when you attempt to visit any website your browser will try to open 127.0.0.1, and report an error.

See Richard Clayton’s account of how phorm works- The phorm webwise system

I’m no artist (far from it in fact), but I’ve previously had a stab at drawing a diagram in an attempt to show how webwise works -
Phorm Webwise Diagram if it is of any help.

I’m also not convinced that using public proxies as a work around is a good idea. There’s no guarantee the proxy/exit node isn’t using Phorm. In fact one of the forum posts that appeared to have been corrupted with javascript as a result of the early sysip.net tests had “I.PUBLICPROXY” as the ISP variable.

(my appologies for the O/T post.)

By: Pete Austin

Pete Austin — Tue, 29 Apr 2008 16:11:09 +0000

@richard
At home I use a hosts file that maps literally thousands of domains to 127.0.0.1 with no obvious bad effects. I think it speeds up my browsing. Here’s one example:
http://www.mvps.org/winhelp2002/hosts.htm

Phorm are in the ad-serving business, and mapping domains in this way blocks adverts, so it’s not surprising that they would not recommend it.

By: Richard Clayton

Richard Clayton — Sat, 26 Apr 2008 14:53:12 +0000

@fred

a) your countermeasure using 127.0.0.1 is not recommended by Phorm, will slow down your browsing and BT claim (probably wrongly) will prevent you browsing at all. It’s also rather Windows specific

b) your other countermeasures will be more effective, but have little to do with the topic of this article.

By: fred

fred — Sat, 26 Apr 2008 10:53:10 +0000

Phorm counter-measures

Edit your ‘Hosts’ file…

Start –> Run –> Type:

notepad “c:\windows\system32\drivers\etc\hosts”

Add the following line to the bottom of the file:

127.0.0.1 oix.net
127.0.0.1 oix.com
127.0.0.1 phorm.com
127.0.0.1 webwise.net
127.0.0.1 webwise.com
127.0.0.1 sysip.net
127.0.0.1 qkilbdr.net
127.0.0.1 121media.com
127.0.0.1 openinternetalliance.com
127.0.0.1 openinternetalliance.net
127.0.0.1 youcanoptin.com
127.0.0.1 youcanoptin.net
127.0.0.1 youcanoptout.com
127.0.0.1 youcanoptout.net

File –> Save

File –> Exit

(You may, at first, have go into the file’s temporary and untick the ‘Read-only’ box).

(HEY MOD! Have I got the first bit right, this time)?

Visit http://www.dephormation.org.uk/ and Download the Dephormation v1.6 Firefox Add On.

“The Dephormation Add On ensures that your decision to permanently opt out of Phorm profiling cannot be undone in Firefox.

Optionally, the Add On can also alert you to sites using Phorm/ Webwise/ OIX profile based advertising.

With each page you view in your browser, a Phorm ‘opt out’ cookie is set automatically, and the Phorm UID cookie is randomised. Even if you delete all your cookies regularly”.

Visit http://www.torproject.org/ and install TorBrowser, a Windows Browser Bundle (Containing Tor, Torbutton, Polipo, and Firefox).

By: Dennis Jackson

Dennis Jackson — Thu, 24 Apr 2008 16:59:42 +0000

Have I missed something?

Looking at the technical description, the Phorm system could easily block me from browsing any web sites. At step 15, my firewall (or content filter such as SurfControl) may not allow access to webwise.net. If my firewall blocks webwise.net then the redirected request will never happen and my attempt to visit http://www.cnn.com will fail. I can only get to desired web sites by changing my firewall to also allow access to webwise.net.

There are many organisations that implement a whitelist to limit sites that can be browsed at work. Vendors (such as SurfControl) supply dynamic blacklists and whitelists of sites. What is the incentive to include webwise.net in any whitelist?

Unless I add webwise.net to the whielist in my firewall my access to the Internet is blocked. Transparent - no. Friendly - no. Trivial change to T&C - no.

By: Barrie Dempster

Barrie Dempster — Thu, 24 Apr 2008 08:53:01 +0000

I don’t see how encrypting the cookie would help, unless it was encrypted on-the-fly for each request which would probably be quite impractical.

Tracking this information in cookies effectively injected into another domains cookie space is riddled with problems. There’s just no way Phorm can control the requests and prevent the 3rd parties gathering information.

Barrie

By: david M

david M — Wed, 23 Apr 2008 16:00:46 +0000

http://www.openrightsgroup.org/2008/04/23/fipr-calls-on-home-office-to-withdraw-misleading-advice-on-phorm/
FIPR calls on Home Office to withdraw misleading advice on Phorm
Posted by Becky in Computer Law, Data Protection, Net Neutrality, Privacy, Regulation of Investigatory Powers Act at April 23rd, 2008

By: Jamie Hunter

Jamie Hunter — Wed, 23 Apr 2008 08:28:10 +0000

Hi RIchard,

Thanks for your work on Phorm and for speaking at the public meeting on Tuesday night. I note that 80/20 Thinking have yet to provide any video footage of the event despite it being over a week since the public meeting.

I was able to film four of the speeches, including yours and have posted these unedited at http://tobymeres.net

By: david M

david M — Wed, 23 Apr 2008 07:09:50 +0000

BTW Richard did you see Alexander’s post yet

http://www.cableforum.co.uk/board/12/33628733-virgin-media-phorm-webwise-adverts-updated-page-299.html#post34535819

“Kent turned up late”…

“He said (and I quote) “he [Richard Clayton] thinks Phorm is the best thing to ever happen with online advertising” (I kid you not).”"

By: Mel

Mel — Wed, 23 Apr 2008 00:20:28 +0000

Incidently a full-stop has got into your my slides url my slides here

And I messed up my own URL :o)

Phorm-bugs?