Wildcard DNS, Session Management And Prior Art
Alowishus asks: "A company called sevenval has an interesting, but obvious, use of Wildcard A-Records in the DNS to encode Web session management IDs in the hostname of the site. Interesting, because if you are using relative URLs on your site, you do not need to do anything (i.e. setting a cookie or appending GET parameters) after the initial redirect to maintain a user session. See www.fahrschulportal.de for an example. Sevenval is applying for a patent on this technique, and Kristian Kohntopp, the author of a PHP session management library, is looking for prior art. He would like to find uses of hostnames that encode state or session information. Has anyone seen this before? It's an exceptionally useful technique, and I'd hate to see its use restricted by another improper software patent."
Re:unpoison --- What about the search engines? (Score:1)
Is this a search engine advantage or disadvantage?
BTW... I do like the idea of wildcard DNS hostnames, oddly enough. If there is no prior art, hats off to this guy.
Good thing (Score:1)
Now aren't session vars in URLs prior art? (Score:1)
I think not! The fact that you have to use a wildcard DNS entry and some scripts to rediscover the session identifier in this part of the URL doesn't make it patentable, IMHO.
Just compare:
http://12345.myhost.com/blah.htm
http://www.myhost.com/12345/blah.htm
http://www.myhost.com/blah.htm?s=12345
http://www.myhost.com/blah.cgi/12345
I don't see the big difference...
Re:unpoison (not depoison) (Score:1)
Amazon.com has been doing cookie tasks w/o cookies (Score:1)
what i want... (Score:1)
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
Re:Now aren't session vars in URLs prior art? (Score:1)
the last two require that you change your links. the second might be accomplished with some nifty rewriting and might work very much like the first (7val) without the DNS trouble. it'll still break caching.
Other ways to accomplish the same thing... (Score:1)
There are ways to do this using mod_rewrite, and they're probably better for ya in the long run.
I don't think it's unique enough an idea to support a patent, especially considering the way in which it is implemented: a wildcard DNS. _That_ has a lot of prior art.
Prior Art (was: Calculator in the URL) (Score:1)
This is really OLD stuff.
I put the calculator in the URL up along with rfc-in-a-url, clock-in-a-URL, and my calculator-in-a-URL up in 1998!
DYNAMIC URL:S ARE AS OLD AS SLICED BREAD.
A patent of this would be as silly as trying to patent dynamic content in the webpages or decimal URL:s (http://195.3565592/ [195.3565592]). My site is more than 1 year of prior art.
http://x42.com/ [x42.com]
Re:Calculator in the URL (Score:1)
BUT: Some proxies, firewalls etc block WEIRD chars in urls, like $, and parentheses.
/magnus
Re:This is real nit-picking, but... (Score:1)
But all patents are bad! Copyrights protect specific expressions of an idea, and that's a good thing. Patents protect an idea itself, and this takes the idea of intellectual property way too far. Nobody should own an idea, at best you should own your expression of it. I do not believe there is such thing as a proper use of patent law -- the idea is flawed to begin with. Software patents are not a special case, requiring patent law to be fixed. They simply make more glaringly obvious the flaws that have always existed in patent law. It's a bad idea from the start. It shouldn't be fixed, it should be dropped...
--
Re:Other ways to accomplish the same thing... (Score:1)
Actually, intelligent site design gets around the cachability aspect; simply refer all your images (or other multimedia content, such as audio or video) to the master host by explicit URL references. Or, better yet, send all "large data" requests to a separate hostname entirely, which you could then optionally build out as a distributed file-serving cluster to handle increasing demand over time.
My creations... (Score:1)
Inspired by a "useless trick of the year"-page, which gave the possibility of making mathematical calculations only using the hostname, I got inspired about a year ago to make my own utilities.
My domain is trc.dk (a danish roleplaying club; nevermind that
http://something.a.trc.dk/
Perform a search for "something" in AltaVista
http://something.b.trc.dk/
Perform a search for "something" in AltaVista (text-only)
http://something.g.trc.dk/
Perform a search for "something" in Google
http://something.l.trc.dk/
Perform a search for "something" in Google, using the "I Feel Lucky-feature"
http://something.i.trc.dk/
Perform a search for a movie named "something" in IMDb (Internet Movie Database)
http://something.j.trc.dk/
Perform a search for "something" in Jubii (Danish search-engine)
http://someone.k.trc.dk/
Perform a lookup for the name "someone" in an edition of the Danish "White Pages"
http://slashdot.org.s.trc.dk/
Perform a check of what webserver, "slashdot.org" is running.
http://slashdot.org.q.trc.dk/
Perform a HTTP-query for "slashdot.org"
These "tools" have been a great aid, and saved a lot of time. There really isn't any reason first going to the Altavista/Google/IMDb-frontpage, just to submit some data. Then rather go to the result-page.
Oh yeah, I like bookmarklets too
STEEM did something like this awhile ago... (Score:1)
I think you can still take a look at a demo copy of it in our portfolio. Located on http://STEEM.COM [steem.com]. Check out... it's a beautiful page that unfortunately I had nothing to do with designing. :)
---
When it comes to patents.... (Score:1)
Re:IM SO SICK OF PEOPLE COMPLAINING (Score:1)
--
Re:Amazon.com has been doing cookie tasks w/o cook (Score:1)
Sites that run on NT and ASP can't do this simply because ASP's built-in session management requires that cookies be enabled. If they aren't, it will just stick you inside of a redirecting loop. The redirecting loop is easily fixed with a "please enable cookies" message. Anything beyond that... well...
Naturally, there are ways around this, but they require elaborate hacks, generating every link on your page yourself, and so on. In other words, rewriting the session management on your own. You cannot manually retrieve or switch sessions.
Java, on the other hand, allows you to create a session object by just knowing the session ID. It also has automatic URL rewriting, that can be always, never, or no-cookies-only enabled. And you also have full control over this, so you can tweak it as needed.
I definitely agree with you about the cookie-only sites. I understand that there are many good uses for cookies, but I like to choose whether I want the site to store cookies on my computer, not the other way around. I just run a proxy that blocks all cookies on all sites except for the ones I specify. If a site requires cookies to browse, I usually leave and don't come back.
--
Re:DNS record.. (Score:1)
--
Re:Useless for SSL (Score:1)
Re:It's been called "URL Poisoning" (Score:1)
There's a web site http://www.lemuria.org/Software/unpoison [lemuria.org] that calls this technique "URL Poisoning" and mentions that this could be considered a Bad Thing, because using this technique, people cannot easily "opt out" from being profiled, as you can by, say, disabling cookies in your browser.
Refer to the above link for an explanation of URL Poisoning, and for a pointer to a Squid redirector plugin that can be used to disable URL poisoning.
I personally don't have any opinion on this; I can see how it can be used, as well as how it could be abused. [shrug]
--
Check with Dave Winer at userland.com (Score:1)
An example of this product in practice is at: http://www.editthispage.com/ [editthispage.com]
I have email an describing .... (Score:1)
IANAL but I think this could be considered very similar and Goto.com has a bunch of money (I think) and maybe if they were made aware they would want to fight it.
I'd be happy to provide my email but I doubt a dated email from someone's sent folder is proof of prior art in the law's eye.
Citrix
Prior Art (Score:1)
There is a Bugtraq posting in 1998 where Oskar Pearson describes a way of tunneling through a Firewall ** by encoding data into DNS-Names ** (and Replies).
I think this could be considered as a "superset" of the sevenval.de idea.
bye..adrian
I did this in 1996 (Score:1)
*.sevenval.com Fun with location poisoning (Score:1)
You can change the characters in that seemingly random bunch of chars that they use, such as
http://X199DAASOFTWARE84PATENTS71CBLOW3E.sevenv
*grins*
As long as it remains the same length, you can replace most of the garbage with words..
Enjoy.
Re:unpoison (not depoison) (Score:1)
Re:Possible candidate (Score:1)
Re:Calculator in the URL (Score:1)
Re:Useless for SSL (Score:1)
(But if you do this, then you still end up needing to use some traditional state mechanisms to pass around on the billing server. Oh well.)
Re:unpoison (not depoison) (Score:1)
Speaking as a cache admin for a large(ish) ISP, most dynamic content isn't *that* dynamic. Even if the page has user specific entries on it, the images are probably cacheable - think slashdot, I (probably) have my preferences on what slashboxes I get set as different from yours, however the icons for story sections can (and should) be cached as those won't be dynamic.
As for the 404 error for footfetish.com, well if you haven't paid then you're not going to get access - so permission denied is kind of appropriate
Re:Useless for SSL (Score:1)
Re:Now aren't session vars in URLs prior art? (Score:1)
http://www.myshop.com:625/some/file.html
I wouldn't be too surprised if someone would get a patent on this _unguessable_ way to store a session identifier into the URL.
It is indeed very much the same to fetch the session id from the URL, regardless of where it's located. And making a redirect to such a URL in case no session id is present, is also no rocket science. All this will be less than 10 lines of code.
The DNS method combines two advantages: You don't need to produce relative links, and you don't have to rely on cookies.
But I don't think that it's worth a patent, it's really obvious. And if anything that is not too complicated would be patented, we would need even more lawyers than we already have.
I hereby claim the patent on putting beer into the fridge.
Kai
lbnamed users: You done this? (Score:1)
lbnamed: parameters via DNS (Score:1)
See where "random.stanford.edu" is shown, where "100.random.stanford.edu" will return a TXT entry with a random number in a 100-number range, and "10.random.stanford.edu" will use only a 10-number range. There's also a "passwd.ns.stanford.edu" example which mentions a database.
This example is not attached to HTML, but it does show that the concept of using DNS to give information to a server was published in 1995.
Re:Is this really groundbreakingly useful? (Score:1)
agreed, but no more than session tracking done through URLS like this :
"http://slashdot.org/comments.pl?sid=00/03/05/2
and surely it would really bugger up users trying to bookmark the site (stale sessions could stay in bookmarks for a LONG time).
No. If the session id expires then just assign them a new one on reconnect and if they try to access any previous session information let them know it has expired. Same as it works now. But it works if people have cookies turned off.
Personally I think it's a great idea. If it was obvious, how come no one used it before? This falls into the area I would think is patentable.
Opting out (Score:1)
I suspect that it shouldn't be too hard to add the ability to "unpoison" URLs to the Internet JunkBuster. The author of Unpoison himself suggests that it should be rewritten in C or some other non-interpreted language for performance reasons.
Re:Improper? (Score:1)
Re:aka "Location Poisoning", not good (Score:1)
And yet, Microsoft thrives.
Flamebait aside, companies have nothing to lose by implementing this. The customers and people who connect to them are screwed, but for many companies, the extra information gleaned about customers may be a worthwhile exchange for the extra technical hassle.
Ah, so that's how they get the netcraft figures! (Score:1)
Title: Use of wildcard DNS records to generate high server usage charts
Description:
for i = 1 to 100,000,000,000
launch_netcraft_test(www$i.myserver.com)
next
Desired result:
next month's news...
"Server X showed a 98% increase in usage in web sites globally, driven mostly by a large number of new sites in the myserver.com domain."
--
OT: speaking of prior art (Score:1)
caching of all that (Score:1)
Re:Calculator in the URL (Score:1)
Example of Prior art (Score:1)
Re:Calculator in the URL (Score:1)
Re:Looking at the arguments (Score:1)
While you can reduce the overall poisoning of the net that this technique causes by serving images from a non-poisoned host, the fact is that if I run a large proxy server, and a lot of people visit sites using this technique, that site is going to cost me a huge amount of money in forced hardware upgrades, because every session is taking up a host space in my proxy cache. Plus, there's the extra DNS traffic, which isn't much, but overall, location poisoning SUCKS [fuckingsucks.net]
Personally, I would set up all proxies to deny a site using this technique.
Maybe, it's obvious, maybe it isn't, but Sevenval SUCKS!!! [fuckingsucks.net]. If there's one thing that the recent Doubleclick nonsense shows, it's that the general public will only stand for getting the shaft on privacy issues for so long. And the location poisoning technique is too obvious, so people will raise a stink.
It's one thing to patent a sucky technique, but since the technique sucks too much to have real commercial value, you can just let this thing die on its own, sucking for air.
Bottle caps (Score:1)
Re:Possible candidate (Score:1)
-
We cannot reason ourselves out of our basic irrationality. All we can do is learn the art of being irrational in a reasonable way.
Re:Other DNS abuse by sevenval (Score:1)
< label>
ie a name starting with a letter. This is to prevent problems with older software (eg MTA's). It's not a hard requirement.
There's also some "prior art" e.g. 3com.com.
Re:On a related abuse of DNS... (Score:1)
You'll probably find your browser ate a couple of angle brackets in the perl statement. It should read:
perl -e 'while(<>){print pack("H32",$_)}'
Prior Art... (Score:1)
Before some of us started hacking the server there was no context but the ip numbers. If I remember right it took a separate server per ip number and at that time that did mean a separate interface.
Talk to the people who did the early virtual IP addresses as this was discussed.
Too bad deja* isn't that old. (why does it have all my '95 postings but not all the '96 or current postings? and apparently broken html on the new(TM) power search)
Re:Neat, but different (Score:1)
So it's neat, but only for geeks. Whereas the patent app. is neat, but only for 'expletive-deleted' marketeers.
EZ
-'Press Ctrl-Alt-Del to log in..'
privacy violation and laws (Score:2)
the whole Location Poisoning scheme is a mighty tracking system. since your ID stays the same among various sites, they can cooperate and pool the data you entered. your address here, your buying habits there, a questionnaire over there and the words you entered in that search engine - doubleclick was nothing, they only get the sites you visit, not what you enter there.
7val claims that they'll require customers to sign a contract that they won't do that. which to me has the base purpose of removing *7val* from responsibility. this SCREAMS abuse. I bet it will be used for profiling as described above.
now since (2nd thing not mentioned) 7val is in germany and applying for european patent, the EUROPEAN patent law applies, NOT the US which has been quoted here. in european patent law, patents can be refused if they are overtly abusive. for example, you couldn't patent something if its only use is illegal. since Location Poisoning begs to be abused, and the "advantage" of following visitors even when they leave your site is one of its strong marketing points, I do believe a point can be made for the patent to be abusive in nature.
Re:Neat, but different (Score:2)
Might be prior art (Score:2)
This is a demonstration of having a dynamic subdomain to be the input of a program on the web. What this also demonstrates is that you really can send weird stuff on the url even in a subdomain name. (Note: There's no cgi-param-passing-here or path-info.)
It's a demonstration of technology this broad: dynamic subdomain being the input of a program. Well, that's exactly what 7val is doing. So what if the program does something specific - it's still a web program that "tracks sessions" instead of a web program that "does math". Web programs that "track sessions" are nothing new. The only new part is the dynamic subdomain, for which there is prior art.
The author of the domain math software was aware of other potential uses for this ground breaking technology, clear from his description in italics above, and only used the calculator example to demonstrate that it could be the input to any program. Ergo prior art.
QED!
Re:This is real nit-picking, but... (Score:2)
Re: (Score:2)
Re:Useless for SSL (Score:2)
Brilliant point. Forgot about this.
What these i... are claiming is to "revolutionize web commerce". What are they talking about? What commerce without certificates and encryption? Relying on HTTP-Referrer which is supplied by the browser so any kid can fake it maybe?
If this gets enough publicity they are not getting any money. Which is good (TM).
Looking at the arguments (Score:2)
The author states that "Location Poisoning disables proxy servers, DNS caching and other mechanisms that reduce the amount of net traffic." This is true, but the situation isn't as dire as you might think at first blush. Without having any numbers to back up my claim, I'm going to assert that in the average web transaction (from DNS lookup to the last request fulfillment on a single page), transmission of images takes up the vast majority of the bandwidth used. If the page author serves images from a central location (<img src="http://images.etcetra.org/blah.gif">) they'll still be cached normally by web proxies. So, it's bad, but it can be mitigated somewhat by clever design.
On the other hand, I detest what this does to bookmarks. Bleah.
In the end, I don't see this technology as having much value, even if you strip out all the negatives. Even if you don't have to screw around with passing cookies or GET args as session identifiers, you still need to change state in your database for any reasonably useful application (read: shopping cart). If you can set something like that up, then there's no reason you couldn't have set up some other, less objectionable form of session management.
request for information (Score:2)
--Shoeboy
Let's all make stuff like this (Score:2)
Actually maybe I can change GPLTrans to use this...something like http://helloworld.english2spanish.translator.cx/
or maybe http://www.yahoo.com.english2spanish.translator.c
(note those URLs do not work in reality)
Re:Possible candidate (Score:2)
First one to send me php code to split into a string array wins... well... hrm. nothing.
Example of bad practice (Score:2)
IF this kind of attitude was used in previous years, we would be nowhere right now. The Internet would not have happened.
Nobody patented the use of putting stateful information in the path portion of a URL, why should they be able to do it in the host portion?
NO PATENTS! PATENTS should be for REAL RESEARCH, that costs REAL DOLLARS.
One could argue that this is no different than a web server differentiating between virtual websites based on the hostname. The 'state' that is stored in the hostname is the one that determines which site is being visited, (as opposed to a simple IP lookup). This is not something patentable, and should not be patented.
What's the definition of state? (Score:2)
The internet pace does have a disadvantage in that it is impossible to weed out *bad* or useless ideas out of the volume generated every day. How many inventions actually become a commercial success? Building a better mousetrap does not always equate to getting rid of more mice.
LL
Other DNS abuse by sevenval (Score:2)
This is real nit-picking, but... (Score:2)
I understand it's all in the name of humor (and the icon is indeed very funny), but I also think that the icon unconsciously biases any posters or readers to think of any patent to be trivial, or frivolous.
Patent laws need to be fixed, but that doesn't mean all patents are bad. If I had a patent on some groundbreaking device, I would hate to get the attention of Slashdot, who would pigeonhole my creation with an icon of patenting knives and forks.
Re:This is real nit-picking, but... (Score:2)
akamai (Score:2)
Re:Other DNS abuse by sevenval (Score:2)
Go to Network Solutions [networksolutions.com] and attempt to register any name starting with a digit. Indeed, the name could be completely digits (i.e. 411.com). However, try to begin a name with a dash; you'll see it doesn't work.
Prior art (Score:2)
I still have the source code for the little DNS server I wrote that received and decoded that traffic back into its constituent components. I'll sign an affidavit if need be.
BTW, as a hacker, I've already found several ways of breaking this scheme after a few moments of trying. (Heck, one of the flaws I already solved in my implementation mentioned above; stupid of them). Therefore, you can attack the patent. Their implementation is still rough, so simply find flaws in it and patent the solutions ($500). When they fix their implementation, sue 'em.
Damn (Score:2)
However on this basis I note that it must be "obvious", certainly it never occurred to me that others might not have thought of it. Unfortunately this isn't enough I guess, and I never implemented anything to test the idea, so..no prior art from me. Sorry
Re:But obvious!? (Score:2)
RYan
Hope this helps (Score:2)
They make a server side web development toolkit for Delphi developers, that uses state management, wild card ids, no cookies, and supports server clustering (among their own app servers). They have been doing this since Delphi 2 as far as I can tell. They are not the only ones either, but I can't remember the names of the other companies doing this.
prior art in PHP/Apache (Score:2)
I think it used mod_rewrite, but I could be mistaken.
Eric
Want to work at Transmeta? Hedgefund.net? Priceline?
Re:Calculator in the URL - prior art (Score:2)
Re:aka "Location Poisoning", not good (Score:2)
Indeed, I'm not too concerned about this being patented since the URL http://bgfv3wz0.software-patents-are-bad.com/ has no obvious advantage over http://www.software-patents-are-bad.com/bgfv3wz0/.
A few weeks ago I was on a talker (toth.org.uk) discussing ways of storing client information, and someone suggested "storing a session ID at the start of the URL", meaning the second URL above. We, of course, joked that he had meant at the start of the domain name and that could be done using DNS wildcards but - ho! ho! ho! - what a damned stupid idea that would be.
Not exactly prior art since it wasn't that long ago and in any case toth doesn't log, but still that makes it obvious in my book. Same problem as ever though: what's "obvious" to a bunch of web developers who read RFCs is not generally "obvious" to a bunch of patent clerks who read the National Enquirer.
--
This comment was brought to you by And Clover.
Not for saving state, for tracking users. (Score:2)
"...offers an absolutely new possibility in customer tracking, that is simple to install on the webserver, and poses no security risk to the user, like, e.g. a cookie. Every visitor will be assigned their own personal hostname upon visiting the page."
I don't see this as a being for the purpose of knowing who you are dealing with when you are actually serving the pages (although no doubt it could be used for that), but rather that you can make this change to your webserver, and then you have a very simple method of looking at what individual users did from your log files. For example, how many pages does the average user visit? It would require a lot of overhead in cookies and stuff while the user is doing the reading to be able to tell that. Add sevenval's software, and you just have to change the places where the user enters, then you can more easily analyse your log files.
I didn't read the whole page because my German sucks, so maybe this is just a side point, but it seems like it would be a cool ability to have.
--Kevin
On a related abuse of DNS... (Score:2)
Re:aka "Location Poisoning", not good (Score:2)
This is such a bad technology that only the really clueless will buy it. Anyone tried editing the "server name" string? No problem. Oops I'm suddenly a different customer in 7val's eyes.
Session tracking is not evil by itself. Abused tracking is, of course, but this is such a clumsy method that it is not likely to spread.
Re:But obvious!? (Score:2)
The distinction I would draw is whether the 3 things stuck together are doing something new or not: the ball in the mouse is just a ball, but it's doing a very un-ball-like thing (ok, sometimes I drag'em across the desk, but... ha ha) So, is an answering machine patentable? maybe a little piece having to do with answering the phone with a switch, maybe some of the "algorithms" (mechanical or otherwise) for juggling the tape... but I would pretty much think that once tape recording is invented, it's obvious that it can tape phone calls.
I realize I'm talking about a fuzzy standard, but I'm just moving the fuzzy line that will always exist. Here's how I think of obviousness: I don't think the idea "phone answering machine" is patentable on its own (and I think the patent office agrees). So, if you as an engineer are given the task "build phone answering machine" and you think "tape recorder" and anyone would think "tape recorder", well that's obvious. If I tell you "the UI has too many clicks to buy a book" and you show me how you'd do one click using cookies, it's hard to imagine that how you did it would be anything but obvious. The idea is not patentable.
This wildcard DNS seems more clever than one-click ordering, but really only because it's weirder. The feature was sitting there, and the multihosting webservers are just sitting there. Here's one for you: let's patent one-click ordering using wildcard DNS! You see, all the technologies exist but we'd be combining them in a novel way, using no cookies! We could even use it for an affiliate bookstore program!
There's some similarity between engineers piecing together parts to build things and lawyers building their cases. They don't allow patents on novel legal defenses. Unfortunately, they seem to hold sway over the rest of us and they are as a rule stupider than engineers and they don't give us the same protection for our toolboxes that they give themselves. Oh, IANAL.
Re:But obvious!? (Score:2)
But this DNS trick, like Amazon and cookies and confirms, doesn't invent anything. The feature of the DNS they are using was invented by someone else. Cookies were invented by someone else. Am I rambling here? I'm just trying to explore the space. A few years ago, I heard about a patent that was something like "using a hard disk to store digitized telephone messages". I hear that and think, "give a patent to the hard disk guy, to the A/D guy, and to the telephone guy. But using technologies in combination to do what they were invented to do is not patentable, even if it's clever."
Storing state in DNS (Score:2)
Isn't that exactly what the Fox project's IP-over-DNS thing does? (As referenced in the Firewall Piercing Mini-HOWTO, 27 November 1998.)
--Dave
Re:IM SO SICK OF PEOPLE COMPLAINING (Score:2)
2nd of all, I developed a system for user management (not session, but very similar) based on wildcard DNS aliases (A Records). In my system, a user comes to the site via username.mysite.com and then logs in to his/her personal section. This is prior art! As soon as I get my client's permission, I'll post more info on the SIMPLE, OBVIOUS process I used. Furthermore, this is not hindsight, I devised the system on my own, with no external help.
Answer to "Why is this useful?" (Score:3)
- it makes pages fairly uncacheable in a central proxy while at the same time retaining local cacheability of the pages, thus keeping the back button alive
- you do not have to propagate the session id manually, but only have to use relative links in your pages. This will even work on static pages.
- you can easily log by host and get customer tracking with current tools
Sevenval implements this with a wildcard A-record in the DNS system, which has been around for quite some time, and an initial 302 redirect to a unique hostname. That hostname is long (a 128 bit value) and randomly generated, making it unguessable. Changing the hostname will simply restart your session, as with any other session tracking systems.
© Copyright 1999 Kristian Köhntopp
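An added illustration of the flow the comment above describes (wildcard A record, initial 302 to a random 128-bit hostname, an edited hostname simply restarting the session); it is not Sevenval's code and not part of the original post. The zone `shop.example`, the in-memory `sessions` dict and the function names are assumptions made for the example.

```python
import re
import secrets

BASE_DOMAIN = "shop.example"             # assumption: zone served by a wildcard A record
LABEL_RE = re.compile(r"[0-9a-f]{32}")   # 128 random bits written as 32 hex characters


def session_label(host_header):
    """Return the session label carried in a Host header, or None.

    Only a single, well-formed label directly under BASE_DOMAIN counts;
    anything else (www, nested labels, foreign hosts) is treated as
    "no session".
    """
    host = host_header.strip().lower()
    if ":" in host:                       # drop an optional :port
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")               # tolerate a fully qualified name
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)]
    return label if LABEL_RE.fullmatch(label) else None


def handle_request(host_header, path, sessions):
    """Decide what to do with one request.

    Returns (status, headers, session_state). A label the server issued
    itself resumes that session. A missing, malformed or unknown label is
    never adopted: the client is redirected to a freshly generated
    hostname, so editing the hostname only restarts the session.
    """
    label = session_label(host_header)
    if label is not None and label in sessions:
        return 200, {}, sessions[label]

    new_label = secrets.token_hex(16)     # 16 bytes = 128 bits from the OS CSPRNG
    sessions[new_label] = {}

    # The path is copied into the Location header, so keep it a plain
    # absolute path: no header injection, no "@host" userinfo tricks.
    if not path.startswith("/") or "\r" in path or "\n" in path:
        path = "/"
    location = f"http://{new_label}.{BASE_DOMAIN}{path}"
    return 302, {"Location": location}, None


if __name__ == "__main__":
    store = {}
    status, headers, _ = handle_request("www.shop.example", "/cart", store)
    print(status, headers["Location"])
    issued_host = headers["Location"][len("http://"):].split("/")[0]
    print(handle_request(issued_host, "/cart", store)[0])                     # resumes
    print(handle_request("f" * 32 + ".shop.example", "/cart", store)[0])      # restarts
```

Because relative links keep the browser on the issued hostname, the label also appears in every access-log Host field, which is the log-by-host tracking property listed above.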
DNS record.. (Score:3)
I don't see anything even remotely dynamic below, but their hostname is extremely dynamic when viewing their webpage. I would assume it's the * record, but what sort of application generates the hostname?
2000011802 ; serial
8H ; refresh
2H ; retry
1W ; expiry
1D ) ; minimum
1D IN NS ns.buy-world.de.
1D IN NS ns.r-tec.net.
1D IN MX 1 wilson.office.sevenval.de.
1D IN A 195.122.187.3
* 1D IN HINFO "IBM-PC" "UNIX"
1D IN A 195.122.187.3
cvsserver 1D IN A 62.96.224.212
1D IN HINFO "IBM-PC" "UNIX"
*.cologne 1D IN A 62.96.224.211
1D IN HINFO "IBM-PC" "UNIX"
wilson.office 1D IN A 62.96.224.210
1D IN HINFO "IBM-PC" "UNIX"
tim.office 1D IN A 62.96.224.222
1D IN HINFO "IBM-PC" "UNIX"
EraseMe
It's been called "URL Poisoning" (Score:3)
Refer to the above link for an explanation of URL Poisoning, and for a pointer to a Squid redirector plugin that can be used to disable URL poisoning.
I personally don't have any opinion on this; I can see how it can be used, as well as how it could be abused. [shrug]
--
Improper? (Score:3)
-----------
"You can't shake the Devil's hand and say you're only kidding."
Re:depoison... and THIS(!) (Score:3)
This site works with all text I have tried, separated by periods. I don't know how long it's been up, but it has been there for quite a while.
I got cher prior art right here... bookpool.com (Score:3)
--
depoison (Score:3)
unpoison (not depoison) (Score:3)
Freshmeat Application Page [freshmeat.net] reads as follows:
unpoison.pl is a simple Squid redirector plugin that disables (and returns the favor of) a new customer-tracking scheme developed by 7val.com that the author has labeled "Location Poisoning". The Web page explains how Location Poisoning works and why the author considers it a Bad Thing(tm).
The App home page [lemuria.org] gives more information, including the patent request by 7val.com
AOL doing this for years -- serious prior art (Score:3)
Is this really groundbreakingly useful? (Score:4)
If I understand it correctly, it simply replaces the session ID normally stored as a cookie/get-var in the hostname.
This would lead to extremely user-unfriendly domain names, and surely it would really bugger up users trying to bookmark the site (stale sessions could stay in bookmarks for a LONG time).
Also, it's simply not as efficient as session IDs, which after one unfriendly GET, tend to store their results in a cookie which is transparently passed around. Surely dynamic DNS would all have to have really low TTLs and generally slow down site access if you have to do a large number of DNS lookups (which can be the slowest stage in an http access cycle?)
As I see it, the only problem with the session-id method is that it complicates serverside scripting, but with simply superb tools like PHPLIB [netuse.de] all those details are abstracted away from the user. And also PHP4 [php.net] has built in session handling to simplify things further. IIS has similar modules for ASP developers, and I'm sure others exist for other scripting languages (mod_perl? dunno
So while this might be of interest to some specific applications, I can't see it revolutionising the whole ecommerce industry with its cunning "new" user tracking system.
But then again, I might be talking bull
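The server side of the scheme discussed above, as an added example that is not part of the original comment or of any site's code: it recovers the session ID from the Host header and expires server-side state so that a bookmarked hostname with a stale session does not resume it. The zone `example.com`, the `s<32 hex>` label format, the 30-minute lifetime and the dict-based store are all assumptions.

```python
import re
import time

BASE_DOMAIN = "example.com"                    # placeholder zone with a wildcard A record
SESSION_LABEL = re.compile(r"s([0-9a-f]{32})")  # assumed label format
SESSION_LIFETIME = 1800                        # assumed idle timeout, in seconds


def session_id_from_host(host_header):
    """Return the session ID encoded in the Host header, or None."""
    host = host_header.strip().lower()
    if ":" in host:                            # drop an optional :port
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")                    # drop a trailing root dot
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return None
    label = host[: -len(suffix)]
    # fullmatch rejects "www" and multi-label prefixes such as "s<id>.other".
    match = SESSION_LABEL.fullmatch(label)
    return match.group(1) if match else None


def lookup_session(host_header, store, now=None):
    """Map a request's Host header to live session data, or None.

    On None the caller should mint a fresh ID and redirect to it rather
    than create a session under the ID the client presented.
    """
    now = time.time() if now is None else now
    sid = session_id_from_host(host_header)
    if sid is None:
        return None
    entry = store.get(sid)
    if entry is None or now - entry["last_seen"] > SESSION_LIFETIME:
        store.pop(sid, None)                   # stale bookmark: discard the state
        return None
    entry["last_seen"] = now
    return entry
```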
Re:IM SO SICK OF PEOPLE COMPLAINING (Score:4)
No one uses dns encoding because it poisons dns caches. Remember, dns lookups that aren't cached on a nearby server require sending a request/response from at least two other machines. Here's what a session might look like.
////////////////////
First query the local server. Very fast since the connection is probably ethernet.
me -> dns.ryans.dhs.org
Now my local dns goes off and searches for the ip address.
Local dns queries the root servers.
dns.ryans.dhs.org -> b.root-servers.net
dns.ryans.dhs.org -> ns1-auth.sprintlink.net
dns.ryans.dhs.org <- ns1-auth.sprintlink.net
Local dns sends me the answer
me <- dns.ryans.dhs.org
Start tcp session
////////////
As you can see, the name lookup needed one short-haul and two long-haul roundtrips. If it was cached only one short-haul conversation would have been needed.
Ryan
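The lookup cost from the trace above, as an added example that is not part of the original comment: a small model of a caching resolver shared by many visitors, comparing one fixed hostname with a unique hostname per session. The workload, `example.com`, the label format and the TTL are constructed; the cost of two long-haul roundtrips per miss follows the comment's count.

```python
from dataclasses import dataclass, field

# Constructed model of the lookup walked through above: every query costs one
# short-haul hop to the local resolver; a cache miss adds two long-haul
# roundtrips (root server, then the authoritative server), as in the comment.
# Simplification: a real resolver also caches the zone's delegation, so later
# misses in the same zone can skip the root query.
LONG_HAUL_PER_MISS = 2


@dataclass
class CachingResolver:
    ttl: int                                   # seconds an answer stays cached
    cache: dict = field(default_factory=dict)  # hostname -> expiry time
    short_haul: int = 0
    long_haul: int = 0

    def resolve(self, hostname: str, now: int) -> bool:
        """Resolve hostname at time `now`; return True on a cache hit."""
        self.short_haul += 1
        name = hostname.lower().rstrip(".")
        expiry = self.cache.get(name)
        if expiry is not None and now < expiry:
            return True
        self.long_haul += LONG_HAUL_PER_MISS
        self.cache[name] = now + self.ttl
        return False


def simulate(hostnames, ttl=3600, interval=10):
    """Feed one lookup every `interval` seconds; return roundtrip totals."""
    resolver = CachingResolver(ttl=ttl)
    hits = sum(resolver.resolve(h, now=i * interval)
               for i, h in enumerate(hostnames))
    return {"hits": hits, "short_haul": resolver.short_haul,
            "long_haul": resolver.long_haul, "cached_names": len(resolver.cache)}


# Constructed workload: 100 visitors behind one shared resolver, one lookup each.
# example.com and the session-label format are placeholders.
shared = ["www.example.com"] * 100
per_session = [f"s{n:06d}.example.com" for n in range(100)]

if __name__ == "__main__":
    print("shared hostname     :", simulate(shared))
    print("per-session hostname:", simulate(per_session))
```

Each session hostname is a distinct cache key, so the wildcard record gives the shared resolver nothing to reuse and its cache grows by one entry per visitor.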
Calculator in the URL - prior art (Score:4)
Useless for SSL (Score:4)
I've been doing this. (Score:4)
This has been one of the features I've been trying to hype for our new Web server cluster. I love wildcard A records. They're not only useful for non-cookie sessions (I *hate* cookies.) but I have been playing with them to support being able to "log out" an HTTP authenticated connection. (So you'd authenticate with auth1234.foo.com and then the server could invalidate your authentication with that specific host name.)
I have public examples of my use of wildcard A records through purdue.org:
Possible candidate (Score:5)
http://type.something.here.really.fuckingsucks.net/ [fuckingsucks.net]
(and sorry for the sailor talk).
Replace "type.something.here" with, say, a company name.
...j
Re:unpoison (not depoison) (Score:5)
As customer, you are paying, so that the company owning the web-pages can profile you. Not only is tracking the default, there also is no way out, no "I don't wanna be tracked" button.
Ok, so I definitely don't understand all of this "location poisoning" technology, but I don't see anywhere that they are getting more information about you (IP address, pages viewed, etc...) than any other web site collects. Don't know about your friends and coworkers, but all the major websites that I've heard of and interviewed with do major tracking (300Gb data warehouses and such) of all hits and don't offer an opt-out option. How is this different?
With "paying" I do literally mean money and time. Location Poisoning disables proxy servers, DNS caching and other mechanisms that reduce the amount of net traffic. More traffic means waiting longer for pages to appear, and if you pay for your traffic (most small businesses do) it also means you are paying money that you shouldn't have to pay.
So what if I use this for dynamic content? In that case, caching doesn't matter anyway.
Location Poisoning also abuses HTTP and DNS standards.
Last time I checked, most of what web developers do abuses standards (mainly html). Ever noticed that client side scripting gets buried in comment tags? That's actually part of the standard, but it doesn't make it any less fucked up.
The reply to an initial request is a 302 error code, reserved for "Temporarily Moved" documents. Giving this reply is somewhat akin to a lie by the remote webserver.
Yeah, just like how giving me "permission denied" is a bit of a lie on footfetish.com, what they ought to be sending me is the (forget the number) "payment required" http response. Those bastards!
Abusing standards for one-sided gains should not be endorsed. It undermines the standards and punishes those who try to respect them.
How do you feel about all the html tags that netscape introduced? That was an abuse of the html standards process, but it's hard to deny that it dramatically improved the web. Why should http standards be different?
Location Poisoning tries to transparently add states to a stateless protocol. This is a bit like dehydrated water - sounds interesting, but doesn't make much sense.
Come on, every web developer I know spends time trying to establish states on this stateless protocol. Like cookies are an elegant solution.
There are several ways to add states to HTTP, but they are far from transparent. So it appears that in the long (by IT standards) history of the web, absolutely everyone missed this quite simple solution? Hardly a believable claim, is it?
Quite possible. I improve my throughput by using the mouse with my toes. My coworkers insist they've never heard of anything so daft.
Finally, Location Poisoning is a proprietary solution. If you use it, you are binding yourself to one partner. If at a later date you wish to work with someone else, you will have to completely redesign and re-implement your whole customer tracking system. Other mechanisms are open and can be taken over by your new partner. Location Poisoning is patented (or will be soon), and thus can't be used by someone else.
Ever talked to a mac user? They're all pretty relaxed about being married to a single company. (OK, so they were pretty nervous about it a few years ago, but really)
If I'm missing the point here, feel free to flame.
--Shoeboy
Calculator in the URL (Score:5)
http://$urlcalc(about).x42.com/ [x42.com]
According to the copyright notice on the page, this has been up since 1998-06-23, and has won the "Useless site of the year award" for 1998.
Perhaps it wasn't so useless after all.
aka "Location Poisoning", not good (Score:5)
Check out this article [lemuria.org] for a counter argument to this approach.
Quoting from that page:
Why you should oppose Location Poisoning as a customer
As customer, you are paying, so that the company owning the web-pages can profile you. Not only is tracking the default, there also is no way out, no "I don't wanna be tracked" button.
With "paying" I do literally mean money and time. Location Poisoning disables proxy servers, DNS caching and other mechanisms that reduce the amount of net traffic. More traffic means waiting longer for pages to appear, and if you pay for your traffic (most small businesses do) it also means you are paying money that you shouldn't have to pay.
Location Poisoning also abuses HTTP and DNS standards. The reply to an initial request is a 302 error code, reserved for "Temporarily Moved" documents. Giving this reply is somewhat akin to a lie by the remote webserver.
Abusing standards for one-sided gains should not be endorsed. It undermines the standards and punishes those who try to respect them.
Location Poisoning also undermines the purpose of DNS and hostnames. Instead of using DNS to give human-readable names of server machines ("www.lemuria.org" instead of 195.244.121.251), it abuses the DNS to identify a client machine - i.e. you, the customer.