Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Privacy Your Rights Online

DoubleClick Workaround: IDcide 241

No cookies with offsite GIFs: that's the privacy solution implemented by IDcide (take a moment to register the pun, OK, there ya go). Here's technical background on offsite cookies; here's the CNNstory; here's the software FAQ (it's only available for Windows/MSIE). If you're not sure why offsite cookies matter, you must read this. And, not to rain on IDcide's revenue model -- their product does other stuff too -- but why isn't offsite cookie rejection built into all browsers? Anyone from Mozilla want to talk about this?
This discussion has been archived. No new comments can be posted.

DoubleClick Workaround: IDcide

Comments Filter:
  • by Anonymous Coward
    Here's a similar program. It doesn't deal with DoubleClick - instead it removes Aureate "spyware" from your system (win32 only). More info/download here [grc.com]
  • by Anonymous Coward
    The banner ad at the top of CNN's website (I suppose not since you alll got them blocked already). I thought it was pretty funny though.

    Also I like the quote from their president...

    "We found out that this is a big issue when we started working on another personalization tool that infringed on privacy," says co-founder Ron Perry.

    Am I the only one who has doubts about installing this thing? Closed source, patent-pending technology from a group that was involved in infringing-now-protecting our privacy(I'll be honest I didn't see any mention of the license on their website, but I didn't see any source offered either). Sure there are ways of finding out if this thing works, and I'm sure I'll hear about it if they don't via a Slashdot headline, but screw being an early adopter for this one...
  • I can't think of any good reason, other than ads, to send a cookie with a graphic image

    Sometimes you might want to set more than one cookie. The cookie spec doesn't allow for more than one per set of headers.

    But the whole off-site/originating server thing is nonsense anyway; a simple workaround for sites would be to have some proxy happening on their server to a Doubleshit or whatever server, simply passing info between the two. Your browser would then accept the cookie but the data is still getting to and from Doubleclick.

    Cookies suck anyway - find a web site with a real designer who can make your session last for the whole time you're at the site without using cookies. Cookies were only for per-session permanence anyway.

    Ciao

  • Amiga IBrowse has this neat feature [telia.com]. I hope Mozilla follows with something similar.

    --
  • Otto wrote:

    The option they NEED, and the one I described, is simple: Only accept cookies originating from the same server as the page being viewed. Or perhaps, disallow cookies with non-HTML files. I can't think of any good reason, other than ads, to send a cookie with a graphic image.

    Actually, I co-maintain a small site [xoom.com] which uses cookies in off-site non-html files. This is used to customize the style sheet used in some otherwise static HTML documents placed on a separate server. The style sheet doesn't set any cookies, of course, but it does rely on the browser to send the cookies as part of the HTTP request. I can think of similar uses of cookies to choose between different image files based on the cookies set in the browser.

    Ignoring "SetCookie" headers in off-site/image file responses, as you suggested, is probably okay, although someone could probably think of a non-advertising related case where that functionality is useful. Just make sure not to kill the (IMHO very) useful functionality described in the previous paragraph.

  • by Samus ( 1382 )
    It mentions in their faq Patent pending technology. I wonder what the pending patents cover?
  • Actually, it doesn't work that way either. At least not with Nutscrape. Theoretically.

    The Preferences dialog box in Netscape 4.x reads "Only accept cookies originating from the same server as the page being viewed." So, let's say that the page's URL is http://foo.com/qux.html. qux.html has an IMG tag that refers to http://bar.com/cgi-bin/adcrap?blahblah, causing Netscape to open a new HTTP connection to bar.com. bar.com may send a cookie to Netscape, but if you chose the option mentioned above (not the default, BTW), this cookie won't be accepted, because the page came from foo.com, not bar.com.

    This is only theory. I hope this is how Nutscrape actually works. If it doesn't, screw Nutscrape.

  • Unfortunately, I don't have M14 on this machine, but I installed it at work 2 days ago and could swear there's an option to refuse cookies that orginate from sites other than the current one.

    Anyone else got M14 installed and can check?

  • In argumentation, begging the question usually refers to a statement in which "the truth of the conclusion is assumed by the premises" (Stephen's Guide to Logical Fallacies -- Begging the Question [intrepidsoftware.com]).

    For example, stating "I hate school because it sucks" is begging the question.

    Kythe
    (Remove "x"'s from
  • Strange... I have it on my NAT box, with no problems.

    ---

  • Mozilla has cookie management, a sidebar, an open-source development model, built-in RDF for real-time updates to data in the sidebar (see f.e. the bookmarks tab), and an article on how to do it [xml.com].

    That means the only thing they are missing is you writing the code. Go to it!

  • What we really need is a list of domains and subnets to which we may silently refuse cookies.

    Mozilla does this. In the Preferences, under Advanced->Cookies I choose "Accept only cookies that get sent back to the original server" AND "Warn me before accepting cookies." This will enable the cookie manager. Now when ANYONE offers you a cookie, not only can you accept or reject the cookie, you can tell Mozilla to remember your decision.

    You can then go to Tasks->Personal Managers->Cookie Manager to manager your cookies. From there you can view and delete cookies under the "Stored Cookies" tab. Under the "Website Settings" tab you can see which sites can or can't set cookies. By deleting entries from here you will be questioned about it the next time the site tries to set a cookie.

    For example, The only cookie I have stored is the user cookie from /., also /. is the only site allowed to set cookies. For the first several sessions the user has to make a bunch of choices on who can and can't set cookies. But since these are remembered between sessions, eventually you don't have to bother with cookie choices to much.

    I think this is a great method of managing cookies, I don't see need for anything else, nor can I think of anything else that could be added.

    JungleBoy
  • I hate to sound like a pedant around here, but it's worth pointing out that since IDcide is closed source, you are relying on your trust of their company to determine that there aren't any "hidden" features to this software. It's not too farfetched to imagine that this utility is also secretly sending out private information, just the thing the user is trying to prevent by using it.

    As another poster noticed, this program modifies your cookies with something about "qbots.com", which turns out to be a parent company.

    I'm sure a little packet sniffing could turn up something...

  • I've found it works better when I *don't* have a local webserver getting the requests. So the thing to do if you're using a local Apache, is to tell your apache explicitly to bind to the 127.0.0.1 address, and use your /etc/hosts to redirect doubleclick and others to 127.0.0.2 (note the 2). it's still on the 'lo' interface, so it doesn't get out to the network, but apache won't get the hit.
  • There is an image checkbox that does the same thing! Which blocks images (read ads) from servers that aren't the originating server.

    It is not useful (at least until it is possible to fine tune it), because many of the web sites (like /.) have a separate server for images, highly tuned for a static data (khttpd?). So with these sites it would be the same like disabling loading the images at all.

    I think there should be a more fine-grained solution. And why implement any in browser, when there is a separate one (JunkBuster [waldherr.org], available even in RPM format).
    --

  • *.doubleclick is kinda harsh... but then i guess you'd never want to go to their website to read stuff like their press releases where maybe they'll announce something that retroactively rights their wrongs...
  • And I just imagined newbie following your advice, then deciding to go to DoubleClicks website to find out what all the fuss is about, only to see a big welcome to apache page.

    As for my logic, I know... It can get rather twisted logic sometimes.

    But a LOT of websites exist only because of monies they get from DoubleClick. You may not like it, but it's the simple truth.
  • I thought your original tip was for editing your hosts file?

    Anyways, did you hear that DoubleClicks CEO stepped forward publicly and put his foot in his mouth by saying that he had grossly miscalculated the effects that his company's actions would have on people's fears about losing their privacy and vowed to discontinue all of their data merging/matching programs?

    Yes, DoubleClicks site isn't the best place to find commentary about what they were doing wrong, but its' a great place to look to find out 1- their side of the story, and 2 - what they're doing about it.
  • ...based on my own habit of locking the cookie file...

    I'd never thought of that. I'll try it :)

  • Presumably each site is free to decide the data format of it's cookies... looking through my own cookies I see some contain plain text while others are non human readable... making passing false info to the enemy tricky...

    BTW, can sites read all cookies... or are they somehow limited by the browser to the ones they themselves set?

  • Yep, iCab is fairly sweet. I'm looking forward to when they finish the feature set.

    BTW, have you ever, ever ever seen iCab smile?

  • I'm afraid that you are wrong... The HTTP pipe is there while loading the page and the cookie does get sent back. (and again if you click on the ad...)
  • There is a simple solution to the banner ad problem (GIF's and cookies)
    I use Internet Junkbuster witch is OSS. IJB home [junkbuster.com] I can specify domains that are banned as well as regular expressions to ban anything from a site.
    I do not see anything from doubleclick, blockstackers etc. That keeps my privacy as well as speed up my page loading...
  • I decide. "I Dee cide". Read the capital letters individually.
  • M14 is ancient history. They are old pretty much already the next day after they get released. That's why you should always get a nightly build. Especially if it's a long time since the last milestone.

    In my Mozilla build 2000031715 the cookie setting is: "Accept only cookies that get sent back to the originating server" while M14 had that old setting you mentioned.

  • I used to keep my cookies symlinked to /dev/null.
    Cookies?
    Sure, I'll take you're cookies. I just put them right over here...
  • First of all, has anyone gathered a list of site using doubleclick? This should be easy enough to get, given the fact that said sites will reference doubleclick in some IMG tag. Soon we could have a complete list of all their business relations, and potentially use that data for something, maybe. Anyway, I figure it just might be interesting to turn the tables on them, and since it would be a new compilation of information, the copyright ownership would not be theirs.

    Now, if the browsers didn't pass cross-domain or cross-host HTTP referer information on requests that also had a cookie, we could could still get the benefits of cookies within a site, but the request for the ad image would have no referer data. What would DoubleClick do with no referer info? Refuse to give is the ad image? :-)

    Since I just happen to be setting up a squid proxy this week, and I always compile primary services from the latest source code, I figure I'll take a peek under the hood and see how easy it would be to make it modify the request so that if the domain of the cookie and the domain of the referer do not match, discard one or the other, or both, of them before sending on the request.

  • Not only is their product not available where I want it (Linux/Mozilla), I saw this on their FAQ page:
    "IDcide's
    patent-pending technology automatically distinguishes between persistent cookies sent to the site you are visiting and persistent cookies that are sent to external sites. "
    Hmmm. Seems to me if the code I am presently working on (which allows the user to set a preference on my site as to whether or not they wish to receive third party ads/cookies/etc., participate in demographic surveys, etc.), then I might be in violation of a patent. Or if I take the same logic and create a plug in for Mozilla, I'm in violation of patent law. [If I were to reverse engineer the technique (which I don't need to), who knows how many laws I'll be in violation of by the time this type of crap is over...]

    So IDCide? No, I decided already -- skip it, and find some prior art to defeat their patent as well.

  • Erm.. Not sure what you're using, but that option is NOT in Netscape 4.6...

    There's a "Accept only cookies that get sent back to the originating server" option, but if the GIF comes from another server, then it's all good.

    This should actually be real simple to implement. In your cookie routine, do something like: if (cookie.hostname != address_bar.hostname) return without_setting_the_damn_cookie..

    Or something like that...

    ---
  • I think it's great that all of these companies are creating products that do all these things but I *STILL* think junkbuster is the best solution. I would prefer that I only get cookies from the sites I allow and that's it. Nothing more. junkbuster follows the best security model. Denied unless explicitly allowed. There are average users here at the office who still have dialup at home and have installed the win32 version. If they can do it, anyone can.
  • Even better - what about a simple Perl script that you would run a couple of times a day that would trawl through your cookies file and simply fill the data field with useless junk (or even better, carefully encoded incorrect values)
  • Good post, but if you are quoting JRRT, your
    sig should say "Not all those who wander are lost" instead of "Not all those who wonder are lost".
  • I have a much simpler method of disabling cookies...just make your cookies file read-only.
    I have stuck my Slashdot cookie and one or two more for sites I want to autologin to and then read onlyify (sic) my .netscape/cookies file - and it works. Sites that insist on sending you cookies work fine but nothing is saved....
    just my two euros...

    tom
  • Doesn't exactly sound revolutionary to me. In fact, this sounds a lot like what the Junkbuster proxy can do, which runs on Linux and Windows, can also block ads, and is released under the GPL. http://www.junkbuster.com [junkbuster.com].
  • And this sometimes happens with Slashdot, of all places! Anyone know why? Ideas for a fix? (Junkbuster is out, only 64MB RAM here :-(

    64MB is *PLENTY* of RAM for Junkbuster. I run it on my work machine, a PII-266 Linux box with only 32MB. I just checked with top, and Junkbuster is only using a little over a meg of RAM (1332K). And that overhead is more than made up for by the bandwidth, memory, and disk space that was formerly being used to load and display banner ads. I can't recommend Junkbuster highly enough.

  • These days, there are lots more ways for the AD authorities to set cookies on your machine. Just to think of a few:
    IFrame Ads
    Layer Ads
    Javascript includes
    I like the idea of blocking the AD domains better.
  • I thought a similar function was already implemented in Edit -> Preferences -> Advanced -> 'Only accept cookies originating from the same server as the page being viewed'
  • Or any of the squid filters.
    I like sleezeball [linux.kz] but the idea is generally understood and sound.
    Are there any publicly available proxies that filter ads? Has anyone written a filter that specifically looks for image cookies and filters them?
    What a public service this would be!
  • The biggest problem with Junkbuster is that you can't configure it to ACCEPT cookies. There's an option for it, but it doesn't seem to work (at least not the version I'm running--is there a newer one?)
    --
  • Proxomitron is an implementation of a very simple but effective concept. It filters the HTML (body as well as headers) coming in and going out.

    It's only for Windows (which I use) as far as I know, but the idea should be easily implementable on any platform. The real brains are the configuration file (i.e., what tags to filter).
  • Um, M14 says "Only accept cookies that get sent back to the originating server". I don't think they changed the meaning of "originating server" by swapping the location of "only" and "accept".

    Can you test the version of Mozilla that you are running? I would be interested to find out if they changed this "originating server" business to mean what everyone assumes it does instead of what it actually means.

    Actually, now that I think about it, I am more scared than ever. Does that radio button mean that cookies are normally allowed to be sent to a non-originating server? I fail to see why anyone would ever want to allow that.

    Mike
  • I do the same thing, but I don't allow cookies in the default(internet) zone. If a site ever complains "you need to enable cookies", then I put them in my trusted sites folder if I think it is worth going to that site.

    Actually, I allow per-session cookies but not persistent ones. Most well-behaved web sites are ok with this, but I wish more people would follow a more polite cookie checking scheme:

    if (!set_persistent_cookie)
    if (!set_temp_cookie)
    show_the_you_need_cookie_page

    Mike
  • Wouldn't it be easier just to disable downloading images that are 468x60? This fixes the problems with ads in general. :)

    -jfedor
  • by Anonymous Coward
    Somebody should build a graphical interface for Junkbuster, and I'm sure a lot more people would use it. Editing config files by hand is a job most non-geeks won't ever like -- or even know how -- to do.
  • Cookies are broken. They've outlived their usefulness, and are hopelessly open for abuse.

    I have two suggestions:

    • For single-session state tracking, cookies serve a purpose -- in fact this is largely what they were designed for. To this end, allowing cookies -- for the duration of a single browser session and possibly less -- may be a legitimate use.
    • For authentication and account-state tracking, stronger, more user-controlled, and less spoofable means are required. One technology already exists -- public key encryption and challenge-response based authentication.

    The first suggestion would allow cookies to be used to track navigation and state through a single session at a site. The functionality is already available in a browser such as Netscape Navigator if you link your cookie file to /dev/null (Linux/Unix) or to a directory (Windows). Cookies are accepted but not permanently stored on your system. The upside is that cookie-dependant features of sites work. The downside is that state such as user ID and passwords have to be re-entered for each browser session.

    PKE/CRA would work based on public/private key pairs, as with PGP. A user could generate as many or few of these key pairs, and optionally share them (both public and private) with other users, as desired. On entering a site requiring registration, the user could choose the key (the session identity) to send the site. If a private, secret identity is chosen, the session is personal. If a generally known key (say, cypherpunks) is sent, the session is authenticated, but not private. The remainder of the session is transacted over secure links (SSL), and cookie or other state-tracking could be used to register and/or log activity.

    The strength of this scheme is allowing a user to specify both the degree of authentication, and identity authenticated used when browsing sites. If desired, keys could be generated and destroyed on a regular basis, reducing the utility of any tracking of keys. Control over whether to authenticate, who to authenticate to, and who to authenticate as, is left to the user.

    Existing browser technology has been driven very strongly by server-side interestes -- user tracking, profiling, and e-commerce vendor desires. The interests of the user have not been represented, and are only partially filled by such patches as IDcide and Junkbuster [junkbuster.com] (I'm another satisfied JB user). We've got the source, and with it the ability to reclaim the power.

    What part of "Gestalt" don't you understand?

  • If anyone wants to see an intelligent way of handling cookies, take a look at iCab on the Mac. Very extensive rules and it is not too over-bearing. I can set it up to accept all cookies from slashdot.org, and reject all from doubleclick.com without any problems. You can view, edit, and delete individual cookies.

    http://www.icab.de/
  • I could understand the outcry about cookie tracking if this data was being used to spam me or send me junk mail. But I've been regularly purchasing online since 1996 and it is blatantly obvious that it isn't being used for spam (some of us might even welcome some relevant spam; all I seem to get is kiddie porn ads and adverts for American cable channels- hmm my nearest US cable dealer is 5,000km away- actually, no, scratch that; all spam sucks). But this data isn't being used for spam or junk mail. It is just plain old MARKET RESEARCH. Market research is good. They find out what we like and offer us more of it. They find out what we think sucks and kill it off. This is A Good Thing, provided they don't spam/junkmail me, which they don't. Instead of adverts for irrelevent products, I get adverts for things I might be interested in. Is this evil? FFS no! Heck half the time I count those interesting adverts as NEWS not annoyances! Okay so I'm sensible and I always put in nospam email and postal addresses, unless I'm actually buying something. But it doesn't take a genius to take those kinds of steps, and you certainly don't need to download yet more taskbar lint to tie up the already unstable Win32 platform. Cookie tracking is NOT a threat. So you loose a bit of privacy. So what? You think regular high street shops don't track your visa card number? You wanna go back to a cash based society? Get real.

    --

  • As long as these programs return valid data, they will be a danger to themselves and others.

    Why not just feed their database with bogus data?

    Just write a perl script to change the ID number for doubleclick and all the other ad sites to some random value. Change it early and often. Soon, the data will be worth little to nothing.

    Screwing with the data is the only way to be sure!
  • No. Read the article [slashdot.org] I wrote last October. The problem is that you can be viewing a page on Site X with a gif from Site DC. The gif gets its own cookie.

    It's good you bring this up. The language:

    "Only accept cookies from the site being viewed"

    is misleading and wrong. That's why it was changed to "accept only cookies that get sent back to the originating server" in the latest Netscape. More techically accurate. Doesn't solve the problem.

    Jamie McCarthy

  • Not to discount anything else you said, but it is possible to send multiple cookies with a response. According to Netscape's spec [netscape.com], "Multiple Set-Cookie headers can be issued in a single server response."

    Now, whether that runs into problems with HTTP header restrictions (section 4.2 of either HTTP spec), that's another question. Multiple Set-Cookie: headers *may* be collapsed into one header with comma-separated cookies, which is a problem if any cookie field has a comma in it (expires, path). But such an event is unlikely, so you're probably safe to send multiple Set-Cookie: headers.

  • That doesn't work for the long term; companies will just learn to make an DNS alias like myads.mysite.com CNAME ads.doubleclick.net. What we need is selective cookie settings, as in "these domains get to set cookies, any others don't, or the other way round), and for embedded content (not only images, but java, html in ilayers, and anything else that a browser will pull automatically when loading a page). Mozilla has something like this for cookies and images, but it doesn't seem to be working yet; at least I couldn't get the user interface for it to work on a daily snapshot a few days ago.
  • After reading the Windows 2001 thread, I realized you missed one...

    127.0.0.1 goatse.cx

    Jay (=
  • ~> cat .junkbuster/block.ini
    www.ctc.123hostme.com
    ads.1for1.com
    www.adbucks.com
    www.adclub.net
    ads.admonitor.net
    a8.g.akamaitech.net
    ads.web.aol.com
    [ many hosts and domains snipped, including *.doubleclick.com]
    bannervip.webjump.com
    ads.ztnet.com
    # LA Times and others
    *.*/RealMedia
    # CNN, C|Net.. etc
    *.*/adclick.html
    *.*/adclick
    *.*/ads
    *.*/Ads
    *.*/*/banners
    *.*/BannerAds
    *.*/banner1.gif
    *.*/groupbanners.phtml
    # the nation
    *.thenation.com/images/aj
    # slashdot.org
    209.207.224.220
    # salon.com
    208.178.101.41
    208.178.101.42
    208.178.101.43
    208.178.101.44
    208.178.101.45
    ~> cat .junkbuster/cookie.ini
    slashdot.org
    slashcode.com
    www.fcmail.com
    >yahoo.com
    >baiting.org
    # note that putting a > means no new cookies will be accepted, but old ones will be reported back (useful to be able to play yahoo games, but avoid yahoo ad tracking :-)
  • This sometimes happens on Slashdot because Slashdot sometimes sends Doubleclick ads. I think it's just the ones for various IBM services. However, I have to say that I'm a bit bothered by it. As a rule, I have Netscape ask whenever someone sends me a cookie, so it is very visible to me when a site uses them. Usually, Slashdot is an easy site to read, since I almost never get sent a cookie (which forces me to click the "Cancel" button) except when logging in (which I don't mind at all.) In the past month, I've gotten several cookies from Doubleclick when loading Slashdot, though. Like I said, it seems to be ads for IBM when I do get them. I don't think I've gotten one in the last couple of weeks though, so maybe it's been stopped.
  • This feature is very nice, and I'm glad to see it implemented. Something else that would be nice would be the ability to set user-defined timeouts on cookies from certain domains. Some web sites pretty much require you to accept the cookies for them to work properly. It would be cool if you could set the expiration time for these sites to some short, reasonable length of time like two or three hours. This would allow you to browse around the site, but when you came back to that site the next day, you would be a new "ID". Result: no long term tracking of who you are. It really bugs me the expiration dates that most sites put on their cookies. Here's an example from news.com:

    The server www.news.com
    wishes to set a cookie that will be sent
    to any server in the domain .news.com
    The name and value of the cookie are:
    s_cur_1_0=0101sisi09537483561aecd3Jx4+POyJakrM2d xqik1qehn5zVyp56a4Ln5crU5M7Rxq2pm5yWp6eppW 0=

    This cookie will persist until Wed Dec 30 17:00:03 2037

    Do you wish to allow the cookie to be set?

    What the fuck? 2037? There is no rational reason to expect that this cookie would be useful in any way whatsoever in 2037. If more sites (any sites??) used rational expiration dates I might have more respect for cookies. As it is, I only accept them when there is a direct benefit to me personally.

  • Why not just create a cookie file that is NFS mounted, and allow free read/write access to it? Even better would be a plugin for browsers that says "for these domains, use this cookie file (NFS mounted) and for all others (ones you care about), use that cookie file.

    Or vice versa depending on your particular cares and concerns. :)

  • The little "Do you want to accept a cookie from x" window in Mozilla has a "Remember this decision" checkbox, which will make it accept or deny all cookies from server x in the future. There is also a very nice cookie management screen which lets you see your saved cookies, delete them, and specify perma-banned hosts.
  • Yet another reason to go "off-the-grid".... that is, decentralizing in yet another way.

    Some time ago, reading one of those alternative-energy magazines, I read speculations that not only was the time coming when people could live "off-the-grid", but that it'd be quite an industry. I wasn't sure at the time, but when I think about this in the context of going off the grid being a decentralization, I can suddenly see a parallel between that idea and the Personal Computer revolution. And PCs have spawned quite an industry...

    Just a thought. So, does anyone know anything about getting off the grid?
    And keeping an internet connection at the same time? :)

  • I did exactly that a while ago, after seeing it suggested here. In the case of Linux, it would of course involve the /etc/hosts file.

    For some reason, however, whenever I hit a site with a DoubleClick banner (ad.doubleclick.net is included in the kill list) the browser immediately forwards to a 404 Not Found page, served up by the webserver on my machine. I hit Back, and immediately it returns to the 404.

    And this sometimes happens with Slashdot, of all places! Anyone know why? Ideas for a fix? (Junkbuster is out, only 64MB RAM here :-(
  • Netscape 4.x has an option which will let you allow cookies only from the domain which they originated from. Images, while they may be grabbed from another domain are considered to be within the "domain" of the whole page.

    So if I'm at foo.com, and foo.com/index.html has an IMG tag linking to doubleclick.net, doubleclick.net's cookie will not be sent back to doubleclick.net.

    I don't recall if it will just be sent back to foo.com, or if it goes into the bit bucket...
  • Actually, the specified option does precisely that. The "originating server" is considered as the server that the page came from, not the server that the image came from.

  • There's a good website that details this very method for several different operating systems. The nice part is that it already has a nice long list of various advertisement domains that you can cut and paste and not have to deal with again.

    Web Ad Blocking Under Linux/Unix, BeOS, MacOS, and Windows [csuchico.edu]
  • You misunderstand HTTP.

    I need to open an HTTP connection to get an image from doubleclick.net. At that time, any cookies I have for doubleclick.net are sent to them, and new cookies can be set for doubleclick.net because I have an HTTP connection to doubleclick.net. The browser doesn't care where it's chasing the IMG tag from, it just knows that on this HTTP connection, it's talking to doubleclick.net. The fact that foo.com pointed me there is irrelevant.

    What we really need is a list of domains and subnets to which we may silently refuse cookies. Banning cookies on IMG requests isn't enough, as many of these sites use mini-javascript bits or other embedded crap in addition to images.

  • I downloaded that power tools [microsoft.com] thing you are talking about. It looks like it will make it pretty easy to add sites to the restricted/trusted list, but it still won't add the sites that the ad GIF's are being loaded from.

    Also, if you manually edit the site list, you can enter a domain name and it will include all the sites in that domain. For example, if you want to block www1.company.com and www2.company.com, you can just enter *.company.com and it will block everything in that domain.

    Unfortunately, it only works for domains with one period. You can't block *.ads.company.com.

    Mike

  • That doesn't work in M14. There is an "Only accept cookies from originating server" box, but as discussed numerous times on this thread, ads.doubleclick.com is the originating server for the image file.

    I tested this as follows(in M14 on win95):

    1. I opened up the cookie manager in M14 and deleted all my cookies.
    2. I clicked the box that says "only accept cookies from the originating server".
    3. I went to www.washingtonpost.com.
    4. I opened up the cookie manager again, and there was a fresh new cookie baked up by doubleclick.net
    I hope that Mozilla offers some new solutions to the cookie problem. Currently, I use IE 5 on windows, specifically because it has better support for denying cookies. I use the "Security Zones" to deny most sites from offering me any cookies. I have the sites set up as follows:
    • Internet This is the default. No persistent cookies, allow temporary cookies.
    • Trusted sites This is where I stick sites that I want to allow cookies from, such as slashdot.org. I reset the "trusted" settings so they are more like the standard ones. I allow any cookies from these sites.
    • Restricted This is where doubleclick et al go. I don't allow anything from these sites; no cookies, no javascript, no java, nothing.
    I know that this is not a perfect system, but for me it has worked better than using /etc/hosts.

    On Linux I have to use netscape, so I have some cron jobs that clean out my cookies.txt file. This is far from safe, but at least they can't track me for days.

    mike

  • Junkbuster is pretty cool, however for some reason it likes to hose the TCP stack on my NAT Linux box causing a reboot to be had, but it plays nice on my desktop Linux box :P

    Wanted to use it for proxying the whole LAN, but I guess one machine is better then none :P

    -- iCEBaLM
  • As a happy user of CookiePal [kburra.com] I recommend it as a cookie filter for windows users. Pops up a window when first seeing a cookie from a new site - you select to allow, deny, forever deny, or forever allow. Also lets you edit your view/delete your existing cookies.
    You make the settings once, it applies them regardless of the browser you are using.
    Here's a review [zdnet.com] of version 1.0 (version 1.5 current). Its not free, but its cheap. $15 USD.
  • With the option you describe set I copied my cookie file to a backup, and then I bounced around msnbc.com until I had seen a few ads. Here's the diff file:
    % diff cookies cookies.old

    5d4

    < www.msnbc.com FALSE /news FALSE 1262347200 LastPopUpDate 953750708849

    8a8,9

    < .msnbc.com TRUE / FALSE 1893455999 MC1 GUID=8A1A06F7A9C54784B38990B4DC73444D

    < .msn.com TRUE / FALSE 1065294000 MC1
    V=2&GUID=8A1A06F7A9C54784B38990B4DC73444D

    < .msnbc.com TRUE / FALSE 1893455999 P1 0


    Note the second to last cookie from msn.com, which is not in the msnbc.com domain. I have also noticed this phenomenon with doubleckick cookies (before I started blocking them). Maybe netscape intended the "only from originating domain" to work as you describe, but clearly it only checks to see if the cookie is being set for the domain to which the HTTP request is being sent, which is useless for blocking cookies attatched to images.


    -rpl

  • That post did not exist when I wrote my post - there was only 1 post when I started, and I thought mine was relevant, and it included more information than the aforementioned post anyway. And my post has generated more conversation so it must be worth something :-)
  • I find that (e.g., zdnet.co.uk cacks out, but zdnet.com is fine, but both use doubleclick) - I found out why! In the html for the cacky pages, they use the <layer> tag to embed a whole html web pages (containing the advert only) inside the current page - to bypass this you have to hit ESC after the page is loaded, but before the computer has given up on the advert and gives a 404. This probably only works on windows though, because it is so slow to respond and I don't run a webserver under it in general! What you really want is an option in browsers to ignore layer tags completely - that would get rid of 50% of adverts immediately!
  • This is funny. I have killed of doubleclcik etc in Windows by aliasing ads.doubleclick.net etc to 127.0.0.1 in a hosts file. I have just submitted a comment and windows in its dumbness tried to get a doubleclick advert (inside the evil layer tag no less) and failed, and brought up the IE failed to load page message (even though the rest of the page had loaded fine - Netscape doesn't suffer from this).

    Here is my hosts file:

    127.0.0.1 localhost
    127.0.0.1 www.doubleclick.net
    127.0.0.1 ad.doubleclick.com
    127.0.0.1 ad.doubleclick.net
    127.0.0.1 ad.uk.doubleclick.net
    127.0.0.1 ad.uk.doubleclick.com
    127.0.0.1 ad.preferences.com
    127.0.0.1 ad.washingtonpost.com
    127.0.0.1 adbot.theonion.com
    127.0.0.1 adpick.switchboard.com
    127.0.0.1 ads.doubleclick.com
    127.0.0.1 ads.doubleclick.net
    127.0.0.1 ads.i33.com
    127.0.0.1 ads.infospace.com
    127.0.0.1 ads.msn.com
    127.0.0.1 ads.switchboard.com
    127.0.0.1 ads.washingtonpost.com
    127.0.0.1 *.doubleclick.net
    127.0.0.1 *.doubleclick.com

    Helps sometimes, but not all the time, and I have to hit ESC when loading The Register... :-(

  • Cookie managment would be a great plus for any next gen browser. Having filtering built *into* the browser is great for non-savy users who know enough to want to protect their privacy but don't know how to set up abox w/ junkbuster. The only browser that I've seen that does this well is iCAB for the mac (others?). By well I mean:
    1. It allows deny, accept, or allow for session on all cookies
    2. you can set it to deny cookies from certain domains, or _only accept_ cookies from certain domains (slashdot anyone ;) ). Net effect, site by site cookie managment for those who want it. It also lets you read the value of the cookie in the browser.

    As an added bonus, iCab also allows you to filter images.
    Cookie and image filtering are at the top of my pretty please list for mozilla. Any browser that supports these is the one I'll use. Is it easier for my mother to set up junkbuster , or set it up in her already existing browser program?
  • > The option they NEED, and the one I described, is simple: Only accept cookies originating from the same server as the page being viewed.

    Well, guess what, that was the intent of that option. Only trouble: it only worked with image tags. However, there are other ways than img tags that can be used to include ads in pages. One way, which has become very popular lately is to use <script src="http://ad.doubleclick.net/..."> tags. These have unfortunately been forgotten by netscape, and can still be used for those pesky offsite cookies. Hopefully, a fix will be included in one of the next versions.

  • FYI, lynx also provides an "Yes/No/Always/Never/Ask" kind of option for handling cookies on a domain-by-domain level.
  • but why isn't offsite cookie rejection built into all browsers?

    Microsoft is blackmailing DoubleClick. :-)

    There's a thread [w3.org] on the www-talk list about this at the moment. Though it's easy to remove cookies from <img>-derived HTTP requests, other features such as frames are not as easy. For example, a banner ad frame at the top of the page is likely, and could easily be passed URI information from the frameset. Disallowing cookies on subframes, however, would break sites running under the likes of AskJeeves, where the 'real' site is viewed as part of a frameset.

    I don't know if IDcide prevents cookies being passed to sites in subframes, or just images. Probably the latter since it's the most common case at the moment. But frame, layer, object, embed and applet have the same problems.

    Given that we were discussing embedded-object-cookie-rejection on www-talk as an obvious way to circumvent cookie abuse, it's somewhat worrying that IDcide Inc. might have a patent on it:

    IDcide's patent-pending technology allows cookies to be blocked according to the site you're visiting, not according to where the cookies came from!

    (From the FAQ.)

    but why isn't offsite cookie rejection built into all browsers?

    Alternative answer: because IDcide have patented it?

    I can't see anything on www.patents.ibm.com yet, so it's unclear whether IDcide have indeed applied for a patent on cookie rejection, or whether it's some technical implementation detail.


    --
    This comment was brought to you by And Clover.
  • I'm personally using Junkbuster on my side and while Netscape crashes less frequently with it (a nice by-product) and I see less banner (there's a modification that replaces banners with 1x1 gif), there is no way that it can do something really important: Javascript filtering

    e.g. those pops up a window when you leave a site, those obfuscate the status bar with junk messages, those who does not allow right-clicking to reveal source, etc.

    There is Proxomitron on Windows. How about us? Is there anything as powerful as that? I've heard that Webfilter (formerly known as NoShit) does it but people says it takes an aweful amount of CPU. Anyone with the experience?

    Don't want to admit, but Junkbuster is child's play compared to Proxomitron. Only if they release the source....
  • Actually you can, well since Version 1.2 according to the docs (and it works for me on version 2.0.2). Just add the URL of the server you want to accept to the "cookiefile". You can use masks there, too, and if you don't care about privacy just an asterisk (*) on a line by itself will allow all cookies. If there is no cookiefile specified, all cookies will be denied (this could be how you're setup). If you go to http://www.junkbuster.com/cgi-bin /show-proxy-args [junkbuster.com] and have Junk Buster running, it will list the arguments that server is running with. Check out their site [junkbuster.com], they have pretty good docs there.
  • I wish I had the time to simply say I'll do it ... but I already have another Open Source project I haven't put enough time into. :)

    I promise you this - if no one else codes this by the time Mozilla is beyond beta, I WILL get this done.

  • Like I said above (in responses to my own post), WHOOHOO! If no one else whips together the dynamic cookie sidebar, I'll do it (just not very soon, so maybe someone else should.) :)

  • ... enough people actually picked up on it. A realistic take on the web browsing public would guess that very few people taking enough interest to use this. Sure, most /. readers probably would love it, but looking at the info they bring in overall, the signal to noise ratio would still be pretty high overall.

    All this would guarantee is that the advertiser's profiles on you would be senseless, and would probably result in you getting your Aunt Susie's mass emails about crocheting and little puppy sweaters. Eeeeww. *grin*

  • chmod 400 .netscape/cookies

    It works under AIX, anyway... after doing that, I went to www.userfriendly.org [userfriendly.org] and clicked on the doubleclick banner ad. After I came back here, I double-checked: no doubleclick cookies (I edited my cookies file to get rid of all the doubleclick cookies first!).

    If I want to accept a cookie, I'll have to undo that temporarily, I suppose.

    Nels
  • Not only is JunkBuster free, it runs on (gasp) other browsers than just IE, and (BIG HUGE GASP) more platforms than just Windows!

    That e-mail address again is support@idcide.com so you can remind them that they need to do better about cross-platform and cross-browser support.

  • Offsite cookies do have a legit use. You'll see sites that are from the same company but under different domains (this happens often after an aquisition, like geocities and yahoo) use them so you can log in once for all the related sites. You may want to block the REF-BY field. This field is rarely used to provide any benefit to the user, but is used to track a user's path through the site. Of course, DoubleClick encodes site information in the URL of the image, too, so they'll know which site you're on separate from REF-BY info. I browse the web through a proxy that blocks ref-by always. Why should people know what terms I searched on, for example, when I find their page?

    --- Speaking only for myself,
  • by Chris Hiner ( 4273 ) on Wednesday March 22, 2000 @08:05AM (#1182707) Homepage
    I use a similar hosts file, and I setup apache using a rewrite rule to send back a 1x1 transparent gif file for any requests. I have it send a tiny html file for any requests for asp/htm/html files to avoid problems with frames and such.

    It'd be possible to have it not rewrite if it was pointing to one of your real pages.

    I just havn't gotten around to setting up junkbuster, because this works so well. (And most of the time from home I browse with images off, which helps alot)
  • by crow ( 16139 ) on Wednesday March 22, 2000 @07:52AM (#1182708) Homepage Journal
    I've done that, and I've taken it one step further. I installed a web server, and set it to respond with a 1x1 transparent gif to all requests. So most pages with ads show up with a blank space.

    Of course, I did this on Linux, but it should work the same under Windows. I just set my 404 error document to be the transparent gif.

    I suppose I should set the error document to be a redirect to http://localhost/null.gif, which would keep my web cache from getting so cluttered.

    Now we just need a good comprehensive list of advertising sites that we can all use.
  • by Tackhead ( 54550 ) on Wednesday March 22, 2000 @09:39AM (#1182709)
    TomV wrote:
    > 127.0.0.1 [adserver] # fsck 'em all

    Better yet, try:

    The Ultimate HOSTS file [deja.com]

    I dunno about the IP address the original USENET poster put in there. I replaced it with 127.0.0.1 and run a "web server" on my own box that responds only to requests from localhost and returns a 1x1 transparent .GIF instead.

    One addendum: I was surprised to see an ad one day, and also had to add ad-adex[0-9].flycast.com instead of just ad-adex3.flycast.com to the list.

    Seriously, when was the last time you ever wanted to see "content" from any of these sites? Blackhole 'em all.

  • by gothic ( 64149 ) on Wednesday March 22, 2000 @07:27AM (#1182710)
    That is not the perfect solution though. Don't forget to include you cannot be running httpd on port 80 if you do that. I use to have those in my hosts file, and I also run a web server, and there were many pages that wouldn't properly load because of it. What would happen is that the page would start loading, and (This didn't happen on all sites) then it would go full screen into my webserver stating that I didn't have permission to access so and so resource or that the file didn't exist (I setup very restrictive permissions since it is private).

    On the other hand, if someone has a solution to this, I would be highly interested in hearing it.
  • by |deity| ( 102693 ) on Wednesday March 22, 2000 @07:35AM (#1182711) Homepage
    in retrospect I think that if other ways of storing information had been used we would be better off. Have any of you tried to run a browser with cookies turned completely off. Their are *many* sites that will not even let you look around. I could live with haveing to log in to slashdot everyday and maybe haveing to log in to a couple of other sites that I have an account on, what I can't stand is the idea that people and corporations are able to some extent track what I do or where go while on the internet.

    Privacy should be by default not something that you have to beg for or opt out of programs to get. "Opt out", people should have to Opt in. Ad companies say that consumers want targeted adds. I don't, if I want to buy something I don't mind searching a little or doing some research. If your a company that uses banner advertising I choose not to buy from you more then I might otherwise.

    When I want to buy a product I want to buy it for the right reasons. It should be the best quality and value around. I don't want to buy something because company foo has better phsychologists then company bar. If you don't think advertising works your wrong. Companies that will downsize to save a few bucks will continue with costly advertizing campaigns because they know that they work.

    There are things in life and yes even things on the internet that are worse then cookies. Losing my privacy is one of the things that I hate the most about this new "information age" we live in. I have emails that I don't want, phone calls that I don't want, mail that I don't want, and tv commercials that I don't want. All of them trying to sell me services or things that I really don't want.

  • by Anomalous Canard ( 137695 ) on Wednesday March 22, 2000 @11:19AM (#1182712)
    but why isn't offsite cookie rejection built into all browsers?

    Once you get out of .com, .net and .org and into national domains, how do you define what is offsite?

    This issue came up on bugtraq when someone found an "evil" cookie on their machine that was sent to all sites in *.com.au. (or *.co.au -- whatever). Two top level domains is insufficient to distinguish different sites in .au and .uk, but it is sufficient in, say, .ca. Even three is insufficient in *.us. *.nyc.ny.us are machines run by lots of different people. Should browsers contain policy for every TLD?

    Anomalous: inconsistent with or deviating from what is usual, normal, or expected
  • by Anonymous Coward on Wednesday March 22, 2000 @08:24AM (#1182713)
    I noticed that after I installed IDcide, all of the new cookies I receive are for the ".qbots.com" domain.

    For example, I previously had a cookie for "moviefone.com" which contained my zip code. Now I have one for "moviefone.com.role1.jar.qbots.com" which seems to have some additional information it it.

    qbots.com is owned by IDcide (just go to www.qbots.com [qbots.com]).

    Maybe I'm just being paranoid...
  • by jelwell ( 2152 ) on Wednesday March 22, 2000 @07:51AM (#1182714)
    Mozilla has a lot of really nice features as far as cookies are concerned. First of all <B>YES</B> Mozilla has a checkbox to only "Accept cookies that get sent back to the originating server only". (Get this: There is an image checkbox that does the same thing! Which blocks images (read ads) from servers that aren't the originating server)

    Not only does it slice and dice, Mozilla allows you to view your stored cookies - and delete them wholesale or individually.

    You can also ad whole domains that you would like to block images from. And, although the interface isn't quite complete, you can ad domains that you will <b>always</B> block cookies from too. One post I saw wanted the ability to view cookies and delete them real time in the sidebar. It would be trivially easy to skin a new Mozilla that has the Cookie Manager window in the sidebar so that you could actively watch cookies and delete them in real time.

    Joseph Elwell.

    <A HREF="http://www.mozilla.org">Make it better.</A>
  • by pen ( 7191 ) on Wednesday March 22, 2000 @09:32AM (#1182715)
    Opera [opera.com] 4.0 for Win32 has such features already. You can reject all cookies, ask it to prompt you, or reject all. You can also set it to reject all cookies from a specified server. Not only that, but you can set it to reject all "foreign" cookies - ones that are included with things other than the page, such as images.

    It also notifies you of invalid cookies being set and why they're invalid. I tried using Hotmail and Opera reported 4 or 5 invalid cookies.

    And if that's not enough, you can always turn to the Internet Junkbuster [junkbusters.org] for the ultimate filtering solution.

    --

  • by Otto ( 17870 ) on Wednesday March 22, 2000 @07:54AM (#1182716) Homepage Journal
    Hmm. Well. Nope, it doesn't.

    Okay. I didn't know what to believe, so I tried a little test. I don't normally use netscape anyway, but I do have it installed.

    I killed the cookie text file. Just deleted it. Start up Netscape (blank home page), so no cookies yet. Change the setting in the preferences. This is Communicator 4.6 for Windows, BTW. Go to a page I know had a doubleclick banner: http://www.userfriendly.org/static/
    Look again, voila, a cookie file. Open it up: There's the doubleclick cookie all right.

    They may have changed the behavior in later versions, I dunno. But the behavior I see is exactly what the option says. Allow cookies that get sent back only to originating server. The cookie originated at doubleclick.net, NOT at userfriendly.org.

    A cookie is not set in HTML, it's set in the HTTP headers. You get those headers with every single web request, be it GIF or HTML.

    The option they NEED, and the one I described, is simple: Only accept cookies originating from the same server as the page being viewed. Or perhaps, disallow cookies with non-HTML files. I can't think of any good reason, other than ads, to send a cookie with a graphic image.

    ---
  • by ottffssent ( 18387 ) on Wednesday March 22, 2000 @08:16AM (#1182717)
    First, edit your cookies file and take out all the cookies you don't want.

    Second, copy the cookies file somewhere else.

    Third, write a script, batch file, etc. to copy the copied cookies.txt into your browser's directory before you run your browser.

    Fourth, if you find a site thta gives you a cookie you want, copy that line to the cookies.txt file that gets copied over.


    That way, while you *do* get cookies, and they *do* get set and sent back to whatever site, every time you open up your browser, you effectively become a new person since there's no cookie to track you between sessions anymore.
  • by kaphka ( 50736 ) <1nv7b001@sneakemail.com> on Wednesday March 22, 2000 @09:30AM (#1182718)
    I post this every time there's a cookie article, and it's probably redundant, but it might help some people...

    I set my "Internet Zone" security settings to prompt before accepting cookies. Whenever somebody tries to send me a cookie, the cookie dialog comes up. If it's coming from the site that I'm actually visiting, I accept it (and I never have to see it again.) If it's coming from doubleclick.net or the like, I refuse it, and then I add that domain to the "Restricted Zone". From then on, IE automatically refuses cookies from that domain (and also disables Javascript, ActiveX, etc.)

    My only complaint is that adding the domain to my "restricted" list is a separate step; it would be nice if I could just click "No, and block all future cookies," and be done with it. But if you're using IE anyway, and you don't want to mess with third party programs, this method works pretty well.
  • by P_Simm ( 97858 ) on Wednesday March 22, 2000 @07:16AM (#1182719)
    Something I'd LOVE to see in Mozilla (and I'd even consider using IE if they were the first to do this) :

    Have a small text sidebar or window that displays changes to cookies AS THEY HAPPEN, and allow us to delete these cookies from this interface. This could be a small, simple text window built in to, say, the button bar. A small floating independant text box would work well too. The key here is, it's small and out of the way so that we can have it on WHILE we browse, and it gives us dynamic information on our cookies which we can intelligently control.

    Of course this would NOT be on by default, since the average user would just mess up their web-based email cookies and complain. But give us advanced users something to work with here.

  • by TomV ( 138637 ) on Wednesday March 22, 2000 @07:16AM (#1182720)
    From HOSTS...

    127.0.0.1 ad.doubleclick.net #spamfilter
    127.0.0.1 m.doubleclick.net #spamfilter
    127.0.0.1 ad.webprovider.com #spamfilter
    127.0.0.1 image.linkexchange.com #spamfilter
    127.0.0.1 jeeves.flycast.com #spamfilter
    127.0.0.1 www.flycast.com #spamfilter
    127.0.0.1 www.burstmedia.com #spamfilter
    127.0.0.1 www.247media.com #spamfilter
    127.0.0.1 www.ad-venture.com #spamfilter
    127.0.0.1 www.adauction.com #spamfilter
    127.0.0.1 www.adsdaq.com #spamfilter
    127.0.0.1 a32.g.a.yimg.com #spamfilter YahooAds
    127.0.0.1 www.pagecount.com #spamfilter
    127.0.0.1 www1.pagecount.com #spamfilter
    127.0.0.1 www2.pagecount.com #spamfilter
    127.0.0.1 www3.pagecount.com #spamfilter
    127.0.0.1 www4.pagecount.com #spamfilter
    127.0.0.1 ad.linkexchange.com.com #spamfilter
    127.0.0.1 www.smartclicks.com #spamfilter
    127.0.0.1 mojofarm.mediaplex.com #spamfilter
    127.0.0.1 www.etour.com #spamfilter ads in GetRight

    ____________
    TomV

  • In Australia there are pilot projects where utility companies (Electricty, water, gas) have the capacity to backchannel data via their metering devices. This back channel could also be used for TV ratings, satellite downlinks (for Internet Access), security system monitoring and much more. Add FlyBuys to this. So, not only would your favourite TV shows, Internet sites would be known, the times you are home, when you are most likely to be sitting on the toilet, etc. can also be inferred by compiling the information fed back thorugh such a back channel. It will not be long before many databases are amalgamated - FlyBuys, Debt Collection, TV Ratings, Personal Information ,etc. Think of the possibilities then.
  • by Booker ( 6173 ) on Wednesday March 22, 2000 @07:18AM (#1182722) Homepage
    I've been using Junkbuster [junkbusters.com] for quite a while now. It's awesome, and it's free.

    ---

  • by bifurcator ( 80430 ) on Wednesday March 22, 2000 @08:10AM (#1182723)

    Why not go one step further? If companies like DoubleClick want to collect information on you through cookies, let them.

    One thing I imagine you could is actively contaminate the personal information that they are managing to collect on you. How would you do that? You could set up a shared cookie repository somewhere on the web. Everytime a banner network plants a cookie on your machine, you could submit it to the repository. Everytime you are about to send a cookie back to the same banner network, you would get grab someone else's cookie from the repository and send it to the unsuspecting banner ad server.

    To reiterate, if you were to send your Aunt Susie's cookie to DoubleClick everytime their banner ad displays on your page, you would contaminate Aunt Susie's personal profile in the DoubleClick database.

    If a lot of people were to cooperate in this way, they could render their personal profiles totally useless to advertisers, because the signal to noise ratio would be very low.

Invest in physics -- own a piece of Dirac!

Working...