BadPhorm - When good ISPs go bad! :: Forums :: Phorm Discussion :: Tech Talk |
Catch 22 - New Phorm detection code |
felixcatuk | Registered Member #95 | Joined: Wed Mar 05 2008, 12:03AM | Posts: 2593

I've coded up an idea that many people have suggested to me, and I know many have produced similar examples previously.

This is a pure server side solution based on two cookies, and detecting the presence or absence of the webwise uid. But I've made the code generate realistic webwise UIDs, and use an ever changing name/value pair for the tell tale.

The server side code deliberately sets a bogus Webwise UID cookie (assuming Phorm will attempt to hide their phorged cookie by stripping it from server requests). A second tell tale cookie is set, using an ever-changing name and value.

If neither cookie is returned, the user has blocked cookies for the site.
If the tell tale cookie is returned, but does not compute, the connection is being corrupted.
If the tell tale cookie is returned, but not the Webwise cookie, you know Phorm is active on the connection.

Code/details are available here: https://www.dephormation.org.uk/index.php?page=44

[ Edited Sat Nov 15 2008, 11:45PM ]

felixcatuk | Registered Member #95 | Joined: Wed Mar 05 2008, 12:03AM | Posts: 2593

Thinking about it, it would probably be disruptive enough to simply set the tell tale to something very very generic like "username=zyx", or "session=xyz", "shopping_cart=xyz", or "JSESSIONID_bta=xyz" for Phorm to fear meddling with it.

Agh. These muppets must be stopped. STOP PHORM

[ Edited Sun Nov 16 2008, 12:12AM ]

felixcatuk | Registered Member #95 | Joined: Wed Mar 05 2008, 12:03AM | Posts: 2593

Updated the code to incorporate Mel's excellent UID algorithm, and also added a default which sets the UID to opted out... so as to ensure the user isn't involuntarily opted in to Phorm.

Fanjita | Registered Member #555 | Joined: Fri Oct 03 2008, 12:50AM | Posts: 36

Not so sure about the disruption caused by the telltale occasionally being invalid. Obviously having a changing value for it helps to avoid detection, but do you actually care what the value is that gets returned? I can't see any value in Phorm manipulating the value of that cookie - if they noticed it's there, they should just do chicanery with their own cookie, rather than yours.

I think it's probably best to ignore the value found there. This would avoid the monthly errors, making a much more visitor-friendly system for no cost in security. One visit a month your cookie will disappear due to the name change and need to be updated to the new name, but that's the case already so there's no less security than currently.

One other issue - you're going to be leaving a lot of cookie litter around. Best to set an expiry time of a month on these cookies that are only valid for a month...!

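The decision rules from the first post, with the month-long cookie expiry suggested in the last reply, written out as an added Python example; this is not felixcatuk's code from dephormation.org.uk. Assumptions: the decoy cookie name and value are placeholders (the real Webwise cookie format is not given in this thread), and the tell-tale name/value are derived here by an HMAC over the current month with a server secret.

```python
import hashlib
import hmac
from datetime import date

SECRET = b"constructed-demo-secret"   # assumption: per-site server secret
DECOY_NAME = "DECOY_WEBWISE_COOKIE"   # placeholder, not the real Webwise cookie name
DECOY_VALUE = "DECOY-OPTED-OUT-UID"   # placeholder for a realistic opted-out UID
MONTH_SECONDS = 31 * 24 * 3600        # expiry matching the monthly rotation


def telltale(day: date) -> tuple:
    """Derive this month's tell-tale cookie (name, value) from the secret."""
    digest = hmac.new(SECRET, day.strftime("%Y-%m").encode(),
                      hashlib.sha256).hexdigest()
    return "s" + digest[:8], digest[8:40]


def set_cookie_headers(day: date) -> list:
    """Set-Cookie header values for the decoy and the tell-tale."""
    name, value = telltale(day)
    return [f"{DECOY_NAME}={DECOY_VALUE}; Max-Age={MONTH_SECONDS}; Path=/",
            f"{name}={value}; Max-Age={MONTH_SECONDS}; Path=/"]


def parse_cookie_header(header: str) -> dict:
    """Split a request Cookie header into a name -> value mapping."""
    pairs = (item.strip().split("=", 1)
             for item in header.split(";") if "=" in item)
    return {name: value for name, value in pairs}


def classify(cookie_header: str, day: date) -> str:
    """Apply the first post's rules to the Cookie header a client sent back."""
    cookies = parse_cookie_header(cookie_header)
    name, value = telltale(day)
    if name not in cookies:
        if DECOY_NAME not in cookies:
            return "no-cookies"        # cookies blocked (or a first visit)
        return "telltale-missing"      # e.g. monthly name change: reissue both
    if not hmac.compare_digest(cookies[name].encode(), value.encode()):
        return "corrupted"             # tell-tale returned but does not compute
    if DECOY_NAME not in cookies:
        return "decoy-stripped"        # tell-tale intact, decoy removed in transit
    return "clean"
```

On "no-cookies" or "telltale-missing" the server would send `set_cookie_headers()` again and classify on the next request.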