funsec mailing list archives

Re: New IE8


From: David Dagon <dagon () cc gatech edu>
Date: Thu, 28 Aug 2008 15:14:27 -0400

On Thu, Aug 28, 2008 at 11:04:25AM -0500, Big R wrote:

> "smarter address bar that uses previous history to try and predict
> the requested URL."  Scary?

A nice observation.  But you need a thicker tin foil hat, my friend.
Here: use mine.  Wear it when reviewing this post.

We read at:

  http://blogs.msdn.com/ie/archive/2008/08/25/ie8-and-privacy.aspx

that web-bug tracking is addressed in IE8 beta2.

  a) InPrivate Blocking attempts to stop web bugs using a simple
     threshold algorithm.  (If an object is loaded by N sites, perhaps
     N==10 in IE8 beta2, then the resource is deemed a tracking
     object.)

  b) This logic, when available in 90% of the world's desktops, will
     significantly thwart the best intentions of those hoping to spray
     ads on eyeballs: doubleclick, analytic companies, etc.

Got that?  Ok, now put that tin foil hat on now: InPrivate Blocking,
while no doubt welcomed by /. readers, privacy advocates and adblock
users, is secret revenge for the Yahoo deal.  ("If we can't buy a
high-quality ad network, we'll cut off their oxygen and block their
trackers--only MS affiliate trackers will be whitelisted."  And again,
readers are reminded of the scope of this mailing list: *fun*sec@.)

But if 'InPrivate Blocking' ever defaults to whitelist tracking
objects affiliated with the desktop vendor, then this thread would no
doubt move to other, more serious mailing lists.  (For our sake, let's
hope Ben Edelman reads funsec.)

Now, without wearing that tinfoil hat, look closely at "InPrivate
Subscriptions", where readers can "augment" their privacy by
"delegat[ing] these [granular privacy] decisions to publishers" of
block lists.  I.e., instead of blocking/allowing selected tracking
objects, one can instead subscribe to (opaque) services that
whitelist/blacklist resource objects.

Since anyone can publish an XML InPrivate Subscription for IE8, this
is not unlike the chaotic adblock filter subscription offerings,
except the "InPrivate Subscription" providers are not well defined,
and their financial relation to the desktop creator is not yet
known[0].  On the mo' zilla side, I trust just a fraction of the block
lists at:

   http://adblockplus.org/en/subscriptions

but I can at present identify almost all the authors of these lists.
Hopefully the "InPrivate Subscription" providers will be as
transparent.  Hopefully the "Privacy Industry" (adblock, MS/IE8's
team, Firefox) will listen to "Big Privacy's" lobbyists (EFF, the
younger, pre-2003 Scott McNealy, Edelman, etc.), and adopt an ethical
standard:

  -- adblock lists must show the provenance of the adblock list:
     SAML tokens, x509 certs, Liberty Alliance specifications, pgp
     keys, rfc1324 ideas ... pick your flame war.

  -- an adblock list provider shall have no financial relationship
     to any ad network.

For my part, I've loaded some honeypots with IE8
(9a2b14b0f8219d55d013babe60459d13 IE8-WindowsXP-x86-ENU.exe
8.0.6001.18241 beta 2), turned on permutations of InPrivate Blocking
options, hooked up a python PAMIE driver, and am logging the types of
ads that get loaded/blocked.

Now, in the full spirit of funsec@, I'd like to offer my ultimate
solution to web privacy: deliver all webpages to US viewers encoded in
1080p video format; no more html.  The privacy of my video rentals is
protected by the Video Privacy Protection Act.  I'd like similar
protection for my text-viewing.  Since medium trumps message, the US
users can avoid the slow cost of penumbral rights adjudication, and
broadcast the web in HighDef.  At least with 'Web-2.1080p', your
privacy rights are clear.



[0] Here, I exclude Ad Muncher, Scott Lemmon's wonderful Proxomitron,
    greasemonkey, InternetJunkbuster, and the mix of GPL, commercial,
    and free-beer filtering proxies.

-- 
David Dagon              /"\                          "When cryptography
dagon () cc gatech edu      \ /  ASCII RIBBON CAMPAIGN    is outlawed, bayl
Ph.D. Student             X     AGAINST HTML MAIL      bhgynjf jvyy unir
Georgia Inst. of Tech.   / \                           cevinpl."
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
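The threshold heuristic described in the post (a third-party resource is deemed a tracking object once N distinct first-party sites have loaded it, with N perhaps 10 in IE8 beta 2) can be modelled over a browsing log. The following is an added example, not IE8 code and not anything from the post or its author; every host, path and log entry in it is constructed, the default threshold of 10 is taken from the post's "perhaps N==10", and the allow-list parameter is an assumption added to illustrate the whitelisting concern the post raises.

```python
"""Toy model of a cross-site threshold heuristic for tracking objects.

Added example (not IE8 or InPrivate Blocking code).  A resource is a
tracking candidate when it is loaded from a host other than the page's
own and has been seen on at least `threshold` distinct first-party
hosts.  Distinct sites are counted, not raw loads, so ten hits from one
site do not trip the heuristic.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed browsing log: (first-party page URL, resource URL).
# Ten made-up first-party sites; hosts and paths are invented.
SITES = [f"site{i}.example" for i in range(1, 11)]
CONSTRUCTED_LOG = (
    # a 1x1 beacon loaded on all ten sites (the classic web bug)
    [(f"http://{s}/index.html", "http://tracker.example/pixel.gif?id=1") for s in SITES]
    # a shared JavaScript library on a public CDN, also on all ten sites
    + [(f"http://{s}/index.html", "http://cdn.example/jquery.js") for s in SITES]
    # a widget embedded on only three sites
    + [(f"http://{s}/index.html", "http://widget.example/w.js") for s in SITES[:3]]
    # a first-party image: never a tracking candidate
    + [("http://site1.example/index.html", "http://site1.example/logo.png")]
    # the beacon again from site1 with a different query string: same
    # resource, same site, so it must not raise the count
    + [("http://site1.example/about.html", "http://tracker.example/pixel.gif?id=2")]
)


def resource_key(resource_url):
    """Identify a resource by host + path; the query string is ignored so
    per-visitor cache-busting parameters collapse onto one object."""
    parts = urlsplit(resource_url)
    return f"{parts.hostname}{parts.path}"


def site_counts(log, allowlist=frozenset()):
    """Map each third-party resource to the set of first-party hosts that
    loaded it.  Hosts in `allowlist` are skipped entirely; this is the
    knob the post worries about, since whoever controls it decides which
    trackers are never counted."""
    seen = defaultdict(set)
    for page_url, resource_url in log:
        page_host = urlsplit(page_url).hostname
        res_host = urlsplit(resource_url).hostname
        if res_host == page_host:
            continue  # first-party load, out of scope
        if res_host in allowlist:
            continue  # exempted by the (trusted?) list publisher
        seen[resource_key(resource_url)].add(page_host)
    return seen


def flag_tracking_objects(log, threshold=10, allowlist=frozenset()):
    """Return the resources seen on at least `threshold` distinct sites."""
    counts = site_counts(log, allowlist)
    return sorted(res for res, sites in counts.items() if len(sites) >= threshold)


def report(log, threshold=10, allowlist=frozenset()):
    """Per-resource distinct-site counts, for inspection of near misses."""
    return {res: len(sites) for res, sites in site_counts(log, allowlist).items()}


if __name__ == "__main__":
    for res, n in sorted(report(CONSTRUCTED_LOG).items()):
        print(f"{n:3d} sites  {res}")
    print("flagged:", flag_tracking_objects(CONSTRUCTED_LOG))
    # The shared CDN library is flagged alongside the beacon: the count
    # alone cannot tell a tracker from a popular library, which is why
    # such schemes grow an allow list, and why its provenance matters.
    print("flagged with cdn.example allowed:",
          flag_tracking_objects(CONSTRUCTED_LOG, allowlist={"cdn.example"}))
```

Running the block shows the beacon and the CDN library both crossing the ten-site line while the three-site widget does not; the second run, with `cdn.example` on the allow list, drops the library. That false positive is the practical reason a pure count needs an exception list, and the exception list is exactly the opaque, publisher-controlled component whose provenance the post asks about.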