funsec mailing list archives
Re: New IE8
From: David Dagon <dagon () cc gatech edu>
Date: Thu, 28 Aug 2008 15:14:27 -0400
On Thu, Aug 28, 2008 at 11:04:25AM -0500, Big R wrote:
"smarter address bar that uses previous history to try and predict the requested URL." Scary?
A nice observation. But you need a thicker tin foil hat, my friend. Here: use mine. Wear it when reviewing this post.

We read at:

   http://blogs.msdn.com/ie/archive/2008/08/25/ie8-and-privacy.aspx

that web-bug tracking is addressed in IE8 beta2.

   a) InPrivate Blocking attempts to stop web bugs using a simple threshold algorithm. (If an object is loaded by N sites, perhaps N==10 in IE8 beta2, then the resource is deemed a tracking object.)

   b) This logic, when available in 90% of the world's desktops, will significantly thwart the best intentions of those hoping to spray ads on eyeballs: doubleclick, analytic companies, etc.

Got that? Ok, now put that tin foil hat on now: InPrivate Blocking, while no doubt welcomed by /. readers, privacy advocates and adblock users, is secret revenge for the Yahoo deal. ("If we can't buy a high-quality ad network, we'll cut off their oxygen and block their trackers--only MS affiliate trackers will be whitelisted." And again, readers are reminded of the scope of this mailing list: *fun*sec@.)

But if 'InPrivate Blocking' ever defaults to whitelist tracking objects affiliated with the desktop vendor, then this thread would no doubt move to other, more serious mailing lists. (For our sake, let's hope Ben Edelman reads funsec.)

Now, without wearing that tinfoil hat, look closely at "InPrivate Subscriptions", where readers can "augment" their privacy by "delegat[ing] these [granular privacy] decisions to publishers" of block lists. I.e., instead of blocking/allowing selected tracking objects, one can instead subscribe to (opaque) services that whitelist/blacklist resource objects.

Since anyone can publish an XML InPrivate Subscription for IE8, this is not unlike the chaotic adblock filter subscription offerings, except the "InPrivate Subscription" providers are not well defined, and their financial relation to the desktop creator is not yet known[0].

On the mo' zilla side, I trust just a fraction of the block lists at:

   http://adblockplus.org/en/subscriptions

but I can at present identify almost all the authors of these lists. Hopefully the "InPrivate Subscription" providers will be as transparent.

Hopefully the "Privacy Industry" (adblock, MS/IE8's team, Firefox) will listen to "Big Privacy's" lobbyists (EFF, the younger, pre-2003 Scott McNealy, Edelman, etc.), and adopt an ethical standard:

   -- adblock lists must show the provenance of the adblock list: SAML tokens, x509 certs, Liberty Alliance specifications, pgp keys, rfc1324 ideas ... pick your flame war.

   -- an adblock list provider shall have no financial relationship to any ad network.

For my part, I've loaded some honeypots with IE8 (9a2b14b0f8219d55d013babe60459d13 IE8-WindowsXP-x86-ENU.exe 8.0.6001.18241 beta 2), turned on permutations of InPrivate Blocking options, hooked up a python PAMIE driver, and am logging the types of ads that get loaded/blocked.

Now, in the full spirit of funsec@, I'd like to offer my ultimate solution to web privacy: deliver all webpages to US viewers encoded in 1080p video format; no more html. The privacy of my video rentals is protected by the Video Privacy Protection Act. I'd like similar protection for my text-viewing. Since medium trumps message, the US users can avoid the slow cost of penumbral rights adjudication, and broadcast the web in HighDef. At least with 'Web-2.1080p', your privacy rights are clear.

[0] Here, I exclude Ad Muncher, Scott Lemmon's wonderful Proxomitron, Greasemonkey, InternetJunkbuster, and the mix of GPL, commercial, and free-beer filtering proxies.

-- 
David Dagon              /"\                          "When cryptography
dagon () cc gatech edu   \ /  ASCII RIBBON CAMPAIGN    is outlawed, bayl
Ph.D. Student             X     AGAINST HTML MAIL      bhgynjf jvyy unir
Georgia Inst. of Tech.   / \                           cevinpl."
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
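
Added example, not part of the original post and not IE8's code: a model of the threshold rule in (a) combined with subscription-list overrides, for auditing which resources a list's allow entries exempt from threshold blocking. The log format, function names, the allow/block host sets and the hostname-equality test for "first party" are assumptions; the sample data is constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

THRESHOLD = 10  # the post's guess for IE8 beta 2 ("perhaps N==10")

def host(url):
    return (urlsplit(url).hostname or "").lower()

def classify(observations, threshold=THRESHOLD, allow=frozenset(), block=frozenset()):
    """Map resource_url -> (verdict, distinct_site_count).

    observations: (page_url, resource_url) pairs from a browsing log.
    allow/block: resource hosts taken from a subscribed list (hypothetical
    model, not the IE8 XML format); list entries override the threshold.
    """
    sites = defaultdict(set)
    for page_url, resource_url in observations:
        page_host, res_host = host(page_url), host(resource_url)
        if not page_host or not res_host or page_host == res_host:
            continue  # first-party loads are never counted
        sites[resource_url].add(page_host)  # a set, so repeat visits count once
    verdicts = {}
    for resource_url, seen_on in sites.items():
        h = host(resource_url)
        if h in allow:
            verdict = "allowed-by-list"
        elif h in block:
            verdict = "blocked-by-list"
        elif len(seen_on) >= threshold:
            verdict = "blocked-by-threshold"
        else:
            verdict = "allowed"
        verdicts[resource_url] = (verdict, len(seen_on))
    return verdicts

def list_overrides(observations, allow, threshold=THRESHOLD):
    """Resources that the list's allow entries exempt from threshold blocking."""
    base = classify(observations, threshold)
    return sorted(u for u, (v, _) in base.items()
                  if v == "blocked-by-threshold" and host(u) in allow)

# Constructed sample log: (page visited, object it loaded)
SAMPLE = (
    [(f"http://site{i}.example/", "http://ads.tracker.example/bug.gif") for i in range(12)]
    + [(f"http://site{i}.example/", "http://cdn.partner.example/pixel.gif") for i in range(10)]
    + [(f"http://site{i}.example/", "http://widgets.example/lib.js") for i in range(3)]
    + [("http://site0.example/", "http://site0.example/logo.png"),       # first party
       ("http://site0.example/", "http://ads.tracker.example/bug.gif")]  # repeat visit
)
```

Running list_overrides() against a candidate subscription before trusting it shows exactly which above-threshold objects that list would let through.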
Current thread:
- New IE8 Big R (Aug 28)
- Re: New IE8 Valdis . Kletnieks (Aug 28)
- Re: New IE8 Alex Eckelberry (Aug 28)
- Re: New IE8 James Matthews (Aug 28)
- Re: New IE8 Alex Eckelberry (Aug 28)
- Re: New IE8 David Dagon (Aug 28)
- Re: New IE8 Valdis . Kletnieks (Aug 28)