Re: Unverifiable Transactions / Cookie draft from Rob Hartill on 1997-03-16 (ietf-http-wg@w3.org from January to March 1997)

From: Rob Hartill <robh@imdb.com>
Date: Sun, 16 Mar 1997 02:50:57 +0000 (GMT)
To: http-wg@cuckoo.hpl.hp.com
Message-Id: <Pine.NEB.3.95.970316015647.18601A-100000@localhost.imdb.com>

On Sat, 15 Mar 1997, Koen Holtman wrote:

> >Of course
> >smaller providers will now have to absorb what amounts to double the
> >cost per transaction due to their servers have to act as a middle man
> >for advertising.
> 
> The cost would not be doubled: the image could still come from
> doubleclick by means of 302 redirection.

It'd be more than "double" for many sites. If they're currently out
of the loop there's no overhead. If they become part of the loop and
have to do a '302' redirect then they have some new overhead. That's
worse than double.

Bringing the "smaller" site into the loop also introduces problems
with some proxies and browser caches which will hit the content site
to get the "302" but use a cache instead of proceeding to the advertisers
site. There are ways around that. From experience I can assure you they
aren't 100% satisfactory.

For the record, my company is part of the Doubleclick network and we already
use 302s. I dislike ad cookies myself, but I do accept them (temporarily
that is - my cookie file is read-only so I get fresh ones each session).
This is a must for me because I have to do a lot of link validating and
content checking of other sites. I often end up with dozens of cookies
by the time I'm done and dread to think what kind of user profile I'd
collect considering the diversity of site I have to check.

I don't know if this is possible, but we might end up with something
crazy like the following as a way to set the cookie behind the user's
back..

- user visits content site 'X'.
- X sees user hasn't got X's cookie so bounces user to ad site Y
- ad site Y sets its cookie and redirects user back to content site X
- content site X sets its own cookie.

So the user goes on a quick (unseen perhaps) trip to set the cookies
needed to get us back to where we are today.

> 1) If you visit search engine X, your browser allows doubleclick
>    to know what you are doing!

That's not quite fair. Doubleclick won't know what you're doing other
than visiting one of its network sites.

> 2) If you visit search engine X, your browser allows search engine X
>    to know what you are doing!

Perhaps a more scary scenario would be

3) If you visit search engine X, they will monitor your activities on
behalf of DoubleClick.

It's not what's going to happen, but if network sites end up being
"cookie proxies" on behalf of another company, then the suspicion might
be there.

--
Rob Hartill   Internet Movie Database (Ltd)
http://us.imdb.com/                   -  Free cookies for selected users.
http://us.imdb.com/usr/sweepstake     -  Win a 56k X2 modem. Free draw.

Received on Saturday, 15 March 1997 18:53:43 UTC