Slashdot Mirror
Netscape 6 is Spyware?
spoon00 writes: "AOL is collecting information on what Netscape 6 users are searching for on sites like google.com. IP address, the date Netscape was installed and a unique ID number are other bits of information AOL is also collecting."
Don't use it. Uninstall NS6 and use Mozilla instead. Same browser - without the unnecessary extra crud AOL bundles into it anyhow.
In IE 5.5 or 6.0, if you click the SEARCH button, then click CUSTOMIZE in the panel that appears, you can choose which engine that IE uses to search for you. If you then click AUTOSEARCH SETTINGS you can set a default search engine.
Once this is done, you can type search terms in the URL box, and if they can't be somehow interpreted as a hostname or domain name, they get routed to your favorite search engine.
But not directly! They go through the host auto.search.msn.com. You can see this quite easily even if you don't have a sniffer. Simply edit your HOSTS file under Windows to redirect the name auto.search.msn.com to some other address, like the loopback address (127.0.0.1). Once you do this, your auto-searches will start failing with 404's, and you will see the URL they use to do the redirection.
I've wondered for a long time what Microsoft does with this data. Fortunately, if you are willing to do a little registry hacking and a tiny bit of extra typing, you CAN avoid this in IE. You can create keywords like "google" that you type first in the URL box, before your search term, and these are redirected from your chosen registry setting to the search engine. These do NOT redirect through MSN so Microsoft can't spy on you. Instead of typing just the "my search term" in the URL box, you type "g my search term" and it goes right to google (or whatever).
This latter ability has existed since IE 3.0, but in current versions of IE it has NOTHING configured in it by default. However, if you download this free tool from Microsoft, it adds a way to configure them. Why is this hidden off as a free download instead of included with IE? Dunno, but feel free to insert your favorite conspiracy theory here.
I asked on the mozilla newsgroups, someone did look at the code and saw nothing.
Another person ran behind a firewall which asked about all connections. Netscape6 clearly went to an AOL address before connecting to Google. Mozilla went straight to Google.
So while I personally haven't looked in the code, I'm pretty confident Mozilla is playing it straight on this one.
You know if Mozilla is sending data to AOL or not by sniffing for it with tcpdump or ethereal, etc.
No funny packets? Don't bother sifting the source if you're not already involved.
Johnny Quest has two Daddies.
The only thing SPAMers invented was spam and new techiques to spam.
Cookies are not a part of the HTTP protocol. They are an extension that was originated at Netscape and deployed without any consultation in the IETF HTTP working group.
Netscape knew that there were privacy issues with cookies but simply did not care. Until PGP cookie cutter came out the only way to turn off cookies was to have the browser ask you each time if you would accept them.
Looking for an Information Security student project suggestion?
Try http://dotcrimeManifesto.com/
Mozilla and Netscape may seem identical, but they are very different:
Even though it was started by Netscape, and Netscape employees make up a significant portion of its developers, mozilla.org is the independent and nonprofit organization to oversee the open source development of the Mozilla browser and its related technologies. mozilla.org's products are free for any company, organization, or individual, to use. They are free to create their own branded products based on mozilla.org's goods. mozilla.org's products are all open source and are meant for developers and testers, not the average computer user.
Also keep in mind that mozilla.org recieves contributions from such large corporations such as IBM and Sun Microsystems, and countless small firms and volunteers.
Netscape Communications is a commercial company, and they make commercial products for regular computer users and businesses.
This is where the distinction between Mozilla and Netscape seems to blur to some people:
In order for Netscape to make Netscape 6 they have to use mozilla.org's work. This involves getting that code from mozilla.org, adding modifications and non-open source parts such as plug-ins, branding it with the appropriate logos and copyrights, testing and stabilizing it, and then release it for download. In other words, Netscape 6 is based on Mozilla, but Netscape 6 is not Mozilla, and Mozilla is not Netscape 6.
This method is similar to how Linux distributors, such as Red Hat, make their own branded and commercial releases of Linux, since Red Hat is not Linux, and Linux is not Red Hat. Red Hat merely uses Linux, and Linux developers have no control over what Red Hat does.
The nature of Mozilla and mozilla.org also allows anyone to create a product based on Mozilla. For example, Nokia and Intel demonstrated prototype Internet appliances in late-1999 using Mozilla. Because of Mozilla's modularity, a scaled down version of Mozilla was the browser used in these test products.
There's 10 types of people in this world, those who understand binary and those who don't.
Whenever I am forced to use an IE on yet another corporate PC I get, I always go to the Tools/Internet Options/Advanced, and change some things to suit my taste on presentation and security (to the extent you can get the latter with IE...)
security/more anonymous browsing
DISABLE Install On Demand
DISABLE Page Hit Counting
DISABLE Page Transitions
presentation
DON'T Show Friendly HTTP messages
(I want the plain servers response back, unedited, dammit!)
DON'T Show Friendly URLs
DON'T Use Smooth Scrolling (smooth scrolling makes my eyes SORE!!!)
Search From Address Toolbar:
DON'T Search From Address Toolbar
(This is the one that completely toggles the autosearch off.)
Security:
turn all the certificate checks and alerts on
also I use the "High" security zone settings for casual browsing
VKh
Well, I just did packet traces, and the results are troubling.
It's for real. No error reporting, no background windows. Search with the button, info goes to Netscape. Search without it, and you don't see the spyware traffic. But it gets worse.
I haven't tested this with the Linux version of Mozilla, so this might be a weird code overlap issue, but Win32 Mozilla build 2002030403 does the same thing.
So i was curious about what was actually being sent to AOL when one did a google search from the netscape bar. Here's the HTTP request: /fwd/lksidus_gg/http://www.google.com/search?q=tes tpriv9&sourceid=mozilla-search HTTP/1.1
GET
Host: info.netscape.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.2) Gecko/20010726 Netscape6/6.1
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, image/png, image/jpeg, image/gif;q=0.2, text/plain;q=0.8, text/css, */*;q=0.1
Accept-Language: en-us
Accept-Encoding: gzip,deflate,compress,identity
Accept-Charset: ISO-8859-1, utf-8;q=0.66, *;q=0.66
Keep-Alive: 300
Connection: keep-alive
There's also the usual data stuffed in the TCPIP header, such as IP address. There are some additional g'day requests to info.netscape.com which might contain unique ID information and would also be matched to TCPIP header info, but if there are any explicit UIDs in this packet i must be missing em.
The developers probably had a good reason for setting things up this way: If the URL for a search engine changed, they could always update their fwd script and prevent users from going to a broken page. Unfortunately, this means data gets sent to a site other than that intended by the user. A much better way of doing this would be for the client to check for updates to the search URLs and store them locally.
Just some thoughts.
JS - IBM Metaverse devteam
The opinions expressed here are mine & not necessarily representative of IBM