1997-05-18 - Re: referers and W3 (fwd)

Header Data

From: Hal Finney <hal@rain.org>
To: cypherpunks@cyberpass.net
Message Hash: 1a02c3d0772774f1d45d49dfb226c2560a5238b3b73f019daddd34907d00ca88
Message ID: <199705182021.NAA04042@crypt.hfinney.com>
Reply To: N/A
UTC Datetime: 1997-05-18 20:42:03 UTC
Raw Date: Mon, 19 May 1997 04:42:03 +0800

Raw message

From: Hal Finney <hal@rain.org>
Date: Mon, 19 May 1997 04:42:03 +0800
To: cypherpunks@cyberpass.net
Subject: Re: referers and W3 (fwd)
Message-ID: <199705182021.NAA04042@crypt.hfinney.com>
MIME-Version: 1.0
Content-Type: text/plain


Rich Graves, <llurch@networking.stanford.edu>, writes:
> A friend who webmasters a large site that is implementing referer-specific
> content sent me this when I mentioned the cpunks/cryptography thread of a
> few months back. I basically agree with the W3C. While user education on the
> potential privacy threat is essential, I do not believe that Netscape should
> violate published technical standards. There are also privacy and property
> issues from the server's perspective.

I'm not sure what Netscape action you are referring to, but if it is
giving the users the option to block the Referer tag, RFC2068, which is
HTTP/1.1, already endorses this:

     Note: Because the source of a link may be private information or
     may reveal an otherwise private information source, it is strongly
     recommended that the user be able to select whether or not the
     Referer field is sent. For example, a browser client could have a
     toggle switch for browsing openly/anonymously, which would
     respectively enable/disable the sending of Referer and From
     information.

and later:

   We suggest, though do not require, that a convenient toggle interface
   be provided for the user to enable or disable the sending of From and
   Referer information.

I use Eric Murray's fine "cookie jar" privacy program when I am web
browsing on my Linux system (http://www.lne.com/ericm/cookie_jar/).
It blocks cookies and advertisements via a very flexible config file
mechanism.  It also eliminates other privacy-revealing outgoing data,
including Referer, and could be easily modified to play all kinds of
games with Referer for the adventurous.

In the news recently, Ticketron is blocking links from some Microsoft
affiliated sites due to a disagreement about licensing.  I don't know the
details of how it is done technically, but possibly it is done by looking
at the Referer tag to see if the user linked from the Microsoft site.
If so, this would be a good example of the browser sending information
which is detrimental to the user.

Hal






Thread