Idea for tracking sites

rick752 · Post by **rick752** » Sat Nov 18, 2006 6:39 pm

While I was thinking about blocking or not blocking global "tracking" sites, I was torn between not wanting to block someone's simple stats and wanting to stop the 'spyware' behavior of some overzealous tracking services. Some people like the idea of those filters while others don't want them at all .... especially if they are a webmaster who uses a service just to count his hits.

After thinking about all of that, I may have come up with a solution and would like a little feedback about it.

First:
I think that a simple community-made filter (all of us just adding what we considered to be "non-ads" to it would be the easiest way to do it). The list should end up fairly small and should be simple to make. It would be an optional filter for users to add.

Doing that would free up our regular filters so that we wouldn't have to deal with these annoyances and it would give users the choice of 'opting in' or not.

But now we have the problem of people who track hits through their sites with these stat companies .... how do you block something from putting a global cookie tracker on a computer but still allow people to get their hits?

....how about by blocking the script only in the stat counter, NOT the image

Most stat servers have 2 different items ... a script and an image.
A random example of typical stats tracking code on a page would usually be:

Code: Select all

http://www.stats.com/tracking.js
AND
http://www.stats.com/tracking.gif

The image will 'hit' throughout the site, but only the script could set a local cookie. Would everyone be happy if the tracker was listed as:

Code: Select all

stats.com/$script

... which would only eliminate the script address but not the image one.

There would be no cookie set and the webmaster would still be able to record his site hits! Does it make sense?

*EDIT* The second part of the above post is an ignorant error of what I originally thought of how cookies were served. You can follow my "buffoonery" below in the "Rick, the Moron" posts

lavanzo · Post by **lavanzo** » Sat Nov 18, 2006 7:30 pm

And what about HTTP cookies? You do not need a script to place a cookie. Even a simple picture can place a HTTP cookie for tracking.

rick752 · Post by **rick752** » Sat Nov 18, 2006 7:35 pm

lavanzo wrote:Even a simple picture can place a HTTP cookie for tracking.

Is that true? I didn't know that was possible anymore (really).

If that is true, could the cookie be re-read on another site using the same tracker company without the script ... only the image?

lavanzo · Post by **lavanzo** » Sat Nov 18, 2006 7:41 pm

http://en.wikipedia.org/wiki/HTTP_cookie

lavanzo · Post by **lavanzo** » Sat Nov 18, 2006 7:55 pm

Every web master, can generate own statistics, simply by using log stats from the server or by making own php stats. This way he easily can track all users that visit his site and nobody can avoid being tracked. You even cannot notice this as a visitor, because all actions happen server side, without cookies, scripts, etc.

But using third party servers for statistics is always a bad thing.

rick752 · Post by **rick752** » Sat Nov 18, 2006 8:06 pm

lavanzo wrote:Every web master, can generate own statistics, simply by using log stats from the server or by making own php stats. This way he easily can track all users that visit his site and nobody can avoid being tracked. You even cannot notice this as a visitor, because all actions happen server side, without cookies, scripts, etc.

But using third party servers for statistics is always a bad thing.

I understand that, but a lot of webmasters do not have access to their own log files if their site is hosted third-party ... and some 'big bosses' like the nice, organized, graphical interface that an outside service can offer (been there)

And, lavanzo, I've been reading a lot on the image/cookie thing ('cause now I am curious) and I am finding a bit of a 'gray area' here:

From what I've been reading, I don't think an image can actually SET a cookie .... but it WILL respond to one that has ALREADY been set from that server.

*MORE*
No cookie ... no 3rd party tracking across multiple domains. And they don't have access to YOUR log files ... they need THEIR 3rd-party image to generate their own 'log file'. But they really want the script to generate a cookie and compile their own 'tracking' info.

lavanzo · Post by **lavanzo** » Sat Nov 18, 2006 8:42 pm

If you do not believe it, I will show it for you:

Delete all cookies and clear your cache. Then open this following link, simply by pasting it into your address bar:
[Mod removed link. It stretched the page.]

It will load a 1x1 image and place a cookie from a advertiser.

You can take a look at the source, no script, only <img>, nothing more.

Now you should believe me, that it is possible, to place and read a cookie, simply by inserting a image. And if you do not trust a stranger. Simply wait for Wladimir Palant, he will say the same and I am sure, that you will trust him...

rick752 · Post by **rick752** » Sat Nov 18, 2006 8:53 pm

But that is HTML code. Of course if I activate that I will get a cookie from it.

THERE ARE NO 3RD-PARTY HTML CODES ON THE PAGES ... only JS and GIF.

If the only thing that is allowed on a page is the 3rd-party IMAGE, then where would THIS code that you are showing me come from .... In the the image itself?????????

*more*
I thought file-spoofing like that was patched.
Is there a way you can embed that in a gif file and still have it initiate?

rick752 · Post by **rick752** » Sat Nov 18, 2006 9:27 pm

*MODS*
Please truncate the 7th post link. The link is irrelevant (page width)

rick752 · Post by **rick752** » Sat Nov 18, 2006 9:41 pm

If you are able to 'spoof' an html mime through an image extension by using:

Code: Select all

data:text/html.....

... in the header.

Then instead of:

Code: Select all

stats.com/$script

... it would now become:

Code: Select all

stats.com/$script,document

... your move

lavanzo · Post by **lavanzo** » Sat Nov 18, 2006 9:54 pm

Oh man... you try to be the best filterset maker, but have you no idea how the web works...

The address is no spoof or whatever, it is simply a website boiled to a link, so that I do not need webspace in order to show you the problem. And it is not easy to show this within the forum, since it is not allowed to include everything into a posting. And I do not have a webspace to create a testcase on my own.

But my patience with your ignorance is exhausted, perhaps your master Wladimir Palant will be willing to explain everything in detail for you.

rick752 · Post by **rick752** » Sat Nov 18, 2006 10:03 pm

Ok

Maybe I'm missing something here.

I've never pretended to know "everything about everything" (as this self-degrading post would attest). That would be foolish for ANYONE to make that claim.

I am not trying to 'battle' with you ... I am trying to understand something I am not seeing (yet?).

If you ask most who know me, they will tell you that I will ALWAYS admit if I am wrong. If I am, then "I am".

BUT .... please help me understand what you are telling me as I cannot for the life of me figure out what I am missing in this conversation.

You seem to know something that I don't quite understand.

I guess the big question is: "Is what you are trying to tell me a problem "in the wild" relative to my original post"?

lavanzo · Post by **lavanzo** » Sat Nov 18, 2006 10:11 pm

OK, my last try. Clear cache and cookies. When you load this site, you get a cookie from seekport.de.
No hack, no script, no spoof, no freakin link. Only a simple *.gif.

address: http://www.seekport.de/img/seekport_logo.gif

rick752 · Post by **rick752** » Sat Nov 18, 2006 10:58 pm

Thank you, lavanzo.

You are 100% absolutely correct!

This was something I did not know. You have helped immensely in an area that I probably didn't understand fully. Don't forget, that I'm just blocking ads (which I think I'm pretty damn good at) ... the cookies are just a nice 'by-product'. I never pretended to understand them fully.

But don't tell me that I don't understand anything .. I understand quite a bit ... probably a lot more than you may give me credit for at the moment (I just kinda missed that class at school .. so to speak).

Is the reason for the cookie creation from that image simply because the request for the image came from the cookie's server and because of that request, the browser will automatically accept the cookie from that server? (I think I said that right).

Thank you for taking the time to give me an example (even through the insults

). I always listen to someone who knows more about a single particular thing than myself. I have no 'false-pride'. You have made me a little smarter.

Thanks (I think

)

*more* Explanation:
I was always under the impression that cookies had to either be served through a script or by a visit to the server's domain ... I didn't realize that ANY request from the undesirable server could result in a cookie being dropped in a browser. Live and learn!

lavanzo · Post by **lavanzo** » Sat Nov 18, 2006 11:23 pm

rick752 wrote:Is the reason for the cookie creation from that image simply because the request for the image came from the cookie's server and because of that request, the browser will automatically accept the cookie from that server? (I think I said that right).

Yes. And this works with every HTTP request. So the same applies to CSS, HTML, pictures, scripts, objects (flash/java), programs. Simply everything you send/receive through HTTP.

There are only two possibilities to avoid this: blocking cookies (with browser/firewall/proxy) or not to send the request (with other word: block that thing).