Anonymous
Unregistered
Is INFOPOP collecting data from users' browser's history?..........

Personally I doubt it but a few users are concerned that infopop is collecting data from users' browsers... see the thread below... Infopop please respond.

click here

Anonymous
Unregistered
Both UBB.threads and UBB.classic check HTTP_REFERER in a few places.

I don't think there's anything sinister about this. I've done it myself in scripts I've written. It can be useful in helping the script keep track of which page a user came from, so the script knows what action to perform. It can also be useful in making it a little harder for people to hack form-based scripts by spoofing forms.

Some firewalls, proxies, and browsers allow blocking of HTTP_REFERER output, which could confuse the script.

Anonymous
Unregistered
Dave, that makes sound logic to me...

Neither do I feel that infopop is doing anything sinister...

Anonymous
Unregistered
Dave,

I just wanted to say thanks. This helped me to make sense of some problems I have had.

Swamp,

Infopop is not "farming data" from the boards. It's not like data is being gathered and sent back to some secret Infopop base, where they correlate all the data, and then sell it to someone.

In the normal course of the functions of the boards, you have to come from one page to get to another. If, for instance, you saved a 'reply' page, and then spoofed some of the info in that page's code, you could possibly pretend to be someone else, and make a post in their name. But with HTTP_REFERER being checked, the forum script has a way of verifying that you are who you claim to be.

For example, you had to log in when you arrived. (Or you have a permanent cookie, and don't have to log in.) In either case, there was a point where you entered the board. Then you went from one page to another, to another, etc. Now, if someone were to just drop a reply to a post, in your name, in out of the blue... The script would not recognize its validity. Because "you", (the fake you), did not come from the correct page. If "you" had come from the correct previous page, and the correct previous page before that, then you would have no problem. But to just spoof a form, and drop it in cold, will get "you" nowhere.

So, in this case, yes, the forum could simply read your cookie, and see that you are you, and let you make the reply. But, I have already seen cookies spoofed. If someone can spoof a form, they can spoof a cookie. Having that HTTP_REFERER as a backup, extra security step, only makes sense.

Anonymous
Unregistered
Hi swamp,

Rest assured the answer is a big, fat no!

[Smile]

Anonymous
Unregistered
Natalia, as I indicated earlier I don't feel that Infopop is doing anything underhanded.. I only brought up this issue because some users on my boards had some concerns..

And I might add that Infopop and its management has always treated me extremely well...

Anonymous
Unregistered
Originally posted by natalia:
> Hi swamp,
>
> Rest assured the answer is a big, fat _no_!
>
> [Smile]

I am the person that posted the message on Swamp's board. Here's what I can tell you.

I don't believe the earlier posts about using this for navigation purposes are correct. If I restrict the Browser Privacy on my computer, I can still log in, browse all pages in the forum, send private messages, and edit previous posts I have made. There are no navigation issues whatsoever from using "Browser Privacy."

The problem occurs when one attempts to post new topics or add replies to an existing topic. This behavior DID NOT OCCUR until Swamp recently upgraded his software. With my Browser Privacy turned on I can still post at many other forums that use previous versions - leading me to believe at some point you guys knew how to handle not having this information.

It sounds to me like there may be a "bug" in this release and this is not by application design. When you try to post with Browser Privacy on here is the message that you get:

We cannot proceed.

The host you are trying to send the input from is not a valid host.

Please use your back button to return to the previous page.


As I'm sure you would agree people's privacy must be respected and I don't think it's acceptable to say you have to submit this information to be able to use the product.

Anonymous
Unregistered
One more thing, the product you are using here does not require "Browser Privacy" to be off.

Swamp's site is using UBB.threads™ 6.0

[This message was edited by Da Buzz on June 11, 2002 at 11:24 AM.]

Anonymous
Unregistered
Some members on my site get the same message, I've even had that message myself before. I'm not quite sure why but it happens randomly to people it seems. We are currently running UBBT 5.5.1 so I don't think it's a UBBT 6.0 issue at all.

~SiRacer~
Webmaster
ClubSi.com

Anonymous
Unregistered
Originally posted by ClubSi:
> Some members on my site get the same message, I've even had that message myself before. I'm not quite sure why but it happens randomly to people it seems. We are currently running UBBT 5.5.1 so I don't think it's a UBBT 6.0 issue at all.

I don't know what version Swamp was running before. Maybe he will chime back in and tell us. Whatever version it was though didn't have this problem. It's not random on 6.0 as it will happen every time until you turn off "Browser Security."

Anonymous
Unregistered
the previous version was 5.5.1 and am now running 6.0...

And as I said, I personally don't believe there is a valid security issue concern...

Anonymous
Unregistered
Originally posted by swamp:
> the previous version was 5.5.1 and am now running 6.0...
>
> And as I said, I personally don't believe there is a valid security issue concern...

I don't think you are understanding what this means. Even if THEIR product is not a security concern, to post with their product you have to open up YOUR computer to give away information that some consider private, and info that is totally useless for your board. I still cannot figure out why a Bulletin Board would care about the last site you visited.

How many users will abandon forums if they can't post? I actually spent the time to figure out why I couldn't post on yours. My guess is quite a few people won't bother if they can't post.

I am curious for someone from Infopop to chime back in and say if this behavior is by design or is a bug.

Anonymous
Unregistered
Seems to be causing a MAJOR problem - if every time you visit a UBB.Threads site you have to lower the defences on your PC, and configure your firewall to accept anything from that one site, before long someone will take advantage of this.

Not only is it bad for security, it also means that people will stop visiting UBB.Threads sites.

B.

Anonymous
Unregistered
> configure your firewall to accept anything from that one site

If we're still talking about HTTP_REFERER, that's information that your browser sends to the server.

It's only sent when you click on a link on a web page. For example, if you click a link on site A that goes to site B, then site B would (potentially) know that you came from site A.

It's not sent when you use a bookmark, a windows shortcut, or type a URL into the browser's address bar. If you use a bookmark to access site B, then site B does not know which page you last viewed.

So if you're concerned about a site running UBB.threads knowing "where you've been", you can simply use a bookmark to access the site.

Anonymous
Unregistered
Not concerned at all about threads knowing where I have been.

That is not the issue here.

The issue is that without lowering the security on your computer it is virtually impossible (if not impossible) to post a message or vote on any version 6 copy of Threads.

I am not sure what firewall (if any) you are using, but in order for me to post on a threads site, I MUST configure my software to allow access TO/FROM that site from/to my computer.

What is to stop that webmaster abusing that additional permission that I have just given his website to talk to my computer?

B.

Anonymous
Unregistered
I use IE 5.5. I think I have to place Infopop forums that I post to in the trusted sites zone (security level medium), not sure. I normally browse with security level high.

I use Zone Alarm Pro 2.6.362 as a firewall (for now), with no special reduced security settings required for Infopop sites.

I also use the browser filter Proxomitron, which gives a much finer degree of control over browser input/output. I may have had to relax some of Prox's settings for Infopop forums, such as allowing cookies.

Anonymous
Unregistered
Originally posted by Dave_L:
> I use IE 5.5. I think I have to place Infopop forums that I post to in the trusted sites zone (security level medium), not sure. I normally browse with security level high.
>
> I use Zone Alarm Pro 2.6.362 as a firewall (for now), with no special reduced security settings required for Infopop sites.
>
> I also use the browser filter Proxomitron, which gives a much finer degree of control over browser input/output. I may have had to relax some of Prox's settings for Infopop forums, such as allowing cookies.

Try this, Dave. Go to Swamp's Board and see if you can post. Those of us with Norton Firewall COULD post before Swamp upgraded to UBB Threads 6.0, and now we cannot unless we allow sites to invade our "Browser Privacy".

Anonymous
Unregistered
I was able to post there as an unregistered user, without changing my security settings.

I don't know anything about Norton firewall, or what its settings are.

(BTW, you don't really need to quote the entire post when replying. [Wink] )

Anonymous
Unregistered
Originally posted by Dave_L:
> I don't know anything about Norton firewall, or what its settings are.

Obviously more secure than yours [Razz]

The issue here is that Infopop have gone VERY quiet on this subject. Perhaps they know something, and are not prepared to admit it?

Unless it is a bug?

Come on Infopop please tell us...

B.

Anonymous
Unregistered
In general, I'm a strong advocate of privacy and security.

But as a web programmer, I know that being able to communicate with a client's browser to read HTTP_REFERER and to read and set cookies is useful.

So I have mixed feelings about it. [Smile]

Anonymous
Unregistered
I was able to post and I have my high security. Didn't even need to register. I use McAfee across the board.

Thanks. Bushhog

Anonymous
Unregistered
Bushhog, please try to post as a registered member... I think that the registered members' post tracking feature (little red numbers that show unread and/or new posts) could possibly be what is raising the security issues...

Website administrator of: www.HuntAmerica.com
E-Mail Webmaster@HuntAmerica.com

Anonymous
Unregistered
So, are you complaining that you can't post to the board because *you* have set your own settings such that *you* aren't sending UBBthreads a normal HTTP_REFERER ?

If so, I think it's a bit anal to be complaining here about it. It is certainly not a "security risk" to pass HTTP_REFERER - I believe UBBt simply uses the HTTP_REFERER check to see if posts are coming from forms on its own site (protecting against casual forms on other sites set up to post to a remote UBB server for abusive or other purposes). Yes, I know it's not a great way of checking as it can be spoofed by the agent, but it'll stop the casual person.

Finally, if you (or Swamp) are that concerned, turn the damn check off:

// Do you want to disable the referer check? Only disable this if you have
// many users that are unable to post due to firewall/proxy servers
// manipulating their referer variable.
$config['disablerefer'] = "0";

And I think you owe Infopop an apology for accusing them of spying on you.

Paul.
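
An added example, not part of the thread and not UBB.threads code: a sketch of the kind of Referer check discussed above, showing why a stripped header gets rejected along with off-site forms, next to a per-session form token, which is a general technique that does not depend on the header (the thread does not say which alternative Infopop uses). Function names, the `form_token` field and the `board.example` host are assumptions.

```php
<?php
// Added illustration, not UBB.threads source; function names are hypothetical.

// Classify a form submission by its Referer header. $disableRefer mirrors
// the $config['disablerefer'] switch quoted in the post above.
function check_referer(array $server, string $boardHost, bool $disableRefer): string
{
    if ($disableRefer) {
        return 'skipped';
    }
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        // Privacy filters and proxies may strip the header, so a strict
        // check turns away users who did submit the board's own form.
        return 'missing';
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, $boardHost) !== 0) {
        return 'foreign'; // form served from another site
    }
    return 'ok';
}

// Check that does not rely on Referer: a random token stored in the session,
// embedded in the form, and compared in constant time on submit.
function issue_form_token(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(16));
    return $session['form_token'];
}

function verify_form_token(array $session, array $post): bool
{
    $expected = $session['form_token'] ?? '';
    $given = $post['form_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// Constructed sample requests; board.example is a placeholder host.
$session = [];
$token = issue_form_token($session);
$cases = [
    'own form'         => [['HTTP_REFERER' => 'http://board.example/newreply.php'], ['form_token' => $token]],
    'referer stripped' => [[], ['form_token' => $token]],
    'off-site form'    => [['HTTP_REFERER' => 'http://other.example/form.html'], []],
];
foreach ($cases as $label => [$server, $post]) {
    printf("%-17s referer=%-8s token=%s\n", $label,
        check_referer($server, 'board.example', false),
        verify_form_token($session, $post) ? 'valid' : 'invalid');
}
```

The "referer stripped" case is the one the posters with privacy filters describe: the Referer check reports `missing` while the token check still accepts the submission.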

Anonymous
Unregistered
Bonzo,

Definitive answer is no - we do not collect data remotely.

This is the HTTP_REFERER check as was noted above, which Rick wrote in long ago as a solid way to improve the overall forum security.

Plain and simple. It's a good model and I love it.

Regards,

Brett Harris
Infopop Corporation

Anonymous
Unregistered
Did I claim that you were collecting data???

All I said was that IP have gone very quiet on the subject - if this is an accusation then perhaps you feel some sort of guilt [Wink]

B.

Anonymous
Unregistered
As a long time satisfied customer of Infopop I can without reservation say that I have the utmost confidence in their integrity...

Infopop has treated me extremely well and has gone the extra mile to assist me when assistance was needed...

Best Regards, Marshall Talbott
webmaster of www.HuntAmerica.com

Anonymous
Unregistered
Well, Swamp, I was able to register and post. Maybe whatever was wrong has been fixed? I have McAfee virus scan and firewall set to high security. Hope everything turns out ok (very nice site!).

Thanks. Bushhog

Joined: Jun 2006
Posts: 9,242
Likes: 1
Former Developer
We check the HTTP_REFERER (when that option is ON) to make sure that the post or action called came from your board and not from a form someone set up on another website. It is not tracked, it is not kept in the database, it is not stored. You can turn it off in the admin area if you as an admin are not comfortable with this check.

This OpenTopic board is built on entirely different architecture and we can use other means to check where you are posting from.

Honor The Victims

Anonymous
Unregistered
The whole HTTP_REFERER issue is moot: ALL web sites track the HTTP_REFERER! As a web master I can tell you that if you go to my web site, and I know your IP address (not difficult to obtain), then I can tell where you came from... and it's no big deal. All the referer tells me is that you were sent from some site to mine. Maybe that site posted a link to an article on my web page and you clicked the link. Who cares. It tells me nothing about you, except that if you went to my site you're probably a geek [Wink]

I don't see what the big deal is. If you go into a department store at the mall people can see what store you came from. Are you going to require everyone at the mall to wear blinders to protect your privacy?...

I understand the importance of privacy, but I think this is an issue of someone making a mountain out of a molehill...

Networking with an Attitude
Da LAN Tech (http://www.dalantech.com)

