RE: Re[6]: [newbie] Privacy in linux?
I like the idea of a realtime blacklist of the tracking sites linked to squid or similar. Something that blocks the nasties but allows the good guys to do business as usual.

rgds

Franki

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of rikona
Sent: Tuesday, 10 June 2003 4:26 AM
To: Frankie
Subject: Re[6]: [newbie] Privacy in linux?

Hello Frankie,

Sunday, June 8, 2003, 11:54:45 PM, you wrote:

F> I made a point of not using cookies on our gateway.. For the simple
F> reason that you can't guarantee that the user will accept them or
F> that the client is capable of accepting them..

Agreed. I block most cookies, but know to allow them for transactions.

F> personally I deny any cookie that isn't set to expire within a day
F> of being set.

Good practice, from my view. Most cookies are not like that, however, the worst being from the trackers. Theirs usually are set to hang around for 20-30 years. :-)

F> You are correct about often the same techniques being used for
F> spying, it's sad that that is the case, but that doesn't mean that
F> ecommerce should stop using them.

I understand your point of view. There is a problem on both sides. M$ is not in an advertising blitz to convince the masses that they are a nice company. They are addressing the issue of trust by mass advertising.

F> Wait till Palladium hits us.. then it will all be digitally signed
F> and available to M$ and all its advertisers (agreed to via EULA)
F> and the web will suck worse.

Don't get me started on Palladium. A huge disaster in the making, IMHO, at least for users. Important as a key part of the M$ takeover, though.

F> How do we validate that it was YOU that submitted that info if you
F> show up as blank in all validation???

I agree that this is a complicated issue, especially for a gateway. Do you like the personal certificate idea, assuming it can be turned on (for transactions) and off (for privacy while surfing) by the user?

F> To make sure all the communication between the user's browser, the
F> cart, and the payment gateway is all legit is a difficult task.

Agreed.

F> so our gateway does a number of IP tests to ensure that should you
F> be a nasty character, we at least have a starting point to come
F> after you.

Here's where we have the trouble. The same techniques that you would like, and need, are EXACTLY the tools that permit horrendous invasion of privacy. I'm not sure I see a good way around that except for strong legislation, and that is extremely unlikely. Why? Well, the government LOVES to spy and would LOVE to control its population - they're not going to be for restricting snooping. Business loves to spy also, and says it 'needs' it (yeah, right) - they're not going to be for restricting it either. When these two get together, watch out, we're in trouble.

F> The web can be a nasty place for online stores.. don't punish the
F> good guys (the ones that don't spam you silly or track you for
F> advertising purposes).

It might be nice to have a site that rates other sites from the privacy point of view, but I'm afraid the lawyers would attack it in less than 50 milliseconds. :-)

F> (our security was not limited to the above, we also created hashkeys of all
F> form data to be validated at both ends to ensure it's not changed and a
F> number of other tests as well.. but nothing is perfect, we just have to do
F> the best we can.)

It is nice to hear your side of this. Any ideas for a win - win solution, good for both sides?

--
Thank you,
rikona mailto:[EMAIL PROTECTED]

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
Re: [newbie] Privacy in linux?
On Monday 09 Jun 2003 12:28 am, rikona wrote:

> Hello,
>
> There has been discussion about security, but little about privacy. Granted, Mandrake seems FAR less intrusive than M$ when updating, and with 'call home' programs. Thank you, thank you, Mandrake.
>
> It would seem that the primary risk is in the browser, chats, and perhaps in email. I'm starting to look at privoxy for increasing privacy in browsing. If anyone has used it, are there pre-configured files set up to protect against the common privacy leaks?
>
> Has anyone had experience in using the host file to block ads/snoops? Does it hang the browser in waiting for the localhost to time out if the host file is used [this is a problem in Opera, at least].
>
> Has anyone used a DNS proxy to block ads/snoops? If so, are there pre-configured files for the common ad servers?
>
> How secure are the various 'wallet' programs in linux? I note that the Mozilla 'wallet' seems to point back to a server at Mozilla - not so hot, I'd think.
>
> In email, do any of the email clients go to the web for HTML references that might be in email?
>
> Finally, what has to be configured so that my local info is not sent with, say, finger, or some other probe?
>
> Did I miss any other privacy considerations for linux?

In my experience privoxy works great out of the box for the vast majority of sites. I find it particularly easy to use with Opera and Galeon because those browsers allow you to put 'bookmarklets' on your task bar to get quick access to the privoxy config if you want to toggle privoxy, or customise its settings.

I also find Opera runs faster with privoxy because it no longer waits for the last advert to arrive before rendering the page. (Although I think the latest Opera7.11 no longer has that issue anyway, and is in my opinion a *seriously* good browser)

After using privoxy for some time I am always shocked when I use a computer away from home at how many adverts there are around the web. Privoxy makes surfing much more peaceful :-)

derek
--
www.jennings.homelinux.net
RE: Re[4]: [newbie] Privacy in linux?
Hi again,

I made a point of not using cookies on our gateway.. For the simple reason that you can't guarantee that the user will accept them or that the client is capable of accepting them.. personally I deny any cookie that isn't set to expire within a day of being set.

You are correct about often the same techniques being used for spying, it's sad that that is the case, but that doesn't mean that ecommerce should stop using them.

Wait till Palladium hits us.. then it will all be digitally signed and available to M$ and all its advertisers (agreed to via EULA) and the web will suck worse.

<quote>
I was talking about a different issue. It is true that my stored 'privacy info' is either blank or wrong, but the info I submit is correct. I also selectively accept SESSION cookies to store this info for the transaction. I DON'T accept it if this personal info is coded to stay in my computer until 2025. :-) Wouldn't an encrypted SESSION cookie take care of your concerns, assuming you could get enough user trust to accept it?
</quote>

How do we validate that it was YOU that submitted that info if you show up as blank in all validation???

Cookies are not safe.. a combination of SSL, server session files and other things are far more secure. having said that, many clients don't have their own payment gateways and rely on third party servers like the one I worked for. Problem is that they usually have some sort of cart, that links to the payment gateway. which links back to the cart (for receipts/email etc)

So, we have HTML/forms that are part of the cart which must be validated by the cart as having been from the cart itself, then we have communication to the gateway (usually SSL by this stage) to be validated, and finally we have the return from the gateway to the cart. (usually not SSL unless they have their own Cert)

To make sure all the communication between the user's browser, the cart, and the payment gateway is all legit is a difficult task.

Also take logging into account. our gateway stores no personally identity info at all, it does log IP address and the exact time of the transaction for some fraud info.. if someone tries funny business we need to know as much about them as possible.. so our gateway does a number of IP tests to ensure that should you be a nasty character, we at least have a starting point to come after you.

The point is that if you don't have some valid data, we can't allow you to use the gateway because then we'd be opening the doors to all manner of fraud attempts. Right now, if you try using our gateway with any required info blocked, our gateway will redirect you to a page telling you why you can't be allowed to purchase.

The web can be a nasty place for online stores.. don't punish the good guys (the ones that don't spam you silly or track you for advertising purposes).

(our security was not limited to the above, we also created hashkeys of all form data to be validated at both ends to ensure it's not changed and a number of other tests as well.. but nothing is perfect, we just have to do the best we can.)

regards

Franki
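
The "hashkeys of all form data to be validated at both ends" idea in the message above, as an added example that is not part of the thread and not the gateway's own code. It assumes HMAC-SHA-256 with a key shared by cart and gateway; the field names, the key and the sample order are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed demo key (assumption): in practice the cart and the gateway
# would share a secret provisioned out of band, never embedded in the form.
SHARED_KEY = b"constructed-demo-key"


def canonical(fields):
    """Serialise fields in sorted order so both ends hash identical bytes.

    urlencode escapes '&' and '=', so a value cannot smuggle in an
    extra field or shift a field boundary.
    """
    pairs = sorted((str(k), str(v)) for k, v in fields.items())
    return urlencode(pairs).encode("utf-8")


def sign_form(fields, key=SHARED_KEY):
    """Cart side: return the fields plus a 'sig' field to embed in the form."""
    tag = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "sig": tag}


def verify_form(posted, key=SHARED_KEY):
    """Gateway side: recompute the tag over everything except 'sig'."""
    fields = {k: v for k, v in posted.items() if k != "sig"}
    expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    supplied = str(posted.get("sig", ""))
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), supplied.encode("utf-8"))


# Constructed sample order, as the cart would hand it to the gateway.
ORDER = {
    "order_id": "A-1001",
    "amount": "19.95",
    "currency": "USD",
    "ship_to": "1 Example Street, Springfield",
}

if __name__ == "__main__":
    signed = sign_form(ORDER)
    print("untouched form verifies:", verify_form(signed))
    tampered = dict(signed, ship_to="99 Other Road, Elsewhere")
    print("changed delivery address verifies:", verify_form(tampered))
```

The tag only shows that the fields were not altered after the cart signed them; it does not by itself stop a captured form from being replayed, which is why a unique order_id belongs among the signed fields.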
RE: Re[2]: [newbie] Privacy in linux?
On Sun, 2003-06-08 at 21:52, Frankie wrote:

> Hi Rikona,
>
> You are quite right, for normal browsing you have (or should have) the right to be nobody. but for any sort of shopping, you are hurting yourself more than anyone else by blocking any means to make sure you are who you say you are.
>
> That's a very basic example, but you can see how being able to get your IP, referer and whatnot can make it much much harder for someone else to pretend to be you. It's still possible to spoof all that, but it is much more complicated.
>
> If you're shopping as nobody, you're very easy to copy aren't you???

But most of the time (and this is one of the reasons that I will not buy on line) they want a lot of information before you can even price check an item

> rgds
>
> Franki
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of rikona
> Sent: Monday, 9 June 2003 12:13 PM
> To: Frankie
> Subject: Re[2]: [newbie] Privacy in linux?
>
> Hello Frankie,
>
> Sunday, June 8, 2003, 7:08:01 PM, you wrote:
>
> F> privacy in browsering is cool..
>
> And getting rarer with time. :-(((
>
> F> just keep in mind that you have no right to expect ecommerce apps to work if
> F> you make all authentication methods non functional...
>
> If I'm ordering something, I don't expect to be anonymous, of course, but why do I have to be authenticated if I am just visiting a site? Why would you force me to accept a cookie from someone who is trying to track my every move on the net? Why would I want to accept a script designed to snoop in my computer as much as possible? If I have trouble with a site, I'll go to another one. One usually gets a few in Google. :-) If EVERY site I find is dysfunctional, I'll buy it locally if I can. If not, I'll call their 800 number and read the item from the screen. If at all possible, I will NOT deal with an intrusive merchant!
>
> F> We have precious little authentication methods available to us now.
> F> If people all start spoofing their details online then no-one can
> F> expect this stuff to work anymore.
>
> Why not? Perhaps I am not understanding what you mean by authentication.
>
> F> my point is turn it off when using online apps.
>
> It would seem as though that is where it is needed most. Am I missing something?
>
> It seems as though the basis for placing ads is to track every move of the user. A bit like someone following me around. I drive to a store, they record the path I took to get there. When I get out of the car, they follow me in the store. They record everything I look at in the store, especially if I pick it up, and if I come back to look that gets recorded too. If I buy something, the purchase is recorded. In many cases the name, address, phone, email address are sent to the advertiser to sell on some list for spammers. Now if someone was doing that physically, would you not object and consider it an invasion of privacy?
>
> Please tell me why it is so hard to build an app that just lets me visit and look around anonymously.
>
> --
> Thank you,
> rikona mailto:[EMAIL PROTECTED]

--
Aron Smith [EMAIL PROTECTED]
Re: [newbie] Privacy in linux?
On Monday 09 Jun 2003 7:28 am, Derek Jennings wrote:

> On Monday 09 Jun 2003 12:28 am, rikona wrote:
> > Hello,
> >
> > There has been discussion about security, but little about privacy. Granted, Mandrake seems FAR less intrusive than M$ when updating, and with 'call home' programs. Thank you, thank you, Mandrake.

<snip> </snip>

> > Has anyone had experience in using the host file to block ads/snoops? Does it hang the browser in waiting for the localhost to time out if the host file is used [this is a problem in Opera, at least].

Ok, in konqueror this works a charm. I'm currently blocked from banner spam etc from over 6000 servers all listed in my /etc/host file. Copy it across and you're set to go. Browsing has speeded up nicely thanks to this. It also helps as this is the only spot in my county that cannot get adsl services so every bit helps.

If you want a copy derek then email me off-list and I'll send you a very up-to-date copy as I added about 25 more servers to it only yesterday.

Regards

magnet
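
A hosts-file blocklist received from someone else deserves a check before it is copied into place, because an entry that maps a real site to a routable address redirects traffic instead of blocking it. The audit below is an added example, not part of the thread; the sample file and its hostnames are constructed.

```python
import ipaddress

# Names every hosts file legitimately maps to loopback; not blocklist entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def audit_hosts(text):
    """Split a hosts-style blocklist into safe sink entries and suspect lines.

    Returns (blocked, suspicious): a set of lower-cased hostnames mapped to a
    loopback or unspecified address, and a list of (line_number, line, reason)
    for anything else.
    """
    blocked, suspicious = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            suspicious.append((lineno, raw.strip(), "first field is not an IP"))
            continue
        if not names:
            suspicious.append((lineno, raw.strip(), "address without hostname"))
        elif ip.is_loopback or ip.is_unspecified:
            blocked.update(n.lower() for n in names
                           if n.lower() not in LOCAL_NAMES)
        else:
            # A blocklist has no reason to point a name at a real server.
            suspicious.append((lineno, raw.strip(), "maps name to routable IP"))
    return blocked, suspicious


def render_blocklist(blocked, sink="127.0.0.1"):
    """Emit a de-duplicated, sorted blocklist with one uniform sink address."""
    return "\n".join(f"{sink} {name}" for name in sorted(blocked))


# Constructed sample of a shared blocklist (example domains only).
SAMPLE = "\n".join([
    "# shared ad/tracker blocklist",
    "127.0.0.1 localhost",
    "127.0.0.1 ads.example.com banners.example.net",
    "0.0.0.0 tracker.example.org   # web bug host",
    "127.0.0.1 ADS.example.com",
    "203.0.113.7 www.bank.example",
    "ads2.example.com 127.0.0.1",
])

if __name__ == "__main__":
    ok, bad = audit_hosts(SAMPLE)
    print(render_blocklist(ok))
    for lineno, line, reason in bad:
        print(f"line {lineno}: {reason}: {line}")
```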
Re: [newbie] Privacy in linux?
On Monday 09 Jun 2003 3:31 pm, you wrote:

> On Monday 09 Jun 2003 7:28 am, Derek Jennings wrote:
> > On Monday 09 Jun 2003 12:28 am, rikona wrote:
> > > Hello,
> > >
> > > There has been discussion about security, but little about privacy. Granted, Mandrake seems FAR less intrusive than M$ when updating, and with 'call home' programs. Thank you, thank you, Mandrake.
>
> <snip> </snip>
>
> > > Has anyone had experience in using the host file to block ads/snoops? Does it hang the browser in waiting for the localhost to time out if the host file is used [this is a problem in Opera, at least].
>
> Ok, in konqueror this works a charm. I'm currently blocked from banner spam etc from over 6000 servers all listed in my /etc/host file. Copy it across and you're set to go. Browsing has speeded up nicely thanks to this. It also helps as this is the only spot in my county that cannot get adsl services so every bit helps.
>
> If you want a copy derek then email me off-list and I'll send you a very up-to-date copy as I added about 25 more servers to it only yesterday.
>
> Regards
>
> magnet

Hmm... got that wrong in last post. typo... It's actually 16000 servers. See, it's kinda comprehensive coz spam bugs me out.

Regards

magnet
Re[2]: [newbie] Privacy in linux?
Hello Derek,

Sunday, June 8, 2003, 11:28:06 PM, you wrote:

DJ> In my experience privoxy works great out of the box for the vast
DJ> majority of sites.

Nice to hear. Ever use Proxomitron in Win? If so, how does it compare?

DJ> (Although I think the latest Opera7.11 no longer has that issue
DJ> anyway, and is in my opinion a *seriously* good browser)

Agreed, I like Opera too, but have not upgraded yet. :-)

DJ> After using privoxy for some time I am always shocked when I use a computer
DJ> away from home at how many adverts there are around the web. Privoxy makes
DJ> surfing much more peaceful :-)

That was exactly my experience in surfing with linux. :-) I haven't seen all that flashing junk for years. I really need to fix it.

Do you use a host file and/or DNS filtering as well?

--
Thank you,
rikona mailto:[EMAIL PROTECTED]
Re[6]: [newbie] Privacy in linux?
Hello Frankie,

Sunday, June 8, 2003, 11:54:45 PM, you wrote:

F> I made a point of not using cookies on our gateway.. For the simple
F> reason that you can't guarantee that the user will accept them or
F> that the client is capable of accepting them..

Agreed. I block most cookies, but know to allow them for transactions.

F> personally I deny any cookie that isn't set to expire within a day
F> of being set.

Good practice, from my view. Most cookies are not like that, however, the worst being from the trackers. Theirs usually are set to hang around for 20-30 years. :-)

F> You are correct about often the same techniques being used for
F> spying, it's sad that that is the case, but that doesn't mean that
F> ecommerce should stop using them.

I understand your point of view. There is a problem on both sides. M$ is not in an advertising blitz to convince the masses that they are a nice company. They are addressing the issue of trust by mass advertising.

F> Wait till Palladium hits us.. then it will all be digitally signed
F> and available to M$ and all its advertisers (agreed to via EULA)
F> and the web will suck worse.

Don't get me started on Palladium. A huge disaster in the making, IMHO, at least for users. Important as a key part of the M$ takeover, though.

F> How do we validate that it was YOU that submitted that info if you
F> show up as blank in all validation???

I agree that this is a complicated issue, especially for a gateway. Do you like the personal certificate idea, assuming it can be turned on (for transactions) and off (for privacy while surfing) by the user?

F> To make sure all the communication between the user's browser, the
F> cart, and the payment gateway is all legit is a difficult task.

Agreed.

F> so our gateway does a number of IP tests to ensure that should you
F> be a nasty character, we at least have a starting point to come
F> after you.

Here's where we have the trouble. The same techniques that you would like, and need, are EXACTLY the tools that permit horrendous invasion of privacy. I'm not sure I see a good way around that except for strong legislation, and that is extremely unlikely. Why? Well, the government LOVES to spy and would LOVE to control its population - they're not going to be for restricting snooping. Business loves to spy also, and says it 'needs' it (yeah, right) - they're not going to be for restricting it either. When these two get together, watch out, we're in trouble.

F> The web can be a nasty place for online stores.. don't punish the
F> good guys (the ones that don't spam you silly or track you for
F> advertising purposes).

It might be nice to have a site that rates other sites from the privacy point of view, but I'm afraid the lawyers would attack it in less than 50 milliseconds. :-)

F> (our security was not limited to the above, we also created hashkeys of all
F> form data to be validated at both ends to ensure it's not changed and a
F> number of other tests as well.. but nothing is perfect, we just have to do
F> the best we can.)

It is nice to hear your side of this. Any ideas for a win - win solution, good for both sides?

--
Thank you,
rikona mailto:[EMAIL PROTECTED]
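
The cookie rule discussed in this exchange (accept session cookies, deny anything not set to expire within a day) can be written as a filter over Set-Cookie headers. This is an added example, not part of the thread; the function names, the decision labels and the sample headers are constructed, and treating an unreadable expiry as a denial is a choice made here.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_LIFETIME = timedelta(days=1)   # the one-day limit from the thread


def cookie_decision(set_cookie, now):
    """Classify one Set-Cookie header value against the one-day policy."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:        # [0] is name=value
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value.strip()

    lifetime = None
    if "max-age" in attrs:                        # Max-Age overrides Expires
        try:
            lifetime = timedelta(seconds=int(attrs["max-age"]))
        except (ValueError, OverflowError):
            return "deny-unparseable"
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return "deny-unparseable"
        if expires.tzinfo is None:                # no zone given: assume UTC
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = expires - now

    if lifetime is None:
        return "accept-session"                   # dies with the browser
    if lifetime <= MAX_LIFETIME:
        return "accept-short"
    return "deny-long-lived"


def filter_cookies(headers, now):
    """Return [(cookie_name, decision)] for a list of Set-Cookie values."""
    return [(h.split("=", 1)[0].strip(), cookie_decision(h, now))
            for h in headers]


# Constructed headers, evaluated at a constructed "now" of 9 June 2003 12:00 UTC.
NOW = datetime(2003, 6, 9, 12, 0, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "SESSID=abc123; Path=/; Secure",
    "cart=42; Expires=Tue, 10 Jun 2003 06:00:00 GMT; Path=/",
    "track=u-9f3; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Domain=.ads.example",
    "uid=7; Max-Age=946080000",
    "x=1; Expires=whenever",
]

if __name__ == "__main__":
    for name, decision in filter_cookies(SAMPLE_HEADERS, NOW):
        print(f"{name:8} {decision}")
```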
Re[4]: [newbie] Privacy in linux?
Hello Aron,

Monday, June 9, 2003, 4:50:42 AM, you wrote:

AS> But most of the time (and this is one of the reasons that I will
AS> not buy on line) they want a lot of information before you can
AS> even price check an item

True - I also find this very irritating! Never buy from such places - there are almost always others.

--
Thank you,
rikona mailto:[EMAIL PROTECTED]
[newbie] Privacy in linux?
Hello,

There has been discussion about security, but little about privacy. Granted, Mandrake seems FAR less intrusive than M$ when updating, and with 'call home' programs. Thank you, thank you, Mandrake.

It would seem that the primary risk is in the browser, chats, and perhaps in email. I'm starting to look at privoxy for increasing privacy in browsing. If anyone has used it, are there pre-configured files set up to protect against the common privacy leaks?

Has anyone had experience in using the host file to block ads/snoops? Does it hang the browser in waiting for the localhost to time out if the host file is used [this is a problem in Opera, at least].

Has anyone used a DNS proxy to block ads/snoops? If so, are there pre-configured files for the common ad servers?

How secure are the various 'wallet' programs in linux? I note that the Mozilla 'wallet' seems to point back to a server at Mozilla - not so hot, I'd think.

In email, do any of the email clients go to the web for HTML references that might be in email?

Finally, what has to be configured so that my local info is not sent with, say, finger, or some other probe?

Did I miss any other privacy considerations for linux?

--
Best regards,
rikona mailto:[EMAIL PROTECTED]
RE: [newbie] Privacy in linux?
privacy in browsering is cool..

just keep in mind that you have no right to expect ecommerce apps to work if you make all authentication methods non functional...

It's a tough call, as a user, I know that for the most part, I'd prefer to be anonymous but as an e-commerce developer I know how hard it is to safely code apps that work when users have blocked any method of authenticating them.. (like zonealarm and other personal firewalls and the HTTP_REFERER env variable, or IP faking methods etc.. )

We have precious little authentication methods available to us now. If people all start spoofing their details online then no-one can expect this stuff to work anymore.

my point is turn it off when using online apps.

rgds

Franki

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of rikona
Sent: Monday, 9 June 2003 7:29 AM
To: [EMAIL PROTECTED]
Subject: [newbie] Privacy in linux?

Hello,

There has been discussion about security, but little about privacy. Granted, Mandrake seems FAR less intrusive than M$ when updating, and with 'call home' programs. Thank you, thank you, Mandrake.

It would seem that the primary risk is in the browser, chats, and perhaps in email. I'm starting to look at privoxy for increasing privacy in browsing. If anyone has used it, are there pre-configured files set up to protect against the common privacy leaks?

Has anyone had experience in using the host file to block ads/snoops? Does it hang the browser in waiting for the localhost to time out if the host file is used [this is a problem in Opera, at least].

Has anyone used a DNS proxy to block ads/snoops? If so, are there pre-configured files for the common ad servers?

How secure are the various 'wallet' programs in linux? I note that the Mozilla 'wallet' seems to point back to a server at Mozilla - not so hot, I'd think.

In email, do any of the email clients go to the web for HTML references that might be in email?

Finally, what has to be configured so that my local info is not sent with, say, finger, or some other probe?

Did I miss any other privacy considerations for linux?

--
Best regards,
rikona mailto:[EMAIL PROTECTED]
Re[2]: [newbie] Privacy in linux?
Hello Frankie,

Sunday, June 8, 2003, 7:08:01 PM, you wrote:

F> privacy in browsering is cool..

And getting rarer with time. :-(((

F> just keep in mind that you have no right to expect ecommerce apps to work if
F> you make all authentication methods non functional...

If I'm ordering something, I don't expect to be anonymous, of course, but why do I have to be authenticated if I am just visiting a site? Why would you force me to accept a cookie from someone who is trying to track my every move on the net? Why would I want to accept a script designed to snoop in my computer as much as possible? If I have trouble with a site, I'll go to another one. One usually gets a few in Google. :-) If EVERY site I find is dysfunctional, I'll buy it locally if I can. If not, I'll call their 800 number and read the item from the screen. If at all possible, I will NOT deal with an intrusive merchant!

F> We have precious little authentication methods available to us now.
F> If people all start spoofing their details online then no-one can
F> expect this stuff to work anymore.

Why not? Perhaps I am not understanding what you mean by authentication.

F> my point is turn it off when using online apps.

It would seem as though that is where it is needed most. Am I missing something?

It seems as though the basis for placing ads is to track every move of the user. A bit like someone following me around. I drive to a store, they record the path I took to get there. When I get out of the car, they follow me in the store. They record everything I look at in the store, especially if I pick it up, and if I come back to look that gets recorded too. If I buy something, the purchase is recorded. In many cases the name, address, phone, email address are sent to the advertiser to sell on some list for spammers. Now if someone was doing that physically, would you not object and consider it an invasion of privacy?

Please tell me why it is so hard to build an app that just lets me visit and look around anonymously.

--
Thank you,
rikona mailto:[EMAIL PROTECTED]
RE: Re[2]: [newbie] Privacy in linux?
Hi Rikona,

I worked for a payment gateway.. and was constantly having to adjust our apps to handle blocking firewalls and stuff that end users have (and we did NO tracking of our clients' customers at all other than what was necessary for security)

The problem is that we need to ensure that the user that started a transaction is the same user that paid for it, and ended it and the one that got the receipt.

By trying different stores with all your privacy info blank, and finding one that worked, you are most likely picking the one that will end up getting your card details posted on the net somewhere. (meaning the one with the least security in place)

You are quite right, for normal browsing you have (or should have) the right to be nobody. but for any sort of shopping, you are hurting yourself more than anyone else by blocking any means to make sure you are who you say you are.

Say for example, that you have just purchased something online and paid for it.. you do all this while blocking all your auth data, and proxying your IP address... Then someone steals your session with the cart and enters their delivery address. They get the goods you paid for.

That's a very basic example, but you can see how being able to get your IP, referer and whatnot can make it much much harder for someone else to pretend to be you. It's still possible to spoof all that, but it is much more complicated.

If you're shopping as nobody, you're very easy to copy aren't you???

rgds

Franki

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of rikona
Sent: Monday, 9 June 2003 12:13 PM
To: Frankie
Subject: Re[2]: [newbie] Privacy in linux?

Hello Frankie,

Sunday, June 8, 2003, 7:08:01 PM, you wrote:

F> privacy in browsering is cool..

And getting rarer with time. :-(((

F> just keep in mind that you have no right to expect ecommerce apps to work if
F> you make all authentication methods non functional...

If I'm ordering something, I don't expect to be anonymous, of course, but why do I have to be authenticated if I am just visiting a site? Why would you force me to accept a cookie from someone who is trying to track my every move on the net? Why would I want to accept a script designed to snoop in my computer as much as possible? If I have trouble with a site, I'll go to another one. One usually gets a few in Google. :-) If EVERY site I find is dysfunctional, I'll buy it locally if I can. If not, I'll call their 800 number and read the item from the screen. If at all possible, I will NOT deal with an intrusive merchant!

F> We have precious little authentication methods available to us now.
F> If people all start spoofing their details online then no-one can
F> expect this stuff to work anymore.

Why not? Perhaps I am not understanding what you mean by authentication.

F> my point is turn it off when using online apps.

It would seem as though that is where it is needed most. Am I missing something?

It seems as though the basis for placing ads is to track every move of the user. A bit like someone following me around. I drive to a store, they record the path I took to get there. When I get out of the car, they follow me in the store. They record everything I look at in the store, especially if I pick it up, and if I come back to look that gets recorded too. If I buy something, the purchase is recorded. In many cases the name, address, phone, email address are sent to the advertiser to sell on some list for spammers. Now if someone was doing that physically, would you not object and consider it an invasion of privacy?

Please tell me why it is so hard to build an app that just lets me visit and look around anonymously.

--
Thank you,
rikona mailto:[EMAIL PROTECTED]
Re[4]: [newbie] Privacy in linux?
Hello Frankie,

Sunday, June 8, 2003, 9:52:39 PM, you wrote:

F> Hi Rikona,

F> I worked for a payment gateway.. and was constantly having to adjust our apps
F> to handle blocking firewalls and stuff that end users have (and we did
F> NO tracking of our clients' customers at all other than what was necessary
F> for security)

F> The problem is that we need to ensure that the user that started a
F> transaction is the same user that paid for it, and ended it and the
F> one that got the receipt.

Aha - I understand a bit better what you are trying to say. I do agree with what you are trying to do, and see the need for it. As I said, I have fewer problems with actual purchases. A number of the payment gateways have a different business model and don't need to snoop as much.

F> By trying different stores with all your privacy info blank, and finding
F> one that worked, you are most likely picking the one that will end up
F> getting your card details posted on the net somewhere. (meaning the one with
F> the least security in place)

I was talking about a different issue. It is true that my stored 'privacy info' is either blank or wrong, but the info I submit is correct. I also selectively accept SESSION cookies to store this info for the transaction. I DON'T accept it if this personal info is coded to stay in my computer until 2025. :-) Wouldn't an encrypted SESSION cookie take care of your concerns, assuming you could get enough user trust to accept it?

F> but for any sort of shopping, you are hurting yourself more than
F> anyone else by blocking any means to make sure you are who you say
F> you are.

Agreed. The problem is that many sites use these same techniques to do rather obnoxious things, such as send your actual personal info to advertisers via a script. The key problem: As a user, it is hard to know who to trust, isn't it? Works both ways, doesn't it? Surfer, beware. Any ideas for fixing this?

Side note - M$ is heavily advertising, and the message is 'we're a nice company'. They realize M$ is not trusted, and they may have a PR campaign to get people to trust them. This is key if they are to take over the net, as they apparently would like to do, or snoop quite heavily into people's lives.

F> That's a very basic example, but you can see how being able to get
F> your IP, referer and whatnot can make it much much harder for
F> someone else to pretend to be you. It's still possible to spoof all
F> that, but it is much more complicated.

Agreed. We were addressing somewhat different issues, with the overlap that comes with really intrusive sites doing what you are doing, but for different ends. For example, better security techniques to solve your problem are coming. However, they might also be used to install things that the user may not be able to change or remove, or to get access to even more of MY computer for whatever the site wants to do, and even force us to read ads. The M$ EULA for XP already has you agree that M$ can do this, and more. It has great potential for misuse, and since there is a great deal of money to be made by misusing it, guess what will happen. :-(((

--
Thank you,
rikona mailto:[EMAIL PROTECTED]