IP addresses and personal information (was Re: [LINK] Fwd: On Line Opinion - 16 February 2007)

Irene Graham rene.lk at libertus.net
Sat Feb 24 21:27:17 AEDT 2007 

On Sat, 24 Feb 2007 19:10:21 +1100, rchirgwin at ozemail.com.au wrote:
> I think the two are either similar or the same - here I will admit that
> I'm dancing on the edge of my technical grasp, so if I'm shot down in
> flames, I'll probably sign off with Spike Milligan's epitaph - but:
>
> Whether it's via Javascript or something else, I have seen Websites
> launch Port 443 (ie, SSL) sessions in a redirect when you visit.
> Roughly it went like this:
>
> User > visits site foobar.com
> Foobar.com > redirects user to hitcounter site on Port 443 Hitcounter
> site > redirects user back to Foobar.com User sees Foobar.com load in
> the browser.
>
> Because no page loads, the redirect isn't visible to the user unless:
> a) you're running the sort of firewall that has a live monitor (Tiny
> Personal Firewall was nice for this); or
> b) the browser settings pop up a "you are about to enter / leave a
> secure site" each time SSL is invoked.
>
> And yes, imrworldwide.com was one of the sites I observed using this;
> Telstra is or used to be a customer.
>
> Now, this doesn't preclude the Javascript; the JS may simply be
> activating the Port 443 communication instead of the browser; here I'm
> beyond my expertise!

Thanks for info. I don't think I've ever notice any of these things using 
Port 443, but that certainly doesn't mean none of them are, or haven't 
been.

imrworldwide.com scripts are on smh.com.au and news.com.au - the pages on 
those sites link, apparently by HTTP, not HTTPS, to scripts that are hosted 
on imrworldwide.com and I've no idea what those scripts do. The site 
visitor doesn't see those linked files being loaded/run (but may notice it 
in e.g. a firewall log). It seems quite possible they could be launching 
Port 443 sessions. I've long had that site and other such sites blocked via 
Outpost firewall and I also use userjs to block some other unwanted 
javascript activity (and I'm disinclined to disable all this stuff for 
testing purposes because I'll probably forget how I had it all set up!)

I can't remember where dgmaustralia stuff may be found - haven't seen it in 
my firewall blocking logs anywhere near as much as imrworldwide.com lately.

> And finally, because my observation of this is out of date (I have
> posted to Link but it was some time back), it may be that this is an
> obsolete hit-count technique. I would be interested to know if it
> persists...

So would I. I'd also be interested to know what it was doing even if it 
isn't still in use.

Irene

More information about the Link mailing list