Date:        10/11/97 9:42:10 PM
From:        Alan Cox <alan@DIAMONDAGE.CYMRU.NET>
Subject:     BoS:      IE4 and channels
To:          ("<best-of-security@cyber.com.au>"@LOCAL)


Just a teaser to start with: Most folks will remember the netscape java
bug that allowed you to snoop on what people where visiting. Well IE4.0
goes a bit further than this - Logging of your actions, even when you
would otherwise be shielded by proxies is _BUILT_ _IN_

The channel definition format (.CDF)
http://www.microsoft.com/standards/cdf-f.htm

includes a LOGTARGET feature that allows a web site provider to make
your browser deliver logs of your usage via an http post or put. Even hits
from cache are logged.

This is all not so good and getting worse. Not only is the information posted
material you wouldn't want to give to a provider it also being http post/put
normally is spoofable anyway.

Unanswered question for next time - or for folks with more time than me
to follow up

o       Can you put other sites in your channel definition and get logs of
        when they read your competitor site

Alan