*** Techno-Geek Warning ***

The following lengthy article discusses technical details that may cause your head to explode. I take no responsibility for cleaning the walls after you read this.

************************

As promised, Steve Gibson has published his explanation of what Phorm Inc. is doing to enable “Behavioral Targeting” for its advertising network that leverages equipment it installs in ISP facilities for tracking and targeting ALL user web surfing.

Here are my three levels of interpretation, so you can choose to read further or not:

  1. At the highest level, Phorm is enabling a more targeted marketing database that relies on analysis of your web requests, AND on the content of pages you view through a given ISP. The ISPs can make a lot of money from this model. Phorm claims that they do not store the information they see, and any profiling data about you is anonymized. If you trust them and your ISP, and don’t mind that they are doing this without your consent, you won’t see it as being much worse than what Double-Click does to profile you, except that they can see virtually EVERY site you visit, including the information going in and coming out.
  2. At a somewhat more technical level, even though they say they do not store the information you send and receive, it is technically possible for them to do this. Furthermore, because of your relationship with the ISP, the potential is there for a very high correlation of your surfing activity and the personal information your ISP already knows about you. This opens up two serious risks that people may not immediately appreciate. It enables the potentially complete reconstruction of your electronic life for access, not only by authorities, but by criminal elements who will try to exploit any security vulnerabilities in this complex technical process.
  3. At the very technical level described below - provided it becomes an acceptable way of doing business - this approach changes the inherent design of the Web through the bypassing of cookie usage limitations, and creates new flows of information that will need to be secured.

So, here is my interpretation of Steve Gibson’s interpretation of the Phorm Inc. technology, on the Security Now Podcast - Episode #151, whose transcript you can read in all its extremely detailed and emotionally infused glory at http://www.grc.com/sn/sn-151.htm (search on the literal string “P-h-o-r-m” to find where the discussion starts).

  1. Phorm gets your ISP to put specialized equipment (e.g. a web proxy server) in-line so it can see all traffic flowing between you and the Web
  2. You make a request to ANY website
  3. Phorm proxy looks for a cookie belonging to webwise.net (a company owned by Phorm)
  4. Since you don’t have one, it masquerades as the site you were trying to reach, and sends the browser an HTTP 307 Temporary Redirect message to the webwise.net website, with the ultimate destination URL enclosed
  5. The webwise.net site sets a first-party cookie from its own domain, containing a unique random number that it can use to identify you anonymously, and does another 307 redirect with the ultimate URL still in tow
  6. The Phorm proxy finds the webwise.net cookie, sets a new first-party cookie in the domain name of the original intended site you wanted to visit, and does another 307 redirect to the original destination site
  7. When the redirect occurs, the proxy finds the cookie it injected before, records your ID from the cookie, and the site you are requesting to visit, and strips off the cookie before passing it on as a legitimate request
  8. When the response comes back from the site, the page content is analyzed, and a tally is done to identify categories of information that are being served to you, with the assumption that this is content you are interested in
  9. Steps 2 through 8 above are repeated for every new website you visit
  10. As you arrive at sites that are associated with Phorm’s ad network, they can recognize you and serve content that reflects the categories you have in your profile

A few things to note:

  1. Your browser will have a first-party cookie from webwise corresponding to every domain you have visited (so turning off third-party cookies will not prevent this)
  2. Even if you clear those cookies, the next request you make will still go through the same process. However, they will have to try to re-associate you with the next series of cookies, probably by IP address, I would think
  3. Unless they implement some mechanism to opt-out, this technology can’t be bypassed.
  4. I have already seen some recent mention of vulnerabilities being demonstrated with similar “Provider-in-the-Middle” approaches to “helping” people who mis-type URLs by redirecting them to subdomains not managed by the original domain owner (see http://www.darkreading.com/document.asp?doc_id=151497)
  5. SSL connections cannot be intercepted this way, YET! But could they be?
  6. Laptops roaming from a home ISP, to an office, to a wi-fi cafe may end up having two or three sets of webwise cookies. Or, depending on the pervasiveness of the Phorm network and architecture, Phorm may be able to correlate all of them, since it will see any pre-existing webwise cookies eventually, even if accessed from a different ISP.
  7. The websites you visit will have no knowledge of the intrusion, with the blatant exception that, if you use SSL, or access the web from a non-Phorm partner ISP, the site will see cookies from its domain that it doesn’t know what to do with, because it didn’t actually issue them. Furthermore, they will have the webwise.net cookie with your ID in them.
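As an added illustration (not code from the post, from Steve Gibson, or from Phorm), here is a Python model of the redirect chain in steps 4 through 7 together with the site-side check implied by note 7: it walks a constructed sequence of request/response pairs, flags the traits a browser-side observer could log (an off-domain 307 carrying the original URL, a redirect that sets a cookie, one cookie value planted under two hosts), and lists cookie names a site receives that it never issued. The hostnames, the cookie name wwid and the ID value are assumptions, not values from the page.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

@dataclass
class Exchange:
    # One request/response pair as a browser-side observer would log it.
    request_url: str
    status: int
    location: str = ""                              # Location header on redirects
    set_cookie: list = field(default_factory=list)  # raw Set-Cookie header values

def _host(url):
    return (urlparse(url).hostname or "").lower()

def find_redirect_injection(chain):
    """Report the traits of the flow above: an off-domain 307 carrying the original
    URL, a redirect that sets a cookie, and one cookie planted under two hosts."""
    findings, seen = [], {}           # seen: "name=value" -> hosts that set it
    first_url = chain[0].request_url
    for ex in chain:
        here = _host(ex.request_url)
        if 300 <= ex.status < 400:
            there = _host(ex.location)
            if there and there != here and first_url in ex.location:
                findings.append(f"off-domain {ex.status} from {here} to {there} carrying {first_url}")
            for c in ex.set_cookie:
                findings.append(f"{ex.status} redirect from {here} sets cookie {c.split(';')[0]}")
        for c in ex.set_cookie:
            seen.setdefault(c.split(";")[0].strip(), set()).add(here)
    for pair, hosts in seen.items():
        if len(hosts) > 1:
            findings.append(f"cookie {pair} planted under {sorted(hosts)}")
    return findings

def unknown_cookies(issued_names, cookie_header):
    """Server-side check for note 7: cookie names arriving that the site never issued."""
    names = [p.strip().split("=", 1)[0] for p in cookie_header.split(";") if p.strip()]
    return [n for n in names if n not in issued_names]

# Constructed sample chain (not captured traffic); hostnames and the ID are placeholders.
SAMPLE_CHAIN = [
    Exchange("http://example.com/page", 307, "http://webwise.net/r?u=http://example.com/page"),
    Exchange("http://webwise.net/r?u=http://example.com/page", 307,
             "http://example.com/page?wwid=ID-CONSTRUCTED", ["wwid=ID-CONSTRUCTED; Path=/"]),
    Exchange("http://example.com/page?wwid=ID-CONSTRUCTED", 307,
             "http://example.com/page", ["wwid=ID-CONSTRUCTED; Path=/"]),
    Exchange("http://example.com/page", 200),
]

if __name__ == "__main__":
    print(*find_redirect_injection(SAMPLE_CHAIN), sep="\n")
```

A plain same-host redirect with no Set-Cookie produces no findings, so the checks only fire on the cross-domain cookie-planting pattern the steps describe.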

There’s no question this is an innovative way around the cookie domain restriction problem, but it can only be done by having direct access to the data stream, in order to inject responses and masquerade as virtually any domain.

My biggest concern, technologically, is that with all this complexity, this will be a rich source of vulnerabilities for hackers to exploit if it isn’t done well.

Thanks to Steve Gibson for taking the time to explain. As a disclaimer, I recognize that my interpretation of Steve’s interpretation will probably not be completely accurate, and I’m assuming Steve has done his homework (a pretty safe assumption). So, in this respect, my interpretation is hearsay. I have not verified it through any other sources.

I think (and hope) this is going to be an interesting battle.