Re: Client <-> Server-generated Session IDs

Terje Norderhaug (Norderhaug.CHI@xerox.com)
Fri, 28 Jul 1995 11:45:15 -0800

At 6:00 AM 7/28/95, rep@iexist.att.com wrote:
>Terje <Norderhaug.CHI@Xerox.com> wrote:
>> At 8:10 AM 7/27/95, rep@iexist.att.com wrote:
>> >I must be missing something because I don't see the connection between
>> >privacy and the client vs. server generation of a Session ID.[...]

>> At some point in time you might find yourself filling out personal
>> information in a form. With session ids accross servers it become possible
>> to trace your excact steps on the web by merging the entries with the same
>> id in the logfiles from the various services. Even more so if the id is
>> kept between sessions.
>
>Thanks for the explanation; now I think I understand the concern. But is
>that trace likely in practice?

Yes.

>It assumes a) that Session IDs are unique
>across the entire Web (at least over the time interval of the trace),

Part of the discussion is regarding to what scope the ids should be unique.
This is a design decision under control partly by some of the people on
this list.

> b) the server owners (who might be competing businesses) are willing to
>sell/share the log files,

Companies today are trading their customer lists... and the government is
doing their best to keep it posssible for them to listen into your private
telephone conversation. No reason to be naive about business and government
interests when it comes to using such data, nor the willingness to sell
valuable information.

>and c) it is worth enough to somebody to examine all
>the log files of the Web looking for Session ID correlations.

If the logfiles are available in a standard format, the effort will be
rather low to examine a hugh number of logfiles and databases. Compare to
the effort in making a search-index for the entire web...

>It seems to me
>that if somebody was that interested, it would be far easier for them to buy or
>steal the information from my Internet Service Provider who has access (already
>correlated and unambiguously attributed to my PC/workstation) to every packet
>sent and received.

That is if they already have targetted you. For most business it is a lot
more interesting to get a list of people that have shown a pattern, such as
visisted a specific combination of services.

-- Terje <Norderhaug.CHI@Xerox.com>
<URL:http://www.ifi.uio.no/~terjen/>