Besides Cookies, How Do Web Sites Gather Info?

Okay, I know cookies, when enabled, can give web sites lots of info. But let’s say I have cookies disabled. I visit Web Site A and they immediately know my IP address. Is there any other information they can glean just by my having visited their site? Does any web site I visit know:

  1. My phone number?

  2. My computer’s model and manufacturer?

  3. The serial numbers of my computer’s innards?

  4. What ISP I’m using?

  5. Any other specific information about my computer?

This question has been brought to you by PSCOP (Paranoid Schizophrenics for Computer Privacy) and the letter “C.”

They know your IP address because, if they didn’t, how would they communicate with you? Your IP is essentially the “return address” on the packets sent to the web server. As for your other questions:

  1. No.

  2. No.

  3. No.

  4. Possibly. From your IP address, they can (if they consult a database) at least tell what backbone provider you’re coming from. Finding out what ISP you’re on may or may not be possible depending on many factors, into which I will not delve right now.

  5. They know what browser software you’re using, and what OS family. That’s pretty much it.

BTW: Sites cannot get “lots of info” using cookies. The only info they can get is information put there by them.

In other words:

You: give me this web page.

Server: Here you go. Have a cookie to go with it.

(At a later point)

You: give me this web page. By the way, here’s the cookie you gave me last time.

Now, it’s true that cookies can and have been used nefariously. For example, ad companies that provide banner ads to multiple sites have been known to use them to profile what sites you visit. This is due to a flaw in the implementation of the cookie protocol, which should never have allowed cookies to be sent with images.
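The cookie exchange and the banner-ad profiling described above, as an added example that is not part of the original posts. It is a toy model with no network access; the host names, the `AdServer` and `Browser` classes and the `send_third_party_cookies` switch are all constructed for illustration.

```python
# Added example: toy model of the cookie exchange and banner-ad profiling.
# All host names are constructed; nothing here touches the network.
import itertools


class AdServer:
    """Serves a banner image and hands out an ID cookie on first contact."""

    def __init__(self):
        self.ids = itertools.count(1)
        self.profiles = {}  # cookie value -> pages that embedded the banner

    def serve_banner(self, cookie, referer):
        if cookie is None:  # "Here you go. Have a cookie to go with it."
            cookie = f"id={next(self.ids)}"
        # The server only ever sees the cookie it set itself, plus the Referer.
        self.profiles.setdefault(cookie, []).append(referer)
        return cookie  # value the server puts in its Set-Cookie header


class Browser:
    def __init__(self, send_third_party_cookies):
        self.jar = {}  # host -> cookie string set by that host
        self.send_third_party_cookies = send_third_party_cookies

    def visit(self, page_url, ad_host, ad_server):
        """Load a page that embeds a banner image served from ad_host."""
        cookie = self.jar.get(ad_host) if self.send_third_party_cookies else None
        set_cookie = ad_server.serve_banner(cookie, referer=page_url)
        if self.send_third_party_cookies:
            self.jar[ad_host] = set_cookie  # "here's the cookie you gave me"


def browse(send_third_party_cookies):
    """Visit three unrelated sites that all embed a banner from one ad host."""
    ads = AdServer()
    browser = Browser(send_third_party_cookies)
    for page in ("http://news.example/", "http://shop.example/cart",
                 "http://health.example/symptoms"):
        browser.visit(page, "ads.example", ads)
    return ads.profiles


if __name__ == "__main__":
    print("cookies sent with images:", browse(True))
    print("cookies withheld:        ", browse(False))
```

With the cookie sent on image requests, the ad host files all three pages under one ID; with it withheld, each request looks like a first visit as far as the cookie is concerned.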

If you arrive at a site via a link from another site, then they know the name of that site.

They can read your HD if they want to. Sometimes you’ll see your HD spinning when you visit a website. Who knows what they do with that info?

They can do nothing of the kind (Handy, where do you get this stuff? Are you trying to scare people?). Your hard drive is spinning (actually, it’s always spinning if your machine is on; what the light indicates is that it’s being accessed) because the information that is read off the Net gets written (cached) to disk. This way, if you visit the same site again in the near future, it will read it off your hard disk, which is faster than going back to the network (this is an oversimplified explanation, but you get the idea). The disk access could also be your operating system swapping.

Um, what? No. Web servers cannot read your hard drive.

Yes. In fact, they know the exact URL you came from. This is called the referral address.

A site with certain software can access your Pentium III’s serial number despite Intel’s claims that their little patch fixes things. There is a site here that just accesses it and gives it back to you on a cookie without compromising your security. Not having a Pentium III on my internet computer, I myself can’t test it. Maybe someone can. Big Brother Inside is another site with more in-depth information. Intel claims software patches fix it. Not that I trust them, of course. The only thing to do now is wait for Intel to physically remove the serial number from its new P-IIIs and stop trying to hide it with software.

:: Damning Intel for making the Celeron so crappy and the P-III a security risk. ::

OK, I ran a little program on one of the servers here at school that prints all incoming information to the screen. When I directed a web browser at the correct port for it, to see what the browser sent, this is what it said:

Also, it knows the following information:

The active server port number is 1475
The active server IP ADDRESS is 128.213.7.2
The client port number is 24802
The client IP ADDRESS is 128.113.102.35

Which would be its own (i.e. the server’s) IP address and port number, as well as the web browser’s.

The above was done with Netscape on a Unix system. I’m not sure what info IE makes available. All other information would have to be sent by your computer. What you can get a web browser to tell a server depends on the browser and the security settings you have for it. If your computer’s hard drive is being accessed, it is because a program on your computer itself is accessing it.

To access your hard drive, a web server would have to get you (or your computer at least) to do so. It can’t just look around on its own. Even then, it would have to then send the information out as well.

If you’re really curious what your browser is sending along, I’ve got a little CGI running on my home machine which will echo all the environment variables beginning with “HTTP_” and “REMOTE_”:

http://165.227.59.186/purple/dumphttp.exe

The HTTP_ variables correspond to HTTP headers your browser sent. The REMOTE_ variables are a couple interesting bits of information provided by the CGI interface. I reserve the right to remove this or kill the little toy webserver I’m running if too many people flood my poor little home PC. It shouldn’t be THAT interesting, but you never know.

Notes:

The HTTP_USER_AGENT info is what tells somebody which browser you are using.

The HTTP_REFERER tells which page you linked from - if you follow that link, it should point back to the SDMB.

HTTP_HOST is self explanatory.

If my site had set a cookie on your machine, there would be an HTTP_COOKIE which would simply return whatever strings I had set on your machine, usually used to allow me to dig up any information I’m keeping around about you from past interactions based on an ID kept in the cookie. Note that this would allow me to get your phone number, for instance, only if you had given it to me sometime in the past.
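What a CGI echo like the one described above has to work with, as an added example that is not the poster's program: it maps a raw request onto the HTTP_ and REMOTE_ variables a CGI gateway exposes. The request bytes, host names and peer address are constructed sample data, and `cgi_environment` and `disclosed` are names chosen here; REMOTE_PORT is a common server extension rather than a core CGI variable.

```python
# Added example: map a raw HTTP request onto CGI-style variables.
# The request bytes and the peer address are constructed sample data.

SAMPLE_REQUEST = (
    b"GET /purple/dumphttp.exe HTTP/1.0\r\n"
    b"Host: www.example.test\r\n"
    b"User-Agent: Mozilla/4.7 [en] (X11; U; SunOS 5.7 sun4u)\r\n"
    b"Referer: http://forum.example.test/thread/1234\r\n"
    b"Accept-Language: en\r\n"
    b"Cookie: visitor_id=abc123\r\n"
    b"\r\n"
)
SAMPLE_PEER = ("192.0.2.35", 24802)  # (IP, port) read from the TCP connection


def cgi_environment(raw_request: bytes, peer: tuple) -> dict:
    """Build the variables a CGI gateway derives from one request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    # REMOTE_* come from the connection itself, not from anything the
    # browser chose to say: this is the "return address" on the packets.
    env = {"REMOTE_ADDR": peer[0], "REMOTE_PORT": str(peer[1])}
    for line in head.split("\r\n")[1:]:  # [0] is the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # skip malformed header lines
        key = "HTTP_" + name.strip().upper().replace("-", "_")
        if key in ("HTTP_CONTENT_TYPE", "HTTP_CONTENT_LENGTH"):
            key = key[5:]  # CGI passes these two without the HTTP_ prefix
        value = value.strip()
        # Repeated headers are joined with a comma.
        env[key] = f"{env[key]}, {value}" if key in env else value
    return env


def disclosed(env: dict) -> dict:
    """Keep only what the echo page shows: HTTP_* and REMOTE_* variables."""
    return {k: env[k] for k in sorted(env)
            if k.startswith(("HTTP_", "REMOTE_"))}


if __name__ == "__main__":
    for key, value in disclosed(cgi_environment(SAMPLE_REQUEST, SAMPLE_PEER)).items():
        print(f"{key}={value}")
```

Every value in the output was either sent by the browser as a header or read off the connection; nothing about the machine's hardware, disk contents or owner appears unless a header carries it.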

… but Steve Gibson is.
http://grc.com/
You can go to his website and explore the security vulnerabilities in your system (click on Shields Up). Apparently, by default, Win 95/98 PCs are set up to be internet servers; there is the possibility that hackers could get access to your hard drive with most set ups.

Disabling your network capabilities (on a home PC) and installing a personal firewall (free from Zone Alarm for home users) eliminates this risk.

I have no affiliation with Gibson Research Corp and learned of the website from PC World.