Friday, 16 May 2008

Nebuad's opt-out

I thought I'd have a quick look at one of Phorm's rivals, Nebuad.

Apparently much like Phorm, Nebuad uses a cookie based opt-out. Opting out or back-in is achieved by requesting a URL, in response to which Nebuad's server sends your browser its opt-out, or opt-in cookies...

Surprisingly, the opt-in /opt-out pages are indexed by google:

The above search no longer works try

Also cookie "h" is no longer set.

WARNING: if your ISP uses Nebuad and you've already opted-out, then opening the second search result shown in google ( will almost certainly opt you back in.

WARNING: I've just noticed that Firefox has a page pre-fetch feature which might result in the opt-in page being accessed and the cookie changed just by clicking on the google search above (depends on which link appears first I think)- if you click on the link above, please make sure you opt-out afterwards.

Nebuad's opt-in/opt page can be found here:-

Opting in creates 2 sets of 5 cookies, "o","u","c","h","w", one set in "", and the other in the "" subdomain. Opting out sets "o"="9" and deletes the other cookies.

o = 0 appears to indicate opted in.
o = 9 indicates opted out.

My guess is "o" might be a set of binary flags eg

bit #0 = 1 - don't track
bit #3 = 1 - don't show targetted adverts.

'c' is the name of an adserver.
'h' and 'u' are set to matching 14 digit numbers.
'w' is another 14 digit number, which appears to count upwards (could be a date and time perhaps?).

Different sets of numbers are generated for the a and b subdomains.

If you look at the bottom of the opt-in page you'll see the actual opt-in urls passed using a couple of <script> tags right at the very bottom after the closing html tag, the browser will request these urls and the server will set the cookies in the response and close the connection (no actual javascript is returned by the response).

<script language="JavaScript" src=""></script>
<script language="JavaScript" src=""></script>

And for the opt-out page.

<script language="JavaScript" src=""></script>
<script language="JavaScript" src=""></script>

There does not appear to be any measures in place to prevent an "evil" website from opting you back-in using the same method - try clicking on Google's cached optin_done link and check for cookies.