RE: ACTION-231 OPEN Start a discussion about including descriptions of the information divulged to websites by user-agents from Doyle, Bill on 2007-06-12 (public-wsc-wg@w3.org from June 2007)

From: Doyle, Bill <wdoyle@mitre.org>
Date: Tue, 12 Jun 2007 12:07:10 -0400
To: "Johnathan Nightingale" <johnath@mozilla.com>, <public-wsc-wg@w3.org>
Message-ID: <518C60F36D5DBC489E91563736BA4B5801814A8F@IMCSRV5.MITRE.ORG>
Thx!
 
All good points. Just putting the information out to generate
discussion and see if something can be done to improve security
posture.
 
Yes, the same info that is used by web sites to make things work is
used by malicious web sites to compromise the environment. One though
is that "safe" modes of operation could also limit data that is exposed
or available.
 
Appreciate the response. 
 
Bill D.
 



________________________________

	From: Johnathan Nightingale [mailto:johnath@mozilla.com] 
	Sent: Tuesday, June 12, 2007 11:15 AM
	To: Doyle, Bill
	Subject: Re: ACTION-231 OPEN Start a discussion about including
descriptions of the information divulged to websites by user-agents
	
	
	I don't dispute that this information goes out, nor that it
does so largely without users' knowledge.  My questions for any
would-be recommendation of this type are: 

	a) Can limiting this information be done in any way without
breaking the web?  Plugins announcing their presence, user agent
strings, referrer strings, and javascript support are all pieces of
information that web sites frequently want to know, and that our users,
by interacting with those sites, probably don't want to see broken.  I
wouldn't want a recommendation included that we know, on its face, that
browser vendors won't implement.

	b) Even in the absence of explicit disclosure (e.g. http
headers describing the user agent and its software environment) there
are a variety of fingerprinting attacks that can be used to determine
this type of information (e.g. trying some recent javascript construct,
and watching for errors, trying to set a cookie and then reloading to
see if it stuck.)  Would conformance require countermeasures here too?
Are such things even possible?

	c) Aside from limiting the disclosure itself which is maybe not
even what is envisioned, can *informing* the user of these things, most
of which, by definition, are computerspeak, lead them to make better
decisions?  We have it as a goal to reduce the number of situations
where trust decisions have to be made by the user, but this would seem
to introduce a new one.  That's not immediately inappropriate, if it's
a decision that was being badly made for them before now, but I would
be interested to hear more about how we make this something users can
understand.

	That's not intended to be stop-energy - just discussion points.

	Cheers,

	Johnathan

	
	---
	Johnathan Nightingale
	Human Shield
	johnath@mozilla.com



	On 11-Jun-07, at 4:41 PM, Doyle, Bill wrote:


		
		In the current user agent environment, security details
and privacy information can be extracted by a web site without the
user's permission or knowledge. The user agent environment and many
privacy details are readily available to a web site. The information
can used to support the compromise of a user's security posture in
several ways; two methods are included below.
		

		1.	The operating environment details (e.g. User
Agent info. Plug-ins, Email addresses) can be presented back to a user
in order to make a malicious web site appear friendly such as a
previously visited site or a site trying to help the user. A malicious
site can use this information to further compromise of the user's
security posture by making the user make incorrect downstream security
decisions.

		

			a.	Links to update software or software to
fix operating environment that actually contain additional malware. 
			b.	Email (gained by the site) can be used
to send to the user links that need to be immediately acted upon. The
email  can be designed to further confuse the user and gain additional
privacy information or account details.

		

		2.	A web site can make use of critical flaws in
the User Agent environment that can lead to complete compromise of the
users operating environment allowing remote code execution. A malicious
web site can compromise the users operating environment without any
user interaction besides taking the initial link that lead them to the
site. Exploits include the following components. 

			a.	Plug-ins 
			b.	User Agent itself

		
		Sample operating environment and user agent details
given to a web site is listed below. Information with bold x was valid
information determined by a web site but blocked from further
distribution.  Because application and version information is provided
by User Agent to a web site, a malicious web site can determine if it
has a exploit that matches any of the user agent software components
and proceed to compromise the user agent if a match is found.
		
		Environmental variables:
		HTTP_ACCEPT = */*
		HTTP_ACCEPT_LANGUAGE = en-us
		HTTP_CACHE_CONTROL = max-age=259200
		HTTP_CONNECTION = keep-alive
		HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0;
Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
		HTTP_VIA = 1.0 xxxxx.xxx.xxx:80 (squid/2.5.STABLE6)
		HTTP_X_FORWARDED_FOR = xxx.xx.xxx.xx
		REMOTE_ADDR = xx.xxx.xx.xx
		REMOTE_PORT = xxxxx
		REQUEST_METHOD = GET
		SERVER_PROTOCOL = HTTP/1.0
		Derived Information:
		It appears you are not using Tor
		Your Gmail Email Address: xxx@xxx.com
		Your Real Email Address: undefined
		Browser detection: 
		IE7.0 not detected 
		
		
		JavaScript Version: 1.3
		Browser type: Microsoft Internet Explorer
		User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
		System Language: en-us
		Cookies Enabled: true
		Application Version: 4.0 (compatible; MSIE 6.0; Windows
NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
		Platform: Win32
		Application Code Name: Mozilla
		Application Minor Version: ;SP2;
		On line: true
		Application Code Name: Mozilla
		Java Enabled: true
		Your Intranet IP: 
		Currently using Internet Explorer and it is your
default browser.
		
		Firefox plugin detection: <atta269b.gif>
		JavaScript variables: 
		Window width = 1001
		Window height = 557
		Available Screen Height = 960
		Available Screen Width = 1280
		Color Depth = 32
		
		Plug-ins 
		
		Plugin_Flash 
		 Version 9 (Version 9,0,28,0) 
		Plugin_Flash 
		 Version 9 (Version 9,0,28,0) 
		Plugin_FlashVerEx  9,0,28,0 
		Plugin_Director 
		 Not installed 
		Plugin_DirectorVerEx 
		Plugin_QuickTime 
		 Not determinable. Either QT is not installed or a
version prior to 4.1.1 is installed. 
		Plugin_QuickTimeVerEx  
		Plugin_Acrobat 
		 Installed (Version 8.0.0) 
		Plugin_AcrobatVerEx 
		 8.0.0 
		Plugin_RealPlayer 
		 RealPlayer 10 installed (build 6.0.12.1483) 
		Plugin_RealPlayerBuild 
		 6.0.12.1483 
		Plugin_MediaPlayer 
		 Installed (Version 10.0.0.4036) 
		Plugin_MediaPlayerVerEx 
		 10.0.0.4036 
		Plugin_Flip4Mac 
		 Not installed 
		Plugin_JavaVer 
		 Not tested 
		Plugin_iPIXViewer 
		 Not installed 
		Plugin_SVGViewer 
		 Not installed 
		Plugin_CrystalReports 
		 Not installed 
		Plugin_Viewpoint 
		 Not installed 
		Plugin_Authorware 
		 Not installed 
		Plugin_Mapguide 
		 Not installed 
		Plugin_Citrix 
		 Not installed 
		Plugin_Custom 
		 Not installed
Received on Tuesday, 12 June 2007 16:07:19 UTC