RE: ACTION-231 OPEN Start a discussion about including descriptions of the information divulged to websites by user-agents

Interesting thought Bill. 

My initial reaction to looking through the data is, what the heck is email 
doing in information that's given in the clear to every web site. Am I 
misreading it? I would have thought best practice would be to encode any 
personal information (and for me, and in the days of spam, my email is 
personal) in cookies. Can anyone explain that one? 


          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect




"Doyle, Bill" <wdoyle@mitre.org>
Sent by: public-wsc-wg-request@w3.org
06/12/2007 12:07 PM

To: "Johnathan Nightingale" <johnath@mozilla.com>, <public-wsc-wg@w3.org>
Subject: RE: ACTION-231 OPEN Start a discussion about including descriptions of the information divulged to websites by user-agents

Thx!
 
All good points. Just putting the information out to generate discussion 
and see if something can be done to improve security posture.
 
Yes, the same info that is used by web sites to make things work is used 
by malicious web sites to compromise the environment. One thought is that 
"safe" modes of operation could also limit data that is exposed or 
available.
 
Appreciate the response. 
 
Bill D.
 

From: Johnathan Nightingale [mailto:johnath@mozilla.com] 
Sent: Tuesday, June 12, 2007 11:15 AM
To: Doyle, Bill
Subject: Re: ACTION-231 OPEN Start a discussion about including 
descriptions of the information divulged to websites by user-agents

I don't dispute that this information goes out, nor that it does so 
largely without users' knowledge.  My questions for any would-be 
recommendation of this type are: 

a) Can limiting this information be done in any way without breaking the 
web?  Plugins announcing their presence, user agent strings, referrer 
strings, and javascript support are all pieces of information that web 
sites frequently want to know, and that our users, by interacting with 
those sites, probably don't want to see broken.  I wouldn't want a 
recommendation included that we know, on its face, that browser vendors 
won't implement.

b) Even in the absence of explicit disclosure (e.g. http headers 
describing the user agent and its software environment) there are a 
variety of fingerprinting attacks that can be used to determine this type 
of information (e.g. trying some recent javascript construct, and watching 
for errors, trying to set a cookie and then reloading to see if it stuck.) 
 Would conformance require countermeasures here too?  Are such things even 
possible?

c) Aside from limiting the disclosure itself which is maybe not even what 
is envisioned, can *informing* the user of these things, most of which, by 
definition, are computerspeak, lead them to make better decisions?  We 
have it as a goal to reduce the number of situations where trust decisions 
have to be made by the user, but this would seem to introduce a new one. 
That's not immediately inappropriate, if it's a decision that was being 
badly made for them before now, but I would be interested to hear more 
about how we make this something users can understand.

That's not intended to be stop-energy - just discussion points.

Cheers,

Johnathan

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com



On 11-Jun-07, at 4:41 PM, Doyle, Bill wrote:

In the current user agent environment, security details and privacy 
information can be extracted by a web site without the user's permission 
or knowledge. The user agent environment and many privacy details are 
readily available to a web site. The information can be used to support the 
compromise of a user's security posture in several ways; two methods are 
included below.

1. The operating environment details (e.g. User Agent info, Plug-ins, 
   Email addresses) can be presented back to a user in order to make a 
   malicious web site appear friendly such as a previously visited site or a 
   site trying to help the user. A malicious site can use this information to 
   further the compromise of the user's security posture by making the user 
   make incorrect downstream security decisions.
   a. Links to update software or software to fix operating environment 
      that actually contain additional malware.
   b. Email (gained by the site) can be used to send to the user links 
      that need to be immediately acted upon. The email can be designed to 
      further confuse the user and gain additional privacy information or 
      account details.
2. A web site can make use of critical flaws in the User Agent 
   environment that can lead to complete compromise of the user's operating 
   environment allowing remote code execution. A malicious web site can 
   compromise the user's operating environment without any user interaction 
   besides taking the initial link that led them to the site. Exploits 
   include the following components.
   a. Plug-ins
   b. User Agent itself

Sample operating environment and user agent details given to a web site are 
listed below. Information with bold x was valid information determined by 
a web site but blocked from further distribution.  Because application and 
version information is provided by User Agent to a web site, a malicious 
web site can determine if it has an exploit that matches any of the user 
agent software components and proceed to compromise the user agent if a 
match is found.

Environmental variables:
HTTP_ACCEPT = */*
HTTP_ACCEPT_LANGUAGE = en-us
HTTP_CACHE_CONTROL = max-age=259200
HTTP_CONNECTION = keep-alive
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; 
.NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
HTTP_VIA = 1.0 xxxxx.xxx.xxx:80 (squid/2.5.STABLE6)
HTTP_X_FORWARDED_FOR = xxx.xx.xxx.xx
REMOTE_ADDR = xx.xxx.xx.xx
REMOTE_PORT = xxxxx
REQUEST_METHOD = GET
SERVER_PROTOCOL = HTTP/1.0
Derived Information:
It appears you are not using Tor
Your Gmail Email Address: xxx@xxx.com
Your Real Email Address: undefined
Browser detection: 
IE7.0 not detected 

JavaScript Version: 1.3
Browser type: Microsoft Internet Explorer
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET 
CLR 2.0.50727; .NET CLR 3.0.04506.30)
System Language: en-us
Cookies Enabled: true
Application Version: 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET 
CLR 2.0.50727; .NET CLR 3.0.04506.30)
Platform: Win32
Application Code Name: Mozilla
Application Minor Version: ;SP2;
On line: true
Application Code Name: Mozilla
Java Enabled: true
Your Intranet IP: 
Currently using Internet Explorer and it is your default browser.
Firefox plugin detection: <atta269b.gif>
JavaScript variables: 
Window width = 1001
Window height = 557
Available Screen Height = 960
Available Screen Width = 1280
Color Depth = 32
Plug-ins 
Plugin_Flash 
 Version 9 (Version 9,0,28,0) 
Plugin_Flash 
 Version 9 (Version 9,0,28,0) 
Plugin_FlashVerEx  9,0,28,0 
Plugin_Director 
 Not installed 
Plugin_DirectorVerEx 
Plugin_QuickTime 
 Not determinable. Either QT is not installed or a version prior to 4.1.1 
is installed. 
Plugin_QuickTimeVerEx 
Plugin_Acrobat 
 Installed (Version 8.0.0) 
Plugin_AcrobatVerEx 
 8.0.0 
Plugin_RealPlayer 
 RealPlayer 10 installed (build 6.0.12.1483) 
Plugin_RealPlayerBuild 
 6.0.12.1483 
Plugin_MediaPlayer 
 Installed (Version 10.0.0.4036) 
Plugin_MediaPlayerVerEx 
 10.0.0.4036 
Plugin_Flip4Mac 
 Not installed 
Plugin_JavaVer 
 Not tested 
Plugin_iPIXViewer 
 Not installed 
Plugin_SVGViewer 
 Not installed 
Plugin_CrystalReports 
 Not installed 
Plugin_Viewpoint 
 Not installed 
Plugin_Authorware 
 Not installed 
Plugin_Mapguide 
 Not installed 
Plugin_Citrix 
 Not installed 
Plugin_Custom 
 Not installed
 
 
 

Received on Wednesday, 13 June 2007 12:42:57 UTC
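
Added example, not part of the original thread: a small Python audit that groups what the request variables in Bill Doyle's sample tell a server, so the exposure can be checked per header. The User-Agent and Via values are copied from that sample; the proxy host name and forwarded address were redacted there, so `proxy.example` and `192.0.2.10` are constructed placeholders, and the function names are hypothetical.

```python
import re

# Request variables as a CGI server sees them. User-Agent and Via software
# values come from the dump in the thread; the redacted host and address are
# replaced by constructed documentation placeholders.
SAMPLE_ENV = {
    "HTTP_ACCEPT": "*/*",
    "HTTP_ACCEPT_LANGUAGE": "en-us",
    "HTTP_USER_AGENT": ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; "
                        "SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)"),
    "HTTP_VIA": "1.0 proxy.example:80 (squid/2.5.STABLE6)",
    "HTTP_X_FORWARDED_FOR": "192.0.2.10",
}

# A name followed by a version, e.g. "MSIE 6.0" or "squid/2.5.STABLE6".
VERSIONED = re.compile(r"^(?P<name>[A-Za-z.][A-Za-z. ]*?)[ /](?P<ver>\d[\w.]*)$")


def versioned_tokens(value):
    """Return (name, version) pairs from product tokens and (...) comments."""
    outside = re.sub(r"\([^)]*\)", " ", value)
    tokens = [t for t in outside.split() if "/" in t]
    for comment in re.findall(r"\(([^)]*)\)", value):
        tokens += [item.strip() for item in comment.split(";")]
    pairs = []
    for tok in tokens:
        m = VERSIONED.match(tok)
        if m:
            pairs.append((m.group("name").strip(), m.group("ver")))
    return pairs


def audit_disclosure(env):
    """Group what one request reveals by the kind of information exposed."""
    report = {"software_versions": [], "network_path": [], "locale": []}
    for header in ("HTTP_USER_AGENT", "HTTP_VIA"):
        for name, ver in versioned_tokens(env.get(header, "")):
            report["software_versions"].append(f"{header}: {name} {ver}")
    for header in ("HTTP_VIA", "HTTP_X_FORWARDED_FOR"):
        if header in env:
            report["network_path"].append(f"{header}: {env[header]}")
    if "HTTP_ACCEPT_LANGUAGE" in env:
        report["locale"].append(env["HTTP_ACCEPT_LANGUAGE"])
    return report


if __name__ == "__main__":
    for kind, items in audit_disclosure(SAMPLE_ENV).items():
        print(kind, items)
```

The report makes visible that the browser, the operating system, two runtime versions and the forwarding proxy's build are all named before any script runs on the page.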