- From: Doyle, Bill <wdoyle@mitre.org>
- Date: Tue, 12 Jun 2007 12:07:10 -0400
- To: "Johnathan Nightingale" <johnath@mozilla.com>, <public-wsc-wg@w3.org>
- Message-ID: <518C60F36D5DBC489E91563736BA4B5801814A8F@IMCSRV5.MITRE.ORG>
Thx! All good points. Just putting the information out to generate discussion and see if something can be done to improve security posture. Yes, the same info that is used by web sites to make things work is used by malicious web sites to compromise the environment. One though is that "safe" modes of operation could also limit data that is exposed or available. Appreciate the response. Bill D. ________________________________ From: Johnathan Nightingale [mailto:johnath@mozilla.com] Sent: Tuesday, June 12, 2007 11:15 AM To: Doyle, Bill Subject: Re: ACTION-231 OPEN Start a discussion about including descriptions of the information divulged to websites by user-agents I don't dispute that this information goes out, nor that it does so largely without users' knowledge. My questions for any would-be recommendation of this type are: a) Can limiting this information be done in any way without breaking the web? Plugins announcing their presence, user agent strings, referrer strings, and javascript support are all pieces of information that web sites frequently want to know, and that our users, by interacting with those sites, probably don't want to see broken. I wouldn't want a recommendation included that we know, on its face, that browser vendors won't implement. b) Even in the absence of explicit disclosure (e.g. http headers describing the user agent and its software environment) there are a variety of fingerprinting attacks that can be used to determine this type of information (e.g. trying some recent javascript construct, and watching for errors, trying to set a cookie and then reloading to see if it stuck.) Would conformance require countermeasures here too? Are such things even possible? c) Aside from limiting the disclosure itself which is maybe not even what is envisioned, can *informing* the user of these things, most of which, by definition, are computerspeak, lead them to make better decisions? We have it as a goal to reduce the number of situations where trust decisions have to be made by the user, but this would seem to introduce a new one. That's not immediately inappropriate, if it's a decision that was being badly made for them before now, but I would be interested to hear more about how we make this something users can understand. That's not intended to be stop-energy - just discussion points. Cheers, Johnathan --- Johnathan Nightingale Human Shield johnath@mozilla.com On 11-Jun-07, at 4:41 PM, Doyle, Bill wrote: In the current user agent environment, security details and privacy information can be extracted by a web site without the user's permission or knowledge. The user agent environment and many privacy details are readily available to a web site. The information can used to support the compromise of a user's security posture in several ways; two methods are included below. 1. The operating environment details (e.g. User Agent info. Plug-ins, Email addresses) can be presented back to a user in order to make a malicious web site appear friendly such as a previously visited site or a site trying to help the user. A malicious site can use this information to further compromise of the user's security posture by making the user make incorrect downstream security decisions. a. Links to update software or software to fix operating environment that actually contain additional malware. b. Email (gained by the site) can be used to send to the user links that need to be immediately acted upon. The email can be designed to further confuse the user and gain additional privacy information or account details. 2. A web site can make use of critical flaws in the User Agent environment that can lead to complete compromise of the users operating environment allowing remote code execution. A malicious web site can compromise the users operating environment without any user interaction besides taking the initial link that lead them to the site. Exploits include the following components. a. Plug-ins b. User Agent itself Sample operating environment and user agent details given to a web site is listed below. Information with bold x was valid information determined by a web site but blocked from further distribution. Because application and version information is provided by User Agent to a web site, a malicious web site can determine if it has a exploit that matches any of the user agent software components and proceed to compromise the user agent if a match is found. Environmental variables: HTTP_ACCEPT = */* HTTP_ACCEPT_LANGUAGE = en-us HTTP_CACHE_CONTROL = max-age=259200 HTTP_CONNECTION = keep-alive HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) HTTP_VIA = 1.0 xxxxx.xxx.xxx:80 (squid/2.5.STABLE6) HTTP_X_FORWARDED_FOR = xxx.xx.xxx.xx REMOTE_ADDR = xx.xxx.xx.xx REMOTE_PORT = xxxxx REQUEST_METHOD = GET SERVER_PROTOCOL = HTTP/1.0 Derived Information: It appears you are not using Tor Your Gmail Email Address: xxx@xxx.com Your Real Email Address: undefined Browser detection: IE7.0 not detected JavaScript Version: 1.3 Browser type: Microsoft Internet Explorer User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) System Language: en-us Cookies Enabled: true Application Version: 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30) Platform: Win32 Application Code Name: Mozilla Application Minor Version: ;SP2; On line: true Application Code Name: Mozilla Java Enabled: true Your Intranet IP: Currently using Internet Explorer and it is your default browser. Firefox plugin detection: <atta269b.gif> JavaScript variables: Window width = 1001 Window height = 557 Available Screen Height = 960 Available Screen Width = 1280 Color Depth = 32 Plug-ins Plugin_Flash Version 9 (Version 9,0,28,0) Plugin_Flash Version 9 (Version 9,0,28,0) Plugin_FlashVerEx 9,0,28,0 Plugin_Director Not installed Plugin_DirectorVerEx Plugin_QuickTime Not determinable. Either QT is not installed or a version prior to 4.1.1 is installed. Plugin_QuickTimeVerEx Plugin_Acrobat Installed (Version 8.0.0) Plugin_AcrobatVerEx 8.0.0 Plugin_RealPlayer RealPlayer 10 installed (build 6.0.12.1483) Plugin_RealPlayerBuild 6.0.12.1483 Plugin_MediaPlayer Installed (Version 10.0.0.4036) Plugin_MediaPlayerVerEx 10.0.0.4036 Plugin_Flip4Mac Not installed Plugin_JavaVer Not tested Plugin_iPIXViewer Not installed Plugin_SVGViewer Not installed Plugin_CrystalReports Not installed Plugin_Viewpoint Not installed Plugin_Authorware Not installed Plugin_Mapguide Not installed Plugin_Citrix Not installed Plugin_Custom Not installed
Received on Tuesday, 12 June 2007 16:07:19 UTC