Re: ACTION-231 OPEN Start a discussion about including descriptions of the information divulged to websites by user-agents

The email information isn't something sent by the browser, at least  
not directly - inspecting the source code of the tool that builds  
these pages ( http://ha.ckers.org/mr-t ) it appears that they are  
taking advantage of some gmail/mhtml information disclosure setup.   
It doesn't work for me in Minefield (FF3 build) or FF2, so I can't  
really shed more light than that.  It looks like there are commented  
out sections of the script that tried similar things with msn/yahoo,  
so I suspect the site rides the exploits-of-the-month.

Cheers,

J

---
Johnathan Nightingale
Human Shield
johnath@mozilla.com



On 13-Jun-07, at 8:42 AM, Mary Ellen Zurko wrote:

>
> Interesting thought Bill.
>
> My initial reaction to looking through the data is, what the heck  
> is email doing in information that's given in the clear to every  
> web site. Am I misreading it? I would have thought best practice  
> would be to encode any personal information (and for me, and in the  
> days of spam, my email is personal) in cookies. Can anyone explain  
> that one?
>
>
>           Mez
>
> Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
> Lotus/WPLC Security Strategy and Patent Innovation Architect
>
>
>
> "Doyle, Bill" <wdoyle@mitre.org>
> Sent by: public-wsc-wg-request@w3.org
> 06/12/2007 12:07 PM
>
> To
> "Johnathan Nightingale" <johnath@mozilla.com>, <public-wsc-wg@w3.org>
> cc
> Subject
> RE: ACTION-231 OPEN Start a discussion about including descriptions  
> of the information divulged to websites by user-agents
>
>
>
>
>
> Thx!
>
> All good points. Just putting the information out to generate  
> discussion and see if something can be done to improve security  
> posture.
>
> Yes, the same info that is used by web sites to make things work is  
> used by malicious web sites to compromise the environment. One  
> thought is that "safe" modes of operation could also limit data that  
> is exposed or available.
>
> Appreciate the response.
>
> Bill D.
>
>
> From: Johnathan Nightingale [mailto:johnath@mozilla.com]
> Sent: Tuesday, June 12, 2007 11:15 AM
> To: Doyle, Bill
> Subject: Re: ACTION-231 OPEN Start a discussion about including  
> descriptions of the information divulged to websites by user-agents
>
> I don't dispute that this information goes out, nor that it does so  
> largely without users' knowledge.  My questions for any would-be  
> recommendation of this type are:
>
> a) Can limiting this information be done in any way without  
> breaking the web?  Plugins announcing their presence, user agent  
> strings, referrer strings, and javascript support are all pieces of  
> information that web sites frequently want to know, and that our  
> users, by interacting with those sites, probably don't want to see  
> broken.  I wouldn't want a recommendation included that we know, on  
> its face, that browser vendors won't implement.
>
> b) Even in the absence of explicit disclosure (e.g. http headers  
> describing the user agent and its software environment) there are a  
> variety of fingerprinting attacks that can be used to determine  
> this type of information (e.g. trying some recent javascript  
> construct, and watching for errors, trying to set a cookie and then  
> reloading to see if it stuck.)  Would conformance require  
> countermeasures here too?  Are such things even possible?
>
> c) Aside from limiting the disclosure itself which is maybe not  
> even what is envisioned, can *informing* the user of these things,  
> most of which, by definition, are computerspeak, lead them to make  
> better decisions?  We have it as a goal to reduce the number of  
> situations where trust decisions have to be made by the user, but  
> this would seem to introduce a new one.  That's not immediately  
> inappropriate, if it's a decision that was being badly made for  
> them before now, but I would be interested to hear more about how  
> we make this something users can understand.
>
> That's not intended to be stop-energy - just discussion points.
>
> Cheers,
>
> Johnathan
>
> ---
> Johnathan Nightingale
> Human Shield
> johnath@mozilla.com
>
>
>
> On 11-Jun-07, at 4:41 PM, Doyle, Bill wrote:
>
> In the current user agent environment, security details and privacy  
> information can be extracted by a web site without the user’s  
> permission or knowledge. The user agent environment and many privacy  
> details are readily available to a web site. The information can be  
> used to support the compromise of a user’s security posture in  
> several ways; two methods are included below.
> 1. The operating environment details (e.g. User Agent info,  
> Plug-ins, Email addresses) can be presented back to a user in order  
> to make a malicious web site appear friendly such as a previously  
> visited site or a site trying to help the user. A malicious site  
> can use this information to further compromise the user’s  
> security posture by making the user make incorrect downstream  
> security decisions.
> a. Links to update software or software to fix the operating  
> environment that actually contain additional malware.
> b. Email (gained by the site) can be used to send the  
> user links that need to be immediately acted upon. The email can  
> be designed to further confuse the user and gain additional privacy  
> information or account details.
> 2. A web site can make use of critical flaws in the User  
> Agent environment that can lead to complete compromise of the user’s  
> operating environment allowing remote code execution. A malicious  
> web site can compromise the user’s operating environment without any  
> user interaction besides taking the initial link that led them to  
> the site. Exploits include the following components.
> a. Plug-ins
> b. User Agent itself
> Sample operating environment and user agent details given to a web  
> site are listed below. Information with bold x was valid information  
> determined by a web site but blocked from further distribution.  
> Because application and version information is provided by the User  
> Agent to a web site, a malicious web site can determine if it has an  
> exploit that matches any of the user agent software components and  
> proceed to compromise the user agent if a match is found.
> Environmental variables:
> HTTP_ACCEPT = */*
> HTTP_ACCEPT_LANGUAGE = en-us
> HTTP_CACHE_CONTROL = max-age=259200
> HTTP_CONNECTION = keep-alive
> HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT  
> 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
> HTTP_VIA = 1.0 xxxxx.xxx.xxx:80 (squid/2.5.STABLE6)
> HTTP_X_FORWARDED_FOR = xxx.xx.xxx.xx
> REMOTE_ADDR = xx.xxx.xx.xx
> REMOTE_PORT = xxxxx
> REQUEST_METHOD = GET
> SERVER_PROTOCOL = HTTP/1.0
> Derived Information:
> It appears you are not using Tor
> Your Gmail Email Address: xxx@xxx.com
> Your Real Email Address: undefined
> Browser detection:
> IE7.0 not detected
>
> JavaScript Version: 1.3
> Browser type: Microsoft Internet Explorer
> User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;  
> SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
> System Language: en-us
> Cookies Enabled: true
> Application Version: 4.0 (compatible; MSIE 6.0; Windows NT 5.1;  
> SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
> Platform: Win32
> Application Code Name: Mozilla
> Application Minor Version: ;SP2;
> On line: true
> Application Code Name: Mozilla
> Java Enabled: true
> Your Intranet IP:
> Currently using Internet Explorer and it is your default browser.
> Firefox plugin detection: <atta269b.gif>
> JavaScript variables:
> Window width = 1001
> Window height = 557
> Available Screen Height = 960
> Available Screen Width = 1280
> Color Depth = 32
> Plug-ins
> Plugin_Flash
>  Version 9 (Version 9,0,28,0)
> Plugin_Flash
>  Version 9 (Version 9,0,28,0)
> Plugin_FlashVerEx  9,0,28,0
> Plugin_Director
>  Not installed
> Plugin_DirectorVerEx
> Plugin_QuickTime
>  Not determinable. Either QT is not installed or a version prior to  
> 4.1.1 is installed.
> Plugin_QuickTimeVerEx
> Plugin_Acrobat
>  Installed (Version 8.0.0)
> Plugin_AcrobatVerEx
>  8.0.0
> Plugin_RealPlayer
>  RealPlayer 10 installed (build 6.0.12.1483)
> Plugin_RealPlayerBuild
>  6.0.12.1483
> Plugin_MediaPlayer
>  Installed (Version 10.0.0.4036)
> Plugin_MediaPlayerVerEx
>  10.0.0.4036
> Plugin_Flip4Mac
>  Not installed
> Plugin_JavaVer
>  Not tested
> Plugin_iPIXViewer
>  Not installed
> Plugin_SVGViewer
>  Not installed
> Plugin_CrystalReports
>  Not installed
> Plugin_Viewpoint
>  Not installed
> Plugin_Authorware
>  Not installed
> Plugin_Mapguide
>  Not installed
> Plugin_Citrix
>  Not installed
> Plugin_Custom
>  Not installed
>
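
The header dump Bill quoted shows what a site learns before any script runs. As an added example that is not part of this thread, the following Python parses that CGI-style dump (the header lines from the mail, addresses masked as posted) and summarises the disclosures worth auditing on the user's side: the software components and versions a site can read out of the User-Agent string, and the proxy headers (Via, X-Forwarded-For) that name the proxy software and expose the client address the proxy would otherwise hide.

```python
import re

# Constructed sample: the CGI environment lines from Bill's dump (addresses masked as in the mail).
SAMPLE_ENV = """\
HTTP_ACCEPT = */*
HTTP_ACCEPT_LANGUAGE = en-us
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
HTTP_VIA = 1.0 xxxxx.xxx.xxx:80 (squid/2.5.STABLE6)
HTTP_X_FORWARDED_FOR = xxx.xx.xxx.xx
REMOTE_ADDR = xx.xxx.xx.xx
REQUEST_METHOD = GET
"""

def parse_env(dump):
    """Parse 'KEY = value' lines into a dict."""
    env = {}
    for line in dump.splitlines():
        key, sep, value = line.partition(" = ")
        if sep:
            env[key.strip()] = value.strip()
    return env

# A comment token that ends in a dotted version, e.g. "MSIE 6.0" or ".NET CLR 2.0.50727"
VERSIONED = re.compile(r"^(?P<name>.+?)\s*(?P<version>\d+(?:\.\d+)+)$")

def ua_components(ua):
    """Return (name, version) pairs for every versioned component in a User-Agent string."""
    comps = re.findall(r"([A-Za-z][\w.]*)/(\d+(?:\.\d+)*)", ua)  # product/version tokens
    for comment in re.findall(r"\(([^)]*)\)", ua):               # parenthesised comment
        for token in comment.split(";"):
            m = VERSIONED.match(token.strip())
            if m:
                comps.append((m.group("name"), m.group("version")))
    return comps

def disclosure_report(env):
    """Summarise what a site learns from the request headers alone."""
    via = env.get("HTTP_VIA", "")
    proxy = re.search(r"\(([^)]*)\)", via)
    return {
        "software": ua_components(env.get("HTTP_USER_AGENT", "")),
        "language": env.get("HTTP_ACCEPT_LANGUAGE"),
        # Via shows the request crossed a proxy and names the proxy software
        "behind_proxy": bool(via),
        "proxy_software": proxy.group(1) if proxy else None,
        # X-Forwarded-For, when the proxy adds it, exposes the client address the proxy would otherwise hide
        "client_ip_forwarded": "HTTP_X_FORWARDED_FOR" in env,
    }

if __name__ == "__main__":
    for key, value in disclosure_report(parse_env(SAMPLE_ENV)).items():
        print(f"{key}: {value}")
```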

Received on Wednesday, 13 June 2007 13:47:15 UTC