On Fri, Dec 25, 2009 at 05:46:22PM +0000, corvid wrote:
bb wrote:
On http://www.dillo.org/ I found the item News and a remark:
03-Jul-2009 Dillo-2.1.1 has been released to provide a security fix for malicious images. I am not sure what is meant by "malicious images". Are these so-called Web bugs? If yes, how is the blocking done?
Here's the advisory about the image size problem: http://www.ocert.org/advisories/ocert-2009-008.html
I think there are some strategies possible to prevent a browser from a Web Bug attack:
1. Don't allow loading gifs or pngs from another URL than the one the actual page comes from. (I think I remember that firefox originally had such an option; it is not available in the actual version.)
Here's the beginning of a thread and a patch experimenting with this: http://lists.auriga.wearlab.de/pipermail/dillo-dev/2009-September/006844.htm... (the "same host" option was found to be useless, but I'm still interested in "same domain")
2. I think one might prepare HTML/CSS not to load such gifs or pngs smaller than, say, about 5x5. Do you think such a measure is feasible in Dillo, and could that really stop Web Bugs? But I think that there should not be a problem making Web Bugs larger than 1x1 pixel as long as they are transparent. Maybe I am wrong; I am just a simple-minded user, not a web professional. So such a limit might be useless?
AFAIS your analysis is correct. There's no problem in increasing the web bug image size, especially in these broadband days... Personally I have hopes on restricting resource loading from other sites, but as corvid cites, it's non-trivial and requires careful thought. As a highly interested user, you may gather some information on web bugs, techniques to avoid them, etc. and post a summary of your findings here. That would help a lot. We have the knowledge on how to code dillo and restricted time to work on it. If you can help us, everybody gains.
Here's a post and patch experimenting with rejecting images with a dimension of 0: http://lists.auriga.wearlab.de/pipermail/dillo-dev/2009-December/007101.html
Are there other ideas? I am highly interested in that Web Bug problem.
I'm glad to hear this, since user interest may encourage things to happen...
I'm very interested in this topic, although I haven't found free time these days...
-- Cheers Jorge.-
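The thread discusses three candidate load restrictions for tracking images: rejecting images with a zero dimension (corvid's patch), a minimum-size threshold (bb's 5x5 idea, which bb suspects is useless because a bug can simply be larger and transparent), and a same-domain rule (the patch corvid links). The following is an added example, not code from dillo or from any poster, showing how such a policy could be expressed as one decision function and why the size threshold alone is weak: a 20x20 transparent image from a third-party host passes the size check and is only caught by the domain rule. The policy values, hostnames and image sizes are constructed for illustration. The "registrable domain" helper is a last-two-labels heuristic, an assumption made here to keep the example self-contained; a real implementation would need the public suffix list, since it misclassifies hosts like foo.co.uk.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Policy knobs corresponding to the three ideas in the thread. */
typedef struct {
    bool reject_zero_dim;     /* drop images declared as 0xN or Nx0 */
    int  min_pixels;          /* drop images with fewer pixels than this; 0 = off */
    bool require_same_domain; /* drop images served from outside the page's domain */
} img_policy_t;

typedef enum { LOAD_OK, BLOCK_ZERO_DIM, BLOCK_TINY, BLOCK_CROSS_DOMAIN } img_verdict_t;

/* Constructed "strict" policy used by the sample run below (values are assumptions). */
static const img_policy_t strict_policy = { true, 25, true };

/* Heuristic: return the last two labels of a hostname,
   e.g. "img.example.org" -> "example.org". This is NOT public-suffix aware:
   "foo.co.uk" would yield "co.uk", so a real browser needs the suffix list. */
const char *registrable_domain(const char *host)
{
    size_t len = strlen(host);
    int dots = 0;
    for (size_t i = len; i > 0; i--) {
        if (host[i - 1] == '.') {
            dots++;
            if (dots == 2)
                return host + i;      /* character right after the second dot from the end */
        }
    }
    return host;                      /* one label or fewer dots: whole host */
}

/* Decide whether an image declared width x height, served from img_host,
   may be loaded into a page served from page_host. Checks are ordered from
   cheapest to most policy-dependent; the first failing check wins. */
img_verdict_t image_load_verdict(const img_policy_t *pol, const char *page_host,
                                 const char *img_host, int width, int height)
{
    if (pol->reject_zero_dim && (width == 0 || height == 0))
        return BLOCK_ZERO_DIM;
    if (pol->min_pixels > 0 && (long)width * height < pol->min_pixels)
        return BLOCK_TINY;
    if (pol->require_same_domain &&
        strcasecmp(registrable_domain(page_host), registrable_domain(img_host)) != 0)
        return BLOCK_CROSS_DOMAIN;
    return LOAD_OK;
}

static const char *verdict_name(img_verdict_t v)
{
    switch (v) {
    case LOAD_OK:            return "load";
    case BLOCK_ZERO_DIM:     return "block (zero dimension)";
    case BLOCK_TINY:         return "block (below size threshold)";
    case BLOCK_CROSS_DOMAIN: return "block (cross-domain)";
    }
    return "?";
}

int main(void)
{
    /* Constructed sample requests from a page on www.example.org. */
    struct { const char *host; int w, h; } reqs[] = {
        { "img.example.org",     200, 100 }, /* ordinary same-domain image */
        { "img.example.org",       0, 100 }, /* zero dimension: rejected outright */
        { "tracker.example.net",   1,   1 }, /* classic 1x1 third-party bug */
        { "tracker.example.net",  20,  20 }, /* larger transparent bug: size check passes */
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        img_verdict_t v = image_load_verdict(&strict_policy, "www.example.org",
                                             reqs[i].host, reqs[i].w, reqs[i].h);
        printf("%-22s %4dx%-4d -> %s\n", reqs[i].host, reqs[i].w, reqs[i].h, verdict_name(v));
    }
    return 0;
}
```

Running it shows the 1x1 image blocked by the size rule but the 20x20 image blocked only by the same-domain rule; with `require_same_domain` off, the 20x20 third-party image loads, which is the weakness bb anticipates. Turning the same-domain rule on also blocks legitimate CDN-hosted images, which is the "careful thought" problem Jorge refers to.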