Jorge Arellano Cid wrote:
On Fri, Dec 25, 2009 at 05:46:22PM +0000, corvid wrote:
bb wrote:
On http://www.dillo.org/ I found the item News and a remark:
03-Jul-2009 Dillo-2.1.1 has been released to provide a security fix for malicious images. I am not sure what is meant by "malicious images". Are these so-called Web bugs? If yes, how is the blocking done?
Here's the advisory about the image size problem: http://www.ocert.org/advisories/ocert-2009-008.html
I think there are some strategies possible to prevent a browser from a Web Bug attack:
1. Don't allow loading GIFs or PNGs from a URL other than the one the current page comes from. (I seem to remember that Firefox originally had such an option; it is not available in the current version.)
Here's the beginning of a thread and a patch experimenting with this: http://lists.auriga.wearlab.de/pipermail/dillo-dev/2009-September/006844.htm...
(the "same host" option was found to be useless, but I'm still interested in "same domain")
2. I think one might prepare HTML/CSS so as not to load such GIFs or PNGs smaller than, say, about 5x5. Do you think such a measure is feasible in Dillo, and could it really stop Web Bugs? But I think there should be no problem in making Web Bugs larger than 1x1 pixel as long as they are transparent. Maybe I am wrong; I am just a simple-minded user, not a web professional. So such a limit might be useless?
AFAICS your analysis is correct. There's no problem in increasing the web bug image size, especially in these broadband days...
Personally I have hopes on restricting resource loading from other sites, but as corvid cites, it's non trivial and requires careful thought.
As a highly interested user, you may gather some information on web bugs, techniques to avoid them, etc. and post a summary of your findings here. That would help a lot. We have the knowledge of how to code dillo and limited time to work on it. If you can help us, everybody gains.
Here's a post and patch experimenting with rejecting images with a dimension of 0: http://lists.auriga.wearlab.de/pipermail/dillo-dev/2009-December/007101.html
Are there other ideas? I am highly interested in that Web Bug problem.
I'm glad to hear this, since user interest may encourage things to happen...
I'm very interested in this topic, although haven't found free time these days...
Thank you for your response. The beginning of my web bug adventure was some curiosity as I played around with http://livehttpheaders.mozdev.org. I found some strange things, and momentarily felt like the guy in "Blue Velvet", finding a cut ear and coming into contact with a strange and evil world outside a wardrobe. The really evil things can only be done by JavaScript, so dillo is on the safe side.

It may be of general interest: as a countermeasure I found the plugin Ghostery for Firefox. Ghostery has a large list of known web bugs and can block them. Most of the software one finds is Google's urchin.js, but Google has new software, ga.js. There was even a launch of "Turn Key Web Analytics In A Box" on Friday, December 18, 2009, see http://www.coradiant.com/news/091209_analyticsbox.htm. The list of web bugs can be found here: http://code.google.com/p/ghostery/source/browse/trunk/firefox/ghostery-statu... One may check out a read-only working copy anonymously over HTTP: http://code.google.com/p/ghostery/source/checkout

As I just pointed out, a dillo user cannot be tracked by any JavaScript code. But even a simple Web Bug with an HTTP request to a tracking server can get a lot of information about the request. AFAIK that is the client IP address, certainly the request date/time, the page requested, HTTP code, bytes served, user agent, and referer. So the tracker knows the URL of the page containing the bug, which allows the server to determine which particular Web page the user has accessed. But more than that, the URL of the bug can be appended with an arbitrary string in various ways with extra information to identify the loading conditions of the bug. This extra information can be added while sending the page or by JavaScript scripts after the download (but as pointed out, no JavaScript with Dillo). Web bugs can also be used in combination with HTTP cookies (if there are any), like any other object transferred using the HTTP protocol.

One might say, use a proxy. But I found that nearly all of the free proxies are real trojans and send such web bugs, most often in the advertising pictures. I asked a couple of the providers of free proxy services. The usual answer was that they do not send web bugs, but the bad advertisers do. And usually they offered me their paid service that is free of advertising. And very often those web bug requests will NOT be sent via the proxy!!

You sent me an option switch to forbid dillo from requesting a domain other than that of the page currently in use: http://lists.auriga.wearlab.de/pipermail/dillo-dev/2009-September/006844.htm... How can I patch Dillo in this way? It might be useful to have that as an option in Dillo; I am sure not every user is comfortable with that restriction.

Season's greetings
BB
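The two client-side defences the thread circles around are (a) refusing, before any request is made, to fetch images from a domain other than the page's (the "same domain" option) and (b) rejecting images whose header declares a zero or absurd size before a pixel buffer is allocated. The block below is an added illustration written for this page; it is not Dillo code and not either of the patches linked above. It assumes a simplified "last two labels" notion of domain (the public suffix list would be needed for names like example.co.uk), an arbitrary 64-megapixel cap, and constructed GIF/PNG header bytes for its samples; all function names are hypothetical.

```c
/* Client-side web-bug and malicious-image checks: a same-domain load policy and a
 * declared-dimension check on GIF/PNG headers. Added example, not Dillo's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts for check_image_header(). */
enum img_verdict { IMG_OK = 0, IMG_UNKNOWN, IMG_TRUNCATED, IMG_ZERO_DIM, IMG_TOO_LARGE };

/* Assumed cap on the declared pixel count; a real browser would make this configurable. */
#define MAX_PIXELS (64u * 1024u * 1024u)

/* Copy the host part of an absolute http(s) URL into buf. Returns 0 on success. */
static int url_host(const char *url, char *buf, size_t buflen)
{
    const char *p = strstr(url, "://");
    size_t n;
    if (!p) return -1;
    p += 3;
    n = strcspn(p, "/:?#");            /* host ends at path, port, query or fragment */
    if (n == 0 || n >= buflen) return -1;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return 0;
}

/* Registrable-domain heuristic: the last two labels of the host (assumption; no PSL). */
static const char *base_domain(const char *host)
{
    const char *last = strrchr(host, '.');
    const char *p;
    if (!last) return host;
    for (p = last - 1; p > host; p--)
        if (*p == '.') return p + 1;
    return host;
}

/* 1 if both URLs share a base domain, 0 if not, -1 if a URL cannot be parsed. */
int same_domain(const char *page_url, const char *res_url)
{
    char h1[256], h2[256];
    if (url_host(page_url, h1, sizeof h1) != 0 || url_host(res_url, h2, sizeof h2) != 0)
        return -1;
    return strcmp(base_domain(h1), base_domain(h2)) == 0;
}

/* Policy applied BEFORE a request is sent. With the option on, a bug hosted elsewhere
 * is never fetched, so the tracker sees no IP, referer, user agent or query string. */
int should_request(const char *page_url, const char *res_url, int same_domain_only)
{
    if (!same_domain_only) return 1;
    return same_domain(page_url, res_url) == 1;   /* unparsable URLs are refused too */
}

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Policy applied AFTER the first header bytes arrive: read the declared size of a GIF
 * (16-bit little-endian at offset 6) or PNG (32-bit big-endian in IHDR at offset 16)
 * and refuse zero or overflowing dimensions before any allocation happens. */
int check_image_header(const unsigned char *buf, size_t len, uint32_t *w_out, uint32_t *h_out)
{
    static const unsigned char png_sig[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
    uint32_t w, h;

    if (len >= 6 && (memcmp(buf, "GIF87a", 6) == 0 || memcmp(buf, "GIF89a", 6) == 0)) {
        if (len < 10) return IMG_TRUNCATED;
        w = (uint32_t)buf[6] | ((uint32_t)buf[7] << 8);
        h = (uint32_t)buf[8] | ((uint32_t)buf[9] << 8);
    } else if (len >= 8 && memcmp(buf, png_sig, 8) == 0) {
        if (len < 24 || memcmp(buf + 12, "IHDR", 4) != 0) return IMG_TRUNCATED;
        w = be32(buf + 16);
        h = be32(buf + 20);
    } else {
        return IMG_UNKNOWN;
    }
    if (w == 0 || h == 0) return IMG_ZERO_DIM;
    if (w > MAX_PIXELS / h) return IMG_TOO_LARGE;  /* w*h would overflow or exceed the cap */
    *w_out = w;
    *h_out = h;
    return IMG_OK;
}

/* Verdict only, for callers that do not need the dimensions. */
int image_verdict(const unsigned char *buf, size_t len)
{
    uint32_t w, h;
    return check_image_header(buf, len, &w, &h);
}

/* Constructed sample headers (not real files): 1x1 GIF, 0x0 GIF, 16x16 PNG, and a PNG
 * whose IHDR claims 4294967295 x 4294967295 pixels. */
const unsigned char gif_1x1[10]   = {'G','I','F','8','9','a', 1,0, 1,0};
const unsigned char gif_0x0[10]   = {'G','I','F','8','9','a', 0,0, 0,0};
const unsigned char png_16x16[24] = {0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a, 0,0,0,13,
                                     'I','H','D','R', 0,0,0,16, 0,0,0,16};
const unsigned char png_huge[24]  = {0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a, 0,0,0,13,
                                     'I','H','D','R', 0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff};

int main(void)
{
    const char *page = "http://www.dillo.org/";
    const char *bug  = "http://tracker.example.com/bug.gif?page=dillo.org";
    printf("same-domain only: %s -> %s\n", bug, should_request(page, bug, 1) ? "allowed" : "blocked");
    printf("1x1 GIF verdict %d, 0x0 GIF verdict %d, huge PNG verdict %d\n",
           image_verdict(gif_1x1, 10), image_verdict(gif_0x0, 10), image_verdict(png_huge, 24));
    return 0;
}
```

Note the ordering: the domain check is the only one that actually stops tracking, because the request itself is the leak; the header check protects the decoder, not privacy, and still fires even when the bug is served from the page's own domain.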