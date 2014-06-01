from the just-use-lynx-and-elm dept.
Jake Archibald writes in his blog about the bigger problem presented by importing third-party content into web pages. Even CSS is a problem, as a CSS keylogger demo showed the other day.
A few days ago there was a lot of chatter about a 'keylogger' built in CSS.
Some folks called for browsers to 'fix' it. Some folks dug a bit deeper and saw that it only affected sites built in React-like frameworks, and pointed the finger at React. But the real problem is thinking that third party content is 'safe'.
While most are acutely aware of, yet ignore, the danger presented by third-party JavaScript and JavaScript in general, most forget about CSS. Jake reminds us and walks through quite a few examples of how CSS can be misused by the third parties exporting it.
Source: Third party CSS is not safe
(Score: 1, Informative) by Anonymous Coward on Wednesday February 28, @06:21PM (9 children)
Why should I trust a website in the first place? NoScript applies to the website I am visiting as much as it does to anything it implements from a 3rd party.
(Score: 4, Informative) by RS3 on Wednesday February 28, @06:30PM (8 children)
NoScript doesn't stop 3rd-party css. Here's an example from a dice.com page:
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto+Condensed">
(Score: 3, Interesting) by zocalo on Wednesday February 28, @07:02PM (2 children)
(Score: 3, Informative) by zocalo on Wednesday February 28, @07:15PM (1 child)
* * css allow
to:
* 1st-party css allow
click "Save", then click "Commit".
(Score: 3, Informative) by RamiK on Wednesday February 28, @07:49PM
Just install uMatrix+uBlock instead of NoScript+AdAway and get the same feature-set but with a UI that lets you allow/disallow CSS per-domain or even sub-domain with four clicks of the button.
(Score: 2, Informative) by nitehawk214 on Wednesday February 28, @07:58PM (1 child)
uMatrix does not block 3rd party CSS by default. You can enable it, but it breaks nearly every website.
(Score: 3, Informative) by DannyB on Wednesday February 28, @08:59PM
A fun uMatrix tip.
I've noticed a number of anti-adblocking sites. I go to their page and the site briefly appears, and then is immediately replaced by a fully white background that says
Something interfered with this website loading.
I simply turn off 1st party scripts, refresh, and everything seems good.
In the past, and for years, in some cases I could simply View --> Page Style --> No Style. But no longer.
uMatrix is so much better than AdBlock -- if you are a geek. It gives you a lot finer control. The ability to individually indicate whether to accept cookies, frames, CSS, HTML, media, even XHR from any site that the page attempts to load from.
(Score: 2) by tangomargarine on Wednesday February 28, @08:24PM
RequestPolicy even blocks first-party CSS, so I would think they probably block third as well.
I run AdBlock*+NoScript+RequestPolicy on Pale Moon.
*whatever the generic version for PM is called
(Score: 0) by Anonymous Coward on Wednesday February 28, @08:28PM (1 child)
This is such a non-issue for browser users, there's hardly any point in blocking 3rd-party CSS at the browser level.
This "CSS keylogger" depends on Javascript code running on the page to actually capture any keystrokes -- that script has to assign them to an element attribute so the CSS attribute selector can act upon it. Apparently some "web frameworks" do exactly this with password input elements, thus enabling styles to depend on the user's keystrokes in certain situations. Since styles can request external resources, a malicious stylesheet can make the user's browser reveal which styles were applied.
Sometimes servers send various secrets in attribute values (usually in hidden input elements). A stylesheet could potentially exfiltrate those values in a similar manner, without depending on any Javascript.
(Score: 3, Informative) by DannyB on Wednesday February 28, @09:15PM
It didn't seem to me like any JavaScript was required. Did you see the CSS example in TFA?
Suppose you had a single input field <input type="password"/>
In the example CSS . . .
This CSS, without any JavaScript, would match your input field named "password". It would match only if the value in the password ended in the letter "a". If so, it would fetch a URL ending in "a".
Now duplicate that 3 line snippet, and replicate it for every character you might type as a password. Send this CSS stylesheet to the browser.
Now, as you type each character of your password into the field, the "last character" of the field will match a different style rule, which will trigger loading a different background image from the URL. Now, all background images returned could be a 1x1 pixel transparent PNG. My evil.com server will get the URL hits asking for the transparent image for each character of your password as you type it.
I could further augment this stylesheet to have a similar set of rules, but to slightly different URLs so that I could capture every character you type into the "username" field as well.
I simply log all these URL hits in my database. I sort them by IP address, then by time. I'll notice a number of character hits, from you, grouped together in short time intervals (when you were typing), first in the username field, then in the password field. Poof! I now have your login credentials -- by sending you nothing more than a CSS file!
(Score: 5, Insightful) by Justin Case on Wednesday February 28, @06:33PM (8 children)
Between malice and incompetence, almost everything that uses electricity is getting damn hard to batten down.
Trusty old desktop went belly up this week. Looking for a new one, almost all of them (so far) have built-in wireless that can't be hardware-switch disabled.
A Garmin GPS I bought less than a year ago fried its internal file system. You can't just pop an SD card and replace it with a good backup, because Garmin does not want their shitty proprietary software copied, not even by the legitimate buyer.
Increasingly web sites don't work on any sane defensive configuration.
My bank is requiring me to do things using an app or a website, both of which are impossible to audit much less trust. Same for my health insurance company.
I am increasingly understanding that RMS has been right all along, and about the only option remaining is to go full Amish.
Don't expect government to fix anything. Government gives corporations permission to exist and limited liability.
(Score: 2) by RS3 on Wednesday February 28, @06:46PM
Isn't that nice of them to give you all of that foolproof goodness built right in? I'll lend you a soldering iron. Frankly the antenna chip would be very easy to pry off, if done carefully. An X-acto knife will also fix it.
Time to go bank shopping! A federal credit union might be much better.
(Score: 0) by Anonymous Coward on Wednesday February 28, @06:51PM (2 children)
You just need a handy little tool [uline.com]...
(Score: 3, Funny) by maxwell demon on Wednesday February 28, @07:20PM (1 child)
To cut the wireless wires?
(Score: 2, Funny) by nitehawk214 on Wednesday February 28, @08:07PM
I used a wireless wirecutter to cut the strings of my air guitar.
(Score: 0) by Anonymous Coward on Wednesday February 28, @08:43PM (2 children)
Okay, I'm confused now... why is this a problem?
Put another way, I assume you have never audited the internal systems of their system. Yet you still are willing to go to a branch and deposit money, or rely on direct deposit or something else.
If you are willing to trust a bank to handle things there, why would you not trust them on a website or an app? To be clear, they can be broken... but then the bank is on the hook to fix it and make reparations.
(Score: 3, Informative) by Justin Case on Wednesday February 28, @08:51PM
Because they want to execute their crap code on my hardware, exposing my data including data that has nothing to do with them. They won't be "on the hook" for the damage they cause; they will be oblivious. Like most of their customers.
(Score: 3, Insightful) by lentilla on Wednesday February 28, @09:02PM
The reason this isn't a problem is that when the bank robbers turn up and steal all the cash, they are stealing the bank's cash, and the bank still owes you the money you have loaned to them. Chances are good you'll get your three bucks and fifty-one cents, or whatever happens to be in your account.
For the same reason I don't invite those robbers back to my place for a cuppa and all my cash and goodies. It's simply a matter of exposure. Not to mention banks tend to have security people whose sole job it is to make sure their cash and their systems are secure. Ordinary people can't be expected to be full-time ordinary people and security experts. And even assuming they wanted to: auditing secret software is difficult - by the unlikely chance it's even allowed by the terms of service.
No, the grandparent has good reason to be wary.
(Score: 2) by DannyB on Wednesday February 28, @09:29PM
I've heard about strange things Banks do on the web.
Most likely they are trying to protect ${ you | themselves } from someone pretending to be you when logging in to your account.
They do this in all sorts of ways. Sometimes by using "something you know" that is not a password. Maybe "something you know" like a series of animal pictures. The pictures are presented in random order, but if you click the bird, the squirrel, then the ostrich, you must be the right person. Some other malicious JavaScript on the page won't get anything by key logging. And would have to be specially tailored to know about this picture technique, and discover the random arrangement of the images this time, and which ones you clicked.
Some even use (yuk!) Java Applets -- in an effort to hide their authentication attempt within a different execution environment. Nevermind how bad an idea it was, in hindsight, to ever have allowed any ${ Applets | ActiveX | Flash | Silverlight } that can interact with JavaScript on the page. What could possibly go wrong?
(Score: 2) by RS3 on Wednesday February 28, @06:41PM (3 children)
All of this code-bloating functionality being added to webpages and browsers, and we have to bloat some more with add-ons, extensions, and plugins just to stop all of it. If only someone would make a slimmed-down simplified browser... let's name it, I don't know, maybe something hot and sly. (cough cough)
"disable-HTML" purports to block several things including CSS. Trying it now... seems to work! Here's a link for Chrome-based browsers:
https://chrome.google.com/webstore/detail/disable-html/lfhjgihpknekohffabeddfkmoiklonhm?hl=en-US [google.com]
"uMatrix" also does this, well. I like it, but it's a bit of work to teach it.
(Score: 1, Interesting) by Anonymous Coward on Wednesday February 28, @07:05PM (2 children)
I could have sworn that disabling external fonts was a standard feature in at least one browser. Disabling CSS should be easier. Custom stylesheets might require a plugin.
(Score: 2) by maxwell demon on Wednesday February 28, @07:23PM (1 child)
Indeed, Firefox has an option for it right in its menu (or maybe had? I don't know what changed in the latest versions).
(Score: 0) by Anonymous Coward on Wednesday February 28, @09:27PM
Unfortunately nobody knows how to design webpages anymore. The entire layout breaks down because it's some garbage hammered together in a manner wherein the layout isn't preserved if styles are turned off (properly designed HTML pages of ages past would render correctly because devs didn't assume the web was some magical WYSIWYG thingamabob).
(Score: 2) by bzipitidoo on Wednesday February 28, @06:46PM
Big, supposedly reputable organizations have given me more trouble than petty criminals. Big is what makes them so hard to stop, and they know it. They don't use script kiddie hacks, CSS vulnerabilities, or whatever other trickery to rob you, they do it all nice and legally if not morally. What do you do when your ISP hikes your rates, again? Changes the terms to add new limits with big penalties or fees for exceeding them? You sure can't complain to the police that you're being robbed. So, do without Internet access? Or suck it up?
As for CSS vulnerabilities, simply employing sandboxes seems an easy technical fix. Sure is a lot easier to whip up a sandbox than sue Big.com.
(Score: 5, Interesting) by requerdanos on Wednesday February 28, @06:49PM (3 children)
I am webmaster and/or server admin for several sites. The ones where I have editorial control and decision-making power, I eliminate third-party content as a standard practice.
But some (a wordpress full of plugins, for example) just don't work that way because of the toxic phone-home viewpoint pervasive in the technology industries.
Just as your home automation used to be, years ago (think X10), based on devices you own that do their work in your home, and now are expected to be on devices (think Alexa) you license, who do no work but simply turn everything over to their masters back at the home office, so website features used to be things that you coded into your website, that ran on your server, but now are expected to be simply references to some master back at the home office on a third party server.
In both cases, I think this is the wrong way to go.
Google fonts/analytics? bzzt. I request fonts in css with graceful fallback to sans, serif, mono, etc, and analyze my web logs.
Just insert this iframe ad code? Bzzt. If I want to add a link, I add a link, not an iframe. I am working on writing an ad distribution network where the ads live on the server and are part of the web site that displays them, and are counted by tiny graphic elements within the ad that the user can cheerfully choose to not load, just like the ads themselves which will be clearly delineated with something like <div id="here-be-ads-matey">.
This handy web 2.0, 3.0, 9.0 widget, just add this code to call the javascript code on our servers? Bzzt. This is the wrong approach!
I wish the people that made web pages would adopt this view. It affects everyone who looks at a web page, but the page makers are the group that accept or reject these technologies in a way that makes them successful or not.
If that doesn't happen, then third-party content being unsafe will still be true, but will remain unavoidable. Because it is completely avoidable, that would be a security-hating shame.
(Score: 3, Insightful) by Arik on Wednesday February 28, @07:07PM (1 child)
The only way I can see, at this point, to force any sort of sane web practices would be for browsers to start enforcing sanity and after so many years of bending over backwards in the other direction that doesn't exactly seem likely. As long as they can get away with it, they're going to keep doing it, and what's more bad eventually drives good out of the market in that situation - each year fewer and fewer people will bother to pay for skilled labor to do it right when they see everyone else has gone cheap and gets away with it.
"Unix? These savages aren't even circumcised!"
(Score: 3, Informative) by requerdanos on Wednesday February 28, @07:51PM
Some of our big browser vendors are Microsoft "You Will Be Windows Ten-ilated; resistance is futile" "Meet Cortana!" and Google "Hey Google, how are your analytics looking for my sites and their googlefonts?"
So, yeah, no, not likely-looking.
It's not just apathy among coders. The decision makers are often intelligent people who are really good at what they do (but it isn't IT, it's fixing cars, or practicing law, or doing surgery, or practicing medicine, etc.).
These people, having management skills, hear "That great (tool|technology) you read about isn't a good fit for your site because it requires dependence on third party inclusions." And they say something like "But if you just did what I said, it would work fine, and most people don't care, right? Get to it if you want to keep getting paid."
It's like why people who otherwise wouldn't choose to still run Microsoft operating systems. Their job/executive funding source doesn't want to lead anyone to freedom, they just want to lead their company to income, and technology that doesn't respect anyone or anything is widely accepted to a degree that it's easy to just use it and say "it was industry best practices. I was doing good for my company."
Stallman, who is an admitted nut, is right on this. If you agree, tell him so [fsf.org].
(Score: 2) by stretch611 on Wednesday February 28, @09:49PM
Unfortunately, many web "developers" rely on 3rd party code as a crutch. If they did not use 3rd party content they would have to write the code themselves.
Even the developer of the linked article uses 3rd party content... He has commenting provided by Disqus. (I did not try to look for any, but that was obvious.)
(Score: 2) by Azuma Hazuki on Wednesday February 28, @09:33PM
I *just* a few days ago started teaching myself (X)HTML, CSS 3, and PHP.
Upon learning that it was possible to include CSS (among other things...) from other sites, that set off an immediate red flag, and I resolved to host everything locally if at all possible. It made me think "No, that sounds like the mother of all XSS vulns..." Glad to see this intuition isn't misplaced; seems my constant paranoia is actually useful in the world of computing!
I am "that girl" your mother warned you about...
(Score: 2) by Freeman on Wednesday February 28, @09:47PM
Third-party content is inherently unsafe, because you're not in control of the content. Though, pretty much the *Internet* is unsafe and should be treated like it has Ebola when interacting with it. That being said, I was a little curious as to how someone made a keylogger using CSS. To which the answer is, they didn't. They just passed the React keylogger in using CSS. Bottom line, if it's not hosted on your site, you can't rely on it.
"I said in my haste, All men are liars." Psalm 116:11