This topic has been closed. No new entries allowed.
Reason: Non-descriptive title, poor description
History Detection
What about this? http://w2spconf.com/2010/papers/p26.pdf
This bug will be fixed? Yes or no?
pls reread the document you have linked - at least once
Originally posted by bleicher:
you definitely don't understand what it's about - it's not a bug and it can not/may not be fixed, the most you can use are private-tabs.
pls reread the document you have linked - at least once
He doesn't (probably) read these links. Here are all three of his topics: http://my.opera.com/community/forums/search.dml?username=Glu0nix&exactusername=Y&datemodifier=newer&limitdate=any&sortby=post&disp=post&ignorememberships=1. Oh! I've found a
. Bad Opera! What about this?
Originally posted by Glu0nix:
History Detection
What about this?
Stop being so paranoid.
Be helpful to the shyman, and be wary of the slyman.
Be guidance to the blindman, and be thankful to the kindman.
ʎzzıp ʇǝƃ llıʍ noʎ ʇıq sıɥʇ pɐǝɹ ʇ,uop
Originally posted by Kropotkin2:
(...) It's definitely a bug and it can be fixed.
No, it's not a bug. Read here: http://en.wikipedia.org/wiki/Software_bug.
Originally posted by http://en.wikipedia.org/wiki/Software_bug:
A software bug is the common term used to describe an error, flaw, mistake, failure, or fault in a computer program or system that produces an incorrect or unexpected result, or causes it to behave in unintended ways.
It produces correct, expected and intended result, so again: it's not a bug.
24. May 2010, 13:35:26 (edited)
No, it's not a bug. Read here: http://en.wikipedia.org/wiki/Software_bug.
Yes, it is a bug. Read here (the guy is Internet Explorer's Program Manager):
http://blogs.msdn.com/ieinternals/archive/2009/06/17/CSSHistoryProbing.aspx
Also, look here:
http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/
Even Firefox developers acknowledge this bug. It is a bug. It can be fixed. Firefox is fixing it, but not completely.
It produces correct, expected and intended result, so again: it's not a bug.
From wiki: "an incorrect or unexpected result, or causes it to behave in unintended ways". So it is either incorrect result, unexpected result or unintended behaviour. We have an unintended behaviour here and unexpected results. So it is a bug.
Originally posted by Kropotkin2:
From wiki: "an incorrect or unexpected result, or causes it to behave in unintended ways". So it is either incorrect result, unexpected result or unintended behaviour. We have an unintended behaviour here and unexpected results. So it is a bug.
OK. I agree that it's an unintended behaviour that it can be exploited (
). The main reason I write in this topic is that when I read:
History Detection
What about this?
http://w2spconf.com/2010/papers/p26.pdf
This bug will be fixed? Yes or no?
it sounds to me like the author was terrified and stopped browsing the Internet because somebody can see his history. The problem is it behaves like that in all (?) browsers, and it was so for a long time. There's no need to panic.
//
Besides that, the author could at least summarize the study in the linked .pdf file with one or two sentences. <<What about "this">> says nothing about the problem.
Originally posted by Saskatchewan:
it sounds to me like the author was terrified and stopped browsing the Internet because somebody can see his history. The problem is it behaves like that in all (?) browsers, and it was so for a long time. There's no need to panic.
I do not use other browsers. I like Opera. I therefore security is exactly the Opera.
Originally posted by Kropotkin2:
Yes, it is a bug. Read here (the guy is Internet Explorer's Program Manager):
http://blogs.msdn.com/ieinternals/archive/2009/06/17/CSSHistoryProbing.aspx
Also, look here:
http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/
Even Firefox developers acknowledge this bug. It is a bug. It can be fixed. Firefox is fixing it, but not completely.
I just finished reading those and none of them use the word "bug". They use:
- Microsoft: "design vulnerability", "information leak";
- Mozilla: "privacy leak", "history attacks", "pretty old problem".
Some interesting quotes:
Originally posted by Microsoft:
In this case, the design of CSS contains a pretty straightforward vulnerability which allows for detection of which links have been visited and which have not.
The architects of CSS clearly had the best of intentions, as highlighting visited links can help users more easily navigate a site. Unfortunately, this useful feature had some unexpected consequences when exposed to clever web developers in the real world.
So as from above: Opera behaves normally by marking sites with ":visited" CSS pseudo-class.
Originally posted by Mozilla:
Originally specified as a useful feature for the Web, visited link styling has been part of the web for… well, forever. So this is a pretty old problem, and resurfaces every once in a while to generate more paranoid netizens.
-
I agree that Opera Software should take some action to prevent the possibility of exploiting this "design vulnerability". You can think of the problem as a bug or whichever word you use - that just doesn't really matter so much.
That's it from me.
25. May 2010, 12:26:52 (edited)
I just finished reading those and none of them use the word "bug". They use:
- Microsoft: "design vulnerability", "information leak";
- Mozilla: "privacy leak", "history attacks", "pretty old problem".
However, that doesn't mean it's not a bug. They use expressions like "The architects of CSS clearly had the best of intentions", "this useful feature had some unexpected consequences" and "bridge the gap between our users’ expectations of privacy and what actually happens on the web" that fit the bug definition. I think they don't use "bug" for the same reason governments use "insurgents" instead of "terrorists". That is, they know it's a bug and they don't want to do much about it. And labelling concerned users "paranoiacs" isn't gonna help this cause.
It's also on Bugzilla (the name speaks for itself):
https://bugzilla.mozilla.org/show_bug.cgi?id=147777
If a person can use a clock to fire a bomb, that does not mean that every single clock-maker in the market should change how clocks work. Nor that clocks are "unsecure" because they can be used to fire a bomb.
Developers do not need to fix anything, as this is not a bug. It is the expected behavior based on what the specs say.
It is an unexpected behaviour because users do not expect it. The developers of browsers say it themselves. Therefore, it is a bug. Moreover, some browsers, for example Firefox, are trying to fix it. Yes, Opera does not need to fix anything, if it wants to stay insecure.
If you are so paranoid, use a user-css, override the styles so all the links states look the same (hover, visited, etc) and you are done.
That's so nice. Maybe I should use a packet sender to get and post raw html and read it? Why, developers do not need to fix anything. If there is some vulnerability, leak or problem it's my fault that I am being exploited. I should only use browser if I don't care about privacy or viruses, because nothing needs to be fixed. And for everything else there is a packet sender.
If a person can use a clock to fire a bomb, that does not mean that every single clock-maker in the market should change how clocks work. Nor that clocks are "unsecure" because they can be used to fire a bomb.
That is an incorrect analogy. If a clock is buggy - that is, it shows wrong time - no terrorist would ever use it to make a bomb.
Originally posted by Kropotkin2:
That is an incorrect analogy. If a clock is buggy - that is, it shows wrong time - no terrorist would ever use it to make a bomb.
so you want Opera to function WRONG so it can't be abused? Dude - try to cut some of your heads off - it is THE most secure way to avoid security problems.
how do you expect it to be fixed? completely ignore :visited styling? make it inaccessible by JS?
if you have any idea how one can not be blind and not see own nose - tell me, I am all ears.
what exactly do you want to be done?
Originally posted by bleicher:
how do you expect it to be fixed? completely ignore :visited styling? make it inaccessible by JS?
any other propositions?
anything but "fix it or I'm gonna be upset"?
:visited is an important navigation feature for many sites, you could request it to be optional (e.g.) or forbid cross-domain access to css/history-properties, but all you did was just crying around and making random accusations. don't bring your private-life problem here, this is technical forum part, you still can cry about your mean teacher in the flood-forums.
Originally posted by Kropotkin2:
That's so nice. Maybe I should use a packet sender to get and post raw html and read it? Why, developers do not need to fix anything. If there is some vulnerability, leak or problem it's my fault that I am being exploited. I should only use browser if I don't care about privacy or viruses, because nothing needs to be fixed. And for everything else there is a packet sender.
Well, you could fix it easily TODAY or you could wait. Has anyone submitted this as a bug?
how do you expect it to be fixed? completely ignore :visited styling? make it inaccessible by JS?
if you have any idea how one can not be blind and not see own nose - tell me, I am all ears.
I propose to make an option to highlight visited links in such a way that is no part of CSS or DOM so that web developers do not have access to it. At the same time, the usual :visited could stay too. So anyone would be able to choose what highlighting they want or both at the same time. I don't see a reason why this can't be implemented.
Well, you could fix it easily TODAY or you could wait. Has anyone submitted this as a bug?
I think this bug must have been submitted countless times. It's 10 years old already.
Originally posted by Kropotkin2:
I propose to make an option to highlight visited links in such a way that is no part of CSS or DOM so that web developers do not have access to it. At the same time, the usual :visited could stay too. So anyone would be able to choose what highlighting they want or both at the same time. I don't see a reason why this can't be implemented.
so basically forbid access to this property for JS? does not seem unreasonable at first at least
should be optional (on by default) though - forbidding it in general could probably create some accessibility problems for on-screen readers etc.
so basically forbid access to this property for JS? does not seem unreasonable at first at least
No. Not just JS, one must make a new object which is outside of CSS or DOM. Because this bug works even with JS off. See this for example:
http://ha.ckers.org/weird/CSS-history.cgi
Originally posted by Kropotkin2:
No. Not just JS, one must make a new object which is outside of CSS or DOM. Because this bug works even with JS off.
No need to do such a thing. Just blocking/not allowing CSS styling which uses external files (e.g. background: url('file.xxx')) should be enough, I think.
Example of a website:
<a href="google.com">Google</a>
<style type="text/css">
a:visited {
background-image:url('google.com.jpg');
}
</style>
When the author of the above "site" sees that you requested the "google.com.jpg" file, he knows that you visited Google in the past. By not allowing such styling it won't be possible to see if you visited it (you'll never request the "google.com.jpg" file).
Behaviour of JS getComputedStyle function should also be changed of course.
No need to do such a thing. Just blocking/not allowing CSS styling which uses external files (e.g. background: url('file.xxx')) should be enough, I think.
Yeah, but there's no guarantee that there aren't other similar hacks out there. You can either hope that there aren't and close them one by one if they resurface, or you can solve the problem once and for all. That's just my opinion, though.
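
The mitigation proposed in the last posts (not allowing `:visited` rules to load external files), as an added example that is not part of any post in this thread and not any browser's actual code: a text-level filter that drops resource-loading declarations from `:visited` selectors while leaving selectors that share the rule untouched. The names `sanitizeVisited`, `splitDeclarations`, `LOADS_RESOURCE` and the sample stylesheet are constructed for illustration; it covers only the resource-request channel, not `getComputedStyle`.

```javascript
// Added example: text-level sketch of "no external files in :visited rules".
// Assumes no braces inside strings and no commas inside selector functions.
const LOADS_RESOURCE = /url\(|image-set\(/i;

// Split on ';' outside (...) and quotes, so url(data:image/png;base64,...)
// stays in one declaration.
function splitDeclarations(block) {
  const out = [];
  let depth = 0, quote = null, cur = "";
  for (const ch of block) {
    if (quote) { if (ch === quote) quote = null; }
    else if (ch === '"' || ch === "'") quote = ch;
    else if (ch === "(") depth++;
    else if (ch === ")") depth = Math.max(0, depth - 1);
    if (ch === ";" && depth === 0 && !quote) { out.push(cur); cur = ""; }
    else cur += ch;
  }
  out.push(cur);
  return out.map(d => d.trim()).filter(Boolean);
}

function sanitizeVisited(css) {
  const removed = [];
  const fmt = (sel, ds) =>
    sel.length && ds.length ? `${sel.join(", ")} { ${ds.join("; ")} }` : "";
  const cleaned = css
    .replace(/\/\*[\s\S]*?\*\//g, "") // strip comments before matching rules
    .replace(/([^{};]+)\{([^{}]*)\}/g, (rule, selectorList, block) => {
      const selectors = selectorList.split(",").map(s => s.trim());
      const visited = selectors.filter(s => /:visited/i.test(s));
      if (visited.length === 0) return rule; // not a :visited rule
      const others = selectors.filter(s => !/:visited/i.test(s));
      const decls = splitDeclarations(block);
      const safe = decls.filter(d => !LOADS_RESOURCE.test(d));
      for (const d of decls.filter(d => LOADS_RESOURCE.test(d)))
        removed.push({ selector: visited.join(", "), declaration: d });
      // Selectors sharing the rule (e.g. a:link) keep the full block.
      const parts = [fmt(others, decls), fmt(visited, safe)].filter(Boolean);
      return selectorList.match(/^\s*/)[0] + parts.join("\n");
    });
  return { css: cleaned, removed };
}

// Constructed sample, modelled on the snippet posted in the thread.
const SAMPLE = `
a:link, a:visited { background-image: url('google.com.jpg'); color: purple }
a:visited { list-style: url(data:image/png;base64,AAAA) }
p { background: url('logo.png') }
`;
console.log(sanitizeVisited(SAMPLE));
```
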