Bug#417796: mozilla-browser: possible information exposure

2007-04-06 Thread Caspar Bothmer


Alexander Sack - Debian Bugmail wrote:
|>tag 417796 wontfix
|>thanks
| I would even say this isn't a bug at all.

I disagree.


| You can do much more things
| with javascript.

For sure, but that is a different technique.  Only because you can use
one technique on a web page doesn't affect usage of another technique.
I can use java or flash to gather information.  It's still information
exposure via CSS.


caspar


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Bug#417796: mozilla-browser: possible information exposure

2007-04-06 Thread Alexander Sack - Debian Bugmail
On Fri, Apr 06, 2007 at 07:57:23AM +0200, Mike Hommey wrote:
> tag 417796 wontfix
> thanks

I would even say this isn't a bug at all. You can do much more things
with javascript. So if the web-app provider wants to know how you
behave on his website, he can certainly gather and transmit that info.

 - Alexander

 p.s. please take care that the bug is listed as To: or CC: when 
  replying to this mail (e.g. /reply-all/). 
-- 
 GPG messages preferred.   |  .''`.  ** Debian GNU/Linux **
 Alexander Sack| : :' :  The  universal
 [EMAIL PROTECTED]   | `. `'  Operating System
 http://www.asoftsite.org  |   `-http://www.debian.org/





Bug#417796: mozilla-browser: possible information exposure

2007-04-06 Thread Caspar Bothmer


Mike Hommey wrote:
| OMFFSM, when I click on a link, that is logged on a remote server !
| That's my privacy being violated !

That's two different things, don't you think?

If I click on a link, I use that link as it is meant to be, to get
further information from that remote server and tell that server to give
this information to me.

If I move my mouse over a page I retrieved from the remote server I do
not expect this to send anything to the remote server while doing so.

I agree with you that in most occasions there is no intent to abuse
this.  But that's the same with all other techniques used on the net,
isn't it?


| Do you realize your claim sounds pretty ridiculous ?

I am aware that the impact is not as problematic as other leaks, that's
why I didn't set severity to a higher level.  I am also aware that some
might not see the problem, which doesn't falsify the claim itself.

BTW: could you explain OMFFSM, please?


caspar





Bug#417796: mozilla-browser: possible information exposure

2007-04-05 Thread Mike Hommey
tag 417796 wontfix
thanks

On Wed, Apr 04, 2007 at 05:35:44PM +0200, Caspar Bothmer <[EMAIL PROTECTED]> 
wrote:
> Package: mozilla-browser
> Version: 2:1.7.8-1sarge10
> Severity: important
> 
> It is possible to get information about the users' behaviour using css.
> I best show it by example:
> 
> 
>  
>   
>#24678:hover
>{
>  background-image:url("24678.png")
>}
>#22578:hover
>{
> background-image:url("22578.png")
>}
>   
>  
>  
>   item 1
>   item 2
>  
> 
> 
> The first time you move the mouse over the marked element, the browser 
> tries to load and display the image in background.  This will be logged 
> on the remote server.
> 
> There is no need for javascript to be active.

OMFFSM, when I click on a link, that is logged on a remote server !
That's my privacy being violated !

Do you realize your claim sounds pretty ridiculous ?

Mike






Bug#417796: mozilla-browser: possible information exposure

2007-04-04 Thread Caspar Bothmer

Package: mozilla-browser
Version: 2:1.7.8-1sarge10
Severity: important

It is possible to get information about the users' behaviour using css.
I best show it by example:


 
  
   #24678:hover
   {
     background-image:url("24678.png")
   }
   #22578:hover
   {
     background-image:url("22578.png")
   }
  
 
 
  item 1
  item 2
 


The first time you move the mouse over the marked element, the browser 
tries to load and display the image in background.  This will be logged 
on the remote server.


There is no need for javascript to be active.

To stop this behaviour one can block images from a given server, but 
that isn't a viable option.


A possible solution would be to get all content at once and keep it in 
cache to display it on demand.


I don't know if newer versions of mozilla/iceape are affected by this.

I set this bug report to important as this issue should be fixed easily.


caspar
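
Added example (not part of the original thread and not Mozilla or Debian code): a small JavaScript audit helper that lists stylesheet rules which fetch a resource only when the user interacts with an element, the pattern shown in the report. It goes beyond the :hover case discussed here by also covering :active and :focus; the function name, the sample stylesheet and the hosts shop.example and stats.example are constructed for illustration.

```javascript
// Added example: flag CSS rules whose url() is requested only on user
// interaction, so each request tells the server what the user did.
const INTERACTION = /:(hover|active|focus-within|focus-visible|focus)\b/i;

// Returns one finding per url() inside a rule whose selector carries an
// interaction pseudo-class. baseUrl is the address the stylesheet was served from.
function findInteractionFetches(cssText, baseUrl) {
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, "");  // drop comments
  const rule = /([^{}]+)\{([^{}]*)\}/g;  // innermost blocks, so @media bodies are covered
  const findings = [];
  for (const [, selectorList, body] of css.matchAll(rule)) {
    const selectors = selectorList.split(",").map(s => s.trim())
      .filter(s => INTERACTION.test(s));
    if (selectors.length === 0) continue;
    for (const [, , raw] of body.matchAll(/url\(\s*(["']?)(.*?)\1\s*\)/gi)) {
      if (/^data:/i.test(raw)) continue;  // inline data: no request leaves the browser
      const resolved = new URL(raw, baseUrl);
      for (const selector of selectors) {
        findings.push({
          selector,
          trigger: selector.match(INTERACTION)[1].toLowerCase(),
          url: resolved.href,
          thirdParty: resolved.origin !== new URL(baseUrl).origin,
        });
      }
    }
  }
  return findings;
}

// Constructed sample; the first two rules are the ones quoted in the report.
const PAGE_URL = "https://shop.example/catalog/";
const SAMPLE_CSS = `
#24678:hover { background-image:url("24678.png") }
#22578:hover { background-image:url("22578.png") }
a:hover { color: red }
.logo { background: url(logo.png) }
@media screen {
  li.item:active, li.item { background: url('https://stats.example/a.gif') }
}
button:focus { background: url(data:image/gif;base64,R0lGODlhAQABAAAAACw=) }
`;

console.log(findInteractionFetches(SAMPLE_CSS, PAGE_URL));
```

Rules without a url(), rules without an interaction pseudo-class, and data: URIs are not reported, since none of them causes a request at the moment of interaction.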

