
HTML disguised as JPEG


Franc Zabkar

Sep 14, 2005, 6:21:39 PM
How can I prevent Opera from automatically executing the code in a
HTML file which has been renamed as a JPEG? How can I pass such a URL
to Opera so that it gives me the option of saving the file?

For example, the following URL was recently posted to aus.jokes. It is
really a HTML file containing Javascript:

http://www dot cotedeporc dot org/boby/pic458.jpg

Don't visit the site if you are offended by rude cartoons.

-- Franc Zabkar

Please remove one 'i' from my address when replying by email.

Spartanicus

Sep 14, 2005, 7:13:52 PM
Franc Zabkar <fza...@iinternode.on.net> wrote:

>How can I prevent Opera from automatically executing the code in a
>HTML file which has been renamed as a JPEG? How can I pass such a URL
>to Opera so that it gives me the option of saving the file?
>
>For example, the following URL was recently posted to aus.jokes. It is
>really a HTML file containing Javascript:
>
> http://www dot cotedeporc dot org/boby/pic458.jpg

You can't. Filenames and/or extensions are and should be irrelevant to a
web browser, what matters to a web browser is the content-type http
header, and in this case it says text/html, thus Opera is correct to
open it as such.

--
Spartanicus

Franc Zabkar

Sep 15, 2005, 3:17:31 AM
On Thu, 15 Sep 2005 00:13:52 +0100, Spartanicus
<inv...@invalid.invalid> put finger to keyboard and composed:

IMHO this poses a potential security threat. I would think a sensible
approach by the browser would be to warn the user against opening
these suspicious files and to present him/her with the option of not
doing so.

Rijk van Geijtenbeek

Sep 15, 2005, 3:45:49 AM

If you think HTML files are potentially harmful, you better not use your
browser anymore. If you think JavaScript can't be trusted, disable it
(F12). There is nothing suspicious about a server sending text/html to the
browser, using a random file name. Many server systems send HTML files
with extensions like .jsp, .cgi, .php, .asp, .dll, .exe and those will all
be treated as HTML (and so are harmless).

--
Get Opera 8 now! Speed, Security and Simplicity.
http://my.opera.com/Rijk/affiliate/

Rijk van Geijtenbeek
Opera Software ASA, Documentation & QA
Tweak: http://my.opera.com/Rijk/journal

Matthew Winn

Sep 15, 2005, 4:02:33 AM
On Thu, 15 Sep 2005 17:17:31 +1000, Franc Zabkar <fza...@iinternode.on.net> wrote:
> On Thu, 15 Sep 2005 00:13:52 +0100, Spartanicus
> <inv...@invalid.invalid> put finger to keyboard and composed:
> >
> >You can't. Filenames and/or extensions are and should be irrelevant to a
> >web browser, what matters to a web browser is the content-type http
> >header, and in this case it says text/html, thus Opera is correct to
> >open it as such.
>
> IMHO this poses a potential security threat. I would think a sensible
> approach by the browser would be to warn the user against opening
> these suspicious files and to present him/her with the option of not
> doing so.

It's not a potential security threat. As far as the web is concerned
the extension of a file is meaningless. If you're reading something
into it, don't. An extension may or may not have a meaning to the
server, and it may or may not have a meaning on your computer, but
those are two different machines and the meaning on each may well be
different. That's why the content-type header exists: because the
filename can't be relied upon as a source of file type information.

The first thing every PC user needs to learn about the internet is
that the familiar "extension determines the file type" rule of Windows
IS NOT UNIVERSALLY TRUE. On Unix, for example, extensions do almost
nothing: I can rename a Perl program to "something.html" and Unix will
still invoke Perl to execute it because the system only cares what the
file contains, not what it's called. Forget all about extensions.
They don't apply here.

If you try to save a "misnamed" file you'll find that Opera renames it
to give it an extension that reflects the filename conventions of your
own system, so that when you come to reopen it as a file it'll be
interpreted as the type of data it actually is. In this way Opera
protects you, because the extension doesn't become an issue unless you
save the file and then try to open it from Windows.

--
Matthew Winn
[If replying by email remove the "r" from "urk"]

Roger Johansson

Sep 15, 2005, 5:54:46 AM

Matthew Winn wrote:

> > >You can't. Filenames and/or extensions are and should be irrelevant to a
> > >web browser, what matters to a web browser is the content-type http
> > >header, and in this case it says text/html, thus Opera is correct to
> > >open it as such.

> It's not a potential security threat. As far as the web is concerned
> the extension of a file is meaningless. If you're reading something
> into it, don't. An extension may or may not have a meaning to the
> server, and it may or may not have a meaning on your computer, but
> those are two different machines and the meaning on each may well be
> different. That's why the content-type header exists: because the
> filename can't be relied upon as a source of file type information.

Before I click or right-click on a link I often hover over it to see
in the tool-tip what it is, if it is the file I want or just another
html page, if I can right-click and do a quick save or if I have to
go to the target page.

The information I got reading this thread makes a lot of this
meaningless. The tool-tip will not tell me what the target is.
I would need a tool-tip which tells me the content-type header of
the target in addition to the filename I see now.

I was very disturbed a few years ago when I heard that MS-IE sometimes
executes a jpg picture instead of showing it as a picture.

It disturbs me even more now to understand that this is how Opera
is doing it too, and that it is the normal way it is working.

This means that my file manager program, now showing me only the file
name should also show me the content type header.

When I upload a file to a web site, the content type header is what
decides what will happen on somebody else's computer when he executes
that jpg file, or text file. Because that's what our browser programs
are doing, executing files, no matter what extensions the files have.

How can I read the content type header of a certain file in Opera?
Before I open/execute it.


--
Roger J.

Rijk van Geijtenbeek

Sep 15, 2005, 6:46:35 AM
On Thu, 15 Sep 2005 11:54:46 +0200, Roger Johansson wrote:

>
> Matthew Winn wrote:
>
>> > >You can't. Filenames and/or extensions are and should be irrelevant
>> to a
>> > >web browser, what matters to a web browser is the content-type http
>> > >header, and in this case it says text/html, thus Opera is correct to
>> > >open it as such.
>
>> It's not a potential security threat. As far as the web is concerned
>> the extension of a file is meaningless. If you're reading something
>> into it, don't. An extension may or may not have a meaning to the
>> server, and it may or may not have a meaning on your computer, but
>> those are two different machines and the meaning on each may well be
>> different. That's why the content-type header exists: because the
>> filename can't be relied upon as a source of file type information.
>
> Before I click or right-click on a link I often hover over it to see
> in the tool-tip what it is, if it is the file I want or just another
> html page, if I can right-click and do a quick save or if I have to
> go to the target page.
>
> The information I got reading this thread makes a lot of this
> meaningless. The tool-tip will not tell me what the target is.
> I would need a tool-tip which tells me the content-type header of
> the target in addition to the filename I see now.
>
> I was very disturbed a few years ago when I heard that MS-IE sometimes
> executes a jpg picture instead of showing it as a picture.

What do you mean with 'execute'? Opera can only display and render stuff,
it doesn't 'execute' anything. There are no security consequences when
HTML, JPEG or GIF get mixed up due to misleading extensions. And if
something with a 'save' file extension like 'jpg' gets sent with a content
type header that says 'this is an executable program', Opera will open a
download dialog with a honking big warning sign on it. You then have the
choice to save it, or open it directly.

> It disturbs me even more now to understand that this is how Opera
> is doing it too, and that it is the normal way it is working.
>
> This means that my file manager program, now showing me only the file
> name should also show me the content type header.

Where does the file manager come in? As noted, Opera will make sure on
saving to disk that the extension does match the local convention for the
content type indicated by the http header. That's the security Opera
offers.

> When I upload a file to a web site, the content type header is what
> decides what will happen on somebody else's computer when he executes
> that jpg file, or text file. Because that's what our browser programs
> are doing, executing files, no matter what extensions the files have.

There is a big difference between executing and rendering in the browser.
Please don't confuse the two. And most servers are configured to send the
right content type for files with the common known file extensions, so
there is little room for confusion there.

> How can I read the content type header of a certain file in Opera?
> Before I open/execute it.

You can't before clicking. If it is something executable (a program) or
something Opera can't render, you will get a download dialog that includes
info on the content type.

Matthew Winn

Sep 15, 2005, 6:59:19 AM
On 15 Sep 2005 02:54:46 -0700, Roger Johansson <roge...@gmail.com> wrote:
> Before I click or right-click on a link I often hover over it to see
> in the tool-tip what it is, if it is the file I want or just another
> html page, if I can rightclick and do a quick save or if I have to
> go to the target page.
>
> The information I got reading this thread makes a lot of this
> meaningless. The tool-tip will not tell me what the target is.
> I would need a tool-tip which tells me the content-type header of
> the target in addition to the filename I see now.
>
> I was very disturbed a few years ago when I heard that MS-IE sometimes
> executes a jpg picture instead of showing it as a picture.

That was a bug in IE, precisely BECAUSE it relied on the extension
instead of always using the content-type. The sort of problem that
occurred was that a server would send a file with an extension like
".exe" but use the content-type to tell IE it was something else.
IE would save the file under its original name (whatever.exe). If the
poor user then tried to open the file Windows -- not having access
to the content-type -- would use the extension to try to decide how
to open the file. At best it would throw an error message. At worst
it could kill the system.

> It disturbs me even more now to understand that this is how Opera
> is doing it too, and that it is the normal way it is working.

Then you'd better stay off the internet, because that's the only way
it _can_ work.

As I said before: forget you ever heard of the idea that the extension
of a filename is used to determine the file type. It's rubbish. Some
resources on the internet don't even _have_ filenames, and others --
CGI programs, for example -- send content that has nothing to do with
the type of the file itself. People who cling to the mistaken notion
that the name of a file or a resource tells them something about its
contents will NEVER understand the issues of risk and safety that are
involved here.

It's not just a matter of differences between systems. Even on one
system you can't fully trust extensions. There's only a limited
number of meaningful extensions to go round and there's a huge amount
of duplication. Opera, for instance, uses ".adr" for its bookmark
files, but it's not the only product that uses ".adr" for files. As
for ".art", there are half a dozen products using that extension and
none of them are compatible. How could a browser know what to do with
a ".adr" or ".art" file without additional information to tell it what
the data represents? That's why a safe and secure web browser ignores
the extension of a file and relies on the content-type.

> This means that my file manager program, now showing me only the file
> name should also show me the content type header.

It can't, because the content-type is part of the dialogue between
the server and the browser. Opera does the right thing: it uses that
dialogue to find out the real type of the file, and then it saves it
to your hard disk with a name that matches that type for your system.
So, for example, if a CGI program named "showimage.pl" sends back data
with a content-type of "image/jpeg" Opera won't save the data as a
".pl" file because that wouldn't make sense. It'll rename it to give
it a ".jpg" extension so when you try to open that file in Windows
Windows will know what to do with it.

> How can I read the content type header of a certain file in Opera?
> Before I open/execute it.

You can't find the content-type of a file without sending a request to
the server, so unless the site author has been kind enough to put the
relevant information in a title attribute on a link you can't find out
the true type of a resource merely by hovering over the link.
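Matthew describes above how a download gets its saved filename from the Content-Type the server sent rather than from the name in the URL. The Python below is an added illustration of that rule written for this page; it is not Opera's code and not from anyone in this thread. The type-to-extension table is a constructed subset (a browser carries a far larger one) and the example.invalid URLs are made up.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed lookup table for this example: the extension a Windows-style
# desktop expects for a handful of common media types. Only types the thread
# mentions are listed; anything else is treated as "unknown type".
EXTENSION_FOR_TYPE = {
    "image/jpeg": ".jpg",
    "image/gif": ".gif",
    "image/png": ".png",
    "text/html": ".html",
    "text/plain": ".txt",
    "application/pdf": ".pdf",
}


def media_type(content_type_header):
    """Return the bare media type from a Content-Type value, lower-cased, with
    any parameters (charset=..., boundary=...) stripped off."""
    return content_type_header.split(";", 1)[0].strip().lower()


def safe_download_name(url, content_type_header):
    """Choose the filename a download should be saved under.

    The stem comes from the URL path, but the extension comes only from the
    Content-Type actually served: "showimage.pl" served as image/jpeg lands on
    disk as "showimage.jpg", "pic458.jpg" served as text/html lands as
    "pic458.html", and "whatever.exe" served as text/plain lands as
    "whatever.txt". Returns (filename, extension_trusted). extension_trusted
    is False when the media type is not in the table and the URL's own name
    had to be kept, which is exactly the case a download dialog should warn
    about rather than silently open.
    """
    mtype = media_type(content_type_header)
    # basename() discards any directory part, so a server cannot steer the
    # file outside the download folder through the URL path.
    base = posixpath.basename(urlsplit(url).path) or "download"
    stem, _url_ext = posixpath.splitext(base)
    expected_ext = EXTENSION_FOR_TYPE.get(mtype)
    if expected_ext is None:
        return base, False
    return stem + expected_ext, True


if __name__ == "__main__":
    # Constructed cases, including the ones the thread discusses.
    cases = [
        ("http://example.invalid/cgi-bin/showimage.pl", "image/jpeg"),
        ("http://example.invalid/boby/pic458.jpg", "text/html; charset=iso-8859-1"),
        ("http://example.invalid/whatever.exe", "text/plain"),
        ("http://example.invalid/setup.exe", "application/x-msdownload"),
    ]
    for url, ctype in cases:
        name, trusted = safe_download_name(url, ctype)
        print(f"{url:50} {ctype:30} -> {name} (extension trusted: {trusted})")
```

The fourth case is the one Rijk describes: a type the table does not know is kept under its URL name but flagged, so the caller can put up the download dialog instead of opening anything.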

Jorgen Grahn

Sep 17, 2005, 4:29:48 AM
On Thu, 15 Sep 2005 10:59:19 +0000 (UTC), Matthew Winn <o*@matthewwinn.me.urk> wrote:
> On 15 Sep 2005 02:54:46 -0700, Roger Johansson <roge...@gmail.com> wrote:
...

>> How can I read the content type header of a certain file in Opera?
>> Before I open/execute it.
>
> You can't find the content-type of a file without sending a request to
> the server, so unless the site author has been kind enough to put the
> relevant information in a title attribute on a link you can't find out
> the true type of a resource merely by hovering over the link.

But maybe it would be worthwhile for a browser to send that request, or have
it in the right-mouse-button menu as "Link info"?

There is the HTTP HEAD command for doing this without downloading the whole
document, if I recall correctly. Plus, you get to know things like document
size, last-modified time and so on.

I'm not a Windows person, so the foo.jpg effect is nothing I worry about.
Still, I would find this useful. Seeing more HTTP metadata in general would
be useful, sometimes.

[Followup set to opera.wishlist.]

/Jorgen

--
// Jorgen Grahn <jgrahn@ Ph'nglui mglw'nafh Cthulhu
\X/ algonet.se> R'lyeh wgah'nagl fhtagn!

me

Sep 18, 2005, 4:13:22 PM

You are absolutely correct.

Although other posters are "technically" correct in their statement that
the content-type header should be the definitive source of document
type information, this is an unhelpful irrelevance.

The fact is that, in this case, a user can be suckered into clicking on a
link where the behaviour of the browser after clicking is completely
unknown, undefined and unknowable by the user in advance.

It's all very well to opine that this isn't Opera's problem, but IMO, this
attitude is wrong. Most other browsers that correctly interpret
content-type will suffer from the same issue: this is not an
excuse that lets Opera wash its hands of the problem. (IE, until recently,
had an entirely different and entirely braindead mechanism for content
discovery)

Whilst it's correct to say that any extension can house any resource,
common extensions such as .jpg, .gif etc. come with an expectation of
certain behaviour. To suggest that the user has to be sufficiently aware
of the technicalities and constantly acting as a psychic firewall is an
abdication of responsibility.

In the same way that the user can associate external programs with certain
mime types, Opera should allow the user to associate certain *internal*
behaviours with certain extensions, "safe" behaviours being defined by
default.

Good catch, Frank.

me

Sep 18, 2005, 4:15:59 PM
[snip]

> certain extensions, "safe" behaviours being defined by
> default.
>
> Good catch, Frank.
>

Oops, I mean "Franc". My apologies.

Rijk van Geijtenbeek

Sep 18, 2005, 6:47:44 PM
On Sun, 18 Sep 2005 22:13:22 +0200, me wrote:

..


> Although other posters are "technically" correct in their statement that
> the content-type header should be the definitive source of document
> type information, this is an unhelpful irrelevance.

No, it isn't.

> The fact is that, in this case, a user can be suckered into clicking on a
> link where the behaviour of the browser after clicking is completely
> unknown, undefined and unknowable by the user in advance.
>
> It's all very well to opine that this isn't Opera's problem, but IMO, this
> attitude is wrong. Most other browsers that correctly interpret
> content-type will suffer from the same issue: this is not an
> excuse that lets Opera wash its hands of the problem. (IE, until
> recently, had an entirely different and entirely braindead mechanism for
> content
> discovery)
>
> Whilst it's correct to say that any extension can house any resource,
> common extensions such as .jpg, .gif etc. come with an expectation of
> certain behaviour. To suggest that the user has to be sufficiently aware
> of the technicalities and constantly acting as a psychic firewall is an
> abdication of responsibility.

What exactly can go wrong with the current behavior? There will always be
the (unexpected if you thought to get an image) extra step of the download
dialog appearing for anything that can have nefarious uses. For sites that
*want* to exploit user trust in extensions it is completely trivial to
make the tooltip say one thing, and then send something else altogether
[1].

> In the same way that the user can associate external programs with
> certain mime types, Opera should allow the user to associate certain
> *internal*
> behaviours with certain extensions, "safe" behaviours being defined by
> default.

I can see several security issues with such an approach.


[1] Only if you are completely paranoid and turn off both JavaScript and
redirecting this could be prevented. This might be useful when
investigating crooks on the web, if you work for the FBI. For almost
anyone else, turning off JavaScript and redirection will lead to utter
frustration on lots of normal websites.


--
Get Opera 8 now! Speed, Security and Simplicity.
http://my.opera.com/Rijk/affiliate/

Rijk van Geijtenbeek
Opera Software ASA, Documentation & QA

Tweak: http://my.opera.com/Rijk/blog/

seani

Sep 19, 2005, 8:18:47 AM
First of all, sorry for nameshifting; I don't have the option to use
PAN at work and I'm restricted to Google Groups. Apologies if I
misquote or misattribute; it's Monday after all.

>> Although other posters are "technically" correct in their statement that
>> the content-type header should be the definitive source of document
>> type information, this is an unhelpful irrelevance.

>No, it isn't.

Ah, we are close to panto season; "Oh yes it is".

But it was rather a general statement. To be more precise, the fact
that the browser obeys a standard is irrelevant to the user's experience
of this problem. A bit like "The operation was a complete success, but
the patient died".

> What exactly can go wrong with the current behavior? There will always be
> the (unexpected if you thought to get an image) extra step of the download
> dialog appearing for anything that can have nefarious uses.

*Not* in this case. There will be no extra step allowing the user to
back out if an HTML document is served, rather than a JPG, and it *is*
potentially exploitable, to different degrees depending on the
experience/awareness of the user.

> For sites that
> *want* to exploit user trust in extensions it is completely trivial to
> make the tooltip say one thing, and then send something else all together
> [1].

I want to make the point I'm making here absolutely clear. I believe
it's the same point that Franc makes; I'm sure he'll correct me if this
is not the case.

*No one* is suggesting that it requires JavaScript to be disabled: this
would not circumvent the vulnerability that Franc describes.

What I'm saying is that, for a limited set of common extensions, if the
content-type appears to disagree with the extension, then the user
should be given the choice of directing the behaviour of the browser,
possibly by:

1) Attempting to render the content in accordance with the extension
and overriding the behaviour directed by content-type. Specifically,
where an image/multimedia extension is used, attempting to render as
indicated by the extension,

or

2) Warning that the extension does not match the content-type for a
given set of extensions and allowing the browser to proceed.

Changing tooltips etc. is irrelevant. Even a full analysis of the
source code by an experienced HTML developer in this case will *not*
reveal the mismatch. The mismatch can only be detected at the point the
resource is delivered, and not by the user. The user currently has no
way of knowing that a mismatch may occur.

On balance, it seems to me that there is no good reason for a site to
indicate a JPG (and several other extensions) and serve an HTML
document in this way. If we always *trust* a site, why do we offer to
block popups etc.? I completely understand the issues surrounding
ambiguity between the content-type and the extension (and this from a
technical standpoint delivering Inter/Intranet systems), but we are
talking about a specific set of circumstances.

In any case, it isn't really a religious debate; Opera already uses the
extension to determine behaviour in some cases.
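Jorgen's suggestion of a "Link info" action that sends an HTTP HEAD request, and seani's proposal above of comparing the served Content-Type against a limited set of common extensions, combine naturally into one check. The Python below is an added example written for this page, not code from Opera or from any poster. The expected-type table, the example.invalid URLs and the three sample HEAD responses are all constructed for the example; nothing here is captured from a real server.

```python
import http.client
import posixpath
from urllib.parse import urlsplit

# Constructed for this example: the "limited set of common extensions" and
# the media type a user would reasonably expect each one to carry. Anything
# not listed carries no expectation, so .pl, .cgi or .php resources are never
# flagged, which keeps the check from complaining about ordinary CGI output.
EXPECTED_TYPE_FOR_EXT = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".gif": "image/gif", ".png": "image/png",
    ".txt": "text/plain", ".pdf": "application/pdf",
}


def request_target(url):
    """Path plus query string, as it appears on the request line."""
    parts = urlsplit(url)
    return (parts.path or "/") + ("?" + parts.query if parts.query else "")


def build_head_request(url):
    """The raw HTTP/1.1 HEAD request a 'Link info' action would send: the same
    response headers as a GET, with no body transferred."""
    return (f"HEAD {request_target(url)} HTTP/1.1\r\n"
            f"Host: {urlsplit(url).netloc}\r\n"
            "Connection: close\r\n\r\n")


def parse_head_response(raw):
    """Split a HEAD response into (status_code, {header name lower-cased: value}).
    A HEAD response carries no body, so anything after the blank line is ignored."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_link(url, headers):
    """Compare the extension in the URL with the Content-Type actually served.

    Returns "match", "mismatch", "no-expectation" (extension not in the table)
    or "no-content-type" (the server sent none, so there is nothing to compare).
    """
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    expected = EXPECTED_TYPE_FOR_EXT.get(ext)
    if expected is None:
        return "no-expectation"
    served = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if not served:
        return "no-content-type"
    return "match" if served == expected else "mismatch"


def summarize(url, status, headers):
    """What a 'Link info' entry could show from one HEAD round trip. The status
    code is kept so that a 404 error page served as text/html for a missing
    image can be told apart from a live page deliberately served under .jpg."""
    return {
        "status": status,
        "content_type": headers.get("content-type"),
        "size": headers.get("content-length"),
        "last_modified": headers.get("last-modified"),
        "verdict": classify_link(url, headers),
    }


def link_info(url, raw_head_response):
    """Offline variant: summarize an already-captured HEAD response."""
    status, headers = parse_head_response(raw_head_response)
    return summarize(url, status, headers)


def fetch_link_info(url, timeout=10):
    """Live variant: send the HEAD request with http.client. Not exercised by
    the constructed samples below."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", request_target(url))
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        return summarize(url, resp.status, headers)
    finally:
        conn.close()


# Constructed sample responses; not captured from any real server.
SAMPLE_HTML_AS_JPG = ("HTTP/1.1 200 OK\r\n"
                      "Content-Type: text/html; charset=ISO-8859-1\r\n"
                      "Content-Length: 4096\r\n"
                      "Last-Modified: Wed, 14 Sep 2005 12:00:00 GMT\r\n\r\n")
SAMPLE_REAL_JPG = ("HTTP/1.1 200 OK\r\n"
                   "Content-Type: image/jpeg\r\n"
                   "Content-Length: 51234\r\n\r\n")
SAMPLE_404 = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for url, raw in [("http://example.invalid/boby/pic458.jpg", SAMPLE_HTML_AS_JPG),
                     ("http://example.invalid/img/real.JPG", SAMPLE_REAL_JPG),
                     ("http://example.invalid/gone.gif", SAMPLE_404)]:
        print(url, link_info(url, raw))
```

Two caveats a practitioner would want: the verdict is advisory, because a server is free to answer the later GET differently from the HEAD (or to redirect it, as Rijk's footnote notes), so the check tells you what the link claims right now, not what you will be served; and the 404 case Rijk raises lands as a "mismatch" with status 404, which a UI should report as "missing image" rather than as a suspicious link.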

Franc Zabkar

Sep 19, 2005, 3:27:22 AM
On Sun, 18 Sep 2005 21:13:22 +0100, me <m...@mememe.com> put finger to
keyboard and composed:

>On Thu, 15 Sep 2005 17:17:31 +1000, Franc Zabkar wrote:
>
>> On Thu, 15 Sep 2005 00:13:52 +0100, Spartanicus
>> <inv...@invalid.invalid> put finger to keyboard and composed:

>>>Filenames and/or extensions are and should be irrelevant to a
>>>web browser, what matters to a web browser is the content-type http
>>>header, and in this case it says text/html, thus Opera is correct to
>>>open it as such.
>>
>> IMHO this poses a potential security threat. I would think a sensible
>> approach by the browser would be to warn the user against opening
>> these suspicious files and to present him/her with the option of not
>> doing so.

>Whilst it's correct to say that any extension can house any resource,
>common extensions such as .jpg, .gif etc. come with an expectation of
>certain behaviour. To suggest that the user has to be sufficiently aware
>of the technicalities and constantly acting as a psychic firewall is an
>abdication of responsibility.
>
>In the same way that the user can associate external programs with certain
>mime types, Opera should allow the user to associate certain *internal*
>behaviours with certain extensions, "safe" behaviours being defined by
>default.
>
>Good catch, Frank.

I was able to "catch" it because I have my browser set to display
cached images only. When I saw the text and several empty graphics
windows I knew that something was not right. If the JPEG had instead
been a GIF or some other image format, I would have been none the
wiser. That's not to say that an image, even an animated one (???),
can be harmful ...

Matthew Winn

Sep 19, 2005, 4:01:49 AM
On Sun, 18 Sep 2005 21:13:22 +0100, me <m...@mememe.com> wrote:
> Although other posters are "technically" correct in their statement that
> the content-type header should be the definitive source of document
> type information, this is an unhelpful irrelevance.
>
> The fact is that, in this case, a user can be suckered into clicking on a
> link where the behaviour of the browser after clicking is completely
> unknown, undefined and unknowable by the user in advance.

So what? You can't ever know what will happen when you click a link.
The only thing the browser can do is protect you after the fact, and
Opera does a better job of that than any other browser.

> Its all very well to opine that this isn't Opera's problem, but IMO, this
> attitude is wrong. Most other browsers that correctly interpret
> content-type will suffer from the same issue: this is not an
> excuse that lets Opera wash its hands of the problem.

It's not "suffering" from any issue. The behaviour you describe as
"wrong" is the ONLY way to protect users.

> Whilst it's correct to say that any extension can house any resource,
> common extensions such as .jpg, .gif etc. come with an expectation of
> certain behaviour. To suggest that the user has to be sufficiently aware
> of the technicalities and constantly acting as a psychic firewall is an
> abdication of responsibility.

The only problem here is users who try to outguess the browser, and
on that basis assume they know better than the browser what should
happen. If you just ignore the name of a resource and let the browser
get on with the task of protecting you there is no problem and no
risk.

It's only when you treat the entire internet as if it were a vast
Windows drive and cling to the mistaken assumption that the apparent
extension of a resource has some meaning that you see a problem. Drop
that erroneous view of the world and you'll see that the problem isn't
really there. Your "problem" is an illusion brought on by an incorrect
understanding of the internet, and if you stop wilfully leading yourself
astray you wouldn't worry.

Most users never even try to see where a link goes before they click
it. They have no problem. It's only because a few people try to read
more into a URL than is truly there that they see an imaginary problem.

> In the same way that the user can associate external programs with certain
> mime types, Opera should allow the user to associate certain *internal*
> behaviours with certain extensions, "safe" behaviours being defined by
> default.

That would be a huge security hole. That's precisely the behaviour
that once made some Microsoft products such a danger, and which was
actively exploited to induce unsuspecting users to run binaries.
The only way to keep the users safe is to ignore the extension. The
browser does that, and if you don't that's your problem. The internet
isn't a Windows drive. Stop viewing it as one.

Haavard Kvam Moen

Sep 19, 2005, 5:40:27 AM
On Sun, 18 Sep 2005 21:13:22 +0100, me <m...@mememe.com> wrote:

> The fact is that, in this case, a user can be suckered into clicking on a
> link where the behaviour of the browser after clicking is completely
> unknown, undefined and unknowable by the user in advance.

Do you have any examples of things that can go wrong, and maybe even
how you think they can be corrected?

> To suggest that the user has to be sufficiently aware of the
> technicalities and constantly acting a psychic firewall is an
> abdication of responsibility.

That is precisely the point: The user doesn't have to. Opera (and
other browsers) should default to being safe.

Rijk van Geijtenbeek

Sep 19, 2005, 8:46:15 AM
On Mon, 19 Sep 2005 14:18:47 +0200, seani wrote:

> First of all, sorry for nameshifting; I don't have the option to use
> PAN at work and I'm restricted to Google Groups. Apologies if I
> misquote or misattribute; it's Monday after all.
>
>>> Although other posters are "technically" correct in their statement
>>> that
>>> the content-type header should be the definitive source of document
>>> type information, this is an unhelpful irrelevance.
>
>> No, it isn't.
>
> Ah, we are close to panto season; "Oh yes it is".
>
> But it was rather a general statement. To be more precise, the fact
> that the browser obeys a standard is irrelevant to the users experience
> of this problem. A bit like "The operation was a complete success, but
> the patient died".
>
>> What exactly can go wrong with the current behavior? There will always
>> be the (unexpected if you thought to get an image) extra step of the
>> download dialog appearing for anything that can have nefarious uses.
>
> *Not* in this case. There will be no extra step allowing the user to
> back out if an HTML document is served, rather than a JPG, and it *is*
> potentially exploitable, to different degrees depending on the
> experience/awareness of the user.

I utterly fail to see the logic here. I don't see any exploitable behavior
here. OTOH, it is quite common that you get a 404 HTML page back when
requesting an image file that is no longer available. Popping up dialogs
would make things harder in such cases, not easier. Trying to render this
HTML as a Jpeg is useless.

The only *useful* case I see here is when things are served as plain text,
which are in reality files of a type the user wants to download or display
as something other than text. Sniffing extensions or content here might
enhance the user experience. But as this is fraught with difficulties (and
causes security issues and hatred of MSIE by web purists), Opera 8 is more
reluctant to do such things than Opera 6/7. The knowledgeable user that
needs little protection will probably also manage to do a 'save as' and
edit the file extension to his liking.

Rijk van Geijtenbeek

Sep 19, 2005, 7:10:11 PM
On Mon, 19 Sep 2005 21:35:56 +0200, me wrote:

..

> No, it *isn't*, you're just not getting this.

Obviously. You do consider the possibility that there might not *be* a
point, right? But thanks a lot for this message. I understand what you are
saying much better now, but I still think it is not a valid concern. And
changing the way Opera handles file extensions and content type would
really be a security issue.

me

Sep 19, 2005, 3:02:08 PM
On Mon, 19 Sep 2005 08:01:49 +0000, Matthew Winn wrote:

> On Sun, 18 Sep 2005 21:13:22 +0100, me <m...@mememe.com> wrote:
>> Although other posters are "technically" correct in their statement that
>> the content-type header should be the definitive source of document
>> type information, this is an unhelpful irrelevance.
>>
>> The fact is that, in this case, a user can be suckered into clicking on a
>> link where the behaviour of the browser after clicking is completely
>> unknown, undefined and unknowable by the user in advance.
>
> So what? You can't ever know what will happen when you click a link.
> The only thing the browser can do is protect you after the fact, and
> Opera does a better job of that than any other browser.
>

Hmmm. Perhaps. It's certainly a good deal better than IE, whether it's
better than firefox in this regard is questionable, and I speak as a
paid user for the Linux and WIN32 versions.


>> It's all very well to opine that this isn't Opera's problem, but IMO,
>> this attitude is wrong. Most other browsers that correctly interpret
>> content-type will suffer from the same issue: this is not an excuse
>> that lets Opera wash its hands of the problem.
>
> It's not "suffering" from any issue. The behaviour you describe as
> "wrong" is the ONLY way to protect users.
>
>> Whilst it's correct to say that any extension can house any resource,
>> common extensions such as .jpg, .gif etc. come with an expectation of
>> certain behaviour. To suggest that the user has to be sufficiently
>> aware of the technicalities and constantly acting as a psychic firewall
>> is an abdication of responsibility.
>
> The only problem here is users who try to outguess the browser, and on
> that basis assume they know better than the browser what should happen.
> If you just ignore the name of a resource and let the browser get on
> with the task of protecting you there is no problem and no risk.
>
> It's only when you treat the entire internet as if it were a vast
> Windows drive and cling to the mistaken assumption that the apparent
> extension of a resource has some meaning that you see a problem. Drop
> that erroneous view of the world and you'll see that the problem isn't
> really there. Your "problem" is an illusion brought on by an incorrect
> understanding of the internet, and if you stop wilfully leading yourself
> astray you wouldn't worry.
>

You're barking up the wrong tree here. It isn't "my" "problem". Perhaps
I'm not explaining the issue well. You *think* you know what I mean, but
clearly you don't.

> Most users never even try to see where a link goes before they click it.
> They have no problem. It's only because a few people try to read more
> into a URL than is truly there that they see an imaginary problem.
>

Firstly, I understand the security issues involved; I've been developing
Inter/Intranet applications for getting on for 10 years. Not simple forms
capture, but complex distributed systems, B2C and B2B, dynamically
generating PDF, RTF, XLS etc. etc. etc. I'm not trying to prove anything
by telling you this, other than convincing you that I *am* aware of the
issues involved.

I share your concerns that users treat the Internet as if it was a simple
extension of their desktop/harddisk, and I'm appalled by the implications
of MS's apparent strategy of making these things *appear* seamless and
secure. Active Desktop didn't last 10 seconds in my home or at work. We
are on the same page here.

I won't repeat my reply to Rijk here, but I can think of one scenario off
the top of my head that makes this behaviour exploitable.


>> In the same way that the user can associate external programs with
>> certain mime types, Opera should allow the user to associate certain
>> *internal* behaviours with certain extensions, "safe" behaviours being
>> defined by default.
>
> That would be a huge security hole. That's precisely the behaviour that
> once made some Microsoft products such a danger, and which was actively
> exploited to induce unsuspecting users to run binaries. The only way to
> keep the users safe is to ignore the extension. The browser does that,
> and if you don't that's your problem. The internet isn't a Windows
> drive. Stop viewing it as one.

No, I am not. You are *not* reading and interpreting this problem
correctly, and you are *not* comparing like-with-like.

What I am suggesting, very precisely, is that when a user clicks on a link
to a resource with one of a set of common extensions such as JPG, WMV,
XLS etc. that, under control of user settings, the browser should *always*
treat the stream of data concerned as if the content-type matched the
extension. No more, no less.

This introduces *no* additional vulnerabilities and prevents others.

me

Sep 19, 2005, 3:04:38 PM
On Mon, 19 Sep 2005 11:40:27 +0200, Haavard Kvam Moen wrote:

> On Sun, 18 Sep 2005 21:13:22 +0100, me <m...@mememe.com> wrote:
>
>> The fact is that, in this case, a user can be suckered into clicking on a
>> link where the behaviour of the browser after clicking is completely
>> unknown, undefined and unknowable by the user in advance.
>
> Do you have any examples of things that can go wrong, and maybe even
> how you think they can be corrected?
>

I am posting a scenario for Rijk. The scenario can be corrected by
exactly the steps I've previously suggested; as a configurable option, the
browser should use the extension in favour of the content-type header for
certain extensions.

>> To suggest that the user has to be sufficiently aware of the
>> technicalities and constantly acting a psychic firewall is an
>> abdication of responsibility.
>
> That is precisely the point: The user doesn't have to. Opera (and
> other browsers) should default to being safe.

But in this case it doesn't. Read my suggested scenario, and perhaps it
will become clear.

me

Sep 19, 2005, 3:35:56 PM

No, it *isn't*, you're just not getting this.

Ok, here's a concrete example:

* The user browses to a page claiming to have a list of useful Excel
spreadsheets.

* The user is fairly savvy, and only allows firewall access to Opera and a
few other selected applications.

* The user clicks on a link called, let's say,
"password-strength-check.xls". The file is described as a utility to check
the strength of passwords, and optionally store them in a password
protected Excel file.

* The user clicks on the link, and either:

a) A new window opens; it's Excel running the spreadsheet.

b) An Excel spreadsheet is displayed in-place in the browser window. You
know, "just like IE does it"

* The user pops a few passwords into cells as instructed. Perhaps you can
check more than one at a time. Perhaps it offers to generate secure
passwords in combination with the user's name and/or a chosen URL, a bit
like password composer
(http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/) .

* The user clicks on a "Check" button.

* It doesn't seem to check much, or perhaps Excel just appears to GPF but
that's Ok, no harm done? Just forget about it.


Except that, although the link said "password-strength-check.xls", and
even the HTML source code said "password-strength-check.xls", Excel was
never called at any point.

Instead, the link sends an HTML file, indicated by the content-type, and
Opera renders it as such. The HTML page is an accurate facsimile of Excel;
toolbars look like toolbars using simple rollover graphics etc. etc. You
can get as close as you like to the app with a few screenshots, well
placed graphics and a bit of DHTML/Javascript.

When the user clicked on the "Check" button, the captured
passwords/whatever are posted back to the server and recorded. The user's
firewall didn't object; it's Opera after all. The server responds with a
page that looks like Excel with an overlaid error dialog, or perhaps
shows a hidden DIV with the same for instant results.

The server has the user's private data. Replace "password" with "credit
card number", "password check" with "free porn" or whatever. The social
manipulation aspect will need to be worked on by more devious men than me.


Alternatively, Opera steps in at the point the data is returned, and
either:

1) Attempts to render the returned HTML as an Excel spreadsheet (or pass
to the appropriate app)

2) Warns the user of the mismatch.


Note that this doesn't *have* to be applied in reverse; clicking on a .htm
file that results in an XLS, JPG being returned is relatively benign, and
damn near essential. This is *not* what I have suggested.

Also, although *we* know that for a "real" XLS Opera would behave
differently, the user, depending on experience, may not. The user may well
not notice at all, or merely shrug their shoulders. Perhaps a setting has
changed? Who cares, my firewall will protect me if anything tries to send
data out.


> The only *useful* case I see here is when things are served as plain
> text, which are in reality files of a type the user wants to download or
> display as something other than text. Sniffing extensions or content
> here might enhance the user experience. But as this is fraught with
> difficulties (and causes security issues and hatred of MSIE by web
> purists), Opera 8 is more reluctant to do such things than Opera 6/7.
> The knowledgeable user that needs little protection will probably also
> manage to do a 'save as' and edit the file extension to his liking.

All true. All missing the point.


me

Sep 19, 2005, 3:50:02 PM

Oh, I don't know. I've seen a few pictures I'd rather forget :(

me

Sep 19, 2005, 3:55:59 PM
Incidentally, do you work for a large UK utility company?

me

Sep 19, 2005, 9:14:22 PM
On Tue, 20 Sep 2005 01:10:11 +0200, Rijk van Geijtenbeek wrote:

> On Mon, 19 Sep 2005 21:35:56 +0200, me wrote:
>
> ..
>
>> No, it *isn't*, you're just not getting this.
>
> Obviously. You do consider the possibillity that there might not *be* a
> point, right?

Yes, I have considered the possibility and dismissed it. You started off
by saying that you couldn't see a possible exploitation for this
behaviour. I've presented you with a concrete example, which you choose
apparently to ignore.

An interesting reaction.

> But thanks a lot for this message. I understand what you are
> saying much better now, but I still think it is not a valid concern. And
> changing the way Opera handles file extensions and content type would
> really be a security issue.

No it wouldn't be, not in the manner in which I suggest. All I am
saying, once again, is that Opera should intervene when there is a
mismatch between the stated extension and the content-type actually
delivered for some classes of extension. No more, no less. No security
issue. If you still insist that amending Opera's behaviour in this way
introduces further security issues, perhaps you would share them with me?

Franc Zabkar

Sep 20, 2005, 2:19:02 AM
On Mon, 19 Sep 2005 11:40:27 +0200, Haavard Kvam Moen
<haa...@opera-dot-com.invalid> put finger to keyboard and composed:

I can't understand the resistance to my concerns. Surely the point is
that someone has attempted to deceive me, and succeeded. Opera knew
that the target was not what it appeared to be, yet it did nothing to
alert me ... until I tried to save the page. IMO, the attitude that
Opera knows best is exactly what makes a browser, especially IE, so
vulnerable.

Irrespective of whether my concerns are misplaced or otherwise, it is
apparent that I am not alone. I would think that Opera's developers
should take this on board.

Matthew Winn

Sep 20, 2005, 4:12:36 AM
On Mon, 19 Sep 2005 20:35:56 +0100, me <m...@mememe.com> wrote:
> Except that, although the link said "password-strength-check.xls", and
> even the HTML source code said "password-strength-check.xls", Excel was
> never called at any point.
>
> Instead, the link sends an HTML file, indicated by the content-type, and
> Opera renders it as such. The HTML page is an accurate facsimile of Excel;
> toolbars look like toolbars using simple rollover graphics etc. etc. You
> can get as close as you like to the app with a few screenshots, well
> placed graphics and a bit of DHTML/Javascript.

Except that there'll always be a browser window wrapped around it,
and I doubt you could ever get behaviour that's close enough to fool
anyone. It would be easier in Java, but there too the window is
clearly distinguishable from a local application.

Yes, there may be users who won't notice such things, but those users
are in trouble anyway: as experience has shown, if users are gullible
enough to type passwords without thinking then the attacker doesn't
need to be anywhere near as sophisticated as to fake up Excel. If you
set up a page "password-strength-check.html" and asked users to type
their passwords and your server would check the strength, you'd still
get people doing it.

> All missing the point.

We understand what you're trying to say very well. What you don't
understand is that there is no problem, and no matter how often you
repeat the mantra "the extension shows the file type" it will never be
anything other than false when applied to the internet.

The real point here is that a very small number of people, yourself
included, think they've found a clever way to predict the type of data
that a website will send. Now they've been told that this cannot
work, but instead of discarding the idea-that-can-never-work they're
refusing to give it up and trying to put the blame on the browser.

Most users don't look at the URL of a link. Even if they do, how
difficult do you think it would be for your hypothetical site to use
a link like "password-strength-check.html#check.xls"? Do you really
expect the users to be ignorant enough to think the resulting page is
actually Excel, but smart enough to know the meaning of that # in the
URL? Or the attacker could deliver the content using a CGI program,
from which the browser would have to accept any content silently. In
fact the attacker doesn't even need to be that sophisticated: all they
need to do is have a long URL that overflows the width of most users'
status fields. Your proposed "protection" is trivial to break.

You CANNOT protect the user by using the extension. Your idea would
actually make things worse: there would be so many false positives
that users would either end up too afraid to use the web at all, or
so familiar with the false positives that the one-in-a-million times
when there's a real problem they'd just ignore it.

A security system that doesn't work is more dangerous than no security
at all, and your security system doesn't work. If any browser did
adopt your idea I'd drop it in an instant.

Matthew Winn

Sep 20, 2005, 4:13:48 AM
On Mon, 19 Sep 2005 20:55:59 +0100, me <m...@mememe.com> wrote:
> Incidentally, do you work for a large UK utility company?

I've never worked for a large UK utility company. Why do you ask?

Matthew Winn

Sep 20, 2005, 4:19:35 AM
On Tue, 20 Sep 2005 16:19:02 +1000, Franc Zabkar <fza...@iinternode.on.net> wrote:
> I can't understand the resistance to my concerns. Surely the point is
> that someone has attempted to deceive me, and succeeded. Opera knew
> that the target was not what it appeared to be, yet it did nothing to
> alert me ... until I tried to save the page.

It's that "not what it appeared to be" that's the fault in your
reasoning. You're trying to use the extension to predict the data,
but you're completely wrong to do so because it doesn't work. Drop
that idea and you'll never have a problem.

The reason for the resistance to your concerns is because it was
placing too much emphasis on the extension of a resource and not
enough on the content-type that led to major security problems in the
past. For security reasons it's important that the browser ignore the
extension, and for your peace of mind it's important that you ignore
it too.

> IMO, the attitude that
> Opera knows best is exactly what makes a browser, especially IE, so
> vulnerable.

The browser _does_ know best, because it has the real data and you
only have a URL. I can't stress this too strongly: DON'T try to guess
the data type from the URL.

seani

Sep 20, 2005, 6:06:36 AM
Nothing nefarious :) I've worked with a Matt Winn on and off at the
same "large UK utility company"

Matthew Winn

Sep 20, 2005, 11:14:16 AM
On 20 Sep 2005 03:06:36 -0700, seani <ing...@gmail.com> wrote:
> Nothing nefarious :) I've worked with a Matt Winn on and off at the
> same "large UK utility company"

Someone has stolen my identity! I must track him down and destroy him!

Brian L Johnson

Sep 20, 2005, 11:28:46 AM
seani wrote:

> Nothing nefarious :) I've worked with a Matt Winn on and off at the
> same "large UK utility company"

No, *I'm* Matthew and so's my wife!

--
-blj-

Peter Boulding

Sep 20, 2005, 12:32:34 PM
On Tue, 20 Sep 2005 16:28:46 +0100, "Brian L Johnson"
<no.e...@address.invalid> wrote in <op.sxeql8wu0v1caa@medion>:

>No, *I'm* Matthew and so's my wife!

No, *I'm* Spartanicus!

--
Regards
Peter Boulding
p...@UNSPAMpboulding.co.uk (to e-mail, remove "UNSPAM")
Fractal music & images: http://www.pboulding.co.uk/

Spartanicus

Sep 20, 2005, 1:23:21 PM
Peter Boulding <p...@UNSPAMpboulding.co.uk> wrote:

>>No, *I'm* Matthew and so's my wife!
>
>No, *I'm* Spartanicus!

Yer man played by Kirk Douglas was called "Spartacus".

--
Spartanicus

me

Sep 20, 2005, 4:04:07 PM
On Tue, 20 Sep 2005 08:12:36 +0000, Matthew Winn wrote:

> On Mon, 19 Sep 2005 20:35:56 +0100, me <m...@mememe.com> wrote:
>> Except that, although the link said "password-strength-check.xls", and
>> even the HTML source code said "password-strength-check.xls", Excel was
>> never called at any point.
>>
>> Instead, the link sends an HTML file, indicated by the content-type, and
>> Opera renders it as such. The HTML page is an accurate facsimile of Excel;
>> toolbars look like toolbars using simple rollover graphics etc. etc. You
>> can get as close as you like to the app with a few screenshots, well
>> placed graphics and a bit of DHTML/Javascript.
>
> Except that there'll always be a browser window wrapped around it,
> and I doubt you could ever get behaviour that's close enough to fool
> anyone. It would be easier in Java, but there too the window is
> clearly distinguishable from a local application.

And I *don't* doubt that you *could* make it appear very close indeed. And
for users used to MS IE behaviour, even an Excel spreadsheet embedded in a
browser window would present no surprise whatsoever.

>
> Yes, there may be users who won't notice such things, but those users
> are in trouble anyway: as experience has shown, if users are gullible
> enough to type passwords without thinking then the attacker doesn't need
> to be anywhere near as sophisticated as to fake up Excel. If you set up
> a page "password-strength-check.html" and asked users to type their
> passwords and your server would check the strength, you'd still get
> people doing it.
>

Well yes perhaps so. And some people will give away their password on the
phone. Nothing you can do about either of those two situations. You *can*
mitigate against this situation, and you should.

Also in this case, they *will* be thinking. They have a firewall, they
know that Excel can't call home without permission, except that in this
case it can.

>> All missing the point.
>
> We understand what you're trying to say very well. What you don't
> understand is that there is no problem, and no matter how often you
> repeat the mantra "the extension shows the file type" it will never be
> anything other than false when applied to the internet.
>

That is not the mantra I'm repeating. Please read what I write, not what
you think I mean.

*I* know it isn't true. And *you* know. Not everyone does.

I also know that:

www.micr...@fakesite.net

doesn't direct you to the Microsoft site. And it's a fact easily learnt by
other users.

So why does Opera *choose* to warn about this behaviour? It's a value
judgement based on a combination of:

* how many people would notice the possible spoof and be aware that they
aren't getting what they bargain for when they click on the link?

* how embarrassing for us would any proven exploits be?

> The real point here is that a very small number of people, yourself
> included, think they've found a clever way to predict the type of data
> that a website will send. Now they've been told that this cannot
> work, but instead of discarding the idea-that-can-never-work they're
> refusing to give it up and trying to put the blame on the browser.
>

F*ck me, how many times and in how many ways do I have to explain this? I
understand *exactly* how this process works. I am not claiming that the
content-type can be predicted from the extension.


You seem to be confusing:

"Check the content-type returned by an extension that is commonly used
to deliver a heterogeneous mix of file types" (e.g. .htm, .pl, .asp, .exe,
.dll)

with

"Check that a *specific* extension matches the most commonly delivered
content-type for that extension"


For the second case there will be a vanishingly small number of false
positives.


> Most users don't look at the URL of a link. Even if they do, how
> difficult do you think it would be for your hypothetical site to use
> a link like "password-strength-check.html#check.xls"? Do you really
> expect the users to be ignorant enough to think the resulting page is
> actually Excel, but smart enough to know the meaning of that # in the
> URL? Or the attacker could deliver the content using a CGI program,
> from which the browser would have to accept any content silently. In
> fact the attacker doesn't even need to be that sophisticated: all they
> need to do is have a long URL that overflows the width of most users'
> status fields. Your proposed "protection" is trivial to break.
>
> You CANNOT protect the user by using the extension. Your idea would
> actually make things worse: there would be so many false positives
> that users would either end up too afraid to use the web at all, or
> so familiar with the false positives that the one-in-a-million times
> when there's a real problem they'd just ignore it.
>

No, no, no, no, no. You *do* *not* *understand* what is being said
to you. You are reading the suggestion incorrectly.

I understand that *any* extension can deliver *any* content-type.

In one situation

"generic extension generates specific content-type"

there's nothing you can or should do.

In the other

"commonly understood explicit extension generates different explicit
content-type"

you can, and you should.


> A security system that doesn't work is more dangerous than no security
> at all, and your security system doesn't work. If any browser did adopt
> your idea I'd drop it in an instant.

Agreed, but it *would* work. Your privilege to switch of course.


Anyway, I doubt we'll see eye-to-eye on this. I'll file a report with
Mozilla and whatever the correct channel at Opera is, and if it's ignored,
it's ignored. If I get round to doing a quick POC, I'll post it, and you
can ignore it at your leisure.

Perhaps this is the excuse I need to get my hands dirty with a Firefox
extension.

Eik

Sep 20, 2005, 4:11:26 PM
On Tue, 20 Sep 2005 21:04:07 +0100, me <m...@mememe.com> wrote:

> You *can*
> mitigate against this situation, and you should.

In my experience, the more you pander to people the less savvy they become
and the more they need further nannying of the sort you're suggesting. And
god knows there's plenty of you lot ready to 'help'. Most people click
'ok' to warnings without even reading them properly and every week I hear
technology shows full of calls from people frightened they're badly
infected and in need of urgent help to get rid of a virus - and all
because Norton simply raised a popup that said "an intrusion attempt WAS
BLOCKED". Clearly many people know they need a firewall (which is little
more than a buzzword to them much like they used to say "I want to buy an
internet") but they don't know why, or what it actually does.

Do you really think people like that will understand what you're saying
here? Pretend spreadsheets (that are really web pages, apparently) are the
least of their worries.

Opera's behaviour is what I want a browser to do and I am one of those web
browser users you're so concerned about. I am sick and tired of everything
I buy these days being designed for brainless idiots with no common sense.
If you read the Microsoft IE7 blogs you'll see they're even scared about
tabbed browsing because everyone might be baffled by it and not be able to
work the internet again. It's a wonder we were ever allowed to come down
from the trees.

All I want is software written by grown ups for grown ups. No walled
gardens or misleading tellytubby concepts of how things work because I'm
too stupid to understand the reality of it. You don't protect the elderly
from rouge salesmen by locking down their bank accounts and only letting
them have their own money if they really need it, you educate them not to
be fooled in the first place. If an individual won't see sense then tough
- that's how society works in every other regard.


--
Using Opera's revolutionary Email client: http://www.opera.com/mail/

me

Sep 20, 2005, 6:15:38 PM
On Tue, 20 Sep 2005 21:11:26 +0100, Eik wrote:

> On Tue, 20 Sep 2005 21:04:07 +0100, me <m...@mememe.com> wrote:
>
>> You *can*
>> mitigate against this situation, and you should.
>
> In my experience, the more you pander to people the less savvy they become
> and the more they need further nannying of the sort you're suggesting. And
> god knows there's plenty of you lot ready to 'help'. Most people click

"Plenty of you lot". And what do you mean by that exactly?

> 'ok' to warnings without even reading them properly and every week I hear
> technology shows full of calls from people frightened they're badly
> infected and in need of urgent help to get rid of a virus - and all
> because Norton simply raised a popup that said "an intrusion attempt WAS
> BLOCKED". Clearly many people know they need a firewall (which is little
> more than a buzzword to them much like they used to say "I want to buy an
> internet") but they don't know why, or what it actually does.
>
> Do you really think people like that will understand what you're saying
> here? Pretend spreadsheets (that are really web pages, apparently) are the
> least of their worries.
>

Who are "they"? If you mean "the general public", "they" don't need to
understand what's being discussed, anymore than "they" need to understand
PKI or SSL, other than checking for a padlock icon. That's why "they" need
help and a configurable browser that lets them take the training wheels
off when they're savvy enough.

> Opera's behaviour is what I want a browser to do and I am one of those
> web browser users you're so concerned about. I am sick and tired of
> everything I buy these days being designed for brainless idiots with no
> common sense. If you read the Microsoft IE7 blogs you'll see they're
> even scared about tabbed browsing because everyone might be baffled by
> it and not be able to work the internet again. It's a wonder we were
> ever allowed to come down from the trees.
>
> All I want is software written by grown ups for grown ups. No walled
> gardens or misleading tellytubby concepts of how things work because I'm
> too stupid to understand the reality of it. You don't protect the
> elderly from rouge salesmen by locking down their bank accounts and only
> letting

"Rouge salesmen", LOL. Accidental but it paints a vivid picture :)

> them have their own money if they really need it, you educate them not to
> be fooled in the first place. If an individual won't see sense then tough
> - that's how society works in every other regard.

Again, this is a value call.

Opera protects unwary users from any number of potential problems that
could be prevented "manually" by greater awareness. And yet it still
protects.

Personally, when forced to use WIN32 systems, I run no AV software.
Some people would be appalled and tell me how much danger I'm in. I'd
rather maintain the perimeter myself and encourage my friends to abandon
useless panaceas like AV software in favour of thinking through the
consequences of their actions. (I like to point out that typical virus
behaviour includes slowing down their PCs, chewing up resources, and
randomly crashing the whole shooting match; this is also the effective
behaviour of most AV software :))

Similarly, firewall software is unnecessary. It's not as if a malicious
attacker can throw a pointy data packet at you and burst through your
defences; you (or your software) have to solicit connections and act on
requests.

But people *are* lazy, and *are* inexperienced and *do* need protection.
When you're *sure* you know what you *think* you know, handle it yourself
and you'll be a lot safer (as I'm sure you do).

Until then etc. etc.


Eik

Sep 20, 2005, 5:46:14 PM
On Tue, 20 Sep 2005 23:15:38 +0100, me <m...@mememe.com> wrote:

> "Plenty of you lot". And what do you mean by that exactly?

People who spend too much time worrying about "other people" and think the
world needs to be wrapped up in cotton wool.


> If you mean "the general public". "They" don't need to
> understand what's being discussed, anymore than "they" need to understand
> PKI or SSL, other than checking for a padlock icon.

So what happens on those sites where IE shows the padlock and Opera
doesn't? It's obvious... Opera doesn't support padlocks and IE must be
more secure because it does. The usual explanation of embedded elements
being loaded from a remote source via an insecure connection is all "blah
blah" as they see it. But because you've given people this simple
understanding that the padlock *is* security then all they'll be prepared
to believe is that the site is secure in IE and not in Opera. Opera is
unsafe, QED.

By the same token, teaching people to care about file extensions on the
web is not good. It's only if you create a problem that you'll need to
look for a solution to it.

Microsoft's "friendly" approach to help newbie Internet users get used to
forward slashes in paths was to allow both slashes to work the same in IE.
Naturally this created even more confusion and the problems remain long
after the novelty of the web has worn off. There are still people
discovering Firefox because of its recent hype and posting to
messageboards because the links and images on their sites are broken. When
they're told not to use backslashes in URLs they become dismissive and
reply "Why not, they've always worked in the past". They're still
suspicious that Firefox has a problem until they try using forward slashes
and then they're happy because it works in both browsers-- not because
they're now doing something correctly. There's an important difference.

People are too lazy to educate themselves before problems arise (even at
the risk of losing money), especially when their mistakes are being taken
care of "by the computer".


> Opera protects unwary users from any number of potential problems that
> could be prevented "manually" by greater awareness. And yet it still
> protects.

There's a difference between this kind of scam:

http://www.retrosynth.com/misc/phishing.html

...and a web page that's supposed to fool people into thinking they're
looking at Microsoft Office apps. Before Opera's fix, I could have fallen
for a fake Unicode URL but I'd never fall for a fake spreadsheet in a
million years.


> Similarly, firewall software is unnecessary. It's not as if a malicious
> attacker can throw a pointy data packet at you and burst through your
> defences

I think KB835732 fixed a hole in Windows that allowed just that, but I'm
no Windows techie so I don't know if there were any unusual settings
needed for the exploit to work.

Matthew Winn

Sep 21, 2005, 6:54:11 AM
On Tue, 20 Sep 2005 21:04:07 +0100, me <m...@mememe.com> wrote:
> No, no, no, no, no. You *do* *not* *understand* what is being said
> to you. You are reading the suggestion incorrectly.

I _do_ understand what you're saying. I know you're only talking about
a limited subset of extensions. What you're getting wrong is at the
end of this bit:

> I understand that *any* extension can deliver *any* content-type.
>
> In one situation
>
> "generic extension generates specific content-type"
>
> there's nothing you can or should do.
>
> In the other
>
> "commonly understood explicit extension generates different explicit
> content-type"

Forget the first four words of that final sentence. They mean nothing
on the web. It makes no difference whether it's you or anyone else
who believes that. Anyone who looks at an extension and thinks it
means something is setting a trap for themselves, and they're the only
one who can escape it. Your plan merely attempts to legitimise a
flawed perception.

THERE IS NO SUCH THING AS A MEANINGFUL EXTENSION ON THE INTERNET.

Anything that encourages users to put their trust in a mistaken notion
about meaningful extensions is teaching them bad habits that will
eventually lead them to make dangerous errors.

Remember, too, that by default Windows doesn't show extensions. Many
of the sort of users you're talking about won't have any concept of
"commonly understood explicit extensions" unless you teach it to them.
They just see different types of icons. They're more likely to judge
a URL to be a spreadsheet if it has an X to its left than if it has a
particular ending. What are your plans to protect them there?

> > A security system that doesn't work is more dangerous than no security
> > at all, and your security system doesn't work. If any browser did adopt
> > your idea I'd drop it in an instant.
>
> Agreed, but it *would* work. Your privilege to switch of course.

It would not work. I showed you several ways in which someone could
set up an HTML page that looked like it had a ".xls" extension and
would not trigger your proposed protection. Evading your security
system is trivially simple. What makes you think anyone wanting to
set up the sort of attack you describe wouldn't bother to work around
your scheme? It's as simple as adding a few extra characters to a URL.
Your proposal wouldn't defeat any attempt at deception.

Let me illustrate a couple of cases again in case you've forgotten:

http://.../spreadsheets/show?check_passwords.xls
("spreadsheets" is a CGI directory)

No alert: to the user it looks like a ".xls" file but it's actually a
CGI program named "show", so the browser doesn't alert the user.

http://.../downloads.html#check_passwords.xls

No alert: it looks like a ".xls" file but it's actually a ".html" file
serving HTML, so the browser doesn't alert the user.

Do you honestly think _any_ attacker is going to be unable to think of
that?

You have not discovered a security hole previously overlooked by the
rest of the world. Your ideas have been seen before, and they cause
security problems. People aren't arguing with you because they don't
understand you. They're arguing with you because you're wrong.

If you really want to protect users you need to wean them off the idea
that the URL extension is an indicator of content, not tell them that
it's useful and then try to change the software to help them out of
the inevitable confusion that results.

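The rule "me" proposes earlier in the thread (warn when a commonly understood extension such as .xls or .jpg arrives with a different Content-Type, leave generic extensions alone) and the two evasions Matthew Winn lists in the post above, written out as a small checker. This is an added example, not code from any post in the thread. The expected-type table, the placeholder hosts and the sample responses are constructed for illustration; nothing is fetched. Because a browser-side check can only key on the resource's path, the extension is taken from the URL path, not from the query or the fragment.

```python
from urllib.parse import urlsplit
import posixpath

# Extensions with a "commonly understood" meaning and the media types a
# browser would normally expect for them. Assumed table for this example;
# the thread names .jpg, .gif, .wmv and .xls but gives no list.
EXPECTED_TYPES = {
    ".jpg":  {"image/jpeg"},
    ".jpeg": {"image/jpeg"},
    ".gif":  {"image/gif"},
    ".png":  {"image/png"},
    ".pdf":  {"application/pdf"},
    ".wmv":  {"video/x-ms-wmv"},
    ".xls":  {"application/vnd.ms-excel", "application/octet-stream"},
}


def media_type(content_type):
    """Reduce a Content-Type header to its media type: drop parameters
    such as '; charset=utf-8', trim whitespace and lower-case it."""
    return content_type.split(";", 1)[0].strip().lower()


def path_extension(url):
    """Extension of the URL *path* only. Query and fragment are not part of
    the resource name, so 'show?x.xls' and 'a.html#x.xls' have no .xls."""
    path = urlsplit(url).path
    return posixpath.splitext(path)[1].lower()


def reader_guess(url):
    """What a user skimming the status bar tends to do: read the last dotted
    token of the whole URL string, fragment and query included."""
    tail = url.rstrip("/").rsplit("/", 1)[-1]
    tail = tail.split("#")[-1].split("?")[-1]
    dot = tail.rfind(".")
    return tail[dot:].lower() if dot >= 0 else ""


def classify(url, content_type):
    """Apply the proposed rule. Only extensions in EXPECTED_TYPES are checked;
    anything else ('.html', a CGI path, no extension) is left to Content-Type.
    Returns 'ok', 'mismatch' or 'unchecked'."""
    ext = path_extension(url)
    if ext not in EXPECTED_TYPES:
        return "unchecked"
    return "ok" if media_type(content_type) in EXPECTED_TYPES[ext] else "mismatch"


# Constructed responses: (URL, Content-Type the server actually sent).
# Hosts are placeholders; none of these were fetched.
SAMPLES = [
    # the thread's two cases: HTML served under a picture / spreadsheet name
    ("http://example.invalid/boby/pic458.jpg", "text/html"),
    ("http://example.invalid/password-strength-check.xls", "text/html; charset=utf-8"),
    # a genuine spreadsheet and a genuine picture (case differences are fine)
    ("http://example.invalid/report.xls", "application/vnd.ms-excel"),
    ("http://example.invalid/photo.JPG", "Image/JPEG"),
    # Matthew Winn's evasions: the '.xls' sits in the query or the fragment
    ("http://example.invalid/spreadsheets/show?check_passwords.xls", "text/html"),
    ("http://example.invalid/downloads.html#check_passwords.xls", "text/html"),
]


def audit(samples=SAMPLES):
    """Run the rule over the samples next to what a reader would guess.
    Returns a list of (url, reader_guess, verdict)."""
    return [(url, reader_guess(url), classify(url, ct)) for url, ct in samples]


if __name__ == "__main__":
    for url, guess, verdict in audit():
        print(f"{verdict:9s} reader sees {guess or '(none)':7s} {url}")
```

The first two samples come back "mismatch", which is the alert "me" asks for. The last two come back "unchecked" even though reader_guess() still says ".xls" for both: the checker sees a CGI path and a .html file, exactly as the post above describes, so the rule as specified raises nothing for them. Keying the check on the whole URL string instead would close that gap only by flagging every link whose query or fragment happens to end in a dotted token, which is the false-positive problem raised earlier in the thread.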