Scaring Up Some Traffic

Posted: May 15th, 2007
Filed under: Uncategorized


Sensationalism gets readers and “clicks” no matter the medium, but it can be highly dangerous… Yesterday we saw a wonderful example of what not to do from Ryan Naraine at ZDNet (http://blogs.zdnet.com/security/?p=197&tag=nl.e539).

Now it appears Ryan has “uncovered” what HTTP headers and JavaScript can tell a site and declared it to be trouble with a capital T.  You see, he cites a “hacker” named “RSnake” who released a funny little tool called “Mr-T” that uses JavaScript to read your browser’s basic characteristics (screen resolution and the like) and a server-side script to read the HTTP request headers and IP address that every browser sends with every request anyway.

Holy information leakage, Batman!  BAMM!  They know your IP address!  POW! They know your screen resolution!

OK, forgive the tiniest bit of sarcasm there, coming from people who actually do believe in stemming UNNECESSARY information disclosure. But what is being disclosed here is the most innocuous stuff there is: the IP address the response has to be sent back to, and the request headers (Accept-Encoding, If-Modified-Since and friends) that a modern Web site fundamentally NEEDS in order to serve that response properly. Now imagine the users who react by ripping features out of their browsers or, even worse, who are frightened into buying “tools” that strip needed HTTP headers and turn off JavaScript. Sheesh. The effects of that OVERreaction are staggering: caching stops working, compression stops working, Flash detection fails, and on and on, all from some unsubstantiated and misdirected FUD (fear, uncertainty, and doubt; so glad we took that business jargon class). 

The worst part about the ZDNet article is that there IS ACTUALLY legitimate information leakage in the mix, and it gets only the briefest mention: history sniffing, i.e. a site finding out which other sites you have visited by styling links with the CSS :visited pseudo-class and checking how the browser renders them… The idea was originally publicized by our pal Jeremiah Grossman at WhiteHat Security (http://jeremiahgrossman.blogspot.com/2006/08/i-know-where-youve-been.html), and RSnake’s new research shows how to do the same thing with CSS; that is the actual news in the article. But general browser information disclosure has been known for years, and folks out there on them Internets have long provided much better and more comprehensive demonstrations of what can be read out of a browser (such as http://gemal.dk/browserspy/).  Some of that stuff is definitely not good to disclose, unlike your screen resolution…
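
To make the distinction concrete, here is the 2006-era :visited history-sniffing probe in JavaScript. This is an added example, not code from the original post, from Jeremiah Grossman or from RSnake; the sentinel colour, the `domProbe`/`sniffHistory` names and the candidate URL list are constructed for illustration. Modern browsers (roughly since 2010/2011) deliberately report the unvisited style from `getComputedStyle()`, so the DOM probe returns false for everything there; the sniffing logic is kept separate from the DOM so it can be exercised with a substitute probe.

```javascript
// Added example, not code from the original post, from Jeremiah Grossman or
// from RSnake: the classic CSS :visited history-sniffing probe. A page gives
// visited links a sentinel colour via a stylesheet, creates one <a> per guessed
// URL and reads the computed colour back with getComputedStyle(). Browsers
// closed this around 2010/2011 (getComputedStyle() now reports the unvisited
// style), so domProbe() returns false for everything in a current browser.

// Sentinel colour for visited links (constructed; any colour the page does not
// otherwise use would do). getComputedStyle() normalises colours to rgb().
const VISITED_COLOR = "rgb(255, 0, 0)";

// DOM probe: true if the browser renders `url` as a visited link.
// Browser-only; Node has no `document`, so sniffHistory() accepts a substitute.
function domProbe(url) {
  if (typeof document === "undefined") {
    throw new Error("domProbe() needs a browser DOM");
  }
  let style = document.getElementById("history-probe-style");
  if (!style) {
    style = document.createElement("style");
    style.id = "history-probe-style";
    style.textContent = "a.history-probe:visited { color: " + VISITED_COLOR + "; }";
    document.getElementsByTagName("head")[0].appendChild(style);
  }
  const a = document.createElement("a");
  a.className = "history-probe";
  a.href = url;
  a.appendChild(document.createTextNode(url));
  document.body.appendChild(a);
  const colour = window.getComputedStyle(a, null).color;
  document.body.removeChild(a);
  return colour === VISITED_COLOR;
}

// The sniffing logic itself, kept free of DOM calls so it can be run with any
// probe. It can only answer yes/no for URLs the attacker already guessed: the
// leak is bounded by the wordlist, which is why real sniffers ship lists of
// popular sites, banks and intranet hostnames.
function sniffHistory(candidates, probe) {
  const check = probe || domProbe;
  const visited = [];
  for (const url of candidates) {
    if (check(url)) visited.push(url);
  }
  return visited;
}

// Constructed wordlist for the demonstration.
const CANDIDATES = [
  "https://example.com/",
  "https://example.net/login",
  "https://example.org/",
];

// In a browser: sniffHistory(CANDIDATES) returns the subset the browser marks
// as visited (an empty list on anything with the :visited fix).
```

The point of the probe-as-parameter design is that the attacker-side logic (guess, test, collect) is the same whichever rendering side channel is used; the CSS-only variant swaps the JavaScript readback for a `background-image` request that only fires for visited links, but the bounded-wordlist caveat still applies.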

More fascinating to us is that the idea behind Mr-T is a decade old… it is called Browser Sniffing and Capability Detection.  In fact, one U.S. company sells a product (www.browserhawk.com) built on exactly this data for legitimate purposes, and thousands of Web professionals have done it by hand for years (Port80 folks included).  And PS: how do you think a server knows whether to compress, cache or block a request in the first place?  A big part of it is browser detection, plain and simple: the User-Agent and Accept-* headers tell the server what the client can handle.
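
As an added example of what that server-side detection looks like (this is not Port80’s code and not from the original post), here is the decision a server or accelerator makes before gzipping a response, based on nothing but the request headers Mr-T was “uncovering”. The User-Agent quirk rules are the BrowserMatch examples documented in Apache’s mod_deflate manual (Netscape 4.x, and the exception for IE, which reports itself as Mozilla/4.0); header names are lowercased the way Node’s `req.headers` presents them; the `shouldGzip`/`parseAcceptEncoding` names, the already-compressed denylist and the sample requests are assumptions constructed for illustration.

```javascript
// Added example, not Port80's code and not from the original post: the sort of
// header-based capability detection a Web server or accelerator performs before
// gzipping a response. The User-Agent quirk rules are the BrowserMatch examples
// from Apache's mod_deflate manual; header names are lowercased as Node's
// req.headers presents them; everything else is an assumption for illustration.

// Parse an Accept-Encoding value into Map(encoding -> q), e.g.
// "gzip;q=1.0, identity; q=0.5, *;q=0" -> {gzip: 1, identity: 0.5, "*": 0}.
function parseAcceptEncoding(value) {
  const result = new Map();
  if (!value) return result;
  for (const part of value.split(",")) {
    const pieces = part.trim().split(";");
    const name = pieces[0].trim().toLowerCase();
    if (!name) continue;
    let q = 1;
    for (const param of pieces.slice(1)) {
      const kv = param.trim().split("=");
      if (kv[0].toLowerCase() === "q") {
        const n = parseFloat(kv[1]);
        q = Number.isNaN(n) ? 0 : n;
      }
    }
    result.set(name, q);
  }
  return result;
}

// Decide whether to gzip a response of `contentType` for the given request
// headers. Returns {gzip, reason} so the decision can be logged.
function shouldGzip(headers, contentType) {
  const ua = headers["user-agent"] || "";
  const enc = parseAcceptEncoding(headers["accept-encoding"]);
  const q = enc.has("gzip") ? enc.get("gzip") : (enc.has("*") ? enc.get("*") : 0);
  if (q <= 0) return { gzip: false, reason: "client does not accept gzip" };

  // Browser quirks (mod_deflate's BrowserMatch examples):
  //   ^Mozilla/4         -> only text/html can be compressed safely
  //   ^Mozilla/4.0[678]  -> no compression at all
  //   \bMSIE             -> IE claims to be Mozilla/4.0; undo both rules
  let htmlOnly = /^Mozilla\/4/.test(ua);
  let noGzip = /^Mozilla\/4\.0[678]/.test(ua);
  if (/\bMSIE/.test(ua)) { htmlOnly = false; noGzip = false; }
  if (noGzip) return { gzip: false, reason: "Netscape 4.06-4.08 gzip bug" };
  if (htmlOnly && !/^text\/html/i.test(contentType)) {
    return { gzip: false, reason: "Netscape 4.x: text/html only" };
  }

  // Already-compressed payloads gain nothing (assumption: a short denylist).
  if (/^(image\/|audio\/|video\/|application\/(zip|gzip|x-gzip|pdf))/i.test(contentType)) {
    return { gzip: false, reason: "content type already compressed" };
  }
  return { gzip: true, reason: "client accepts gzip" };
}

// Constructed sample requests, as a server would see them.
const SAMPLE_REQUESTS = [
  { label: "Firefox 2", type: "text/css",
    headers: { "user-agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4",
               "accept-encoding": "gzip,deflate" } },
  { label: "IE 6", type: "text/css",
    headers: { "user-agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
               "accept-encoding": "gzip, deflate" } },
  { label: "Netscape 4.7", type: "text/css",
    headers: { "user-agent": "Mozilla/4.7 [en] (Win98; I)", "accept-encoding": "gzip" } },
  { label: "Netscape 4.06", type: "text/html",
    headers: { "user-agent": "Mozilla/4.06 [en] (Win95; I)", "accept-encoding": "gzip" } },
  { label: "curl, no A-E", type: "text/html",
    headers: { "user-agent": "curl/7.15.5" } },
  { label: "curl, png", type: "image/png",
    headers: { "user-agent": "curl/7.15.5", "accept-encoding": "gzip" } },
];

for (const r of SAMPLE_REQUESTS) {
  const d = shouldGzip(r.headers, r.type);
  console.log(r.label.padEnd(14), r.type.padEnd(10), d.gzip ? "gzip " : "plain", "-", d.reason);
}
```

Strip the Accept-Encoding header or blank the User-Agent, as the “privacy tools” the post worries about do, and the function falls straight through to “client does not accept gzip” or to the most conservative Netscape rules; that is exactly the lost compression and caching described above, with no privacy gained, since the IP address still has to be there for the response to go anywhere.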

We love ZDNet, we really do, but lots of mainstream tech sites and even print magazines seem to like going to these security or hacker conferences and reporting on things without any verification (http://blog.port80software.com/2006/08/fear-uncertainty-and-doubt-in-web-2-0/).  They just don’t seem to get that up-and-coming “hackers” (or folks who want to start security consultancies) go to these conferences and say all sorts of wild things to get press and street cred (it’s the way of the jungle).  We seem to remember other self-serving fear-mongering being fed to journalists in the mainstream press a few years ago, by journalists who didn’t follow up on the facts for a different reason… Hmmm, can’t quite remember the circumstances and outcome of that, oh well…   : ) 

The unfortunate part of ZDNet’s reporting here is that there really is great work coming out of these conferences that goes unreported because it is too hard to understand in five seconds or seems too unlikely to happen.  Pssst… that is the stuff that ends up causing real security problems, but then again reporting on it might not sell too many clicks because it just ain’t scary enough!

Enjoy good health,
Port80
