<HTML
><HEAD
><TITLE
>Counter Web Bugs When Retrieving Embedded Content</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Secure Programming for Linux and Unix HOWTO"
HREF="index.html"><LINK
REL="UP"
TITLE="Carefully Call Out to Other Resources"
HREF="call-out.html"><LINK
REL="PREVIOUS"
TITLE="Avoid Using vfork(2)"
HREF="avoid-vfork.html"><LINK
REL="NEXT"
TITLE="Hide Sensitive Information"
HREF="hide-sensitive-information.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Secure Programming for Linux and Unix HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="avoid-vfork.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 8. Carefully Call Out to Other Resources</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="hide-sensitive-information.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="EMBEDDED-CONTENT-BUGS"
></A
>8.7. Counter Web Bugs When Retrieving Embedded Content</H1
><P
>Some data formats can embed references to content that is automatically
retrieved when the data is viewed (not waiting for a user to select it).
If it's possible to cause this data to be retrieved through the
Internet (e.g., through the World Wide Web), then there is a
potential to use this capability to obtain information about readers
without the readers' knowledge, and in some cases to force the reader
to perform activities without the reader's consent.
This privacy concern is sometimes called a ``web bug.''</P
><P
>In a web bug, a reference is intentionally inserted into a document
and used by the content author to track
who, where, and how often a document is read.
The author can also essentially watch how a ``bugged'' document
is passed from one person to another or from one organization to another.</P
><P
>The HTML format has had this issue for some time.
According to the
<A
HREF="http://www.privacyfoundation.org"
TARGET="_top"
>Privacy Foundation</A
>:
<A
NAME="AEN1585"
></A
><BLOCKQUOTE
CLASS="BLOCKQUOTE"
><P
>Web bugs are used extensively today by Internet
advertising companies on Web pages and
in HTML-based email messages for tracking.
They are typically 1-by-1 pixel in size to make them
invisible on the screen to disguise the fact that they are used for tracking.
However, they could be any image (using the img tag);
other HTML tags can also implement web bugs, e.g., frames,
form invocations, and scripts.
By itself, invoking the web bug will provide the ``bugging'' site the
reader's IP address, the page that the reader visited, and various information
about the browser; by also using cookies it's often possible to determine
the specific identity of the reader.
A survey about web bugs is available at
<A
HREF="http://www.securityspace.com/s_survey/data/man.200102/webbug.html"
TARGET="_top"
>http://www.securityspace.com/s_survey/data/man.200102/webbug.html</A
>.</P
></BLOCKQUOTE
></P
><P
>What is more concerning is that other document formats seem to have
such a capability, too.
When viewing HTML from a web site with a web browser, there are other
ways of getting information on who is browsing the data, but when
viewing a document in another format that arrived by email, few users expect
that the mere act of reading the document can be monitored.
However, for many formats, reading a document can be monitored.
For example, it has been recently determined that Microsoft Word can
support web bugs;
see
<A
HREF="http://www.privacyfoundation.org/advisories/advWordBugs.html"
TARGET="_top"
>the Privacy Foundation advisory for more information</A
>.
As noted in their advisory,
recent versions of Microsoft Excel and Microsoft PowerPoint can also
be bugged.
In some cases, cookies can be used to obtain even more information.</P
><P
>Web bugs are primarily an issue with the design of the file format.
If your users value their privacy, you probably will want to limit the
automatic downloading of included files.
One exception might be when the file itself is being downloaded
(say, via a web browser); downloading other files from the same location
at the same time is much less likely to concern users.</P
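><P
>The following is an added example, not code from this HOWTO, from the
Privacy Foundation, or from any viewer the page mentions.
It illustrates both the kinds of references described in the quotation above
(1-by-1 images, frames, scripts) and the ``same location'' rule of the
previous paragraph: it lists the references in an HTML document that a
viewer would retrieve without any user action, allows only those that resolve
to the origin the document itself was fetched from, blocks the rest by
default, and flags 1-by-1 images and blocked references that carry a query
string as probable web bugs.
The element list, the policy, the hostnames and the sample document are
assumptions made for this example.</P
><PRE
CLASS="PROGRAMLISTING"
>```python
"""Added example (not part of the HOWTO): list the references in an HTML
document that a viewer would fetch automatically, allow only those from the
same location as the document itself, block the rest, flag likely web bugs.
The element table, policy and sample document are this example's own
assumptions."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose attribute triggers a retrieval with no user action.
# A plain <a href> is not listed: it is fetched only when clicked.
AUTO_FETCH_ATTRS = {
    "img": "src",
    "frame": "src",
    "iframe": "src",
    "script": "src",
    "link": "href",      # stylesheets and similar are loaded on view
}
DEFAULT_PORTS = {"http": 80, "https": 443}


class AutoFetchCollector(HTMLParser):
    """Record (tag, url, attributes) for every auto-fetched reference."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr_name = AUTO_FETCH_ATTRS.get(tag)
        url = attrs.get(attr_name) if attr_name else None
        if url and url.strip():
            self.refs.append((tag, url.strip(), attrs))


def origin_of(url):
    """(scheme, host, port) with default ports filled in, for comparison."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))


def is_tracking_pixel(tag, attrs):
    """A 1x1 image is the classic invisible web bug."""
    return (tag == "img"
            and (attrs.get("width") or "").strip() == "1"
            and (attrs.get("height") or "").strip() == "1")


def classify_references(html, document_url=None):
    """Decide per auto-fetched reference whether the viewer may retrieve it.
    document_url is where the document itself came from; None means it
    arrived another way (e.g. by mail), so there is no "same location" and
    every network reference is blocked."""
    collector = AutoFetchCollector()
    collector.feed(html)
    collector.close()
    doc_origin = origin_of(document_url) if document_url else None
    results = []
    for tag, url, attrs in collector.refs:
        absolute = urljoin(document_url, url) if document_url else url
        parts = urlsplit(absolute)
        scheme = parts.scheme.lower()
        if scheme == "data":
            decision, reason = "inline", "data: URL, no network access"
        elif scheme in DEFAULT_PORTS and doc_origin and origin_of(absolute) == doc_origin:
            decision, reason = "fetch", "same location as the document"
        elif scheme in DEFAULT_PORTS:
            decision, reason = "block", "cross-origin"
        elif scheme == "":
            decision, reason = "block", "relative reference with no document origin"
        else:
            decision, reason = "block", "%s: scheme not allowed" % scheme
        # A blocked reference with a query string usually carries a per-reader
        # identifier; a 1x1 image is suspect regardless of where it points.
        suspicious = is_tracking_pixel(tag, attrs) or (decision == "block" and bool(parts.query))
        results.append({"tag": tag, "url": absolute, "decision": decision,
                        "reason": reason, "probable_web_bug": suspicious})
    return results


def urls_to_fetch(results):
    """The only URLs the viewer may retrieve without asking the user."""
    return sorted(r["url"] for r in results if r["decision"] == "fetch")


# Constructed sample (hypothetical hosts): a report page that embeds its own
# logo and stylesheet plus a third-party tracking pixel, script and ad frame.
SAMPLE_DOCUMENT_URL = "https://docs.example/reports/q1.html"
SAMPLE_HTML = """<html><body>
<img src="logo.png" width="120" height="40">
<img src="https://tracker.example/pixel.gif?id=ab12cd" width="1" height="1">
<script src="//cdn.example/analytics.js"></script>
<link rel="stylesheet" href="/static/style.css">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<iframe src="https://ads.example/frame"></iframe>
<a href="https://tracker.example/click?id=ab12cd">fetched only on click</a>
</body></html>"""

if __name__ == "__main__":
    for r in classify_references(SAMPLE_HTML, SAMPLE_DOCUMENT_URL):
        flag = "  <-- probable web bug" if r["probable_web_bug"] else ""
        print("%-6s %-6s %-48s %s%s" % (r["decision"], r["tag"], r["url"], r["reason"], flag))
```</PRE
><P
>Run as a script it prints one decision per reference in the constructed
sample; a mail reader would call classify_references() with no document URL,
under which every network reference is blocked and only data: URLs are
rendered inline.
The policy is deliberately a default-deny rule about what may be fetched
rather than a list of known tracking hosts to block, since such a list can
never keep up with new ``bugging'' sites.</P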
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="avoid-vfork.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="hide-sensitive-information.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Avoid Using vfork(2)</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="call-out.html"
ACCESSKEY="U"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Hide Sensitive Information</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>