<HTML
><HEAD
><TITLE
>Counter Web Bugs When Retrieving Embedded Content</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Secure Programming for Linux and Unix HOWTO"
HREF="index.html"><LINK
REL="UP"
TITLE="Carefully Call Out to Other Resources"
HREF="call-out.html"><LINK
REL="PREVIOUS"
TITLE="Avoid Using vfork(2)"
HREF="avoid-vfork.html"><LINK
REL="NEXT"
TITLE="Hide Sensitive Information"
HREF="hide-sensitive-information.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Secure Programming for Linux and Unix HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="avoid-vfork.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 8. Carefully Call Out to Other Resources</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="hide-sensitive-information.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="EMBEDDED-CONTENT-BUGS"
></A
>8.7. Counter Web Bugs When Retrieving Embedded Content</H1
><P
>Some data formats can embed references to content that is automatically
retrieved when the data is viewed (not waiting for a user to select it).
If it's possible to cause this data to be retrieved through the
Internet (e.g., through the World Wide Web), then there is a
potential to use this capability to obtain information about readers
without the readers' knowledge, and in some cases to force the reader
to perform activities without the reader's consent.
This privacy concern is sometimes called a ``web bug.''</P
><P
>In a web bug, a reference is intentionally inserted into a document
and used by the content author to track
who, where, and how often a document is read.
The author can also essentially watch how a ``bugged'' document
is passed from one person to another or from one organization to another. </P
><P
>The HTML format has had this issue for some time.
According to the
<A
HREF="http://www.privacyfoundation.org"
TARGET="_top"
>Privacy Foundation</A
>:
<A
NAME="AEN1585"
></A
><BLOCKQUOTE
CLASS="BLOCKQUOTE"
><P
>Web bugs are used extensively today by Internet
advertising companies on Web pages and
in HTML-based email messages for tracking.
They are typically 1-by-1 pixel in size to make them
invisible on the screen to disguise the fact that they are used for tracking.
However, they could be any image (using the img tag);
other HTML tags can implement web bugs, e.g., frames,
form invocations, and scripts.
By itself, invoking the web bug will provide the ``bugging'' site the
reader IP address, the page that the reader visited, and various information
about the browser; by also using cookies it's often possible to determine
the specific identity of the reader.
A survey about web bugs is available at
<A
HREF="http://www.securityspace.com/s_survey/data/man.200102/webbug.html"
TARGET="_top"
>http://www.securityspace.com/s_survey/data/man.200102/webbug.html</A
>.</P
></BLOCKQUOTE
></P
><P
>What is more concerning is that other document formats seem to have
such a capability, too.
When viewing HTML from a web site with a web browser, there are other
ways of getting information on who is browsing the data, but when
viewing a document in another format from an email few users expect
that the mere act of reading the document can be monitored.
However, for many formats, reading a document can be monitored.
For example, it has been recently determined that Microsoft Word can
support web bugs;
see
<A
HREF="http://www.privacyfoundation.org/advisories/advWordBugs.html"
TARGET="_top"
>the Privacy Foundation advisory for more information</A
>.
As noted in their advisory,
recent versions of Microsoft Excel and Microsoft Power Point can also
be bugged.
In some cases, cookies can be used to obtain even more information.</P
><P
>Web bugs are primarily an issue with the design of the file format.
If your users value their privacy, you probably will want to limit the
automatic downloading of included files.
One exception might be when the file itself is being downloaded
(say, via a web browser); downloading other files from the same location
at the same time is much less likely to concern users.</P
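>
<P
>The policy in the paragraph above, sketched for HTML as an added example
(not code from the HOWTO): list the references a viewer would fetch
automatically and allow only those from the location the document itself was
downloaded from. The names <TT>scan</TT> and <TT>decide</TT>, the tag table,
and all host names are assumptions made for illustration.</P
>

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute a viewer fetches with no user action (not exhaustive).
AUTO_FETCH = {"img": "src", "frame": "src", "iframe": "src", "script": "src",
              "embed": "src", "input": "src", "object": "data",
              "body": "background", "link": "href"}
NETWORK = {"http": 80, "https": 443, "ftp": 21}   # scheme -> default port

def origin(parts):  # (scheme, host, port); raises ValueError on a bad port
    port = parts.port if parts.port is not None else NETWORK[parts.scheme]
    return (parts.scheme, parts.hostname, port)

def decide(ref, doc_url):
    """'allow' inline data or the document's own origin, 'block' the rest."""
    try:
        parts = urlsplit(urljoin(doc_url or "", ref.strip()))
        if parts.scheme in NETWORK:
            same = bool(doc_url) and origin(parts) == origin(urlsplit(doc_url))
            return "allow" if same else "block"
    except ValueError:                # malformed host or port: never fetch
        return "block"
    # cid:/data: are inline; a scheme-less "//host/x" has a host, so it is blocked.
    inline = parts.scheme in {"", "cid", "data"} and not parts.netloc
    return "allow" if inline else "block"

class EmbeddedRefScanner(HTMLParser):
    def __init__(self, doc_url):
        super().__init__()
        self.doc_url = doc_url
        self.decisions = []           # (tag, reference, "allow" | "block")
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        ref = attrs.get(AUTO_FETCH.get(tag, ""))
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return                    # only stylesheet links load automatically
        if ref:
            self.decisions.append((tag, ref, decide(ref, self.doc_url)))

def scan(html_text, doc_url=None):    # doc_url=None: opened from email or disk
    scanner = EmbeddedRefScanner(doc_url)
    scanner.feed(html_text)
    return scanner.decisions

# Constructed sample document; every host name is a placeholder.
SAMPLE = ('<img src="logo.png"><img src="cid:part1@mail.example">'
          '<img src="http://tracker.example/p.gif?id=reader42" width=1 height=1>'
          '<img src="//tracker.example/p.gif">'
          '<script src="https://docs.example.org/app.js"></script>')
```

<P
>A viewer can strip each blocked reference or replace it with a placeholder
that loads only when the user selects it, so retrieval always waits for the
user.</P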
></DIV
></BODY
></HTML
>