Re: Malicious CSS
Hello all,

On Fri, 13 Oct 2023 at 18:02, wrote:

> Send libreplanet-discuss mailing list submissions to
> libreplanet-discuss@libreplanet.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss
> or, via email, send a message with subject or body 'help' to
> libreplanet-discuss-requ...@libreplanet.org
>
> You can reach the person managing the list at
> libreplanet-discuss-ow...@libreplanet.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of libreplanet-discuss digest..."
>
> Today's Topics:
>
> 1. Malicious CSS (Yuchen Guo)
>
> --
>
> Message: 1
> Date: Thu, 12 Oct 2023 21:18:57 +
> From: Yuchen Guo
> To: libreplanet-discuss@libreplanet.org
> Subject: Malicious CSS
> Message-ID: <87y1g7fsji.fsf@lan>
> Content-Type: text/plain
>
> It might be appropriate to consider blocking CSS now. Sites such as the
> Onion use CSS to render their photo galleries unviewable without
> JavaScript, and the following site,
>
> http://cryptobitch.de/
>
> uses CSS to render your whole computer unresponsive. This might have
> been intended as a joke, but I was not amused by it.

Hello Yuchen,

I agree with you. Thanks for pointing out that problem. I have already known for some time of this kind of trick:
https://www.leemeichin.com/posts/yes-i-can-connect-to-a-db-in-css.html

Now, to be considered secure, a web browser should be written in a memory-safe language, have extensive testing by the community, not mix the URL bar and the search bar (so as not to leak your URL to a search engine), and use a whitelist for JS and a whitelist for CSS by default.

I think there should be two select inputs next to the search bar or URL bar, one for JS and one for CSS. The two simple options in both would be "Deactivated" and "All activated". But clearly, we need to be able to have profiles of whitelisted JS or CSS as intermediate options.
Unless we have profiles, there will be "the" whitelist profile/choices of the distributor of the web browser. But in the free software community, everyone should be able to edit many profiles, to add to them fragments of CSS or JS that we analyzed.

No JS and No CSS are not mandatory. For example, on a web site, you can display visitors' comments containing tags without adding any risk of XSS. Whitelists are the solution.

A security researcher may use a large whitelist for websites he has already analyzed, and a restricted whitelist for sites to analyze. Here again, the right choice is to give users freedom and to educate and share knowledge.

Best regards,
Laurent Lyaudet

___
libreplanet-discuss mailing list
libreplanet-discuss@libreplanet.org
https://lists.libreplanet.org/mailman/listinfo/libreplanet-discuss
Re: Malicious CSS
Michael McMahon writes:

> Do you know if the CSS on this page is intentionally malicious or are
> the system requirements for the visuals greater than these old
> machines?

I think that depends on whether we share the same definition for the phrase "intentionally malicious". Perhaps the website author did not intend anyone viewing their page. In that case, it would be safe to assume it was not intentional. I found the link while viewing the AUTHORS file of a popular piece of Free Software, namely Xournal++.

About "maliciousness": when an unsuspecting user visits the page

http://cryptobitch.de/

with a web browser which understands CSS, their computer will be so occupied with rendering the animation that even moving the mouse cursor is difficult. All with JS disabled. For reference, I am using a reasonably specced Kaby Lake laptop computer from the year 2017.

> An example of malicious CSS would be using complex queries to
> fingerprint users that did not want to be fingerprinted. Examples of
> this can be found at the CSS tracking [1] page.
>
> [1] https://csstracking.dev/

This is certainly eye-opening. Thanks for the link.

> but it essentially breaks the Internet when you do not view media
> files or CSS.

This is debatable. The term "Internet" encompasses many different kinds of technologies. Also, on many occasions I found websites "unbroken" when viewed in Emacs Web Wowser or W3M. A design with small fonts, or huge cookie banners, for example.

Thanks.
Re: Malicious CSS
Do you know if the CSS on this page is intentionally malicious or are the system requirements for the visuals greater than these old machines?

An example of malicious CSS would be using complex queries to fingerprint users that did not want to be fingerprinted. Examples of this can be found at the CSS tracking [1] page. You can mitigate this sort of tracking by actively controlling your requests, such as with NoScript configurations, but it essentially breaks the Internet when you do not view media files or CSS.

[1] https://csstracking.dev/

Best,
Michael McMahon | Web Developer, Free Software Foundation
GPG Key: 4337 2794 C8AD D5CA 8FCF FA6C D037 59DA B600 E3C0
https://fsf.org

Submit your session for LibrePlanet 2024: https://u.fsf.org/40g
US government employee? Use CFC charity code 63210 to support us through the Combined Federal Campaign. https://cfcgiving.opm.gov/

On 10/12/23 17:18, Yuchen Guo wrote:
> It might be appropriate to consider blocking CSS now. Sites such as the
> Onion use CSS to render their photo galleries unviewable without
> JavaScript, and the following site,
>
> http://cryptobitch.de/
>
> uses CSS to render your whole computer unresponsive. This might have
> been intended as a joke, but I was not amused by it.
PARTIAL CONTENT OF THE PAGE

.blink {
  animation-duration: 1s;
  animation-name: blink;
  animation-iteration-count: infinite;
  animation-timing-function: steps(2, start);
}

#header, #main-copy {
  -moz-animation: standardized 1.5s forwards linear infinite;
  -webkit-animation: standardized 1.5s forwards linear infinite;
  -khtml-animation: standardized 1.5s forwards linear infinite;
  -ms-animation: standardized 1.5s forwards linear infinite;
  -lynx-animation: standardized 1.5s forwards linear infinite;
  animation: standardized 1.5s forwards linear infinite;
  background-size: 50% auto;
}

@keyframes infinite-spinning {
  from { transform: rotate(0deg); }
  to { transform: rotate(360deg); }
}

body *, body * *, body * * * {
  -moz-animation: infinite-spinning 999s forwards linear infinite;
  -webkit-animation: infinite-spinning 999s forwards linear infinite;
  -ms-animation: infinite-spinning 999s forwards linear infinite;
  animation: infinite-spinning 999s forwards linear infinite;
  filter: blur(2px);
}
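As an added example (my code, not from the thread, from the page quoted in it, or from any browser project), here is a small Python script that applies the kind of restrictive CSS profile Laurent describes to rules like the ones quoted above and reports what it cut, alongside a check for never-ending animations of the sort that pins the CPU. SAMPLE_CSS is a constructed stylesheet modelled on those rules, and the function names and the DENIED list are my own choices.

```python
# Constructed sample modelled on the rules quoted from the page; undefined keyframes left out.
SAMPLE_CSS = """
.blink { animation-duration: 1s; animation-name: blink; animation-iteration-count: infinite; }
@keyframes infinite-spinning { from { transform: rotate(0deg); } to { transform: rotate(360deg); } }
body *, body * * { animation: infinite-spinning 999s forwards linear infinite; filter: blur(2px); }
p { color: #333; font-size: 14px; }
"""
# Property families the profile refuses (substring match also catches -moz-animation etc.).
DENIED = ("animation", "filter", "transition")

def parse_rules(css):
    """(selector, body) pairs by brace depth; nested at-rules like @keyframes come back whole."""
    rules, depth, sel_start, body_start = [], 0, 0, 0
    for i, ch in enumerate(css):
        if ch == "{":
            body_start = i + 1 if depth == 0 else body_start
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                rules.append((css[sel_start:body_start - 1].strip(), css[body_start:i].strip()))
                sel_start = i + 1
    return rules

def declarations(body):
    """(property, value) pairs of a plain rule body; values containing ';' are not handled."""
    pairs = [part.split(":", 1) for part in body.split(";") if ":" in part]
    return [(p.strip().lower(), v.strip()) for p, v in pairs]

def infinite_animations(css):
    """Selectors whose animation never ends: the pattern that pins the CPU on the quoted page."""
    return [sel for sel, body in parse_rules(css) if not sel.startswith("@")
            and any("animation" in p and "infinite" in v for p, v in declarations(body))]

def apply_profile(css):
    """Rewrite under the profile and return (clean_css, dropped): at-rules are dropped whole
    (that also removes the @media queries CSS fingerprinting leans on), denied properties per rule."""
    kept_rules, dropped = [], []
    for selector, body in parse_rules(css):
        if selector.startswith("@"):
            dropped.append((selector, "at-rule"))
            continue
        kept = []
        for p, v in declarations(body):
            if any(d in p for d in DENIED):
                dropped.append((selector, f"{p}: {v}"))
            else:
                kept.append(f"{p}: {v}")
        if kept:
            kept_rules.append(f"{selector} {{ {'; '.join(kept)}; }}")
    return "\n".join(kept_rules), dropped
```

Run on the sample, `infinite_animations` names both the `.blink` rule and the wildcard `body *` rule, and `apply_profile` keeps only the plain `p` rule while listing the six cuts it made.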