Discussion:
Cascading Style Sheet is an Extreme Hazard
(too old to reply)
Radium
2006-04-30 23:57:16 UTC
Permalink
Cascading Style Sheet [.css] is an extreme hazard to your privacy. It
allows others on the internet to see your monitor and files. It allows
them to copy images on your monitor to their computers. It also allows
them to copy files from your computer to their's. It is dangerous.
Avoid at all costs.

CSS that isn't stored in the victim's computer. Instead it is stored in
the perpetrator's PC. What it does is it reads everything on the
victim's screen and checks on the victim's visited webpages and can
even read text from any text or word application being used by the
victim. CSS is not a security risk and does not trick the victim's PC
into sending info to the perp. However, this is an extreme invasion of
the victim's privacy. The victim has no idea, that he/she is being
violated. The assailant can read text, and see any pictures that happen
to be on the victim's monitor without actually accessing the victim's
computer.

Your computer may not be at all damaged or touched. However, your
confidential information can easily be read by the attacker and anyone
the attacker gives it to. You don't have to download anything, visit
any website, or even use a browser to be attacked. You just need to be
connected to the internet and the attacker can strike you.

Once again, the victim's PC does not store any part of CSS. All info
and software is stored in the assailant's PC.
RobertVA
2006-05-01 02:00:05 UTC
Permalink
Post by Radium
Cascading Style Sheet [.css] is an extreme hazard to your privacy. It
allows others on the internet to see your monitor and files. It allows
them to copy images on your monitor to their computers. It also allows
them to copy files from your computer to their's. It is dangerous.
Avoid at all costs.
CSS that isn't stored in the victim's computer. Instead it is stored in
the perpetrator's PC. What it does is it reads everything on the
victim's screen and checks on the victim's visited webpages and can
even read text from any text or word application being used by the
victim. CSS is not a security risk and does not trick the victim's PC
into sending info to the perp. However, this is an extreme invasion of
the victim's privacy. The victim has no idea, that he/she is being
violated. The assailant can read text, and see any pictures that happen
to be on the victim's monitor without actually accessing the victim's
computer.
Your computer may not be at all damaged or touched. However, your
confidential information can easily be read by the attacker and anyone
the attacker gives it to. You don't have to download anything, visit
any website, or even use a browser to be attacked. You just need to be
connected to the internet and the attacker can strike you.
Once again, the victim's PC does not store any part of CSS. All info
and software is stored in the assailant's PC.
To see how utterly WRONG Radium's comments are, please visit
http://www.w3.org/Style/CSS/

The whole point of style sheets is to format text and images on the
client screen. They are very effective for setting type faces and
backgrounds for things like navigation bars over an entire web site. The
only data transmitted back to the web server is requests for the HTML
page, requests for the external style sheets and requests for any images
either requests.

At the worst, a site would be able to use styles with a background image
to track visitors, which could also be accomplished with a regular HTML
image tag. Do a Google search for "Web Bug".

Style sheets can be on the client computer in the form of embedded and
in-line styles that are visible in the page's HTML source. External
style sheets are copied to the client's temporary Internet folder. Just
set you OS's search function to show hidden and system files names "*.css".

It's possible Radium is thinking of CGI (Common Gateway Interface see
http://www.w3.org/CGI/) Visual Basic scripts or ActiveX controls. In
addition to style sheets these technologies are commonly used on web
sites. Many functions like on-line maps and web based email wouldn't be
possible without one, and in some cases two of these technologies,
mostly CGI and style sheets. Java and JavaScript are often used as well,
but have tighter access restrictions than the ActiveX controls.
Dana Cartwright
2006-05-01 11:50:58 UTC
Permalink
Post by RobertVA
Post by Radium
Cascading Style Sheet [.css] is an extreme hazard to your privacy. It
allows others on the internet to see your monitor and files. [SNIP]
To see how utterly WRONG Radium's comments are, please visit
http://www.w3.org/Style/CSS/
The whole point of style sheets is to format text and images on the client
screen. They are very effective for setting type faces and backgrounds for
things like navigation bars over an entire web site. The only data
transmitted back to the web server is requests for the HTML page, requests
for the external style sheets and requests for any images either requests.
At the worst, a site would be able to use styles with a background image
to track visitors, which could also be accomplished with a regular HTML
image tag. Do a Google search for "Web Bug".
Style sheets can be on the client computer in the form of embedded and
in-line styles that are visible in the page's HTML source. External style
sheets are copied to the client's temporary Internet folder. Just set you
OS's search function to show hidden and system files names "*.css".
It's possible Radium is thinking of CGI (Common Gateway Interface see
http://www.w3.org/CGI/) Visual Basic scripts or ActiveX controls. In
addition to style sheets these technologies are commonly used on web
sites. Many functions like on-line maps and web based email wouldn't be
possible without one, and in some cases two of these technologies, mostly
CGI and style sheets. Java and JavaScript are often used as well, but have
tighter access restrictions than the ActiveX controls.
Your reasoning, it seems to me, is based on the *normal* way stylesheets
work. Hackers exploit abnormal (pathological) behavior.

Aren't you overlooking the possibility that browsers have bugs in them (god
knows browsers seem to have tons of bugs) that involve style sheets, and
that there might indeed be, for example, buffer overflow bugs in browsers,
such that a particular style sheet *does* enable a website to screw around
with the user's computer?

I've never heard of such a bug, but we see this sort of thing all the time
in other software.

-Dana
RobertVA
2006-05-01 17:42:53 UTC
Permalink
Post by Dana Cartwright
Post by RobertVA
Post by Radium
Cascading Style Sheet [.css] is an extreme hazard to your privacy. It
allows others on the internet to see your monitor and files. [SNIP]
To see how utterly WRONG Radium's comments are, please visit
http://www.w3.org/Style/CSS/
The whole point of style sheets is to format text and images on the client
screen. They are very effective for setting type faces and backgrounds for
things like navigation bars over an entire web site. The only data
transmitted back to the web server is requests for the HTML page, requests
for the external style sheets and requests for any images either requests.
At the worst, a site would be able to use styles with a background image
to track visitors, which could also be accomplished with a regular HTML
image tag. Do a Google search for "Web Bug".
Style sheets can be on the client computer in the form of embedded and
in-line styles that are visible in the page's HTML source. External style
sheets are copied to the client's temporary Internet folder. Just set you
OS's search function to show hidden and system files names "*.css".
It's possible Radium is thinking of CGI (Common Gateway Interface see
http://www.w3.org/CGI/) Visual Basic scripts or ActiveX controls. In
addition to style sheets these technologies are commonly used on web
sites. Many functions like on-line maps and web based email wouldn't be
possible without one, and in some cases two of these technologies, mostly
CGI and style sheets. Java and JavaScript are often used as well, but have
tighter access restrictions than the ActiveX controls.
Your reasoning, it seems to me, is based on the *normal* way stylesheets
work. Hackers exploit abnormal (pathological) behavior.
Aren't you overlooking the possibility that browsers have bugs in them (god
knows browsers seem to have tons of bugs) that involve style sheets, and
that there might indeed be, for example, buffer overflow bugs in browsers,
such that a particular style sheet *does* enable a website to screw around
with the user's computer?
I've never heard of such a bug, but we see this sort of thing all the time
in other software.
-Dana
Gee, if you're that worried you shouldn't be on-line AT ALL.
p***@ipal.net
2006-05-01 01:49:03 UTC
Permalink
In comp.infosystems.www.authoring.stylesheets Radium <***@excite.com> wrote:

| Cascading Style Sheet [.css] is an extreme hazard to your privacy. It
| allows others on the internet to see your monitor and files. It allows
| them to copy images on your monitor to their computers. It also allows
| them to copy files from your computer to their's. It is dangerous.
| Avoid at all costs.
|
| CSS that isn't stored in the victim's computer. Instead it is stored in
| the perpetrator's PC. What it does is it reads everything on the
| victim's screen and checks on the victim's visited webpages and can
| even read text from any text or word application being used by the
| victim. CSS is not a security risk and does not trick the victim's PC
| into sending info to the perp. However, this is an extreme invasion of
| the victim's privacy. The victim has no idea, that he/she is being
| violated. The assailant can read text, and see any pictures that happen
| to be on the victim's monitor without actually accessing the victim's
| computer.
|
| Your computer may not be at all damaged or touched. However, your
| confidential information can easily be read by the attacker and anyone
| the attacker gives it to. You don't have to download anything, visit
| any website, or even use a browser to be attacked. You just need to be
| connected to the internet and the attacker can strike you.
|
| Once again, the victim's PC does not store any part of CSS. All info
| and software is stored in the assailant's PC.

You forgot about the fact that it can listen to every word spoken in your
house right through the speakers, even when the computer is turned off.
And it can make the web cam look around corners, even two at once. But
the feature teens love most is it allows cyber sex using just a mouse even
when they are not online through their MySpace page.

:-P
--
-----------------------------------------------------------------------------
| Phil Howard KA9WGN | http://linuxhomepage.com/ http://ham.org/ |
| (first name) at ipal.net | http://phil.ipal.org/ http://ka9wgn.ham.org/ |
-----------------------------------------------------------------------------
f***@arcor.de
2006-05-01 08:29:35 UTC
Permalink
Post by p***@ipal.net
You forgot about the fact that it can listen to every word spoken in your
house right through the speakers, even when the computer is turned off.
And it can make the web cam look around corners, even two at once. But
the feature teens love most is it allows cyber sex using just a mouse even
when they are not online through their MySpace page.
:-P
Now you just beat me to that type of answer - I just love it.
Harlan Messinger
2006-05-01 15:13:54 UTC
Permalink
Post by Radium
Cascading Style Sheet [.css] is an extreme hazard to your privacy. It
allows others on the internet to see your monitor and files. It allows
them to copy images on your monitor to their computers. It also allows
them to copy files from your computer to their's. It is dangerous.
Avoid at all costs.
CSS doesn't *do* anything. Are you thinking of Javascript?

As far as reading the text and pictures on your monitor is concerned--if
you're running a web server, your server *already* knows what text and
images its sending to clients--how would it serve them otherwise? What
would be the point of sending CSS or Javascript afterwards to read what
it had just gotten through sending?
p***@ipal.net
2006-05-01 17:23:41 UTC
Permalink
In comp.infosystems.www.authoring.stylesheets Harlan Messinger <***@comcast.net> wrote:

| Radium wrote:
|> Cascading Style Sheet [.css] is an extreme hazard to your privacy. It
|> allows others on the internet to see your monitor and files. It allows
|> them to copy images on your monitor to their computers. It also allows
|> them to copy files from your computer to their's. It is dangerous.
|> Avoid at all costs.
|
| CSS doesn't *do* anything. Are you thinking of Javascript?
|
| As far as reading the text and pictures on your monitor is concerned--if
| you're running a web server, your server *already* knows what text and
| images its sending to clients--how would it serve them otherwise? What
| would be the point of sending CSS or Javascript afterwards to read what
| it had just gotten through sending?

However, badly implemented CSS (i.e. IE) can allow someone to bypass some
javascript filters, and get javascript to run, even though no exact string
of "javascript" was being uploaded. E.g. the guy on MySpace with over a
million friends.
--
-----------------------------------------------------------------------------
| Phil Howard KA9WGN | http://linuxhomepage.com/ http://ham.org/ |
| (first name) at ipal.net | http://phil.ipal.org/ http://ka9wgn.ham.org/ |
-----------------------------------------------------------------------------
Harlan Messinger
2006-05-01 18:26:17 UTC
Permalink
Post by p***@ipal.net
|> Cascading Style Sheet [.css] is an extreme hazard to your privacy. It
|> allows others on the internet to see your monitor and files. It allows
|> them to copy images on your monitor to their computers. It also allows
|> them to copy files from your computer to their's. It is dangerous.
|> Avoid at all costs.
|
| CSS doesn't *do* anything. Are you thinking of Javascript?
|
| As far as reading the text and pictures on your monitor is concerned--if
| you're running a web server, your server *already* knows what text and
| images its sending to clients--how would it serve them otherwise? What
| would be the point of sending CSS or Javascript afterwards to read what
| it had just gotten through sending?
However, badly implemented CSS (i.e. IE) can allow someone to bypass some
javascript filters, and get javascript to run, even though no exact string
of "javascript" was being uploaded. E.g. the guy on MySpace with over a
million friends.
It still has nothing to do with CSS proper. It has to do with IE
recognizing Javascript *behaviors* embedded in CSS files. If sites like
MySpace aren't filtering those scripts, it's the same kind of problem
that there'd be if they didn't filter out SCRIPT tags. Yes, it's a
problem, but it isn't CSS that's the hazard.
p***@ipal.net
2006-05-02 07:20:45 UTC
Permalink
In comp.infosystems.www.authoring.stylesheets Harlan Messinger <***@comcast.net> wrote:
| phil-news-***@ipal.net wrote:
|> In comp.infosystems.www.authoring.stylesheets Harlan Messinger <***@comcast.net> wrote:
|>
|> | Radium wrote:
|> |> Cascading Style Sheet [.css] is an extreme hazard to your privacy. It
|> |> allows others on the internet to see your monitor and files. It allows
|> |> them to copy images on your monitor to their computers. It also allows
|> |> them to copy files from your computer to their's. It is dangerous.
|> |> Avoid at all costs.
|> |
|> | CSS doesn't *do* anything. Are you thinking of Javascript?
|> |
|> | As far as reading the text and pictures on your monitor is concerned--if
|> | you're running a web server, your server *already* knows what text and
|> | images its sending to clients--how would it serve them otherwise? What
|> | would be the point of sending CSS or Javascript afterwards to read what
|> | it had just gotten through sending?
|>
|> However, badly implemented CSS (i.e. IE) can allow someone to bypass some
|> javascript filters, and get javascript to run, even though no exact string
|> of "javascript" was being uploaded. E.g. the guy on MySpace with over a
|> million friends.
|
| It still has nothing to do with CSS proper. It has to do with IE
| recognizing Javascript *behaviors* embedded in CSS files. If sites like
| MySpace aren't filtering those scripts, it's the same kind of problem
| that there'd be if they didn't filter out SCRIPT tags. Yes, it's a
| problem, but it isn't CSS that's the hazard.

Nevertheless, it's still a hazard that the OP sees as curable by not using
CSS. He's misguided, of course, because this only applies to sites where
users can submit site designs that are not 100% vetted for every possible
browser screwup. It doesn't apply when the webmaster has full control,
unless we're talking about the evil webmaster from hell.
--
-----------------------------------------------------------------------------
| Phil Howard KA9WGN | http://linuxhomepage.com/ http://ham.org/ |
| (first name) at ipal.net | http://phil.ipal.org/ http://ka9wgn.ham.org/ |
-----------------------------------------------------------------------------
Loading...