Thursday, January 27, 2011

OK, this is a bit unsettling ...

File under unintended consequences.  It all makes sense, and yet, it doesn't seem quite right.

Mike Cardwell blogs:
"When you visit my website, I can automatically and silently determine if you're logged into Facebook, Twitter, GMail and Digg."
and sure enough, the page will say "Yes, you are logged in" or "No, you are not logged in" at the appropriate places.  Eerie.  What's going on here?

As Cardwell explains, whenever you send an HTTP request to a server, you get back a response code.  That response code might say things like "Your request was OK, here's the data you asked for," or "Sorry, I don't have what you're looking for," or "Goodness, I seem to be having some sort of problem here," or any of a number of other things.  So far, so good.

Modern browsers can keep track of whether you're logged in to particular sites, so you don't have to keep logging in.  Fair enough.  If you're logged in and you ask for something on a site, you'll get it (assuming you have the proper permissions, etc.).  If not, you'll typically get an error.

HTML allows you to reference other web sites within your document -- that's pretty much what makes the web webby -- and modern browsers allow you to behave one way or another depending on what happens when you try to fetch something (it doesn't even have to be based on a status code -- pretty much any reliably observable difference in behavior will do).

Put it all together, and
  • any web site
  • can use a reference to another site
  • to tell if you're logged in to that site

In Chrome, at least, if you open an incognito window to visit Cardwell's site, it can no longer tell whether you're logged in, because incognito windows don't share any state with other browser windows.  But that's kind of throwing out the baby with the bathwater.  You can also turn off JavaScript support (or only selectively turn it on), but that has its own problems.

To really solve the problem you have to be able to control what state is shared between, for example, different tabs or windows.  Doing that simply and non-intrusively is easier said than done.
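
What controlling shared state can look like from the probed site's side, as an added example that is not from the original post or from Cardwell's page: a constructed Node.js model in which either the session cookie's SameSite attribute or a server check on the Sec-Fetch-Site and Sec-Fetch-Dest request headers makes the cross-site response identical for logged-in and logged-out visitors. The function names, the cookie name `session` and the 200/403 statuses are assumptions for illustration.

```javascript
// Constructed model, not real browser or site code: one login-gated resource,
// one session cookie, and a browser that decides which cookies go on a request.

// Browser rule: SameSite=Lax/Strict cookies are withheld from cross-site
// subresource requests (images, scripts); SameSite=None cookies are sent.
function cookiesFor(jar, crossSite) {
  return jar.filter(c => !crossSite || c.sameSite === 'None');
}

// Hypothetical origin server: 200 for a valid session, 403 otherwise.
// With isolate=true it also refuses cross-site subresource requests outright,
// using the Sec-Fetch-Site / Sec-Fetch-Dest request headers.
function serve(req, isolate) {
  const crossSite = req.headers['sec-fetch-site'] === 'cross-site';
  if (isolate && crossSite && req.headers['sec-fetch-dest'] !== 'document') {
    return 403; // same answer whether or not a session cookie arrived
  }
  return req.cookies.some(c => c.name === 'session') ? 200 : 403;
}

// What a third-party page embedding the resource gets back.
function crossSiteStatus(loggedIn, sameSite, isolate) {
  const jar = loggedIn ? [{ name: 'session', sameSite }] : [];
  return serve({
    headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-dest': 'image' },
    cookies: cookiesFor(jar, true),
  }, isolate);
}

// The leak exists exactly when the two login states are distinguishable.
function leaksLoginState(sameSite, isolate) {
  return crossSiteStatus(true, sameSite, isolate) !==
         crossSiteStatus(false, sameSite, isolate);
}

// First-party use keeps working: same-site requests still carry the cookie.
function firstPartyStatus(sameSite) {
  const jar = [{ name: 'session', sameSite }];
  return serve({
    headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-dest': 'image' },
    cookies: cookiesFor(jar, false),
  }, true);
}

console.log('cookie sent cross-site (SameSite=None):', leaksLoginState('None', false));
console.log('SameSite=Lax:', leaksLoginState('Lax', false));
console.log('SameSite=None + server isolation:', leaksLoginState('None', true));
console.log('first-party status with Lax:', firstPartyStatus('Lax'));
```

Either control alone removes the observable difference in this model; the first-party request still returns 200, so logged-in users are unaffected.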

On the other hand, as a couple of commenters point out, such tricks have been around for a while.  Whether anyone's exploiting them in a significant way is another matter.  Before a site can find out if you're logged in, it has to get you to visit it, not that there aren't plenty of sneaky ways to do that, and then it only learns whether you're logged in to the sites it knows how to check for (each site requires its own custom-tailored check).  And then, if all you log into is, say, GMail and Twitter, then all your adversary can find out -- from this particular trick, at least -- is that (yawn) you use GMail and Twitter.

Worth losing sleep over?  Probably not.  Worth keeping in mind?  Definitely.

Cardwell's site looks to have a lot of other fun and useful information on it as well ... and if you stop by for a visit, your browser will most likely tell his server I sent you.


Unknown said...

There is a lot of information that is processed client side, and not server side, when a web page is created.

A web page is not sent complete as it is from the server to your browser, but created by your computer from the code that your browser receives.

You can have a link on a web page that makes the browser open a folder on your computer. The contents of that folder are never sent to the server, however.

Secondly, it has never bothered me that information about me is available on the web. I am a pretty boring person. If anyone would like to dig something up on me on the web, which I doubt anyone would, then feel free.

David Hull said...

It's a good point that just because a web page says "I know you're logged in," that doesn't necessarily mean the server knows it. However, there are any number of ways to get that information back from the client side to the server side. If you're viewing this as an exploit, then you have to assume that the server knows anything the client side can find out.

But the larger issue you raise, I think, is how much you care what the server knows about you. If you don't have anything to hide, then what do you care who knows what about you?

Personally, I think this is a reasonable default position. Rather than hassle over protecting every last bit of personal information, relax. Paradoxically, if you assume that everything you do online is permanently available to everyone, a lot of the stress goes away, because most of the uncertainty goes away.

On the other hand, there is some information, for example banking information, that someone could very easily use to make life very difficult. This is also the kind of information that random miscreants are likely to care about -- they may not care about making one's life miserable, but they do care about the money in one's account.

For that kind of information, I want real safeguards and I'll have very little patience for information-leaking web sites -- hmm, maybe I'll start using incognito windows for my banking.

Keep in mind, too, that (as Cardwell points out) what kind of information can make one's life miserable varies from place to place. There are certainly parts of the world where you wouldn't want The Man to know you're logged in to Twitter.

Anyway, thanks for the response. I see from your profile that you're in the Faroe Islands. I believe you're due for a total eclipse of the sun in 2015.