These forums have been archived and are now read-only.

The new forums are live and can be found at https://forums.eveonline.com/

EVE General Discussion

 
Topic is locked indefinitely.
 

Straight answer on (image tags)?

Aethlyn
Brutor Tribe
Minmatar Republic
#21 - 2011-09-06 13:37:09 UTC
Code-wise it's impossible to tell if a URL points to a static image or a server-side script file, making it impossible to detect the real origin of the data transmitted to the user. Some forums utilize some simple file name matching (e.g. forcing the file name to end with ".png" or ".jpg"). However, this isn't any real secure solution at all, as it will only block very simple attempts. It takes less than a minute to write server-side code that will be requested using something like http://example.com/static_image.jpg. At first look this might appear to be a static JPEG image. However, it could be anything; it could essentially be some script retrieving the page you're looking at and rendering it to an image (or doing more nasty things like trying to peek at the page's URL and/or cookies and/or trying to exploit some browser or image filter vulnerability).

Looking for more thoughts? Follow me on Twitter.
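The point above, as an added example that is not part of the original thread: an extension check on the URL is trivially satisfied, and even a check on the fetched bytes only proves the server returned an image this time, not that it is a static file. The URLs, response bodies and content types below are constructed for the demonstration; nothing is fetched.

```python
"""
Added example (not from the original thread): why matching a URL's file
extension says nothing about what the server will actually return, and
what a forum that fetches the URL itself can and cannot learn from the bytes.

Everything here is constructed offline: the "responses" are byte strings
standing in for what a fetch of each URL might return.
"""
from urllib.parse import urlparse

ALLOWED_EXT = (".png", ".jpg", ".jpeg", ".gif")


def extension_allowed_naive(url: str) -> bool:
    """The simple check some forums use: does the URL string end in an image extension?"""
    return url.lower().endswith(ALLOWED_EXT)


def extension_allowed_on_path(url: str) -> bool:
    """Slightly better: look at the path only, so ?x=.jpg or #.jpg tricks fail.
    Still says nothing about what the server runs at that path."""
    return urlparse(url).path.lower().endswith(ALLOWED_EXT)


def sniff_image_type(data: bytes):
    """Return 'png', 'jpeg', 'gif' or None from the leading bytes, not the name."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return None


def accept_remote_image(url: str, body: bytes, content_type: str) -> bool:
    """Decision a forum could make after fetching the URL server-side: the body
    must carry a real raster-image signature and the declared type must agree.
    HTML, SVG (which can carry script) and anything else is rejected."""
    kind = sniff_image_type(body)
    if kind is None:
        return False
    expected = {"png": "image/png", "jpeg": "image/jpeg", "gif": "image/gif"}[kind]
    return content_type.split(";")[0].strip().lower() == expected


# Constructed sample "fetch results" for the demonstration.
SAMPLES = {
    # A real (minimal) 1x1 GIF served with a matching type.
    "http://example.com/sig.gif": (
        b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
        b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;",
        "image/gif",
    ),
    # Ends in .jpg, but the server runs a script and returns HTML.
    "http://example.com/static_image.jpg": (
        b"<html><script>/* tracker or exploit attempt would go here */</script></html>",
        "text/html",
    ),
    # Ends in .jpg, but the body is an SVG with embedded script.
    "http://example.com/avatar.jpg": (
        b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
        "image/svg+xml",
    ),
    # A logging script dressed up so a whole-string endswith() check passes.
    # It returns a perfectly valid GIF header, so byte sniffing accepts it too,
    # while the server still records every request it receives.
    "http://example.com/track.php?fake=.png": (b"GIF89a", "image/gif"),
}


if __name__ == "__main__":
    for url, (body, ct) in SAMPLES.items():
        print(url, extension_allowed_naive(url), extension_allowed_on_path(url),
              sniff_image_type(body), accept_remote_image(url, body, ct))
```

The last sample is the one that matters: content checks separate images from non-images, but a script that answers with a valid image passes every check and still logs who asked for it.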

CCP Karuck
C C P
C C P Alliance
#22 - 2011-09-06 13:39:28 UTC
What Aethlyn wrote above is essentially correct. A few browsers also have problems with https:// sites linking to non-https images or images on a different domain.
  • Senior Programmer on EVE: Valkyrie / @SiggiGG
Ajurna Jakar
Jian Products Engineering Group
#23 - 2011-09-06 13:39:49 UTC
Aethlyn wrote:
Code-wise it's impossible to tell if a URL points to a static image or a server-side script file, making it impossible to detect the real origin of the data transmitted to the user. Some forums utilize some simple file name matching (e.g. forcing the file name to end with ".png" or ".jpg"). However, this isn't any real secure solution at all, as it will only block very simple attempts. It takes less than a minute to write server-side code that will be requested using something like http://example.com/static_image.jpg. At first look this might appear to be a static JPEG image. However, it could be anything; it could essentially be some script retrieving the page you're looking at and rendering it to an image (or doing more nasty things like trying to peek at the page's URL and/or cookies and/or trying to exploit some browser or image filter vulnerability).


Indeed you are correct. But how has this changed since yesterday, e.g. on the old forum where you could link images?

http://eve-corp-management.org/ 

Jade Constantine
Jericho Fraction
The Star Fraction
#24 - 2011-09-06 13:43:26 UTC  |  Edited by: Jade Constantine
CCP Karuck wrote:
What Aethlyn wrote above is essentially correct. A few browsers also have problems with https:// sites linking to non-https images or images on a different domain.


So how are you going to resolve this problem to allow the posting of image links CCP Karuck?

Do you have a gameplan going forwards over the next few days to resolve the issue?

How do other modern forums resolve these concerns for example?

I'd love to maintain an ongoing dialogue here while we get the issue resolved.

Cheers again for your responses!

PS.

Random thought

Since you are hosting our images on the eve is real site anyway. Have you considered allowing users of the forum to upload images to a web server CCP runs and have them linked directly from there? That might resolve your security concerns perhaps. I wouldn't mind uploading my various sigs and images for use in this way if it solved the problem.

The True Knowledge is that nothing matters that does not matter to you, might does make right and power makes freedom

Aethlyn
Brutor Tribe
Minmatar Republic
#25 - 2011-09-06 13:48:42 UTC
It didn't change, but the old forums were on http only anyway. It's more like an improvement: why switch to HTTPS while keeping the images back door open?


Tippia
Sunshine and Lollipops
#26 - 2011-09-06 13:49:53 UTC  |  Edited by: Tippia
Aethlyn wrote:
Code-wise it's impossible to tell if a URL points to a static image or a server-side script file, making it impossible to detect the real origin of the data transmitted to the user. Some forums utilize some simple file name matching (e.g. forcing the file name to end with ".png" or ".jpg"). However, this isn't any real secure solution at all, as it will only block very simple attempts. It takes less than a minute to write server-side code that will be requested using something like http://example.com/static_image.jpg. At first look this might appear to be a static JPEG image. However, it could be anything; it could essentially be some script retrieving the page you're looking at and rendering it to an image (or doing more nasty things like trying to peek at the page's URL and/or cookies and/or trying to exploit some browser or image filter vulnerability).
…but none of that has anything to do with the forums, and as you say, there is no solution for it on the server side.

What you're talking about is a flaw in the browser. The forum software will simply put that url into an img tag, and if the browser is so ******** as to accept (much less execute) anything other than an image file coming through that link, then that browser needs to be fixed was retired 5 years ago. It's not something CCP can (or, I'd even say, should) worry or do anything about. Just tell people to get some anti-virus for those oh-so-dreaded jpeg viruses (Lol) and not use obsolete browsers.

Sure, I suppose a modern browser might accept SVG (and embedded ECMAScript), but most browsers also refuse mixed content of that kind.
Ciar Meara
PIE Inc.
Khimi Harar
#27 - 2011-09-06 13:50:56 UTC
Jade Constantine wrote:

Do you have a gameplan going forwards over the next few days to resolve the issue?


Days, I don't want to sound bitter here because I kinda like the new forums, although they lack some basic functionality at the moment.
Days is being very optimistic considering how long they have been working on this thing so far. I had not pegged you for an optimist, Jade.

- [img]http://go-dl1.eve-files.com/media/corp/janus/ceosig.jpg[/img] [yellow]English only please. Zymurgist[/yellow]

CCP Karuck
C C P
C C P Alliance
#28 - 2011-09-06 13:51:25 UTC
Jade Constantine wrote:
CCP Karuck wrote:
What Aethlyn wrote above is essentially correct. A few browsers also have problems with https:// sites linking to non-https images or images on a different domain.


So how are you going to resolve this problem to allow the posting of image links CCP Karuck?

Do you have a gameplan going forwards over the next few days to resolve the issue?

How do other modern forums resolve these concerns for example?


Image links are a completely different thing, and you do get a warning when clicking any links. At least links can't be a script marauding as an image exploiting a security hole in your browser.

Most public forums don't use https, and are wide open to packet sniffers. Since the forums, EVE Gate and other upcoming webs here use your actual EVE login we are taking steps to secure your information more (yes you can joke all you want about this, but we are).

I'm sorry but I don't have a timeline for when this will be ready, that question would have to be answered by the forum producer.
Riflin' Betty
Perfunctory
#29 - 2011-09-06 13:55:49 UTC  |  Edited by: Riflin' Betty
CCP Karuck wrote:


Image links are a completely different thing, and you do get a warning when clicking any links. At least links can't be a script marauding as an image exploiting a security hole in your browser.



By this exact logic you are now saying that remote scripting exploits WERE possible on the previous iteration of this forum, despite your explicit claims that the opposite was true.

Please resolve this logical fallacy for me?
Tippia
Sunshine and Lollipops
#30 - 2011-09-06 13:56:27 UTC
CCP Karuck wrote:
Image links are a completely different thing, and you do get a warning when clicking any links. At least links can't be a script marauding as an image exploiting a security hole in your browser.
…but again, is it really your business to fix flaws in whatever third-party software the user chooses to employ?

(And on that note, I've disabled your link warnings and I'd really like it if that was an actual option rather than something I had to code my way around locally.)
Aethlyn
Brutor Tribe
Minmatar Republic
#31 - 2011-09-06 13:56:32 UTC  |  Edited by: Aethlyn
Tippia wrote:
What you're talking about is a flaw in the browser. The forum software will simply put that url into an img tag, and if the browser is so ******** as to accept (much less execute) anything other than an image file coming through that link, then that browser needs to be fixed was retired 5 years ago.

No (despite the mentioned possible client-side exploits), I'm talking about server-side code that's run when the image is requested. Depending on your browser it will send quite a few lines of information, including referral information and such. It's the way classic non-JavaScript stats tracking scripts work. This not only opens up possible exploits (it's not like you need only 5 minutes and you've got something to exploit, let's be honest) but also privacy issues (e.g. in Germany some instances actually want to force the removal of Facebook's "I like" buttons due to them collecting data just by being embedded into the pages). I know that most abusive stuff will require at least some JavaScript code, but it's possible to get quite some data utilizing simple HTTP requests, e.g. for images.


Anja Talis
Sal's Waste Management and Pod Disposal
#32 - 2011-09-06 13:57:08 UTC
I think providing image hosting eve side is the quickest solution. You can then implement checking to ensure the images are what they claim to be and allow us to link to them.
Jade Constantine
Jericho Fraction
The Star Fraction
#33 - 2011-09-06 14:00:29 UTC
CCP Karuck wrote:

Image links are a completely different thing, and you do get a warning when clicking any links. At least links can't be a script marauding as an image exploiting a security hole in your browser.


My apologies for the confusion of terminology. I meant embedded images of course. I'm not that keen on the warning message for external links myself - quite immersion-breaking.

CCP Karuck wrote:
Most public forums don't use https, and are wide open to packet sniffers. Since the forums, EVE Gate and other upcoming webs here use your actual EVE login we are taking steps to secure your information more (yes you can joke all you want about this, but we are).


Okay that makes sense certainly. Have you considered the alternative I mentioned above about hosting a ccp-controlled image upload service for signatures and in-character imagery and allowing people to embed directly from the ccp secure webserver?

CCP Karuck wrote:
I'm sorry but I don't have a timeline for when this will be ready, that question would have to be answered by the forum producer.


Would it be possible for you to ask the forum producer to come and give a response to this thread when he gets a spare minute?



Sulyana Baiur
Shell Corporation Incorporated
#34 - 2011-09-06 14:03:58 UTC
I hate signature images, they are the worst kind of forum clutter.

Do the haters get a vote in this too? Nah.
CCP Karuck
C C P
C C P Alliance
#35 - 2011-09-06 14:04:41 UTC
Riflin' Betty wrote:
CCP Karuck wrote:


Image links are a completely different thing, and you do get a warning when clicking any links. At least links can't be a script marauding as an image exploiting a security hole in your browser.



By this exact logic you are now saying that remote scripting exploits WERE possible on the previous iteration of this forum, despite your exact claims that the opposite was true.

Please resolve this logical fallacy for me?


If you are referring to the short period where we did allow signatures on the first (failed) attempt at launching these forums then yes, it was a possibility. But it is a pretty remote possibility, and this possibility exists on pretty much all public forums that do allow external image linking.
I'd like to underline that this is a remote possibility, and (known) flaws like these have been fixed in all modern browsers.

But like I stated in my previous reply this isn't the only concern. Some browsers give you a warning if you try to request non-https images from a https website (for a good reason too).

Privacy is a concern too. Example: by hosting an image on my own webserver and putting it in my signature on forums, I can get a pretty good picture of the usage of that forum and where people using it are from, as well as log IP addresses etc.
I don't want to scare people, but do you want RMT tracking your IPs?
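The tracking Aethlyn (#31) and CCP Karuck (#35) describe, as an added example that is not part of the original thread: a minimal "image" endpoint that logs what a browser hands over in the plain HTTP request for an embedded picture. It is a WSGI app driven with a constructed request environment, so it runs offline; the forum URL path, addresses and browser strings are made up for the demonstration.

```python
"""
Added example (not from the original thread): what the owner of an embedded
"image" URL learns from nothing more than the browser's plain HTTP request.
No JavaScript is involved. The app is exercised with a constructed WSGI
environ (via wsgiref.util.setup_testing_defaults), so nothing touches the
network; header values are invented for the demonstration.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse
from wsgiref.util import setup_testing_defaults

# 1x1 transparent GIF (43 bytes): all the browser ever gets to render.
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
         b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

ACCESS_LOG = []  # in a real deployment this would be a file or database


def record_from_environ(environ):
    """Everything below comes from headers the browser sends with the <img>
    request: who (IP), from which page (Referer), which browser/OS, and any
    cookie the tracker's own domain previously set on this browser."""
    ref = urlparse(environ.get("HTTP_REFERER", ""))
    cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    return {
        "client_ip": environ.get("REMOTE_ADDR", ""),
        "page_host": ref.netloc,
        "page_path": ref.path,        # e.g. which thread was being read
        "page_query": ref.query,      # may carry thread/post ids or tokens
        "user_agent": environ.get("HTTP_USER_AGENT", ""),
        "accept_language": environ.get("HTTP_ACCEPT_LANGUAGE", ""),
        "tracker_uid": cookies["uid"].value if "uid" in cookies else None,
    }


def tracking_pixel_app(environ, start_response):
    """WSGI app: log the request and hand back a valid GIF whatever the path.
    Requested as /static_image.jpg? Irrelevant; the bytes are a GIF and the
    browser renders them without complaint."""
    rec = record_from_environ(environ)
    ACCESS_LOG.append(rec)
    headers = [
        ("Content-Type", "image/gif"),
        ("Content-Length", str(len(PIXEL))),
        ("Cache-Control", "no-store"),   # force a fresh request on every page view
    ]
    if rec["tracker_uid"] is None:
        # first sight of this browser: pin an identifier to it for next time
        headers.append(("Set-Cookie", "uid=%d; Path=/" % len(ACCESS_LOG)))
    start_response("200 OK", headers)
    return [PIXEL]


def simulate_image_request(referer, client_ip, user_agent, cookie=""):
    """Drive the app the way a browser's <img> fetch would look and return
    the record the tracker kept for it."""
    environ = {
        "PATH_INFO": "/static_image.jpg",
        "REMOTE_ADDR": client_ip,
        "HTTP_REFERER": referer,
        "HTTP_USER_AGENT": user_agent,
        "HTTP_ACCEPT_LANGUAGE": "de-DE,de;q=0.9",
        "HTTP_COOKIE": cookie,
    }
    setup_testing_defaults(environ)   # fills in the rest without overriding ours
    status = {}

    def start_response(s, h):
        status["status"], status["headers"] = s, h

    body = b"".join(tracking_pixel_app(environ, start_response))
    assert body == PIXEL and status["status"] == "200 OK"
    return ACCESS_LOG[-1]


if __name__ == "__main__":
    # constructed values; the path is not a real forum URL
    print(simulate_image_request("https://forums.eveonline.com/thread/12345?page=2",
                                 "203.0.113.7", "Mozilla/5.0 (Windows NT 6.1; rv:6.0)"))
```

A `Referrer-Policy: no-referrer` header (or `referrerpolicy="no-referrer"` on the `<img>`) stops modern browsers sending the page URL, but the client IP, browser string and the tracker's own cookie still arrive with every view; only fetching the image server-side (rehosting or a proxy) keeps those from the image owner.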
Jade Constantine
Jericho Fraction
The Star Fraction
#36 - 2011-09-06 14:05:46 UTC
Sulyana Baiur wrote:
I hate signature images, they are the worst kind of forum clutter.

Do the haters get a vote in this too? Nah.


Hence you need an option to turn off images from your perspective in your preferences.

You should not be voting about denying such functionality to everyone. We live in a modern world of customizable content you know!


CCP Karuck
C C P
C C P Alliance
#37 - 2011-09-06 14:05:55 UTC  |  Edited by: CCP Karuck
Jade Constantine wrote:
My apologies for the confusion of terminology. I meant embedded images of course. I'm not that keen on the warning message for external links myself - quite immersion-breaking.


Please correct me if I'm wrong, but as far as I know you cannot embed images in your posts either.

Jade Constantine wrote:

CCP Karuck wrote:
Most public forums don't use https, and are wide open to packet sniffers. Since the forums, EVE Gate and other upcoming webs here use your actual EVE login we are taking steps to secure your information more (yes you can joke all you want about this, but we are).


Okay that makes sense certainly. Have you considered the alternative I mentioned above about hosting a ccp-controlled image upload service for signatures and in-character imagery and allowing people to embed directly from the ccp secure webserver?


Yes, that is one of the options being considered.
Riflin' Betty
Perfunctory
#38 - 2011-09-06 14:08:13 UTC
CCP Karuck wrote:
If you are referring to the short period where we did allow signatures on the first (failed) attempt at launching these forums then yes, it was a possibility.


Then why did the DevBlog say it wasn't possible?
Alexandra Alt
Doomheim
#39 - 2011-09-06 14:08:32 UTC
Aethlyn wrote:
Code wise it's impossible to tell if an URL points to a static image or a server side script file (snip)....


No, it's not impossible. Can it be server intensive? Yes, it can. Does the increase in server usage compensate for the added feature? No, I don't think it does.

CCP Karuck wrote:
... A few browsers also have problems with https:// sites linking to non-https images or images on a different domain.


This is what I first thought was the initial concern, seeing as the forums are being run under https, and yes, this concerns me a lot more than checking or not what the external URL is, since it can be used easily to generate man-in-the-middle attacks.

Advice? Simple: add the ability to upload images into your forum account with a very, very low disk space limit (something like 150k?! "ought to be enough", like our dear Gates once said) and use that for avatars/signatures.
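The "serve it from CCP's own HTTPS host" option raised by Jade Constantine (#24), confirmed as under consideration by CCP Karuck (#37) and sketched with a size limit by Alexandra Alt (#39), as an added example that is not part of the original thread. Rather than uploads, it shows the signed image proxy approach GitHub's camo popularised: the forum rewrites every remote image URL to point at its own host, fetches the upstream file itself and relays it. The browser never contacts the image owner (no mixed-content warning, no IP or Referer leak), the HMAC stops the proxy being used as an open relay, and a size and type limit is applied on the way through. The host name, secret and function names are assumptions for the demonstration; the one upstream URL comes from Ciar Meara's signature in this thread.

```python
"""
Added example (not from the original thread): a camo-style signed image proxy.
Rendering side: proxy_url_for() turns a remote image URL into a URL on the
forum's own HTTPS host, carrying an HMAC over the upstream URL.
Proxy side: decode_proxy_path() only yields the upstream URL when the HMAC
verifies, fetch_allowed() refuses internal targets before connecting out,
and relay_headers() limits what is relayed back to the browser.
PROXY_BASE, SECRET and all names are assumptions for the demonstration.
"""
import hashlib
import hmac
import ipaddress
from urllib.parse import urlparse

PROXY_BASE = "https://forums.example/img"        # assumed: the forum's own HTTPS host
SECRET = b"rotate-me-and-keep-me-out-of-the-repo"  # assumed: server-side secret


def _mac(upstream: str) -> str:
    return hmac.new(SECRET, upstream.encode("utf-8"), hashlib.sha256).hexdigest()


def proxy_url_for(upstream: str) -> str:
    """Called when rendering a post: the <img src> becomes a signed URL on our
    host. Only http(s) upstreams are accepted."""
    if urlparse(upstream).scheme not in ("http", "https"):
        raise ValueError("only http/https images can be proxied")
    return "%s/%s/%s" % (PROXY_BASE, _mac(upstream), upstream.encode("utf-8").hex())


def decode_proxy_path(path: str):
    """Called when the proxy receives /img/<mac>/<hex>: return the upstream URL
    only if the MAC verifies, otherwise None. A URL the forum did not sign
    cannot be fetched through us, so the proxy is not an open relay."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "img":
        return None
    mac, hexurl = parts[1], parts[2]
    try:
        upstream = bytes.fromhex(hexurl).decode("utf-8")
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _mac(upstream)):
        return None
    return upstream


def fetch_allowed(upstream: str, resolved_ip: str) -> bool:
    """Before the proxy connects out: refuse targets that resolve to internal
    addresses, so a signed URL cannot be used to reach the network the proxy
    sits in. resolved_ip is passed in to keep this offline; in production
    resolve the hostname and check every answer, and pin the connection to it."""
    if urlparse(upstream).scheme not in ("http", "https"):
        return False
    ip = ipaddress.ip_address(resolved_ip)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_multicast)


def relay_headers(upstream_content_type: str, length: int, max_bytes: int = 1024 * 1024):
    """Headers the proxy puts on its own response. Only raster image types are
    relayed and oversized bodies are refused (None = refuse). The CSP and
    nosniff headers keep a browser from ever treating the body as a page."""
    ct = upstream_content_type.split(";")[0].strip().lower()
    if ct not in ("image/png", "image/jpeg", "image/gif") or length > max_bytes:
        return None
    return [("Content-Type", ct),
            ("Content-Length", str(length)),
            ("Content-Security-Policy", "default-src 'none'"),
            ("X-Content-Type-Options", "nosniff")]


if __name__ == "__main__":
    up = "http://go-dl1.eve-files.com/media/corp/janus/ceosig.jpg"
    signed = proxy_url_for(up)
    print(signed)
    print(decode_proxy_path(signed[len("https://forums.example"):]))
```

The proxy should still sniff the fetched bytes the way a direct check would, since the upstream Content-Type is under the image owner's control; and because the proxy is the one fetching, the image owner only ever sees the forum server's address, not the readers'.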
Riflin' Betty
Perfunctory
#40 - 2011-09-06 14:09:33 UTC
CCP Karuck wrote:
If you are referring to the short period where we did allow signatures on the first (failed) attempt at launching these forums then yes, it was a possibility.


Then why did the DevBlog say it wasn't possible?

Further you didn't allow anything, you left open some awful holes that made it possible to do despite your intent not to.