Straight answer on (image tags)?

Louis deGuerre
The Dark Tribe
#41 - 2011-09-06 14:10:37 UTC
But...but....but...

We must be able to make pony threads !!!
Tippia
Sunshine and Lollipops
#42 - 2011-09-06 14:12:40 UTC  |  Edited by: Tippia
Aethlyn wrote:
No, (despite the mentioned possible client side exploits) I'm talking about server side code that's run when the image is requested. Depending on your browser it will send quite a few lines of information, including referral information and such. It's the way classic non-JavaScript stats tracking scripts work. This not only opens up possible exploits (it's not like you need 5 minutes and you've got something to exploit - let's be honest) but also privacy issues (e.g. in Germany some instances actually want to force the removal of Facebook's "I like" buttons due to them collecting data just by being embedded into the pages). I know that most abusive stuff will require at least some JavaScript code, but it's possible to get quite some data utilizing simple HTTP requests, e.g. for images.
Define “exploit”.

The browser should not feed it cookie information unless it's programmed by chimps; post headers when editing threads should not be sent to third parties (again, assuming the browser isn't stupid); the referral information is worthless (yay! I got a link to a page anyone can find anyway); accept and user headers are unrelated to the forums…

So what relevant information about my EVE presence — which is what they're trying to protect — could they get that isn't due to browser flaws (that, again, CCP can't/have no business fixing)?

In particular, consider this in relation to the fact that they're already pulling all of the jQuery and analytics files from google — you know that company that makes its money from collecting data about people…?
Jade Constantine
Jericho Fraction
The Star Fraction
#43 - 2011-09-06 14:14:25 UTC
CCP Karuck wrote:
Jade Constantine wrote:

CCP Karuck wrote:
Most public forums don't use https, and are wide open to packet sniffers. Since the forums, EVE Gate and other upcomings webs here use your actual EVE login we are taking steps to secure your information more (yes you can joke all you want about this, but we are).


Okay that makes sense certainly. Have you considered the alternative I mentioned above about hosting a ccp-controlled image upload service for signatures and in-character imagery and allowing people to embed directly from the ccp secure webserver?


Yes, that is one of the options being considered.


Okay then.

Thanks for your input Karuck, it's been good to get a straight answer, much respect for that.

Could you ask the forum producer to make a response soon about the timescales for considering these options please?

I think it would be useful to get back to having a roadmap for feature delivery with timescales so we all know where we stand. If it turns out that we'd be waiting a few weeks for a ccp webserver for uploading of images to restore our sig functionality I think that'd be fine.

But I guess you appreciate how in the current climate of incarna-rage monoclegate and fearless it would be very useful to return to an older way of letting us know that the features we want are being worked on and will be delivered in short order!

All the best

The True Knowledge is that nothing matters that does not matter to you, might does make right and power makes freedom

CCP Karuck
C C P
C C P Alliance
#44 - 2011-09-06 14:14:50 UTC
Riflin' Betty wrote:

Then why did the DevBlog say it wasn't possible?

Further you didn't allow anything, you left open some awful holes that made it possible to do despite your intent not to.


Short reply: Two different things, no exploits got out.

Please link me to the reference you are talking about, but I'm pretty sure they were talking about embedding scripts in the signature, which is a completely different type of exploit.
If you have a pretty modern browser (not 4-5+ years old) then the case I am talking about is not possible anymore, at least no known exploits.
The case we discussed in the devblog is possible in all browsers but would have been a programming fail on our end. In that case the browser simply can't tell the difference between a normal script and a malicious one.

  • Senior Programmer on EVE: Valkyrie / @SiggiGG
T'Laar Bok
#45 - 2011-09-06 14:19:41 UTC
Images on the internet? pppffffftttt it's just a passing fad and the devs obviously recognize this.

Amphetamines are your friend.

http://eveboard.com/pilot/T'Laar_Bok

Aethlyn
Brutor Tribe
Minmatar Republic
#46 - 2011-09-06 14:20:11 UTC
Client side exploits as in buffer overflows, image filter issues, etc.



Refreshing this page without hitting the cache requests content from the following servers:
https://forums.eveonline.com/
https://gate.eveonline.com/
https://image.eveonline.com/
https://ajax.googleapis.com/
https://ssl.google-analytics.com/

These involve 2 companies but I've got complete control over this (e.g. by blocking google analytics in your browser).

But how should this work for tons of unknown image hosts? Sure, you could opt them in one by one but this wouldn't really increase your security (casual users won't see any sense behind this anyway). It just adds tons of overhead either server or client side.

Looking for more thoughts? Follow me on Twitter.

Riflin' Betty
Perfunctory
#47 - 2011-09-06 14:21:51 UTC
CCP Karuck wrote:
Riflin' Betty wrote:

Then why did the DevBlog say it wasn't possible?

Further you didn't allow anything, you left open some awful holes that made it possible to do despite your intent not to.


Short reply: Two different things, no exploits got out.

Please link me to the reference you are talking about, but I'm pretty sure they were talking about embedding scripts in the signature, which is a completely different type of exploit.
If you have a pretty modern browser (not 4-5+ years old) then the case I am talking about is not possible anymore, at least no known exploits.
The case we discussed in the devblog is possible in all browsers but would have been a programming fail on our end. In that case the browser simply can't tell the difference between a normal script and a malicious one.



if you're not allowing images now for some nebulous fear of 'sploits, then by your definition exploits were possible when you released the half-behinded version of this forum before.

ergo, this is a binary issue: exploits were possible yes or no, and you said "no" but now you are saying "urrrr maybe".

I take particular offense to this topic as there has been a completely disproportionate time spent on this whole project, only to release something which is cobbled together and does not offer functionality we had access to previously.

All this time has cost the company a whole lot of money (i.e. your wages) which could have been fruitfully spent on more game developers for Flying in Space. Moreover a single webdev would have sufficed to simply implement a proper search engine and an updated theme for the old forums, which are otherwise perfectly functional.

In summary: this here is not 72,000 man hours worth, and it never was, and the spindoctoring about the whole debacle is making my head hurt.

Note that this is not pointed at you or anyone in particular, just more of a general observation.
Jade Constantine
Jericho Fraction
The Star Fraction
#48 - 2011-09-06 14:22:22 UTC
Alexandra Alt wrote:
Advice ? simple, add the ability to upload images into your forum account with a very very low diskspace limit (something like 150k ?! 'ought to be enough' like our dear Gates once said) and use that for avatar/signatures.


I think we need more than that potentially. Recruiting banners, in-character themed artwork for IGS / corporate/alliance boards etc. Certainly a couple of megs would be fine though. I mean last forum had a limit of 50k posting size. At any one time I'd probably have 10 ish images in current threads maybe.

Of course, somehow linking this into the eve is real publicity scheme and ensuring its all eve-themed artwork might be clever.

The True Knowledge is that nothing matters that does not matter to you, might does make right and power makes freedom

CCP Karuck
C C P
C C P Alliance
#49 - 2011-09-06 14:25:21 UTC
Riflin' Betty wrote:

if you're not allowing images now for some nebulous fear of 'sploits, then by your definition exploits were possible when you released the half-behinded version of this forum before.


Then by your definition you can call pretty much every forum out there that allows external images "half baked" as well.
Also, read my other replies.. this "remote change in hell" exploit was not the only reason we turned this off.

No one is perfect, it's the will to make things better that matters more to me.
  • Senior Programmer on EVE: Valkyrie / @SiggiGG
Mashie Saldana
V0LTA
WE FORM V0LTA
#50 - 2011-09-06 14:26:21 UTC
I guess it's just a matter of time before people get used to having no signature images here.
Tippia
Sunshine and Lollipops
#51 - 2011-09-06 14:28:25 UTC  |  Edited by: Tippia
Aethlyn wrote:
Client side exploits as in buffer overflows, image filter issues, etc.
Iow, browser flaws that CCP cannot fix and which will exist/happen anyway when people are being sent to the same content through normal means. Like you say, casual users won't care and will get hit anyway.
Quote:
But how should this work for tons of unknown image hosts?
And the question remains: why do you need to make it work for them? What is there to protect and what makes it is an issue with the forums (i.e. within the domain of what CCP can control), and not with the behaviour and software on the user side?

For people who do care, they could always just re-institute the option of whether to display images or not and make it behave like the outgoing link warning (that no-one cares about anyway and just clicks through), and even without images, they will have to provide that option for signatures anyway sooner or later…

In fact, that's kind of the whole point, and has been the point for EVE as a whole for quite some time now: what is it about options that make CCP loathe them so much?
Riflin' Betty
Perfunctory
#52 - 2011-09-06 14:28:27 UTC
CCP Karuck wrote:
Riflin' Betty wrote:

if you're not allowing images now for some nebulous fear of 'sploits, then by your definition exploits were possible when you released the half-behinded version of this forum before.


Then by your definition you can call pretty much every forum out there that allows external images "half baked" as well.
Also, read my other replies.. this "remote change in hell" exploit was not the only reason we turned this off.

No one is perfect, it's the will to make things better that matters more to me.


Exactly. So why are the pictures off if it's apparently ok for every other forum on earth?

Contradictions abound, and definitely not good value-for-investment-money.
Alexandra Alt
Doomheim
#53 - 2011-09-06 14:31:20 UTC  |  Edited by: Alexandra Alt
Aethlyn wrote:
Tippia wrote:
What you're talking about is a flaw in the browser. The forum software will simply put that url into an img tag, and if the browser is so ******** as to accept (much less execute) anything other than an image file coming through that link, then that browser needs to be fixed was retired 5 years ago.

No, (despite the mentioned possible client side exploits) I'm talking about server side code that's run when the image is requested. Depending on your browser it will send quite a few lines of information, including referral information and such. It's the way classic non-JavaScript stats tracking scripts work. This not only opens up possible exploits (it's not like you need only 5 minutes and you've got something to exploit - let's be honest) but also privacy issues (e.g. in Germany some instances actually want to force the removal of Facebook's "I like" buttons due to them collecting data just by being embedded into the pages). I know that most abusive stuff will require at least some JavaScript code, but it's possible to get quite some data utilizing simple HTTP requests, e.g. for images.


While you are right about how the functioning might happen, you're quite wrong about what can/cannot be sent to a server when requesting an image to be loaded when embedded in a page.

Cookies can be prevented from being sent to such external places depending on how the site software is configured, you can only allow cookies in a domain, secure only, and a lot of other settings to prevent the cookie hijacking scenario you're describing.

The only information that can be gathered is the usual referrer, user-agent, charset, encoding, language, a few headers that might be inserted from your ISP proxy if it has one, and eventually some other useless stuff. Now, this is sensitive (or can be) information for some, can be used as a gathering method for RMT sites about players, as possible strike targets for DNS hijacking/poisoning/hacking to make you go to other stuff, but then, we're talking about highly sophisticated attacks here, not what your average Joe can do, thus, if there is the possibility, most certainly will be exploited (or attempted) and since the complexity to exploit such system means they'll be made by highly sophisticated people and most certainly succeed.

Now, one cannot live in a bubble thinking that every time you leave home you might die from a piano that has been dropped on you, you (as in any of us) leave a lot of information scattered around the internet whenever we go than what would be revealed by a simple external image loading on a forum, and I'm pretty sure we don't worry as much as we're worrying right now.

Again, I think (thus all the above is quite viable as something to take seriously) the biggest issue is ssl session hijacking, and that is way more serious than revealing your referrer/user-agent, and due to that I have to stand by CCP's side and would think it should never be allowed the inclusion of external resources from non secure sources, thus the 'in-house' upload thing for each player.
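
Added example, not part of the original thread and not CCP's code: a simplified JavaScript model of RFC 6265 cookie selection and the older no-referrer-when-downgrade Referer behaviour, showing what an embedded image's host receives in the cases discussed in the post above. The cookie names, the page URL and `img.example.net` are constructed for illustration; SameSite and HttpOnly are not modelled.

```javascript
// Constructed cookie jar, as a browser might hold it after a forum login.
// domain === null means a host-only cookie (no Domain attribute was set).
const SAMPLE_JAR = [
  { name: "session", host: "forums.eveonline.com", domain: null, path: "/", secure: true },
  { name: "sso", host: "forums.eveonline.com", domain: "eveonline.com", path: "/", secure: true },
  { name: "legacy", host: "forums.eveonline.com", domain: "eveonline.com", path: "/", secure: false },
];

// RFC 6265 domain-match: exact host for host-only cookies, otherwise the
// request host must equal the Domain value or be a subdomain of it.
function domainMatches(requestHost, cookie) {
  if (cookie.domain === null) return requestHost === cookie.host;
  const d = cookie.domain.replace(/^\./, "").toLowerCase();
  return requestHost === d || requestHost.endsWith("." + d);
}

// RFC 6265 path-match.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Names of the cookies a browser would attach to a request for imageUrl.
function cookiesSent(jar, imageUrl) {
  const u = new URL(imageUrl);
  return jar
    .filter((c) =>
      domainMatches(u.hostname, c) &&
      pathMatches(u.pathname, c.path) &&
      (!c.secure || u.protocol === "https:")) // Secure cookies never go over http
    .map((c) => c.name);
}

// What the image host (and, for cleartext requests, anyone on the path) sees.
function imageRequestView(jar, pageUrl, imageUrl, userAgent) {
  const page = new URL(pageUrl);
  const img = new URL(imageUrl);
  // no-referrer-when-downgrade: an https page sends no Referer to an http
  // resource. Current browsers default to a stricter policy that sends
  // only the origin to other sites.
  const downgrade = page.protocol === "https:" && img.protocol === "http:";
  return {
    host: img.hostname,
    cleartext: img.protocol === "http:",
    referer: downgrade ? null : page.href,
    userAgent,
    cookies: cookiesSent(jar, imageUrl),
  };
}

// Constructed page URL and user agent for the four cases in the discussion.
const PAGE = "https://forums.eveonline.com/topic/123";
for (const src of [
  "https://img.example.net/sig.png",     // third-party host over https
  "http://img.example.net/sig.png",      // third-party host over http
  "https://image.eveonline.com/sig.png", // first-party image host over https
  "http://image.eveonline.com/sig.png",  // first-party image host over http
]) {
  console.log(src, imageRequestView(SAMPLE_JAR, PAGE, src, "ExampleBrowser/1.0"));
}
```

In this model the third-party host never receives a forum cookie, while a Domain-wide cookie without the Secure flag is sent in cleartext as soon as any eveonline.com image is requested over http.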
AnzacPaul
Tactical Farmers.
Pandemic Horde
#54 - 2011-09-06 14:32:56 UTC
Riflin' Betty wrote:
CCP Karuck wrote:
Riflin' Betty wrote:

if you're not allowing images now for some nebulous fear of 'sploits, then by your definition exploits were possible when you released the half-behinded version of this forum before.


Then by your definition you can call pretty much every forum out there that allows external images "half baked" as well.
Also, read my other replies.. this "remote change in hell" exploit was not the only reason we turned this off.

No one is perfect, it's the will to make things better that matters more to me.


Exactly. So why are the pictures off if it's apparently ok for every other forum on earth?

Contradictions abound, and definitely not good value-for-investment-money.



I confess to know nothing about the subject, but this is an interesting point to me. What makes these forums so vulnerable compared to any other?
Alexandra Alt
Doomheim
#55 - 2011-09-06 14:37:44 UTC
AnzacPaul wrote:

I confess to know nothing about the subject, but this is an interesting point to me. What makes these forums so vulnerable compared to any other?


Heh, really ? is that hard to understand ?

For starters, forums are linked to your EveGate account, therefore everything else, hijacking of your account, your details, eventually in the future when everything is consolidated in the same platform (evegate) your API data, etc, etc.

On other forums what have u got to lose ? possibly a password, and the revealing of your email, hence those forums rarely bother about any kind of security related to session hijacking and or other vulnerabilities.
CCP Karuck
C C P
C C P Alliance
#56 - 2011-09-06 14:38:21 UTC
Riflin' Betty wrote:

Exactly. So why are the pictures off if it's apparently ok for every other forum on earth?


The Internet is far from being a perfect place. Most people thought non-https was ok until people started hacking their Facebook accounts with Firesheep.
  • Senior Programmer on EVE: Valkyrie / @SiggiGG
Cipher Jones
The Thomas Edwards Taco Tuesday All Stars
#57 - 2011-09-06 14:38:59 UTC
CCP Karuck wrote:
Riflin' Betty wrote:

if you're not allowing images now for some nebulous fear of 'sploits, then by your definition exploits were possible when you released the half-behinded version of this forum before.


Then by your definition you can call pretty much every forum out there that allows external images "half baked" as well.
Also, read my other replies.. this "remote change in hell" exploit was not the only reason we turned this off.

No one is perfect, it's the will to make things better that matters more to me.


Just quoting this as proof that you are damned if you don't and damned if you do. People complained that the last version of the new forums were insecure and CCP didn't do their job. Now CCP made them secure and people complain.

Thank you for the new forums.

I have one request please. Limit the size of images if/when you allow them. People abusing that exploit made the forums harder to read, and it was uncalled for. Stopping that would be swell. Thank you.

internet spaceships

are serious business sir.

and don't forget it

Aethlyn
Brutor Tribe
Minmatar Republic
#58 - 2011-09-06 14:41:39 UTC
The fact there are accounts linked to it that can be valuable in the right context, including possible online transactions (entering payment information probably on the same machine you're browsing the forum with)?

For those looking for an abusive scenario not requiring direct script access on the client machine:
- Player uses the ingame browser to read forums.
- Image is loaded from malicious site.
- This might provide more or less (depending on player's system security) valuable information to someone trying to hijack the system: a) the player is running EVE right now b) the player's IP.
- With this information there is the possibility the attacker might abuse existing vulnerabilities (screwed up NAT settings, missing firewall, whatever) to hijack specifically players of EVE instead of just trying random IPs.

This doesn't involve any information usually kept/not sent by browsers regardless of their security settings.

Looking for more thoughts? Follow me on Twitter.

Jade Constantine
Jericho Fraction
The Star Fraction
#59 - 2011-09-06 14:45:33 UTC
Alexandra Alt wrote:
AnzacPaul wrote:

I confess to know nothing about the subject, but this is an interesting point to me. What makes these forums so vulnerable compared to any other?


Heh, really ? is that hard to understand ?

For starters, forums are linked to your EveGate account, therefore everything else, hijacking of your account, your details, eventually in the future when everything is consolidated in the same platform (evegate) your API data, etc, etc.

On other forums what have u got to lose ? possibly a password, and the revealing of your email, hence those forums rarely bother about any kind of security related to session hijacking and or other vulnerabilities.


Yeah that's about the size of it. I think I like many other thousands got our accounts compromised on the old Scrap Heap Challenge forums when it was discovered our user names and passwords were stored in plain text and looted by scoundrels - but fortunately nothing was linked to that login data so ultimately nothing of value was lost. Losing Eve account to the same fiasco would be appalling so I can see the point that Karuck is making about the security issues being an order of magnitude worse here.

So bottom line.

I'm not really that interested in a blame game and throwing stones at all the "wasted man hours" of forum development etc.

But I would like the forum producer to come onto the forum with a timely and informative blog that shows how the web/forum team is going to implement the hosting of images (if they go that route) and allow us to return to the functionality of the old forums we've gotten used to.

Maybe even improving things along the way huh?

I guess I'm a bit sick of "soon(tm)" like everyone else and would like to see some commitment to timely results but explain the issues and vulnerabilities, provide information on the problems and a sensible timescale on the resolution and I'm fine with that.

The True Knowledge is that nothing matters that does not matter to you, might does make right and power makes freedom

Riflin' Betty
Perfunctory
#60 - 2011-09-06 14:45:38 UTC
CCP Karuck wrote:
Riflin' Betty wrote:

Exactly. So why are the pictures off if it's apparently ok for every other forum on earth?


The Internet is far from being a perfect place. Most people thought non-https was ok until people started hacking their Facebook accounts with Firesheep.


Evasive answer is evasive.

Also, I'm really sorry but, high-horsing and buzzword throwing is not allowed for people who put live a hacked-job YaF without removing the old admin pages, having unencrypted character identifiers in cookies and above all allowing code injection into the signature field.

There is no compelling argument for you to disallow the image tag other than the fact that one of your webgurus decided it was not esthetically pleasing.