"HTML5 Geolocation API is scaring me"



  • So this guy makes a quick test with the new browser Geolocation API, querying Google Maps with the coordinates it gets.

    And surprise, surprise, he sees his own house!  *gasp*

     

    You mean this technology is working exactly as it is intended? Scary!...

     

    What's your take on this? Is he a troll or is he just genuinely concerned with the accuracy?



  • You're right. He's an idiot. So are the people who comment on his blog, although at least they pointed out that the browser is required to ask permission before using geo data.



  • well that code failed to load anything for me under Safari on OS X, and under Firefox it was about 10 miles from where I actually am. So yes that code does scare me - if you are meant to rely on it.



  • It got to within 10 meters from where I am. Yes, that is scary to me.

    The fact that the browser asks politely is nice, but not really relevant. It means for instance that also a rogue application could get to with 10 meters of where I am, without me telling them anything. Yes, Mozilla has a nice privacy policy, and so has Google, great, fine, but still, the information exists and is available. If the nice guys can use it, then the not so nice guys can abuse it. If say I write a blog about how I don't like my government (and say I happen to live in a country where I don't want my government to find out), am I still happy about this? Or think of any kind of scenario, where you wouldn't want your employer, neighbour, wife, or the nutcases on 4chan to find out. I think you will be able to come up with ideas.

    So as said before, I live in a cave, and I am naive - I hadn't realised geolocation could get this close. Yes, even having nothing to hide, that is scary.

     



  • Why are you freaking out?  It's less accurate than the fucking phonebook we survived with for generations without living in fear, so simmah down.



  • Your phone books actually have people's addresses in them?

    Anyway, I fail to see the WTF. Some people are scared of spiders. It's much more rational to be scared of geolocation.



  • @hoodaticus said:

    It's less accurate than the fucking phonebook we survived with for generations

    Maybe, but I thnik the point is that this is global and not limited to other people in the same town (or who use the same phone book, anyway).

    Pleasingly, though I live in Edinburgh, Scotland, that code put 'I'm here!' on King William Street in London, England. 300+ miles wrong is fine by me!



  • @b-redeker said:

    So as said before, I live in a cave, and I am naive - I hadn't realised geolocation could get this close. Yes, even having nothing to hide, that is scary.
    Why would they need to use geo-location when they can read your thought-waves every time you take off your tin-foil hat?



  • @Faxmachinen said:

    Your phone books actually have people's addresses in them?
     

    Yours don't?

     

    I'm not that concerned about websites misusing it as long as I'm always asked first and have the chance to deny it.

    But if Firefox can do it, any other app can do it, and the other app might not be as nice about asking me first.



  • @scgtrp said:

    Yours don't?

    No, it has phone numbers in it. Weird, huh?

    Though to be fair, the online catalog does, as well as all your other numbers and a handy map for the arsonist to follow.



  • @scgtrp said:

    But if Firefox can do it, any other app can do it, and the other app might not be as nice about asking me first.

    And that harms you... how?

    I guess you'll just have to be careful not to install that "CLICK THIS HUGE BUTTON WHEN YOU GO ON VACATION YOU CAN TRUST ME REALLY" browser plugin. And if you do install it, not to click the button.

    I have this same problem with privacy people, you know, "using third-party cookies this site knows I was at Site A then advertises it on Site B!" My response is, "so? How does that hurt you in any way?" I've yet to hear an actual answer. But people love to tell you how "creepy" it is.



  • @Faxmachinen said:

    No, it has phone numbers in it. Weird, huh?
     

     That is weird!  I've never seen a phonebook which didn't show both the address and the phone number.



  • @blakeyrat said:

    I have this same problem with privacy people, you know, "using third-party cookies this site knows I was at Site A then advertises it on Site B!" My response is, "so? How does that hurt you in any way?" I've yet to hear an actual answer. But people love to tell you how "creepy" it is.

    Have fun.



  • @Faxmachinen said:

    @blakeyrat said:

    I have this same problem with privacy people, you know, "using third-party cookies this site knows I was at Site A then advertises it on Site B!" My response is, "so? How does that hurt you in any way?" I've yet to hear an actual answer. But people love to tell you how "creepy" it is.

    Have fun.

    Um... oookkkaaayyy? You wanna maybe provide some commentary on that link?

    Take this post, for example. The only real problem here is that IE doesn't make it clear that the cookies don't get deleted immediately. But... what the fuck is the point? If someone wants no cookies in IE, they could just *gasp* use the privacy mode that IE (and every other browser on Earth) has... they wouldn't be deleting cookies every minute.

    I mean, I do agree it's annoying for testing webapps, but... scary? No. Creepy? No. Dangerous? No. Likely to hurt me in some way? Certainly not.



  • @blakeyrat said:

    Um... oookkkaaayyy? You wanna maybe provide some commentary on that link?

    Hold on, let me get my silver spoon. First off, if you'd actually read the article, you'd notice that it mentions a way for an attacker to steal your cookies. If that doesn't worry you in the slightest, you're not very well versed with the way the internet works. To paraphrase wikipedia, cookies can be used for authentication, storing site preferences, shopping cart contents, the identifier for a server-based session, etc. For instance, if someone steals your web banking session ID cookie, they're pretty much logged in to your bank as you.

    Then, if you'd read any of the other articles, you'd realize that there are techniques such as CRSF, clickjacking, session fixation, DoS, etc., and that they can all be facilitated by exploiting cookies.



  • @Faxmachinen said:

    Hold on, let me get my silver spoon.

    Huh? Like... you are going to get adopted by rich folks or something?

    @Faxmachinen said:

    First off, if you'd actually read the article, you'd notice that it mentions a way for an attacker to steal your cookies.

    Well, if it did, then it's written really shitty because I don't see where. Or how.

    @Faxmachinen said:

    If that doesn't worry you in the slightest,

    Nope.

    @Faxmachinen said:

    you're not very well versed with the way the internet works.

    Oh the classic, "if you don't agree with me, you must be ignorant" defense. Kudos, you're really raising the bar. Do you think it's possible, even remotely, that I might know how the Internet works and not be worried about that blog article? Which, according to you, somehow points out a way of stealing cookies although really it doesn't?

    @Faxmachinen said:

    Then, if you'd read any of the other articles, you'd realize that there are techniques such as CRSF, clickjacking, session fixation, DoS, etc., and that they can all be facilitated by exploiting cookies.

    Maybe if you had talked about one of those instead of just sending a link to a list of vaguely-titled articles with absolutely no commentary-- maybe now we'd be having a more reasonable discussion. But you didn't, and we ain't. Poopiehead!



  • @Faxmachinen said:

    Then, if you'd read any of the other articles, you'd realize that there are techniques such as CRSF, clickjacking, session fixation, DoS, etc., and that they can all be facilitated by exploiting cookies.
    What a wonderful example of people discussing better ways to bolt the front door whilst the back door remains wide open. None of your suggested examples involce stealing cookies, anyway.



  • @Faxmachinen said:

    For instance, if someone steals your web banking session ID cookie, they're pretty much logged in to your bank as you.

    Any half-competent internet banking system will tie the cookie to your IP address and possibly other information identifying your computer. Although from what we've seen on this site, there are plenty of less than half-competent internet banking systems out there...


  • Discourse touched me in a no-no place

    @Faxmachinen said:

    Your phone books actually have people's addresses in them?



  • @blakeyrat said:

    Oh the classic, "if you don't agree with me, you must be ignorant" defense.

    Actually, it was the classic "if you don't agree with me, you must be ignorant, and here's why" defense. But hey, if you only want to take sentences out of context so you can call logical fallacy upon them, then there's not much I can do for you. I figured you were actually interested in knowing why people are worried about cookies, and would actually take some time to read those articles (I dunno, start at the top?), but it seems you are more interested in arguing on the internet. Nevermind, then.

    @PJH said:

    [image]

    Interesting. We use first and last name, rather than first name/initials and address to identify people in our phonebooks.



  • @Faxmachinen said:

    We use first and last name [...] to identify people in our phonebooks.
     

    But which John Smith?

    Our phone books also contain an address, along with a well-produced street map of the relevant area.



  • @dhromed said:

    @Faxmachinen said:

    We use first and last name [...] to identify people in our phonebooks.
     

    But which John Smith?

    Our phone books also contain an address, along with a well-produced street map of the relevant area.

    Why are you people arguing about a book nobody's used in 10 years?

    Hey, let's compare slide rules while we're at it!

    @Faxmachinen said:

    Actually, it was the classic "if you don't agree with me, you must be ignorant, and here's why" defense. But hey, if you only want to take sentences out of context so you can call logical fallacy upon them, then there's not much I can do for you. I figured you were actually interested in knowing why people are worried about cookies, and would actually take some time to read those articles (I dunno, start at the top?), but it seems you are more interested in arguing on the internet. Nevermind, then.

    Call it what you like. The fact of the matter is, cookies aren't scary-- badly-programmed websites are scary. There's a big difference between the two. A badly-programmed website would be just as, or more, scary if it used a URL param instead of cookies to track sessions.

    And I can't take anybody seriously who pisses his pants at the thought of third-party cookies tracking his activity. Firstly, because you can just *turn them fucking off* in about 5 seconds flat in any browser on Earth. Secondly, because I don't see it as being a big deal that a server somewhere knows what sites I visit... the only "bad thing" I get from that is better-targeted advertising. Oooo targeted advertising, scary! oooOOOoooOOO!



  • @blakeyrat said:

    Why are you people arguing about a book nobody's used in 10 years?
     

    Very true! It's a little more than 10 years for me, I think. Last time I clearly rememberusing one to fetch a number I was a wee laddy.

    @blakeyrat said:

    cookie blub

    You're not really responding ontopic-ishly to the blog posts, though. None of them are really about privacy concerns.

     



  • @dhromed said:

    @blakeyrat said:

    Why are you people arguing about a book nobody's used in 10 years?
     

    Very true! It's a little more than 10 years for me, I think. Last time I clearly rememberusing one to fetch a number I was a wee laddy.

    @blakeyrat said:

    cookie blub

    You're not really responding ontopic-ishly to the blog posts, though. None of them are really about privacy concerns.

     

    Well, I would think if cookies were really scary, someone would be able to explain to me why in a concise manner. I'm not reading an entire blog in hopes of finding what you're all talking about. If privacy isn't the concern, what is?



  • @blakeyrat said:

    If privacy isn't the concern, what is?
     

    The most egregious might be that an attacker in the middle can duplicate a victim's session cookie and perform actions on the online system as if they were the victim. The first example on the Wikipedia article on CRSF seems a little naive, though.

     

    I'm going to have to ask Mr. Fax to break out that silver spoon anyway (even though that's a conflation of expressions).



  • @blakeyrat said:

    @dhromed said:

    @blakeyrat said:

    Why are you people arguing about a book nobody's used in 10 years?
     

    Very true! It's a little more than 10 years for me, I think. Last time I clearly rememberusing one to fetch a number I was a wee laddy.

    @blakeyrat said:

    cookie blub

    You're not really responding ontopic-ishly to the blog posts, though. None of them are really about privacy concerns.

     

    Well, I would think if cookies were really scary, someone would be able to explain to me why in a concise manner. I'm not reading an entire blog in hopes of finding what you're all talking about. If privacy isn't the concern, what is?

     

    Really any privacy concerns come from how sites use cookies, if its just things like defaulting how fields in a report are filled in then its not really that much of a concern (assuming things like account numbers aren't filled in).  The problem comes up when sites use cookies badly and store things like authentication tokens as then stealing them allows for man in the middle attacks.  For most things this isn't really as big a deal as people make it out to be, but its the internet home of hyperbole (and some of those that use things badly can be banks and insurance companies).  At least that is my understanding of the issue, anyone with a better one please step in to correct me.

     

    Some people still use the phonebook; I've used them recently for a name distribution thingy and to look up a taxi service when my phone was dead.  Its just that they are mostly useless these days, instead of completely.



  •  @Cad Delworth said:

    @hoodaticus said:

    It's less accurate than the fucking phonebook we survived with for generations

    Maybe, but I thnik the point is that this is global and not limited to other people in the same town (or who use the same phone book, anyway).

    No, the point is that when I call someone and leave my name and number, I make a concious choice that I can be found; but the Internet offers a certain freedom of speech to people who otherwise have no voice.

    Imagine if you will a site where IT workers can tell of the horrors they see (weird concept, I know). So imagine that you, under an anonymized name, tell what goes on at your employer, and call your boss a nitwit. Your boss reads this, and vows to fire whoever wrote that, or otherwise make his life a nightmare. Your boss happens to have a nephew who is a bit less of a nitwit, and because this aforementioned site is a pretty crappy solution (yeah, it gets unbelievable at this point, but bear with me), through XSS or Sql injection or some other attack, he traces the IP address of your home PC - and your home.

    Or if that doesn't bother you, imagine you live in Venezuela, China or maybe some fictional country where the FBI and the CIA or their local equivalent have unlimited powers and money, and you happen to oppose the local regime. Or imagine you have a sexblog that you wouldn't want your neighbours to find out about (or your wife). Are you sure that everything you ever searched for or posted or otherwise did on the internet is completely inoffensive to everyone else in the world?

    The point is that Internet appears to offer some anonimity to people who choose so. It now seems that this anonimity is less than I thought. Scary? Yes, I imagine that to some people this could be scary.



  • @b-redeker said:

    Or if that doesn't bother you, imagine you live in Venezuela, China or maybe some fictional country where the FBI and the CIA or their local equivalent have unlimited powers and money, and you happen to oppose the local regime. Or imagine you have a sexblog that you wouldn't want your neighbours to find out about (or your wife).

    Then I guess those people better not hit "allow" when the browser asks their permission.

    @b-redeker said:

    Are you sure that everything you ever searched for or posted or otherwise did on the internet is completely inoffensive to everyone else in the world?

    I would feel like a failure if I didn't post something offensive to somebody at least once a day.

    @b-redeker said:

    The point is that Internet appears to offer some anonimity to people who choose so. It now seems that this anonimity is less than I thought. Scary? Yes, I imagine that to some people this could be scary.

    The Internet at its worst is still more anonymous than any other form of communication at its best.



  • @b-redeker said:

    imagine you live in Venezuela, China or maybe some fictional country where the FBI and the CIA or their local equivalent have unlimited powers and money, and you happen to oppose the local regime.
    Then the fact that you have to take some very basic precautions to hid your browsing activities will be the least of your worries. The idea that your cookies and browser cache will be the weakest point is laughable. If you are a dissident, turn cookies off altogether, anonymise your ip address, turn off wifi, and bob's your raspberry flavoured auntie.

    @b-redeker said:

    Or imagine you have a sexblog that you wouldn't want your neighbours to find out about (or your wife).
    Sorry, how is that relevant? How is it relevant that your boss might trace your IP? That's not the same as finding your name, location, or any other information about you. And in any case, the important security hole is the one in the site that he uses to steal your information.



  • @Zecc said:

    the new browser Geolocation API, querying Google Maps with the coordinates it gets.
     

    The coordinates it gets .... from where?  I'm curious about how this works.  I tried it and it cames really close to my house (right across the street) .  How do you get such an exact location from just the IP address?



  • It's not just from the IP address:

    [url]http://www.mozilla.com/en-US/firefox/geolocation/[/url]

    How does it work?

    When you visit a location-aware website, Firefox will ask you if you want to share your location.

    If you consent, Firefox gathers information about nearby wireless access points and your computer’s IP address. Then Firefox sends this information to the default geolocation service provider, Google Location Services, to get an estimate of your location. That location estimate is then shared with the requesting website.

    If you say that you do not consent, Firefox will not do anything.




  • @El_Heffe said:

    @Zecc said:

    the new browser Geolocation API, querying Google Maps with the coordinates it gets.
     

    The coordinates it gets .... from where?  I'm curious about how this works.  I tried it and it cames really close to my house (right across the street) .  How do you get such an exact location from just the IP address?

    It's not going just by IP, unless that's the best available information. There's a bit of confusion here: geolocation isn't actually done by the browser, but rather by sending whatever information is available - GPS co-ordinates, wifi networks in range, etc - to a Network Location Server, which does the data-crunching and sends back a location. See this doc for what data can currently be used. As far as I can see, it's how the geolocation API finds your location.



  • Grab your router's MAC address, and enter it into this: http://samy.pl/mapxss/. See how close that gets. For me, it gets the address around the corner, very close.

    AFAIK, Firefox uses the same method for its geolocation.



  • @Faxmachinen said:

    For instance, if someone steals your web banking session ID cookie, they're pretty much logged in to your bank as you.
    That's fairly trivial to block BTW, store the user-agent and IP as part of the session and validate on each access.



  • @Lingerance said:

    @Faxmachinen said:
    For instance, if someone steals your web banking session ID cookie, they're pretty much logged in to your bank as you.
    That's fairly trivial to block BTW, store the user-agent and IP as part of the session and validate on each access.
    And get tickets complaining "session closes when I login elsewhere". Stupid, yes, but it's users I'm talking about here.



  • @Zecc said:

    @Lingerance said:

    @Faxmachinen said:
    For instance, if someone steals your web banking session ID cookie, they're pretty much logged in to your bank as you.
    That's fairly trivial to block BTW, store the user-agent and IP as part of the session and validate on each access.
    And get tickets complaining "session closes when I login elsewhere". Stupid, yes, but it's users I'm talking about here.
    ...ok, I don't get it. Why would the session close when they log in elsewhere?



  • @dhromed said:

    I'm going to have to ask Mr. Fax to break out that silver spoon anyway (even though that's a conflation of expressions).

    Well, I'm by no means a security expert, which is partially why I linked to the articles rather than trying to explain it myself.

    Anyway, as your example demonstrated, the problem with cookies is the implications they have on security. I'm not talking about idiot coders who ignore the standards here; the standard specifies that a cookie can only be read from the same domain that set it, yet we know that's not always the case. Ofcourse, cookies aren't by themselves the crux of security issues, but security is only ever as strong as it's weakest part.

    Also, the argument that you could just turn off cookies is useless, because you could just as easily argue that you could turn off your internet. It always comes down to functionality versus security.

     @Lingerance said:

    That's fairly trivial to block BTW, store the user-agent and IP as part of the session and validate on each access.

    That's fairly trivial to forge too, in most cases.



  • @Faxmachinen said:

    I'm not talking about idiot coders who ignore the standards here; the standard specifies that a cookie can only be read from the same domain that set it, yet we know that's not always the case.

    We do? Are you talking about IE 4 or something?

    @Faxmachinen said:

    Ofcourse, cookies aren't by themselves the crux of security issues, but security is only ever as strong as it's weakest part.

    Yah, but the weakest part right now is Java, it's Adobe browser plugins, it's Quicktime, it's retards unzipping unsolicited files they get in their email and running the .scr file. Cookies aren't even on the radar. (As far as security goes-- and I've already heard privacy isn't a concern.) I've seen security compromised by all those things just in the last month.

    Are there probably security bugs relating to cookies? No doubt. Are they important in the scheme of things? No.

    @Faxmachinen said:

    Also, the argument that you could just turn off cookies is useless, because you could just as easily argue that you could turn off your internet. It always comes down to functionality versus security.

    True. But since I've never ever ever in my entire career seen a cookie stolen, I'll take the damned functionality.



  • @DOA said:

    @Zecc said:
    @Lingerance said:
    That's fairly trivial to block BTW, store the user-agent and IP as part of the session and validate on each access.
    And get tickets complaining "session closes when I login elsewhere". Stupid, yes, but it's users I'm talking about here.
    ...ok, I don't get it. Why would the session close when they log in elsewhere?
    I expressed myself badly. They don't really login elsewhere. They login somewhere, leave the session open until it times out, successfully login elsewhere, leave that session open, and then get blocked when trying to reuse the first session.

    Because you see, logging out is a complex process which requires one full mouse click.



  • @blakeyrat said:

    We do? Are you talking about IE 4 or something?

    From http://www.owasp.org/index.php/HTTPOnly: "If the browsers enforces HttpOnly, a client side script will be unable to read or write the session cookie. However, there is currently no prevention of reading or writing the session cookie via a XMLHTTPRequest."

     @blakeyrat said:

    Yah, but the weakest part right now is Java, it's Adobe browser plugins, it's Quicktime, it's retards unzipping unsolicited files they get in their email and running the .scr file. Cookies aren't even on the radar.
    I'm talking about the weakest point of a specific system, not the average weakest point across all systems. You might think that doesn't concern you much as a user, but if your favorite trusted website gets compromised due to a weakness in their cookie handling, you're next.



  • @Faxmachinen said:

    I'm talking about the weakest point of a specific system, not the average weakest point across all systems. You might think that doesn't concern you much as a user, but if your favorite trusted website gets compromised due to a weakness in their cookie handling, you're next.

     

    If my favorite trusted website has problems with their cookie handling, they WILL have problems with other security measures too. Nobody is using all the security features right only to then fuck it up with cookie handling. Either the website is run by morons or it isn't.

     Additionally, EVERY website that does something critical with you cookies will have additional security measures, certficates, encryption and all that. One now might argue that (for example) facebook doesn't, but then again everybody who thinks facebook isn't going to sell your private data to russian advertising scammer chain gangs deserves it.



  • @fire2k said:

    Nobody is using all the security features right only to then fuck it up with cookie handling. Either the website is run by morons or it isn't.
     

    It's all fun & games in your world, but alas, this is not reality. Securing one aspect says absolutely nothing at all about the security of other aspects, whether they are "lesser" or "greater".



  • @dhromed said:

    @fire2k said:

    Nobody is using all the security features right only to then fuck it up with cookie handling. Either the website is run by morons or it isn't.
     

    It's all fun & games in your world, but alas, this is not reality. Securing one aspect says absolutely nothing at all about the security of other aspects, whether they are "lesser" or "greater".

    Have you ever been exploited by a cookie-stealing hack? Do you know anybody who has? How bad was it?

    I'm asking seriously; as I said above, cooking-stealing isn't even on the radar of things I think of when someone says "security."



  • @blakeyrat said:

    Have you ever been exploited by a cookie-stealing hack? Do you know anybody who has? How bad was it?

    I'm asking seriously; as I said above, cooking-stealing isn't even on the radar of things I think of when someone says "security."

     

    Yep, but it was more of an annoying prank then anything actually damaging.  And it wasn't the cookie from a system used by the uni, not a bank or other place that actually cares about security.



  • @blakeyrat said:

    Have you ever been exploited by a cookie-stealing hack?
     

    Not to my knowledge.

     

    But I have really no idea what the fuck caused that trojan a while back.


Log in to reply