but you shouldn't
CSS is always CSS. It's CSS on the repo too, but got edited back to "Css" here on the HN title for some reason.
A ruby dsl that’s indistinguishable from JavaScript. http://kevinkuchta.com/_site/2017/07/disguising-ruby-as-java...
^ and in talk form: http://confreaks.tv/videos/rubyconf2018-ruby-is-the-best-jav...
A url-shortener using AWS lambda - JUST lambda. No data store. http://kevinkuchta.com/_site/2018/03/lambda-only-url-shorten...
You made my day.
Wise and funny, at the same time.
>I remember last year, and probably the year before that, and probably the year before that still, people continually rediscover CSS keylogging. Glad to see something more interesting this time. Good work.
Following up on this, I found an article[0] claiming that it isn't really an issue since a pure CSS keylogger can only catch one character. It seems to me like your method of pseudo-refreshing the page by making old elements hidden and delivering new elements to replace them might be able to overcome this impediment, which would make your on-screen keyboard unnecessary; if I understand correctly, you could just keep capturing whatever the user types in a field, and deliver a new field that already has whatever they've typed already as the default value with autofocus on. Do I understand correctly? Is there something I'm missing, like autofocus not playing well with continuous chunks of data being delivered? I'm not saying you should put in the additional effort to do this for your beautiful-horrible-clusterfuck of a project, I'm just curious about the feasibility and thought you might already know the answer.
[0]: https://www.bram.us/2018/02/21/css-keylogger-and-why-you-sho...
That reminds me of:
• Stealing Data With CSS: Attack and Defense https://www.mike-gualtieri.com/posts/stealing-data-with-css-...
• CSS Exfil Vulnerability Tester https://www.mike-gualtieri.com/css-exfil-vulnerability-teste...
• CSS Exfil Protection (Firefox) https://addons.mozilla.org/en-US/firefox/addon/css-exfil-pro...
• CSS Exfil Protection (Chrome) https://chrome.google.com/webstore/detail/css-exfil-protecti...
Never really got much coverage. It's not mitigated by uBlock or uMatrix (unless you deny all CSS).
"Why's your code suck?: Why do you suck?"
I expected a lambda, which compresses/decompresses the url. This would also work without storing anything.
Thankfully, our method of receiving data fixes that for us. Here's what happens:
We show an "a" button whose background image is like "img/a". When you press it, the server receives the image request for "a" The server then pushes an update to the client to hide the current button and replace it with one whose background images is "image/aa".
I am happy to add “the hack FAQ” to my snack pack.
tl;dr css hover selectors that change the background image don't actually cause the browser to GET the specified background image until you hover over it, thus creating a way to send data from a web page with no javascript.
https://rawgit.com/elitheeli/stupid-machines/master/rule110-...
https://news.ycombinator.com/item?id=19847939
Now I don't know if there's any causal relationship between the two (or the three) or if it's just a big coincidence, since it says on the README that the inspiration for it came from a Tweet posted a few days ago.
Are browsers that allow CSS as vulnerable to being exploited as those that allow Javascript?
* Only with user interaction to step things along, similar to powerpoint: https://www.youtube.com/watch?v=uNjxe8ShM-8
HN Discussion: https://news.ycombinator.com/item?id=16319248
Basically the same idea, but it does refresh when you submit. The CSS buttons are quite a clever workaround to not refresh the page.
It still uses CSS so as not to be ugly, colour-code messages by user, and to position the "Enter message" box below the chat history, but I hope it gets the basic idea across. It should continue to work if you disable styling.
<meta http-equiv="refresh" content="10; URL='http://new-website.com'" />
So the page would simply refresh itself every 10 seconds.
You know, that HTTP allows websites to "track" you each time you visit them, right? The horror!
That doesn't solve the problem; email trackers could just use a unique URL per email.
Why are you contributing to the surveillance age of the internet?
That little background image feature in CSS has given up quite a bit of data in similar situations (people used to use it to check browsing history of :visited links before browser started blocking that).
Unfortunately, as always, using Tor will make things slower.
It will make this kind of example really slow, but if the intention is to break this kind of spying, then that's okay.
It's things like this that drove me to start browsing the web with CSS disabled by default. It's yet another vector for tracking.
This specific page uses :active, not :hover, so it is really no different from a web form, that performs web request each time you press a submit button. It just does not reload a page.
The infamous "a:visited" tracking didn't simply track your visits from Google — it tracked all your visits across entire Internet. Browser vendors are bunch of lazy hacks, who can't even implement per-site link history (just like they failed to implement per-site cookies). All "a:visited" states are source from single SQLite database, that stores your full web history. THAT is the "CSS Tracking", because it can tell a page about visits from completely different domains. Instead of separating your web history per-domain those <censored> have crippled :visited selector in several undocumented ways.
But who asked them to? As far as I know, the spec says nothing about per-site histories, and I find it much more useful to know if I already visited a site, regardless of the origin - for example, if I'm researching a topic, two or more sites might link to the same place, and I don't want to open it multiple times.
Plus, the idea that one can look at a modern browser, which are some of the most complex software packages being developed, and think "clearly these people don't know how to add an 'origin' column to a SQLite database", well, it boggles the mind.
To be fair there has been an ugly solution to this recently, the `__Host-` cookie prefix:
If you want to prevent this kind of spying, the solution is to load these kind of interactive background images either always or never, but not on the interaction they're supposed to track.
That being said, if one is THAT worried about tracking then one should not be on the modern web, and should probably stick to using Lynx over TOR.
I actually remember websites doing exactly that years ago.
Some would display the chat like here, by never closing the connection, as described in the repo. And another trick was to just send a refresh header (or use a meta tag) to automatically reload the iframe displaying the chat every $x seconds. The latter one was iirc more prominent because you could do it on any web host with PHP and MySQL as it doesn't require any long living processes.
In some other profession I'd make exceptions, but seriously the amount of money flowing to developers these days, there's no excuse to sell out.
Do you think that companies who send newsletter do it without any traces of analytics? Every link is tracked, every image is tracked. On the web, there are heatmaps of every single mouse movement. Your keystrokes used to be tracked too, until GDPR hit. Anyone who works does analytics can play back the path visitors used to navigate on the site.
It doesn't take any advanced team to do that. You simply drop a .js file from some third-party CND in your site's head and you have all that data. Any mom ? pop shop that has a website has access to that data.
Everyone does it, that's the current state of the industry. To refuse work from anyone who does analytics would mean to leave the web industry.
> but seriously the amount of money flowing to developers these days
At the time, I was paid cad$40k/year. According to glassdoor.ca, the salary for the same position would be cad$59k/year today. Not everyone works from the inside of a bubble.
It's intended to ensure that a CDN doesn't change the content they're serving to your users.
But it turns out you can approximate the speed a visiting browser computes those hashes to fingerprint browsers just by including some CSS on a page.
It boggles my mind too. Imagine, what would have happened, if those small Javascript snippets, used mainly to add cute visual effects to pages, could check if some image from different site is already in browser cache by performing cross-site HTTP requests... That would allow completely new dimension of spying on web users!
Fortunately, browser developers are some of the most competent people in the word. They would never give web pages too much power by letting them start CPU threads, use OpenGL, allocate arbitrary amount of memory or read your battery level to set exorbitant taxi tariffs for people in a pinch. Browsers are well-designed and highly secure, because they are being updated with security fixes every day, sometimes even multiple times a day.
They use SHA512 which is fast, but noticeable for large enough files.
> Or is this meant to spite the 0.01% of visitors that really try not to be tracked and have turned off javascript?
Yes, the point is that it works with blockers.
* FAQ is "fack", though I hear "eff-aye-que" often enough. * .edu is "dot ee dee you" not "dot ed-you", though I pronounce all of the other old-school domains as words. * .dev is definitely "dot dev", since "dev" is a word.
It may be apocryphal, but I remember reading somewhere that Tim Berners-Lee chose the name "World Wide Web" because the acronym was harder to say than the word itself.
I prefer ed-you, since it’s both shorter and matches the pronunciation of ‘education’. But when I’m feeling saucy, I pronounce .edu “dot eedoo”.
I don't doubt it.
> Everyone does it, that's the current state of the industry.
That's not an excuse
> To refuse work from anyone who does analytics would mean to leave the web industry.
Analytics as a whole is not the issue. Doing shit like abusing CSS in order to track when someone opens an email and what they do in that email is evil. That violates the user's trust and expectations. I don't doubt that any time I spend on somebodies website will be tracked and analyzed by them. But they have no right to track and analyze me on my own properties, like while reading my own email.
"Everybody is doing it" is not an excuse for evil behaviour. Be better than others, don't contribute to this race to the bottom.
59k a year is a very healthy salary. I know real Engineers doing things like verifying building and bridges who make less than that. Honestly to think that $59k a year in Canada is too little money to afford a moral compass shows how much of a bubble you are already in.
When their device calls our server, we have access to this person's basic information. Usually this information isn't aggregated but only counted to know how many users opened the email.
That's the equivalent of a caller id. This is the less hurtful and evil method of tracking I can think of.
I don't understand why you are so outraged from it.
Nobody is forcing you to open the newsletter email titled "AMAZING deal from [brand], get ONE FREE if you purchase THREE!" that you just received and much less to click the "request images in this email" button.
I could understand your point if we were talking about "Canvas Fingerprinting" where an invisible image is generated and the user's GPU is singled out to an unique token by exploiting the unique hardware information outputted during the rendering of the image, allowing you to track user across browsers, sites, logins and even after a software format or operating system reset.
However right now I'm merely talking about tracking the number of hits our server receive for "banner-image.jpg". This is not even information unique to the viewer.
And nobody is forcing you to invade users privacy.
> We used to do that to track emails. Gmail's fix was to cache the emails' images on their own server,
The fact that you call what gmail did a "fix" shows that you know what you're doing is not okay.
I'd love to meet these people. I've yet to have a good email publisher experience. whether it's a fortune 500 co or the newest startup they all terribly abuse email.
> unsubscribing you automatically
What is this magic? I've never once been automatically unsubscribed from anything.
That does not remotely sound like the behaviour of responsible "email publishers". Responsible behaviour is to only email people who asked for it, and to stop when they tell you to stop. Clever trickery to spy on people is not the behaviour of responsible people.
If their intention was as you say, it would be really stupid and unreliable trickery, not just because some systems might load the images without the user reading the email, but also because the user might read the email without loading the images. And even if they were to only and reliably load on reading, reading the email does not in any way imply that the user wants to receive it. Lots of people open email before throwing it away. Some mail readers show a preview which may be enough to read the message. Does that count as reading or not?
No responsible organisation would rely on this kind of trickery, and no organisation that relies on this can be considered responsible in their handling of email.
No, they don't.
> Gmail causing a lot of bogus engagement would make it look like people can’t get enough of your content
For a few days, perhaps. Gmail accounts for a significant proportion of all email. 'Publishers' would quickly realise they are no longer able to track emails sent to Gmail. To fail to do so would be their loss; if that weren't the case, they wouldn't bother with tracking at all.
They recently sent me an email saying something like "we noticed that you're not reading our email, so we're unsubscribing you." Apparently I hadn't been loading their tracking pixel/script/CSS, so they thought I wasn't "engaging" enough. This was despite the fact that I clicked on links to full articles, which had all sorts of tracking info embedded in a redirect.
A responsible email publisher offers a clearly-visible "unsubscribe" link at the bottom of the email, which will unsubscribe you with a single click. No nags, no checklists of email categories, maybe an "are you sure?" page at most, with equal-sized "yes" and "no" buttons. One or two clicks, and I don't hear from you again.
A dodgy email provider is more likely to "use lack of opens to reduce volume." If I don't trust some company to actually unsubscribe me when I ask, I'll just filter their domain directly to the trash. Clicking on spammers' "unsubscribe" links is usually a bad idea.
To be fair, this is the kind of thing where, if it had happened, it’s possible you wouldn’t have ever noticed.
Google, in particular, will send all a sender’s mail to everyone’s spam folder if it sees low engagement across all gmail users... so it is in publisher’s own self interest to remove disengaged users.