InformAction Forums

[lux99]

Firefox has a new add-on called Collusion, basically showing links to visited web sites and links to third parties wanting to place cookies
This is nothing new, NoScript does more or less the same, actually not showing who´s placing cookies, but listing all requests to 3rd parties.
To make sure that Collusion could do the job as good as NoScript I disabled NoScript (Allow Scripts Globally) and I visited an italian online newspaper www.corriere.it
Not surprisingly Collusion did not show all web sites that are listed by NoScript, not all of them are placing cookies in the end.
BUT Collusion showed one that NoScript did not list: rcsmetrics.it
Same happens with another newspaper elpais.com. There you have 2o7.net that is not listed by NoScript.
Can anyone explain that?
Regards
Luca

[GµårÐïåñ]

NoScript often shows you all the sites that are linked to the page, but generally IIRC only if they have scripting or some type of interaction with the main page that is within its functional security scope. Just like when you use RequestPolicy, it often blocks the cross domains so well, that you never even see them in NoScript but there are times that although the cross domain connections are NOT allowed in RequestPolicy, NoScript will still catch and show it in the menu list because it has more intelligently caught some kind of reference to it that may have been done in such a manner that was not obvious. So despite your experience that NS didn't show something, keep in mind, NS only deals with what's relevant, not everything that is there for the sake of the fact that its there. I mean if its serving just an image, who cares, its not blocking images, just scripting and embeddings like Flash, Java, etc. Just saying.

[Thrawn]

If you want to see all of the requests that a site is making, you could filter them all with ABE and watch the error console:

Code: Select all

Site ALL
Accept from SELF++
Anon


Which reminds me, I'm currently producing a mock-up of the SABER interface (it would be an ideal tool for this job).

[GµårÐïåñ]

Yeap that would do it, although it might slow the browser experience because of the constant logging but still not a bad idea at all. Did you get my email on the SABER interface? I am working on the interface too, and let's see where we meet on that which balances, function against ease.

[apollo702]

There is a TED talk on Collusion by Gary Kovacs http://www.ted.com/talks/lang/en/gary_kovacs_tracking_the_trackers.html and I was horrified ! He brought up the subject of tracking and said that with Collusion we could passively(my emphasis) track the trackers and be aware of them. I had to watch it again to see if I missed it- but it appears that he has no idea that many of FF's top add-ons can put a stop to the tracking. I have long wondered if the folks at Mozilla run add-ons at all or if they are aware of the privacy that NoScript, Ghostery, Request Policy... can provide. There is other evidence of this. How many times has their featured add-on list made sloppy selections that anyone who actually had run the add-ons would never have put them there? How many times have add-ons getting one-star reviews right and left made the list? I can't read their minds but the evidence so far is

[GµårÐïåñ]

Don't put your faith in the Mozilla addon team to tell you what is good and what is not, they are mediocre and useless at best. Their review process is non-existent and the people in charge of it are often clueless and lazy. Security is a proactive sport and you have to do your own due diligence and research and protect yourself. Tools like NoScript, RequestPolicy are excellent at that and despite large support base, quite underrated if you ask me.

[therube]

Years ago I had some faith in them- and honestly even back then there were some really major cracks in the dam. In my mind the golden age of Mozilla was about the Firefox 3.6 era. I was running what were 2 of the leading add-on collections and had 2 in the top 10. I always found screwy things with what Mozilla did- but diligent users could really put together some things of beauty. I had always been preaching that the browser ( as downloaded) was marginally better- but the real stars of the show were the add-ons and it was the community that really was taking it to all new levels.

Then the rapid release nightmare started and it seems that even the things they did well suddenly went to hell in a handbasket. I wont even list them all and I am sure that anyone on these pages knows them all to well. For a long time I wondered if Google had unofficially bought their way into Mozilla and ordered them to commit sabotage on their own products so the public would flee in droves. That way they could kill privacy without taking a PR hit. If Firefox could be destroyed then taking down Internet Explorer would be easy... I have done some digging around and I found some people who have an in at Mozilla and they aren't sure about the Google angle- but they say that what they see is stunning incompetence.

At the moment I am migrating to Palemoon and so far it is remarkably low on bugs. I have spoken numerous times to it's developer and he has a great attitude about quality. As far as Mozilla is concerned I now view them as a cancer to be cut out of my life. Even as I write this Freezeox 13.01's approval ratings have risen to 9% from 6%. Why? Because people are fleeing in droves and the complaints are dropping off! http://input.mozilla.org/en-US/?product=firefox&version=13.0.1&page=1 and it is as if they take the complaints as feature requests to double down on! I used to be a Feebay powerseller years ago and by rule I had to maintain a 98% approval rating. Hell, even congress has broken into the double digits at 11% Maybe Mozilla isn't dead YET but in my mind it is much like the scene in Titanic in which the ship had long ago struck the iceberg. The bow has already gone under and the stern has risen up. People are hanging on for dear life but even the stern is moments away from going down too...

[GµårÐïåñ]

Yeah in my view Fx is dead browser walking and I foresee that it will go the way of other browsers that got hyped and then died off. Addons like NS and RP are the only reason I stick with it and even then its only about 30% of the time, I use my own builds of Chromium original source so I don't have to deal with Google's Chrome version which pushes their own services and yet have a browser that has enough source modulation to allow me to tighten it up a bit. I have tried to do the same with Mozilla but its codebase is such a mess and a patch work of crap upon crap that I gave up trying to build anything unique out of that mess. For example, Collusion, does absolutely NOTHING for me, because NS castrates everything so well, it has nothing to show.

[apollo702]

Yeah in my view Fx is dead browser walking and I foresee that it will go the way of other browsers that got hyped and then died off. Addons like NS and RP are the only reason I stick with it and even then its only about 30% of the time, I use my own builds of Chromium original source so I don't have to deal with Google's Chrome version which pushes their own services and yet have a browser that has enough source modulation to allow me to tighten it up a bit. I have tried to do the same with Mozilla but its codebase is such a mess and a patch work of crap upon crap that I gave up trying to build anything unique out of that mess. For example, Collusion, does absolutely NOTHING for me, because NS castrates everything so well, it has nothing to show.

I don't know why I was so surprised when I watched the TED talk considering how he ran the SS Mozilla into into the iceberg- but unlike the Titanic at Mozilla they seem to keep piling on the mistakes. If Gary Kovacs were the captain of the Titanic he would have sent some crew to inspect the ship and since it was slowly flooding he would have ordered them to keep slamming into icebergs until the ship totally went under...

I still can't wrap my head around how someone in such a high position is lamenting the fact that there are trackers and we can watch them and be aware of them. I never was into grassy-knollism but Mozilla gets $100 million in funding from Google- virtually all of their funding. If there are no dots to connect I sure will be shocked.

Lastly, Ghostery labels trackers and NS also easily does it too. All we need to do is middle-click on unknown scripts and we can look them up. It is so easy 80 year old grannies can figure it out. Heck, I even use this method for Request Policy's unknown requests. I just keep a tab open with the NS ratings and then I just put the request links in if I don't already know what they are. I have already done a gazillion configurations for virtually every known page on the net( One of my never-ending projects is building the ultimate website list) and it is easy to know what to allow and what to block. Why the heck would I need collusion? Pfffftt!

[GµårÐïåñ]

I wanted to give Collusion its fair shake, I am always fair and don't pre judge anything until I have had a chance to tear it apart and can stand by what I say. I allowed its resource:// link in NS, I gave it full RP access and its still a blank page, I mean come on give me a break. In another secure profile that I have so tight nothing goes without my permission, I ran it and EVERYTHING is a line between me and the website I went to, NO CROSS connections and I was like, duh! That's how I have it setup, so it proved to me that I had a security that was bulletproof as proven in fact over the last decade and half.

[apollo702]

<span> That's how I have it setup, so it proved to me that I had a security that was bulletproof as proven in fact over the last decade and half.</span>

It is funny because ever since I really learned these things NOTHING ever gets through. I have the most boring security scans in the world. Not even a simple tracking cookie is getting through and I really put most of the credit at stopping things from getting through the browser rather than waiting till trouble gets in and then running security software to try to get rid of it.

I may want to start a thread in the security section about it because there comes the issue of how much security and privacy is too much? It seems that when all of us are in the early stages of our learning phase we just pile on one layer of security after another. If something is labeled security then it must be good and we add it too! Then we realize that the law of diminishing returns kicks in or we even get negative returns. It sounds like heresy but there is a point in which we want to start stripping away some of the junk security. Things like Collusion would be on that list. Why waste the time when things like NS do an infinitely better job? Just because something is labeled privacy or security doesn't mean that we want it or it is going to cut the mustard.

[tlu]

Yeah in my view Fx is dead browser walking and I foresee that it will go the way of other browsers that got hyped and then died off. Addons like NS and RP are the only reason I stick with it and even then its only about 30% of the time, I use my own builds of Chromium original source so I don't have to deal with Google's Chrome version which pushes their own services and yet have a browser that has enough source modulation to allow me to tighten it up a bit. I have tried to do the same with Mozilla but its codebase is such a mess and a patch work of crap upon crap that I gave up trying to build anything unique out of that mess. For example, Collusion, does absolutely NOTHING for me, because NS castrates everything so well, it has nothing to show.

A few comments:

1. I agree what is said in this thread about Collusion. It's a joke. I want to block cookies (particularly from trackers), I don't want to watch them
2. IMO, the rant about FF and the rapid release process is exaggerated. Yes, it's really a pity that Electrolysis is put on hold, and yes, FF 4 was horrible, but since then FF has improved a lot (e.g. the MemShrink project).
3. Regarding FF vs. Chrome: I still prefer FF because it's considerably more configurable (there's hardly anything in about:config which you can NOT change/tweak); many addons are still better and more reliable than their Chrome counterparts (ScriptNo is definitely inferior to Noscript, the Chrome ABP version is not yet on par with the FF one, and the same is true for Autopager - just to name some examples.) Several aspects in Chrome are not as controllable as in FF (see also what I wrote here), e.g., you can not disable DOM Storage (I know, I know there is a switch for that - but if you use it most Chrome addons don't work anymore so it's unusable). And yes, the Chrome sandbox (or rather sandboxes if you're using Ubuntu) is definitely a good thing and I hope that FF will have it, too, before long. However, with FF tightly confined in its Apparmor profile in Ubuntu I feel safe without a sandbox. On the other hand, I regard the risks from XSS and Clickjacking rather high (actually higher than malware trying to break out of a sandbox or Apparmor). While Chrome has a built-in XSS filter, there is nothing against Clickjacking. Noscript is still the only protection against this. Besides, Google is one the few monopolies which try to dominate the Internet, and Chrome is one tool for them to achieve this. If everyone is using their browser, they are free to define web standards as they suit them - and not necessarily us. Therefore, it's also a political decision which browser to use.
4. Regarding the Mozilla Review Process: What you wrote contradicts to what Giorgio said about it:

In fact, the review process has been improved and tightened a lot during the past years, for instance:

an automatic scanner checks for many known buggy, unsafe, and/or malicious coding patterns
editors are all picked among expert extension developers and must audit the code of the extension, rather than just checking that it works as advertised and doesn't exhibit malicious behavior
in case of doubt, the mandatory review performed by "ordinary" editors escalates to a super-review to be made by an AMO administratos

This doesn't mean a 100% guarantee that a malicious or buggy extension can't be published on AMO, but is significantly better than any other web-based software repository that I know (including Google's Chrome Extensions vault and Apple's Apps marketplace).

[GµårÐïåñ]

There is frankly no good browser, not Fx, not Chrome, not anything really. The only reason I stay with Fx at all is because of NS, I already said that, so I am aware that Chrome counterparts are not as good. And no what I said in no way contradicts what Giorgio said, he is being a sincere individual who takes their word on what they are doing better and I see it with my owns eyes that they don't. Simple as that on what's the difference. I am not arguing for or against anyone in particular, to each their won but after two and half decades in the field, I have seen it ALL and I can tell when the proverbial writing is on the wall on something, and when it happens, I promise not to say I told you so. As for MemShrink, I am on the project and aware of what it has accomplished which also let's me know what they have not, cannot and will never achieve, but they won't tell you about it. They hope what they HAVE achieved is enough window dressing to make people not look at the stuff they have not and will never achieve.

[apollo702]

. IMO, the rant about FF and the rapid release process is exaggerated. Yes, it's really a pity that Electrolysis is put on hold, and yes, FF 4 was horrible, but since then FF has improved a lot (e.g. the [url=<a href="https://blog.mozilla.org/nnethercote/]MemShrink[/url]" class="smarterwiki-linkify">https://blog.mozilla.org/nnethercote/]MemShrink[/url]</a> project).

I agree with most of the rest of what you had to say and you brought up many good points- but rabid-release is indeed ruining FF. During the good old days of 3.6 we all were happy. I had a killer setup with was a thing of beauty and I was forced to roll back to it once the rabid-release horror started. It only was considerably later that I switched to Palemoon. I tried every version of 4-4.14 and almost always they were progressively WORSE! Often times I wondered why am I doing this? If all they are going to do is pile error after error on and continually look for ways to aggravate their users then why bother?

I did install 4.14 to test it out and there were a few minor improvements. They did remove the dumb white backgrounds for icons on the address bar. It is a bit faster- but the startup time still sucks. My PM setup is almost a carbon-copy and it starts up about 30 seconds to a minute faster and it has a tiny fraction of the bugs!

There are still 1000000000000000000000000000 bugs and annoyances that they have refused to fix. Maybe even 10000000000000000000000000001? However many it is- it is a lot! Also, I noticed that they did more idiotic changes to the UI such as removing site icons and replacing with some gray mystery object and removing the blue and green backgrounds for safe sites. I promptly installed the Site Identify Button Colors add-on to correct that mistake. PM didn't make the icon mistake but it's color backgrounds are weak. The add-on significantly improved them so it will be a keeper in PM. Probably the only thing from keeping me from buying Freezefox a 1 way ticket to uninstallville is I might want it for testing and backup purposes.

Also, does anyone who doesn't work at Mozilla actually believe that it is really version 14 and not 4.14? I know that I have some really radical ideas but there is this thing called the decimal point. I know that the "." is a radical new concept but I really am one of those radical fringe types of people I guess.

I get the gimmick that Google invented. It is true that Internet Explorer had a near monopoly for years and Microsucks had little incentive to improve it. Then Google comes along and labels even the most minor update a major new release to show them up- but guess what? Add a decimal point for all of the minor updates and Google, Microsucks and Mozzmessedup all are releasing at almost exactly the same pace. Furthermore, if any institution was capable of pulling of a 6 week schedule it would be Google. I criticize( and praise them too for many things too!) them night and day and they have mega-bucks at their disposal and they hire skilled people. I totally oppose their attitude about spying but if they release something it almost is sure to be smooth and alluring to the masses. Mozilla on the other hand... I have often speculated that Google ordered or tricked them into rabid-release to quietly make them commit suicide...

I wish that the late Steve Jobs could have taken over Mozilla. He used to yell and scream at anyone who approached him with buggy tech and would have demanded that they take it back to the drawingboard! Nobody is impressed by their suicidal 6 week release schedule. Nobody says "Wow! Look at Mozilla! They really are innovating!" All people think is "Oh no! What have they ruined now... ughhhh!" They need to take a Steve Jobs style of not releasing anything until it is beautiful! That and that alone will save Mozilla. Sorry, but rabid release is foaming at the mouth, completely mangy and it is attacking everything in sight. It needs to be captured and put down before it does any more damage.

[Thrawn]

Speaking of "foaming at the mouth"...I can sympathise with the sentiments, but getting O/T. Maybe time to move to Ragnarok?