RefControl caution

Talk about internet security, computer security, personal security, your social security number...
Post Reply
User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

RefControl caution

Post by Thrawn » Thu Sep 13, 2012 3:40 am

Like several others here, I use & recommend the RefControl addon for hiding/altering the Referer(sic) header.

However, a word of caution: do not set the default action to 'Forge'. This action will bypass any Referer checks on all servers, which may actually make you more vulnerable to CSRF attacks. Granted, checking Referer is not a reliable server-side defence, but many sites use it, and there's no point making them any weaker than they already are. A better default is 'Block', with 'Forge' being applied to specific sites that would otherwise break.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1

User avatar
therube
Ambassador
Posts: 7669
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: RefControl caution

Post by therube » Thu Sep 13, 2012 4:06 am

> Granted, checking Referer is not a reliable server-side defence, but many sites use it

Still?
In days of old a lot of porn sites used referrer checks to allow or not allow a user.
What a joke.
refspoof (2003 from the date of my copy, & look it's still there, but again different from mine) was a popular extension in those days ;-).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/17.0 Firefox/17.0 SeaMonkey/2.14a2

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3347
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: RefControl caution

Post by GµårÐïåñ » Thu Sep 13, 2012 9:11 pm

I universally set mine to BLOCK and make exceptions to those that I know need it to work. However, although you are theoretically correct, its a very unlikely and small attack vector that is not effective in doing much. Rest at ease my friend.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: RefControl caution

Post by Tom T. » Fri Sep 14, 2012 6:07 am

Thanks, Thrawn and GµårÐïåñ. I've changed mine from Forge to Block. Good tip, guys.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:15.0.1) Gecko/20100101 Firefox/15.0.1

Post Reply