Can websites somehow detect your ABE rules?

Discussions about the Application Boundaries Enforcer (ABE) module
johnscript
Junior Member
Posts: 49
Joined: Wed Feb 20, 2013 1:49 pm

Can websites somehow detect your ABE rules?

Post by johnscript » Wed Jul 27, 2016 10:34 am

We know that websites can kinda easily detect if you are using NoScript (well, scripts are blocked...) so much so that I often spot some specific "noscript" elements in page sources (maybe they are adding those to "unbreak" the page if scripts are blocked?) : but can they also detect if you are using some custom ABE rules from the requests that your browser is sending (after all ABE can modify the behavior in peculiar ways) , and therefore track you based on that?
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

barbaz
Senior Member
Posts: 9781
Joined: Sat Aug 03, 2013 5:45 pm

Re: Can websites somehow detect your ABE rules?

Post by barbaz » Wed Jul 27, 2016 3:38 pm

Yes and no. It depends on the purpose of your ABE rules.
I'm not giving more information in a public thread.
*Always* check the changelogs BEFORE updating that important software!
-

Guest

Re: Can websites somehow detect your ABE rules?

Post by Guest » Wed Jul 27, 2016 4:13 pm

How would someone detect ABE rules? I can detect Javascript on/off and the NoScript addon, but not ABE rules. I think this is impossible. This is the same with iptables rules.
Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Can websites somehow detect your ABE rules?

Post by Thrawn » Wed Jul 27, 2016 11:54 pm

If you're blocking a request, but allowing JavaScript on the site, it's theoretically possible for the site to detect that it gets errors trying to send that request.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0

johnscript
Junior Member
Posts: 49
Joined: Wed Feb 20, 2013 1:49 pm

Re: Can websites somehow detect your ABE rules?

Post by johnscript » Sat Jul 30, 2016 10:22 am

Guest wrote:How would someone detect ABE rules? I can detect Javascript on/off and the NoScript addon, but not ABE rules. I think this is impossible. This is the same with iptables rules.


Maybe not : although ABE is generally described as a firewall for convenience, I think it's not just comparable to an iptables-based normal firewall.

With iptables, you are basically allowing/denying/restricting some IPs, there's probably not much to infer from that - with ABE, however, you are interacting with a webserver selectively allowing/denying elements from a website, modifying somehow the expected interaction between your browser and the server in a way that (possibly?) goes beyond what common adblockers do.

Something like that, maybe:
Thrawn wrote:If you're blocking a request, but allowing JavaScript on the site, it's theoretically possible for the site to detect that it gets errors trying to send that request.


I guess there is after all some fingerprinting material there for someone really interested in that, and we all know that websites are going to great lengths to accurately fingerprint and track users (even more so across different devices) - but then we know that NoScript is a security suite, not (strictly speaking) a privacy tool, therefore I'm certainly not complaining here.
I was just thinking about this particular aspect.
Last edited by johnscript on Sat Jul 30, 2016 10:54 am, edited 1 time in total.
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

johnscript
Junior Member
Posts: 49
Joined: Wed Feb 20, 2013 1:49 pm

Re: Can websites somehow detect your ABE rules?

Post by johnscript » Sat Jul 30, 2016 10:24 am

barbaz wrote:Yes and no. It depends on the purpose of your ABE rules.
I'm not giving more information in a public thread.


Well yes, I can understand that: no need to give away free stuff.
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Can websites somehow detect your ABE rules?

Post by Thrawn » Sun Jul 31, 2016 11:33 pm

johnscript wrote:no need to give away free stuff.

No need to give away free help and code samples to people who want to fingerprint you.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0

johnscript
Junior Member
Posts: 49
Joined: Wed Feb 20, 2013 1:49 pm

Re: Can websites somehow detect your ABE rules?

Post by johnscript » Mon Aug 01, 2016 9:13 pm

But that's what I meant exactly: my apologies if it wasn't so clear... the "free stuff" thing was actually referred to them.

And thinking of it again, if *I* thought about this, they
Thrawn wrote:No need to give away free help and code samples to people who want to fingerprint you.

must have figured this out already - I guess it's the well known security vs. privacy dilemma.
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Can websites somehow detect your ABE rules?

Post by Thrawn » Mon Aug 01, 2016 11:00 pm

johnscript wrote:But that's what I meant exactly: my apologies if it wasn't so clear... the "free stuff" thing was actually referred to them.

Ah, thanks.

We're all volunteers here except Giorgio, so "giving away free stuff" is what we do in general.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0

Post Reply