Sniffing Browser History with NO Javascript

General discussion about the NoScript extension for Firefox
tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: Sniffing Browser History with NO Javascript

Post by tlu » Wed Jun 17, 2009 4:06 pm

luntrus wrote: CookieSafe


I used that, too, but switched to Cookie Monster because it's easier to configure, IMHO.

And I'd like to add Secure Login which is a good companion for Noscript.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090616 Ubuntu/9.04 (jaunty) Minefield/3.6a1pre

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3350
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: Sniffing Browser History with NO Javascript

Post by GµårÐïåñ » Thu Jun 18, 2009 5:42 am

Tom T. wrote:@Giorgio: Please ignore the moronic slanders and stay focused on what you are doing with NoScript. Then, "res ipsa loquitur" (it will speak for itself... to anyone with an open mind). IIRC, it was Isaac Asimov who said, "Never try to teach a pig to sing. It wastes your time and annoys the pig". Don't argue with the pigs. Make NS the best it can be, and let those with awareness or an open mind use it, and let the morons become part of botnets, bank accounts drained, etc. </preach>


Agreed

And thanks for the mention of SafeHistory. I became very active here too recently to have read the "old, old news", but installed it on your advice. I'm surprised it's not being actively maintained, being a product of the prestigious Stanford University, apparently. Perhaps someone that you trust could find a way to integrate this into NS, as you are so busy? I can find volunteers. :)


I have actually used this for a while and have mentioned it a few times along with RefControl. The only complaint I had about it was that it was not being developed anymore and I don't have sufficient knowhow of Fx internals to work on it.

Can a history-sniffing attack truly work if I clear ALL data in "clear private data/settings" in between website visits? No details needed, just yes or no -- just curious.

Thanks as always.


Yes it can but it would be much harder, not worth the time and involve a whole lot of guessing.

Giorgio Maone wrote:Yes.
But does anybody really do that?


Agreed, my point exactly.

It makes turning on off the new Fx 3.5 layout.css.visited_links_enabled about:config preference to false sound like a convenient fix ;)
(Yes, in Firefox 3.5 you can actually defeat this attack at the price of not seeing any history feedback inside the pages you visit).


A bit of a pain in the ass but it works effectively and have been using this hack for a long time, I just forget to restore it sometimes when I ditch and create a new profile.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Sniffing Browser History with NO Javascript

Post by Tom T. » Thu Jun 18, 2009 7:13 am

tlu wrote:
Tom T. wrote: Will look at Ref Control, thanks.
I'm a long-time user of RefControl - a good tool, indeed.

As soon as I looked at it, I liked what I saw, and installed it.
I was tempted to forge "noneofyourbusiness.com" as the universal referrer, no doubt to the amusement of those who review the server logs, but realized that that in itself could become a super-cookie tracking device -- unless ALL RefControl users used it. It should be the default ! :lol: :lol: :lol:

I'm trying to keep the # of add-ons reasonable, to avoid the inevitable conflicts, but will look at everyone's suggestions.
However, my original request still stands:

When Giorgio has the time, if ever, would he post *his* recommended list of privacy/security extensions, and possibly make it a sticky, possibly in a forum of its own.

Thanks all for input.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: Sniffing Browser History with NO Javascript

Post by tlu » Thu Jun 18, 2009 9:34 am

Giorgio Maone wrote:It makes turning on off the new Fx 3.5 layout.css.visited_links_enabled about:config preference to false sound like a convenient fix ;)
(Yes, in Firefox 3.5 you can actually defeat this attack at the price of not seeing any history feedback inside the pages you visit).


Well, I had the same problem with SafeHistory when I used it. E.g., in forums no threads were marked as read when using the back button. So it seems whatever you use there is always a drawback.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090616 Ubuntu/9.04 (jaunty) Minefield/3.6a1pre

User avatar
Giorgio Maone
Site Admin
Posts: 8954
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Sniffing Browser History with NO Javascript

Post by Giorgio Maone » Thu Jun 18, 2009 9:50 am

tlu wrote:Well, I had the same problem with SafeHistory when I used it. E.g., in forums no threads were marked as read when using the back button.

That was an implementation bug, not a design one: the concept of SafeHistory is that sites can "know" if a certain page has been visited or not only if you actually visited that page by navigating from the current site. Therefore forum thread links on the forum itself should obviously be highlighted.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)

tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: Sniffing Browser History with NO Javascript

Post by tlu » Thu Jun 18, 2009 10:15 am

Giorgio Maone wrote:
tlu wrote:Well, I had the same problem with SafeHistory when I used it. E.g., in forums no threads were marked as read when using the back button.

That was an implementation bug, not a design one: the concept of SafeHistory is that sites can "know" if a certain page has been visited or not only if you actually visited that page by navigating from the current site. Therefore forum thread links on the forum itself should obviously be highlighted.


Thanks, good to know. So it would be really great if you could take over its development and/or integrate it in NoScript if time permits.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090617 Ubuntu/9.04 (jaunty) Minefield/3.6a1pre

MysterX

CSS Vulnerability

Post by MysterX » Fri Jun 26, 2009 3:09 pm

Hi,

I was wondering if any steps have been taken in NoScript development to address this particular exploit, see http://www.making-the-web.com/misc/sites-you-visit/nojs/ for an overview and revealing demonstration.

regards

:geek:
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)

User avatar
therube
Ambassador
Posts: 7680
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: CSS Vulnerability

Post by therube » Fri Jun 26, 2009 3:31 pm

Old news.
(Merging ...)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 SeaMonkey/1.1.17

dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Sniffing Browser History with NO Javascript

Post by dhouwn » Thu Apr 01, 2010 8:54 am

Update on this:
http://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/
http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/
Seems like they didn't went the SafeHistory way… :roll: (which would have been easier to implement and maintain IMHO)

Giorgio Maone wrote:Very well thought fix :)
I don't share your opinion in this case and seems like I am not the only one…
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a4pre) Gecko/20100331 Minefield/3.7a4pre

eradic8
Senior Member
Posts: 67
Joined: Wed Aug 26, 2009 11:43 am

Re: Sniffing Browser History with NO Javascript

Post by eradic8 » Sat Apr 03, 2010 10:59 am

All this stuff is way above my head, but I was wondering if someone could tell me if I am safe from this browser sniffing problem. I always surf webpages using private browsing in firefox, and of course I have no script enabled.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)

User avatar
Giorgio Maone
Site Admin
Posts: 8954
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Sniffing Browser History with NO Javascript

Post by Giorgio Maone » Sat Apr 03, 2010 11:09 am

dhouwn wrote:
Giorgio Maone wrote:Very well thought fix :)
I don't share your opinion in this case and seems like I am not the only one…

Could you elaborate? Who are the others, and what are their arguments?

I share your feeling about it being a bit overcomplicated and probably difficult to keep in sync with the always moving HTML 5 spec, but it's definitely more usable (literally, for end-users) than SafeHistory.

That said, I also preferred the SafeHistory/SafeCache approach (i.e. partitioning history according to site boundaries), and had even filed a bug to make it possible for NoScript, although I'm quite doubtful about its fate now...
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

Post Reply