Page 2 of 2

Re: Sniffing Browser History with NO Javascript

Posted: Wed Jun 17, 2009 4:06 pm
by tlu
luntrus wrote: CookieSafe


I used that, too, but switched to Cookie Monster because it's easier to configure, IMHO.

And I'd like to add Secure Login which is a good companion for Noscript.

Re: Sniffing Browser History with NO Javascript

Posted: Thu Jun 18, 2009 5:42 am
by GµårÐïåñ
Tom T. wrote:@Giorgio: Please ignore the moronic slanders and stay focused on what you are doing with NoScript. Then, "res ipsa loquitur" (it will speak for itself... to anyone with an open mind). IIRC, it was Isaac Asimov who said, "Never try to teach a pig to sing. It wastes your time and annoys the pig". Don't argue with the pigs. Make NS the best it can be, and let those with awareness or an open mind use it, and let the morons become part of botnets, bank accounts drained, etc. </preach>


Agreed

And thanks for the mention of SafeHistory. I became very active here too recently to have read the "old, old news", but installed it on your advice. I'm surprised it's not being actively maintained, being a product of the prestigious Stanford University, apparently. Perhaps someone that you trust could find a way to integrate this into NS, as you are so busy? I can find volunteers. :)


I have actually used this for a while and have mentioned it a few times along with RefControl. The only complaint I had about it was that it was not being developed anymore and I don't have sufficient knowhow of Fx internals to work on it.

Can a history-sniffing attack truly work if I clear ALL data in "clear private data/settings" in between website visits? No details needed, just yes or no -- just curious.

Thanks as always.


Yes it can but it would be much harder, not worth the time and involve a whole lot of guessing.

Giorgio Maone wrote:Yes.
But does anybody really do that?


Agreed, my point exactly.

It makes turning on off the new Fx 3.5 layout.css.visited_links_enabled about:config preference to false sound like a convenient fix ;)
(Yes, in Firefox 3.5 you can actually defeat this attack at the price of not seeing any history feedback inside the pages you visit).


A bit of a pain in the ass but it works effectively and have been using this hack for a long time, I just forget to restore it sometimes when I ditch and create a new profile.

Re: Sniffing Browser History with NO Javascript

Posted: Thu Jun 18, 2009 7:13 am
by Tom T.
tlu wrote:
Tom T. wrote: Will look at Ref Control, thanks.
I'm a long-time user of RefControl - a good tool, indeed.

As soon as I looked at it, I liked what I saw, and installed it.
I was tempted to forge "noneofyourbusiness.com" as the universal referrer, no doubt to the amusement of those who review the server logs, but realized that that in itself could become a super-cookie tracking device -- unless ALL RefControl users used it. It should be the default ! :lol: :lol: :lol:

I'm trying to keep the # of add-ons reasonable, to avoid the inevitable conflicts, but will look at everyone's suggestions.
However, my original request still stands:

When Giorgio has the time, if ever, would he post *his* recommended list of privacy/security extensions, and possibly make it a sticky, possibly in a forum of its own.

Thanks all for input.

Re: Sniffing Browser History with NO Javascript

Posted: Thu Jun 18, 2009 9:34 am
by tlu
Giorgio Maone wrote:It makes turning on off the new Fx 3.5 layout.css.visited_links_enabled about:config preference to false sound like a convenient fix ;)
(Yes, in Firefox 3.5 you can actually defeat this attack at the price of not seeing any history feedback inside the pages you visit).


Well, I had the same problem with SafeHistory when I used it. E.g., in forums no threads were marked as read when using the back button. So it seems whatever you use there is always a drawback.

Re: Sniffing Browser History with NO Javascript

Posted: Thu Jun 18, 2009 9:50 am
by Giorgio Maone
tlu wrote:Well, I had the same problem with SafeHistory when I used it. E.g., in forums no threads were marked as read when using the back button.

That was an implementation bug, not a design one: the concept of SafeHistory is that sites can "know" if a certain page has been visited or not only if you actually visited that page by navigating from the current site. Therefore forum thread links on the forum itself should obviously be highlighted.

Re: Sniffing Browser History with NO Javascript

Posted: Thu Jun 18, 2009 10:15 am
by tlu
Giorgio Maone wrote:
tlu wrote:Well, I had the same problem with SafeHistory when I used it. E.g., in forums no threads were marked as read when using the back button.

That was an implementation bug, not a design one: the concept of SafeHistory is that sites can "know" if a certain page has been visited or not only if you actually visited that page by navigating from the current site. Therefore forum thread links on the forum itself should obviously be highlighted.


Thanks, good to know. So it would be really great if you could take over its development and/or integrate it in NoScript if time permits.

CSS Vulnerability

Posted: Fri Jun 26, 2009 3:09 pm
by MysterX
Hi,

I was wondering if any steps have been taken in NoScript development to address this particular exploit, see http://www.making-the-web.com/misc/sites-you-visit/nojs/ for an overview and revealing demonstration.

regards

:geek:

Re: CSS Vulnerability

Posted: Fri Jun 26, 2009 3:31 pm
by therube
Old news.
(Merging ...)

Re: Sniffing Browser History with NO Javascript

Posted: Thu Apr 01, 2010 8:54 am
by dhouwn
Update on this:
http://hacks.mozilla.org/2010/03/privacy-related-changes-coming-to-css-vistited/
http://blog.mozilla.com/security/2010/03/31/plugging-the-css-history-leak/
Seems like they didn't went the SafeHistory way… :roll: (which would have been easier to implement and maintain IMHO)

Giorgio Maone wrote:Very well thought fix :)
I don't share your opinion in this case and seems like I am not the only one…

Re: Sniffing Browser History with NO Javascript

Posted: Sat Apr 03, 2010 10:59 am
by eradic8
All this stuff is way above my head, but I was wondering if someone could tell me if I am safe from this browser sniffing problem. I always surf webpages using private browsing in firefox, and of course I have no script enabled.

Re: Sniffing Browser History with NO Javascript

Posted: Sat Apr 03, 2010 11:09 am
by Giorgio Maone
dhouwn wrote:
Giorgio Maone wrote:Very well thought fix :)
I don't share your opinion in this case and seems like I am not the only one…

Could you elaborate? Who are the others, and what are their arguments?

I share your feeling about it being a bit overcomplicated and probably difficult to keep in sync with the always moving HTML 5 spec, but it's definitely more usable (literally, for end-users) than SafeHistory.

That said, I also preferred the SafeHistory/SafeCache approach (i.e. partitioning history according to site boundaries), and had even filed a bug to make it possible for NoScript, although I'm quite doubtful about its fate now...