Does NoScript prevent the type history sniffing mentioned?

Sam

Re: Does NoScript prevent the type history sniffing mentione

Post by Sam »

Sorry, forgot to tell you how to create a new Firefox profile.

Just use the shortcut with -P and no profile name specified, because the dialog box has UI that allows you to create, rename or delete profiles.

(Also I listed "referral" as a fingerprint, I meant "referrer" :p)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
scripteze
Junior Member
Posts: 46
Joined: Wed Mar 14, 2012 6:15 pm

Re: Does NoScript prevent the type history sniffing mentione

Post by scripteze »

BTW, here's a link to a paper by Paul Stone, on Browser Timing Attacks (a few diff types), connected to part of ? his bug report on bugzilla. http://contextis.co.uk/files/Browser_Timing_Attacks.pdf
But question: Here's a different bug on SVG attack for sniffing history, that shows to be fixed. https://bugzilla.mozilla.org/show_bug.cgi?id=711043
The other bug # 884270 - redraw timing - hasn't been fixed. It's labeled as "new," but a yr old isn't new.


Thanks. It may help others reading this, but I didn't need help manipulating profiles. I asked how would the business profile be made differently from an everyday one, that would enhance security?
Sam wrote:
For instance if you do business online, that means you have an identity as that person doing business online. You can set a professional Firefox profile and whitelist certain sites on its instance of NoScript. Pay much attention to your IP address, if it's static you're pretty much screwed. (You could still change your IP but I'm not sure I would trust Tor or a VPN for sensitive business stuff directly related to my real identity)
Yes, I have a static IPa. It's a remote possibility I can change it - Uverse, but I've not come across any method that's reliable or quick.
I'm not sure a bank or institution I have a relationship with will allow me to log on thru a proxy, VPN or Tor (a proxy). Nor if I'd want to use anything like an "unknown" proxy service; Nor exactly sure why I'd want a different IPa or particularly need a different browser fingerprint - for my bank?

I probably feel less secure using Tor to login to my bank, than using my ISP - because of potential malicious exits. Yes, packets still are SSL between the exit & bank (on HTTPS) - that's not as comforting as it used to be. Partly because of 2 bugs in OpenSSL in a few months & partly due to Snowden's documents indicating SSL was broken. Not that NSA is interested in my bank acct. But eventually, if any gov't figures out how to do something, others do too - incl. criminals.

The bank already know it's me & if they don't recognize me, there'll be problems. Unless I'm trying to hide my fingerprint from someone other than the institution I'm logging onto. So, don't quite understand that. I always thought minimizing or changing fingerprint is for when sites, trackers, hackers don't know you (& you don't want them finding out), not when banks already know exactly who you are.
Yes, but if I am in a need for high level mathematics that is dire enough I will look it up and learn the topic first hand
You were kidding, right? In the case of avg folks [which was the group I meant], lacking yrs of difficult training, needed to bring them up to the level at hand, & they'll pick up a book? Maybe yes, for some w/ highly technical & analytical backgrounds. For most, it ain't gonna happen - which was my point. That's underestimating just how non-technical the avg person is. Thus the smilie?
Mozilla/5.0 (Windows NT 6.0; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Sam

Re: Does NoScript prevent the type history sniffing mentione

Post by Sam »

For most, it ain't gonna happen - which was my point.
Yup, but I'm not trying to help the universe right now, just someone interested first hand in the topic be it you or someone else reading :)
Besides I used myself as an example because I'm pretty much the average person when it comes to math. A mechanic may learn some accounting tricks because he has a need for them, that's what I meant. Journalists are learning to use Tails and PGP even though their technical background is naught, because they have a need for it.

Now I guess the real average person who has no need to learn this can still use Tor Browser and private browsing easily... (Private browsing is basically an inferior alternative to having separate profiles)
I probably feel less secure using Tor to login to my bank, than using my ISP - because of potential malicious exits.
You don't need to hide your IP from your bank anyway, it's the reverse: Show it one IP and your real identity, but show it only to your bank. (and eventually your business partners, i.e. it's up to you to group your activities under whichever identities you feel like)

The main problem is that static IP. I can't really help here because I never ever had one nor did anybody around me, so I never had a need to look into that issue. I think static IP is pretty much unacceptable and no ISP should do that (I would change ISP outright). Unfortunately I hear that it's common practise in the US so yeah, that's a problem to think around.

As you seem to know Tor is to be used for sensitive stuff that you don't want related to your real identity in any way. It can be serious stuff like making shameful business secrets public or trivial oddities like wanting to learn how to heal your haemorrhoids :P

Thanks. It may help others reading this, but I didn't need help manipulating profiles. I asked how would the business profile be made differently from an everyday one, that would enhance security?
It would have much less chance of being compromised because you wouldn't surf as large a variety of websites with it. Your NoScript whitelist would be smaller and business focused, storage only allowed to a few sites. You would have only the necessary add-ons and no more: e.g. NoScript, ABP, Cookie Controller/Monster. All plugins would be disabled except Flash, which would be protected by a NoScript placeholder. NoScript would btw "apply restrictions to trusted sites" too.
Activate secure cookies in NS, forbid at least IFrames and WebGL. If necessary you can whitelist those permanently for selected sites using noscript.allowedMimeRegExp.
Avoid Google, Facebook and friends whenever possible. i.e. use Startpage for search, don't visit Facebook with this profile unless it's your business Facebook account (in which case if you have a personal account too, you're already screwed due to your IP)

Because you can run several Firefox instances at once as several profiles, it would not hamper your ability to surf. Just switch windows if you want to watch some YouTube video. Your business profile would only go to websites that fit your business identity. (what you do is just as important as your security setup)

A banking profile would be even more restricted: Only do banking on it. Block everything you can in NoScript except for your bank's website.

That won't be enough but it's an incremental process anyway. You can later figure out how to differentiate the fingerprints of your various profiles, but meanwhile just separating profiles is already a security gain and a small privacy one as well. (i.e. both attacks from your first post won't work anymore if your Gmail account is open *right now* on a separate profile)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
scripteze
Junior Member
Posts: 46
Joined: Wed Mar 14, 2012 6:15 pm

Re: Does NoScript prevent the type history sniffing mentione

Post by scripteze »

Thanks Sam.

Sounds like I already have the settings described or use methods discussed, in my regular profile. But, a "banking profile" may be a tad safer.
I only allow domains permanently in NS, from sites I really trust / visit quite often. That doesn't entail several dozen domains.
And allowed domains in NS vs. blocking all, except what's needed on financial sites, is only an issue if the permanently allowed domains in NS, are present on the banking sites (as 3rd parties).

If they aren't on the bank sites, it doesn't matter what domains are / are not allowed in NS. Plus, most banking sites require a good deal of JavaScript & sometimes other things, that may be generally blocked in NS. But, having a clean profile w/ everything blocked except the banks & their required contractors' domains, probably has value. Less for me than some, as I don't "allow" much, don't have plugins enabled, don't have a bunch of data-leaking, "phoning home" addons; don't store cookies; don't use disk cache / DOM storage, etc. Even so, once you set up a separate profile & create a short cut launch w/ no remote & the profile name, it doesn't take long to start another Fx instance.

Info for general users' benefit: Or some may prefer to just use the stand alone profile manager from MDN https://developer.mozilla.org/en-US/doc ... le_Manager .
It doesn't require installation. Just unzip it where you want & create a shortcut for its main file. It has quite a few handy functions / features that the native profile manager doesn't.

It gives ability (on a GUI) to start a 2nd instance of Fx, via check box; allows selecting from all existing profiles (listed in a window) & to use any existing Fx installation / version w/ the selected profile.
The stand alone profile manager can be used for Tbird - if you use the starting command in the shortcut (adding "thunderbird" at the end - w/o quotes): "E:\DOWNLOADS\Mozilla\Firefox\Firefox Programs\Mozilla Profile Mgr\profilemanager.exe" thunderbird. Then, when it opens, it shows thunderbird profiles & installed thunderbird versions.

Note, the MDN Profile Manager has one documented "bug": After any profile has been opened once, using the manager, on subsequent attempts to open them, a warning appears:
"profile xyz appears to be in use. Starting it again could damage... blah, blah."
Unless that profile IS already being used, this is a repetitive, FALSE warning, which is known to MDN. I've continued past this warning hundreds of times - it doesn't damage anything, IF... the profile in question is not already running. That shouldn't be hard to verify.
Mozilla/5.0 (Windows NT 6.0; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Sam

Re: Does NoScript prevent the type history sniffing mentione

Post by Sam »

The forum broke your link, here it is again for anyone interested. (I prefer setting a regular Windows shortcut but that's just me, it's easy even for beginners though)

Separating profiles protects your sensitive profiles whenever your regular profile gets compromised, but it is also a base to start off of and build actual identities. In the end, each profile will look like a different browser to external sites, but one needs to solve the IP problem first :)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
barbaz
Senior Member
Posts: 11065
Joined: Sat Aug 03, 2013 5:45 pm

Re: Does NoScript prevent the type history sniffing mentione

Post by barbaz »

Sam wrote: one needs to solve the IP problem first :)
Well, there are addons like https://addons.mozilla.org/firefox/addo ... t-spoofer/...
https://addons.mozilla.org/firefox/addon/random-agent-spoofer/ wrote:Headers tab includes options to:

- send spoofed if none match headers
- send spoofed via headers (Custom or Random IP)
- send spoofed x forwarded for headers (Custom or Random IP)
Would spoofing those headers help at all, or not really because the request itself is still coming from your real IP?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:33.0) Gecko/20100101 Firefox/33.0 SeaMonkey/2.30a1
Sam

Re: Does NoScript prevent the type history sniffing mentione

Post by Sam »

Interesting add-on at first glance, if anything it may be a good source of information to figure out credible identities (because privacy requires looking like everyone else, each profile must have a fingerprint widely shared in the geographic area represented by its IP range).

If the IP is only modified in headers and is different than your real IP that you do show to the visited website as well, then I guess it singles you out as the one guy with a weird header, again assuming that the attacker's fingerprinting strategy looks for this kind of discrepancy.

Now maybe it's useful for emails? Emails contain your IP in their headers, but I don't know how that IP is retrieved (and maybe that depends on your email provider?). If the email provider fills the email headers with your browser header and not your real IP then this could be useful.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
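
Added example, not part of any post in this thread: a sketch of how a web server commonly decides which address a request came from, showing why a client-set X-Forwarded-For or Via header does not replace the address of the TCP connection. The names `TRUSTED_PROXIES` and `client_ip` and all addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Hypothetical: reverse proxies the site operates itself (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr):
    """True if addr belongs to one of the site's own proxies."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, headers):
    """Return (effective_ip, unverified_forwarding) for one request.

    peer_addr: source address of the TCP connection (set by the network
               stack, not by the browser).
    headers:   request headers as a dict with lower-cased names.
    """
    xff = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")
           if h.strip()]

    if not _is_trusted(peer_addr):
        # Direct connection: the socket address is what the site sees.
        # Forwarding headers here were written by the client side, so they
        # are ignored for addressing and only noted as an extra attribute.
        return peer_addr, bool(xff) or "via" in headers

    # Connection from our own proxy: walk the chain right to left and take
    # the first hop we do not operate. Entries further left were supplied
    # by the client and are never trusted.
    for hop in reversed(xff):
        try:
            if not _is_trusted(hop):
                return hop, False
        except ValueError:
            return peer_addr, True  # malformed entry in the chain
    return peer_addr, False


if __name__ == "__main__":
    # Constructed requests: real address 203.0.113.7, spoofed 198.51.100.23.
    print(client_ip("203.0.113.7", {"x-forwarded-for": "198.51.100.23"}))
    print(client_ip("10.0.0.5",
                    {"x-forwarded-for": "198.51.100.23, 203.0.113.7"}))
```

In both constructed requests the site still resolves the client to 203.0.113.7; in the direct case the extra header only becomes one more attribute of the request.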
mikep1655
Posts: 5
Joined: Thu Sep 26, 2013 3:44 pm

Re: Does NoScript prevent the type history sniffing mentione

Post by mikep1655 »

Sam wrote: If privacy is a serious concern to you, my advice is to only use "temporarily allow...", and the add-ons Cookie Controller and Adblock Plus (with EasyPrivacy).
That doesn't do the trick.

NoScript remembers the sites visited in private browsing windows. Even if temporary permissions are revoked and all private windows closed, if I look at the list of recently blocked sites it contains sites which I visited in private windows.

This is not the same issue talked about here: http://forums.informaction.com/viewtopi ... 10&t=17144 and here: http://forums.informaction.com/viewtopi ... =7&t=19513

It's not a case of permissions persisting after private browsing is ended, it's a problem with NoScript retaining browsing history. So although with PB Firefox may not be remembering, and leaving traces behind, NoScript is.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0
barbaz
Senior Member
Posts: 11065
Joined: Sat Aug 03, 2013 5:45 pm

Re: Does NoScript prevent the type history sniffing mentione

Post by barbaz »

mikep1655 wrote:
Sam wrote: If privacy is a serious concern to you, my advice is to only use "temporarily allow...", and the add-ons Cookie Controller and Adblock Plus (with EasyPrivacy).
That doesn't do the trick.

NoScript remembers the sites visited in private browsing windows. Even if temporary permissions are revoked and all private windows closed, if I look at the list of recently blocked sites it contains sites which I visited in private windows.

This is not the same issue talked about here: http://forums.informaction.com/viewtopi ... 10&t=17144 and here: http://forums.informaction.com/viewtopi ... =7&t=19513

It's not a case of permissions persisting after private browsing is ended, it's a problem with NoScript retaining browsing history. So although with PB Firefox may not be remembering, and leaving traces behind, NoScript is.
http://forums.informaction.com/viewtopic.php?f=7&t=8678
I don't think that's susceptible to this type of history sniffing though.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 (PaleMoon)