InformAction Forums

Hi users of the NoScript add-on,

Most browser users are not aware about third party tracking. Google Analytics is still the biggest threat to your privacy concerns, tracking you online with five popular webtrackers they acquired. Just visiting one single website could mean you are being tracked by a dozen webtrackers.
Take this example: http://www.webanalisten.nl/ 8 trackers found there: GoogleAnalytics, MyBlogLog, Index tools, Wordpress stats, FeedBurner, Woopra, Clicky and ClickTale. During one month researchers found one hundred of these so-called webbugs on one single site, e.g.: Google's blogspot.com. The search giant owns the five most popular webtrackers like Analytics, DoubleClick, AdSense, FriendConnect and Widgets, and knows more about you online than you could know yourself probably. For the top 100 sites Google Analytics was on 81.
See report: http://knowprivacy.org/report/KnowPriva ... Report.pdf

This following nice Firefox add-on will keep an eye on the sites that keep an eye on you:
https://addons.mozilla.org/en-US/firefox/addon/9609
Combine this with Foxbeacon webbugdetector: https://addons.mozilla.org/nl/firefox/addon/9202
and we have all the information you need for those among you that are privacy concerned.

Well not completely true, with Google or Nedstat trackers or whatever it is reasonably simple to detect monitoring, because the browser has to actively send a request to their tracking service, but there are also technical means to do this tracking through realtime network protocol analysis/ a sort of "eavesdropping"/"listening in" on the web infrastructure or simply analyzing web server log files. Then there is deep packet inspection.
And a user normally is totally unaware about this going on.
And then there is also the item of Super Cookies or Flash Cookies.:
http://forums.comodo.com/anti_virusmalw ... #msg283308

Another option here is to just block this, a good rather actual list can be found here:
http://forums.mozillazine.org/viewtopic ... &p=6646655

Through the Firefox add-on NoScript you could also establish where the curious sites are and block these where the tracking is being done using JavaScript. For instance in NoScript you can mark google-analytics.com as untrusted, so getting and running "http://google-analytics.com/ga.js" is halted...
NoScript add-on: https://addons.mozilla.org/en-US/firefox/addon/722

A particularly nice add-on for blocking third party request is this extension: RequestPolicy -
https://addons.mozilla.org/en-US/firefox/addon/9727
Experimental but I have it for a year now and no problem with this whatsoever, also combined with the use of NoScript.

This extension is to control which cross-site requests are allowed. Improve the privacy of your browsing by not letting other sites know your browsing habits. Secure yourself from Cross-Site Request Forgery (CSRF) and other attacks.

Combining NoScript, RequestPolicy and AdBlockPlus you have a trio to protect your browser security and privacy. The other two are to know where the tracking comes from (Ghostery) and what the tracking is about (Fox beacon),

What you do with this information is your concern, at least now you have it,

luntrus

Not sure if this threat is something new, I have been against it and blocking it since day one. ANY tracking in my opinion is violation of privacy, heck we already have enough, why willingly ask for more? I block their tracking along with hundreds more using host files, explicit permissions, ns, abp, and request policy. Yes very redundant but ensures they NEVER exert themselves.

In addition, you can clear all your private data before going to the next site with Ctrl+Shift+Del (Win, Fx2-20. Don't know about F3). And configure Fx to clear all private data when the browser is closed. Tools > Options > Privacy > check "Always clear my private data when I close Firefox", and in Settings, check then all.

Being extremely cautious, I sometimes close and restart the browser before going from one site to the next -- but *always* *before* and *after* anything sensitive like online banking. Using Sandboxie and configuring it to dump the entire sandbox when you close the browser is another layer.

Personal opinion only, not necessarily representative of this forum, not an endorsement of any other product, no warranties, no rights conveyed. Hope the info is of use to someone. Thanks to luntrus for reminding us of the omnipresent threats.

Ditto, do that too. Ctrl+Shift+Del still clears private data, just make sure you have set it to select everything, you'd be amazed how many people think they are doing it but they haven't selected cookies and stuff. Although it may seem like hypocrisy, our parent company has googleanalytics services for the purpose of tracking our traffic and resources access and so on, nothing malicious, just technical clarity, it can be used for alot of things if you wanted. Now many tell me, we know you've been on the system but how come we have no record of you? I tell them, that's for me to know and for you to find out, if you spent too minutes outside of your comfort zone and learn.

It should be noted that, among the many ways to block googleanalytics.com (host file, proxy, firewall, ABP, ABE...) NoScript is the only one providing surrogate scripts to prevent those web pages which depend on Google Analytics scripts from breaking.

GµårÐïåñ wrote:Not sure if this threat is something new, I have been against it and blocking it since day one. ANY tracking in my opinion is violation of privacy, heck we already have enough, why willingly ask for more? I block their tracking along with hundreds more using host files, explicit permissions, ns, abp, and request policy. Yes very redundant but ensures they NEVER exert themselves.

Indeed very redundant, IMHO. I wonder why one would need Ghostery and/or RequestPolicy if one blocks Googleanalytics and the like with Noscript/ABP (... and, in addition, cookies with, e.g., Cookie Monster) by default anyway. So what's the benefit of using those two extensions other than increasing the RAM demand of Firefox? Do they really cover areas not covered by NS/ABP?

@luntrus: My first reply forgot to mention the Better Privacy add-on, which, as the article you linked to mentioned, does a fine job of dealing with Flash Cookies. I have found it very satisfactory. Before that, i just made a desktop shortcut to the Flash cookie folder, and after leaving a site that used Flash, clicked the shortcut and deleted them all manually.

tlu wrote:Indeed very redundant, IMHO. I wonder why one would need Ghostery and/or RequestPolicy if one blocks Googleanalytics and the like with Noscript/ABP (... and, in addition, cookies with, e.g., Cookie Monster) by default anyway. So what's the benefit of using those two extensions other than increasing the RAM demand of Firefox? Do they really cover areas not covered by NS/ABP?

Every user must decide for itself how much redundancy they desire. Modern jet airliners often have several independent backups to a critical system. Redundant, adds weight and cost? Yes. If the primary and its backup both fail? Priceless.

I don't have a problem with RAM usage, running a very lean system with plenty of RAM. RequestPolicy is not supported by Fx 2, which I choose to use for reasons not relevant here. Other than that, consider that one add-on might have an undiscovered flaw, or a regression in an update. Or a new threat emerges, which would already be blocked by one extension, but not another. Or one offers extra features or UI that one user prefers.

My layers: (no particular order) NoScript in 100%-lockdown mode, Better Privacy, Adblock Original, Hosts file, Sandboxie, Fx built-in Cookie Manager. I was running Spyware Blaster, but might not any more -- its functions seem to be well-covered by these others. The addition of ABE to NS will provide even more powerful protection. I don't use Ghostery, but I won't fault Guardian for doing so. Everyone makes their own choices, based on your browsing habits, system, resources, time you wish to spend fiddling, etc. Many of these use far less RAM than that wasted by unnecessary "services" running on a Windows machine, which also introduce vulnerabilities. I'm sorry I don't speak Linux, but check them out, make your own decision, and *do* provide *some* redundancy. It's what the security gurus call "defense in depth". Cheers!

Tom T. wrote: I don't have a problem with RAM usage, running a very lean system with plenty of RAM. RequestPolicy is not supported by Fx 2, which I choose to use for reasons not relevant here. Other than that, consider that one add-on might have an undiscovered flaw, or a regression in an update. Or a new threat emerges, which would already be blocked by one extension, but not another. Or one offers extra features or UI that one user prefers.

OK - replace "RAM usage" with "performance". While I understand your arguments, my impression is that a big number of extensions negatively affect the performance of Firefox. For example, I tested FF 3.6 Minefield on http://service.futuremark.com/peacekeeper/index.action twice - the second run in safe-mode. The Peacekeeper score for the second run was significantly higher compared to the first run. I didn't trace it back to specific extensions, and I admit that performance is not everything that counts and that a small number of extensions (or other extensions) might not have affected the performance that much. All I'm saying is that due to the large number of available extensions we're all tempted to add more and more of them. So while redundance looks good there might also be negative side effects. That's why I always deliberately check if an extension offers something new.

But, well, everyone to his taste ...

Out of curiosity, may I ask how many extensions were installed on the slower run? Mine total four. I was flabbergasted to find people whose extensions numbered in triple digits. Certainly, that many are not only going to slow performance, but inevitably, some are going to conflict with others. I put security as the first priority, and if my 50 or 100 extensions slowed the machine noticeably, I'd find something other than the security extensions to delete. Not disparaging your setup, of course, because I don't know. Would you mind sharing that?

Incidentally, a Hosts file and/or SpywareBlaster consume *no* resources, and actually speed up browsing: If your browser is not permitted to fetch the script from eviladvertising.com and then let NoScript block it, you have saved a lot of bandwidth and CPU. Similarly, if ad-blocking tools (any one) are configured to "block" ads, rather than just "don't show them" as some can be, that's a saving and speed-up. You can also save huge bandwidth by blocking unnecessary images. I don't really feel that my online banking experience is enhanced by seeing the picture of their pretty building, or models posing as bank employees, or models posing as customers. Is the page rather plain? Yes. But I'm *banking*, and I don't need the distractions anyway. Start blocking other images at other sites, and then try the tests.

I think I'll try it myself. What were your scores?

Edit: I think I'll not try it.

Peacekeeper measures your browser's performance by testing its JavaScript functionality.

Since I block the vast majority of javascript, how fast my browser renders it is not going to be the major performance issue.

This is true, google knows at least 70% of all internet traffic worldwide.

I have posted a feature request that would improve Noscript capability in ensuring google is not able to track us across the internet. Feedburner images should be blocked: http://forums.informaction.com/viewtopi ... =10&t=8153