
What are the implications of this code?

Posted: Tue Oct 20, 2009 9:24 pm
by luntrus
Hi forum friends,

I stumbled upon the following code and am wondering what the implications of this referrer-forgery.js are for the user of a browser.


 --- JonDoFox_Extension/trunk/src/components/referrer-forgery.js	2008/09/01 07:34:13	1366
+++ JonDoFox_Extension/trunk/src/components/referrer-forgery.js	2008/09/01 12:19:39	1368
@@ -10,6 +10,14 @@
 }
 
 ///////////////////////////////////////////////////////////////////////////////
+// Constants
+///////////////////////////////////////////////////////////////////////////////
+
+const CLASS_ID = Components.ID('{cd05fe5d-8815-4397-bcfd-ca3ae4029193}');
+const CLASS_NAME = 'Referrer Forgery'; 
+const CONTRACT_ID = '@jondos.de/referrer-forgery;1';
+
+///////////////////////////////////////////////////////////////////////////////
 // Observer for "http-on-modify-request"
 ///////////////////////////////////////////////////////////////////////////////
 
@@ -61,6 +69,14 @@
       // If present, uninstall
       if (loc != null) {
         log("RefControl found, uninstalling ..");
+        // Prompt a message window
+        var prompts = Components.classes["@mozilla.org/embedcomp/prompt-service;1"].
+                         getService(Components.interfaces.nsIPromptService);
+        prompts.alert(null, "Attention", "The RefControl extension is now " +
+                   "going to be uninstalled since the new version of the " +
+                   "JonDoFox extension will replace RefControl's " +
+                   "functionality!");
+        // Uninstall
         em.uninstallItem(id);
       } else {
         log("RefControl not found");
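Review bot: The added `prompts.alert(...)` only informs the user; `em.uninstallItem(id)` a few lines below still runs unconditionally, so another installed extension is removed without the user being able to decline. `nsIPromptService` also offers `confirm`, which returns a boolean, so the uninstall can be gated on the answer: `if (prompts.confirm(null, "Attention", text)) em.uninstallItem(id);`, with `text` being the existing message reworded as a question. The declined case should be logged, so that a profile still carrying RefControl is visible in the log. The enclosing function starts and ends outside this hunk.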
@@ -77,8 +93,8 @@
       var observers = Components.classes["@mozilla.org/observer-service;1"].
                          getService(Components.interfaces.nsIObserverService);
                        
-      // XXX: true or false?
-      observers.addObserver(this, "profile-do-change", true);                 
+      // XXX: Insert true or false?
+      observers.addObserver(this, "final-ui-startup", true);                 
       observers.addObserver(this, "http-on-modify-request", true);
       observers.addObserver(this, "quit-application-granted", true);
     } catch (ex) {
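Review bot: The `// XXX: Insert true or false?` comment leaves the third argument of `addObserver` undecided while the code passes `true` for all three topics. That argument is `ownsWeak`: with `true` the observer service keeps only a weak reference, which requires this object to expose `nsISupportsWeakReference` through its `QueryInterface`. The hunk does not show whether it does, so that needs confirming. Once settled, replace the XXX with a statement of the choice, for example `// ownsWeak = true: this observer implements nsISupportsWeakReference`. The surrounding `try` block starts outside the hunk.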
@@ -93,7 +109,7 @@
       var observers = Components.classes["@mozilla.org/observer-service;1"].
                          getService(Components.interfaces.nsIObserverService);
       
-      observers.removeObserver(this, "profile-do-change");
+      observers.removeObserver(this, "final-ui-startup");
       observers.removeObserver(this, "http-on-modify-request");
       observers.removeObserver(this, "quit-application-granted");
     } catch (ex) {
@@ -105,24 +121,24 @@
   observe: function(subject, topic, data) {
     try {
       switch (topic) {
-        case 'http-on-modify-request':
-          subject.QueryInterface(Components.interfaces.nsIHttpChannel);
-          this.onModifyRequest(subject);
-          break;
-
         case 'app-startup':
           log("Got topic --> " + topic);
           this.registerObservers();
           break;
+        
+        case 'quit-application-granted':
+          log("Got topic --> " + topic);
+          this.unregisterObservers();
+          break;
 
-        case 'profile-do-change':
+        case 'final-ui-startup':
           log("Got topic --> " + topic);
           this.checkForRefControl();
           break;
         
-        case 'quit-application-granted':
-          log("Got topic --> " + topic);
-          this.unregisterObservers();
+        case 'http-on-modify-request':
+          subject.QueryInterface(Components.interfaces.nsIHttpChannel);
+          this.onModifyRequest(subject);
           break;
 
         default:
@@ -148,44 +164,40 @@
 // The actual component
 ///////////////////////////////////////////////////////////////////////////////
 
-var refForgery = {
+var ReferrerForgeryModule = {
   
-  CLASS_ID: Components.ID("{cd05fe5d-8815-4397-bcfd-ca3ae4029193}"),
-  CONTRACT_ID: "@jondos.de/referrer-forgery;1",
-  CLASS_NAME: "Referrer Forgery",
-
   firstTime: true,
 
-  // Implement nsIModule
+  // BEGIN nsIModule
   registerSelf: function(compMgr, fileSpec, location, type) {
-    log("Registering ** " + this.CLASS_NAME + " **");
+    log("Registering '" + CLASS_NAME + "' ..");
     if (this.firstTime) {
       this.firstTime = false;
       throw Components.results.NS_ERROR_FACTORY_REGISTER_AGAIN;
     }
     compMgr.QueryInterface(Components.interfaces.nsIComponentRegistrar);
-    compMgr.registerFactoryLocation(this.CLASS_ID, this.CLASS_NAME, 
-       this.CONTRACT_ID, fileSpec, location, type);
+    compMgr.registerFactoryLocation(CLASS_ID, CLASS_NAME, CONTRACT_ID, 
+               fileSpec, location, type);
 
     var catMan = Components.classes["@mozilla.org/categorymanager;1"].
                     getService(Components.interfaces.nsICategoryManager);
-    catMan.addCategoryEntry("app-startup", "RefForgery", this.CONTRACT_ID, 
-       true, true);
+    catMan.addCategoryEntry("app-startup", "RefForgery", CONTRACT_ID, true, 
+              true);
   },
 
   unregisterSelf: function(compMgr, fileSpec, location) {
-    log("Unregistering ** " + this.CLASS_NAME + " **");
+    log("Unregistering '" + CLASS_NAME + "' ..");
     // Remove the auto-startup
     compMgr.QueryInterface(Components.interfaces.nsIComponentRegistrar);
-    compMgr.unregisterFactoryLocation(this.CLASS_ID, fileSpec);
+    compMgr.unregisterFactoryLocation(CLASS_ID, fileSpec);
 
     var catMan = Components.classes["@mozilla.org/categorymanager;1"].
                     getService(Components.interfaces.nsICategoryManager);
-    catMan.deleteCategoryEntry("app-startup", this.CONTRACT_ID, true);
+    catMan.deleteCategoryEntry("app-startup", CONTRACT_ID, true);
   },
 
   getClassObject: function(compMgr, cid, iid) {
-    if (!cid.equals(this.CLASS_ID))
+    if (!cid.equals(CLASS_ID))
       throw Components.results.NS_ERROR_FACTORY_NOT_REGISTERED;
     if (!iid.equals(Components.interfaces.nsIFactory))
       throw Components.results.NS_ERROR_NO_INTERFACE;
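Review bot: `unregisterSelf` deletes a category entry named `CONTRACT_ID`, but `registerSelf` adds the entry under the name `"RefForgery"` with `CONTRACT_ID` as its value. The second argument of `deleteCategoryEntry` is the entry name, so the persistent `app-startup` entry would be left behind after unregistration. The commit carries this over unchanged from the old `this.CONTRACT_ID` line. Suggested change: `catMan.deleteCategoryEntry("app-startup", "RefForgery", true);`, ideally with the entry name held in a shared constant next to `CLASS_NAME` so the two calls cannot drift apart. `getClassObject` continues past the end of the hunk.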
@@ -195,7 +207,7 @@
   canUnload: function(compMgr) { 
     return true; 
   },
-  // end Implement nsIModule
+  // END nsIModule
 
   // Implement nsIFactory
   classFactory: {
@@ -214,5 +226,5 @@
 ///////////////////////////////////////////////////////////////////////////////
 
 function NSGetModule(comMgr, fileSpec) { 
-  return refForgery; 
+  return ReferrerForgeryModule;
 }
 
luntrus

Re: What are the implications of this code?

Posted: Tue Oct 20, 2009 9:31 pm
by Giorgio Maone
That the HTTP "Referer" header (which is usually equal to the URL of the document where you come from) is replaced with something else.

Re: What are the implications of this code?

Posted: Wed Oct 21, 2009 4:35 am
by Tom T.
Giorgio Maone wrote:That the HTTP "Referer" header (which is usually equal to the URL of the document where you come from) is replaced with something else.
Which is one of the options of my Fx RefControl add-on. ;)

Re: What are the implications of this code?

Posted: Wed Oct 21, 2009 7:29 am
by GµårÐïåñ
@Giorgio, @Tom T.: Ditto!

Re: What are the implications of this code?

Posted: Wed Oct 21, 2009 6:10 pm
by Tom T.
GµårÐïåñ wrote:@Giorgio, @Tom T.: Ditto!
I have to thank Giorgio for recommending RefControl to me. Lightweight, ultra-simple tool to help protect your privacy. I'd recommend it to anyone.

Re: What are the implications of this code?

Posted: Wed Oct 21, 2009 7:14 pm
by luntrus
Hi TomT,

Yes RefControl is one of my favourite three extensions along with NS and RP.
My default to come here is this referrer: "luntrus visiting",
on another webforum "Polonus here",

luntrus aka polonus

Re: What are the implications of this code?

Posted: Wed Oct 21, 2009 9:05 pm
by Tom T.
luntrus wrote:Yes RefControl is one of my favourite three extensions along with NS and RP.
My default to come here is this referrer: "luntrus visiting",
on another webforum "Polonus here",
Hi luntrus,

Those are good. :D

But I realized that for other web sites where you want to try to keep what little privacy you have, *any* custom referrer could eventually be used to identify you uniquely. For example, if I put SantaClaus.com as my funny referrer, eventually that could be linked across all sites I visit. Therefore, simply using the "block referrer" option is probably the best. If enough people are using that option, it gives nosy sites no information about who is who.

In the same way, I used to enjoy playing with my useragent string. But then I realized that it becomes another unique identifier, so I gave up that fun. :cry:

I'm sure that you too don't use those custom referrers at sites where you'd like to be private, but just thought I'd mention this for the benefit of any others reading this thread. Something to think about.

Cheers.

Re: What are the implications of this code?

Posted: Sat Oct 31, 2009 11:50 pm
by luntrus
Hi Tom T.,

I use this referrer-info specifically for those sites that know these nicks. But a general referer could be a better option after your analysis given in your posting.
That reminds me that you could change these referrers every couple of days to other nicks; besides, tracking is not done exclusively through the referrer. Just use Ghostery to see the extent of trackers; profile tracking can be done so extensively that it could even predict with certainty what your favorite psalm verse or sutra might be. Mine is psalm 100.
It strikes me that privacy is becoming more and more non-existent and we all seem to go along with this development. I fear my browser can reveal more about me than I could know about myself, you just explained that to me,

your forum friend,

luntrus

Re: What are the implications of this code?

Posted: Sun Nov 01, 2009 4:36 am
by Tom T.
luntrus wrote:Hi Tom T.,

I use this referrer-info specifically for those sites that know these nicks. But a general referer could be a better option after your analysis given in your posting.
What reminds me of the fact that you could change these referrers every other couple of days for other nicks, and besides
tracking is not exclusively done as referrer tracking. Just use ghostery to see the implication of trackers and profile tracking can be quite extensively done to even predict with certainty what could be your favorite psalm verse or sutra. Mine is psalm 100.
It strikes me that privacy is becoming more and more non-existent and we all seem to go along with this development. I fear my browser can reveal more about me than I could know about myself, you just explained that to me,

your forum friend,

luntrus
Hi luntrus,

I use the "block" option in RefControl for all sites except one that broke, and that one was an SSL bank site. If everyone with RefControl used the no-referrer option, then that is not remarkable or identifiable. And of course, if you just opened the browser and went directly to a site, there is not a referrer, so there is another way in which "no referrer" does not give away any information.

Yes, you could change the referrers frequently, if you remembered to do so. However, most of us have patterns in our words, phrases, etc. that we may not be aware of. IIRC, the US Federal Bureau of Investigation (FBI) mentioned some ability to link posts across time and web sites to one user, by a computer program that looked at things like punctuation (or lack thereof), grammar, phraseology, sentence construction (syntax), vocabulary, etc. The idea was to identify the poster of a given post and connect it to other posts by that person, even under different user names. This was for the valid purpose of investigating criminal activity, but it could also be used to diminish our privacy further. I never heard any more of this, as I expect the FBI would rather that we, and the bad people, not know that this is going on.
"It strikes me that privacy is becoming more and more non-existent and we all seem to go along with this development.
I do what little I can to fight it, although it's a losing battle in the long run. As Scott McNealy, CEO of Sun Microsystems, famously said, "You have zero privacy now-get over it." I don't really have all that much "exciting" stuff to hide, but I'm reminded of a cartoon strip, "Calvin and Hobbes", in which six-year-old Calvin is filling out a survey on chewing gum. "Age" - "45". "Favorite flavor" - "Garlic - curry". Then he grins at the reader and says, "I love messing with data-miners". Hooray, Calvin! (© Bill Watterson).
I fear my browser can reveal more about me than I could know about myself, you just explained that to me,
I'm afraid that this is true, my friend. You are of course correct that referrers are only one of many ways of building databases on users. If we are to try to maintain any privacy at all, we just have to think about each way in which we leak information, and be creative in dealing with them.

Your forum friend,
Tom

Re: What are the implications of this code?

Posted: Mon Nov 02, 2009 3:48 am
by computerfreaker
Tom T. wrote: Hi luntrus,

I use the "block" option in RefControl for all sites except one that broke, and that one was an SSL bank site. If everyone with RefControl used the no-referrer option, then that is not remarkable or identifiable. And of course, if you just opened the browser and went directly to a site, there is not a referrer, so there is another way in which "no referrer" does not give away any information.
HeaderControl is another promising addon for this... it's still an experimental add-on, but looks pretty potent. I'm going to try this (disabling the referrer) out...
Tom T. wrote:Yes, you could change the referrers frequently, if you remembered to do so. However, most of us have patterns in our words, phrases, etc. that we may not be aware of. IIRC, the US Federal Bureau of Investigation (FBI) mentioned some ability to link posts across time and web sites to one user, by a computer program that looked at things like punctuation (or lack thereof), grammar, phraseology, sentence construction (syntax), vocabulary, etc. The idea was to identify the poster of a given post and connect it to other posts by that person, even under different user names. This was for the valid purpose of investigating criminal activity, but it could also be used to diminish our privacy further. I never heard any more of this, as I expect the FBI would rather that we, and the bad people, not know that this is going on.
At least for me, that FBI thing is true. My profile & posts are remarkably consistent...
Tom T. wrote:
"It strikes me that privacy is becoming more and more non-existent and we all seem to go along with this development.
I do what little I can to fight it, although it's a losing battle in the long run. As Scott McNealy, CEO of Sun Microsystems, famously said, "You have zero privacy now-get over it." I don't really have all that much "exciting" stuff to hide, but I'm reminded of a cartoon strip, "Calvin and Hobbes", in which six-year-old Calvin is filling out a survey on chewing gum. "Age" - "45". "Favorite flavor" - "Garlic - curry". Then he grins at the reader and says, "I love messing with data-miners". Hooray, Calvin! (© Bill Watterson).
I love that strip, too... :mrgreen:
I also try to protect my privacy: tried to set up TOR, but it wouldn't work with my Internet connection; using Scroogle instead of Google; using HeaderControl addon; using CS Lite with a default cookie setting of "globally deny"; using NoScript with default-deny settings... however, I have to admit it's a losing battle. Windows is crammed with anti-piracy checks that are designed to poke and prod your system to see if it's legit, but those same checks invade our privacy; Chrome sends Google a unique, identifiable user string; Google, Ask.com, Yahoo, Bing, etc. send search data to their respective companies; ads track us; malicious people track us... the list goes on and on and on...
Tom T. wrote:
I fear my browser can reveal more about me than I could know about myself, you just explained that to me,
I'm afraid that this is true, my friend. You are of course correct that referrers are only one of many ways of building databases on users. If we are to try to maintain any privacy at all, we just have to think about each way in which we leak information, and be creative in dealing with them.
Creativity is good... I love "teasing" data-miners as well, e.g. by giving them a false name, false location, etc. Only problem is eventually they'll get on to me, and all the rest of us. (btw, I think open-source software is the solution to this - people using Firefox, OpenOffice.org, Ubuntu, etc. will probably have better privacy than those with closed-source sw, simply because open-source software is, well, open. If Mozilla pulled an addon stunt like MS's .NET addon, people would find out quickly, due to the open-source nature of Fx - and Mozilla would have to buckle under the huge pressure. Same deal with OOo, Canonical, etc... closed-source stuff, because it's closed, can get away with things open-source sw won't even try.)

Just my 2c...

Re: What are the implications of this code?

Posted: Mon Nov 09, 2009 6:26 am
by Tom T.
"What are the implications..."
Giorgio Maone wrote:That the HTTP "Referer" header (which is usually equal to the URL of the document where you come from) is replaced with something else.
I was just alerted by James Abbatiello, the developer of RefControl, that this add-on, which is apparently not listed on Firefox Add-ons, uninstalls RefControl (I hadn't bothered to scroll the bar all the way down):


// If present, uninstall
       if (loc != null) {
         log("RefControl found, uninstalling ..");
+        // Prompt a message window
+        var prompts = Components.classes["@mozilla.org/embedcomp/prompt-service;1"].
+                         getService(Components.interfaces.nsIPromptService);
+        prompts.alert(null, "Attention", "The RefControl extension is now " +
+                   "going to be uninstalled since the new version of the " +
+                   "JonDoFox extension will replace RefControl's " +
+                   "functionality!");
The add-on's site is https://www.jondos.de/en/jondofox . It purports to be a complete privacy and anonymity service, combining various functions, including cookies, some NS functions (js, Flash/Java/Silverlight), and also offers a Tor-like network of its own, etc. It advises:
# If possible, do not add more extensions. There are many extensions that "backdoor" your anonymity, including some of the most popular extensions from the Firefox download site, e.g. Flagfox.
# If you would like to use the profile only, you should remove all extensions and searchplugins from the Firefox installation directory beforehand. Otherwise, potentially insecure elements remain.
So it uninstalls competing extensions, including RefControl, although that was not obvious from the site or the FAQ.

It claims "JonDoFox does not influence your default Firefox configuration". -- apparently if you run it as a second profile, using your default profile for some browsing and the JDF profile for sensitive browsing.

Since it is not an official Mozilla add-on and uninstalls other extensions, it seems deep investigation should be made before using this add-on.

Re: What are the implications of this code?

Posted: Tue Nov 10, 2009 6:59 am
by ???
Tom T. wrote:I was just alerted by James Abbatiello, the developer of RefControl, that this add-on, which is apparently not listed on Firefox Add-ons, uninstalls RefControl
Don't know if it qualifies as an add-on per se, but it's a FF profile configured to use the company's proxy software and service while keeping anonymity better preserved than a default profile. Their FAQ actually notes how to reinstall RefControl--which is incompatible with the profile's *basic* setting which itself spoofs the referer https://www.jondos.de/en/jondofox/faq#12n1418 . Their service is similar to Tor, so they really want everyone to "look" the same.
Their profile comes preloaded with NoScript(!), ABP and CS Lite, https://www.jondos.de/en/jondofox/help . All the software they offer is open source, so those of you who can read code would have a better idea if they are ok, but they seem legit. Their client is Java-based; I don't know if that's an issue or not.
computerfreaker wrote: HeaderControl is another promising addon for this... it's still an experimental add-on, but looks pretty potent. I'm going to try this (disabling the referrer) out...
My experience is that it's not ready for prime time yet. If and when it is, it would be great because it intends to spoof referer, user-agent and language all at once on a per-site basis. But it doesn't actually spoof properly yet...
Tom T. wrote:But I realized that for other web sites where you want to try to keep what little privacy you have, *any* custom referrer could eventually be used to identify you uniquely.[...]Therefore, simply using the "block referrer" option is probably the best. If enough people are using that option, it gives nosy sites no information about who is who.
I've been using RefControl with the block option myself, but that in itself is a giveaway: that you are blocking the referer. The forge option (showing the base domain of the site you're connecting to) is in some ways more invisible and may be smarter. Yes, if the whole world blocked the referer it would be different, but that's not likely to happen anytime soon! (would that it were...)
The only problem with the RefControl forge option is it overrides the de facto standard (or is it an actual standard?) to not show the referer if the referring URL is HTTPS and the destination is HTTP. Which again could be a giveaway that you're spoofing....

BTW: Hi! for the first time

Re: What are the implications of this code?

Posted: Tue Nov 10, 2009 8:49 am
by Tom T.
Hi!

Thanks for the info. Re:
I've been using RefControl with the block option myself, but that in itself is a giveaway: that you are blocking the referer. The forge option (showing the base domain of the site you're connecting to) is in some ways more invisible and may be smarter. Yes, if the whole world blocked the referer it would be different, but that's not likely to happen anytime soon! (would that it were...)
If you fire up a fresh browser at the start of the day, the first site you visit has no referer, right? So how many machines in the world are booted each day?
And if you frequently close and restart the browser, as many ultra-privacy/security conscious do, no referer, right? Because I use Sandboxie, I close the browser very frequently, which automatically empties the sandbox. But a lot of users close/restart anyway. So add all of those, and it seems sites should be getting a large number of hits with no referer -- enough that it's not a unique identifier.

If you are actually connecting to the base 2nd-level domain itself (yahoo.com, google.com, etc.), isn't showing itself as a referer going to look a little funny? -- and raise a flag?

IMHO. YMMV. And welcome to the forum! :)

Re: What are the implications of this code?

Posted: Wed Nov 11, 2009 5:47 pm
by computerfreaker
??? wrote:
computerfreaker wrote: HeaderControl is another promising addon for this... it's still an experimental add-on, but looks pretty potent. I'm going to try this (disabling the referrer) out...
My experience is that it's not ready for prime time yet. If and when it is, it would be great because it intends to spoof referer, user-agent and language all at once on a per-site basis. But it doesn't actually spoof properly yet...
Unfortunately, you're right. Steve Gibson's ShieldsUp! service shows the correct referrer, even with HeaderControl set to block referrers - disabled HeaderControl and got RequestPolicy instead, and suddenly the referrer vanishes (which it was supposed to do 3 months ago, when I got HeaderControl...)
Anyway, not ready for prime time, but maybe soon...

Re: What are the implications of this code?

Posted: Fri Nov 13, 2009 1:05 am
by therube
If you fire up a fresh browser at the start of the day, the first site you visit has no referer, right?
It's not an issue of a "fresh browser", or restarting your browser.
Any site that you manually type the URL for will have no referrer.

Perform this search: http://www.google.com/search?ie=UTF-8&o ... +detection
Click the first result: http://software.berkeley.edu/about/Serv ... heck.shtml
You will see that it shows, "Browser Referer | google.com/search?ie=UTF-8&oe=utf-8&q=browser+referrrer+detection".

Now instead of clicking the link, copy the link & paste it into the URL bar.
Now look at the referrer, "Browser Referer | (none)".

Or even if you were to simply hit the "Go" button (not Refresh, but Go), you will see the earlier reported referrer to now show (none).