Browser Defenses Against Web Privacy Attacks -Firefox extensions

"Through a variety of means, including a range of browser cache methods and inspecting the color of a visited hyperlink, client-side browser state can be exploited to track users against their wishes. This tracking is possible because persistent, client-side browser state is not properly partitioned on per-site basis in current browsers. We address this problem by refining the general notion of a "same-origin" policy and by designing and implementing two browser extensions that apply a same-origin policy to the browser cache and visited links. We also analyze various degrees of cooperation between sites to track users, and show that even if long-term browser state is properly partitioned, it is still possible for sites to use modern web features to bounce users between sites and invisibly engage in cross-domain tracking of their visitors. Cooperative privacy attacks are an unavoidable consequence of all persistent browser state that affects the behavior of the browser, and disabling or frequently expiring this state is the only way to achieve true privacy against colluding parties."

Tests found here

Some of these attacks have being discussed before, e.g using changed color of visited links to tell where you have being from.

Firefox Extensions Safecache and Safehistory available to block all non-coporative leaks on the same page.

It's isn't clear how to use them but basically the extension writers have decided to tie them to your cookie settings. See Paper below for details, under "implementation"

Paper can be found here (direct PDF link)

Other nice privacy and security related firefox enhancements worth looking at

redirect remover

Go directly to links, without going through redirects. Has 2 modes. A whitelist mode, where all detected redirect links are converted to direct links except for sites on the whitelist (eg translation sites). A blacklist mode, where it converts only redirect links on certain domains and hightlights links that are redirects without changing them.

Very flexible, includes regexp matching if required.


refcontrol ,

Allows you to set per site referrer policies and default policies for other unlisted sites. It can take one of 3 actions, Normal, Block (send blank), Forge (send root domain referrer only) . It can also be instructed to take such actions only if moving between different domains (3rd party sites)

Another similar and newer extension is adaptive referrer remover which is even more flexible.



splitlink

See where the links REALLY takes you. Handles hexadecimal characters and redirects. Only for Firefox 1.5


adblock plus

No need to introduce this one. Many people also use the adblockfiltersetg extension which automates updates of adblock lists. Adblock plus includes whitelisting if required

noscript ,

Another popular one, introduces a zonal system similar to IE, java,javascript, plugins not allowed to work unless put into the 'zone'. Quick painless to put sites into the zone, made surfing the net without Javascript possible for me.

useragent switcher

Fake your user agent! Pretend to be IE!

proxy switcher, objection

Cleans flash local shared objects

x (not needed for 1.5)

No longer needed in firefox 1.5, where it is built in. But for now, a quick way to clean all browser traces.

password maker .

Use a different password for each site keyed on your master password.

cookie button ,

Make cookie access easy. Set permissions with one click, view cookie data with one click, Lots of other cookie related extensions available.

Greasemonkey Several nice scripts to control content ,neturalise google cookies etc.

fraudeliminator/spoofstick/trustbar etc etc

Worried about phishing? Which of the 3 is better?

 

if u wanna use IE within Firefox, there is also ietab

theres also the netcraft toolbar

just thought id add another:

Policy manager - This is an extension for managing Site Policies, a security feature (, it's like IE's "security zones").

Firefox includes the feature secretly, but there is no UI. This package includes manager GUI and a context menu extension to set the site's policy easily.

 

No, the aim is not to use 'IE within firefox'. The aim is to use sites that screen browsers based on arbitary reasons. That is the point of Useragent. As well as for privacy reasons.

BTW Using IEtabs on a certain page btw incurs the same danger as using IE directly.

On top of that there's an extra phishing vulnerability reported by HPguru here
http://www.dslreports.com/forum/remark,14632584

Yes, I'm aware of all these extensions but left them out by accident. Thank you,