What kind of information sends your computer out?

[elio]

Quote:

Originally Posted by Quill

I'm quite interested in this. As a long time user of firefox + Proxomitron (sidki) I'm curious about the alternatives. From what I gather, to simulate the proxomitron environment using fx extensions, I'd need:

Adblock (Plus) + Filter set
noscript
greasemonkey + scripts
Firekeeper

Would using the above be a better option than Prox now, pros/cons?

If you're confortable with Prox, there's no reason to ditch it for content filtering purposes (no need for AdBlock or Firekeeper).
The only potential advantage I could see in a content filtering extension over Prox is access to the browser internals and web page "live" DOM, but neither AdBlock nor Firekeeper seem to really use this "plus" in any way that could make them functionally superior to Proxomitron, so far (of course AdBlock is much easier for newbies, though).

While Proxomitron has clever tricks in its bag for script/DOM massaging, Greasemonkey can do several things that Prox can't (e.g. performing cross-site XMLHttpRequests to build customized mashups), but they're hardly security improvements: more likely, if unwisely used, they can open severe security holes, instead.

Finally, NoScript.
This is the only extension you can't live without from a security standpoint IMHO, and it has no counterpart in other browsers or tools, either built-in or plugin.

NoScript's prominent, non duplicable features are:
1. Reliable, in-depth, preemptive script-blocking
While Proxomitron claims to "disable scripts", it actually modify the textual HTTP response on the fly either to strip out character sequences that resemble scripts, to neutralize <script> tags with hacks (like bogus language attributes) or to hinder some features by injecting its own language-level or DOM-level JavaScript tweaking code. Either way, JavaScript as a language is still allowed to run in the context of the loaded page, so if some malicious code is obfuscated not to "seem" a script (e.g. using data: URLs, refreshes, frames, iframes, object content, Java, Flash, any scriptable plugin, CSS expression, XML binding, XML islands and the like - oh, so many wonderful ways to disguise JavaScript ), it will defy Proxomitron filters and will be ultimately run by the browser.
NoScript can't be fooled this way, because it works at the JS interpreter level.
As soon as some code tries to run, no matter how it "looks like" or where it hides, it will prevented to run if its origin is untrusted.
In case you're wondering, external untrusted .js files are also prevented from loading (even if they couldn't run anyway), thus no bandwidth waste happens.
2. Accessible, in-page security controls
While whitelists are the only reasonable way of blocking stuff in the security realm, for a whitelist to be usable it must be easily accessible.
NoScript gets it right, with multiple contextual entry points to allow/deny the current page and its sub-elements, including visual clues for disable Java, Flash and plugin objects, shown as one-click-activable placeholders inside the page layout.
3. Anti-XSS protection
1 and 2 still apply, aggravated by the fact that Proxomitron can't reliably tell which the originating page of a certain HTTP request is (a fundamental info for detecting and blocking/filtering XSS): the only related info available to Prox is the HTTP REFERER header, which can be empty or spoofed in many circumstances.

Recap
While Firekeeper and AdBlock are certainly more confortable for the average joe, you may want to stick with Proxomitron if you're a power user.

Greasemonkey is much more powerful than Proxomitron for DOM level massaging, but there's no reason to switch if you're already happy (no additional security/privacy).

NoScript's JS blocking and Anti-XSS features can't be replaced by Proxomitron (or anything else, for the matter).

Bottom line
If you're confortable with Proxomitron, use Firefox+NoScript+Proxomitron (and don't forget to TORrify this stack for maximum privacy, if you can afford the lag).

[Pedro]

Another great post elio. Now you were more concrete regarding Proxomitron/ NoScript/ script blocking.

Quote:

Originally Posted by elio

1. Reliable, in-depth, preemptive script-blocking
While Proxomitron claims to "disable scripts", it actually modify the textual HTTP response on the fly either to strip out character sequences that resemble scripts, to neutralize <script> tags with hacks (like bogus language attributes) or to hinder some features by injecting its own language-level or DOM-level JavaScript tweaking code. Either way, JavaScript as a language is still allowed to run in the context of the loaded page, so if some malicious code is obfuscated not to "seem" a script (e.g. using data: URLs, refreshes, frames, iframes, object content, Java, Flash, any scriptable plugin, CSS expression, XML binding, XML islands and the like - oh, so many wonderful ways to disguise JavaScript ), it will defy Proxomitron filters and will be ultimately run by the browser.
NoScript can't be fooled this way, because it works at the JS interpreter level.
As soon as some code tries to run, no matter how it "looks like" or where it hides, it will prevented to run if its origin is untrusted.
In case you're wondering, external untrusted .js files are also prevented from loading (even if they couldn't run anyway), thus no bandwidth waste happens.
2. Accessible, in-page security controls
While whitelists are the only reasonable way of blocking stuff in the security realm, for a whitelist to be usable it must be easily accessible.
NoScript gets it right, with multiple contextual entry points to allow/deny the current page and its sub-elements, including visual clues for disable Java, Flash and plugin objects, shown as one-click-activable placeholders inside the page layout.
3. Anti-XSS protection
1 and 2 still apply, aggravated by the fact that Proxomitron can't reliably tell which the originating page of a certain HTTP request is (a fundamental info for detecting and blocking/filtering XSS): the only related info available to Prox is the HTTP REFERER header, which can be empty on spoofed in many circumstances.

Thank you. I will continue my Proxomitron research. BTW, besides Proxomitron, closed source, Windows only and frozen in time (there are GUI patches though), what other proxies are you aware of? None as functional?
Privoxy, Muffin, Proximodo, they all seem to lack something, or just as frozen.

[Quill]

Excellent post elio. Thank you, it gives me much to think about.

[elio]

Quote:

Originally Posted by Pedro

besides Proxomitron, closed source, Windows only and frozen in time (there are GUI patches though), what other proxies are you aware of? None as functional?
Privoxy, Muffin, Proximodo, they all seem to lack something, or just as frozen.

I don't use any, because I'm satisfied with NoScript using its noscript.contentBlocker preference which extends content blocking with one click activation to trusted sites.

Nevertheless I find WebCleaner an interesting project, because it embeds a HTML parser and SpiderMonkey (the Mozilla JS interpreter), thus it holds potential for sharper filtering, even though it's gonna be slower than average because of the double parsing (proxy+browser).
Furthermore, it's open sourced and under active development.
Anyway, its limitations in effective (security-class) JS blocking and non suitability for XSS protection are the same as any other proxy, as confirmed also by its own FAQ.

[Pedro]

Yes, i notice that function in Noscript, but it doesn't solve all the ads.
Not that they annoy me that much! I even leave many unfiltered.

That WebCleaner seems a winner elio, thanks. The problem is the requirements for Windows (python, python ext., dll, openssl, lol).
But eventually i will install all that. I have to see it, curiosity just knocked.

It's multiplatform, and GPL. That allows me to reuse it on GNU OS's.