Zone Alarm Pro leaks privacy info

I have just installed Zone Alarm Pro, but when I tried the Browser test and Quick test at PC Flank (http://www.pcflank.com/about.htm) ZAP failed them. Apparently it leaks info to web sites of other sites you have visited. I contacted ZoneLab but they say nothing can be done to configure ZAP to prevent this security leak.

I never had this problem with Norton Personal 2003 FW which always passed the test. Unfortunately I had other problems with Norton (and their disgracefully bad Technical support!) and so had to ditch it. But does anyone know of a good alternative firewall that will pass the PC Flank tests?

 

In my opinion that is no big deal. If you want to pass the test you will need a program like adsubtract pro. Zonealarm pro may have a setting you can adjust to pass this yest. It's called a refferer I believe.

 

I have ZAPro and just did the test.... my results were -


The following was sent to your computer
* TCP ping packet
* TCP NULL packet
* TCP FIN packet
* TCP XMAS packet
* UDP packet

Here is the description of possible results on each sent packet:
"Stealthed" - Means that your system (firewall) has successfuly passed the test by not responding to the packet we have sent to it.
"Non-stealthed" - Means that your system (firewall) responded to the packet we have sent to it. What is more important, is that it also means that your computer is visible to others on the Internet that can be potentially dangerous.

Packet' type Status
TCP "ping" stealthed
TCP NULL stealthed
TCP FIN stealthed
TCP XMAS stealthed
UDP stealthed

Recommendation:

Your computer is invisible to the others on the Internet!

 

Topper, I went to zonealarms website. I believe zonealarm pro blocks reffers. It's called "id lock". Make sure you have that checked. Make sure you don't check block all cookies, cuz you won't be able to access a lot of websites. I couldn't find a screenshot on there website, and I'm not a zone alarrm user.

If there is no .. id lock.. to check, maybe another zonealarm user can help you. If you didn't have any open ports during your test I wouldn't worry. I haven't been able to pass the refferer test in 2 years lol. According to their website, only 25% pass the refferer tests.

 

If u are storing in ur computer private information such as personal, financial, etc. u need to enter this info. in ZAP's "my vault", then ur ID lock can be set in "Main". To do this, bring ZAP on ur screen, then click on ID Lock.

 

Yes it is the 'Referrer' that is causing the problem. ZAP will pass all the stealth tests but not the browser test. Unfortunately you cannot configure ZAP to pass this privacy test. I block/allow cookies depending on what site I'm going to - for the purpose of the test I had cookies blocked in IE.

My point is that Norton passed the test and ZAP did not. I can't (and won't!) go back to Norton because when things go wrong (in my case Live Update stopped working and downloading another one didn't help) dealing with Norton customer services is like banging your head on a brick wall!

I am now using KAV 5, which I am pleased with, and I am looking for a suitable good firewall. I'm not entirely satisfied with ZAP 5.1 and I'm wondering if anyone can recommend one that will pass the PC Flank privacy test?

Interestingly, PC Flank suggest covering yourself for this test by getting a good firewall!

 

It is the referrer field, and yes, I also noticed that PC Flank suggested the use of a personal firewall to block this information. The problem, however, is that the "referer" field is part of the HTTP protocol as defined by W3C (misspelled in the spec). It was purposely included in the specification, and was meant to be included in every HTTP request header. So, it really is a matter of opinion as to whether it should be blocked or not. Just as some people see it as a big deal and others do not, likewise some personal firewall vendors see it as a big deal and some do not.

As you say, I don't believe that Zone Alarm provides an option to intercept it. Zone Labs either may not view it as a big deal or they may view it as not properly part of the firewalling functionality. There is some merit in the view that, whether valid information gets sent in the referrer field or not is really more properly a choice to be made in one's web browser configurations. I believe some alternative browsers offer such a privacy choice, although I don't believe that Internet Explorer does. I also believe there are some other third party utilities and web filtering programs that will null out the referrer field. To me, it's just not that big of a deal.

 

Could be the way you configured IE or setup ZA. I don't have any problem with FF 0.9x or MyIE.

Put a check mark next to the top five items in COOKIE CONTROL. Set Ad Blocking to HIGH. Turn on Mobile Code Control. Verify ZA's Program Control is set to HIGH. Do not allow any program SERVER right. Reboot and retest system.

 

I can confirm that the 'problem' cannot be addressed by tighter configuration of either ZAP or Internet Explorer.

I have to say that I never experienced any difficulty going to secure sites using Norton, which did block the leak. But even if it is a theoretical problem, you can always reconfigure your FW should you wish. The point is that with ZAP you do not have the option!

So my question remains - what GOOD firewall does pass the PC Flank test?

 

You have been fortunate in your experiences then. Having used Norton quite a bit, the referer blocking (enabled by default) will impact on the functionality of many sites as Derek noted. Allowing referer is not something I would consider a leak, but as has been mentioned already by Alec you will have varying opinions on this.

From what I have seen posted elsewhere, there are still some issues with ZAP v5.x and the handling of referer.

A GOOD firewall has to block referer Again a matter of opinion what a firewall should or should not do

Of the firewalls that provide this ability the one you no longer wish to use, and probably had the best ability to configure it for those that took the time to learn (but therein lies the problem Derek mentions and the problems that result from misconfiguration).

Regards,

CrazyM

 

For control over referrers (and other data supplied by your browser) consider using a specialised web filter like Proxomitron. While it does take some time to get to grips with, the filters included can alter referrer ID to the domain of the site your visiting (which will allow you to download images from those sites that do check referrers like Tom's Hardware or FiringSquad) as well as other details like Browser/OS version, IP address, screen resolution, etc.

PC Flank really just touches the surface in terms of showing browser details - try a site like Privacy.net's Analyse Your Connection or (the most detailed I've come across) BrowserSpy to see what information your browser can give up.

 

I've had a look at those interesting links and I've come to the conclusion that I run a pretty tight system. What I'd love to know is PRECICELY what information PC Flank claims I am leaking to it. It is all very well saying I'm leaking private information about sites I've visited, but it doesn't list that info so maybe it doesn't amount to much at all!

I hope this isn't a case of PC Flank unnecessarily worrying those without the knowledge just to ignore it.

 

Referrers can be a privacy issue in some circumstances. If you are allowing cookies from third party sites (advertisers specifically) then they can identify (using web bugs and referrers) from which sites you came from and thereby build up a (partial) picture of your online activities.

When providing a simplified picture (which PC Flank and most other scan sites do), it is better to err on the side of caution.

 

Zone Alarm Pro, to its credit, does allow you to disable web bugs and remove header information from cookies, but in any case when I took the PC Flank test I had cleared 'History' from IE, deleted all cookies and set IE to block any further cookies. So I assume the test was referring to some other source of info, but I really don't know what!

 

PC Flank is reporting that Referrers were enabled - nothing else. If you clicked on the "Analyse..." link I gave above, it would have told you exactly what value the referrer was (it should be been this site).

My previous post was about the problems of referrers combined with other techniques like web bugs and cookies. If you see no problem with sites knowing where you came from (if you reached them by clicking a link) then ignore it.

 

My browser and ZAP settings were obviously too high; but I switched off Mobile Code Control settings in ZAP and went back to the 'Analyse' link. It still could not tell me where I had linked from. Presumeably because I had blocked persistant cookies in ZAP (though session cookies were enabled). So perhaps the upshot of this is that ZAP is doing a better job than I thought!

Theoretical leakage doesn't matter if you've nothing there to leak.

One thing that still confuses me is that ZAP itself keeps a list of sites I visit in a session and I assume that info is elsewhere in my machine, even when I use CrapCleaner, MRUBlaster and ZAP's own cache cleaner I cannot clear this list. Does the 'Referrer' give access to lists like this, or is it only telling where you linked from (ie your last site)?

 

Yes blocking referrers will cause trouble with some sites. Espically those that check your referrer before they allow you access to files for download etc to prevent bandwidth theft.

But the thing is, referrer strings can be easily forged and proxomitron does it for example.

Firefox does allow you to block all referrers but with the problems mentioned above.

There is a patch which selectively blocks referrers for firefox, which I believe gives you the best combination of privacy and functionality. The following build already has the patch incorporated.

http://www.pryan.org/mozilla/firefox/amano/



NOTES FOR THE REFERRER FEATURE (TAKEN FROM THE MODIFIED ALL.JS SOURCECODE):
------------------------------------------------------------------------------
pref("network.http.sendRefererHeader", 2);

// Controls how and when the referrer header will be sent:
// 0 - Never send the referrer.
// 1 - Send the actual referrer only for user initiated actions.
// 2 - Send for actual referrer for both user initiated actions and inline
// content.
// 3 - Not currently used.
// 4 - Send the actual referrer, only to the same home. Send nothing to 3rd
// parties.
// 5 - Send the actual referrer to the same host. Send the modified
// referrer (base URL only) to 3rd parties.
// 6 - Send the actual referrer to all hosts, but strip off the path for 3rd
// party requests.
// 7 - Always send the modified referrer.

pref("network.http.referrerSchemeOverride", false);

// If true, the modified referrer will be sent for schemes which
// normally wouldn't send a referrer, such as file: and resource:

Settings 4-7 are not available in the original firefox .

 

The "linked from" information is from the referrer - nothing else.

The referrer (as has been stated several times in this thread) gives the previous site you visited only and only if you followed a link to reach the current site - if you typed the URL in the address bar then the referrer should be blank.

If ZA is keeping its own list of sites visited, then you should contact ZoneLabs or use their forum to find out how to delete it. This should not normally be accessible to websites (i.e. if you're not using Internet Explorer you should be OK - if you are, there have been past vulnerabilities allowing malicious websites to access any file on your system and there are still unpatched vulnerabilities with the latest fixes).

 

Well that seems pretty clear then; if the Referrer is only giving info of the site you linked from, I really don't see it as a problem.

The list of sites visited kept by ZAP (ie the Privacy Site List) can be easily removed from ZAP by right clicking in the usual way. I merely wondered if ZAP itself was getting that list from somewhere else in my machine, but judging by what's been said that seems unlikely.

My mind has now been put at rest by the contents of this thread!