Discussion in 'privacy technology' started by vasa1, Nov 8, 2011.
The Evercookie: Like trying to kill Steven Seagal
Good article. I've taken to using QuickJava in Firefox myself, along with blocking 3rd party cookies and having ABP and TrackerBlock in place. I feel safe without Noscript, as I have Returnil set to only trust programs already on my drive. That means no script malware for me... though of course Panda Cloud and MBAM stand by.
The only issue for which I haven't found a real solution is ETags. Disabling caching in Firefox (which would help) worsens its performance too much. Some addons which are sometimes recommended (like ModifyHeaders) don't work as they only change request headers but ETags are reply headers.
Well, each to his own. However, I understand that by switching on JS with QuickJava, 3rd party scripts (often by the tracking servers you mentioned) are also enabled (correct me if I'm wrong). That's problematic from a privacy perspective (which we are discussing here). Yes, in Noscript you have to decide what to allow. But in most cases that's no problem: If I open site xyz.com it's pretty obvious that you allow scripts from that domain first in order to make it work - and usually that's sufficient. Besides, you can add trackers to the Noscript blacklist. After a while, most of them simply don't appear in the "normal" list anymore.
Regarding the "extras": Sandboxing and AE don't help against XSS and ClearClicking. And the browser built-in protection against these threats (if any) is inferior at best.
Again, each to his own. But you can't get security and privacy without paying a price. The price of using Noscript is low enough for me.
Actually the built in XSS is fine - both Chrome and Firefox have reflective XSS filters and I imagine they all work in a similar fashion.
Basically, you click a link, you actually end up clicking an invisible button, and you're taken to an exploit page. Sandboxing would protect against this.
If it tries to initiate a download any browser will warn you first saying "this is a .exe, you sure you want to download it?"
There are other possibilities with ClickJacking but none are as severe as leading to an exploit page.
Still, NoScript can add that extra layer especially if there isn't sandboxing or if the XSS auditor isn't up to snuff in some way. As you said, there's a price for this.
I see NoScript as having really only a few issues, some obvious and some less-so:
2) Once a site is whitelisted it's whitelisted for everything (all tags)
3) The fact that it's entirely up to the user to determine which sites are trusted/untrusted.
I've actually found it very easy to use ScriptNo on Chrome but only to block certain tags (Frames and Noscript tags); this way I don't have to whitelist sites and instead I have every site limited.
I mostly just use it because I like the referer spoofing, which I think is broken as of now anyways.
Actually we're getting OT in this thread. But anyway:
According to the Noscript site, NS also protects against DOM based XSS and most types of persistent XSS. Besides, I'm not sure if the built-in protection in the browsers against reflective XSS is as good. And my question in another thread (if the XSS auditor in Chrome is enabled again - it was disabled earlier because of performance considerations) was never answered.
Scripts can also be executed by Clickjacking, and if your filesystem is not affected, sandboxing doesn't help.
See the remark in my previous post regarding trackers and blacklist. Besides: In QuickJava this problem isn't solved at all. See also 3) below.
True (although this behavior can be changed). The upcoming Noscript version will change that.
True, but you have this problem with other solutions, too. At least, in Noscript you can middle-click the respective site in the Noscript menu to get a site that looks like this. A great help IMHO.
We've had several very good threads on how to defeat this. Plus in at least one of those threads are links to www's to test to see if you're bacon, or not.
Do a search on here for them & let us know how you shaped up, or not!
All you do is close your browser and then clear cookies and this "evercookie" is gone!
I went to http://samy.pl/evercookie and had an evercookie created, I saw it in 3 places... then I cleared cookies AND STILL SAW IT...
Then I closed my browser and cleared cookies again and then went back to http://samy.pl/evercookie and IT WAS GONE!! (All said undefined)
KISSmetrics and life of an ETag:
For ETags, see this thread. The filter is for Proxomitron but might be adaptable.
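The thread's point that ETags travel in reply headers, as an added example (not code from the thread or from the Proxomitron filter it mentions): a constructed Python model of a tagging server, a browser cache and a reply-side filter that drops validators before the cache stores them. All class names, the URL and `strip_validators` are hypothetical.

```python
# Added example: constructed model, not code from the thread or from any real filter.
import itertools

class TaggingServer:
    """Hypothetical server that hands out a unique ETag and reads it back."""
    def __init__(self):
        self._ids = itertools.count(1)

    def handle(self, request_headers):
        seen = request_headers.get("If-None-Match")
        if seen:  # the cache replayed the validator, so the visitor is recognised
            return 304, {"ETag": seen}, seen
        tag = '"visitor-%d"' % next(self._ids)
        return 200, {"etag": tag}, tag  # lower-case on purpose: names are case-insensitive

class BrowserCache:
    """Minimal cache model: one stored validator per URL."""
    def __init__(self):
        self.validators = {}

    def request_headers(self, url):
        tag = self.validators.get(url)
        return {"If-None-Match": tag} if tag else {}

    def store(self, url, response_headers):
        for name, value in response_headers.items():
            if name.lower() == "etag":
                self.validators[url] = value

# Reply headers that act as cache validators; Last-Modified can carry an ID the same way.
VALIDATORS = {"etag", "last-modified"}

def strip_validators(response_headers):
    """Reply-side filter: drop validators before the browser cache sees them."""
    return {k: v for k, v in response_headers.items() if k.lower() not in VALIDATORS}

def run(filtered, visits=3, url="http://tracker.example/pixel.gif"):
    """Load the same URL several times; return (status, id the server attributed)."""
    server, cache, log = TaggingServer(), BrowserCache(), []
    for _ in range(visits):
        status, headers, visitor = server.handle(cache.request_headers(url))
        if filtered:
            headers = strip_validators(headers)
        cache.store(url, headers)
        log.append((status, visitor))
    return log

if __name__ == "__main__":
    print("unfiltered:", run(filtered=False))
    print("filtered:  ", run(filtered=True))
```

With the filter on, every load comes back as a full 200 response, so the bandwidth saving of cache revalidation is lost for the filtered resources.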