µBlock, a lean and fast blocker

Discussion in 'other software & services' started by gorhill, Jun 23, 2014.

  1. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Yes, and very quickly. :) I was interested in the detail of the exploits that led to the patches. Like the article noted, uBO is a highly popular extension.
     
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    Last edited: Dec 6, 2021
  3. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Thank you for taking the actions. In light of all this, that CSS ext. seems very relevant but I need more info yet. Every new extension is a new potential vector. Will look forward to any updates, for sure.
     
  4. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    890
    Location:
    The Netherlands
  5. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    890
    Location:
    The Netherlands
    Actually, I don't think it will be much of a risk, if you don't use exotic filter lists.
     
  6. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
    After clicking on the Chrome extension in the webstore, I see that I already have it but it is disabled. I don't remember installing this extension. I did a search in my history and found I did a search for it 2 months ago and must have installed it and disabled it for some reason.
     
    Last edited: Dec 6, 2021
  7. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
  8. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    737
    Location:
    South Park, CO
    Thanks for the info. I've been using it on Firefox for at least a year, but I didn't know there was a Chromium version. Installed and tested on Chromium and Edge, passed the test on the developer's page. (Note: the Microsoft Edge store has a similar-looking add-on by an unknown developer which I don't trust, so I installed it from the Chrome store.)
     
  9. plat

    plat Registered Member

    Joined:
    Dec 19, 2018
    Posts:
    2,233
    Location:
    Brooklyn, NY
    Hmm, OK--since Edge and Firefox tested as "vulnerable," went ahead and installed CSS Exfil Protection plug-in for Firefox and Edge--likewise using the Chrome Store version and not the MS Store one. Thanks for that tip, SouthPark. :) I trust ghacks/Martin Brinkmann anyway.

    Probably it's overkill for my threat model but at least it doesn't seem to impede any browsing at this time. Four extensions/plugins for each browser--that's enough for me. :oops: I guess I'll keep it until something comes along that goes "bip."
     
  10. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    890
    Location:
    The Netherlands
    Well, you got a response...

    Next thing you could try, is ask the developer of "CSS Exfil Protection":
    https://www.mike-gualtieri.com/contact
     
  11. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    Probably the internal third-party fonts blocking could be already enough to prevent future possible attacks.

    Code:
    *$font,third-party
    But you can ask Mike since you have been using his extension for a long time.:thumb:;):)
     
  12. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    890
    Location:
    The Netherlands
    Maybe, but I guess the font issue doesn't affect me, because I have unchecked the option "Allow pages to use their own fonts, instead of your selections above".
    I have Noto Sans on all sites (good readability). :)
    On rare occasions I have to check that option to display the site properly (e.g. on https://fonts.google.com/)
     
  13. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,933
    fonts . google . com is vital for pages meanwhile, and it's secure. It offers the same fonts for any kind of browser so that pages look the same on any OS with any browser.
     
  14. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,933
    Just a question I tried to find out these days, no effort yet.

    I try to create a filter which has wildcards to replace this for a longer list with lots of domains sharing this mask:

    www.domain.com domain.com * noop
    www.domain.com www.domain.com * noop

    I reset uBO settings to default to see if my config is wrong; same, I still need to activate the noop for both in the second column. The wiki does not contain any help/text for this.
     
  15. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    Ah you are talking about Firefox.
    It depends on whether you have:

    "browser.display.use_document_fonts" set to 0

    block normal characters.
    But then the icon characters are downloaded anyway.
    To block those too you could set to "false":

    "gfx.downloadable_fonts.enabled"

    But the websites (also this) would be poorly usable.
    You may want to check if installing the local icon font allows the usability of the websites:

    apt-get install fonts-font-awesome

    I unfortunately have little time right now to experiment.:(;)
     
  16. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
  17. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    890
    Location:
    The Netherlands
    I once experimented with this, but unfortunately this site doesn't want to use local FontAwesome (have it in my $Home directory in .fonts).
    It uses specific glyphs like this:
    Code:
    <i class="fa fa-envelope-o"></i>
     
  18. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    Even if you only download the icons, you will still have more protection.
    Let's say an extra mitigation.
    At least I think so.
     
  19. nicolaasjan

    nicolaasjan Registered Member

    Joined:
    Sep 23, 2018
    Posts:
    890
    Location:
    The Netherlands
    Found out, that when using the exact same version of FontAwesome (4.7.0), downloaded from Wilders (.woff2) and converted to .ttf, it displayed the glyphs. :)
    But I have 'gfx.downloadable_fonts.enabled' set to 'true' again. ;):thumb:
     
  20. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    :thumb::)

    In the meantime I have further reduced my lists in:

    Edge:

    40137 network filters + 37655 cosmetic filters

    Firefox:

    30347 network filters + 37654 cosmetic filters
     
    Last edited: Dec 8, 2021
  21. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    In the meantime, I checked all the websites I usually visit with the CSS Exfil Protection extension.
    No number appears on the icon of the extension as in the test.
    So in my case its use is superfluous.

    Also the third-party fonts block has its drawbacks.
    I've found at least one web site where it's necessary to insert an exception for the correct display of all website fonts.
    With "browser.display.use_document_fonts" set to 0 in Firefox no problem.
     
    Last edited: Dec 8, 2021
  22. Adric

    Adric Registered Member

    Joined:
    Feb 1, 2006
    Posts:
    1,762
    What have you thrown out since the last lists that you posted?
    Also, how do you add the minified filterlist for easylist? The links I entered won't update.
     
    Last edited: Dec 8, 2021
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    screen1.png
    screen2.png
     
  24. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,560
    Kees suggests using the AdGuard list
    https://malwaretips.com/threads/ubl...iting-ad-blockers-with-css.111338/post-967507

    “using AdGuard's filter lists which will keep you safe, because Adguard's filter lists are maintained under the supervision of AdGuard these list are maintained by a closed trusted group. When list are maintained by an open community (like easylist) one of the maintainers could turn bad, he/she could misuse one of the powerful commands”
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,367
    Location:
    Italy
    Interesting advice from Kees that is aimed at members using chrome-based browsers.
    Those who use Firefox don't need them.;)

    I don't find it convenient to disable cosmetic filters as a general rule and enable them for the most used websites.
    It's a Noscript model solution.

    Then it would be more advantageous to disable remote fonts and enable them on websites where they are needed (less adjustment actions).

    Theoretically (I have not implemented any of these solutions) I prefer blocking third-party fonts even if obviously more "risky" with exception entry (even less adjustment actions).

    But obviously each user will decide what is best for him according to his own needs.:thumb::)
     