µMatrix - the HTTP Switchboard successor

Discussion in 'other software & services' started by tlu, Oct 25, 2014.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,868
    Well, not here. I guess that you have to clear the browser cache first before doing this test again.
     


  2. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    37,137
    I have the same result: "0 cached intermediate CAs identified"
    After disabling uMatrix, some CAs were identified and after enabling it without clearing the cache = "0 cached intermediate CAs identified".

    The site shouldn't detect CAs if 3rd-party images are not allowed (a lot of requests can be seen in the log), but I'm wondering why it can detect CAs if only 1st party scripts are allowed like in this case:
     
  3. 7hohPAyXMd

    7hohPAyXMd Registered Member

    Joined:
    Mar 7, 2014
    Posts:
    11
    Do you get the same results in a new Firefox profile?

    I tried again in a new Firefox profile, with no modification, and only uMatrix installed. Blocked everything in the global scope, and allowed only 1st party scripts. Still the site finds 311 cached certificates!
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    37,137
    I tried a fresh profile with only uMatrix installed.
    Global scope (*) = nothing allowed, 1st party scripts allowed = "0 cached intermediate CAs identified"
    (tested in Firefox v51.0.1 + Firefox v52 beta9)
     
  5. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    This is also not working for me with uMatrix. It does, however, work with uBlock. With uMatrix, as soon as first party scripts are allowed the caching is allowed. I set the 'global scope' settings to block and only allow first-party scripts for fiprinca.0x90.eu. I also tried with 'behind the scenes' off. The log shows blocks for 'image' for all the links but the only css block is for 'https://fiprinca.0x90.eu/poc/min.css'

    uMatrix: Does not work.
    uBlock: (Works)
     
  6. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,868
    My rules are:
    Code:
    * * * block
    * * frame block
    * 1st-party css allow
    * 1st-party image allow
    0x90.eu fiprinca.0x90.eu script allow
    While your rule
    Code:
    * fiprinca.0x90.eu script allow
    indicates that you allowed scripts in fiprinca.0x90.eu triggered from any other source hostname because you obviously created it in the global scope but not in the domain-specific scope for 0x90.eu. This might explain the different behavior.
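
Added example, not part of any post in this thread and not uMatrix's own code: a simplified JavaScript model of the scope difference described in the post above. The lookup order (most specific destination cell first, then source scopes from narrow to broad), the two-label stand-in for the registrable domain, and the hostnames `news.example` and `ca-host.example` are assumptions made for illustration.

```javascript
// Simplified model of uMatrix-style rule scoping (illustrative only).
// "a.b.c" -> ["a.b.c", "b.c"]: a hostname and its broader parents.
const parents = (h) => {
  const p = h.split('.');
  return p.slice(0, -1).map((_, i) => p.slice(i).join('.'));
};
// Assumption: registrable domain = last two labels (no public suffix list).
const domainOf = (h) => h.split('.').slice(-2).join('.');

// Parse "source destination type action" lines into a lookup map.
function parseRules(text) {
  const rules = new Map();
  for (const line of text.trim().split('\n')) {
    const [src, dst, type, action] = line.trim().split(/\s+/);
    rules.set(`${src} ${dst} ${type}`, action);
  }
  return rules;
}

// Decide one request: pageHost is the scope, reqHost the destination.
function evaluate(rules, pageHost, reqHost, type) {
  const scopes = [...parents(pageHost), '*'];        // narrow -> global
  const dests = parents(reqHost);
  if (domainOf(pageHost) === domainOf(reqHost)) dests.push('1st-party');
  dests.push('*');
  for (const d of dests)
    for (const t of [type, '*'])
      for (const s of scopes) {
        const action = rules.get(`${s} ${d} ${t}`);
        if (action) return { action, rule: `${s} ${d} ${t} ${action}` };
      }
  return { action: 'block', rule: '(no rule matched)' };
}

const base = `* * * block
* * frame block
* 1st-party css allow
* 1st-party image allow`;
// Domain-scoped rule vs. the same cell created in the global scope.
const domainScoped = parseRules(base + '\n0x90.eu fiprinca.0x90.eu script allow');
const globalScoped = parseRules(base + '\n* fiprinca.0x90.eu script allow');

for (const [name, rules] of [['domain', domainScoped], ['global', globalScoped]]) {
  // A page on an unrelated (constructed) site pulling in the PoC host's script.
  const r = evaluate(rules, 'news.example', 'fiprinca.0x90.eu', 'script');
  console.log(`${name}-scoped: ${r.action} via "${r.rule}"`);
}
```

Under both rulesets a third-party image request made by the PoC page itself is still blocked; only the reach of the script rule differs.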
     
  7. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    That was an error.
    http://i.imgur.com/Siczitr.jpg
    However, if the script allow is domain specific and not global, either

    or subdomain specific

    The result is the same.
     
  8. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,868
    I also tried it in a new profile with uMatrix as the only installed add-on - and, unfortunately, I have to say now that I can replicate your findings. With those rules:
    Code:
    https-strict: * true
    matrix-off: about-scheme true
    matrix-off: chrome-extension-scheme true
    matrix-off: chrome-scheme true
    matrix-off: localhost true
    matrix-off: opera-scheme true
    referrer-spoof: * true
    referrer-spoof: wilderssecurity.com true
    * * * block
    * * frame block
    * 1st-party cookie block
    * 1st-party css allow
    * 1st-party image allow
    * 1st-party other block
    * 1st-party plugin block
    * 1st-party script block
    * 1st-party xhr block
    0x90.eu fiprinca.0x90.eu script allow
    behind-the-scene addons-discovery.cdn.mozilla.net css allow
    behind-the-scene addons-discovery.cdn.mozilla.net other allow
    behind-the-scene addons.cdn.mozilla.net image allow
    behind-the-scene addons.cdn.mozilla.net other allow
    behind-the-scene addons.mozilla.org image allow
    behind-the-scene addons.mozilla.org other allow
    mozilla.org addons.cdn.mozilla.net css allow
    mozilla.org addons.cdn.mozilla.net image allow
    mozilla.org addons.cdn.mozilla.net script allow
    mozilla.org addons.mozilla.org cookie allow
    mozilla.org addons.mozilla.org xhr allow
    mozilla.org mozilla.org script allow
    wilderssecurity.com www.wilderssecurity.com cookie allow
    wilderssecurity.com www.wilderssecurity.com script allow
    those CAs on https://fiprinca.0x90.eu/poc/ were identified - contrary to my normal profile. I'm puzzled :confused:

    Then I deactivated uMatrix, installed uBlock Origin, restarted Firefox and opened https://fiprinca.0x90.eu/poc/ with the following rules:
    Code:
    * * 3p block
    addons.mozilla.org mozilla.net * noop
    behind-the-scene * 3p noop
    behind-the-scene * 3p-frame noop
    Result: 0 certificates identified!

    I have no explanation for this different behavior.

    @gorhill : Can you, please, look into this issue?
     
  9. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    864
    Location:
    Canada
    uMatrix works fine. The logger shows all 3rd-party requests being blocked, and the network pane in Firefox's dev tools confirms this. I tried to find out what the page is doing but it's a horrible mess of code, I can't be bothered to make sense of that mess. Bottom line is that uMatrix is blocking as it should, as witnessed by Firefox's dev console if ever one does not trust uMatrix's logger.

    Edit: this is just a case of false positive for the proof of concept. If you check the option "Collapse placeholder of blocked elements" in uMatrix, there is no more false positive (when the option is not checked, uMatrix replaces blocked images with a data: URI image, thus causing the onLoad event to be issued for the image, something which the PoC relies on).

    The bigger problem here was to not look at the logger, and in doubt at the network pane in dev tools -- uMatrix is a network request blocker, the absolute immediate thing to do in case of doubt is to look at the logger and/or browser's network pane in dev tools.
     
    Last edited: Feb 27, 2017
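
Added example, not part of the thread and not uMatrix code: one way to carry out the check recommended in the post above, run over a HAR export saved from the browser's network pane, so that the verdict rests on what reached the network rather than on what the test page reports. It assumes a `response.status` of 0 marks a request that never received a response, uses the last two hostname labels as the registrable domain, and runs on constructed sample entries with placeholder hostnames.

```javascript
// Assumption: registrable domain = last two labels (no public suffix list).
const domainOf = (h) => h.split('.').slice(-2).join('.');

// Split third-party requests in a HAR log into those that got a response
// and those that did not. Non-HTTP(S) entries such as data: placeholder
// images never touch the network and are skipped.
function auditThirdParty(har, pageUrl) {
  const pageDomain = domainOf(new URL(pageUrl).hostname);
  const report = { reached: [], blocked: [] };
  for (const entry of har.log.entries) {
    const url = new URL(entry.request.url);
    if (url.protocol !== 'http:' && url.protocol !== 'https:') continue;
    if (domainOf(url.hostname) === pageDomain) continue;   // first party
    const bucket = entry.response.status > 0 ? report.reached : report.blocked;
    bucket.push(url.hostname);
  }
  return report;
}

// Constructed sample: the page, its stylesheet, two blocked third-party
// image requests, and the data: URI placeholder shown in their place.
const blockedSession = { log: { entries: [
  { request: { url: 'https://fiprinca.0x90.eu/poc/' }, response: { status: 200 } },
  { request: { url: 'https://fiprinca.0x90.eu/poc/min.css' }, response: { status: 200 } },
  { request: { url: 'https://ca-one.example/favicon.ico' }, response: { status: 0 } },
  { request: { url: 'https://ca-two.example/favicon.ico' }, response: { status: 0 } },
  { request: { url: 'data:image/png;base64,AAAA' }, response: { status: 200 } },
] } };

// Constructed sample with blocking disabled: one third-party host answers.
const openSession = { log: { entries: [
  { request: { url: 'https://fiprinca.0x90.eu/poc/' }, response: { status: 200 } },
  { request: { url: 'https://ca-one.example/favicon.ico' }, response: { status: 200 } },
] } };

const page = 'https://fiprinca.0x90.eu/poc/';
console.log('blocking on :', auditThirdParty(blockedSession, page));
console.log('blocking off:', auditThirdParty(openSession, page));
```

An empty `reached` list alongside a non-zero count on the test page indicates that the page counted something other than a completed third-party request.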
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    37,137
    Yes, uMatrix works fine. As long as 3rd-party requests are being blocked, no certificate should be detected.
    In my previous attempts no CA was identified: #604
    Then I tried your rules in a fresh profile, and now CAs were identified :ninja:

    Then I fiddled around with some settings, and I found out that if I untick all options on the first page of the uMatrix-settings:
    = CAs were identified.
    If I tick the option to show the number of requests on the uMatrix-icon and the option below that option (nothing else was changed, and the rules are the same):
    = no CA identified
    o_O
    I tried it again:
    default settings + your rules and ticked settings on the first page of uMatrix-settings = no CA identified
    Unticking of the settings in uMatrix leads to = CAs were identified
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,868
    As a matter of fact I had looked at the logger (but forgot to mention) which showed, indeed, that all 3rd-party requests were blocked. That's why I was so surprised that those certificates were identified. But @mood found out why:

    I can reproduce this! :thumb: In my normal profile (where 0 certificates were identified) those settings are ticked. In the new test profile they weren't - and certificates were identified. Once I ticked them, 0 certificates were identified which matches the results in my normal profile.

    So the question is: How can ticking/unticking those settings (which should only have a visual effect) make such a difference?
     
  12. Heimdall

    Heimdall Registered Member

    Joined:
    Jul 29, 2009
    Posts:
    185
    Is there a description of what "Collapse placeholder of blocked elements" actually does/how it works? For me it's really quite confusing. What I see, is a web page showing elements that are apparently being blocked in the logger. Whereas, with uBlock, the same apparent log entries exist and the web page elements are also blocked correctly.
     
  13. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    37,137
    After reading in the uBlock-thread about the "wyciwyg:"-issue:
    ... i noticed it in uMatrix too.
    After visiting the website i can see "0.wyciwyg-scheme" in the matrix:
    Firefox_(wyciwyg).png
     
  14. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    37,137
    It has been implemented in the latest Pre-Release of uMatrix. So the next release-version of uMatrix will definitely have this feature.
     
  15. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,868
    Yes, I've noticed that. This change was actually already implemented in v. 0.9.9b7. It's highly appreciated. However, I still have to check if the previously mentioned problem - that non-default hosts files were not automatically updated - is now solved.
     
  16. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,868
    It seems that it's not solved (I'm using v. 0.9.9b12 on Firefox). As a matter of fact no hosts file at all (including the default ones) had been updated for 6 days (automatic updates are enabled, of course). Only after clearing the cache I was able to manually update them. This is strange as it's working flawlessly in uB0.

    Can anybody confirm?
     
  17. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    37,137
    8 days ... :cautious:
    uMatrix 0.9.9b12 - Chrome
     
  18. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    37,137
  19. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    3,795
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    37,137
    The reason for this was posted in the uBlockO-thread, I think I'm gonna post it here too. So that all users of uMatrix are aware of it:
     
  21. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    966
  22. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    37,137
  23. Big Mike

    Big Mike Registered Member

    Joined:
    Apr 18, 2015
    Posts:
    17
    Hi,
    I'm using uMatrix with Vivaldi and it works perfectly in the "normal" view. But Vivaldi has the ability to add "Web Panels" to the side bar, which are displayed in a smaller panel on the left. The requests for these Web Panels are interpreted as "behind-the-scene" and therefore not processed by uMatrix by default.
    That's a pity, but actually I'm a bit afraid of changing the settings for behind-the-scene requests.
    Would there be the possibility to differ behind these requests and other behind-the-scene requests in a future version or is this not possible?

    Kind regards
    Michael
     
  24. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,868
    Since @gorhill has closed the issue tracker on his github site I'm reporting a problem here. I'm using v. 1.0.1b3 on Firefox Nightly 57.0a1 and noticed an issue that occurs on any sites where the matrix is that large that the scrollbar becomes visible. Now if I'm scrolling down to the lower part of the matrix using the scrollbar and then move the cursor from the scrollbar into the matrix it immediately scrolls up again. So this means that cells that are below the lower part of the matrix window are no longer approachable.

    This problem didn't occur with FF54. Resetting uMatrix to its defaults didn't help.

    EDIT: Correction: The problem also occurs with FF54. I hadn't noticed it in earlier uMatrix versions, though.
     
  25. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    864
    Location:
    Canada
    I would be ready to reopen the issue tracker if one or more people are willing to sort/validate the issue tracker, I just do not have the time to deal with the too many invalid issues which are opened regardless of what is asked from submitter. Too many invalid issues are caused by users' own ruleset, despite warning that the extension is for advanced users able to deal with such ruleset issues.
     