Zone Alarm Pro leaks privacy info

Discussion in 'other firewalls' started by TopperID, Oct 1, 2004.

Thread Status:
Not open for further replies.
  1. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I have just installed Zone Alarm Pro, but when I tried the Browser test and Quick test at PC Flank (http://www.pcflank.com/about.htm) ZAP failed them. Apparently it leaks info to web sites of other sites you have visited. I contacted ZoneLab but they say nothing can be done to configure ZAP to prevent this security leak.

    I never had this problem with Norton Personal 2003 FW which always passed the test. Unfortunately I had other problems with Norton (and their disgracefully bad Technical support!) and so had to ditch it. But does anyone know of a good alternative firewall that will pass the PC Flank tests?
     
  2. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    In my opinion that is no big deal. If you want to pass the test you will need a program like adsubtract pro. Zonealarm pro may have a setting you can adjust to pass this test. It's called a referrer I believe.
     
  3. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    I have ZAPro and just did the test.... my results were -


    The following was sent to your computer
    * TCP ping packet
    * TCP NULL packet
    * TCP FIN packet
    * TCP XMAS packet
    * UDP packet

    Here is the description of possible results on each sent packet:
    "Stealthed" - Means that your system (firewall) has successfully passed the test by not responding to the packet we have sent to it.
    "Non-stealthed" - Means that your system (firewall) responded to the packet we have sent to it. What is more important, is that it also means that your computer is visible to others on the Internet that can be potentially dangerous.

    Packet type / Status
    TCP "ping" stealthed
    TCP NULL stealthed
    TCP FIN stealthed
    TCP XMAS stealthed
    UDP stealthed

    Recommendation:

    Your computer is invisible to the others on the Internet!
     
  4. Mr2cents

    Mr2cents Registered Member

    Joined:
    Sep 18, 2004
    Posts:
    497
    Topper, I went to zonealarm's website. I believe zonealarm pro blocks referrers. It's called "id lock". Make sure you have that checked. Make sure you don't check block all cookies, cuz you won't be able to access a lot of websites. I couldn't find a screenshot on their website, and I'm not a zone alarm user.

    If there is no .. id lock.. to check, maybe another zonealarm user can help you. If you didn't have any open ports during your test I wouldn't worry. I haven't been able to pass the referrer test in 2 years lol. According to their website, only 25% pass the referrer tests.
     
  5. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    If u are storing in ur computer private information such as personal, financial, etc. u need to enter this info. in ZAP's "my vault", then ur ID lock can be set in "Main". To do this, bring ZAP on ur screen, then click on ID Lock.
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Yes it is the 'Referrer' that is causing the problem. ZAP will pass all the stealth tests but not the browser test. Unfortunately you cannot configure ZAP to pass this privacy test. I block/allow cookies depending on what site I'm going to - for the purpose of the test I had cookies blocked in IE.

    My point is that Norton passed the test and ZAP did not. I can't (and won't!) go back to Norton because when things go wrong (in my case Live Update stopped working and downloading another one didn't help) dealing with Norton customer services is like banging your head on a brick wall!

    I am now using KAV 5, which I am pleased with, and I am looking for a suitable good firewall. I'm not entirely satisfied with ZAP 5.1 and I'm wondering if anyone can recommend one that will pass the PC Flank privacy test?

    Interestingly, PC Flank suggest covering yourself for this test by getting a good firewall!
     
  7. Alec

    Alec Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    355
    Location:
    Dallas, TX
    It is the referrer field, and yes, I also noticed that PC Flank suggested the use of a personal firewall to block this information. The problem, however, is that the "referer" field is part of the HTTP protocol as defined by W3C (misspelled in the spec). It was purposely included in the specification, and was meant to be included in every HTTP request header. So, it really is a matter of opinion as to whether it should be blocked or not. Just as some people see it as a big deal and others do not, likewise some personal firewall vendors see it as a big deal and some do not.

    As you say, I don't believe that Zone Alarm provides an option to intercept it. Zone Labs either may not view it as a big deal or they may view it as not properly part of the firewalling functionality. There is some merit in the view that, whether valid information gets sent in the referrer field or not is really more properly a choice to be made in one's web browser configurations. I believe some alternative browsers offer such a privacy choice, although I don't believe that Internet Explorer does. I also believe there are some other third party utilities and web filtering programs that will null out the referrer field. To me, it's just not that big of a deal.
     
  8. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    If you block the referral headers then you are asking for trouble as any properly configured website will reject you.

    It is a big mistake to have referral headers blocked as no vital information is passed on and when the referral headers are blocked with misconfigured firewalls like Norton then problems abound.

    We see more cases of people having problems with being unable to get to websites due to this than any other reason.

    The sites that are blocked to you include almost all secure sites, most online bank sites, windows update, most e-commerce sites and a whole list of forums and security sites so take your choice and be unable to use the internet properly or unblock a non-existent so called privacy risk.

    And as a matter of interest I find the PC Flank tests to be utterly useless as they are unable to test any computer where the ISP uses an inline proxy server to connect, that rules out over half the ISPs in the UK and many in the US and that is without knowing anything about any ISP in other countries.
     
  9. nod32_9

    nod32_9 Guest

    Could be the way you configured IE or setup ZA. I don't have any problem with FF 0.9x or MyIE.

    Put a check mark next to the top five items in COOKIE CONTROL. Set Ad Blocking to HIGH. Turn on Mobile Code Control. Verify ZA's Program Control is set to HIGH. Do not allow any program SERVER right. Reboot and retest system.
     
  10. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I can confirm that the 'problem' cannot be addressed by tighter configuration of either ZAP or Internet Explorer.

    I have to say that I never experienced any difficulty going to secure sites using Norton, which did block the leak. But even if it is a theoretical problem, you can always reconfigure your FW should you wish. The point is that with ZAP you do not have the option!

    So my question remains - what GOOD firewall does pass the PC Flank test?
     
  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    You have been fortunate in your experiences then. Having used Norton quite a bit, the referer blocking (enabled by default) will impact on the functionality of many sites as Derek noted. Allowing referer is not something I would consider a leak, but as has been mentioned already by Alec you will have varying opinions on this.

    From what I have seen posted elsewhere, there are still some issues with ZAP v5.x and the handling of referer.

    A GOOD firewall has to block referer o_O Again a matter of opinion what a firewall should or should not do ;)

    Of the firewalls that provide this ability the one you no longer wish to use, and probably had the best ability to configure it for those that took the time to learn (but therein lies the problem Derek mentions and the problems that result from misconfiguration).

    Regards,

    CrazyM
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    For control over referrers (and other data supplied by your browser) consider using a specialised web filter like Proxomitron. While it does take some time to get to grips with, the filters included can alter referrer ID to the domain of the site you're visiting (which will allow you to download images from those sites that do check referrers like Tom's Hardware or FiringSquad) as well as other details like Browser/OS version, IP address, screen resolution, etc.

    PC Flank really just touches the surface in terms of showing browser details - try a site like Privacy.net's Analyse Your Connection or (the most detailed I've come across) BrowserSpy to see what information your browser can give up.
     
  13. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I've had a look at those interesting links and I've come to the conclusion that I run a pretty tight system. What I'd love to know is PRECISELY what information PC Flank claims I am leaking to it. It is all very well saying I'm leaking private information about sites I've visited, but it doesn't list that info so maybe it doesn't amount to much at all!

    I hope this isn't a case of PC Flank unnecessarily worrying those without the knowledge just to ignore it.
     
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Referrers can be a privacy issue in some circumstances. If you are allowing cookies from third party sites (advertisers specifically) then they can identify (using web bugs and referrers) which sites you came from and thereby build up a (partial) picture of your online activities.

    When providing a simplified picture (which PC Flank and most other scan sites do), it is better to err on the side of caution.
     
  15. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Zone Alarm Pro, to its credit, does allow you to disable web bugs and remove header information from cookies, but in any case when I took the PC Flank test I had cleared 'History' from IE, deleted all cookies and set IE to block any further cookies. So I assume the test was referring to some other source of info, but I really don't know what!
     
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    PC Flank is reporting that Referrers were enabled - nothing else. If you clicked on the "Analyse..." link I gave above, it would have told you exactly what value the referrer was (it should have been this site).

    My previous post was about the problems of referrers combined with other techniques like web bugs and cookies. If you see no problem with sites knowing where you came from (if you reached them by clicking a link) then ignore it.
     
  17. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    My browser and ZAP settings were obviously too high; but I switched off Mobile Code Control settings in ZAP and went back to the 'Analyse' link. It still could not tell me where I had linked from. Presumably because I had blocked persistent cookies in ZAP (though session cookies were enabled). So perhaps the upshot of this is that ZAP is doing a better job than I thought!

    Theoretical leakage doesn't matter if you've nothing there to leak.

    One thing that still confuses me is that ZAP itself keeps a list of sites I visit in a session and I assume that info is elsewhere in my machine, even when I use CrapCleaner, MRUBlaster and ZAP's own cache cleaner I cannot clear this list. Does the 'Referrer' give access to lists like this, or is it only telling where you linked from (ie your last site)?
     
  18. Firefoxguy

    Firefoxguy Guest

    Yes, blocking referrers will cause trouble with some sites. Especially those that check your referrer before they allow you access to files for download etc. to prevent bandwidth theft.

    But the thing is, referrer strings can be easily forged and proxomitron does it for example.

    Firefox does allow you to block all referrers but with the problems mentioned above.

    There is a patch which selectively blocks referrers for firefox, which I believe gives you the best combination of privacy and functionality. The following build already has the patch incorporated.

    http://www.pryan.org/mozilla/firefox/amano/



    NOTES FOR THE REFERRER FEATURE (TAKEN FROM THE MODIFIED ALL.JS SOURCECODE):
    ------------------------------------------------------------------------------
    pref("network.http.sendRefererHeader", 2);

    // Controls how and when the referrer header will be sent:
    // 0 - Never send the referrer.
    // 1 - Send the actual referrer only for user initiated actions.
    // 2 - Send for actual referrer for both user initiated actions and inline
    // content.
    // 3 - Not currently used.
    // 4 - Send the actual referrer, only to the same home. Send nothing to 3rd
    // parties.
    // 5 - Send the actual referrer to the same host. Send the modified
    // referrer (base URL only) to 3rd parties.
    // 6 - Send the actual referrer to all hosts, but strip off the path for 3rd
    // party requests.
    // 7 - Always send the modified referrer.

    pref("network.http.referrerSchemeOverride", false);

    // If true, the modified referrer will be sent for schemes which
    // normally wouldn't send a referrer, such as file: and resource:

    Settings 4-7 are not available in the original Firefox.
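
The `sendRefererHeader` values listed in the post above, modelled as a small function so the effect of each setting on a third-party "web bug" request can be compared with a same-host link click. This is an added example, not part of the original post and not the patch's own code; the hostnames are constructed, and the reading of "same host" (identical hostname) and "modified referrer" (scheme and host only) is an assumption.

```javascript
// Added illustration, not the patch's source. Assumptions: "same host" means an
// identical hostname; the "modified referrer" is scheme://host/ of the referring
// page; modes 4-7 apply to link clicks and inline content alike.
const PAGE = 'http://forum.example/showthread.php?t=12345#post7'; // constructed
const WEB_BUG = 'http://ads.example/pixel.gif';                   // constructed third party
const SAME_SITE = 'http://forum.example/index.php';               // constructed same host

// Returns the Referer value a browser would send, or null for "header omitted".
function refererFor(mode, fromUrl, toUrl, userInitiated) {
  if (!fromUrl) return null; // typed URL or bookmark: there is no referring page
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // referrerSchemeOverride=false: only http(s) pages produce a referrer here.
  if (!['http:', 'https:'].includes(from.protocol)) return null;
  const full = from.origin + from.pathname + from.search; // fragment is never sent
  const base = from.origin + '/';
  const sameHost = from.hostname === to.hostname;
  switch (mode) {
    case 0: return null;
    case 1: return userInitiated ? full : null;
    case 2: return full;
    case 4: return sameHost ? full : null;
    case 5: // the notes describe 5 and 6 almost identically; modelled the same
    case 6: return sameHost ? full : base;
    case 7: return base;
    default: throw new RangeError(`mode ${mode} is not defined in the notes`);
  }
}

// What each mode reveals to a third-party inline request versus a same-host click.
function compareModes() {
  return [0, 1, 2, 4, 5, 6, 7].map((mode) => ({
    mode,
    toThirdPartyInline: refererFor(mode, PAGE, WEB_BUG, false),
    toSameHostClick: refererFor(mode, PAGE, SAME_SITE, true),
  }));
}

console.table(compareModes());
```

With the default value 2 the third-party host receives the full thread URL including its query string; modes 4 to 7 keep same-host referrer checks working while sending the third party nothing or only the base URL.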
     
  19. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The "linked from" information is from the referrer - nothing else.
    The referrer (as has been stated several times in this thread) gives the previous site you visited only and only if you followed a link to reach the current site - if you typed the URL in the address bar then the referrer should be blank.

    If ZA is keeping its own list of sites visited, then you should contact ZoneLabs or use their forum to find out how to delete it. This should not normally be accessible to websites (i.e. if you're not using Internet Explorer you should be OK - if you are, there have been past vulnerabilities allowing malicious websites to access any file on your system and there are still unpatched vulnerabilities with the latest fixes).
     
  20. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Well that seems pretty clear then; if the Referrer is only giving info of the site you linked from, I really don't see it as a problem.

    The list of sites visited kept by ZAP (ie the Privacy Site List) can be easily removed from ZAP by right clicking in the usual way. I merely wondered if ZAP itself was getting that list from somewhere else in my machine, but judging by what's been said that seems unlikely.

    My mind has now been put at rest by the contents of this thread!
     