Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Mozilla privacy bug
View unanswered posts
View posts from last 24 hours

Goto page 1, 2  Next  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
SQLBoy
Guru
Guru


Joined: 17 Aug 2002
Posts: 381

PostPosted: Mon Sep 16, 2002 1:27 pm    Post subject: Mozilla privacy bug Reply with quote

This was posted on slashdot.org today and I figured I would pass it on. This page has the bug and the fix. I put these lines in the
/usr/lib/mozilla/defaults/pref/all.js file

Code:

pref("network.http.sendRefererHeader", 0);
pref("capability.policy.default.Window.onunload", "noAccess");


Here is the link:
http://members.ping.de/~sven/mozbug/refcook.html

Matt
Back to top
View user's profile Send private message
rac
Bodhisattva
Bodhisattva


Joined: 30 May 2002
Posts: 6553
Location: Japanifornia

PostPosted: Mon Sep 16, 2002 5:57 pm    Post subject: Reply with quote

Yet another reason to turn off Javascript.
_________________
For every higher wall, there is a taller ladder
Back to top
View user's profile Send private message
SQLBoy
Guru
Guru


Joined: 17 Aug 2002
Posts: 381

PostPosted: Mon Sep 16, 2002 6:01 pm    Post subject: Reply with quote

Yeah, I know. I wish I could turn it off myself but I need it for a couple sites. What would be cool if Galeon would let you actually specify "javascript" sites and block it on all other sites.
Back to top
View user's profile Send private message
infox
n00b
n00b


Joined: 14 Sep 2002
Posts: 14

PostPosted: Mon Sep 16, 2002 8:15 pm    Post subject: Reply with quote

I would setup a http proxy such as oops. I use this at home and I am not affected by this bug, and its quite nice along with junkbuster.
Back to top
View user's profile Send private message
pilla
Administrator
Administrator


Joined: 07 Aug 2002
Posts: 7695
Location: Pelotas, BR

PostPosted: Mon Sep 16, 2002 11:04 pm    Post subject: Reply with quote

I've tried to reproduce the bug using the link in Slashdot, but wasn't able. Running mozilla 1.0-r3
Back to top
View user's profile Send private message
rojaro
l33t
l33t


Joined: 06 May 2002
Posts: 732

PostPosted: Tue Sep 17, 2002 1:54 pm    Post subject: Reply with quote

there is no need to disable javascript completely. adding the following line is fully sufficient.

Code:
pref("capability.policy.default.Window.onunload", "noAccess");


disabling the sendRefererHeader function will result in lots of dynamic websites not working for you.
_________________
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)
Back to top
View user's profile Send private message
rac
Bodhisattva
Bodhisattva


Joined: 30 May 2002
Posts: 6553
Location: Japanifornia

PostPosted: Tue Sep 17, 2002 5:30 pm    Post subject: Reply with quote

rojaro wrote:
there is no need to disable javascript completely.

I maintain that the security model of Javascript is broken as designed, and in my opinion it allows people who write websites to run arbitrary code on your machine under the user id of your browser. I do not remember one single security-related problem ever discovered in any web browser that could not have been completely avoided by turning Javascript off.
_________________
For every higher wall, there is a taller ladder
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 18258

PostPosted: Tue Sep 17, 2002 5:35 pm    Post subject: Reply with quote

Unfortunately, turning javascript off can make browsing non-functional :(
_________________
Eat recycled food. It's good for the environment and okay for you.
Back to top
View user's profile Send private message
Naan Yaar
Bodhisattva
Bodhisattva


Joined: 27 Jun 2002
Posts: 1549

PostPosted: Tue Sep 17, 2002 6:42 pm    Post subject: Reply with quote

Are we forgetting ActiveX here :)?
rac wrote:
...I do not remember one single security-related problem ever discovered in any web browser that could not have been completely avoided by turning Javascript off.
Back to top
View user's profile Send private message
rac
Bodhisattva
Bodhisattva


Joined: 30 May 2002
Posts: 6553
Location: Japanifornia

PostPosted: Tue Sep 17, 2002 7:07 pm    Post subject: Reply with quote

Naan Yaar wrote:
Are we forgetting ActiveX here :)?

Excuse me. Is it possible to turn off ActiveX? I've never used MSIE or Windows.
_________________
For every higher wall, there is a taller ladder
Back to top
View user's profile Send private message
Naan Yaar
Bodhisattva
Bodhisattva


Joined: 27 Jun 2002
Posts: 1549

PostPosted: Tue Sep 17, 2002 7:25 pm    Post subject: Reply with quote

You can disable ActiveX in MSIE in addition to Javascript and Java. ActiveX is a bad idea.
rac wrote:
...Excuse me. Is it possible to turn off ActiveX? I've never used MSIE or Windows.
Back to top
View user's profile Send private message
rizzo
Retired Dev
Retired Dev


Joined: 30 Apr 2002
Posts: 1067
Location: Manitowoc, WI, USA

PostPosted: Wed Sep 18, 2002 2:39 pm    Post subject: Reply with quote

rac wrote:
I've never used MSIE or Windows.


You've never used Windows? You, sir, are my hero.
Back to top
View user's profile Send private message
pilla
Administrator
Administrator


Joined: 07 Aug 2002
Posts: 7695
Location: Pelotas, BR

PostPosted: Wed Sep 18, 2002 3:05 pm    Post subject: Reply with quote

A virgin.... he's pure 8)

rizzo wrote:
rac wrote:
I've never used MSIE or Windows.


You've never used Windows? You, sir, are my hero.
Back to top
View user's profile Send private message
rojaro
l33t
l33t


Joined: 06 May 2002
Posts: 732

PostPosted: Wed Sep 18, 2002 5:22 pm    Post subject: Reply with quote

rac wrote:
rojaro wrote:
there is no need to disable javascript completely.

I maintain that the security model of Javascript is broken as designed, and in my opinion it allows people who write websites to run arbitrary code on your machine under the user id of your browser. I do not remember one single security-related problem ever discovered in any web browser that could not have been completely avoided by turning Javascript off.


thats a pretty harsh view ... because you could say the same about ANY and EVERY piece of software ever made ... so if one's scared about "new" technologies like javascript as in our example (or .NET, Java, C++, Perl, PHP etc), one shouldnt use computers at all ... avoiding an trafficaccident by not using cars wont solve the problem of traffic accidents in general ... dont fear - just master the technology before it masters you
_________________
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 18258

PostPosted: Wed Sep 18, 2002 5:45 pm    Post subject: Reply with quote

rojaro wrote:
avoiding an trafficaccident by not using cars wont solve the problem of traffic accidents in general
No, but I could certainly choose to not drive a car from a particular manufacturer that had a history of safety problems.
_________________
Eat recycled food. It's good for the environment and okay for you.
Back to top
View user's profile Send private message
Naan Yaar
Bodhisattva
Bodhisattva


Joined: 27 Jun 2002
Posts: 1549

PostPosted: Wed Sep 18, 2002 5:45 pm    Post subject: Reply with quote

There is a clear difference between technologies that you choose to run explicitly on your computer and stuff that creeps in insidiously through your browser. Using a web-browser as an program delivery mechanism is fraught with risks, as evidenced by the number of security issues with Javascript/ActiveX/Flash/Java...

The issue is not the technology itself; rather whether it is delivered and used within reasonable security constructs.
rojaro wrote:
...
thats a pretty harsh view ... because you could say the same about ANY and EVERY piece of software ever made ... so if one's scared about "new" technologies like javascript as in our example (or .NET, Java, C++, Perl, PHP etc), one shouldnt use computers at all ... avoiding an trafficaccident by not using cars wont solve the problem of traffic accidents in general ... dont fear - just master the technology before it masters you
Back to top
View user's profile Send private message
dioxmat
Bodhisattva
Bodhisattva


Joined: 04 May 2002
Posts: 709
Location: /home/mat

PostPosted: Wed Sep 18, 2002 6:06 pm    Post subject: Reply with quote

btw, do disable js on the fly, have a look at http://xulplanet.com/downloads/prefbar/
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 18258

PostPosted: Wed Sep 18, 2002 6:23 pm    Post subject: Reply with quote

dioxmat wrote:
disable js on the fly
Galeon users can select 'Settings" -> "Allow Java" or "Allow JavaScript". I didn't see anything in Mozilla.
_________________
Eat recycled food. It's good for the environment and okay for you.
Back to top
View user's profile Send private message
rojaro
l33t
l33t


Joined: 06 May 2002
Posts: 732

PostPosted: Wed Sep 18, 2002 6:24 pm    Post subject: Reply with quote

kanuslupus wrote:
rojaro wrote:
avoiding an trafficaccident by not using cars wont solve the problem of traffic accidents in general
No, but I could certainly choose to not drive a car from a particular manufacturer that had a history of safety problems.


hehe ... name ONE car manufacturer which never called back a modell due to construction/technical design problems ... :)
_________________
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 18258

PostPosted: Wed Sep 18, 2002 6:26 pm    Post subject: Reply with quote

Having a history of problems vs. a few, or minor problems, is a big difference. I didn't say zero problems.
_________________
Eat recycled food. It's good for the environment and okay for you.


Last edited by pjp on Wed Sep 18, 2002 6:26 pm; edited 1 time in total
Back to top
View user's profile Send private message
rojaro
l33t
l33t


Joined: 06 May 2002
Posts: 732

PostPosted: Wed Sep 18, 2002 6:26 pm    Post subject: Reply with quote

kanuslupus wrote:
dioxmat wrote:
disable js on the fly
Galeon users can select 'Settings" -> "Allow Java" or "Allow JavaScript". I didn't see anything in Mozilla.


Edit -> Preferences -> Advanced -> Scripts & Plugins

"Enable Javascript for" [x] Navigator
_________________
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 18258

PostPosted: Wed Sep 18, 2002 6:27 pm    Post subject: Reply with quote

That is a bit more involved than 'on the fly' suggests IMO. Thanks for pointing it out though.
_________________
Eat recycled food. It's good for the environment and okay for you.
Back to top
View user's profile Send private message
dioxmat
Bodhisattva
Bodhisattva


Joined: 04 May 2002
Posts: 709
Location: /home/mat

PostPosted: Wed Sep 18, 2002 6:28 pm    Post subject: Reply with quote

kanuslupus wrote:
dioxmat wrote:
disable js on the fly
Galeon users can select 'Settings" -> "Allow Java" or "Allow JavaScript". I didn't see anything in Mozilla.


hence this prefbar.
the pref is buried in Edit > Preferencse > Advanced. this prefbar, which kicks ass btw, allows quik modifications of just about any pref, among other things.
Back to top
View user's profile Send private message
rojaro
l33t
l33t


Joined: 06 May 2002
Posts: 732

PostPosted: Wed Sep 18, 2002 7:48 pm    Post subject: Reply with quote

yeah, prefbar rocks ... especially those little features which allow to change the useragent on the fly and enabling/disabling popup's and java
_________________
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)
Back to top
View user's profile Send private message
rac
Bodhisattva
Bodhisattva


Joined: 30 May 2002
Posts: 6553
Location: Japanifornia

PostPosted: Wed Sep 18, 2002 9:43 pm    Post subject: Reply with quote

@rizzo re: my Windows virginity. Actually, I did use Windows 1.0 or 2.0 (definitely pre-3.1) for about six weeks once in late 1988, because it was the way to get PageMaker running on the DOS machines at work.

rojaro wrote:
so if one's scared about "new" technologies like javascript as in our example (or .NET, Java, C++, Perl, PHP etc), one shouldnt use computers at all

As Naan Yaar pointed out (probably more eloquently than I am going to here), there are differences, and it's the mode of deployment that bothers me.

.NET I don't know enough about to evaluate, but I understand the rudiments of SOAP and XML-RPC, and as much as I admire Dave Winer (I bought Frontier 1.0, still have the cow-skull T-shirt to prove it, and was a rabid Frontier hacker and evangelist for a few years), and as cool hacks as they are, the security of those protocols does indeed give me cause for concern.

Java has security built into the design of the language. The privilege system is strong, the sandbox is part of the VM, and illegal instructions and buffer overflows and such are avoided by disallowing pointer access to raw memory. Comparing Java and Javascript (just in case anyone following this thread is unaware of the history, JavaScript (I think it was called LiveScript originally) was a Netscape thing and has absolutely nothing whatsoever to do with Java - some marketroids at Netscape decided that putting "Java" in the name made it sound better) is a good exercise. Java was designed to run untrusted code in a secure manner. Javascript is designed to allow authors of web pages to remotely control operation of the browser's software.

As far as C++, Perl and PHP go, where they are used on the web, they run on the server. I see only the HTML that they output. HTML is not code that executes on my system. HTML is data that is rendered by my browser. There is no security implication. If you are referring to security problems on the server side, this is a different discussion (and I will be glad to have it somewhere, if you wish).

Many security exploits refer to the ability of a remote attacker to execute arbitrary code on the exploited machine. If I compile and install source code with "emerge", I am choosing to trust the Gentoo ebuild maintainer, and whoever runs the mirror I am downloading from. There is accountability of a sort - if there is a problem, I know where to turn to report it, and I have the source code so that I can figure out what is happening.

If I open a URL in my browser, it will give me a file to save on my system and do whatever I want to do with it, or it will render HTML in a window for me. If I have Java enabled, it may download some applets and run them in a sandbox. If, on the other hand, I have Javascript turned on, the simple act of accessing a URL with my browser potentially gives the author of that web page the ability to execute arbitrary code on my computer under my username with the privileges of that account. That is not acceptable to me.

I don't care if it makes the browsing experience less rich or easy. For example, I have to type the smilies in my posts, because clicking on them doesn't do anything. Any website that makes some content only available if a browser has enabled Javascript is poorly written, IMO, and I avoid them. Sometimes I write them a letter explaining this position.

Note that I am not trying to eradicate Javascript from the face of the planet. If people want to use it, and people want to write it, that's fine. Where I get angry is when people who create web pages choose to block access to people because they do not enable Javascript, even when there is no good technical reason for doing so. Case in point: Javascript menus that do not degrade to normal HTML links. I see absolutely no reason for this except rudeness, laziness, or ignorance.
_________________
For every higher wall, there is a taller ladder
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum