+ Reply to Thread
Page 4 of 15 FirstFirst ... 2345614 ... LastLast
Results 46 to 60 of 223

Thread: CSS History Leak and how to prevent it even with enabled history [Firefox & Opera]

  1. #46
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,386
    Activity Longevity
    11/20 19/20
    Today Posts
    5/5 ssss39386
    "Empty Temporary Internet Files folder when browser is closed" by clicking in the empty check box.
    Doesn't that just clear the cache?

    You could set IE to remember the history for "0" days, though.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  2. #47

    Join Date
    27.03.09
    Location
    Earth
    P2P Client
    SB-I
    Posts
    267
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 ssssss267
    There is an option in FF to also clear all history when you close it...The only thing I see that it will help is if you browse SB-I after you browse trackers beause if you browse SB-I before trackers than they can still see you...

    I use Private Browsing in FF for security, that should prevent trackers to see where I have visted.

    Is there a way to have both Private and Normal mode up at the same time in FF?

    I tried to open up normal with private still on and the new browser turned private...
    Reply With QuoteReply With Quote
    Thanks

  3. #48
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,386
    Activity Longevity
    11/20 19/20
    Today Posts
    5/5 ssss39386
    Quote Originally Posted by Dynamic View Post
    Is there a way to have both Private and Normal mode up at the same time in FF?
    You can't. But you can still keep a separate profile for SB-I, set to delete private data after closing, and another one for trackers, and using different profiles at the same time is possible.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  4. Who Said Thanks:

    anonftw (20.07.09)

  5. #49

    Join Date
    20.04.09
    Posts
    154
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 ssssss154
    Hi, I always keep history disabled on firefox, is that enough to keep me safe then? The only option i have ticked there is "remember what i've downloaded".
    Reply With QuoteReply With Quote
    Thanks

  6. #50

    Join Date
    20.07.09
    Posts
    56
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 sssssss56
    Quote Originally Posted by Haggar View Post
    Hi, I always keep history disabled on firefox, is that enough to keep me safe then? The only option i have ticked there is "remember what i've downloaded".
    Yeah, I think you should be safe.
    However, visit these websites below and make sure your browsing history isn't there ("0 pages found")

    Sniffing Browser History: A Live Example
    Sniffing Browser History with NO Javascript!


    After I search more about this issue, I find that this is an old bug, reported in 2002 by David Baron for Firefox browser.

    Bug 147777 - :visited support allows queries into global history
    https://bugzilla.mozilla.org/show_bug.cgi?id=147777

    Unfortunately, the userContent.css method only fix the CSS attack, but to disable javascript attack you have to use NoScript extension.
    If you don't want to use NoScript extension, here's the easy way to fix this bug (Firefox only) :



    - Type about:config in the address bar
    - In the filter list, type layout.css.visited_links_enabled
    - The default value is true, we must change the value to false
    - Right click layout.css.visited_links_enabled and choose Toggle, this will change the status to user set and value to false
    - Restart your firefox

    I already test this method against the websites below and the history scan gives 0 result,
    so this method should work against javascript and css attack.
    Javascript Attack : Sniffing Browser History: A Live Example
    CSS Attack : Sniffing Browser History with NO Javascript!
    Reply With QuoteReply With Quote
    Thanks

  7. Who Said Thanks:

    Lucius (06.08.11) , Socialdemo (16.04.11) , BrianBosworth (11.04.11) , mmmmm (23.02.10) , SealLion (16.01.10) , Blocker (17.12.09) , GotIt (08.12.09) , KalPenn (02.09.09) , combine (29.08.09) , Tarantino (28.07.09) , capito (22.07.09) , kelly (21.07.09) , cutiepie (21.07.09) , Haggar (20.07.09) , alpacino (20.07.09) , anonftw (20.07.09) , anon (20.07.09)

  8. #51
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,386
    Activity Longevity
    11/20 19/20
    Today Posts
    5/5 ssss39386
    Quote Originally Posted by Zorvak View Post
    After I search more about this issue, I find that this is an old bug, reported in 2002 by David Baron for Firefox browser.

    Bug 147777 - :visited support allows queries into global history
    https://bugzilla.mozilla.org/show_bug.cgi?id=147777

    Unfortunately, the userContent.css method only fix the CSS attack, but to disable javascript attack you have to use NoScript extension.
    If you don't want to use NoScript extension, here's the easy way to fix this bug (Firefox only) :

    ...
    Great work. I think I'll add this to the announcement.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  9. #52

    Join Date
    02.03.09
    Posts
    69
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 sssssss69
    Quote Originally Posted by Zorvak View Post
    - Type about:config in the address bar
    - In the filter list, type layout.css.visited_links_enabled
    - The default value is true, we must change the value to false
    - Right click layout.css.visited_links_enabled and choose Toggle, this will change the status to user set and value to false
    - Restart your firefox
    what version of ff do you use, because i don't have that option? i have 3.0.11 version
    Reply With QuoteReply With Quote
    Thanks

  10. #53
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,386
    Activity Longevity
    11/20 19/20
    Today Posts
    5/5 ssss39386
    Quote Originally Posted by hojotrance View Post
    because i don't have that option?
    Perhaps you need to create it?
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  11. #54

    Join Date
    20.07.09
    Posts
    56
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 sssssss56
    Quote Originally Posted by anon View Post
    Perhaps you need to create it?
    No, the option is already there in Firefox 3.5.1.

    Quote Originally Posted by hojotrance View Post
    what version of ff do you use, because i don't have that option? i have 3.0.11 version
    I'm using Firefox 3.5.1, you need to upgrade it at least to 3.5 to see layout.css.visited_links_enabled option.

    Upgrade your Firefox to 3.5.1 :

    In Firefox : Help -> Check for Updates

    Or download the newest version directly from the official page :
    Firefox Product Page : Firefox Browser | Free ways to customize your Internet
    Download Link : Mozilla Download
    Reply With QuoteReply With Quote
    Thanks

  12. Who Said Thanks:

    anonftw (20.07.09)

  13. #55
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    39,386
    Activity Longevity
    11/20 19/20
    Today Posts
    5/5 ssss39386
    Quote Originally Posted by Zorvak View Post
    I'm using Firefox 3.5.1, you need to upgrade it at least to 3.5 to see layout.css.visited_links_enabled option.
    Good, I have added this info and the tweak to our security announcement.
    "I just remembered something that happened a long time ago."
    Reply With QuoteReply With Quote
    Thanks

  14. Who Said Thanks:

    Zorvak (21.07.09) , anonftw (20.07.09)

  15. #56

    Join Date
    20.07.09
    Posts
    56
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 sssssss56
    Update
    After I do several tests, userContent.css can't protect you against this CSS attack and its variation :

    Code:
    userContent.css
    a:visited{
      background: none !important;
      background-image: none !important;
      list-style-image: none !important;
    }
    CSS Attack 1, userContent.css will protect you against this attack
    Code:
    <style type="text/css">
    #link1 {
      color: blue;
    }
    
    #link1:visited{
      color: red;
      background: url(/log.php?visited_url=en.wikipedia.org);
    }
    </style>
    
    <a id="link1" href="http://en.wikipedia.org/">Wikipedia</a>
    CSS Attack 2, userContent.css won't protect you against this attack
    Code:
    <style type="text/css">
    #link1 {
      color: blue;
    }
    
    #link1:visited randomstring{
      color: red;
      background: url(/log.php?visited_url=en.wikipedia.org);
    }
    </style>
    
    <a id="link1" href="http://en.wikipedia.org/"><randomstring>Wikipedia</randomstring></a>
    Yeah, just by adding <randomstring> tag it will bypass userContent.css protection.
    Therefore, I recommended you upgrade to Firefox 3.5.1 and use layout.css.visited_links_enabled method to completely disable this attack.
    Reply With QuoteReply With Quote
    Thanks

  16. Who Said Thanks:

    Uninvited2611 (21.09.10) , SealLion (24.04.10) , Renk (20.09.09) , anon (21.07.09) , alpacino (21.07.09) , anonftw (21.07.09)

  17. #57

    Join Date
    30.12.08
    Location
    House
    P2P Client
    utorrent
    Posts
    555
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 ssssss555
    and how I can enable it this ? It must be true or false ?
    Reply With QuoteReply With Quote
    Thanks

  18. #58

    Join Date
    13.03.09
    Location
    United States of America
    P2P Client
    vuze extreme mod
    Posts
    336
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 ssssss336
    Quote Originally Posted by atlantis View Post
    and how I can enable it this ? It must be true or false ?
    set it to False in FireFox 3.5 or higher following the instructions below.

    Quote Originally Posted by Zorvak View Post
    - Type about:config in the address bar
    - In the filter list, type layout.css.visited_links_enabled
    - The default value is true, we must change the value to false
    - Right click layout.css.visited_links_enabled and choose Toggle, this will change the status to user set and value to false
    - Restart your firefox
    Reply With QuoteReply With Quote
    Thanks

  19. Who Said Thanks:

    alpacino (21.07.09) , atlantis (21.07.09)

  20. #59

    Join Date
    20.07.09
    Posts
    56
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 sssssss56
    Quote Originally Posted by atlantis View Post
    and how I can enable it this ? It must be true or false ?
    Atlantis, see my previous post :
    http://www.sb-innovation.de/showthre...e=4#post116433

    The default value for layout.css.visited_links_enabled is true, you must change it to false, by toggling it.
    Reply With QuoteReply With Quote
    Thanks

  21. #60

    Join Date
    30.12.08
    Location
    House
    P2P Client
    utorrent
    Posts
    555
    Activity Longevity
    0/20 18/20
    Today Posts
    0/5 ssssss555
    Actually my scans are clear but I'll set it to false for more safe
    Last edited by atlantis; 21.07.09 at 14:11.
    Reply With QuoteReply With Quote
    Thanks

+ Reply to Thread
Page 4 of 15 FirstFirst ... 2345614 ... LastLast

Tags for this Thread

Posting Permissions

  • You may post new threads
  • You may post replies
  • You may not post attachments
  • You may not edit your posts
  •