Hi, so which things would be the best to use to prevent this? Is NoScript + Zorvak's solution enough? About NoScript, are the default settings too restrictive? Which settings do you recommend for it? For Opera I disabled history and sending referrer information.
If you don't care about web history, disabling it on any browser should be enough. Another nice measure is to use an exclusive browser for sb-i.
SB-I already has a de-referrer script in place, but if you want to be extra careful, don't click on links from here; rather, open a new window/tab and type the address yourself!
it's hip to be square
If you're going to use the same browser for SB-I and trackers, I'd disable history entirely since I don't care about it (but you can use Zorvak's solution if you do) + NoScript/BlockIt + disable referrers, or use the RefControl settings I posted on kazuya's thread.
I personally use a different browser from Xenocode for every connected tracker.
"I just remembered something that happened a long time ago."
If you want to use Firefox as your browser to surf SB-I, you must do it in private browsing, or, even safer, do it with IE8. The site works well with IE8 too, and in private browsing it won't store history at all.
IE8? Safer? ("or more safer..do it with ie8..")
But if you only use it to browse SB-I, that'd be fine. I personally prefer to use different browsers for my trackers instead - only some of them are using this method!
Hi,
I have been using this config for some time already, and it works to prevent the leak on Opera. (Note I couldn't test the <randomstring> attack Zorvak mentioned above)
The procedure is more or less the same as with Firefox:
- Open a Notepad window and enter the following:
Code:
a:visited{
background: none !important;
background-image: none !important;
list-style-image: none !important;
}
- Save it somewhere (can be any folder; I chose %programfiles%\Opera\styles) as user.css. You must enclose the filename between quotes in Notepad, or else it'll save it as a TXT file.
- Open Opera, and go to View -> Style -> Manage Modes.
- Click on the Display tab, then "Choose..." your stylesheet. Go to the directory where you located user.css and select it. Now go to the Presentation Modes tab and make sure the "My style sheet" checkbox is ticked for both modes.
Note: if you have set custom preferences for sites in the past, this tweak may not apply for those. You should go to Tools -> Preferences -> Advanced -> Content -> Manage Site Preferences, highlight a site, click on Edit, then go to the Display tab and make sure your stylesheet is being used at the bottom. Repeat this for every site you've set custom preferences for.
You're now protected against the CSS attack "flavor", but read on - trackers could still check if you've visited SB-I via the JavaScript attack. On Firefox you could download the NoScript addon and be done. For Opera, we'll do something similar with a user script called BlockIt.
- First of all, download it from here. Save the file somewhere (I did it under %appdata%\Opera\Opera\profile\scripts, because I want all of Opera's files to remain together) as BlockIt.js.
- After that, go to Tools -> Preferences -> Advanced -> Content -> JavaScript Options, and "Choose..." BlockIt's JS file at the bottom. Press OK on this and the Preferences Dialog to exit both.
- Load any page (Google, for example), and you should notice an icon of a paper clip on the bottom right of the screen. Click it to open BIT's UI:
- I'm not going to explain what every button does, you can read that below. For now, just know this means the addon is working, protecting you from malicious scripts.
Note: the same I mentioned for custom site preferences and your stylesheet applies here. Go to the Scripting tab, and "Choose..." BlockIt for every site.
- Now I'd recommend you Tools -> Delete Private Data, mostly just in case and so as to start fresh.
Congratulations, you're done shielding your browser against this flaw. To check this, visit a popular page such as Google or Facebook, then go to this site. BlockIt and the custom stylesheet should prevent the JS and CSS attacks, respectively, and thus the site shouldn't be able to show you the contents of your history. If it can, you've done something wrong.
FAQ
Q: Can't I just disable History?
A: That does NOT work on Opera.
Q: What do all those buttons on BlockIt do?
A: I'll just quote myself:
Q: I hate having to go to BIT and press All/T-Unblock every time I load a page. Is there a way to prevent it from hiding images?
A: By default, BIT blocks images hosted on sites outside of the one you're visiting as a security measure. You can change this by opening BlockIt.js, and editing the "var imgblockIt" line to read:
Code:
var imgblockIt = false;
If you have any other questions, just tell me.
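As an added example (my own Node.js code, not something from this thread, from BlockIt or from Opera), here is a small script that audits a user.css like the one above and reports which :visited style channels it actually pins down with !important. The first three properties it checks are exactly the ones in the stylesheet from the post; `color` is my own addition, because that is the property the JavaScript "flavor" reads back through getComputedStyle, so the script goes one step beyond the CSS shown above. The three sample stylesheets are constructed inputs.

```javascript
// Added example: audit a user.css for :visited overrides (not code from the thread).
// Properties a :visited rule can leak history through. The first three come from the
// stylesheet in the post; `color` is my addition (read back via getComputedStyle).
const LEAK_PROPERTIES = ['color', 'background', 'background-image', 'list-style-image'];

// Minimal CSS parser: comments stripped, each "selector { declarations }" rule
// split into selectors and {prop, value, important} declarations. Enough for a
// user stylesheet; not a full CSS grammar (no @media nesting, no braces in strings).
function parseRules(cssText) {
  const rules = [];
  const stripped = cssText.replace(/\/\*[\s\S]*?\*\//g, '');
  const ruleRe = /([^{}]+)\{([^}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(stripped)) !== null) {
    const selectors = m[1].split(',').map((s) => s.trim()).filter(Boolean);
    const declarations = m[2]
      .split(';')
      .map((d) => d.trim())
      .filter((d) => d.includes(':'))
      .map((d) => {
        const idx = d.indexOf(':');
        const prop = d.slice(0, idx).trim().toLowerCase();
        const raw = d.slice(idx + 1).trim();
        const important = /!\s*important$/i.test(raw);
        const value = raw.replace(/!\s*important$/i, '').trim();
        return { prop, value, important };
      });
    rules.push({ selectors, declarations });
  }
  return rules;
}

// Report which leak channels the stylesheet forces (with !important) on :visited
// links, which it only sets without !important (a site's own !important rule can
// still override a plain user rule), and which it leaves untouched.
function auditVisitedRules(cssText) {
  const forced = new Set();
  const weak = new Set();
  for (const rule of parseRules(cssText)) {
    if (!rule.selectors.some((s) => /:visited\b/i.test(s))) continue;
    for (const d of rule.declarations) {
      if (!LEAK_PROPERTIES.includes(d.prop)) continue;
      (d.important ? forced : weak).add(d.prop);
    }
  }
  const missing = LEAK_PROPERTIES.filter((p) => !forced.has(p));
  return {
    forced: [...forced].sort(),
    weak: [...weak].filter((p) => !forced.has(p)).sort(),
    missing,
  };
}

// Constructed inputs: the user.css from the post, a variant that also pins color,
// and a deliberately weak one with no !important at all.
const THREAD_USER_CSS = `
a:visited{
background: none !important;
background-image: none !important;
list-style-image: none !important;
}`;

const HARDENED_USER_CSS = THREAD_USER_CSS.replace('}', 'color: inherit !important;\n}');

const WEAK_USER_CSS = `a:link, a:visited { color: blue; background: none; }`;

console.log('thread user.css  :', auditVisitedRules(THREAD_USER_CSS));
console.log('hardened user.css:', auditVisitedRules(HARDENED_USER_CSS));
console.log('weak user.css    :', auditVisitedRules(WEAK_USER_CSS));
```

The `weak` list is the one to watch: in the CSS cascade a user rule without !important ranks below the site's own rules, so a tracker's stylesheet would simply win; only user rules marked !important outrank author rules. To audit your own file, paste its contents in place of the constructed samples.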
Just wondering, does toggling the layout.css... make Firefox take longer to browse?
But I've created my usercontent.css and toggled it to false, so thanks, this may save me a banning or two :)
It didn't work when I typed that. Let me check.
The check site isn't loading for me
Can anyone else check that? You can get a portable Opera 10.10 here.
All you need is the Firefox extension called SafeHistory. It prevents Java-based and non-Java-based attempts to steal your history.
Can anyone confirm that?
Edit: http://www.making-the-web.com/misc/s...ou-visit/nojs/ - it doesn't work anymore.
Last edited by atlantis; 15.12.09 at 22:50.