Jump to content

Mathwiz

Member
 View Profile  See their activity

  • Posts

    1,728

  • Joined

  • Last visited

  • Days Won

    49

  • Donations

    0.00 USD 

  • Country

    United States

 Content Type 

Everything posted by Mathwiz

  1. Mathwiz
    Well, the plot thickens.... The ridiculous UA "Chrome" does indeed get one into elektroda.pl, but an honest-to-goodness Chrome 109 user agent, Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36, does not! Changing the Windows version to 10.0 didn't help either. Even the Firefox UA @VistaLover gave above doesn't get me into elektroda.pl! Nor does a UA consisting of just the word "Firefox." So far, only "Chrome" seems to do the trick. Edit: You can get away with this much: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome Safari/537.36 Just don't reveal that you aren't using the latest Chrome version! Apparently elektroda.pl wants to see "Chrome" but not a "too old" version. They also don't seem to mind Windows 7 (so I guess Supermium is OK?) This was all done using the latest Serpent 52, BTW, so obviously Chrome itself is not required; just the word in the UA....
  2. Mathwiz
    What is it with all these user-agent-based blocks all of a sudden? First Intel, then Xitter, elektroda.com.... I thought UA-based blocking was "old school" and everyone was supposed to be checking your browser's Javascript capabilities nowadays, but it seems UA blocking (and thence spoofing) is making a comeback for some stupid reason. (Although some - e.g., Xitter - seem to be using a combination; see @mina7601's recent post for example....) It's especially galling to see a ridiculous UA like just the word "Chrome" get past way too many of these stupid UA blocks, as if, "oh, you're using Chrome? Well, welcome; we don't even care what version you're running! But you over there, running Firefox - you'd better be running the very latest version, or a bas with you!" It's beginning to look like we should all just start spoofing Chrome 109 (last Win 7 version) even if our browser has no relationship with Chrome at all, and be done with all this UA nonsense.
  3. Mathwiz
    I get "Secure Connection Failed:" Toggling security.ssl.enable_tls13_compat_mode made no difference. Only difference is, I used the 64-bit version of Serpent 52. @adata, does your error page match the above (except possibly for language)?
  4. Mathwiz
    Thanks for figuring that out - although I must admit I'm puzzled that the minimum supported FF version depends on the Serpent version! It sounds like, if Xitter sees a FF version between 60 and 62, it performs some other Javascript check, which Serpent 55 passes but Serpent 52 fails. Perhaps there's a pref that can be set in those old FF versions to pass the check, so it allows those versions if the check indicates the pref is set properly. To be clear, I was referring to what I believed the Xitter SSUAO was intended to be; i.e., the SSUAO that didn't make it into last week's version. We don't know for certain what it was supposed to be, so I guessed. You're talking about the SSUAO that was actually in last week's version, which is known not to work. Edit: for what little it's worth, this week's Serpent 52 includes this SSUAO for Xitter: Mozilla/5.0 (%OS_SLICE% rv:102.0) Gecko/20100101 Firefox/102.0 Basilisk/52.9.0 ... which is close to what I guessed.
  5. Mathwiz
    Folks, you should not need to download and install FontAwesome 4.7 manually. The browser should download it (temporarily) from MSFN itself, based on MSFN's CSS. If that's not happening automatically, it's a bug when running under Vista (although downloading and installing manually is an easy workaround, now that you know which font is needed). @win32 has done a great job of making modern Chromium run under Vista, but we shouldn't be too surprised that it isn't quite perfect just yet.
  6. Mathwiz
    I'm pretty certain all browsers run background tasks. It's been a long time since most Web sites were entirely synchronous entities, where you press a button or click a link; the browser does something, shows you the resulting Web page, and then shuts down completely until you press another button or click another link. Probably like the '90's or so. Nowadays, many Web pages expect to send you notifications or update the page if something happens on their end, even without you doing anything on your end. Even MSFN. Nevertheless, it may be possible to force an app (such as a browser) to stop all processing when none of its windows have the focus. I'm not sure that's a good idea, but I wouldn't be surprised if there's a program out there somewhere that does that.
  7. Mathwiz
    I expect that @roytam1 will have the Xitter SSUAO fixed next week - in the meantime you can just add one yourself: Less certain about the intended Pale/New Moon SSUAO, but I suspect it doesn't matter as long as Xitter sees "Firefox/1xx.x" in the UA. (As I said I didn't determine the precise minimum version, but I did try 110.0 and it was good enough to get in, so 115.n should work.) @roytam1: In Serpent 55, unfortunately, there are other issues besides the SSUAO: twitter.com never finishes loading. (I tried both clean and "dirty" profiles; no difference.) Comes up fine in 52 with the above SSUAO though.
  8. Mathwiz
    A new SSUAO did make it into Serpent 55: Mozilla/5.0 (%OS_SLICE% rv:120.0) Gecko/20100101 Firefox/120.0 Basilisk/55.0.0 (Wasn't aware FF was up to version 120 already!) At any rate, the above SSUAO works, so apparently the "Basilisk" slice is ignored and Xitter just wants to see a "new enough" version of Firefox. I tried version 110 and it also gave me the sign up/in page; I didn't try anything older than 110. I assume the intended SSUAO for Serpent 52 is similar except it reads "Basilisk/52.9.0" at the end.
  9. Mathwiz
    Oh, come on. HTTPS Everywhere was developed by the Electronic Frontier Foundation, an American NGO. They have no connection to China. The answer to your question is right there in your question itself! HTTPS Everywhere was developed about ten years ago, when http: was still somewhat common and most browsers didn't upgrade http: to https:. EFF no longer supports HTTPS Everywhere or recommends its use. As you say, with "modern" browsers it's essentially redundant. But it may still be slightly useful for those of us using not-so-modern browsers, like 360Chrome.
  10. Mathwiz
    I think it's important to understand exactly what risks http: allows that https: deals with. First, there's nothing about https: that prevents the server from sending you malware, or receiving telemetry from you! Https: is not an anti-malware protocol. What https: does do is two things: It ensures you're connecting to the Web site you think you're connecting to It protects data from eavesdropping or modification by third parties (men/hackers in the middle) Those are both important functions, but if the Web site you're connecting to has bad intentions, https: won't protect you. At all. Conversely, there's no reason to think using http: makes the Web site any more suspicious than using https:. Using http: is stupid, because it gives third-party hackers a way into your traffic, but if the Web site is the one trying to hack you, there's no advantage in using http:. Why would the Web site want third parties monkeying with their data, even if they have bad intentions?
  11. Mathwiz
    It's possible I got this wrong, but if not, a "straight" FF UA is no good for Intel.com either: Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0 As @VistaLover pointed out, a SSUAO consisting merely of the word "Chrome" gets you in (although there are other issues once you get in) so apparently Intel has banned all non-Chrome-based browsers from their site. Speaking of SSUAOs, the default for Chase.com is in need of an update. Mozilla/5.0 (%OS_SLICE% rv:102.0) Gecko/20100101 Firefox/102.0 As discussed a while ago, Chase requires a minimum of 113.0 to avoid the "We'll stop supporting this browser soon" nag.
  12. Mathwiz
    You completely missed the point! If MSE can scan for the exploit on Windows, then surely widely-available AV software can scan for the exploit on Linux. Serpent 52 is patched. Try a pre-September version.
  13. Mathwiz
    I know, everyone hates CAPTCHAs, although they are a necessary evil. So it's understandable that folks keep coming up with "sit back and relax" alternatives. But this is what "Friendly Captcha" says it does: I know this sounds paranoid, but that sounds to me a lot like cryptomining. Even if "Friendly Captcha" is innocent of that charge, how long before someone develops an automated pseudo-captcha that cryptomines? "You want access to this website? You have to help us mine Bitcoin or some such...." I also have trouble understanding how "solving a crypto puzzle" proves you're NOT a bot - unless maybe you get rejected if your PC solves it too quickly! But that seems easy for the bots to work around....
  14. Mathwiz
    StartPage happens to be my preferred and default search engine. One feature I like is that you can set the page size to 20 results vs. 10, so you can keep traditional pagination without having to hit "Next" quite so often. As a result I haven't used Google search directly in quite some time, and hence was unaware of the scrolling bug on Serpent 55.
  15. Mathwiz
    So you're saying it does nothing even if you use a valid user ID and password. If using an invalid sign-on, I would at least expect an error message, rather than doing nothing at all. Doesn't work using Serpent 55 (probably all the UXP browsers too) even on Windows 7, so the problem is likely just another unsupported Googlism. If we can figure out which one, a polyfill might be found for it.
  16. Mathwiz
    Just to show the skeptics that the vulnerability is real and not mere fearmongering, you can download a "bad" WebP image here: https://github.com/mistymntncop/CVE-2023-4863/raw/main/bad.webp Important note: This WebP file does not contain any malware or exploit code! I wouldn't link to such a thing here on MSFN, even with a warning (and if it did, I don't think GitHub would allow it anyway). But it does trigger a buffer overflow in unpatched software, likely leading the software to crash. (For example, I got the "Aw, snap!" page in 360EE.) Therefore, you can use this as a "quick-and-dirty" test for vulnerable, unpatched software. On patched software (I used @roytam1's Serpent 55) the image displays a hard-to-read, black-on-grey image of the text of the above URL, showing that in theory, a WebP file can both contain actual content and exploit the overflow bug. I was pleased that Microsoft Security Essentials on Windows 7 detects the problem with the file and quarantines it! I'm not sure how thorough MSE's scanning is, but if you have Windows 7, it appears that MSE (which is free AV software from Microsoft) will keep you safe from (at least) downloading a file with this exploit. I don't say this often, but hooray Microsoft! Also, the fact that MSE can successfully scan WebP files for this issue implies that other Web sites should be doing the same thing. Now I don't know for sure that they all do, but it gives me some confidence that a malicious WebP will be caught before it can spread over social media. Email providers should be doing the same, of course. So that makes WebP seem a lot less scary than it was in September. I'm not sure which, if any, AV products will do the same for XP or Vista. That might be worth testing.
  17. Mathwiz
    @j7n: I think an exploit would have to be specific to at least the OS; probably also to the program that displays the malicious image. Since most folks are using updated browsers and image display programs now, I think the danger of a "generic" virus being passed around is now rather small, although not zero. No hackers are trying to spread ransomware among the tiny numbers of XP and Vista users any more. I think the greatest risk to XP and Vista users is from spear-phishing. Don't think you're an unlikely target just because you aren't a criminal and therefore "have nothing to hide." If you have access to confidential information at your job, if you have a jealous/suspicious spouse or partner (even if the suspicions are unjustified), or even if you hold unpopular political opinions, there are folks with reason to spear-phish you. Those folks would likely know that you use older, unpatched software because the newer, patched versions don't run on XP or Vista. A hacker could use that knowledge to craft a malicious WebP image and send it to you in an email. If the WebP image is part of the email itself (as opposed to just a link) your email client (which could be a Web browser using Web mail) wouldn't even give a warning before trying to display it. You would be vulnerable if your email client or browser is new enough to use the "optimized" libwebp from 2014, but not new enough to have the patch from this September. But as far as using an unpatched browser, I think the danger is small; mostly from sites where user-created images could be hosted, such as social media, fora (like MSFN!) and/or Web mail. So you should be reasonably safe using unpatched browsers like 360EE, Kafan, etc., as long as you don't use them for those kinds of sites.
  18. Mathwiz
    WebP is a combination of two different image formats: a lossy format similar to JPEG using VP8 codec, and a lossless format using WebP's custom lossless codec. The bug was in the lossless codec's handling of Huffman coding.
  19. Mathwiz
    I read quite a bit about this vulnerability back when it came to our attention. AIUI, the "in the wild" exploit was a spear-phish - it was used to spy on a specific individual via his smart phone. I don't believe the target's name was revealed, for obvious privacy reasons. Edit: According to this Cloudflare blog post: Spear-phishing is usually done by email, so a Web browser may not have been involved at all. But, unlike with a typical email phish, this victim didn't need to click a link, open an attachment, or respond to the email in any way. And the malicious WebP was likely an innocuous, or possibly even invisible, image. But you're assuming that a malicious WebP file could not also contain a real image. I don't believe that's been shown to be the case. That, I think, is what folks don't get about this vulnerability. Anyone could unknowingly be spreading malware simply by sharing a cool image or posting it to social media. (I would hope that most social media companies scan uploaded WebP's for the exploit nowadays, but I wouldn't bet on it.) Maybe your browser is patched, but if you download it and your photo viewer isn't patched, bam!
  20. Mathwiz
    It's probably an EU thing. The EU has rules requiring Web pages to get informed consent before doing things like tracking their users. So, much of the world (including the US where I live) never sees that page. Perhaps a VPN with an IP in the EU would let non-EU residents get the consent page and work on a bypass.
  21. Mathwiz
    Those two add-ons do totally different things. uBlock filters unwanted junk out of the Web pages you download. Stylus lets you customize the appearance of Web pages (and more) by telling the browser how to display the elements on the page. You shouldn't expect Stylus to filter anything. It could make ads invisible, but your browser would still download them (and you'd still be tracked by them). And you shouldn't expect uBlock to make Web pages look exactly like you want. It could block unwanted style sheets or Web fonts but that's about it. Quit trying to use a hammer to turn a screw!
  22. Mathwiz
    True; yellow text would be awfully hard to read over a white or light background!
  23. Mathwiz
    Just to clarify a few things about the terminology we're using, the "K" number refers to the (approx.) number of pixels across, while the "p" number refers to the number of pixels vertically. 2160p (aka UHD) is 3840x2160. We call it 4K but it's actually more like 3.75K. There are a few true 4K displays in existence, but most "4K" displays are actually 3840x2160. 1440p (aka QHD) is 2560x1440, so more like 2.5K than 2K.... 1080p (aka FHD) is 1920x1080, so closer to 2K
  24. Mathwiz
    That's the theme all right; but I was looking in the .xpi file for the User Agent Status extension. It only had one .css, and I was pretty clueless what I needed to do to it without @AstroSkipper's help.... As far as dark themes, I initially started using them on my Android phone because it has an AMOLED display, and the darker the screen, the longer the battery can go without needing to be recharged. Eventually I kind of got used to them and tried a few out on my Windows PC. I didn't really like any of the dark system themes that came with Windows 7, so I went back to the "Classic" theme (that makes it look like Windows 98!) but I did like that particular dark theme for Australis, so I've used it ever since.
  25. Mathwiz
    Odd that it was initially visible on yours but not mine; but be that as it may, your tweak fixed it on mine too! I know basic .css but the part I never would have figured out is all the #ua-status-* tags. I assume they're specified elsewhere in the .xpi but I wouldn't have had the foggiest idea where to look for them! You've obviously had quite a bit more experience with tweaking extensions than I; thanks again!
×
×
  • Create New...