Mathwiz

This is a couple of years old, so apologies if it's already been discussed; but I just ran across this last night. (BTW, this doesn't work in IE, or in Edge - yet - but works in Chrome, other Chromium derivatives like Opera, and FF and its derivatives.) This demo appears at first to be a "whack-a-mole" game: you're supposed to click the "mole" as quickly as possible. But try it: when you click the "mole," it will pop up a list of these nine Web pages: https://www.cnn.com https://news.ycombinator.com https://www.reddit.com https://www.amazon.com https://twitter.com/lcamtuf https://www.donaldjtrump.com https://www.farmersonly.com https://www.diapers.com ... and will tell you which ones you've visited! How it works: rather than being random, the mole's position depends on which combination of the above Web sites you've visited. Since there are nine Web sites, there are 2^9 or 512 possible visited/not visited combinations. So the demo actually shows 512 moles, one for each possible combination, and uses CSS "mix blend modes" to ensure only one mole is visible: the one that corresponds to your particular browsing history. Read the author's blog post for more details. Note that although this demo uses Javascript to reveal the results, collecting the info only required HTML, CSS, and a means to convince you to click the right spot on the page, so add-ons like Noscript won't protect you. If this were a truly deceptive web page, you could imagine revealing whether you've visited any of hundreds of Web sites by playing the "game" (or by clicking apparently-innocuous links or buttons at the deceptive Web site) for a few minutes. Countermeasures and Mitigations There are a couple of obvious countermeasures, but you'd have to give up some functionality. You could just disable flagging visited links: in FF, toggle layout.css.visited_links_enabled in about:config to "false." In the demo, the mole will now always appear in the "no links visited" position. Or you could give up mix blend mode instead: again in FF, toggle layout.css.mix-blend-mode.enabled to "false." This disables the "game:" the "mole" is gone, replaced with a white rectangle; but I'd wager that 99% of legit Web sites wouldn't be significantly affected. (A few might display slightly "funny" but should work OK. Besides, they'd look that way under IE/Edge anyhow, unless they have IE/Edge-specific coding, and in that case, an IE-like SSUAO is all you'd need to fix the site.) Finally, there's a weakness in this method that makes it a bit less revealing than you might think. When I first tried it, I was surprised to learn that I hadn't visited any of the above Web sites, even though I know I at least visit amazon.com rather often. But it didn't show as "visited" because I use a bookmark to go to amazon.com, which actually goes to https://www.amazon.com/?.... Since the demo page couldn't guess the entire long string, my browser didn't show https://www.amazon.com by itself as "visited." So maybe the best mitigation is just to append a ? and some extra random garbage to all your bookmarks!

Just gave it a try. (Clean install.) It does play with that combination (NM 28.6.0a1 on Win7 with media.ffvpx.enabled set to false and media.wmf.enabled set (defaulted) to true.

LOL: IOW, we already claimed XP was dead five years ago, and we're just now admitting we were wrong. But we're right this time! Well, maybe ... but there are still folks using Win2K, and there are more XP users than 2K users....

Zero handshake failures, sure enough; but naturally everything comes up ALERT since ProxHTTPSProxyMII is a MITM by design.

Why? These can be found at https://filterlists.com/

Mediafire is working now. Patch downloaded fine. You're probably right; it was probably a problem with the site that's fixed now. BTW, see this post: ... if for security, you want to "lock down" service workers so they only run on sites like Mediafire that require them.

I ran it again on Win 7, to see which three failed. But I got zero handshake failures this time, so the failures must've been intermittent and/or server-side.

And to give a practical example, here's the rule I just started using instead of disabling service workers in about:config.... *$csp=worker-src 'none',domain=~mediafire.com|~html5test.com ... so Web workers (including service workers) are disabled except at mediafire.com (requires service workers to upload files ) and html5test.com (mostly to prove that setting the domain as an exception works; also gets 10 extra bragging points on your browser's score). But html5workertest.com still shows all x's, proving workers are blocked on domains not listed.

What the.... (I tried re-enabling service workers; didn't help)

3 handshake failures on Win 7. I'm guessing the tool uses Microsoft's schannel.dll. If so, ProxHTTPSProxyMII would probably reduce the number of handshake failures on XP.

I was able to get past the crash in tornado by installing an older version: pip uninstall tornado pip install tornado==5.1.1 ... but now I'm getting a crash in zmq! Seems to be looking to link libzmq.lib. I'm not sure that lib can even be built on Win XP.

I understand; I too have mixed feelings about signed extensions. It certainly helps users have confidence in who developed the add-on and whether it's been modified, but taken to extremes, it just becomes another closed ecosystem, like the Apple store. (There's also an implied promise: if, say, MCP signs an add-on, the user is likely to believe that MCP has checked the add-on for malware and the like. I think Mozilla tries to do that, but it's probably beyond the means of a smaller organization like MCP.) Probably the best approach would have been something similar to code-signing certificates. When you install an add-on, it would validate any signature, and the certificate used to sign it, and let you know who, if anyone, signed the add-in, and whether anything was amiss. But the certificates wouldn't have to come from Mozilla, MCP, or anyone in particular, so there's no implied guarantee; and the user would have final say on whether any add-on was allowed to run, so if you knew why a signature was invalid, you could override the check for that add-on and let it run anyway.

Excellent detective work: So, I had to know: since versions prior to 1.4.0 work in FF 52, could, say, 1.3.0 (which I agree has superior functionality) be "fixed" to run in Serpent, simply by adding the above block to its manifest.json file? Yes! I just tried it; of course changing manifest.json invalidates the sig, but unlike FF, Serpent doesn't care about that (actually my copy of FF has been set not to care about it either, but you don't need to "fix" Tab Tally for FF anyhow); and with that change, Tab Tally 1.3.0 installs and runs in Serpent fine! Not a huge deal, but I wonder why the heck that function was removed? Was this just another case of MCP getting rid of code they didn't think the browser needed, as they did with all WE add-ons later?

I don't use Gmail. I pay for email services I trust to keep my email private and secure. There was a time when I unknowingly used gmail though. For a hot minute there was a wireless ISP called ClearWire. (Sprint eventually bought them out just to shut them down, but that's another story.) Anyhow, like many ISPs at the time, ClearWire provided free email at their clear.com domain. Little did I know it was actually just Gmail in disguise! Moral: beware of your ISP's "free" email accounts! BTW, I've discovered it's possible to configure Serpent 55 to get a score of 514, which I'm guessing would put it in second place behind Chrome 360. However, enabling Web components breaks Github, and I disabled beacons and geolocation for privacy reasons, leaving my copy with a final score of 491, very close to Chrome 49. (Geolocation alone costs a whopping 15 points; html5test.com really wants you to enable that one!)

I have to go through a rather slow proxy, so it takes me longer. Using a proxy may also explain why Serpent kept failing; IDK. I finally did get the big .rar file though. Curiously, I have another version! I believe mine is the newer version, but modified to run on Win98: the signatures and version info are missing! The file size is 38.303.202 bytes. I wish I could track down where I got it from, but it's probably long gone.

OK I officially hate OneDrive. DownThemAll won't work at all (just downloads an .html telling me to "sign in to my OneDrive account" ), and a "regular" download has failed twice thrice, each time after like 15 minutes. Do I have to use IE to download these? Edit: Apparently so. Downloads consistently fail about 80% of the way through when using Serpent. With IE the downloads seemed to freeze at one point, but clicking Pause and Resume got things going again. Also appears M$ throttles the throughput to any one IP, so you can't even gain a speed advantage by trying two downloads at once. Edit: Using IE appears to get around the throttling, at least. But I sure hope the downloads complete this time.

I don't have 5-8 on my XP system, but I don't think I'm missing anything. I think 10-13 replace 5-8.

I don't think it adds any features; just bug / security fixes

(From another thread, but relevant to the topic of this one) I don't think the situation is that awful. Not that it's good; but there are differences among those nations: AIUI the Chinese government requires all Web browsers made available in that country to spy on their users, while Western agencies (e.g., NSA, MI6) prefer to concentrate on hacking, cryptanalysis, and massive data collection. So I can't discount @Bersaglio's concerns about Chrome 360 so easily. Not sure where Russian browsers stand, but American-authored browsers wouldn't seem to be riskier than those from other nations just because the NSA does what it does. But I do worry about Google; like many privacy-conscious Internet users, I have a love/hate relationship with them. They really do have the best search engine (still), and if you avoid Google Sync, I don't think Chrome is significantly worse from a privacy standpoint than other browsers. Yet their data collection overall would make the NSA blush. "Why don't you use our 'free' email service, 'free' online appointment calendar, and watch a few 'free' videos in your 'free' time?" I avoid Google (even Chrome) if reasonable alternatives exist, just to send them a message that I disapprove of their business model. So where does that leave Chrome 360? Well, to me it seems more Chinese than Google. It replaces Google Sync with its own accounts, so I see no risk of the data it collects being Hoovered up into the Googleplex. It will, of course, be Hoovered up into China, but I'm personally less worried about what President Xi might do with my browsing habits than with all the unnecessary Internet traffic it generates. (Methinks my Internet connection might take a performance hit if my browser insists on connecting to China, or even a local proxy, every time I click on a link.)

Didn't mean to imply otherwise. But I figured it was worth a try anyway....

Yes; I think what happened (@Roytam1 can either confirm or correct me) is that after the crash was reported @roytam1 reverted to NSS 3.43 and re-uploaded the 20190427 builds. Thus I think all NM 27 builds on his Web site are crash-free. I think both the original 20190427 and the previous 20190419 builds were based on beta builds of NSS 3.44, but there were changes between the two; presumably one of those changes accounted for the NM 27 crash.

Just scored one for $7.75 ($5 + $2.75 shipping). Even included a valid product key! I'm gonna try upgrading my old Win 98 PC from Office 2000.

Not sure what's going on with 'pip install theano'. It worked for me (or seemed to). Maybe a Python expert can chime in? On the second screen shot, try executing each 'pip install' command separately; i.e., 'pip install -U conda', 'pip install numpy', etc. Some of these don't seem to exist, but others installed fine for me.

Doesn't seem to matter though. @roytam1 rolled back to 3.43 in the 2019.04.27 builds due to the 64-bit version of NM 27 crashing on startup, so I downloaded the Serpent 52.9.2019.04.19 build, which AIUI has an earlier NSS v3.44b, to test with; unfortunately it still fails to open https://tls13.1d.pw with the SSL_ERROR_RX_MALFORMED_SERVER_HELLO error code. That version does open the other TLS 1.3 test sites just fine though. Edit: By the way it looks like NSS v3.44 is stable as of May 10, but I have no idea whether the issue causing NM 27 to crash was fixed at the last minute.

Very first post: These prefs don't really matter when running FF 52.9 on WinXP, since it's been coded to block e10s on XP unless browser.tabs.remote.force-enable is set to true - in which case e10s is enabled irrespective of these other prefs. These prefs do matter on later Windows versions (and are the preferred method of enabling e10s) but let's stick with FF 52.9 on XP for now. Once e10s is enabled, this controls how many additional processes you can have. There's one "core" process plus one process per open tab up to the limit set by this pref. Personally, I set dom.ipc.processCount to 2. The default of 1 gives me little benefit, but larger values just waste RAM while providing little additional benefit, at least in my experience. But as usual, YMMV.