XPerceniol Posted December 14, 2021 Posted December 14, 2021 (edited) So ... here we go again. Another article that reminds me that its time to barbecue the old clunker and dig out the abacus and grandfather clock out of the moldy basement and forget about electronics altogether Seriously, got to always be serious - no time for funny business. https://thehackernews.com/2021/12/14-new-xs-leaks-cross-site-leaks.html I see mitigation techniques mentioned for only firefox and nothing about Chrome?! " At the end-user side, turning on first-party isolation as well as Enhanced Tracking Prevention in Firefox have been found to decrease the applicability of XS-Leaks. Intelligent Tracking Prevention in Safari, which blocks third-party cookies by default, also prevents all leaks that are not based on a pop-up. I prefer to always block 3rd party cookies; always. Perhaps there exists something 'along the lines' of First Party Isolation in Chrome that I'm unaware of. Isn't it nice when they scare you with no solution. If the microwave were big enough I'd try to just hide in it. Oh, and, by the way; I know (first hand) now, the refrigerator light does go out when you close the door Any thoughts about possible mitigation to lesson vulnerability? Edited December 14, 2021 by XPerceniol
msfntor Posted December 14, 2021 Posted December 14, 2021 In Chrome browsers, have "Block third-party cookies" (in DcBrowser) or "Block third-party cookies and site data" (in 360Chrome) notched - which "Prevent third-party websites from saving and reading cookie data"... With the "Privacy Settings" extension ( https://chrome.google.com/webstore/detail/privacy-settings/ijadljdlbkfhdoblhaedfgepliodmomj/related?hl=en-US ) - if you notch "Full Privacy", automatically the "websites.thirdPartyCookiesAllowed" preference is Disabled (this is the firstPartyIsolate preference)... you're able to set Disabled manually, in other two possibilities: "Reset to defaults" and "Enhanced Privacy". From FAQs page: https://add0n.com/privacy-settings.html?version=0.3.7&type=install : "To have control over what type of resources can be accessed by your browser, it is recommended to use Privacy Settings along with Policy Control extension." "Origin Requests Only (Firewall)" extension ( https://chrome.google.com/webstore/detail/origin-requests-only-fire/kadfhmhfoplfpmffcfanpnphhjbilifl?hl=en-US ) - block all requests that isn't from current site domain or sub domain. Preventing spy, tracking and ads. Extension allow requests to current domain or sub-domain and block all others requests. This same possibility we have in uBlock Origin, uMatrix... Extensions "ScriptBlock", "Script Blocker Ultimate" etc block scripts automatically... - So XS-Leaks are avoidable in Chrome browsers...what do you think then, please? 1
Sampei.Nihira Posted December 14, 2021 Posted December 14, 2021 (edited) The editor of the article is wrong. Instead, it is possible to fix these vulnerabilities while maintaining good (not great) website usability. There is no doubt that as usual more privacy/security implies less website usability. But it is certainly easy to solve. Again, Firefox outperforms chrome-based browsers. With Firefox and a less restrictive setting of my Edge I get only 2 critical vulnerabilities. To see if your browser needs fixing you have to test it. https://www.wilderssecurity.com/threads/xsinator-xs-leak-browser-test.442622/ As a security extension I only use uBlock origin in Hard Mode. It is no coincidence that even wat0114 who uses the same extension as me in hard mode gets identical results to mine. Edited December 14, 2021 by Sampei.Nihira 1
NotHereToPlayGames Posted December 14, 2021 Posted December 14, 2021 (edited) 1 hour ago, Sampei.Nihira said: Firefox outperforms chrome-based browsers. I patiently await @feodor2's "Mypal 2.0". NONE of Roytam's builds will work on one of my savings/IRA account web sites (in XP, 7, or 10!) so that alone kinda makes them all useless to me. I used to do that for years, maintain one browser for these web sites, maintain another browser for those web sites, I have zero interest in doing that anymore, life is too short. I miss when Mypal 27.9.4 performed everything I threw at it Hopefully "Mypal 2.0" (or whatever it's going to be called) will return me to Firefox-based. TBD edit - and NONE of Roytam's builds will work for my American Water billpay web site (in XP, 7, or 10!). Edited December 14, 2021 by NotHereToPlayGames 1
msfntor Posted December 14, 2021 Posted December 14, 2021 (edited) Checked with https://xsinator.com The same result, only one in red: Frame Count Leak; either in uBlock with 3-rd party not allowed, or with the Origin Requests Only extension. And this is not very practical for websites. Edited December 14, 2021 by msfntor 1
msfntor Posted December 14, 2021 Posted December 14, 2021 And because I prefer to have good usability of websites, I do NOT use neither 3-rd party deny in uBlock, nor Origin Requests Only extension... Good night for all... 1
Sampei.Nihira Posted December 15, 2021 Posted December 15, 2021 (edited) I disabled UBO and repeated the test. With Edge I have 15 reds as you can see from the image: Considering that with UBO active I get only 3 reds the difference is 12 reds attributable exclusively to UBO. So out of a total of 38 tests, 26 are NOT red due to the browser. Edited December 15, 2021 by Sampei.Nihira
vinifera Posted December 15, 2021 Posted December 15, 2021 (edited) i seem to have worse results than you guys 17 reds with uBlock origins ON (and OFF) means FF 95 is bad ? Edited December 15, 2021 by vinifera
Sampei.Nihira Posted December 15, 2021 Posted December 15, 2021 26 minutes ago, vinifera said: i seem to have worse results than you guys 17 reds with uBlock origins ON (and OFF) means FF 95 is bad ? Firefox in the pc of my daughter is configured in a less restrictive way in comparison to my Edge, and with deactivated UBO I obtain 15 red. So it is only necessary to configure better Firefox. 1
Tripredacus Posted December 16, 2021 Posted December 16, 2021 Love these tests. My results. Iron 77.0.4000.0 x64: 24/38 red Iron with UBO installed: 23/38 red Firefox 69.0.3 x64: test doesn't run with js disabled (my default state) Firefox (same) with js enabled for xsinator.com only: 3/38 red (with 10 gray/loading state) 1
XPerceniol Posted December 16, 2021 Author Posted December 16, 2021 (edited) Ummn .. how did I only get 9 on serpent 52? 3rd party cookies blocked and 1st party isolate is active. Other than that and my enormous prefs.js, I don't know what I'm doing right. Version 52.9.0 (32-bit) Build ID 20211110012942 Spoofed - Mozilla/5.0 (Windows NT 10.0; Win32; x86; rv:91.0) Gecko/20100101 Firefox/91.0 Edited December 16, 2021 by XPerceniol
XPerceniol Posted December 16, 2021 Author Posted December 16, 2021 (edited) OTOH: Not so good with DC Browser (Chrome/75.0.3770.100) 22 red Which is strange as I use: --ssl-version-min=tls1.2 --enable-strict-mixed-content-checking Site Settings: Allow sites to save and read cookie data (recommended) - yes Keep local data only until you quit your browser - yes Block third-party cookies - yes Prevent third-party websites from saving and reading cookie data - yes And the flag: chrome://flags/#reduced-referrer-granularity Looking through the other flags; I don't see anything that would help with this. Edited December 16, 2021 by XPerceniol
Sampei.Nihira Posted December 16, 2021 Posted December 16, 2021 @XPerceniol It's not weird. Chrome-based browsers are structurally "weaker" than firefox-based browsers. In various privacy/security focused tests: https://browseraudit.com/ with firefox-based browsers you will always get higher scores (seemingly easily) than chrome-based browsers. This doesn't mean that you can't get good scores with chrome-based browsers, it's that you have to work hard to get the best possible scores from the browser you use. P.S. It's not just a matter of flags, although with my Edge I have 10 flags set differently than the default. 1
vinifera Posted December 16, 2021 Posted December 16, 2021 yeh... but if you disable JS then most sites wont work at all ...
Sampei.Nihira Posted December 16, 2021 Posted December 16, 2021 As you will notice the test website is grey (so allowed) and javascripts are allowed: (Too easy to disable javascript).
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now