XS-Leaks (Cross-Site Leaks) Attacks Modern Web Browsers - Possible Mitigation


XPerceniol

So ... here we go again. Another article that reminds me that it's time to barbecue the old clunker and dig out the abacus and grandfather clock out of the moldy basement and forget about electronics altogether :D

Seriously, got to always be serious - no time for funny business.

https://thehackernews.com/2021/12/14-new-xs-leaks-cross-site-leaks.html

I see mitigation techniques mentioned for only Firefox and nothing about Chrome?!

"At the end-user side, turning on first-party isolation as well as Enhanced Tracking Prevention in Firefox have been found to decrease the applicability of XS-Leaks. Intelligent Tracking Prevention in Safari, which blocks third-party cookies by default, also prevents all leaks that are not based on a pop-up."

I prefer to always block 3rd party cookies; always.

Perhaps there exists something 'along the lines' of First Party Isolation in Chrome that I'm unaware of.

Isn't it nice when they scare you with no solution. If the microwave were big enough I'd try to just hide in it. Oh, and, by the way; I know (first hand) now, the refrigerator light does go out when you close the door :)

Any thoughts about possible mitigation to lessen vulnerability?

Edited by XPerceniol
Link to comment


In Chrome browsers, have "Block third-party cookies" (in DcBrowser) or "Block third-party cookies and site data" (in 360Chrome) notched - which "Prevent third-party websites from saving and reading cookie data"...

 

With the "Privacy Settings" extension ( https://chrome.google.com/webstore/detail/privacy-settings/ijadljdlbkfhdoblhaedfgepliodmomj/related?hl=en-US ) - if you notch "Full Privacy", automatically the "websites.thirdPartyCookiesAllowed" preference is Disabled (this is the firstPartyIsolate preference)... you're able to set Disabled manually, in other two possibilities: "Reset to defaults" and "Enhanced Privacy".

From FAQs page: https://add0n.com/privacy-settings.html?version=0.3.7&type=install : "To have control over what type of resources can be accessed by your browser, it is recommended to use Privacy Settings along with Policy Control extension."

 

"Origin Requests Only (Firewall)" extension ( https://chrome.google.com/webstore/detail/origin-requests-only-fire/kadfhmhfoplfpmffcfanpnphhjbilifl?hl=en-US ) - blocks all requests that aren't from the current site domain or subdomain. Preventing spying, tracking and ads. The extension allows requests to the current domain or subdomain and blocks all other requests.

 

This same possibility we have in uBlock Origin, uMatrix...

Extensions "ScriptBlock", "Script Blocker Ultimate" etc block scripts automatically...

 

- So XS-Leaks are avoidable in Chrome browsers...what do you think then, please?

Link to comment
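The "current domain or subdomain" rule quoted above from the "Origin Requests Only (Firewall)" description, sketched as an added example. It is not part of the original post and not the extension's code; the function names and sample URLs are constructed for illustration.

```javascript
// Added illustration of a "current domain or subdomain only" request rule.
// Hypothetical helper names; not taken from any extension's source.

// Normalised hostname of a URL (lower case, trailing root dot removed).
function hostOf(url) {
  return new URL(url).hostname.toLowerCase().replace(/\.$/, "");
}

// True when requestUrl targets the page's own host or one of its subdomains.
function isSameDomainOrSubdomain(pageUrl, requestUrl) {
  const page = hostOf(pageUrl);
  const req = hostOf(requestUrl);
  if (req === page) return true;
  // Require a dot boundary: "evilexample.com" must not match "example.com",
  // and "example.com.attacker.test" must not match either.
  return req.endsWith("." + page);
}

// Split a list of outgoing request URLs into allowed and blocked.
// Anything that does not parse as a URL is blocked.
function filterRequests(pageUrl, requests) {
  const allowed = [];
  const blocked = [];
  for (const r of requests) {
    let ok = false;
    try {
      ok = isSameDomainOrSubdomain(pageUrl, r);
    } catch (e) {
      ok = false;
    }
    (ok ? allowed : blocked).push(r);
  }
  return { allowed, blocked };
}

// Constructed sample: requests a page at example.com might trigger.
const SAMPLE_PAGE = "https://example.com/account";
const SAMPLE_REQUESTS = [
  "https://example.com/api/me",
  "https://cdn.example.com/app.js",
  "https://evilexample.com/probe",
  "https://example.com.attacker.test/x",
  "https://tracker.example.net/p.gif",
  "not a url",
];
// Limitation: comparing against the page's full host means a page on
// www.example.com would block example.com; matching on the registrable
// domain needs the Public Suffix List.
const SAMPLE_RESULT = filterRequests(SAMPLE_PAGE, SAMPLE_REQUESTS);
```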

The editor of the article is wrong.
Instead, it is possible to fix these vulnerabilities while maintaining good (not great) website usability.
There is no doubt that as usual more privacy/security implies less website usability.
But it is certainly easy to solve.

Again, Firefox outperforms Chrome-based browsers.
With Firefox and a less restrictive setting of my Edge I get only 2 critical vulnerabilities.

To see if your browser needs fixing you have to test it.

https://www.wilderssecurity.com/threads/xsinator-xs-leak-browser-test.442622/

As a security extension I only use uBlock Origin in Hard Mode.
It is no coincidence that even wat0114 who uses the same extension as me in hard mode gets identical results to mine.

Edited by Sampei.Nihira
Link to comment

1 hour ago, Sampei.Nihira said:

Firefox outperforms chrome-based browsers.

I patiently await @feodor2's "Mypal 2.0".  NONE of Roytam's builds will work on one of my savings/IRA account web sites (in XP, 7, or 10!) so that alone kinda makes them all useless to me.  I used to do that for years, maintain one browser for these web sites, maintain another browser for those web sites, I have zero interest in doing that anymore, life is too short.  I miss when Mypal 27.9.4 performed everything I threw at it  :(  Hopefully "Mypal 2.0" (or whatever it's going to be called) will return me to Firefox-based.  TBD

edit - and NONE of Roytam's builds will work for my American Water billpay web site (in XP, 7, or 10!).

Edited by NotHereToPlayGames
Link to comment

I disabled UBO and repeated the test.
With Edge I have 15 reds as you can see from the image:

1.jpg


Considering that with UBO active I get only 3 reds the difference is 12 reds attributable exclusively to UBO.

So out of a total of 38 tests, 26 are NOT red due to the browser.

Edited by Sampei.Nihira
Link to comment

26 minutes ago, vinifera said:

I seem to have worse results than you guys

17 reds with uBlock Origin ON (and OFF)

means FF 95 is bad?

Firefox in the pc of my daughter is configured in a less restrictive way in comparison to my Edge, and with deactivated UBO I obtain 15 red.
So it is only necessary to configure Firefox better. :yes: :hello:

Istantanea-2021-12-15-20-49-04.png

Link to comment

Love these tests. My results.

Iron 77.0.4000.0 x64: 24/38 red :no:
Iron with UBO installed: 23/38 red :dubbio:
Firefox 69.0.3 x64: test doesn't run with js disabled (my default state) :sneaky:
Firefox (same) with js enabled for xsinator.com only: 3/38 red (with 10 gray/loading state) :ph34r:

Link to comment

Ummn .. how did I only get 9 on Serpent 52? 3rd party cookies blocked and 1st party isolate is active. Other than that and my enormous prefs.js, I don't know what I'm doing right.

Version     52.9.0 (32-bit)
Build ID     20211110012942

Spoofed - Mozilla/5.0 (Windows NT 10.0; Win32; x86; rv:91.0) Gecko/20100101 Firefox/91.0

Edited by XPerceniol
Link to comment

OTOH:

Not so good with DC Browser (Chrome/75.0.3770.100)

22 red :(

Which is strange as I use:

 --ssl-version-min=tls1.2 --enable-strict-mixed-content-checking

Site Settings:

Allow sites to save and read cookie data (recommended) - yes

Keep local data only until you quit your browser - yes

Block third-party cookies - yes

Prevent third-party websites from saving and reading cookie data - yes

And the flag:

chrome://flags/#reduced-referrer-granularity

Looking through the other flags; I don't see anything that would help with this. 

Edited by XPerceniol
Link to comment

@XPerceniol

 

It's not weird.
Chrome-based browsers are structurally "weaker" than Firefox-based browsers.
In various privacy/security focused tests:

https://browseraudit.com/

with Firefox-based browsers you will always get higher scores (seemingly easily) than Chrome-based browsers.

This doesn't mean that you can't get good scores with chrome-based browsers, it's that you have to work hard to get the best possible scores from the browser you use.

P.S. It's not just a matter of flags, although with my Edge I have 10 flags set differently than the default. :hello:

Link to comment