XS-Leaks (Cross-Site Leaks) Attacks Modern Web Browsers - Possible Mitigation


XPerceniol


Just for the record, I'm actually not paranoid and both browsers work/function very well and I feel they are secure (enough as can be) but perhaps lacking in other areas. I'm not at all worried; I realize some need to be concerned with privacy and (so called) anonymity and I get that, perhaps in repressed areas of the world, folks need to take this seriously. It's just good to know/realize that anything can be exploited these days; sad to say in this new internet world.

A bit dismayed that even our 360EE still gives me 20 red, but, again, it works very well and I don't know enough at all about Chrome to even begin to come up with solutions, but hopefully, in our effort(s) and continued development here, we'll improve over time. They have worked very hard to make this even possible and we mustn't take their hard work for granted.

 

Edited by XPerceniol


On 12/14/2021 at 11:55 PM, msfntor said:

I do NOT use neither 3-rd party deny in uBlock, nor Origin Requests Only extension...

 

6 hours ago, XPerceniol said:

And the flag:

chrome://flags/#reduced-referrer-granularity

Thank you for this flag:

now, this flag enabled in DcBrowser, I've 10 Reds and 3 Not Applicable;

in 360Chrome 13.5 r 5: 12 Reds and 3 Not Applicable, with this flag, and 9 Reds without this flag changed, and not this same ones than in DcBrowser...

Edited by msfntor

2 hours ago, vinifera said:

yeh... but if you disable JS then most sites won't work at all ...

JUST THE WAY I LIKE IT  :cheerleader:

I allow JS on my banking and billpay, but the vast majority of the rest of my browsing experience is for READING the content on a web site, which works perfectly fine without JS BS (not "always", but good enough for me, I'll just go to a DIFFERENT source where I can READ the content without JS BS).


6 hours ago, Tripredacus said:

Love these tests. My results.

Firefox 69.0.3 x64: test doesn't run with js disabled (my default state) :sneaky:
Firefox (same) with js enabled for xsinator.com only: 3/38 red (with 10 gray/loading state) :ph34r:

 

so with FF 69 you get only 3 reds
and with FF 95 considered "modern" i get 17

what the hell ...


12 minutes ago, NotHereToPlayGames said:

The flag mentioned earlier INCREASED my reds from FOUR to FIVE.

 

43 minutes ago, msfntor said:

in 360Chrome 13.5 r 5: 12 Reds and 3 Not Applicable, with this flag, and 9 Reds without this flag changed, and not this same ones than in DcBrowser...

-but in DcBrowser, this flag enabled has decreased  Reds from 11 to 10..

Edited by msfntor

@NotHereToPlayGames since you are a privacy aware person I am curious what addons you are using in your 360chrome?

I may have to give it a shot to access some sites that need newer js and wasm. I have used gecko based browsers for most of my life so not fully sure what works on chromium and even less on older one


I tend to NOT use the "latest-and-greatest" version of most of my extensions ON PURPOSE.

Newer often times just means a newer "feature" was added.  But if that "feature" is a security/privacy risk, then all you did was shoot yourself in the foot thinking "it's newer, it has to be better".

Flags:  --disable-logging --no-default-browser-check --disable-component-update --disable-background-networking --allow-outdated-plugins --kiosk-printing --disable-print-preview --cipher-suite-blacklist=0xe013 --disable-webgl --js-flags=--noexpose_wasm

I do NOT use any uMatrix/uBlock "lists" (one that I used to use is still listed in my profile but unchecked).  I use MVPS HOSTS file but tend to only update once every six months or so.

A ton of site-specific uMatrix and NoScript rules not included below.  I rarely visit YouTube but since it has such a gigantic following amongst MSFN members I have two extensions just for a site I almost never visit.


Edited by NotHereToPlayGames

2 hours ago, msfntor said:

 

-but in DcBrowser, this flag enabled has decreased  Reds from 11 to 10..

You're welcome, but he's right, enabling that flag decreases in DC and makes things worse in 360EE. I actually don't use DC browser because videos play better on 360 (for me). I notice they either skip or stop with the rotating circle on DC. I find  --disable-gpu --enable-strict-mixed-content-checking helped in 360. You say V11 isn't working correctly?
 


1 hour ago, Mr.Scienceman2000 said:

@NotHereToPlayGames since you are a privacy aware person I am curious what addons you are using in your 360chrome?

I may have to give it a shot to access some sites that need newer js and wasm. I have used gecko based browsers for most of my life so not fully sure what works on chromium and even less on older one

How can we be sure the addons aren't collecting our data? I don't know which ones to trust. I can disable js globally but most sites won't load all the features.

Edited by XPerceniol
