XS-Leaks (Cross-Site Leaks) Attacks Modern Web Browsers - Possible Mitigation


XPerceniol

1 hour ago, XPerceniol said:

How can we be sure the addons aren't collecting our data?

That's one of the reasons I never install addons directly from the Chrome Web Store.

I download the .crx, extract it, remove all non-English location files, browse through .js files for possible phone-home URLs, repackage the .crx, then drag-and-drop into 360Chrome.

Edited by NotHereToPlayGames
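
Added example, not part of the original post and not the poster's own tooling: a Python sketch of the manual review described above, run against an already-unpacked extension directory. It lists the broad grants declared in `manifest.json` and every host that appears as a URL literal in the extension's files; the sample extension, its host names and the function names are constructed for illustration.

```python
import json
import re
from pathlib import Path

# Host part of any http(s)/ws(s) URL literal found in a file.
URL_HOST_RE = re.compile(r"(?:https?|wss?)://([A-Za-z0-9][A-Za-z0-9.-]*)", re.I)
# Grants that let an add-on observe browsing across all sites.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
         "tabs", "cookies", "history", "webRequest"}
TEXT_SUFFIXES = {".js", ".json", ".html"}

def scan_extension(root):
    """Return (broad grants in the manifest, {host: files naming it})."""
    root = Path(root)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8-sig"))
    declared = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    for script in manifest.get("content_scripts", []):
        declared.update(script.get("matches", []))
    hosts = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for host in URL_HOST_RE.findall(text):
            name = path.relative_to(root).as_posix()
            hosts.setdefault(host.lower().strip("."), set()).add(name)
    return sorted(declared & BROAD), {h: sorted(f) for h, f in sorted(hosts.items())}

def write_sample(root):
    """Write a constructed unpacked extension (illustrative names only)."""
    root = Path(root)
    (root / "js").mkdir(parents=True, exist_ok=True)
    (root / "manifest.json").write_text(json.dumps({
        "name": "Sample", "version": "1.0", "manifest_version": 2,
        "permissions": ["storage", "tabs", "<all_urls>"],
        "content_scripts": [{"matches": ["*://*/*"], "js": ["js/content.js"]}],
    }), encoding="utf-8")
    (root / "js" / "content.js").write_text(
        'fetch("https://collect.metrics.example/v1?u=" + location.href);\n')
    (root / "js" / "options.js").write_text(
        'var help = "https://docs.vendor.example/help";\n')

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        print(scan_extension(tmp))
```

A literal search only finds URLs written out in the source; endpoints assembled at runtime or hidden by encoding will not appear in this listing.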


8 hours ago, XPerceniol said:

How can we be sure the addons aren't collecting our data? I don't know which ones to trust. I can disable JS globally but most sites won't load all the features.

There are two tools you can use. One is Process Hacker 2.38 with its low-level driver enabled. It is the last for XP. You go to the Network tab, then launch the browser to see what sites it connects to. Look for any network connections with your browser's name. Also note that not all connections mean data collection. Some of them can be related to the site you are connecting to. If the same connections happen on many sites, then it is a spying addon. The second is a MITM proxy, which will need a custom cert to be loaded in the browser, but it can see more.

You could learn to use a thing called uMatrix. It allows per-site scope for allowing/blocking JS. For example, I can allow Google scripts on the Google site while blocking scripts from Google on this site or anything else.
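
Added example, not part of the original post: the "same connections on many sites" check described above, written out in Python over constructed observations (remote hosts noted per visited site, as one would read them off a connection list). Comparing against a baseline run with add-ons disabled is an assumption added here so that the browser's own recurring connections are not flagged; all host names and function names are illustrative.

```python
from collections import defaultdict

# Constructed observations: visited site -> remote hosts the browser contacted.
WITH_ADDON = {
    "news.example": {"news.example", "cdn.news.example",
                     "update.browser.example", "stats.addon-vendor.example"},
    "shop.example": {"shop.example", "pay.checkout.example",
                     "update.browser.example", "stats.addon-vendor.example"},
    "forum.example": {"forum.example", "fonts.thirdparty.example",
                      "stats.addon-vendor.example"},
}
# Same sites visited with all add-ons disabled (assumed baseline run).
BASELINE = {
    "news.example": {"news.example", "cdn.news.example", "update.browser.example"},
    "shop.example": {"shop.example", "pay.checkout.example", "update.browser.example"},
    "forum.example": {"forum.example", "fonts.thirdparty.example"},
}

def same_site(host, site):
    """True when host is the visited site or one of its subdomains."""
    return host == site or host.endswith("." + site)

def recurring_hosts(observed, baseline, min_sites=3):
    """Hosts contacted on at least min_sites unrelated sites with the add-on
    enabled and never seen in the baseline run."""
    baseline_hosts = {h for hosts in baseline.values() for h in hosts}
    seen_on = defaultdict(set)
    for site, hosts in observed.items():
        for host in hosts:
            # Connections to the visited site itself are expected traffic.
            if same_site(host, site) or host in baseline_hosts:
                continue
            seen_on[host].add(site)
    return {h: sorted(s) for h, s in sorted(seen_on.items()) if len(s) >= min_sites}

if __name__ == "__main__":
    print(recurring_hosts(WITH_ADDON, BASELINE))
    # Without a baseline the browser's own update host is flagged as well.
    print(recurring_hosts(WITH_ADDON, {}, min_sites=2))
```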


10 minutes ago, Mr.Scienceman2000 said:

You could learn to use a thing called uMatrix. It allows per-site scope for allowing/blocking JS. For example, I can allow Google scripts on the Google site while blocking scripts from Google on this site or anything else.

Sure, true... but too complicated for my wife probably... if I die (this can happen, you never know!...) - then my wife could not use my computer because things are too complicated. So I don't use uMatrix.:o:P


9 hours ago, msfntor said:

Sure, true... but too complicated for my wife probably... if I die (this can happen, you never know!...) - then my wife could not use my computer because things are too complicated. So I don't use uMatrix.:o:P

I don't have a wife but I know that struggle still. One person had to use my PC to do a new order as his laptop had died, and he was asking why all sites are broken and was confused about JavaScript, CSS allowing etc. :buehehe:


Quote

I don't have a wife but I know that struggle still. One person had to use my PC to do a new order as his laptop had died, and he was asking why all sites are broken and was confused about JavaScript, CSS allowing etc.

:buehehe:


 

I have not met a "single" person... who is happily married. :D

Edited by XPerceniol

1 hour ago, Mr.Scienceman2000 said:

One person had to use my PC to do a new order as his laptop had died, and he was asking why all sites are broken and was confused about JavaScript, CSS allowing etc. :buehehe:

Happened to me once that a payment transaction didn't go through due to some domain of the transaction processing system not being whitelisted yet.

I have doubts this whole block JS by default thingy actually saved me from anything. It sure got annoying many times.


2 hours ago, UCyborg said:

I have doubts this whole block JS by default thingy actually saved me from anything. It sure got annoying many times.

Uhhh...

Sure, if you don't go to the "dubious" sites,
but use only a few (or ten/20 websites...) chosen by you some time ago, then MAYBE you don't need to ban JS... but be aware that well-known websites are also targets of attacks, hackers,... you are never sure on the internet, so...
It's YOUR choice.

I prefer Script Blocker Ultimate, then sometimes change to ScriptBlock, simple too...easy in the end, and this gives the feeling of "security".

Test: https://browserleaks.com/javascript

Confirm dialog test: http://www.liesong.de/js/scripts/confirm.html

Edited by msfntor

13 hours ago, UCyborg said:

Happened to me once that a payment transaction didn't go through due to some domain of the transaction processing system not being whitelisted yet.

I have doubts this whole block JS by default thingy actually saved me from anything. It sure got annoying many times.

It is frustrating, as many stores here use checkout services instead of sending a bill for you to pay. One called Checkout Finland here uses way too many domains, subdomains etc., and if you reload, the purchase will fail but it takes the money anyway. And to make it even more of a pain in the as#, they change those all the time.

I ended up using lowered script blocking on the browser instance I use for banking (separate browser on separate hw), and on the workstation I block JS.


12 hours ago, msfntor said:

Sure, if you don't go to the "dubious" sites,
but use only a few (or ten/20 websites...) chosen by you some time ago, then MAYBE you don't need to ban JS... but be aware that well-known websites are also targets of attacks, hackers,... you are never sure on the internet, so...
It's YOUR choice.

Yeah, I used to be more adventurous in that regard. These days I mostly stick to a small handful of them. NoScript is still used to give me a second to think if I want to proceed in case I encounter the site that doesn't display anything.

That said, I'd still be sitting here typing this even if my car didn't have seat belts and airbags. YMMV.

1 hour ago, Mr.Scienceman2000 said:

It is frustrating, as many stores here use checkout services instead of sending a bill for you to pay.

What about the pay the postman delivering the package method?


1 hour ago, UCyborg said:

That said, I'd still be sitting here typing this even if my car didn't have seat belts and airbags. YMMV.

The irony is that those are supposed to save lives, but they can also take them away. A few years ago there was a recall over failing seatbelt harnesses. And more recent is the Takata airbag recall that affects nearly all airbag-equipped cars from early 2000 onward. The problem is that the airbag can harden and explode instead of filling up. I am pretty confident that all cars made from 2000 onward are affected, but manufacturers refuse to recall most until someone dies from it failing and the company gets sued. I feel very confident stepping into a car with one.

Edited by Mr.Scienceman2000