Jump to content

XS-Leaks (Cross-Site Leaks) Attacks Modern Web Browsers - Possible Mitigation

XPerceniol

By XPerceniol
in Web Browsers

 Share

Recommended Posts

NotHereToPlayGames

NotHereToPlayGames

Posted
Posted (edited)
1 hour ago, XPerceniol said:

How can we be sure the addons aren't collecting our data.

That's one of the reasons I never install addons directly from the Chrome Web Store.

I download the .crx, exract it, remove all non-English location files, browse through .js files for possible phone-home URLS, repackage the .crx, then drag-and-drop into 360Chrome.

Edited by NotHereToPlayGames

Nokiamies

Nokiamies

Posted
Posted
8 hours ago, XPerceniol said:

How can we be sure the addons aren't collecting our data. I don't know which ones to trust. I can disable js globally but most site won't load all the features.

there is two tools you can use. One is process hacker 2.38 with it low level driver enabled. It is last for xp. You go to network tab then launch browser to see what sites does it connect. Look any network connections with your browser name. Also not that not all of connections mean data collection. Some of them can be related to site you are connecting. If same connections happens on many sites then it is spying addon. Second is MITM proxy that will need custom cert to be loaded on browser but it can see more

You could learn use thing called Umatrix. That allow per site scope for allowing/blocking js. For example I can allow google scripts on google site while blocking scripts from google on this site or anything else.

1
msfntor

msfntor

Posted
Posted
10 minutes ago, Mr.Scienceman2000 said:

You could learn use thing called Umatrix. That allow per site scope for allowing/blocking js. For example I can allow google scripts on google site while blocking scripts from google on this site or anything else.

Sure, true... but too complicated for my wife probably... if I die (this can happen, you never know!...) - then my wife could not use my computer because things are too complicated. So I don't use uMatrix.:o:P

2
Tripredacus

Tripredacus

Posted
Posted
17 hours ago, vinifera said:

so with FF 69 you get only 3 reds
and with FF 95 considered "modern" i get 17

what the hell ...

The (relative) Extensions I have on this are:
- DDG Privacy Essentials
- HTTPS Everywhere
- NoScript
- UBO

2
Nokiamies

Nokiamies

Posted
Posted
9 hours ago, msfntor said:

Sure, true... but too complicated for my wife probably... if I die (this can happen, you never know!...) - then my wife could not use my computer because things are too complicated. So I don't use uMatrix.:o:P

I don't have wife but I know that struggle still. One person had to use my pc to do new order as his laptop had died and he was asking why all sites are broken and was confused about javascript, css allowing etc :buehehe:

1
XPerceniol

XPerceniol

Posted
  • Author
Posted (edited)
Quote

I don't have wife but I know that struggle still. One person had to use my pc to do new order as his laptop had died and he was asking why all sites are broken and was confused about javascript, css allowing etc

:buehehe:


 

I have not met a "single" person... Whom is happily married. :D

Edited by XPerceniol
UCyborg

UCyborg

Posted
Posted
1 hour ago, Mr.Scienceman2000 said:

One person had to use my pc to do new order as his laptop had died and he was asking why all sites are broken and was confused about javascript, css allowing etc :buehehe:

Happened to me once that payment transaction didn't go through due to some domain of transaction processing system not being whitelisted yet.

I have doubts this whole block JS by default thingy actually saved me from anything. It sure got annoying many times.

msfntor

msfntor

Posted
Posted (edited)
2 hours ago, UCyborg said:

I have doubts this whole block JS by default thingy actually saved me from anything. It sure got annoying many times.

Uhhh...

Sure,  if you don't go to the "doubious" sites,
but use only a few (or ten/20 websites...) chosen by you some time ago, then MAYBE you don't need to ban JS... but be aware, that well known websites are also target of attacks, hackers,...you are never sure on the internet, so...
It's YOUR choice.

I prefer Script Blocker Ultimate, then sometimes change to ScriptBlock, simple too...easy in the end, and this gives the feeling of "security".

Test: https://browserleaks.com/javascript

Confirm dialog test: http://www.liesong.de/js/scripts/confirm.html

Edited by msfntor
Nokiamies

Nokiamies

Posted
Posted
13 hours ago, UCyborg said:

Happened to me once that payment transaction didn't go through due to some domain of transaction processing system not being whitelisted yet.

I have doubts this whole block JS by default thingy actually saved me from anything. It sure got annoying many times.

it is frustrating as many stores here uses checkout services instead of sending bill for you to pay. One called checkout finland here uses way too many domains, subdomains etc and if you reload purshace will fail but it takes money anyway. And to make it even more pain in the as# they change those all the time

I ended up using lowered script blocking on browser instance I use for banking (seperate browser on seperate hw) and on workstation I block JS

UCyborg

UCyborg

Posted
Posted
12 hours ago, msfntor said:

Sure,  if you don't go to the "doubious" sites,
but use only a few (or ten/20 websites...) chosen by you some time ago, then MAYBE you don't need to ban JS... but be aware, that well known websites are also target of attacks, hackers,...you are never sure on the internet, so...
It's YOUR choice.

Yeah, I used to be more adventurous in that regard. These days I mostly stick to a small handful of them. NoScript is still used to give me a second to think if I want to proceed in case I encounter the site that doesn't display anything.

That said, I'd still be sitting here typing this even if my car didn't have seat belts and airbags. YMMV.

1 hour ago, Mr.Scienceman2000 said:

it is frustrating as many stores here uses checkout services instead of sending bill for you to pay.

What about the pay the postman delivering the package method?

NotHereToPlayGames

NotHereToPlayGames

Posted
Posted
1 hour ago, UCyborg said:

I'd still be sitting here typing this even if my car didn't have seat belts and airbags.

My joke on my '55 Dodge and '61 Studebaker isn't about their lack of seat belts or airbags, but rather that they both have close to half a dozen ash trays but no cup holders.

Nokiamies

Nokiamies

Posted
Posted (edited)
1 hour ago, UCyborg said:

That said, I'd still be sitting here typing this even if my car didn't have seat belts and airbags. YMMV.

ironic is that those supposed to saves lives but they can also take them away. Few years ago there was recall over failing seatbelt harnesses. And more recent is Takasa airbag recall that affects near all airbag equipped cars from early 2000 onward. Problem is that airbag can harden and explode instead of filling up. I am pretty confident that all cars made from 2000 onward are affected but manufactures refuse recall most until someone dies for it failing and company gets sued. I feel very confident stepping to car with one

Edited by Mr.Scienceman2000
Nokiamies

Nokiamies

Posted
Posted
1 hour ago, UCyborg said:

What about the pay the postman delivering the package method?

that works for most but some stores I use wont offer that option. Either you give credit card or use checkout service to wire transfer

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...