Browserland » Security

Browsers’ Private Mode Is Not So Private

Giovanni Panasiti — Sun, 29 Aug 2010 21:18:25 +0000

During the last Usenix Security Symposium was presented a research by G. Aggrawal, E. Bursztein, C. Jackson, and D. Boneh. This research was published as a PDF and you can download it.

According to their research the “private mode” features offered by the major browsers (Internet Explorer, Firefox, Chrome and Safari) don’t work as promised.

In theory these features should let you to browse the Web without leaving any trace on your computer , but they don’t. For example when you visit a website that uses SSL security certification,also if you are using Firefox, IE, and Safari “private mode”, this visit will be recorded in a file on your computer.

In Firefox, the private mode leaves traces everytime you set preferences for a specific site or use a plug-in, an add-on, or visit a site that uses the HTML5 advanced features. Instead, Internet Explorer has a problem in those sites which carry query SMB for any reason.

More in general the problem is that these browsers don’t distinguish browsing sessions between private and “non-private”. So a specially crafted website can track who visit it in public mode or in private mode.

The authors of the research also found a way to allow a site to find out if the visitors use public or private mode just using an IFRAME and a bit of Javascript.

The researchers used this system to know in which situations users use private browsing feature. This feature is presented by manufacturers as a solution to buy gifts without the recipient knowing it in advance, although the researchers proved that this feature is mainly used to visit adult website. The real surprise is that the proportion of users adopting the private mode to visit adult websites is very close to the one of those who use it for shopping or browsing for generic topic: respectively 8% and 6%.

The other interesting aspect, found by researchers, is that there is much variability from browser to another browser: Internet Explorer users are those that less use this feature (2%, including pornographic sites). Safari users are at the opposite end with a 14%.

The problem is that researchers proved that this feature is not what you think it is and everything you do on the Web is recorded. So whatever you do online, you better know you are going to be observed and remember: you are not invisible.

This article was originally published by Paolo Attivissimo on his blog Il Disinformatico in italian language.

Serious Safari Security Flaw Found: A Bug Makes Vulnerable Your Personal Informations

Giovanni Panasiti — Fri, 23 Jul 2010 08:45:11 +0000

If you are among the more than 80 million people who use Apple’s Safari browser to surf the web, you may want to change your settings stat.

At the moment, if you are a Safari user, who surfs the web visiting web pages and stuff, a malicious website can uncover your first name, last name, work place, city, state, and your email address. Even if you’ve never been there, or entered any personal information, before.

PhotoFiltre: Todd Klassy

This is possible using an exploit discovered in Safari’s AutoFill that allows malicious websites to extract a user’s first name, last name, work place, city, state, and email address. They don’t even need to fill out a form to trigger the bug: It can occur simply by their loading the site and takes place in just seconds. WhiteHat Security’s Jeremiah Grossman has described it in greater detail.

In Safari, AutoFill uses data from the users personal record in the local operating system address book. Again it is important to emphasize this feature works even though a user never entered this data on any website. Also this behavior should not be confused with normal auto-complete data a Web browser may remember after its typed into a form.

To better understand what we are talking about visit this website using Safari version 4 or 5 (the last): Safari AutoFill Exploit and press the “START” button.

In a few seconds the page shows you your first name, last name, work place, city, state, and your email address. Luckly this is only an harmless demo, but it works exactly how could works a malicios website. But in a malicious website your personal data may be transmitted to the operator of the site without you to do anything, and without you see anything. All this could happen in backgroud while you are surfing the Web.

In other words, with Safari you can steal the identity of a visitor without noticing. Goodbye anonymity. Imagine putting a trap on a website with objectionable content and thus steal the identities of visitors. The possibility of spamming and blackmail are easy to guess.

To read more about this in Jeremiah Grossman’s article: I know who your name, where you work, and live (Safari v4 & v5)

How To Surf The Web Anonymously: Proxy Servers

Giovanni Panasiti — Mon, 19 Jul 2010 13:39:19 +0000

If you want to surf in the web anonymously, if you want to hide your IP address, there are a lot of free proxy servers that you can use to secure your web browsing activities.

Proxy servers allow you to surf in the Web without leaving any trace of your passage. They also allow you to bypass firewalls due to censorship filters, schools, universities or any other case where yo are forbid to browse the web like you do at home.

Photocredit: ukaszSie

If you are in your office and a firewall doesn’t allow you to access some websites a proxy server is what you really need.

When you surf in the Web your privacy is constantly at risk. When you are in Internet everything you do is recorded by Internet providers and by the servers that host the web sites you visit. All this information is collected without you even noticing, and these could be given away to third-party services.

So cover your traces when you surf the Web is very important and proxy allows you to make it.

I found an incredible number of Proxy servers and I have them all listed below:

Bind2

Link: http://bind2.com/

Online-Proxy.net

Link: http://www.online-proxy.net/

BTunnel

Link: http://www.btunnel.com/

Bypass School Filter

Link: http://www.bypassschoolfilter.com/

Web4Proxy

Link: http://web4proxy.com/

Proxywars

Link: http://www.proxywars.net/

Sambaweb.info

Link: http://www.sambaweb.info/

Proxy-Online.com

Link: http://www.proxy-online.com/

Free Proxy Server

Link: http://www.freeproxyserver.ca

Unblock Myspace

Link: http://www.unblockmyspace.com/

Proxy.org

Link: http://www.proxy.org/

InternetProxy.net

Link: http://internetproxy.net/

Free Public Proxy

Link: http://www.free-public-proxy.com/

Hide My Ass!

Link: http://www.hidemyass.com/

Zend2

Link: http://www.zend2.com/

GoTrusted

Link: http://www.gotrusted.com/

Anonymous Surfing

Link: http://www.anonymizer.com/

SnoopBlock

Link: http://www.snoopblock.com/

PageWash

Link: http://www.pagewash.com/

MegaProxy

Link: https://www.megaproxy.com/freesurf/

In this guide I post the best Proxy servers services between those posted in MasterNewMedia’s “Bypass That Firewall” – Mini-Guide

Simultaneous Anonymous Browsing In Firefox: Private Browsing Window

Giovanni Panasiti — Mon, 25 Jan 2010 12:03:50 +0000

With version 3.5, Mozilla introduced in Firefox a new feature: Private Browsing. For those who don’t know, Private Browsing is a particular state of Firefox which allows people to browse anonymously on the web, without leaving any trace into the browser’s history, cookies, complement data, etc.

Unfortunately this feature in Firefox is not very practical to use: in fact, you have to close your actual session in order to start it.

Luckily there’s a plugin, Private Browsing Window, that lets you open a new completely independent anonymous window, like it is in Chrome’s Incognito Mode, so that you don’t need to close the current browsing session.

Once you have downloaded and installed it, restart Firefox and you will find a green icon on the right bottom of your browser, or a new voice into the Tools menu: clicking it will start a new private browsing session without leaving the “normal one”.

Installation Link: https://addons.mozilla.org/en-US/firefox/addon/59736

Photo Credits: Safe Box – VisualPharm, Binary Code Background – Flavio Takemoto

List Of The Best Add-On To Improve The Security Of Our Firefox Web Browser

Giovanni Panasiti — Sun, 22 Nov 2009 17:33:01 +0000

While surfing the main thing is to pay attention to safety. For this reason, today, I submit to you this list of the best add-on to improve your browser’s security.

Here the list:

NoScript

Winner of the “2006 PC World World Class Award”, this tool provides extra protection to your Firefox.

It allows JavaScript, Java and other executable content to run only from trusted domains of your choice, e.g. your home-banking web site, guarding your “trust boundaries” against cross-site scripting attacks (XSS) and Clickjacking attempts, thanks to its unique ClearClick technology.

Such a preemptive approach prevents exploitation of security vulnerabilities (known and even unknown!) with no loss of functionality…

BetterPrivacy

Several members recommended BetterPrivacy as the best way to control Flash cookies. Flash cookies are difficult to remove, do not expire, and can re-create deleted HTTP cookies. After much testing, I know BetterPrivacy works, whereas controlling Flash cookies using Adobe’s Web site is questionable.

AdBlock Plus

AdBlock Plus is not a security add-on. But I would not surf the Web without it. Blocking all ads, especially those bandwidth-hogging banner ads. Web pages pop up almost immediately. Try it once and you will never leave it.

LinkExtend

LinkExtend provides meta-site-ratings for computer safety, child safety, company ethics, and popularity. Safety results come from eight online services giving you a safer browsing experience. Site links, titles, files and reviews are also included.
WOT

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory.

BugMeNot

BugMeNot is a service that provides login information for sites that require a login. It is mostly used for sites that you don’t want to register just for one occasion. All logins are submitted by users, and the logins can be marked as “working” or “not working”. A working ratio of lower than 50% removes the login from BugMeNot.

Note that this search plugin does not have any kind of affiliation with BugMeNot. And, the quality of the results completely depends on BugMeNot.

PhishTank SiteChecker

PhishTank SiteChecker gives Firefox users a way to bring the community judgment of PhishTank (http://www.phishtank.com/) into their favorite browser, for extra protection against phishing.

How To Make Your Firefox Safer With Links Checker: LinkExtend

Giovanni Panasiti — Sun, 22 Nov 2009 17:30:25 +0000

There’s no way to reduce to zero your risk of picking up some piece of malware while browsing.

Much emphasis has been placed on the enhanced security features of the latest versions of the popular browsers. Whether one is any safer than another is anybody’s guess, but no browser gives you more ways to thwart a Web-based attack than Firefox via its wealth of security add-ons.

Today I want to present a fantastic add-on that lets you browsing safer, its name is: LinkExtend

LinkExtend provides meta-site-ratings for computer safety, child safety, company ethics, and popularity. Safety results come from eight online services giving you a safer browsing experience. Site links, titles, files and reviews are also included.

Here you can install the add-on: Click here

Here the official Web-site: LinkExtend

How To Avoid Hacker Attacks And Make Firefox More Secure: Mini-Guide

Nico Canali — Thu, 27 Dec 2007 22:00:23 +0000

Have you ever thought that every single time you browse a web-page you are vulnerable to hacker attacks? Sure it’s full of anti-virus, anti-spyware and anti-malware softwares that can help you preventing infection, but being protected from the start, directly when you are browsing a page, would be a great move.

Photo Credit: Sergio Ianni – Edited By Nicolo’ Canali De Rossi

In this step-by-step guide I am going to show how to set your Firefox up in a secure state to avoid any possible damage, just by disabling some features.

Here the details:

From your browser toolbar, select Tools and then Options. A new window with six tabs will open.

Set Firefox as your default browser

Under the tab “General”, click on the check-box to set Firefox as your default browser. From now on, every action associated with Internet Explorer is assigned with Mozilla Firefox.

Clear private data and cookies

Under the “Privacy” tab, you will see two boxes: “Cookies” and “Private Data”.

The first one will help you set cookie exceptions and also how long cookies will be stored in your system. This is a really personal decision, depending on which web-sites you use and how you use them.

“Private Data” is a very useful option that can help clear all the sensitive data (like browsing history, cookies, cache and saved password). You can also set up to clear you data every time you close Firefox.

Create a master password

In the “Security” tab, you will find a box called “Passwords”. This function allows you to store all your log-in passwords inside Firefox.

Creating a master password can help you encrypt all the others, increasing security remembering just one word instead of many.

Just select the box, click on “Change Master Password”, and insert an easy-to-remember but also strong password.

Set up warnings

Firefox can warn you every time something suspicious is going on. In “Security”, tick the boxes “Warn me when sites try to install add-ons” and “Tell me if the site I’m visiting is a suspected forgery”.

These options should be active by default, so just check if they are selected.

You can also set up some more warnings that can notify you whenever a particular page opens or closes. Under “Warning Messages” click “Settings”, and select all the warnings you want to be displayed.

Disable Java and block popups

Java is a programming language that allows any web-site to run applications on your computer automatically.

Disabling it, or at least activating it just when it’s needed would be a good behavior.

To do so, just go into the “Content” tab, and untick the “Enable Java” box.

You will also see an Advanced button next to “Javascript“. Click it, disable all the features you see, apart from the ones you think will be absolutely necessary for you, and click OK.

Back in “Content”, make sure that the “Block Popus” feature is active.

Download Actions

The last thing you need to do is to modify actions that Firefox takes when files are downloading. Any time a file type is configured to open automatically with an associated application, this can make the browser more dangerous to use, facilitating hackers’ attacks.

Under “Content” click the “Manage…” button in the “File Types” box.

Here you will be able to see the file types and the actions the browser will perform when it encounters a particular file type.

For any file type that you see listed, click on “Change Action” and select “Save them on my computer” to save files of that type instead of opening them in another program, preventing automated exploitation of vulnerabilities that may exist in those applications.

This is an updated version of the CERT/CC‘s recommended Firefox’s security settings, in which they used Firefox 1.5. For this mini-guide I used Firefox 2.0.0.11.