Gentoo Forums
Mozilla privacy bug
SQLBoy
Guru

Joined: 17 Aug 2002
Posts: 381

Posted: Mon Sep 16, 2002 1:27 pm    Post subject: Mozilla privacy bug

This was posted on slashdot.org today and I figured I would pass it on. This page has the bug and the fix. I put these lines in the /usr/lib/mozilla/defaults/pref/all.js file:

Code:

pref("network.http.sendRefererHeader", 0);
pref("capability.policy.default.Window.onunload", "noAccess");


Here is the link:
http://members.ping.de/~sven/mozbug/refcook.html

Matt

rac
Bodhisattva

Joined: 30 May 2002
Posts: 6553
Location: Japanifornia

Posted: Mon Sep 16, 2002 5:57 pm

Yet another reason to turn off Javascript.
_________________
For every higher wall, there is a taller ladder

SQLBoy
Guru

Joined: 17 Aug 2002
Posts: 381

Posted: Mon Sep 16, 2002 6:01 pm

Yeah, I know. I wish I could turn it off myself but I need it for a couple sites. What would be cool is if Galeon would let you actually specify "javascript" sites and block it on all other sites.

infox
n00b

Joined: 14 Sep 2002
Posts: 14

Posted: Mon Sep 16, 2002 8:15 pm

I would set up an HTTP proxy such as oops. I use this at home and I am not affected by this bug, and it's quite nice along with junkbuster.

pilla
Bodhisattva

Joined: 07 Aug 2002
Posts: 7731
Location: Underworld

Posted: Mon Sep 16, 2002 11:04 pm

I've tried to reproduce the bug using the link in Slashdot, but wasn't able to. Running Mozilla 1.0-r3.

rojaro
l33t

Joined: 06 May 2002
Posts: 732

Posted: Tue Sep 17, 2002 1:54 pm

there is no need to disable javascript completely. adding the following line is fully sufficient.

Code:
pref("capability.policy.default.Window.onunload", "noAccess");


disabling the sendRefererHeader function will result in lots of dynamic websites not working for you.
_________________
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)
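
An added example, not part of the thread: a small Python check that reads a Mozilla prefs file such as the all.js named in the first post and reports which of the two workaround prefs quoted above are active. The comment handling, the "later line wins" rule and the sample input are assumptions made for the example.

```python
import re
import sys

# Pref names and values are the two quoted in this thread.
ONUNLOAD = "capability.policy.default.Window.onunload"
REFERER = "network.http.sendRefererHeader"
# Matches pref("name", value); and user_pref("name", value);
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(".*?"|-?\d+|true|false)\s*\)\s*;',
    re.MULTILINE,
)

def parse_prefs(text):
    """Return {name: value}; a later line overrides an earlier one (assumed)."""
    # Drop /* ... */ blocks, then whole-line // comments (URLs in values survive).
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    text = re.sub(r"^[ \t]*//.*$", "", text, flags=re.MULTILINE)
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw.startswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw)
    return prefs

def audit(text):
    """Report which of the thread's two workarounds are active."""
    prefs = parse_prefs(text)
    referer = prefs.get(REFERER)
    return {
        "onunload_blocked": prefs.get(ONUNLOAD) == "noAccess",
        # type check so a boolean false is not mistaken for the integer 0
        "referer_disabled": type(referer) is int and referer == 0,
    }

# Constructed sample: the referer line is commented out, so only the onunload policy applies.
SAMPLE = """\
/* constructed defaults file */
pref("browser.startup.homepage", "about:blank");
// pref("network.http.sendRefererHeader", 0);
pref("capability.policy.default.Window.onunload", "noAccess");
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for check, active in audit(text).items():
        print(f"{check}: {'yes' if active else 'no'}")
```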

rac
Bodhisattva

Joined: 30 May 2002
Posts: 6553
Location: Japanifornia

Posted: Tue Sep 17, 2002 5:30 pm

rojaro wrote:
there is no need to disable javascript completely.

I maintain that the security model of Javascript is broken as designed, and in my opinion it allows people who write websites to run arbitrary code on your machine under the user id of your browser. I do not remember one single security-related problem ever discovered in any web browser that could not have been completely avoided by turning Javascript off.
_________________
For every higher wall, there is a taller ladder

pjp
Administrator

Joined: 16 Apr 2002
Posts: 20589

Posted: Tue Sep 17, 2002 5:35 pm

Unfortunately, turning javascript off can make browsing non-functional :(
_________________
Quis separabit? Quo animo?

Naan Yaar
Bodhisattva

Joined: 27 Jun 2002
Posts: 1549

Posted: Tue Sep 17, 2002 6:42 pm

Are we forgetting ActiveX here :)?
rac wrote:
...I do not remember one single security-related problem ever discovered in any web browser that could not have been completely avoided by turning Javascript off.

rac
Bodhisattva

Joined: 30 May 2002
Posts: 6553
Location: Japanifornia

Posted: Tue Sep 17, 2002 7:07 pm

Naan Yaar wrote:
Are we forgetting ActiveX here :)?

Excuse me. Is it possible to turn off ActiveX? I've never used MSIE or Windows.
_________________
For every higher wall, there is a taller ladder

Naan Yaar
Bodhisattva

Joined: 27 Jun 2002
Posts: 1549

Posted: Tue Sep 17, 2002 7:25 pm

You can disable ActiveX in MSIE in addition to Javascript and Java. ActiveX is a bad idea.
rac wrote:
...Excuse me. Is it possible to turn off ActiveX? I've never used MSIE or Windows.

rizzo
Retired Dev

Joined: 30 Apr 2002
Posts: 1067
Location: Manitowoc, WI, USA

Posted: Wed Sep 18, 2002 2:39 pm

rac wrote:
I've never used MSIE or Windows.


You've never used Windows? You, sir, are my hero.

pilla
Bodhisattva

Joined: 07 Aug 2002
Posts: 7731
Location: Underworld

Posted: Wed Sep 18, 2002 3:05 pm

A virgin.... he's pure 8)

rizzo wrote:
rac wrote:
I've never used MSIE or Windows.


You've never used Windows? You, sir, are my hero.

rojaro
l33t

Joined: 06 May 2002
Posts: 732

Posted: Wed Sep 18, 2002 5:22 pm

rac wrote:
rojaro wrote:
there is no need to disable javascript completely.

I maintain that the security model of Javascript is broken as designed, and in my opinion it allows people who write websites to run arbitrary code on your machine under the user id of your browser. I do not remember one single security-related problem ever discovered in any web browser that could not have been completely avoided by turning Javascript off.


that's a pretty harsh view ... because you could say the same about ANY and EVERY piece of software ever made ... so if one's scared about "new" technologies like javascript as in our example (or .NET, Java, C++, Perl, PHP etc), one shouldn't use computers at all ... avoiding a traffic accident by not using cars won't solve the problem of traffic accidents in general ... don't fear - just master the technology before it masters you
_________________
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)

pjp
Administrator

Joined: 16 Apr 2002
Posts: 20589

Posted: Wed Sep 18, 2002 5:45 pm

rojaro wrote:
avoiding a traffic accident by not using cars won't solve the problem of traffic accidents in general
No, but I could certainly choose to not drive a car from a particular manufacturer that had a history of safety problems.
_________________
Quis separabit? Quo animo?

Naan Yaar
Bodhisattva

Joined: 27 Jun 2002
Posts: 1549

Posted: Wed Sep 18, 2002 5:45 pm

There is a clear difference between technologies that you choose to run explicitly on your computer and stuff that creeps in insidiously through your browser. Using a web-browser as a program delivery mechanism is fraught with risks, as evidenced by the number of security issues with Javascript/ActiveX/Flash/Java...

The issue is not the technology itself; rather whether it is delivered and used within reasonable security constructs.
rojaro wrote:
...
that's a pretty harsh view ... because you could say the same about ANY and EVERY piece of software ever made ... so if one's scared about "new" technologies like javascript as in our example (or .NET, Java, C++, Perl, PHP etc), one shouldn't use computers at all ... avoiding a traffic accident by not using cars won't solve the problem of traffic accidents in general ... don't fear - just master the technology before it masters you

dioxmat
Bodhisattva

Joined: 04 May 2002
Posts: 709
Location: /home/mat

Posted: Wed Sep 18, 2002 6:06 pm

btw, to disable js on the fly, have a look at http://xulplanet.com/downloads/prefbar/

pjp
Administrator

Joined: 16 Apr 2002
Posts: 20589

Posted: Wed Sep 18, 2002 6:23 pm

dioxmat wrote:
disable js on the fly
Galeon users can select "Settings" -> "Allow Java" or "Allow JavaScript". I didn't see anything in Mozilla.
_________________
Quis separabit? Quo animo?

rojaro
l33t

Joined: 06 May 2002
Posts: 732

Posted: Wed Sep 18, 2002 6:24 pm

kanuslupus wrote:
rojaro wrote:
avoiding a traffic accident by not using cars won't solve the problem of traffic accidents in general
No, but I could certainly choose to not drive a car from a particular manufacturer that had a history of safety problems.


hehe ... name ONE car manufacturer which never called back a model due to construction/technical design problems ... :)
_________________
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)

pjp
Administrator

Joined: 16 Apr 2002
Posts: 20589

Posted: Wed Sep 18, 2002 6:26 pm

Having a history of problems vs. a few, or minor problems, is a big difference. I didn't say zero problems.
_________________
Quis separabit? Quo animo?


Last edited by pjp on Wed Sep 18, 2002 6:26 pm; edited 1 time in total

rojaro
l33t

Joined: 06 May 2002
Posts: 732

Posted: Wed Sep 18, 2002 6:26 pm

kanuslupus wrote:
dioxmat wrote:
disable js on the fly
Galeon users can select "Settings" -> "Allow Java" or "Allow JavaScript". I didn't see anything in Mozilla.


Edit -> Preferences -> Advanced -> Scripts & Plugins

"Enable Javascript for" [x] Navigator
_________________
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)

pjp
Administrator

Joined: 16 Apr 2002
Posts: 20589

Posted: Wed Sep 18, 2002 6:27 pm

That is a bit more involved than 'on the fly' suggests IMO. Thanks for pointing it out though.
_________________
Quis separabit? Quo animo?

dioxmat
Bodhisattva

Joined: 04 May 2002
Posts: 709
Location: /home/mat

Posted: Wed Sep 18, 2002 6:28 pm

kanuslupus wrote:
dioxmat wrote:
disable js on the fly
Galeon users can select "Settings" -> "Allow Java" or "Allow JavaScript". I didn't see anything in Mozilla.


hence this prefbar.
the pref is buried in Edit > Preferences > Advanced. this prefbar, which kicks ass btw, allows quick modifications of just about any pref, among other things.

rojaro
l33t

Joined: 06 May 2002
Posts: 732

Posted: Wed Sep 18, 2002 7:48 pm

yeah, prefbar rocks ... especially those little features which allow changing the useragent on the fly and enabling/disabling popups and java
_________________
A mathematician is a machine for turning coffee into theorems. ~ Alfred Renyi (*1921 - †1970)

rac
Bodhisattva

Joined: 30 May 2002
Posts: 6553
Location: Japanifornia

Posted: Wed Sep 18, 2002 9:43 pm

@rizzo re: my Windows virginity. Actually, I did use Windows 1.0 or 2.0 (definitely pre-3.1) for about six weeks once in late 1988, because it was the way to get PageMaker running on the DOS machines at work.

rojaro wrote:
so if one's scared about "new" technologies like javascript as in our example (or .NET, Java, C++, Perl, PHP etc), one shouldn't use computers at all

As Naan Yaar pointed out (probably more eloquently than I am going to here), there are differences, and it's the mode of deployment that bothers me.

.NET I don't know enough about to evaluate, but I understand the rudiments of SOAP and XML-RPC, and as much as I admire Dave Winer (I bought Frontier 1.0, still have the cow-skull T-shirt to prove it, and was a rabid Frontier hacker and evangelist for a few years), and as cool hacks as they are, the security of those protocols does indeed give me cause for concern.

Java has security built into the design of the language. The privilege system is strong, the sandbox is part of the VM, and illegal instructions and buffer overflows and such are avoided by disallowing pointer access to raw memory. Comparing Java and Javascript (just in case anyone following this thread is unaware of the history, JavaScript (I think it was called LiveScript originally) was a Netscape thing and has absolutely nothing whatsoever to do with Java - some marketroids at Netscape decided that putting "Java" in the name made it sound better) is a good exercise. Java was designed to run untrusted code in a secure manner. Javascript is designed to allow authors of web pages to remotely control operation of the browser's software.

As far as C++, Perl and PHP go, where they are used on the web, they run on the server. I see only the HTML that they output. HTML is not code that executes on my system. HTML is data that is rendered by my browser. There is no security implication. If you are referring to security problems on the server side, this is a different discussion (and I will be glad to have it somewhere, if you wish).

Many security exploits refer to the ability of a remote attacker to execute arbitrary code on the exploited machine. If I compile and install source code with "emerge", I am choosing to trust the Gentoo ebuild maintainer, and whoever runs the mirror I am downloading from. There is accountability of a sort - if there is a problem, I know where to turn to report it, and I have the source code so that I can figure out what is happening.

If I open a URL in my browser, it will give me a file to save on my system and do whatever I want to do with it, or it will render HTML in a window for me. If I have Java enabled, it may download some applets and run them in a sandbox. If, on the other hand, I have Javascript turned on, the simple act of accessing a URL with my browser potentially gives the author of that web page the ability to execute arbitrary code on my computer under my username with the privileges of that account. That is not acceptable to me.

I don't care if it makes the browsing experience less rich or easy. For example, I have to type the smilies in my posts, because clicking on them doesn't do anything. Any website that makes some content only available if a browser has enabled Javascript is poorly written, IMO, and I avoid them. Sometimes I write them a letter explaining this position.

Note that I am not trying to eradicate Javascript from the face of the planet. If people want to use it, and people want to write it, that's fine. Where I get angry is when people who create web pages choose to block access to people because they do not enable Javascript, even when there is no good technical reason for doing so. Case in point: Javascript menus that do not degrade to normal HTML links. I see absolutely no reason for this except rudeness, laziness, or ignorance.
_________________
For every higher wall, there is a taller ladder

All times are GMT
Page 1 of 2