arkenfox / user.js

Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening
MIT License

sticky: extensions #492

Closed Thorin-Oakenpants closed 5 years ago

Thorin-Oakenpants commented 5 years ago

previous threads #294 #211 #12 woo... the old issue of 294 is a palindrome of this issue 492 ... spooky :ghost:


Use this issue for extension announcements: new, gone-to-sh*t, recommendations for adding or dropping in the wiki list 4.1: Extensions. Stick to privacy and security related items

:small_orange_diamond: possible additions

:small_orange_diamond: nah feel free to discuss

...

claustromaniac commented 5 years ago

I think another decent candidate for a [tools] section would be uBO-Scope.

Well, if the idea is to separate privacy/security-related but non-protecting extension into a separate list, then any extensions like the legacy SSleuth would belong in there too, right? BTW, I kinda miss SSleuth.

Just-me-ghacks commented 5 years ago

3P Request Blocker - Page not found

practik commented 5 years ago

re https://github.com/ghacksuserjs/ghacks-user.js/issues/294#issuecomment-388491739

Forget Me Not … work very unreliable

@crssi , do you remember what problems you found with FMN? I ask because I've been trying it out for about a week (after using Cookie AutoDelete for nearly a year), and so far FMN has been just as good as CAD, in some ways even better. What should I be watching out for?

Atavic commented 5 years ago

@Just-me-ghacks https://addons.mozilla.org/en-GB/firefox/addon/tprb/

crssi commented 5 years ago

@practik Yes. What I found back then is that FMN worked well until it decided not to. It was very random, sometimes a few minutes after browsing, sometimes an hour or so, but at one moment it stopped deleting cookies, until FF restart. Since I have not returned to FMN for months now, it might already be sorted out. I would say for you to just check, every once in a while, whether cookies are removed as they should be. Cheers

practik commented 5 years ago

^^ !! That's bad. But it hasn't done that for me so far. Hopefully it is sorted out, it's gone through a few updates since you tested it. I'll keep an eye on it. Thanks!

grauenwolfe commented 5 years ago

Whoa, Luminous looks like it could be badass. Anyone using it already?

Atavic commented 5 years ago

I have it on an install used for unlogged browsing (like no github or webmail) only.

I block events like beforeunload and all the events related to mouse movements, like mouseover, etc.

See: https://gbaptista.github.io/luminous/doc/en-US/

grauenwolfe commented 5 years ago

@Atavic Very down-to-earth but still entirely thorough documentation. Hopefully it can actually help me deal with all of the internet's rampant annoyances. Probably try it out soon on another machine and see how it does.

Thorin-Oakenpants commented 5 years ago

BTW, I kinda miss SSleuth.

So no idea when or what SSleuth Web Ext will look like

claustromaniac commented 5 years ago

Ah, great. I was about to mention that I renamed my repo and now the link to Detect Cloudflare PA should be broken, but it seems Github is smart enough to redirect folks to the new URL. :tada:

I still want to mention that I went ahead and listed it on AMO. Traktofon seems to be MIA or something, and I was bored, so I also added a toolbar icon to it and made the address bar icon optional, among many other thingies.

So far it works great for me. The only significant issue left to fix seems to be that it can't always behave as expected when the backward or forward navigation actions are used, but that one seems kinda painful to fix compared to the other issues that I already fixed. I may eventually work on that, though.

Anyway, I thought you may want to know.

:jeans: : modified the wiki to only point to your fork - its not really a fork anymore IMO

Thorin-Oakenpants commented 5 years ago

^^ your github readme needs to link to your AMO, preferably at the top and before linking to Detect Cloudflare

"This extension neither collects nor shares any kind of information whatsoever." <- needs a privacy header?

Also AMO can have a policy page: see https://addons.mozilla.org/firefox/addon/canvasblocker/privacy/ which is nice for those who don't come visit you at github ahh, I see you have been busy

claustromaniac commented 5 years ago

its not really a fork anymore IMO

What would you call it?

edit: Thorin: it's more of a spoon, or a fork spoon hybrid .. a spork if you will

edit: claustro: :rofl:

^^ your github readme needs to link to your AMO, preferably at the top and before linking to Detect Cloudflare

There was already a link at the top, but not in the readme. People seem to ignore those, though...

Edit: Thorin: people seem to ignore those... which is why I mentioned it

edit: claustro: aight, thanks. BTW I kinda like this kind of conversations with edits - it's akin to whispering... except everything gets recorded anyway. Like, say, whispering on the phone.

"This extension neither collects nor shares any kind of information whatsoever." <- needs a privacy header?

Added :heavy_check_mark:

Kraxys commented 5 years ago

I would like to recommend 3 extensions:

1) The 2 natural companions of I think every meticulous proxy or vpn user:

With these 2 addons you can make your system time zone and wifi geolocation be in accordance with the IP geolocation and local time zone of the proxy/vpn server you are using. Not a one-click process, though. But this avoids increasing your entropy by wearing a Russian IP and at the same time a system wifi geolocation and date settings that show you near Melbourne.

2) BP Block Font Fingerprint: https://addons.mozilla.org/en-US/firefox/addon/bp-block-font-fingerprint This extension avoids the detection of any font or any unique glyph, without impairing the appearance of the page (as setting the pref browser.display.use_document_fonts to 0 does).

crssi commented 5 years ago

0 font detection will make you unique for sure.

earthlng commented 5 years ago

re: BP Block Font Fingerprint:

0 font detection will make you unique for sure.

not only will it make you pretty unique because very few people use something like this extension, the extension itself also has several flaws.

  1. it comes with an absurdly long list of domains it considers "trusted" and which it allows to detect fonts if they want to. Among these domains are pretty much all google domains, twitter, facebook to name but a few ?!?!
  2. it's easily detectable if sites cared to look. The functions it uses to overwrite certain things can be read
  3. it's easily blockable with a CSP that doesn't allow inline JS in which case it's completely useless

but thanks to this extension suggestion I looked at fonts again in general and I found some things which I think we need to improve in the user.js. I'll open a new issue to discuss them

Kraxys commented 5 years ago

@crssi & earthlng I agree concerning the unicity created by BP Block Font Fingerprint. And thanks in particular to earthlng for making clear this extension had some fundamental flaws.

What's your opinion concerning my suggestions about Change TimeZone and Location Guard, in order precisely to diminish the entropy raised by using a vpn/proxy server having time and location characteristics other than those of the system's user?

For location, blocking geo wifi in preferences may be considered as sufficient (except if the browsed site mandatorily wants geo wifi data, a case where the use of Location Guard could be useful). But not geoblocking and instead spoofing geo wifi with Location Guard according to the proxy server used puts the user on the safer side from the point of view of spoofing: the location provided by the proxy server IP is in that case confirmed by geo wifi data sent by the browser, so reinforcing its likelihood.

Concerning Change Timezone, this extension solves a sharper problem, as there isn't anything in FF's preferences like "don't send any date time-zone data" (as was the case for location with the blocking geo wifi preference). Blocking these data from being sent could maybe be achieved with some uMatrix or NoScript setting, but it then raises a unicity flag, as not letting the browser send them is not a common behavior.

Atavic commented 5 years ago

https://github.com/dessant/clear-browsing-data seems rich in options. Do they cover anything interesting?

Kraxys commented 5 years ago

Clear Browsing Data seems interesting. But after installing it, it seems able neither to clear browsing data when the browser closes, nor when it starts. Only during the browsing session.

In order to sanitize a browsing session as soon as it begins, there is StorageErazor: it clears Cache, Local Storage and IndexedDB each time the browser starts. The IndexedDB clearing is important, since 1) blocking IndexedDB in FF preferences breaks some sites 2) Cookie AutoDelete doesn't handle IndexedDB.

Maybe Clear Browsing Data and StorageErazor may be seen as complementary to each other.

practik commented 5 years ago

StorageErazor: It clears Cache, Local Storage and IndexedDB each time the browser starts. The IndexedDB clearing is important

Actually, you can do this without any extension simply by setting Firefox to clear "Offline Website Data" on shutdown (see section 2803 of ghacks-user.js, or https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/issues/171#issuecomment-376807286).

Kraxys commented 5 years ago

@practik: Thanks for this information. I didn't know checking "clear Offline Website Data" erased IndexedDB. This strongly reduces the usefulness of StorageErazor, but I will nevertheless keep this addon enabled and "clear Offline Website Data" checked, as the second works when the browser closes, and the first when it starts, so that I'm absolutely sure to begin each browsing session on a neat basis :)

Other addons I suggest are the ones permitting to block Authentication. According to ip-check.info:

"Many browsers allow web sites to send hidden authentication data to third party sites. Example:

This may either happen directly on the current page or in an iframe, and does NOT need JavaScript. If additionally iFrames and JavaScript are used, even the currently loaded page may get your ID. This data is deleted when the browser is closed, but, except for this, has the same effect as third party cookies.

Your browser should not send any HTTP authentication data to third party sites.

Currently known to be affected are: Chrome, Safari, Firefox".

I don't know whether or not all that is completely up-to-date, but if it remains true, I think it would be wise to prevent tracking via Authorization.

I currently have found 2 addons permitting that: Authentication Tracking Blocker and Block Http Authentication

Notice that blocking Authentication is one of the features of Chameleon, too. This addon has many other interesting features (such as optionally spoofing time, screen size and ClientRects), and while using it may increase entropy, I think that when properly used, it can in fact reduce it (e.g. when spoofing your system time according to the time of the proxy server you are using, or when spoofing screen size with the most common ones for desktop PC, such as 1366x768 or 1920x1080).
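The kind of check an Authorization-stripping extension like the ones named above would run in its webRequest handler, added here as an example (not code from the thread or from any of those extensions); it assumes Firefox-style `details` objects with `url`, `originUrl` and `requestHeaders`, and approximates the registrable domain by the last two host labels instead of the Public Suffix List.

```javascript
// Added example: the check an Authorization-stripping WebExtension would run
// in its webRequest handler. Not code from the thread or from any of the
// extensions named there. Assumptions: Firefox-style `details` objects with
// `url`, `originUrl` and `requestHeaders`; registrable domain approximated
// by the last two host labels (a real extension would use the Public Suffix
// List, so e.g. *.co.uk hosts would be compared wrongly here).

function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  return labels.slice(-2).join(".");
}

// A request is first-party when its host shares a registrable domain with
// the document that issued it. Requests without an originUrl are top-level
// navigations, where there is no embedding page to leak credentials to.
function isFirstParty(details) {
  if (!details.originUrl) return true;
  const reqHost = new URL(details.url).hostname;
  const originHost = new URL(details.originUrl).hostname;
  return registrableDomain(reqHost) === registrableDomain(originHost);
}

// onBeforeSendHeaders-style handler: drops Authorization from third-party
// requests so a cached HTTP auth credential cannot act as a cross-site ID,
// and leaves first-party requests untouched (logins still work).
function stripThirdPartyAuth(details) {
  if (isFirstParty(details)) {
    return { requestHeaders: details.requestHeaders };
  }
  const kept = details.requestHeaders.filter(
    (h) => h.name.toLowerCase() !== "authorization"
  );
  return { requestHeaders: kept };
}

// Constructed sample requests (not captured traffic): a page on example.com
// embedding a tracking pixel from another site, and a same-site API call.
const thirdPartyPixel = {
  url: "https://tracker.test/pixel.png",
  originUrl: "https://www.example.com/article",
  requestHeaders: [
    { name: "Host", value: "tracker.test" },
    { name: "Authorization", value: "Basic dXNlcjpwYXNz" },
  ],
};

const firstPartyApi = {
  url: "https://api.example.com/me",
  originUrl: "https://www.example.com/article",
  requestHeaders: [
    { name: "Host", value: "api.example.com" },
    { name: "Authorization", value: "Basic dXNlcjpwYXNz" },
  ],
};

// In an actual extension the handler would be registered like this; guarded
// so the file also runs under Node without the browser namespace.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onBeforeSendHeaders.addListener(
    stripThirdPartyAuth,
    { urls: ["<all_urls>"] },
    ["blocking", "requestHeaders"]
  );
}
```

Note that this only prevents the browser from reusing a credential on cross-site requests; it does not stop a third party from issuing a 401 challenge in the first place.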

crssi commented 5 years ago

@Kraxys do you have any example site using Authentication?

Atavic commented 5 years ago

Here the headers are described.

crssi commented 5 years ago

@Atavic thank you, but I didn't mean a description, but a real case site using it. :smile:

Atavic commented 5 years ago

I haven't seen any, you got to use Fiddler, Charles Proxy or similar tools to debug headers responses.

crssi commented 5 years ago

Using Fiddler here for years (now you made me look at Charles Proxy, which I had never heard of before :smile:) and also found one at https://www.amainhobbies.com/ over XHR. Interesting at this site is also that login doesn't work when EvilCorp analytics is blocked.. WTF.

Atavic commented 5 years ago

Charles is not free and has a Mac version. Privoxy is another proxy that changes or crunches headers.

sanjayen commented 5 years ago

Please change the Decentraleyes rules to add to uBlock Origin URL to https://git.synz.io/Synzvato/decentraleyes/wikis/Frequently-Asked-Questions#for-umatrix-and-ublock-origin-non-easy-mode-users

Thorin - Thanks, done :+1:

Thorin-Oakenpants commented 5 years ago

@earthlng .. FYI: https://github.com/FirefoxBar/HeaderEditor/issues/45 resolved, for you to check out/test or whatever

claustromaniac commented 5 years ago

Block Cloudflare MITM Attack seems to have reincarnated about a month ago, by a different author.

This one works differently than the previous one. I wonder how long it will last this time.

Thorin-Oakenpants commented 5 years ago

OT: Interesting read

Atavic commented 5 years ago

^ There's an SSL Scan giving the full Certificate's chain: https://www.htbridge.com/ssl/ ...and the Web Scan seems good, too.

ghost commented 5 years ago

Hi,

I'm concerned about font fingerprinting and I'd appreciate your advice about a Firefox extension called BP Block Font Fingerprint.

I do have:

// 1401: disable websites choosing fonts (0=block, 1=allow)
user_pref("browser.display.use_document_fonts", 0);

nevertheless, Browserleaks' Font Fingerprinting shows Fingerprint for JS Fonts (unicode) and Fingerprint for JS Fonts (classic)

even if, JonDonym IP check shows Fonts - 4 installed fonts have been found on your computer. - good

When using the above mentioned BP Block Font Fingerprint no Fonts appear nowhere. I'd appreciate your opinion on this extension. Thanks.

Thorin-Oakenpants commented 5 years ago

I checked this out recently, and it just breaks web pages - it seems to disable JS or something. I couldn't actually get the browserleaks page to work with the extension enabled. And I didn't bother to dig any deeper because at the end of the day I think this makes you SUPER unique (54 users)

https://addons.mozilla.org/en-US/firefox/addon/bp-block-font-fingerprint/reviews/

Breaks JavaScript entirely - sad

sad, sounds like Trump :grimacing: . Anyway, I'm also concerned by this, and Client Rects, as high entropy items that need addressing. The only way to win against these two, is via numbers in RFP, IMO.

ghost commented 5 years ago

I think this makes you SUPER unique (54 users)

yeah, I had that in mind too, this entropy you often mention here. Seems to me this only dissuades from using the extension should it be harmless on the js scale.

I read the review about this extension mentioning it broke JavaScript entirely (sad! sounds trumpy when in fact it's basically a popular wording!) but I didn't understand exactly what that could mean once I had tried the extension and observed no broken javascript... I also had a look at the extensions script itself and noticed exceptions were handled for so-called trusted sites including google, apple ... that disturbed me a bit.

OK, got your advice, clear. Thanks @Thorin-Oakenpants

Thorin-Oakenpants commented 5 years ago

I'm not 100% on the uniqueness. I don't think it gives everyone's glyphs the same value. The question would be does this make you less unique than without? But TBH, without being able to get the test to work and the JS comment, I decided it wasn't worth looking at anymore - and I'm leery of too many extensions causing conflicts (eg. CSP).

earthlng commented 5 years ago

@StanGets see my comment here

There are also still problems/limitations with WebExtensions that effectively allow sites to do things without extensions being able to do anything about it

ghost commented 5 years ago

BP Block Font Fingerprint had already been evoked and discussed on this very thread. I wrote too quickly. Comments and yours in particular, @earthlng confirm that at this time the extension is not worth being installed. I had tested it only, quickly before uninstalling it and coming here because I was wondering if I was right to ... remove it.

Fast, quick, speedy... always running, should have checked. Thanks @Thorin-Oakenpants and @earthlng

garywill commented 5 years ago

That BP Block Font Fingerprint seems not FOSS

License All Rights Reserved

I can't find source code link

earthlng commented 5 years ago

you can just download the addon, extract it and inspect the source code

atomGit commented 5 years ago

AbsoluteDoubleTrace (aka Trace) - repo - AMO

looks interesting - under heavy development

An extension to stop multiple advanced tracking techniques employed by websites all over the web.

Thorin-Oakenpants commented 5 years ago

Trace can protect against:

Wouldn't touch it with a barge pole. It's trying to do too much and will probably cause other extensions to fail (rolling the dice).

Some of this is already covered by FF (beacons, some SB & TP), and quite frankly, blocking should be a separate item/mechanism: uBO & uM to a degree with hosts lists (crypto miners, bad top level domains, specific tracking cookies - who's providing this info?).

Canvas is already covered by RFP and/or CanvasBlocker (which is thoroughly proven and tested over years). ETags we already have covered, and I would rather promote a more useful extension such as header editor which can do more.

What is "Chrome Header Tracking"? If this is also an extension in Chrome, then count me out - often building for both chrome and firefox means code issues = leaky shit, bad code/api-design decisions (can't link to anything but kkapsner knows what I'm talking about).

I could go on. Might be interesting to check out how things are mitigated code wise, but these AIO's are never a good idea IMO. It's also a single point of failure. I would rather an extension focused on a single aspect and did it damn well.

Thorin-Oakenpants commented 5 years ago

^^ and sheeshus h christ .. just like everyone else starting out, they get basics wrong (leaking navigator objects, look at the closed issues) .. and the whole UA randomizing thing is such a turn off. Even chameleon is constantly patching "holes" with this. Sure it takes time for a product to mature. But why rely on one person when you've had years and many people looking at this already - Tor Uplift!

atomGit commented 5 years ago

no disrespect to the dev or what he's trying to do, but i'm glad you said that - one less thing to worry about

and yes, i know much of what is covered in Trace is covered by other necessary add-ons, but i don't know what all the dev is gonna do with this - i had it installed but with all the lists and some other stuff disabled

Thorin-Oakenpants commented 5 years ago

I'm actually thinking of dropping CanvasBlocker myself. ClientRects() is the only thing it adds for me (and the FP'ng threat of that is remote - control your JS people!). edited: actually, CB covers some canvas that RFP doesn't, I forgot about that

I'm also considering NOT recommending Cookie Auto-Delete. I don't understand why people remove cookies but leave behind orphaned data, and the removal of a cookie probably affects how FF cleans internally. CAD does not cover your ass in any way with cache, IDB, SW cache, appCache.... sure, appCache is rare and we kill it via a pref. Edit, and sure you can clean on close, but the whole point of CAD is that it cleans after you close a domain, so that argument is a load of BS, IMO

I still think the best ever solution is to block all cookies and whitelist using FF's internals - because IDB is severely lacking in control (by host, by time range) and has been since forever. I'm hoping NGLS fixes all this - https://bugzilla.mozilla.org/show_bug.cgi?id=1286798

Daystar1998 commented 5 years ago

Also, wouldn't Temporary Containers in auto mode plus FPI prevent most of the issues with keeping cookies, cache, IDB, etc. thus minimizing the need for an auto-deleter such as CAD? Especially when combined with using a whitelist for cookies. Or am I misunderstanding something with how containers and FPI work?

crssi commented 5 years ago

@Thorin-Oakenpants

control your JS people!

That is almost easy for you... geeks, but not for ordinary users. :smile_cat:

@Thorin-Oakenpants and @Daystar1998

From my observation (I am using FPI+TC auto mode)... still there are some cookies left behind and CAD deals with those. It might be that a new TC doesn't pick up those leftovers, but I haven't tested that... yet.

Thorin-Oakenpants commented 5 years ago

@Daystar1998 Yes. TC can clean by a contextId API thingie which means IDB is cleared. I'll see if I can dig it up .. ahhh https://github.com/ghacksuserjs/ghacks-user.js/issues/395 (in first post)

Temporary Containers only uses one API to remove data, and that is contextualIdentities.remove - which removes all userContextId tagged storage (including IDB).

And as stoically says, a new container id = a new clean cookie/persistent data etc, anyway. Pays to configure TC to what suits you best. If you're re-using containers then you need to understand the pitfalls of that

Edit: I do not use TC, so I do not know what "auto-mode" means

Thorin-Oakenpants commented 5 years ago

@crssi "and still there are some cookies left behind and CAD deals with those"

Maybe you should look at why those cookies remain. If those cookies are no threat due to always starting a new container, then there's no need for CAD, just clear them on close. Seriously, cookie extensions cause way more problems than they could ever solve.

Daystar1998 commented 5 years ago

Automatic mode in TC means that it automatically creates a new temporary container when opening a new tab. This can be enhanced by setting it to open a new temporary container on navigation though there are a couple exceptions where it won't work as mentioned here https://github.com/stoically/temporary-containers/wiki/Isolation-Notes