Privacy Leak in Mozilla and Mozilla-Based Browsers
Mike S. writes "Mozillazine has pointed users to this story at ZDNet UK which breaks the news about a privacy bug discovered in all Mozilla builds up to and including 1.2a as well as browsers based on Mozilla such as Netscape 6/7, Chimera and Galeon.
The bug allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field. This page has a demonstration of the bug and instructions on patching it via a user.js file."
...is that the bug has apparently been a known one for months, and still hasn't been repaired.
I love Mozilla. I use Mozilla. This just troubles me greatly. Even now that it's known, I haven't heard anything about a fix. Hopefully it'll be arriving shortly, because I like my privacy.
Should it be fixed? Yes. Is it a big deal? Not unless you're doing something nasty. Bottom line is that I don't really care who knows what websites I go to, because I keep my web accesses legitimate and vanilla. Who's got time to crack, pr0n, or spod when trying to raise a family? Geesh.
"He who would learn astronomy, and other recondite arts, let him go elsewhere. " -- John Calvin, commenting on Genesis 1
Do not link to BugZilla from the front page. Not only is it extremely impolite to overload their system with a bunch of hits from people who have no actual interest in the page, but they have disabled links with a slashdot referrer anyway. I'm sure some clued person will go to the bug report and relay any pertinent information in the comments anyway.
People will tell you to disable Javascript altogether for protection, but it's better to just disable the onunload event. Just put the following line into your user.js file:
user_pref("capability.policy.default.Window.onunload", "noAccess");
You won't miss those onunload events anyway :)
"Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
I very highly doubt that any site that I visit will be exploiting this bug. Who would waste the time to do this when only about 1% of their visitors will be susceptible to the user tracking. Yeah, I am concerned about privacy, but is this really news? Thanks /. for keeping me informed.
I do everything in Mozilla in tabs. I open new sites in tabs, I'll even load other pages in tabs (middle click is your friend). As a result, they can't spy on me, because I don't go anywhere in that tab once I get there. If (and that might be a pretty big if) that is how you do your browsing, this bug isn't a big deal.
Bryan
It always bemuses me that people seem to think these things are new. Tracking exits is relatively simple and as for how people access your site, just check HTTP_REFERER. Typed URLs and bookmarks show no referer, links show you who sent them to your site. Granted, it's not 100% infallible, but it works on any browser. I'd rather trade 80% accuracy 100% of the time than 100% accuracy on 5-10% of hits.
From time to time, it still amuses me to be watching the logs while I'm chatting to a visitor via Messenger and tell them what system they're running, what their screen res is, color depth, what enabled/disable features they have and the path they've taken through the site. If you're really that bothered, JavaScript even lets you track their mouse's movement around and how they scroll up/down the page and then play it back on your own PC, telling you things like how fast they read and what they paid attention to.
apparently this bug has been exploited by doubleclick, who provides the ad services on slashdot.
Unfortunately, it turns out it's just less secure, because hackers and script kiddies can look right there at the source code and figure out how to break into the system.
Is it possible that Microsoft is funding the project to under open source? Is it possible that the only reason the Mozilla project got done so fast is that it had Microsoft money backing it? Hmmmm... something to think about
Guess what? I got a fever! And the only prescription.. is more cowbell!
At least for me. I tried the windows enigmail on 1.0a, 1.1a, and now 1.2a, and none of them work. GnuPG is installed in c:/gnupg where it belongs... I thought this shit was supposed to be seamless.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
.. how many people are saying "no big deal". If the article stated:
"The bug in Internet Explorer allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field"
you would hear a plethora of privacy zealots bitching and moaning how this is typical M$ practice and blah blah fucking blah.
Because of a /. article and because I'm OS/Software agnostic, I tried Mozilla 1.0 which was a horrible product. I could repeatedly lock up the browser simply by going into the preferences. Maybe it's been fixed in 1.0.1, but I'm not willing to waste my time, especially since IE runs just fine.
I have excellent Karma, so if you can't handle the truth, mod me down, I don't give a shit, I'm just sick of the "hippicratical oath" /. editors have taken.
Live web cams
Don't you mean "Make up my mind slashdot!"
(Duh. Cars are secure [locks built in] or insecure [can lock up on slippery roads and crash]... personally I use them, but I really wanna know... should I drive or not?)
It's more or less the inverse, this bug enables the referer to know where they referred you to.
Of course, if you really wanted to do that then in most cases you'd just set up a bounce script on your server, much like freshmeat does, so that it would work on anyone.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Is that as breaches go it is a fairly minor one with a trivial workaround, yet it remained confidential in bugzilla.
If it isn't a big enough security hole to warrant instant attention then it should not be hidden in bugzilla, so anyone can have a whack at fixing it.
The YOU online updater in Yast has been set up to automatically download and install the patch for a coupla months now. Of course, it only applies to the default 0.98 Mozilla version included with the distro, but for those who haven't upgraded, it's there.
THE GOOD HUMOR MAN CAN ONLY BE PUSHED SO FAR
Bart Simpson on chalkboard in episode 2F18
Yea. So should Referrer be removed from existence.
I respectfully disagree. Without the Referer: header, how is a developer supposed to know whether or not somebody else is leeching his bandwidth by linking directly to an image or to a large zip file, so as not to run into problems with metered bandwidth?
Will I retire or break 10K?
Well, this just proves my point. Javascript should be disabled. (check my older posts, it's there somewhere).
Anyhow, I think everyone should look into Privoxy [privoxy.org]. In my setup, I have all on(un)load tags removed, and the referer forged to report it as the root of the current server.
It's quite nice. You simply setup a regex to replace/remove any HTML, you can configure that feature on a site-by-site basis, and do so using a simple web-editor.
So, check it out, and take back full control of your browser.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
[If the article stated:]
"The bug in Internet Explorer allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field"
you would hear a plethora of privacy zealots bitching and moaning how this is typical M$ practice and blah blah fucking blah.
I am not so sure.
When Brian Valentine's email was leaked to the Register, I was amazed how many people on /. said, "It looks like a normal sales memo-- no big deal" when the Register was using it as evidence of the Vileness of Microsoft(tm).
In general I think slashdot is a bit more diverse than you think.
LedgerSMB: Open source Accounting/ERP
The last few builds have introduced more bugs than ever. It seems to me that spangly new features are being introduced at the expense of the browser's stability and performance.
For instance, the new keyboard stuff in 1.2a (ok, it's an Alpha I know), had screwed up Javascript's keydown events - the browser intercepts them first, then passes the event to the scripting engine so if a key is held down you get the annoying error "bell" as the buffer is filled. Keyboard events->javascript is/was also broken completely in the Mac/Linux port from 1.1. 1.2a is also slower than 1.1 at rendering dynamic content - especially content that involves keyboard input (like games) due to the problem above.
Also when will they fix the damned image clipping bug in linux that's been there for 2 sodding years now?!! For those who haven't seen it, when clipping an element containing images that have transparency, everything except the images will be clipped, completely ruining the layout of dynamic scripts.
I guess no-one wants to work on the boring stuff like making it work when there's sidebars, tabs and themes to be had...
</rant>
Code, Hardware, stuff like that.
The latest reason to switch to Konqueror.
Two checkmarks, and I think PROXO kills this onload/onunload crap dead. Doesn't everyone use it?
(Why don't < and > work when I select "Plain old Text"?)
1. Use the Preview button to avoid submitting comments with mistakes.
2. According to this FAQ page, Plain Old Text only converts newlines to <br>. You're looking for Extrans, which also escapes &, <, and >.
If you think that all that matters is whether the /. community thinks something is secure or not, then you are looking in the wrong place.
In the real world, there will always be security problems. The real issue is the scope of those problems. I happen to think that Mozilla and open source software in general tends to be more secure (aside from old versions of BIND and all versions of Sendmail).
If security is what you want, do a risk assessment, and look at the actual ways that different products will mitigate those risks. If you use Linux because it is "More Secure" then you are asking for trouble. So, you need to make up your own mind and determine what you need to do.
In other words, don't follow someone's opinion until you understand why they think that way and whether it applies to your situation.
Eh.. it's not that bad of a bug, but I patched it already. I love Mozilla it's so great. You get everything that every other browser has PLUS more. And it's open source! What more could you ask for?
-------
"In times of universal deceit, telling the truth becomes a revolutionary act."
-- George Orwell
It's more or less the inverse, this bug enables the referer to know where they referred you to.
Grandparent was talking about the CGI scripts used to track users who click an outward link on a web site. (Some Slashdot users abuse those scripts to create a link that appears to go to Yahoo! but really goes to Goatse.cx.) However, this bug in Mozilla gives a site's scripts access to a clicked bookmark or to a URL entered in the location bar.
The demonstration doesn't work for me.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2a) Gecko/20020910
Maybe it's something about the way I'm using tabbed browsing, or my cache settings (once per session), but I can't get the demo to work at all. It always gives the URL of the demo as referer.
Yes, I have cookies enabled (though I limit their max lifespan).
Weird.
Cut that out, or I will ship you to Norilsk in a box.
Well, that's why you put things on the web (a public forum)... For other people to point their browsers at.
But when other people link directly to non-HTML files, your advertisers don't pay you. That's why GameFAQs.com allows linking only to HTML pages.
I happen to run junkbuster - you get no stinking Referer from me.
Many popular download sites (fileplanet, gamespy, gbadev.org, etc.) happen to run a leech script - you get no stinking cool apps from them.
For this demonstration, the image loaded is really a script that sets a cookie with the request referer.
I just said "no" to the cookie dialog and that appears to have broken the example.
If you're going to raise a stink about your browser's security, why are you accepting any and all cookies?
I looked at my settings, and was amused to find that I had disabled javascript's ability to create/mess with cookies. I'm happy the Mozilla team partitioned the javascript functionality like this, because (it appears anyway) that until a bug fix is available, you only have to disable this one aspect of javascript.
How in the hell do you go from funny to offtopic, when the post is clearly related to the one that is funny?
user_pref("capability.policy.default.Window.onunload", "noAccess");
while you are at it, throw in these to stop pop-ups:
user_pref("dom.disable_open_during_load", true);
user_pref("dom.disable_open_during_close", true);
If you care to follow that link...
Just in case you're not being funny, Google out PAN (for pimp-assed newsreader).
I use Netscape 3.0.1 ONLY (check my referral) SAFE AS ALWAYS
All versions before 3.0.1 gold for mac and after 3.0.1 have security issues. (java, email, exploits, javascript, cookies, etc).
3.0.1 has no problems and the Mac OS 8.6 (also in use as I type this) also has no security weaknesses according to bugtraq.
I use many OSes, and many browsers for SSL related activities (rare), but only surf the net using 3.0.1
I said I would upgrade if ANY BROWSER LASTS 2 YEARS WITHOUT A SECURITY INCIDENT.
I have restated my vow every year since 1995.
And I laugh my ass off when IE and netscape have weaknesses in them that my trusted 3.0.1 browser is immune to. Too bad netscape did not ever release its source code, and only releases its stillborn buggy code to the mozilla effort.
Hurray for IE and Mozilla security defects! They vindicate my security aware habits!
Yet another reason 2 switch 2 Internet Explorer
If you use Chimera in OS X, browse to your:
/Users/*your username*/Library/Application Support/Chimera/Profiles/default/*salted name*.slt/ directory and edit the prefs.js file with vi, or BBEdit (which is the default editor on mine).
Add the line:
user_pref("capability.policy.default.Window.onunload","noAccess");
to the bottom of the file, save your changes and restart your browser. Careful of the space slashcode likes to put in there! There should be no spaces in the line you paste into the file.
Thats why there are these kinds of hacker problems everyday in the open source world. Every day. Now if the source were closed none of these problems would exist.
But why is it when its an IE bug, its a "Severe Security Exploit", and when its a Mozilla bug, its a "Privacy Leak"...
George Carlin said it best, that we think in language. Changing the rhetoric that is used to describe the problem doesn't change the problem. You can be Anti-Microsoft all you want, but that is worth NOTHING if the software that you choose to use exhibits the same problems, and you are not honest about them.
Again, I'm not taking Microsoft's side -- there aren't sides to take. Open Source software needs to be just as accountable as commercial software if it's to be taken seriously.
You are an idiot. While Netscape 3 may be bug free, it is nowhere near the current level of standards on the internet. Many sites use CSS, Flash, JavaScript, etc. that your pathetic browser does not support.
I say try Opera, they seem to be less bug ridden than Mozilla and IE recently!
After testing the bug site listed, it looks like this privacy leak doesn't actually follow you around, but, only reports the NEXT PAGE you look at.
I jumped around to various pages, and, it only recorded the mozilla.org link. AFAIK, you only get the very next page linked from the exploiting referrer.
So, unless slashdot is a participant in this scheme :), you would need a bunch of websites to be running this exploit and sharing data to get much info out of it.
Severity = TAFNAB
Honestly, this is a _NEWS_ site, not a list of programs you're supposed to use. So, there's some _good_ stuff out there about Mozilla, there's also some bad stuff.
Just be thankful it's open-source, because that means that there's a couple million people who can help fix it.
Karma: Non-Heinous
Opensource has the same problems as proprietary. It is irresponsible for opensource users to think that problems will be fixed *immediately*. Anyone who thinks that opensource is a be all and end all and all problems found will be fixed as soon as discovered needs their freakin head checked, then fired if their involvement has to do with a production environment.
I don't know about any of the rest of you, but I use galeon, and I tried a link, a bookmark and typing my own url. Each time returning to the page that supposedly demonstrates this exposure I got url=unknown.
I stopped the link page from loading, leaving the original URL in the url box, click there, hit enter, and voila -- no HTTP_REFERER!
Since I am so smart, obviously I am not a slashdot moron, the redirect doesn't apply to me, and neither does your comment! ppppphhhttt!
First of all, this does not allow someone to track where you're going but rather where you went. I know that sounds like nitpicking, but really it's the difference between a bug and a correct protocol implementation.
The method described is to check the referrer on requests sent to a particular server after the user has left a page on that server. Surprise! the referrer is now their current location i.e. where they went after your site.
Would you expect any different?
It's a matter of microseconds and request timing.
Ok, maybe they could make sure all requests generated by an 'onunload' event are handled before the request to the following page, but personally I would consider that a judgement call and not 'bug'.
Also, I've noticed people here don't seem to give a hoot that your entire history of where you came from can be far more easily tracked!
Here is an easy fix:
1. In Mozilla go to 'Edit | Preferences | Advanced | Script & Plugins'
2. Uncheck the following checkboxes: 'Create or change cookies' and 'Read Cookies'
After changing this go to the demo page again to verify! The demo will not work anymore.
it just needs to know whether the client is asking for .html or .htm .... right?
It needs to know if the request for a .png or a .zip came from within the site or from outside. That's only possible with HTTP's Referer: header. However, the Referer: header could be improved: reveal only the referring hostname, not the referring page.
We will not tolerate ourselves to look stupid while accusing other companies of leaving security holes for months, and then doing it ourselves. Do it again, and we will slashdot you again. And yes, we will defeat your referrer. Thank you, have a nice day. :)
Berto
"The bug in Internet Explorer allows a web site to track where you're going when leaving the site whether you use a link, a bookmark, or type a URL into the address field."
You would hear a plethora of privacy zealots bitching and moaning about how this is typical MS practice and blah blah fucking blah.
Because of a
I have excellent Karma, so if you can't handle the truth, mod me down. I don't give a shit. I'm just sick of the "hypocritical oath"
On XP, your user.js file goes in the following directory:
C:\Documents and Settings\\Application Data\Mozilla\Profiles\default\.slt\
(You will need to enable "Show Hidden File Types" in order to view the Application Data folder)
Just open up Notepad (or whatever) and create a new file, naming it user.js. In order to fix the privacy bug, all you need is the following line:
user_pref("capability.policy.default.Window.onunload", "noAccess");
Hope that helps!
...(like the subject says)...
I do not see how one is an idiot for maintaining operability with old technology. The wheel works fine for me, do you think the new Octagon wheel will be an improvement?
Saskboy's blog is good. 9 out of 10 dentists agree.
user_pref("network.http.sendRefererHeader", 0);
Yes, I agree with this guy. You are, indeed, a fucking idiot.
Any developer who puts the username and password in a URL should be shot. And any user who sees their password in the URL in plainsight and doesn't complain, or stop using the services, shouldn't be allowed near a computer to begin with.
See parent comment aboot Slashcode.
Big deal, they can tell where you are going. How's that a problem unless you are logging onto a site that has your name & address. After all tracking IP addresses and who uses them among millions of dialup users should stretch thin any org. And if they are that good, you are hosed anyway. Plus, that IP information should be protected by your ISP. Pffft :p
Heh. This post reminds me of the old Far Side cartoon. A caveman is trying to sell another caveman a car. In the background you see lots of Fred Flintstone-style caveman cars, each with square wheels. The car in the foreground has triangular wheels. The salesman is saying, "This new, improved model. Has one less bump."
Yeah, I'm off-topic. I'm way the fuck off-topic. I'm so off-topic, I'm not even going to mention the topic (although I could, just to stay topical). Mod me down if you want. I've got karma to burn, and I'm feeling grouchy and self-destructive.
I'd define the terms thus:
Privacy leak: lets someone else see what I'm doing or where I'm going. Does not let them see into my system.
Security exploit: lets someone else see the contents of my HD.
Severe security exploit: lets someone else *manipulate* the contents of my HD, pilfer my credit card number, or something else on that order.
~REZ~ #43301. Who'd fake being me anyway?
Conclusive proof! Making a disparaging comment about Mozilla-- or Linux, or Gnome, or KDE, or any of that shit-- is, prima facie, enough to get moderated down on Slashdot. Somebody threw this AC a downmod just because he said that one option-- and possibly the best one-- was not to use Mozilla.
I will mail one crisp new American dollar, postage paid, to the first person who moderates this comment down. Send your claim to foobar104@yahoo.com.
It isn't "Open Source's" fault. Slashdot is to blame. They are just extremely biased toward open source.
Slashdot really sucks nowadays. There are better alternatives. Check out
Quit Slashdot Movement.
So, I guess that this is another selling point that the OSS movement will use in the future to push OSS on everybody.
That you as an individual don't have to wait around for some slow lazy company who is only interested in receiving you checks to get off their duffs to write a fix.
Don't feel bad about being OT. It made me laugh.
In fact I'll follow in your fine tradition of making people laugh, and not mention how this fits in to the topic either.
Yeah, troll whatever..Truth is, if this was a story about a security hole in all versions of IE that had been known for months there would be 500 comments already. You really need to change your slogan to "MS SUCKS! LINUX ONLY MATTERS!". The slashdot community's bias is just as evil as MS's monopoly. Go fuck yourself slashdot for parading as a place for real news while in reality you all are nothing more than a bunch of linux cheerleaders.
-AC cuz I dont need a crap account.
Too bad I have to quit moz to get the prefs in. Isn't there a JS which can patch the hole without having to quit? Sucks.
I'm currently developing a javascript based framework that relies on a few open child windows. Creating a list of open windows has been done, but I'm not exactly happy with the codebase. This is my first experience with JavaScript. What method do you use for knowing which child windows have been open and their status?
Dacels Jewelers can't be trusted.
Nothing gets my goat more than having crappy software shoved down my throat with a "and you will like it" to wash it down.
I'm tons more willing to cut some slack to a free and open source project for a minor issue than to let off some corporation responsible for riddling my machine with security problems I can't uninstall-- and routinely refuses to fix in a timely manner.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
This is the correct link
The poster asks:
> But why is it when its an IE bug, its a "Severe Security Exploit", and when its a Mozilla bug, its a "Privacy Leak"...
And it is currently rated as "Score:5, Insightful".
I fear that Slashdot's moderation facility is being used by Microsoft as another FUD tool. While some posters try to moderate honestly, Microsoft astroturfers moderate each others' posts up, thus increasing their karma, and giving themselves more power to moderate.
There is no objective basis by which the above post could be considered "insightful".
In fact, the above post is completely stupid.
The post suggests there is something wrong when some IE vulnerabilities have been rated "Severe", while this Mozilla vulnerability is just rated as a "Privacy Leak".
Let's consider that.
Should this Mozilla problem be considered as "severe"? Hardly. As others have pointed out, providing the URL of the site you are going to is not that different from what all browsers have always done when they provide the URL of the site you came from. In fact, the problem is so minor that I am not even going to bother installing the fix until the next browser release comes out. When referring to this problem, the words "Privacy Leak" are, if anything, too strong.
On the other hand, let's consider some of the _19_ currently unpatched security holes in IE.
Here are some samples:
> Who framed Internet Explorer
> Description: Cross-protocol scripting, arbitrary command execution, local file reading, cookie theft, website forging, sniffing https, etc.
> MS JVM native method vulnerabilities
> Description: A collection of at least 10 different vulnerabilities in the MS JVM, escaping the sandbox, local file reading, silent delivery and execution of arbitrary programs, etc.
> WMP Stench
> Description: Silent delivery and installation of an executable on a target computer
> Java XMLDSO base tag
> Description: Arbitrary local file reading.
> delegated SSL authority
> Description: HTTPS spoofing, man-in-the-middle attacks, etc.
> document.domain parent DNS resolver
> Description: Improper duality check leading to firewall breach
> CTRL-key file upload focus
> Description: Local file reading, downloading and executing arbitrary code.
Arbitrary command execution? Local file reading? Escaping the sandbox? HTTPS spoofing? Firewall breach? Should any of those be considered "severe"? You betcha!
In fact, of the nineteen open security holes in IE, nine of them allow binary executable code to be run on your computer.
So clearly, the original poster is an idiot. Objectively, his post should be rated "Score:-1, Troll".
I would say that the posters who moderated his post up are even bigger idiots, but I don't believe that to be the case. Instead, I figure they're probably professional liars, being paid by Microsoft.
I agree with this post.
I tried the test and I think the problem is basically caused by the HTTP referrer field (as another post mentioned below). This isn't exactly a new exploit (from my understanding) but a function of the HTTP protocol that not many people seem to know about.
If you've got a windows machine you can get the Agnitum Outpost firewall. Not only is it a good firewall (Zonealarm screwed up my machine) but it can block ads, content (based on what sites you tell it to block) and can block referrers. You can also write plugins for the firewall to do other functions. (PS I don't work for these people - i just use and like the firewall)
Conclusive proof! You're a fucking idiot. Shut the hell up before you hurt yourself.
I find it unconscionable that such a gaping hole has been allowed to remain over a month... shame on the Mozilla team :(
You know, it really bothers me when a site designer can't be bothered to set a background color for the page, and just assumes the visitor's default window background is white.
People who do that need to be smacked around a bit.
People will pass up steak once a week, for crap every day.
You managed to discover the obvious.
Interestingly, the onunload fix suggested by the referred page breaks cbe (crossbrowser) features. Haven't had the time to look into exactly what breaks, but my (quite standard) popups stopped popping up...
Ah, now we see the violence inherent in the system. Come and see the violence inherent in the system. Help! Help! I'm being repressed!
Oh, what a give away. Did you here that, did you hear that, eh?.... That's what I'm on about -- did you see him repressing me, you saw it didn't you? See that?
----
Yeah, it's a sad day for slashdot when a post like yours gets modded -1 troll and the parent is +5 insightful. Almost makes me feel like creating a user name and doing some serious karmawhoring, but what kind of crap would a person have to spew to earn mod points from this bunch?
many popular leech scripts allow you to set the referer for when you want to leech those cool apps.
If it wasn't for referer the revenue streams of many Internet companies would disappear. And not just annoying stuff like ads and pop-ups.
Knowledge of traffic patterns and their journey is an important part of knowing how to promote your site. You can work with your cross linked sites to best position those links. For us the referer field is just as important as our hit counts, if not more so.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Not just the referring host.
I have, and never will have, any intention of mapping search terms to users but which search terms drive traffic to our site is a vital piece of information for us.
On a serious site search engine positioning is a daily job. Spending $50 on some shareware search engine submission program and running it the day you finish your web site just isn't enough.
The data we get from our referring page information is what helps us keep a top ten google position for our chosen key words.
I would guess that 90% of web design houses know next to nothing about web positioning. [which is great news for us :]
I wish Java, Javascript, Plugins, etc, etc had never been invented.
How many real uses of Java and Javascript are there? Remember the first few years of it - just about every home page had a hello world program on it. WOW! I'm really excited. It only took about an hour to download over my 28.8K modem, which was almost brand new at the time.
Anything remotely useful you can do in Javascript, I can do *better*, on the server, using PHP or Perl. Before you ask, I don't have to time to prove that, so please don't post URLs saying, "I bet you can't do that in PHP, it *has* to be done client side".
As for plugins, read this:
I DO NOT INSTALL PRE-COMPILED BINARIES FROM AN UNTRUSTED SOURCE ON ANY OF MY MACHINES.
An untrusted source means:
source != distribution CD
If you want me to use your plug in, GPL it, and give me the source. Then I will consider it. Until then, NO WAY.
So, if I visit a page that needs flash, and calls me an idiot for not downloading it already, I click back. End of story.
I browse without Javascript, Java and without Plugins. I don't visit sites that need them. Tell me what I'm missing out on.
Here's a good example - Slashdot is perfectly usable without:
Java
Javascript
Any plugins
Cookies
It even works fine in Lynx.
OK, you can't log in without cookies, but that could be implemented in other ways.
Opera lets you turn off the referrer entirely. I always use that, for privacy reasons. Besides, it lets me use the Bugzilla links that people say are designed to be inaccessible from Slashdot :-).
What good is the referrer supposed to do, anyway? I always found it disturbing to be able to see in my logs which IMAP folders people use with their webmail.
Some users need to use NTLM Authorization Proxy Server because their admins don't allow any client except IE:
Just add the two last lines at the beginning of the client_header_fix function in client.py:
def client_header_fix(self):
    """..."""  # docstring shortened in the post
    self.logger.log('*** Trying to fix client header...')
    # Remove referer so the upstream server never learns the previous page
    self.client_head_obj.del_param('referer')
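The effect of that patch on a raw request, as an added example that is not NTLMAPS's own code: a standalone filter that drops every Referer header (case-insensitively, including folded continuation lines) from an HTTP request head before it is forwarded. The sample request is constructed.

```python
# Added example (not from NTLMAPS): strip the Referer header from a raw
# HTTP request head, which is what the client_header_fix patch above does.

def strip_referer(request_head: bytes) -> bytes:
    """Return request_head with every Referer header (and any folded
    continuation lines belonging to it) removed; everything else is kept."""
    lines = request_head.split(b"\r\n")
    out = []
    skipping = False  # True while inside a Referer header's continuation lines
    for i, line in enumerate(lines):
        if i == 0:
            out.append(line)  # request line, e.g. "GET /page.html HTTP/1.1"
            continue
        if line[:1] in (b" ", b"\t"):
            # RFC 2616 header folding: this line belongs to the previous header
            if not skipping:
                out.append(line)
            continue
        name = line.split(b":", 1)[0].strip().lower()
        skipping = (name == b"referer")
        if not skipping:
            out.append(line)
    return b"\r\n".join(out)

# Constructed sample request, as a browser following a webmail link would send it.
SAMPLE_REQUEST = (
    b"GET /page.html HTTP/1.1\r\n"
    b"Host: example.net\r\n"
    b"Referer: http://webmail.example.org/mail/INBOX.Private\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(strip_referer(SAMPLE_REQUEST).decode())
```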
The real fix would be to have an option in the browser to wrap long text lines.
There are many hundreds of sites, mostly mail archives, that this would make readable. Expecting all of them to fix their code is nice, but it's unlikely to happen.
unmount is used by Syllable. As it also uses bash and GNU toolsets, his .sig is perfectly valid.
Bollocks to that. I telnet to port 80 and read the raw HTML with more! Who needs all these fancy hypertext things anyway?
The nice thing is that Mozilla has a workaround, one that basically kills off a whole potential series of exploits.
Another workaround for this bug exists that for some may be less draconian than disabling the onUnload Javascript handler. This *should* have the same effect as using a proxy that strips REFERER headers from your requests:
user_pref("network.http.sendRefererHeader", 0);
Placed in your prefs.js (or whichever .js file you want to store it in).
Cheers.
It seems there is a huge effort to invade privacy recently, and I wonder what purpose this effort serves?
When you click on a broken link and get an "oops!" page, remember that HTTP_REFERER tells the site where you came from, so that the broken link can be fixed.
It's standard on many of my sites to do this - it's a very good thing IMHO - improving customer experience is good, and we certainly don't CARE who you are!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Gaping even, huge even. At the moment it doesn't really matter. Mozilla has such a small % of the whole thing that even if someone did actually try to exploit it, they wouldn't get enough information to really use it.
Ah who the hell cares.
I repeat your own post back to you.
Here's the path for Mac OS X.
$HOME/Library/Mozilla/Profiles/default/.slt
--
What is pirate software? Software for inventory of stolen treasure?
Well, Privoxy looks like it'd be a lot of work to configure. On the other hand, it's got pretty good docs, and working with it will probably teach you a lot about how HTTP works in the real world. Which is actually the main reason I just downloaded it.
Hover your mouse over links such as those at fark.com. You'll notice they run them all through a GO script to track where you go, then forward you there. It's almost invisible; it is invisible to new users. If a webadmin wants to track this, this is the best way - not to rely on a transient browser anomaly. "Anomaly" is a better term for this.
The above could be obfuscated further by altering the status bar text to the "destination" link rather than the actual, tracker-link.
I do not consider this a security flaw since web admins have the ability to track where you're going WITHOUT this anomaly using server-side.
There are several other ways: Remember that the link is on the page that they control. An OnClick event that runs a function that talks to a server CGI to log which link you clicked, your IP, date time, is easily done.
Some might think the resources used for such an implementation are more intensive: They need to run you through a CGI. But a CGI needs to read your cookie, and also relies on you coming back (what if you don't? The data is lost.) Anyone exploiting this isn't thinking through their implementation, and their solution will not work for most browsers, and will soon quit working altogether.
Another argument: The difference with server side tracking is that, when you return, they don't know "who" clicked "which" link. Also false. I can cookie you with a unique identifier, and log your linkhit against that cookie ID, and when you return, tell you which link you clicked.
Let's summarize: If this bug is fixed, but you leave cookies, status-bar-text-changing, and javascript on, I can do the same thing. If anyone doesn't believe me, you don't know much about scripting and I am willing to make a page proving this - you're welcome to come and test it with your "patched" Mozilla browser.
So this is a security threat, how? Creating the user.js file is as simple as turning off cookies, or editing the various other script settings to combat the deceptive tactics used by webadmins to track you.
If I was on the BugZilla team I'd be demoting this defect to "anomaly, minor" or whatever lowest possible rating it has.
Erik.LA
# Erik
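The server-side tracking the comment above describes leaves traces a reader can look for in the page itself. As an added example (not the commenter's code), this audits a page's anchors for two of them: hrefs routed through a redirect script whose query string carries the real destination URL, and links whose visible text shows a URL other than the one actually linked. The sample HTML is constructed.

```python
# Added example, not from the original comment: detect click-tracking
# redirector links and text/href URL mismatches in an HTML page.
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # list of (href, reason)
        self._href = None    # href of the anchor currently being read
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        href, text = self._href, "".join(self._text).strip()
        self._href = None
        parsed = urlparse(href)
        # Redirector: a query parameter whose value is itself an absolute URL
        for values in parse_qs(parsed.query).values():
            if any(urlparse(v).scheme in ("http", "https") for v in values):
                self.findings.append((href, "redirect-through-tracker"))
                break
        # Visible text is a URL but the real link goes to a different host
        if text.startswith(("http://", "https://")) and urlparse(text).netloc != parsed.netloc:
            self.findings.append((href, "text-url-mismatch"))

def audit_links(html: str):
    """Return (href, reason) findings for every suspicious anchor in html."""
    p = LinkAudit()
    p.feed(html)
    return p.findings

# Constructed sample page: one redirector link, one mismatched link, one plain link
SAMPLE_HTML = """
<a href="http://news.example.com/go.pl?l=http://www.example.org/story">Story</a>
<a href="http://track.example.com/c?id=42">http://www.example.org/</a>
<a href="http://www.example.org/about">About</a>
"""

if __name__ == "__main__":
    for href, why in audit_links(SAMPLE_HTML):
        print(why, href)
```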
Sheesh.
This isn't a bug. If you have Javascript enabled, you should expect to have little to no privacy anyway. (Just as you should expect popups, popunders, porn-adverts, memory leaks, and system crashes.)
I mean, what's the recommended solution?
That's right. Do what the security-minded folks have been saying for years. Disable Javascript. Don't use it. Don't visit sites that require it. And if you don't, well, don't whine about it.
Pick One: http://www-rohan.sdsu.edu/~stremler/sigs/sigs.html (Note - disable Javascript first!)
The people here shout as if the world is moving to hell when a Microsoft security hole news breaks. But the same people pass off lame excuses and make security holes in OSS a non-issue. This is hopelessly hypocritical. Open Source software can only grow better when its users demand carefulness on the developers' part, not by fanatically supporting an OSS product without acknowledging its security weak points. Shame on you people!
So why should I care if a website knows I leave it and go to SlashDot. Doesn't everybody?
Ben Bucksch in Bugzilla posted to add the following to your user.js: pref("network.http.sendRefererHeader", 2); // 0=don't send any, 1=send only on clicks, 2=send on image requests as well
Be that as it may, there are times when I need to allow popups in order to get full use out of a site. What's needed is a simple popup policy engine, something like the cookies privacy engine in IE. In particular, I'd like to impose a global limit on popup frequency, so a site can't force me to accept all their crap just to get single popup window that I want to see. The simplistic "no popups" option in Mozilla is not useful for most of us.
This post is off-topic. And the moderators will never know.