Topic: Browser security paranoid privacy panic (Read 14126 times)

Browser security paranoid privacy panic

Transifex website, where many open-source distros and other projects host their translation environment, has made some alterations to the way traffic occurs after users log in. There are no good cookies anymore that I can trace. I had to disable adblock to be able to stay logged in.

Is this a wider trend?

When you log in to websites, what security measures do you take? Do you check/modify the headers and the referrer that your browser sends to the server? Do you take a look at what headers the server replies with? Do you count the cookies? Is your browser set to erase history at close? Share your habits and tips.

Re: Browser security paranoid privacy panic

Reply #1
Browserspy.dk (by a Mozilla fan) has been my source of insight into how deeply a website can look into the browser and into the system. Plugins, history, cookies, headers, and whatnot. Not just the user agent.

Does anyone know more such websites? I don't mean a test page that crashes the browser. I mean something that informs about how your browser behaves.

Re: Browser security paranoid privacy panic

Reply #2
If you're concerned about fingerprinting when logging in to a website where you have cookies enabled anyway, have you considered using a browser only for logins?

Keep also in mind that a browser that reveals almost nothing can still have a unique fingerprint.
Keeping and evaluating fingerprint databases means more work and expense for the website owner, something that hardly pays.

Which of the items your browser reveals are you concerned most about? Some of those detected by Browserspy.dk can be avoided.

Re: Browser security paranoid privacy panic

Reply #3
I'm concerned if you know of a similar website like Browserspy.dk :)

I use multiple browsers and, yes, one is so-called home browser which is basically meant to log me in to a bunch of forums and portals when I open it. In addition to a home browser, I have the so-called system default, most prominently featured in menus and icons. I use the system default for random browsing usually with cookies near-completely turned off, with adblock, etc. Then I have a so-called reading browser (Opera used to have very good user CSS support for this) and more, some browsers just for the fun of trying out browsers.

I occasionally change my home browser. For example a year ago I switched from Opera 12 to Opera 11. Hopefully Otter will be able to become my next home browser.

I worry more about the convenience of managing cookies, passwords, user agents, headers, referrers etc. I worry about convenience because I want those things to be simple. Of course it would be nice when the browser handles them safely too.

Re: Browser security paranoid privacy panic

Reply #4
I worry more about the convenience of managing cookies, passwords, user agents, headers, referrers etc.

And for some incomprehensible reason Firefox has been making great strides toward making all that harder since version 4. :(

Re: Browser security paranoid privacy panic

Reply #5

I'm concerned if you know of a similar website like Browserspy.dk :)

AFAIK EFF has one. It is poorer than Browserspy.dk, so I didn't bother to bookmark it.


I worry more about the convenience of managing cookies, passwords, user agents, headers, referrers etc. I worry about convenience because I want those things to be simple. Of course it would be nice when the browser handles them safely too.

Cookies?
Most of the time I'm in private mode. If I have to enable cookies for some stupid sites, they will be gone after closing the tab.
Passwords?
I have my login cookies. I need my passwords seldom. Most of them are stored in my memory. In case of a memory leak, I have them stored encrypted on my HD.
I've never used a password manager.
User Agent?
I could fake it easily but don't see any reason for doing so.
Referrer?
You can disable it within the browser or just open links in new tabs.

Re: Browser security paranoid privacy panic

Reply #6

And for some incomprehensible reason Firefox has been making great strides toward making all that harder since version 4. :(

I don't like the path Firefox is going but with a few extensions it still comes closest to Opera Presto.

Re: Browser security paranoid privacy panic

Reply #7
@ersi, this should be interesting in this case:
https://github.com/Emdek/otter/issues/27
Although so far there is no progress on that topic, expect standard disabling of referrer, user agent switching (what about an option to set random one for each request?) and cookie policies.
Nadszedł już czas, najwyższy czas, nienawiść zniszczyć w sobie.
The time has come, the high time, to destroy hatred in oneself.

Re: Browser security paranoid privacy panic

Reply #8
Let's hope something good will come out of it, Emdek :)

In year 2001 or so, when WAP-browsing with the mobile phone given to me by my employer, I landed on http://wap.gemal.dk/ along with its WAP version of Browserspy. It was one of the first foreign WAP sites I ever visited. This is how I found Browserspy.


Cookies?
Most of the time I'm in private mode. If I have to enable cookies for some stupid sites, they will be gone after closing the tab.

A few years ago private mode did not even exist and I'm still uncomfortable with it. I can't figure out how it could be useful. Blocking cookies used to be common sense. However, blocking all cookies prevents logging in to forums and such.

What I'd like to see is a "preserve" option for individual cookies, like in Dooble browser. It should work like pin tabs. When you pin a tab, then "Close all tabs" won't apply to those tabs. Similarly, preserved cookies would be exempt from "Clear all cookies".

Dooble is pretty private, by the way. You can't even use it properly without creating a master password for it first.


Passwords?
I have my login cookies. I need my passwords seldom. Most of them are stored in my memory. In case of a memory leak, I have them stored encrypted on my HD.

I have not found any user-friendly way to encrypt stuff selectively. Looks like the best way is to install the entire opsys encrypted in the first place. The worst problem with encryption is that you still need a password for un-encryption and this password is of course not encrypted anywhere. Just like master password in some browsers. FF removed its master password option lately, I have heard.


I've never used a password manager.

I do. I have never synced passwords over cloud though. This idea always sounded kind of spooky.


User Agent?
I could fake it easily but don't see any reason for doing so.

Not so long ago e.g. bank websites outright demanded fake user agents.


Referrer?
You can disable it within the browser or just open links in new tabs.

Along with cookies, referrer is the thing that enables you to browse around forums and such. It suffices to send some kind of referrer, any kind really, but what most browsers tend to do is to send exactly the last visited page. Privacy expert QuHno for example thinks the best idea would be if browsers send to the requesting server its own domain - just the domain part https://vivaldi.net/forum/browsers/70-improving-your-favorite-web-browser#1592

In Elinks the referrer can be customised to anything. I can type BillGatesForPresident.com if I want.

Re: Browser security paranoid privacy panic

Reply #9
A few years ago private mode did not even exist and I'm still uncomfortable with it. I can't figure out how it could be useful. Blocking cookies used to be common sense. However, blocking all cookies prevents logging in to forums and such.

In my understanding it means as much as starting a separate session (akin to opera -pd /tmp), except within your regular environment.

What I'd like to see is a "preserve" option for individual cookies, like in Dooble browser. It should work like pin tabs. When you pin a tab, then "Close all tabs" won't apply to those tabs. Similarly, preserved cookies would be exempt from "Clear all cookies".

Dooble is pretty private, by the way. You can't even use it properly without creating a master password for it first.

Note that the arrival of site preferences in Opera 8 made some people decide to browse around with, instead of new page and close page, new page & disable javascript and close page & disable javascript.

I don't know how usable the 2014 web would be with it, but if your suggestion were implemented, one could do something like close/new page & disable javascript & clear all cookies.

Re: Browser security paranoid privacy panic

Reply #10

I don't know how usable the 2014 web would be with it, but if your suggestion were implemented, one could do something like close/new page & disable javascript & clear all cookies.

And what sense does it make?
With any decent browser you can enable/disable scripting/cookies on the fly. It takes a single click.
You have to enable cookies but don't want to keep them, simply enable cookies and open a new private tab/window. You can do it with any decent browser. After closing the private tab/window, cookies are gone.

Re: Browser security paranoid privacy panic

Reply #11

Privacy expert QuHno for example thinks the best idea would be if browsers send to the requesting server its own domain - just the domain part.

My local filtering proxy can do that but I don't use that feature because of 2 reasons:
1. This would be a very unique behaviour of my browser any admin could easily detect.
2. You will get access denied to some resources if the referrer isn't the one it is supposed to be (main_domain.com/blablabla/).
Some admins don't like their resources to be hot linked.

Simply open new links in new tabs and the privacy issue with referrers is solved.
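
The trade-off described in Reply #11, as an added example that is not part of any post: four ways of filling in the Referer header, checked against a hypothetical anti-hot-linking rule. "Its own domain" is read here as the origin of the URL being requested (an assumption); the hosts, paths and rules are constructed.

```javascript
// Added example; hosts, paths and rules are constructed, not taken from the thread.

// Four ways a browser or filtering proxy could fill in the Referer header.
const policies = {
  full: (prevPage, target) => prevPage,                         // exactly the last visited page
  previousOrigin: (prevPage, target) => new URL(prevPage).origin + "/",
  targetOrigin: (prevPage, target) => new URL(target).origin + "/", // the server's "own domain"
  none: () => null,                                             // header not sent at all
};

// Hypothetical anti-hot-linking rule: the referrer must be on `host`
// and, if `pathPrefix` is set, under that path. Returns an HTTP status.
function hotlinkCheck(referrer, rule) {
  if (referrer === null) return rule.allowEmpty ? 200 : 403;
  let u;
  try { u = new URL(referrer); } catch (e) { return 403; }
  if (u.hostname !== rule.host) return 403;
  if (rule.pathPrefix && !u.pathname.startsWith(rule.pathPrefix)) return 403;
  return 200;
}

// Status each policy would get for one request.
function outcomes(prevPage, target, rule) {
  const result = {};
  for (const [name, make] of Object.entries(policies)) {
    result[name] = hotlinkCheck(make(prevPage, target), rule);
  }
  return result;
}

function referrerDemo() {
  const page = "https://main-domain.example/blablabla/gallery.html";
  return {
    // Image on the same host; the admin only checks the host name.
    sameHost: outcomes(page, "https://main-domain.example/img/a.png",
      { host: "main-domain.example", allowEmpty: false }),
    // Image on a separate static host; the admin expects the gallery path on the main host.
    staticHost: outcomes(page, "https://static.main-domain.example/a.png",
      { host: "main-domain.example", pathPrefix: "/blablabla/", allowEmpty: false }),
  };
}

console.log(referrerDemo());
```

With the host-only rule every policy except `none` is accepted; with the path rule only the full referrer is.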

Re: Browser security paranoid privacy panic

Reply #12
And what sense does it make?
With any decent browser you can enable/disable scripting/cookies on the fly. It takes a single click.

That's rather the point. If you prefer to browse with these things off but occasionally want to enable them, you could either keep toggling things manually and risk forgetting or you could automate the process.

You have to enable cookies but don't want to keep them, simply enable cookies and open a new private tab/window. You can do it with any decent browser. After closing the private tab/window, cookies are gone.

And why on earth would you want to perform fifty extra steps every single time if enabling these things is the exception? ;) Besides, private window has other consequences like no history.

Re: Browser security paranoid privacy panic

Reply #13

And what sense does it make?
With any decent browser you can enable/disable scripting/cookies on the fly. It takes a single click.

That's rather the point. If you prefer to browse with these things off but occasionally want to enable them, you could either keep toggling things manually and risk forgetting or you could automate the process.

It's rather hard to forget since you have the settings on your address bar. :)
Automating the process? Which process? Sometimes you want them on, most of the time off.


And why on earth would you want to perform fifty extra steps every single time if enabling these things is the exception? ;) Besides, private window has other consequences like no history.

First of all there aren't 'fifty' steps, just two. A mouse gesture and a click. Aside from that it happens seldom since it is rather an exception. Most of the time I'm with scripting and cookies off.

Re: Browser security paranoid privacy panic

Reply #14
It's rather hard to forget since you have the settings on your address bar. :)
Automating the process? Which process? Sometimes you want them on, most of the time off.

So you're exactly the kind of user this should appeal to. I'm not really sure what your objections are anyway. No one's forcing you to alter your keyboard shortcuts. :P

First of all there aren't 'fifty' steps, just two. A mouse gesture and a click. Aside from that it happens seldom since it is rather an exception. Most of the time I'm with scripting and cookies off.

The charms bar is also just a gesture away. Any argument along those lines will fall on extremely deaf ears on this end. I want everything to take as few actions as possible. If I wanted to perform meaningless chores I'd use a typewriter.

PS I browse with first-party cookies and JS enabled. I've found it rather obnoxious to do otherwise these past few years. When I want to do without I typically prefer to use Elinks or Netsurf instead.

Re: Browser security paranoid privacy panic

Reply #15
Browser security paranoid privacy panic

Well, that's what I get if trying to access DnD Sanctuary using TOR Browser:

Quote
Error 403

We're sorry, but we could not fulfill your request for / on this server.

You do not have permission to access this server. Before trying again, run anti-virus and anti-spyware software and remove any viruses and spyware from your computer.

Your technical support key is: 25dc-233d-2b02-1b1f

You can use this key to fix this problem yourself.

If you are unable to fix the problem yourself, please contact the WEBMA5TER and be sure to provide the technical support key shown above.


Strange things happen when you want to be anonymous.
A matter of attitude.

Re: Browser security paranoid privacy panic

Reply #16
Google is very pervasive/invasive. I have Seamonkey where cookies work, I think, the way I want, site-specifically. I log in to a Google Mail account there, but otherwise I keep cookies blocked. Still other Google sites, such as YT and Maps, invite me to log in with that account, even though I never open those sites up in the same tabs. Eerie.

Looks like when you want to keep different sites apart, you have to actually use different browser profiles. Cookie management is not enough.

Basically, a sure way to test the privacy of a browser is to try it on different Google sites and see if you are getting recognised.

Re: Browser security paranoid privacy panic

Reply #17

Strange things happen when you want to be anonymous.

I assume it's an attempt to limit spam.
As for anonymity, we all know that you are Belfrager from Portugal. :D

Re: Browser security paranoid privacy panic

Reply #18

I log in to a Google Mail account there, but otherwise I keep cookies blocked. Still other Google sites, such as YT and Maps, invite me to log in with that account, even though I never open those sites up in the same tabs.

What difference does another tab make? In case you mean a private tab, try to open a private window instead and see what happens.
I can't test myself since I have no account at Google.

I was always reluctant about site-specific cookie management. Switching cookies on where I need to and blocking them otherwise all the time.

Re: Browser security paranoid privacy panic

Reply #19

What difference does another tab make?

For cookies apparently no difference.


In case you mean a private tab, try to open a private window instead and see what happens.

And why should it matter when the new tab says "private"? Can cookies read? Even if they can, why would they obey?


I was always reluctant about site-specific cookie management. Switching cookies on where I need to and blocking them otherwise all the time.

I keep cookies that keep me logged in to sites. Therefore site-specific cookies. Otherwise I don't care about cookies. I thought that by keeping only necessary cookies and blocking the rest would be good enough, but looks like cookies have a way to talk to each other in the cookie tin. This is a very good reason for further security paranoid privacy panic.

Re: Browser security paranoid privacy panic

Reply #20
If you're logged into a site (non private tab) and open a new private tab and then visit the site you are already logged in, the site shouldn't have any chance to recognise you. At least not through conventional cookies. There is no magic, except the browser has a flaw.
So if you are logged into gmail (no private tab), you can visit YouTube in a private tab without Google knowing exactly who you are. I say 'exactly' because of the same IP number you'll have. Even with a static IP number they can't tell for sure.
Cookies between normal and private tabs aren't shared.

You could easily find out if Google recognizes you through conventional cookies and in case it does you could figure out what you're doing wrong.
It would be more helpful than panic. ;)

Re: Browser security paranoid privacy panic

Reply #21
I'm not really panicking. Just trying to figure out how browsers work. For example:


Cookies between normal and private tabs aren't shared.

This sounds reassuring, but I am not sure this is the standard for private tabs. Private tabs are an invention I never understood. What are they supposed to do? Why should cookies between any tabs be shared, unless I open a link from one tab in a background tab?


You could easily find out if Google recognizes you through conventional cookies and in case it does you could figure out what you're doing wrong.

This is precisely what I figured. To test the security of a browser I can log in to Gmail and then browse other Google sites in other tabs and see if Google offers logging in with the Gmail account. However, it's precisely a test for the security of the browser, not a test of me doing something wrong. Why should the cookies and perhaps scripts etc. identify me when I open different domains in separate tabs? ('Separate' meaning that the other tab is not opened by clicking a link in the first tab.)

Re: Browser security paranoid privacy panic

Reply #22

This sounds reassuring, but I am not sure this is the standard for private tabs.

You don't have to be sure. All you need is to test yourself. :)


Why should cookies between any tabs be shared, unless I open a link from one tab in a background tab?

By shared I mean your settings for cookies are shared!
If you set them to be enabled it doesn't make any difference how many tabs you will open. Your cookie-settings apply for all open tabs.

Gmail's cookie is a Google cookie that probably covers all Google domains.
The browser can't do anything about it. You have put that cookie in your permissions and now you wonder that Google recognizes you.
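
The cookie scoping discussed in Replies #20 to #22, as an added example that is not part of any post: a simplified cookie jar using RFC 6265 domain matching. The cookie names and values are constructed and do not describe what Google actually sets; the separate jar for private mode is a modelling assumption.

```javascript
// Added example: constructed cookies and a simplified jar, not code from the thread.

// RFC 6265 section 5.1.3: does a request host fall under a cookie's domain?
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  if (host === cookieDomain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + cookieDomain);
}

// Turn one Set-Cookie header from `originHost` into a stored cookie, or null if rejected.
// Simplified: only the Domain attribute is handled and no public-suffix check is done.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null;
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: originHost.toLowerCase(), hostOnly: true };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    if (key.trim().toLowerCase() !== "domain" || !val) continue;
    const d = val.trim().toLowerCase().replace(/^\./, "");
    // A host may only set cookies for itself or one of its parent domains.
    if (!domainMatch(originHost, d)) return null;
    cookie.domain = d;
    cookie.hostOnly = false;
  }
  return cookie;
}

// One jar per browsing mode (assumption: private windows start with their own empty jar).
// Tabs are deliberately not modelled: every tab in a mode reads the same jar.
class Browser {
  constructor() { this.jars = { normal: [], private: [] }; }
  receive(mode, originHost, header) {
    const c = parseSetCookie(header, originHost);
    if (c) this.jars[mode].push(c);
    return c !== null;
  }
  // Names of the cookies that would be attached to a request for `host`.
  cookiesFor(mode, host) {
    const h = host.toLowerCase();
    return this.jars[mode]
      .filter((c) => (c.hostOnly ? h === c.domain : domainMatch(h, c.domain)))
      .map((c) => c.name);
  }
}

// Constructed login response: one domain-wide cookie and one host-only cookie.
function cookieDemo() {
  const b = new Browser();
  b.receive("normal", "mail.google.com", "SID_DEMO=abc; Domain=.google.com; Path=/");
  b.receive("normal", "mail.google.com", "MAIL_DEMO=xyz; Path=/");
  const rejected = !b.receive("normal", "mail.google.com", "X=1; Domain=youtube.com");
  return { rejected,
    mail: b.cookiesFor("normal", "mail.google.com"),
    maps: b.cookiesFor("normal", "maps.google.com"),
    youtube: b.cookiesFor("normal", "www.youtube.com"),
    privateMaps: b.cookiesFor("private", "maps.google.com") };
}
```

In this model the domain-wide cookie reaches `maps.google.com` from any normal tab, nothing reaches `www.youtube.com` by domain matching alone, and the private jar stays empty.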


Re: Browser security paranoid privacy panic

Reply #23
Wouldn't an extension like 'Ghostery' go a long way in stopping most of this?
“I kill monsters and zombies with infeasibly large plasma-based weaponry”

Re: Browser security paranoid privacy panic

Reply #24

Wouldn't an extension like 'Ghostery' go a long way in stopping most of this?

Ghostery and Adblock, as companies, make money by collecting and sharing (selling) information on what people like to block. Otter's adblock is also vulnerable to this, because its adblock files get updated automatically in the background without notice, and I have seen my customised adblock files vanish several times when updating Otter. This part of Otter should be re-built. The files are okay, but the way they get parsed and updated is not.

Anyway, here's a DNS spoofability test I found https://www.grc.com/dns/dns.htm

Enjoy the test.