Nothing new, but the visual theme looks really cool:
Mozilla is already working on this, but please do not comment on the bug report, already too much noise there...
Mozilla is already working on this, but please do not comment on the bug report, already too much noise there... 23 Responses to “Start Panicking!” |
Bad Behavior has blocked 931 access attempts in the last 7 days.
May 8th, 2009 at 10:19 pm
Is there some workaround other than using a wireless connection?
May 8th, 2009 at 10:25 pm
@Ben:
what does make you believe a wireless connection is a workaround?
For this very PoC, based on JavaScript, NoScript is enough a workaround.
But since it's possible, even though slow and unpractical, performing the same trick without using JavaScript, the only full-blown protection is SafeHistory.
May 8th, 2009 at 10:28 pm
Easy fix: Only surf in Private Browsing mode (or toggle the pref layout.css.visited_links_enabled in about:config). No need for NoScript, just the latest and greatest Firefox Beta...
May 8th, 2009 at 10:41 pm
@Simon:
I'd still prefer a SafeHistory-like solution, since both Private Browsing and the visit_link_enabled setting globally cripple my navigation experience, by disabling history feedback.
May 8th, 2009 at 11:06 pm
Duh, because wireless is encrypted.
Sorry if it is lame to set myself up for a joke. I was bored on a Friday afternoon.
May 8th, 2009 at 11:21 pm
quite a comprehensive list of domains:
http://startpanic.com/db/db_en.txt
May 8th, 2009 at 11:33 pm
@nick,
booh, mine are all missing :(
May 8th, 2009 at 11:54 pm
Why would the same be "slow and unpractical"? It seems to me,that it would perhaps be faster:
[style]
#urllist a { display:none; }
#urllist a:visited { display:block; }
[/style]
[div id='urllist']
[a href='http://google.com/' style='background:url(url?google.com)'][/a]
[a href='http://www.google.com/' style='background:url(url?www.google.com)'][/a]
[a href='http://yahoo.com/' style='background:url(url?yahoo.com)'][/a]
[a href='http://www.yahoo.com/' style='background:url(url?www.yahoo.com)'][/a]
[/div]
May 9th, 2009 at 10:15 am
@nick #6, :
It's just about the whole of the Web, isn't it. ;-)
Sorry Prof, your empire-building is hopeless ;-)
May 9th, 2009 at 11:24 am
I seriously can't get any results other then
"
Here we go!
startpanic.com
"
I tried Safari first as it's my main browser. Result was above. I thought that I was not getting any result then above because I changed file flags for directories where Safari would store cookies, cache, bookmarks, history and where flash cookies are stored so no data could be written in those directories. (sudo chflags uchg,schg /foo) So I tried FireFox and I still get the same result. NoScript and CookieSafe both disabled. I didn't set file flags for in directories FireFox uses.
May 9th, 2009 at 12:24 pm
You don't need JavaScript to exploit this:
http://ha.ckers.org/weird/CSS-history.cgi
Any exploit though has to try to guess sites/urls where you might have been.
May 9th, 2009 at 2:16 pm
@Otto de Voodg:
Of course you can do it script-less, as I said in my comment #2, but it's too slow and resource-intensive to be practical outside PoCs.
And you're obviously correct, the attacker can test if you've visited certain sites, rather than enumerating all your history, but in many scenarios (e.g. guessing if you're an user of a certain bank service before trying a focused phishing attack or checking if you visit certain "subversive" resources before raiding your home with a terrorist charge) this is dangerous enough.
May 9th, 2009 at 3:55 pm
[...] написание этой небольшой заметки меня подтолкнул пост в блоге автора плагина NoScript о ресурсе с [...]
May 9th, 2009 at 11:30 pm
Giorgio, I love SafeHistory but the problem is that it has not been updated for a long while and it causes some issues in Fx 3 but for me NoScript seems to be pretty effective and the fact that I don't maintain a history at all.
May 10th, 2009 at 4:39 am
Will the Firefox fix have the same functionality as SafeHistory?
May 10th, 2009 at 8:38 am
I like CSSH more.. haha we can crawl which links you entered in each website.
http://eaea.sirdarckcat.net/cssh-mon/cssh-mon.php
Greetz!!
May 10th, 2009 at 9:07 am
I used SafeHistory before, but it's not compatible with Firefox 3. I know how to patch it, but I don't think it's a good idea. Does any one know an alternative?
May 10th, 2009 at 2:21 pm
@AndreH:
As you can see there are 100,000 domains in that list, for more than 1MB file size, which you're proposing to turn in server-side generated styled links to be downloaded.
Consider also that a scriptless approach requires one separate HTTP request (and database write) for each single domains found in history, while with JavaScript you can coalesce the logging in one single request/write.
So I can hardly imagine an attacker preferring the scriptless way over the JavaScript one in a real world scenario, aside very motivated targeted attacks against a specific NoScript user.
@Dom:
Nope. If you look at the bug report, you'll find I repeatedly suggested that was the right approach, however the current "solution" breaks the :visited functionality entirely and therefore is obviously disabled by default.
@Basti:
I heard of a compatible beta, but I can't find it right now.
There's no alternative, I'm afraid.
May 11th, 2009 at 2:31 pm
[...] Mozilla is already working on this bug. [via Giorgio Maone's blog] [...]
May 13th, 2009 at 7:38 am
Hi Giorgio,
When I cleared the history of Mozilla FF, visiting on startpanic.com didn't yield any result. The bug lifts information about visited website from the history. Isn't it? Is IE also susceptible? My IE 7.0 gets hanged whenever I visit startpnaic.com and click Check. Why?
May 13th, 2009 at 7:21 pm
@Nilesh:
Yes. More precisely, attackers can tell if a certain URL is present in your history or not (they're using a list of 100,000 to be impressive).
Of course it is. Every modern browser susceptible.
Because its JavaScript interpreter sucks?
June 6th, 2009 at 12:26 pm
fuck this is ..what.. 3 years old news? am I the only one without amnesia or what?
June 7th, 2009 at 11:38 am
@rvdh:
Did you notice the OP starts with "Nothing new" linked to a... what? ... 3 years old article? :P