sticky: extensions #492
Comments
I think another decent candidate for a
Well, if the idea is to separate privacy/security-related but non-protecting extensions into a separate list, then any extension like the legacy SSleuth would belong in there too, right? BTW, I kinda miss SSleuth.
3P Request Blocker - Page not found
@crssi, do you remember what problems you found with FMN? I ask because I've been trying it out for about a week (after using Cookie AutoDelete for nearly a year), and so far FMN has been just as good as CAD, in some ways even better. What should I be watching out for?
@practik
^^ !! That's bad. But it hasn't done that for me so far. Hopefully it is sorted out; it's gone through a few updates since you tested it. I'll keep an eye on it. Thanks!
Whoa, Luminous looks like it could be badass. Anyone using it already?
I have it on an install used for unlogged browsing (like no github or webmail) only. I block events like
@Atavic
So no idea when or what SSleuth Web Ext will look like
Ah, great. I was about to mention that I renamed my repo and now the link to Detect Cloudflare PA should be broken, but it seems Github is smart enough to redirect folks to the new URL. 🎉 I still want to mention that I went ahead and listed it on AMO. Traktofon seems to be MIA or something, and I was bored, so I also added a toolbar icon to it and made the address bar icon optional, among many other thingies. So far it works great for me. The only significant issue left to fix seems to be that it can't always behave as expected when the backward or forward navigation actions are used, but that one seems kinda painful to fix compared to the other issues that I already fixed. I may eventually work on that, though. Anyway, I thought you may want to know. 👖 : modified the wiki to only point to your fork - it's not really a fork anymore IMO
I would like to advise on 3 extensions:
With these 2 addons you can make your system time zone and wifi geolocation be in accordance with the IP geolocation and local time zone of the proxy/vpn server you are using. Not a one-click process, though. But this avoids increasing your entropy by wearing a Russian IP and at the same time a system wifi geolocation and date settings that show you near Melbourne.
0 font detection will make you unique for sure.
re: BP Block Font Fingerprint:
not only will it make you pretty unique because very few people use something like this extension,
but thanks to this extension suggestion I looked at fonts again in general and I found some things which I think we need to improve in the user.js. I'll open a new issue to discuss them |
@crssi & earthlng What's your opinion concerning my suggestions about Change TimeZone and Location Guard, in order precisely to diminish the entropy raised by using a vpn/proxy server having time and location characteristics different from those of the system's user? For location, blocking geo wifi in preferences may be considered as sufficient (except if the browsed site mandatorily wants geo wifi data, a case where the use of Location Guard could be useful). But not geoblocking and instead spoofing geo wifi with Location Guard according to the proxy server used puts the user on the safer side from the point of view of spoofing: the location provided by the proxy server IP is in that case confirmed by geo wifi data sent by the browser, so reinforcing its likelihood. Concerning Change Timezone, this extension solves a sharper problem, as there isn't in FF's preferences anything like "don't send any date time-zone data" (as is the case for location with the blocking geo wifi preference). Blocking these data from being sent could maybe be achieved with some uMatrix or NoScript setting, but it then raises a uniqueness flag, as not letting the browser send them is not a common behavior.
https://github.com/dessant/clear-browsing-data seems rich in options.
Clear Browsing Data seems interesting. But after installing it, it seems able to clear browsing data neither when the browser closes nor when it starts, only during the browsing session. In order to sanitize a browsing session as soon as it begins, there is StorageErazor: it clears Cache, Local Storage and IndexedDB each time the browser starts. The IndexedDB clearing is important, since 1) blocking IndexedDB in FF preferences breaks some sites, 2) Cookie AutoDelete doesn't handle IndexedDB. Maybe Clear Browsing Data and StorageErazor may be seen as complementary to each other.
Actually, you can do this without any extension simply by setting Firefox to clear "Offline Website Data" on shutdown (see section 2803 of ghacks-user.js, or Cookie-AutoDelete/Cookie-AutoDelete#171 (comment)).
@practik: Thanks for this information. I didn't know checking "clear Offline Website Data" erased IndexedDB. This strongly reduces the usefulness of StorageErazor, but I will nevertheless keep this addon enabled and "clear Offline Website Data" checked, as the second works when the browser closes, and the first when it starts, so that I'm absolutely sure to begin each browsing session on a neat basis :) Other addons I suggest are the ones permitting to block Authentication:
I don't know whether or not all that is completely up-to-date, but if it remains true, I think it would be wise to prevent tracking via Authorization. I currently have found 2 addons permitting that: Notice that blocking Authentication is one of the features of Chameleon, too. This addon has many other interesting features (such as optionally spoofing time, screen size and ClientRects), and while using it may increase entropy, I think that when properly used, it can in fact reduce it (e.g. when spoofing your system time according to the time of the proxy server you are using, or when spoofing screen size with the most common ones for desktop PCs, such as 1366x768 or 1920x1080).
@Kraxys do you have any example site using Authentication?
Here the headers are described.
@Atavic thank you, but I didn't mean a description, but a real case site using it. 😄
I haven't seen any, you've got to use Fiddler, Charles Proxy or similar tools to debug response headers.
Using Fiddler here for years (now you made me look at Charles Proxy, which I had never heard of before 😄) and also found one at
Charles is not free and has a Mac version. Privoxy is another proxy that changes or crunches headers.
Please change the Decentraleyes rules to add to uBlock Origin URL to https://git.synz.io/Synzvato/decentraleyes/wikis/Frequently-Asked-Questions#for-umatrix-and-ublock-origin-non-easy-mode-users Thorin - Thanks, done 👍
The very concept of allowing sites to store anything else than cookies
There may be valid use cases (I linger to know which ones) but meanwhile they allow sites to lay data in my IndexedDB storage folder without the reason being obvious to me. If I've set the cookie behavior to block all by default with exceptions set by me, it is because of what allowing cookies leads to: why does bostonglobe.com lay data in my IndexedDB, why does youtube.com as well? Maybe we're in the same scenario as plain cookies, where sites use them even when not required: a valid feature abused by some, many websites. I just do not want and do not accept a website downloading data in my browser profile without my explicit authorization. Hence blocking all cookies by default, but more: should I be interested in a site to the point of accepting its cookies, I'd forget that site should allowing its cookies extend to that site creating its IndexedDB in my profile. Same with localStorage: no persistent cookie (Allow exception) for a site that lays data in my localStorage (webappstore.sqlite), which I clean anyway once Firefox is closed. In other words, yes for basic cookies, no, no and systematic no to persistent localStorage (never persistent with session cookies) and ultimately no to IndexedDB in my profile for anything else than that of the WebExtensions I've installed. What we all observe is that a browser includes features which are meant for the best user experience (I do not have in mind developers aiming to trick users on the basis of industry lobbying requirements, no conspiracy theory) and that these valuable features are exploited by some websites for their own profit and not for the user's advantage. Hence the amount of defense mechanisms developed by users, by ghacks-user.js itself to start with, aiming at preserving the best and controlling maybe not the worst natively but the worst as what sites occasionally do with the best. And this is only the beginning, IMO. Whatever the best intentions, the trend is and remains digging into users' life. Period.
Yeah look. They are valid mechanisms, but like everything else, they get abused. Personally, I have had cookies blocked by default for the last 5+ years. I've allowed sites I log into a cookie (about 10 sites over the years, currently just four), I've allowed about 6 more sites a session cookie to function (and blocked them in uMatrix in headers). That's about it. I've never seen any persistent localStorage or IDB shit in all that time, and the web works for me just fine. Just think of the tens of millions of things I didn't have to clean up or have tracking me
That's what I do as well. I just happen to find this way of proceeding a bit radical.
No. I don't have time. I'm not an expert, but I have questions about this
I've installed and use this Site Bleacher Firefox extension in place of the previous ForgetMeNot. But Site Bleacher does the job perfectly well for cookies and localStorage, and weighs only around 50KB I think.
It (supposedly) removes it when you open the site (but not subsequent pages if you already have a tab of it open)
If I remember correctly, but I'd have to test again, it may have removed bostonglobe's IDB but I'm sure it didn't remove youtube's IDB. There's also something special with youtube's IDB folder name which ends with something like '3rd-party' ... I'll test again right now. Stay tuned :=)
My 1st comment confirmed: neither bostonglobe nor youtube have had their IDB wiped by Site Bleacher. Usually, by default, my network.cookie.cookieBehavior = 2 = block all.
Opened bostonglobe.com and the IDB folder name was:
Opened youtube.com and the IDB folder name was:
=> Neither wiped by Site Bleacher. I use in fact Site Bleacher in order to create the 'Allow Temporary Cookie' which was handled by some legacy add-ons, that is accept the cookie when on the site then remove it, which was the 3rd option after what we know of session cookies and allow cookies (which remain after FF restart). Global cookie policy: block all. For these exceptions I don't want the cookie to remain once I've quit the site => Site Bleacher or ForgetMeNot.
@Thorin-Oakenpants The question was, does this WE clear IDB? And my tests show that it does. @StanGets The fact that the IDB files are there does not mean that those IDBs' data were not cleared.
TEST 1:
You will see that IDB, LS and Cookies were filled in the previous visit and not cleared.
TEST 2:
You will see that IDB, LS and Cookies were cleared and do not show the data from the last visit on revisit.
I haven't got time to look at this. This sucks, I had a bookmark for testing IDB. You added a title, and then some text. Add as many as you want. When you came back it would display your stored data. This is all you need - because what you entered was unique. https://demo.agektmr.com/storage/ looks like it might do the job for a test.
I have looked into the source code and I guess my guess was right... code injection is involved. This is the code injected:

```javascript
// Keep a reference to the page's real indexedDB.open
const oldIndexedDBOpen = window.indexedDB.open;

function newIndexedDBOpen(arg1) {
  // Announce the requested database name to the extension's content script
  const e = new CustomEvent("new_indexdb", {
    detail: arg1
  });
  document.dispatchEvent(e);
  // Then call the real open; only the first argument (the name) is forwarded,
  // so a version passed as second argument is not relayed
  return oldIndexedDBOpen.apply(this, [arg1]);
}

// bind() returns a new function whose result is discarded here, so this line
// has no effect; `this` is still window.indexedDB when the page calls
// window.indexedDB.open(...), which is why the apply() above works anyway
newIndexedDBOpen.bind(window.indexedDB);
window.indexedDB.open = newIndexedDBOpen;
```

This opens all your valid questions about whether this is good or not. Cheers
This is it: https://static.raymondcamden.com/demos/2014/feb/7/index.html#/home Now use that to stick in unique data |
^^ I have now tested on the page you suggested and revisiting the page comes out clean, IDB cleared. But since we have a working solution already, I would not analyze this extension anymore... and it raises too many other valid questions... detection of this extension, CSP, does it work when JS is disabled... and on and on.
First of all, it doesn't clean up after itself, because naturally, it only cleans when you open the domain, and it can't wipe folders etc. But you can do all that, sanitizing, on close. There is an option to whitelist until close (in other words, session a domain), but to me that's the same as whitelisting, because you clear on close. The very first time I tested it, the extension didn't do anything, until I clicked on settings on the icon. And even though I didn't change anything, THEN it worked. I hope that was just a one-off and not for every domain.
As long as I closed all instances of the test page, the next time I opened it, it was emptied. This will leave persistent disk data (forensics), but will prevent the website from accessing it next time you visit. I do not know about the rest of the potential issues such as detecting script injection, function names, leaking UUID, and causing issues with other extensions, or even failing on sites with CSP or whatever. That said, it's a metric fuck-tonne better than C-AD regards leaving orphaned data around to be re-used to track you
Well, without JS, the data can't be read either
I do have questions over the third party data, it should be cleaning ALL data by first party IMO, and I'm not in a position to test it all - but using the storage inspector and a site that uses IDB on 3rd party would be a start
First time it failed because you had the test page open at the time you installed the WE. ;)
Sure it is, but what about when you enable JS in the middle of loading a page?
Bollocks. The page was not open in the session at all, and the extension was up and running and installed. Repeat from what I said earlier
pages closed before installing extension and not opened until after extension on
in the middle of loading a page? wot? That's not normal bro, see a doctor. |
you may be referring to the same issue i raised with the dev - this is his reply...
I was thinking not to underestimate a standard user's diversity of usage.
With all due respect, lady, given the recent insults and aggressiveness I am more thinking of seeing myself out of here. Obviously I am just wasting your time and I am sorry for that. Cheers
that comment was rather rude pants - i know you mean well, but you can be quite abrasive at times - and i know how to spot those people because i'm one of them unfortunately |
You're just reading too much into my words. I'm not being aggressive or insulting at all - at least not the way I said it in my head as I typed it. Yes you're right to always think of possible situations - the permutations, etc. But loading JS partway thru a page load seems almost impossible. In most cases a user would enable js and reload - e.g changes to tweaking uM, uBO, etc. I'm not even sure how you could enable it part way thru a page load |
Here you go. If you have JS disabled and load the page. Then you enable JS and reload the page, does the extension then treat the reload as the FIRST time it was opened? Probably not. |
Here's the thing guys and gals, and I'll try and be more selective with words in future. Slang/idioms, tone, and emotion do not translate well across text. To me what I said was something lighthearted and slightly comedic - in my realm of real life people, it's not offensive (seeing a doctor for a non-medical issue is part of the joke) - it's just a way of saying, I don't think you thought that thru, would you care to explain it further. I am also incredibly extremely busy, especially right now, but mainly over the last 4 months (which is not anyone's fault, just laying some background), and part of my work methodology is practicing a zero inbox. So when I get notifications, I like to deal with them and delete them. I also use the open issues in this repo as my ToDo list or reminders. When in the middle of a lot of work, I can often make quick replies, and throw the ball back in the other person's court - hence why I kept telling you guys to test it (rather than me doing it). Been here for two years. Everyone should know that I never have any problems with anyone (except that one guy, you know who), and I often go the extra mile in working things out, or explaining things. Earthlng even recently told me off for trying to do too much. So that said, it's up to you, individually, as to whether or not you want to be part of this repo. Earthlng and I have had arguments in the past, and we get tetchy or frustrated with each other, but we know there's nothing personal in it. And likewise, I know everyone here is asking genuine questions, or contributing - that's what collaboration is. There are no stupid questions or statements, at worst, just misunderstanding. And no-one is right all of the time (sometimes I forget that bit). Just going to @crssi here in the hope he will see it. Apologies dude. You are welcome here, you have collaborator status, and you've been here from the start.
Noted. Next time I will tell you "STFU, grab a beer, get naked and run around the apartment singing some songs. 😄" (<- in a good sense) ❤️
@Kraxys - re: Change Timezone. I use a VPN and when I test at browserspy.dk it's detecting my TZ as GMT, which is not my real TZ, and this is without the add-on - why this is the case I don't know off-hand. I'd be curious what your results are if you also use a VPN.
previous threads #294 #211 #12
woo... the old issue of 294 is a palindrome of this issue 492 ... spooky 👻
Use this issue for extension announcements: new, gone-to-sh*t, recommendations for adding or dropping in the wiki list 4.1: Extensions. Stick to privacy- and security-related items.
🔸 possible additions
🔸 nah feel free to discuss
...