Privacy Leak in Mozilla and Mozilla-Based Browsers
Mike S. writes "Mozillazine has pointed users to this story at ZDNet UK which breaks the news about a privacy bug discovered in all Mozilla builds up to and including 1.2a as well as browsers based on Mozilla such as Netscape 6/7, Chimera and Galeon.
The bug allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field. This page has a demonstration of the bug and instructions on patching it via a user.js file."
The most disturbing thing about this... (Score:5, Interesting)
I love Mozilla. I use Mozilla. This just troubles me greatly. Even now that it's known, I haven't heard anything about a fix. Hopefully it'll be arriving shortly, because I like my privacy.
Re:The most disturbing thing about this... (Score:4, Insightful)
Bugs should be publicized immediately so fixes will happen sooner. It's good to first inform those who are responsible for the code so they can have a heads up, but months (if true here) is too long to wait.
Re:The most disturbing thing about this... (Score:2)
Which is not to say that they don't frequently disappear and reappear regularly as the flaws are hammered out, but for something to be completely untouched after this long is certainly not usual.
The problem with this bug (Score:4, Insightful)
If it isn't a big enough security hole to warrant instant attention then it should not be hidden in bugzilla, so anyone can have a whack at fixing it.
Re:The problem with this bug (Score:3, Interesting)
Re:The problem with this bug (Score:4, Insightful)
Are you going to tell me there actually are legitimate uses for onunload!?
I have used the internet since 1996 and have yet to come across the first site that uses this 'feature' *cough* in a useful, non-irritating manner (i.e. something other than opening a bazillion new popups as soon as you close the previous one)
I can not imagine why onunload exists in the first place - 2nd, I can not imagine why people would ever leave it on if they can turn it off.
But maybe that's just because my imagination is so limited
Re:The problem with this bug (Score:5, Interesting)
I'll give you one example. My company sells software with web front-end interfaces. One of the techniques we use is implementing a close-to-log-out feature. In other words, when you close the main app window, a handler fires that closes all daughter windows of the main app window and ends the user's session. That depends on onunload().
We also use onunload() to make sure the application doesn't get confused if a user closes a window on which the application depends. When the user closes a window-- an alert dialog, say-- the onunload() handler checks to make sure that everything is as it should be. If it isn't, an error condition is established. Without onunload(), our application would be much less reliable in those kinds of situations.
Re:The problem with this bug (Score:4, Insightful)
I mean no offense, but that's a terrible idea. I say that only because we had a pretty serious debate-- okay, shouting match-- about this in a team meeting about a year ago. On the one hand, there were us-- the managers-- saying that the software had to be resilient in the face of inconsistent or wrong user input. On the other, we had the engineers who said things like, "Browsers just don't work that way," and "Of course it's going to break if you do something stupid," and "We have to rely on the user closing their session properly." The bottom line is this: users don't do what you tell them. If you tell them not to close the window, they'll close it anyway. Your app has to be able to deal with things like that, just as it has to deal with "no such file or directory" or "out of memory." Without onunload(), it'd be impossible to write a non-trivial, resilient web application.
Okay, end of rant.
Re:The problem with this bug (Score:2)
Will you be my manager?
Honestly, I have never seen management side against engineering on issues like this. When it comes to issues like this, it always seems to be someone from QA (me) who has to propose these scenarios that "will never happen". Usually management just wants to get the thing out the door. Getting the customer not to do "something stupid" is a training or documentation issue.
I do stupid things every day. That's my job.
Re:The problem with this bug (Score:2)
Re:The problem with this bug (Score:2)
In an application I am working on, we have a popup configuration system which allows you to decide what content you want on the main page, reorganise it, change layouts etc. Once you are done editing you can close the popup, an onUnload then fires to force the main window to refresh (so you get to see the new layout).
Re:The problem with this bug (Score:4, Insightful)
The bug was public for two months before it was marked as security-sensitive. There isn't an army of coders who spend all of their time fixing known minor privacy bugs. The bug had the "privacy" keyword for almost two months before it was marked as security-sensitive, so it would not have been invisible to such an army.
I'm not saying it was a good idea to make it security-sensitive after it was open for a while. It wasn't a good idea in this case, because someone who had seen the bug while it was public decided to make it public again. I'm just saying that leaving it open probably would not have led someone to fix it immediately.
Re:The most disturbing thing about this... (Score:2, Insightful)
Re:The most disturbing thing about this... (Score:2, Insightful)
Mod Parent Up! (Score:2)
See parent comment aboot Slashcode.
Re:The most disturbing thing about this... (Score:2)
It seems to me that privacy bugs often get short shrift in Bugzilla [mozilla.org]. I believe we're still waiting to get inline loads blocked within mail messages (i.e. for web bugs).
Re:The most disturbing thing about this... (Score:5, Insightful)
Fine, this is not how you'd expect it to work.
But, GIVE ME A BREAK. Privacy issues on the Web are legend. Cookies, refer, hidden fields, the entire body of software we know as "IE", the list goes on and on and on.
So, by some new "stupid browser trick" you can now see where people are going -- not just where they've come from (as has always, forever, been the case).
Oh my.
If you are worried about "privacy" then you have been using an appropriate "junk busting" proxy from day one.
If you are not using such a proxy, then you are not now, and never have been, seriously worried about privacy. And, this "horror of horrors" is no more an issue to anyone than the Referrer field.
This sounds more like Microsoft Marketing poring through a Bug Base and using the media to turn a mole hill into a mountain.
Should it be fixed? Yea. So should Referrer be removed from existence. So should a lot of much more pressing privacy issues be outright abolished.
So go back to sleep. If you weren't worried about this yesterday, then there is no reason for you to be worried about it today.
Re:The most disturbing thing about this... (Score:2)
Firstly, the referer [sic] field only contains the URL of a *referring* page, not just any page you happened to be on before. Why? Because sending non-referring page URLs is an invasion of privacy. Furthermore, IE and Mozilla both stop you actually retrieving this data from Javascript, even though you can pass it to certain Javascript functions, showing that again this privacy is respected.
May I suggest you find out how your interweb browser works before posting in the future? Oh, and read the RFC: it's Referer field, not Referrer field.
Re:Metered bandwidth (Score:2)
I don't know if something exists yet (if not, off to Apache module programming land for me), but the server should make sure that an IP has gotten an HTML page before it fetches an image or other large binary.
The referer: header is good for keeping people in sites, but there is no need for the system to keep track of people coming from other sites, and being able to identify those sites.
Re:You can't put ads in a zip file (Score:2)
Without the Referer: how do they know where the links are coming from?
That's why GameFAQs.com allows linking only to HTML pages.
Exactly - a solution that doesn't involve Referrer.
Re:You can't put ads in a zip file (Score:2)
Re:You can't put ads in a zip file (Score:2)
nop, we need the search terms (Score:2)
I have, and never will have, any intention of mapping search terms to users but which search terms drive traffic to our site is a vital piece of information for us.
On a serious site search engine positioning is a daily job. Spending $50 on some shareware search engine submission program and running it the day you finish your web site just isn't enough.
The data we get from our referring page information is what helps us keep a top ten google position for our chosen key words.
I would guess that 90% of web design houses know next to nothing about web positioning. [which is great news for us
wget -e http://gspy.com http://gspy.com/app.zip (Score:2)
If it wasn't for referer the revenue streams of many Internet companies would disappear. And not just annoying stuff like ads and pop-ups.
Knowledge of traffic patterns and their journey is an important part of knowing how to promote your site. You can work with your cross linked sites to best position those links. For us the referer field is just as important as our hit counts, if not more so.
Re:The most disturbing thing about this... (Score:4, Funny)
Mozilla is open source. Why haven't YOU fixed this bug yet?
Re: (Score:2)
Re:The most disturbing thing about this... (Score:2, Insightful)
Fix explained in demonstration page (Score:2)
Re:The most disturbing thing about this... (Score:2, Informative)
Oh, give me a break. This flaw is so minor that I am not even going to bother to install the fix (I will wait for the next Mozilla release).
This bug allows a website to see the URL of the next site you are going to. It is little different from what all browsers have always done, when they provide the URL of the site you came from. If either one worries you, then just click on "home" before typing in a URL.
So how "disturbed" should you be? Let's put this case into perspective. Let's look at some of the IE security holes that Microsoft is currently sitting on, in some cases for over six months...
There are currently _19_ unpatched security holes in IE [pivx.com].
Here are some samples:
> Who framed Internet Explorer
> Description: Cross-protocol scripting, arbitrary command execution, local file reading, cookie theft, website forging, sniffing https, etc.
> MS JVM native method vulnerabilities
> Description: A collection of at least 10 different vulnerabilities in the MS JVM, escaping the sandbox, local file reading, silent delivery and execution of arbitrary programs, etc.
> WMP Stench
> Description: Silent delivery and installation of an executable on a target computer
> Java XMLDSO base tag
> Description: Arbitrary local file reading.
> delegated SSL authority
> Description: HTTPS spoofing, man-in-the-middle attacks, etc.
> document.domain parent DNS resolver
> Description: Improper duality check leading to firewall breach
> CTRL-key file upload focus
> Description: Local file reading, downloading and executing arbitrary code.
> IE https certificate attack
> Description: Undetected SSL man-in-the-middle attacks, decrypting SSL-encrypted traffic in realtime.
> Published: December 22 2001 ( Stefan Esser )
> Published: June 6 2000 ( ACROS )
> Status: Initially fixed in IE4 and early IE5s by MS00-039, re-introduced by a later patch.
Arbitrary command execution? Local file reading? Escaping the sandbox? HTTPS spoofing? Firewall breach? Decrypting SSL-encrypted traffic? Yikes!!!
Of the nineteen open security holes in IE, nine of them allow binary executable code to be run on your computer.
Compared to that, this Mozilla bug is so minor that it barely deserves mentioning.
Re:The most disturbing thing about this... (Score:2, Interesting)
Last I checked, I can't download Internet Explorer source code and do my own fixes or add my own features.
There is a difference, take some responsibility.
People get hung up on open source and forget that the only real difference is the source. Paid support and paid staff often does have benefits.
Re:The most disturbing thing about this... (Score:2)
i am one of those people looking for a desktop alternative to windows. i don't program. i don't read code. i don't know how. i don't want to, i just want it to work.
not everyone who uses open source programs or operating systems should be checking/fixing code. that would mean that there is a relatively small, stagnant (ie not growing) population of users. this is not what we want, right?
Dear Slashdot morons (Score:5, Interesting)
Re:Dear Slashdot morons (Score:5, Funny)
Dear BugZilla morons (Score:2, Troll)
We will not tolerate ourselves to look stupid while accusing other companies of leaving security holes for months, and then doing it ourselves. Do it again, and we will slashdot you again. And yes, we will defeat your referrer. Thank you, have a nice day. :)
Re:Dear BugZilla morons (Score:2)
It's not a "we get to rape your local filesystem" bug. It's a "web surfing history" bug. It's not that scary.
I prefer to look at the bright side. It's fixable with a userland .js file with no recompiling. That's sort of neat.
Easy work-around for now (Score:5, Informative)
user_pref("capability.policy.default.Window.onu
You won't miss those onunload events anyway
Re:Easy work-around for now (Score:2)
Re:Easy work-around for now (Score:3, Interesting)
This was the solution to a hack, actually (IIRC). The Page Widening Trolls (TM) like to make a string of text thousands of characters long so there's a real nasty side-scroll. By adding in that space every X number of characters, it became impossible for the trolls to make the window side scroll.
Re:Easy work-around for now (Score:2)
Re:Easy work-around for now (Score:2)
Sure it does. If it's intentional we call it a 'feature' not a bug. Or, as we say in the shop, "The only difference between a feature and a bug is that a feature has documentation."
Re:Easy work-around for now (Score:3, Interesting)
Re:Easy work-around for now (Score:3, Informative)
Re:Easy work-around for now (Score:4, Informative)
Re:Easy work-around for now (Score:4, Informative)
Re:Easy work-around for now (Score:3, Informative)
If you just use mozilla as it is then you create your user.js in ~/.mozilla/[your_username]/[some random directory name]/user.js - the path up to user.js should exist already if you have used mozilla, and hopefully only 1 with a weird random name
If you use galeon, then it goes in ~/.galeon/mozilla/galeon/user.js
Re:Easy work-around for now (Score:2)
No Big Deal (Score:3, Interesting)
Re:No Big Deal (Score:2, Informative)
I'm not real upset by this. (Score:2, Interesting)
HTTP_REFERER (Score:5, Interesting)
It always bemuses me that people seem to think these things are new. Tracking exits is relatively simple and as for how people access your site, just check HTTP_REFERER. Typed URLs and bookmarks show no referer, links show you who sent them to your site. Granted, it's not 100% infallible, but it works on any browser. I'd rather trade 80% accuracy 100% of the time than 100% accuracy on 5-10% of hits.
From time to time, it still amuses me to be watching the logs while I'm chatting to a visitor via Messenger and tell them what system they're running, what their screen res is, color depth, what enabled/disable features they have and the path they've taken through the site. If you're really that bothered, JavaScript even lets you track their mouse's movement around and how they scroll up/down the page and then play it back on your own PC, telling you things like how fast they read and what they paid attention to.
This is not the same as Referer tracking. (Score:2)
Of course, if you really wanted to do that then in most cases you'd just set up a bounce script on your server, much like freshmeat does, so that it would work on anyone.
Explanation of exit tracking (Score:2)
It's more or less the inverse, this bug enables the referer to know where they referred you to.
Grandparent was talking about the CGI scripts used to track users who click an outward link on a web site. (Some Slashdot users abuse those scripts to create a link that appears to go to Yahoo! but really goes to Goatse.cx [yahoo.com].) However, this bug in Mozilla gives a site's scripts access to a clicked bookmark or to a URL entered in the location bar.
Re:HTTP_REFERER (Score:2)
This is significantly more of an invasion of privacy than you make it out to be. If a website owner knows that I clicked a link on cnn.com to get to your page, that's no big deal. With this bug, however, a web page can track if I, out of my own whim, decide to go to porn.com after visiting your site. This is decidedly unexpected behavior, since if I'm entering in addresses into the goto bar myself, I don't expect anybody to be tracking my behavior.
Re:HTTP_REFERER (Score:4, Informative)
iCab, on the Mac, has a setting (and has had it almost since its very first versions) to only allow the Referrer: to be sent only when in the same domain (or even never sent). So Sony.com can trace how I look through their site, but cannot see that I came to Sony's site from a link on slashdot.org
I could even set it to never send it, as well.
Re:HTTP_REFERER (Score:2)
I care much more that enigmail doesn't work (Score:2)
Re:I care much more that enigmail doesn't work (Score:2)
Re:I care much more that enigmail doesn't work (Score:2)
I'm surprised.. (Score:2, Insightful)
"The bug in Internet Explorer allows a web site to track where you're going when leaving the site whether you use a link, a bookmark or type a URL into the address field"
you would hear a plethora of privacy zealots bitching and moaning how this is typical M$ practice and blah blah fucking blah.
Because of a
I have excellent Karma, so if you can't handle the truth, mod me down, I don't give a shit, I'm just sick of the "hippicratical oath"
Re:I'm surprised.. (Score:2)
So: people on Slashdot like Mozilla. This bug isn't a big enough deal to really affect anyone, so they don't complain. People on Slashdot hate Microsoft. The bug still isn't a big enough deal to do something about if you're affected, but you can point and laugh at Microsoft about it nonetheless.
Re:I'm surprised.. (Score:2)
His comment sounded pretty objective to me. Have you ever used Mozilla? Assuming the answer is yes, have you ever used a state-of-the-art browser like IE 5 or 6 or OmniWeb 4.1? Mozilla would have been great if it had been called Netscape 5.0 and released in early 1998. Since this is 2002 and the world has moved on, Mozilla sucks pretty hard.
Re:I'm surprised.. (Score:3, Insightful)
Since you sound like an otherwise reasonable person, I can't help but think that you simply haven't given Mozilla a chance. Having used all of the major browsers available, I prefer Mozilla. Not because it's open-source, not because it's an underdog, but because I like it. If you'd said, "Mozilla doesn't offer enough for me to switch," that would've made sense; however, I can't see how anyone who'd used Mozilla (1.0+) could think it "sucks pretty hard."
Re:I'm surprised.. (Score:2)
She DID it with TWO STACKS of old PHONE BOOKS and a COPY of the MOZILLA source code in BINARY!
(Oops. Sorry.)
Why Mozilla Sucks Hard
An Essay by Foobar104.
(Okay, not so much an essay as just a list, in no particular order. Also, I make no guarantee that this is my complete list of gripes. If you refute all of these, I will either just ignore you and pretend I never came back to this thread, or I'll respond with, "Yeah, but what about x and y? Bet you think Mozilla sucks now, don't you!?")
1. On both platforms I've tried-- Windows 2000 and Mac OS X-- Mozilla is significantly slower than the browser of choice on that platform. Browsers of choice being IE and OmniWeb, of course. Does it render pages faster? Who the hell cares? How fast it renders pages has no effect on me at all if I refuse to wait the eight to twelve seconds it takes to launch the application or the five seconds it takes to open a new window.
2. Mozilla's user interface does not follow the HCI standards of any known platform. It's equally quirky and wrong on Windows, Mac OS 9, or Mac OS X.
3. The Mozilla preferences dialog is completely screwed. There are dozens-- maybe as many as a hundred-- preferences listed in that dialog, grouped in categories that make little sense if any. And, on that subject, don't anybody ever say the words "edit your user.js file" to me again, okay? If I wanted to fart around with config files, I'd just write my own browser. This is my home machine, and I expect to be able to use it without firing up a text editor.
4. The Mozilla toolbar is broken and can't be fixed by mere mortals. By which I mean this: I want a home button on my toolbar, but Mozilla doesn't let me put one there. I want to show only icons in the menu bar, but Mozilla won't let me do that, either.
5. Text fields-- both plain text fields and textarea fields-- are broken. What do I mean by "broken?" I mean that these things do not work correctly. What am I, Bugzilla?
6. The sidebar "feature," which no right-minded person would ever find useful, is so bloated and overbuilt that it must take up a significant fraction of the total size of the application, both in terms of megabytes on disk and megabytes of RAM when running.
7. Speaking of megabytes, who told the Mozilla "team"-- and I use the word loosely-- that they could ship a 35 MB web browser that eats up as much RAM as Microsoft Word and Microsoft Excel combined? OmniWeb is 8 MB, and that's for the version with i18n.
8. "New Window" is on a fucking submenu. That's absurd. Have those guys really never read the Apple Human Interface Guidelines? No matter what OS you write software for, that book is the bible, man.
That's it. I'm done now. Mostly because I'm just bored.
Re:I'm surprised.. (Score:2)
The last time I used mozilla was admittedly a long time ago, but it was slower than a donkey's ass on christmas, and I haven't had any reason to go back and look at it again, because IE seems to be getting better and better.
Re:I'm surprised.. (Score:2)
No, I didn't say Linux was a horrible product. In fact, I love Linux and install Cygwin tools on my windows pc just so I can use similar tools.
What I did say is that
I can give 2 sh*ts who makes the software, just as long as it performs well and is relatively cheap to own [free is the best obviously]
Re:I'm surprised.. (Score:2)
Already fixed in Suse 8.0 (Score:2, Informative)
Muwahahaha (Score:4, Informative)
Anyhow, I think everyone should look into Privoxy [privoxy.org]. In my setup, I have all on(un)load tags removed, and the referer forged to report it as the root of the current server.
It's quite nice. You simply set up a regex to replace/remove any HTML, you can configure that feature on a site-by-site basis, and do so using a simple web-editor.
So, check it out, and take back full control of your browser.
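The filtering this comment describes (dropping on(un)load handlers and forging the Referer to the root of the destination server), together with the same-domain and never-send Referer settings mentioned for iCab earlier in the thread, as an added example that is not part of the original thread and is not Privoxy's or iCab's code. The function names, policy names and sample HTML are constructed for illustration.

```javascript
// Added example: hypothetical names, not Privoxy's or iCab's implementation.

// One opening tag. Quoted attribute values are consumed whole so that a '>'
// inside a value does not end the tag early.
const OPEN_TAG = /<[a-zA-Z][^\s>\/]*(?:"[^"]*"|'[^']*'|[^>"'])*>/g;

// One attribute: whitespace, a name, then an optional quoted or unquoted value.
// Matching whole attributes in sequence means text that merely looks like
// "onload=..." inside another attribute's quoted value is left alone.
const ATTR = /\s+([^\s=>\/"']+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;

const LOAD_HANDLER = /^on(?:un)?load$/i;

// Remove onload/onunload attributes from every opening tag in the HTML.
// Handlers assigned from inside <script> blocks (window.onunload = ...) are
// not touched by this filter; it only covers the attribute form.
function stripLoadHandlers(html) {
  return html.replace(OPEN_TAG, (tag) =>
    tag.replace(ATTR, (attr, name) => (LOAD_HANDLER.test(name) ? "" : attr))
  );
}

// Decide what Referer value, if any, accompanies a request for toUrl made
// from the page at fromUrl. Returns null when no header should be sent.
//   "never"      - never send a Referer
//   "same-host"  - send the real Referer only when both URLs share a hostname
//                  (an assumption about what "same domain" means)
//   "forge-root" - always report the root of the server being requested
function refererFor(policy, fromUrl, toUrl) {
  const to = new URL(toUrl);
  switch (policy) {
    case "never":
      return null;
    case "same-host":
      return new URL(fromUrl).hostname === to.hostname ? fromUrl : null;
    case "forge-root":
      return to.origin + "/";
    default:
      throw new Error("unknown referer policy: " + policy);
  }
}

// Constructed sample page: two handler attributes to remove, plus a title
// whose quoted value contains '>' and the text "onload=" and must survive.
const SAMPLE_HTML =
  '<body bgcolor="#fff" onUnload="leave()" title="x > y onload=z">' +
  '<img src="a.gif" onload=ping()><p>text</p></body>';

console.log(stripLoadHandlers(SAMPLE_HTML));
console.log(refererFor("forge-root", "http://slashdot.org/article",
                       "http://www.sony.com/products/tv.html"));
```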
Re:Muwahahaha (Score:2)
Re:Muwahahaha (Score:2)
The last time I brought this up, someone said the same thing about the Opera/Internet Explorer Javascript exploit.
Besides, my more general problems concern that javascript gives anonymous webmasters the ability to use your processor for just about anything they want...
If they just wanted to annoy you, they can popup infinite windows (even with Mozilla configured to block them) to eat up your memory and CPU. They can have an infinite loop of javascript alerts (meaning all open browser windows lockup, and you are forced to kill your browser).
Hell, a webmaster could even use javascript to record every movement of your mouse on every webpage they maintain...
Considering that I've only ever seen ~2 useful applications of javascript, it doesn't even warrant a debate.
Not to knock Mozilla but... (Score:3, Interesting)
For instance, the new keyboard stuff in 1.2a (ok, it's an Alpha I know), had screwed up Javascript's keydown events - the browser intercepts them first, then passes the event to the scripting engine so if a key is held down you get the annoying error "bell" as the buffer is filled. Keyboard events->javascript is/was also broken completely in the Mac/Linux port from 1.1. 1.2a is also slower than 1.1 at rendering dynamic content - especially content that involves keyboard input (like games) due to the problem above.
Also when will they fix the damned image clipping bug in linux that's been there for 2 sodding years now?!! For those who haven't seen it, when clipping an element containing images that have transparency, everything except the images will be clipped, completely ruining the layout of dynamic scripts.
I guess no-one wants to work on the boring stuff like making it work when there's sidebars, tabs and themes to be had...
</rant>
Re:Not to knock Mozilla but... (Score:2)
Re:Not to knock Mozilla but... (Score:2)
Re:Not to knock Mozilla but... (Score:2)
Yes it's stable, but it's also too slow to take seriously. 1.1 wipes the floor with 1.0 in terms of rendering speed with dynamic content. I need to know the direction the browser is taking all the time as I maintain a javascript API for game-writers. I have to know what's changing before the stable release.
At the moment I'm becoming so despondent with more and more things becoming broken, and consequently having to add more and more code forks that dropping all Mozilla support until they fix things is looking more likely.
I hate IE only sites more than anything, but the Mozilla developers are making it very hard to support their browser. I'm not the only scripter saying this either. They just don't seem interested in addressing the problems reported to them (as I do frequently on Bugzilla, taking time to create examples and documenting the problem, though it gets me nowhere).
Re:Not to knock Mozilla but... (Score:2)
You have no obligation to support anything but major releases, and they will always be easy to support, end of story.
cookie, cookie, cookie (Score:2, Interesting)
For this demonstration, the image loaded is really a script that sets a cookie with the request referer.
I just said "no" to the cookie dialog and that appears to have broken the example.
If you're going to raise a stink about your browser's security, why are you accepting any and all cookies?
Re:cookie, cookie, cookie (Score:3, Informative)
For this demonstration, you need to enable cookies. The bug itself does not require cookies to be enabled, however.
I think that explains the situation pretty clearly.
I can't get the demo to work... (Score:2)
I looked at my settings, and was amused to find that I had disabled javascript's ability to create/mess with cookies. I'm happy the Mozilla team partitioned the javascript functionality like this, because (it appears anyway) that until a bug fix is available, you only have to disable this one aspect of javascript.
Re:I can't get the demo to work... (Score:3, Informative)
I hate to defend Microsoft... (Score:4, Insightful)
George Carlin said it best, that we think in language. Changing the rhetoric that is used to describe the problem doesn't change the problem. You can be Anti-Microsoft all you want, but that is worth NOTHING if the software that you choose to use exhibits the same problems, and you are not honest about them.
Again, I'm not taking Microsoft's side -- there aren't sides to take. Open Source software needs to be just as accountable as commercial software if it's to be taken seriously.
Re:I hate to defend Microsoft... (Score:3, Insightful)
Re:I hate to defend Microsoft... (Score:2)
Umm, maybe because this bug isn't severe? It only lets a malicious site find out what URL you visit immediately after leaving the site. I'm much more concerned about IE's policy of allowing sites to read from and write to the clipboard than I am about this bug.
Not to defend either one, but.. (Score:2)
Privacy leak: lets someone else see what I'm doing or where I'm going. Does not let them see into my system.
Security exploit: lets someone else see the contents of my HD.
Severe security exploit: lets someone else *manipulate* the contents of my HD, pilfer my credit card number, or something else on that order.
Re:I hate to defend Microsoft... (Score:2)
Now explain to me how you could do the same thing with IE.
I'll not be holding my breath....
Because unlike IE I can uninstall Mozilla (Score:2)
I'm tons more willing to cut some slack to a free and open source project for a minor issue than to let off some corporation responsible for riddling my machine with security problems I can't uninstall-- and routinely refuses to fix in a timely manner.
Ignorance and Foolishness rated as Insightful (Score:2, Informative)
> But why is it when its an IE bug, its a "Severe Security Exploit", and when its a Mozilla bug, its a "Privacy Leak"...
And it is currently rated as "Score:5, Insightful".
I fear that Slashdot's moderation facility is being used by Microsoft as another FUD tool. While some posters try to moderate honestly, Microsoft astroturfers moderate each others' posts up, thus increasing their karma, and giving themselves more power to moderate.
There is no objective basis by which the above post could be considered "insightful".
In fact, the above post is completely stupid.
The post suggests there is something wrong when some IE vulnerabilities have been rated "Severe", while this Mozilla vulnerability is just rated as a "Privacy Leak".
Let's consider that.
Should this Mozilla problem be considered as "severe"? Hardly. As others have pointed out, providing the URL of the site you are going to is not that different from what all browsers have always done when they provide the URL of the site you came from. In fact, the problem is so minor that I am not even going to bother installing the fix until the next browser release comes out. When referring to this problem, the words "Privacy Leak" are, if anything, too strong.
On the other hand, let's consider some of the _19_ currently unpatched security holes in IE [pivx.com].
Here are some samples:
> Who framed Internet Explorer
> Description: Cross-protocol scripting, arbitrary command execution, local file reading, cookie theft, website forging, sniffing https, etc.
> MS JVM native method vulnerabilities
> Description: A collection of at least 10 different vulnerabilities in the MS JVM, escaping the sandbox, local file reading, silent delivery and execution of arbitrary programs, etc.
> WMP Stench
> Description: Silent delivery and installation of an executable on a target computer
> Java XMLDSO base tag
> Description: Arbitrary local file reading.
> delegated SSL authority
> Description: HTTPS spoofing, man-in-the-middle attacks, etc.
> document.domain parent DNS resolver
> Description: Improper duality check leading to firewall breach
> CTRL-key file upload focus
> Description: Local file reading, downloading and executing arbitrary code.
Arbitrary command execution? Local file reading? Escaping the sandbox? HTTPS spoofing? Firewall breach? Should any of those be considered "severe"? You betcha!
In fact, of the nineteen open security holes in IE, nine of them allow binary executable code to be run on your computer.
So clearly, the original poster is an idiot. Objectively, his post should be rated "Score:-1, Troll".
I would say that the posters who moderated his post up are even bigger idiots, but I don't believe that to be the case. Instead, I figure they're probably professional liars, being paid by Microsoft.
bug? (Score:4, Interesting)
First of all, this does not allow someone to track where you're going but rather where you went. I know that sounds like nitpicking, but really it's the difference between a bug and a correct protocol implementation.
The method described is to check the referrer on requests sent to a particular server after the user has left a page on that server. Surprise! the referrer is now their current location i.e. where they went after your site.
Would you expect any different?
It's a matter of micro-seconds and request timing.
Ok, maybe they could make sure all requests generated by an 'onunload' event are handled before the request to the following page, but personally I would consider that a judgement call and not a 'bug'.
Also, I've noticed people here don't seem to give a hoot that your entire history of where you came from can be far more easily tracked!
Disable referrer (Score:2)
Opera lets you turn off the referrer entirely. I always use that, for privacy reasons. Besides, it lets me use the Bugzilla links that people say are designed to be unaccessible from Slashdot :-).
What good is the referrer supposed to do, anyway? I always found it disturbing to be able to see in my logs which IMAP folders people use with their webmail.
Re:Yawn. (Score:3, Insightful)
Google Browser buttons [google.com] after reading your web page to execute a search. I may not want you to know that after reading your web page I executed a search for "anonymous STD testing Chicago."
It's not "nasty" per se, but I sure don't need to broadcast that to the world.
Re:Yawn. (Score:3, Funny)
Re:Moron moderators: (Score:2)
Funny trumps off-topic. A post that's both funny and off-topic will be moderated as funny. A post that's merely off-topic-- without being funny-- will be moderated off-topic.
This should be obvious. Perhaps your trouble is that you're an idiot?
Re:Yawn. (Score:2)
My advice-- (Score:3, Insightful)
In the real world, there will always be security problems. The real issue is the scope of those problems. I happen to think that Mozilla and open source software in general tends to be more secure (aside from old versions of BIND and all versions of Sendmail).
If security is what you want, do a risk assessment, and look at the actual ways that different products will mitigate those risks. If you use Linux because it is "More Secure" then you are asking for trouble. So, you need to make up your own mind and determine what you need to do.
In other words, don't follow someone's opinion until you understand why they think that way and whether it applies to your situation.
Re:My advice-- (Score:2)
Why don't _you_ decide instead? (Score:2)
Just be thankful it's open-source, because that means that there's a couple million people who can help fix it.
Re:Mozilla .... you are the weakest link (Score:2, Offtopic)
Either that, or Opera [opera.com].
I'd switch to Konqueror in a heartbeat if it supported a way to hand off the URL of a link to another program, though. I love Konqueror, but I love Downloader for X more.
Offtopic, but are KDE developers going nuts on optimizations? Built 3.0.3 yesterday, and it just flies on my old K6-500.
Re:Easy Fix! (Score:3, Insightful)
The implementors of the demo were lazy (having no server-side scripting) and used a cookie to record the information leaked by onUnload. You are in no way protected by disabling cookies.
That just breaks the demo, the vulnerability is still there.
Re:I use Netscape 3.0.1 ONLY (check my referral) S (Score:2)
Yeah, I'm off-topic. I'm way the fuck off-topic. I'm so off-topic, I'm not even going to mention the topic (although I could, just to stay topical). Mod me down if you want. I've got karma to burn, and I'm feeling grouchy and self-destructive.
Re:Here's a solution: (Score:2)
I will mail one crisp new American dollar, postage paid, to the first person who moderates this comment down. Send your claim to foobar104@yahoo.com [mailto].
Re:this is redundant -- (Score:2)