
So presumably, no cache means it doesn't work. I never have a cache turned on. It generally doesn't bother me if a page loads in 1 second or 10.
A Google researcher has resurrected an attack that allows website operators to steal the browsing history of visitors almost a year after all major browser makers introduced changes to close the gaping privacy hole. Proof-of-concept code recently posted by Google security researcher Michal Zalewski works against the majority of …
Simple workaround with many spin off benefits: treat your computer as a production machine,
So no running of arbitrary programs -- especially Javascript ones -- unless you have (at best) got a QA certificate for the specific scripts being run; or (at worst) have a QA certificate vouching for the code from the site that has supplied the code.
Even today -- where the best we can do is whitelists of sites we trust to supply Javascript code -- using Noscript adds an important layer of security to the machines we use every day.
But it is time that Javascript is recognised as an attack vector and is subject to mandatory QA checks before it is allowed through firewalls.
Do you expect some entity is going to manually check every piece of Javascript code on the net for potential security issues? Who do you think is going to pay for that?
As for NoScript, it seems to lead to a lot of the following behavior: Go to website; notice site doesn't work properly; glance at a couple hundred kb of usually uncommented, commonly cryptic, occasionally obfuscated Javascript code; tell NoScript to load everything or whitelist the site. Which really isn't much of an improvement in security.
Yes, idiot web designers use it indiscriminately. Noscript breaks them. I choose not to use those sites and if I have to then it runs in a VM. I'm prepared to make that tradeoff for security.
"tell NoScript to load everything or whitelist the site. Which really isn't much of an improvement in security"
Obviously security isn't a priority to you as you freely discard it. Your choice, your responsibility, your hackage, that's fine but please don't whinge about it.
But we keep going through this every time, don't we.
People: turn off scripting. Do it now, get used to it being off. If you don't want to, don't moan here if you get sniffed/hacked. It's your tradeoff.
(@volsano: noscript or a high-level proxy is the right place to block jscript; a firewall typically works at a much lower level)
(@them who disable caching: that can significantly increase the load on the servers, hence their cost to run, which isn't fair on the majority of sites who don't abuse your browser)
Because caching to speed page loads is an actual FEATURE of most browsers, dating all the way back to the dialup days when pages loaded slower than molasses, even without lots of images and whatnot. This script seems to exploit this FEATURE to determine if it's been cached previously. And for those who say don't use JavaScript, I suspect this is merely used as a means to the end. I strongly suspect it (with the right coding) could be done completely SERVER-SIDE and therefore beyond MOST means to block or even detect it (because it doesn't have to use an IFRAME--think two obligatory IMG tags--say a header and a footer--and timing the difference between each one's call; that would get all but the Lynx users, and I suspect even cleverer coding could get even them).
If you look at the comments in his source code, you'll note that it cancels the requests before they can be completed if the site hasn't been cached. So it doesn't pollute its results if run repeatedly, and doesn't leave traces of having been run (aside from the script itself being cached, of course).
The exploit does not work for me; plus, all versions give roughly the same (erroneous) results (i.e. the versions which are not supposed to work do not work worse than the one which is supposed to work). Also, same results after clearing the cache.
Although to be honest there might or might not be a caching proxy between me and the wild wild web; if that is the reason, someone here lurvs Justin Bieber and someone else likes Playboy (I really hope they are not the same person).
This example works by timing how long it takes the browsers to render the display; if the site has been cached then it is going to load quicker. This is a functional benefit to most surfing, so yes, you can turn off caching, most people have a decent connection now, but the next "vulnerability" will be DNS caching; shall we turn that off too?
If you have problems with using noscript then don't, but as the previous post points out, don't come b1tching to us that you failed to take reasonable measures of protection.
Flash gets my vote for being the worst vector
Doesn't this mean that you have to tell it what websites you want it to check for?... rather than just ask your computer which websites you've been to... if a NAT'd computer is behind a caching proxy, isn't it likely that you'll get the same results for every computer in that network as well...
neat though...