The only really annoying thing is the idiotic WebRTC settings. Their love for "data channels" with zero prompts, despite having no legitimate uses, ignores your proxy settings. This should be fixed.
1: I asked someone involved with WebRTC. They suggested "maybe a page wants to communicate with your fridge directly" as a serious use of WebRTC data channels.
I can understand not wanting to scare people with "Allow P2P Data Channel", but ignoring proxy settings and revealing all IPs is unacceptable. WebRTC folks toss off these concerns with "there's no way to prevent tracking so heh".
But that's orthogonal to whether it's torrenting. You can torrent while respecting network settings, and without exposing local IPs.
We should be reducing the amount of data exposed and fixing the mistakes of the past that allowed so much data to be easily exfiltrated.
> Best experience first.
"Best" is not a defined term. What software developers should (always) be providing is the safest method first. Fancy UI tricks are a far lower priority than safety. If there is any doubt, fail safely.
Anybody that isn't putting safety first is being incredibly irresponsible. Stop leaking data and design for safety and security first. Yes, it will be harder to make a nice user experience. In time, this will improve, but in the meantime safety is not something that can simply be ignored.
Safety is not an optional feature that only some people should have.
How will you know that a download is desired or not?
I don't really mind the trend in browsers over the last several years to give explicit access to more OS resources, it frees us from both Flash and Java Applets, Adobe's PDF reader, and other crap. But I'm not sure the browser replacements, at least in the short term, will actually get the security models any better. Is there any reason to prefer all these new JS APIs over allowing a Java Applet, besides "Java Applets are insecure"? It's certainly not performance -- I know many people chuckle when someone demos the latest X in JS (with or without WebGL) where X was done better with less hardware years ago via an applet. Secure or not, it's incredibly difficult to actually run an applet these days, and it's a strange disconnect with how the browser is fine doing so much else without warning. Will we see a similar increase in difficulty for running JS that can be just as insecure?
I've been a NoScript and adblock advocate for many years, but the first is often met with alien stares and the second is only successful when I install it on their browser myself or when I'm recommending adblocking to either other technical people or people who really hate ads even on TV. There's a weird resistance some people have that can get brought up in both cases, though, and it's probably going to take more than a few big public fails due to malicious websites before people will stop bringing it up. The argument adblocking users have been making for ages: this is my computer, my browser, and neither is under any obligation to act in a particular way based on the contents of what your server sends me. I don't like your ads? I can choose not to see them. I don't trust your JS? I can choose not to execute it. I don't like your theme? I can load my own. It's very weird to me that people oppose this view.
I hate that. Is there a reliable way to turn that behavior off?
The page also thinks my system is flat on a table. Close; the screens are, while the tower's on the floor :P
Data channels are useful for synchronizing your phone and your laptop. All native platforms support this. Most websites do it with a roundtrip to the server. So it would be mysterious to the user why a permission is prompted for something that should just work. Obviously it's bad for privacy though.
So painting it as having no legitimate uses is a bit one-sided. There is no easy fix.
In general I want a website to suck as much power as possible so it can be done sucking power as soon as possible, whether I'm on battery or not. If you want to find waste, track execution time and bandwidth use.
At least, it makes sense to measure battery usage to optimize your code. And in my opinion, it's also beneficial to react to battery events (delay when on low battery, process when on a wall socket) and network events (bad coverage vs. strong wifi).
- some stuff from my User Agent string (changing it to IE11 made it think I'm on Windows 8)
- my public IP, network provider and approx. downstream speed.
I don't use Facebook or Google so I don't know if those things would have worked.
None of the network scanning worked, it didn't use the geolocation stuff, etc.
If Chrome/Firefox/IE do allow access to all/some of those things without prompting, jesus titty fucking christ.
All of you claiming "Safari is the new IE6" need to perhaps pay attention.
Google has a vested interest in pushing browser technologies regardless of the cost to privacy or user security - their ChromeOS devices depend on a world where web apps can do everything.
All in all, not very spooky with Safari at least.
I assume (because mine didn't show anything) that it's relying on the browser leaking its device-detected location without prompting?
After your comment I loaded the page again, and sure enough it shows a very specific, but quite wrong location. Wrong province wrong.
I actually got better GeoIP results than that (down to the local city) on my old broadband connection. I just tried it now (we moved 2 km and changed ISP, from DOCSIS to ADSL) and all I get is the country now - possibly because it's dynamic whereas our DOCSIS IP never seemed to change.
So it's kind of creepy on Google's part that they even offer this service, but the data seems to be so woefully useless that I can't believe anyone would actually use it.
So, the script creates an (invisible) <img> element for every website which points to the login page (which might redirect to the favicon). If it receives an image, the user is already logged in and the onLoad() callback will fire. Otherwise, it will get an HTML page, so the onError() callback will fire.
It could work with any image on the website, not just the favicon.
I reported this bug to every company listed there, but all of them said it is not relevant to their users' privacy.
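The probe described in the comment above, as an added example (this is not the page's script and not the commenter's code). It assumes the placeholder login URLs redirect an authenticated user to an image and serve HTML otherwise; the `ImageCtor` parameter and `FakeImage` stand-in exist only so the logic can be exercised outside a browser.

```javascript
// Added example, not the page's own script: the <img>-based login probe the
// comment above describes. The browser attaches the target site's cookies to
// the image request. If a logged-in user is redirected from the login URL to
// an image (favicon or any other), onload fires; an HTML response fires onerror.
// Target URLs are placeholders assumed to behave that way, not real endpoints.
const PROBE_TARGETS = {
  'social.example': 'https://social.example/login?next=/favicon.ico',
  'mail.example':   'https://mail.example/login?continue=/logo.png',
};

// Probe one URL. ImageCtor is injectable so the logic can run outside a
// browser; in a browser the global Image constructor is the default.
function probeLogin(url, { timeoutMs = 5000, ImageCtor = globalThis.Image } = {}) {
  return new Promise((resolve) => {
    const img = new ImageCtor(); // never appended to the DOM, so nothing is visible
    let timer;
    let settled = false;
    const finish = (state) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      img.onload = img.onerror = null;
      resolve(state);
    };
    timer = setTimeout(() => finish('unknown'), timeoutMs);
    img.onload = () => finish('logged-in');   // got an image: redirect followed with a session
    img.onerror = () => finish('logged-out'); // got HTML (or the request was blocked)
    img.src = url;
  });
}

// Probe every target in parallel and return { name: state }.
async function probeAll(targets, opts) {
  const entries = await Promise.all(
    Object.entries(targets).map(async ([name, url]) => [name, await probeLogin(url, opts)])
  );
  return Object.fromEntries(entries);
}

// Constructed test double so the example runs under Node: pretend the user
// has a session on social.example only. Not browser data.
class FakeImage {
  set src(url) {
    const loggedIn = url.startsWith('https://social.example/');
    setTimeout(() => {
      if (loggedIn && this.onload) this.onload();
      else if (!loggedIn && this.onerror) this.onerror();
    }, 0);
  }
}

// Use the real Image in a browser, the stand-in elsewhere.
async function demo() {
  const ImageCtor = typeof Image === 'function' ? Image : FakeImage;
  return probeAll(PROBE_TARGETS, { ImageCtor, timeoutMs: 1000 });
}
```

The probe only works while the browser sends the target's cookies on a cross-site image load; cookies marked `SameSite=Lax` or `Strict` are not attached to such requests, and an extension that blocks third-party requests (as discussed further down the thread) never lets the request leave.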
Note to the author: I am not entirely sure how the WebRTC connection gets you a local IP, it seems to be connecting to stun:stun.services.mozilla.com. Anyway, that grabs the wrong local address for me, and gets the IP of my docker0 interface, perhaps it could grab more IPs, or is it just displaying the first one it finds?
Edit: Oh, the getIP function just calls the callback on the first candidate it finds.
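An added example (not the page's `getIP` function) of collecting every ICE candidate instead of stopping at the first one, which is what makes docker0 show up while the LAN address is missed. The candidate strings in the test are constructed; the STUN URL defaults to the one the comment above observed and is an assumption about the page, not verified against it. `gatherAllCandidates` needs a real browser and is not executed here.

```javascript
// Added example, not the page's code: gather all ICE candidates and pull the
// address out of each. With a STUN server configured, host candidates expose
// the local interface addresses (LAN, docker0, VPN) and srflx candidates
// expose the public address plus, via raddr, the local address they map to.

// Parse the SDP candidate attribute (RFC 8839 syntax):
// "candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <a> rport <p>] ..."
function parseIceCandidate(candidateStr) {
  const s = candidateStr.trim().replace(/^a=/, '').replace(/^candidate:/, '');
  const f = s.split(/\s+/);
  if (f.length < 8 || f[6] !== 'typ') return null;
  const c = { foundation: f[0], transport: f[2].toLowerCase(), address: f[4], port: Number(f[5]), type: f[7] };
  const r = f.indexOf('raddr');
  if (r !== -1 && f[r + 2] === 'rport') {
    c.relatedAddress = f[r + 1];
    c.relatedPort = Number(f[r + 3]);
  }
  return c;
}

// Group what each candidate reveals: local interfaces, public address, relays.
function classifyCandidates(candidates) {
  const local = new Set(), pub = new Set(), relay = new Set();
  for (const c of candidates) {
    if (!c) continue;
    if (c.type === 'host') local.add(c.address);
    else if (c.type === 'srflx' || c.type === 'prflx') {
      pub.add(c.address);
      if (c.relatedAddress) local.add(c.relatedAddress); // the base the STUN mapping came from
    } else if (c.type === 'relay') relay.add(c.address);
  }
  return { local: [...local], public: [...pub], relay: [...relay] };
}

// Browser side: open a data channel, start an offer, and keep collecting until
// the end-of-candidates (null) event or a timeout. Assumed STUN URL.
function gatherAllCandidates(stunUrl = 'stun:stun.services.mozilla.com', timeoutMs = 3000) {
  return new Promise((resolve, reject) => {
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    const found = [];
    let timer;
    const done = () => { clearTimeout(timer); pc.close(); resolve(classifyCandidates(found)); };
    timer = setTimeout(done, timeoutMs);
    pc.onicecandidate = (ev) => {
      if (ev.candidate) found.push(parseIceCandidate(ev.candidate.candidate));
      else done();
    };
    pc.createDataChannel('probe'); // a data channel alone is enough to trigger gathering
    pc.createOffer().then((offer) => pc.setLocalDescription(offer)).catch(reject);
  });
}
```

Current Chrome and Firefox obfuscate host candidates with per-origin mDNS names (`xxxx.local`) rather than raw interface addresses, so on a modern browser the `local` list is mostly those names; the srflx candidate still carries the public address.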
You might want to change that to something on a big company CDN to avoid killing kenrockwell.com's server.
But yeah, I echo the other commenter wanting to know more about how you set that up.
1. Connect Raspberry Pi to local LAN and get wifi set up (I VLAN wireless traffic, so I have it listening/connected to both)
2. Change iptables default policy to DROP
3. Add relevant ALLOW rules to make sure basic stuff like DHCP still works. I added an allow rule to talk to another machine that runs a PHP script that talks to Twilio
4. Spend about a week adding custom DROP rules for any normal broadcast traffic on your network (Bonjour, random auto-discovery stuff, etc)
5. If you have properly excluded everything "normal" you should be able to run "iptables -vL" about 24 hours apart and the packet count next to the INPUT chain policy will not have incremented (remember we have a default of DENY)
6. Add a final rule of 'iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "ZOMG: " --log-level 4'
7. Write a bash script to monitor syslog, parse the log, forward to the before-mentioned script on another host
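The parsing half of step 7, as an added example rather than the commenter's own script: it takes the kernel LOG lines that the step 6 rule produces (prefix `ZOMG: `), rolls them up per source host, and formats one alert line per host for the forwarder. The syslog lines are constructed for the example, not captured traffic; the forwarding hop to the Twilio script is left as prose.

```javascript
// Added example, not the commenter's monitor script: parse netfilter LOG lines
// and summarize them per source. Sample lines below are constructed.
const LOG_PREFIX = 'ZOMG: ';

const SAMPLE_SYSLOG = [
  'Mar 30 21:14:02 pi kernel: [ 9123.414] ZOMG: IN=eth0 OUT= MAC=b8:27:eb:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=192.168.1.77 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=44512 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0',
  'Mar 30 21:14:02 pi kernel: [ 9123.417] ZOMG: IN=eth0 OUT= MAC=b8:27:eb:aa:bb:cc:00:11:22:33:44:55:08:00 SRC=192.168.1.77 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=44513 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0',
  'Mar 30 21:14:09 pi kernel: [ 9130.002] ZOMG: IN=wlan0 OUT= MAC=b8:27:eb:aa:bb:cd:66:77:88:99:aa:bb:08:00 SRC=10.9.0.5 DST=10.9.0.20 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=1 PROTO=UDP SPT=61000 DPT=161 LEN=58',
  'Mar 30 21:14:10 pi kernel: [ 9131.000] eth0: link is up', // unrelated kernel message
];

// Netfilter LOG output is KEY=VALUE pairs plus bare flags (DF, SYN, ...).
// For UDP the payload LEN appears a second time and overwrites the IP LEN.
function parseNetfilterLine(line, prefix = LOG_PREFIX) {
  const i = line.indexOf(prefix);
  if (i === -1) return null;
  const rec = { flags: [] };
  for (const tok of line.slice(i + prefix.length).trim().split(/\s+/)) {
    const eq = tok.indexOf('=');
    if (eq === -1) rec.flags.push(tok);
    else rec[tok.slice(0, eq)] = tok.slice(eq + 1);
  }
  for (const k of ['LEN', 'TTL', 'SPT', 'DPT']) {
    if (rec[k] !== undefined) rec[k] = Number(rec[k]);
  }
  return rec.SRC ? rec : null;
}

// Roll up into { src: { hits, ports, protos } }, ports sorted numerically.
function summarize(lines, prefix = LOG_PREFIX) {
  const by = {};
  for (const line of lines) {
    const r = parseNetfilterLine(line, prefix);
    if (!r) continue;
    if (!by[r.SRC]) by[r.SRC] = { hits: 0, ports: new Set(), protos: new Set() };
    const e = by[r.SRC];
    e.hits++;
    if (r.DPT !== undefined) e.ports.add(r.DPT);
    if (r.PROTO) e.protos.add(r.PROTO);
  }
  return Object.fromEntries(Object.entries(by).map(([src, e]) => [
    src,
    { hits: e.hits, ports: [...e.ports].sort((a, b) => a - b), protos: [...e.protos] },
  ]));
}

// One line per source, the text the forwarder would hand to the Twilio script.
function formatAlerts(summary) {
  return Object.entries(summary).map(([src, e]) =>
    `${src}: ${e.hits} unexpected packet(s), ${e.protos.join('/')} to port(s) ${e.ports.join(',')}`);
}
```

Feed it from `tail -F /var/log/syslog` by splitting stdin on newlines and batching a minute at a time; since the LOG rule sits last in the chain, only traffic that no earlier ACCEPT rule matched reaches it, and `--limit 2/min` (with the default `--limit-burst 5`) means a fast scan is sampled rather than logged packet by packet, so treat the hit counts as a lower bound.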
Just my 2 cents, but I feel like there might be some commercial demand for something like this if you'd ever consider packaging it.
Hate it when that happens to me...every week.
It's incredible that a webpage can do that.
How so? Any site you navigate to knows your IP, and can take action based on that.
Congrats on the page!
"Here are all the nudie pics on your phone as identified by our nudity detection algorithm. Here is a list of your probable work and family contacts. Here is the MMS that you really don't want this app to send on your behalf!"
Apps on iOS don't prompt for permissions at install they prompt when they try to access something, eg photos, contacts, etc
Outside our tech filter bubble where we upgrade to a new flagship phone every year, millions of people use low-cost, prepaid, or hand-me-down phones that have long been on the market, and stopped receiving software updates years ago through the broken supply chain of AOSP -> device mfr -> carrier.
I see that you removed automatic network scanning due to a comment here; but since it's an educational project, I think it would be valuable to add a comment that explains that a malicious website could get that info without consent.
If you want a simpler solution which offers the best bang for your buck then using uBlock in medium mode is what I would recommend. This will block 3rd-party scripts and iframes (globally). Any page breakage that occurs as a result can be very easily handled by setting a noop for scripts and/or iframes for that pages scope. You can also block 1st party scripts if you really want to but it will likely cause a lot more stuff to break. uBlock can also enable browser settings that will prevent WebRTC leakage under certain circumstances.
On a side note if you're using even just uBlock then that will likely remove the need for running additional privacy extensions (save ones that deal with cookies) like Disconnect which also block network requests (you can use the Disconnect lists from within uBlock). uMatrix does give you the control over cookies.
Btw only hard mode stops any browser details leaking on the test site: http://webkay.robinlinus.com/ which is awesome, but I wonder how much time you have to spend fixing all the sites that you visit that will be broken in this mode.
Anyone using "hard mode"?
To unblock scripts just turn the 3rd party scripts block to gray which equals a noop for that. Green is explicitly allow which is what we DON'T want since we still want filtering from the filter lists to apply. Basically to unbreak sites you start with setting 3rd party scripts to noop then iframes if that doesn't fully fix a site. This setup is rather coarse-grained but is the easiest way to increase security and privacy with the least amount of user interaction (the most bang for your buck basically).
As you browse with this "medium mode" you'll probably interact less and less as your dynamic filtering list gets built up. I wouldn't recommend using the "hard mode" since there's not a lot to gain from it and it will cause a lot more breakage.
Edit: Also I just noticed this but font blocking is also enabled in the medium mode screenshots. This isn't part of the described medium mode and the author of the screenshots likely forgot to turn it off before taking them. However you're free to try it out if you want but keep in mind it can break the look and feel of sites. Also it may not actually block the downloading of the font if you're using Chrome or a Chromium based browser so there's less of a reason to use it on Chrome.
My main browser, Firefox, has uBlock and Self-Destructing Cookies. Tried it in both IE11 and Edge (both of which I never use), and I got pretty much the same result. Firefox and Epiphany on Gentoo Linux also failed to startle me.
I'd like to see a screenshot of a "worst case scenario".
Are you saying it showed your geo location without having prompted for it, and that you're OK with that?
I find that error hilarious, because I set up correct in-addr.arpa and ip6.arpa reverse DNS entries for my (static) IP, which returns a domain name that has an accurate LOC record. My IP is two DNS queries away from my location (~10m precision), yet most of the time everyone uses these geoip databases instead of LOC.
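The two-query path the comment above describes, as an added example (not the commenter's zone data): build the reverse name that the first query (PTR) uses, then parse the LOC record text that the second query returns into coordinates and the precision fields. The LOC string in the test is constructed in RFC 1876 presentation format; doing the actual lookups is left to whichever resolver library is at hand, since Node's `dns` module has no LOC record type.

```javascript
// Added example, not the page's code: reverse-DNS naming and LOC record parsing.

// Name queried for the PTR record: reversed octets under in-addr.arpa, or
// reversed nibbles under ip6.arpa. IPv4-mapped IPv6 notation is not handled.
function ptrName(ip) {
  const v4 = ip.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (v4) return v4.slice(1).reverse().join('.') + '.in-addr.arpa';
  return ip6Nibbles(ip).split('').reverse().join('.') + '.ip6.arpa';
}

// Expand "::" and zero-pad each group to 4 hex digits; returns 32 nibbles.
function ip6Nibbles(ip) {
  const [head, tail = ''] = ip.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const compressed = ip.includes('::');
  if (compressed ? h.length + t.length > 7 : h.length !== 8) throw new Error('bad IPv6 address');
  const groups = [...h, ...Array(8 - h.length - t.length).fill('0'), ...t];
  return groups.map((g) => g.padStart(4, '0')).join('').toLowerCase();
}

// RFC 1876 presentation format:
//   d1 [m1 [s1]] {N|S} d2 [m2 [s2]] {E|W} alt[m] [siz[m] [hp[m] [vp[m]]]]
// Defaults when omitted: size 1m, horizontal precision 10000m, vertical 10m.
function parseLoc(text) {
  const tok = text.trim().split(/\s+/);
  let i = 0;
  const coord = (pos, neg) => {
    const deg = Number(tok[i++]);
    let min = 0, sec = 0;
    if (/^\d+$/.test(tok[i] ?? '')) min = Number(tok[i++]);
    if (/^\d+(\.\d+)?$/.test(tok[i] ?? '')) sec = Number(tok[i++]);
    const hemi = tok[i++];
    if (hemi !== pos && hemi !== neg) throw new Error(`expected ${pos}/${neg}, got ${hemi}`);
    const v = deg + min / 60 + sec / 3600;
    return hemi === neg ? -v : v;
  };
  const meters = (dflt) => {
    if (tok[i] === undefined) return dflt;
    return Number(tok[i++].replace(/m$/i, ''));
  };
  const lat = coord('N', 'S');
  const lon = coord('E', 'W');
  const altM = meters(undefined);
  if (altM === undefined || Number.isNaN(altM)) throw new Error('altitude is mandatory');
  return { lat, lon, altM, sizeM: meters(1), hprecM: meters(10000), vprecM: meters(10) };
}
```

`hprecM` is the field the "~10m precision" remark refers to: a zone operator who publishes `10m` there is telling anyone who asks that the coordinates are good to ten metres, which is why a LOC lookup beats any GeoIP database for an IP whose owner bothered to publish one.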
Safari 9.1 : Minimal HW/SW detection, No social media leak, No network scan (after click)
Safari 9.1.1 (Tech Preview) : Minimal HW/SW detection, No social media leak, No network scan (after click)
Chrome 49.0.2623.110 : Full HW/SW detection, Social media login detected, Network scanning (after click)
Firefox 45.0.1 : Full HW/SW detection, Social media login detected, Network scanning (after click)
Also, my machine only has two physical cores, so 9.1.1 leaked physical + virtual
On Safari 9.1.1 TP : no addons
On Safari 9.1 : AB (getadblock.com)
On Firefox : uBO / No "NoScript" (for testing)
On Chrome : uBO
...which is not entirely correct, since your user agent, request headers, and IP are still visible. There's plenty of other sites which will show you those without requiring any client-side scripting. Here's one just from a quick Google search:
(Interestingly, you can see GoogleBot's IP and request headers if you view Google's cached version of the page.)
How about text-only browsers?
How about homemade "browsers" that are powered by netcat?
As one informal poll appeared to show, many users questioned on the streets of an American city did not even know what a "browser" was.
Most times I only want to retrieve files (download) via some daemon running on some remote computer and then view them on my computer. That includes text, hypertext, or binary. Pretty much the same as in 1993.
I rarely use a graphical browser to do this. It is not needed.
Instead, today, unlike 1993, I am using a graphical "browser" to _play video_ after I download it (no internet connection). But playing a video file is not "browsing". Something is not right.
Seems like the www took a wrong turn.
Edit: Actually, I believe you need Flash or a Java applet to actually get a list of fonts installed. But you can do other, slow, iterative approaches via JS.
Of course, this isn't the first site to remind of us of that, but the reminders are still good, and interesting to learn about!
Chromium 49. The only place I am logged into is Reddit
> Twitter: logged in
> Facebook: logged in
> Google Plus: logged in
> Reddit: logged in
> Flickr: logged in
It knows too much
Reading keystrokes from a nearby keyboard using the gyroscope
Speech Recognition using the gyroscope
Not just a problem with webpages, apps that don't have access to your mic do have access to your gyroscope
One possible solution is to not allow gyroscope reading above say 20hz without user permission (for both apps and webpages)
You write "To prevent your browser from accessing your Device Orientation use NoScript." under the Network Scan section. Looks like copy / pasta.
So I installed Tor with the NoScript addon and the demo was not able to access any details at all. Well, it did show my ISP and hardware details, but it was wrong.
This should be the default setup in a browser, Tor+Noscript.
The issues of constant captcha harassment and slow browsing speed using this setup need to be addressed. Slow browsing can be addressed by adding more nodes to route traffic. Regarding the captcha issue though, I am not sure about a good working solution.
That's just unrealistic for most people, especially the Tor recommendation. Script blockers are troublesome even for tech savvy individuals, though I highly recommend blocking scripts for anyone who can "handle it". Gorhill's work (via uBlock Origin) provides a much more realistic way of disabling these kinds of malicious and/or invasive actions. Not sure if they're currently blocked, but he's made strides to block crapware and its kin, so this might not be so far off.
GPU: Vendor: Mozilla
For example, ip address + timestamp + even a rough geo ip location could reveal travel patterns of users simply visiting your site.
Let's say those travel patterns include visits to nations less friendly to the US and you just might find out some details about someone ( or at least a certain IP ) they really wouldn't want you to know.
That's why you see WebRTC requests to internal IP addresses. I do not see any requests to the router admin panel, and in fact it looks like the code specifically avoids sending a WebRTC request to the gateway IP (x.y.z.1)
I opened the same link in Firefox Android with uBlock Origin installed, and got no hardware stats other than the kernel, no software stats, and no IP.
My takeaway from this is to NEVER use an app that uses Webkit.
I'm not sure if that was the intended purpose, but thanks for the eye-opener anyway!
You're talking about WebKit on android, which was ported there by Google.
The original WebKit (as WebKit, not KHTML) browser (Safari) doesn't leak all that information, so my takeaway would be not to trust a company obsessed with collecting private information and pushing all things into a browser, to have the best track record when it comes to protecting your privacy.
I know how some of them are, but not all. I predict others are in this boat, and interested in learning!
Surely you can source this information (OS and browser) from the User Agent?
Shutting NoScript off doesn't make too much difference, and I don't think RAS does that much (some sites seem to see through it), so it must be one of the other addons (uBlock Origin, Disconnect, BetterPrivacy, HTTPS Everywhere).
> private mode
That's mostly about not leaving data trails on the local device (hence the "porn mode" nickname).
Single page apps are definitely in the "lazy" category. If you send a page without content, that page is broken. You should be prioritizing the safety of your readers.
If developing proper pages is difficult with your development tools or methods, then you should find a different method - ideally something that handles the progressive enhancement for you.
It would be great to hear your suggestions on how to improve both pieces of advice!
Is NoScript supported by iOS Safari?
Maybe it'll take off and people will understand, maybe not. But it's something worth pondering.
CSP is widely supported by now, including iOS webkit: http://caniuse.com/#feat=contentsecuritypolicy
But a very cool hack.
I'm one of those heathens that actually puts the desktop tower on top of the desk. Got me.