-
-
Notifications
You must be signed in to change notification settings - Fork 345
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
About the leak (resource) #235
Comments
I agree with WagnerGMD. |
It's patched in v56. |
@MrAlex94 While the extension is disabled, it isn't revealing the extensions any more in WF 56, however it is revealing the following without the extension enabled: Platform Detection, Default Locale, Firefox ESR Channel, firefox.js, firefox-branding.js, firefox-l10n.js, webide-prefs.js and greprefs.js, (The js files have hashes which are uniquely identifiable, it is able to not only count the number of strings but display all of the settings. For example, firefox-branding.js contains links to waterfox that identify the browser as not being MFF) all of these are not exposed when the extension is enabled. I don't know if it's 100% fixed in FF 57, I have heard some mention this, but I figured I would mention this. https://browserleaks.com/firefox 🎱 -- |
Perhaps there is something wrong in No Resource URI Leak_v1.2.2 ? I haven't heard about (but on the moment it was fine with No Resource URI Leak_v1.1.1) |
No, there was some additional changes on a repository link posted in the topic 1.1.1 is from on the ghacks.js script issues forum. It's marked as closed I think on the ghacks.js repository if you're looking for it, I don't have the link on me. If I recall, the changes to 1.1.1 were to fix the relative path issue with xpcom/xul after FF 56 dropped, 1.1.2 added webextensions hiding to it if I recall, the white list for the webextensions doesn't work if I recall based on the post, but that is irrelevant to me as I have found everything to be working with webextensions (from what is enabled anyway in 55.2.2 WF. (Web extensions generate persistent random ID's which are even more identifiable. *last I checked.) I don't know what you're talking about with something being wrong, some enhancements were made to the extension, not fully implemented but helpful, I built it from its source and titled it 1.1.2 for my library. What I said about specific resources still being exposed in 55.2.2 in response to @MrAlex94 is still true, this can be tested with the extension disabled. It reveals lots of detailed information like settings configurations, it would easily identify the browser as WF and those files all have unique hashes so it makes you uniquely identifiable. The issue is not fully resolved and in my book is as trackable as before, even without exposing the XUL/XPCOM extensions, it looks like webextensions aren't exposed either, so that part of @MrAlex94's patch seemed to have worked there. (Unless something is wrong with the testing site or it hasn't implemented checks for exposure of webextensions, in which case, 1.1.2 is the way to go.) 🌵 🎱 😞 |
As examples I was meaning :
There is a confusion ? Because no there is a difference between the both (Waterfox_v55.2.2 and Waterfox_v56). According to the name and these links :
I will conclude it's normal (Waterfox_v55.2.2 wasn't fixed and you will need the addon). Because it wasn't yet announced (Waterfox_v56 isn't ready neither published).
That's one recopy message from this link (date is 18 november 2017): https://twitter.com/Waterfoxproject/status/931963434761183237 |
@WagnerGMD I don't understand what you're contesting here about my post, I simply stated that the fix implemented in Waterfox 55.2.2 was not sufficient enough. That unfortunately, @MrAlex94 reply was incorrect, because without the extension, very finger printable files were still being exposed, as I explained in my other post. " MrAlex 94 : It's patched in v56." (v56 isn't out, we're still on 52.2.2, that was not made clear, easy for one to get confused with the versioning numbers since FF was 56 recently now 57.) I explained that you need to use the No Resource URI Leak clone (such as the one you posted 1.1.1) or build the newer one that includes web extensions, although, the white listing is broken for web extensions with 1.1.2. (The clone is needed because the original broke due to something about indirect or direct paths, it was corrected in the clone version of the extension.) I'll not be commenting further on the subject, it was meant to be informational for other users, as I had been under the wrong impression and disabled the extension when I moved to WF 52.2.2. A warning to users who read this and thought the problem was solved. 😞 |
You don't seem to understand. Sorry I won't be there to argue (not my aim).
Update 14 December : Update 16 December : Update 8 January 2018 : Update 26 January 2018 : |
Actual behaviorhttp://nsa39.casimages.com/img/2018/02/28/180228051921800212.png Expected behaviorhttp://nsa39.casimages.com/img/2018/02/28/180228051922647994.png Update 28 Feb 2018 : |
Update March 26th, 2018: A whole cache of information is still available including everything you've tweaked in preferences.js, HIGHLY unique and fingerprintable. fix is needed urgently. PSA |
Please, are you certain that those five fix the issue? All were made (committed by Alex) in 2017. |
Yes, I am certain. Mozilla has fixed the issue when they released Firefox 57 (November 2017). GitHub of course copies the original date of the commits, yet @MrAlex94 has only merged the commits recently. The original dates remain as Alex chose to mention the original author of the code, which I think is good GitHub practice. |
@Peacock365 thanks, now I see the five matches for Bug 863246 under Commits on Apr 30, 2018. Still, I'm curious, because I always think of things on a timeline: how would I navigate from e.g. 9681c08 to the April 2018 point on the timeline? I mean, which link/button would I use? (Sorry for hijacking/going off-topic. Just, this is new to me.) |
I agree that the system is pretty confusing. If a person A submits an old GitHub commit, and chooses to mention the original author B, the commit will appear amongst the newest commits in the repository of A, but will still have the original date of B's commit regardless. Why? I don't know. GitHub should stop this practice and should start to always show the commit time of person A's commit, if you ask me. |
Thanks / apologies for going off-topic |
Update 17 May 2018 : |
Just to confirm @Peacock365 the fact, it was true and I was certain too (like I said in my first post).
|
Honestly at the time I thought the patches had landed for v56. And it's easy to verify the claim, please check the commits Peacock linked to, the core of patches which landed June 8 (the rest related to debugging tools and tests. June 12, Firefox 56 was merged to central as shown here. (Of course, they weren't actually merged until Firefox 57 became central). So when I checked at the time, I saw the commits and assumed it was all fine and dandy. And I didn't come back to this issue until I saw it again in my inbox. Just a FYI, this is what my inbox looks like related to issues, before I move them to the GitHub issues tag, they're in my inbox along with dozens of other emails. It takes time to read through them all! I am more than happy to have professional discourse, but you are just rude with your comments, especially just to come here to call me a liar. Unfortunately I am a human and fallible. Maybe that should be considered the next time you want to come here and be indecorous. |
A link to change logs was shared a few weeks ago, a day after the new web site went live: https://www.reddit.com/comments/beomqj/-/el91umc/
These should be easy to find, by date, through today's revision. HTH |
Honestly are you totally blind ?
Did you forgot ? The people trust your world and form my point of view, you lie to everyone (as reminder the 7 october 2017). Because a real professional is able :
To resume, you have lost my trust @MrAlex94 and yes that's a good reason to be rude. You didn't guess ? You had lost the trust from several people and they won't provide help anymore. Do you deserve more explanations ? To conclude, today I was thinking my reply will be very short (a few lines) : Basically too much sign of disrespect and mistakes. That's why the anwser is no ! Despite the fact, I was absent for a very long time. Nothing has changed and it's even little worst today... Now I had just discovered that you didn't even check the commits because on the moment, you have just assumed "it was all fine"... That's another good reason to be rude, no ? Damn right ! Now to finish, you can blame the humans guilty of betrayal (no you aren't the only one). |
Strange that you felt the need to reply after 6 months. I think I was more than fair in my previous reply, which you seem to have ignored. I'm going to reply to the fact you keep calling me a liar. First of all, I explained before my reasoning for believing the fix would land in v56. Also please note, lying usually is done deliberately with the intent to deceive. My misunderstanding was not that. Honestly you seem unjustifiably over aggressive, and seem to have a massive chip on your shoulder.
What are you on about? There are so many platforms I have to test commits on - and I didn't push any wide updates, so I'm following correct software practices. There was no harm - what's the big deal? I don't think you understand how hard running a project this size is by one person. Thankfully I have people who push commits and help the project, otherwise it would be even harder! Such an odd rant. Honestly, I'm more than happy to have discourse with people, even if it's about things that are unsatisfactory - but with the way you behave, your loss won't be a noted one. |
Hello,
I'm wonder when do you plan to fix this trouble ? If you want to check it, you just need to open this page and you will get the same result as on this picture.
In the past, that's right the addon No Resource URI Leak_v1.1.0 was a good solution. But it doesn't work anymore (since Firefox_v55 or Firefox_v56). Despite the fact : yes one new version exist, it wouldn't be better to just include the patch ? Because it was already done with Firefox_v57 and I don't see the point to wait (or avoid).
Kind regards.
The text was updated successfully, but these errors were encountered: