General discussion and chat (archived)
-
John connor
Unread post
by John connor » 2019-02-26, 05:40
Academics from Greece have devised a new browser-based attack that can allow hackers to run malicious code inside users' browsers even after users have closed or navigated away from the web page on which they got infected. This new attack, called MarioNet, opens the door for assembling giant botnets from users' browsers. These botnets can be used for in-browser crypto-mining (cryptojacking), DDoS attacks, malicious files hosting/sharing, distributed password cracking, creating proxy networks, advertising click-fraud, and traffic stats boosting, researchers said.
https://www.zdnet.com/article/new-brows ... -web-page/
Is Pale Moon vulnerable?
I use Sandboxe so I gotta wonder if it'd stick?
-
Nigaikaze
- Board Warrior
- Posts: 1322
- Joined: 2014-02-02, 22:15
- Location: Chicagoland
Unread post
by Nigaikaze » 2019-02-26, 05:46
F22 Simpilot wrote:Is Pale Moon vulnerable?
Since that attack appears to be based on Service Workers, do a forum search for that phrase and it will answer your question.
Nichi nichi kore ko jitsu = Every day is a good day.
-
karlchen
- Apollo supporter
- Posts: 34
- Joined: 2019-01-16, 15:55
Unread post
by karlchen » 2019-02-26, 08:40
I assume that the recommended search should return this very clear statement by Moonchild on top of the list:
Moonchild wrote:About Push in Pale Moon:
https://www.palemoon.org/info-url/push.shtml
Service workers in Pale Moon:
Service workers are a terrible idea, unless you actually enjoy the idea of having your browser do stuff "in the background" that you have absolutely no control over.
We have no plans whatsoever to implement or enable this, because it's a privacy and security nightmare.
As a consequence, the answer to the question
F22 Simpilot wrote:Is Pale Moon vulnerable?
should be, "No, it is not, because Pale Moon does not support Service Workers."
-
Moonchild
- Pale Moon guru
- Posts: 35571
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
-
Contact:
Unread post
by Moonchild » 2019-02-26, 09:13
F22 Simpilot wrote:Is Pale Moon vulnerable?
No, it is not, because Pale Moon by default does not support Service Workers.
(they -can- be enabled through advanced configuration but it is a really bad idea to do so, and that configuration is wholly unsupported)
The same situation is valid for Basilisk.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
John connor
Unread post
by John connor » 2019-02-27, 01:03
Well that's good.
I use a plain vanilla install of Firefox for sites that use Recaptcha. Is there a way to turn off Service Workers in FF? Or is it beyond complicated?
-
Michaell
- Lunatic
- Posts: 283
- Joined: 2018-05-26, 18:13
Unread post
by Michaell » 2019-02-27, 02:06
about:config:
dom.serviceWorkers.enabled = false
or user.js:
user_pref("dom.serviceWorkers.enabled", false);
Win10home(1709), PM33.0.0-portable as of Feb 1, '24
-
cartel
- Lunatic
- Posts: 475
- Joined: 2014-03-16, 21:57
- Location: Chilliwack, BC
Unread post
by cartel » 2019-02-28, 13:33
I made dom.workers.enabled;false also.
I can live without it and google maps
FF wants to hide the setting and enable always:
https://bugzilla.mozilla.org/show_bug.cgi?id=1434934
> Disabling workers is not a privacy enhancing change. I don't know why people have that impression.
Worker SAB was the initial timing intrinsic used to run Spectre in browsers, and some people may be wary of additional timing intrinsics that have yet to be discovered or disclosed. I don't feel strongly about this issue, although I disagree with your statement about privacy. Disabling workers decreases attack surface, increasing security and, by extension, privacy.
Others say disable it and provide very good reasons:
https://github.com/ghacksuserjs/ghacks- ... /issues/60
The FBI exploit used workers and I assume other exploits do too
Looks like the Pwn2Own exploit also used workers. If you need more reasons to disable that
-
Moonchild
- Pale Moon guru
- Posts: 35571
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
-
Contact:
Unread post
by Moonchild » 2019-03-01, 16:30
Disabling workers is not a privacy enhancing change. I don't know why people have that impression.
^ this.
Please don't confuse web workers with service workers.
Web workers are an essential part of many, more complex, websites - with them disabled, you're likely breaking a lot. Even if the website has a fallback it will be horrendously slow without workers.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
yami_
Unread post
by yami_ » 2019-03-01, 17:39
Off-topic:cartel wrote:increasing security and, by extension, privacy
Security in not privacy.
-
Moonchild
- Pale Moon guru
- Posts: 35571
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
-
Contact:
Unread post
by Moonchild » 2019-03-01, 23:53
cartel wrote:increasing security and, by extension, privacy
As an aside: security and privacy are often opposing forces. See: HSTS
Using HSTS increases security on subsequent visits to HSTS sites. Disabling it increases privacy (because it won't store visited HSTS domains/hosts)
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
Sampei Nihira
Unread post
by Sampei Nihira » 2019-03-03, 08:02
Hi,
"dom.webnotifications.serviceworker.enabled"
"devtools.browserconsole.filter.serviceworkers"
"devtools.webconsole.filter.serviceworkers"
they are set to "true".
Do I need to switch to "false"?
-
gepus
- Keeps coming back
- Posts: 941
- Joined: 2017-12-14, 12:59
Unread post
by gepus » 2019-03-03, 10:16
Nope.
Once serviceworkers are disabled, related prefs should have no effect.
-
Sampei Nihira
Unread post
by Sampei Nihira » 2019-03-04, 17:32
True.
With the test below is highlighted what you wrote:
https://html5workertest.com/
With Chrome, you can block Service Workers as long as you block even the Web Workers.
It can be done with the uMatrix extension.
But even with the uBlock Origin extension you only need to set up a rule.
-
gepus
- Keeps coming back
- Posts: 941
- Joined: 2017-12-14, 12:59
Unread post
by gepus » 2019-03-05, 10:46
Speaking of Chrome - this browser and all of its derivatives are banned on my device.
Disabling something is always best practice, compared to blocking something. It saves bandwidth and resources.
For those using a decent browser, disabling serviceworkers in about:config is the best solution. Blocking workers/serviceworkers with an extension is a poor workaround.
-
Moonchild
- Pale Moon guru
- Posts: 35571
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
-
Contact:
Unread post
by Moonchild » 2019-03-05, 10:52
gepus wrote:For those using a decent browser, disabling serviceworkers in about:config is the best solution. Blocking workers/serviceworkers with an extension is a poor workaround.
...or you can just use Pale Moon or Basilisk and not need to do anything
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
gepus
- Keeps coming back
- Posts: 941
- Joined: 2017-12-14, 12:59
Unread post
by gepus » 2019-03-05, 11:53
Moonchild wrote:...or you can just use Pale Moon or Basilisk and not need to do anything
You're right but most of us have more than one browser installed, hence my wording.
BTW, is Hyperlink-Auditing an essential part of the modern web? I'm asking because it is enabled by default in Pale Moon.
-
Nigaikaze
- Board Warrior
- Posts: 1322
- Joined: 2014-02-02, 22:15
- Location: Chicagoland
Unread post
by Nigaikaze » 2019-03-05, 18:10
gepus wrote:You're right but most of us have more than one browser installed, hence my wording.
...or you can just use Pale Moon
AND Basilisk and not need to do anything
Nichi nichi kore ko jitsu = Every day is a good day.
-
gepus
- Keeps coming back
- Posts: 941
- Joined: 2017-12-14, 12:59
Unread post
by gepus » 2019-03-05, 21:06
Nigaikaze wrote:gepus wrote:You're right but most of us have more than one browser installed, hence my wording.
...or you can just use Pale Moon
AND Basilisk and not need to do anything
Assuming that a site doesn't work with Pale Moon then one can test the site with Basilisk or if it doesn't work with Basilisk one can test with Pale Moon.
How could I miss till now such a great concept?
-
New Tobin Paradigm
Unread post
by New Tobin Paradigm » 2019-03-05, 21:16
Well the added advantage is you will be so busy testing that there will be no time to post about it.