How to stop Pale Moon from Giving out Information

maiko

Re: How to stop Pale Moon from Giving out Information

Post by maiko » 2016-08-08, 16:11

Actually, User Agents are mostly useful to solve certain functionality with some web sites. Say you would like to read a minimalist version of a certain web page: you can mimic a mobile phone agent to get that result.

But if Big Bro wants to find out who you are you may look like a fool pretending to be Web browser "X" and OS "Y", simply because, particularly with Windows, each OS version has its own TCP/IP stack size and shape, i.e. the data packets sent by your OS over any network are fingerprintable and can't really be modified by a browser. Linux on the other hand seems to share the same TCP/IP stack over all the different distros.

When it comes to different browsers, if I recall correctly, each browser also has its own header shape and form sent over the net, even so much that Firefox for Windows and Firefox for Linux differ from each other.

Conclusion, if you are running Firefox in Windows, don't spoof another Windows version, change ONLY the Firefox version, that's all you can do, no Opera, no Chrome etc... or else you have to look at Tor Browser. :lol:

Thehandyman1957 wrote:
Fedor2 wrote:What's the problem with the OS? Other browsers give that information too. And there are advanced methods of OS detection irrespective of the user agent string. See http://www.browserleaks.com/firefox
Yup, I got that covered too. ;)
Screenshot - 7_15_2016 , 5_10_51 PM.png
8-) :lol:

Seems like you are using this add-on: 8-)
https://addons.mozilla.org/en-US/firefo ... -uri-leak/
But you don't need that one to stop BL/ff ... NoScript will do the same :P
go to about:config
remove resource: from noscript.mandatory
add resource:// and resource://gre to noscript.untrusted
:thumbup: 8-) :clap: :mrgreen:
Last edited by maiko on 2016-08-09, 01:36, edited 1 time in total.
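
The point in the post above about a User-Agent contradicting the network stack, as an added example that is not part of the original post. It uses only the initial IP TTL (128 by default on Windows, 64 on Linux, Android and macOS), which is one of several signals a passive fingerprinting tool looks at; the function names and the sample User-Agent strings are constructed for illustration.

```javascript
// Default initial IP TTL per OS family.
const INITIAL_TTL = { windows: 128, linux: 64, android: 64, macos: 64 };

// Read the OS family the browser *claims* in its User-Agent header.
function osFromUserAgent(ua) {
  if (/Windows NT/i.test(ua)) return "windows";
  if (/Android/i.test(ua)) return "android"; // must precede the Linux test
  if (/Mac OS X/i.test(ua)) return "macos";
  if (/Linux|X11/i.test(ua)) return "linux";
  return "unknown";
}

// Every router hop decrements TTL by one, so the sender's initial value
// is the smallest common default that is >= the TTL seen at the server.
function initialTtl(observed) {
  if (!Number.isInteger(observed) || observed < 1 || observed > 255) return null;
  return [64, 128, 255].find((t) => observed <= t);
}

// Compare the claimed OS with what the packet itself suggests.
function checkClaim(ua, observedTtl) {
  const claimed = osFromUserAgent(ua);
  const inferred = initialTtl(observedTtl);
  if (claimed === "unknown" || inferred === null) return "inconclusive";
  return INITIAL_TTL[claimed] === inferred ? "consistent" : "mismatch";
}

// Constructed samples: the same packet TTL (116, i.e. 12 hops from 128)
// seen with an honest Windows UA and with a spoofed Linux UA.
const samples = [
  ["Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0", 116],
  ["Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0", 116],
];
for (const [ua, ttl] of samples) {
  console.log(checkClaim(ua, ttl), "-", ua);
}
```

A proxy or Tor exit terminates the TCP connection itself, so the server then sees that machine's stack rather than the client's.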

Thehandyman1957

Re: How to stop Pale Moon from Giving out Information

Post by Thehandyman1957 » 2016-08-09, 00:03

maiko wrote:But if Big Bro wants to find out who you are you may look like a fool pretending to be Web browser "X" and OS "Y", simply because, particularly with Windows, each OS version has its own TCP/IP stack size and shape, i.e. the data packets sent by your OS over any network are fingerprintable and can never be modified by a browser. Linux on the other hand seems to share the same TCP/IP stack over all the different distros.

When it comes to different browsers, if I recall correctly, each browser also has its own header shape and form sent over the net, even so much that Firefox for Windows and Firefox for Linux differ from each other.

Conclusion, if you are running Firefox in Windows, don't spoof another Windows version, change ONLY the Firefox version, that's all you can do, no Opera, no Chrome etc... or else you have to look at Tor Browser. :lol:
Wow, well that's great to know. :thumbup: I'm certainly not the brightest bulb on the tree but what you said makes sense.
Seems like you are using this add-on: 8-)
https://addons.mozilla.org/en-US/firefo ... -uri-leak/
But you don't need that one to stop BL/ff ... NoScript will do the same :P
go to about:config
remove resource: from noscript.mandatory
add resource: and resource://gre to noscript.untrusted
:thumbup: 8-) :clap: :mrgreen:
Yes, you are right, I am using that add-on. I do have one question about your instructions on NoScript.

When I add the bottom two to noscript.untrusted, is there a particular place those two need to be?
Like, does it matter where they are inserted? I am assuming there needs to be a space in front and in back?

Thanks for your great post. I did quit using the user string agent as it was causing too many problems and
even when I was just using FF and PM strings the versions were too old. So I ditched that one. :mrgreen:

By the way, welcome to the PM forum. ;)

CharmCityCrab
Banned user
Posts: 638
Joined: 2015-06-25, 00:47

Re: How to stop Pale Moon from Giving out Information

Post by CharmCityCrab » 2016-08-09, 01:20

Thehandyman1957 wrote:Hello all. I have a curious question. So today I was curious on what info Pale Moon was giving to web sites upon request
and I found this web site.
http://mybrowserinfo.com/detail.asp?bhcp=1

And it gave me these results.
Your IP Address_ 107.182.238.123 - MyBrowserInfo.com (My Browser Info).pdf

It surprised me that it was telling them what Operating system I was using. I would like to stop that if possible.
I realize that web pages need a certain amount of info just to show the page right but is there a way to minimize
this exposure to the max minimums? :think:

It seems to me that after all the other add-ons and using a VPN there are still ways to fingerprint a person this way. :problem:
All web browsers do that, at least to the best of my knowledge. It's part of how web pages determine the capabilities of your "stack" (operating system, browser, etc.) and decide which versions of their pages to "feed" you. You can use an extension or rewrite things to get around that, but in many cases, it'll result in web pages that don't display correctly. If you have your browser tell a site you're using Internet Explorer 5 on Windows 98 and you're actually using Pale Moon on Windows 10, there's a good chance you're going to be fed a page that isn't displayed properly.

LimboSlam
Board Warrior
Posts: 1029
Joined: 2014-06-09, 04:43
Location: USA

Re: How to stop Pale Moon from Giving out Information

Post by LimboSlam » 2016-08-09, 01:30

Thehandyman1957 wrote:It surprised me that it was telling them what Operating system I was using. I would like to stop that if possible.
I realize that web pages need a certain amount of info just to show the page right but is there a way to minimize
this exposure to the max minimums? :think:
There's this add-on called Masking Agent: https://addons.mozilla.org/en-US/firefo ... d.1-signed, sadly though the developer isn't maintaining it anymore and hasn't responded to my email that I sent him about supporting Pale Moon.
With Pale Moon by my side, surfing the web is quite enjoyable and takes my headaches away! :)
God is not punishing you, He is preparing you. Trust His plan, not your pain.#‎TrentShelton #‎RehabTime

maiko

Re: How to stop Pale Moon from Giving out Information

Post by maiko » 2016-08-09, 02:37

Thehandyman1957 wrote:
Seems like you are using this add-on: 8-)
https://addons.mozilla.org/en-US/firefo ... -uri-leak/
But you don't need that one to stop BL/ff ... NoScript will do the same :P
go to about:config
remove resource: from noscript.mandatory
add resource: and resource://gre to noscript.untrusted
:thumbup: 8-) :clap: :mrgreen:
Yes, you are right, I am using that add-on. I do have one question about your instructions on NoScript.

When I add the bottom two to noscript.untrusted, is there a particular place those two need to be?
Like, does it matter where they are inserted? I am assuming there needs to be a space in front and in back?

Thanks for your great post. I did quit using the user string agent as it was causing too many problems and
even when I was just using FF and PM strings the versions were too old. So I ditched that one. :mrgreen:

Observe! I made a mistake in my original post, resource: should be resource:// (notice the double slashes added)

Yeah, just add a space in between, if you already have a bunch of websites etc added to your noscript.untrusted, it probably looks something like....

.........www.idonttrustthisshiteweb.com http://www.anothershillweb.com resource:// resource://gre
:lol:
and it doesn't matter in which order you put it, I just added the goodies in the end of that string.

But I ought to add a disclaimer here, my experience is mainly with Firefox, Pale Moon though is still quite a new experience for me.
Secondly, adding resource:// to the untrusted list may still break some add-ons, as I discovered with FreeMemory2
https://addons.mozilla.org/en-US/firefo ... -memory-20
I had to add an additional path under about:config called capability.policy.maonoscript.sites
Adding resource://freememory2 (actually I think, more exactly it was resource://freememory2/data, don't remember now) will add an exclusive bypass for the freememory2 add-on, overriding the untrusted setting.
This might make things a bit fiddly with some add-ons, but so far I haven't noticed many glitches at all with the few add-ons I am using.

BTW, here's some more bonus stuff from maiko-the-apprentice-jap-babe, I don't know if it adds some additional protection, but you could try out adding some more exotic fun stuff to the noscript.untrusted list, such as blob: chrome: irc: ircs: mediasource: mediastream: /favicon.ico and manymanymany... more goodies, this is pretty new stuff as I haven't seen anyone else covering this and I too have only started scratching the surface, but considering all the nice "features" Firefox is flaunting with in the open cyberspace these might need some sweet love and care... 8-) :crazy: :mrgreen:

And don't forget to remove the equal preferences under noscript.mandatory when adding them to noscript.untrusted and/or capability.policy.maonoscript.sites. :!:
Thehandyman1957 wrote:By the way, welcome to the PM forum. ;)
Thanks a lot! :wave:
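
The pref edit described in the post above, as an added example that is not part of the original post: it models noscript.mandatory and noscript.untrusted as space-separated strings and applies "remove from one, add to the other" so that no entry ends up in both lists. The helper names and the sample pref values are constructed for illustration; they are not NoScript's defaults or API.

```javascript
// Split a space-separated site-list pref into its entries.
// Extra spaces between or around entries are tolerated.
function parseList(value) {
  return value.split(/\s+/).filter(Boolean);
}

// Return new values for both prefs:
//  - every entry in `remove` or `add` is dropped from mandatory,
//    so nothing stays listed in both prefs;
//  - every entry in `add` is appended to untrusted once, at the end
//    (the order of entries does not matter, per the post).
function moveToUntrusted(prefs, remove, add) {
  const drop = new Set([...remove, ...add]);
  const mandatory = parseList(prefs.mandatory).filter((e) => !drop.has(e));
  const untrusted = parseList(prefs.untrusted);
  const seen = new Set(untrusted);
  for (const entry of add) {
    if (!seen.has(entry)) {
      untrusted.push(entry);
      seen.add(entry);
    }
  }
  return { mandatory: mandatory.join(" "), untrusted: untrusted.join(" ") };
}

// Constructed sample values, not a real profile.
const before = {
  mandatory: "chrome: about: resource: blob:",
  untrusted: "example.invalid  http://example.invalid",
};

const after = moveToUntrusted(
  before,
  ["resource:"],                    // remove from noscript.mandatory
  ["resource://", "resource://gre"] // add to noscript.untrusted
);

console.log("noscript.mandatory =", after.mandatory);
console.log("noscript.untrusted =", after.untrusted);
```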

Thehandyman1957

Re: How to stop Pale Moon from Giving out Information

Post by Thehandyman1957 » 2016-08-10, 00:54

CharmCityCrab wrote:All web browsers do that, at least to the best of my knowledge. It's part of how web pages determine the capabilities of your "stack" (operating system, browser, etc.) and decide which versions of their pages to "feed" you. You can use an extension or rewrite things to get around that, but in many cases, it'll result in web pages that don't display correctly. If you have your browser tell a site you're using Internet Explorer 5 on Windows 98 and you're actually using Pale Moon on Windows 10, there's a good chance you're going to be fed a page that isn't displayed properly.
Yea, it didn't take me long to figure that one out. :lol:

Thehandyman1957

Re: How to stop Pale Moon from Giving out Information

Post by Thehandyman1957 » 2016-08-10, 01:02

LimboSlam wrote:
Thehandyman1957 wrote:It surprised me that it was telling them what Operating system I was using. I would like to stop that if possible.
I realize that web pages need a certain amount of info just to show the page right but is there a way to minimize
this exposure to the max minimums? :think:
There's this add-on called Masking Agent: https://addons.mozilla.org/en-US/firefo ... d.1-signed, sadly though the developer isn't maintaining it anymore and hasn't responded to my email that I sent him about supporting Pale Moon.
This seems like a cool idea at first but after looking at what it does to the user agent string I think it would make me stick out like a sore thumb.
Screenshot - 8_9_2016 , 5_58_57 PM.png
It actually adds the name of the add on to the user string. So if I was wanting to stop the fingerprinting then this would be like putting a
big target sign on my chest.

LOL, reminds me of a Far Side cartoon years ago with two deer talking to each other and one has a big target birthmark on his chest.
And the other deer says to him, Bummer of a birthmark Hal.... :lol: God that guy had a great sense of humor. :mrgreen:

Thehandyman1957

Re: How to stop Pale Moon from Giving out Information

Post by Thehandyman1957 » 2016-08-10, 01:13

maiko wrote:Observe! I made a mistake in my original post, resource: should be resource:// (notice the double slashes added)

Yeah, just add a space in between, if you already have a bunch of websites etc added to your noscript.untrusted, it probably looks something like....

.........www.idonttrustthisshiteweb.com http://www.anothershillweb.com resource:// resource://gre
:lol:
and it doesn't matter in which order you put it, I just added the goodies in the end of that string.

And don't forget to remove the equal preferences under noscript.mandatory when adding them to noscript.untrusted and/or capability.policy.maonoscript.sites. :!:
Thanks for that tip. :thumbup:
But I ought to add a disclaimer here, my experience is mainly with Firefox, Pale Moon though is still quite a new experience for me.
Secondly, adding resource:// to the untrusted list may still break some add-ons, as I discovered with FreeMemory2
:think: I think I might just stay with the No Resource URI Leak 0.2.1 as it seems to work alright and gives me no heartache. :angel:
BTW, here's some more bonus stuff from maiko-the-apprentice-jap-babe, I don't know if it adds some additional protection, but you could try out adding some more exotic fun stuff to the noscript.untrusted list, such as blob: chrome: irc: ircs: mediasource: mediastream: /favicon.ico and manymanymany... more goodies, this is pretty new stuff as I haven't seen anyone else covering this and I too have only started scratching the surface, but considering all the nice "features" Firefox is flaunting with in the open cyberspace these might need some sweet love and care... 8-) :crazy: :mrgreen:
:lol: This is where I would get myself into a bunch of trouble. I'm just dangerous and dumb enough to make a big mess doing those things. :lol:

dark_moon

Re: How to stop Pale Moon from Giving out Information

Post by dark_moon » 2016-08-13, 16:09

maiko wrote:BTW, here's some more bonus stuff from maiko-the-apprentice-jap-babe, I don't know if it adds some additional protection, but you could try out adding some more exotic fun stuff to the noscript.untrusted list, such as blob: chrome: irc: ircs: mediasource: mediastream: /favicon.ico and manymanymany... more goodies, this is pretty new stuff as I haven't seen anyone else covering this and I too have only started scratching the surface, but considering all the nice "features" Firefox is flaunting with in the open cyberspace these might need some sweet love and care... 8-) :crazy: :mrgreen:

And don't forget to remove the equal preferences under noscript.mandatory when adding them to noscript.untrusted and/or capability.policy.maonoscript.sites. :!:
Thanks for that, but I wonder why not just use NoScript in whitelist mode so these sites are forbidden by default.

maiko

Re: How to stop Pale Moon from Giving out Information

Post by maiko » 2016-08-29, 01:33

dark_moon wrote:
maiko wrote:BTW, here's some more bonus stuff from maiko-the-apprentice-jap-babe, I don't know if it adds some additional protection, but you could try out adding some more exotic fun stuff to the noscript.untrusted list, such as blob: chrome: irc: ircs: mediasource: mediastream: /favicon.ico and manymanymany... more goodies, this is pretty new stuff as I haven't seen anyone else covering this and I too have only started scratching the surface, but considering all the nice "features" Firefox is flaunting with in the open cyberspace these might need some sweet love and care... 8-) :crazy: :mrgreen:

And don't forget to remove the equal preferences under noscript.mandatory when adding them to noscript.untrusted and/or capability.policy.maonoscript.sites. :!:
Thanks for that, but I wonder why not just use NoScript in whitelist mode so these sites are forbidden by default.
Hi and sorry for a slow reply, I am not an expert as pointed out earlier, but I believe if resource: can be read out from the web, then apparently the NoScript Whitelist doesn't work to block the inner of the web browser.
At least in Firefox, if we type in resource:/// we will get into the inner of the browser, it opens up:
Index of jar:file:///C:/MyFirefoxInstallFolder/App/Firefox/browser/omni.ja!/

And from this link: https://www.browserleaks.com/firefox
we can see it tries to fingerprint Firefox for these following files:
× firefox.js
× firefox-branding.js
× firefox-l10n.js
× webide-prefs.js
× greprefs.js
× services-sync.js
× 000-tor-browser.js

From the list of files above, let's look at the first 3 (× firefox.js, firefox-branding.js, firefox-l10n.js)
which can be found under this path:
jar:file:///C:/MyFirefoxInstallFolder/App/Firefox/browser/omni.ja!/defaults/preferences/

We can also go directly to the folder path where Firefox is installed and look for the packed file called omni.ja, open it up with an unpacker program such as 7-Zip, and look under the same path for where these aforementioned fingerprintable files reside.
C:\MyFirefoxInstallFolder\App\Firefox\browser

ps. another one to put under "untrusted" is also file://, just in case... :wtf: :lol: :silent:

dark_moon

Re: How to stop Pale Moon from Giving out Information

Post by dark_moon » 2016-08-29, 10:25

Maybe you can ask the NoScript guys if your steps are really necessary.
https://forums.informaction.com

Moonchild
Pale Moon guru
Posts: 24979
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E

Re: How to stop Pale Moon from Giving out Information

Post by Moonchild » 2016-08-29, 11:04

Inspecting resource:/// and the contents of omni.ja is a very elaborate way of determining "you're using browser x" instead of simply looking at user agents. The only thing it thwarts is the use of "UA randomizers" which have their own severe drawbacks if used.
After all, the contents of omni.ja files is static for the browser and does not include any user data. So all you can really tell from it is "You're using Firefox/Pale Moon/whatever" and if you want to make the check more complex you can check for version specific things to determine the version.

Also, arbitrary file access with file:// is blocked from web content context (for obvious reasons).
"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne

LimboSlam
Board Warrior
Posts: 1029
Joined: 2014-06-09, 04:43
Location: USA

Re: How to stop Pale Moon from Giving out Information

Post by LimboSlam » 2016-08-30, 03:20

Moonchild wrote:After all, the contents of omni.ja files is static for the browser and does not include any user data. So all you can really tell from it is "You're using Firefox/Pale Moon/whatever......"

Also, arbitrary file access with file:// is blocked from web content context (for obvious reasons).
So really the browser does a pretty good job at limiting this data of omni.ja files. Now would there even be a significant reason to continue using this add-on? Well, unless the BZ bug doesn't get fixed, then I'll probably be using it.

dark_moon

Re: How to stop Pale Moon from Giving out Information

Post by dark_moon » 2016-09-02, 23:11

I tried it now with resource:// and resource://gre and that works great!

The "No Resource URI Leak" add-on doesn't work with Pale Moon 27 so this feature in NoScript is a nice to have :mrgreen: :thumbup:

dark_moon

Re: How to stop Pale Moon from Giving out Information

Post by dark_moon » 2016-09-03, 09:25

I also asked now in the NoScript forum, and setting resource:// to untrusted isn't a good idea:
https://forums.informaction.com/viewtop ... 208#p84208

dark_moon

Re: How to stop Pale Moon from Giving out Information

Post by dark_moon » 2016-09-11, 12:52


maiko

Re: How to stop Pale Moon from Giving out Information

Post by maiko » 2016-09-11, 13:11

Oh I see, great it worked for you, and thanks also for opening a new post and talking with the NS people. :thumbup: However, bear in mind to read their replies from the viewpoint that they often remind forum posters their add-on is foremost a security tool. :!: :coffee: :think:

Edit: dark moon, I just saw your last post now, I read the link, similar reply already given earlier in this thread by MC and I agree.
