From: James Taylor on 1 Feb 2010 16:45

Rowland McDonnell wrote:
> James Taylor wrote:
>
>> Phil Taylor wrote:
>>
>>> James Taylor wrote:
>>>
>>>> My goodness! I had no idea there was a hidden client making outbound
>>>> connections without the knowledge or permission of the user. Under what
>>>> circumstances do things get added to the pubsub fetch database?
>>>
>>> Fascinating, isn't it? I suspect that you get such subscriptions by
>>> inadvertently clicking the RSS button on a web site. Since nothing
>>> visible happens, you forget about it.
>>
>> It's just yet another example of Apple not caring about user security.
>> They only care about giving the impression of security. It's dishonest.
>
> *ALL* the firms are dishonest, when it comes to this sort of thing.

Well, the sad fact is that security and privacy are hard to sell when
the great majority of customers don't understand such things and
certainly don't care about them if given a choice between security and
privacy on the one hand or convenience and kewl features on the other.

> In the case of Apple, experience shows that in the past, Apple's
> security policy has resulted in no widespread problems for users.

I think we've done that argument to death already, Rowland. Just because
there haven't been any major virus outbreaks on OSX, doesn't mean that
Apple's security practice is adequate, or that OSX is secure.

> Apple's attitude stinks - but practically speaking, we've got it a lot
> better than the Windoze people. <shrug>

Oh for sure.

>> I use Firefox with the CS Lite extension:
>> <https://addons.mozilla.org/en-US/firefox/addon/5207>
>> and I keep cookies disabled on all but a few whitelisted sites
>> where I actually need them for my own convenience.
>
> Yes, but that's an untrustable download - how can you be sure that your
> security is uncompromised by that unverifiable extension?

You can read the source code. It's just javascript.

> I use FlashBlock as well as what you recommend below.
> <https://addons.mozilla.org/en-US/firefox/addon/433>

The functionality of FlashBlock is included in NoScript, so if you have
NoScript installed already there is no reason to slow Firefox down with
yet another extension. Indeed NoScript does it for all the plugins.

To configure NoScript for this, go to its preferences, into the
"Embeddings" tab. Forbid all the plugins, tick "Apply these restrictions
to whitelisted sites too", untick "Collapse blocked objects", and I also
like to untick "Ask for confirmation before temporarily unblocking an
object". This way, even if you've whitelisted YouTube, for example, when
you load a YouTube page the video will appear as a yellow box, then only
when you click on that yellow box will the video be loaded, and more
importantly none of the Flash ads so commonly embedded in web pages will
load or be able to store tracking cookies.

>> Firefox has an extensible architecture that allows people who
>> really do care about user privacy and security to make the
>> browser respect those things.
>
> Which is pretty poor, since privacy and security should be of high
> quality by default, without the need to add the security risk that comes
> with any extensible architecture being operated without some sort of -
> oh dear, am I writing this? - authority, ensuring good quality.

You have a point, but we live in an imperfect world and I'm very pleased
that Firefox has allowed others to improve upon it and add features that
Mozilla itself, like any big company, probably wouldn't have bothered
adding because they are not mainstream enough. Security and privacy
being prime examples that the average user doesn't care about, but which
some of us do.

>> If your friend cares about this she should definitely not be
>> using an Apple browser, she should use Firefox.
>
> Firefox has its flaws.

They all have flaws, but at least the Firefox flaws get patched in days,
unlike Apple who leave security holes unpatched for months on end.

> I read an article covering an interview with a heavy modern hacker.
> His advice if you wanted a secure browsing experience?
>
> No Firefox. Opera, with Javascript off.

Opera has had no shortage of security flaws, and has the distinct
disadvantage of being closed-source, and lacking the security extensions
that Firefox has. Perhaps the fact that Opera has the smallest market
share of all the major browsers would mean that nobody bothers writing
exploits for it. However, leaving JavaScript off at all times is not
realistic these days. It's better to be able to turn it on for specific
sites without turning it on for all sites, hence NoScript.

>> Other essential security extensions for Firefox include NoScript:
>> <https://addons.mozilla.org/en-US/firefox/addon/722>
>
> Yes. Very handy, that one. You'd be *amazed* the number of times I've
> seen a Google script being blocked.

I just mark google-analytics.com as untrusted, then I never have to see
it or worry about it again.

> Is there anywhere on-line where Google isn't poking around?
> Probably not...

Google are the closest thing we have to Big Brother or Skynet. They may
not be run officially by a government, but they do have permanent
servers set up to allow governments easy access to user search data,
browsing history, Gmail, etc, as was revealed in the fallout from recent
Chinese cyber attacks when those same servers were discovered and used
by the Chinese as a very convenient backdoor into Google's systems.

>> and RequestPolicy:
>> <https://addons.mozilla.org/en-US/firefox/addon/9727>
>
> I've not met that one before. Good one, though. Ish.
>
> Hmm - like a lot of these extensions, this is one that it's not easy for
> someone who's not a Web security expert to make good use of.

Actually, Request Policy is much simpler to understand and use than
NoScript.

Whereas NoScript tries to deal with a whole range of different and
complex security issues, just one of which is XSS (Cross Site
Scripting), Request Policy has a very simple mission: to allow or
disallow one site to access another and thus prevent CSRF (Cross Site
Request Forgery), which is not currently handled by NoScript.

CSRF differs from XSS in that XSS exploits the trust that the browser
has in the site, whereas CSRF exploits the trust that the site has in
the browser. XSS is where malicious script is injected into a site that
you trust, and this causes your browser to do something harmful. CSRF
doesn't even require scripting to do something malicious because it
involves embedding malicious URLs in one web page that cause your
browser to make a request to another site (which you may be already
logged into, or have a cookie that means you don't need to login again)
in such a way that it could make a bank transaction, steal credentials,
set bogus DNS servers on your router, download malware, etc.

>> These extensions require some configuration and knowledge to use
>> effectively, but your friend will enjoy the learning process if she
>> cares about security enough to want to look into it.
>
> In general, any computer security add-on that requires knowledgeable
> configuration is unusable by anyone except a computer security
> specialist. Without the sort of contacts that sort of person has, you
> can forget being able to learn what's needful /in the *general* case of
> computer security software/.

I tend to agree, although I'm not quite as pessimistic. I would like to
think that anyone who cares can read the NoScript documentation to learn
what it protects against and how and why to use it.

> But in the case of NoScript, I've made intelligent use of it. I need
> information that's not available to me to use it optimally, but I'm used
> to that...

The online documentation is very detailed. What information are you
unable to find?

> RequestPolicy is somewhat similar - one needs information that is
> inaccessible other than to well-connected computer security specialists,
> and the rest of us can go hang.

I think it's a lot simpler than you imagine. It simply keeps a whitelist
of which sites may access resources on which other sites. That hardly
requires a great deal of expert knowledge.

> I don't trust the suggested whitelist entries.

Nor me. Just start with an empty whitelist and add things as necessary.
You'll have to add quite a lot initially, but doing so as the need
arises is an education in just how pervasively some sites interconnect
with others. All JavaScript running in the context of a given site has
access to the same global data, so it's kind of scary to see how many
other sites you need to trust to trust the site you actually went to.

-- 
James Taylor
From: Rowland McDonnell on 1 Feb 2010 18:59

James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:

> Rowland McDonnell wrote:
>
> > James Taylor wrote:
> >
> >> Phil Taylor wrote:
> >>
> >>> James Taylor wrote:
> >>>
> >>>> My goodness! I had no idea there was a hidden client making outbound
> >>>> connections without the knowledge or permission of the user. Under what
> >>>> circumstances do things get added to the pubsub fetch database?
> >>>
> >>> Fascinating, isn't it? I suspect that you get such subscriptions by
> >>> inadvertently clicking the RSS button on a web site. Since nothing
> >>> visible happens, you forget about it.
> >>
> >> It's just yet another example of Apple not caring about user security.
> >> They only care about giving the impression of security. It's dishonest.
> >
> > *ALL* the firms are dishonest, when it comes to this sort of thing.
>
> Well, the sad fact is that security and privacy are hard to sell when
> the great majority of customers don't understand such things and
> certainly don't care about them if given a choice between security and
> privacy on the one hand or convenience and kewl features on the other.

Indeed - that is because they have been brainwashed into bone idle
acceptance of whatever they're fed, brainwashed into believing that it's
impossible to understand the background stuff, and denied access to the
information that they'd need to understand what they'd need to
understand.

<shrug>

It's all about the commercial computer firms wanting to keep their
captive market trapped and incapable of dealing with anything without -
paying extra...

It's all about leeching money from the suckers who suck on the PC teat.

And you think that this commercial tyranny is a good thing, and should
remain unchallenged, do you? Your words indicate that you do.

> > In the case of Apple, experience shows that in the past, Apple's
> > security policy has resulted in no widespread problems for users.
>
> I think we've done that argument to death already, Rowland.

Oh shut up. Have you any idea how irritatingly patronising and annoying
I find that mode of discourse? Yes, of course you do - it's why you're
using it.

`We' have not done anything together. There has been no argument - there
has been you ignoring my points and treating my opinions with contempt,
just to be annoying. I really don't appreciate that mode of operation on
your part.

[snip]

Rowland.

-- 
Remove the animal for email address: rowland.mcdonnell(a)dog.physics.org
Sorry - the spam got to me
http://www.mag-uk.org http://www.bmf.co.uk
UK biker? Join MAG and the BMF and stop the Eurocrats banning biking
From: James Taylor on 2 Feb 2010 01:08

Rowland McDonnell wrote:
> James Taylor wrote:
>
>> Well, the sad fact is that security and privacy are hard to sell when
>> the great majority of customers don't understand such things and
>> certainly don't care about them if given a choice between security and
>> privacy on the one hand or convenience and kewl features on the other.
>
> Indeed - that is because they have been brainwashed into bone idle
> acceptance of whatever they're fed, brainwashed into believing that it's
> impossible to understand the background stuff, and denied access to the
> information that they'd need to understand what they'd need to
> understand.

Even if you tell people they're totally insecure and their privacy is at
risk, most people are too preoccupied with other priorities to spend any
time looking into what they'd need to understand to know what they'd
need to understand. Life's too short. Indeed some people prefer to
believe they're using a secure computing platform (eg. Apple) because to
entertain the possibility that it might not be secure is inconceivable
to their puny minds.

> <shrug>
>
> It's all about the commercial computer firms wanting to keep their
> captive market trapped and incapable of dealing with anything without -
> paying extra...

That's certainly a factor too, but I think the point I make above is the
bigger factor.

> It's all about leeching money from the suckers who suck on the PC teat.
>
> And you think that this commercial tyranny is a good thing, and should
> remain unchallenged, do you? Your words indicate that you do.

No, I didn't say it was a good thing. It's just how things are.

-- 
James Taylor
From: Woody on 2 Feb 2010 02:56

Rowland McDonnell <real-address-in-sig(a)flur.bltigibbet.invalid> wrote:

> James Taylor <usenet(a)oakseed.demon.co.uk.invalid> wrote:
>
> > Rowland McDonnell wrote:
> >
> > > James Taylor wrote:
> > >
> > >> Phil Taylor wrote:
> > >>
> > >>> James Taylor wrote:
> > >>>
> > >>>> My goodness! I had no idea there was a hidden client making outbound
> > >>>> connections without the knowledge or permission of the user. Under what
> > >>>> circumstances do things get added to the pubsub fetch database?
> > >>>
> > >>> Fascinating, isn't it? I suspect that you get such subscriptions by
> > >>> inadvertently clicking the RSS button on a web site. Since nothing
> > >>> visible happens, you forget about it.
> > >>
> > >> It's just yet another example of Apple not caring about user security.
> > >> They only care about giving the impression of security. It's dishonest.
> > >
> > > *ALL* the firms are dishonest, when it comes to this sort of thing.
> >
> > Well, the sad fact is that security and privacy are hard to sell when
> > the great majority of customers don't understand such things and
> > certainly don't care about them if given a choice between security and
> > privacy on the one hand or convenience and kewl features on the other.
>
> Indeed - that is because they have been brainwashed into bone idle
> acceptance of whatever they're fed, brainwashed into believing that it's
> impossible to understand the background stuff, and denied access to the
> information that they'd need to understand what they'd need to
> understand.

No, it is because they really don't care, don't want to know and would
rather get on with other things. Most people don't want to know about
computers at all, they just want to get their stuff done and a computer
is some part of that.

-- 
Woody
www.alienrat.com
From: Geoff Berrow on 2 Feb 2010 03:57

On Mon, 1 Feb 2010 21:01:50 +0000, real-address-in-sig(a)flur.bltigibbet.invalid
(Rowland McDonnell) wrote:

>Woody <usenet(a)alienrat.co.uk> wrote:
>
>[snip]
>
>> > That is my choice - you, as a Web developer,
>> > need to understand that some of us will simply never ever trust any
>> > information planted on our computers by an external anything for reading
>> > by an external anything and that's that.
>>
>> Not really. As you say, it is your choice but it is a very minority
>> choice.
>
>No, that's just a snide put down on your part. A deeply dishonest
>debating tactic.

Seems reasonable to me. I have created many sites which rely on session
cookies (cookies stored in the browser's memory) and have yet to come
across anyone who has a problem with it. So IME it is the minority
tinfoil hat brigade that have the problem.

>
>[snip]
>
>> As a web developer you are always aware of the fact that you can't
>> please everyone
>
>And the only way you can please anyone is to ensure that they can't find
>out what you're doing, or they'll object.
>
>Hide your intentions, hide your activities, keep it secret - that's the
>way it works, do it all behind our backs.

Do make sure you have that tinfoil the right way round, ok?

-- 
Geoff Berrow (Put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs www.4theweb.co.uk/rfdmaker