funsec mailing list archives

Re: Firefox' privacy mode not so private


From: Imri Goldberg <lorgandon () gmail com>
Date: Tue, 15 Sep 2009 17:11:28 +0300

I have to say, I'm surprised that this discussion hasn't deteriorated to:

Reply 1: I don't use flash
Reply 2: I don't use gui browsing, it's text based browsing for me
Reply 3: etc...
a-la http://xkcd.com/378/ .


On Tue, Sep 15, 2009 at 3:18 PM, <Toralv_Dirro () mcafee com> wrote:

 You can configure Flash directly by visiting

http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html

(Website Privacy Settings / Website Storage Settings)

And while you're there, there are lots of other settings you may want to
adjust...


cheers,
Toralv


 ------------------------------
*From:* funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] *On
Behalf Of *Imri Goldberg
*Sent:* Tuesday, September 15, 2009 1:40 AM
*To:* funsec
*Subject:* [funsec] Firefox' privacy mode not so private

 Heya
It seems this was some kind of a 'known secret', but firefox' privacy mode
isn't private. Apparently, websites[1] can use flash to store
'Local-Shared-Objects' (LSOs, see
http://en.wikipedia.org/wiki/Local_Shared_Object ), which are basically
cookies. Firefox' regular capabilities of 'clear all private data' and
'privacy mode', which supposedly don't leave any record of your browsing
history, don't erase these files.

Simplest solution: erase the files.
Other solutions: install BetterPrivacy (disclaimer: I didn't use it enough
to vouch for it), uninstall flash (and delete the files), install a
flash-blocker, etc.

I've also written a short blog post on the subject, you can also leave your
comments there:
http://www.algorithm.co.il/blogs/index.php/security/privacy-mode-not-so-private/

Cheers,
Imri

[1] websites include at least google and youtube, various cdns (which may
be used by multiple websites), etc.

--
Imri Goldberg
--------------------------------------
www.algorithm.co.il/blogs/
--------------------------------------
-- insert signature here ----






-- 
Imri Goldberg
--------------------------------------
www.algorithm.co.il/blogs/
--------------------------------------
-- insert signature here ----
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
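
An added example, not part of the original posts: a small audit script for the "erase the files" step, which lists Flash Local Shared Objects per origin before deleting them. The storage paths and the `<profile dir>/<origin>/` layout are Flash Player defaults assumed here, not stated in the thread, and the function names are hypothetical.

```python
"""Audit Flash Local Shared Objects (.sol) left on disk, grouped by origin."""
import os
from collections import defaultdict
from pathlib import Path

def default_roots():
    """Per-user Flash Player storage directories (assumed default locations)."""
    home = Path.home()
    roots = [
        home / ".macromedia/Flash_Player/#SharedObjects",                     # Linux
        home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
    ]
    appdata = os.environ.get("APPDATA")
    if appdata:
        roots.append(Path(appdata) / "Macromedia/Flash Player/#SharedObjects")  # Windows
    return [r for r in roots if r.is_dir()]

def audit_lsos(root):
    """Return {origin: [(relative_path, size_bytes), ...]} for each .sol under root."""
    root = Path(root)
    found = defaultdict(list)
    for path in sorted(root.rglob("*.sol")):
        if path.is_symlink() or not path.is_file():
            continue  # skip links so nothing outside the storage tree is touched
        parts = path.relative_to(root).parts
        # Assumed layout: <random profile dir>/<origin host>/.../<name>.sol
        origin = parts[1] if len(parts) >= 3 else "(unknown)"
        found[origin].append(("/".join(parts), path.stat().st_size))
    return dict(found)

def remove_lsos(root, origins=None):
    """Delete .sol files, optionally only for the given origins; return the count."""
    removed = 0
    for origin, files in audit_lsos(root).items():
        if origins is not None and origin not in origins:
            continue
        for rel, _size in files:
            (Path(root) / rel).unlink()
            removed += 1
    return removed

if __name__ == "__main__":
    # Report only; call remove_lsos(root) after reviewing the list.
    for root in default_roots():
        for origin, files in sorted(audit_lsos(root).items()):
            print(f"{origin}: {len(files)} file(s), {sum(s for _, s in files)} bytes")
```

Running the report before and after a private-browsing session shows which origins wrote LSOs that the browser's own "clear private data" did not remove.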
