Re: Firefox' privacy mode not so private

[<Toralv_Dirro () McAfee com>]

With all those webvideo sites around nowadays it is kinda hard to sound convincing when stating "I don't use flash" :)

For the missing deterioration: That's one of the reasons I still follow this list


cheers,
Toralv


________________________________
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Imri Goldberg
Sent: Tuesday, September 15, 2009 4:11 PM
To: funsec () linuxbox org
Subject: Re: [funsec] Firefox' privacy mode not so private

I have to say, I'm surprised that this discussion hasn't deteriorated to:

Reply 1: I don't use flash
Reply 2: I don't use gui browsing, it's text based browsing for me
Reply 3: etc...
a-la http://xkcd.com/378/ .


On Tue, Sep 15, 2009 at 3:18 PM, <Toralv_Dirro () mcafee com<mailto:Toralv_Dirro () mcafee com>> wrote:
You can configure Flash directly by visiting
http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html

(Website Privacy Settings / Website Storage Settings)

And while you're there, there are lots of other settings you may want to adjust...


cheers,
Toralv


________________________________
From: funsec-bounces () linuxbox org<mailto:funsec-bounces () linuxbox org> [mailto:funsec-bounces () linuxbox 
org<mailto:funsec-bounces () linuxbox org>] On Behalf Of Imri Goldberg
Sent: Tuesday, September 15, 2009 1:40 AM
To: funsec
Subject: [funsec] Firefox' privacy mode not so private

Heya
It seems this was some kind of a 'known secret', but firefox' privacy mode isn't private. Apparently, websites[1] can 
use flash to store 'Local-Shared-Objects' (LSOs, see http://en.wikipedia.org/wiki/Local_Shared_Object ), which are 
basically cookies. Firefox' regular capabilities of 'clear all private data' and 'privacy mode', which supposedly don't 
leave any record of your browsing history, don't erase these files.

Simplest solution: erase the files.
Other solutions: install BetterPrivacy (disclaimer: I didn't use it enough to vouch for it), uninstall flash (and 
delete the files), install a flash-blocker, etc.

I've also written a short blog post on the subject, you can also leave your comments there: 
http://www.algorithm.co.il/blogs/index.php/security/privacy-mode-not-so-private/

Cheers,
Imri

[1] websites include at least google and youtube, various cdns (which may be used by multiple websites), etc.

--
Imri Goldberg
--------------------------------------
www.algorithm.co.il/blogs/<http://www.algorithm.co.il/blogs/>
--------------------------------------
-- insert signature here ----

________________________________
Firmensitz: Muenchen
Amtsgericht: AG Muenchen
Handelsregister: HRB 144340
Geschaeftsfuehrer: Emmet Russell, Keith Krzeminski, Douglas Rice
Bankverbindung: ABN-Amro Bank N.V. Konto 671 211 9006
UST-ID: DE168122444



--
Imri Goldberg
--------------------------------------
www.algorithm.co.il/blogs/<http://www.algorithm.co.il/blogs/>
--------------------------------------
-- insert signature here ----

________________________________
Firmensitz: Muenchen
Amtsgericht: AG Muenchen
Handelsregister: HRB 144340
Geschaeftsfuehrer: Emmet Russell, Keith Krzeminski, Douglas Rice
Bankverbindung: ABN-Amro Bank N.V. Konto 671 211 9006
UST-ID: DE168122444

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.