dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
14312
z12
Premium Member
join:2004-01-26

1 recommendation

z12

Premium Member

DOM Storage, a browser privacy issue?

Apparently, dom storage is a lot better than the old fashioned cookie for storing data.
Firefox 2 already supports it, and supposedly, IE8 will also.

Doing a little research, I found this:
»developer.mozilla.org/en ··· :Storage
quote:
DOM Storage is the name given to the set of storage-related features introduced in the Web Applications 1.0 specification. DOM Storage is designed to provide a larger, securer, and easier-to-use alternative to storing information in cookies. It is currently only available in Mozilla-based browsers, notably starting with Firefox 2.

DOM Storage is useful because no good browser-only methods exist for persisting reasonable amounts of data for any period of time. Browser cookies have limited capacity and provide no support for organizing persisted data, and other methods (such as Flash Local Storage) require an external plugin.

I didn't like the implications of that so I disabled dom.storage via about:config.
It wasn't long before I noticed a javaScript error at cnn:

Error: [Exception... "Security error"  code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)"  location: "http://i.cdn.turner.com/cnn/.element/js/2.0/StorageManager.js Line: 165"]
Source File: http://i.cdn.turner.com/cnn/.element/js/2.0/StorageManager.js
Line: 165
 

Looking over the offending code revealed that a 3 Meg storage area failed to be created.
I have since noticed similar js errors on other sites as well.

Checking the globalStorage specification referenced on the link above:
»www.whatwg.org/specs/web ··· tracking
quote:
While these suggestions prevent trivial use of this API for user tracking, they do not block it altogether. Within a single domain, a site can continue to track the user during a session, and can then pass all this information to the third party along with any identifying information (names, credit card numbers, addresses) obtained by the site. If a third party cooperates with multiple sites to obtain such information, a profile can still be created.

However, user tracking is to some extent possible even with no cooperation from the user agent whatsoever, for instance by using session identifiers in URIs, a technique already commonly used for innocuous purposes but easily repurposed for user tracking (even retroactively). This information can then be shared with other sites, using using visitors' IP addresses and other user-specific data (e.g. user-agent headers and configuration settings) to combine separate sessions into coherent user profiles.

Now, couple global storage along this with a new "feature" in Firefox 3
»developer.mozilla.org/en ··· tMessage
quote:
window.postMessage is a method for safely enabling cross-origin communication. Normally, scripts on different pages are only allowed to access each other if and only if the pages which executed them are at locations with the same protocol (usually both http), port number (80 being the default for http), and host (modulo document.domain being set by both pages to the same value). window.postMessage provides a controlled mechanism to circumvent this restriction in a way which is secure when properly used.

There's no comparison between how much data can be stored in a cookie vs dom storage.
It's not hard to imagine that these "features" could be used for tracking purposes.

In Firefox 2, under Tools-->Options I see no method to configure any dom storage options.
I don't know about Firefox 3 or IE8.
SUMware2
Premium Member
join:2002-05-21

SUMware2

Premium Member

Understand your concerns.

The following will not alleviate all privacy issues, but there are two 'lesser known' Firefox addons that attempt to limit information leakage.

SafeCache is a Mozilla Firefox browser extension that protects your privacy by silently defending against cache-based tracking techniques. It allows embedded content to be cached, but segments the cache according to the domain of the originating page.

SafeHistory is a Mozilla Firefox browser extension that protects your privacy by silently defending against visited-link-based tracking techniques. It allows offsite visited links to be marked only if the browser's history database contains a record of the link being followed from the current site.

Every little bit helps.

AB57
Premium Member
join:2006-04-04
equatorial

AB57 to z12

Premium Member

to z12
The 'DOM' component is an optional choice on any initial install of Firefox.
I've personally never seen the need for it or any of its 'features', and so have always unchecked the DOM box when installing.

YMMV.
z12
Premium Member
join:2004-01-26

z12 to SUMware2

Premium Member

to SUMware2
SUMware

The sameorigin.pdf was an interesting read for sure.
The one glaring omission was no mention of dom storage.
It is my understanding that dom storage is not the same as the browser cache.
Dom storage will also be in IE8 so a mozilla addon won't cover everybody.
I'm not sure what other browser will have this feature in the future.

Presently, I'm thinking of browsing around and collecting a list of sites where I get the js error.
Then revisit the sites with dom storage enabled.
Perhaps I will find something interesting in firefox's profile folder.

The window.postMessage method is very disturbing.
I find cooperative tracking scripts on most sites I visit.
This with an iframe is tailor made for tracking/adserving.
Personally, I'm planing on having Proxomitron hose this method before trying ff3.
z12

1 recommendation

z12 to AB57

Premium Member

to AB57
AB

Your confusing this with the DOM Inspector. Not the same thing at all.

The name is confusing, see here: »ejohn.org/blog/dom-stora ··· answers/

AB57
Premium Member
join:2006-04-04
equatorial

AB57

Premium Member

said by z12:

AB

Your confusing this with the DOM Inspector. Not the same thing at all.

The name is confusing, see here: »ejohn.org/blog/dom-stora ··· answers/
Ah! Gotchya.
Yep, guess I was. I'm easily confused.

At least I didn't confuse it with Dom DeLuise or Dom Dimaggio, so there's still hope!
z12
Premium Member
join:2004-01-26

z12

Premium Member

said by "AB" :
Yep, guess I was. I'm easily confused.

I find that to be the case all to often myself nowadays.
SUMware2
Premium Member
join:2002-05-21

SUMware2 to z12

Premium Member

to z12
said by z12:

The window.postMessage method is very disturbing.
Thanks for bringing this up. Looks like it may be targeted for exploitation attempts.
said by z12:

Personally, I'm planing on having Proxomitron hose this method before trying ff3.
Capital idea. Have you created a filter?
z12
Premium Member
join:2004-01-26

z12

Premium Member

said by "SUMware" :
Capital idea. Have you created a filter?

Not yet. The simplest thing would be to override the method via js.
Your probably already injecting js before other scripts run.

Adding this to it should do the trick.
window.postMessage = null;
 

I'd have to test on ff3 to be sure.

They have made some js changes that limit what we can do with proxo. :(

But maybe ff3 will allow this to be disabled via about:config.
SUMware2
Premium Member
join:2002-05-21

SUMware2

Premium Member

said by z12:

They have made some js changes that limit what we can do with proxo.
But maybe ff3 will allow this to be disabled via about:config.
Guess we'll soon discover how this will all shake out.
Graycode
join:2006-04-17

Graycode to z12

Member

to z12
said by z12:

I didn't like the implications of that so I disabled dom.storage via about:config.
I wasn't aware of Dom Storage or its implications. Thanks for pointing that out!
The Snowman
Premium Member
join:2007-05-20

The Snowman to z12

Premium Member

to z12


This is js correct ? An from little that I know of it.....it must be script to the website/page...is that correct ?

For the heck of it.....although am not even sure I can test this with IE 6......I made a couple of blocks just to see the results......preventing StorageManager.js
from loading in the browser.

I do realize that doing this is a waste of time using IE 6., however, I just want to see how websites re-act to the block. There may be other ways to block this EXPLOIT and eventually I will get around to those.

ok, I am in learning mode so comments welcomed.

Its a Secret
Please speak into the microphone
Premium Member
join:2008-02-23
Da wet coast

Its a Secret

Premium Member

How did you disable this in IE 6? In learning mode also.

Cheers.
SUMware2
Premium Member
join:2002-05-21

SUMware2

Premium Member

said by Its a Secret:

How did you disable this in IE 6?
It's gonna be in IE8:
»msdn2.microsoft.com/en-u ··· 85).aspx

I've just disabled dom.storage in FF and will see how it goes.
The Snowman
Premium Member
join:2007-05-20

The Snowman to z12

Premium Member

to z12


Its a Secret

I did not dis-able it ..just preventing it from loading when visiting a website. Someone mentioned "proxo" and that gave me an idea....although I do not use proxo....I do have a program that can "filter"......so its filtered out.

But not to worry...from the above comments I take it that IE 6 is not subject to the Exploit. Someone will correct me if this is not correct.
There may be other possible risks to both privacy and security because of this "Thang" so I will mess around with it just a tad bit.
SUMware2
Premium Member
join:2002-05-21

2 edits

SUMware2 to z12

Premium Member

to z12
Ya know, dom storage sounds sorta like IE's "userdata persistence".

...he said thinking that he was thinking an original thought:

»developer.mozilla.org/en ··· :Storage
quote:
Currently, only Mozilla-based browsers provide a working implementation of the DOM Storage specification. However, Internet Explorer does have a similar feature called "userData behavior" that allows you to persist data across multiple browser sessions.

DOM Storage is useful because no good browser-only methods exist for persisting reasonable amounts of data for any period of time. Browser cookies have limited capacity and provide no support for organizing persisted data, and other methods (such as Flash Local Storage) require an external plugin.

snowguynotlogin
@verizon.net

snowguynotlogin to z12

Anon

to z12


SUM

userdata persistence......well I haven't had a chance as yet to look over dom to compare. But I really do not like the smell of this Thang...in fact I think I would remove Java before allowing dom.
So far I don't see it as a problem to block....my concern was with internet explorer more than firefox.....firefox can take care of itself but interent explorer...well, it's the red head step child these days...no one to play with it.
The Snowman
Premium Member
join:2007-05-20

The Snowman

Premium Member



WoW...after that last post it hit me like a Lightening Bolt.....that I retired myself from computer security/privacy a few months ago. So I doubt if I will follow through on researching this exploit.
It has been a very long winter for me and a miracle that I am still alive due to my illness. I would say that its time for me to lay back and enjoy the internet but that is impossible considering the many new exploits arriving everyday.

This DOM Thang is just one more than will eventually be blocked. You guys can do it......
SUMware2
Premium Member
join:2002-05-21

2 edits

SUMware2 to z12

Premium Member

to z12
So far no downside to disabling dom storage.
From what I've read it's not yet widely utilized. That's nice.

One of the first things I do when assisting peeps tighten their Windows security & privacy is to disable 'UserData Persistence' in all IE zones.

Looks like I'll be doing the same thing with FF's (& IE's) dom storage.
The Snowman
Premium Member
join:2007-05-20

The Snowman

Premium Member

SUMware

my friend you may find the info at the below link of interest:

»developer.mozilla.org/en ··· :Storage

An yes, you would be correct in that DOM Storage is of the same nature as "userdata persistence".

Regarding the block I set-up last night....as yet I have not been able to see or tell if it's working or not. Its not unusual for some websites not to load due to my block set-up and to find if the new block is working I would need to remove all other blocks.....which is not so difficult...un-fortunately health wise I am having a very difficult time of it yesterday and today so am not doing much right now. But will let you know how the block works out.....eventually.

AB57
Premium Member
join:2006-04-04
equatorial

AB57 to z12

Premium Member

to z12
said by z12:

. . I disabled dom.storage via about:config.
It wasn't long before I noticed a javaScript error at cnn . . .
You know, I've had a problem the last couple of months or so viewing videos here:

»www.cnn.com/video/player ··· ion=/ALL

or at plain vanilla cnn.com, too.
Never had a problem before, as long as I was allowing scripts and/or cookies, which I still am. I figured it for an AdBlock thing, though I haven't been able to determine what yet, after experimenting around a bit.

But I checked my DOM settings in about:config, and DOM storage is not allowed-- a 'user choice' that I made. I didn't make it manually, I'm certain, so it must have come along with some user.js settings I imported from somewhere.
Here's what all my DOM settings look like:




I set 'dom.storage.enabled' to 'true' last night-- just that one setting-- but that changed nothing as far as being able to watch video there-- I still couldn't, so I set it back.
I did, however, have a rash of zero-length temporary files appear in Application Data\Temp, for whatever that's worth.

Ultimately, I'd rather leave DOM off than watch CNN videos-- they're not the only game in town.
It does make me wonder if one of my DOM settings is the culprit, however.

But, c'est la vie. Posting this more as 'general info' than anything, I guess.

snowguynotlogin
@verizon.net

snowguynotlogin to z12

Anon

to z12


AB, whats that..... "change click ddlclick mouseup reset submit"......in the picture you posted " looks like its set to ALLOW.......am just wondering what purpose it has.

A mousey
@anonymouse.org

A mousey

Anon

Hello, I found this:

»kb.mozillazine.org/Dom.p ··· d_events
SUMware2
Premium Member
join:2002-05-21

SUMware2 to AB57

Premium Member

to AB57
said by AB57:

I figured it for an AdBlock thing, though I haven't been able to determine what yet, after experimenting around a bit.
Could be AdBlock, NoScript, Proxomitron (if you use it), or combinations thereof related. I've no problems viewing CNN vids, nor anything else, with dom storage disabled.
SUMware2

SUMware2 to z12

Premium Member

to z12

Coming to IE8

What's New in IE 8?
3/17/2008 -
quote:
IE 8's "DOM Storage" feature provides caching of Web page data in a local cache. Web applications may store and load data in a local cache directly. DOM storage provides AJAX functionality beyond client/server interactions. While disconnected from the server, a client may interact with the local cache to read and store data, and when the server connection becomes available, the cache data may be synchronized with the server.

The "Connection Events" feature provides notification about user connectivity events. It indicates when a user is connected to the Web site and when he is not. This feature lets AJAX applications exit if a call is cancelled or if a call times out.
An interesting read. And perhaps an indicator of potential vulns & attack vectors.

AB57
Premium Member
join:2006-04-04
equatorial

AB57 to SUMware2

Premium Member

to SUMware2

Re: DOM Storage, a browser privacy issue?

said by SUMware2:

said by AB57:

I figured it for an AdBlock thing, though I haven't been able to determine what yet, after experimenting around a bit.
Could be AdBlock, NoScript, Proxomitron (if you use it), or combinations thereof related. I've no problems viewing CNN vids, nor anything else, with dom storage disabled.
No, no Proxomitron. I also have it figured for a NoScript or AdBlock thing, most likely AdBlock, as I've fooled around with NoScript and covered pretty much any options that could be affecting things there.

No biggie. I'll figure it out eventually, maybe.
The Snowman
Premium Member
join:2007-05-20

The Snowman to z12

Premium Member

to z12


Oh boy....this DOM Thang is sure a potential ISSUE waiting to happen.

Although I don't as yet see any reports of Firefox having been exploited because of it. Nevertheless, if I can possibly avoid the use of DOM I will. I have no interest in IE8......I tested the beta version...and only found it to be a report tool for microsoft. I'll stick with IE6 for as long as possible and when that wont work any longer...move to linux.
z12
Premium Member
join:2004-01-26

z12 to SUMware2

Premium Member

to SUMware2

Re: Coming to IE8

from »www.adtmag.com/article.a ··· id=22259
quote:
IE 8 has a cross-domain request feature, or "XDomainRequest" (XDR), which is similar to XMLHttpRequest. XDR is used to make restricted and secure cross-domain requests. It enables data aggregation across Web sites.

A cross-document messaging feature in IE 8 provides secure exchange of data between documents in different domains.

Firefox 3 will have these "features" also. Why is this such a good thing?

I especially like this:
quote:
It enables data aggregation across Web sites.

So instead of tracking, it's data aggregation. What a cool feature.

I really have to wonder about the HTLM5 proposed by the "Web Hypertext Application Technology Working Group".
It seems theres a lot of bling at the price of privacy.
All I really need is a browser that works, is secure and keeps where I go private.
I guess I'm old school.
The Snowman
Premium Member
join:2007-05-20

The Snowman

Premium Member



Hmmmm, I have stored away somewhere a few "old school" security programs.....think its time to see if they will still work.

Its a Secret
Please speak into the microphone
Premium Member
join:2008-02-23
Da wet coast

Its a Secret to z12

Premium Member

to z12

Re: DOM Storage, a browser privacy issue?

As we all know, new isn't necessarily better. That maxim has stood the test of time.