Author Topic: Tests and other Media topics (Read 583272 times)

polonus · « **Reply #480 on:** August 12, 2017, 06:49:53 PM »

Why uBlock Origin now has a new companion extension named uBlock Origin Extra?
Read: https://www.theregister.co.uk/2017/08/11/ad_blocker_bypass_code/
and https://github.com/gorhill/uBO-Extra
Get it here: https://chrome.google.com/webstore/detail/ublock-origin-extra/pgdnlhfefecpicbbihgmbmffkjpaplco/related

enjoy,

pol

Asyn · « **Reply #481 on:** August 12, 2017, 06:54:34 PM »

Hi Pol, some valuable info, thanks a lot..!!

DavidR · « **Reply #482 on:** August 12, 2017, 07:25:53 PM »

Quote from: polonus on August 12, 2017, 06:49:53 PM

Why uBlock Origin now has a new companion extension named uBlock Origin Extra?
Read: https://www.theregister.co.uk/2017/08/11/ad_blocker_bypass_code/
and https://github.com/gorhill/uBO-Extra
Get it here: https://chrome.google.com/webstore/detail/ublock-origin-extra/pgdnlhfefecpicbbihgmbmffkjpaplco/related

enjoy,

pol

I'm starting to find uBlock Origin bit of a pain in the backside.

I'm continually having to switch it off as it is blocking things that I feel are too aggressive. Even trying to exclude those sites doesn't seem to resolve the problem as it would appear that the exclusion is only for originating site (image1 & image3).

It is nowhere near flexible enough, I would like to see it closer to Request policy that allows connections from a site to 3rd party connections and not exclude it for every site (image2). So I'm honestly considering binning it and not adding additional functionality.

bob3160 · « **Reply #483 on:** August 12, 2017, 07:54:08 PM »

Sometimes (IMHO) the cure is worse than the disease.

DavidR · « **Reply #484 on:** August 12, 2017, 08:17:57 PM »

Quote from: bob3160 on August 12, 2017, 07:54:08 PM

Sometimes (IMHO) the cure is worse than the disease.

This could be the case for some. AdBlockPlus wasn't bad, quite flexible, but then it shot itself in the foot with trust worthy issues.

bob3160 · « **Reply #485 on:** August 12, 2017, 08:20:54 PM »

I right now am putting up with extra adds,
One program is too aggressive and not really adjustable.
The other lost it's trust and it will be a long road back towards again earning it.

Asyn · « **Reply #486 on:** August 12, 2017, 08:29:37 PM »

Quote from: DavidR on August 12, 2017, 07:25:53 PM

I'm starting to find uBlock Origin bit of a pain in the backside.

I'm continually having to switch it off as it is blocking things that I feel are too aggressive. Even trying to exclude those sites doesn't seem to resolve the problem as it would appear that the exclusion is only for originating site (image1 & image3).

It is nowhere near flexible enough, I would like to see it closer to Request policy that allows connections from a site to 3rd party connections and not exclude it for every site (image2). So I'm honestly considering binning it and not adding additional functionality.

Hi Dave, uBO is highly flexible and adjustable, guess you didn't dig deep enough yet.
Anyway, I don't want to drag this thread OT, so if you want/need help let me/us know...

polonus · « **Reply #487 on:** August 14, 2017, 01:42:00 PM »

DNS CAA should be implemented now during September. It is a kind of genuine administrative control whether the domain name is in the DNS record. More vague then HPKP testing for browsers where it checked against whitelisted public keys.

In case of DNS CAA with all the different CA's the check is not often well performed and alo often social engineering sensitive.

Check: https://caatest.co.uk/vendercartoabom.com.br where we could not find any - hostname does not match certificate for this PHISHING site, certificate not correctly been installed with Hostgator Wildcard - Comodo. (carding abuse?).

How to generate CAA records: https://sslmate.com/labs/caa/

Testing: https://www.ssllabs.com/ssltest/ also compare to cryptoreport.websecurity.symantec.com/checker/
and https://observatory.mozilla.org/ and http://www.dnsinspect.com/

polonus (volunteer website security analyst and website error-hunter)

polonus · « **Reply #488 on:** August 15, 2017, 10:57:08 PM »

Check your old add-ons for compatibility: https://addons.mozilla.org/en-US/firefox/addon/add-on-compatibility-reporter/

Read about the profile clash to come: https://github.com/Aris-t2/ClassicThemeRestorer/issues/299

pol

DavidR · « **Reply #489 on:** August 16, 2017, 12:00:01 AM »

Quote from: polonus on August 15, 2017, 10:57:08 PM

Check your old add-ons for compatibility: https://addons.mozilla.org/en-US/firefox/addon/add-on-compatibility-reporter/
<snip>

Ha, these are going to be pretty redundant in three months as support for Legacy updates will end. It is said that 80% of the add-ons on the Mozilla add-ons are still Legacy add-ons.

But you don't need the add-on-compatibility-reporter, simply going to the firefox add-ons section in the browser as all Legacy add-ons are already flagged as such. Only one of my add-ons isn't Legacy.

bob3160 · « **Reply #490 on:** August 16, 2017, 12:21:45 AM »

Looks like
Avast Online Security needs some work.

polonus · « **Reply #491 on:** August 20, 2017, 12:55:01 PM »

Why polonus is scanning what he is scanning and reporting what he is reporting for instance in the "virus and worms"?
All of it in vain? Some here pay attention, although as a rule it goes by greatly unnoticed....
(No I do not mean you, Eddy, no I do not mean you Pondus and others).

Nobody gives a hoot what you detect...
Read here why...https://medium.com/@homakov/why-it-sucks-to-be-a-security-researcher-8a1d17fbffe8

link info credits go to Egor Homakov

polonus (volunteer website security analyst and website error-hunter)

polonus · « **Reply #492 on:** August 24, 2017, 07:51:08 PM »

protection against clickjacking

In the document HEAD element, add the following

Code: [Select]

<style id="antiClickjack">body{display:none !important;}</style>

<script type="text/javascript">
   if (self === top) {
       var antiClickjack = document.getElementById("antiClickjack");
       antiClickjack.parentNode.removeChild(antiClickjack);
   } else {
       top.location = self.location;
   }
</script>

info credits go to StackOverflow's Prabin Tp

Check for clickjacking with https://asafaweb.com/ & https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
like

Code: [Select]

<html>
   <head>
     <title>Clickjack test page</title>
   </head>
   <body>
     <p>Website is vulnerable to clickjacking!</p>
     <iframe src="http://www.target.site" width="500" height="500"></iframe>
   </body>
</html>

Protection for client users: https://www.lifewire.com/how-to-protect-yourself-from-clickjacking-attacks-2487178

polonus

polonus · « **Reply #493 on:** August 24, 2017, 10:04:13 PM »

With Mozilla now more and more going the Google Chrome monopoly way.
What is your experience with the following browser?

https://cliqz.com/en/

I see the old firefox mssion fans now turn to Palemoon or Opera. On Android we have Brave.

Will all browsers be "just another browser" soon or will there still be an escape for those,
that want to avoid crap, scam, spam, mal-ads, tracking and other forms of extensive profiling?

The more you protect the more you stand out to these evil forces that invade your devices.

polonus

polonus · « **Reply #494 on:** August 25, 2017, 06:57:58 PM »

Google opens up somewhat more on Titan:

Discussion on it here: https://news.ycombinator.com/item?id=15093129
and
https://www.blackhat.com/us-17/briefings/schedule/#firmware-is-the-new-black---analyzing-past-three-years-of-biosuefi-security-vulnerabilities-6924

Probably their management controller was not secure enough, and now they will protect every byte of their propriety code the hard-coded way, so even those with access to it cannot manipulate, so Google may lead and calls the shots always.
Only hope is that every one of these self-made security chips with TMP and secure boot will follow the original blue-print

polonus