Finally firefox has a webbug detector...

[polonus]

Hi malware fighters,

As cookies became manageable, and could be avoided, as well as people became aware of Super Cookies, the use of 1 pixel large Web bugs came in to track you. These requests typically include the IP address of the requesting computer, the time the content was requested, the type of Web browser that made the request, and the existence of cookies previously set by that server. The server can store all of this information, and associate it with a unique tracking token attached to the content request.

Web bugs are typically used by third parties to monitor the activity of customers at a site.

Now they can be made visible with FoxBeacon. It can be found here:
http://www.shyyonk.net/foxbeacon/download.html
Test site for it: http://www.mycomputer.com/agreements/privacy_policy.html
I liked bugnosis, that was only for IE, now for Firefox we have Foxbeacon,

polonus

[DavidR]

Well a brief read indicates a potential issue with the web shield.

After being installed, FoxBeacon embeds itself into the Firefox browser and acts as a proxy. It reads every incoming web page and trying to find hidden web bugs.

Since the web shield is a proxy we now have two proxies fighting over the same page, so at the very least we have to co-ordinate these by adding the foxbeacon proxy port to the web shield redirect and uncheck ignore local communication, etc.

If only we knew what port foxbeacon used, it is very light on information.

[TheSpirit]

Actually, I think that NoScript does the same. There is probably no need for further extensions. Correct me if I'm wrong. It's from 2007, isn't it?

[DavidR]

I would say NoScript would up to a point, since many sites require javascript for many functions if you allow it then the web bug could well be activated.

So it isn't very clear and there is little information on exactly how foxbeacon works to say if noscript might do the job as well.

[polonus]

Hi DavidR,

You can enable FoxBeacon at will, e.g. when you need it to check. What is going on can be found here: chrome://foxbeacon/content/browser.js. For your convenience and mine I will post these questions to Giorgio Maone, the maker of NoScript, and we will have an answer. The source of this addon, Mellon University standard, and professional guidance for the developer makes it is not questionable, then the example after it was build, 'bugnosis", has been used on IE for years and years without many security questions raised. I will just ask Giorgio Maone if NoScript also protects against webbugs at the moment the page is being sent, not at later handling through java script, there I think we have full protection. Also I will ask him what an add-on like ABP can do, and we have to have FoxBeacon enabled to know what to block in ABP for  the future, haven't we?

polonus

[DavidR]

It isn't so much an issue of enabling at will but how it works based on it saying it acts as a proxy. If when at will I chose to enable it, if it had an interaction with the web shield I know which protection I would want on and I think you know which that would be

Also as TheSpirit mentioned if NoScript covers this area then perhaps we don't need foxbeacon, that entirely how foxbeacon works, as to how much crossover there is between the two.

No one is questioning the probity of the origin of foxbeacon, just how it works.

[polonus]

Hi DavidR,

So until I know from Giorgio what are the security risks of this add-on, your way to find the majority of notorious Web bugs listed here: http://www.securityspace.com/s_survey/data/man.200102/webbug.html

Mind you there also benevolent Web bugs you better not block using NoScript because they are used for alignment and other purposes to make your surfing more enjoyable, especially because you are not on broadband.

The best solution here would be to block the nasties (e.g. undesirable Web bugs) inside your hosts file, at least that is advised. I am sure NoScript protects where Web bugs make acrobatics using of JS in their aftermath, but my concern is at the moment of the page query from the browser. It has nothing to do with being paranoid, but just like you I want to know the underlying mechanism, and for FoxBeacon that is XUL,

polonus

[DavidR]

I honestly don't belive there are any security risks for this add-on and I'm certainly not implying that.

My concern is its claim to act as a proxy and the associated problems of getting other proxies and the web shield's localhost proxy working together.

The problem is as I keep banging on, is there is zero information on how the foxbeacon proxy works, so we can't tell if it will work with the web shield without having to make any changes to the web shield redirects.

Personally I'm not unduly concerned about web bugs anyway, my concern is someone installing the add-on and not knowing if there might be an issue with it and the web shield.

[polonus]

Hi DavidR,

What are your concerns then for users of the Firefox Torpark browser that also works in combination with a proxy privoxy.
Does this mean that you are against the use of proxies per se?

For those bold enough to play..when you start to play around with this great add-on, some hints. Leave NoScript on, wherever you go,  but allow the little Web bug devils to be analyzed. For a test go to this page as an example : http://www.dziennik.pl/ Here you will see the FoxBeacon blink red, click the icon, and you see the analysis window for a dozen or so webbugs, all from: ad2.pl.mediainter.net Severity of the webbug = 1 on a scale from 1 to 3; size pixels 0x0 Set Cookie = info; P3P policy: your data is collected for completion and support of activity for which it (the Web bug) was provided. Furthermore the analysis says it comes from a different domain as that of the page visited, so that is a bunch of info for a little Web bug analysis. Now with blockable items in ABP you can block: ad2.pl.mediainter.net  as given there. So while acting whenever FoxBeacon alerts you can build up an ABP block list for the undesirables, read from the analysis page I would go for blocking the 3 category bugs,

Enjoy,

polonus

[alanrf]

The Torpark offering (when I tested it back in 2006) totally prevented any scanning by the avast Webshield. 

Indeed the whole point of it seemed to be that it was totally "sealed" and intended to be used without any awareness of the system on which it is running and leaving no traces when removed.

[DavidR]

Hi DavidR,

What are your concerns then for users of the Firefox Torpark browser that also works in combination with a proxy privoxy.
Does this mean that you are against the use of proxies per se?
<snip>

I don't really care for torpark not my concern and not what this topic was about.

My concern is for the average Joe who if foxbeacon will be totally unaware that they may not be protected by the web shield if there is any interaction that causes web shield not to scan content, leaving the user less well protected. They migh not get a web bug but could well catch a severe cold instead.

Which is why I'm making it plain there 'could' be conflict between the two proxies, so any average Joe viewing this topic now or in the future has another opinion or view.

Nothing to do with not liking proxies or otherwise.

[polonus]

Hi DavidR,

I did not have to change anything in the way the browser connects out for FoxBeacon. That is what I see from the Options Advance Network settings inside Firefox, avast connects through localhost through 12080,
NoScript on. so I do not worry,

polonus

[bob3160]

As I see it, this is another one of those tools best left for the experts.
The average user provided he browses safely and wisely, doesn't really
need analytical tools. Just my 2cents worth.

[Lisandro]

As I see it, this is another one of those tools best left for the experts.
The average user provided he browses safely and wisely, doesn't really
need analytical tools. Just my 2cents worth.

I feel the same Polonus, too technical for me...

[polonus]

Hi Tech,

I agree with you, we will leave this add-on for those interested. I for one I am always interested what goes on behind my back inside a browser with the 0x0 or 1x1 pixels Web bug I might click. So I expect for those with the Web developer extension, I expect they would like to have this FoxBeacon info.
Later I might present you with a quick and easy list you can paste into ABP Preferences to block the category three or dangerous third party Web bugs. A good thing is the majority of sites with NoScript and ABP installed do not show much Web bugs, but there are some sites that you would not expect that have them (BBC news),
These are or rather were the major Web bug domains:

doubleclick.net   2988   script[11.2%], img[98.7%], iframe[60.0%], layer[51.4%], im[0.2%], div[0.2%], ilayer[0.2%], frame[0.4%], la[0.2%], s[0.2%]
akamai.net   2253   img[89.6%], script[14.0%], input[27.5%], embed[1.4%], im[0.5%]
linkexchange.com   1851   img[98.2%], iframe[47.1%], frame[0.1%], 1000[0.1%]
bfast.com   1737   img[99.4%], input[0.9%], iframe[4.5%], script[5.1%], frame[0.5%], i[0.1%]
demon.co.uk   1270   img[98.7%], frame[1.3%], ul[0.1%]
extreme-dm.com   1210   img[100.0%]
hitbox.com   1162   img[99.8%], input[0.4%], script[14.8%], iframe[6.0%]
linksynergy.com   881   img[92.7%], frame[0.8%], script[7.0%]
akamaitech.net   819   input[20.0%], img[96.0%], script[4.0%], embed[1.3%]
commission-junction.com   736   img[99.1%], frame[0.7%], image[0.2%], im[0.2%]
wunderground.com   732   img[99.8%], frame[0.5%]
excite.com   667   input[12.5%], img[28.1%], script[59.4%], frame[1.6%]
link4ads.com   657   iframe[69.6%], img[73.9%], script[2.9%]
preferences.com   655   img[100.0%], iframe[16.0%], script[16.0%], ffb[4.0%]
thecounter.com   566   img[99.8%], mg[0.2%]
listbot.com   542   input[96.5%], img[3.5%]
goto.com   529   img[98.5%], input[92.2%]
eimg.com   508   img[100.0%]
199.172.144.25   507   img[100.0%]
flycast.com   448   script[81.0%], iframe[85.2%], img[92.3%], ilayer[1.4%]
netscape.com   447   img[99.0%], frame[1.0%]
yimg.com   437   img[98.9%], script[1.1%], input[0.8%]
cnet.com   418   img[96.4%], input[39.3%], frame[1.8%], script[1.8%]
focalink.com   414   img[100.0%], iframe[4.9%], script[4.9%]
superstats.com   411   script[57.8%], img[68.1%], s[0.3%]
rambler.ru   407   img[100.0%], iframe[0.3%]
amazon.com   393   img[93.5%], input[2.9%], 112[0.7%], frame[5.0%], bgsound[0.7%]
digits.com   385   img[100.0%]
weather.com   377   input[65.6%], img[85.0%], frame[5.8%]
avenuea.com   371   img[100.0%]
humanclick.com   364   script[95.3%], img[30.4%], s[0.3%]
isyndicate.com   340   script[85.8%], img[22.3%], input[3.0%], frame[4.1%], iframe[1.0%], s[0.5%]
sextracker.com   327   img[100.0%], input[2.0%]
trafficcount.com   315   img[100.0%]
yahoo.com   311   img[44.8%], frame[7.1%], script[46.5%], input[3.3%], html[0.4%]
bcentral.com   311   img[99.7%], input[0.7%]
fxweb.com   302   img[100.0%]
zdnet.com   302   img[92.3%], frame[7.7%], iframe[7.7%], input[7.7%]
sitemeter.com   290   script[71.5%], img[97.2%], sc[0.4%], s[0.4%]
register.com   287   frame[94.8%], img[4.8%], input[2.2%]
w3.org   286   img[100.0%]
aol.com   285   img[81.8%], frame[16.1%], bgsound[1.4%], im[0.7%], script[0.7%]
moreover.com   277   script[98.1%], img[61.0%], frame[1.3%], input[5.2%], s[0.6%]
spylog.com   274   img[100.0%], script[10.6%]
burstnet.com   274   img[100.0%], iframe[25.0%], i[0.7%]
geocities.com   270   img[74.4%], frame[24.8%], script[0.8%], input[0.4%], embed[0.8%]
webtrendslive.com   250   img[100.0%], script[0.6%]
cgiserver.net   249   img[100.0%]
tv.com   244   img[100.0%]
builder.com   242   img[100.0%]
associmg.com   241   img[96.8%], input[29.1%]
seez.com   240   img[100.0%]
nedstat.net   228   img[100.0%], frame[0.5%]
google.com   223   img[100.0%]
nextcard.com   217   img[100.0%]
valueclick.com   215   script[64.6%], img[60.8%]
paypal.com   208   img[87.5%], input[17.3%]
searchbutton.com   203   input[93.8%], img[56.3%]
sexhound.com   200   img[100.0%], input[14.3%]
netnames.com   189   img[99.5%], script[97.9%], frame[0.5%]
beseen.com   187   img[90.0%], script[9.4%], cript[0.6%], frame[0.6%]
yahoo.co.jp   185   img[100.0%]
pagecount.com   181   img[100.0%]
mycomputer.com   179   script[91.4%], img[44.7%], frame[0.7%]
list.ru   179   img[100.0%]
paycounter.com   176   img[100.0%]
imgis.com   172   script[30.9%], img[52.6%], iframe[22.7%]
1-jobs.com   170   img[100.0%]
adobe.com   165   img[85.0%], script[15.0%]
mediaplex.com   162   img[100.0%], iframe[6.3%]
av.com   161   img[90.7%], input[96.1%]
corporate-ir.net   159   frame[66.7%], img[33.3%]
sexlist.com   158   img[100.0%]
go2net.com   156   img[76.8%], iframe[51.4%], script[51.4%]
sf-01.com   156   img[100.0%]
da.ru   155   img[1.3%], frame[98.7%]
hypermart.net   153   img[95.1%], frame[4.9%], script[0.8%]
iadnet.com   153   img[100.0%]
216.32.68.154   153   img[100.0%]
yahoo.co.kr   153   img[100.0%]
7search.com   151   img[100.0%], script[10.4%]
linkstoyou.com   148   img[100.0%]
addme.com   146   img[98.5%], iframe[5.1%], script[0.7%]
bravenet.com   145   script[6.1%], img[96.2%], input[0.8%], frame[0.8%]
teleweb.at   136   script[76.9%], img[100.0%]
mtree.com   135   img[100.0%]
worldonline.nl   134   frame[99.3%], img[0.7%]
porntrack.com   131   img[100.0%]
atgratis.com   130   img[100.0%]
cmpnet.com   126   img[78.6%], input[14.3%], embed[14.3%], iframe[21.4%], script[21.4%]
smartclicks.com   124   img[99.0%], font[1.0%]
nic.cc   123   img[69.2%], frame[30.8%]
internet.com   122   img[92.3%], script[7.7%]
whatuseek.com   121   script[45.2%], img[46.6%], input[16.4%], ximg[1.4%]
about.com   120   img[100.0%], input[45.8%]
webconnect.net   120   img[100.0%]
networksolutions.com   118   img[96.4%], input[60.7%]
lycos.com   114   img[95.4%], script[10.2%], input[3.7%]
recommend-it.com   113   img[100.0%]
looksmart.com   112   iframe[4.5%], img[55.1%], input[32.6%], script[43.8%], frame[1.1%]

polonus