abwaters 2.0 » Browsers http://abwaters.com on software development, technology, etc. Thu, 26 Jan 2012 09:08:52 +0000 en hourly 1 http://wordpress.org/?v=3.2.1 Official Firefox 3 Beta 2 http://abwaters.com/2007/12/20/official-firefox-3-beta-2/ http://abwaters.com/2007/12/20/official-firefox-3-beta-2/#comments Thu, 20 Dec 2007 14:27:45 +0000 digg http://abwaters.com/2007/12/20/official-firefox-3-beta-2/ Firefox 3 Beta 2 has been officially released over at Mozilla.

[Improved in Beta 2!] Firefox 3 Beta 2 includes approximately 900 improvements over the previous beta, including fixes for stability, performance, memory usage, platform enhancements and user interface improvements.

read more | digg story

]]> http://abwaters.com/2007/12/20/official-firefox-3-beta-2/feed/ 0 Internet Explorer 8 passes ACID2 test! http://abwaters.com/2007/12/20/internet-explorer-8-passes-acid2-test/ http://abwaters.com/2007/12/20/internet-explorer-8-passes-acid2-test/#comments Thu, 20 Dec 2007 14:26:57 +0000 digg http://abwaters.com/2007/12/20/internet-explorer-8-passes-acid2-test/ MSDN’s Channel9 and the IEBlog both confirm the new version of IE, IE8, will pass the ACID2 Test!

read more | digg story

]]> http://abwaters.com/2007/12/20/internet-explorer-8-passes-acid2-test/feed/ 0 Ars Technica Tests Safari 3 beta on Windows vs. Firefox 2 and IE7 http://abwaters.com/2007/06/13/ars-technica-tests-safari-3-beta-on-windows-vs-firefox-2-and-ie7/ http://abwaters.com/2007/06/13/ars-technica-tests-safari-3-beta-on-windows-vs-firefox-2-and-ie7/#comments Wed, 13 Jun 2007 18:10:15 +0000 digg http://abwaters.com/2007/06/13/ars-technica-tests-safari-3-beta-on-windows-vs-firefox-2-and-ie7/ We put Apple’s browser to the test and discovered that it falls short of Firefox and Internet Explorer 7. Far from being “the world’s best browser” as Apple claims, Safari 3 suffers from usability deficiencies, text readability issues, and security flaws. It’s not all bad, though.

read more | digg story

]]> http://abwaters.com/2007/06/13/ars-technica-tests-safari-3-beta-on-windows-vs-firefox-2-and-ie7/feed/ 0 ‘Day One’ for Safari for Windows Becomes Zero-Day Nightmare http://abwaters.com/2007/06/13/day-one-for-safari-for-windows-becomes-zero-day-nightmare/ http://abwaters.com/2007/06/13/day-one-for-safari-for-windows-becomes-zero-day-nightmare/#comments Wed, 13 Jun 2007 13:51:18 +0000 digg http://abwaters.com/2007/06/13/day-one-for-safari-for-windows-becomes-zero-day-nightmare/ It took security engineers perhaps less than two hours yesterday to introduce Apple’s surprise entry in the field of Windows browsers to the big, cruel world of exploits and vulnerabilities, following its introduction yesterday morning at WWDC. As a result, much of the clout Safari had received as the secure browsing alternative is lost

read more | digg story

]]> http://abwaters.com/2007/06/13/day-one-for-safari-for-windows-becomes-zero-day-nightmare/feed/ 0 Gaping holes exposed in fully-patched IE 7, Firefox http://abwaters.com/2007/06/05/gaping-holes-exposed-in-fully-patched-ie-7-firefox/ http://abwaters.com/2007/06/05/gaping-holes-exposed-in-fully-patched-ie-7-firefox/#comments Wed, 06 Jun 2007 02:39:45 +0000 digg http://abwaters.com/2007/06/05/gaping-holes-exposed-in-fully-patched-ie-7-firefox/ Polish hacker Michal Zalewski has ratcheted up his ongoing assault on Web browser security models, releasing details on serious flaws in fully patched versions of IE 6, IE 7 and Firefox 2.0…

I don’t know what to say…this is huge! This is a very large, easy to exploit vulnerability that exposes a site’s cookies to any malicious web site on the net.

A harmless proof-of-concept exploit can be found here.

http://lcamtuf.coredump.cx/ierace/

Wait…i’m getting a vision…yes, it’s coming clearer…a Microsoft Security Patch is in your future.

read more | digg story

]]> http://abwaters.com/2007/06/05/gaping-holes-exposed-in-fully-patched-ie-7-firefox/feed/ 0 Microsoft Firefox?! http://abwaters.com/2006/11/15/microsoft-firefox/ http://abwaters.com/2006/11/15/microsoft-firefox/#comments Wed, 15 Nov 2006 22:44:31 +0000 Bryan Waters http://abwaters.com/2006/11/15/microsoft-firefox/ I couldn’t help myself with this one. It’s been a very long day and my son walks in and says, “Pull up a browser and go to http://www.msfirefox.com/…” I couldn’t help but laugh…

Enjoy.

]]> http://abwaters.com/2006/11/15/microsoft-firefox/feed/ 0 Browzar – A False Sense of Security http://abwaters.com/2006/11/13/browzar-a-false-sense-of-security/ http://abwaters.com/2006/11/13/browzar-a-false-sense-of-security/#comments Mon, 13 Nov 2006 01:16:08 +0000 Bryan Waters http://abwaters.com/2006/11/13/browzar-a-false-sense-of-security/ When I first read about Browzar, I was impressed by the hype. After further investigation, I found the product to be easy to use…no installation required and with the simplest and most straightforward of interfaces. A perfect browser for most people…just so long as you don’t expect to actually protect your privacy. After downloading Browzar, I went to a couple of websites trying to exercise their browser in various areas likejavascript compatibility, css support and so on. Browzar worked flawlessly but there was something bothering me. Up till this point, it had not occurred to me that they were just hosting the IE web browser ActiveX control. I guess I should have realized this fact from the size of the download. Once I realized they were just using Internet Explorer, I knew that it couldn’t possibly be as safe as they were claiming. So I started digging deeper…

Browzar Home Page

Browzar claims that it doesn’t keep a browsing history, stored files, cookies and avoids the auto-complete feature built-in to IE. It turns out that it that they were right about the stored files, cookies and auto-complete history.

But it does keep a browsing history. It seems that since they are using an embedded copy of IE, they can get around almost everything else, but the index.dat file created by the IE object and its libraries still exists and keeps a record of your entire browsing history. After looking at the FAQ on the Browzar site, they even acknowledge this fact but they add the disclaimer that the index.dat file is a system file that under normal use cannot be seen or read and that only someone with a relatively sophisticated knowledge of computers could access this file. It turns out that there are freeware, shareware and even open-source utilities available that allow access to this file. The same sort of utilities that may be easily obtained by someone only slightly skilled at using Google.

Just to prove the point, instead of downloading one of these tools, I wanted to find the simplest mechanism possible to view the browsing history from the index.dat file just to see what it would take. It turns out that Sysinternals (now owned by Microsoft) provides a free utility that extracts strings from binary files. Note:this is essentially a Windows version of the *nix command-line tool of the same name. You can download “Strings” from the following location:

 http://www.microsoft.com/technet/sysinternals/utilities/Strings.mspx

After downloading Strings, I deleted my index.dat files (not all that easy by the way) and proceeded to run Strings on the freshly created index.dat both before and after a short browsing session with Browzar. Here are the results.

Before Browzar Session:
Strings v2.3
Copyright (C) 1999-2006 Mark Russinovich
Sysinternals – http://www.sysinternals.com/

Client UrlCache MMF Ver 5.2
ODXP0UB5
ZCFT4EYX
S52JULZU
1XC9JDO3

Notice that other than a few hash directories for storing content, the index.dat file is completely empty.

After Browzar Session:
Strings v2.3
Copyright (C) 1999-2006 Mark Russinovich
Sysinternals – http://www.sysinternals.com/

Client UrlCache MMF Ver 5.2
ODXP0UB5
ZCFT4EYX
S52JULZU
1XC9JDO3
HASH
REDR
ehttp://www.browzar.com/start?v=1201
LEAK
http://www.browzar.com/start/?v=1201
start[1].htm
HTTP/1.1 200 OK
Content-Length: 5370
Content-Type: text/html
Content-Location: http://www.browzar.com/start/index.html
ETag: “dec1a412f3c71:66d”
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
~U:root
LEAK
`Sta
http://abwaters.com/
abwaters[1].htm
HTTP/1.1 200 OK
X-Powered-By: PHP/4.4.4
X-Pingback: http://abwaters.com/xmlrpc.php
Status: 200 OK
Keep-Alive: timeout=10, max=100
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
~U:root
LEAK
http://pagead2.googlesyndication.com/pagead/ads?client=…

http://pagead2.googlesyndication.com/pagead/show_ads.js

http://abwaters.com/wp-content/themes/2cDarkGrey/meta/addtomyyahoo.gif

http://abwaters.com/wp-content/themes/2cDarkGrey/img/side.gif

http://abwaters.com/wp-content/themes/2cDarkGrey/meta/google.gif

http://abwaters.com/wp-content/themes/2cDarkGrey/meta/bloglines_sm2.gif

http://abwaters.com/wp-content/themes/2cDarkGrey/meta/addmymsn.gif

http://abwaters.com/wp-content/themes/2cDarkGrey/meta/addmyfeedster.gif

http://abwaters.com/wp-content/themes/2cDarkGrey/img/cats.png

http://abwaters.com/content/images/vista_screen2_th.jpg

http://pagead2.googlesyndication.com/pagead/ads?client=…

Note: The “after” session dump was edited for space and privacy reasons.

The “after browzar” session has an entry for every piece of content requested by the Browzar session. Sure looks like Browzar history to me.

There are dozens of tools for getting at this same information and anyone wanting to get at this information bad enough will likely be able to access it regardless of technical ability. The fact is, its there!

Browzar’s main claim is that it erases your browsing history to protect your privacy. Something that is obviously not true.

The other problem with Browzar’s claim of privacy protection is that it completely avoids the issue of external privacy violations of your browsing session.  There is no use of tunneling, anonymizers, proxies or any other mechanism which means that all your network traffic is exposed to any external sniffing, caching or logging. Since inexpensive home firewalls now routinely come with built-in logging features, this is not as unlikely as it may sound.

It seems that Browzar provides only the simplest protection against privacy violations which, based on the testimonials on their site, are most useful against your family members or friends who share your computer.

By the way, it turns out that both their business model and their privacy weakness were listed in their FAQ on their site. They make money from the searches that users initiate with the “Browzar Search” box in the toolbar and they point out that they don’t address the index.dat issue. If I had only read this a little closer, I could have saved myself a lot of time.

On their website they claim that a Mac and Linux version is coming soon. I suppose they will have to use the Mozilla source to build that. For example, a no-install version of Firefox bundled with Tor would be outstanding!

On the positive side, Browzar is very visually appealing! Now if they could only get that privacy thing addressed they might have something…

]]> http://abwaters.com/2006/11/13/browzar-a-false-sense-of-security/feed/ 1