Author Topic: Why hide browser properties from JS....  (Read 3333 times)

dave1006

  • Full Member
  • ***
  • Posts: 113
    • ICQ Messenger - 92066376
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • Email
Why hide browser properties from JS....
« on: July 07, 2002, 05:36:14 PM »
Hi everyone,
I, like most here I would guess, have certain filters which block JavaScript from determining my browser name/version and other stats about my computer, however, it suddenly dawned on me 'why?': JS runs on our own computer, and therefore unless you submit data to a site (via tag or post), the remote site won't be able to use this JS to identify you or your browser in any way... The only reason I can see people wanting to hide their browser (and other info) from JS is infact not to 'hide' it, but rather to fake it - ie, for websites who will only display content to specific browsers (usually IE and Netscape only...).

I could be missing some big point here.... Wondered if anyone would care to enlighten me? Thanks.

dave
dave at smokeajay.co.uk
dave
dave at smokeajay.co.uk

altosax

  • Sr. Member
  • ****
  • Posts: 328
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Why hide browser properties from JS....
« Reply #1 on: July 07, 2002, 06:07:21 PM »
hi dave,
your apparently simple question could require hours to answer because it involve other important question, like privacy.
the first answer i feel to give you is this: why a web site should know your browser's properties? you write: because it can serve customized pages.
but this isn't true at all. we have many standards that ensure the perfect view with all compliant browsers. all the sites really need is the respect of standards.
the second answer is related to the first: to educate webcoder to respect standards. we have very few possibilities to protect ourselves from their abuses, if even a single possibility exists, why not?
i agree with you faking browser's properties to have access to site designed for browser other than yours. but do you think, like me, that this is an abuse? a limitation to our freedom that webmaster place on their site while they are using a free resource. the whole web exists because people have created it for free (and for freedom).

anyway, this is the filter i use to fake my browser properties. it is set for opera, but you can easily customize it:

Name = "Hide Browser's Properties from JS [vm]"
Active = TRUE
URL = "$TYPE(htm)|$TYPE(js)"
Limit = 64
Match = "navigator.$LST(JSProperties)"
Replace = "1"

and this is the blocklist with faked properties:

# Proxomitron4 URL killfile: $LST(JSProperties)
# Created by sidki on June 28, 2002
# Modified by altosax on July 02, 2002
#
# List for "Hide Browser's Properties from JS" filter.
# It fakes listed navigator properties and methods.
#
# If you think that this filter is quite aggressive,
# make an exception list and append it to the URL match:
# URL = "($TYPE(htm)|$TYPE(js))(^$LST(BypassJSProperties))"
# or comment out the offending line of code.
#
# If "appName" and "platform" causes too much troubles try this:
# appName$SET(1='XMSIE')
# platform$SET(1='XWin')
#
# All credits to sidki for the original idea.


# Note: these are not all navigator properties and methods.
#
userAgent$SET(1='Opera/5.02 (Win32; U) [en]')
appName$SET(1='Opera')
appCodeName$SET(1='Mozilla')
appVersion$SET(1='5.02')
appMinorVersion$SET(1='0')
platform$SET(1='Win32')
language$SET(1='en')
browserLanguage$SET(1='en')
systemLanguage$SET(1='en')
userLanguage$SET(1='en')
cpuClass$SET(1='x86')
plugins.length$SET(1='0')
plugins.refresh(true)$SET(1=navigator.plugins.refresh(false))
cookieEnabled$SET(1='false')
onLine$SET(1='false')
userProfile$SET(1='false')
connectionType$SET(1='offline')
javaEnabled()$SET(1='false')


what i wrote is only a little bit of all i could write, but my native language is the italian, if you understand italian i could mail you private with some other interesting answer to reflect on.

regards,
altosax.



Edited by - altosax on 07 Jul 2002  19:14:50
 

dave1006

  • Full Member
  • ***
  • Posts: 113
    • ICQ Messenger - 92066376
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • Email
Why hide browser properties from JS....
« Reply #2 on: July 07, 2002, 07:04:01 PM »
Hi altosax, thanks for your responce.
quote:
the first answer i feel to give you is this: why a web site should know your browser's properties?


This is my main point really, the website *doesn't* know your browser's properties - as all javascript is run on the clients machine.

On all other points I agree with you - JS should conform to standards that allow all (or all compliant browsers) to run it; and as for protecting/securing your browsing, I agree too that JS needs to be filtered, but this isn't what my original point was - that browser/computer properties need not be hidden from JS for 'privacy' purposes, unless these properties are being submitted to the website.

A last point is that, for example, DOM isn't supported by Opera but is by Mozilla and IE, and JS may need to determin if DOM is supported.

dave
dave at smokeajay.co.uk
dave
dave at smokeajay.co.uk

altosax

  • Sr. Member
  • ****
  • Posts: 328
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Why hide browser properties from JS....
« Reply #3 on: July 07, 2002, 07:49:17 PM »
dave wrote:

quote:

This is my main point really, the website *doesn't* know your browser's properties - as all javascript is run on the clients machine.



the problem is not if they really know your browser's properties, but what code they are able to make your machine execute based on your navigator properties.
who knows the possible future exploits? so i fake my browser with a different one. if you use a DOM capable browser fake it with a different DOM capable one.

regards,
altosax.

 
 

dave1006

  • Full Member
  • ***
  • Posts: 113
    • ICQ Messenger - 92066376
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • Email
Why hide browser properties from JS....
« Reply #4 on: July 07, 2002, 09:58:57 PM »
Ok, but wouldn't 'they' just try a whole bunch of exploits hoping that one would work? I mean, I'm currently unaware of 'exploits' through JS for Opera and Mozilla other than the usual universal JS problems. And if there are JS exploits, shouldn't a JS-filter filter those rather than, say, your screen resolution or browser name? Although I realise exploits are being found/developed constantly so maybe this isnt always possible... (But then... JS only has X amount of commands?  So shouldnt we just filter out commands which *may* be used as exploits?)

Maybe the best solution is to filter JS properties for 'unknown' sites by default, so you can browse them a couple of times, and then decide whether the site is trust worthy enough to know your details. (Which i guess is what everyone does anyway.)

As a final note, I currently use Mozilla and Opera (I like the new DOM Banner Blaster, but unfortunatly Opera doesn't support DOM just yet) - I'm thinking maybe it is best to use a 'imaginary' browser name/version etc as default until the/a site is 'trusted'... But still, maybe this is all a little 'overkill'.

dave
dave at smokeajay.co.uk
dave
dave at smokeajay.co.uk

Scott Lemmon

  • Full Member
  • ***
  • Posts: 103
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://proxomitron.cjb.net/
    • Email
Why hide browser properties from JS....
« Reply #5 on: July 07, 2002, 10:19:01 PM »
Actually there's many ways a website can sneak JavaScript data back to a server.  One very common method is to dynamically create a image who's URL contains the info they want to pass embedded within it. When the browser then loads the image, the URL and information it contains is sent back to the server. Many counters and stat trackers use this trick to track things like screen resolution, color depth, and other info not normally found in HTTP headers.

 
 

dave1006

  • Full Member
  • ***
  • Posts: 113
    • ICQ Messenger - 92066376
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • Email
Why hide browser properties from JS....
« Reply #6 on: July 07, 2002, 10:27:55 PM »
Hi Scott,
Yes, that's exactly what I was saying - so, what we need is a filter to see if the JS calls an image (or otherwise connects to a site), right? ie, look for addresses with possibly dynamically created URL within JS.

Other than this, in *most* cases, it actually helps if JS can tell what browser you have (for browser specific html/script writing...)?

This is really the main jist of what I was wondering.

dave
dave at smokeajay.co.uk
dave
dave at smokeajay.co.uk

JakBeNymble

  • Moderator
  • Sr. Member
  • *****
  • Posts: 308
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • http://
    • Email
Why hide browser properties from JS....
« Reply #7 on: July 08, 2002, 03:14:06 AM »
Hi "Friends",

             Nice looking Filter "AltoSax"! I think that the InterNet was designed so that one machine reguardless of type, browser or O/S could communicate with every other machine on-line. Now I know that was the theory, but in "Real-Time" there are times when a certain  browser just won't cut it. But I think it's because the site wants to be "Nosier" than it should. The way that I see it is, as long as the site has an IP to know where to route the data to, that should be all that it needs to function. But at the same time, I know that the server is probably wanting to know who, what, when, and where just in case of an "Attack".

Take Care and Have a Great Day!
"jak"





Edited by - JakBeNymble on 08 Jul 2002  04:21:36
 

pooms

  • Jr. Member
  • **
  • Posts: 75
    • ICQ Messenger -
    • AOL Instant Messenger -
    • Yahoo Instant Messenger -
    • View Profile
    • Email
Why hide browser properties from JS....
« Reply #8 on: July 08, 2002, 05:54:40 AM »
Personally, hiding my browser characteristics has never been very important
to me. If I do it, it is really only to discover what sites (ie Microsoft)
explicitly want to see certain browsers, or to amuse myself with the thought
that a webmaster might look into their web log and see a very strange
browser user-agent