How does GMail know I use Firebug extension in Iceweasel?

On Nov 28, 2007 7:06 PM, Douglas A. Tutty wrote:

>
> AIUI, enabling JavaScript enables the remote site to run javascript on
> your box. It doesn't do any sort of audit of what it will run. So I
> would assume that it can do whatever javascript is capable of.
>
> Can javascript read my .ssh directory and grab my id_rsa or id_dsa?

Javascript the language can - i.e. you could write a script file in JS
instead of Perl. However, JS that is run in a web page is sandboxed.
If it could read your files it would be considered a (very) major security
flaw in that browser's JS implementation and the news would be all
over the tech sites.

Cheers,
Kelly Clowers

--

How does GMail know I use Firebug extension in Iceweasel?

On Nov 28, 2007 6:17 PM, Raj Kiran Grandhi wrote:

> It offers a couple of options to disable/configure it. However what I
> find disturbing is how gmail 'knows' what extensions I have installed on
> my machine. Is there a bug in iceweasel/firefox that leaks out some
> information on extensions to the remote servers?
>

It is definitely possible to detect some/many of a user's extensions.
In fact, not long ago someone released code to block users with the
adblock extension. Here is some more info:
http://ha.ckers.org/blog/20060823/detecting-firefox-extentions/
http://www.ush.it/2007/10/11/detect-noscript-poc/

--
swk

--

How does GMail know I use Firebug extension in Iceweasel?

On Thu, 29 Nov 2007 06:56:23 +0530
Raj Kiran Grandhi wrote:

[snip]

> privacy implications? Disabling javascript renders most sites pretty
> useless. I have played around with noscript for a couple of months
> before turning it off.

"Most sites pretty useless"? Not most sites that I use.

> Raj Kiran Grandhi

Celejar
--
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

--

How does GMail know I use Firebug extension in Iceweasel?

On 11/28/07 18:17, Raj Kiran Grandhi wrote:
> Recently gmail has begun displaying the following notice when I login to
> its web interface:
>
> "Firebug is known to make Gmail slow unless it is configured correctly."
>
> It offers a couple of options to disable/configure it. However what I
> find disturbing is how gmail 'knows' what extensions I have installed on
> my machine. Is there a bug in iceweasel/firefox that leaks out some
> information on extensions to the remote servers?

JavaScript?

> A search on google tells me that many others have noticed this too, but
> I could not find how google does it.

--
Ron Johnson, Jr.
Jefferson LA USA

%SYSTEM-F-FISH, my hovercraft is full of eels

--

How does GMail know I use Firebug extension in Iceweasel?

On Nov 28, 2007 4:17 PM, Raj Kiran Grandhi wrote:
> Recently gmail has begun displaying the following notice when I login to
> its web interface:
>
> "Firebug is known to make Gmail slow unless it is configured correctly."
>
> It offers a couple of options to disable/configure it. However what I
> find disturbing is how gmail 'knows' what extensions I have installed on
> my machine. Is there a bug in iceweasel/firefox that leaks out some
> information on extensions to the remote servers?
>
> A search on google tells me that many others have noticed this too, but
> I could not find how google does it.

Firebug sets the value of the DOM element window.console to "Firebug" and
creates the elements window.console.firebug and console.firebug.

Cheers,
Kelly Clowers
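
The check described in the message above, as an added example that is not part of the original post and is not Gmail's or Firebug's code. The `window` objects are constructed stand-ins so it runs in Node, and the names `probeFirebug`, `stripMarker`, `samples`, `runSamples` and the version value are assumptions made for illustration.

```javascript
// Added illustration: how ordinary page script can notice a Firebug-style
// marker. The "window" objects below are constructed stand-ins so this runs
// in Node; in a browser the page would pass its real `window`.

function probeFirebug(win) {
  const result = { consolePresent: false, firebugMarker: false, detail: null };
  const c = win ? win.console : undefined;
  if (c === undefined || c === null) return result; // no console global at all
  result.consolePresent = true;
  if (typeof c === "object" || typeof c === "function") {
    // Marker named in the post: a `firebug` property on window.console.
    if ("firebug" in c) {
      result.firebugMarker = true;
      result.detail = String(c.firebug);
    }
  } else if (String(c) === "Firebug") {
    // The post also describes console itself carrying the value "Firebug".
    result.firebugMarker = true;
    result.detail = "console value";
  }
  return result;
}

// Defender's view: the signal is just page-visible state. A console object
// without the marker property gives the same probe nothing to report.
function stripMarker(win) {
  if (!win || typeof win.console !== "object" || win.console === null) return win;
  const { firebug, ...rest } = win.console; // drop only the marker
  return { ...win, console: rest };
}

// Constructed sample environments (assumed shapes, not captured from a browser).
const samples = {
  noConsole: {},
  plainConsole: { console: { log() {} } },
  firebugConsole: { console: { log() {}, firebug: "1.05" } }, // version value is assumed
};

function runSamples() {
  const out = {};
  for (const [name, win] of Object.entries(samples)) {
    out[name] = probeFirebug(win).firebugMarker;
  }
  out.firebugStripped = probeFirebug(stripMarker(samples.firebugConsole)).firebugMarker;
  return out;
}

console.log(runSamples());
```

Nothing here reads files or asks the browser for an extension list: the probe only inspects globals that an extension has placed in the page's own scripting environment.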

--

How does GMail know I use Firebug extension in Iceweasel?

On Wed, Nov 28, 2007 at 09:11:39PM -0800, Kelly Clowers wrote:
> On Nov 28, 2007 7:06 PM, Douglas A. Tutty wrote:
>
>
> >
> > AIUI, enabling JavaScript enables the remote site to run javascript on
> > your box. It doesn't do any sort of audit of what it will run. So I
> > would assume that it can do whatever javascript is capable of.
> >
> > Can javascript read my .ssh directory and grab my id_rsa or id_dsa?
>
> Javascript the language can - i.e. you could write a script file in JS
> instead of Perl. However, JS that is run in a web page is sandboxed.
> If it could read your files it would be considered a (very) major security
> flaw in that browser's JS implementation and the news would be all
> over the tech sites.
>

So how big is the sandbox? What is the worst that a mal JS could do?
So we don't keep site passwords in the browser's "shall I remember this
for the future" but instead keep it in a separate file in the home
directory. I would assume then that after visiting a site where I had
to enter a password, I should exit and restart the browser before
visiting another site?

Doug.

--

How does GMail know I use Firebug extension in Iceweasel?

On 11/28/07 19:26, Raj Kiran Grandhi wrote:
> Ron Johnson wrote:
>>
>> On 11/28/07 18:17, Raj Kiran Grandhi wrote:
>>> Recently gmail has begun displaying the following notice when I login to
>>> its web interface:
>>>
>>> "Firebug is known to make Gmail slow unless it is configured correctly."
>>>
>>> It offers a couple of options to disable/configure it. However what I
>>> find disturbing is how gmail 'knows' what extensions I have installed on
>>> my machine. Is there a bug in iceweasel/firefox that leaks out some
>>> information on extensions to the remote servers?
>>
>> JavaScript?
>
> I do use the javascript version of gmail instead of the plain html one.
> However it is a surprise to me that remote sites are able to figure out
> what extensions I have installed using javascript. Does that not have
> privacy implications?

Java & JS are supposed to live in a sandbox. Still, I don't let FF
store my passwords.

> Disabling javascript renders most sites pretty
> useless. I have played around with noscript for a couple of months
> before turning it off.

Why? Noscript is great...

> Extensions like webdeveloper and firebug are very useful in working
> around some of those "user friendly" features of some websites (like
> disabling the text entry field, so that users can enjoy the
> non-cross-platform shiny calendar widget to enter a date)
>
> Websites basing their content (and bugs) based on the user-agent is bad
> enough as it is. Add extensions to that list and it makes me want to
> weep :(
>
> Is there some way to keep javascript enabled while limiting the amount
> of information the remote site can "see"?

Be careful what you store in your web browser.

--
Ron Johnson, Jr.
Jefferson LA USA

%SYSTEM-F-FISH, my hovercraft is full of eels

--

How does GMail know I use Firebug extension in Iceweasel?

On Thu, Nov 29, 2007 at 06:56:23AM +0530, Raj Kiran Grandhi wrote:
> Ron Johnson wrote:
> >
> >On 11/28/07 18:17, Raj Kiran Grandhi wrote:
> >>Recently gmail has begun displaying the following notice when I login to
> >>its web interface:
> >>
> >>"Firebug is known to make Gmail slow unless it is configured correctly."
> >>
> >>It offers a couple of options to disable/configure it. However what I
> >>find disturbing is how gmail 'knows' what extensions I have installed on
> >>my machine. Is there a bug in iceweasel/firefox that leaks out some
> >>information on extensions to the remote servers?
> >
> >JavaScript?
>
> I do use the javascript version of gmail instead of the plain html one.
> However it is a surprise to me that remote sites are able to figure out
> what extensions I have installed using javascript. Does that not have
> privacy implications? Disabling javascript renders most sites pretty
> useless. I have played around with noscript for a couple of months
> before turning it off.

AIUI, enabling JavaScript enables the remote site to run javascript on
your box. It doesn't do any sort of audit of what it will run. So I
would assume that it can do whatever javascript is capable of.

Can javascript read my .ssh directory and grab my id_rsa or id_dsa?

Doug.

--
