Web Browsers: A Question About Information Leakage

[Raissermesser]

The big thing these days are applications with interfaces that work with a web browser. This allows support across operating systems and devices by having the server to all the grunt work, with a standard interface that works on everything from desktop to mobile devices. All well and good. But tinkering with one had me thinking about information leakage between tabs and windows.

Here's the issue: An application is pulled up on the default browser. The user then looks up information on the web. This opens as a new tab, or a new window in the same browser. Now the browser had two different web sites open, one with the application, and one with the user looking up information.

Now, in the application window, the user types in his user name and password. Could this information be seen by the web site in the other tab or window?

I've tinkered with setting up different profiles, and while that kind of sort of works, and while Windows Task Manager shows different instances of the same browser, I'm not convinced there's no possibility of sharing information.

Anyone have any information on this? I have a sick feeling that the move toward web browser interfaces may be a bad thing.

 

[pdieten]

The operating system generally does not permit separate web client processes to have access to each others' memory and neither has access to the other's session. So no, they don't have any more access to each other's contents than any other two applications do.

 

[GaryTha]

There are apps that can use the microphone to decode keystrokes by the different sounds made on each key. This is pre-computer technology. My son laughed when I told him this. I laughed back, and then Alexus laughed.

 

[Proinsias]

Theo knows a thing or two about this sort of thing:
'Re: chromium and firefox - myths and facts?' - MARC

Firefox has a no-remote option for running more than one profile at once.
Opening a new instance of your Mozilla application with another profile - MozillaZine Knowledge Base

but all I see is lipstick on a pig

 

[EL Alamein]

I am suspicious too.

I run Firefox and I have it set to remove all history and cookies from a session when it is closed.

However recently I needed a new chimney cap and ordered one from the local hardware store. And even though I closed that session of Firefox then the next day (24 hour later mind you) I found advertisements for chimney caps in some articles I was reading.

That shouldn't have happened yet it did. The information must have been stored elsewhere for it to have popped up again.

I'd love to know how to stop this.

Chris

 

[StillShaving]

Unless you use a proxy it may be unstoppable. I believe Google controls/reaps most of the web search ad space. They likely use the ability to track your IP address and which browser was used. So when they were deciding which ads to serve up the next day they could guess that this was the same person who was looking for chimney caps.

 

[FarmerTan]

Excellent thread, and 95% over my head, lol. I'm glad that there are smart people out there.

 

[Raissermesser]

I am suspicious too.

I run Firefox and I have it set to remove all history and cookies from a session when it is closed.

However recently I needed a new chimney cap and ordered one from the local hardware store. And even though I closed that session of Firefox then the next day (24 hour later mind you) I found advertisements for chimney caps in some articles I was reading.

That shouldn't have happened yet it did. The information must have been stored elsewhere for it to have popped up again.

I'd love to know how to stop this.

Chris

I have Firefox set the same way, but when I run Bleachbit, it finds stuff there. As an experiment, I ran Bleachbit, browsed on Firefox, and ran it again. Yep, there was more stuff there. Previous searches, unless it's something like DuckDuckGoose, will leave traces in cookies.

That said, check to see if you have a browser "helper bar" installed. Those are notorious for phoning home.

 

[Raissermesser]

Unless you use a proxy it may be unstoppable. I believe Google controls/reaps most of the web search ad space. They likely use the ability to track your IP address and which browser was used. So when they were deciding which ads to serve up the next day they could guess that this was the same person who was looking for chimney caps.

FWIW, most sites can detect your IP, browser, OS, and even screen size. I used to go over statistics for the company web site. I don't know if they can detect the card's MAC address, but it wouldn't surprise me. MAC address would be better than IP, particularly in situations where there's a dynamic IP address.

FWIW, some years ago I used to tinker with a utility that faked your browser type, and know that it's possible to spoof MAC addresses. Please note that I'm not even at the script kiddie level when it comes to such things, and it's simply out of curiosity and security concerns.

 

[Proinsias]

I am suspicious too.

I run Firefox and I have it set to remove all history and cookies from a session when it is closed.

However recently I needed a new chimney cap and ordered one from the local hardware store. And even though I closed that session of Firefox then the next day (24 hour later mind you) I found advertisements for chimney caps in some articles I was reading.

That shouldn't have happened yet it did. The information must have been stored elsewhere for it to have popped up again.

I'd love to know how to stop this.

Chris

I don't think it matters much what you clear on your local machine, if you tell Google's servers you are craving chimney caps they are not gonna forget anytime soon. I use DuckDuckGo most of the time to avoid this to some degree, Start Page if I want Google results. There are a few others with a similar approach to privacy.

Google, Facebook etc also has trackers everywhere so even if you use something like DuckDuckGo to find a url Google will know when you land on it if you are not actively blocking thier trackers. Facebook, Google and Twitter all seem to be keeping an eye on this page.

There is also the digital fingerprint idea, if you visit the same few sites in the same sort of order in a habitual fashion you can be quickly identified, or a least a reasonable guess made, almost anywhere.

 

[Go West Young Man]

It always amuses me that everyone is so paranoid about a company with a clear and open privacy policy that is completely up from about how and what data it uses..... And then not only gives objectively evil companies like Verizon and Comcast even more info with fewer restrictions, but pays for the privilege...

 

[StillShaving]

To the original question, are not all the session cookies shared across browser tabs? Browsers like Chrome create individual OS processes to protect against buggy code, so they must use the filesystem to share. (I have not followed how these things are actually implemented.)

A year or two ago i recall some browser extension created to keep Facebook in a sandbox after it was exposed how aggressively they (their servers) were asking for other sites cookies. A different browser was touting how they already prevented that by default.

This is where smartphone apps have the advantage over a desktop browser.

 

[Esox]

I installed Brave browser yesterday and have been using it while comparing it to Firefox. I've been using Firefox since the beginning and I know it well. I've never had any sign of any leaks between tabs or windows other than caused by BHO's and I'm not sure I'd call that a 'leak'. Every tab or window is a separate connection.

Do web browsers use different outgoing ports for different tabs? - https://superuser.com/questions/1055281/do-web-browsers-use-different-outgoing-ports-for-different-tabs/1055309

The Brave browser is a whole new animal. Based on Chromium, its very fast. Much faster than Firefox. Its very well thought out but it does take some configuring to get it how you like it.

It also seems to be very secure. Want a private Tor window? Its built right into the browser, defaults to DuckDuckGo and operates the same as the regular Tor browser, only much faster.

Its a very clean looking browser too. This is the basic homepage with some features turned off. The picture changes every time you open a browser or new tab.

It has a very good built in ad blocker that can be user configured. The user config settings are very well detailed and give you all the power you need to set it up how you like and want it. I havent found the need to install any add on's or extensions to add to it like I do with Firefox. It just seems to do what it does, quickly, cleanly and easily with whatever permissions you give it.

Of all the browsers I've tried in the last 20 years, this might be the one to finally beat Firefox.

 

[GuybrushThreepwood]

Of all the browsers I've tried in the last 20 years, this might be the one to finally beat Firefox.

Indeed it's a great browser and replaced Opera as my favorite browser, i just wish they would allow you to choose your own background picture.

 

[oc_in_fw]

I installed Brave browser yesterday and have been using it while comparing it to Firefox. I've been using Firefox since the beginning and I know it well. I've never had any sign of any leaks between tabs or windows other than caused by BHO's and I'm not sure I'd call that a 'leak'. Every tab or window is a separate connection.

Do web browsers use different outgoing ports for different tabs? - https://superuser.com/questions/1055281/do-web-browsers-use-different-outgoing-ports-for-different-tabs/1055309

The Brave browser is a whole new animal. Based on Chromium, its very fast. Much faster than Firefox. Its very well thought out but it does take some configuring to get it how you like it.

It also seems to be very secure. Want a private Tor window? Its built right into the browser, defaults to DuckDuckGo and operates the same as the regular Tor browser, only much faster.

View attachment 1046374

Its a very clean looking browser too. This is the basic homepage with some features turned off. The picture changes every time you open a browser or new tab.

View attachment 1046375

It has a very good built in ad blocker that can be user configured. The user config settings are very well detailed and give you all the power you need to set it up how you like and want it. I havent found the need to install any add on's or extensions to add to it like I do with Firefox. It just seems to do what it does, quickly, cleanly and easily with whatever permissions you give it.

Of all the browsers I've tried in the last 20 years, this might be the one to finally beat Firefox.

Available for iPhone. Will be checking it out

 

[Chandu]

Now, in the application window, the user types in his user name and password. Could this information be seen by the web site in the other tab or window?

It should not be able to. But that said, this is an interesting extension for FF. Read the about this extension for what this helps.

Don't touch my tabs! (rel=noopener) – Get this Extension for 🦊 Firefox (en-US)

Download Don't touch my tabs! (rel=noopener) for Firefox. Prevent tabs opened by a hyperlink from hijacking the previous tab by adding the rel=noopener attribute to all hyperlinks (excluding same-domain hyperlinks).

addons.mozilla.org

It has a very good built in ad blocker that can be user configured.

And better yet, most sites aren't aware of it and don't give you the "we noticed you're running and adblocker..." whine.

To be safe on the web I do two things most of the time. 1. Duck Duck GO. 2. Express Vpn

 

[Esox]

To be safe on the web I do two things most of the time. 1. Duck Duck GO. 2. Express Vpn

I mostly dont worry about anything online much. I dont frequent risky sites or searches and I havent had any issues unless I've gone looking for one. I havent even used any AV programs for the last maybe 10 years and that includes Windows Defender.

I'm on Wiin10 Pro, but even on Win7 Ultimate my machine was invisible online without any protection. If you poke around this site there are several vulnerability tests you can run to find out how easy it might be to compromise your machine from random automated attacks.

GRC | ShieldsUP! — Internet Vulnerability Profiling - https://www.grc.com/x/ne.dll?bh0bkyd2

That wont make any difference to a personally targeted attack, but WinXP was one of the most vulnerable OS's. Any newer OS, Win7, Win8 and Win10, are pretty secure.

I like speed and Brave is fast. Firefox is almost as fast. The one thing I've found so far I dont like about Brave is I cant seem to turn off search suggestions. Thats aggravating to the point Firefox is set as default again but I'm still using both.

 

[Chan Eil Whiskers]

I installed Brave browser yesterday and have been using it while comparing it to Firefox. I've been using Firefox since the beginning and I know it well. I've never had any sign of any leaks between tabs or windows other than caused by BHO's and I'm not sure I'd call that a 'leak'. Every tab or window is a separate connection.

Do web browsers use different outgoing ports for different tabs? - https://superuser.com/questions/1055281/do-web-browsers-use-different-outgoing-ports-for-different-tabs/1055309

The Brave browser is a whole new animal. Based on Chromium, its very fast. Much faster than Firefox. Its very well thought out but it does take some configuring to get it how you like it.

It also seems to be very secure. Want a private Tor window? Its built right into the browser, defaults to DuckDuckGo and operates the same as the regular Tor browser, only much faster.

View attachment 1046374

Its a very clean looking browser too. This is the basic homepage with some features turned off. The picture changes every time you open a browser or new tab.

View attachment 1046375

It has a very good built in ad blocker that can be user configured. The user config settings are very well detailed and give you all the power you need to set it up how you like and want it. I havent found the need to install any add on's or extensions to add to it like I do with Firefox. It just seems to do what it does, quickly, cleanly and easily with whatever permissions you give it.

Of all the browsers I've tried in the last 20 years, this might be the one to finally beat Firefox.

I've used a number of Browsers over the years, but am currently trying Dissenter. You probably know it's a spinoff from Brave. So, far I'm finding the browser easy to use, effective, and to my liking.

I've coupled it with the search engine, Startpage. I tried others but Startpage works best (in my limited experience) with the browser. Not that its perfect.

I'm also considering adding a VPN.

Happy shaves,

Jim

 

[Esox]

I've used a number of Browsers over the years, but am currently trying Dissenter. You probably know it's a spinoff from Brave. So, far I'm finding the browser easy to use, effective, and to my liking.

I've coupled it with the search engine, Startpage. I tried others but Startpage works best (in my limited experience) with the browser. Not that its perfect.

I'm also considering adding a VPN.

Happy shaves,

Jim

I havent used Dissenter and am back to using Firefox full time. Startpage seems to have had a facelift. I remember when it started it was just another default Google search. I just use the plain old Google start page but its becoming increasingly difficult to do a quick search for hard to find information. Some pages I use to look up 10 years ago dont even come up in a search anymore.

If the Dissenter browser has Tor built into it, you dont need a VPN. Tor assigns a new IP, at random, from anywhere in the world every time you open a new window while also giving you access to .onion links.

As far as your machine being vulnerable, try some of the tests in the GRC link I posted above. If you find any vulnerabilities to your machine they can most likely be solved in Windows Group Policy Editor by turning some Windows 'features' off.

How to manage the Group Policy on Windows 10, 8 and 8.1? - https://www.auslogics.com/en/articles/how-to-manage-the-group-policy-on-windows-10-8-and-8-1/

Windows 10 Professional allows the most permissions in gpedit.msc. Windows 10 Home, the least. If you're not sure what you're doing in gpedit though, dont mess around very much or you'll be learning Windows the hard way! Nuked installs are no fun lol.

 

[never-stop-learning]

I mostly dont worry about anything online much. I dont frequent risky sites or searches and I havent had any issues unless I've gone looking for one. I havent even used any AV programs for the last maybe 10 years and that includes Windows Defender.

I'm on Wiin10 Pro, but even on Win7 Ultimate my machine was invisible online without any protection. If you poke around this site there are several vulnerability tests you can run to find out how easy it might be to compromise your machine from random automated attacks.

GRC | ShieldsUP! — Internet Vulnerability Profiling - https://www.grc.com/x/ne.dll?bh0bkyd2

That wont make any difference to a personally targeted attack, but WinXP was one of the most vulnerable OS's. Any newer OS, Win7, Win8 and Win10, are pretty secure.

I like speed and Brave is fast. Firefox is almost as fast. The one thing I've found so far I dont like about Brave is I cant seem to turn off search suggestions. Thats aggravating to the point Firefox is set as default again but I'm still using both.

Ubuntu Linux and Chromium are pretty secure.

Add a VPN and things get very secure.

"Just because you're paranoid doesn't mean that they are not really out to get you."