operas fraud protection sucks

Posted by Nico Golde in
Sunday, September 14. 2008

Dear Opera developers...
even I find it hard to believe that your fraud protection is of a real use for anyond (besides the technical implementation: doing an http request for each unvisited site to http://sitecheck2.opera.com/?host=HOST really sucks) it might help some people.

BUT why on earth are you doing this for private ip ranges??? FAIL!

UPDATE: the documentation states that this is not done, however I only recognized this because I saw that it is exactly doing that in a packet dump and I can reproduce this:
192.168.1.212 - - [14/Sep/2008:21:22:09 +0200] "GET http://sitecheck2.opera.com/?host=192.168.1.4&hdn=1jefsNeoBNollcGHqAYxxA== HTTP/1.1" - - "-" "Opera/9.50 (X11; Linux i686; U; en)"

So either urlsnarf is buggy here (which I don't believe as the request should never go through a socket) or opera has a bug.
Comment (1) - Trackbacks (0)
Defined tags for this entry: , , ,

Google chrome code reuse nightmare

Posted by Nico Golde in
Friday, September 5. 2008

While some people think that Googles new open source webbrowser Chrome is a great example of code reuse I think the opposite is true. He found at least 25 open source libraries used by the browser. So far this is not a problem but what is a problem is that it embeds all of them in the upstream source tarball instead of depending on the system-wide copies. I know that it might be problematic if people have to install 25 libraries on their own (they could provide static builds though) but for distributors this is just a nightmare if security issues pop-up in one of the used libraries (famous libraries who had issues in the past: webkit, libpng, libjpeg, libxml, ...).

In this case the distributors can't just fix the security issue in the shared library and all applications using it are fixed, no they also have to fix all the copies in software like Chrome. Same if you installed Chrome from source, if a security issue pops out in one of the embedded libs you have to go and install a new Chrome version. Google also needs to additionally maintain upstream and security fixes in their embedded code copies but I guess they have enough manpower to do so.

I didn't yet look at the Chrome source code but I hope it has at least a way to link against the system-wide copies without patching the makefiles.
Comments (13) - Trackbacks (0)
Defined tags for this entry: , , , , ,

squeeze

Posted by Nico Golde in
Monday, September 1. 2008

Say Hi to Squeeze, the Debian version that will be released after Lenny (and of course when it's ready)!
Comments (3) - Trackbacks (0)
Defined tags for this entry: , , ,
(Page 1 of 1, totaling 3 entries)

Calendar

Back September '08 Forward
Mon Tue Wed Thu Fri Sat Sun
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30          

Quicksearch

Support



=>my website

Recent Entries

E-Plus GSM privacy/TMSI allocation leak
Thursday, October 11 2012
Exploiting the Ubiquisys/SFR femtocell webserver (wsal/shttpd/mongoose/yassl embedded webserver)
Wednesday, August 3 2011
So what happened recently...
Wednesday, April 6 2011
Sunday, February 6 2011
exim remote vulnerability
Thursday, December 9 2010
Will my Phone Show An Unencrypted Connection?
Wednesday, September 8 2010
smpCTF 2010 quals writeups
Sunday, August 8 2010
protocol design fail: MMS notification
Wednesday, July 28 2010
acrobat reader stealing my passwords
Tuesday, June 29 2010
UnrealIRCd backdoored
Saturday, June 12 2010

Archives

Syndicate This Blog

Categories



All categories

Tag cloud