The basics of web browser security: an introduction
-
Why is my site info window different from the one in the screenshot in the post?
https://imgur.com/xKrUPpC
All settings open in a new tab. But it was as shown several snapshots ago. It was a better solution than the current one. Maybe there is some setting for reverting this option?
-
@solidsnake In the latest versions of Chromium, the site info box only shows permissions that are requested rather than all of them. As Vivaldi doesn't need to use, for example, the camera, that permission isn't shown and uses your default (probably "ask").
Why it always shows flash though, I don't understand.
-
@lonm: Thanks for the explanation. But I don't see JavaScript, for example, and the site uses it. Sometimes I want to disable it, and it would be much more convenient if it were on this menu rather than in a separate tab.
But if it is a Chromium thing, then probably the Vivaldi team couldn't change that.
-
@lonm said:
@ian-coog: It's not available on vivaldi.com (the blog comments), but can be found on the associated forum.vivaldi.net thread.
Correct, there's no edit button on the blog, and I don't frequent the forums enough to have remembered that the comments also show up in a thread there. Thanks for reminding me.
-
Elon Musk deletes Facebook pages for SpaceX and Tesla.
-
@solidsnake You are absolutely right. As far as general users are concerned only showing necessary permissions makes things simpler to understand and so should enhance understanding of privacy and security.
But for power users (whatever that means) it would make more sense to at least have an option to show all.
-
@gt500: Thanks for the feedback. One of the upcoming articles will cover parts of this, at least (changing those settings). There may be a couple of things that could be worded better in the UI, or get restrictions to make them harder to abuse, and we are always happy to look into possible improvements there. Our settings are always being worked on, and we do have plans to add more controls.
Then why do they keep adding features that are easy for malicious websites to abuse?
When browsers wish to add features, they do get a great deal of effort spent on working out possible vectors they may introduce, and trying to prevent them. Many of us spent a lot of effort in making sure that the permissions implementations would not be a completely open book for websites to abuse. If you are interested, you can help take part in the standardisation processes (such as W3C, whose HTML5 specification does take security implications into account). You may contact the standardisation bodies if you would like to contribute in some way.
delay the loading of page content until Allow or Deny is clicked in the notification, forcing users to interact with the notification before being allowed to even view the website they were visiting.
This is always possible for any page. They can choose to display a blank page, or an error message and claim you have to do [something] in order to make the page work. This is a form of social engineering, and is something the phishing filter is intended to combat (the website would be blacklisted for being malicious).
scripts can change the message displayed on the notification
If you think you can abuse a message from a page which is displayed in the UI, please report this to our bug tracking system, and we will analyse it to determine if it has security implications.
A cursory test does not appear to show the problem you described though; the wording in Vivaldi is hardcoded by the browser, since the method used to ask for permission only accepts a callback function as a parameter. An older WebKit API which allowed strings seems not to be supported in Chromium. I cannot, of course, speak for the other browser vendors - if you think you can abuse their browsers in this way, you should report it to them (most vendors will give you researcher rewards of some kind if you report a security issue without discussing it publicly first).
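An added example (not code from the thread, from Vivaldi, or from Chromium) of what the page side of a notification permission request looks like, illustrating the point above: requestPermission takes no message text, the browser owns the prompt wording, and the page only ever receives one of three states. The button element and the helper names are assumptions.

```javascript
// Pure decision helper, kept separate so it can be unit-tested outside a browser.
// Input: the permission string the browser reports ("default", "granted", "denied").
// Output: whether the page may post notifications and whether asking is even worthwhile.
function planForPermission(state) {
  switch (state) {
    case "granted":
      return { canNotify: true, showPrompt: false };
    case "denied":
      // The user already said no; a page cannot re-prompt and should not try to nag.
      return { canNotify: false, showPrompt: false };
    case "default":
      // The browser-level default ("Ask"): the prompt has not been answered yet.
      return { canNotify: false, showPrompt: true };
    default:
      throw new Error("unexpected permission state: " + state);
  }
}

// Browser-only part (assumed UI): ask at most once, and only in response to a click.
// Returns the resulting permission string, or "unsupported" where the API is absent
// (for example when this file is loaded under Node).
async function requestNotificationsOnClick(button) {
  if (typeof Notification === "undefined") return "unsupported";
  const plan = planForPermission(Notification.permission);
  if (!plan.showPrompt) return Notification.permission;
  return new Promise((resolve) => {
    button.addEventListener(
      "click",
      async () => {
        // No string argument exists: the text shown in the prompt is the browser's own.
        // The page learns only the outcome, not how the prompt was worded or dismissed.
        const result = await Notification.requestPermission();
        resolve(result);
      },
      { once: true }
    );
  });
}
```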
-
@solidsnake: It's like that, it only shows options that have their defaults defined as Ask or whose default was changed from the browser default. Since JavaScript is unblocked by default it's not shown.
PS: Yeah, I hate that too.
-
@gt500 Re that BP article: I read it last month, but re-read it now via your link to refresh my memory. My reaction both times was... meh.
Either I manage miraculously to somehow avoid all the "bad" sites that misbehave that way, or my uBO & Ghostery or Privacy Badger [I alternate between them] extensions do a great job, because I never ever experience the described misbehaviour. Meanwhile, on the sites for which I have enabled them, web notifications are a valued & appreciated functional feature for me.
-
@tarquin said in The basics of web browser security: an introduction:
and we do have plans to add more controls
IMHO. Control is the correct word for the context.
-
delay the loading of page content until Allow or Deny is clicked in the notification, forcing users to interact with the notification before being allowed to even view the website they were visiting.
This is always possible for any page. They can choose to display a blank page, or an error message and claim you have to do [something] in order to make the page work.
I apologize if I was not clear enough here; however, the point was that scripts have a way to tell if a user has interacted with the notification that asks users for permission to allow web notifications. Scripts should not have access to this sort of information.
If you think you can abuse a message from a page which is displayed in the UI, please report this to our bug tracking system, and we will analyse it to determine if it has security implications.
I will see if I can find you an example.
If you are interested, you can help take part in the standardisation processes (such as W3C, whose HTML5 specification does take security implications into account).
Browser makers can't simply blame standards organizations for poor implementation of features, or for poor security precautions when implementing features. The W3C doesn't write the code for Google Chrome, Vivaldi, or Firefox. The W3C also doesn't make the decisions as to what features each of these browsers will have.
-
@steffie: uBlock Origin will prevent a lot of abuse, and might be why you haven't seen it. It's also possible that you haven't visited the kind of sites that use such scripts.
-
@tarquin: Well, that was certainly easy to find:
https://imgur.com/a/vgnK2
-
@gt500: VirusTotal report on the URL used in testing:
https://www.virustotal.com/#/url-analysis/u-2384dc8f31dad438b9a2d2809a1ed4b82c747cdf7ccac01fcee32e455da81af0-1521934109
Viewing the report is safe, but please leave the testing up to the QA team and security experts.
-
@gt500 This is not the notification UI being manipulated; it's just HTML in the page trying to fool people. The Vivaldi UI for notifications is totally different.
-
@an_dz: So you're saying it's a social engineering attack intended to fool people into clicking "Allow" twice without re-reading the notification?
-
@gt500: As a reply to each topic.
-
That's impossible. What sites do is create HTML that imitates the Chrome UI (or other browsers) to make people think it's Chrome. When IE was the king this also happened with download messages, popup messages and plugin installs.
-
Any site is free to request things from users, for example Vivaldi requires users to register and to be logged in to post in this forum/blog. It's up to the users to boycott sites that request things that they consider stupid, like having to accept notifications.
-
I agree, and that's why I created and grouped bugs to expose those Chromium settings in our UI a while back. I really hope they add it.
-
Also agree, and it's the same reason as point 3. With our own UI we can have a better UI/UX with better wording.
-
@an_dz: So you're saying it's a social engineering attack intended to fool people into clicking "Allow" twice without re-reading the notification?
Upon further testing that does appear to be the case. When you click "Allow", they open a popup window that's too small for the notification asking for permission to allow web notifications to be fully visible, so it is partially cut off by the right side of the browser window, obscuring what it says.
It's still an effective demonstration as to how easy it is to abuse the feature. We all know that when it comes to the average user, there are two kinds of people: Those who always click "Yes" on every popup, and those who always click "No" on every popup.
Besides, why does this feature even exist? Since when were RSS and ATOM not enough?
-
@gt500 There's nothing one can do, it's impossible to "block" a website from doing this. The thing is that you are responsible for your actions, whatever you do will have its consequences.
Besides, why does this feature even exist? Since when were RSS and ATOM not enough?
-
RSS/Atom are extra standards. The Notifications API is part of JS.
Since they are extras, basically only Presto Opera ever adopted them as a default feature of the browser. The Notifications API is a part of ECMAScript/JavaScript, which is an essential part of every browser and so must be implemented by all JS engines.
-
RSS/Atom is static, Notifications API is dynamic.
RSS/Atom is a webpage with some "news" which the browser downloads whenever it wishes to; you can configure the update interval in your RSS/Atom reader. You can't edit older messages, because they become different and so become "new".
The Notifications API is a notification popup that fires whenever the site wishes, so notifications fire when the action occurs and not when you decide to download the "news" as in RSS. It's also JavaScript, so the notification can be modified on the fly to match inputs the user has made, even without this data going to any servers.
Examples
RSS/Atom is for getting the latest Blog posts in the Vivaldi forum. It doesn't matter if you see this now or some hours later.
Notifications is for getting a popup when someone sends you a message, for example in Telegram or WhatsApp. You want those to be instantaneous, right after you receive the message.
-
@an_dz: Internet Explorer has had a built-in RSS reader for years, and Firefox used to have one as well (sadly they removed it at some point).
RSS/Atom is static, Notifications API is dynamic.
Feeds are dynamically generated by some sort of script each time they are loaded by an RSS reader, that way they always show the latest content. They would be of no use if they were just static pages.