Finally Firefox has a webbug detector...

Hi malware fighters,

As cookies became manageable and could be avoided, and as people became aware of Super Cookies, the use of 1 pixel large Web bugs came in to track you. These requests typically include the IP address of the requesting computer, the time the content was requested, the type of Web browser that made the request, and the existence of cookies previously set by that server. The server can store all of this information, and associate it with a unique tracking token attached to the content request.

Web bugs are typically used by third parties to monitor the activity of customers at a site.

Now they can be made visible with FoxBeacon. It can be found here:
http://www.shyyonk.net/foxbeacon/download.html
Test site for it: http://www.mycomputer.com/agreements/privacy_policy.html
I liked bugnosis, that was only for IE, now for Firefox we have Foxbeacon,

polonus

Well a brief read indicates a potential issue with the web shield.

After being installed, FoxBeacon embeds itself into the Firefox browser and acts as a proxy. It reads every incoming web page and tries to find hidden web bugs.

Since the web shield is a proxy we now have two proxies fighting over the same page, so at the very least we have to co-ordinate these by adding the foxbeacon proxy port to the web shield redirect and unchecking ignore local communication, etc.

If only we knew what port foxbeacon used, it is very light on information.

Actually, I think that NoScript does the same. There is probably no need for further extensions. Correct me if I’m wrong. It’s from 2007, isn’t it?

I would say NoScript would up to a point, since many sites require javascript for many functions if you allow it then the web bug could well be activated.

So it isn’t very clear and there is little information on exactly how foxbeacon works to say if noscript might do the job as well.

Hi DavidR,

You can enable FoxBeacon at will, e.g. when you need it to check. What is going on can be found here: chrome://foxbeacon/content/browser.js. For your convenience and mine I will post these questions to Giorgio Maone, the maker of NoScript, and we will have an answer. The source of this add-on, Mellon University standard, and professional guidance for the developer make it not questionable, and the example after which it was built, "bugnosis", has been used on IE for years and years without many security questions raised. I will just ask Giorgio Maone if NoScript also protects against webbugs at the moment the page is being sent, not at later handling through JavaScript, there I think we have full protection. Also I will ask him what an add-on like ABP can do, and we have to have FoxBeacon enabled to know what to block in ABP for the future, haven’t we?

polonus

It isn’t so much an issue of enabling at will but how it works based on it saying it acts as a proxy. If when at will I chose to enable it, if it had an interaction with the web shield I know which protection I would want on and I think you know which that would be ;D

Also as TheSpirit mentioned if NoScript covers this area then perhaps we don’t need foxbeacon, that entirely depends on how foxbeacon works, as to how much crossover there is between the two.

No one is questioning the probity of the origin of foxbeacon, just how it works.

Hi DavidR,

So until I know from Giorgio what are the security risks of this add-on, your way to find the majority of notorious Web bugs listed here: http://www.securityspace.com/s_survey/data/man.200102/webbug.html

Mind you there are also benevolent Web bugs you had better not block using NoScript because they are used for alignment and other purposes to make your surfing more enjoyable, especially because you are not on broadband.

The best solution here would be to block the nasties (e.g. undesirable Web bugs) inside your hosts file, at least that is advised. I am sure NoScript protects where Web bugs make acrobatics using JS in their aftermath, but my concern is at the moment of the page query from the browser. It has nothing to do with being paranoid, but just like you I want to know the underlying mechanism, and for FoxBeacon that is XUL,

polonus

I honestly don’t believe there are any security risks for this add-on and I’m certainly not implying that.

My concern is its claim to act as a proxy and the associated problems of getting other proxies and the web shield’s localhost proxy working together.

The problem, as I keep banging on, is there is zero information on how the foxbeacon proxy works, so we can’t tell if it will work with the web shield without having to make any changes to the web shield redirects.

Personally I’m not unduly concerned about web bugs anyway, my concern is someone installing the add-on and not knowing if there might be an issue with it and the web shield.

Hi DavidR,

What are your concerns then for users of the Firefox Torpark browser that also works in combination with a proxy privoxy?
Does this mean that you are against the use of proxies per se?

For those bold enough to play… when you start to play around with this great add-on, some hints. Leave NoScript on, wherever you go, but allow the little Web bug devils to be analyzed. For a test go to this page as an example: http://www.dziennik.pl/ Here you will see the FoxBeacon blink red, click the icon, and you see the analysis window for a dozen or so webbugs, all from: ad2.pl.mediainter.net. Severity of the webbug = 1 on a scale from 1 to 3; size pixels 0x0; Set Cookie = info; P3P policy: your data is collected for completion and support of activity for which it (the Web bug) was provided. Furthermore the analysis says it comes from a different domain than that of the page visited, so that is a bunch of info for a little Web bug analysis. Now with blockable items in ABP you can block: ad2.pl.mediainter.net as given there. So while acting whenever FoxBeacon alerts you can build up an ABP block list for the undesirables, read from the analysis page I would go for blocking the 3 category bugs,

Enjoy,

polonus
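
The checks reported in the analysis window described in the post above (an image of 0x0 or 1x1 pixels, served from a different domain than the page) can be reproduced offline. This is an added example, not part of the thread and not FoxBeacon's code; the sample HTML, the `tracker.example` host and all function names are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page; only the host ad2.pl.mediainter.net comes from the thread.
SAMPLE_PAGE = """<html><body>
<img src="/images/logo.gif" width="120" height="40">
<img src="http://ad2.pl.mediainter.net/t.gif?id=123" width="0" height="0">
<img src="http://stats.tracker.example/hit.gif" width="1" height="1" />
<img src="/images/spacer.gif" width="1" height="1">
</body></html>"""

def _site(host):
    # Naive site key: last two DNS labels (assumption, no public-suffix list).
    return ".".join(host.lower().split(".")[-2:])

def _tiny(value):
    # True only for an explicit dimension of 0 or 1 pixel ("1", "0px").
    v = (value or "").strip().lower()
    v = v[:-2] if v.endswith("px") else v
    return v.isdecimal() and int(v) <= 1

class WebBugFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = _site(urlparse(page_url).hostname or "")
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "img" or not a.get("src"):
            return
        if not (_tiny(a.get("width")) and _tiny(a.get("height"))):
            return
        url = urljoin(self.page_url, a["src"])  # resolve relative src values
        host = urlparse(url).hostname or ""
        self.findings.append({"url": url, "host": host,
                              "size": f'{a["width"]}x{a["height"]}',
                              "third_party": _site(host) != self.page_site})

def find_web_bugs(html, page_url):
    finder = WebBugFinder(page_url)
    finder.feed(html)
    return finder.findings

def block_candidates(findings):
    # Third-party hosts only; first-party spacer images are left alone.
    return sorted({f["host"] for f in findings if f["third_party"]})
```

Calling `block_candidates(find_web_bugs(SAMPLE_PAGE, "http://www.dziennik.pl/"))` yields the third-party hosts to consider for an ABP or hosts-file block list, while the same-site 1x1 spacer is reported but not proposed for blocking.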

The Torpark offering (when I tested it back in 2006) totally prevented any scanning by the avast Webshield.

Indeed the whole point of it seemed to be that it was totally “sealed” and intended to be used without any awareness of the system on which it is running and leaving no traces when removed.

I don’t really care for torpark, not my concern and not what this topic was about.

My concern is for the average Joe who if foxbeacon will be totally unaware that they may not be protected by the web shield if there is any interaction that causes web shield not to scan content, leaving the user less well protected. They might not get a web bug but could well catch a severe cold instead.

Which is why I’m making it plain there ‘could’ be conflict between the two proxies, so any average Joe viewing this topic now or in the future has another opinion or view.

Nothing to do with not liking proxies or otherwise.

Hi DavidR,

I did not have to change anything in the way the browser connects out for FoxBeacon. That is what I see from the Options Advanced Network settings inside Firefox, avast connects through localhost through 12080,
NoScript on, so I do not worry,

polonus

As I see it, this is another one of those tools best left for the experts.
The average user provided he browses safely and wisely, doesn’t really
need analytical tools. Just my 2cents worth.

I feel the same Polonus, too technical for me…

Hi Tech,

I agree with you, we will leave this add-on for those interested. I for one am always interested in what goes on behind my back inside a browser with the 0x0 or 1x1 pixels Web bug I might click. So I expect those with the Web developer extension would like to have this FoxBeacon info.
Later I might present you with a quick and easy list you can paste into ABP Preferences to block the category three or dangerous third party Web bugs. A good thing is the majority of sites with NoScript and ABP installed do not show many Web bugs, but there are some sites that you would not expect that have them (BBC news),
These are or rather were the major Web bug domains:

doubleclick.net 2988 script[11.2%], img[98.7%], iframe[60.0%], layer[51.4%], im[0.2%], div[0.2%], ilayer[0.2%], frame[0.4%], la[0.2%], s[0.2%]
akamai.net 2253 img[89.6%], script[14.0%], input[27.5%], embed[1.4%], im[0.5%]
linkexchange.com 1851 img[98.2%], iframe[47.1%], frame[0.1%], 1000[0.1%]
bfast.com 1737 img[99.4%], input[0.9%], iframe[4.5%], script[5.1%], frame[0.5%], i[0.1%]
demon.co.uk 1270 img[98.7%], frame[1.3%], ul[0.1%]
extreme-dm.com 1210 img[100.0%]
hitbox.com 1162 img[99.8%], input[0.4%], script[14.8%], iframe[6.0%]
linksynergy.com 881 img[92.7%], frame[0.8%], script[7.0%]
akamaitech.net 819 input[20.0%], img[96.0%], script[4.0%], embed[1.3%]
commission-junction.com 736 img[99.1%], frame[0.7%], image[0.2%], im[0.2%]
wunderground.com 732 img[99.8%], frame[0.5%]
excite.com 667 input[12.5%], img[28.1%], script[59.4%], frame[1.6%]
link4ads.com 657 iframe[69.6%], img[73.9%], script[2.9%]
preferences.com 655 img[100.0%], iframe[16.0%], script[16.0%], ffb[4.0%]
thecounter.com 566 img[99.8%], mg[0.2%]
listbot.com 542 input[96.5%], img[3.5%]
goto.com 529 img[98.5%], input[92.2%]
eimg.com 508 img[100.0%]
199.172.144.25 507 img[100.0%]
flycast.com 448 script[81.0%], iframe[85.2%], img[92.3%], ilayer[1.4%]
netscape.com 447 img[99.0%], frame[1.0%]
yimg.com 437 img[98.9%], script[1.1%], input[0.8%]
cnet.com 418 img[96.4%], input[39.3%], frame[1.8%], script[1.8%]
focalink.com 414 img[100.0%], iframe[4.9%], script[4.9%]
superstats.com 411 script[57.8%], img[68.1%], s[0.3%]
rambler.ru 407 img[100.0%], iframe[0.3%]
amazon.com 393 img[93.5%], input[2.9%], 112[0.7%], frame[5.0%], bgsound[0.7%]
digits.com 385 img[100.0%]
weather.com 377 input[65.6%], img[85.0%], frame[5.8%]
avenuea.com 371 img[100.0%]
humanclick.com 364 script[95.3%], img[30.4%], s[0.3%]
isyndicate.com 340 script[85.8%], img[22.3%], input[3.0%], frame[4.1%], iframe[1.0%], s[0.5%]
sextracker.com 327 img[100.0%], input[2.0%]
trafficcount.com 315 img[100.0%]
yahoo.com 311 img[44.8%], frame[7.1%], script[46.5%], input[3.3%], html[0.4%]
bcentral.com 311 img[99.7%], input[0.7%]
fxweb.com 302 img[100.0%]
zdnet.com 302 img[92.3%], frame[7.7%], iframe[7.7%], input[7.7%]
sitemeter.com 290 script[71.5%], img[97.2%], sc[0.4%], s[0.4%]
register.com 287 frame[94.8%], img[4.8%], input[2.2%]
w3.org 286 img[100.0%]
aol.com 285 img[81.8%], frame[16.1%], bgsound[1.4%], im[0.7%], script[0.7%]
moreover.com 277 script[98.1%], img[61.0%], frame[1.3%], input[5.2%], s[0.6%]
spylog.com 274 img[100.0%], script[10.6%]
burstnet.com 274 img[100.0%], iframe[25.0%], i[0.7%]
geocities.com 270 img[74.4%], frame[24.8%], script[0.8%], input[0.4%], embed[0.8%]
webtrendslive.com 250 img[100.0%], script[0.6%]
cgiserver.net 249 img[100.0%]
tv.com 244 img[100.0%]
builder.com 242 img[100.0%]
associmg.com 241 img[96.8%], input[29.1%]
seez.com 240 img[100.0%]
nedstat.net 228 img[100.0%], frame[0.5%]
google.com 223 img[100.0%]
nextcard.com 217 img[100.0%]
valueclick.com 215 script[64.6%], img[60.8%]
paypal.com 208 img[87.5%], input[17.3%]
searchbutton.com 203 input[93.8%], img[56.3%]
sexhound.com 200 img[100.0%], input[14.3%]
netnames.com 189 img[99.5%], script[97.9%], frame[0.5%]
beseen.com 187 img[90.0%], script[9.4%], cript[0.6%], frame[0.6%]
yahoo.co.jp 185 img[100.0%]
pagecount.com 181 img[100.0%]
mycomputer.com 179 script[91.4%], img[44.7%], frame[0.7%]
list.ru 179 img[100.0%]
paycounter.com 176 img[100.0%]
imgis.com 172 script[30.9%], img[52.6%], iframe[22.7%]
1-jobs.com 170 img[100.0%]
adobe.com 165 img[85.0%], script[15.0%]
mediaplex.com 162 img[100.0%], iframe[6.3%]
av.com 161 img[90.7%], input[96.1%]
corporate-ir.net 159 frame[66.7%], img[33.3%]
sexlist.com 158 img[100.0%]
go2net.com 156 img[76.8%], iframe[51.4%], script[51.4%]
sf-01.com 156 img[100.0%]
da.ru 155 img[1.3%], frame[98.7%]
hypermart.net 153 img[95.1%], frame[4.9%], script[0.8%]
iadnet.com 153 img[100.0%]
216.32.68.154 153 img[100.0%]
yahoo.co.kr 153 img[100.0%]
7search.com 151 img[100.0%], script[10.4%]
linkstoyou.com 148 img[100.0%]
addme.com 146 img[98.5%], iframe[5.1%], script[0.7%]
bravenet.com 145 script[6.1%], img[96.2%], input[0.8%], frame[0.8%]
teleweb.at 136 script[76.9%], img[100.0%]
mtree.com 135 img[100.0%]
worldonline.nl 134 frame[99.3%], img[0.7%]
porntrack.com 131 img[100.0%]
atgratis.com 130 img[100.0%]
cmpnet.com 126 img[78.6%], input[14.3%], embed[14.3%], iframe[21.4%], script[21.4%]
smartclicks.com 124 img[99.0%], font[1.0%]
nic.cc 123 img[69.2%], frame[30.8%]
internet.com 122 img[92.3%], script[7.7%]
whatuseek.com 121 script[45.2%], img[46.6%], input[16.4%], ximg[1.4%]
about.com 120 img[100.0%], input[45.8%]
webconnect.net 120 img[100.0%]
networksolutions.com 118 img[96.4%], input[60.7%]
lycos.com 114 img[95.4%], script[10.2%], input[3.7%]
recommend-it.com 113 img[100.0%]
looksmart.com 112 iframe[4.5%], img[55.1%], input[32.6%], script[43.8%], frame[1.1%]

polonus

The one site I would absolutely expect to have them is the BBC.

(/rant on)

When you have to answer to moronic politicians for your funding you absolutely have to be able to justify your existence with irrefutable data on your usage. There are many (and their bought and paid for political hacks) who complain the BBC has no right to provide information over the Web since it might compete with free market offerings. The BBC remains (IMHO) one source of light in a world where the media (in my country and others) has largely become the putrid organ of a geriatric Australian (and others like him) with very decided political views pushed by his media empire for his profit rather than any attempt at fair reporting.

(/rant off)

Your ever humble,
Alan

Many of those sites can be blocked with a HOSTS file.
I use hpHosts and MVPS HOSTS files:
http://www.mvps.org/winhelp2002/hosts.htm <== has a good description of the HOSTS file and its use

I manage them with HostsMan and I use its HostsServer proxy to speed up browsing:
http://www.abelhadigital.com

Yes, and that’s why BBC is facing severe cut-backs. We should never discuss good public services. Some politician might spot it and think that there is room for further cost reductions. :wink:

I love the TV show Yes Minister

Hi malware fighters,

Do not understand this, because I run FoxBeacon and the FoxBeacon Menu next to NoScript in the latest nightly build:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b2pre) Gecko/20081121 Minefield/3.1b2pre ID:20081121034512
The add-on runs superb on ff 3. Because of NoScript and ABP, ABP Watcher, and Element Helper add-ons, I do not see that many Web Bugs with FoxBeacon, but I know now on the MS page I have to additionally block this third domain Web bug:
http://m.webtrends.com/dcs4f6vsz99k7mayiw2jzupyr_1s2e/njs.gif?dcsuri=/nojavascript&WT.js=No
Open blockable items in ABP, locate the Web bug and click, bye bye,

polonus