How to prevent my information from being accessed by webpages
How to prevent my information from being accessed by webpages. Discuss How to prevent my information from being accessed by webpages, on Wireless Forums.
How to prevent my information from being accessed by webpages
Hello - I have visited a few sites that somehow have information about what
city I live in. I have cleared autocomplete and history and cookies and
offline files, and when I go back they still greet me with the city I live
in. How do they get that info? How do I stop it?
Running IE 6
Thanx
Re: How to prevent my information from being accessed by webpages
q wrote:
> Hello - I have visited a few sites that somehow have information about what
> city I live in. I have cleared autocomplete and history and cookies and
> offline files, and when I go back they still greet me with the city I live
> in. How do they get that info? How do I stop it?
> Running IE 6
> Thanx
>
>
let me guess,
Re: How to prevent my information from being accessed by webpages
q wrote:
> Hello - I have visited a few sites that somehow have information about what
> city I live in. I have cleared autocomplete and history and cookies and
> offline files, and when I go back they still greet me with the city I live
> in. How do they get that info?
GeoIP
> How do I stop it?
proxying
> Running IE 6
And you don't consider this as a much bigger problem?
Re: How to prevent my information from being accessed by webpages
"q" <Q@q.com> writes:
> Hello - I have visited a few sites that somehow have information about what
> city I live in. I have cleared autocomplete and history and cookies and
> offline files, and when I go back they still greet me with the city I live
> in. How do they get that info? How do I stop it?
> Running IE 6
> Thanx
They're most likely divining this info from your computer/ISP's IP
address.
If you proxy your web traffic through another server, then the web
site will think you're coming from there.
Tor is a program that pseudo anonymizes your apparent web whereabouts
by the use of onion routing. You can google the program and term for
more information, but basically, it makes you apparent IP address
appear to come from a number of different places.
I agree with Sebastian though, IE6 is likely the bigger issue here.
You should reconsider that choice if you are concerned with security.
ActiveX is just way too pourous. Firefox and Opera are decent
alternatives.
Re: How to prevent my information from being accessed by webpages
Todd H. wrote:
> I agree with Sebastian though, IE6 is likely the bigger issue here.
> You should reconsider that choice if you are concerned with security.
> ActiveX is just way too pourous.
The problem is that you can't actually disable ActiveX due to numerous flaws
in IE's implementation.
Re: How to prevent my information from being accessed by webpages
"Sebastian G." <seppi@seppig.de> writes:
> Todd H. wrote:
>
>
>> I agree with Sebastian though, IE6 is likely the bigger issue here.
>> You should reconsider that choice if you are concerned with security.
>> ActiveX is just way too pourous.
>
>
> The problem is that you can't actually disable ActiveX due to numerous
> flaws in IE's implementation.
Re: How to prevent my information from being accessed by webpages
"Sebastian G." <seppi@seppig.de> writes:
> Todd H. wrote:
>
>
>> I agree with Sebastian though, IE6 is likely the bigger issue here.
>> You should reconsider that choice if you are concerned with security.
>> ActiveX is just way too pourous.
>
>
> The problem is that you can't actually disable ActiveX due to numerous
> flaws in IE's implementation.
Re: How to prevent my information from being accessed by webpages
On 2008-02-21, q <Q@q.com> wrote:
> Hello - I have visited a few sites that somehow have information about what
> city I live in. I have cleared autocomplete and history and cookies and
> offline files, and when I go back they still greet me with the city I live
> in. How do they get that info? How do I stop it?
> Running IE 6
> Thanx
>
It's often possible to deduce what city you're in by your IP address,
particularly if you're using a ordinary ISP that's local to you.
Unless you want to dial in to an access point in some other city,
or go through a proxy in some other city, there's not much you can do.
--
Christopher Mattern
NOTICE
Thank you for noticing this new notice
Your noticing it has been noted
And will be reported to the authorities
Re: How to prevent my information from being accessed by webpages
"Todd H." wrote:
> "Sebastian G." writes:
>> The problem is that you can't actually disable ActiveX due to numerous
>> flaws in IE's implementation.
>
> Yup.
Could either of you give me an example of how disabling it fails or
point to somewhere that discusses it?
Re: How to prevent my information from being accessed by webpages
On Thu, 21 Feb 2008 08:07:56 GMT, q wrote:
> Hello - I have visited a few sites that somehow have information about what
> city I live in. I have cleared autocomplete and history and cookies and
> offline files, and when I go back they still greet me with the city I live
> in. How do they get that info? How do I stop it?
Re: How to prevent my information from being accessed by webpages
Ant wrote:
> "Todd H." wrote:
>> "Sebastian G." writes:
>>> The problem is that you can't actually disable ActiveX due to numerous
>>> flaws in IE's implementation.
>> Yup.
>
> Could either of you give me an example of how disabling it fails or
> point to somewhere that discusses it?
Well, three big issues:
- If you instantiate it through a CLSID instead of the interface name (which
is actually undocumented as well as invalid HTML), then the COM server is
responsible for instantiation. So, in 99% of all cases MSIE is earlier, and
applies it policies (means: does not instantiate the control), in the rest
1% the policies are totally bypassed. Even further, on can trigger updates
of existing controls, provide old signed controls, and possibly even
redirect to arbitrary download locations.
- Aside from the policies, some controls are ultimately trusted and can
always be instantiated. Just take a look at the source code of MSIE's
internal error webpages...
- Even if instantiation is not attempted at all, just searching for the
control has funny side effects. For example, as in Windows 2000 SP3, trying
to instantiate the Control TlntSrvClient.TlntSrvEnum triggers the startup of
the Telnet Server Service (if installed, and the user logged in as Admin).
But IE has other issues as well, like f.e. boundary errors in the CSS parser.
Re: How to prevent my information from being accessed by webpages
Thanks for the mention about IE6. I upgraded to ie7 last night and still no
good.I'm going to check out Firefox.
Thanx
"Sebastian G." <seppi@seppig.de> wrote in message
news:6257s7F2249a7U2@mid.dfncis.de...
>q wrote:
>
>> Hello - I have visited a few sites that somehow have information about
>> what city I live in. I have cleared autocomplete and history and cookies
>> and offline files, and when I go back they still greet me with the city I
>> live in. How do they get that info?
>
>
> GeoIP
>
>> How do I stop it?
>
>
> proxying
>
>> Running IE 6
>
>
> And you don't consider this as a much bigger problem?
Re: How to prevent my information from being accessed by webpages
q wrote:
> Thanks for the mention about IE6. I upgraded to ie7 last night and still no
> good.
Well, why do you insist on abusing MSIE as a webbrowser?
> I'm going to check out Firefox.
Which is a serious webbrowser, but won't solve your problem, since it's not
related to the webbrowser at all (or whatever you choose to abuse as such).
Re: How to prevent my information from being accessed by webpages
On Feb 21, 2:09 pm, comph...@toddh.net (Todd H.) wrote:
> "q" <Q...@q.com> writes:
> > Hello - I have visited a few sites that somehow have information about what
> > city I live in. I have cleared autocomplete and history and cookies and
> > offline files, and when I go back they still greet me with the city I live
> > in. How do they get that info? How do I stop it?
> > Running IE 6
> > Thanx
>
> They're most likely divining this info from your computer/ISP's IP
> address.
>
> If you proxy your web traffic through another server, then the web
> site will think you're coming from there.
>
> Tor is a program that pseudo anonymizes your apparent web whereabouts
> by the use of onion routing. You can google the program and term for
> more information, but basically, it makes you apparent IP address
> appear to come from a number of different places.
>
> I agree with Sebastian though, IE6 is likely the bigger issue here.
> You should reconsider that choice if you are concerned with security.
> ActiveX is just way too pourous. Firefox and Opera are decent
> alternatives.
>
> Best Regards,
> --
> Todd H.http://www.toddh.net/
Re: How to prevent my information from being accessed by webpages
"Sebastian G." wrote:
> Ant wrote:
>> Could either of you give me an example of how disabling it fails or
>> point to somewhere that discusses it?
>
> Well, three big issues:
>
> - If you instantiate it through a CLSID instead of the interface name (which
> is actually undocumented as well as invalid HTML), then the COM server is
> responsible for instantiation. So, in 99% of all cases MSIE is earlier, and
> applies it policies (means: does not instantiate the control), in the rest
> 1% the policies are totally bypassed.
If this is random it would be difficult to check. I'd like to see a
prooof-of-concept.
> Even further, on can trigger updates
> of existing controls, provide old signed controls, and possibly even
> redirect to arbitrary download locations.
Again, I'd like to see a POC.
> - Aside from the policies, some controls are ultimately trusted and can
> always be instantiated. Just take a look at the source code of MSIE's
> internal error webpages...
Error messages (e.g. 404) don't appear in my IE without OK-ing an
ActiveX prompt.
> - Even if instantiation is not attempted at all, just searching for the
> control has funny side effects. For example, as in Windows 2000 SP3, trying
> to instantiate the Control TlntSrvClient.TlntSrvEnum triggers the startup of
> the Telnet Server Service (if installed, and the user logged in as Admin).
I don't know why a search would be made when all automatic object
creation is disallowed in all zones.
> But IE has other issues as well, like f.e. boundary errors in the CSS parser.
Re: How to prevent my information from being accessed by webpages
Ant wrote:
>> - Aside from the policies, some controls are ultimately trusted and can
>> always be instantiated. Just take a look at the source code of MSIE's
>> internal error webpages...
>
> Error messages (e.g. 404) don't appear in my IE without OK-ing an
> ActiveX prompt.
Interesting. How did you get such a configuration?
> I don't know why a search would be made when all automatic object
> creation is disallowed in all zones.
Because the implementation is somewhere between stupid and broken.
Instantiation already happens before it tries to apply its policies.
>> But IE has other issues as well, like f.e. boundary errors in the CSS parser.
>
> I'll have to look into this further.
reliably crash a fully up-to-date Internet Explorer 7. No news, I reported
these to Microsoft back in 2004; about the time when I stopped caring for MSIE.
Re: How to prevent my information from being accessed by webpages
"Sebastian G." wrote:
> Ant wrote:
>> Error messages (e.g. 404) don't appear in my IE without OK-ing an
>> ActiveX prompt.
>
> Interesting. How did you get such a configuration?
By tweaking the registry values under ...\Internet Settings\Zones\0
Many people would find that a nuisance when performing some normal
day-to-day operations but I tend not to operate normally.
>> I don't know why a search would be made when all automatic object
>> creation is disallowed in all zones.
>
> Because the implementation is somewhere between stupid and broken.
> Instantiation already happens before it tries to apply its policies.
Perhaps limiting ActiveX in *all* zones would stop it. I've yet to see
a control instantiated that I haven't explicitly allowed.
Re: How to prevent my information from being accessed by webpages
Ant wrote:
> "Sebastian G." wrote:
>
>> Ant wrote:
>>> Error messages (e.g. 404) don't appear in my IE without OK-ing an
>>> ActiveX prompt.
>> Interesting. How did you get such a configuration?
>
> By tweaking the registry values under ...\Internet Settings\Zones\0
And which exactly? I configured everything possible for the Local Zone,
including everything from IE's GUI as well as all group policies.
> Many people would find that a nuisance when performing some normal
> day-to-day operations but I tend not to operate normally.
I know, even the SCM msc applet hicks up when deactivating scripting for the
local zone.
Still I couldn't reproduce your finding that the Help Message Generator COM
Controls from MSIE's internal resource pages could not be instantiated.
>> Instantiation already happens before it tries to apply its policies.
>
> Perhaps limiting ActiveX in *all* zones would stop it.
No, that won't help either: The problem is that the instantiation is done by
the COM Server (typically running in the DCOM Server Service), and it has
its own policies and configuration. And its default policy is to
automatically download, install and update every control it stumbles upon.
> I've yet to see a control instantiated that I haven't explicitly allowed.
LOL? Even the list view in Windows Explorer is implemented by a COM Control.
Re: How to prevent my information from being accessed by webpages
"Sebastian G." wrote:
> Ant wrote:
>> "Sebastian G." wrote:
>>> Ant wrote:
>>>> Error messages (e.g. 404) don't appear in my IE without OK-ing an
>>>> ActiveX prompt.
>>> Interesting. How did you get such a configuration?
>> By tweaking the registry values under ...\Internet Settings\Zones\0
>
> And which exactly? I configured everything possible for the Local Zone,
> including everything from IE's GUI as well as all group policies.
Changing the 'Flags' value in zone 0[1] to 0x47 causes the 'My
Computer' icon to appear on the security tab in the Internet settings
dialog. You can then manipulate the settings as for other zones. I've
set the running of ActiveX to 'prompt'.
[1]
I did this for my user account under HKU, rather than HKLM.
>>> Instantiation already happens before it tries to apply its policies.
>> Perhaps limiting ActiveX in *all* zones would stop it.
>
> No, that won't help either: The problem is that the instantiation is done by
> the COM Server (typically running in the DCOM Server Service), and it has
> its own policies and configuration. And its default policy is to
> automatically download, install and update every control it stumbles upon.
Re: How to prevent my information from being accessed by webpages
Ant wrote:
> "Sebastian G." wrote:
>
>> Ant wrote:
>>> "Sebastian G." wrote:
>>>> Ant wrote:
>>>>> Error messages (e.g. 404) don't appear in my IE without OK-ing an
>>>>> ActiveX prompt.
>>>> Interesting. How did you get such a configuration?
>>> By tweaking the registry values under ...\Internet Settings\Zones\0
>> And which exactly? I configured everything possible for the Local Zone,
>> including everything from IE's GUI as well as all group policies.
>
> Changing the 'Flags' value in zone 0[1] to 0x47 causes the 'My
> Computer' icon to appear on the security tab in the Internet settings
> dialog. You can then manipulate the settings as for other zones. I've
> set the running of ActiveX to 'prompt'.
Please tell news. Even deactivating ActiveX there changes nothing about
these special ActiveX Controls.
> I've disabled DCOM using dcomcnfg.
No, you've disabled binding DCOM to network protocols.
Re: How to prevent my information from being accessed by webpages
"Sebastian G." wrote:
> Ant wrote:
>> Changing the 'Flags' value in zone 0[1] to 0x47 causes the 'My
>> Computer' icon to appear on the security tab in the Internet settings
>> dialog. You can then manipulate the settings as for other zones. I've
>> set the running of ActiveX to 'prompt'.
>
> Please tell news. Even deactivating ActiveX there changes nothing about
> these special ActiveX Controls.
It produces the prompt to allow/disallow running.
>> I've disabled DCOM using dcomcnfg.
>
> No,
Yes.
> you've disabled binding DCOM to network protocols.
How to prevent my information from being accessed by webpages 
Linear Mode
