Is this new Firefox feature a security hole?

  1. #1
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743

    Is this new Firefox feature a security hole?

    OK, this question comes from the information found here and here:

    I first heard about it in a couple of posts on another forum on this thread

    Basically, is FF or Mozilla pre-caching a good idea..

    Now Google's faster than ever on Firefox and Mozilla browsers. When you do a search on these browsers, we instruct them to download your top search result in advance, so if you click on it, you'll get to that page even more quickly.

    I'm not so sure I like this idea. It's basically the "I feel lucky" option with an extra click. On a broadband connection, would I even notice the difference? On a dial-up connection, which I had to suffer with last week, it would impose a performance penalty. I'd prefer it if this were an option.

    And why only for Firefox? Is there a technical reason why this can't be done for another browser?

    Updated: The more I think about this, the less I like it. What if the top search result contains content that is objectionable? If I do a perfectly legitimate search on my work computer, I have the option to avoid downloading that page based on its summary and title. But if the page downloads for me, it goes through my company's proxy servers, where it gets logged as something I downloaded. It's also cached on my computer. If that page happens to include porn or other unwanted content, I could get in serious trouble and even lose my job, even though I am completely innocent
    and

    Let me repeat that: I clicked on a link in one page, and Firefox silently, without any indication to me, downloaded a large executable file in the background and placed it in my browser's cache.

    I repeated the experiment with a much larger executable file (10MB) from a different third-party Web site, using a completely clean Firefox profile. Same result.

    If you were to click on the link to my test page using Firefox, that executable code would be on your computer, downloaded from a site you never chose to visit. Now, let me be clear: That code isn't an immediate danger. There's no way I'm aware of for it to execute. At least not now. But if I were a bad guy, I'd be working my tail off to figure out how to get that code to execute - or to trick you into running it. I'd also be looking at other creative ways to exploit the fact that I can get you to download scripts and other content from a third-party site that you never even realized you visited. And I would surely be thinking of how I could get my pages to appear at the top of a Google search window, where they would automatically be prefetched by Firefox.

    This is not a good thing.
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
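
    One way to check a page for the prefetch hints discussed in the post above. This is an added example, not part of the original thread: it lists every `<link rel="prefetch">` / `<link rel="next">` target (the rel values Mozilla's link prefetching acts on) and flags the ones that point at a different origin. The function names, sample page and hostnames are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PREFETCH_RELS = {"prefetch", "next"}   # rel values that trigger link prefetching
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample input (hypothetical hosts), not taken from the thread.
SAMPLE_PAGE_URL = "http://search.example/results?q=test"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="prefetch" href="http://files.example.net/setup.exe">
<link rel="next" href="/results?page=2" />
</head><body>results</body></html>
"""


class PrefetchHintParser(HTMLParser):
    """Collects the absolute URL of every prefetch hint in a document."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hints = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        rels = set(a.get("rel", "").lower().split())
        if rels & PREFETCH_RELS and a.get("href"):
            self.hints.append(urljoin(self.page_url, a["href"]))


def origin(url):
    """(scheme, host, port) with the default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))


def audit_prefetch(page_url, html):
    """Return [(target_url, is_cross_origin)] for each prefetch hint."""
    parser = PrefetchHintParser(page_url)
    parser.feed(html)
    return [(u, origin(u) != origin(page_url)) for u in parser.hints]


if __name__ == "__main__":
    for url, cross in audit_prefetch(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("CROSS-ORIGIN" if cross else "same-origin ", url)
```
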

  2. #2
    Senior Member
    Join Date
    Feb 2004
    Posts
    270
    Sounds dangerous but it could be a nice option.

    Maybe if Firefox would warn you and you could choose to allow or disallow and always allow or disallow for certain sites or file types or both.

    That would be a nice thing.
    Since the beginning of time, Man has searched for the answers to the big questions: 'How did we get here?' 'Is there life after death?' 'Are we alone?' But today, in this very theatre, you will be asked to answer the biggest question of them all...WHO LIVES IN A PINEAPPLE UNDER THE SEA?

  3. #3
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    It definitely needs to have the ability to be toggled and needs to be toggled off by default, IMHO. If not for security concerns, then the bandwidth concerns.

    - Xierox
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  4. #4
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    discussion here:

    http://www.mozillazine.org/talkback.html?article=6310

    also from the site I listed how to prevent the "potential" problems
    Google Help explains how to disable this feature in Firefox:

    1. Type "about:config" in the address bar.
    2. Scroll down to the setting "network.prefetch-next" and set the value to "False".

    The default should be off, not on, in my opinion. A browser should never, ever download content from a site that you didn't specifically choose to visit. What are Google's developers thinking?
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
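
    A way to verify that the setting from the post above is actually in effect for a profile. This is an added example, not part of the original thread: it reads the `user_pref(...)` lines in a Firefox profile's `prefs.js` and `user.js` and reports whether `network.prefetch-next` is still on. The function names are hypothetical; the sketch assumes `user.js` overrides `prefs.js` and that an unset pref means the default, which is on.

```python
import re
from pathlib import Path

PREF_NAME = "network.prefetch-next"
# Matches lines such as: user_pref("network.prefetch-next", false);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def read_pref(text, name):
    """Return the last value assigned to `name` in a prefs file, or None."""
    value = None
    for line in text.splitlines():
        m = PREF_LINE.match(line)   # commented-out lines do not match
        if m and m.group(1) == name:
            value = m.group(2)
    return value


def prefetch_enabled(prefs_js="", user_js=""):
    """True if link prefetching is on given the two files' contents."""
    value = read_pref(user_js, PREF_NAME)       # user.js wins when it sets the pref
    if value is None:
        value = read_pref(prefs_js, PREF_NAME)
    # Unset means the browser default applies, and the default is on.
    return value is None or value.lower() != "false"


def audit_profile(profile_dir):
    """Apply prefetch_enabled() to the pref files found in a profile directory."""
    texts = []
    for fname in ("prefs.js", "user.js"):
        path = Path(profile_dir) / fname
        texts.append(path.read_text(encoding="utf-8", errors="replace")
                     if path.is_file() else "")
    return prefetch_enabled(*texts)


if __name__ == "__main__":
    # Constructed sample contents, not taken from a real profile.
    hardened = 'user_pref("network.prefetch-next", false);\n'
    print("default profile :", prefetch_enabled())
    print("hardened profile:", prefetch_enabled(prefs_js=hardened))
```
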

  5. #5
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    I am surprised that this topic has not raised more discussion..

    is this where AO has come.. or just a lost thread in a dynamic AO
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
