  1. #21
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Sam, you articulated so many points in that post perfectly.

    And you'll get no argument from me.

    That post of mine was to indicate that none of NGFW's tools are magically going to start mitigating this threat to privacy. Because none of the underlying tech will. That activity is what oils the machine.

    The task is addressing the problem without breaking things.
    Well, something is going to get broken, just not too much to be intolerable.

    F1A probably has a good approach, for awareness and control:
    Not allowing .js breaks the majority of sites.
    NoScript initially blocks each site's attempt to run .js until I decide...
    I have said before; once you understand enough about the tech, you will realize the only real solution is to turn off the lights (they are smart too), walk away, and go live in the woods.
    Sam Graf and f1assistance like this.

  2. #22
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,134

    Quote Originally Posted by Jim.Alles View Post
    Well, something is going to get broken, just not too much to be intolerable.
    Very good point. The whole goal, in a nutshell, is to break something.

    Part of the problem is my attitude. I was totally happy with AltaVista.
    f1assistance likes this.

  3. #23
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Quote Originally Posted by tangofan View Post
    Sam, thanks so much for your response and for mentioning the "Block Sites" tab. When I tried this yesterday with the "Rules" tab (no SSL Inspector here) for a random domain, it didn't work for https URLs, but only for http URLs.

    I'm actually amazed how it can work on the Blocked Sites tab, because in my limited understanding the request URL itself is actually encrypted, so I'm not sure how Web Filter would be able to apply that filter on an https request w/o SSL Inspector. It appears to me that it must have something to do with the SSL certificate...
    The URL is encrypted in the request. But the domain (FQDN) is not (think DNS resolution). Webfilter can also glean info from the certificate, if you enable that checkbox. Look here: http://wiki.untangle.com/index.php/Web_Filter#HTTPS_Options


    So wouldn't a Block Filter of
    Code:
    *online-metrix.net*
    in Web Filter do the job? Or does Web Filter only block the response, not the request (which would be needed here)?
    We need specific names of tabs here, things work differently between Rules and block/pass Sites.

    Watch, you don't need asterisks here, they aren't the wildcards you think they are.
    This is an offshoot of a mega-thread: https://forums.untangle.com/web-filter/42644-url-matcher.html
    Last edited by Jim.Alles; 05-26-2020 at 03:27 PM.

  4. #24
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Quote Originally Posted by Sam Graf View Post
    Part of the problem is my attitude. I was totally happy with AltaVista.
    I want my analog bag phone.

  5. #25
    Untangler
    Join Date
    Jan 2020
    Location
    San Jose, CA
    Posts
    94

    Quote Originally Posted by Sam Graf View Post
    But to me this all gets a little murky pretty quickly in terms of our expectations of the various tools at hand, both within Untangle and beyond.

    First, as Jim points out, eBay isn't doing anything illegal. That is plainly part of the conversation.
    Sam, thanks so much for your very thoughtful and nuanced response.

    Whether eBay isn't doing anything illegal might depend on the laws of your country and state. In the U.S. I'm assuming they're in the clear; in other countries (especially EU countries with their stricter data protection laws) the story might be different. But perhaps they're not running that script there.

    However, for me, that's a non-issue in terms of network security. In the context of network security, is everything that is perfectly legal also perfectly desirable? Is there anything unlawful about attempting to mitigate perfectly legal actions on one's own network? Is it, for example, illegal or even unethical to block tracking mechanisms if one simply prefers not to be tracked?
    I take it that these questions are largely or even entirely rhetorical.

    And parenthetically, just to be clear, I think the "I have nothing to hide" line of thought isn't terribly robust. It pretty quickly sounds like the thing it actually is if we put it correctly: "I have nothing to protect."
    Indeed!!! Everybody has something to "hide" and it's perfectly ethical to do so (in my not so humble opinion on this topic).

    Second, there are two possible issues here: the question of port scanning and the question of marketing/tracking. To me, blocking online-metrix.net is a privacy issue, a marketing/tracking issue. Blocking a JavaScript library delivered through eBay that enables, among other things, localhost port scanning is a network security issue. I think that's important because that will help inform our decisions about mitigation tools, or how high on the mitigation priority list the item is.
    A very good distinction. My (perhaps inaccurate) understanding is that online-metrix.net is receiving the results of the port scan and thus for me it was the more practical question of whether I want to interrupt the execution of the undesired activity or the transmission of its results. Certainly the first is preferable, but the second would be a fallback option.


    So my approach is to target as narrowly as possible the behavior I object to. If my chief concern is the whole gamut of online-metrix.net services, I'm going to think about Ad Blocker on Untangle and browser privacy plugins. If I decide eBay doing port scans is unacceptable, I'm going to target eBay. But that's just me.
    Totally agree as long as that's doable in a reasonable manner.

    All that to say, the engineers here will look at this one way. To me, it's all a little murky in terms of an appropriate response.
    As an engineer by trade, I'm indeed inclined to a practical approach and I would go with "as targeted as possible and as broad as necessary". So if filtering out this eBay script with Untangle works for me, then that's the way to go. If that doesn't work, and it needs filtering/blocking of online-metrix.net, then I'd go for it. But perhaps that's not too far from what you're suggesting.

  6. #26
    Untangler
    Join Date
    Jan 2020
    Location
    San Jose, CA
    Posts
    94

    Quote Originally Posted by Jim.Alles View Post
    The URL is encrypted in the request. But the domain is not (think DNS resolution). Webfilter can also glean info from the certificate, if you enable that checkbox. Look here: http://wiki.untangle.com/index.php/Web_Filter#HTTPS_Options
    More stuff to learn. Cool.

    We need specific names of tabs here, things work differently between Rules and block/pass Sites.
    Sorry I meant the "Block Sites" tab. Is there any more in-depth explanation of the differences between the various tabs? The WIKI Help Documentation seems rather brief.

    Watch, you don't need asterisks here, they aren't the wildcards you think they are.
    This is an offshoot of a mega-thread: https://forums.untangle.com/web-filter/42644-url-matcher.html
    Thanks so much for the warning, I would have never noticed.

    Of course the WIKI always explains how the input is interpreted, but it would be really nice to have some sort of indicator within the Untangle web interface. Perhaps a tooltip on or an icon next to the field name.

    Of course I am perfectly capable of overlooking even the clearest such indicator...

  7. #27
    Untangle Ninja
    Join Date
    Feb 2016
    Posts
    1,134

    Quote Originally Posted by tangofan View Post
    Whether eBay isn't doing anything illegal might depend on the laws of your country and state. In the U.S. I'm assuming they're in the clear; in other countries (especially EU countries with their stricter data protection laws) the story might be different. But perhaps they're not running that script there.... I take it that these questions are largely or even entirely rhetorical.
    I'm not a lawyer, but from a purely practical point of view, it would seem to me all but impossible to make port scans illegal. Privacy laws are a different matter, though, as you point out.

    I think those questions are rhetorical. I think eBay probably would not.

  8. #28
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Quote Originally Posted by tangofan View Post
    Of course the WIKI always explains how the input is interpreted, but it would be really nice to have some sort of indicator within the Untangle web interface. Perhaps a tooltip on or an icon next to the field name.

    Of course I am perfectly capable of overlooking even the clearest such indicator...
    The Wiki is brief, but that is about all we have.

    And if you had come to the conclusion that you found experts on the above thread;
    1. This thread will likely change that opinion starting about here: https://forums.untangle.com/off-topic/42635-sites-google-com-3.html#post238776
    2. You might have to define expert differently

    speaking strictly for me:
    Ex = has-been
    Spurt = drip under pressure
    Last edited by Jim.Alles; 05-26-2020 at 03:29 PM.

  9. #29
    Untangler
    Join Date
    Jan 2020
    Location
    San Jose, CA
    Posts
    94

    Quote Originally Posted by Sam Graf View Post
    I'm not a lawyer, but from a purely practical point of view, it would seem to me all but impossible to make port scans illegal. Privacy laws are a different matter, though, as you point out.
    I'm not a lawyer either, but isn't that how most laws work, that is that context matters? E.g. there is (I assume) no law that forbids throwing a rock into a window, but if you do that to someone else's window, it's illegal damage of foreign property.
    Jim.Alles likes this.

  10. #30
    Untangler
    Join Date
    Jan 2020
    Location
    San Jose, CA
    Posts
    94

    Quote Originally Posted by Jim.Alles View Post
    And if you had come to the conclusion that you found experts on the above thread;
    1. This thread will likely change that opinion
    You absolutely had to crush my illusions, didn't you?

    Seriously though, that was a very interesting thread.

    2. You might have to define expert differently

    speaking strictly for me:
    Ex = has-been
    Spurt = drip under pressure
    As the old saying goes: "Among the blind, the one-eyed is king." And I'm definitely not among the one-eyed here, yet.
    Jim.Alles likes this.
