browser leak tester

Seek assistance with all types of tech. - computer, phone, TV, heating controls etc.
Infrasonic
Lemon Quarter
Posts: 4485
Joined: November 4th, 2016, 2:25 pm
Has thanked: 647 times
Been thanked: 1264 times

browser leak tester

#463853

Postby Infrasonic » December 7th, 2021, 1:23 pm

Courtesy of a Steve Gibson (GRC) posted link - a 37 point online browser test. https://xsinator.com/testing.html

I've just run one in full fat mode with all my Chrome extensions/flags on, so I'll run a few with different browsers/setups and find the sweet spots security wise. The first run had more issues than I was expecting (!) so I'll have to spend some time analysing the cost/benefits...

RockRabbit
Lemon Slice
Posts: 412
Joined: December 31st, 2019, 9:10 am
Has thanked: 1293 times
Been thanked: 366 times

Re: browser leak tester

#463870

Postby RockRabbit » December 7th, 2021, 1:55 pm

Thank you for providing this link.

I have just run it on a Linux/FF set up and the results were not good either, although I have difficulty understanding all of the tests! My FF setup is as locked down as is possible (without extensions) so I'll have to look further into this as well.

Re: browser leak tester

#463875

Postby Infrasonic » December 7th, 2021, 2:03 pm

RockRabbit wrote:
> Thank you for providing this link.
>
> I have just run it on a Linux/FF set up and the results were not good either, although I have difficulty understanding all of the tests! My FF setup is as locked down as is possible (without extensions) so I'll have to look further into this as well.


I'm guessing here but I'd be surprised if it's possible to score 100% (or near) with a browser that is still of use for general browsing.

Where it might come in handy is for an ultra secure VPN/E2E encrypted type environment analysis where restricted browser functionality might be less of an issue?

Re: browser leak tester

#463883

Postby RockRabbit » December 7th, 2021, 2:48 pm

Infrasonic wrote:
> I'm guessing here but I'd be surprised if it's possible to score 100% (or near) with a browser that is still of use for general browsing.

Probably. Out of interest I ran the test on a straight 'out of box' Gnome browser on Linux and got 23 possible "exploitables" out of 37. FF (locked down) still gave 15! Want to try with TOR, but I no longer have access to that browser.

I guess the moral here is to avoid 'suspect' web sites as far as possible.

mc2fool
Lemon Half
Posts: 7882
Joined: November 4th, 2016, 11:24 am
Has thanked: 7 times
Been thanked: 3041 times

Re: browser leak tester

#463891

Postby mc2fool » December 7th, 2021, 3:08 pm

Hmmm....

Firefox 95: 16
Chrome 96: 23

Firefox only had 2 problems that Chrome didn't: WebSocket Leak (FF) and Cache Leak (CORS).

Now, what does it all mean?!? :o

Re: browser leak tester

#463894

Postby Infrasonic » December 7th, 2021, 3:24 pm

RockRabbit wrote:
> Want to try with TOR, but I no longer have access to that browser.
>
> I guess the moral here is to avoid 'suspect' web sites as far as possible.


Brave has a TOR mode (my default browser on my Chrome OS Debian Linux crostini container). However there are a load of compromised TOR exit nodes floating around out there so that has its own issues security wise!
https://www.google.com/search?q=comprom ... nt=gws-wiz

Re: browser leak tester

#463899

Postby Infrasonic » December 7th, 2021, 3:38 pm

Security Now will be covering this whole topic in their next weekly episode - out tomorrow... https://www.youtube.com/c/securitynow/videos

Re: browser leak tester

#463922

Postby Infrasonic » December 7th, 2021, 5:28 pm

Just as an experiment I blocked everything in site settings in Chrome and it made hardly any difference. I had to unblock JavaScript to get the test site to work (unsurprisingly), but other than that it only scored 2 less potential exploits than previously.

One thing I've done now is to go across all Chromium-based browsers' security settings and change downloads from 'ask permission' to a global block - you'll get a visual block alert in the URL bar anyway so can allow list temporarily as needed and then remove the site permission after downloading if you want.

I think most of these potential exploits are 'theoretical' lab based ones rather than zero day exploits currently in use.
Chrome had a zero day security update today - there are plenty of them around across the browser spectrum but I don't think this site is exposing them - I'll find out more tomorrow with Mr Gibson's analysis.

Lanark
Lemon Quarter
Posts: 1330
Joined: March 27th, 2017, 11:41 am
Has thanked: 598 times
Been thanked: 585 times

Re: browser leak tester

#463926

Postby Lanark » December 7th, 2021, 5:45 pm

Steve Gibson is not highly regarded in security circles. He is constantly crying wolf over things that are not remotely important: call the FBI someone can use code to see the size of an image on the internet.

http://attrition.org/errata/charlatan/steve_gibson/

> Steve Gibson is somewhat of a "fringe" charlatan. In some professional security circles, he is not considered a reputable security professional, rather more of a snake oil salesman peddling third-rate software with bold claims. While many of his claims are a bit outlandish or bold, few, if any, are demonstrably false. However, when asked to speak on security topics, Gibson is getting adept at putting his foot in his mouth. A single amusing quote may be laughable, but a series of them begin to paint a picture of someone who doesn't really understand security. Rather, he seems to know enough buzzwords and ideas to be dangerous to his clients.

Re: browser leak tester

#463934

Postby Infrasonic » December 7th, 2021, 6:05 pm

Lanark wrote:
> Steve Gibson is not highly regarded in security circles. He is constantly crying wolf over things that are not remotely important: call the FBI someone can use code to see the size of an image on the internet.
>
> http://attrition.org/errata/charlatan/steve_gibson/
>
> > Steve Gibson is somewhat of a "fringe" charlatan. In some professional security circles, he is not considered a reputable security professional, rather more of a snake oil salesman peddling third-rate software with bold claims. While many of his claims are a bit outlandish or bold, few, if any, are demonstrably false. However, when asked to speak on security topics, Gibson is getting adept at putting his foot in his mouth. A single amusing quote may be laughable, but a series of them begin to paint a picture of someone who doesn't really understand security. Rather, he seems to know enough buzzwords and ideas to be dangerous to his clients.


In his early days I'd agree - he's more on it now and I always reference full-time IT security professionals' opinions against Gibson's.
You'll always get a range of opinions - look at how many technical/security spats Linus Torvalds (Linux) gets into with others who have the technical chops to argue against him...

Re: browser leak tester

#464130

Postby Infrasonic » December 8th, 2021, 7:13 am

The 18 page white paper PDF behind this test site is here... https://dl.acm.org/doi/abs/10.1145/3460120.3484739

It's quite dense - way more than a quick five minute read.

If you just want a quick understanding of what the test results reveal go to page 15 onwards where they have an expanded explanation of each test and some good tables for different OS/browser results.

My takeaway is that most of the security issues are JavaScript related - unfortunately well over 90% of websites out there use it so turning JS off globally in your browser(s) may well break many sites. Whenever I've experimented with turning JS off it's been a very frustrating experience that has led me to turn JS back on...

jamesbone
Posts: 2
Joined: January 9th, 2022, 8:35 am

Re: browser leak tester

#471499

Postby jamesbone » January 9th, 2022, 8:53 am

Infrasonic wrote:
> Courtesy of a Steve Gibson (GRC) posted link - a 37 point online browser test.
>
> I've just run one in full fat mode with all my Chrome extensions/flags on, so I'll run a few with different browsers/setups and find the sweet spots security wise. The first run had more issues than I was expecting (!) so I'll have to spend some time analysing the cost/benefits...


Really Cool

Re: browser leak tester

#488900

Postby Infrasonic » March 24th, 2022, 3:16 pm

I'll add this on here, even though it's from a different source to the op link. It gets updated monthly.

https://privacytests.org/

What is PrivacyTests.org?

Most web browsers leak your identity and your browsing history, but some browsers are more leaky than others.

The goal of PrivacyTests.org is to understand in detail: what data is each web browser leaking? Which web browsers offer the best privacy protections?

PrivacyTests.org is an open-source initiative that subjects popular web browsers to a suite of automated tests. These tests are designed to audit web browsers' privacy properties in an unbiased manner. The results of the tests are made public to help users make an informed choice about which browser to use, and to encourage browser makers to fix leaks of private user data...

Cont.

