
(OT) How web trackers exploit password managers


John Corliss

Jan 1, 2018, 6:54:09 AM
"Most web browsers come with a built-in password manager, a basic tool
to save login data to a database and fill out forms and/or sign in to
sites automatically using the information that is in the database.

Users who want more functionality rely on third-party password managers
like LastPass, KeePass or Dashlane. These password managers add
functionality, and may install as browser extensions or desktop programs.

Research from Princeton's Center for Information Technology Policy
suggests that newly discovered web trackers exploit password managers to
track users."

Full article is here:

https://www.ghacks.net/2017/12/31/how-web-trackers-exploit-password-managers

--
John Corliss BS206. No ad, CD, commercial, cripple, demo, nag, pirated,
share, spy, time-limited, trial or web wares for me please. I filter out
posts originating from Google Groups and recommend you do likewise. I
also block (can't see & won't reply to) posts from the following people:
»Q«, Kasey, FredW and BurfordTJustice.

Shadow

Jan 1, 2018, 10:18:47 AM
On Mon, 1 Jan 2018 03:53:42 -0800, John Corliss <r9j...@yahoo.com>
wrote:

>"Most web browsers come with a built-in password manager, a basic tool
>to save login data to a database and fill out forms and/or sign in to
>sites automatically using the information that is in the database.
>
>Users who want more functionality rely on third-party password managers
>like LastPass, KeePass or Dashlane. These password managers add
>functionality, and may install as browser extensions or desktop programs.
>
>Research from Princeton's Center for Information Technology Policy
>suggests that newly discovered web trackers exploit password managers to
>track users."
>
>Full article is here:
>
>https://www.ghacks.net/2017/12/31/how-web-trackers-exploit-password-managers

I thought the flaw was known from the beginning. Obviously
anything built to send your password automatically when it accesses a
site will do just that. I presumed the "managers" popped up some kind
of warning of the type "this site is requesting your Nitter password.
Do you allow Nitter to know you are visiting this site ?" Or something
to that effect.
It's what all those "Login with X" where X can be glugle,
fakekook twitt or whatever do. Or even "like us on tracker X".
The tracking done by Google's DNS servers is far harder to
detect. And probably yields more personal data. Which is why I would
NEVER use google DNS.
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012

Mr. Man-wai Chang

Jan 1, 2018, 1:05:11 PM
On 1/1/2018 19:53, John Corliss wrote:
> "Most web browsers come with a built-in password manager, a basic tool
> to save login data to a database and fill out forms and/or sign in to
> sites automatically using the information that is in the database.
>...

Just don't let web browsers store passwords! You should never do that
anyway.

--
@~@ Remain silent! Drink, Blink, Stretch! Live long and prosper!!
/ v \ Simplicity is Beauty!
/( _ )\ May the Force and farces be with you!
^ ^ (x86_64 Ubuntu 9.10) Linux 2.6.39.3
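No borrowing! No fraud! No compensated dating! No fighting! No robbery! No suicide! Please consider Comprehensive Social Security Assistance (CSSA):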
http://www.swd.gov.hk/tc/index/site_pubsvc/page_socsecu/sub_addressesa

John Corliss

Jan 2, 2018, 4:13:43 AM
Mr. Man-wai Chang wrote:
> On 1/1/2018 19:53, John Corliss wrote:
>> "Most web browsers come with a built-in password manager, a basic tool
>> to save login data to a database and fill out forms and/or sign in to
>> sites automatically using the information that is in the database.
>> ...
>
> Just don't let web browsers store passwords! You should never do that
> anyway.

Sounds to me like browsers should always pop up a login so that you can
see it. That would put an end to this kind of nonsense real quickly.

John Corliss

Jan 2, 2018, 4:14:12 AM
John Corliss wrote:
> Mr. Man-wai Chang wrote:
>> On 1/1/2018 19:53, John Corliss wrote:
>>> "Most web browsers come with a built-in password manager, a basic tool
>>> to save login data to a database and fill out forms and/or sign in to
>>> sites automatically using the information that is in the database.
>>> ...
>>
>> Just don't let web browsers store passwords! You should never do that
>> anyway.
>
> Sounds to me like browsers should always pop up a login so that you can
> see it. That would put an end to this kind of nonsense real quickly.

Make that "see it and have to approve it."

Mr. Man-wai Chang

Jan 2, 2018, 10:23:16 AM
On 2/1/2018 17:13, John Corliss wrote:
>>
>> Sounds to me like browsers should always pop up a login so that you can
>> see it. That would put an end to this kind of nonsense real quickly.
>
> Make that "see it and have to approve it."

Not talking about the standard login prompt which nobody could avoid. I
meant not letting the browsers store passwords in their data profile. :)

John Corliss

Jan 3, 2018, 5:47:57 AM
Mr. Man-wai Chang wrote:
> John Corliss wrote:
>>>
>>> Sounds to me like browsers should always pop up a login so that you can
>>> see it. That would put an end to this kind of nonsense real quickly.
>>
>> Make that "see it and have to approve it."
>
> Not talking about the standard login prompt which nobody could avoid. I
> meant not letting the browsers store passwords in their data profile. :)

Well, I happen to *like* allowing my browser to store passwords for
websites that aren't critical, so I disagree with you.

If browsers are sending in logins without showing the user what they're
doing, then that's an obvious problem with what (to me at least) seems
like an obvious solution: have the browser show the user every login,
hidden or not... and which third party tracking script is making them do
it when that happens.

Shadow

Jan 3, 2018, 8:19:17 AM
On Wed, 3 Jan 2018 02:47:26 -0800, John Corliss <r9j...@yahoo.com>
wrote:

>Mr. Man-wai Chang wrote:
>> John Corliss wrote:
>>>>
>>>> Sounds to me like browsers should always pop up a login so that you can
>>>> see it. That would put an end to this kind of nonsense real quickly.
>>>
>>> Make that "see it and have to approve it."
>>
>> Not talking about the standard login prompt which nobody could avoid. I
>> meant not letting the browsers store passwords in their data profile. :)
>
>Well, I happen to *like* allowing my browser to store passwords for
>websites that aren't critical, so I disagree with you.
>
>If browsers are sending in logins without showing the user what they're
>doing, then that's an obvious problem with what (to me at least) seems
>like an obvious solution: have the browser show the user every login,
>hidden or not... and which third party tracking script is making them do
>it when that happens.

You'd have to use a browser that wasn't specifically designed
to track you if you expect that sort of behavior.
Yet you use Mozilla/Google ? Hum ....

Mr. Man-wai Chang

Jan 3, 2018, 11:21:39 AM
On 3/1/2018 18:47, John Corliss wrote:
> Well, I happen to *like* allowing my browser to store passwords for
> websites that aren't critical, so I disagree with you.

Do the same to your bank accounts? :)

> If browsers are sending in logins without showing the user what they're
> doing, then that's an obvious problem with what (to me at least) seems
> like an obvious solution: have the browser show the user every login,
> hidden or not... and which third party tracking script is making them do
> it when that happens.

You don't need to argue with me. I would not listen. No passwords in
browsers' data profile, PERIOD! :)

John Corliss

Jan 4, 2018, 3:05:07 AM
Mr. Man-wai Chang wrote:
> John Corliss wrote:
>> Well, I happen to *like* allowing my browser to store passwords for
>> websites that aren't critical, so I disagree with you.
>
> Do the same to your bank accounts? :)

Perhaps you missed where I said "passwords for websites that *aren't
critical*"

>> If browsers are sending in logins without showing the user what they're
>> doing, then that's an obvious problem with what (to me at least) seems
>> like an obvious solution: have the browser show the user every login,
>> hidden or not... and which third party tracking script is making them do
>> it when that happens.
>
> You don't need to argue with me. I would not listen. No passwords in
> browsers' data profile, PERIOD! :)

I don't bank online or conduct any business of a sensitive nature
online. Thus, the passwords that I have stored are to websites and
forums which are not of a sensitive nature either.

For convenience' sake, I like having logins filled in automatically.
However, even that has been ruined by trackers.

John Corliss

Jan 4, 2018, 3:07:27 AM
Shadow wrote:
> John Corliss wrote:
>> Mr. Man-wai Chang wrote:
>>> John Corliss wrote:
>>>>>
>>>>> Sounds to me like browsers should always pop up a login so that you can
>>>>> see it. That would put an end to this kind of nonsense real quickly.
>>>>
>>>> Make that "see it and have to approve it."
>>>
>>> Not talking about the standard login prompt which nobody could avoid. I
>>> meant not letting the browsers store passwords in their data profile. :)
>>
>> Well, I happen to *like* allowing my browser to store passwords for
>> websites that aren't critical, so I disagree with you.
>>
>> If browsers are sending in logins without showing the user what they're
>> doing, then that's an obvious problem with what (to me at least) seems
>> like an obvious solution: have the browser show the user every login,
>> hidden or not... and which third party tracking script is making them do
>> it when that happens.
>
> You'd have to use a browser that wasn't specifically designed
> to track you if you expect that sort of behavior.
> Yet you use Mozilla/Google ? Hum ....

These people:

https://www.w3.org/standards/techs/html#w3c_all

need to start thinking more about end users rather than website authors
so much.

Mr. Man-wai Chang

Jan 4, 2018, 5:30:34 AM
On 4/1/2018 16:04, John Corliss wrote:
> I don't bank online or conduct any business of a sensitive nature
> online. Thus, the passwords that I have stored are to websites and
> forums which are not of a sensitive nature either.
>
> For convenience' sake, I like having logins filled in automatically.
> However, even that has been ruined by trackers.

Bad habit!!! Anyway, it's your choice! :)

John Corliss

Jan 5, 2018, 1:49:17 AM
Mr. Man-wai Chang wrote:
> John Corliss wrote:
>> I don't bank online or conduct any business of a sensitive nature
>> online. Thus, the passwords that I have stored are to websites and
>> forums which are not of a sensitive nature either.
>>
>> For convenience' sake, I like having logins filled in automatically.
>> However, even that has been ruined by trackers.
>
> Bad habit!!! Anyway, it's your choice! :)

How is it a bad habit if I have the self discipline to refrain from
engaging in business of a personally confidential or critical nature on
the internet?

Who gives one shit about the password to a forum for discussion of old
trucks for example?

Also, as for the tracking scripts, most of them are dealt with by
adblockers like uBlock Origin.

Then there's this:

https://motherboard.vice.com/en_us/article/595ggz/snowdens-favorite-ad-blocker-can-now-automatically-detect-new-tracking-scripts