Consider this thing

2 views
Skip to first unread message

FDIMM

unread,
Nov 13, 2009, 3:44:08 PM11/13/09
to Firebug
Hello,
I am using "firebug" and i can tell only good things about it :)
It is very powerfull, even too powerfull if you want to prevent users
from hacking...

The reason why I am writing is firebug dedection... Why there is no
way to detect it ? You can only detect it if console is enabled, and
you can bypass this easily!

So i suggest to consider this, and implement a way to detect and
prevent users from using it. It's meant for debuging not breaking
security of the site. Isn't?

Just set window.firebug to true and that would help a lot!

FDIMM

John J Barton

unread,
Nov 13, 2009, 4:54:43 PM11/13/09
to Firebug


On Nov 13, 12:44 pm, FDIMM <fdi...@gmail.com> wrote:
> Hello,
>  I am using "firebug" and i can tell only good things about it :)
> It is very powerfull, even too powerfull if you want to prevent users
> from hacking...
>
> The reason why I am writing is firebug dedection... Why there is no
> way to detect it ? You can only detect it if console is enabled, and
> you can bypass this easily!

I would describe this feature differently: The Firebug Console disable
feature is designed to protect user privacy. As a user of Firebug you
should know that the Console adds a 'console' property to the Web page
window and this property can be tested by Web page Javascript. If you
do not want a Web page to detect your use of Firebug, disable the
Firebug Console.

>
> So i suggest to consider this, and implement a way to detect and
> prevent users from using it. It's meant for debuging not breaking
> security of the site. Isn't?

Firebug is designed for debugging and has no features designed to
defeat site security. All of the operations performed by Firebug are
either local to a user's machine or standard Web API operations.

FDIMM

unread,
Nov 13, 2009, 5:18:49 PM11/13/09
to Firebug
You dont understand................
I have no problems with it..
With firebug you can track every! http request which at some point
isn't good for developer..
Also with the help of this tool you can see all the javascript
functions/object/variables so you can't hide anything!
If firebug is designed for debugging purposes why can't we detect
it? ;) not just console but at all firebug huh? answer this :)

John J Barton

unread,
Nov 13, 2009, 5:44:37 PM11/13/09
to Firebug


On Nov 13, 2:18 pm, FDIMM <fdi...@gmail.com> wrote:
> You dont understand................
> I have no problems with it..
> With firebug you can track every! http request which at some point
> isn't good for developer..

Sorry I don't understand why tracking an http request would not be
good for a developer.

> Also with the help of this tool you can see all the javascript
> functions/object/variables so you can't hide anything!

I'm confused by this. "...you can see...you can't hide..."? I guess
you meant: "With Firebug a user can see all of my javascript functions/
objects/variable so I can't hide anything". Well, yes, we do our
best.

I think you are on the wrong track if you expect to control user's
access to Web markup or Javascript.

> If firebug is designed for debugging purposes why can't we detect
> it? ;) not just console but at all firebug huh? answer this :)

You can detect Firebug if the user wishes to allow it (by enabling the
Console). It's the user's browser, not Firebug's and not yours.

jjb

Brian L. Matthews

unread,
Nov 13, 2009, 6:17:25 PM11/13/09
to fir...@googlegroups.com
On 11/13/09 2:18 PM, FDIMM wrote:
> You dont understand................
> I have no problems with it..
> With firebug you can track every! http request which at some point
> isn't good for developer..
>

On the contrary, it's great for the developer.

> Also with the help of this tool you can see all the javascript
> functions/object/variables so you can't hide anything!
>

That's how browsers and the internet work.

> If firebug is designed for debugging purposes why can't we detect
> it? ;) not just console but at all firebug huh? answer this :)
>

Go read about TamperData, HttpFox, tcpdump, telnet... The only thing
detecting Firebug would get you is a false sense of security.

Brian

FDIMM

unread,
Nov 14, 2009, 6:18:14 AM11/14/09
to Firebug
>Go read about TamperData, HttpFox, tcpdump, telnet... The only thing
>detecting Firebug would get you is a false sense of security.

yeah right... its not good to detect it. Let the user see/take/edit
EVERYTHING you use in the site.REALY good point.
False sense of security ? doesn't make sense at all. Preventing user
from seeing the code lowers the security? WOW
It seems that you and javascript are enemies

Hernan Rodriguez Colmeiro

unread,
Nov 14, 2009, 10:14:02 AM11/14/09
to fir...@googlegroups.com
If you want to lock the users of your webpage, and not letting them to
view the source, I'm afraid you chose the wrong technology. The web is
ment to be free and open to anyone to see it's source, and I think is
not in the firebug's objectives to give a mechanism to inhibit it's
users from doing so.

Hernan

PS: What I said is just my own opinion…

Brian L. Matthews

unread,
Nov 14, 2009, 9:17:05 PM11/14/09
to fir...@googlegroups.com
On 11/14/09 3:18 AM, FDIMM wrote:
>> Go read about TamperData, HttpFox, tcpdump, telnet... The only thing
>> detecting Firebug would get you is a false sense of security.
>>
> yeah right... its not good to detect it. Let the user see/take/edit
> EVERYTHING you use in the site.REALY good point.
>

That's how the web works, it's got nothing to do with Firebug. If all
copies everywhere of Firebug suddenly disappeared, it would do nothing
to change what people could do with your site.

> False sense of security ? doesn't make sense at all. Preventing user
> from seeing the code lowers the security? WOW
>

But that's the point, it *wouldn't* prevent users from seeing your code,
that's why it would be a *false* sense of security. And yes, preventing
users from seeing your code can lower your security. Security through
obscurity is never a good security policy.

This may sound snarky, it's not meant to be, but you seem to have a
fundamental misunderstanding of how the web and security works.

Brian
Reply all
Reply to author
Forward
0 new messages