Reducing permissions on Firefox extensions

wat0114 wrote:Strange, the Cache directory size never changes (2.91 MB, 45 files, 57 folders) 45 files even after clearing it using Tools-> Clear Recent History. I put it back to Low IL and tried again but it makes no difference??

Was it empty before applying the medium integrity level? You could try manually deleting the contents of the Cache folder and see if that same content still appears. It's odd.

Firefox should also be able to delete the contents, once you have applied the low integrity level.

Was it empty before applying the medium integrity level? You could try manually deleting the contents of the Cache folder and see if that same content still appears. It's odd.

Firefox should also be able to delete the contents, once you have applied the low integrity level.

No it wasn't empty before, and everything is dated today and time stamped 8:42 PM (45 minutes ago) or later. No matter what I do it stays the same

Okay problem solved with a workaround: I used the -rl flag to remove the Low IL form Firefox.exe then tried clearing cache again, and it was successful. This is with the c:\users\user_name\appdata\local\mozilla directory and sub-directories including Cache at Low IL still.

*EDIT* well another oddity After emptying Cache with resulting near zero size, I re-applied the Low IL to firefox.exe and the Medium Il to the Cache directory, started surfing around while checking periodically the Cache folder to see it gradually increase in size to a maximum of .98 MB, 19 files, 31 folders, then stop increasing. It just sits at this size all the time now, indicating, of course, that firefox.exe is no longer writing to it, as it shouldn't. I just wonder why the brief ability of firefox.exe to write to it after I put it back to Low IL and Cache at Medium IL?? At least things are behaving as they should now

That is odd indeed... I'm wondering if the following situation could be the reason.

You have the profile folder @ low integrity level, with inheritance by default. This means that any sub-container or object will inherit the same set of permissions/restrictions.

Then, you have applied an explicit medium integrity level to the Cache folder.

What I'm thinking that could be happening is that, when you start Firefox, maybe the fact that the profile is @ low integrity level, with inheritance, it gets to write that initial data to the Cache folder, despite the fact the Cache folder itself is @ medium integrity level. But, then it can no longer do it...

There could be some sort of an initial interaction...

It's a bit of an oddity like the one I've mentioned about Chromium. When I have both chrome.exe, the profile folder @ low integrity level and Temp folder @ medium integrity level, if I try to download anything/something tries to get downloaded, I don't even get to see a prompt, nor anything like that. The behavior I would expect, because chrome.exe cannot communicate with Temp.

But, if I apply a medium integrity level to the profile folder, then I get to see the download attempts, which still fail.

Anyway, maybe you could try to divert Firefox caching to a Cache folder outside of the profile folder, and then apply the medium integrity level to that Cache folder or even leave it @ the default inherited medium integrity level.

You could try that instead and see if it makes a difference. In a few moments I'll be downloading Firefox and give it a try as well. I'm intrigued by it now...

Interesting theory you've presented and it wouldn't surprise me if you're right. Just one question I have: Does this write prevention from the browser to the Cache directory cause a performance hit, even a barely noticeable one, with the medium IL applied to Cache?

wat0114 wrote:[...]Just one question I have: Does this write prevention from the browser to the Cache directory cause a performance hit, even a barely noticeable one, with the medium IL applied to Cache?

I can't say that I have ever experienced such performance hit. I have seen others mentioning that this kind of tweaking would cause performance hits, but... until this present day, nothing like that happened to me. I'm not using a machine on steroids, and I really see no difference, performance wise, between allowing/not allowing cache.

Obviously, that's not to say that you may not experience it. I suppose you'd find out once you try it. If there's no performance hit, then why not... to enhance privacy a bit further... if you're into that.

Of course, I'd never sacrifice performance over privacy.

Great, that's good to hear, and I honestly didn't perceive any noticeable hit at all last night when surfing for a while after the tweak was applied. I think I'll just leave things the way they are, then, without creating a different Cache folder. I don't want to make too many changes, potentially confusing things for myself in the process

Well, confusing you it's the last of my wishes...

m00nbl00d wrote:Well, confusing you it's the last of my wishes...

That's good, LOL!

BTW, there's one site here -http://www.bbc.co.uk/news/uk-17249086- that simply refuses to play videos with Waterfox @ Low IL. The only way they play is with firefox.exe @ Medium IL. Exact same problem with chrome.exe @ Low IL. I ruled out NoScript and Cookie Monster extensions, as well as the firewall. Not a big deal because it's a site I don't normally browse, but strange it's the only one I've encountered so far that doesn't like the browser at Low IL. Maybe because it forces Flash to Low IL that causes the problem? Just speculating of course

I suppose you're talking about the message saying that you don't have the right Adobe Flash Player version?

I wonder if it's trying to store a flash cookie to the Adobe Flasher Player folder in the user profile, and considering that the folder is @ medium integrity level, then it simply fails? Once you add medium integrity level to the browser, then it can store the cookie/whatever.

Even Youtube videos play fine without allowing such. That's also the first website whose videos don't play.

If other websites can have their videos play without storing that data (they're forbidden), then so could BBC, I suppose. Therefore, in my opinion is nothing but a way to force you to allow cookies/data to be stored in your system, who knows for what...

m00nbl00d wrote:I suppose you're talking about the message saying that you don't have the right Adobe Flash Player version?

Oh...I didn't even see that; I just got the swirling progress indicator arrow going all the time

I wonder if it's trying to store a flash cookie to the Adobe Flasher Player folder in the user profile, and considering that the folder is @ medium integrity level, then it simply fails? Once you add medium integrity level to the browser, then it can store the cookie/whatever.

Even Youtube videos play fine without allowing such. That's also the first website whose videos don't play.

If other websites can have their videos play without storing that data (they're forbidden), then so could BBC, I suppose. Therefore, in my opinion is nothing but a way to force you to allow cookies/data to be stored in your system, who knows for what...

Maybe that's it. The fact it doesn't happen on any other Flash content site I visit means it's probably something cookie-related as you allude to. Oh well, I won't lose sleep over it. Thanks for checking!

*EDIT*

I just now realized I've become an "Advanced" member here, higher than even you, LOL!

Uh oh... show off

Shucks! a few more problems playing Flash on some websites.

-http://ca.askmen.com/video/entertainment/ ...the videos don't play

and -http://www.fan960.com/ ...Listen Live doesn't work.

It looks like the Low IL is breaking a bit more than I first thought

wat0114 wrote:Shucks! a few more problems playing Flash on some websites.

-http://ca.askmen.com/video/entertainment/ ...the videos don't play

and -http://www.fan960.com/ ...Listen Live doesn't work.

It looks like the Low IL is breaking a bit more than I first thought

I haven't tried the first link, but I gave a try to second link. At first, I was blocking all plugins. I could see it complained about Flash Player, and also could see the plugin image that Chromium places when plugins are blocked, for VLC Media Player Web Plugin. I enabled only Flash Player and it played, but I couldn't hear no sound?

I'm wondering if actually needed VLC Media Player Web Plugin or another default media player? I also noticed that they have sponsored content, before the flash content starts playing. The ads were being blocked, and I did not allow them. I wonder if this had any weight on not hearing the sound? Maybe as way to the force the user to allow the ads? Granted, I have no idea if you are/were blocking the ads. They have also a couple tracking services or so. They could also be punishing users blocking all this, by not letting them listening to anything, even if the flash content plays?

The first service you talked about also has a few tracking services, including their own tracking service, which goes something like -http://images.askmen.com/trackers/beacon.gif?z=1330966392

That makes it harder to block without recurring to an add-on/extension/other type of program. A hosts file is futile.

As an example, I gave this service a try: -http://www.cbtnuggets.com/it-training-videos/series/comptia-network-n10-004-jk0-016/5777

I could play it just fine. See if you can play that flash video.

The issue itself is not Adobe Flash Player also being @ low integrity level; it's more the fact those websites can't store data to the computer anymore, because Adobe Flash Player data storage folder is @ medium/high integrity level.

You could try configuring Adobe Flash Player not to let web sites store data. Would that help solve anything?

One has got to ask a question: Why do some services play Flash content (audio/video) just fine, without being able to write data to the system, while others don't play fine or won't play, at all?

If some can have them play, that means the others can do it too. Maybe they just want to track users, and for that, they will need to write data to the system.

Until this day, I haven't come across issues with Flash content, not even on Youtube. Glady, all services I used at some point, weren't agressive with their tactics to track their visitors... not even Youtube... surprisingly...

On the other hand, Google Chrome won't update if one blocks Google Analytics...

m00nbl00d wrote:

I haven't tried the first link, but I gave a try to second link.

Don't worry, that first link isn't porn

I'm wondering if actually needed VLC Media Player Web Plugin or another default media player?

I don't think so. That site plays normally through Flash.

I also noticed that they have sponsored content, before the flash content starts playing. The ads were being blocked, and I did not allow them. I wonder if this had any weight on not hearing the sound? Maybe as way to the force the user to allow the ads?

No, I normally block all that extra content with NoScript and the audio still plays.

Granted, I have no idea if you are/were blocking the ads. They have also a couple tracking services or so. They could also be punishing users blocking all this, by not letting them listening to anything, even if the flash content plays?

I disabled NoScript temporarily to allow all ads and other extra content but still no audio. Once I apply Medium Il to Firefox.exe the audio plays. Same problem with Chrome @ Low IL. Once I revert it back to Medium IL (chml -rl) the audio plays fine. It really does seem to be a problem with the browser @ Low IL, and as you theorize, I think with these particular trouble sites , they do try to write to disk but can't because of the Low IL.

As an example, I gave this service a try: -http://www.cbtnuggets.com/it-training-videos/series/comptia-network-n10-004-jk0-016/5777

I could play it just fine. See if you can play that flash video.

Yes, it plays fine with audio and video when Firefox is @ Low IL.

The issue itself is not Adobe Flash Player also being @ low integrity level; it's more the fact those websites can't store data to the computer anymore, because Adobe Flash Player data storage folder is @ medium/high integrity level.

Yep, this makes sense.

You could try configuring Adobe Flash Player not to let web sites store data. Would that help solve anything?

Probably not. I'm warned when applying the setting that it may break functionality. I can try anyways.

m00nbl00d wrote:One has got to ask a question: Why do some services play Flash content (audio/video) just fine, without being able to write data to the system, while others don't play fine or won't play, at all?

If some can have them play, that means the others can do it too. Maybe they just want to track users, and for that, they will need to write data to the system.

Until this day, I haven't come across issues with Flash content, not even on Youtube. Glady, all services I used at some point, weren't agressive with their tactics to track their visitors... not even Youtube... surprisingly...

Most of the flash content sites I browse do work just fine. It's only three so far that don't. What I will probably end up doing when I want to browse those trouble sites is just use a different browser.

wat0114 wrote:
Don't worry, that first link isn't porn

Thanks for the heads up!

wat0114 wrote:
Most of the flash content sites I browse do work just fine. It's only three so far that don't. What I will probably end up doing when I want to browse those trouble sites is just use a different browser.

I'd say that would be an ellegant solution.

Somewhat similar to when I need to allow Java, which doesn't play along in certain websites loading signed applets, I think. Something like that.

To make that other the other browser safer, you could make use of the Specific-Site Browser approach, and only allow connections to the domains they need to work. You could use another Firefox "installation", only that you'd extract the contents and manually place it in Program Files and point it to a different profile folder. Or, Chromium/Google Chrome.

I'd imagine to be cumbersome to use this approach with a firewall, if the IPs change a lot.

-edit-

Another thing you could do, would be to apply a low integrity level to the folder where flash content needs to be stored, whenever needed. You could have two batch files: one to apply and the other restore it back to medium.

It could be another alternative, for those problematic websites.

m00nbl00d wrote:-edit-

Another thing you could do, would be to apply a low integrity level to the folder where flash content needs to be stored, whenever needed. You could have two batch files: one to apply and the other restore it back to medium.

It could be another alternative, for those problematic websites.

I've tried this to no avail unless I'm targeting the wrong directory??

wat0114 wrote:
I've tried this to no avail unless I'm targeting the wrong directory??

Most likely. And, it actually never really ocurred to me about it. There's another folder "C:\Users\<username>\AppData\Roaming\Macromedia\Flash Player".

I don't know if you have to apply it to that one and to "C:\Users\<username>\AppData\Roaming\Adobe\Flash Player" as well.

Guess what? I'm an Advanced Member...

m00nbl00d wrote:

wat0114 wrote:
I've tried this to no avail unless I'm targeting the wrong directory??

Most likely. And, it actually never really ocurred to me about it. There's another folder "C:\Users\<username>\AppData\Roaming\Macromedia\Flash Player".

I don't know if you have to apply it to that one and to "C:\Users\<username>\AppData\Roaming\Adobe\Flash Player" as well.

Doh!! How did I miss the Macromedia folder I had only applied it to the Adobe one, but now it's to both and not those troubled sites work But one question: will it be okay to leave these Flash directories at Low IL?

m00nbl00d wrote:Guess what? I'm an Advanced Member...

Yes you certainly are Advanced Thank you again for bailing me out!

wat0114 wrote:
will it be okay to leave these Flash directories at Low IL?

Well, that would depend on a user system security configuration, I'd say.

Yes, an object @ low integrity level will be able to write to there, and to other folders @ low integrity level. In a configuration where there's no default deny, then execution would be granted within that low integrity level world.

But, if you want to play on the safe side, just in case, you could have two batch files. One will apply the low integrity level to those two folders and the other will restore the standard user account medium integrity level, by using the flag -rl.

You could follow this approach as well: https://ssj100.forumotion.com/t459-application-launcher-trick-using-windows-own-methods

You could create the shortcuts as mentioned there, pointing to the batch files (You could place the batch file inside a new folder in your user profile -%localappdata%\some_folder-, perhaps.).

Name the shortcuts in a way that, when you open the Start Menu, you type a combination of as few keys as possible to get those two shorcuts and then pick the one you want and press Enter.

That's how I do for my Chromium shortcuts. lol Or, you can just have the batch files in your Desktop or Task Bar. Whatever works best for you, of course.

Thank you for those suggestions, but I think I'll leave things the way they are now, even with the risk of Low level execution. At least I don't sacrifice convenience, especially because I frequent those sites often enough that I don't want to always have to select another profile whenever I do. At least a Low IL processes can't modify higher IL objects, although I realize they can read them.

If you got important processes @ medium/high you'd like to keep hidden from processes @ low, then you can apply an explicit medium/high IL to those processes, and make use of the flags -nw, -nx and -nr.

I do that for KeePass.