http://startpanic.com/
This site can tell you what sites you've visited using browser's vulnerabilities. K-Meleon is vulnerable too

wait for the experts of K-Meleon.

http://bcheck.scanit.be/bcheck/

Our experts always find a way to calm us down.

I'm no expert let alone of K-Meleon.
Nevertheless:

Quote
AirSpirit
This site can tell you what sites you've visited using browser's vulnerabilities.

Nope, no vulnerability is involved. You can tell which sites have been visited in case JavaScript is enabled in your browser only by comparing against a list of sites the webmaster of the snooping site has prepared.
You could avoid this kind of snooping by disabling JavaScript or (if browser settings make it possible) by disabling colored visualisation of visited links .

After rethinking:
Meddling with CSS won't help. The only counter measure would be to turn of JavaScript or at least I thought so untill I saw and tested the CSS hack Fred reffered to.

However we shouldn't forget about AJAX which is capable of even more nasty things.

@ nico

At least this is what I get with my settings (+ Proxomitron) I use on a regular basis.


This however shouldn't mean at all that K-Meleon wouldn't crash with default settings.



Edited 2 time(s). Last edit at 04/24/2009 10:15PM by Yogi.

my settings + immunize function Spybot-S&D and SpywareBlaster.

actually any site can trace back your tracks with a good javascript.. this one was lousy. i left it uhing and ohing for like half an hour and went to work while it humped my processor and all it could find were the last and first entries in history.

if you're paranoid, you can disable js for global policy and enable js for just sites you surf frequently and trust using policies manager.
http://kmeleonbrowser.org/forum/read.php?1,91203

and if you're really paranoid, you can do your online banking and ebay purchasing etc in 'privacy mode'
http://kmeleonbrowser.org/forum/read.php?1,83391,83558

No matter how paranoid someone might be, that's not a security risk.
If the snooping webmaster has a list containing e.g.:
www.bigboobies.gov
which I've visited than he will know that I was visiting that site.
Even so he can't see that I visited e.g.:
www.bigboobies/logme_in/pass_ohoh/haleluia.gov

Not to mention that all purchases are done over a secure/encrypted connection.

Vulnerabilities?

Often vulnerabilities are caused by the dope behind the weapon rather than the weapon itself.

Charlie

~~If it ain't broke, why screw it up?~~

js is disabled mainly on this browser. still, if every honk-site is able to trace the history of gecko/km via js then something is really wrong with its architecture, period.

Quote
caktus
Vulnerabilities?

Often vulnerabilities are caused by the dope behind the weapon rather than the weapon itself.

so true

Reading out part of the history is probably possible
with any browser that has enabled javascript.
But it seems only possible to compare a prewritten
list of sites, so only the sites included in this list can
be found.
It seems even to be possible without enabled javascript
using a CSS hack, as is described here :

http://ha.ckers.org/blog/20070228/steal-browser-history-without-javascript/

but still only for sites in a prewritten list,

But this would work only, if there is a browser history
present.
For example, it is not possible for my variation
KM18121forCD-Kiosk, which has no history and no cache,
because it's purpose is to work from a CD or stick
without writing anything on the used computer.
But you can also set for all variations your history
to work for 0 days, to disable history snooping,
although this would make it less confortable to
search your history yourself.
Allowing javascript to only a few websites, where it
is really necessary, be it using NoScript or simply
using an on/off button would also reduce the risk
and is generally not a bad idea, because many malware
actions work only with javascript enabled, and a site
working with javascript only is basically bad in my
personal opinion.

Fred

Quote
xray
if every honk-site is able to trace the history of gecko/km via js then something is really wrong with its architecture

Its a trick relying on cache - every browser tends to have & use a cache
It saves bandwidth.

First they used cookies, when users became aware the used web-bugs, JS, cache & IPs for tracking.

They want their interest, behavior and moving statistics for e-commerce.

http://bcheck.scanit.be/bcheck/
It isn't a reliable test for current vulnerabilities because all K-Meleon 1.5.x versions with default config and Flash 10 plugin pass the test but also Firefox 2.0.0.20 pass the test. (Option: "Run all available tests")

K-Meleon in Spanish



Edited 2 time(s). Last edit at 04/24/2009 06:28PM by desga2.

Thanks for your answers
Probably I'll install NoScript for K-Meleon.

privoxy even I was not saved :O

Quote
Fred
because many malware actions work only with javascript enabled, and a site working with javascript only is basically bad in my personal opinion.

Flashblock and my weakness

To watch Youtube flash videos without javascript
you can use the macro OnlyVideo.kmm .

http://kmeleon.sourceforge.net/wiki/KmmOnlyVideo

This right click macro opens and plays the flash video
in a new window.
Javascript can be turned off.
With javascript off or Noscript, most other flash will not play,
and can probably at least not be dangerous, if it plays
without javascript.
To play a specific flash video from a trusted site,
allow it as the case arises in NoScript, or turn on
javascript for the site.

Fred