Freemor

Well... That's new. (Oh, and you're doing it wrong)


Browsing to: https://www.similarweb.com/blog/social-media-usage


and got this:


JavaScript Disabled

This website is using a security service to protect itself from online attacks.
The service requires full JavaScript support in order to view the website.
Please enable Javascript on your browser and try again.
 

Reference ID: 49599d410354a0fc5973a143fcf8e334


Really.. a security thing that you run on MY machine to protect your server? Aside from smelling of total BS, I can't see how running JS on my machine would protect their server, since 99% of attacks on websites are NOT done in a browser. And hey, what about MY security, you guys? Not even a nod to that? No "We understand that you might want to disable JS because..."?


And what about failing gracefully.. Want to protect yourself? Anyone coming in that looks suspicious, throw them over to a non-interactive flat HTML version of your site, thus removing all chance of XSS or PHP code insertion, SQL injection, etc. But no, you'd rather just blame the user with a warning that makes no sense.


I'm gonna follow up on this one and actually ask WTF!


Hmmmmm.. ok, seems the message should read "Sorry we hate Tor".


As a first stage of testing I went with no JS but no Tor.. Worked fine.. Very interesting..


So does it work with Tor and JS?


That results in:

Cookies disabled

This website is using a security service to protect itself from online attacks.
The service requires full cookie support in order to view the website.
Please enable Cookies on your browser and try again.
 

Reference ID: 4357306db8905c61e8cdbfa6fce0057e


Seems that works.. kinda, as I'm still routed through Privoxy and third-party or non-session cookies get crunched, as well as ads and other annoyances....


Looking at the src of the page that was finally served up:

  • Usual tracker BS (GA,Yoast,Piwik,FB,etc)
  • Clearly a WP site (no wonder they are nervous.)


Ok, so we have a WordPress site that allows access from Tor given the right conditions (cookies set), and this is gonna keep them safe.. So not the case. I see WP attacks thrown at my non-WP site all the time and none of them try to load a main page. And if this is something in their reverse proxy then the attack script only needs to get the right cookies and then it can waltz right through.

