
Firefox Browser Usage and Support Forum

This 34 message thread spans 2 pages.
Does anyone need prefetch?
Prefetch in firefox is a security flaw
spiritualseo




msg:4066182
 8:03 am on Jan 23, 2010 (gmt 0)

The prefetch functionality in firefox is a security loophole.

Firstly it's a completely unwanted function. I don't care if my website loads a second faster than it usually would. Secondly it can get your machine to download malware from websites you have not even visited.

For instance, I was doing some Google SERP analysis for one of my clients who sells adult products and what do I see? Malware being downloaded from a website I did not even visit.

I did shut down the function later on, but this is a nuisance. This is definitely not bright coming from a browser that claims to be super secure.

Hope chrome does not have this feature.

[edited by: tedster at 5:27 pm (utc) on Jan. 23, 2010]
[edit reason] moved from another location [/edit]

 

tedster




msg:4066427
 6:12 pm on Jan 23, 2010 (gmt 0)

I considered this a problem from the first day prefetch showed up. Then there's the secondary (but very real) distortion of server log information.

rocknbil




msg:4066450
 7:48 pm on Jan 23, 2010 (gmt 0)

For reference:

[developer.mozilla.org...]

I'd never given this a lot of thought, which is why I looked into it. Out of curiosity, if your AVG is up to date and doing its job, wouldn't this offer some form of protection against this?

KenB




msg:4066462
 8:10 pm on Jan 23, 2010 (gmt 0)

If you want to stop Firefox from prefetching web pages on your website, add the following to your .htaccess file:


# Request headers are read with the %{HTTP:header-name} form
RewriteCond %{HTTP:X-moz} ^prefetch [NC]
RewriteRule (.*) - [F,L]

tedster




msg:4066587
 1:12 am on Jan 24, 2010 (gmt 0)

I recently caught a virus on its first day in the wild - my AV had not yet added the exploit's signature, and the website that served it up was owned by a high profile company, but the site had just been hacked that day.

Prefetch is more and more a liability, IMO - especially the way malware is proliferating and becoming quite devious today.

KenB




msg:4066641
 2:50 am on Jan 24, 2010 (gmt 0)

Prefetch is more and more a liability, IMO - especially the way malware is proliferating and becoming quite devious today.

Agreed!

I've disabled prefetching on all my profiles. To disable prefetching add the following to your prefs.js:

user_pref("network.prefetch-next", false);

I think the Firefox developers are so enamored with their prefetch idea that they are not willing to see just how big of a security issue it could pose.

rocknbil




msg:4066888
 8:31 pm on Jan 24, 2010 (gmt 0)

Or, found it yesterday but can't find the link today:

- New tab, type about:config

- If you get the warranty void warning, click "ok I'll be careful"

- in the Filter field, enter network.prefetch-next

- If set to false, you're good, otherwise double-click the config line which will set it to false.

The more I think about this, the more I wonder W** they were thinking. "Internet Destroyer Emulation mode?"

Seb7




msg:4067488
 7:16 pm on Jan 25, 2010 (gmt 0)

Prefetch sounds like a good idea initially, but is really really a bad idea in the real world.

Gomvents




msg:4067512
 7:42 pm on Jan 25, 2010 (gmt 0)

What if they set it not to prefetch any scripts?

travelin cat




msg:4067522
 7:49 pm on Jan 25, 2010 (gmt 0)

Rocknbil,
Thanks for the shortcut. When I went in to about:config, I searched for the term "prefetch". The first one to come up was network.prefetch-next, but I also found these:

stumble.2893641.prefetch;true
stumble.2893641.prefetcher_fetch_depth_in_topic;3
stumble.2893641.prefetcher_pass_1_timeout_ms;10000
stumble.2893641.prefetcher_pass_2_timeout_ms;30000
stumble.2893641.prefetcher_pass_3_timeout_ms;120000
stumble.2893641.prefetcher_pass_max;3
stumble.2893641.prefetcher_skip_resources;false
stumble.log_prefetch_progress;false

I am assuming these came from my stumbleupon toolbar.

Could these be a problem as well?

ken_b




msg:4067554
 8:15 pm on Jan 25, 2010 (gmt 0)

rocknbil;

Thanks for the step by step instructions.

Much appreciated!

physics




msg:4067615
 9:20 pm on Jan 25, 2010 (gmt 0)

Firstly, they never should have set this to be on by default. This is the kind of BS that will turn people off from Firefox.
Secondly, the on/off option for this should be easy to set, e.g. a check box on the main Options page.

travelin cat




msg:4067624
 9:29 pm on Jan 25, 2010 (gmt 0)

Physics, I agree that it should be off by default, but putting it on the options page would probably not help the average Joe.

I had never heard of prefetch before this thread, so I can imagine that most everyday people would not have a clue as to what it does.

rocknbil




msg:4067635
 10:01 pm on Jan 25, 2010 (gmt 0)

There is a **small** saving grace to this, at least, I hope.

When I've accidentally tripped on malicious sites, my AVG goes off like a ten alarm fire. Hopefully, a prefetched malicious site would do the same thing. Still, why pull the wildcat's tail . . .

KenB




msg:4067648
 10:13 pm on Jan 25, 2010 (gmt 0)

I have to agree with Physics, if Firefox is going to have prefetch, it REALLY needs to be a check box setting in the options panel.

rocknbil




msg:4067663
 10:37 pm on Jan 25, 2010 (gmt 0)

Could these be a problem as well? stumble settings in config

I missed this on page 1, I don't know. A good way to find out might be to run HTTP Live Headers while you visit stumble upon.

IanKelley




msg:4067703
 11:35 pm on Jan 25, 2010 (gmt 0)

I didn't realize FF prefetched by default, thanks for the heads up, just disabled it.

As far as downloading malware goes, there is a big difference between downloading code and executing it. Until it's executed it's not a threat.

I suppose it's possible that FF left some kind of hole in their prefetcher that would allow an app to run itself... but the chances are remote, that's the kind of mistake even IE would be unlikely to make.

jimh009




msg:4067713
 11:47 pm on Jan 25, 2010 (gmt 0)

Better safe than sorry. Thanks for telling how to fix this...never realized FF did this. The pre-fetch might also explain a couple of pesky things that my anti-virus has been catching recently.

kaled




msg:4067739
 12:35 am on Jan 26, 2010 (gmt 0)

Prefetch is NOT a security problem. It simply means that data is buffered into memory in the expectation that it might be wanted sometime soon. In order for there to be a security issue, the data would have to be processed, for instance, if it's javascript, it would have to be run, if it's a nasty .gif (or whatever) it would have to pass through a display routine.

Hope that clarifies the issue.

Kaled.

mcavic




msg:4067810
 2:56 am on Jan 26, 2010 (gmt 0)

Prefetch is NOT a security problem. It simply means that data is buffered into memory

Furthermore, it's only used when the web site requests it. For example, in a slide show where the user is highly likely to click one specific link. It's not normally used to fetch a bunch of links that the user may or may not click. Correct?

incrediBILL




msg:4067841
 4:06 am on Jan 26, 2010 (gmt 0)

There are no security problems with pre-fetch as far as I can tell but it could cause some LEGAL problems by pre-fetching links you would never click, perhaps something that violates your internet usage policy for your job.

You land some spam page Google served up as a top 10 result, it's a dicey page with shady links to dubious places, you try to get out as quick as possible but TOO LATE as you've pre-fetched all sorts of things from places you aren't supposed to be going.

Try to explain that you didn't go to that adult site, it was your browser, to your HR dept. and try to keep a straight face.

jomaxx




msg:4067880
 6:18 am on Jan 26, 2010 (gmt 0)

"This might void your warranty!"

WHAT warranty? What's this about? Firefox comes with a warranty?

g1smd




msg:4067908
 7:44 am on Jan 26, 2010 (gmt 0)

RewriteCond %{X-moz} ^prefetch [NC]
RewriteRule (.*) - [F,L]

F always implies L so you only need F.

RewriteCond %{HTTP:X-moz} ^prefetch [NC]
RewriteRule . - [F]

You also don't need to backreference the pattern as you are not reusing it.

Be aware that the above rule, while widely used, doesn't stop requests for the root "/" URL of any site.

JAB Creations




msg:4067915
 8:06 am on Jan 26, 2010 (gmt 0)

That's the problem with developers, they think good design adapts to what a user might do and ignore what the user is doing!

Pre-fetching something also bombed massively with Vista which treats RAM like a RAM drive (they are two totally different things).

Pre-fetching websites is obviously bad for security, but it also skews statistics and wastes resources.

In regards to software pre-fetching it should only be done intelligently. For example many video games have launcher programs associated with them (e.g. World of Warcraft and Oblivion). The OS should see what executable (that has an actual open window) commonly calls another (must be an actual open window and not just a background-process) executable. Then and only then is the correct way to do any kind of pre-fetching. If speed is truly that important to the person using their computer they can spend the extra money to get a faster computer if need be.

- John

jdMorgan




msg:4068030
 2:04 pm on Jan 26, 2010 (gmt 0)

I have to agree with Physics, if Firefox is going to have prefetch, it REALLY needs to be a check box setting in the options panel.

Yes, and the default setting should be "prefetch off."

"This might void your warranty!"

WHAT warranty? What's this about? Firefox comes with a warranty?

This was simply a "little joke" in the UI -- an amusing (if perhaps ill-advised) way to word a warning that changing Firefox settings using About:config can cause performance, functional, or security problems in Firefox or in the network.

RewriteCond %{HTTP:X-moz} ^prefetch [NC]
RewriteRule . - [F]
...
Be aware that the above rule, while widely used, doesn't stop requests for the root "/" URL of any site.

The rule can be modified to deny prefetch requests for "/" as well, by changing the rule pattern from "." to "^.*$" or even to just "^".

If a custom 403 error page is used, then it will have to be excluded from the rule to prevent an 'infinite' rewrite/error loop. If not already done "globally" in your config code, this can be accomplished by using a negative-match pattern such as

RewriteRule !^URL-path-to-my-custom-403-error-page\.html$ - [F]

Jim
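
A small Python model of the rule variants discussed in this post, added here as an example (it is not code from the thread). It assumes the rule lives in a document-root .htaccess, where mod_rewrite strips the leading slash before testing the pattern, so a request for "/" is tested as an empty string; the 403 page path and sample URLs are constructed.

```python
import re

def rule_matches(pattern: str, path: str) -> bool:
    """RewriteRule pattern test; a leading '!' negates the match."""
    negate = pattern.startswith("!")
    hit = re.search(pattern[1:] if negate else pattern, path) is not None
    return hit != negate

def is_denied(pattern: str, url: str, headers: dict) -> bool:
    """True if the RewriteCond/RewriteRule pair would answer 403 Forbidden."""
    # RewriteCond %{HTTP:X-moz} ^prefetch [NC]
    x_moz = next((v for k, v in headers.items() if k.lower() == "x-moz"), "")
    if not re.match("prefetch", x_moz, re.IGNORECASE):
        return False
    # Assumption: .htaccess in the document root, so the leading slash is
    # stripped before the pattern is tested and "/" becomes "".
    return rule_matches(pattern, url.lstrip("/"))

# Patterns discussed in the thread; the 403 page path is hypothetical.
PATTERNS = [".", "^.*$", "^", r"!^errors/403\.html$"]
# Constructed sample requests.
URLS = ["/", "/page.html", "/errors/403.html"]

def denied_urls(headers: dict) -> dict:
    """Map each pattern to the sample URLs it would deny."""
    return {p: [u for u in URLS if is_denied(p, u, headers)] for p in PATTERNS}

if __name__ == "__main__":
    for pattern, urls in denied_urls({"X-Moz": "prefetch"}).items():
        print(f"{pattern!r:28} denies {urls}")
```

The "." pattern lets the prefetch of "/" through because it needs at least one character, while the negated pattern denies everything except the error page itself, which is what prevents the rewrite/error loop.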

incrediBILL




msg:4068059
 2:32 pm on Jan 26, 2010 (gmt 0)

If speed is truly that important to the person using their computer they can spend the extra money to get a faster computer if need be.

Pre-fetch is about bandwidth speed and internet and server latency issues, it has nothing to do with local computer speed because the fastest computer in the world still can't download a page from the same web server any faster, but can only format it for display faster.

Pre-fetching websites is obviously bad for security

Everyone keeps saying this but nobody can identify a single security issue.

Pre-fetch only downloads a web page in advance, it does not execute the page.

For a security problem to happen the page must be executed, specifically javascript, flash, PDF, etc. and those elements are not downloaded nor activated until that page is physically displayed by action of the user.

Don't get me wrong, I'm not defending the technology as I'm completely against pre-fetch because in theory if everyone was using it, it could overload our networks and servers in relatively short time.

However, that doesn't mean we should be spreading FUD that has no merit about the technology because at the end of the day pre-fetch simply wastes bandwidth and server resources, nothing more.

pageoneresults




msg:4068065
 2:45 pm on Jan 26, 2010 (gmt 0)

The browser observes all of these hints and queues up each unique request to be prefetched when the browser is idle. There can be multiple hints per page, as it might make sense to prefetch multiple documents. For example, the next document might contain several large images.

I want to learn more about prefetching. Apparently the source can provide prefetch hints which are typically found in the link rel element.

What are the prefetching hints? - The browser looks for either an HTML link tag or an HTTP Link: header with a relation type of either next or prefetch.

For some reason I just don't feel 100% comfortable with that prefetch mechanism - FUD or not. :)
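
An added example (not from the thread or from Mozilla) of the hint mechanism quoted above: it lists the URLs a page asks the browser to prefetch through link tags and a Link: header with a relation type of next or prefetch, so a site owner can audit what their own pages hint. The sample page, header and example.com / example.net hosts are constructed, and the Link: header parsing is simplified.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

HINT_RELS = {"next", "prefetch"}  # relation types named in the quoted FAQ
LINK_RE = re.compile(r"<([^>]*)>((?:\s*;\s*[^;,]+)*)")  # simplified Link: grammar

class LinkCollector(HTMLParser):
    """Collects href values of <link> tags whose rel contains a hint type."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if tag == "link" and a.get("href") and HINT_RELS.intersection(rels):
            self.hrefs.append(a["href"])

def header_hints(value: str) -> list:
    """Targets in an HTTP Link: header value whose rel is a hint type."""
    out = []
    for target, params in LINK_RE.findall(value):
        m = re.search(r'\brel\s*=\s*"?([^";]+)', params, re.IGNORECASE)
        if m and HINT_RELS.intersection(m.group(1).lower().split()):
            out.append(target)
    return out

def prefetch_targets(page_url: str, html: str, link_header: str = "") -> list:
    """Unique absolute URLs hinted by the page, each with an off-site flag."""
    collector = LinkCollector()
    collector.feed(html)
    host, seen, result = urlsplit(page_url).netloc, set(), []
    for ref in collector.hrefs + header_hints(link_header):
        absolute = urljoin(page_url, ref)
        if absolute not in seen:
            seen.add(absolute)
            result.append((absolute, urlsplit(absolute).netloc != host))
    return result

SAMPLE_URL = "http://www.example.com/gallery/page1.html"  # constructed sample data
SAMPLE_HTML = """<head><link rel="prefetch" href="/images/big.jpeg">
<link rel="next" href="page2.html"><link rel="stylesheet" href="/style.css">
<LINK REL="Prefetch alternate" HREF="http://cdn.example.net/slide3.jpg">
<link rel="prefetch" href="/images/big.jpeg"></head>
<body><a href="/not-a-hint.html">ordinary link</a></body>"""
SAMPLE_HEADER = '</gallery/page3.html>; rel=prefetch, </feed>; rel="alternate"'
for url, off_site in prefetch_targets(SAMPLE_URL, SAMPLE_HTML, SAMPLE_HEADER):
    print("off-site " if off_site else "same-site", url)
```

The ordinary anchor and the stylesheet link are not reported, the duplicate hint is queued once, and the off-site flag marks hints that point at a different host than the page.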

tangor




msg:4068649
 2:02 am on Jan 27, 2010 (gmt 0)

Prefetch is a bit of busy work. Disabled simply to keep things simple. Don't see a purpose for it, but it might have a use under certain conditions.

I do agree that FF should make it an option easy to find, and should be default OFF.

ken_b




msg:4070046
 9:32 pm on Jan 28, 2010 (gmt 0)

So this prefetch stuff is supposed to speed up page loads for a visitor, right? Or do I have the whole idea wrong?

Anyhow, if speeding up load times is part of the deal, will turning off prefetch slow load times down?

And if so, will that have any consequences in relation to the recent talk about Google using page load times as a ranking factor? (Or do I have that concept wrong too?)

KenB




msg:4070060
 9:56 pm on Jan 28, 2010 (gmt 0)

Disabling the prefetch feature will have no impact on Google's page speed measurements because they are doing these measurements via the Google Toolbar, which is on IE and the prefetch we have been discussing is on Firefox.
