
 
 

Because the web will dramatically change how we interact and learn, I thought it important to find out about the Netscape browser, since it is one of the dominant application programs for viewing content. This page, started on 5/29/98, is a summary of some of the information I have discovered about using the Netscape browser on a Mac.

Now (1/21/2001) that I pretty much know how the Netscape browser works, I figured I would try to secure Micro$oft’s Internet Explorer 5.0 as well as I have secured Netscape’s Navigator (besides I was sort of curious how my site looked using that other browser).


Still relevant...

It has been about five years since I started looking at the problem of how to secure the Netscape version 4 browser, and it has been a few years since I updated this page. But a few days ago (Fri, 17 Oct 2003) I received an eMail that stated this info still has some relevancy.

Just came upon your unpretentious pages. Web Surfing Secrets--terrific. Used most of the tips, they work great. Minor variations were needed with Netscape 7.

One tip that I'd like to pass on regards caching. What lucky Mac users can do is set up a RAM disk (control panels>memory). Then in whatever browser, they can set up the RAM disk as their cache folder. This has two advantages: 1) it speeds up browser page loading because it doesn't write files to disk; 2) when you shut down or restart, the cached pages disappear---provided you make sure to uncheck the box "save contents to disk..." when you set up the RAM.

Thanks for the great and useful page.

regards
RJ Currie

An even simpler method in place of "save contents to (RAM) disk..." might be to edit the pref file and add the lines:

user_pref("browser.cache.disk_cache_size", 0);
user_pref("browser.cache.memory_cache_size", 10240);

In this case the disk cache is set to zero (which forces the use of the memory cache).

The startup screen

Let’s start with something simple and useful. You can easily change the opening page that appears when Navigator starts. Select Edit/Preferences from the main menu and select the Navigator category. In the Home Page area, set Navigator to open to my search engine guide, phaster dot com.

Y2K issues

Y2K issues forced me to look at Communicator 4.7. That is because my certificates in the Essential Files / Defaults / Security folder expired on December 31, 1999 (if you are using an older, pre-4.06 version of Netscape and go to a bank or an e-commerce site, you may see a pop up window warning of expired certificates). Certificates are needed for secure transactions on the web, using 128 bit security. The solution, I was told, was to upgrade to version 4.7.

After installing Communicator 4.7, I noticed an AOL influence (a “Personal Toolbar,” AOL InstantMessenger built in and two additional buttons on the regular toolbar: “My Netscape” and “Shop”). Personally I think that is way too much bloat, and I have some issues with later versions: the “Smart-Browsing” feature in Communicator 4.06 can be used to profile your surfing habits. So for now I am just discarding my old certificates in Communicator 4.05 and replacing them with the certificates from Communicator 4.7.

F.Y.I. if you use 4.7 and don’t use AOL or InstantMessenger, you can trash AOL Scheduler (a self-launching app), the InstantMessenger Menu extension and any other AOL extensions.

OS9 issues

A related issue may occur when you have Communicator 4.7 installed with OS9 (the specific problem is the inability to use 128-bit encryption). If you have this problem try removing the TalkBack folder from the Communicator folder.

Edit bookmarks

Many sites you bookmark have names that are either obtrusively long or elusively nondescript. To edit a bookmark’s name in Communicator or Navigator, display the bookmarks window by pressing command-B, select a bookmark name, then edit the bookmark’s info by pressing command-I.

Things your mom didn’t tell you about browsing

So you ask, what is your browser configuration and what possible information do browsers broadcast while you surf the internet? Well, I will show you with the following JavaScript “Browser Detection” program.





When you surf you broadcast what type of computer you use and your OS and other info. To illustrate what other browsers broadcast, here are some responses that friends of mine had, using the javascript: javascript:document.write(navigator.userAgent+"<BR>")

Mozilla/4.04 (Macintosh; U; PPC, Nav)
in other words this is a power mac, navigator 4.04 (128 bit security)

Mozilla/4.05 [en] (Win95; U)
in other words this is a PC, using M$ win 95, communicator 4.05 (128 bit)

Mozilla/4.0(compatible;MSIE 4.01;Windows 95)
in other words this is a PC, using M$ win 95, explorer 4.01 (40 bit)

Mozilla/4.05 [en] (X11; I; Linux 2.0.32 i686)
in other words this is a PC with an i686 processor, using linux
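
What a server can read out of those four strings, as an added example (not code from the original page). The parser assumes the Netscape 4 layout `Mozilla/version [language] (platform; encryption flag; detail)`, where the flag is U, I or N, and the Explorer `compatible` layout, which carries no encryption flag.

```javascript
// Netscape's encryption flag inside the parentheses: U = US/strong, I = export, N = none.
const ENCRYPTION = new Map([
  ["U", "128-bit (US)"],
  ["I", "40-bit (export)"],
  ["N", "none"],
]);

function parseUserAgent(ua) {
  const m = /^Mozilla\/([\d.]+)\s*(?:\[([\w-]+)\])?\s*\(([^)]*)\)/.exec(ua.trim());
  if (!m) return null; // not in the Mozilla/x.y (...) shape
  const fields = m[3].split(";").map((s) => s.trim());
  const out = {
    browser: "Netscape", version: m[1], language: m[2] || null,
    platform: null, encryption: null, detail: null,
  };
  if (fields[0].toLowerCase() === "compatible") {
    // Explorer shape: (compatible; MSIE 4.01; Windows 95). The Mozilla
    // version is only a compatibility claim; the real version follows MSIE.
    const ie = /^MSIE\s+([\d.]+)/.exec(fields[1] || "");
    out.browser = ie ? "Internet Explorer" : "unknown";
    out.version = ie ? ie[1] : null;
    out.platform = fields[2] || null;
    return out;
  }
  // Netscape shape: (platform; flag; detail). The flag may be absent.
  const hasFlag = ENCRYPTION.has(fields[1]);
  out.platform = fields[0] || null;
  out.encryption = hasFlag ? ENCRYPTION.get(fields[1]) : null;
  out.detail = fields.slice(hasFlag ? 2 : 1).join("; ") || null;
  return out;
}

// The four strings quoted above.
const SAMPLES = [
  "Mozilla/4.04 (Macintosh; U; PPC, Nav)",
  "Mozilla/4.05 [en] (Win95; U)",
  "Mozilla/4.0(compatible;MSIE 4.01;Windows 95)",
  "Mozilla/4.05 [en] (X11; I; Linux 2.0.32 i686)",
];
for (const ua of SAMPLES) {
  console.log(ua, "->", JSON.stringify(parseUserAgent(ua)));
}
```

Every field here is asserted by the client, so a server-side platform check built on this header verifies nothing.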

The art of “Spoofing”

If you do not feel comfortable broadcasting what type of computer you use and your OS, it is possible to trick or “spoof” other machines, into thinking that your Mac is something else, using the ResEdit utility. So what is ResEdit, you ask. Well, ResEdit is a utility that allows you to do all sorts of things at the system level, and as such can really wreck your system, if you’re not careful.

You may wonder what legitimate reason there may be to “Spoof.” Well, I think the following correspondence from a friend who found my site this past week, sums it up pretty well.

BTW: that tip about using ResEdit to change the USER_AGENT env variable does not only work for Mac programs, but I had done that before for Communicator on Linux. The reason was that my bank (which I use for Internet banking) requires customers to have WinNT/95 to use their service. Those pricks give as reason that this platform is more secure than UNIXes!!! Obviously, they don’t know anything at all! To make sure you’re running WinNT/95, they check in their Java program the USER_AGENT variable. So I just edited the executable and replaced the X11;Linux string with Win;WinNT, and now they think I’m using Windows! What idiots...

If you decide to use ResEdit to “spoof” I suggest you “Duplicate” your browser program, and modify the program copy. With that warning here are the step by step instructions, for ResEdit to modify your browser:

1. Open a copy of Netscape 4.04 with ResEdit 2.1.3.
2. Double-click the resource named “STR#”.
3. Double-click resource 210, “IDs”.
4. To disguise your browser as Micro$oft Explorer 4.0 for the Mac try the following:
String 1 = Explorer
String 2 = 4.0
String 3 = Mozilla
String 4 = (compatible; MSIE 4.0; PPC)
String 5 = (compatible; MSIE 4.0; PPC)
5. Save Netscape and quit ResEdit.

I’m guessing at these entries but they should be close. If you want to make the spoof complete, you can edit the “vers” resource in ResEdit, and change the info visible in the “Get Info” box. You may want to change the version number of the modified browser, creating for example:

version: 4.04.007, License to Kill

This of course is a browser that “James Bond agent 007” might use. Keep in mind that when you modify your browser to “Spoof” you reduce the Macintosh and Netscape web use statistics. Furthermore if you “spoof” with a unique browser name, you will be instantly noticed in the web use statistics logs.

Cover your tracks

Speaking of web logs, there is a trick that keeps web masters from knowing what site you were at previously. I guess I should illustrate why this may be important. Suppose you are Bill Clinton, and suppose you decided to set up your own copy of a Netscape product (on a Mac of course) with the default home page being “MonicaBlowMe dot Com.” Now suppose after a long day at the office, being the leader of the free world, you decide to start up your browser and surf the internet. There really is a point to all this, honest. Now you have your browser up and running, with the default home page fully loaded, and the screen is covered with plump chicks doing the nasty. Then you remember that you had to check something on the independent counsel home page, so you type in his URL and hit return. Big mistake. “Why,” you ask. Well, it is because the user logs will tell Ken Starr that the President of the United States was checking out Monica, prior to visiting the independent counsel web site. Do you think Starr would ignore that little bit of information about Clinton if he had it? I think not.

When you surf, your browser may disclose to whatever site you are at currently the URL of the site you were at previously. If you do not feel comfortable disclosing that information to an independent counsel or want to piss off those marketers who love to know what type of sites you visit, I suggest that you add the line:

user_pref("network.sendRefererHeader", false);

to the “Netscape Preferences” file. To add or check a line of text you will need a text editor such as BBEdit Lite. For consistency, insert the line where the other network prefs are set, in order. Basically, this line tells Communicator/Navigator not to send the URL of the previous page in the Referer header.
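
One way to check a preferences file for this line and for the cache lines given earlier under “Still relevant...”, as an added example (not code from the original page). The function names, the sample file and the rule that a later `user_pref` line overrides an earlier one are assumptions.

```javascript
// Values this page recommends.
const RECOMMENDED = new Map([
  ["browser.cache.disk_cache_size", 0],  // no cache files written to disk
  ["network.sendRefererHeader", false],  // do not disclose the previous URL
]);

// Parse user_pref("name", value); lines. Classic Mac OS text files end
// lines with CR, so split on CR, LF and CRLF alike.
function parsePrefs(text) {
  const prefs = new Map();
  const line = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$/;
  for (const row of text.split(/\r\n|\r|\n/)) {
    const m = line.exec(row);
    if (!m) continue; // comments, blank lines, anything else
    const raw = m[2];
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (/^-?\d+$/.test(raw)) value = Number(raw);
    else if (/^".*"$/.test(raw)) value = raw.slice(1, -1);
    else continue; // value syntax this sketch does not handle
    prefs.set(m[1], value); // assumption: a later line overrides an earlier one
  }
  return prefs;
}

function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [name, want] of RECOMMENDED) {
    if (!prefs.has(name)) {
      findings.push({ name, problem: "not set", want });
    } else if (prefs.get(name) !== want) {
      findings.push({ name, problem: "differs", have: prefs.get(name), want });
    }
  }
  // With the disk cache off, a zero memory cache would leave no cache at all.
  if (prefs.get("browser.cache.disk_cache_size") === 0 &&
      prefs.get("browser.cache.memory_cache_size") === 0) {
    findings.push({ name: "browser.cache.memory_cache_size",
                    problem: "zero while disk cache is off" });
  }
  return findings;
}

// Constructed sample with CR line endings; the referer pref appears twice.
const SAMPLE = [
  "// constructed sample preferences file",
  'user_pref("browser.cache.disk_cache_size", 7680);',
  'user_pref("browser.cache.memory_cache_size", 10240);',
  'user_pref("network.sendRefererHeader", true);',
  'user_pref("network.sendRefererHeader", false);',
].join("\r");

console.log(auditPrefs(SAMPLE));
```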

The truth about “Cookies”

A cookie is a small text file, placed on your computer by the server, which stores information about when you visited the site and what you viewed there. Cookies cannot be very large - no single entry can be more than 4,000 bytes long, and there cannot be more than 300 entries in the file, and no more than 20 entries per site. Cookies can persist for only one user session, or until a date set by the cookie’s creator. In practical terms, though, what the cookies most often do is allow the server to remember you when you visit a site, and help the site’s administrators and architects adjust the site to better suit their clients’ needs, or provide customized information to the user depending on the user’s preferences. The original cookie recipe was “baked” by several employees at Netscape and is an HTML extension and web page design tool that looks something like:

Set-Cookie: NAME=VALUE;expires=DATE;path=PATH;domain=DOMAIN_NAME;secure

For example, if you visit a Web site that requires you to key in certain information (name, address, password, credit card number, etc.) the server can recall that information the next time you visit by storing it in a cookie.

To illustrate what a cookie does, I included a simple javascript program, that prompts you for your name, the first time you load this page. This script records in a cookie, how many times you’ve loaded this page and when you last loaded this page.




Suppose you work in an office where different people have to share a single computer, or where the computers are networked. In such a case it is possible to save confidential information in a “MagicCookie,” that by the way is the name of the file, where cookie information is stored on a Mac. If confidential information is contained within a “MagicCookie,” it’s a simple matter for an evil coworker to view the contents of the cookie with a program such as BBEdit. A more benign scenario, would be for marketers to get personal information from the “MagicCookie” so your name can be added to their snail mail lists, which they often times sell to other marketers. If you hate junk mail and spam I’ve got some useful info for you.

Although HyperText Transfer Protocol (HTTP) rules state that one site cannot deposit a cookie for another, slick internet marketing firms such as DoubleClick came up with a clever way to circumvent this rule. When you load a page from a given site (like AltaVista, Yahoo and even some personal home pages, for example) there are pieces of that page (banner advertisements or counters) that come from other sites. If your browser actually connects to DoubleClick to get the ads on a page, DoubleClick can send you a cookie--even though you’re on AltaVista or even some personal home page.
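
The header format and the third-party trick described above, as an added example (not code from the original page): it parses `Set-Cookie` headers in the Netscape layout and flags cookies set by a host other than the page's own. The host names and cookie values are constructed, and comparing the last two host labels is a simplifying assumption.

```javascript
// Limits as quoted on this page.
const LIMITS = { bytesPerCookie: 4000, perSite: 20, total: 300 };

function parseSetCookie(header) {
  const body = header.replace(/^Set-Cookie:\s*/i, "").trim();
  const parts = body.split(";").map((s) => s.trim()).filter(Boolean);
  if (parts.length === 0) return null;
  const eq = parts[0].indexOf("=");
  if (eq < 1) return null; // NAME=VALUE is mandatory
  const c = {
    name: parts[0].slice(0, eq), value: parts[0].slice(eq + 1),
    expires: null, path: null, domain: null, secure: false,
  };
  for (const p of parts.slice(1)) {
    const i = p.indexOf("=");
    const key = (i < 0 ? p : p.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : p.slice(i + 1).trim();
    if (key === "secure") c.secure = true;
    else if (key === "expires" || key === "path" || key === "domain") c[key] = val;
  }
  c.session = c.expires === null; // no expires: gone when the browser quits
  // ASCII assumed, so characters equal bytes.
  c.oversized = (c.name + "=" + c.value).length > LIMITS.bytesPerCookie;
  return c;
}

// Simplification (assumption): the "site" is the last two host labels. A real
// check needs a public-suffix list to handle names such as example.co.uk.
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// responses: [{ host, setCookie }] for every request made while loading one page.
function auditPageLoad(pageHost, responses) {
  const perSite = new Map();
  const report = [];
  for (const r of responses) {
    const c = parseSetCookie(r.setCookie);
    if (!c) continue;
    const site = siteOf(r.host); // judge by the host that actually answered
    perSite.set(site, (perSite.get(site) || 0) + 1);
    report.push({
      site, name: c.name, session: c.session, oversized: c.oversized,
      thirdParty: site !== siteOf(pageHost),
      overSiteLimit: perSite.get(site) > LIMITS.perSite,
    });
  }
  return report;
}

// Constructed page load: the page itself plus a banner fetched from an ad host.
const PAGE_LOAD = [
  { host: "www.portal.example",
    setCookie: "Set-Cookie: session=abc123; path=/" },
  { host: "ads.tracker.example",
    setCookie: "Set-Cookie: id=8f2c; expires=Wednesday, 09-Nov-99 23:12:40 GMT; path=/; domain=.tracker.example" },
];

console.log(auditPageLoad("www.portal.example", PAGE_LOAD));
```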

Simple work around, that NSA spooks would appreciate

If you are fortunate enough to own a Mac, there is a simple way to eliminate having personal information stored on the hard disk in the “MagicCookie” file. Start by trashing the “MagicCookie” file, and replace the “MagicCookie” file with a folder named “MagicCookie.” If you have a folder named “MagicCookie,” your browser will work normally, but it will not be possible to write cookie information when you quit browsing, because it’s impossible to write information formatted for a file to a folder.

It’s also possible to replace the “Global History” file (type in the phrase “about:global”; the result may take some time and may shock you). If you have a “Global History” folder, information about the sites you have been to cannot be determined after you quit browsing, since that information is not saved onto your hard disk. This work around is very effective because sites think they sent you cookies which they can retrieve later on for possible marketing purposes, but in reality when you shut down, all that information is lost. If you use this work around, keep in mind that while you browse, cookie and history information is still stored in RAM.

After installing Communicator version 4.7 (January 2000) I discovered that the browser history is now kept in a file called “Netscape History.” As before trash the “Netscape History” file and replace it with a similarly named folder.

Secure the “Cache”

Have you ever wondered where all the text and graphic images from those web pages you visit, end up after you leave a page at a site? Well, that information is stored in “Cache” for faster recall, just in case you decide to return to a previous page or site. Type in the phrase “about:cache” to search through your disk cache. Type in the phrase “about:memory-cache” to display items currently loaded in memory. Type in the phrase “about:image-cache” to list images currently stored in the cache.

Did you know that the pronunciation of “Cache” rhymes with “Trash” and that’s exactly what should be done with the “Cache” when you quit surfing. To eliminate all traces of information contained within the “Cache” you will need a secure erase program such as the “Wipe Info” program, which is part of the Norton Utilities. On the Mac OS whenever you “Empty Trash...” the data contained within the “Trash” folder is not permanently erased; in reality the OS just makes that space available to be written over. Some computer users may be surprised to find out that there are utilities on the market for many different platforms that allow the user to recover so called erased data.

If you are using M$ products (OS and browser) and want to secure your cache, you have to realize that those products are not well designed. If you snoop around in DOS you will discover that IE’s cache folder contains four hidden folders. So you ask why Windows Explorer doesn’t show those hidden folders? Well, to put it simply, C:\Windows\Temporary Internet Files is a weird folder that follows its own rules. For performance reasons, IE spreads the files it caches into four system folders within Temporary Internet Files. (These are not four redundant copies of your cache, but four parts of the whole collection.) So when you look at C:\Windows\Temporary Internet Files in Windows Explorer, you see the contents of all of these system folders. But you won’t see the only two files that are actually there: index.dat and desktop.ini.

Are you getting the latest info?

Some proxy servers are used to hold web pages in a cached fashion. The purpose of these proxy servers is to speed up your connection by storing web pages and files so your connection doesn’t have to look past the proxy server for the data. However, sometimes it has the reverse effect if the server is not working correctly. There is no way to tell if the web pages you are viewing are stored on a proxy server or if you actually downloaded the page from its real server. The problem is you can never know if you are getting the latest version of a web page or not. Proxy servers can be updated by the minute, hour or day, there is no standard for them. There is a solution however; you can set your browser to not use proxy servers assuring you will always get the latest version of a web page. Note however, some connections have to use proxy servers to get through a network firewall.

Adding a “?” to the end of a URL may also speed up your connection by avoiding proxy servers, for example:
http://www.phaster.com/?

Netscape Navigator 3.0.x:
Check “No Proxies”
Path:  Options menu / Network Preferences / Proxies tab / No Proxies

Netscape Communicator/Navigator 4.xx:
Check “Direct Connection to the Internet”
Path:  Edit menu / Preferences / Advanced / Proxy / Direct Connection to the Internet

Eliminate graphics for faster browsing

The easiest way to speed up your browsing is to nuke downloading images. To make Navigator ignore graphics, select Edit/Preferences from the main menu, then select the Advanced category. Uncheck the Automatically Load Images option. If you later decide that you want to see an image (while “Automatically Load Images” is turned off), just click the image’s placeholder icon. To see all the images on a page, just go to Edit/Preferences/Advanced and turn the Automatically Load Images option back on, and reload the page.

If you want to surf with graphics, pick up WebFree. This control panel for the Mac intercepts the flow of data into your Web browser and strips out everything that might annoy or worry you, from bandwidth hogging irritants like ad banners and GIF animation (imagine going to AOL and not seeing any advertisement) to the paranoia-inducing cookie.

Mac warez

If you do not have a shell account and want to find out more technical information, you can use shareware from sustworks.com. Their IPNetMonitor software is a package of integrated Internet tools which allow Macintosh users to monitor their connection to the Internet.

 MacUpdate: Macintosh Software & Games

FTP tips

Downloading files from FTP servers via Navigator is nothing new, but Communicator allows you to upload files as well. The syntax for FTP is ftp://user:password@site.com/directory/. If you leave out just the password but do put in the username (ftp://username@ftp.site.com), you’ll be prompted for a password. This lets you bookmark the site so that no one else will have access to it. If you leave out the username and password, you use the standard anonymous FTP login, so it’s: ftp://site.com/. While connected to an FTP URL, you can drag and drop files from your desktop to the Navigator window to upload them to the server.

Be sure to set your browser so it does not provide your email address as the password when you download files from anonymous FTP connections. In Netscape select Edit/Preferences and click Advanced, delete the check mark next to “Send email as anonymous FTP password,” then click OK.

Broadband, what you should know

Although cable modems are fast, they are also insecure if not configured properly. That is because everyone who uses a cable modem in your neighborhood is networked together. Suppose you use a Mac and your neighbor does too: if you left file sharing turned on, then your computer will show up as an AppleShare server on your neighbor’s Mac. Likewise, if you have an AppleTalk printer that is connected to the same Ethernet hub as your cable modem, your printer will appear on your neighbors’ Chooser. Fortunately, neighbors with a PC using Windows and a cable modem will not see your Mac or AppleTalk printer unless they have installed software to use the AppleTalk protocol.

If you have a Mac and a cable modem, turn off file sharing in the FILE SHARING control panel and turn off your AppleTalk printer when it is not being used, to secure your machine.

If you have a home Ethernet network, and need file sharing turned on, double-click the GUEST icon in the USERS & GROUPS control panel, and disable the guest connection. With the guest connection disabled, your neighbor will need to know a valid user name and password to access your Mac Ethernet network. You can specify user names and passwords in the Mac USERS & GROUPS control panel.

One item you may want to add, if you have a high speed connection, is a router (think of it as a traffic cop that not only allows several computers to share one line, it can also enhance network security). If you have only one computer connected to the internet, you can use the router’s Network Address Translation (NAT) to give your computer an IP address that users on the internet cannot detect.

If your Macintosh has a broadband connection, Speed Download is an extremely fast and powerful download manager packed with a clean Macintosh interface and tons of essential features, such as segmented downloading, resumable downloads, scheduling, scripting, and much more.

On a public network OS 9.x and Netscape can be very secure (if ya know what to watch out for).

Reviews and 15 seconds of fame

This past April (1999) I was notified that this page is listed on a new computer security search engine. This page in fact is the only page so far listed under the topic of web browsers.

It was just after I was notified about the computer security search engine that I started to log traffic for an experiment seeking to answer the question, “What people search for” on the web. After checking the logs I discovered that ResExcellence has a link back to this page which states, “A site that delves into the tiny recesses of Netscape Communicator to discuss Global Histories, Cookies, and Cache.” Ironic that I found that link exactly one year after I started this page, my first attempt at a web page as a matter of fact.

A last word and some links

On this page you may have noticed in some sections that I mentioned that JavaScript needed to be enabled for some clever JavaScript programs. In general JavaScript and Java are harmless tools, but I should warn you that these two tools, in the improper hands, can be used to compromise your computer security. Therefore if you are not sure about a site, play it safe and disable both Java and JavaScript.

B.T.W. if all you use a computer for is browsing/checking email, word processing, and balancing your check book with something like Quicken, simplify your life: boycott Micro$oft and buy an iMac.

Well that’s it for now. Check back every so often and I will have even more tips about: java, javascript, hacks to increase cache memory, phreaking info to maximize your connection speed, a description of how to use web proxies to mask your IP address, and other information that you won’t find anywhere else.

The following sites I consider worthwhile reference material.
 
 


 
 

 Frequently Asked Questions about Communicator 4.x
 Macintosh Security Site
 Snake Oil Warning Signs: Encryption Software to Avoid
 The Cookie Leak Security Hole in HTML Email messages
 The World Wide Web Security FAQ
 WWW Browser Security & Privacy Flaws
 Phaster MacPortal (my own Macintosh search engine guide)


 
 
 
 
