New Update Osprey Browser Protection discussion and updates

[ErzCrz]

Let me know your thoughts! Trying to grow as much as possible.

I'm liking it. Doesn't affect browser speed and cool that it uses various DNS and web protections and good that it removes tracking from analysed urls

 

[Fan-of-spyshelter]

@ foulest
continue to treat me, if you want, you willl know the consequence soon...
you are a thief without any proof, from your side since i have verry solid proof from my side ...

and this willl be my last proof before sending it to the manufacture who was complaining.

why a thief ?

see here under this line,

Update README.md · Foulest/Osprey@d37cb29 (changed 2 hours ago) from this time

## Privacy

Osprey strips down each URL of tracking parameters before sending it to any APIs. ANY API HUH ?

(...)

The only data the APIs receive is the stripped-down URL, your user agent, and your IP address. Use a reputable VPN or

proxy service if you're concerned about IP-related privacy. (*THAT WAS NOT SAID BEFORE INSTALLING YOUR ADDON)

There are also extensions that mask your user agent, if you're so inclined. (*THAT WAS NOT SAID BEFORE INSTALLING YOUR ADDON TOO)

As for why Osprey needs to check complete URLs instead of just the domain, many phishing attacks use legitimate

companies such as Jotform to host their phishing campaigns. If Osprey only checked a website's domain name, it wouldn't

detect those threats. Osprey only sends your hostname to its various DNS API providers, so if you're highly concerned (SENDING US HOST NAME ??)

about URL page privacy, the DNS APIs are there for you. (the only secdns provider you have @Foulest is Control D with no visible contract)

&

without officials partner ship (excluding PrecisionSEC) IT IS IMPOSSIBLE you get any comission you told, without sending the data from all the users you have,
and as i told you i do not come from a user complain, but a manufacture complain.


choice is your's but not for long ^^
i closed this case from my side.

 

[goodjohnjr]

Today's thread so far :

King Kong - Training Day (5/5) Movie CLIP (2001) HD by Movieclips:



@Foulest I would recommend showing at least some proof of permission from one or more providers, to help people feel better, no matter how small; or ask those providers to make a public statement or something.

Then perhaps you can ask for volunteers to help you out on GitHub, et cetera, to help you & spread the word.

As you can see, there are people who are very passionate about Osprey Browser Protection.

Who I am sure would be willing to put some of that energy into helping you improve your web browser extension et cetera, good luck.

 

[Foulest]

Today's thread so far :

King Kong - Training Day (5/5) Movie CLIP (2001) HD by Movieclips:



@Foulest I would recommend showing at least some proof of permission from one or more providers, to help people feel better, no matter how small.

Then perhaps you can ask for volunteers to help you out on GitHub, et cetera, to help you & spread the word.

As you can see, there are people who are very passionate about Osprey Browser Protection.

Who I am sure would be willing to put some of that energy into helping you improve your web browser extension et cetera, good luck.

I'm not comfortable sharing internal conversations with my contacts, regardless of whether they're censored or not. Sorry, those talks are confidential. It would be absurdly stupid to claim and advertise that companies are officially partnered and integrated with Osprey if they aren't. Trust me, they are. PrecisionSec had to make a new endpoint just for Osprey.

 

[goodjohnjr]

I'm not comfortable sharing internal conversations with my contacts, regardless of whether they're censored or not. Sorry, those talks are confidential. It would be absurdly stupid to claim and advertise that companies are officially partnered and integrated with Osprey if they aren't. Trust me, they are. PrecisionSec had to make a new endpoint just for Osprey.

Thank you for responding.

 

[Marko :)]

for ur info @Marko :) ,

firstly NO a web extension module can not be blocked by a firewall, that is not true, to block the extension module you need to block all the navigator, or configure your json file your self for firefox.By default, MOZILLA do not block Osprey addon and warned you : "This add-on is not actively monitored for security by Mozilla. Make sure you trust it before installing."

secondly,
if we are talking the same caching operation : Cache-Control header - HTTP | MDN
I don't accept any caching header on my web browser, just the minimum of memory required for running the Gui navigator.

why ?

You claim that the extension has central server. That means it has an IP through which it reaches ControlD's servers. If that was the case, ControlD's firewall would block the IP address of extension's central server, due to overwhelming amount of requests (your claim). For some reason it doesn't block it; maybe because there isn't a central server?

Here is a piece of Osprey code which is responsible of questioning ControlD's servers. I challenge you to find me the IP address of an Osprey's server which is overwhelming amount of requests per second.

Mozilla warns you about every extension that doesn't have their Recommended badge. The message warns you to install only extensions you trust, and does not indicate that the extension is malicious itself.

secondly,
if we are talking the same caching operation : Cache-Control header - HTTP | MDN
I don't accept any caching header on my web browser, just the minimum of memory required for running the Gui navigator.

why ?

You are mixing the apples with oranges. Browser cache is completely different from DNS cache.

I still don't understand how we came from ControlD is only for personal use, over fake ControlD partnership to browser cache. You claimed something, we proved you wrong and then you started randomly jumping from one thread to another.

 

[Fan-of-spyshelter]

You claim that the extension has central server. That means it has an IP through which it reaches ControlD's servers. If that was the case, ControlD's firewall would block the IP address of extension's central server, due to overwhelming amount of requests (your claim). For some reason it doesn't block it; maybe because there isn't a central server?

Here is a piece of Osprey code which is responsible of questioning ControlD's servers. I challenge you to find me the IP address of an Osprey's server which is overwhelming amount of requests per second.

Mozilla warns you about every extension that doesn't have their Recommended badge. The message warns you to install only extensions you trust, and does not indicate that the extension is malicious itself.

You are mixing the apples with oranges. Browser cache is completely different from DNS cache.

I still don't understand how we came from ControlD is only for personal use, over fake ControlD partnership to browser cache. You claimed something, we proved you wrong and then you started randomly jumping from one thread to another.

NO,

firstly i said that the extension NEED to Have an organisation liscence for more than 100 users (from the explanation of BARRY) -> so a API KEY could be genuinely used and generalte a token from control D server, other wise this line programmed that you showed to me here under, could not be used, but let me give you the alll part of the code (even the commentary do nothing).

Secondly, Note that now is changed again ->BrowserProtection.js (change 10 hours ago from this time and marked as a 1.3.5)

/**
* Checks the URL with Control D's Security DNS API.
*
* @param {Object} settings - The settings object containing user preferences. USER PREFERENCE ABOUT WHO ?
*/
async function checkUrlWithControlDSecurity(settings) {
// Checks if the provider is enabled
if (!settings.controlDSecurityEnabled) {
return;
}

// Checks if the URL is in the allowed cache
if (isUrlInAllowedCache(urlObject, urlHostname, "controlDSecurity")) {
console.debug(`[Control D Security] URL is already allowed: ${url}`);
callback(new ProtectionResult(url, ProtectionResult.ResultType.KNOWN_SAFE, ProtectionResult.ResultOrigin.CONTROL_D_SECURITY), (new Date()).getTime() - startTime);
return;
}

// Checks if the URL is in the blocked cache
if (isUrlInBlockedCache(urlObject, urlHostname, "controlDSecurity")) {
console.debug(`[Control D Security] URL is already blocked: ${url}`);
callback(new ProtectionResult(url, BrowserProtection.cacheManager.getBlockedResultType(url, "controlDSecurity"), ProtectionResult.ResultOrigin.CONTROL_D_SECURITY), (new Date()).getTime() - startTime);
return;
}

// Checks if the URL is in the processing cache
if (isUrlInProcessingCache(urlObject, urlHostname, "controlDSecurity")) {
console.debug(`[Control D Security] URL is already processing: ${url}`);
callback(new ProtectionResult(url, ProtectionResult.ResultType.WAITING, ProtectionResult.ResultOrigin.CONTROL_D_SECURITY), (new Date()).getTime() - startTime);
return;
}

// Adds the URL to the processing cache to prevent duplicate requests
BrowserProtection.cacheManager.addUrlToProcessingCache(urlObject, "controlDSecurity", tabId);

const filteringURL = `

https://freedns.controld.com/no-malware-typo

?name=${encodeURIComponent(urlHostname)}`; (THIS IS NOT A FREE UNFILTERED DNS)

try {
const filteringResponse = await fetch(filteringURL, {
method: "GET",
headers: {
"Accept": "application/dns-message"
},
signal
});

const nonFilteringResponse = await fetch(nonFilteringURL, {
method: "GET",
headers: {
"Accept": "application/dns-json"
},
signal
});

// Returns early if one or more of the responses is not OK
if (!filteringResponse.ok || !nonFilteringResponse.ok) {
console.warn(`[Control D Security] Returned early: ${filteringResponse.status}`);
callback(new ProtectionResult(url, ProtectionResult.ResultType.FAILED, ProtectionResult.ResultOrigin.CONTROL_D_SECURITY), (new Date()).getTime() - startTime);
return;
}

const filteringData = new Uint8Array(await filteringResponse.arrayBuffer());
const filteringDataString = Array.from(filteringData).toString();
const nonFilteringData = await nonFilteringResponse.json();

// If the non-filtering domain returns NOERROR...
if (nonFilteringData.Status === 0 &&
nonFilteringData.Answer &&
nonFilteringData.Answer.length > 0) {

// ControlD's way of blocking the domain.
if (filteringDataString.endsWith("0,4,0,0,0,0")) {
console.debug(`[Control D Security] Added URL to blocked cache: ${url}`);
BrowserProtection.cacheManager.addUrlToBlockedCache(urlObject, "controlDSecurity", ProtectionResult.ResultType.MALICIOUS);
callback(new ProtectionResult(url, ProtectionResult.ResultType.MALICIOUS, ProtectionResult.ResultOrigin.CONTROL_D_SECURITY), (new Date()).getTime() - startTime);
return;
}
}

// Otherwise, the domain is either invalid or not blocked.
console.debug(`[Control D Security] Added URL to allowed cache: ${url}`);
BrowserProtection.cacheManager.addUrlToAllowedCache(urlObject, "controlDSecurity");
callback(new ProtectionResult(url, ProtectionResult.ResultType.ALLOWED, ProtectionResult.ResultOrigin.CONTROL_D_SECURITY), (new Date()).getTime() - startTime);
} catch (error) {
console.debug(`[Control D Security] Failed to check URL ${url}: ${error}`);
callback(new ProtectionResult(url, ProtectionResult.ResultType.FAILED, ProtectionResult.ResultOrigin.CONTROL_D_SECURITY), (new Date()).getTime() - startTime);
}
}


WHERE IS THE API PUBLIC TOKEN FROM HIS PRIVATE TOKEN IF HE HAS A CONTRACT ?

Other thing , he mention in ProtectionResult.js (change 10 hours ago from this time and marked as a 1.3.5 TOO) that he have 6 official partner only :

// Official Partners mean (endopoint)
1: "adGuardSecurity", -> NOT TRUE -> (for instant -> Overview | AdGuard DNS Knowledge Base)
2: "adGuardFamily", -> NOT TRUE --> same
3: "alphaMountain", (i do not knoxw this one) -> artificial intelligence (data collecting) no dns here
4: "controlDSecurity", -> NOT TRUE (since More than 100 users)
5: "controlDFamily", -> NOT TRUE -> same
6: "precisionSec", (i do not know this one) -> artificial intelligence (data collecting) no dns here


Thirdly, I didn't say that mozzila flagged him, i just said even MOZILLA is not responsible of the security he pretend to have.

fourthly, ok so you are speaking about a DNS CACHE my mistake you were not clear enough, but even a dns cache can be poisonnning :



lastly,
if you pretend that he is not an ENDOPOINT why our settings can not be changes automaticaly in our firefox system ?
and how does he software work exactly by using 2 different DNS SEC PROVIDER IN THE SAME TIME ? before...

as soon as i know, changing the dns from mozilla AS PERSONNALY can only be done by our manual configuration (until we have a script).

Now please, i would like to recommend to you to prove me that some script of him change our firefox setting.
if you can not proove it, it's mean he is an endopoint without any contracts so he is responsible of what he do with our information by SPOOFING our DNS without users consent.

 

[Andy Ful]

@Foulest,​

Do some providers in Osprey block newly registered domains or use other advanced methods unrelated to blocklists?
For example, providers usually offer in the free versions such features as Threat Intelligence Feeds, AI-Driven Threat Detection, and Google Safe Browsing. However, free versions mainly do not use advanced features like blocking Newly Registered Domains (NRDs) + parked domains + Top-Level Domains, or protection against DNS Rebinding + homograph attacks + Domain Generation Algorithms, etc.

 

[ForgottenSeer 123960]

I'm not comfortable sharing internal conversations with my contacts, regardless of whether they're censored or not. Sorry, those talks are confidential. It would be absurdly stupid to claim and advertise that companies are officially partnered and integrated with Osprey if they aren't. Trust me, they are. PrecisionSec had to make a new endpoint just for Osprey.

Liability and Transparency in Software Development:
Based on the conversation provided, the core issue revolves around liability and the importance of transparency when a developer uses others' work. Here’s a breakdown of the legal, ethical, and professional aspects.

The Legal Perspective:
While the developer isn't legally obligated to show the public proof of permission, their claim of having it puts them in a vulnerable position. If a copyright holder of the code they used were to challenge them, the developer would have the burden of proof to demonstrate a valid license or agreement in court. Their refusal to provide proof to the public, while not illegal in itself, makes them look less credible and could be seen as an admission that they lack the necessary permissions. Simply saying "trust me" would not hold up as evidence in a legal dispute.

The Ethical and Professional Perspective:
In the developer community, transparency is key. Refusing to show proof of permission, especially when using copyrighted work, is a major red flag that erodes community trust.

By not being transparent, the developer:

* Loses Credibility: People will reasonably assume that the permissions don't exist, which can make them reluctant to use or trust the extension.

* Creates a Bad Precedent: This behavior goes against the spirit of open-source and collaborative development, where giving proper credit and following licensing rules are standard practice.

The Security Perspective:
For a security-focused tool like a browser extension, this lack of transparency is particularly concerning. Users are trusting their data and security to this tool, and they have a right to know that it is built on a solid foundation. Without proof of collaboration, it's impossible for users to verify the claims being made, which makes the entire project appear less secure and trustworthy. Ultimately, while the developer may feel they are protecting confidential information, their actions are doing more harm than good for the project's reputation and user base.

 

[silversurfer]

For how long this debate continues? Everyone involved said enough, please stop all from now, otherwise this thread might be locked temporary for a few days...

 

[oldschool]

For how long this debate continues? Everyone involved said enough, please stop all from now, otherwise this thread might be locked temporary for a few days...

Thank you.

 

[KnownStormChaser]

@Foulest in 1.3.5 why did you have to remove OpenDNS, CIRA DNS and Switch.ch? I get that they have false positives, but couldn't you have just kept them disabled by default for those of us who wish to keep using them? I don't mind a few more false positives if that means they'll catch more threats.

 

[silversurfer]

Changes in 1.3.5​

• Updated Privacy Policy with expanded language
• Enabled DNS0.eu Security DNS by default
• Removed OpenDNS protections due to lack of support for false positives
• Removed CIRA DNS protections due to low-quality network locations and lack of support for false positives
• Removed Switch.ch protections due to low-quality network locations, redundancy with Quad9, and lack of support for false positives
• Merged the two CleanBrowsing adult content filters into one
• Disabled G DATA and Microsoft SmartScreen by default as a precaution
• Changed DNS0.eu from DNS0.eu ZERO to regular servers to reduce false positives
• Renamed all adult content filters for parity across the extension
• Added link to privacy policy to protection options panel
• Added logo descriptions on hover to the protection options panel for accessibility
• Revised email support messages for reporting false positives
• Cleaned up code

This update has been submitted to all extension stores.

Release 1.3.5 · Foulest/Osprey

Changes in 1.3.5 Updated Privacy Policy with expanded language Enabled DNS0.eu Security DNS by default Removed OpenDNS protections due to lack of support for false positives Removed CIRA DNS prote...

github.com

 

[Foulest]

@Foulest in 1.3.5 why did you have to remove OpenDNS, CIRA DNS and Switch.ch? I get that they have false positives, but couldn't you have just kept them disabled by default for those of us who wish to keep using them? I don't mind a few more false positives if that means they'll catch more threats.

Mainly for cleaning up purposes. Switch.ch is redundant since its threat feeds are already in Quad9 (as confirmed by them via email), and I prefer not to include providers in Osprey that are completely unavailable for support. False positives remain for months (literally), and that's not ideal at all. I'm fine with false positives if their email support resolves them in a week or two. Out with the old, and hopefully, over the next few weeks, in with the new.

@Foulest,​

Do some providers in Osprey block newly registered domains or use other advanced methods unrelated to blocklists?
For example, providers usually offer in the free versions such features as Threat Intelligence Feeds, AI-Driven Threat Detection, and Google Safe Browsing. However, free versions mainly do not use advanced features like blocking Newly Registered Domains (NRDs) + parked domains + Top-Level Domains, or protection against DNS Rebinding + homograph attacks + Domain Generation Algorithms, etc.

It's entirely possible. DNS0.eu's ZERO mode used to do that, but it resulted in a lot of false positives. AlphaMountain factors in a lot of those into their threat scores, so you might see them flag pages as 'Untrusted'. Osprey only uses the block lists from the providers it has. No other technology to deter things locally.

Liability and Transparency in Software Development:
Based on the conversation provided, the core issue revolves around liability and the importance of transparency when a developer uses others' work. Here’s a breakdown of the legal, ethical, and professional aspects.

The Legal Perspective:
While the developer isn't legally obligated to show the public proof of permission, their claim of having it puts them in a vulnerable position. If a copyright holder of the code they used were to challenge them, the developer would have the burden of proof to demonstrate a valid license or agreement in court. Their refusal to provide proof to the public, while not illegal in itself, makes them look less credible and could be seen as an admission that they lack the necessary permissions. Simply saying "trust me" would not hold up as evidence in a legal dispute.

The Ethical and Professional Perspective:
In the developer community, transparency is key. Refusing to show proof of permission, especially when using copyrighted work, is a major red flag that erodes community trust.

By not being transparent, the developer:

* Loses Credibility: People will reasonably assume that the permissions don't exist, which can make them reluctant to use or trust the extension.

* Creates a Bad Precedent: This behavior goes against the spirit of open-source and collaborative development, where giving proper credit and following licensing rules are standard practice.

The Security Perspective:
For a security-focused tool like a browser extension, this lack of transparency is particularly concerning. Users are trusting their data and security to this tool, and they have a right to know that it is built on a solid foundation. Without proof of collaboration, it's impossible for users to verify the claims being made, which makes the entire project appear less secure and trustworthy. Ultimately, while the developer may feel they are protecting confidential information, their actions are doing more harm than good for the project's reputation and user base.

Not really going to care about a response you couldn't write yourself. Leaking internal communications is not ideal, and I won't be doing it. I don't even feel comfortable telling you who I talked to, because I feel someone here would send them emails threatening legal action or something, claiming that Osprey is rogueware or illegal or something worse. Not out of the picture, given this thread's recent history. I'll see what I can do, I guess.

 

[Virtuoso]

@Foulest Why was G-data and Microsoft disabled by default?

 

[ForgottenSeer 123960]

Mainly for cleaning up purposes. Switch.ch is redundant since its threat feeds are already in Quad9 (as confirmed by them via email), and I prefer not to include providers in Osprey that are completely unavailable for support. False positives remain for months (literally), and that's not ideal at all. I'm fine with false positives if their email support resolves them in a week or two. Out with the old, and hopefully, over the next few weeks, in with the new.

It's entirely possible. DNS0.eu's ZERO mode used to do that, but it resulted in a lot of false positives. AlphaMountain factors in a lot of those into their threat scores, so you might see them flag pages as 'Untrusted'. Osprey only uses the block lists from the providers it has. No other technology to deter things locally.

Not really going to care about a response you couldn't write yourself. Leaking internal communications is not ideal, and I won't be doing it. I don't even feel comfortable telling you who I talked to, because I feel someone here would send them emails threatening legal action or something, claiming that Osprey is rogueware or illegal or something worse. Not out of the picture, given this thread's recent history. I'll see what I can do, I guess.

I completely understand your hesitation, and I want to thank you for being so honest about your concerns. The last thing we want is for anyone to feel uncomfortable or at risk. We're here to help, not to create problems, and I appreciate you taking the time to see if you can get something from the providers directly. That would be a huge help, and no matter what happens, we really appreciate your efforts.

 

[Foulest]

@Foulest Why was G-data and Microsoft disabled by default?

Just a legal precaution, alongside some disclaimers for the project. Use at your own risk. Those are the two providers that I'm in talks with, and finalized approval is pending.

 

[robboman]

i will not replys to this above image,

but, sending us host name and ip adress -> your soft is a ROGWARE composed by characteristic of a SPYWARE .

Until you change the direction and made reals contracts, you are solely responsible of what you do with all the people who use your extension.

Bro you are the most nuts person I have ever seen on this website.

 

[Fan-of-spyshelter]

Just a legal precaution, alongside some disclaimers for the project. Use at your own risk. Those are the two providers that I'm in talks with, and finalized approval is pending.

Exception from GPLV3 RULES :

just to be clear with every one here who code for Europe a SECURITY soft, no matter the kind of liscence,

there is no USE AT YOUR OWN RISK, When people are not well informed from :

the biginning before they use the (addon.xpi) in terms of transparancy if there some damage after the publication of the soft on a library, even the developper/author is(are) not in control, at the time of the damage made by a third party.

and when i ask for a proof (like an email) is not to attack the recipient but to defend first. if i see the proof is not legal i will just giving a warning nothing else....

but attacking me on my person, and not proove to me that i am wrong by facts over the last verrsion 1.3.4 (before the new one) is something not professionnal.

if you want money be professionnal, it's the basics.

 

[Andy Ful]

It's entirely possible. DNS0.eu's ZERO mode used to do that, but it resulted in a lot of false positives. AlphaMountain factors in a lot of those into their threat scores, so you might see them flag pages as 'Untrusted'. Osprey only uses the block lists from the providers it has. No other technology to deter things locally.

I think that many people would like to use Osprey for kids' protection, accepting a higher rate of false positives. So, including the additional provider profile with blocking newly registered domains (or similar proactive features) would be welcome. Currently, Osprey provides efficient protection against threats confirmed by PhishTank; however, more than one-quarter of phishing websites are likely inactive before they are confirmed by PhishTank or similar anti-phishing entities.