2.3.6.81 is failing pcflank leak test with browser tabs

So in your opinion, is this a problem with Comodo or Maxton? Does any firewall pass the test with Maxton running at those parameters?

For me, this is more like usage problem. Because Maxton always ask if you want to visit the last visited site. There are many other ways to achieve the same behavior without even using any OLE stuff. The only reliable solution to such usage problems, is to make sure some critical data is never sent unencrypted. CPF will have such a vault in 3.0. Otherwise, users can always press Allow accidentally. Yet if CPF intercepts OLE requests before they happen, this behavior wont be observed. But this does not cease the threat against such a behavior. Have a look at the next message for example.

Egemen

Think of the following scenario:

1 -User visits www.moneybank.com
2- www.moneybank.com has been DNS poisoned or domain has been somehow redirected(which is very probable if attacked)
3- User visits the last tab he visited, thus sending his login information to the attacker.

This is more being about security concious. As seen from the example, this type of action, has many more serious security problems.

Thanks for the explanation egemen.

This has been bugging me all day, trying to understand how an app that wasn’t running could be sending data. As you’ve pointed out, the “remember last visited pages” option has the potential to be a security hole.

Cheers,
Ewen :slight_smile:

I cannot pass PCFlank leak test with IE6 either.

I have tried many many times. Deleting TIFs and restarting between tries.

The closest I get is “page cannot be displayed” or something similar. This is easily accomplished by Comodo. I never get to the results page where text is supposed to be displayed.

In order to completely pass PCFlank, as designed, a drip-less faucet must be displayed. Any thing else and it did not pass the test as designed. If your results are anything less than a Total Pass it should and must be considered as partially passed.

I realize that the goal is for the text not to be passed on. Comodo achieves this. Saying that Comodo passes the test is not correct and that is where the problem is. If a firewall shuts down IE or the computer itself the result is the same; no text is passed on. In my opinion this is not passing the test either.

I have seen where other firewall testing results have shown PCFlank (and other tests) as partially passing with an explanation as to why this is equivalent to passing. Until Comodo can pass the PCFlank test as designed, with drip-less faucet and all, I think partially should be stated as well by Comodo. I am confident this “passed” will happen with Comodo soon.

My only Comodo leak testing up until last night was with PCFlank. After update I tested all available ones on firewallleaktester.com - This website is for sale! - firewallleaktester Resources and Information. . I downloaded them into a folder first. I began at the top of the list and ran through them one after another ( only non zipped ones ) until the computer became unresponsive, changed background, writing on background from a test, no right click, ect. Restart did not clear up all the problems. This was with clean XpHome sp2 and only enough programs to get online. Nothing else. Started all over from fresh - same results. All default Comodo setting. Please check this out but with caution. One thing to note is that after a test passed I then purposely failed it, just to make sure the test ran OK.

And yes, I do like Comodo Personal Firewall very very much and appreciate all the work put into it by all for all.

Thanks egemen, I think that pretty much sums it up in very few words

Yes, Outpost passes using a tabbed browser such as Maxthon. Specific reason being, it blocks the leak before it gets to the point of attempting to open the malicious page rather than queing it up then blocking the connection. This is not at all about Outpost vs Comodo, just giving some details since you asked. Outpost blocks the leak perhaps one step earlier where the leak test itself is prevented from launching the page & actually reports that the firewall passed & therfor the leak page is never actually opened, hence there is no page for a tabbed browser to recall, that is all. Whether this is problem with Comodo or Maxthon is more a matter of opinion I suppose. One could ask more generically is it a problem with any tabbed browser or is it a problem with any firewall that lets the leak test proceed to this stage? The results would be the same regardless of branding, these mechanics are very general & not necessarily limited to Comodo or Maxthon persay.

A little deductive reasoning here:

  1. It’s definitely a scenario which involves running a tabbed browser, which just about all modern browsers are now a days.
  2. More specifically it does have to do with recalling previous session tabs, this is a setting which many people probably enjoy, if they are aware of it, though not all will be aware of this option & some will not prefer it even if they know how to use it.
  3. Some firewalls are capable of blocking the leak while running with tabs remembered, some firewalls are not.
  4. Some firewalls are capable of blocking the leak when not using a tabbed a browser set to remember previous session. For this type to function at it’s best would require either a smaller user base that all coincidentally do not use remember tabs, or would require users to specifically sacrifice this very convenient function.

In the end I would say that ultimately it is still a matter of personal opinion whether this is an issue with tabbed browsers or firewalls, because people will have differing opinions & I don’t think either opinion would be outright wrong here.

However, more logically, I would be of the opinion that tabbed browsers are here to stay & that most firewall companies will not want to have to try to dictate to their customer base what settings they must use in their browser to achieve the desired level of security, unless it is absolutely necessary & there is no other means. Beyond that, it would stand to reason that since some firewalls are able to provide this level of security without interfering with a user’s personal browser setting… well, you can draw your own conclusions there. My opinon is that it is an issue which is able to be produced between both the firewall & the browser, & from experience testing many other software including several firewalls, I know that it is possible for the firewall to change to fix the matter, while tabbed browsing with the option to remember previous session tabs probably will not be changing.

I probably won’t be around much for a few days, going to re-tile some of these bathroom floors over the weekend, I’ll check back next week.

And thanks again egemen for simplifying this scenario for others, I tend be way over analytical & detailed sometimes, which may become confusing.

-x

Hi, I will give you my take as I have others. With OLE automation, an application such as PCFlank test is basing this on communicating with IE. Now, keep in mind, OLE is integrated into windows for applications that cannot\don’t have and ability to connect to their server on their own. Not all are bad and many may be needed. IE is not a WEB BASED browser, IE is also integrated into Windows, being a part of. So in fact, when this occurs and PCflank communicates with IE, it’s communicating on the OS level, not internet. You would in fact have to disable OLE automation all together. So what PCFlank is saying, because there was communication from two OS based beings, it has failed. Now, I have unhooked my pc altogether, ran the test, still said info was sent. Obviously it wasn’t , so , is this a bit misleading?

Please read what it says on the site,

If your text is not shown, you either didn’t take the test, your previous IP address was different from your current one or your firewall successfully prevented the leak of data

This does not state you should see the box stating it passed. I have emailed them a couple of times waiting for a reply on how they consider a firewall leaky when PCflank uses a natural OLE automation that any application can use, no word back and it’s been quite some time, hmmm. When I get info, I am making a post for others to read.

I wonder, when I click on the IE icon, that is communication with the browser telling it to open. Is this a leak as well?

I understand your thoughts on this and very good questions :wink: but just something to keep in mind and perhaps this issue will get ironed out soon, many have wondered the same.

Take care,

Paul

comicfan2000,

Thanks for explanation. I understand. I don’t think the test will be changed when there are now 2 firewalls that pass with a drip-less faucet. This is where it becomes difficult to understand. You have pointed out, quite correctly, three scenarios of test results. There is a fourth, which is a flat out pass.

I agree that Comodo does not pass text info to the webpage. Therefore, it should be conclude that it passed the test. To remove all doubts and confusion among users who compare differences in various firewalls, Comodo should achieved a drip-less faucet. It would take all needed explanations off the table and become a nonissue.

We both agree that Comodo successfully prevented the leak of data. It’s just that there will always be needed explanations as to why it doesn’t show it like “X firewall” does.

Hi guys,

Let me also summarize the different modes of operations for CFW and almost any other leak test passing firewall:

CFW is a firewall. This means we taught him to watch over network traffic. CFW is not interested in any memory modification or infection or OLE Automation unless such an attempt will result in a network connection. It is this smart analysis capability of CFW which makes us to install it with its full strength by default. And thats why, we can see reports from our users that CFW cathed an unknown virus or trojan variant. Because all of the CFW users, by default, can use it with its full strength and its alerts are quite informative.

Others may have the similar functionality but without giving the user a clear explanation, it has no use. Because not everybody will be able to use any other firewall with its maximum strength.

I have seen many alerts in other firewalls like csrss.exe/explorer.exe is trying to modify iexplore.exe. What a horrifying thing to ask for user’s approval for such a vital internal windows operation. Thats why they come with a theoretical pseudo-strength only useful to advanced users and disabled by default.

In case of the other firewalls, this firewall leak testing board will be very promising and surprising soon. We will all together see, how important to be able to pass “unknown” leak tests instead of trying to pass the known ones only.

For starter, I recommend everyone to use BITSTester.exe tool found in www.firewallleaktester.com, to observe how real OLE threats can occur and can be prevented by a real dynamic threat management.

Thank you all for the feedback,

Egemen


“The perfect personal firewall would be inexpensive and easy to install and use, would offer clearly explained configuration options, would hide all ports to make your PC invisible to scans, would protect your system from all attacks, would track all potential and actual threats, would immediately alert you to serious attacks, and would ensure nothing unauthorized entered or left your PC.” This great definition is quoted from Make Your PC Hacker Proof, Jeff Sengstack, PC World, July 21, 2000.