Join 3,551 readers in helping fund MetaFilter (Hide)


Why does one version of firefox allow me to facebook, and the other does not?
December 11, 2011 4:53 PM   Subscribe

Why would one browser version circumvent my company's internet blocking software, while an updated version does not?

I just recently updated my Firefox browser from 3.5 (or 3.6?) to 8. On the old version, I could get to any internet site, including facebook and things apparently labeled "adult". Now that I've updated, the ScanSafe blocker works again. Now obviously, I shouldn't be visiting those sites, I shouldn't use software my company hasn't allowed, etc. I just want to know if there is any reason why updating the browser would have this effect. It's Windows XP Pro, I don't know which service pack. Both firefox versions are portable, and I still have both installed so I can offer more details if needed.
posted by trogdole to Computers & Internet (9 answers total) 2 users marked this as a favorite
 
Upon checking, the earlier version is 3.5.19, and the new is 8.0.1
posted by trogdole at 4:55 PM on December 11, 2011


What add-ons are installed in each version? I'm wondering if AdBlock or NoScript are preventing the blocker from working correctly.
posted by werkzeuger at 5:04 PM on December 11, 2011


When something like that happened to me on my work computer, it turned out to be coincidental. The weekend I updated my browser and was playing around on the computer, they had done some changes on their acceleration server which temporarily turned off the nanny software that blocked unapproved sites.

Hours later, they fixed it and it was back to normal.
posted by birdherder at 5:05 PM on December 11, 2011


They both have adblock plus, faviconize tab, ie tab, tab mix plus, microsoft .NET framework assistant and old location bar. The 3.5 version also has xmarks and menu editor. The 8 version has Missing e, and tiny menu.
posted by trogdole at 5:09 PM on December 11, 2011


Random Googling got me this snippet about how ScanSafe works:
1. The software works at the protocol level, not application level. This means it works with any application that uses the HTTP or HTTPS protocols. This means if users go ahead and install another browser to bypass corporate proxy settings (which a lot do!) then the Anywhere+ driver still redirects the protocols correctly to the closest ScanSafe scanning tower.

2. We use an SSL tunnel to get all HTTP and HTTPS traffic to the scanning tower. It does this to add an extra level of security to the application (stop people sniffing your traffic at wireless hotspots etc) and for other reasons as well.
If this is correct, it sounds like you have some kind of local driver installed for ScanSafe which coordinates with the central device.

Just brainstorming here: Browsers aren't the only thing that makes use of HTTP and HTTPS. Many applications use it for back-end processing. Mucking with these non-browser connections would have a high likelihood of fucking up applications. It's possible that the makers of ScanSafe try to detect this by looking for certain user agent strings to catch only browser traffic for filtering, leaving the other stuff alone.

If that's correct, then perhaps ScanSafe didn't recognize your old Firefox version's User Agent string and was classifying that traffic as "not a browser, don't filter."

You could test this by installing the User Agent Switcher and manually changing it back to an older string, or pick one of the web spider strings.
posted by odinsdream at 5:32 PM on December 11, 2011 [2 favorites]


Another alternative could be that your proxy settings are different between the browser versions--one version is hitting the HTTP proxy with the net nanny installed and another is not.

My company's net nanny works that way, though they've also disallowed any traffic that is not run through the proxy.
posted by fifteen schnitzengruben is my limit at 5:41 PM on December 11, 2011


If it's working at the protocol level, as mentioned above, it's not relying on browser proxy settings.
posted by odinsdream at 5:55 PM on December 11, 2011


Firefox version 4 changed the default proxy settings from "no proxy" to "system proxy setting", which on Windows translates to "copy the Internet Explorer proxy setting".

Seems likely to me that your netadmin has used Group Policy to select their approved filtering proxy, and that your pre-4.0 Firefox was simply ignoring this and connecting direct. For this to work, your netadmin would need to be wearing clown shoes. I leave the plausibility of that scenario to you.

If you want to restore the old behavior using the new Firefox, go to Tools->Options->Advanced->Network Connections and change the proxy from "system proxy" to "no proxy".
posted by flabdablet at 5:59 PM on December 11, 2011 [3 favorites]


Oh and by the way: one of the standard checklist items on the ICT audit that upstream inflicts on my site every year is whether or not I'm using Group Policy to prevent users from changing IE's proxy settings. Since I am quite convinced that the guy who wrote that checklist was wearing clown shoes, I suspect that mistaking this kind of measure for "security" does indeed form part of some kind of tragicomic IT tradition.

Our upstream netadmins are not quite as silly as yours seem to be; they've actually worked out that by blocking port 80 outbound, most people will be forced to use their proxy for web access. And they're red-hot on preventing any kind of outbound access via "dangerous" ports like 993 for secure IMAP or 587 for secure SMTP, which stops my users doing threatening things like accessing their Gmail accounts via Outlook (quote: "Our External Fire Wall blocks these ports and provide protection to us all ... We are NOT going to open any other ports through the FW.")

Ports 1024 on up are wide open, though, so I guess none of those could ever possibly be used for anything even vaguely insecure.
posted by flabdablet at 5:09 AM on December 12, 2011


« Older You're a smart, awesome guy wi...   |  I just purchased a refurb 32gb... Newer »
This thread is closed to new comments.