Firefox privacy and Tor Browser
- To: or-dev@xxxxxxxx
- Subject: Firefox privacy and Tor Browser
- From: Mansour Moufid <mansourmoufid@xxxxxxxxx>
- Date: Sat, 27 Mar 2010 11:47:17 -0430
Hello,
I just heard the news about the Tor Browser bundle for GNU/Linux. I
like the idea, and I wanted to pitch a couple thoughts to the
developers. I apologize in advance if these things have been brought
up already, or if the subject belongs on or-talk instead.
Firstly, about NoScript. You may wish to consider an extension named
RequestPolicy [1] instead. You may also want to consider
FlashBlock [2], since that is a popular attack vector.
Secondly, about a specific behavior in Firefox itself, which I think
Tor developers should all be aware (or reminded) of. Firefox uses
Google's Safe Browsing API [3] to check visited websites against a
Google blacklist. There have been privacy issues brought up [4]. In
short, Firefox's use of this API could lead to Google (or anyone
listening to network traffic, since it was in the clear) being able to
track users via a unique hash communicated with Google servers and
persistent across sessions (including "Private Browsing"). Bartłomiej
has written extensively on the subject [5]. His attempts to patch this
privacy leak at the time were sabotaged by Google employees [6]. This
behavior is optional now in Firefox 3, but still on by default [7].
So, Tor Browser may want to consider having this "feature" off by
default?
That's all for now.
Thanks everyone for your time and the great work on Tor!
[1] <https://addons.mozilla.org/en-US/firefox/addon/9727>
[2] <https://addons.mozilla.org/en-US/firefox/addon/433>
[3] <http://code.google.com/apis/safebrowsing/>
[4] <http://ha.ckers.org/blog/20090824/google-safe-browsing-and-chrome-privacy-leak/>
[5] <http://bb.homelinux.org/en/firefox/howtobug368255.html>
[6] <https://bugzilla.mozilla.org/show_bug.cgi?id=368255>
[7] <http://bb.homelinux.org/en/firefox/googsbff3.html>
--
Mansour Moufid
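
Added example, not part of the original message: one way to audit whether a Firefox profile still has Safe Browsing lookups enabled, by reading the profile's prefs.js and user.js text. The preference names `browser.safebrowsing.enabled` and `browser.safebrowsing.malware.enabled` are the Firefox 3.x names and do not appear in the post; the sample profile text is constructed.

```python
import re

# Firefox 3.x preference names (assumption: not named in the post). Both
# default to true, so a profile that never mentions them has the feature on.
SAFEBROWSING_PREFS = {
    "browser.safebrowsing.enabled": True,          # phishing list checks
    "browser.safebrowsing.malware.enabled": True,  # malware list checks
}

PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;\s*$'
)

def parse_prefs(text):
    """Return {name: value} from prefs.js/user.js text; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything unparsable
        raw = m.group("value")
        if raw in ("true", "false"):
            prefs[m.group("name")] = (raw == "true")
        else:
            prefs[m.group("name")] = raw.strip('"')
    return prefs

def effective_safebrowsing(prefs_js="", user_js=""):
    """user.js overrides prefs.js at startup; unset prefs use the default."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return {n: merged.get(n, d) for n, d in SAFEBROWSING_PREFS.items()}

def enabled_prefs(prefs_js="", user_js=""):
    """Names of Safe Browsing prefs that are not explicitly false."""
    state = effective_safebrowsing(prefs_js, user_js)
    return sorted(n for n, on in state.items() if on is not False)

# Constructed sample: phishing checks turned off, malware checks never set.
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("browser.safebrowsing.enabled", false);
'''

if __name__ == "__main__":
    for name in enabled_prefs(SAMPLE_PREFS_JS):
        print("still enabled:", name)
```

A preference that is absent from both files is reported as enabled, because the default applies.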