
Re: Firefox privacy and Tor Browser



A couple of points

NoScript also blocks Flash.

Google's Safe Browsing is just an HTTP request, so I would assume when
Tor is correctly configured it would not be in the clear.

Reference 5 seems to have his tin foil hat on a little tight. I'm not
quite sure what he's saying, but the Google Safe Browsing updates
don't send the sites you're visiting, it simply retrieves the list of
bad sites (more specifically a diff of the bad sites list since your
last update). So all they can do is track that a particular user is
updating the local blacklist periodically.



On Sat, Mar 27, 2010 at 4:17 PM, Mansour Moufid <mansourmoufid@xxxxxxxxx> wrote:
> Hello,
>
> I just heard the news about the Tor Browser bundle for GNU/Linux. I
> like the idea, and I wanted to pitch a couple thoughts to the
> developers. I apologize in advance if these things have been brought
> up already, or if the subject belongs on or-talk instead.
>
> Firstly, about NoScript. You may wish to consider an extension named
> RequestPolicy [1] instead. You may also want to consider
> FlashBlock [2], since that is a popular attack vector.
>
> Secondly, about a specific behavior in Firefox itself, which I think
> Tor developers should all be aware (or reminded) of. Firefox uses
> Google's Safe Browsing API [3] to check visited websites against a
> Google blacklist. There have been privacy issues brought up [4]. In
> short, Firefox's use of this API could lead to Google (or anyone
> listening to network traffic, since it was in the clear) being able to
> track users via a unique hash communicated with Google servers and
> persistent across sessions (including "Private Browsing"). Bartłomiej
> has written extensively on the subject [5]. His attempts to patch this
> privacy leak at the time were sabotaged by Google employees [6]. This
> behavior is optional now in Firefox 3, but still on by default [7].
> So, Tor Browser may want to consider having this "feature" off by
> default?
>
> That's all for now.
>
> Thanks everyone for your time and the great work on Tor!
>
> [1] <https://addons.mozilla.org/en-US/firefox/addon/9727>
> [2] <https://addons.mozilla.org/en-US/firefox/addon/433>
> [3] <http://code.google.com/apis/safebrowsing/>
> [4] <http://ha.ckers.org/blog/20090824/google-safe-browsing-and-chrome-privacy-leak/>
> [5] <http://bb.homelinux.org/en/firefox/howtobug368255.html>
> [6] <https://bugzilla.mozilla.org/show_bug.cgi?id=368255>
> [7] <http://bb.homelinux.org/en/firefox/googsbff3.html>
>
> --
> Mansour Moufid
>