On Sat, Aug 27, 2016 at 08:48:58AM -0700, stan wrote:
On Sat, 27 Aug 2016 12:10:26 +0200
Richard Z <rz(a)linux-m68k.org> wrote:
> Firefox is doing this. You have to disable the spyware called "safe
> browsing" to get rid of it. And yes, it has been exploited by
> intelligence agencies around the world and may submit every single
> URL you visit to google if they want it.
>
>
https://bugzilla.mozilla.org/show_bug.cgi?id=368255
>
That was an interesting read. Thanks.
I actually run nightly compiled locally, with a .mozconfig that turns
off lots of firefox capability that I don't need, and is just attack
surface for me. I don't have safe-browsing enabled, but I don't have
it disabled explicitly either, so it must be a default setting. I'll
compile it out from now on. Safe-browsing! Talk about double speak.
it is indeed enabled by default. Perhaps Fedora should disable that
default. I can't remember when it ever warned me about a malicious
site but it certainly causes extra traffic and additional spying
opportunities.
In that bugzilla the google guy noted the hostility to google.
he also never answered valid concerns mentioned in the thread. It would
have been quite easy to avoid many concerns and the later confirmed
abuse of this cookie: just set the cookie against a different domain or
the precise subdomain as requested in comment 16 and asked repeatedly
again later in the thread. This would mean the cookie would be sent
only for requests to safe-browsing and not for any other connection
anywhere in google world (search,maps,mail, youtube...).
This would have also reduced the network traffic they were so
anxious about so it doesn't make sense technically to require
a cookie against the main domain.
The answer in comment 17 is less than convincing imho. I don't think
the author of that comment is quite as naive about computer security
and privacy as he pretends there.
The good news however is that the cookie now seems to sandboxed,
https://bugzilla.mozilla.org/show_bug.cgi?id=897516
although I haven't looked into the code if it is really enabled
now.
Some concerns remain, it appears impossible to expire this cookie
and in principle a sophisticated attacker may still be able to get
a complete list of the URLs that are visited - it will be only
slightly more work to connect it with a particular user.
Of course, google have woven themselves so successfully into the
web,
they probably don't need this data to perfectly identify a browser
everywhere it goes. :-)
google is not the only once who could be abusing this data.
Richard
--
Name and OpenPGP keys available from pgp key servers