Firefox privacy and Tor Browser
Mansour Moufid
mansourmoufid at gmail.com
Sat Mar 27 16:17:17 UTC 2010
Hello,
I just heard the news about the Tor Browser bundle for GNU/Linux. I
like the idea, and I wanted to pitch a couple thoughts to the
developers. I apologize in advance if these things have been brought
up already, or if the subject belongs on or-talk instead.
Firstly, about NoScript. You may wish to consider an extension named
RequestPolicy [1] instead. You may also want to consider
FlashBlock [2], since that is a popular attack vector.
Secondly, about a specific behavior in Firefox itself, which I think
Tor developers should all be aware (or reminded) of. Firefox uses
Google's Safe Browsing API [3] to check visited websites against a
Google blacklist. There have been privacy issues brought up [4]. In
short, Firefox's use of this API could lead to Google (or anyone
listening to network traffic, since it was in the clear) being able to
track users via a unique hash communicated with Google servers and
persistent across sessions (including "Private Browsing"). Bartłomiej
has written extensively on the subject [5]. His attempts to patch this
privacy leak at the time were sabotaged by Google employees [6]. This
behavior is optional now in Firefox 3, but still on by default [7].
So, Tor Browser may want to consider having this "feature" off by
default?
That's all for now.
Thanks everyone for your time and the great work on Tor!
[1] <https://addons.mozilla.org/en-US/firefox/addon/9727>
[2] <https://addons.mozilla.org/en-US/firefox/addon/433>
[3] <http://code.google.com/apis/safebrowsing/>
[4] <http://ha.ckers.org/blog/20090824/google-safe-browsing-and-chrome-privacy-leak/>
[5] <http://bb.homelinux.org/en/firefox/howtobug368255.html>
[6] <https://bugzilla.mozilla.org/show_bug.cgi?id=368255>
[7] <http://bb.homelinux.org/en/firefox/googsbff3.html>
--
Mansour Moufid
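
An added example, not part of the original message or of Tor Browser's code: a Python check of a Firefox profile's preference files for the Safe Browsing behavior discussed above, treating a missing preference as enabled because the feature is on by default. The two preference names are the Firefox 3-era names and are an assumption (the message does not name them); the sample file contents are constructed.

```python
import re

# Assumed Firefox 3-era preference names (not named in the message).
# Value is the built-in default: both checks are on unless the profile says otherwise.
SAFEBROWSING_PREFS = {
    "browser.safebrowsing.enabled": True,          # phishing list checks
    "browser.safebrowsing.malware.enabled": True,  # malware list checks
}

# Matches lines such as: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {name: value} from prefs.js / user.js text; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # header comments, blank lines, anything else
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = raw  # integers and anything unrecognised stay as text
    return prefs


def safebrowsing_enabled(prefs_js, user_js=""):
    """List Safe Browsing prefs still in effect, explicitly or by default.

    user.js is applied over prefs.js at startup, so it takes precedence.
    """
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return sorted(name for name, default in SAFEBROWSING_PREFS.items()
                  if merged.get(name, default) is True)


# Constructed sample: only the phishing check has been switched off.
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
'''

if __name__ == "__main__":
    for name in safebrowsing_enabled(SAMPLE_PREFS_JS):
        print("still enabled:", name)
```
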