Firefox privacy and Tor Browser

Al MailingList alpal.mailinglist at gmail.com
Sat Mar 27 16:47:56 UTC 2010


A couple of points

No script also blocks flash.

Google's safe browsing is just an HTTP request, so I would assume when
tor is correctly configured it would not be in the clear.

Reference 5 seems to have his tin foil hat on a little tight. I'm not
quite sure what he's saying, but the google safe browsing updates
don't send the sites you're visiting, it simple retrieves the list of
bad sites (more specifically a diff of the bad sites list since your
last update). So all they can do is track that a particular user is
updating the local black list periodically.



On Sat, Mar 27, 2010 at 4:17 PM, Mansour Moufid <mansourmoufid at gmail.com> wrote:
> Hello,
>
> I just heard the news about the Tor Browser bundle for GNU/Linux. I
> like the idea, and I wanted to pitch a couple thoughts to the
> developers. I apologize in advance if these things have been brought
> up already, or if the subject belongs on or-talk instead.
>
> Firstly, about NoScript. You may wish to consider an extension named
> RequestPolicy [1] instead. You may want to also want to consider
> FlashBlock [2], since that is a popular attack vector.
>
> Secondly, about a specific behavior in Firefox itself, which I think
> Tor developers should all be aware (or reminded) of. Firefox uses
> Google's Safe Browsing API [3] to check visited websites against a
> Google blacklist. There have been privacy issues brought up [4]. In
> short, Firefox's use of this API could lead to Google (or anyone
> listening to network traffic, since it was in the clear) being able to
> track users via a unique hash communicated with Google servers and
> persistent across sessions (including "Private Browsing"). Bartłomiej
> has written extensively on the subject [5]. His attempts to patch this
> privacy leak at the time were sabotaged by Google employees [6]. This
> behavior is optional now in Firefox 3, but still on by default [7].
> So, Tor Browser may want to consider having this "feature" off by
> default?
>
> That's all for now.
>
> Thanks everyone for your time and the great work on Tor!
>
> [1] <https://addons.mozilla.org/en-US/firefox/addon/9727>
> [2] <https://addons.mozilla.org/en-US/firefox/addon/433>
> [3] <http://code.google.com/apis/safebrowsing/>
> [4] <http://ha.ckers.org/blog/20090824/google-safe-browsing-and-chrome-privacy-leak/>
> [5] <http://bb.homelinux.org/en/firefox/howtobug368255.html>
> [6] <https://bugzilla.mozilla.org/show_bug.cgi?id=368255>
> [7] <http://bb.homelinux.org/en/firefox/googsbff3.html>
>
> --
> Mansour Moufid
>



More information about the tor-dev mailing list