On Sat, Aug 27, 2016 at 08:48:58AM -0700, stan wrote:
> On Sat, 27 Aug 2016 12:10:26 +0200
> Richard Z <rz@xxxxxxxxxxxxxx> wrote:
> >
> > Firefox is doing this. You have to disable the spyware called "safe
> > browsing" to get rid of it. And yes, it has been exploited by
> > intelligence agencies around the world and may submit every single
> > URL you visit to google if they want it.
> >
> > https://bugzilla.mozilla.org/show_bug.cgi?id=368255
> >
>
> That was an interesting read. Thanks.
>
> I actually run nightly compiled locally, with a .mozconfig that turns
> off lots of firefox capability that I don't need, and is just attack
> surface for me. I don't have safe-browsing enabled, but I don't have
> it disabled explicitly either, so it must be a default setting. I'll
> compile it out from now on. Safe-browsing! Talk about double speak.

It is indeed enabled by default. Perhaps Fedora should disable that
default. I can't remember when it ever warned me about a malicious site
but it certainly causes extra traffic and additional spying
opportunities.

> In that bugzilla the google guy noted the hostility to google.

He also never answered valid concerns mentioned in the thread. It would
have been quite easy to avoid many concerns and the later confirmed
abuse of this cookie: just set the cookie against a different domain or
the precise subdomain as requested in comment 16 and asked repeatedly
again later in the thread.
This would mean the cookie would be sent only for requests to
safe-browsing and not for any other connection anywhere in google world
(search, maps, mail, youtube...). This would have also reduced the
network traffic they were so anxious about, so it doesn't make sense
technically to require a cookie against the main domain.
The answer in comment 17 is less than convincing imho. I don't think the
author of that comment is quite as naive about computer security and
privacy as he pretends there.

The good news however is that the cookie now seems to be sandboxed,
  https://bugzilla.mozilla.org/show_bug.cgi?id=897516
although I haven't looked into the code if it is really enabled now.
Some concerns remain: it appears impossible to expire this cookie and in
principle a sophisticated attacker may still be able to get a complete
list of the URLs that are visited - it will be only slightly more work
to connect it with a particular user.

> Of course, google have woven themselves so successfully into the web,
> they probably don't need this data to perfectly identify a browser
> everywhere it goes. :-)

google is not the only one who could be abusing this data.

Richard

--
Name and OpenPGP keys available from pgp key servers
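
The cookie-scoping point in the message above, as an added example that is not part of the original e-mail: a sketch of the RFC 6265 domain-match rule, comparing a cookie set with a parent-domain `Domain` attribute against a host-only cookie. Every host name under `provider.example` and the cookie name `id` are constructed placeholders.

```python
"""Which requests carry a cookie, following RFC 6265 (5.1.3, 5.3, 5.4).

All host names are constructed placeholders, not real services.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    set_by_host: str            # host whose response carried Set-Cookie
    domain_attr: Optional[str]  # Domain= value; None means host-only cookie


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: identical, or a suffix on a label boundary (never for IPs)."""
    host, domain = host.lower().rstrip("."), domain.lower().lstrip(".")
    if host == domain:
        return True
    return host.endswith("." + domain) and not _is_ip(host)


def is_sent(cookie: Cookie, request_host: str) -> bool:
    """Host-only cookies need an exact host; Domain cookies use domain-match."""
    if cookie.domain_attr is None:
        return request_host.lower() == cookie.set_by_host.lower()
    return domain_match(request_host, cookie.domain_attr)


def recipients(cookie: Cookie, hosts: List[str]) -> List[str]:
    return [h for h in hosts if is_sent(cookie, h)]


# Constructed request targets: one lookup service plus unrelated services.
HOSTS = ["safebrowsing.provider.example", "www.provider.example",
         "mail.provider.example", "video.provider.example",
         "provider.example", "notprovider.example"]
WIDE = Cookie("id", "safebrowsing.provider.example", "provider.example")
NARROW = Cookie("id", "safebrowsing.provider.example", None)

if __name__ == "__main__":
    for label, cookie in (("Domain=provider.example", WIDE), ("host-only", NARROW)):
        print(f"{label:24} -> {recipients(cookie, HOSTS)}")
```
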