Re: evercookies.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Aug 27, 2016 at 08:48:58AM -0700, stan wrote:
> On Sat, 27 Aug 2016 12:10:26 +0200
> Richard Z <rz@xxxxxxxxxxxxxx> wrote:
> 
> 
> > Firefox is doing this. You have to disable the spyware called "safe
> > browsing" to get rid of it. And yes, it has been exploited by
> > intelligence agencies around the world and may submit every single
> > URL you visit to google if they want it.
> > 
> > https://bugzilla.mozilla.org/show_bug.cgi?id=368255
> > 
> 
> That was an interesting read.  Thanks.
> 
> I actually run nightly compiled locally, with a .mozconfig that turns
> off lots of firefox capability that I don't need, and is just attack
> surface for me.  I don't have safe-browsing enabled, but I don't have
> it disabled explicitly either, so it must be a default setting. I'll
> compile it out from now on. Safe-browsing! Talk about double speak.

it is indeed enabled by default. Perhaps Fedora should disable that
default. I can't remember when it ever warned me about a malicious
site but it certainly causes extra traffic and additional spying 
opportunities.

> In that bugzilla the google guy noted the hostility to google.

he also never answered valid concerns mentioned in the thread. It would 
have been quite easy to avoid many concerns and the later confirmed 
abuse of this cookie: just set the cookie against a different domain or 
the precise subdomain as requested in comment 16 and asked repeatedly 
again later in the thread. This would mean the cookie would be sent
only for requests to safe-browsing and not for any other connection 
anywhere in google world (search,maps,mail, youtube...). 
This would have also reduced the network traffic they were so 
anxious about so it doesn't make sense technically to require 
a cookie against the main domain.
The answer in comment 17 is less than convincing imho. I don't think
the author of that comment is quite as naive about computer security
and privacy as he pretends there.

The good news however is that the cookie now seems to sandboxed,
https://bugzilla.mozilla.org/show_bug.cgi?id=897516
although I haven't looked into the code if it is really enabled
now.
Some concerns remain, it appears impossible to expire this cookie
and in principle a sophisticated attacker may still be able to get
a complete list of the URLs that are visited - it will be only
slightly more work to connect it with a particular user.

> Of course, google have woven themselves so successfully into the web,
> they probably don't need this data to perfectly identify a browser
> everywhere it goes.  :-)

google is not the only once who could be abusing this data.

Richard

-- 
Name and OpenPGP keys available from pgp key servers
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://lists.fedoraproject.org/admin/lists/users@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org



[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux