Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Wednesday September 26 2018, @12:29AM   Printer-friendly
from the Checking-in-on-checking-in dept.

Tor Browser Bundle 8.0 (TBB) sends OS+kernel+TOTAL_PING_COUNT in update queries to Mozilla

- Tails 3.9, which ships with TBB 8.0, is also affected.

User report:[1]
https://blog.torproject.org/comment/277375#comment-277375

Sanitize the add-on blocklist update URL
https://trac.torproject.org/projects/tor/ticket/16931

related, old, closed ticket (unresolved):

TBB-Firefox sends OS+kernel in update queries to Mozilla
https://trac.torproject.org/projects/tor/ticket/6734

[1]: "TBB-Firefox sends Linux kernel version in extensions blocklist update queries to Mozilla. 6 years old ticket closed https://trac.torproject.org/projects/tor/ticket/6734 without fix this privacy issue.

From Ubuntu 18.04.1 LiveCD
/v1/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/60.2.0/Firefox/20180204030101/Linux_x86_64-gcc3/en-US/release/Linux 4.15.0-29-generic (GTK 3.22.30 libpulse 11.1.0)/default/default/1/1/new/"

"about:config
extensions.blocklist.url"

"Also it send TOTAL_PING_COUNT to tell mozilla how many days you use TBB."


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Wednesday September 26 2018, @03:12PM (4 children)

    by Anonymous Coward on Wednesday September 26 2018, @03:12PM (#740233)

    In this case the info is being shared with the target website *and* being sent back to Mozilla, along with URL and total ping count. Further, this isn't vanilla Firefox, it's the TOR browser bundle which suggests a higher level of security and privacy. This is not acceptable and could put lives at risk given that TOR is used by whistleblowers and professional journalists in parts of the world where oppressive governments and regimes have a habit of murdering them. Russia is just one example.

  • (Score: 0) by Anonymous Coward on Wednesday September 26 2018, @04:06PM

    by Anonymous Coward on Wednesday September 26 2018, @04:06PM (#740274)

    Correction...

    Prior to my morning coffee, instead of "TBB" in the summary I saw "TPB" which immediately made me think that people browsing The Pirate Bay had noticed their browser sending that info back to Mozilla. Now that I'm more awake I can see this isn't the case. Please disregard my comment, journalists are unaffected by this and the world seems to still be roughly the same as it was yesterday. :-/

  • (Score: 2) by RamiK on Wednesday September 26 2018, @04:27PM (2 children)

    by RamiK (1813) on Wednesday September 26 2018, @04:27PM (#740285)

    You're joking, right? This is the browser dialing to mozilla's server for updates in TOR and only telling them the obvious. Moreover, TOR users are already visible to man-the-middle infrastructure (government and ISPs) since the connection to the exit nodes can't be disguised. What keeps them safe is how the content of the connection is encrypted.

    If you don't trust mozilla why use their browser in the first place?

    --
    compiling...
    • (Score: 0) by Anonymous Coward on Wednesday September 26 2018, @06:25PM (1 child)

      by Anonymous Coward on Wednesday September 26 2018, @06:25PM (#740364)

      I don't trust anyone to install updates on my computers without my permission. I don't want to have to change the settings every time I update and if I wanted convenience I wouldn't be using TBB.

      Centralized trust tempts capture, if it hasn't happened already, if they don't trust users to keep browsers upto date why should be trust them.

      In the end a simple stripped down browser connecting through a tor rotating proxy goes along way to mitigate these risks.

      • (Score: 2) by RamiK on Wednesday September 26 2018, @07:51PM

        by RamiK (1813) on Wednesday September 26 2018, @07:51PM (#740422)

        I don't trust anyone to install updates on my computers without my permission.

        You use javascript enabled browsers. Many of which to access sites with server-side functionality. And I doubt you read through the code when you do "permit" updates so it's not an informed consent regardless...

        Unless you read Mozilla's code, you're already putting your safety in their hands. Knowingly or otherwise.

        --
        compiling...