Tor Browser Bundle 8.0 (TBB) sends OS+kernel+TOTAL_PING_COUNT in update queries to Mozilla
- Tails 3.9, which ships with TBB 8.0, is also affected.
User report:[1]
https://blog.torproject.org/comment/277375#comment-277375Sanitize the add-on blocklist update URL
https://trac.torproject.org/projects/tor/ticket/16931related, old, closed ticket (unresolved):
TBB-Firefox sends OS+kernel in update queries to Mozilla
https://trac.torproject.org/projects/tor/ticket/6734[1]: "TBB-Firefox sends Linux kernel version in extensions blocklist update queries to Mozilla. 6 years old ticket closed https://trac.torproject.org/projects/tor/ticket/6734 without fix this privacy issue.
From Ubuntu 18.04.1 LiveCD
/v1/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/60.2.0/Firefox/20180204030101/Linux_x86_64-gcc3/en-US/release/Linux 4.15.0-29-generic (GTK 3.22.30 libpulse 11.1.0)/default/default/1/1/new/""about:config
extensions.blocklist.url""Also it send TOTAL_PING_COUNT to tell mozilla how many days you use TBB."
(Score: 0) by Anonymous Coward on Wednesday September 26 2018, @03:12PM (4 children)
In this case the info is being shared with the target website *and* being sent back to Mozilla, along with URL and total ping count. Further, this isn't vanilla Firefox, it's the TOR browser bundle which suggests a higher level of security and privacy. This is not acceptable and could put lives at risk given that TOR is used by whistleblowers and professional journalists in parts of the world where oppressive governments and regimes have a habit of murdering them. Russia is just one example.
(Score: 0) by Anonymous Coward on Wednesday September 26 2018, @04:06PM
Correction...
Prior to my morning coffee, instead of "TBB" in the summary I saw "TPB" which immediately made me think that people browsing The Pirate Bay had noticed their browser sending that info back to Mozilla. Now that I'm more awake I can see this isn't the case. Please disregard my comment, journalists are unaffected by this and the world seems to still be roughly the same as it was yesterday. :-/
(Score: 2) by RamiK on Wednesday September 26 2018, @04:27PM (2 children)
You're joking, right? This is the browser dialing to mozilla's server for updates in TOR and only telling them the obvious. Moreover, TOR users are already visible to man-the-middle infrastructure (government and ISPs) since the connection to the exit nodes can't be disguised. What keeps them safe is how the content of the connection is encrypted.
If you don't trust mozilla why use their browser in the first place?
compiling...
(Score: 0) by Anonymous Coward on Wednesday September 26 2018, @06:25PM (1 child)
I don't trust anyone to install updates on my computers without my permission. I don't want to have to change the settings every time I update and if I wanted convenience I wouldn't be using TBB.
Centralized trust tempts capture, if it hasn't happened already, if they don't trust users to keep browsers upto date why should be trust them.
In the end a simple stripped down browser connecting through a tor rotating proxy goes along way to mitigate these risks.
(Score: 2) by RamiK on Wednesday September 26 2018, @07:51PM
You use javascript enabled browsers. Many of which to access sites with server-side functionality. And I doubt you read through the code when you do "permit" updates so it's not an informed consent regardless...
Unless you read Mozilla's code, you're already putting your safety in their hands. Knowingly or otherwise.
compiling...