Tor Browser Bundle 8.0 (TBB) sends OS+kernel+TOTAL_PING_COUNT in update queries to Mozilla
- Tails 3.9, which ships with TBB 8.0, is also affected.
User report:[1]
https://blog.torproject.org/comment/277375#comment-277375Sanitize the add-on blocklist update URL
https://trac.torproject.org/projects/tor/ticket/16931related, old, closed ticket (unresolved):
TBB-Firefox sends OS+kernel in update queries to Mozilla
https://trac.torproject.org/projects/tor/ticket/6734[1]: "TBB-Firefox sends Linux kernel version in extensions blocklist update queries to Mozilla. 6 years old ticket closed https://trac.torproject.org/projects/tor/ticket/6734 without fix this privacy issue.
From Ubuntu 18.04.1 LiveCD
/v1/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/60.2.0/Firefox/20180204030101/Linux_x86_64-gcc3/en-US/release/Linux 4.15.0-29-generic (GTK 3.22.30 libpulse 11.1.0)/default/default/1/1/new/""about:config
extensions.blocklist.url""Also it send TOTAL_PING_COUNT to tell mozilla how many days you use TBB."
(Score: 3, Funny) by Anonymous Coward on Wednesday September 26 2018, @12:40AM (3 children)
If I wanted telemetry, I'd use Microsoft Edge.
(Score: 5, Insightful) by Runaway1956 on Wednesday September 26 2018, @12:43AM (1 child)
Agreed. This makes me want to check up on all my Mozilla based applications. WTF? None of my activity is any of Mozilla's business.
(Score: 2, Insightful) by Anonymous Coward on Wednesday September 26 2018, @05:50PM
Why doesn't the Tor project switch both of these releases to some other browser, like Pale Moon. Based on Firefox, with all the phone-home and other cruft removed.
(Score: 0) by Anonymous Coward on Wednesday September 26 2018, @08:51PM
Unlike fucking Chromium which requires patching the source code to strip out Google references, Firefox enables you to sack the undesirable crap via config. Granted it would have been better to ship with no undesirable crap in the first place, but you don't even need an add-on to control it.
(Score: -1, Flamebait) by Anonymous Coward on Wednesday September 26 2018, @12:43AM (16 children)
Don't like your things phoning home all the time? Time travel back to 1990 you dinosaur. Go see Madonna in concert while you're back there. Oh right you can't go see Madonna because your Pope told you not to attend that concert tour. Too bad she touched herself onstage right?
(Score: 3, Offtopic) by Runaway1956 on Wednesday September 26 2018, @12:45AM (15 children)
You must be Catholic. You should realize that 3/4 of the world doesn't give the smallest damn about any pope. I'm part of that 3/4, thank you very much. Normal people simply don't think about anything the pope says or does - it's beneath our notice.
(Score: 0) by Anonymous Coward on Wednesday September 26 2018, @12:49AM
Who needs a pope? Allah is my co-pilot. *boots Tor*
(Score: 0, Interesting) by Anonymous Coward on Wednesday September 26 2018, @01:01AM (13 children)
Whoosh much?
Pope John Paul II told Catholics to boycott the Blonde Ambition World Tour in 1990 because Madonna simulated masturbation during her performance of Like A Virgin. That was back when we got our news from a TV screen instead of a computer screen. Did you not see the news or do you not remember?
Anyway the point is with ubiquitous connectivity that we have today the expectation is that everything will be always connected and everything tries to use the connection to update itself. If only there were some kind of setting to turn off autoupdate.
(Score: 1, Insightful) by Anonymous Coward on Wednesday September 26 2018, @01:08AM (2 children)
well... no, that's a stupid expectation unless you mean: retarded people from marketing want their noses on people's shit all the time
(Score: 0) by Anonymous Coward on Wednesday September 26 2018, @01:14AM (1 child)
Don't you want to get updates automatically? How else will you keep up with the new emojis trending this week?
(Score: 1, Touché) by Anonymous Coward on Wednesday September 26 2018, @02:48AM
The latest visual studio update came with 7.6 GB of emoji support.
(Score: 1, Offtopic) by Runaway1956 on Wednesday September 26 2018, @01:29AM (6 children)
Whooshing right back at you.
We kinda sorta noticed the pope's edict, in the same manner in which we noted that some politician claimed to be the inventor of the internets. And, that's almost the same notice taken of some blonde skank performing obscene stunts on stage in front of audiences of brainwashed zombies. None of those things had any meaning to the average person - it was just something to laugh at, or not.
(Score: 0, Redundant) by Anonymous Coward on Wednesday September 26 2018, @01:46AM (5 children)
You're taking the mention of a pope too seriously here.
Simplified for you:
Don't like modern technology (the web)? Why don't you go back in time to when the technology didn't exist (1990) and while you're there go see some event that happened (concert tour). Except a conservative person who prefers the past might not like something that happened (concert scandal) back then either.
(Score: 1) by khallow on Wednesday September 26 2018, @04:59AM (2 children)
So we have a bit of drama in 1990 (ignoring that I wasn't listening to Madonna, the Pope, or TV at the time). What would be any different about the drama today? I don't see it playing out any different. Madonna still gives the concert with increased publicity. The Pope gets his say. And we still hear about it through the various news sources out there.
(Score: 0) by Anonymous Coward on Thursday September 27 2018, @02:42AM (1 child)
Tor Browser sends update queries to Mozilla because things expect always on connectivity, khallow.
Things today expect always on connectivity, khallow.
We have always on connectivity today because of the internet, khallow.
We have the internet everywhere today because the web made the internet popular, khallow.
The World Wide Web didn't exist in 1990, khallow.
Get in your time machine and go back to 1990 and kill yourself, khallow.
The future doesn't want you, khallow.
Fuck off and die, khallow.
(Score: 1) by khallow on Friday September 28 2018, @04:30AM
(Score: 2) by maxwell demon on Wednesday September 26 2018, @06:24AM
So you think wanting privacy is something inherently conservative?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Wednesday September 26 2018, @04:55PM
Is there some magic reason why the phoning home functions can not be turned off? Are users no longer capable of making decisions for themselves?
(Score: 2) by c0lo on Wednesday September 26 2018, @09:39AM
Now you start to make sense.
Use subtlety sparingly, mate, too much of it and many will take the false track due to no faults of their own.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Wednesday September 26 2018, @11:25AM (1 child)
You picked a bad example there, while that might have been an event of some import to you, to some of us out here it means less than nothing.
1. Pope John Paul II: Despite (or, because of) having had to suffer a Catholic education, and half my family being Catholic, I'm an atheist...I can't even tell you which this one was (the one that got poisoned?, the CIA pope?) without Googling the bugger(sic?).
2. told Catholics: So why do you think that anyone who doesn't drink that particular brand of Sky Fairy Kool-Aid (see 1) cared about what he said about anything?
3. Madonna simulated masturbation: Ah, Madonna, that would be 80's pop music, wouldn't it?...nope, sorry, of no interest then or now. (FWIW, I prefer my blonde pop star 'skank' to be a nice mid 70's vintage Debbie Harry)
4. Did you not see the news or do you not remember?: To a lot of us, the antics of a pop star and the subsequent witterings of a Grand Poobah sky pilot on said antics weren't of any interest in the first place, let alone worth remembering...and some of us can remember back to the 60's thank you very much...
But yeah, got what you intended to mean, but bad example...
(Score: 0) by Anonymous Coward on Thursday September 27 2018, @02:22AM
No, it's a great example. Madonna was touring mere months before the Web began. You can't appreciate that fact because you're a elitist bigot.
Pope John Paul II was pope for 26 years and was pope when The World Wide Web was invented. Madonna is the highest grossing solo touring artist of all time. These people are public figures. You are expected to know who they are.
I'm not Catholic but I sure know who the pope is (Pope Francis now in case you haven't noticed). I don't listen to Madonna but I sure know who she is (still singing in case you haven't noticed).
The Blonde Ambition World Tour ended in August 1990, and the first World Wide Web browser was released in December 1990. If you set your time machine for September 1990 you can enjoy three blissful months while Madonna is not on tour and the web won't exist yet.
Since you hate popular music, and you also hate popular religious objections to.popular musicians, you must also hate how the popularity of the web led to the popularity of the internet. During those few good old days of 1990 the entire internet can be yours alone, dear elitist bigot.
Congratulations for being an old crotchety asshole. You're a perfect fit for SoylentNews. SoylentNews is old people. Just like you.
(Score: 2, Insightful) by Anonymous Coward on Wednesday September 26 2018, @01:20AM (6 children)
You'd think TBB developers would be the kind of people with an eye for this sort of thing.
How did this make it to end users? I really don't get it. Are most people in the world just half sentient?
(Score: 0) by Anonymous Coward on Wednesday September 26 2018, @01:29AM
Not enough Low Quality Assurance, that's the problem. Tor Project should contract Soggy Quality to do all their testing and quality audits. Michael David Crawford has an army of soggy teenage girls fresh out of the showers and eager to get to work finding issues just like this one.
(Score: 1, Funny) by Anonymous Coward on Wednesday September 26 2018, @02:04AM
Somehow Mozilla not being ran by autists wasn't a giant red flag.
(Score: 2) by jasassin on Wednesday September 26 2018, @03:19AM (2 children)
The thing that bothers me is that it was reported and noone appears to give a shit. This isn't like fixing some insdeous bug, it's hacking one line of code. I'm baffled.
I'd fix it but my addition of a // in the beginning of a line might confuse and anger them.
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 2) by takyon on Wednesday September 26 2018, @03:48AM
Getting ready for the ultimate Tor-browser integration [soylentnews.org]?
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by exaeta on Wednesday September 26 2018, @04:43AM
Mozilla is (probably) on the side of the NSA, what did you expect? There are lots of vulnerabilities in Firefox. I suspect many are intentional.
The Government is a Bird
(Score: 2) by takyon on Wednesday September 26 2018, @03:47AM
We've repeatedly heard about Firefox integrating Tor into the main browser [soylentnews.org]. If you think things are bad now...
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 1, Flamebait) by exaeta on Wednesday September 26 2018, @04:39AM (1 child)
Shit like this can ONLY be managed by an expert.
Mozilla will NEVER be able to put out secure software.
The Government is a Bird
(Score: 2) by realDonaldTrump on Wednesday September 26 2018, @07:30AM
So many times, they make the cyber but they forget to put in the SECURITY. They make it look so beautiful, they make it do amazing things. Incredible things -- the aircraft carriers, the porn, the Cell Phone and everything else. But it's not secure. Trust me, bad cyber is a disaster for our Country. It's doing a number on our Elections, our Energy Grid, our everything. You'd think, cyber is so hard, the low I.Q. folks would do something else, right? WRONG! But don't worry. The forgotten cyber is FORGOTTEN NO MORE! We're putting the Security in. I call it my National Cyber Strategy. America First! 🇺🇸 whitehouse.gov/articles/president-trump-unveils-americas-first-cybersecurity-strategy-15-years [whitehouse.gov]
(Score: 2) by RamiK on Wednesday September 26 2018, @10:01AM (5 children)
Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
compiling...
(Score: 0) by Anonymous Coward on Wednesday September 26 2018, @03:12PM (4 children)
In this case the info is being shared with the target website *and* being sent back to Mozilla, along with URL and total ping count. Further, this isn't vanilla Firefox, it's the TOR browser bundle which suggests a higher level of security and privacy. This is not acceptable and could put lives at risk given that TOR is used by whistleblowers and professional journalists in parts of the world where oppressive governments and regimes have a habit of murdering them. Russia is just one example.
(Score: 0) by Anonymous Coward on Wednesday September 26 2018, @04:06PM
Correction...
Prior to my morning coffee, instead of "TBB" in the summary I saw "TPB" which immediately made me think that people browsing The Pirate Bay had noticed their browser sending that info back to Mozilla. Now that I'm more awake I can see this isn't the case. Please disregard my comment, journalists are unaffected by this and the world seems to still be roughly the same as it was yesterday. :-/
(Score: 2) by RamiK on Wednesday September 26 2018, @04:27PM (2 children)
You're joking, right? This is the browser dialing to mozilla's server for updates in TOR and only telling them the obvious. Moreover, TOR users are already visible to man-the-middle infrastructure (government and ISPs) since the connection to the exit nodes can't be disguised. What keeps them safe is how the content of the connection is encrypted.
If you don't trust mozilla why use their browser in the first place?
compiling...
(Score: 0) by Anonymous Coward on Wednesday September 26 2018, @06:25PM (1 child)
I don't trust anyone to install updates on my computers without my permission. I don't want to have to change the settings every time I update and if I wanted convenience I wouldn't be using TBB.
Centralized trust tempts capture, if it hasn't happened already, if they don't trust users to keep browsers upto date why should be trust them.
In the end a simple stripped down browser connecting through a tor rotating proxy goes along way to mitigate these risks.
(Score: 2) by RamiK on Wednesday September 26 2018, @07:51PM
You use javascript enabled browsers. Many of which to access sites with server-side functionality. And I doubt you read through the code when you do "permit" updates so it's not an informed consent regardless...
Unless you read Mozilla's code, you're already putting your safety in their hands. Knowingly or otherwise.
compiling...