
Stop Firefox leaking data about you - amq
https://github.com/amq/firefox-debloat
======
dao-
Seems like lots of FUD; how do Firefox Hello, Pocket and Geolocation "leak
data about you" if you don't explicitly use them? How do DRM and Reader mode
leak data at all?

Also, Safe Browsing, DRM, Search suggestions, Telemetry and Health report can
be disabled in the preferences UI. Don't need sensationalist about:config
protips for that.

~~~
akavel
Also, from the description of the Safe Browsing feature (as linked on the
above page), it seems that it _doesn 't_ actually send (and thus leak) URLs;
rather, it _downloads_ a blacklist from Google periodically (~30min), and
checks URLs against it _locally_... [https://support.mozilla.org/en-US/kb/how-
does-phishing-and-m...](https://support.mozilla.org/en-US/kb/how-does-
phishing-and-malware-protection-work#w_how-does-phishing-and-malware-
protection-work-in-firefox)

(Though, for _file downloads_ , some meta information seems to be sent if I'm
reading correctly.)

~~~
TheLoneWolfling
Note that it does indeed recheck against the remote copy on a blacklist hit.

So Google could indeed easily track URLs by adding it on the periodic check
and then returning false on the specific check.

~~~
magicalist
I'm quite late with this, but this is incorrect. At no time is the URL sent to
Google; in fact, at no time is even the _hash_ of the full URL sent to Google.
I'd suggest you re-read the safebrowsing protocol.

As ploxiln notes, if a hit is found with a matching prefix to the
(canonicalized) URL, a request is made for all hashes of URLs beginning with
that hashed prefix. The hash of the current URL can then be checked against
that list locally.

~~~
TheLoneWolfling
I was oversimplifying, sorry. You are correct that the URL isn't ever
explicitly sent.

However.

Generally there are only one or two URLs that start with the hash prefix that
_is_ explicitly sent to Google. Which means in practice it may as well be
leaking the actual URL to Google.

Especially as there are multiple hashes per URL (5 worst-case?).

If Google wants to track a URL, they can do so.

------
avian
Another thing worth noting is that if you are using Debian-rebranded Firefox
(Iceweasel), you have a very unique user agent that is easy to track.

There is a bug opened ([https://bugs.debian.org/cgi-
bin/bugreport.cgi?bug=748897](https://bugs.debian.org/cgi-
bin/bugreport.cgi?bug=748897)), but as far as I know, no simple solution
exists yet. You can change the user agent with an extension to keep it
identical with the most popular Firefox version, but then you have to manually
keep it up-to-date.

~~~
RolloTom
If you don't want edit manually user agent, oscpu and platform in
"about:config" then blender can do it for you:
[https://addons.mozilla.org/it/firefox/addon/blender-1/](https://addons.mozilla.org/it/firefox/addon/blender-1/)

EDIT: seems that this extension need to be updated, sorry...

But I don't know, if you allow javascript maybe you will leak your real user
agent?

I like to switch between iceweasel and seamonkey, and I'm "proud" of my
different and unique user agent :) Speaking of privacy, actually I'm more
concerned about referer, third-party sites, content delivery networks and so
on.

~~~
JoshTriplett
> But I don't know, if you allow javascript maybe you will leak your real user
> agent?

The user-agent provided to JavaScript is the same one sent via HTTP.

~~~
RolloTom
Good to know, thank you!

------
salibhai
Seems like a bad idea turning off phishing notifications and browser warnings

[http://kb.mozillazine.org/Browser.safebrowsing.enabled](http://kb.mozillazine.org/Browser.safebrowsing.enabled)
Firefox 2.0 incorporates the Google Safe Browsing extension in its own
Phishing Protection feature to detect and warn users of phishy web sites.

~~~
cremno
I think using a blocker extension like uBlock Origin restores (at least
partially) this functionality without involving Google.

~~~
scott_karana
Right, but then you're just changing _who_ you leak data to, you're not
stopping the leak.

EDIT: wow, downvotes? Getting a list from EasyList is just as much a leak as
getting a list from Google. _Someone_ has your IP either way.

~~~
glass-
> Getting a list from EasyList is just as much a leak as getting a list from
> Google. Someone has your IP either way.

The problem with SafeBrowsing isn't downloading the list, it's that it sends
data back to Google if it finds a match. Malware lists with AdBlock plugins
don't do this.

~~~
scott_karana
My understanding was that Google's malware list is a two prong approach:

    
    
      1: An all-in-one lump download of blacklists
      2: Optionally, "Enhanced" also sends hashed URLs to Google in case specific sub-pages aren't on the list, etc
    

Easylist, of course, only offers #1. Firefox, by default, uses both, which is
less private, but seemingly still configurable to use only #1.

Citations:

[http://www.google.com/tools/firefox/safebrowsing/faq.html](http://www.google.com/tools/firefox/safebrowsing/faq.html)

[https://developers.google.com/safe-
browsing/firefox3_privacy...](https://developers.google.com/safe-
browsing/firefox3_privacy_faq)

[http://www.pclinuxos.com/forum/index.php?topic=124878.0](http://www.pclinuxos.com/forum/index.php?topic=124878.0)

------
Animats
Mozilla has an annoying pattern of removing items from the user preferences to
"avoid user confusion", an excuse companies often use when deceiving
customers. (Example: Microsoft dropping the "RT" designation. [1])
"Accept/reject third-party cookies", for example, doesn't always appear in the
preferences any more.

Mozilla's new "social" features don't have a turn-off option in the
Preferences. You can disable them by going to "about:config", creating the tag
"social.enabled" (it doesn't even exist by default) and it to False. Mozilla
provides no easy way to do that. This add-on takes care of those convenient
little omissions.

Obviously, Mozilla is doing all this to tie users to their mothership and make
it harder for them to leave. It's not like users were crying out for "Pocket"
integration in the browser.

[1] [http://www.winbeta.org/news/surface-2-no-longer-has-rt-
brand...](http://www.winbeta.org/news/surface-2-no-longer-has-rt-branding-
attempt-avoid-customer-confusion)

~~~
ep103
Yeah, Google never does this with their interfaces (/sarcasm)

~~~
driverdan
OP said nothing about Google. What Google does isn't necessarily relevant to
what Mozilla does.

------
tux
Don't forget about this;

"media.peerconnection.enabled = false" WebRTC leaks IP when you use TOR/VPN,
test it with ipleak.net

"beacon.enabled = false" Blocks
[https://w3c.github.io/beacon/](https://w3c.github.io/beacon/) analytics.

Also recommend using plugins; uBlock, NoScript if you use VPN.

~~~
DiThi
How can WebGL leak your IP? Did you confuse it with WebRTC?

~~~
tux
Yes sorry ^_^ I meant WebRTC :) Edited!

------
garrettr_
Please for the love of god _do not_ disable the Google SafeBrowsing
preferences. SafeBrowsing protects you from a lot of malicious websites, and
does not leak much information to Google. For most people the security
benefits of SafeBrowsing far outweigh the privacy concerns.

It is important to remember that malicious websites and malware in general may
negatively impact your security and privacy in extremely harmful ways (malware
compromises PII, website credentials, financial information, uses webcam and
microphone to photograph/film/record you from blackmail/revenge porn purposes,
...)

For context, please see these relevant Mozilla bugs about SafeBrowsing privacy
concerns: [0], [1]. tl;dr Firefox must set a cookie for SafeBrowsing, but it
uses a separate cookie jar for SafeBrowsing so Google cannot tie the
Safebrowsing activity to anything else you do related to Google or their
services (which is the biggest concern here). They can learn a limited profile
of your browsing activity, along the lines of "Random user x often uses their
browser between 9am and 5pm on M-F".

The Safebrowsing implementation is specifically designed to be privacy-
preserving. [2] It uses a Bloom filter to implement fast lookups in a
minimally sized hash table of known malicious URL's. The only time a full URL
(actually various _hashes_ of multiple prefixes of the full URL, including the
full URL) that you browse it sent to Google is when a prefix of it collides
with a known malicious URL, in which case the URL must be sent to Google to
resolve the question of whether the URL you are trying to visit is actually
malicious or just a false positive from the Bloom Filter. Yes, the hashes are
unsalted so it would be possible for Google to check if you were trying visit
some pre-determined URL ("were they trying to visit www.thoughtcrime.org?")
but only if it collided with a known malicious URL.

It would be helpful to know what the average rates of collisions and false
positives are to get a sense of how much of an average user's browsing history
is leaked to Google through Safe Browsing - can anybody from Google comment?

[0]:
[https://bugzilla.mozilla.org/show_bug.cgi?id=368255](https://bugzilla.mozilla.org/show_bug.cgi?id=368255)
[1]:
[https://bugzilla.mozilla.org/show_bug.cgi?id=897516](https://bugzilla.mozilla.org/show_bug.cgi?id=897516)
[2]: [https://code.google.com/p/google-safe-
browsing/wiki/SafeBrow...](https://code.google.com/p/google-safe-
browsing/wiki/SafeBrowsingDesign)

~~~
dec0dedab0de
_Please for the love of god do not disable the Google SafeBrowsing
preferences. SafeBrowsing protects you from a lot of malicious websites, and
does not leak much information to Google. For most people the security
benefits of SafeBrowsing far outweigh the privacy concerns._

I would never disable it for my mom, or any non technical friends. But I would
hope the majority of HN users are pretty good at spotting, and steering clear
of malicious websites.

~~~
garrettr_
They're _designed to trick you_ , so I don't think any population, no matter
how sophisticated, should trust themselves to correctly identify malicious
websites 100% of the time.

Additionally, some sites may potentially contain exploits that run as soon as
you visit the site (vulnerabilities in plugins like Java or Flash, drive-by
downloads, etc.) in which case it doesn't matter if you correctly identify the
website as malicious and hit the "Back" button - it's already too late. Much
better to avoid loading the content at all, which is exactly what is achieved
with SafeBrowsing.

------
gruez
How exactly does reader.parse-on-load.enabled leak privacy? Isn't everything
parsed locally?

~~~
scott_karana
I too am curious about this one.

------
wodenokoto
While visiting google every 30 minutes or so is a way of leaking, you aren't
leaking much more than ip and the fact that this up is in Firefox.

Isn't reader an offline functionality?

~~~
TheLoneWolfling
You're missing that any blacklist hits are rechecked against Google.

So it leaks a heartbeat, _and any hits against the blacklist_.

~~~
wodenokoto
Is that new? Back when they started implementing they were saying that the did
it as privately as possible, so that google couldn't track your browsing. It
seems unnessecary. You do t get hits very often, so they could just redownload
the entire list when there is a hit if they feel like double checking.

------
chimeracoder
Don't forget about WebRTC: [https://github.com/diafygi/webrtc-
ips](https://github.com/diafygi/webrtc-ips)

If you have WebRTC enabled, any website can determine _both_ your local IP
address (e.g. 192.168.1.1) and your globally-addressable IP address. The
combination of these is essentially unique, and can even be better than cookie
tracking or browser fingerprinting.

It's possible to disable WebRTC in Firefox, but AFAIK not in
Chrome/Chromium[0].

As for Firefox Hello and Pocket integration, you can turn these off if you
want, but I'm 99% certain that they don't actually send any data about you
unless you actually use them.

[0]
[https://productforums.google.com/forum/#!topic/chrome/gJ8HF-...](https://productforums.google.com/forum/#!topic/chrome/gJ8HF-
yoG-Y)

~~~
SapphireSun
You're really not going to like IPv6 are you?

------
aorth
Recommends turning on Firefox's built-in tracking protection[0] (which matured
in Firefox 37 or so), but has anyone compared this to uBlock? I guess the
first thing to measure would be number of trackers blocked, but then of course
memory and CPU usage would be interesting as well. uBlock has done this
comparison[1] against AdBlock Plus, Disconnect, etc, so it would be very
interesting...

[0] [https://support.mozilla.org/en-US/kb/tracking-protection-
fir...](https://support.mozilla.org/en-US/kb/tracking-protection-firefox)

[1]
[https://github.com/gorhill/uBlock/#performance](https://github.com/gorhill/uBlock/#performance)

------
amq
Important changes:

\- Reader mode is confirmed not leaking data. No need to disable it.

\- There is a way to stop leaking the browser history to Google while keeping
Safe Browsing.

* both tested using Fiddler

------
pseud
Most of these are enabled automatically with Tinfoil:

[https://addons.mozilla.org/en-
US/firefox/addon/tinfoil/](https://addons.mozilla.org/en-
US/firefox/addon/tinfoil/)

[https://github.com/cohjam/tinfoil](https://github.com/cohjam/tinfoil)

------
jaxb
I guess there is a similar howto on various opt-out settings in Google account
itself?

[https://history.google.com/history/](https://history.google.com/history/) and
[https://plus.google.com/settings/endorsements](https://plus.google.com/settings/endorsements)
etc.?

------
erikb
I don't know but the DRM stuff is actually cool with me. I guess you can't
convince the lawyers of nearly all media to turn on DRM for a few decades to
come. But I still want to use things like Netflix. With the new DRM stuff you
can at least have it running on a Linux instead of a Windows system. Step by
step in the right direction, I'd say.

------
cedricbonhomme
Maybe I'll update my Firefox configuration:
[https://bitbucket.org/snippets/cedricbonhomme/cbj6/firefox-c...](https://bitbucket.org/snippets/cedricbonhomme/cbj6/firefox-
configuration)

------
zbraniecki
It would be awesome to turn it into an extension that makes it a single
toggle.

~~~
Someone1234
I wouldn't use it since it:

\- Disables the malware and phishing lists/warnings.

\- Disables HTML5-video DRM (even if this has nothing to do with leaking
data).

\- Geo location already brings up a popup (and thus disabling it seems petty).

~~~
eridal
>* - Disables HTML5-video DRM (even if this has nothing to do with leaking
data).*

I would rather live in a browser without video support, than with DRM

~~~
icebraining
Mozilla provides EME-free builds of Firefox:
[https://news.ycombinator.com/item?id=9534096](https://news.ycombinator.com/item?id=9534096)

------
MichaelCrawford
127.0.0.1 www.google-analytics.com

127.0.0.1 www.hosted-pixel.com

The political candidates are the worst.

------
fapjacks
Wow. What the fuck, Mozilla? Here I was, really hopeful that you were actually
serious about honoring user desire for privacy.

~~~
m3Lith
Did you even check out the link? There is nothing sensational or exceptional
about collecting/sending basic user data when using certain features, most of
which can be easily disabled/not used.

~~~
fapjacks
"Easily disabled" for example like tweaking about:config? Yeah, that's _super_
easy and accessible for the average user!

~~~
gerv
The fact that he only lists the about:config way doesn't mean that this is the
only way to do it. Many of these options have GUI prefs.

