
Re: The Spirit of Free Software, or the Reality - programmernews3
https://lists.debian.org/20150714230628.GA7938@jwilk.net
======
iMerNibor
So, from what I gathered it's just the favicons of the search engines, some
Mozilla country stuff (not sure why) and Google Safe Browsing (which you can
turn off and is a good feature for casual users). So what's the issue here? All
this isn't really a problem, and Safe Browsing is, in my opinion, even good for
normal users.

~~~
Manishearth
I'm pretty sure that these GET requests don't even fetch with cookies, so
fingerprinting is probably impossible here. The most info they can get is
"hey, this IP uses Firefox". Harmless in itself. It can be compounded with
more info to track someone, but all of this info already contains IP/browser
info so this doesn't help at all.

~~~
dclusin
I recall reading something on the internet that IP + browser fingerprint is
good enough to uniquely identify a large number of people. Has this changed, or
is it otherwise untrue?

~~~
duskwuff
Getting the type of "browser fingerprint" they're depending on here requires a
bunch of Javascript. You can't get that data from just looking at a single
request, which is all that they're getting here.

~~~
HappyTypist
I think IP + useragent + locale (which is sent with every HTTP request) is
enough to pinpoint most users.

~~~
markvdb
Especially Debian users ("iceweasel" in the user agent string!)...

~~~
avian
I made an add-on that tries to help with that:
[https://github.com/avian2/thawed-weasel](https://github.com/avian2/thawed-weasel)

------
pbiggar
This is what happens when folks with a radically-non-mainstream view of
privacy try to use an app built for mainstream folks by folks with slightly
more mainstream opinions about privacy.

~~~
tedunangst
It's not obvious to me that "I want my browser to tell Google about every site
I visit" actually is the mainstream view of privacy.

~~~
iMerNibor
"Privacy

Google maintains the Safe Browsing Lookup API, which has a privacy drawback:
"The URLs to be looked up are not hashed so the server knows which URLs the
API users have looked up". The Safe Browsing API v2, on the other hand, has
the following privacy advantage: "API users exchange data with the server
using hashed URLs so the server never knows the actual URLs queried by the
clients". The Firefox and Safari browsers use the latter."
[https://en.wikipedia.org/wiki/Google_Safe_Browsing#Privacy](https://en.wikipedia.org/wiki/Google_Safe_Browsing#Privacy)
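The quoted passage contrasts two lookup styles: the Lookup API sends the plaintext URL, while the v2 protocol has the client keep a list of short hash prefixes, query the server only on a local prefix hit, and send nothing but that prefix. The following added example (written for this thread, not Google's code or the real wire protocol) models both exchanges with a toy server that records what it learns from the client. The URL list, visited URLs, the single-SHA-256-per-URL simplification and the 4-byte prefix are all constructed for illustration.

```python
import hashlib

PREFIX_LEN = 4  # bytes of the full hash a v2-style client reveals (32 bits)


def url_hash(url: str) -> bytes:
    """SHA-256 of the URL. Simplification: real Safe Browsing canonicalises the
    URL and hashes several host/path combinations; one hash per URL is enough
    to show the privacy difference between the two lookup styles."""
    return hashlib.sha256(url.encode("utf-8")).digest()


class SafeBrowsingServer:
    """Toy server holding full hashes of a constructed unsafe-URL list and
    recording everything clients send it, so we can inspect what it learns."""

    def __init__(self, unsafe_urls):
        self.full_hashes = {url_hash(u) for u in unsafe_urls}
        self.learned = []

    def prefix_list(self):
        # v2-style: clients download the prefix list once and check locally first
        return {h[:PREFIX_LEN] for h in self.full_hashes}

    def lookup_url(self, url: str) -> bool:
        # Lookup-API style: the plaintext URL reaches the server
        self.learned.append(("url", url))
        return url_hash(url) in self.full_hashes

    def lookup_prefix(self, prefix: bytes) -> list:
        # v2-style: the server only sees a short prefix and returns every
        # full hash that starts with it; the client does the final comparison
        self.learned.append(("prefix", prefix.hex()))
        return [h for h in self.full_hashes if h.startswith(prefix)]


class HashPrefixClient:
    """Client side of the v2-style exchange."""

    def __init__(self, server: SafeBrowsingServer):
        self.server = server
        self.local_prefixes = server.prefix_list()

    def is_unsafe(self, url: str) -> bool:
        h = url_hash(url)
        prefix = h[:PREFIX_LEN]
        if prefix not in self.local_prefixes:
            return False  # local miss: no request is made, the server learns nothing
        return h in self.server.lookup_prefix(prefix)


# Constructed sample data; these hosts are illustrative, not real indicators.
UNSAFE_URLS = ["http://malware.example/payload", "http://phish.example/login"]
VISITED = ["http://news.example/", "http://phish.example/login", "http://bank.example/"]


def compare_modes():
    """Run the same browsing session through both lookup styles and return
    (verdicts, what the Lookup-API server learned, what the v2 server learned)."""
    lookup_server = SafeBrowsingServer(UNSAFE_URLS)
    lookup_verdicts = [lookup_server.lookup_url(u) for u in VISITED]

    v2_server = SafeBrowsingServer(UNSAFE_URLS)
    client = HashPrefixClient(v2_server)
    v2_verdicts = [client.is_unsafe(u) for u in VISITED]

    assert lookup_verdicts == v2_verdicts  # same protection, different leakage
    return v2_verdicts, lookup_server.learned, v2_server.learned


if __name__ == "__main__":
    verdicts, leaked_urls, leaked_prefixes = compare_modes()
    print("verdicts:", verdicts)
    print("Lookup API server learned:", leaked_urls)
    print("v2 server learned:", leaked_prefixes)
```

Running it shows the Lookup-API server ends up with every URL visited, while the v2 server sees a single 8-hex-digit prefix for the one URL whose prefix was already in the local list, and nothing at all for the other two. Note that the prefix still tells the server that the client visited some URL in that prefix bucket, which is the residual leak the v2 design accepts; the cookie issue raised further down the thread is a separate channel that this model does not cover.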

~~~
tedunangst
Heh. The next paragraph after that quote is:

> Safe Browsing also stores a mandatory preferences cookie on the computer[9]
> which the US National Security Agency allegedly uses to identify individual
> computers for purposes of exploitation.[10]

That may or may not be true, but must one be a radical to be concerned?

~~~
nickodell
It's true, but slightly misleading.

If you open firefox and browse to a few sites, it will send that cookie. If
you then take your computer down to the coffee shop and keep browsing, even if
you don't log into anything, it will still send that cookie in the clear.

There are other ways that the NSA can figure out a list of IP addresses you've
been using, but this is 1) totally silent, and 2) is common to a _lot_ of
systems.

------
hendry
At Webconverger I've been working on whittling these leaking issues down, by
wiresharking Firefox, e.g.

[https://github.com/Webconverger/webconverger-addon/issues/42](https://github.com/Webconverger/webconverger-addon/issues/42)
[https://github.com/Webconverger/webconverger-addon/issues/41](https://github.com/Webconverger/webconverger-addon/issues/41)
[https://github.com/Webconverger/webconverger-addon/issues/43](https://github.com/Webconverger/webconverger-addon/issues/43)

Though with things like
[https://bugzilla.mozilla.org/show_bug.cgi?id=1100304](https://bugzilla.mozilla.org/show_bug.cgi?id=1100304)
and anti-features like [http://dustri.org/b/firefox-youre-supposed-to-be-in-my-pocke...](http://dustri.org/b/firefox-youre-supposed-to-be-in-my-pocket-not-the-other-way-around.html)
you got to wonder if Mozilla has stopped caring about privacy.

~~~
provemewrong
It's interesting, especially since Firefox currently heavily uses "privacy" as
their selling point:

>Committed to you, your privacy and an open Web [1]

>We’ve always designed Firefox to protect and respect your private
information. That’s why we’re proud to be voted the Most Trusted Internet
Company for Privacy. [1]

>When it’s personal, choose Firefox. [2]

[1]: [https://www.mozilla.org/en-US/firefox/desktop/](https://www.mozilla.org/en-US/firefox/desktop/)

[2]: [https://www.mozilla.org/en-US/firefox/new/](https://www.mozilla.org/en-US/firefox/new/)

------
PhantomGremlin
These browsers are all constantly accessing many sites. Here's[1] a comment I
posted a month ago about Firefox. The summary is here's (at minimum) what
Firefox accesses when it starts up as a Guest in OS X, and this is _after_ I
unchecked a bunch of boxes:

    self-repair.mozilla.org
    snippets.cdn.mozilla.net
    search.yahoo.com
    location.services.mozilla.com
    www.mozilla.org
    tiles.services.mozilla.com
    safebrowsing.google.com
    aus4.mozilla.org

Try it yourself as Guest. But make sure that Parental Controls are on. That
way OS X will pop up these sites and ask permission. Firefox is unusable w/o
opting in to all of these.

[1]
[https://news.ycombinator.com/item?id=9743799](https://news.ycombinator.com/item?id=9743799)

------
otherusername2
The whole shrugging off and downplaying of issues like this are exactly the
reason the internet is complete shit when it comes to security.

Why, after all the exploits, insecure software and bad decisions, can people
_still_ not see that they can't anticipate everything?

For instance, here's a scenario I can easily envision: The NSA strongarms eBay
into letting them sniff TCP connections to their favicon, combines the TCP
fingerprint with the browser useragent to uniquely identify you from perhaps
millions of other users. Geolocate your IP to determine where you are and
_bam_ they know all about you they need to know. Tin-foil hat? Of course.
Plausible? Totally. Doable? Absolutely. They don't need to be perfect, just
good enough.

------
sethish
Wait, we all realize these are grabbing the favicons for the bookmarks right?
This list of .iso's reads to me like a list of default bookmarks.

------
Qantourisc
I also wonder how much work it would be to make a version with these stripped
out. Replacing functionality with a NOOP is often not that hard.

~~~
okasaki
The problem is that it's a big responsibility. You can't just do it once and
dump it on the internet. It has to be kept up to date with the latest Firefox
versions, and it has to have prompt releases (within a day). You also need to
be absolutely sure that your changes aren't creating more problems than
they're fixing.

------
MichaelCrawford

    127.0.0.1 www.google-analytics.com
    127.0.0.1 ssl.google-analytics.com
    127.0.0.1 www.hosted-pixel.com # I Swear I'm Not Making This Up

On some but not all operating systems it's better to use 0.0.0.0.

It's better to block it with a firewall but your aged grandmother doesn't know
how to configure them.

iOS and I expect Android have hosts files but you must jailbreak to edit them.
On iOS you can do that with iFile from the Cydia store. iFile once cost money
but it's free now.
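The hosts-file entries above rely on the file's simple line format (address, then one or more names, with `#` comments), and the comment notes that the best sink address differs by operating system. As an added example, not from the thread, here is a small parser that reads such a file, reports which names are sunk to a blackhole address, and emits a blocklist with the sink address left as a parameter. The sample file text is constructed for this example (it reuses the three entries from the comment and adds a normal mapping, a two-name line and a malformed line); the loopback-name list and sink-address set are my assumptions about what a blocking hosts file typically contains.

```python
import ipaddress

# Addresses commonly used as a "sink" in a blocking hosts file (assumption).
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}
# Names that legitimately map to loopback and must not be reported as "blocked".
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Constructed sample hosts file: the comment's three entries plus extra lines
# that exercise comments, multiple names per line and a malformed address.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1 www.google-analytics.com
127.0.0.1 ssl.google-analytics.com
127.0.0.1 www.hosted-pixel.com # I Swear I'm Not Making This Up
0.0.0.0   tracker.example stats.example   # two names on one line
192.0.2.10 intranet.example
not-an-address bogus.example
"""


def parse_hosts(text: str) -> dict:
    """Return {hostname: address} for every mapping in hosts-file text.
    Comments start at '#', fields are whitespace-separated, and one line may
    map several names to the same address. Malformed lines are skipped so a
    single typo does not abort the whole scan."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        for name in names:
            mapping[name.lower()] = addr
    return mapping


def blocked_hosts(text: str) -> list:
    """Hostnames the file sends to a sink address, sorted, loopback names excluded."""
    return sorted(
        n for n, a in parse_hosts(text).items()
        if a in SINK_ADDRESSES and n not in LOOPBACK_NAMES
    )


def is_blocked(text: str, hostname: str) -> bool:
    """True if the file sinks this hostname (case-insensitive, as DNS names are)."""
    name = hostname.lower()
    return name not in LOOPBACK_NAMES and parse_hosts(text).get(name) in SINK_ADDRESSES


def render_blocklist(hostnames, sink: str = "0.0.0.0") -> str:
    """Emit hosts-file lines sinking the given names. The sink is a parameter
    because, as the comment above says, which address works best depends on
    the operating system."""
    if sink not in SINK_ADDRESSES:
        raise ValueError(f"{sink!r} is not a sink address")
    return "".join(f"{sink} {h}\n" for h in sorted(set(hostnames)))


if __name__ == "__main__":
    print("blocked:", blocked_hosts(SAMPLE_HOSTS))
    print(render_blocklist(blocked_hosts(SAMPLE_HOSTS)), end="")
```

The parser lower-cases names before storing them, so a check for `WWW.Hosted-Pixel.com` matches the entry written in lower case; it also ignores the comment text on the `www.hosted-pixel.com` line rather than treating the words after `#` as additional hostnames. It does not validate hostname syntax, and it reflects only the file, not whatever the system resolver actually does with it.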

~~~
freshyill
My Grandmother's a real ace when it comes to editing hosts.

~~~
gkoberger
Your grandmother probably doesn't use Ice Weasel, and probably doesn't care
it's making requests.

