
WOT is selling your PII and browsing history - gillytech
http://lifehacker.com/web-of-trust-sells-your-browsing-history-uninstall-it-1788667989
======
mkesper
Recent discussion:
[https://news.ycombinator.com/item?id=12870953](https://news.ycombinator.com/item?id=12870953)

------
stowawaywot
I have seen the data the article talks about. For more than 99 % of the URLs,
there was NO "cleaning" performed whatsoever, instead they just used the raw
URL and made it thus accessible to anyone who bought the data. Some of these
URLs included sensitive session information, password reset tokens, e-mails or
private links to content hosted on Dropbox / Google Calendar / Google Drive
and similar web services.

Also, WOT is not the only extension doing this, the company behind it has
hundreds of other extensions and mobile apps that perform the same kind of
data collection, capturing several percent of the entire Web traffic in total
(in Germany alone, almost 3 million people were spied upon using this
technique).

Browser vendors really need to change their attitude towards extensions, as
they basically allow users to install malware/spyware in their browsers
without performing any real certification / auditing. At the very least there
should be a way for users to see a full audit log of the information that an
extension sends to remote servers, as this is usually already enough to tell
if the extension is sending more data than it should.

Also, anonymization should NEVER be done on the remote end, but always at the
source, as there is no way to guarantee that it will happen otherwise (as WOT
proves).
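
The two points above (anonymize at the source, and audit what an extension sends) can be sketched in JavaScript. This is an added example, not part of the original comment and not WOT's code; the function names are hypothetical, the sample URLs are constructed, and it assumes a reputation lookup needs nothing beyond the host name.

```javascript
// Added illustration, not WOT's code. Function names are hypothetical and the
// sample URLs are constructed (reserved example.* domains).

// Source-side minimisation: a reputation lookup needs the host only, so the
// path, query, fragment and userinfo never leave the browser.
function minimizeForLookup(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.hostname;
}

// Audit side: name the parts of an outgoing URL that go beyond a host name.
function findLeaks(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return ['unparseable']; }
  const leaks = [];
  if (u.username || u.password) leaks.push('userinfo');
  if (u.search.length > 1) leaks.push('query');
  if (u.hash.length > 1) leaks.push('fragment');
  let rest = u.pathname + u.search + u.hash;
  try { rest = decodeURIComponent(rest); } catch { /* keep the raw form */ }
  if (/[^\s\/?&=#@]+@[^\s\/?&=#@]+\.[a-z]{2,}/i.test(rest)) leaks.push('email');
  // Long mixed letter/digit path segments are typical of share links and reset tokens.
  const opaque = s => /^[A-Za-z0-9_-]{20,}$/.test(s) && /\d/.test(s) && /[A-Za-z]/.test(s);
  if (u.pathname.split('/').some(opaque)) leaks.push('opaque-path-token');
  return leaks;
}

// Run over an audit log of outgoing values; keep only the entries that leak.
function auditOutgoing(urls) {
  return urls.map(url => ({ url, leaks: findLeaks(url) }))
             .filter(entry => entry.leaks.length > 0);
}

const SAMPLE_OUTGOING = [ // constructed sample data
  'https://example.com/',
  'https://example.com/reset?token=3f9a1c7e5b2d4086a1c7e5b2d4086a1c&email=alice%40example.org',
  'https://files.example.com/s/Zk3Qp9Lm2Xv8Rt5Yw1Bn6Hc4/report.pdf',
  'https://user:pw@example.net/cal#private',
];

for (const { url, leaks } of auditOutgoing(SAMPLE_OUTGOING)) {
  console.log(`${leaks.join(',')} -> would send only: ${minimizeForLookup(url)}`);
}
```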

~~~
hannob
> Browser vendors really need to change their attitude towards extensions, as
> they basically allow users to install malware/spyware in their browsers
> without performing any real certification / auditing.

That's something I hear a lot in the context of the WOT issue, but how should that
work? There are thousands (maybe millions) of extensions with new versions all
the time. I see only one way: Shut down extensions and only allow a few
selected ones that get audited by the browsers.

However, do we really want this?

> At the very least there should be a way for users to see a full audit log of
> the information that an extension sends to remote servers, as this is
> usually already enough to tell if the extension is sending more data than it
> should.

That helps experts analyze extensions, but it doesn't fix the problem of
thousands of users installing some shady extension nobody looked at. WOT was
even open source, yet nobody seemed to have bothered to look into it until
recently.

~~~
stowawaywot
No, it is not necessary to shut down all extensions, you just need a better
security model. Today, one click is sufficient to grant an extension unlimited
access to all your request data (including form data) together with the
ability to send that data anywhere. In addition, most of the problematic
extensions try to trick the user by either not informing him/her at all about
the data collection, or by misnaming it as anonymized collection of "usage
statistics" (which is often a blatant lie).

Of course it's fine to argue that it's the user's problem, but then I don't see
why on one hand we're trying to harden browsers against all kinds of
sophisticated attack vectors while at the same time giving malicious actors
privileged access to all the user's data via the App Store. And again,
restricting the kind of access that an extension has to the user's data would
be a first step to amend the problem. Allowing users to report abuse in an
effective way would be a second step. Being more strict with violators would
be a third one, as today most extensions simply reapply for access after being
deleted and often get included again (just wait and see, WOT will also make a
reappearance).

------
uulbiy
Both Firefox[1] and Chrome[2] removed it from their stores. I don't know if we
should expect an official announcement, but it seems that neither Mozilla nor
Google commented on the issue. Many other sources reported it though[3][4][5].

If you are using WOT in either Firefox or Chromium/Chrome you can just remove
it without replacing it with anything. Both browsers cover that for you with
Google's Safe Browsing[6][7].

[1]: [https://addons.mozilla.org/en-Us/firefox/addon/wot-safe-browsing-tool/](https://addons.mozilla.org/en-Us/firefox/addon/wot-safe-browsing-tool/)

[2]: [https://chrome.google.com/webstore/detail/wot-web-of-trust-website](https://chrome.google.com/webstore/detail/wot-web-of-trust-website)

[3]: [http://techdows.com/2016/11/web-of-trust-add-on-removed.html](http://techdows.com/2016/11/web-of-trust-add-on-removed.html) (4/11/2016)

[4]: [http://www.ghacks.net/2016/11/05/mozilla-and-google-remove-wot-extension/](http://www.ghacks.net/2016/11/05/mozilla-and-google-remove-wot-extension/) (5/11/2016)

[5]: [https://www.reddit.com/r/news/comments/5bgnyr/weboftrust_removed_from_chrome_and_firefox/](https://www.reddit.com/r/news/comments/5bgnyr/weboftrust_removed_from_chrome_and_firefox/) (6/11/2016)

[6]: [https://wiki.mozilla.org/Security/Safe_Browsing](https://wiki.mozilla.org/Security/Safe_Browsing)

[7]: [https://www.google.com/tools/firefox/safebrowsing/](https://www.google.com/tools/firefox/safebrowsing/)

------
raarts
They are:

> Reviewing our privacy policy to determine which changes need to be made in
> order to enhance and ensure that our users privacy rights are properly
> addressed.

'addressed' is not the same as 'respected'.

------
andybak
World of Tanks? War on Terror?

Come on people. You saved 9 characters in that post title.

~~~
simonh
I spent the first 30 seconds or so reading this thread thinking that World Of
Tanks must have some browser extension. Never heard of Web Of Trust before.

------
tinix
Is anyone really surprised by this?

~~~
yaps8
Yes, I didn't use or recommend WOT because it didn't seem useful but I never
suspected anything shady. How did you know?

------
cheiVia0
Some details in the Debian bug report:

[https://bugs.debian.org/842939](https://bugs.debian.org/842939)

