Hacker News new | past | comments | ask | show | jobs | submit login
Mozilla stops distribution of WOT addon
158 points by mkesper on Nov 4, 2016 | hide | past | web | favorite | 82 comments
You cannot install the WOT addon anymore in Firefox. This is due to WOT selling all your browsing data to firms - easily de-anonymizable (containing e-mail addresses, usernames or identifying parts of URLs in cleartext). Reporters of German broadcast NDR found out about this by inspecting a test dataset they acquired disguised as a company asking around to buy personal data.



Web of Trust is a browser extension that claims 140 million installs. The marketing language on the home page [1] is all about how the extension will help users decide which websites to trust.

Their privacy statement [2] includes a section that describes "Browsing usage, including visited web pages, clickstream data or web address accessed;" as one of the categories of "non-personal information" that they may disclose or share with 3rd parties.

I'd imagine most users installing an extension to make their browsing safer would not be happy to know they were also making their entire browsing history available to 3rd party data brokers at the same time.

Unscrupulous business practices are definitely made easier when no one actually reads Privacy Policies...

[1] https://www.mywot.com/

[2] https://www.mywot.com/en/privacy/privacy_policy


The info collected is not considered as consented by the user in Germany by the Hamburg commissioner for data protection: "disclosure of personal data, companies need basically a data subject's consent." "an extensive evaluation the data by Web of Trust is therefore under German law "not allowed"

https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...


And I think, assuming its the same as many other EU countries, that means active consent, not just implicit (e.g. you used the product so you implicitly consented to the privacy policy)


Do you know what would be a great way to prevent this?

Every data send by an extension should be user viewable.

Here's the json file (or maybe something better) that we are posting, press Agree to send it


They would just start obfuscating the data (with ciphers, word replacements, encoding, minification, etc.)

They'd then claim it was for your security/privacy/protection. You know, like how Microsoft encrypts your Windows 10 usage data it sends them.

At least you could use the presence of such obfuscation as a sign there's probably something bad afoot. Presuming only a tiny number of extensions try to encode the data they send.


This extension already does in fact, with double base64 (see btoa in source).


> ... you could use the presence of such obfuscation as a sign there's probably something bad afoot.

So, that "if you have nothing to hide..." argument, basically?


Similar but not the same, one thing is hiding your own information, but another very different is you taking my information and hiding it from me


No, the only thing that will work is to pummel guilty companies into the ground with fines.

But you can bet GooBookSoft will lobby against that like their lives depended on abusing customer data. And they do depend on it.


I do not think collecting data on users is necessary. You still can show ads in search results even if you don't know anything about a user. And you don't need user's browsing history to sell him an airplane ticket.


Nope. I'm going for FaceGooSoft or FaceGleSoft. First writes better. Second sounds better. But you can have the copyrite because all are fun.


>Nope. I'm going for FaceGooSoft or FaceGleSoft. First writes better. Second sounds better.

With much regret, MiFaceGoo is rarely appropriate in the professional world.


You cannot make a technical solution to this. Now every company tries to collect as much information as they can. Only laws can help.

> Every data send by an extension should be user viewable.

You can start Wireshark and get that data. But it would be too complicated for an average Joe.


Most people would just press "Agree" without reading it, but giving the possibility to read the data only when you want would give to expert users the way to occasionally check what the addons are doing.


Here is the blog entry of the Journalist Mike Kuketz, explaining in detail how he uncovered the fraud, unfortunately only in German. This includes samples of the questionable GET and POST Requests, as well as a link to a commit to the WOT sources on GitHub, which introduced the necessary changes ...

https://www.kuketz-blog.de/wot-addon-wie-ein-browser-addon-s...

The commit referenced in the blog:

https://github.com/mywot/firefox-xul/commit/0df107cae8ac1890...


> The commit referenced in the blog

Interesting, the date of the commit is April 20, 2015.

I did comment on April 16, 2015 about how the WOT extension could record a user's browsing history[1], so it does look like they were doing this before this specific commit.

Edit: ah never mind, my comment was for the Chrome version of the extension while the commit is for the Firefox extension. So they have been doing it since longer for the Chrome extension.

[1] https://github.com/gorhill/uBlock/issues/65#issuecomment-937...


And by the way, he also suggests in his blog post that Ghostery and Adblock Plus might as well sell browser histories as WOT does. There might be even more.


I just stick with EFF Privacy Badger.

https://www.eff.org/privacybadger


Ghostery allows you to OPT IN to sending your browsing data [1], which may be sold as part of services offered by their parent company to improve ad ROI for their customers. They also tell you that they're collecting the request data [2].

I think knowingly sharing your data (with a positive affirmation) is significantly different than having your data collected and sold without your knowledge

[1] http://imgur.com/a/ugglB

[2] https://www.ghostery.com/support/faq/ghostery-add-on/What-da...


The problem is not the selling of browsing data. WOT tells you openly that they do it.

The problem is that the data is not anonymized enough. The question is, if this is actually possible.


Reminds me of the old saying. "When the service is free the product is you."


Lateley there's a trend to dismiss the above saying (i.e. if it's free you are the product) in a casual manner.

Reality isn't influenced by such dismissals or wishful thinking however. If a company's financial interests aren't aligned with the general interests of its customers, then it will trample over the interests of its customers. Google, Facebook, any company that's selling advertising are not only not your friends, but they're screwing you over.


My issue with that saying is that it prejudices people against Free (as in libre) Software.

Free Software is free, and you aren't the product when you use it. In most cases its the only software that actually puts the user first.

Saying "If it's free, you are the product" tells people that the only way to get good software is to pay money for it. When in reality lots of payed software harvests your data just as much.


IME free and open software does tend toward abandonment or some form of monetization over time. Just ran into this with Synergy recently.


Ghostery yes.

Regarding AdBlock Plus he is complaining about the Acceptable Ads "feature", not that ABP is collecting and/or selling user data


Firefox really needs to start to disable extensions (but enable exceptions) when in private mode.

And maybe it is time to completely forbid data logging in browser addons. Then suspicious activity, like the linked commit would have caused, could be detected.


This begs the question: Where do you draw the line between "data logging" and submitting the URL (or domain, I'm not certain on what level WoT would normally operate) to a server in order to get its reputation? In the end, you can't be certain what the backend does with the data just by looking at the extension code. If you go too far with a rule like that, you'll likely block a lot of legitimate and useful extension. If all you ask for is the word of the extension developer that the data won't be used in this fashion, that probably won't change much in practice.


Currently, facing this abuse, I'd completely forbid data transfer from an extension to a server by default. Then add exceptions: If the transfer is necessary for the legitimate function of the extension (note: It is not for stuff like adblocker, where the lists are already cached locally), allow it under special control as long as the data sent out is anonymized as much as reasonable. URLs for example should be hashed before going out.


> URLs for example should be hashed before going out.

That doesn't help at all. If the server has a database it's going to match this hash too, then it knows what URL corresponds to the hash.


It prevents the server form matching the url when it has stuff like the session id and username in it, and also helps in not giving those information to the outside.


Yeah, Google Safe Browsing ships a local database of urls to prevent this:

https://developers.google.com/safe-browsing/v4/update-api


The line should be drawn in a court.


Though what happened here is already forbidden. It is just very difficult to use the law against those criminals. That is why the browser makers are in a better position to control this.


thanks for linking, I'd like to see if there's a news article on it as well.


I wanted to say: And Google did not removed it. But actually it is also gone in Google extension store. Google also seriously needs to think about security in their Chrome extension store. I've seen more than once ads injected by extensions by the auto update (no real security there). Maybe I've been also tracked in the past. Google needs to actively monitor all extensions for ad injection and tracking code (where are their AI experts on that?) and also it should react faster to reports. In the past, weeks and months go by before a report has consequences for a extension. So the discovery of WOT is only thanks to German reporters.... but it was longer known that WOT tracks you.


I will take the opportunity to share what I have observed a few weeks ago regarding another extension in the Chrome Store: Popup Blocker (800,000+ users)[1] also leaks your browsing history.

For every site you visit, there is a POST to

    https://api2.poperblocker.com/view/update
which contains information about each visited page. Example of information sent in the POST (I randomly clicked on an entry in the front page of Hacker News):

    us=576
    ver=1.0
    sver=1
    nid=chrome
    h=e[...]6
    tid=1478271585985
    u=https%3A%2F%2Fthehftguy.wordpress.com%2F2016%2F11%2F01%2Fdocker-in-production-an-history-of-failure%2F&p=https%3A%2F%2Fnews.ycombinator.com%2F
    rd=https%3A%2F%2Fnews.ycombinator.com%2F
    ch=2
The information above is double-encoded using atob before being sent in a POST. The `h` value stays the same i each POSTs.

The privacy policy of the extension used to be complete nonsense, a copy-pasta of the text found on the front page of (probably unrelated) site `whatarecookies.com`.

Looks like they changed it though[2], it is now a large image of pure-text HTML[3], which appears to be borrowed a lot from (coincidence!) WOT's own Privacy Policy's page.[4] I will assume using an image may be to purposefully make it more difficult to find out the copy-pasta.

The review I had left a few weeks ago for the extension -- in which I informed of the above -- seems to be gone.

[1] https://chrome.google.com/webstore/detail/poper-blocker/bkkb...

[2] http://www.poperblocker.com/privacy.html

[3] http://www.poperblocker.com/privacy.png

[4] https://www.mywot.com/en/privacy/privacy_policy


There is nothing that can be done. Any moderation can be easily bypassed (for example, obfuscated code, code loaded from external servers etc.). You just should not install software that you don't trust.

For example I don't use any browser extensions because I don't have time to inspect their code after every update.

I wonder why both Google and Mozilla don't write this at the front page of their extension stores?


Mozilla actually manually reviews the extensions and updates to the extensions, and would reject obfuscated code. See for example:

https://blog.mozilla.org/addons/2016/08/19/a-simpler-add-on-...

https://blog.mozilla.org/addons/2010/02/15/the-add-on-review...


Serious question: do you audit code changes in browser updates?

EDIT: I realize there are (probably) fewer authors involved there.


Browsers are made by reputable organizations like Mozilla Foundation or (not so reputable) Google. And extensions are usually written by some anonymous person from Internet (or sold to anonymous person after gaining popularity).


> Google needs to actively monitor all extensions for ad injection and tracking code (where are their AI experts on that?)

All the AI experts in the world won't be able to solve the halting problem. What you're asking for is impossible.


All the AI experts in the world won't be able to solve the problem of people thinking a problem is equivalent to the halting problem.

You don't need perfect performance, you only need to stay ahead of most of the attempts. Fighting fraud is similar -- it's not possible to stop 100%, but you can get close, and try to make it easy to minimize/undo the damage done by the false negatives.


You are probably over optimistic about what AI is. AI is not a human-like mind that sits inside a computer and solves any problem you give.


I am aware :). But don't you think that a finer grained permissions model, combined with even a simple Bayesian classifier (or a NN classifier) that triggers manual review, could catch a lot of suspicious extensions? E.g. P(malware|reads url+calls third party) > P(malware)


There will be ways to bypass those checks. The easiest is to wait a week after installation before doing anything bad. Or extension could download and execute code from remote server that would serve one version of code for users from Mountain View and another version to everyone else. Or the code could check whether it is run on a real device.


This is where the classification heuristics and fine-grained permissions come in. Code that does anything conditioned on dates is higher risk. Code that uses location services is higher risk.

Also, many of these checks can be done by the browser in situ, so an extension that suddenly changes its behavior can be flagged for review. And pre-release malware scans can be run on banks of actual hardware that simulates different dates and locations.

Sure, there will be an arms race, but that's better than an anarchical free for all.


Did not find any english versions of this news yet, so here a translated heise site: https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...


In the article you posted the WOT spokesperson appears to say that they'll be making sure that data is better anonymized in future - not that they will stop selling it. I don't think this type of response is going to work out well for them...

"When there are cases where information has not been anonymized and protected, we will, of course, review this and, if necessary, take steps to ensure adequate protection for our users."




What's interesting is how the story completely failed to make the news in the English-speaking net for several days. The story broke on Tuesday (CET), outside Germany it was only picked up by ghacks until now...


Ghacks is shadowbanned on HN for some reason. I vouched for this particular story, but it didn't get traction :(

https://news.ycombinator.com/item?id=12850214


Could be because of the title: "Your browsing history may have been sold already"

It's not remotely comparable to the situation. "WOT addon is banned from browsers after selling users history to the highest bidder."


Please don't use the word "retarded" as a casual adjective. It's a pejorative term historically used for people with intellectual disabilities. Thanks for understanding.


I don't think I've ever consciously visited their site, so no idea how well ghacks ranks as a source...

The story was curiously absent from HN and any other site I frequent, so I checked Google and as of yesterday it only found ghacks outside the German bubble.


It is a shame that Mozilla did not explain why they removed the addon on the addon page, instead we just find a boring 404 page: https://addons.mozilla.org/en-US/firefox/addon/wot-safe-brow...

They could have taken the opportunity to show that they care about user privacy and denounce WoT at the same time


This is a breaking story, and currently mozilla is reacting.

I am confident they will release a public statement and maybe even an actual post mortem for the tech crowd


Such innovation .. pure evil.

What's the takeaway? Not to install any browser add-on?

On a serious note, I guess that it might be safer to to run a browser in a Docker container and use one instance to browser only site. The question is that how feasible it would be?


You can use Chrome profiles to create private "sandbox" for certain extensions. Put for example webdev related to extensions in separate profile, which you don't use for daily surfing.


You can also use Lynx if you want to go Full Stallman.


Think about their business model before installing.


I came to the conclusion that one should use only addons which are widely used by netsec experts, because audit is a fairly rare thing these days and one has to rely on when somebody sees something suspicious.


Good riddance, a vile site full of self appointed internet police with handpainted badges with a sense of importance

They falsely flagged a a website I ran a while back (social media management tools via approved APIs) as: pharmacy, scam and spam. Due to this mails from our server were not getting through.

I tried contacting saying they are all false. They updated saying we sold facebook likes and fake followers. We did nothing of the sort and did nothing at all with facebook anyways. I tried contacting again to which I was told we were a scam because the domain has privacy enabled nor had my personal name and address on the site. I value my privacy and do not have my full name and certainly not my address anywhere online.

I asked our customers via a support forum post if they could post an honest review of our site and service which did nothing to the score - it seems a couple of users have all the power. We then got branded as spammers for trying to manipulate our rating (with actual reviews, but as it was against the power users (who had never used our product) we were in the wrong.


I "want to believe you" and I always try to extend the benefit of the doubt whenever possible but it'd be interesting to hear the other side of the story as well.

Among other things, I manage a bunch of mail servers and I keep a close eye on them. I "blacklist" IP addresses of "misbehaving senders" pretty often and the rejection messages provide a way for the sender to get in touch with us. This way, we can work with them to rectify whatever problem caused them to be blacklisted by us -- many times it's that an e-mail account was compromised and used to send out spam.

I can't even begin to count how many times I've had administrators of other mail servers swear to me that they have NEVER sent out any spam whatsoever (or similar statements) and that blacklisting them is a mistake and absolutely 100% our fault.

Except that, in every case, I, personally, have looked at every single message, determined it was spam, tracked down where it came from (verifying Received: headers against Postfix logs), and manually added the IP address to our list. In addition, the first time it happens they don't even get prevented from sending mail to us; only upon the second incident are messages rejected.

Thus, for someone to say that they know absolutely positively 100% without a doubt that their server never sent us spam just makes me laugh because I know that not only did they send us spam but, as a matter of fact, they've done it at least twice!

So, like I said, I want to believe you but I'd want to hear it from the other side before making a conclusion. There's always another version of events and experience has shown me that it's usually drastically different.


Here is a brief (and compared to the german sources not so great) english language version of what happened:

http://techdows.com/2016/11/web-of-trust-add-on-removed.html


This is more or less the same way SimilarWeb collects its data, so I wonder when will they start being treated the same. They operate a number of inhouse extensions and partner with other extension developers to collect the entire click trail of the users. Internal links in your intranet, localhost, "private" google drive links, all is collected and sold. It's beyond me how this shady business is treated as legitimate, including major web and tech publications citing their data reports.


Details in the Debian bug report:

https://bugs.debian.org/842939


WOT = Web of Trust


It should be rebranded as WAT


They could literally use the slogan "U WOT M8" and it would explain everything about this service.


So basically I should uninstall it, correct? Does anyone know of anything to replace it?


You can create multiple profiles in firefox with various level of security settings. Use noscript for unknown websites in anonymous ff profile.

https://support.mozilla.org/en-US/kb/profile-manager-create-...

https://addons.mozilla.org/en-US/firefox/addon/noscript/

I read ghacks blog frequently to keep myself up to date with new features being added in Firefox. Follow this blog and read their previous articles to learn how to stay safe in online world.

http://www.ghacks.net/

this link is also helpful to stay safe

https://www.privacytools.io/


I think you can use their bookmarklet, but personally I don't see any benefits as somewhat similar Google Safe Browsing service is internally used by all major browsers.


it was decently accurate at judging whether a random website contained "legal" downloads of books


Yeah, it is true that WOT is useful for some rare use cases, where it is important whether some unknown website is a scam or not, but I don't think I need it for casual browsing.


Replace it with common sense.


All the other addons are completely trustable, of course.

It also really helps that Firefox never deletes cookies by default and never tells you about this. We 'respect' your privacy, yes, we do! Really! Look, you will have only one google cookie when you start a very new firefox.

We really respect your privacy, yes! We will reiterate that until you believe it, but never change our privacy destroying default settings, because we 'respect' you!


Do you really think being logged out of every website every time you start your browser would be an acceptable default?


I only browse in (incognito|private) windows. My browsers are configured to startup that way automatically.

It "works for me" and it'd probably work for a lot of (perhaps even most) other users so maybe it would be an acceptable default. I don't know.

I think there's a happy medium somewhere between these two extremes that absolutely would be an acceptable default, though. Firefox could certainly come with better defaults if Mozilla truly valued privacy that high.

(FWIW, my mozilla.cfg -- pointed to by general.config.filename -- currently has 127 settings in it. It's been added to over the years, though, so some of those are certainly deprecated by now.)


Those stories about Adblockers selling browsing history and private data, is just a lame intent to make people stop using adblockers and make us digest all that advertising crap.... Watch an ad is our choice....


While advertisers would benefit if people are afraid to use adblockers, it doesn't necessarily mean that they did it themselves.

There was clearly a market for user browsing data (since WOT was able to find customers), so if WOT is shut down, more will pop up. And the apps that mine user data don't need to be adblockers, that's just the reason they give users to install the extension.


on android i used to go pretty extreme and edit hosts file on a rooted phone. you can find maintained lists for it they just zero out the address. for security i would also make all the edits i wanted for different things and then unroot.

for firefox there is also script blocker with the ability to white list adresses also remove history on close.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: