Firefox SafeBrowsing should be okay to enable #339
Labels
No Label
🔍🤖 Search Engines
approved
dependencies
duplicate
feedback wanted
high priority
I2P
iOS
low priority
OS
Self-contained networks
Social media
stale
streaming
todo
Tor
WIP
wontfix
XMPP
[m]
₿ cryptocurrency
ℹ️ help wanted
↔️ file sharing
⚙️ web extensions
✨ enhancement
❌ software removal
💬 discussion
🤖 Android
🐛 bug
💢 conflicting
📝 correction
🆘 critical
📧 email
🔒 file encryption
📁 file storage
🦊 Firefox
💻 hardware
🌐 hosting
🏠 housekeeping
🔐 password managers
🧰 productivity tools
🔎 research required
🌐 Social News Aggregators
🆕 software suggestion
👥 team chat
🔒 VPN
🌐 website issue
🚫 Windows
👁️ browsers
🖊️ digital notebooks
🗄️ DNS
🗨️ instant messaging (im)
🇦🇶 translations
No Milestone
No Assignees
1 Participants
No due date set.
Dependencies
No dependencies set.
Reference: privacyguides/privacytools.io#339
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Is there a link or an article to the privacy concerns of enabling SafeBrowsing? It should not be a privacy concern, and the security risk seems very high.
Is useful if you're not using anything else. Moreover it is a service based on Amazon servers (3rd party). See discussion here.
Only the Tracking Protection service (shavar) is hosted on Amazon servers. (I'm the maintainer of that code-base, in fact.)
SafeBrowsing lists are served by Google's servers directly to Firefox clients. It should not be a privacy concern (as explained by the article I linked ... which was written by the Firefox SafeBrowsing maintainer).
And that's precisely why it is.
I'm not a big fan of big G either, but given that ...
... the only privacy threat I can see with Firefox clients contacting Google's servers is that it leaks an IP address to Google's servers. But this only tells Google that there's a Firefox browser at the IP address and nothing more.
Compare that to the security (and corollary privacy) risks of completely disabling malware, unwanted software, and social engineering threat checks in Firefox, and it seems that disabling SafeBrowsing is based on unreasonable fear of anything Google-provided - not a realistic privacy concern.
This can be solved with common sense which doesn't leak anything to Google.
Maybe I don't understand the intended audience of the site. What level of tech savvy do you expect the audience to have? Recognizing malware & social engineering threats requires a bit of tech savvy. If the site is only intended for people who are tech savvy enough to recognize malware & social engineering threads on their own, fine.
But since there's a big "Spread the word and help your friends" section on the site, it seems trying to reach a wide audience. And that wide audience is full of people without the "common sense" to recognize malware & social engineering threats.
You're right. We're not trying to focus on any specific kind of audience. I meant that it is a privacy concern to a certain degree, and that it can be solved with common sense. However, we're trying to cover the whole "threat model spectrum". With that in mind, I think it's best we suggest disabling it, but explain the trade-off.
Looking at the 3 relevant Firefox config settings:-
in:-
Privacy Settings :: Add-ons for Firefox
https://addons.mozilla.org/en-US/firefox/addon/privacy-settings/
and comparing the on/off state of the above in each of this add-on's settings:-
it is clear that SafeBrowsing adds to security but detracts from privacy.
IMO security should take precedence. I go for Privacy (compatible) & Security.
So, enabling SafeBrowsing is the way to go.
It might be reasonable and practical, but this is a privacy project. It would be a mistake to not at least inform that there is a privacy concern with this.
Privacy is nothing without security.
You achieve maximum security by sacrificing all privacy and monitoring everything.
You achieve maximum privacy by sacrificing some security.
This is important to keep in mind, even when privacy and security overlap on many things (such as tools).
A balance between the two is necessary. IMO this points to enabling SafeBrowsing.
We shouldn't be making this decision for people; instead, explain this simple problem and let them decide.
This site is already encouraging people to sacrifice their security. The current advice minimizes security for nearly 0 privacy gain. The only thing SafeBrowsing reveals to Google is that a Firefox client is running at a certain IP address.
But with SafeBrowsing disabled, any adversary (corp, hacker, government) who wishes to hack or track a user needs only to direct them to any known malware download or phishing site, and their privacy and security are both compromised.
This is terrible and irresponsible advice to give to people.
@Shifterovich Yeah, I'm in favor of letting the people decide that option, with a note on the side shortly describe it it can increase security but at a cost of talking to Google.
It also seems weird that Mozilla isn't the intermediary for this "SafeBrowsing" list, using a main list from Google, and any extra additions that Google haven't caught but Mozilla did, but without revealing IPs to Google. I assume most people trust Mozilla more than Google anyways. Unfortunately, in the world of everything being behind a Google CDN of some sort (analytics, apis, fonts, etc), an IP address becomes more than just a "Firefox client running at a IP address".
And assuming the user that comes by this site and downloads these add-ons, configurations, etc, some of these effects would be mitigated anyways. If you used a host, DNS, or general blocker, you would be cleared from "known" malware anyways. If you used NoScript or block JS at all, you wouldn't have malware running on the browser.
What if this known malware is just rebundled so it doesn't matches any of the hashes or URLs that it came from? Then SafeBrowsing is not useful at all. It's just like any other malware that enters the system. Now if it protected against new undetected malware in the wild, I'm all for it. I don't know ... I just feel like @groovecoder besides his one case where the user has no other protections in place (no anti-malware, doesn't keep system up-to-date, no adblocker, etc.), SafeBrowsing just becomes another list that only covers one specific case, which some like uBlock Origin handles well in addition to blocking networking connections and ad networks.
But that's just me I feel like. I feel like his position is a bit overstretched but I understand the concern. If this was for a newbie, then I'd be on his side but no one accidently stumbles on PrivacyTools unless they were a bit serious about taking their privacy a bit more seriously. So for me and speaking for the people here, it seems the trade off is worth it since most of us have a bit more control of their browser setup.
Not trying to anger anyone or flame anyone here.
Feel free to point these out and/or fix them with a notice regarding the trade-off.
Right - if the audience is not for newbies, fine. But I tell lots of people to go to privacytools.io, and the site itself has a section to share it via social networking. So, intentionally or not, the site is advising people to reduce the security, with no assurance that they are adopting any of the other protections.
Furthermore, a user offsetting the risk of disabling SafeBrowsing by running uBlock Origin is sending "auto-update filter list" requests to Dropbox, GitHub, AWS, and dozens of other domains, which is the argument for disabling SafeBrowsing in the first place?
It makes no sense.
But if the maintainers here think a notice on the setting is enough, I'll happily send that PR. Just not sure I can advocate as strongly for this site in the future.
Thanks for pointing that out. I think adding a notice to both uBlock and SafeBrowsing is the best option. Might move SafeBrowsing to the bottom of the tweaks section and convert it into a notice, instead of a tweak.
Not sure what the other maintainers think, but yeah, I definitely think letting people decide for themselves is the right way to do it.
@groovecoder Isn't that the point of trust? Any software you use is all based on trust and I find it unsettling that you make this a "battle". Somehow, I find that you are oversimplifying this debate and making this debate very dishonest. By letting the users choose, you can have them turn this option on or using uBlock Origin/DNS blocking, etc. If they don't mind Google, they can turn it on and get that protection that way. And for the rest, they can use add-ons, host files, and other mechanisms. Is that an unfair solution or is your "can't advocate as strongly for this site" a childish response to get it your way? I guess, Google is perfect and we all must be crazy in trying to avoid them, right?
But there's not much to debate here, we have the notice and the users can make that choice. And you didn't respond back with how your mechanism stops known malware that is rebundled :/ ...
Edit: Remember the whole Google Analytic on the Add-ons page fiasco? People do value their privacy and Mozilla brushed it off? This is the same debate. @Shifterovich (and @groovecoder apparently works at Mozilla but doesn't understand the privacy debate)
I don't mean to make it a "battle" and I'm not trying to "get my way". I've submitted a PR with notices that will inform and help users choose for themselves.
What I apparently don't understand is the intended audience of the site, or the overall privacy "strategy" it promotes. But, I'm starting to understand this site isn't trying to promote a privacy "strategy" - instead it simply expose people to all of the available options and as much information as possible? That's good, but also leaves much to the personal judgement of people who can easily misunderstand the trade-offs they're making for any individual protection. So you need to have some tech-savvy to understand the site properly.
FWIW, I think @dnguyen01's suggestion to include a choose-your-threat-model section of the site is great, and would help clear this up for people new to the site.
No, you wanted to outright enable this setting. When I suggested informing users and letting them choose for themselves, you started with that "can't advocate as strongly for this site" thing.
It's not good, it's great. We could recommend one VPN provider, the one we decide is the best. Same with browsers. Same with email providers. Same with search engines.
Our approach is to give enough information to let people make a good decision, not to decide what we think is best for the users. Yes, enabling this option is probably the right choice for most people, but why not let them choose. A notice as simple as "If you don't want to download a list of "bad" URLs from Google every X minutes, disable this option; but know that you won't be protected from ..." is definitely harder to misunderstand than Mozilla's "we don't track you" (thanks for reminding that @dnguyen01).
Not interested in an argument about motives. I still prefer this site change its suggestion to not disable SafeBrowsing. But, the audience target and content strategy of the site makes sense to me now. It's just not for everyone.
How does letting people decide rather than giving them a solution that works for most exclude anyone apart from those unable to make a decision?
> deciding what's best for most and using that is not exclusive at all
> letting people decide is absolutely exclusive because there's an edge case of people who can't read and make decisions
🤔
Not sure what you're quoting there, since those lines don't appear anywhere else in this thread. But this issue is clearly off the rails now.
PR is submitted with updated notices. I understand the audience of the site better and have a better idea of when and how to suggest it to people. So, I'm happy regardless.
Those aren't quotes, I just wonder how that logic makes any sense.
Safebrowsing uses a Goggle API Key that uniquely identifies the browser, see:
https://github.com/ghacksuserjs/ghacks-user.js/issues/197
That's clearly Google fingerprinting.
SafeBrowsing uses a single Google API key for Firefox - not each Firefox user.
https://github.com/ghacksuserjs/ghacks-user.js/issues/197#issuecomment-321027157
An API Key plus Cookies means fingerprint for me, see Passive fingerprinting
https://w3c.github.io/fingerprinting-guidance/#passive
huh... Didn't spot the #passive anchor.
@Hillside502 - right, there's a single API key hard-coded into all Mozilla builds of Firefox. There is NOT an API key for each user, so the API key is no more a fingerprinting vector than a Firefox user-agent string.
@Atavic ...
A service cookie is a potential tracking item, but Google says "Google will receive standard log information, including a cookie, as part of this process. Google will not associate the information that Phishing Protection logs with other personal information about you." ... so it depends how Google-paranoid you are. 🤷♂️
"🤷♂️" ?
There's no tinfoil hat emoji.
@groovecoder
It strikes me odd how much you want to suggest to enable this feature. Some of the terms and conditions and privacy policies are carefully worded. Google not associating the information with personal information about you, is the personal information my google account? or do they keep a profile from other services independent of my google account?
Chrome - Safe browsing policies
As far as I understand this applies to all browsers using safe browsing.
I'm not sure if this applies only to Chrome or other web browsers too.
Chrome privacy whitepaper
Standard logs seems to be different from raw logs.
They still somehow track you, even if they separate cookies from the normal browsing and it's not about being paranoid but seems a bit naive to think Google is offering this free service to million of devices without getting anything back, except maybe for a more accurate list of malware and phishing sites.
Yes - it depends where one stands on the paranoid/naive spectrum re: Google tracking.
Having personally worked with Chrome sec team, I believe they're honestly motivated by helping to secure as much of the web as possible. (If the web dies, they die)
I'm personally more concerned about stray malware or phishing pages than the 2-week IP + SafeBrowsing cookies.
@kewde
This discussion on safebrowsing privacy has so far only focused on the most minor of the privacy threats involved in this "service", namely connecting to Google with cookies. On that minor but real point of Google cookie tracking, let me yet add a small reminder :
https://bugzilla.mozilla.org/show_bug.cgi?id=368255#c64
What should worry everybody much more is that with the safebrowsing "Download protection", according to what can be read in the first link by groovecoder, Google is informed of every single unusual program you download with firefox. This is a massive privacy breach. Read the page well : if a downloaded binary is unsigned or signed but not in the local whitelist, then its name and origin are always automatically sent to the "remote application reputation server". This is what groovecoder calls "not a privacy concern".
There is a third problem, this time with "Browsing protection", but not as bad as the previous one. I saw this possible threat reported on bugzilla. Google may have a watchlist of "interesting sites", not necessarily phishing/malware ones, added to its blacklist. Users whose firefox browser downloads from Google the set of hashes containing the hash of one of the sites on the watchlist because they visited it may be tagged by Google as having potentially visited an "interesting site". This may help to narrow targets in a mass surveillance scheme.
Now on the broader question of whether Google can be trusted to respect our privacy if given a chance to violate it, as groovecoder just asserted ("I believe they're honestly motivated by helping"). Google's main business is to sell our private life. In addition, as has been revealed about their profitable participation in illegal mass surveillance programs, they are not even bound to respect their privacy policies or more generally the law. And considering how much money Mozilla receives from Google, Mozilla can't even be trusted either to have an objective point of view on Google's violations of privacy when they choose to implement their services (default search engine, google-analytics in addons page, safebrowsing,...). Of course they will use all the data they gather exactly how they want.
Please note you can disable the remote checks of SafeBrowsing download protection with
browser.safebrowsing.downloads.remote.enabledset tofalseI'm glad I could help you remember that your previous assertion might not have fully covered the reality :
"The current advice minimizes security for nearly 0 privacy gain. The only thing SafeBrowsing reveals to Google is that a Firefox client is running at a certain IP address."
By default, which means for the majority of users, not aware enough to defend themselves by altering default options not to mention hidden about:config prefs, Safebrowsing gives to Google the list of unusual program files they download and sort of the list of sites they visit that are part of their home-made frequently updated blacklist, all this tied with an identifying cookie (that can't be cleared by the user except with external tools like CCleaner).
We should probably wrap this up as the issue has stalled for too long, i vote for keeping it set for disabled, with a small description of the trade off.
How good is the safe browsing? Would it be worth it to instead suggest people to use DoH with a malicious domain filtering DNS provider like Quad9?
I suggest to look at gHacks user.js for that.
@Mikaela Quad9 doesn't provide more privacy then Google...
SBv4 (which has been used for quite some time: over a year) doesn't even use cookies.
Personally, as a default and the responsible setting to have, SB should be enabled. Never ever put anyone at risk, by default! Can't believe it's been almost 2 years.
@groovecoder is (and Francois was) Mozilla engineers who work on this stuff. There's a big difference between actual privacy vs tin-foil (sorry, couldn't resist) and by that I mean those who want to control every single request to the point of blocking everything possible (e.g update checks: note I said checks, not downloads: or safebrowsing lists, etc).
Anyway, as offered elsewhere ... I could offer to redo your about:config entries. After reading a couple of comments in here (can't remember exactly which ones), it occurred to me that besides the content, it could do with a slight breakup into categories: e.g.
✅ no brainer
no breakage
examples: tracking protection, pings, beacons, speculative connect, etc
✅ no brainer [optional]
some specific breakage or some side affects
examples: pocket, clipboard, punycode (yes because non-Latin users can get screwed by this)
👀 look at these and chose a setting that suits you
examples: settings for referrers and cookies
🔘 choose [breakage]
examples: widevine, eme, FPI, RFP
⚠️ don't do these unless you fully understand the risks / trade-offs
the trade-off is highly debatable and should be opt in
examples: Safe Browsing including binaries
As long as each item explains how it can break things where applicable, and the ⚠️ section explains the risk, then users
areshould be fully informedThe above sort of structure actually makes it easier for me to provide something for you: the ghacks user.js is structured differently: and I set that up five years ago. And five years down the track, I know enough to easily slot items into the above.
Anyway: you know where to find me. I've been fiddling with Firefox for a decade, and deep-diving it for the last five. The current list also contains inaccuracies and prefs that do nothing - which I've commented on before. This is the second time I have offered to provide a cleaned up version for your consideration.. won't be a third .. so sing out, last chance.
Note: That would be to just clean up what you have: not turn it into anything larger
Edit: OMG .. can't believe I found the first time I offered (it's at the end of my long comment)
@thorin-oakenpants I have not been a part for the team for very long so I have not seen those offers you made before, could be tht i simply missed it. I would be very happy if you want to collaborate with us to improve the about config settings (as you saw when i pinged you at earlier about config issues, i just didn't want to ping you too often as I figured you have enough work with your own project.). I am currently writing the new information that will be listed on the new browser page, if you want to help me out on the about config section that would be amazing :).
Another couple of thing to consider
Items with a UI presence should/could be given less weight (in the decision making process), IMO: e.g the ghack user.js always had all the SB options as inactive (commented out) as a default, but recently we just removed all of that. The exception here is the SB binaries check = always been actively blocked
Items that Mozilla are playing with constantly and have a UI presence (also you can run the risk of blocking Mozilla from flipping these prefs to the best configuration): e.g. tracking protection, activity stream
Yes I will draft up a simple, reduced list with sections in a new more condensed format. It will address this ticket, adding beacon (from another new ticket), etc: I'll use #1212
feel free to close this: it's all being handled under #1212
step 1 removes the current SB prefs
step 2 will include the SB real-time binary check
step 4 will put that SB binary check under a "risk" category