✨ Feature Suggestion | dom.serviceWorkers.enabled should be set to false #860

New Issue

2019-04-13T11:34:33Z

orion40 commented

2019-04-13 11:34:33 +00:00

(Migrated from github.com)

Description:

There was a time where as soon as you closed a tab, the website you were on couldn't run code in your browser anymore. Thanks to service workers, you can now have code being executed without you ever knowing about it, as they are not visible to the browser extensions, and usually do not ask for your permission (the notification message you sometimes get on websites).

They are a privacy and security threat, and should be mentioned in the website.

Here's a couple of links with more description about the issue:
https://sakurity.com/blog/2016/12/10/serviceworker_botnet.html
https://blog.acolyer.org/2019/04/12/master-of-web-puppets-abusing-web-browsers-for-persistent-and-stealthy-computation/

## Description: There was a time where as soon as you closed a tab, the website you were on couldn't run code in your browser anymore. Thanks to service workers, you can now have code being executed without you ever knowing about it, as they are not visible to the browser extensions, and usually do not ask for your permission (the notification message you sometimes get on websites). They are a privacy and security threat, and should be mentioned in the website. Here's a couple of links with more description about the issue: [https://sakurity.com/blog/2016/12/10/serviceworker_botnet.html](https://sakurity.com/blog/2016/12/10/serviceworker_botnet.html) [https://blog.acolyer.org/2019/04/12/master-of-web-puppets-abusing-web-browsers-for-persistent-and-stealthy-computation/](https://blog.acolyer.org/2019/04/12/master-of-web-puppets-abusing-web-browsers-for-persistent-and-stealthy-computation/)

👍 1

johnozbay commented

2019-05-11 12:47:06 +00:00

(Migrated from github.com)

While I do see the reason behind this request, and agree with some portions of it, there are incredibly important and legitimate use cases for web workers especially in the field of privacy and security.

In short, all web-crypto libraries use or rely on service workers in one form or another to handle processing-heavy operations in the service-worker thread, rather than the main UI thread, so that your browser & UI won't be blocked/frozen while things are being encrypted / decrypted / hashed.

So for example:

OpenPGPjs uses service workers.
https://github.com/openpgpjs/openpgpjs/blob/master/dist/openpgp.worker.js
https://github.com/openpgpjs/openpgpjs#set-up

libsodium.js can use web workers:
https://github.com/jedisct1/libsodium.js/issues/8

TweetNaCl-js can use web workers:
https://github.com/dchest/tweetnacl-js/issues/65

The list goes on.

Blocking service workers would/could slow down (or completely break) privacy providing web services, like :

Protonmail
ba1964ee71/src/app/setupPmcrypto.js (L15)

Tutanota
2ae78fc01d/src/api/worker

Cryptee
fe0ffb242b/source/js/main.js (L642)

and many others that rely on similar cryptographic libraries. (these are merely 3 examples off the top of my head)

In my opinion, it's incredibly important to consider all angles while making a decision like this, so that a privacytoolsIO browser-feature-recommendation wouldn't break / slow down most of the privacy services recommended on privacytoolsIO.

While I do see the reason behind this request, and agree with some portions of it, there are incredibly important and legitimate use cases for web workers especially in the field of privacy and security. In short, all web-crypto libraries use or rely on service workers in one form or another to handle processing-heavy operations in the service-worker thread, rather than the main UI thread, so that your browser & UI won't be blocked/frozen while things are being encrypted / decrypted / hashed. So for example: **OpenPGPjs** uses service workers. https://github.com/openpgpjs/openpgpjs/blob/master/dist/openpgp.worker.js https://github.com/openpgpjs/openpgpjs#set-up **libsodium.js** can use web workers: https://github.com/jedisct1/libsodium.js/issues/8 **TweetNaCl-js** can use web workers: https://github.com/dchest/tweetnacl-js/issues/65 The list goes on. Blocking service workers would/could slow down (or completely break) privacy providing web services, like : **Protonmail** https://github.com/ProtonMail/WebClient/blob/ba1964ee7163702322ffa996f49decaebe946543/src/app/setupPmcrypto.js#L15 **Tutanota** https://github.com/tutao/tutanota/tree/2ae78fc01dbc0c006ed79aaa42011ed3b567ba79/src/api/worker **Cryptee** https://github.com/cryptee/web-client/blob/fe0ffb242b39069df97415abff316f2ec5515680/source/js/main.js#L642 and many others that rely on similar cryptographic libraries. (these are merely 3 examples off the top of my head) In my opinion, it's incredibly important to consider all angles while making a decision like this, so that a privacytoolsIO browser-feature-recommendation wouldn't break / slow down most of the privacy services recommended on privacytoolsIO.

blacklight447 commented

2019-08-28 18:05:31 +00:00

(Migrated from github.com)

Ive done some testing at it seems to break protonmail. I do not think we can recommend tweaks that will also break one of our recommendations. I am closing the issue, anyone is free to comment with new arguments to open it up again,

This repo is archived. You cannot comment on issues.