Changing the extensions.blocklist.url flag #565

Merged

HxxxxxS merged 2 commits from patch-1 into master 2018-11-07 14:36:19 +00:00

Conversation 12 Commits 2 Files Changed 1 +7

HxxxxxS commented 2018-11-07 11:42:33 +00:00 (Migrated from github.com)

Copy Link

Limit the amount of identifiable information sent when requesting the Mozilla harmful extensions blocklist.

Description

From Reddit user /u/LocalFigurez at https://old.reddit.com/r/privacytoolsIO/comments/9uqeew/firefox_tip_sanitize_firefox_blocklist_url_so_it/

Firefox includes feature that connects in regular time intervals (every 24 hour) to the Mozilla's servers to download blocklist of harmful extensions, vulnerable plugins and crash-prone graphic drivers. This request includes following information:

APP_ID
APP_VERSION
PRODUCT
VERSION
BUILD_ID
BUILD_TARGET
OS_VERSION
LOCALE
CHANNEL
PLATFORM_VERSION
DISTRIBUTION
DISTRIBUTION_VERSION
PING_COUNT
TOTAL_PING_COUNT
DAYS_SINCE_LAST_PING

By changing extensions.blocklist.url from

https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/

to

https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/

Firefox won't send identifiable information in the blocklist request and you will still get all the security features from it.

HTML Preview

https://htmlpreview.github.io/?https://github.com/HxxxxxS/privacytools.io/blob/patch-1/index.html

Limit the amount of identifiable information sent when requesting the Mozilla harmful extensions blocklist. ### Description From Reddit user /u/LocalFigurez at https://old.reddit.com/r/privacytoolsIO/comments/9uqeew/firefox_tip_sanitize_firefox_blocklist_url_so_it/ Firefox includes feature that connects in regular time intervals (every 24 hour) to the Mozilla's servers to download blocklist of harmful extensions, vulnerable plugins and crash-prone graphic drivers. This request includes following information: APP_ID APP_VERSION PRODUCT VERSION BUILD_ID BUILD_TARGET OS_VERSION LOCALE CHANNEL PLATFORM_VERSION DISTRIBUTION DISTRIBUTION_VERSION PING_COUNT TOTAL_PING_COUNT DAYS_SINCE_LAST_PING By changing `extensions.blocklist.url` from https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/ to https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/ Firefox won't send identifiable information in the blocklist request and you will still get all the security features from it. ### HTML Preview https://htmlpreview.github.io/?https://github.com/HxxxxxS/privacytools.io/blob/patch-1/index.html

👍 1

ghost commented 2018-11-07 12:02:00 +00:00 (Migrated from github.com)

Copy Link

Thank you.

Can anyone confirm that it will download the same list even if you limit the arguments to APP_ID and APP_VERSION?

Thank you. Can anyone confirm that it will download the same list even if you limit the arguments to `APP_ID` and `APP_VERSION`?

zalox commented 2018-11-07 12:35:18 +00:00 (Migrated from github.com)

Copy Link

Hi @Shifterovich, I can't confirm, but if you do https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/ you get the list.

Hi @Shifterovich, I can't confirm, but if you do `https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/` you get the list.

HxxxxxS commented 2018-11-07 12:55:57 +00:00 (Migrated from github.com)

Copy Link

Changing random parameters from null

 Changing random parameters from null 

HxxxxxS commented 2018-11-07 13:04:03 +00:00 (Migrated from github.com)

Copy Link

I suppose you could even set the extensions.blocklist.urlflag to the nullbyte parameter url @zalox posted above.

@Shifterovich let me know if you think I should edit the PR to include this.

I suppose you could even set the `extensions.blocklist.url`flag to the nullbyte parameter url @zalox posted above. @Shifterovich let me know if you think I should edit the PR to include this.

zalox commented 2018-11-07 13:09:01 +00:00 (Migrated from github.com)

Copy Link

Hi @HxxxxxS, your wget diff should use capital -O instead of -o.

I took the liberty to test with the version set to 63.0:

wget -O 1.html -q https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/63.0
wget -O 2.html -q https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/
diff 1.html 2.html

edit: remove $ in front of bash commands

Hi @HxxxxxS, your wget diff should use capital `-O` instead of `-o`. I took the liberty to test with the version set to 63.0: ```bash wget -O 1.html -q https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/63.0 wget -O 2.html -q https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/ diff 1.html 2.html ``` edit: remove $ in front of bash commands

HxxxxxS commented 2018-11-07 13:17:28 +00:00 (Migrated from github.com)

Copy Link

Haha, my bad. But seems point still stands.

Haha, my bad. But seems point still stands.

ghost commented 2018-11-07 14:27:54 +00:00 (Migrated from github.com)

Copy Link

╭─xxx@yyy /tmp/ptio  
╰─$ sha256sum 1.html 
5f036970d2889afbc10da1b01733f4c02d8ace7c5e57d936c33ecc163d0c152e  1.html
╭─xxx@yyy /tmp/ptio  
╰─$ sha256sum 2.html 
5f036970d2889afbc10da1b01733f4c02d8ace7c5e57d936c33ecc163d0c152e  2.html

https://blocklists.settings.services.mozilla.com/v1/blocklist/3/privacy/tools/ works as well. Any pair of values works as long as it ends with /.

The one concern with changing APP_ID/VERSION to something random is that it could break some things, but at this time, mozilla.com serves the same content regardless of these values.

I like the null byte approach the most. Even better than serving APP_ID. Can you update the PR to the null byte version?

``` ╭─xxx@yyy /tmp/ptio ╰─$ sha256sum 1.html 5f036970d2889afbc10da1b01733f4c02d8ace7c5e57d936c33ecc163d0c152e 1.html ╭─xxx@yyy /tmp/ptio ╰─$ sha256sum 2.html 5f036970d2889afbc10da1b01733f4c02d8ace7c5e57d936c33ecc163d0c152e 2.html ``` https://blocklists.settings.services.mozilla.com/v1/blocklist/3/privacy/tools/ works as well. Any pair of values works as long as it ends with `/`. The one concern with changing APP_ID/VERSION to something random is that it could break some things, but **at this time, mozilla.com serves the same content regardless of these values**. I like the null byte approach the most. Even better than serving APP_ID. Can you update the PR to the null byte version?

ghost commented 2018-11-07 14:36:31 +00:00 (Migrated from github.com)

Copy Link

Thanks.

Thanks.

ghost commented 2018-11-07 15:51:33 +00:00 (Migrated from github.com)

Copy Link

@Shifterovich

Also there is browser.safebrowsing.downloads.remote.enabled preference which can be set to false. This disables safebrowsing binaries which aren't on local lists being checked by Google (real-time metadata checking). Also this does NOT disable safebrowsing feature which would otherwise weaken security.

https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/

This was pointed out in the same Reddit thread.

@Shifterovich Also there is `browser.safebrowsing.downloads.remote.enabled` preference which can be set to `false`. This disables safebrowsing binaries which aren't on local lists being checked by Google (real-time metadata checking). Also this does NOT disable safebrowsing feature which would otherwise weaken security. https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/ This was pointed out in the same Reddit thread.

ghost commented 2018-11-07 16:09:02 +00:00 (Migrated from github.com)

Copy Link

@GuyInTheShadows Take a look at #339

@GuyInTheShadows Take a look at #339

ghost commented 2018-11-07 16:16:28 +00:00 (Migrated from github.com)

Copy Link

Thanks for the link. I will read it through.

Thanks for the link. I will read it through.

beerisgood commented 2018-11-07 18:44:57 +00:00 (Migrated from github.com)

Copy Link

@GuyInTheShadows you don't need safebrowsing if you use uBlock Origin.
Also using safebrowsing is a privacy problem

@GuyInTheShadows you don't need safebrowsing if you use uBlock Origin. Also using safebrowsing is a privacy problem

This repo is archived. You cannot comment on pull requests.

Reviewers

No Reviewers

Labels

Clear labels

🔍🤖 Search Engines

approved

approved, waiting for a PR

dependencies

Pull requests that update a dependency file

duplicate

feedback wanted

high priority

I2P

The Invisible Internet Project (I2P)

iOS

low priority

OS

Operating Systems

Self-contained networks

Social media

stale

A label for stalebot if it gets added

streaming

Anything related to media streaming.

todo

Tor

Anything covering the Tor network

WIP

active work in progress, do not merge or PR (yet)!

wontfix

Issues or bugs that will not be fixed and/or do not have significant impact on the project.

XMPP

Extensible Messaging and Presence Protocol

[m]

Matrix protocol

₿ cryptocurrency

ℹ️ help wanted

↔️ file sharing

⚙️ web extensions

Browser Extension related issues

✨ enhancement

❌ software removal

💬 discussion

🤖 Android

🐛 bug

💢 conflicting

📝 correction

Correction of content on the website

🆘 critical

📧 email

🔒 file encryption

📁 file storage

🦊 Firefox

Firefox & forks, about:config etc.

💻 hardware

🌐 hosting

🏠 housekeeping

Anything primarily related to site cleanup.

🔐 password managers

🧰 productivity tools

🔎 research required

🌐 Social News Aggregators

🆕 software suggestion

👥 team chat

🔒 VPN

Virtual Private Network

🌐 website issue

*Technical* issues with the website.

🚫 Windows

👁️ browsers

🖊️ digital notebooks

🗄️ DNS

Domain Name System

🗨️ instant messaging (im)

🇦🇶 translations

Anything covering a translated version of the site

No Label

Milestone

No items

No Milestone

Assignees

Clear assignees

jonah

No Assignees

1 Participants

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: privacyguides/privacytools.io#565

No description provided.