Changing the extensions.blocklist.url flag #565

Merged
HxxxxxS merged 2 commits from patch-1 into master 2018-11-07 14:36:19 +00:00
HxxxxxS commented 2018-11-07 11:42:33 +00:00 (Migrated from github.com)

Limit the amount of identifiable information sent when requesting the Mozilla harmful extensions blocklist.

Description

From Reddit user /u/LocalFigurez at https://old.reddit.com/r/privacytoolsIO/comments/9uqeew/firefox_tip_sanitize_firefox_blocklist_url_so_it/

Firefox includes a feature that connects at regular intervals (every 24 hours) to Mozilla's servers to download a blocklist of harmful extensions, vulnerable plugins and crash-prone graphics drivers. This request includes the following information:

APP_ID
APP_VERSION
PRODUCT
VERSION
BUILD_ID
BUILD_TARGET
OS_VERSION
LOCALE
CHANNEL
PLATFORM_VERSION
DISTRIBUTION
DISTRIBUTION_VERSION
PING_COUNT
TOTAL_PING_COUNT
DAYS_SINCE_LAST_PING

By changing extensions.blocklist.url from

https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/

to

https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/

Firefox won't send identifiable information in the blocklist request and you will still get all the security features from it.

HTML Preview

https://htmlpreview.github.io/?https://github.com/HxxxxxS/privacytools.io/blob/patch-1/index.html
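
A defender-side check for the change proposed above, as an added example that is not part of the original PR or the privacytools.io repository: it reads a Firefox `user.js`/`prefs.js`, extracts `extensions.blocklist.url`, and reports which `%PLACEHOLDER%` fields would still be sent. The function names and the sample files are constructed for illustration.

```bash
#!/bin/sh
# Added example: audit a Firefox prefs file for the blocklist URL pref.

# Print the value of extensions.blocklist.url (last assignment wins; empty if unset).
blocklist_url() {
    sed -n 's/^[[:space:]]*\(user_\)\{0,1\}pref("extensions\.blocklist\.url",[[:space:]]*"\([^"]*\)").*/\2/p' "$1" |
        tail -n 1
}

# Print each %PLACEHOLDER% still present in the URL, one per line.
# Percent-encoded bytes such as %20 are not placeholders and are ignored.
blocklist_placeholders() {
    blocklist_url "$1" | grep -o '%[A-Z_][A-Z_]*%' | tr -d '%'
}

# Return 0 when only allowed placeholders remain, 1 (listing the extra
# fields on stdout) when others are still sent, 2 when the pref is not set
# in this file, in which case the browser default applies.
audit_blocklist_pref() {
    file=$1
    allowed=${2:-"APP_ID APP_VERSION"}
    url=$(blocklist_url "$file")
    [ -n "$url" ] || return 2
    extra=""
    for p in $(blocklist_placeholders "$file"); do
        case " $allowed " in
            *" $p "*) ;;
            *) extra="$extra $p" ;;
        esac
    done
    if [ -z "$extra" ]; then return 0; fi
    echo "${extra# }"
    return 1
}

# Constructed sample files: the original URL and the trimmed URL from this PR.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
base='https://blocklists.settings.services.mozilla.com/v1/blocklist/3'
full="$base/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/"
printf 'user_pref("extensions.blocklist.url", "%s");\n' "$full" > "$demo_dir/default.js"
printf 'user_pref("extensions.blocklist.url", "%s");\n' "$base/%APP_ID%/%APP_VERSION%/" > "$demo_dir/trimmed.js"
for f in default trimmed; do
    if extra_fields=$(audit_blocklist_pref "$demo_dir/$f.js"); then
        echo "$f.js: ok"
    else
        echo "$f.js: still sends: $extra_fields"
    fi
done
```

Pass a different space-separated allow-list as the second argument to tighten or loosen the check.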

ghost commented 2018-11-07 12:02:00 +00:00 (Migrated from github.com)

Thank you.

Can anyone confirm that it will download the same list even if you limit the arguments to APP_ID and APP_VERSION?

zalox commented 2018-11-07 12:35:18 +00:00 (Migrated from github.com)

Hi @Shifterovich, I can't confirm, but if you do https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/ you get the list.

HxxxxxS commented 2018-11-07 12:55:57 +00:00 (Migrated from github.com)

https://i.imgur.com/1u75Xim.png
Changing random parameters from null
https://i.imgur.com/CADDurI.png

HxxxxxS commented 2018-11-07 13:04:03 +00:00 (Migrated from github.com)

I suppose you could even set the extensions.blocklist.url flag to the nullbyte parameter URL @zalox posted above.

@Shifterovich let me know if you think I should edit the PR to include this.

zalox commented 2018-11-07 13:09:01 +00:00 (Migrated from github.com)

Hi @HxxxxxS, your wget diff should use capital -O instead of -o.

I took the liberty to test with the version set to 63.0:

```bash
wget -O 1.html -q https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/63.0
wget -O 2.html -q https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/
diff 1.html 2.html
```

edit: remove $ in front of bash commands

HxxxxxS commented 2018-11-07 13:17:28 +00:00 (Migrated from github.com)

Haha, my bad. But seems point still stands.

ghost commented 2018-11-07 14:27:54 +00:00 (Migrated from github.com)

```
╭─xxx@yyy /tmp/ptio
╰─$ sha256sum 1.html
5f036970d2889afbc10da1b01733f4c02d8ace7c5e57d936c33ecc163d0c152e  1.html
╭─xxx@yyy /tmp/ptio
╰─$ sha256sum 2.html
5f036970d2889afbc10da1b01733f4c02d8ace7c5e57d936c33ecc163d0c152e  2.html
```

https://blocklists.settings.services.mozilla.com/v1/blocklist/3/privacy/tools/ works as well. Any pair of values works as long as it ends with /.

The one concern with changing APP_ID/VERSION to something random is that it could break some things, but at this time, mozilla.com serves the same content regardless of these values.

I like the null byte approach the most. Even better than serving APP_ID. Can you update the PR to the null byte version?

ghost commented 2018-11-07 14:36:31 +00:00 (Migrated from github.com)

Thanks.

ghost commented 2018-11-07 15:51:33 +00:00 (Migrated from github.com)

@Shifterovich

Also, there is the browser.safebrowsing.downloads.remote.enabled preference, which can be set to false. This disables safebrowsing checks by Google of binaries which aren't on local lists (real-time metadata checking). Also, this does NOT disable the safebrowsing feature, which would otherwise weaken security.

https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/

This was pointed out in the same Reddit thread.

ghost commented 2018-11-07 16:09:02 +00:00 (Migrated from github.com)

@GuyInTheShadows Take a look at #339

ghost commented 2018-11-07 16:16:28 +00:00 (Migrated from github.com)

Thanks for the link. I will read it through.

beerisgood commented 2018-11-07 18:44:57 +00:00 (Migrated from github.com)

@GuyInTheShadows you don't need safebrowsing if you use uBlock Origin.
Also using safebrowsing is a privacy problem

Reference: privacyguides/privacytools.io#565