Safe Browsing availability and levels #452

Closed
grahamperrin opened this issue Feb 23, 2018 · 17 comments
Comments

@grahamperrin

grahamperrin commented Feb 23, 2018

https://www.waterfoxproject.org/, I never realised that Waterfox lacks this feature.

I learnt through https://www.reddit.com/r/waterfox/comments/7zouiz/safe_browsing_google_provider/dupreza/.

Can a preference be added to Waterfox, to allow use of the API?

If not: the web site etc. should make things such as this clear, please.

Reference

Mozilla bug 1387651 - Staged rollout of Safe Browsing V4 to the release population using Shield (RESOLVED FIXED 2017-11-08)

status-firefox56: affected → fixed

I became aware of the roll-out when an outdated Firefox ESR alerted me to an incompatibility:

firefox esr versus safe browsing version 4

@jbeich
Contributor

jbeich commented Feb 23, 2018

Phishing list is probably the most interesting one. No clue if Safe Browsing V2 still works but to enable V4 (aka google4 in about:url-classifier):

  1. Obtain Google API Key, downstream may want to use the one from Chromium package
  2. Adjust prefs by reverting d44cb05 (FF56-only)
  3. Build with --with-google-api-keyfile=/path/to/google.key
  4. Increase quota for the API key to avoid download error (429), e.g. by contacting Mozilla

@WagnerGMD

Open the page about:preferences#security, you should see that:

  • Block dangerous and deceptive content
  • Warn you about unwanted and uncommon software

And according to the page about:config :

pref("browser.safebrowsing.downloads.enabled",true);
pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted",true);
pref("browser.safebrowsing.downloads.remote.block_uncommon",true);
pref("browser.safebrowsing.downloads.remote.enabled",true);
pref("browser.safebrowsing.malware.enabled",true);
pref("browser.safebrowsing.phishing.enabled",true);
## I don't recall exactly but the last time, it was good enough. Because it doesn't require more to disable it.

In that case, I'm just wondering: isn't it the same thing?

@jbeich
Contributor

jbeich commented Feb 24, 2018

@WagnerGMD, do you see warnings (i.e., about:blocked) when following links from Safe Browsing demos? Maybe compare with Firefox and Chrome.

@grahamperrin
Author

Open the page about:preferences#security, you should see that:

  • Block dangerous and deceptive content
  • Warn you about unwanted and uncommon software

Oh, yes, I see that they're enabled with a clean profile.

Have I raised an issue without testing? I'm an itsy-witsy bit stoned, just enough to not test the other prefs. Sorry

@WagnerGMD

WagnerGMD commented Feb 24, 2018

At this moment, I can't try with Waterfox, because it was disabled (a long time ago). The main reason was: I assume my antivirus will work too (but it doesn't seem to be true for now... that's strange and I will need to check this later...).

I don't use Chrome but I tried with Firefox_v60. Bad news: it was able to block only a few (I will need to check again, but at first impression I would say between 4 and 8).
Each link in the section Webpage Warnings was blocked. If you need an example, I have taken a picture.

No trouble @grahamperrin and no worries, I just want to avoid confusion, because I really don't know if we are talking about the same thing. Right now, I can't say, because I have only just discovered your post. And apparently there is also an addon Safe Browsing_v4. Do you have a link? Because at the moment, I can't tell which one it is among them on AMO.
Another reason: no, I have never used this addon.

@tmkk

tmkk commented Feb 24, 2018

I'm the starter of the reddit thread, and I mean that Safe Browsing itself works but Waterfox doesn't use the lists which Google provides (browser.safebrowsing.provider.google.*) and only uses Mozilla's.

For example, http://malware.testing.google.test/testing/malware/ is blocked with Firefox but not with Waterfox.

@grahamperrin
Author

Thanks,

http://malware.testing.google.test/testing/malware is blocked with Firefox but not with Waterfox.

I find it blocked. Tested with both:

  1. a click from within Thunderbird; and
  2. a Control-Click within a Waterfox view of this page:

2018-02-24 09 50 39 waterfox

2018-02-24 09 51 37 reported attack page

Also blocked in the new profile 452 that I created after raising this issue.

56.0.4_4 on FreeBSD-CURRENT.

@grahamperrin
Author

grahamperrin commented Feb 24, 2018

… apparently there is also an addon Safe Browsing_v4. Do you have a link? Because at the moment, I can't tell which one it is among them on AMO …

Tag https://addons.mozilla.org/firefox/tag/google%20safe%20browsing draws attention to Privacy Settings, version 0.2.6 of which is compatible with the current release of Waterfox. However, tags on AMO are/were so rarely used that I should not treat the result as comprehensive.

Safe Browsing Version 4, 1.0.0

The attempted installation auto-enable pictured in the opening post was of an extension a system extension that I should not expect to find at AMO. I assume that 1.0.0 was within the Shield-based rollout that was outlined in Mozilla bug 1387651.

@jbeich
Contributor

jbeich commented Feb 25, 2018

V2.2 would probably be supported until ESR52 reaches EOL.

@grahamperrin, on FreeBSD waterfox-56.0.4.20_1 or later should use V4. Safe Browsing will stop working until limits on downstream key are bumped. As a workaround just remove the patch or use a different key. Firefox has GOOGLE_API_KEY exposed in resource://gre/modules/AppConstants.jsm (in Firefox 56+) or resource://gre/components/nsURLFormatter.js (in Firefox 24-55) where resource://gre/... refers to firefox/omni.ja. For one, to blend in maybe use Mozilla's key. ;)

grahamperrin changed the title from "Absence of Safe Browsing" to "Safe Browsing availability and levels" on Feb 25, 2018

@WagnerGMD

Thank you @grahamperrin for the clarification, now I understand (and it doesn't come from AMO).

@grahamperrin
Author

Waterfox application functionality

Re: my 'everyday' Waterfox profile, at https://mozilla.logbot.info/firefox/20180526#c14811467 (without mentioning Waterfox) I pinpointed a 2018-01-16 update … that probably arose from prior use of the profile, on FreeBSD-CURRENT, with Firefox.

On a nearby Mac running Sierra I found a Waterfox profile named 'hello' that was created on 2018-01-16. This profile has the preferences for Safe Browsing, and:

  • about:config?filter=browser.safebrowsing.provider.google.lastupdatetime finds nothing

– if I'm not mistaken, no update. My concern here is that end users may have a false sense of security.

Meta, tracking: #538

@grahamperrin
Author

At about:preferences#security I found both:

  • ☑ Block dangerous and deceptive content; and
  • ☑ Warn you about unwanted and uncommon software

– whilst at about:config?filter=browser.safebrowsing.enabled I found:

  • nothing.

@WagnerGMD

WagnerGMD commented May 26, 2018

According to the page about:config, for me (right now) it doesn't seem to exist:
browser.safebrowsing.provider.google.lastupdatetime
After a quick search, I found this one.

pref("browser.safebrowsing.provider.mozilla.lastupdatetime",1527309692870);
## No, I don't have a clue about this number... I have decided to just copy the value.

Then I wonder:

  • is the name the correct one?
  • Unless the name was modified, perhaps according to the OS?
  • Otherwise, it doesn't exist anymore because it was disabled?

pref("browser.safebrowsing.downloads.enabled",false);
pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted",false);
pref("browser.safebrowsing.downloads.remote.block_uncommon",false);
pref("browser.safebrowsing.downloads.remote.enabled",false);
pref("browser.safebrowsing.malware.enabled",false);
pref("browser.safebrowsing.phishing.enabled",false);

From my point of view (and that of a lot of people), it's almost useless because we have a good antivirus (web filter, antimalware, etc (and for the record, nothing has changed: I'm still on W10 and I haven't done the update yet because it's again Waterfox_v56.1.0 (for the moment))). That's why, @grahamperrin, I decided to disable these settings (a long time ago).

PS : You can check it (the page about:preferences#security) on this picture.
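
The two situations reported above (toggles ticked but no `browser.safebrowsing.provider.google.lastupdatetime`, and toggles off with a Mozilla timestamp present) can be checked offline against a profile's prefs file. This is an added example, not part of the thread and not Waterfox or Mozilla code; the sample profiles are constructed, and `google4` as a pref provider name is an assumption taken from the about:url-classifier name mentioned earlier.

```python
import re
from datetime import datetime, timedelta, timezone

# Accepts prefs.js lines (user_pref) and the pref(...) form quoted in this thread.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\);')
BASE = "browser.safebrowsing."

def parse_prefs(text):
    """Return {name: value}; values are bool for true/false, else the raw string."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            name, raw = m.group(1), m.group(2).strip('"')
            prefs[name] = {"true": True, "false": False}.get(raw, raw)
    return prefs

def ms_to_utc(ms):
    """lastupdatetime is milliseconds since the Unix epoch; integer math avoids float rounding."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=int(ms))

def audit(prefs, providers=("google", "google4", "mozilla")):
    # Assumption: a missing toggle means enabled (both boxes are ticked on a clean profile).
    enabled = any(prefs.get(f"{BASE}{k}.enabled", True) for k in ("malware", "phishing"))
    updated = {}
    for p in providers:
        raw = str(prefs.get(f"{BASE}provider.{p}.lastupdatetime", ""))
        updated[p] = ms_to_utc(raw) if raw.isdigit() and int(raw) > 0 else None
    no_google = all(t is None for p, t in updated.items() if p.startswith("google"))
    # Protection looks on in the UI, yet no Google-provided list was ever fetched.
    return {"enabled": enabled, "updated": updated, "ui_only": enabled and no_google}

# Constructed sample profiles, modelled on the two situations reported above.
CLEAN_PROFILE = '''
user_pref("browser.safebrowsing.malware.enabled", true);
user_pref("browser.safebrowsing.phishing.enabled", true);
user_pref("browser.safebrowsing.provider.mozilla.lastupdatetime", "1527309692870");
'''
DISABLED_PROFILE = '''
pref("browser.safebrowsing.malware.enabled",false);
pref("browser.safebrowsing.phishing.enabled",false);
pref("browser.safebrowsing.provider.mozilla.lastupdatetime",1527309692870);
'''

if __name__ == "__main__":
    for label, text in (("clean", CLEAN_PROFILE), ("disabled", DISABLED_PROFILE)):
        report = audit(parse_prefs(text))
        print(label, report["enabled"], report["ui_only"], report["updated"]["mozilla"])
```

A `ui_only` result of true is the "false sense of security" case: the checkboxes are on, but only Mozilla's lists have ever updated.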

@grahamperrin
Author

Hi,

a clue about this number.

https://mozilla.logbot.info/firefox/20180526#c14811471 includes a link to an extension that will convert numbers such as those.

OT

… almost useless because we have a good antivirus (web filter, antimalware, etc …

(If you'd like to discuss the pros and cons of e.g. uBlock Origin and Privacy Badger compared to the Safe Browsing API, please aim for https://www.reddit.com/r/waterfox/ – I'll pick it up from there. Thanks 👍)

@WagnerGMD

WagnerGMD commented May 26, 2018

Hi,

thank you for the clue @grahamperrin, and sorry, I just can't. The reason is very simple: I don't use them (neither uBlock Origin nor Privacy Badger).
About reddit, the website has to be improved (markdown remains buggy, etc.) and that's true despite the new latest version... Yes, it's better, but these bugs are really boring... and people don't answer. I could be very patient (several months) but as Blaine (The Monorail) would say: 'I don't play foolish game'!
From my point of view, the lack of answers isn't respectful and I don't (or won't) accept this anymore. That's why sometimes I'm on reddit, but it has become rare.

PS: But today my afternoon was very good (for once). So I will give you 2 drawback examples (for each addon):

  • the GUI could be improved a lot (or simplified, etc.)
  • the lack of clarity (fonts != css, etc.)

Do you remember (or know) the addon Policeman or Policy Control? By clarity I refer to my wish to clearly identify (pictures, fonts, etc.) and control anything about the request.
So from my point of view, even uMatrix could be better.

@grahamperrin
Author

grahamperrin commented May 26, 2018

Please, no more off-topic.

Safe Browsing availability and levels

This issue deserves focus.

@WagnerGMD

WagnerGMD commented May 27, 2018

To be clear, my first intention was to explain my point of view (or the situation). That's why at this moment, I can't help on the reddit website. Like I said (for real) the bugs are very annoying... and if you want to blame someone, blame reddit (after all, I reported these bugs several months ago and nothing was done to rectify them (until these last days, and no, it isn't good enough yet)).

And don't forget one thing: who mentioned these addons first? It wasn't me, so my advice would be to avoid blaming me (because no, it won't be my fault) and (no offense) but sometimes this kind of reaction is a bad one (exaggeration for nothing).
You can discuss with even a little courtesy instead of "screaming" (or reacting like this).

PS: For the record, for nearly 12 years I have helped a very large number of people over the internet (on various matters).
Despite the fact that I'm a very small developer myself (Python, etc.), now I just try to see how it's possible to help improve Waterfox, according to my own capacity (which is limited by IRL, etc.).

5 participants