-
Notifications
You must be signed in to change notification settings - Fork 522
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tracking protection (edit: and SB) - why exactly is it disabled? #102
Comments
afaik TP uses the same lists (Disconnect) that are already available in uBO. Either your uBO lists are not updated or I'd love to see an example of those cases you're mentioning |
@earthlng wrote:
You probably have a point there. The Disconnect lists were not selected in my uBO filters. Is Tracking Protection (TP) list limited to Disconnect? Doesn't this link suggest otherwise? The next time I come across such an example, I'll try to remember to post it here; it happens rarely though. If you guys have made the conscious decision to not cater to people who don't also use uBO then I understand the decision better. If this Besides, if uBO Disconnect list is really a drop-in replacement, I don't see the downside of having TP on because that code path will never be traveled anyway for a user with that uBO list active. As my 3rd link shows, TP is only triggered if extensions have allowed the connection to proceed. @Thorin-Oakenpants wrote:
Consider: Firefox gives the option of two lists, a basic list (default) meant to have few breaks, and a strict list meant to provide stronger protection. Because the lists are updated every hour (I think) and are maintained by a company that makes it its business to provide privacy tools (Disconnect), I suspect that breakages in the basic list are few and far between. I have no empirical evidence though. Just personal experience (never seen it myself) |
@Thorin-Oakenpants I did read the Implementation wiki. I even quote it in the OP. But the only thing it says about uBO is:
This doesn't get across that people who use this without uBO should not expect privacy. If that is your position, consider making it more obvious because as things stand, such a user would be more exposed using your I tried to make the case for Tracking Protection regardless of whether uBO is used; please take another look at my previous post. Thanks for reading. |
it seems so:
source: https://feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox/ You can choose between recommended and strict, and that changes
If you look at this both |
Pants can sometimes be a bit salty. @RoxKilly, please don't let this spook you away from here. You contribute quality posts and comments, and I'd hate to see you abandoning us. |
@earthlng Thanks for the encouragement. I'm in no danger of leaving; I was being sincere with my thanks. I'm curious: what do you think about following assessment:
Gets back to my original question: what is the benefit of disabling it? |
@RoxKilly wrote:
I see what you mean but I just can't imagine that someone would use something like this user.js but not use uBO. It can be used simply as a better version of ABP. You don't even have to use the more advanced features and IMO it's really easy to setup and use (in easy mode, at least). Not to mention the amazing Element picker.
it makes the slight difference that it downloads the blocklists (every hour?) basically for no reason at all. #NotSoQuietFox And as for the sentence you two are arguing about ....
I'd say the important part in that is: as well as uBlock Origin IMHO uBO is an absolute must-have addon, and I'd rather we make that abundantly clear instead of enabling TP (and/or SB) |
Do you not read, SaltyPants? ;) When changing it in the options FF needs to restart btw |
@Thorin-Oakenpants wrote:
I don't yet know which preference determines whether the basic or strict protection list is used. I know how to change it in the UI, if that helps: With @Thorin-Oakenpants wrote:
To get tracking protection working in my browser all I had to do was comment out |
seriously? you too? why am I even posting here if nobody reads my shit xD |
@earthlng LOL The download itself doesn't occur every hour. A check is made for whether there is an update every hour:
|
@Thorin-Oakenpants I simply commented out those two lines. My copy of
In
I've also just confirmed that Tracking Protection is working by disabling uBO, then loading nytimes.com |
THANK YOU, ffs :)
Hell no! I like the way it is right now. Beginning to hate @RoxKilly - now you're 2 against 1 - that sucks! xD /* 0420: disable Tracking Protection (TP)
* There SHOULD be NO privacy concerns here, but we strongly recommend to use uBlock Origin instead,
* which offers more comprehensive as well as specialized lists. ... ***/
|
@Thorin-Oakenpants wrote:
"TP only in private windows" is:
Those are the default settings by the way "TP always" is:
I don't know for a fact but I don't see why it would be any other way. |
Ok, I'll let you two wrap each other in TP while I go watch some funny cat videos.
happy TP-ing you two, laterz |
Both set as False here, with the URL removed as Roxkilly. Potential amazon tracking: https://www.robtex.com/dns-lookup/shavar.services.mozilla.com |
Browser retrieves the hash for updates from: EDIT: SAFEBROWSING_ID is not the same as Google API_KEY. By looking at robtex here, you see the service is hosted at Amazon. |
/*** 1200 HSTS
|
My problem is AmazonCDN hosting and potential tracking because of it's huge online presence. |
Huh... missed the whole party here. :) To make it work, I have set those: Does my comment make any sense? EDIT: never think of what @Atavic said... good point |
Thank you pants. What about SB? |
So Mozilla hosts such services on Amazon servers. Will Amazon use the connections to track the browser? They definitely could. |
I will shut up now. :) |
Note that enabling these won't do anything if
As documented here, |
@Atavic , the use of HSTS by itself does not mean fingerprinting. HSTS is actually a great security feature because it protects against a man-in-the-middle downgrade attacks by forcing the browser to connect only over a secure channel by default. Using HSTS to fingerprint requires having the browser make many connections to many domains (subdomains usually) and testing whether the browser knows to connect to these domains over HTTPS by default. So unless we have evidence that the Tracking Protection server connection involves many domains with HSTS there can be no fingerprinting of that sort. In addition, Firefox doesn't save HSTS settings in Private Browsing mode, so in the browser's default configuration (Tracking Protection used during Private Browsing) this fingerprinting technique wouldn't even work. Again, I think we need evidence that there is even fingerprinting going on in the first place for this to be a concern. @fmarier
I'm having a hard time seeing how there is tracking going on. Seems to me that at most, the Amazon hosted server |
I keep reading that uBo has the same default lists as TP. Which lists are people talking about? When I compare the Disconnect tracking list in uBo to the TP lists, they appear very different. |
uBO doesn't use the Disconnect list by default. Here is its default setup. The 3rd party lists loaded are:
|
Yes. I know this because as I pointed out in the OP:
I don't use the Disconnect list in uBO, though I have EasyList, Peter Lowe's, and EasyPrivacy ON. These occurrences are rare though; the next time I run across one, if I remember, I'll post it here |
Those I have additionaly to uBo standard for TP: I don't go FB, but to whome who does: I have also other collections for SB and others, if anyone interested. EDIT: If anyone sees some in this list that are total nonsense, please let me know ;) |
@Thorin-Oakenpants wrote
Thanks. On the surface, those results indicate that much is covered by Disconnect (and hence possibly TP) that is not covered by the default uBo setup. I'm not sure if the analysis is so simple, however. Wouldn't it depend on which order uBo processes lists? IOW, if 2 lists have |
What I really miss in uBo is statistics... but I understand why those can't really be implemented. If those would be implemented the uBo would take a lot of CPU resources to do so. Crap, this comment might be just a spam here and should go to uBo "issue" instead. |
Under Malware filter list by Disconnect I have 2 used out of 2598, checked now. |
I think what @crssi means is a counter about which filters (and from which list) you actually encounter in your browsing. |
Doh... my English again. :) Yes, @earthlng, you are correct. |
I was thinking about this issue a bit more, and a strong argument to keep TP enabled is that its list can be automatically updated multiple times per day (I believe). To the contrary, most uBo lists are only automatically updated every 3 days, some only get automatically updated every 7 days, and I believe some may be scheduled to take even longer. Yes, you can manually force uBo updates more frequently, but it's not really reasonable to expect users to all do that. |
@earthlng I tend to agree. And at the same time, I tend to disagree. :) I agree because when the frequency of updates is infrequent, then looking for updates frequently isn't productive. I disagree because it doesn't take any effort from the user, and only the most severely bandwidth-restricted users will notice. Also, sometimes a really invasive tracker can come along and needs to be blocked ASAP. That, as you pointed out, is relatively rare. Now, when it comes to SB (vs TP), I am starting to think it's really important to have blocklists updated more frequently than every 3 days. And SB provides that. From what I can tell, SB would have blocked the phishing scam described in https://www.ghacks.net/2017/05/04/fell-prey-to-google-docs-phishing-scam-do-this/ but uBo would not have blocked it for a majority of its users. |
I wrote earlier:
I got a hit. Turn on Tracking Protection then open this page with default uBO settings. uBO would not protect the user, but the built-in TP does. |
@Gitoffthelawn wrote
What makes you think that?
I'm reading that as SB did NOT protect users. It would be interesting to know what updates they pushed, because I don't really understand atm what exactly the problem was. @RoxKilly wrote
Can't replicate. Fresh profile with default uBO and this user.js but with TP enabled: "No tracking elements detected on this page". What isn't blocked that should be blocked? |
@earthlng wrote:
To replicate:
Without TP, I would not have avoided this particular tracking mechanism. I get such a hit once or twice a week I think. If you don't get the same result, I suspect it's either because you skipped step 6 above or the Amazon server doesn't send the tracking bug to your PC, or your uBO settings aren't the default. @earthlng wrote:
You guys were discussing the benefits of the frequent update check by the SafeBrowsing engine as an advantage over uBO malware lists. I think the point @Gitoffthelawn made is that because Google pushed a fix to SB infrastructure within an hour of the exploit being public, and since SB checks for updates every hour, people who use SB for protection would have had a much shorter vulnerable window (the quick update would protect most people who actually receive and eventually open the phishing email) than people who use just uBO with this |
@RoxKilly wrote
Exactly. Your paraphrase of what I wrote made it much more clear though. :) I think uBo would benefit from the ability to customize the list check interval. Actually, do you know if it checks lists for updates or always just downloads the most recent versions? The downside, of course, is the additional traffic if too many people start asking for lists to be updated too frequently.. it would amount to a DDOS. But the number of people that would actually adjust such a setting would likely be minimal compared to the installed base. Are the SB and TP lists available anywhere in a format compatible with uBo? |
@RoxKilly wrote
I did forget that, sorry. Ok so @Gitoffthelawn wrote
https://github.com/gorhill/uBlock/wiki/Advanced-settings
afaik it checks a checksum file from gorhill's github repo before updating lists.
Not that I know. The TP list could however easily be parsed and converted into a compatible format. idk if the same is possible for SB. Would this be the format we want ... ?
|
FYI These lists have been implemented into Ubo Lists: uBlock-LLC/uBlock#1406 (comment) |
@Gitoffthelawn wrote:
@earthlng wrote:
That may no longer be the case. I just came across this statement from gorhill from Jan 2017
|
Interestingly this very page/tracker is explicitly allowed on the following lists: |
Hmmm... Popular lists such as EasyList have a string at the top to indicate how often to perform updates. For example: IIRC, popular blocking programs like AdBlock Plus and uBlock Origin (uBo) will not automatically update the list from its source until that time has expired. IIRC, when a user of AdBlock Plus manually updates a list, it will force an update, overriding the value specified in the header. IIRC, uBlock Origin will not update the list in this situation, even if the user performs a manual update. IIRC, in uBo, even if the user specifies a lower value by using the In uBo the user can purge all uBo caches and then perform a manual update of every list. AFAIK, this will manually update the lists. AFAIK, in uBo, there is no obvious way to manually purge and update a single list before it has expired, which can be days. That's a lot of IIRC and AFAIK, so you may want to confirm. |
Consider writing out |
The implementation guide explains:
Could someone please elaborate? Is the block because the browser has to connect to a remote server to download blocklists? @Thorin-Oakenpants do you operate under the assumption that this
user.js
must be used in conjunction with uBlock Origin? If this is meant for both uBO users and non-users, why disable TP?Setting that aside, let me make the case for TP even for a uBO user like myself: For the vast majority of webpages, TP never plays a role because uBO blocks requests before they get to the TP code (see the last comment from link 3 below). So there is no additional burden on the browser and I don't see an additional privacy exposure (beyond the blocklist downloads).
In some cases, default uBO filter lists and settings let something through the cracks and TP actually catches it (eg: enable Tracking Protection and open this page as of May 4 2017). This is usually a tracking image of some sort. In those cases I'm glad to have TP on.
For Reference
The text was updated successfully, but these errors were encountered: