Firefox 3.0: EULA: "Phone home"?

dant

Following is just a "heads up" as it was discussed in the Fedora Forum site:
=====================================================
As the EULA replacement page says:
> If you do not agree to these terms, do not use the Services and disable the
> Services in Edit > Preferences > Security and uncheck the options for
> both: "Tell me if the site I'm visiting is a suspected attack site" and "Tell
> me if the site I'm visiting is a suspected forgery".

I'd recommend that everyone disable those options if they value their privacy.
Or just switch to a sane browser, such as Konqueror. It's really outrageous
that this kind of "phoning home" is tolerated in Free Software.
=====================================================

FWIW,
Dan
 
dant said:
Following is just a "heads up" as it was discussed in the Fedora Forum site:
=====================================================
As the EULA replacement page says:
> If you do not agree to these terms, do not use the Services and disable the
> Services in Edit > Preferences > Security and uncheck the options for
> both: "Tell me if the site I'm visiting is a suspected attack site" and "Tell
> me if the site I'm visiting is a suspected forgery".

I'd recommend that everyone disable those options if they value their privacy.
Or just switch to a sane browser, such as Konqueror. It's really outrageous
that this kind of "phoning home" is tolerated in Free Software.
=====================================================

FWIW,
Dan

Thanks for the heads up Dan. I had to use a different path to change the option. It was Tools > Options > Security Tab, running Firefox 3.0.

Any idea what kind of data is sent and what they do with it?
 
No idea really. Some are shrugging it off as nothing suspicious but then
again, the EULA mentions that they do share `data' with third parties so
that alone made me decide to disable those "nifty features" since I do not
know exactly what `data' is being used and for what purpose. Unless it
is clearly specified as to what data is being shared, I'd rather not give up
my rights if I can help it.

Dan
 
dant said:
Following is just a "heads up" as it was discussed in the Fedora Forum site:
=====================================================
As the EULA replacement page says:
> If you do not agree to these terms, do not use the Services and disable the
> Services in Edit > Preferences > Security and uncheck the options for
> both: "Tell me if the site I'm visiting is a suspected attack site" and "Tell
> me if the site I'm visiting is a suspected forgery".

I'd recommend that everyone disable those options if they value their privacy.
Or just switch to a sane browser, such as Konqueror. It's really outrageous
that this kind of "phoning home" is tolerated in Free Software.
=====================================================

FWIW,
Dan

The anti-malware tools built into browsers like IE and Firefox are a symptom of a bigger problem: People don't want to make an effort to take care of themselves. Instead they'd rather let someone else handle it for them. And thus a pathocracy was born.

People don't take time to gain some knowledge about the dangers of the Internet. Most run around the net with a 'save me' attitude - meaning they want software that thinks for them and makes decisions for them.  Likewise, people don't want to know what's really going on. They turn on the tube, watch a talking head say whatever, believe it, and follow the other stampeding cows right off the cliff.

As for Konqueror - gaaaaa. What a pain in the arse. Easier to disable the malware site checking in Firefox than to tolerate Konqueror.

Either way you get what you pay for....
 
Pinkerton said:
Thanks for the heads up Dan. I had to use a different path to change the option. It was Tools > Options > Security Tab, running Firefox 3.0.

Any idea what kind of data is sent and what they do with it?

Computerworld has a story about it from back in February:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9062798

"Like the antiphishing blocker found in Firefox 2.0, the anti-malware tool relies on a list generated by Google Inc., the search company that provides most of Mozilla's revenue. Firefox 3.0 users can choose to have the browser either download an updated blacklist daily or query Google in real time for each page it tries to pull up."

"It's based on a blacklist," explained Schroepfer. "We're pulling that data similarly to antiphishing, checking the site against that [black]list and then putting up the malware warning if necessary."

The blacklist originates with the tests Google runs on sites that it crawls for its search index. Some of the criteria Google uses to finger a site as dangerous -- and deserving a spot on the blacklist -- are based on findings by StopBadware.org, a group created by Google, Chinese computer maker Lenovo Group Ltd. and Sun Microsystems Inc. Google has made it clear, however, that it also applies its own criteria and procedures and relies on its own tools to spot sites that host or distribute malware.
 
Pinkerton said:
Thanks for the heads up Dan. I had to use a different path to change the option. It was Tools > Options > Security Tab, running Firefox 3.0.

Any idea what kind of data is sent and what they do with it?

Well, as far as I can tell no data at all is being sent, since the check is done locally. What they do is get the blacklists from a central location, on a regular basis, and then as you surf the sites you visit are checked against that. So nothing happens as you actually surf around, so no privacy is being invaded. Personally I consider it really bad advice to turn these features off, since they can be helpful against the kind of attacks that they are supposed to stop. I'm keeping them on in my Firefox.

Here's a page explaining what connections are being made from Firefox:
hxxp://support.mozilla.com/fr/kb/Firefox+makes+unrequested+connections
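The distinction argued over in this thread, local lookup versus a real-time query, can be made concrete. The following is an added example, not Firefox or Mozilla code: a downloaded list of truncated hashes is checked on the user's machine, and only the per-page data each mode would send is reported. The hash-prefix scheme and the host-suffix/path-prefix expressions are modelled on the general blacklist design; the list entries are constructed sample values.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample list entries (not real indicators): the expressions a
# list publisher would hash. The client stores only short hash prefixes.
_SAMPLE_BAD_EXPRESSIONS = ["malware.example.test/", "example.test/download/evil/"]
PREFIX_LEN = 4


def hash_prefix(expression: str) -> bytes:
    """Truncated SHA-256 of a host/path expression, as stored on the client."""
    return hashlib.sha256(expression.encode("utf-8")).digest()[:PREFIX_LEN]


# What the browser fetched "from a central location": prefixes only.
LOCAL_LIST = frozenset(hash_prefix(e) for e in _SAMPLE_BAD_EXPRESSIONS)


def expressions_for(url: str) -> list:
    """Host suffixes combined with path prefixes, so a list entry for a whole
    host or directory matches every page beneath it (simplified: every host
    suffix except the bare TLD is tried)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host: %r" % url)
    labels = host.split(".")
    hosts = [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]
    path = parts.path or "/"
    paths, cur = {"/", path}, "/"
    for seg in path.split("/")[1:-1]:
        cur += seg + "/"
        paths.add(cur)
    return sorted(h + p for h in hosts for p in paths)


def local_hit(url: str) -> bool:
    """The check done on the user's machine; no network traffic is involved."""
    return any(hash_prefix(e) in LOCAL_LIST for e in expressions_for(url))


def data_sent(url: str, mode: str):
    """What leaves the machine per visited page in each mode the article
    describes: the full URL for a real-time query, nothing for a local miss,
    and only a hash prefix when a local hit needs confirmation."""
    if mode == "realtime":
        return url
    if mode != "local":
        raise ValueError("mode must be 'local' or 'realtime'")
    hits = [hash_prefix(e) for e in expressions_for(url) if hash_prefix(e) in LOCAL_LIST]
    return hits[0].hex() if hits else None


if __name__ == "__main__":
    for u in ("http://www.example.test/", "http://malware.example.test/a.html"):
        print(u, "local:", data_sent(u, "local"), "realtime:", data_sent(u, "realtime"))
```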
 
Many Linux users have noticed excessive hard disk usage and heavy CPU loads when allowing Firefox 3 to check the "safety" of sites. I've also experienced this - there's a heck of a lot going on with one's hard disk - wonder what Firefox is actually doing...

Some discussion here: _http://ubuntuforums.org/showthread.php?t=759673

So far I'm happy using Opera ;)
 
aragorn said:
Many Linux users have noticed excessive hard disk usage and heavy CPU loads when allowing Firefox 3 to check the "safety" of sites. I've also experienced this - there's a heck of a lot going on with one's hard disk - wonder what Firefox is actually doing...

Some discussion here: _http://ubuntuforums.org/showthread.php?t=759673

So far I'm happy using Opera ;)
Well, going by the discussion, it seems to be a bug or just bad implementation. But, again, Firefox doesn't seem to be "phoning home", which was the original point.
 
All this talk about speculation is just that, speculation.  But if
one really wants real hard data, then there are ways to test
this and that is, to isolate the IP traffic under a sniffer and
decode all data in/out of the box where firefox is concerned
and then take this data and analyse it for any suspicious
activities. But this is a time consuming process and very few
people have the time or energy to do this.

Most of us already know what M$ does with user data and
there are literally MANY pathways to obtain it both covertly
and overtly and it is not restricted only via the http protocol
and M$ is not the only company doing it.

This is a multi-billion market and it is no wonder M$ covets
Google's position.  as the C's say: "Greed is a sickness".

In my humble opinion:
================
A poster at the Fedora site asked: "How do you think Firefox (Mozilla) is going to recover their "investment" by giving out "free software"? Do you truly believe that they are doing all of this work from the bottom of their hearts to serve humankind, and for free?"
The reply on the Fedora site was: "Selling "third party" "data". This means anything from user habits, thus targeted advertisements, or perhaps even to feed government tracking and monitoring, but this is obviously pure speculation on my part, but I would not put it past them or anyone else esp. w/o hard data as proof."

I don't need FF built-in anti-phishing or anti-whatever if it means
trading freedom for "security" as this is getting quite old already.
There are other software tools available on Fedora (linux) that can
deal with security issues and more.

Like I said earlier: if I cannot get a clear answer on what Mozilla
(FF) does with the data - I am not going to trust them with what
they (don't) say, and may even switch to an alternative browser.

BTW: I did not write the comment between the `=' lines; this
information was taken from a poster at a Fedora site - and as
for recommending Konqueror or whatever - this is a matter of
opinion (but not mine) - but there are many other alternative
web browsers out there.

Kind regards,
Dan
 
I'm a little paranoid so I have a certain approach started related to security. This post may be a little off-phase for this thread but the thread is related to security so the following may be of value if you are looking for a more secure setup. Probably there should be a thread for us to discuss computer security if enough of us are interested to pursue and those more seasoned that I in these forums think it is appropriate.

For the Linux users, here is the approach I am taking so far with regards to Internet security for Firefox. First off, I created a different user account just to run firefox. Secondly, have set up FF under AppArmor and set AppArmor to "complain" mode so I could see what FF is trying to do as I hit various sites. Then I used that info to lock down FF to prevent it from accessing anything I didn't want. Next I loaded some plugins in FF that erase all personal stuff (cookies etc.) automatically after I close or restart FF. I also have a plugin that basically says that if I go to site X, and it is marked as a "sensitive" site by me, then close all other FF windows and tabs etc. so that no other code will be active when I'm on a sensitive site (i.e. one that requires passwords, has personal data, etc.). Lastly, I use privoxy to change my outgoing headers and filter out some kinds of content, and then pipe that through the tor anonymizing network. Yah, I know it is sort of paranoid but those are my first round security measures. I have more that I'm implementing and it is simple fun to work on.
 
Just keep in mind that FF is based on Java, and Java has *many*
objects/programs and is not necessarily secure or bug-free. The
same is true with M$'s COM (dll,exe,...) objects as with any OS.
Many of these objects have unpublished APIs and "backdoors".

The point is that it all depends on how the code is written and
what objects are being accessed/exposed and for what purpose.
This means potentially, *anything* on your hard-drive/(Wifi/Lan/Wan)
networked home/business office is in reality easily accessible and
available to the coder. This also means they can use any protocol of
choice, be it CORBA, RPC, ... (long list) or potentially a protocol that is
proprietary, thus unseen by normal IP sniffers/security programs, and
you would never know that you have been had. Another point is that
there are *many* issues with the underlying network protocols - from
the software layer all the way down to the hardware layer - that are being
taken advantage of by "hackers", and they are using "obscure/arcane"
protocols as well, the most recent being "DNS redirection" (man-in-the-
middle attacks), and this is freaking out "security experts" (in the know)
that have known about this for years (but were told to keep quiet)
with little/no action taken by those in the international community (who
are also in the know).

So - all the security measures that you take must also take into account
the accessibility of all objects in your OS - assuming that you can control
such objects with such "fine-grained" security restrictions, especially that
of unpublished APIs that are hidden within an object that requires total
and unrestricted access (for other "normal" object access), which may render
the overall system disabled/crippled if you attempt to restrict certain object(s).
Remember what M$ said about "ripping out" IE and how it would disable the
OS fiasco? Hmm.

As for performance, no matter how fast your computer is, it takes time to
load Java objects and then to perform operations afterwards as compared
to natively compiled (non-Java) code (on the average). Some Java apps are
*really* slow on older versions of OSes and, at times, it is quite noticeable.

Edit: What hago said is very true:
hago said:
People don't take time to gain some knowledge about the dangers of the Internet. Most run around the net with a 'save me' attitude - meaning they want software that thinks for them and makes decisions for them. Likewise, people don't want to know what's really going on. They turn on the tube, watch a talking head say whatever, believe it, and follow the other stampeding cows right off the cliff.

FWIW,
Dan
 
Dant: Could you clarify what you mean by "FF is based on Java"? FF has a java plugin that can be loaded, but if that isn't installed then it doesn't load any java stuff (verified by ldd and strace on Linux).

There are different general security areas or domains that many users confuse of course. Some of the main ones:

- Isolation is one where you limit the effect or scope of some type of break-in or malicious hack.
- Personal information security where bugs / exploits acquire some of your information and pass it to "bad" people
- Activity tracking where someone can find out who you are and what you are doing

There are myriad ways that each of the above can be a problem. Also, it is a real pain to do detailed protection of all (and that is no guarantee anyway) and it might be more inconvenience than it is worth. Some level of protection from the 1st 2 above is my guess at what many users want to achieve. Activity tracking is in a whole different league, depending on who you are protecting against.

For example, it is possible to make a system very tight for the first 2 against many malicious sources. It is impossible for activity tracking if you are up against an organized and focused attempt from say a government or military institution.
 
MrGullible said:
Dant:
Could you clarify what you mean by "FF is based on Java"?

FF has a java plugin that can be loaded, but if that isn't installed then it
doesn't load any java stuff (verified by ldd and strace on Linux).

You are correct that I made an incorrect assumption on my part.

The response I got from a Fedora developer was:
Fedora-Developer said:
Firefox has almost nothing to do with Java. (my emphasis)

So, I will retract what I had initially assumed. :-[

MrGullible said:
There are different general security areas or domains that many users confuse of course.

Some of the main ones:
- Isolation is one where you limit the effect or scope of some type of break-in or malicious hack.
- Personal information security where bugs / exploits acquire some of your information and pass it to "bad" people
- Activity tracking where someone can find out who you are and what you are doing

There are myriad ways that each of the above can be a problem. Also, it is a real pain to do detailed protection of all (and that is no guarantee anyway) and it might be more inconvenience than it is worth. Some level of protection from the 1st 2 above is my guess at what many users want to achieve. Activity tracking is in a whole different league, depending on who you are protecting against.

For example, it is possible to make a system very tight for the first 2 against many malicious sources.
It is impossible for activity tracking if you are up against an organized and focused attempt from say
a government or military institution.

Yes, I agree with you.

It is quite difficult to control objects in general (as they are used) and to know
exactly what they contain. AFAIK, there are no mechanisms (that I am aware of)
to restrict access to "malicious" objects from a higher level (at the kernel level)
and with security in mind other than there is the possibility of doing this under
SELinux - but I am not absolutely certain of this. For some reason or another,
I am not even certain that SELinux is to be completely trusted either since it
was written by a member/group working for the NSA.

Sorry for the "wishful thinking" on my part, as it certainly got me! But in general,
I am still wary of objects that are downloaded and installed into our OS, knowing
that they potentially may contain `malicious' (or hidden) objects. This is what we
are all (potentially) up against and/or exposed to, IMO.

Dan
 
I agree. The SELinux MAC kernel module is the tightest control I know of, tighter than AppArmor in a lot of ways but much much more of a PITA to configure :)

As you seem to be, I am also suspicious of it as well since it was done by the NSA. The source code for it is of course public and has been for a long time, but unless I have personally reviewed all the code then I couldn't fully trust it. On the other hand, I haven't encountered information on the net suggesting there was some back door or something, and one guy enabled it and gave out the root password to his box to everyone on the net for them to hack and the experiment went well with no significant intrusions.
 
> Lastly, I use privoxy to change my outgoing headers and filter out some kinds of content, and then pipe that through the tor anonymizing network.

Tor won't give you any anonymity if you don't look at JavaScript.

> So far I'm happy using Opera ;)

Opera also has anti-malware protection

http://news.zdnet.co.uk/security/0,1000000189,39442158,00.htm

If it's about FF3, IMO, every post that raises users' awareness is OK, but there is no point in being afraid of hackers/crackers.
The security industry and large companies (M$, ggle etc. etc.) are the ones that general internet users should be afraid of.
They are developing far more complicated technologies.
All of those stories about a real big hacker/cracker threat are mostly made up to get maximum money out of the security biz.
Hackers invented the internet; they were here from the beginning and still are and will be.

> People don't take time to gain some knowledge about the dangers of the Internet. Most run around the net with a 'save me' attitude - meaning they want software that thinks for them and makes decisions for them. Likewise, people don't want to know what's really going on. They turn on the tube, watch a talking head say whatever, believe it, and follow the other stampeding cows right off the cliff.

sooo true, that's what keeps the sec biz running

> I agree. The SELinux MAC kernel module is the tightest control I know of,

There are a lot of tools that are faaar better ..... BUT always keep in mind that there is no real protection.
Unbreakable systems do NOT exist.

C's rule about getting knowledge, therefore raising awareness, also applies here
 