firefox addons spy on you, what to do?

29 replies [Last post]
tonlee
Offline
Joined: 09/08/2014

I do not know if this is true, but it is what I have heard.
Firefox preferences -> security -> block dangerous and ... If this setting is marked, any url you watch is send to google, because google verifies with their url list. Google likely keeps the data. I do not know if google pays mozilla for the data.

Now it is said that several, like android apps, firefox addons transfers data about the user to google or another entity. The data may get sold and who knows how it is used.

What about firefox and thunderbird addons? Can't they hidden for the user transfer data and the user will not know to whom or what data? Is there a addon whitelist that lists addons that do not spy on you?

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

>I do not know if this is true, but it is what I have heard.
Firefox preferences -> security -> block dangerous and ... If this setting is marked, any url you watch is send to google, because google verifies with their url list. Google likely keeps the data. I do not know if google pays mozilla for the data.

True, it is called "safe browsing".
Here, the relevant about:config settings in seamonkey (ff)

user_pref("browser.safebrowsing.controlledAccess.infoURL", "");
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.block_dangerous", false);
user_pref("browser.safebrowsing.downloads.remote.block_dangerous_host", false);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.url", "");
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.gethashURL", "");
user_pref("browser.safebrowsing.id", "");
user_pref("browser.safebrowsing.keyURL", "");
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.malware.reportURL", "");
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("browser.safebrowsing.provider.google.gethashURL", "");
user_pref("browser.safebrowsing.provider.google.lists", "");
user_pref("browser.safebrowsing.provider.google.pver", "");
user_pref("browser.safebrowsing.provider.google.reportURL", "");
user_pref("browser.safebrowsing.provider.google.updateURL", "");
user_pref("browser.safebrowsing.provider.google4.gethashURL", "");
user_pref("browser.safebrowsing.provider.google4.lists", "");
user_pref("browser.safebrowsing.provider.google4.pver", "");
user_pref("browser.safebrowsing.provider.google4.reportURL", "");
user_pref("browser.safebrowsing.provider.google4.updateURL", "");
user_pref("browser.safebrowsing.provider.mozilla.gethashURL", "");
user_pref("browser.safebrowsing.provider.mozilla.lists", "");
user_pref("browser.safebrowsing.provider.mozilla.updateURL", "");
user_pref("browser.safebrowsing.reportErrorURL", "");
user_pref("browser.safebrowsing.reportGenericURL", "");
user_pref("browser.safebrowsing.reportMalwareErrorURL", "");
user_pref("browser.safebrowsing.reportMalwareMistakeURL", "");
user_pref("browser.safebrowsing.reportMalwareURL", "");
user_pref("browser.safebrowsing.reportPhishMistakeURL", "");
user_pref("browser.safebrowsing.reportPhishURL", "");
user_pref("browser.safebrowsing.reportURL", "");
user_pref("browser.safebrowsing.updateURL", "");
user_pref("browser.safebrowsing.warning.infoURL", "");

>What about firefox and thunderbird addons?

Well, they are software. If they were written to spy on you...
You should keep them minimal, less is more. I have only 3 installed, noscript, ublock origin, httpseverywhere, you don't need more..
cheers

tonlee
Offline
Joined: 09/08/2014

I disliked how the firefox gui got modified. I do not know if firefox can get configured to the previous gui. That is why I installed the restore theme addon. An addon that I do not trust and would prefer not to use.
Same about the addons zoom button and manually sort folders on thunderbird.
On firefox I have installed addons disconnect google, fb and twitter. I do not know if they can be trusted and if they are libre software.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

I will here assume you refer to these add-ons:

If you look at their licenses (written after "Released under"), they respectively are:

  • Mozilla Public License, version 2.0
  • Mozilla Public License Version 1.1
  • GNU General Public License, version 2.0
  • Mozilla Public License, version 2.0
  • GNU General Public License, version 3.0
  • GNU General Public License, version 3.0

If you search them in https://www.fsf.org/licensing/licenses/ you will discover they all are free software licenses. You can access their source codes (and study it) following links from the respective "Add-on home pages".

hack and hack
Offline
Joined: 04/02/2015

I really like the idea of having only 3 addons installed (though it seems it demands knowing how to configure them, as far as I know, which isn't far). It seems it would cover 99% of the needed protection if properly configured (What are those 1%? No idea yet).

OTOH, let's say I mainly use TORBB, and Abrowser with those three addons for video and anything too heavy for TORBB.
I'm thinking of having a third browser which would be enabling JS, thus enabling a lot more addons to compensate would make sense, like:
- Self-destructing cookies
- Privacy Badger or Disconnect (seems they do the same stuff)
- Refferrer control
- Request Policy or equivalent (Umatrix, Policeman)
- Decentraleyes
- Random agent spoofer

Maybe some of these overlap, maybe more are needed, I need to do some research.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

I believe you are referring to "Safe browsing" in the first paragraph. I believe it is disabled by default in Abrowser. At least it is disabled here (but I may have disabled it by myself). See browser.safebrowsing.enabled in about:config (to be typed in the address bar).

As for the add-ons, they should always be free software. Abrowser proposes a catalog with free software add-ons exclusively. Free software add-ons (like any free software programs) are extremely unlikely to contain spyware. Well, they are extremely unlikely to contain any malware. Because the users are free to study the source code.

tonlee
Offline
Joined: 09/08/2014

Thanks. Are all free software addons listed in abrowser?
Where do I get abrowser, it is not in debian 8 64bit's synaptic package manager?

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

Abrowser is Trisquel's default browser. Install Trisquel! :-)

That said you can access Abrowser's plugin catalog here: https://trisquel.info/en/browser/addons

And here is IceCat's: https://directory.fsf.org/wiki/IceCat (second half of the page).

Those add-ons can be installed in any Firefox-based browser. You can keep on using http://addons.mozilla.org too... but you then need to check the license by yourself.

tonlee
Offline
Joined: 09/08/2014

Thanks.
If it is a trisquel browser, do they not want people to install abrowser on other distributions? Why do they not make an abrowser trisquel debian package? Who at trisquel should I ask?

onpon4
Offline
Joined: 05/30/2012

> Why do they not make an abrowser trisquel debian package?

Because it's not the Trisquel maintainers' job to make and maintain a package for Debian. If you want an Abrowser package in Debian, no one is stopping you from making and maintaining one.

tonlee
Offline
Joined: 09/08/2014

>package for Debian

For debian linux distributions.

tonlee
Offline
Joined: 09/08/2014

I wrote trisquel and suggested they make an abrowser debian package. They have not answered.
I do not know where to get the abrowser source code.

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

Abrowser is distributed as a .deb package. Here is how to get its source:
$ sudo apt-get source abrowser
Substitute "source" for "download" to download the pre-compiled .deb package.

tonlee
Offline
Joined: 09/08/2014

If I write sudo apt-get download abrowser on a trisquel computer, an abrowser debian file will be downloaded on the computer and I can install and test it on another gnulinux system?

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

I have never tried. Obviously, that other GNU/Linux system must use APT and have Abrowser's dependencies in its repositories. Ubuntu would be the best candidate (Trisquel being based on it).

hack and hack
Offline
Joined: 04/02/2015

Magic Banana, how does it work exactly? Are Trisquel addons catalog not part of the repo?
And does Firefox repo contain non-free addons? Else, what's the difference?

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

That is it: http://addons.mozilla.org lists proprietary add-ons, whereas https://trisquel.info/en/browser/addons does not.

You can contribute to Abrowser's catalog of free software add-ons from https://trisquel.info/issues/8176 or opening a new issue in the Web project: https://trisquel.info/project/issues/web

david will probably take care of it.

hack and hack
Offline
Joined: 04/02/2015

Thanks, I just contributed about VimFx.

Zem Mattress
Offline
Joined: 05/08/2014

I'm trying to add the ublock origin from https://trisquel.info/en/browser/addons, but I get "the add-on could not be loaded because of a connection failure".

Tried from Abrowser Add-ons menu as well, same result.

I'm not very experienced with Terminal, but could I use it to install add-ons?

Thanks!

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014
Zem Mattress
Offline
Joined: 05/08/2014

Funny: "Abrowser prevented this site from asking you to install software on your computer"

lembas
Offline
Joined: 05/13/2010

You can install extensions by downloading the .xpi and drag&dropping it onto a browser window.

Jodiendo
Offline
Joined: 01/09/2013

Ill have to disagree with the incredibleness, deficient and eloquent users.
Best to block any HTTP, HTTPs or URL inside your routers. Is more effective than your web browser, even do I'm able to block in the browser such as Mozilla.

Misty
Offline
Joined: 03/22/2016

As you so eloquently put it, "Ill have to disagree with the incredibleness, deficient and eloquent users."

Well then please explain to us poor deficient users HOW to access and change those settings. What about modems? I know if I knew how to do it, I would. The router I used to have had instructions on how to get into it, change the pw and change other settings.

How many people do you know who know what Trisquel is, or what the FSF is?

JadedCtrl
Offline
Joined: 08/11/2014

IMHO, it would be a much better idea to use a local web-proxy like Privoxy to block these URLs.
Privoxy can work as an ad-blocker, a program to route web traffic through Tor, and for blocking privacy-violating sites c:
Take that, guugle, we got you!

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

Free software is gold, but it is no guarantee against malicious developers. Free software can have malicious functionalities as well, it just is much much less frequent.
Anyway, each new software you install on your box is a new potential way of exploiting your box. The less addons you install, the better. Firefox is already huge, no need to add complexity and code IMHO.

Tonlee, is this the article?
http://www.startlr.com/some-addon-of-spying-browser-users-and-resell-the-history/

tonlee
Offline
Joined: 09/08/2014

Yes. I have been suspecting addons to do what is described in the broadcast. It is much like many apps on android and ios. If some addons are not malware, I would know how to verify?

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

tonlee, as Magique said, first of all make sure it is free software, then all you can do is you trust only well known and trustworthy developers. Don't install things you don't need, this should be the "philosophy" of it, I think.

zoroastro
Offline
Joined: 05/24/2014

There's something against the Mozilla Firefox/Abrowser "Html5Everywhere" plugin to flash players?

SuperTramp83

I am a translator!

Offline
Joined: 10/31/2014

zoroastro: no.. Don't think now, because of WOT case that this is a frequent behavior - it is not. Free software addons are safe in most cases. I just recommend the rule of not installing what you don't really need, that's all. And Html5Everywhere is indeed useful for you, so..enjoy!