Closed Bug 1186772 Opened 9 years ago Closed 8 years ago

Default Firefox settings results in Google tracking cookie being created

Categories

(Toolkit :: Safe Browsing, defect)

39 Branch
defect
Not set
normal


RESOLVED WONTFIX

People

(Reporter: quality+bugzilla, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150630154324

Steps to reproduce:

Open Firefox with default settings


Actual results:

Google tracking cookie created


Expected results:

No Google tracking cookie should be created when using Firefox with default settings.

From what I can tell, this is a consequence of either `Block reported attack sites` or `Block reported web forgeries` being enabled.  Both options are enabled by default and are part of SafeBrowsing.

The issue is that, from what I can tell, a Google tracking cookie is created when either of these options are enabled (and they are enabled by default).  This functionality should be available without creating any Google tracking cookies, or Mozilla should find a new partner for this type of functionality.
Component: Untriaged → Safe Browsing
Product: Firefox → Toolkit
I can confirm this.
The Safe Browsing cookies are separate from the rest of the cookies (they are using a different cookie jar) as of bug 897516. They're not readable while doing regular web browsing.

Is there any indication that this is not the case and that we have a regression? Have you seen the Safe Browsing cookies sent along with requests to Google sites?
Attached image googlecookies.png
For me (not the original poster), I haven't checked whether cookies are actually sent along. All I can see is that as soon as I enable `Block reported attack sites` or `Block reported web forgeries`, I get two Google cookies. As far as I see, there is no UI indication that these are somehow in a separate cookie jar as the bug 897516 indicates. In fact, it says 'Send for: Any Type of Connection'.

I am happy if separate cookie jars prevent Google tracking, but I wonder why a cookie needs to be set and persisted in the first place?
(In reply to morten from comment #3)
> I am happy if separate cookie jars prevent Google tracking, but I wonder why
> a cookie needs to be set and persisted in the first place?

It's a requirement of the Safe Browsing service. I presume they use cookies for fraud & abuse detection as well as to detect client bugs/problems because they're not using the Safe Browsing cookies to collect information to add to other Google products:

"It’s important to note that any time Safe Browsing sends data back to Google, such as information about a suspected phishing page or malicious file, the information is only used to flag malicious activity and is never used anywhere else at Google. After two weeks, any associated information, such as your IP address, is stripped, and only the URL itself is retained. If you’d rather not send any information to Safe Browsing, you can also turn these features off."

Source: https://blog.chromium.org/2012/01/all-about-safe-browsing.html (second last paragraph)
(In reply to morten from comment #3)
> For me (not the original poster), I haven't checked whether cookies are
> actually sent along. All I can see is that as soon as I enable `Block
> reported attack sites` or `Block reported web forgeries`, I get two Google
> cookies. As far as I see, there is no UI indication that these are somehow
> in a separate cookie jar as the bug 897516 indicates. In fact, it says 'Send
> for: Any Type of Connection'.

The separate cookie jar (called "app ID") is unfortunately not displayed in the UI. Here's how to look it up:

  francois@machine:~/.mozilla/firefox/77xclm9y.empty$ sqlite3 cookies.sqlite 
  SQLite version 3.8.7.1 2014-10-29 13:59:56
  Enter ".help" for usage hints.
  sqlite> select * from moz_cookies;
  2|mozilla.org|0|0|_gat_UA-...|1|.mozilla.org|/|1439742766|1439742250496341|1439742166803448|0|0
  4|google.com|-2|0|PREF|ID=11111...|.google.com|/|1502814169|1439742169965950|1439742169965950|0|0
  5|google.com|-2|0|NID|70=eiAlxM2Hs9...|.google.com|/|1455553369|1439742169966060|1439742169966060|0|1
  6|mozilla.org|0|0|_gali|firstrun-video|.mozilla.org|/|1439742205|1439742175351149|1439742175351149|0|0
  7|mozilla.org|0|0|_ga|GA1.2.16333...|.mozilla.org|/|1502814251|1439742251012023|1439742166780675|0|0
  sqlite> .fullschema
  CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement));
  CREATE INDEX moz_basedomain ON moz_cookies (baseDomain, appId, inBrowserElement);
  /* No STAT tables available */

Here appId = 0 is the normal cookie jar, whereas -2 is a separate one for Safe Browsing requests.
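
The lookup described in the comment above, as an added example (not part of the original comment and not Firefox code): it groups `moz_cookies` rows by `appId` and, as a heuristic added here, reports Safe Browsing cookies whose exact value also appears in the normal jar. The function names and sample rows are constructed for illustration, and the code assumes the schema printed above.

```python
import sqlite3
from collections import defaultdict

# Schema as printed by .fullschema in the comment above.
SCHEMA = (
    "CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, "
    "appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, "
    "value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, "
    "creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, CONSTRAINT "
    "moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement))"
)
# Jar meanings from the comment: 0 = normal browsing, -2 = Safe Browsing.
JARS = {0: "normal", -2: "safe-browsing"}

# Constructed rows (appId, baseDomain, name, value, host); not real cookies.
SAMPLE = [
    (0, "mozilla.org", "_ga", "constructed-a", ".mozilla.org"),
    (-2, "google.com", "PREF", "constructed-sb-1", ".google.com"),
    (-2, "google.com", "NID", "constructed-sb-2", ".google.com"),
    (0, "google.com", "NID", "constructed-web-1", ".google.com"),
]


def sample_db(rows=SAMPLE):
    """In-memory database with the page's schema and constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO moz_cookies (appId, baseDomain, name, value, host, path) "
        "VALUES (?, ?, ?, ?, ?, '/')", rows)
    return conn


def cookies_by_jar(conn):
    """Map jar label -> [(baseDomain, name)] so the jar is visible at a glance."""
    cols = {r[1] for r in conn.execute("PRAGMA table_info(moz_cookies)")}
    if "appId" not in cols:
        raise ValueError("no appId column: not the schema shown on this page")
    jars = defaultdict(list)
    for app_id, domain, name in conn.execute(
            "SELECT appId, baseDomain, name FROM moz_cookies ORDER BY id"):
        jars[JARS.get(app_id, f"appId={app_id}")].append((domain, name))
    return dict(jars)


def shared_with_normal_jar(conn):
    """Safe Browsing cookies whose exact value also sits in the normal jar."""
    return conn.execute(
        "SELECT sb.host, sb.name FROM moz_cookies sb JOIN moz_cookies n "
        "ON n.host = sb.host AND n.name = sb.name AND n.value = sb.value "
        "WHERE sb.appId = -2 AND n.appId = 0 ORDER BY sb.id").fetchall()
```

To run it against a profile, pass a read-only connection to a copy of the file, for example `sqlite3.connect("file:cookies-copy.sqlite?mode=ro", uri=True)`, where the file name is a placeholder.
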
All right, I get results similar to that.

sqlite> select * from moz_cookies;
1|google.com|-2|0|PREF|ID=1111111111111111:TM=1439743375:LM=1439743375:V=1:S=FriJoVlMoGcMmksM|.google.com|/|1502815375|1439743375169226|1439743375169226|0|0
2|google.com|-2|0|NID|70=h-24MJQieRR11xMe1rTkgxkj113wDOBnfkxPtPHuuGFKIJ9EQ82ANcBA1UPZjgRTPkfk-RN9rTwAT8zGVVClhkLW-l2l8HSS8zkep5KmHG5mUs9Swnft_qSt-7YOTe9S|.google.com|/|1455554575|1439743375169665|1439743375169665|0|1

So yeah, I think it's clear the UI needs some work here to not confuse users.

Still, I am a bit uncomfortable having a persistent cookie from Google. From the 'All About Safe Browsing' page, I understand that there's both a passive and an active anti-phishing/malware component to Safe Browsing. It would be great if you could make use of only the passive part if you have concerns like me.
(In reply to morten from comment #6)
> So yeah, I think it's clear the UI needs some work here to not confuse users.

Exposing the appID without confusing users is a hard problem :) If you have ideas, feel free to file a bug against the cookie component / UI.

> Still, I am a bit uncomfortable having a persistent cookie from Google. From
> the 'All About Safe Browsing' page, I understand that there's both a passive
> and an active anti-phishing/malware component to Safe Browsing. It would be
> great if you could make use of only the passive part if you have concerns
> like me.

I'm not sure what you mean by "passive" and "active" components. The two components I know about are:

1. protection when you visit a malware/phishing site
2. protection when you download a malware binary

The second one requires metadata lookups against a Google server which you can disable with browser.safebrowsing.downloads.remote.enabled.

However, both of them require downloading a list of bad URLs from the Google service and that requires cookies.
You will have to excuse my ignorance, but all I know about Safe Browsing is reading that 'All About Safe Browsing' Chrome blog you posted earlier. It just sounded like the list could be downloaded and checked passively (on the client side). Only in certain cases did extra data need to be checked with Google (to increase accuracy, I presume). Maybe I am completely off, and it's not possible to make Safe Browsing (a bit less) effective while keeping it client-side.

(In reply to François Marier [:francois] from comment #7)
> However, both of them require downloading a list of bad URLs from the Google
> service and that requires cookies.

Perhaps this is what I don't understand. Merely downloading a list requires cookies?
(In reply to morten from comment #8)
> Perhaps this is what I don't understand. Merely downloading a list requires
> cookies?

As I understand it, that's an operational requirement they have.

You are free to set Firefox to clear cookies at shutdown though if you'd like to get a fresh Safe Browsing cookie every time you open Firefox.
(In reply to François Marier [:francois] from comment #9)
> (In reply to morten from comment #8)
> > Perhaps this is what I don't understand. Merely downloading a list requires
> > cookies?
> 
> As I understand it, that's an operational requirement they have.

That's certainly odd.

I guess I am not really comfortable relying on Google's vague promises, which I cannot verify. I think the more that can be done on the client-side to limit privacy worries for the users, the better.

> You are free to set Firefox to clear cookies at shutdown though if you'd
> like to get a fresh Safe Browsing cookie every time you open Firefox.

I usually leave Firefox running for days, so this is not really good enough. I think I will just disable Safe Browsing.

I think a nice UI improvement would be if there was some hover or small button next to the checkboxes that enable Safe Browsing that briefly describes the privacy implications of enabling this feature. Something like: 'This allows Google to set a tracking cookie, which in Firefox is relegated to a separate cookie jar with restricted access. Google promises to anonymize your IP after two weeks. Read more [...]'. This could help alleviate the surprise users (including me) get when a Google cookie suddenly shows up without them visiting any websites.
(In reply to morten from comment #10)
> I think the more that can be done on the client-side
> to limit privacy worries for the users, the better.

Setting “Accept third-party cookies: Never” under about:preferences#privacy seems to work. I tested in the latest Nightly.

> I think a nice UI improvement would be if there was some hover or small
> button next to the checkboxes that enable Safe Browsing that briefly
> describe the privacy implications of enabling this feature.

There could be a “Learn more” link like the ones for Do Not Track and Tracking Protection. Filed bug 1197573.
OS: Unspecified → All
Hardware: Unspecified → All
Safe Browsing currently requires cookies, and since we don't control the server side, there's nothing we can do about this.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
One possibility is to communicate with the upstream provider of Safe Browsing and see if they are willing to work on a cookieless solution.  Can't hurt to ask.

Another possibility is to use the upstream provider's Safe Browsing data, but deliver it directly to users.
Flags: needinfo?(francois)
(In reply to quality+bugzilla from comment #14)
> One possibility is to communicate with the upstream provider of Safe
> Browsing and see if they are willing to work on a cookieless solution. 
> Can't hurt to ask.

Last time I asked about that, it was an operational requirement that's
unlikely to change anytime soon.
 
> Another possibility is to use the upstream provider's Safe Browsing data,
> but deliver it directly to users.

That's certainly an option, but it would be an extremely expensive service
to run. We would be looking at hundreds of terabytes of traffic every day.
Flags: needinfo?(francois)
Thanks for the reply François.

Whenever you feel it is appropriate, perhaps you can ask the upstream provider if it is still an operational requirement and if they can work on changing it.

Also, can documentation be pinged so that this can be better documented for end users?
Flags: needinfo?(francois)
> Whenever you feel it is appropriate, perhaps you can ask the upstream provider if it is still an operational requirement and if they can work on changing it.

It is still an operational requirement and, as I understand it, there are no plans to change this.
Flags: needinfo?(francois)