Bug 1197499 - EU cookie law breach
Status: RESOLVED WONTFIX (Closed; opened 10 years ago, closed 9 years ago)
Categories: Toolkit :: Safe Browsing, defect
People: Reporter: 99zx6r, Unassigned
Details: Keywords: privacy
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Build ID: 20150812163655
Steps to reproduce:
Open Firefox
(try and delete the cookie, then close and reopen, it's in the Firefox code to contact google and get a tracking cookie)
Actual results:
Creates a Google cookie
(have disabled everything I can, you can't delete the Google search engine.)
Expected results:
absolutely nothing (without a notification informing the user that a cookie was about to be written to their machine)
I should be able to open a clean browser and choose who gets my data and/or be notified of who is tracking me; forcing Google on us and its breach of the EU law should be changed for EU residents.
I want no search engines installed; I am perfectly capable of typing in whichever I want to use at whatever time I desire to use one.
Severity: normal → critical
Keywords: sec-critical, wsec-cookie
OS: Unspecified → Windows
Priority: -- → P1
Hardware: Unspecified → x86_64
In the EU any deposit of a cookie has to be notified to the user;
the user can then choose to continue with said cookie or not and in some cases not use the site or software.
This option is not currently available in Firefox (current release version).
Every time you start it you get a google.com cookie, even if you delete the cookies.sqlite file. If you add google.com and google.co.uk to the list of blocked cookie sites you still get the cookie, as these entries are removed by Firefox code.
ref: http://www.allaboutcookies.org/privacy-concerns/new-european-laws.html
Currently, as just opening Firefox creates google.com cookies, it is not legal in the EU, and as such it is more than just annoying to not be able to remove Google as a built-in search engine.
Maybe Firefox is now designed only for non-EU users?
For the US users who have no such protections, visit the official site and see how the law says it should be done:
https://ico.org.uk/
The next step is to start here, but I thought it better for FF devs to fix the issue before having it forced on them (like we have with your google.com cookie):
https://www.snapsurveys.com/swh/surveylogin.asp?k=133707671186
URL: https://ico.org.uk/
Comment 4•10 years ago
(In reply to 99zx6r from comment #0)
> (try and delete the cookie, then close and reopen, it's in the Firefox code
> to contact google and get a tracking cookie)
What you're describing is the Google Safe Browsing cookie, which is set when checking for updates to the anti-malware and anti-phishing database: bug 1186772, comment 4. This cookie is sandboxed; it's not tied to your regular Google cookie, should you have one: bug 368255.
https://support.mozilla.org/kb/how-does-phishing-and-malware-protection-work
> (have disabled everything I can
Setting “Accept third-party cookies: Never” under about:preferences#privacy seems to work. I tested in the latest Nightly.
You can disable both “Block reported attack sites” and “Block reported web forgeries” under about:preferences#security but this would negatively impact security.
> you can't delete the Google search engine.)
The search engine is unrelated to this. Regardless, it's definitely possible to delete it, provided that you have at least one other search engine. It's not possible to remove all search engines.
> I want no Search engines installed
That's not possible: bug 383726, comment 1.
You can add a privacy-oriented search engine like DuckDuckGo, StartPage or Ixquick, then remove all others.
http://mycroftproject.com/search-engines.html?name=duckduckgo
http://mycroftproject.com/search-engines.html?name=startpage
http://mycroftproject.com/search-engines.html?name=ixquick
(In reply to 99zx6r from comment #1)
> if you add google.com and google.co.uk to the list of blocked cookie sites you get the cookie as these
> entries are removed by Firefox code.
Presumably you meant a Block exception for google.com doesn't apply to the Google Safe Browsing cookie, which is indeed the case. Cookie exceptions shouldn't disappear on their own; if that's what's happening on your system, there's likely a problem with your permissions.sqlite file.
https://support.mozilla.org/kb/how-to-fix-preferences-wont-save
―――――
> sec-critical : Exploitable vulnerabilities which can lead to the widespread compromise of many users.
This isn't a security issue of any kind, let alone a critical one.
> wsec-cookie : Cookie related errors (HTTPOnly / Secure Flag, incorrect domain / path)
This isn't a bug in setting or retrieving cookies.
> Importance: P1
The priority field is for developer use only.
Component: Untriaged → Safe Browsing
OS: Windows → All
Priority: P1 → --
Product: Firefox → Toolkit
Hardware: x86_64 → All
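Comment 4 above suggests that cookie exceptions vanishing on restart point to a damaged permissions.sqlite rather than to Firefox removing them. The following is an added example, not code from this report or from Mozilla: it reads the cookie exceptions out of a profile's permissions.sqlite so you can check, before and after a restart, whether a Block entry for google.com actually survived. It assumes the moz_perms table layout (origin, type, permission) that Firefox 42 and later use, and that the permission values 1, 2 and 8 for the cookie type mean allow, block and allow-for-session; the sample database is constructed inline.

```python
import sqlite3

# Meaning of the permission column for rows with type = 'cookie' (assumption:
# values as used by Firefox's permission manager: 1 = allow, 2 = block, 8 = session).
COOKIE_DECISIONS = {1: "allow", 2: "block", 8: "allow for session"}


def open_profile_db(path):
    """Open a profile's permissions.sqlite read-only (close Firefox first)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def cookie_exceptions(con):
    """Return {origin: decision} for every cookie exception in moz_perms.

    Assumption: moz_perms(origin, type, permission) as in Firefox 42+; older
    profiles keep the same data in a moz_hosts table keyed by host instead.
    """
    rows = con.execute(
        "SELECT origin, permission FROM moz_perms WHERE type = 'cookie'"
    ).fetchall()
    return {origin: COOKIE_DECISIONS.get(perm, f"unknown({perm})") for origin, perm in rows}


def missing_block_exceptions(con, origins):
    """Origins the user expects to be blocked that are not stored as 'block'."""
    stored = cookie_exceptions(con)
    return sorted(o for o in origins if stored.get(o) != "block")


def build_sample_db():
    """Constructed in-memory stand-in for permissions.sqlite (sample data, not a real profile)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE moz_perms (
            id INTEGER PRIMARY KEY, origin TEXT, type TEXT, permission INTEGER,
            expireType INTEGER, expireTime INTEGER, modificationTime INTEGER);
        INSERT INTO moz_perms VALUES (1, 'https://google.com', 'cookie', 2, 0, 0, 0);
        INSERT INTO moz_perms VALUES (2, 'https://example.org', 'cookie', 1, 0, 0, 0);
        INSERT INTO moz_perms VALUES (3, 'https://example.net', 'geo', 2, 0, 0, 0);
    """)
    return con


if __name__ == "__main__":
    con = build_sample_db()  # real profile: open_profile_db("<profile>/permissions.sqlite")
    for origin, decision in cookie_exceptions(con).items():
        print(f"{decision:18} {origin}")
    print("not blocked:", missing_block_exceptions(con, ["https://google.com", "https://google.co.uk"]))
```

If the google.com entry is present both before and after a restart, the exceptions are persisting, and any Google cookie you still see is the Safe Browsing one, which comment 4 says these exceptions do not cover.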
Thanks, almost all of what you say is true. I would prefer to have no search engines installed, but I guess it's policy to force you to have one at all times; I don't want any, regardless of who they are.
It happens when you allow any 3rd-party cookies ("visited" or "never" stops it, as you noted). Allow 3rd party "always" and as soon as you open FF you will get a google.com cookie without any user notification (which is a breach of the law, hence why I reported).
When Google is selected as your search engine you cannot block the Google cookie; the setting is removed after each restart. I guess this is policy too of the Google search engine code. All my settings save fine except blocking Google cookies if Google is the installed search engine, whether you visit or allow them or not.
I may have put the bug in the wrong place, but any cookies without a cookie warning are illegal in the EU.
(This site (https://bugzilla.mozilla.org/show_bug.cgi) also does it, but only when you log in: cookie but no notification. Not a big issue if you are specifically logging in to a site. Smoke and mirrors.)
Thanks for checking it out. (A Google tracking cookie like this is a security issue when you don't know it's there and can't delete it or block it, e.g. it shows you are using Firefox as a browser and that you have 3rd-party cookies enabled.)
Solution: Allowing any non-visited 3rd-party cookies in FF breaks EU law without specific end-user configuration of settings.
(I have marked resolved "wontfix" as again "I would prefer to have no search engines installed but I guess it's policy to force you to have one at all times, I don't want any regardless of who they are"; I can type and 99% of the time I know what URL I am going to. FF is not going on my corporate network for these reasons; proper use of GPOs and IE makes it more secure in this respect, as I can configure this for all users and not manually one-by-one after they install. By default FF accepts 3rd parties. I will continue my search for a decent 100% clean browser from install that doesn't require end-user knowledge and actions to prevent tracking. Maybe you have an install script that can pre-define these settings?)
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
"> sec-critical : Exploitable vulnerabilities which can lead to the widespread compromise of many users.
This isn't a security issue of any kind, let alone a critical one.
> wsec-cookie : Cookie related errors (HTTPOnly / Secure Flag, incorrect domain / path)
This isn't a bug in setting or retrieving cookies."
Any legal breach is a critical security issue for a Sys Admin, maybe not for a Dev, which is why we run networks and you write code, and QA is a constant pain in your backside.
FYI: the blocking of google.com cookies in the exceptions is ALWAYS removed upon restart
(so it's a definite "wontfix").
And another FYI:
Even adding the blocking of google.com and google.co.uk cookies doesn't stop them placing a cookie; this setting is completely ignored by FF when it's Google.
(From visited is also often ignored: if you go to Google and it's one of their 3rd-party cookies, you still sometimes get the 3rd-party cookie even if you don't visit any pages but the google.com first site.)
The only solution is to manually "never" allow 3rd-party cookies and to block google.com/.co.uk. After restart only the "never" is kept and the Google exceptions are removed, so back to Google tracking you again (so again won't fix, as it's not a default install option and therefore breaks the EU law for most users, i.e. no notification of cookie deposit and, worse, no way to prevent it without changing the settings every time you start Firefox).
- For home/single and small network developers it's still better than Chrome.
- For corporate, IE is still the only option.
(We are years off being able to deploy Linux with LDAP for normal office-type end-users of large networks.)
(And don't even mention the A word; leave those toys to the posers with too much money who like old tech wrapped in expensive cases made by children.)
(Yes, I'd accept that for users of Adobe After Effects the RAM preview/render is quicker, but everything else is worse/terrible, so one or two graphic animators may have a point. At least OSX can join an AD network now with limited functionality, but they then need special treatment and support for everything else. Try it with 1000+ Windows users configurable with one click (GPOs) and having to give special treatment to the three guys who won't wait a few seconds longer for their RAM previews. Pain in the f* a*.)
OT now, but obviously you won't fix FF (I guess you're part owned/funded by Google?).
Comment 10•10 years ago (Reporter)
And from what I read, TTIP will make this redundant shortly. Just like we have truly secure encryption keys by law in the EU, you don't in the US; by law in the US there must be a master key held by the company hosting the service that can unlock ALL encrypted material on their servers.
Comment 11•10 years ago (Reporter)
And after further testing, my final words on the original topic, in CAPS just to highlight:
YOU CAN NOT BLOCK GOOGLE COOKIES FROM FIREFOX
(THE EXCEPTIONS WILL BE REMOVED WHEN YOU RESTART, EVEN THOUGH THEY SHOW IN THE LIST BEFORE A RESTART THEY WILL BE IGNORED)
For that reason alone I'm going to use Bing as a default search engine just so Google/FF can track me not using Google. :)
Comment 12•10 years ago (Reporter)
And just for any home/small network users that don't run their own DNS servers: grab "Acrylic DNS" and add the following to the hosts file
127.0.0.1 google.com
127.0.0.1 google.co.uk
Bye bye Google, you don't exist on my machine any more; no cookies, no nothing. ;)
PS: this is on the bing.com site
http://onlinehelp.microsoft.com/en-gb/bing/dn768284.aspx - at the bottom
and at the top:
"By using this site you agree to the use of cookies for analytics, personalised content and ads. Learn More"
Just like the law says.
See ya Google, oops, I mean Firefox devs.
Comment 13•10 years ago
(In reply to 99zx6r from comment #5)
> (i have marked resolved "wontfix"
Reopening. WONTFIX resolution is for developer use only.
https://developer.mozilla.org/en-US/docs/What_to_do_and_what_not_to_do_in_Bugzilla#Resolving_bugs_as_WONTFIX
> all my setting save fine except blocking google cookies if google is the installed search engine
As I said, cookie exceptions you set up for google.com / google.whatever-tld aren't removed when you restart Firefox. If that's what's happening on your system, you either have a problem with the database that stores that information, or one of your add-ons may be to blame. Try renaming permissions.sqlite in your profile folder while Firefox is closed, then setting up the exceptions again. If the problem persists, ask for help on the support site at https://support.mozilla.org/questions/new
Block exceptions for google.com / google.whatever-tld apply to web pages, not the Safe Browsing cookie. Currently, that one only seems blockable by setting “Accept third-party cookies: Never”.
This seems fixed in the latest Nightly (what will be Firefox 43). A Block exception for “https://google.com” appears to block the Safe Browsing cookie even with “Accept third-party cookies: Always”.
> by default FF accepts 3rd parties
I take it you mean third-party cookies. Blocking them was made the default in bug 324397 but was reverted in bug 417800. You can read the discussions on those reports if you want an explanation for why the default is set the way it is.
> i will continue my search for a decent 100% clean browser from install that doesn't
> require end-user knowledge and actions to prevent tracking - maybe you have
> an install script that can pre-define these settings?)
https://mike.kaply.com/2012/03/15/customizing-firefox-default-preference-files/
If you want to set “Accept third-party cookies: Never” that's
pref("network.cookie.cookieBehavior", 1);
If you want more in-depth customization, see
https://mike.kaply.com/cck2/
(In reply to 99zx6r from comment #12)
> add the following to the hosts file
>
> 127.0.0.1 google.com
That would break a large number of sites by blocking Google services like RECAPTCHA.
Please refrain from posting further comments. You've made your point; now all that's left is for an appropriate person to decide what to do with this report. That's significantly more difficult when you flood the report with unnecessary comments. Again, please refer to the support site if you keep having the aforementioned problems, or you need help with customization.
Status: RESOLVED → UNCONFIRMED
Resolution: WONTFIX → ---
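The reporter asked in comment 5 for an install script that pre-defines these settings, and comment 13 answers with the pref line and the AutoConfig link. As an added example, not from this report or from Mozilla, the script below writes the two files AutoConfig needs under a Firefox install directory: defaults/pref/local-settings.js, which points Firefox at mozilla.cfg, and mozilla.cfg itself, which uses lockPref() so users cannot change the value back. It assumes the Windows/Linux layout (mozilla.cfg next to the firefox binary) and that cookieBehavior 1 means "Accept third-party cookies: Never", as comment 13 states.

```python
from pathlib import Path

# Preferences to lock for every user; the cookieBehavior value is the one given
# in comment 13 (assumption: 1 = "Accept third-party cookies: Never").
LOCKED_PREFS = {
    "network.cookie.cookieBehavior": 1,
}


def pref_literal(value):
    """Render a Python value as a prefs literal (bool, int or string)."""
    if isinstance(value, bool):          # bool first: True is also an int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    raise TypeError(f"unsupported pref value: {value!r}")


def render_autoconfig(prefs):
    """Body of mozilla.cfg: the first line must be a comment, then lockPref() calls."""
    lines = ["// Firefox AutoConfig file (generated)"]
    for name, value in sorted(prefs.items()):
        lines.append(f'lockPref("{name}", {pref_literal(value)});')
    return "\n".join(lines) + "\n"


def render_loader():
    """defaults/pref/local-settings.js: load mozilla.cfg without byte obscuring."""
    return ('pref("general.config.filename", "mozilla.cfg");\n'
            'pref("general.config.obscure_value", 0);\n')


def write_autoconfig(install_dir, prefs=LOCKED_PREFS):
    """Write both files under the Firefox install directory; returns their paths."""
    root = Path(install_dir)
    loader = root / "defaults" / "pref" / "local-settings.js"
    cfg = root / "mozilla.cfg"
    loader.parent.mkdir(parents=True, exist_ok=True)
    loader.write_text(render_loader())
    cfg.write_text(render_autoconfig(prefs))
    return loader, cfg


if __name__ == "__main__":
    # Hypothetical install path; on Windows this is typically under Program Files.
    for written in write_autoconfig("/tmp/firefox-install-example"):
        print("wrote", written)
```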
Comment 14•9 years ago
Please see the Firefox Browser Privacy Notice (https://www.mozilla.org/en-US/privacy/firefox/) for more information on how Firefox handles data and cookies.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago → 9 years ago
Resolution: --- → WONTFIX
Comment 15•9 years ago
(In reply to François Marier [:francois] from comment #14)
> Please see the Firefox Browser Privacy Notice
> (https://www.mozilla.org/en-US/privacy/firefox/) for more information on how
> Firefox handles data and cookies.
When Firefox secretly connects to Google servers (and it does this by default), then Google's privacy policy is in force: https://www.google.com/policies/privacy/
Comment 16•9 years ago
Oh, and your comment doesn't address the underlying issue (i.e. breaking the EU law) at all. How nice!