Open
Bug 1369299
Opened 7 years ago
Updated 10 months ago
Add a test to assure GeoIP/RegionDefault won't send whenGeoIP search is disabled
Categories
(Firefox :: Search, enhancement, P5)
Firefox
Search
Tracking
()
NEW
People
(Reporter: timhuang, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [tor])
Attachments
(2 files)
For fingerprinting resistance, we'd like to disable GeoIP search lookup when 'privacy.resistFingerprinting' is true.
Updated•7 years ago
|
Priority: -- → P1
Reporter | ||
Comment 1•7 years ago
|
||
And we also want to disable region default search lookup.
Summary: Disable GeoIP Search lookup when 'privacy.resistFingerprinting' is true → Disable GeoIP/RegionDefault Search lookup when 'privacy.resistFingerprinting' is true
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment 4•7 years ago
|
||
(In reply to Tim Huang[:timhuang] from comment #0) > For fingerprinting resistance, we'd like to disable GeoIP search lookup when > 'privacy.resistFingerprinting' is true. How widely was this discussed? This is pretty likely to have somewhat far-reaching implications, and I'm not sure I understand the concern, with which comment #0 and comment #1 doesn't help. Is there background to this somewhere that's not obvious from this bug? Is the concern about the request, or about the contents of the response, or about deducing the search engine based on the ip address of subsequent requests, and thus making inferences about the location of the caller? If the destination of the packet is known, isn't the source also known? The fingerprinting issues I've seen are usually about websites that the user visits making an inference, so I'm assuming that the threat model is different here - what is it, and why has it changed?
Flags: needinfo?(tihuang)
Comment 5•7 years ago
|
||
mozreview-review |
Comment on attachment 8873814 [details] Bug 1369299 - Part 1: Disable the GeoIP and region default look up when 'privacy.resistFingerprinting' is true. https://reviewboard.mozilla.org/r/145240/#review149202 r- for now. Mark (H) or Florian would be better reviewers anyway.
Attachment #8873814 -
Flags: review?(gijskruitbosch+bugs) → review-
Comment 6•7 years ago
|
||
mozreview-review |
Comment on attachment 8873815 [details] Bug 1369299 - Part 2: Add a test case for testing GeoIP and region default search lookup are not requested when 'privacy.resistFingerprinting' is true. https://reviewboard.mozilla.org/r/145242/#review149204
Attachment #8873815 -
Flags: review?(gijskruitbosch+bugs)
Reporter | ||
Comment 7•7 years ago
|
||
The original idea of disabling GeoIP search and region default lookups to prevent fingerprinting came from Tor [1]. They were thinking about GeoIP lookup could leak information. However, they didn't discuss much regarding the threat model in that thread. In my opinion, I think a possible threat model here is that attacker can observe one's request and response of GeoIP lookups and make a connection between the IP address and the country where this IP is located. But, I am not sure about is this Tor's concern in terms of fingerprinting. Arthur, could you provide some insight about this? [1] https://trac.torproject.org/projects/tor/ticket/16254
Flags: needinfo?(tihuang) → needinfo?(arthuredelstein)
Comment 8•7 years ago
|
||
In Tor Browser, we don't want to store any long-term state that could serve a way for network adversaries to distinguish users. So we disabled the GeoIP search and region defaults to ensure that location information isn't getting stored in the browser.search.* prefs, which could be inferred by future search requests.
Flags: needinfo?(arthuredelstein)
Updated•7 years ago
|
Priority: P1 → P3
Whiteboard: [fingerprinting][tor][fp:m1] → [fingerprinting][tor]
Comment 9•7 years ago
|
||
mozreview-review |
Comment on attachment 8873814 [details] Bug 1369299 - Part 1: Disable the GeoIP and region default look up when 'privacy.resistFingerprinting' is true. https://reviewboard.mozilla.org/r/145240/#review153712 This patch looks fine, but I'm not sure at this stage if we want to tie this to privacy.resistFingerprinting.
Attachment #8873814 -
Flags: review?(arthuredelstein)
Comment 10•7 years ago
|
||
mozreview-review |
Comment on attachment 8873815 [details] Bug 1369299 - Part 2: Add a test case for testing GeoIP and region default search lookup are not requested when 'privacy.resistFingerprinting' is true. https://reviewboard.mozilla.org/r/145242/#review153716 ::: browser/components/resistfingerprinting/test/browser/browser_geoIPLookup.js:165 (Diff revision 1) > + is(gReqs, 0, "No GeoIP and region default lookups been made.") > +}); > + > +add_task(async function Cleanup() { > + await SpecialPowers.pushPrefEnv({"set": > + [["privacy.resistFingerprinting", false]] This is a very useful test to ensure that geoip requests have been disabled. Possible we want to just test the effects of setting "browser.search.geoip.url" to an empty string instead of using "privacy.resistFingerprinting".
Attachment #8873815 -
Flags: review?(arthuredelstein) → review+
Updated•7 years ago
|
Whiteboard: [fingerprinting][tor] → [fingerprinting][tor][fp:m4]
Reporter | ||
Updated•6 years ago
|
Assignee: tihuang → nobody
Status: ASSIGNED → NEW
Reporter | ||
Updated•6 years ago
|
Summary: Disable GeoIP/RegionDefault Search lookup when 'privacy.resistFingerprinting' is true → Add a test to assure GeoIP/RegionDefault won't send whenGeoIP search is disabled
Whiteboard: [fingerprinting][tor][fp:m4] → [tor]
Updated•3 years ago
|
Severity: normal → N/A
Priority: P3 → P5
You need to log in
before you can comment on or make changes to this bug.
Description
•