Open Bug 1369299 Opened 3 years ago Updated 1 year ago

Add a test to assure GeoIP/RegionDefault won't send whenGeoIP search is disabled

Categories

(Firefox :: Search, enhancement, P3)

enhancement

Tracking

()

People

(Reporter: timhuang, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [tor])

Attachments

(2 files)

For fingerprinting resistance, we'd like to disable GeoIP search lookup when 'privacy.resistFingerprinting' is true.
Priority: -- → P1
And we also want to disable region default search lookup.
Summary: Disable GeoIP Search lookup when 'privacy.resistFingerprinting' is true → Disable GeoIP/RegionDefault Search lookup when 'privacy.resistFingerprinting' is true
(In reply to Tim Huang[:timhuang] from comment #0)
> For fingerprinting resistance, we'd like to disable GeoIP search lookup when
> 'privacy.resistFingerprinting' is true.

How widely was this discussed? This is pretty likely to have somewhat far-reaching implications, and I'm not sure I understand the concern, with which comment #0 and comment #1 doesn't help. Is there background to this somewhere that's not obvious from this bug? Is the concern about the request, or about the contents of the response, or about deducing the search engine based on the ip address of subsequent requests, and thus making inferences about the location of the caller? If the destination of the packet is known, isn't the source also known? The fingerprinting issues I've seen are usually about websites that the user visits making an inference, so I'm assuming that the threat model is different here - what is it, and why has it changed?
Flags: needinfo?(tihuang)
Comment on attachment 8873814 [details]
Bug 1369299 - Part 1: Disable the GeoIP and region default look up when 'privacy.resistFingerprinting' is true.

https://reviewboard.mozilla.org/r/145240/#review149202

r- for now. Mark (H) or Florian would be better reviewers anyway.
Attachment #8873814 - Flags: review?(gijskruitbosch+bugs) → review-
Comment on attachment 8873815 [details]
Bug 1369299 - Part 2: Add a test case for testing GeoIP and region default search lookup are not requested when 'privacy.resistFingerprinting' is true.

https://reviewboard.mozilla.org/r/145242/#review149204
Attachment #8873815 - Flags: review?(gijskruitbosch+bugs)
The original idea of disabling GeoIP search and region default lookups to prevent fingerprinting came from Tor [1]. They were thinking about GeoIP lookup could leak information. However, they didn't discuss much regarding the threat model in that thread.

In my opinion, I think a possible threat model here is that attacker can observe one's request and response of GeoIP lookups and make a connection between the IP address and the country where this IP is located. But, I am not sure about is this Tor's concern in terms of fingerprinting. 

Arthur, could you provide some insight about this?

[1] https://trac.torproject.org/projects/tor/ticket/16254
Flags: needinfo?(tihuang) → needinfo?(arthuredelstein)
In Tor Browser, we don't want to store any long-term state that could serve a way for network adversaries to distinguish users. So we disabled the GeoIP search and region defaults to ensure that location information isn't getting stored in the browser.search.* prefs, which could be inferred by future search requests.
Flags: needinfo?(arthuredelstein)
Priority: P1 → P3
Whiteboard: [fingerprinting][tor][fp:m1] → [fingerprinting][tor]
Comment on attachment 8873814 [details]
Bug 1369299 - Part 1: Disable the GeoIP and region default look up when 'privacy.resistFingerprinting' is true.

https://reviewboard.mozilla.org/r/145240/#review153712

This patch looks fine, but I'm not sure at this stage if we want to tie this to privacy.resistFingerprinting.
Attachment #8873814 - Flags: review?(arthuredelstein)
Comment on attachment 8873815 [details]
Bug 1369299 - Part 2: Add a test case for testing GeoIP and region default search lookup are not requested when 'privacy.resistFingerprinting' is true.

https://reviewboard.mozilla.org/r/145242/#review153716

::: browser/components/resistfingerprinting/test/browser/browser_geoIPLookup.js:165
(Diff revision 1)
> +  is(gReqs, 0, "No GeoIP and region default lookups been made.")
> +});
> +
> +add_task(async function Cleanup() {
> +  await SpecialPowers.pushPrefEnv({"set":
> +    [["privacy.resistFingerprinting", false]]

This is a very useful test to ensure that geoip requests have been disabled. Possible we want to just test the effects of setting "browser.search.geoip.url" to an empty string instead of using "privacy.resistFingerprinting".
Attachment #8873815 - Flags: review?(arthuredelstein) → review+
Whiteboard: [fingerprinting][tor] → [fingerprinting][tor][fp:m4]
Assignee: tihuang → nobody
Status: ASSIGNED → NEW
Blocks: meta_tor
No longer blocks: uplift_tor_fingerprinting
Summary: Disable GeoIP/RegionDefault Search lookup when 'privacy.resistFingerprinting' is true → Add a test to assure GeoIP/RegionDefault won't send whenGeoIP search is disabled
Whiteboard: [fingerprinting][tor][fp:m4] → [tor]
You need to log in before you can comment on or make changes to this bug.