Closed Bug 1433350 Opened 3 years ago Closed 2 years ago
As defense in depth, don't load user's name etc
. into memory
In Tor Browser, we have a defense-in-depth privacy patch to prevent some code from loading the user's real name, username, windows domain and email address from being loaded into memory. Here's the original ticket and patch: https://trac.torproject.org/13398 https://torpat.ch/13398 Perhaps we could turn off this code by default in Firefox as well? Or put it behind privacy.resistFingerprinting?
> Perhaps we could turn off this code by default in Firefox as well? Or put it > behind privacy.resistFingerprinting? Disable it completely. There's no need for this information to be collected IMO. If if is needed for some technical reason (thunderbird compat?) then behind the RFP pref
Here's a patch putting it under the MOZ_THUNDERBIRD flag.
Attachment #8949294 - Flags: review?(dtownsend)
I'm not seeing any evidence that this component is ever instantiated or queried by Firefox code, can you explain more about what you're seeing here?
I don't think it is instantiated by Firefox code. After discussing with Richard (the patch's author) I think you're right that this patch is not as important now that extensions can't instantiate it anymore. The only value would be defense against a future internal use of nsIUserInfo.
Comment on attachment 8949294 [details] [diff] [review] 0001-Bug-1433350-Don-t-load-full-name-email-etc.-except-i.patch Review of attachment 8949294 [details] [diff] [review]: ----------------------------------------------------------------- So given that this component is unused in Firefox I think we should actually just remove it entirely from mozilla-central, that removes the possibility of a leak and makes our code smaller :)
Attachment #8949294 - Flags: review?(dtownsend) → review-
Jorg, looks like the nsIUserInfo component is used in Thunderbird but I'd expect it to be easy to move into comm-central.
We might be able to stop using it altogether given comments like: // nsIUserInfo may not be implemented on all platforms ... Aceman, can you take a look, this is used in account creation. Let's also file a C-C bug for it.
In m-c this seems to be used at least in https://dxr.mozilla.org/comm-central/source/mozilla/testing/modules/tests/xpcshell/test_mockRegistrar.js . In Thunderbird we use the nsIUserInfo information to pre-fill a full name and email address when creating a new account. This seems to be a convenience feature and there is always code (and comment) coping if getting the info from nsIUserInfo fails. Note there is no use in Seamonkey. While this interface is scriptable and accessible to addons, in Thunderbird addons (old-style, non-webextensions) can still get the information. So I think we would survive if this interface got dropped. User will just need to fill it in manually if at all needed (he may want to put something else into the name).
Aceman, could to prepare a patch to rip it all out and attach it here unless M-C people want us to file a separate bug.
Attachment #8953783 - Flags: review?(mkmelin+mozilla)
Comment on attachment 8953783 [details] [diff] [review] remove uses in Thunderbird Review of attachment 8953783 [details] [diff] [review]: ----------------------------------------------------------------- Such a shame, but r=mkmelin
Attachment #8953783 - Flags: review?(mkmelin+mozilla) → review+
(In reply to :aceman from comment #9) > So I think we would survive if this interface got dropped. User will just > need to fill it in manually if at all needed (he may want to put something > else into the name). Instead of dropping nsIUserInfo altogether, could we move the interface and implementation to comm-central? mossop was only proposing to remove the code from mozilla-central because it is not used at all in Firefox. I agree with mkmelin that it's a shame to remove the pre-fill feature from Thunderbird.
It we moved it to TB (if that is possible, as the implementation is in platform-specific C++ files), it wouldn't solve the original privacy problem why you filed this bug. It is actually Thunderbird where the code and also addons would still be able to silently access this data (in Firefox addons no longer can). Or you would then make your patch apply to Thunderbird? Is there a Tor version of Thunderbird?
My thinking is that the usability/privacy tradeoff is different for Firefox vs Thunderbird. In Firefox, there is no downside to removing the code, and a modest reduction of risk to privacy by ensuring no future mozilla-central code calls these functions. In Thunderbird, there would be potentially an improvement in privacy but a reduction in usability. In any case, my focus is on the browser -- I defer to the Thunderbird team to decide if they want to keep the auto-fill feature. :) There is a Tor version of Thunderbird planned, based around torbirdy. I am informed that the wizard that uses this code is already disabled by torbirdy.
2 years ago
Depends on: 1541958
Product: Toolkit → Thunderbird
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Assignee: nobody → acelists
OS: Unspecified → All
Hardware: Unspecified → All
Version: unspecified → Trunk
Comment on attachment 9056330 [details] [diff] [review] 1433350-2.patch Grrr, every single hunk needed rebasing here and I missed that the almost identical code got removed twice :-( - Thanks for following up.
Attachment #9056330 - Flags: review?(jorgk) → review+
Pushed by email@example.com: https://hg.mozilla.org/comm-central/rev/516af70f7341 remove remaining use of nsIUserInfo. r=jorgk
You need to log in before you can comment on or make changes to this bug.