Safebrowsing "Learn more" link breaks resistFingerprinting anonymity
Categories
(Firefox :: Settings UI, defect, P3)
Tracking
()
People
(Reporter: 13hurdw, Unassigned)
Details
Attachments
(1 obsolete file)
To reproduce:
- privacy.resistFingerprinting true
- Open about:preferences#privacy , click "Learn more" link under Security section
The learn more direct link is https://support.mozilla.org/1/firefox/<VERSION>/<OS>/en-US/phishing-malware , which although it 302 redirects to https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work?as=u&utm_source=inproduct, contains the actual build number and OS of the client, bypassing the resistFingerprinting setting. This is more important for TorBrowser where it reveals the real OS. Not a huge deal but other pages loaded on the mozilla site like GA could see referrer.
Expected: Learn more URL doesn't give build and OS of client
|
||
Comment 1•6 years ago
|
||
I can reproduce this issue following the steps from comment 0 . After setting the privacy.resistFingerprinting to true the Learn more link sill contains version and OS info.
Since I can reproduce this issue, I am marking this as New.
|
||
Comment 2•6 years ago
|
||
Tom, Ethan, is this issue of interest to Tor browser? If so, you might want to change the behavior of https://searchfox.org/mozilla-central/rev/60c4067b1cbb0f94d7dc2d7cdfa27ed579817fee/toolkit/components/urlformatter/nsURLFormatter.js#107 if the privacy.resistFingerprinting pref is set.
|
||
Comment 3•6 years ago
|
||
Yeah; we care about this and want to fix it. But I don't think it's a very high priority.
|
||
Updated•6 years ago
|
|
||
Updated•6 years ago
|
|
|
||
Updated•6 years ago
|
|
|
||
Comment 4•6 years ago
|
||
I wasn't sure what to replace the value with. Strictly using the empty string will result in invalid URLs in some cases. I allowed locale to get replaced with the actual value otherwise the page on the Mozilla site will get displayed in the wrong language.
|
|
||
Comment 5•6 years ago
|
||
Tom, not sure if the review request shows up in your queue (since I requested changes but jaws needs your input to make those changes), so needinfo here :)
|
|
||
Comment 6•6 years ago
|
||
%VERSION% should be the most recent ESR version; which can come from here: https://searchfox.org/mozilla-central/rev/03ebbdab952409640c6857d835d3040bf6f9e2db/toolkit/components/resistfingerprinting/nsRFPService.cpp#655 if that function is accessible.
%OS% can be the real OS; since we do expose that in the navigator object.
%LOCALE% should be 'en_US' if the pref javascript.use_us_english_locale is true; otherwise it is the user's real locale.
|
||
Comment 7•6 years ago
|
||
(In reply to Tom Ritter [:tjr] from comment #6)
%OS% can be the real OS; since we do expose that in the navigator object.
Only for now. That could get reduced, see Bug 1519122 . Would it not be better to restrict to two OSes here, so it doesn't have to be revisited?
|
|
||
Comment 8•6 years ago
|
||
(In reply to Simon Mainey from comment #7)
(In reply to Tom Ritter [:tjr] from comment #6)
%OS% can be the real OS; since we do expose that in the navigator object.
Only for now. That could get reduced, see Bug 1519122 . Would it not be better to restrict to two OSes here, so it doesn't have to be revisited?
Hm. So I think my answer would depend on how many of our links that go through this thing have OS-specific instructions. If it's none or very few; then yea we should use fewer OSes. If it's many then maybe we would want to leave this fingerprinting vector open (since it's not an active vector, etc).
|
|
||
Comment 9•6 years ago
|
||
Yeah, it would be better if we could use the implementation of nsRFPService.cpp to get the spoofed OS and spoofed version. I don't have the time to put together a larger patch that does this so I'm going to unassign.
|
||
Updated•6 years ago
|
|
|
||
Comment 10•5 years ago
|
||
This is pretty much the same as Bug 1507280 . Maybe close that and change the title of this to "Sanitize URLs: learn more / Safebrowsing etc"
|
||
Updated•2 years ago
|
Description
•