Closed Bug 1602249 Opened 5 years ago Closed 5 years ago

superfish.com is seemingly for sale and exempt from ETP

Categories

(Core :: Privacy: Anti-Tracking, defect)

71 Branch
defect
Not set
normal

Tracking

RESOLVED FIXED

People

(Reporter: John, Assigned: englehardt)

References

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Safari/605.1.15

Steps to reproduce:

From what I understand, the "Content" category of the Disconnect.me list is exempt from the default protections of Firefox ETP. The domain superfish.com is in that category (https://services.disconnect.me/disconnect-plaintext.json). Wikipedia says "Superfish's software has been described as malware or adware by many sources" (https://en.wikipedia.org/wiki/Superfish) and they were the tracker of choice involved in the "Lenovo security incident" 2014 (see same Wikipedia article). Furthermore, if you go to https://superfish.com it says the domain name is on sale for around 13 million dollars which looks like a paid way to circumvent ETP.

Actual results:

superfish.com seems to be part of the exempt Content category. Sorry if I misinterpreted the structure of the list and superfish.com is indeed not part of the Content category.

Expected results:

I didn't expect a well-known tracker like superfish.com to be exempt and also up for sale.
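To make the reporter's reasoning about the Disconnect list concrete, here is an added example (not code from the bug report, from Mozilla, or from Disconnect) that loads a list in the disconnect-plaintext.json shape, looks up which category a host falls into, and reports whether default-level ETP would block it. The list excerpt is constructed and much smaller than the real file, and the "every category except Content is blocked by default" policy is an assumption drawn from this discussion rather than a reading of Firefox's code; the walk up the host's labels (so tracker.superfish.com matches a listed superfish.com) is likewise this example's own simplification of how the classifier matches.

```python
"""Category lookup against a Disconnect-format tracking list plus a
default-level (Level 1) ETP verdict.

Added example; not code from the bug, Mozilla, or Disconnect.
Assumptions, labelled where they appear:
  * SAMPLE_LIST_JSON is a CONSTRUCTED excerpt mirroring the shape
    categories -> entries -> company -> url -> [domains].
  * LEVEL1_BLOCKED_CATEGORIES encodes the thread's description: every
    category is blocked by default except "Content".
"""
import json
from typing import Dict, Optional, Tuple

# Constructed sample in the Disconnect list shape (NOT the real file).
SAMPLE_LIST_JSON = """
{
  "license": "constructed sample for illustration",
  "categories": {
    "Advertising": [
      {"ExampleAds": {"http://example-ads.test/": ["example-ads.test", "cdn.example-ads.test"]}}
    ],
    "Analytics": [
      {"ExampleStats": {"http://example-stats.test/": ["example-stats.test"]}}
    ],
    "Content": [
      {"Superfish": {"http://superfish.com/": ["superfish.com"]}},
      {"ExampleEmbed": {"http://example-embed.test/": ["example-embed.test"]}}
    ]
  }
}
"""

# Assumption from the discussion: "Content" is the one category exempt at
# the default protection level; everything else on the list is blocked.
LEVEL1_BLOCKED_CATEGORIES = frozenset(
    {"Advertising", "Analytics", "Social", "Fingerprinting", "Cryptomining"}
)


def build_index(list_json: str) -> Dict[str, Tuple[str, str]]:
    """Map every listed domain to (category, company)."""
    data = json.loads(list_json)
    index: Dict[str, Tuple[str, str]] = {}
    for category, entries in data["categories"].items():
        for entry in entries:
            for company, urls in entry.items():
                for _url, domains in urls.items():
                    # Defensive: skip non-list metadata values if a list
                    # variant carries them alongside the domain arrays.
                    if not isinstance(domains, list):
                        continue
                    for domain in domains:
                        index[domain.lower().rstrip(".")] = (category, company)
    return index


def lookup(index: Dict[str, Tuple[str, str]], host: str) -> Optional[Tuple[str, str, str]]:
    """Return (matched_domain, category, company), walking from the full
    host up to its registrable suffix; None if nothing on the list matches.
    The bare TLD is never tried."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in index:
            category, company = index[candidate]
            return candidate, category, company
    return None


def category_of(index: Dict[str, Tuple[str, str]], host: str) -> Optional[str]:
    hit = lookup(index, host)
    return hit[1] if hit else None


def blocked_by_level1(index: Dict[str, Tuple[str, str]], host: str) -> bool:
    """True only when the host is listed in a category the default level blocks.
    An unlisted host (e.g. a freshly registered tracker) is never blocked,
    which is the list-based weakness discussed in the thread."""
    hit = lookup(index, host)
    return hit is not None and hit[1] in LEVEL1_BLOCKED_CATEGORIES


def verdict(index: Dict[str, Tuple[str, str]], host: str) -> str:
    hit = lookup(index, host)
    if hit is None:
        return f"{host}: unlisted, not blocked by list-based ETP"
    matched, category, company = hit
    state = "blocked" if category in LEVEL1_BLOCKED_CATEGORIES else "allowed (exempt category)"
    return f"{host}: {state}; matches {matched} in {category} ({company})"


if __name__ == "__main__":
    idx = build_index(SAMPLE_LIST_JSON)
    for h in ("superfish.com", "tracker.superfish.com", "cdn.example-ads.test", "brand-new-tracker.test"):
        print(verdict(idx, h))
```

Running the block prints one verdict per host: superfish.com and its subdomain resolve to the Content entry and come back "allowed (exempt category)", the Advertising host is blocked, and the never-listed domain is passed through untouched, which is the cheap bypass Johann raises later in the thread.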

Component: Untriaged → Privacy: Anti-Tracking
Product: Firefox → Core

ETP is intended to block the Content category in the future and it does in Nightly right now.

But why would you buy superfish.com for 13M when you can buy any fresh domain name that is not on the list for a few bucks? Are they already embedded in a lot of places?

Maybe my brain is still in vacation mode. Steve can probably help us out here :)

Flags: needinfo?(senglehardt)

Hi Johann!

Here's my line of thinking:

  1. Yes, an arbitrary new domain is a much cheaper solution for trackers; this is an inherent deficiency of list-based tracking prevention and is probably already happening. However, there's a risk that whatever process is used to maintain the list will miss superfish.com, with a script saying superfish.com -> already categorized, [new domain] -> flag for curation.

  2. Being in the Content category is a super power because those domains are explicitly allowed to track Firefox users. Buying the superfish.com domain name offers an opportunity to businesses that want to both track and offer content, since their assumption might be that they get to stay in the Content category if they offer embedded content.

  3. Dormant domain names should not be in the super power category because it casts doubt on the curation process.

  4. superfish.com is a well-known tracker that has been used for bad purposes (see linked Wikipedia article). Should it really be in the super power category in the first place?

  5. $13M is a lot of money, as you point out. Thus there has to be value there. Is that just the name, or does this domain name offer already established tracking powers, maybe even scripting powers? The problem with stale domains was explored by Nick Nikiforakis et al. in: https://www.securitee.org/files/jsinclusions_ccs2012.pdf

I see, thanks for elaborating further. I'm not sure the content category is as much a super power as you're making it out to be (especially since we can hopefully block it soon), but I understand the concern about dormant domains on the lists. Those aren't really my territory though, let's see what Steve says.

Thanks John. I agree with your points that this could be missed during a curation process and might not be the best fit for the Content category since it now appears to be a dormant domain. I've filed an issue here with Disconnect: https://github.com/disconnectme/disconnect-tracking-protection/issues/121.

I think the actual risk of attack from this specific domain is low -- if it were to be purchased and used for nefarious purposes we could promptly ask Disconnect to re-review it based on the new practices. Thus I'm comfortable resolving this against Bug 1501461. Shipping ETP for the "Content" category is a top priority for us right now, and will fix this issue regardless of how Disconnect decides to handle the domain.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(senglehardt)
Resolution: --- → DUPLICATE

Thank you! I assume that by "Shipping ETP for the 'Content' category" you mean moving to strict mode (the dupe). That would indeed get rid of the Content category problem.

Disconnect has indeed decided to move superfish to the Advertising category so this will be blocked by ETP once https://github.com/mozilla-services/shavar-prod-lists/pull/91 is merged (hopefully this week).

Assignee: nobody → senglehardt
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: DUPLICATE → ---

With the merging of https://github.com/mozilla-services/shavar-prod-lists/pull/91 this domain should now be blocked in all Firefox releases by the default, Level 1 ETP.

In about:url-classifier we see:

tracking-protection
    URI: https://superfish.com/
    List of tables: ads-track-digest256

tracking-annotation
    URI: https://superfish.com/
    List of tables: ads-track-digest256
Status: REOPENED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED