Closed
Bug 354199
Opened 19 years ago
Closed 19 years ago
firefox fetches a key from sb.google.com in local list mode
Categories
(Toolkit :: Safe Browsing, defect)
Toolkit
Safe Browsing
Tracking
()
RESOLVED
FIXED
People
(Reporter: tony, Assigned: tony)
Details
(Keywords: fixed1.8.1.2, Whiteboard: [need testcase])
Attachments
(1 file)
|
2.52 KB,
patch
|
mmc
:
review+
jay
:
approval1.8.1.2+
|
Details | Diff | Splinter Review |
If the user has phishing protection enabled with local list checking, it still makes a request to sb.google.com to get a key. The key is only needed when doing remote checks so we should remove this http request for local list mode.
|
||
Comment 1•19 years ago
|
||
I already know of at least one person who's seen this behavior and believes that this is being used by Google to log personal information. This is something which should get priority for getting fixed because it does raise eyebrows and concerns.
Flags: blocking1.8.1.2?
Flags: blocking-firefox3?
|
||
Comment 2•19 years ago
|
||
I've seen talk of this as well, but had it explained to me as a cookie. If it's not necessary then it should definitely go.
|
Assignee | |
Comment 3•19 years ago
|
||
This doesn't provide a way to log personal information any more than the act of downloading the local list data every 30 minutes does.
|
|
||
Comment 4•19 years ago
|
||
While that's probably true, it's the appearance of impropriety which is the problem. People can be very sensitive about their privacy, Tony, so even the appearance that it's being violated can be a problem.
|
|
||
Comment 5•19 years ago
|
||
Right, but users don't know that and we have no way to tell them. The people that find this are just going to know google is storing something besides the list, and they're also probably the types to be paranoid about this sort of thing (seeing how they've tracked and detected it in the first place).
|
|
||
Comment 6•19 years ago
|
||
Tony: We'd like this for 2.0.0.2, so let's try to get a patch together soon.
Flags: blocking1.8.1.2? → blocking1.8.1.2+
|
|
Assignee | |
Comment 7•19 years ago
|
||
Sure thing, should be pretty straight forward.
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 8•19 years ago
|
||
Only set the key url when in remote check mode. This is a small patch so we can get something on Firefox 2. What I'd really like to do is refactor the crypto key manager class into an XPCOM service with it's own enableUpdate/disableUpdate method (rather than having it dependent on whether or not the key url is set). I'll make a follow up patch to do that for trunk, but it seems like unnecessary risk for branch since it doesn't provide any extra functionality.
Attachment #249495 -
Flags: review?(mmchew)
|
|
||
Comment 9•19 years ago
|
||
Comment on attachment 249495 [details] [diff] [review]
only get key in remote mode
Looks fine to me. I think your future fix sounds good, rather then the URL check.
Attachment #249495 -
Flags: review?(mmchew) → review+
|
|
||
Updated•19 years ago
|
Flags: blocking-firefox3?
Whiteboard: [needs-checkin]
|
|
Assignee | |
Comment 10•19 years ago
|
||
on trunk
Checking in globalstore.js;
/cvsroot/mozilla/browser/components/safebrowsing/content/globalstore.js,v <-- globalstore.js
new revision: 1.14; previous revision: 1.13
done
|
|
Assignee | |
Comment 11•19 years ago
|
||
Comment on attachment 249495 [details] [diff] [review]
only get key in remote mode
I'm going to be out of town until the Jan 8th, 2007. Someone else should check in on branch if we need it before then.
Attachment #249495 -
Flags: approval1.8.1.2?
|
|
Assignee | |
Updated•19 years ago
|
Whiteboard: [needs-checkin]
|
|
||
Comment 12•19 years ago
|
||
Comment on attachment 249495 [details] [diff] [review]
only get key in remote mode
Approved for 1.8 branch, a=jay for drivers. Let's get this landed and tested asap.
Attachment #249495 -
Flags: approval1.8.1.2? → approval1.8.1.2+
|
||
Comment 14•19 years ago
|
||
-->RESOLVED FIXED? and fixed1.8.1.2 ?
|
|
||
Comment 15•19 years ago
|
||
According to comment #8, Tony wants to do more for a *real* trunk fix
|
|
Assignee | |
Comment 16•19 years ago
|
||
Sorry, splitting comment #8 out into a separate bug 369621.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
|
|
||
Comment 17•19 years ago
|
||
hi Tony Chang, what is the best way for QA to verify your fix on the 1.8 branch? please list a few testcases so we can verify. If its not easy to verify, can you assist and please test it with your results posted? Thanks.
|
|
||
Updated•19 years ago
|
Whiteboard: [need testcase]
|
|
Assignee | |
Comment 18•19 years ago
|
||
You can use ethereal or fiddler or whatever to watch for network traffic. You want to test to see if there's a request to https://sb.google.com/safebrowsing/getkey or not at browser startup. You should not see this if Firefox is in local list mode (in the security preferences tab, it's the "check using a downloaded list of suspected sites"). When switching to the "check by asking Google" option, you should see the request sent. A couple test cases:
1) start on a new profile, observe no request sent
2) switch to "check by asking Google" and observe a request being sent
1) start on a new profile, observe no request sent
2) close firefox and edit prefs.js manually. In prefs.js, set browser.safebrowsing.remoteLookups to true.
3) Start firefox using the same profile and observe the request being sent.
If the user is upgrading to 2.0.0.2 and has "check by asking Google", there may or may not be a request because we only make the request once per 24 hours.
|
||
Updated•11 years ago
|
Product: Firefox → Toolkit
You need to log in
before you can comment on or make changes to this bug.
Description
•