Closed
Bug 474053
Opened 17 years ago
Closed 17 years ago
Google's invisible spyware "Safe Browsing" plugin is not in Firefox's Add-on list where you'd be able to configure or disable it!
Categories
(Toolkit :: Safe Browsing, defect)
VERIFIED
INVALID
People
(Reporter: pleasespamwareme, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008121622 Ubuntu/8.10 (intrepid) Firefox/3.0.5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008121622 Ubuntu/8.10 (intrepid) Firefox/3.0.5
I just created a new Ubuntu partition for doing sensitive things (internet banking). Wanting to make the chances of compromise as small as possible, I removed most of the non-necessary applications from my Ubuntu, scanned my drive and some other stuff. I also had to do the usual new-firefox-needs-cleaning (wonder how many times I've already done that :-S )
- Deleted the "bookmarks" on the Bookmark Toolbar (they do a call home and no, BBC is stupid so why the f*** is it on it)
- In the preferences I disabled Java (if some site is carrying Java applets everything goes way too slow)
- I also disabled the cache, all forms of form collecting data and cookies will (of course) expire after Firefox exits, DUH
- And finally I also disabled all update checks
After going to the banking website everything seemed fine until.... about after 2 minutes. EtherApe was open and I saw some communication with the Google servers. First I thought the banking website was insecure by adding hidden third party links. After double checking that, I could exclude that option.
Then I used Wireshark to see what exactly was happening and saw calls like the following:
926 33.823524 74.125.100.26 ************ HTTP HTTP/1.1 200 OK (application/vnd.google.safebrowsing-chunk)
Never having installed an application sounding like safebrowsing, I double-checked everything and couldn't possibly find anything still linking my browser to Google. I rebooted to be sure, started Firefox and waited. After about 2 minutes it would reconnect to the Google servers again. I found something about Safe Browsing being part of Chrome and it being a data collecting tool for Google (what do you expect).
After hours of browsing I finally figured out what was happening. Because Firefox thinks I'm an infant who can't look out for himself and I was doing secure HTTP, some secret invisible Google plug-in you can't even uninstall was checking if my secure URL wasn't spoofed. Of course it was also dumping my private data together with that link in their huge monster database. So how can I turn it off? By unchecking "Tell me if the site I'm visiting is a suspected attack site" and "Tell me if the site I'm visiting is a suspected forgery".
Why isn't there any indication that those two check boxes are linked to Google instead of being a list-free algorithm or something part of Firefox.
Actually I'm disgusted by Mozilla for not putting Google's spyware "Safe Browsing" plugin in Firefox's Add-on list where you'd be able to configure or disable it!
Furthermore this kind of information transfer is a security breach on itself even if it wants to supposedly avoid security threats (http://www.oreillynet.com/onlamp/blog/2005/12/two_things_that_bother_me_abou.html).
Reproducible: Always
Steps to Reproduce:
1. Going to a HTTPS website
2. Wait 2 minutes
3. Watch EtherApe and Wireshark
Actual Results:
1. Going to a HTTPS website
2. Wait 2 minutes
3. Watch EtherApe and Wireshark
Expected Results:
A secret call home to Google's servers
Transmitting nothing without first notifying me, the owner of my PC!
Comment 1•17 years ago
The default mode in Firefox 2 doesn't send your URLs to Google at all, it just periodically downloads a blacklist and does the comparisons locally. In Firefox 3, the protocol works a little bit differently, but we still don't send URLs directly to Google, and instead only send full hashes of URLs that matched a local list of downloaded partial hashes. The Google privacy policy describes how they deal with this data in both cases.
You can disable "Safe Browsing" (both for attack sites and web forgeries) in the Security preference pane (Edit->Preferences->Security). It's not shown in the add-ons manager because it's not actually an add-on.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID
Comment 2•17 years ago
(In reply to comment #0)
> Why isn't there any indication that those two check boxes are linked to Google
> instead of being a list-free algorithm or something part of Firefox.
It is possible for third-party sites to implement the same protocol and set Firefox to use that instead. As for notes about contacting Google, you'll find that in the privacy policy, http://www.mozilla.com/en-US/legal/privacy/firefox-en.html which is part of the information that you would have been offered to view on first installing/using Firefox.
> Actually I'm disgusted by Mozilla for not putting Google's spyware "Safe
> Browsing" plugin in Firefox's Add-on list where you'd be able to configure or
> disable it!
It isn't an add-on, it is integral to Firefox, hence you will find it in the security section of the options.
> Furthermore this kind of information transfer is a security breach on itself
> even if it wants to supposedly avoid security threats
> (http://www.oreillynet.com/onlamp/blog/2005/12/two_things_that_bother_me_abou.html).
That page covers the Google extension which uses a version of the safebrowsing protocol that is two years old. Since then things have changed and I believe Google cannot tell anything about the sites you've visited.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Updated•17 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → INVALID
Comment 3•17 years ago
(In reply to comment #2)
> That page covers the Google extension which uses a version of the safebrowsing
> protocol that is two years old. Since then things have changed and I believe
> Google cannot tell anything about the sites you've visited
Three years old, sorry.
Updated•17 years ago
Status: RESOLVED → VERIFIED
Version: unspecified → 3.0 Branch
Comment 4•17 years ago
(In reply to comment #0)
> Why isn't there any indication that those two check boxes are linked to Google
> instead of being a list-free algorithm or something part of Firefox.
I would like to know this, too. My suspicion is that Google/Mozilla knows that putting "Google" somewhere in the options would make these "features" frowned upon by users, and that is definitely not Google's aim (they want to "protect" as many users as they can).
See eg. handling of bug 430741, read also my comment in bug 417687 comment 18.
> Actually I'm disgusted by Mozilla for not putting Google's spyware "Safe
> Browsing" plugin in Firefox's Add-on list where you'd be able to configure or
> disable it!
Well, I'm disgusted with this whole situation, too, but it seems that you were asleep for a very long time: "safebrowsing" has been an integral part of FF since Firefox 2.
E.g. I submitted a bug related to "safebrowsing" _two years ago_ (it applies to the current version too, and is still not fixed BTW): bug 368255.
Anyway, if you want to disable so-called "safebrowsing" for good (ie. at compile time), then put these options in your .mozconfig:
ac_add_options --disable-safe-browsing
ac_add_options --disable-url-classifier
(Frankly, I haven't checked this trick recently yet, but it was working some time ago...)
Pass this info to Ubuntu maintainers of Firefox if you don't want to compile Firefox yourself with each new release. (Hint: Mozilla is not going to start preparing versions without Google-"safebrowsing" ****; Google pays them, not you, not me -- not users.)
(Note that changing compile time options ("Custom builds created using options to configure") is fully in compliance with the Mozilla Community Edition Policy: http://www.mozilla.org/foundation/trademarks/community-edition-policy.html, so they don't have to change the name or seek official blessings from Mozilla to do this.)
> Furthermore this kind of information transfer is a security breach on itself
> even if it wants to supposedly avoid security threats
> (http://www.oreillynet.com/onlamp/blog/2005/12/two_things_that_bother_me_abou.html).
It is old stuff, Google fixed some problems since then (eg. sending full URLs in "enhanced protection mode" in FF2 was encrypted via RC4 using key requested via https, although in a (unlikely in normal circumstances) situation when key was missing the browser indeed was sending unencrypted URLs, at least last time I checked...).
> Reproducible: Always
>
> Steps to Reproduce:
> 1. Going to a HTTPS website
Visiting an HTTPS site is not needed for the traffic you noticed to occur. You may go to about:blank, wait some time (~0.5h at max) and you will notice traffic with Google generated by Firefox on default "security" settings.
----------------------------------------------------
(In reply to comment #1)
> 3, the protocol works a little bit differently, but we still don't send URLs
> directly to Google,
Minor addition: Firefox 2 in so-called "enhanced protection mode" (disabled by default) was sending full URLs directly to Google. Demonstration: http://bb.homelinux.org/firefox/sb/
> and instead only send full hashes of URLs
Correction: browser (FF3) sends _partial_ hashes, it _receives_ full hashes.
(Sending only partial hashes is definitely better than sending full hashes, but still not good enough to solve all privacy problems...).
> You can disable "Safe Browsing" (both for attack sites and web forgeries) in
> the Security preference pane (Edit->Preferences->Security).
Submitter of the bug knows this, he/she explicitly mentioned those options in his/her initial bug report...
> It's not shown in
> the add-ons manager because it's not actually an add-on.
Indeed. It was an add-on by Google before FF2; since FF2 it is fully integrated with the browser.
----------------------------------------------------
(In reply to comment #2)
> (In reply to comment #0)
> > Why isn't there any indication that those two check boxes are linked to Google
> > instead of being a list-free algorithm or something part of Firefox.
>
> It is possible for third-party sites to implement the same protocol and set
> Firefox to use that instead.
Indeed, it is _technically_ possible to implement "safebrowsing" protocol (I have done this, partially, see http://bb.homelinux.org/firefox/sb2/), however Google seems to restrict _legal_ usage of the protocol: from the page with specification (http://code.google.com/p/google-safe-browsing/wiki/Protocolv2Spec): "Do not use this protocol without explicit written permission from Google." "Copyright 2007 Google Inc. All Rights Reserved." "Note: This is not a license to use the defined protocol. This is merely a description of the protocol."
(BTW: I always thought that software using proprietary protocols was against the Debian Social Contract... (Ubuntu is an offspring of Debian, IIRC...))
> As for notes about contacting Google, you'll find
> that in the privacy policy,
> http://www.mozilla.com/en-US/legal/privacy/firefox-en.html which is part of the
> information that you would have been offered to view on first installing/using
> Firefox.
Installing Firefox on Linux doesn't require agreeing to EULA or reading any other document. (It is only a matter of untarring in case of official binaries.)
On first run there is only a small toolbar on top with the button "Know your rights..." (EULAs are about restrictions and other legal mumbo-jumbo; this button is a really good joke...)
(Related bug: bug 443918)
> (...) I believe
> Google cannot tell anything about the sites you've visited
You are wrong. See eg. demo here: http://bb.homelinux.org/firefox/sb2/
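The lookup flow discussed in comments 1 and 4 (a locally stored list of partial hashes, a partial hash sent on a local match, full hashes returned for a final local comparison), as an added example that is not part of the original thread or of Firefox's code. The URL expression generation is simplified, and `ListServer`, `check`, `demo` and the sample hostnames are assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes; assumption: 32-bit hash prefixes

def expressions(url):
    """Simplified host-suffix/path-prefix expressions (no full canonicalization)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.split(".")
    hosts = [host] + [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    segs = [s for s in (parts.path or "/").split("/") if s]
    paths = ["/"] + ["/" + "/".join(segs[:i]) + "/" for i in range(1, len(segs))]
    paths.append(parts.path or "/")
    if parts.query:
        paths.append((parts.path or "/") + "?" + parts.query)
    return sorted({h + p for h in hosts for p in paths})

def full_hash(expr):
    return hashlib.sha256(expr.encode()).digest()

class ListServer:
    """Hypothetical stand-in for the list provider; records what it is sent."""
    def __init__(self, bad_expressions):
        self.full = {full_hash(e) for e in bad_expressions}
        self.seen = []  # every prefix a client asked about
    def prefixes(self):
        return {h[:PREFIX_LEN] for h in self.full}
    def gethash(self, prefix):
        self.seen.append(prefix)
        return {h for h in self.full if h.startswith(prefix)}

def check(url, local_prefixes, server):
    """True if url is listed; the server is contacted only on a local prefix hit."""
    for expr in expressions(url):
        h = full_hash(expr)
        if h[:PREFIX_LEN] in local_prefixes and h in server.gethash(h[:PREFIX_LEN]):
            return True
    return False

def demo():
    server = ListServer(["phish.example/login/"])  # constructed sample entry
    local = server.prefixes()  # stands in for the periodic list download
    clean = check("https://bank.example/account?id=1", local, server)
    sent_after_clean = len(server.seen)
    bad = check("http://phish.example/login/index.html", local, server)
    return clean, sent_after_clean, bad, [p.hex() for p in server.seen]
```

`server.seen` is the complete record of what the list provider receives from these two lookups: nothing for the unlisted URL and one 4-byte prefix for the listed one.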
Comment 5•17 years ago
(In reply to comment #4)
> (Hint: Mozilla is not going to start
> preparing versions without Google-"safebrowsing" crap; Google pays them, not
> you, not me -- not users.)
*plonk*
If anyone asks, this is the point where you moved from privacy advocate to troll.
Comment 6•17 years ago
(In reply to my comment #4)
> ...
Using the c-word was unnecessary, and I want to apologize for it. I was (and still am) agitated by the whole situation, but it doesn't justify using such language. Sorry for that.
Updated•11 years ago
Product: Firefox → Toolkit