Bug 490503 - disable DNS prefetching because of possible law implications
Status: RESOLVED INVALID (Closed)
Opened 16 years ago, closed 16 years ago
Categories: Firefox :: Security, defect
Reporter: wagner.sim88, Unassigned
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.0.9) Gecko/2009042113 Ubuntu/8.10 (intrepid) Firefox/3.0.9
Dear Mozilla Developers,
In Germany, a new law against child pornography distribution is under discussion.
The current draft will force ISPs to block DNS requests to sites which are suspected to contain child pornography.
A list of such sites will be created by the BKA (the "German FBI") and given to the ISPs, which will then take the necessary technical measures.
So far, so good. Now to the bad part for us.
The current draft is thought to be extended to require the ISPs to record all requests to those sites and hand them over to the BKA, if needed for law enforcement. The BKA will then use these records and start a house search on the suspected users.
Just trying to view a site that contains child pornography is a crime in Germany.
Furthermore, house searches because of child pornography will most certainly corrupt your reputation. Just imagine such a thing happening to a teacher. You get fired in Germany for less (actually you can get fired for the suspicion of having taken about 5$ from the cash box, note THE SUSPICION, no proof needed).
The law doesn't specify what is meant by "request". It doesn't say clearly, whether it's the DNS request, or the HTTP request to the "Blocking Site" that you get, instead of the original site. I am assuming here the worst case, that the ISPs will record the DNS requests.
As DNS prefetching starts requesting sites without real user interaction, someone can easily be tricked. Imagine someone who wants to ruin your life posts certain links to suspicious sites as a comment on your own blog.
If you now open your blog and read the comment, DNS prefetching will start requesting those sites and you get registered by the BKA. So if you are unlucky, your life has just been ruined. Even though you didn't actually click on those links.
Of course the recorded data is very questionable, so it's very unsure whether the evidence will be enough to deliver a judgement. However, just being suspected of viewing child pornography is not the kind of situation anybody wants to be in...
So as long as the discussion is going on and the juristic implications aren't clear, we should not risk bringing Firefox users into uncomfortable situations via DNS prefetching!
So I request you to disable DNS prefetching until this bug has been fixed.
Note: Even if the law makes clear that only HTTP requests to the "Blocking Site" will be recorded, the user can still be tricked via JavaScript, iframes, etc., but we can't do anything about this.
[Maybe we can find out the address of the "Block Site"-Server, and block any requests to it...]
Sources:
Draft of the law: http://www.bmwi.de/BMWi/Redaktion/PDF/Gesetz/entwurf-gesetzes-zur-bekaempfung-der-kinderpornographie-in-kommunikationsnetzen,property=pdf,bereich=bmwi,sprache=de,rwb=true.pdf
The problematic part is: Page 2 point (5)
Further sources are found on www.heise.de, a German news portal (they are very critical of this law):
http://www.heise.de/newsticker/Kinderporno-Sperren-Regierung-erwaegt-Echtzeitueberwachung-der-Stoppschild-Zugriffe--/meldung/136769
Possible fixes for that bug, ordered by preference:
I. Stop that law:
Hard to do, there have been small protests by the Chaos Computer Club (a hacker and civil rights movement in Germany [www.ccc.de]) but so far to no use. Politicians are blocking sane arguments, even insulting members of the CCC. Elections are coming soon, so politicians have to show "they can do something". Furthermore most politicians don't have the necessary knowledge to understand how this thing called the internet really works. (getting sarcastic here, sorry)
Only little interest in public; most people don't understand the implications, and discussions involving such a hot topic as child pornography are very difficult. Most people want the politicians "to do something against it". And of course we have "nothing to hide".
II. Disabling DNS prefetch
DNS prefetching should be deactivated until the law and all implications are clear.
If users want to activate DNS prefetching, Firefox should show a drastic warning, like:
DNS prefetching starts requesting the IP address for sites without your interaction.
In some countries, certain requests may be blocked and recorded by the
police for further investigation against you.
Therefore we don't advise you to use this function if this is done in your country.
If in doubt don't use this function!
Further measures:
To raise awareness of the implications of such laws, Firefox 3.5 might show some kind of protest after installation.
I know foundations like Mozilla should have a neutral point of view, but I think some kind of protest is needed.
Even if we do our work, users might still get wrongfully under suspicion. They might be tricked by a JavaScript or just click on a link without knowing where it will lead to.
Therefore I think it's OK to protest against the recording of requests, because they are just too easy to manipulate.
I would suggest showing some kind of a protest page, after installation, only in Germany or in countries with similar laws.
The text could be something like this:
The Mozilla Foundation has decided to protest against the recording of DNS requests to certain sites
and their use for investigation. We want to raise attention to the fact that it is impossible to tell whether
a request (be it DNS or HTTP) was started intentionally by the user or by an automatic mechanism,
like JavaScript on a site or DNS prefetching. Therefore, these records are useless for any kind of
investigation!
Firefox 3.5 should contain DNS prefetching, but due to coming laws and an unclear legal situation
we decided to deactivate it by default. You can still activate it at your own risk.
Sidenote: We don't want to influence the discussion about laws for blocking sites. Whether this
is applicable should be an open discussion, although we are strongly opposed to any kind of
censorship.
I am looking forward to your comments!
Reproducible: Always
Updated•16 years ago
Version: unspecified → 3.5 Branch
Comment 1•16 years ago
DNS prefetching only gets the DNS entry for the name from the DNS server; the logging itself is on the "stop sign" server, but DNS prefetching doesn't cause such sites to be visited.
If Firefox did that, it would only show that the logging is incorrect/broken.
BTW: They already broke the whole DNS system with their redirect, but luckily I could switch my DNS servers on my router in 10 s.
-> invalid
Severity: critical → normal
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Component: General → Security
QA Contact: general → firefox
Resolution: --- → INVALID
Comment 2•16 years ago
Reporter: you may be also interested in (non-standard, AFAIK) "link prefetching". See eg. https://developer.mozilla.org/en/Link_prefetching_FAQ (but note that this page has some misleading/untrue statements, like "(https:// URLs are never prefetched for security reasons)" -- see eg. bug 487006... The only good way to check how it really works is to make some tests and read source code, I guess :-/).
You also wrote: "I know foundations like Mozilla should have a neutral point of view ..." -- well, Firefox is a product of Mozilla _Corporation_. They are definitely not "neutral". For example, they are heavily dependent on Google, since Google is their main source of income. (But actually that's not very important in this case... Just FYIing...)
Comment 3•16 years ago
Unfortunately the law is not clear on the point of whether the DNS request or the HTTP request to the "Block Site" will be recorded.
I am trying to translate the critical points of the law:
Page 2, Point (5):
The ISP may record and use personal data, if required for the measures in points 2 and 4. These records may be transferred for law enforcement of §184b to the competent authorities [the BKA].
So recording is allowed in the context of points 2 and 4 which are:
(2)
ISPs according to §8, which provide access for more than 10 000 users [...] are required to undertake measures which will impede access to sites in the blocking list.
For blocking, FQDNs, IP addresses and URLs will be used. The blocking takes place at least at the level of DNS; the request won't be answered. [...]
(4)
ISPs will redirect user requests to blocked sites to a stop site, which will inform users about the reasons for blocking and will provide contact information for the BKA. The site is created by the BKA.
So point (2) applies to the DNS requests while (4) applies to HTTP requests to the "Stop Site". In both contexts the recording of requests is allowed.
As the ISPs are required to record statistics about the successful blocks, I think they are likely to choose DNS request logging, because that way you don't have to provide two different logs (one log on the DNS name server and one on the web server hosting the "Stop Site").
So in my opinion, it is not specified, which action makes you suspicious. It may be either already the DNS request or the HTTP request. Which logs are used is up to the BKA.
So therefore I think the issue is still valid, as long as the law is not clear enough.
So I reopen the bug. (Sorry if I am a bit insistent here)
@BartZilla:
Well, nobody has a true NPOV ;-). But I think Mozilla should be at least politically neutral. (Not that they join Google in World Dominance, hehe)
And you are right it's a corporation, but that means it should keep even more out of political business. (Just like all the others ;), sarcasm strikes again)
Link prefetching in my opinion is just as risky as JavaScript. Both can trigger the HTTP request to blocked sites, but they require a higher level of access to the content (e.g. you can't post a comment or a forum post that will trigger HTTP requests to certain sites, if there isn't a vulnerability).
But didn't Google Gears prefetch <a>-links? That would be a problem...
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Comment 4•16 years ago
After some thinking, I recognized another way to compromise the logging:
As most forums and social networks allow posting images, there is an easy way to trigger an HTTP response.
Just use something like [img]http://dontcallthissite.com[/img]. That will become an image tag with the source being the blocked site. Viewing a site that contains such an image will trigger an HTTP request to that site (just like cross-site request forgery).
Maybe we should think more about the protest note than the "fixing" of Firefox...
And perhaps we should add the stop site to the malware site list, to prevent any requests to that site, once it becomes available.
Comment 5•16 years ago
(In reply to comment #4)
> (...)
> And perhaps we should add the stop site to the malware site list, to prevent
> any requests to that site, once it becomes available.
But you realize that "phishing" and "malware" lists in FF are maintained by Google and Mozilla has very limited control over them, right?
Comment 6•16 years ago
Yes, but nothing would prevent us from adding sites to the list internally. Just check a site via Google's Safe Browsing API and then against an internal blacklist.
Should be easy, isn't it?
Comment 7•16 years ago
>Unfortunately the law is not clear in the point, whether the DNS request or the
>HTTP request of the "Block Site" will be recorded.
Not the law; simple and very easy logic makes it clear that it can only be done on the "Stop server".
That makes this bug invalid; please do not reopen it unless you have technical reasons.
a) We do not have a list of forbidden URLs and we never will have.
b) We could only get somehow IPs from the Stop server.
c) They could however change the IP used for the "stop server" every hour, and they will do it if a major browser like Firefox with 40% (?) market share in Germany tried to block such requests and they really wanted to log such requests.
d) Based on a) we cannot block the DNS request for a domain name itself, because we don't know if the DNS requests will be redirected. We could only know if the "Stop server" IP is returned as the answer, but that would already be too late if they did the logging per DNS request on the name server.
e) logging on the DNS server makes no sense because in many cases http://domain.tld isn't illegal, only http://domain.tld/forbiddenpage.html.
A good example is the Danish list which blocked something like http://groups.google.com/...../mozilla/seamonkey/messageid . You can only log the domain.tld on the DNS server, not the requested resource on the server.
And there is another reason: from the neutral point of view, Mozilla.org will (I think) never do that. If you as a user want to protest, then simply change the DNS server used, as I did.
Feel free to write an extension that is doing what you want and every user can protest if they install your addon (if it ever works).
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago → 16 years ago
Resolution: --- → INVALID
Comment 8•16 years ago
(In reply to comment #6)
> Yes, but nothing would prevent us from adding sites to the list internally.
> Just check a site via Google's Safe Browsing API and then against an internal
> blacklist.
> Should be easy, isn't it?
Umm, actually, yeah, something like this is already used to add testing "phishing" and "malware" pages (ie. http://mozilla.com/firefox/its-an-attack.html and http://mozilla.com/firefox/its-a-trap.html). These URIs are hardcoded in source code: http://bb.homelinux.org/firefox/sources/3.0.10/mozilla/browser/components/safebrowsing/content/malware-warden.js.html#60 and http://bb.homelinux.org/firefox/sources/3.0.10/mozilla/browser/components/safebrowsing/content/malware-warden.js.html#67 .
(Note that actually I don't have an opinion regarding your proposal; I'm just sharing some info.)
Comment 9•16 years ago
1) DNS pre-fetching can be turned off. If by some bizarre legal theory mere DNS fetches can land someone in hot water in Germany our localization team can argue that we turn this off in the German version.
2) as you note there are far more straightforward ways to force your victim to access illegal content, ways that work in all browsers. The legal system must be made to take this into account (but there may be several innocent victims until it does). http://ha.ckers.org/blog/20080320/click-a-link-go-to-jail/
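As an added example (not code from this bug or from Mozilla), here is a small audit script for the "turn it off" option proposed in section II of the report and restated in comment 9. It parses a Firefox prefs.js/user.js in the real user_pref() syntax, reports whether the real preferences network.dns.disablePrefetch and network.prefetch-next are at their prefetch-off values, and emits the user.js lines that would set them; the sample profile text is constructed.

```python
import re

# Real Firefox preference names; the profile text further down is constructed.
# network.dns.disablePrefetch=true stops speculative DNS lookups for the links on a page,
# network.prefetch-next=false stops <link rel="prefetch">; absent means the default (both on).
HARDENED = {"network.dns.disablePrefetch": True, "network.prefetch-next": False}

# Matches  user_pref("name", value);  and  pref("name", value);
_PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Parse prefs.js / user.js text into a dict; a pref repeated later in the file wins."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue  # header line, // comment or blank line
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        # any other value shape is malformed: skip it rather than guess
    return prefs

def prefetch_findings(prefs):
    """Map each pref that is not at its hardened value to (actual, expected); None = unset."""
    return {name: (prefs.get(name), want)
            for name, want in HARDENED.items() if prefs.get(name) != want}

def _js_literal(value):
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value) if isinstance(value, int) else '"%s"' % value

def hardening_lines(findings):
    """user.js lines that would move each finding to its hardened value."""
    return ['user_pref("%s", %s);' % (name, _js_literal(want))
            for name, (_, want) in findings.items()]

# Constructed sample profile: DNS prefetch was turned off, link prefetch left at its default.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
// constructed sample, not a real profile
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.dns.disablePrefetch", false);
user_pref("network.dns.disablePrefetch", true);
"""
```

Running prefetch_findings(parse_prefs(SAMPLE_PREFS_JS)) flags only network.prefetch-next, and hardening_lines() turns that into the one user.js line to append.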