Closed Bug 517736 Opened 16 years ago Closed 16 years ago

keyword.enabled is true by default, should be false to protect privacy

Categories

(Firefox :: Settings UI, defect)

defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: ralf.bartzke, Unassigned)

Details

(Keywords: privacy)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; de; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3

Firefox calls http://www.google.com... with the currently entered text on typing errors in the address bar, without permission of the user. There is no possibility for a normal user to deactivate this or to remove http://www.google.com as the called search engine. If the user has by mistake entered a classified URL or a password, it will be transferred to Google.

This is a result of the default settings:
keyword.url -> http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
in connection with
keyword.enabled -> true

keyword.enabled should be changed to false until the normal user has the possibility to adjust this, and should be false by default to protect his privacy. To change the values, experienced users can enter about:config into the address bar.

Reproducible: Always

Steps to Reproduce:
1. Enter "esysjfysefsefsdfs" into the address bar and press <Return>

Actual Results:
Firefox calls www.google.com with "esysjfysefsefsdfs".

Expected Results:
Error Message
Not a security issue.
Group: core-security
Component: Build Config → General
Keywords: privacy
OS: Windows 2000 → All
QA Contact: build.config → general
Hardware: x86 → All
Because of bug 263213, URLs should not be critical (any more). But what makes the "entered password by mistake" concerning the 'I feel lucky search' different from the "entered password by mistake" on other search fields/forms in sites/other UI elements? A mistake is a mistake, isn't it?
Component: General → Preferences
QA Contact: general → preferences
Here is an example of a URL, mailed by a dealer, which contains private information:
-------------------------------------------------------------------------
If you are having problems viewing this HTML email, please use this link:
<http://www._____.com/emailbuy.php?email=bill.arm_strong@aol.com&refer=JBE&sid=1&x=1>
-------------------------------------------------------------------------
If this URL is by mistake incompletely copied from the email into the address bar, the email address contained is transferred to Google and makes it possible to attach email address and current IP number of the computer.
The fix XtC4UaLL linked to means that your scenario isn't actually possible. We only use the keyword.URL value if the entered text is not a valid URL. For the vast majority of users, this is the right tradeoff of convenience vs. privacy risk. Those who aren't willing to live with the (very minor) risk of accidentally sending private non-URL data to Google can flip the pref as you mention, or install an extension that does that.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
I disagree because I think you should give the user by default only privacy risks which he knows and with which he agrees. But that's only my personal opinion.

I point out that any inadvertently or invisibly marked or incompletely entered text can be transferred to a search engine by a simple that any user daily can happen and which he does not have to count normally. This can happen, for example, if URL data from a spreadsheet analysis software are copied or if the user forgets to enter the country identifier.

On examination of possible entered strings I discovered the following: If I entered the incomplete and artificial URL:
emailbuy.php?email=bill.arm_strong@aol.com&refer=JBE&sid=1&x=1
Firefox temporarily called a Swiss (????.ch) search engine. Another browser, SeaMonkey, doesn't do this at the same time. After the second restart of Firefox this disappeared and is currently not reproducible.
Supplement: The automatic call of any other search engine like:
http://www.search.com/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
is taken by Firefox after keyword.enabled is switched using about:config, Firefox is restarted and, for example, "search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=" is entered.
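
A defender-side check for the setting discussed in this bug, as an added example that is not part of the bug thread or of Mozilla's code: it reads the text of a profile's prefs.js and user.js and reports whether keyword search is still enabled and whether keyword.URL has been overridden. The function names and sample profile contents are constructed for illustration; the default of true for keyword.enabled is the one stated in the bug title.

```python
import re

# Matches one line of a Firefox prefs.js / user.js file, e.g.
#   user_pref("keyword.enabled", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Default named in the bug title; used when a profile sets nothing.
DEFAULTS = {"keyword.enabled": True}


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything else
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = raw  # integers etc. are kept as text
    return prefs


def keyword_search_status(prefs_js="", user_js=""):
    """Effective keyword.* settings for one profile.

    user.js is applied on top of prefs.js at startup, so it wins.
    """
    effective = dict(DEFAULTS)
    effective.update(parse_prefs(prefs_js))
    effective.update(parse_prefs(user_js))
    enabled = effective["keyword.enabled"]
    return {
        "enabled": enabled,
        # None means the profile does not override the built-in URL.
        "url_override": effective.get("keyword.URL"),
        "finding": "address-bar text that is not a URL goes to a search engine"
                   if enabled else "keyword search disabled",
    }


# Constructed sample profile contents (not taken from the bug).
SAMPLE_DEFAULT = '// Mozilla User Preferences\nuser_pref("browser.startup.page", 3);\n'
SAMPLE_HARDENED_USER_JS = 'user_pref("keyword.enabled", false);\n'
```

Pass the contents of each profile's prefs.js and user.js as strings; a profile that sets neither pref is reported with the default, enabled.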