The "Web Security" FF add-on might send sensitive data to a specific website

Discussion in 'privacy problems' started by summerheat, Aug 13, 2018.

  1. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    The German security researcher Mike Kuketz warns that the FF add-on Web Security seems to send obfuscated data to a specific IP address (136.243.163.73) over an unencrypted channel with every newly loaded or changed domain.

    Kuketz points out that @gorhill also noticed that concerning behaviour.

    Conclusion: You might want to avoid that add-on.
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    In the most positive light, in order to check URLs, the add-on is uploading seeded hashes. But they might also be collecting browsing history. As WoT, Safari, etc have done.

    I don't use these add-ons. I would use one, however, if it relied entirely on a local database of malicious URLs. Periodically updated, but with nothing leaked about queries to it.
     
  3. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    https://www.theregister.co.uk/2018/08/15/mozilla_security_plugin/

     
  4. mekelek

    mekelek Registered Member

    Joined:
    May 5, 2017
    Posts:
    518
    Location:
    Hungary
    who installs an extension called "web security" anyways??
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    OK, so let's see. They say that "the collection of browsing information is only done to check a site against Web Security's global blacklist." But that collecting browsing history "has nothing to do with tracking the users browser behavior" and that they "do not use this server communication for tracking the users browsing history."

    Hmmm. They admit to collecting browsing history. But they claim that they're not doing that in order to track browsing history. If that's the case, they ought to be explaining how whatever they do can't be used for tracking browsing history. As in using hashed URLs with salt. Or whatever. I mean, "trust us" is a worthless claim.
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    They could also download "global blacklist" to every system and perform checks locally...
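
The local-check design raised in posts 2 and 6, sketched as an added example that is not part of the thread and not the add-on's code. The `LocalBlocklist` class, the snapshot format (`version`, `hosts`) and the hostnames are assumptions constructed for illustration; the point is that `match()` decides in memory, so no visited URL is ever sent anywhere.

```javascript
// Added example: blocklist lookup done locally, no per-URL network traffic.
// The snapshot would be downloaded on a schedule; the same file goes to every
// user, so the download itself carries no browsing data.
function normalizeHost(host) {
  // Lowercase and drop a trailing root dot ("evil.example." -> "evil.example").
  return host.toLowerCase().replace(/\.$/, "");
}

class LocalBlocklist {
  constructor() {
    this.version = 0;
    this.hosts = new Set();
  }

  // Install a newer snapshot; stale or replayed versions are ignored.
  update(snapshot) {
    if (!Number.isInteger(snapshot.version) || snapshot.version <= this.version) {
      return false;
    }
    this.hosts = new Set(snapshot.hosts.map(normalizeHost));
    this.version = snapshot.version;
    return true;
  }

  // Returns the matching list entry, or null if the URL is not listed.
  match(url) {
    let parsed;
    try {
      parsed = new URL(url);
    } catch {
      return null; // not a parseable URL
    }
    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
    const labels = normalizeHost(parsed.hostname).split(".");
    // Test the host and each parent domain, stopping at two labels, so that
    // "login.phish.example" matches an entry for "phish.example" while
    // "notphish.example" does not (label-wise match, not substring).
    for (let i = 0; i + 1 < labels.length; i++) {
      const candidate = labels.slice(i).join(".");
      if (this.hosts.has(candidate)) return candidate;
    }
    return null;
  }
}
```

The trade-off mirimir mentions in the next post applies: every client holds the whole list, so the list cannot be kept private with this design.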
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    True. But maybe they want to keep that blacklist private?
     
  8. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,881
    Location:
    Slovenia, EU
    Yes, that's possible. It also seems that the add-on has been taken down:

    upload_2018-8-17_5-51-34.png
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,032
    Location:
    Texas
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Good for them :thumb:
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Exactly, people should not fall for this crap.
     
  12. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Do I have any good reason to be suspicious of Firefox and their latest changes? I've noticed problems with the option "drop rights" in Sandboxie due to changes that they are making and now this:

    "The incident follows a report last week that German security add-on ‘Web Security’ had been misbehaving. Mozilla had highlighted the add-on in a blog post promoting a collection of security-focused extensions to the browser. That prompted eagle-eyed techies to pick apart the program and find out exactly what it was doing. They discovered it assigning each user an ID and sending information labelled ‘old-URL’ and ‘new-URL’ to a consistent IP address."

    https://nakedsecurity.sophos.com/2018/08/20/firefox-axes-add-ons-developer-pushes-back/
     
  13. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,001
    Location:
    Member state of European Union
    Addon and problem with Sandboxie? I don't think this can be related.
     
  14. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    It sounds like Facebook. Every time someone finds something they're like, oh, uh, how'd that get there. We'll fix it. I'm afraid that Firefox is gone and is no longer trustworthy. I have an idea who may be behind it but I don't want to get political. And I really don't know, unless it's just greed, but I no longer trust them anymore. And since they've made these new changes you can no longer use drop rights in Sandboxie. Does anyone know of a safe, trustworthy browser?
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Well, Firefox is still a lot better about extension security than Chrome.
     
  16. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    Oh it's most definitely related and it's not just one simple addon. Drop rights is a problem now too. They seem to insist on having administrative privileges.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    See https://blog.mozilla.org/futurereleases/2018/08/30/changing-our-approach-to-anti-tracking/

    ...
     
  18. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    It's relevant evidence for good intent by Mozilla.
     
  20. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
  21. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    What does that mean? o_O
     
  22. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,363
    Location:
    Oz
    If you go into Sandboxie settings, right click on Sandbox default box, go down and choose settings, and then restrictions, you can check "drop rights" and that takes away administrative privileges for anything running in the sandbox. But it's fixed now in the new version.
     