Can Facebook/Google steal https connections info?

Discussion in 'privacy technology' started by amarildojr, Dec 10, 2015.

  1. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    I'm here wondering if it's dangerous, from a privacy and security standpoint, to use Facebook/Google while doing e-Mail with SSL.

    Personally I don't think their sites' plugins/scripts are malicious, I think they "steal" only the data you put on their servers. However, considering how scarred the images of these companies are, and considering who they work with (like Akamai), I'm starting to think whether I should stop using these websites while private browsing, because of this fear that I have towards them (Google, Facebook) stealing https connections and their info, like passwords etc.

    What do you guys think?

    PS: I had to create a Facebook and Google account, but I'm considering shutting them off for the 7th time.
     
  2. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    I don't think that scripts on sites in one tab can read data from sites in another. XSS protections and other browser built-in protections should prevent that from happening. But you never can be sure, I guess. So to be sure you can use different browsers for different activities or log in to only one service per session.
    If you are talking about browser extensions or plugins - well then things are different.
     
  3. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    I only use plugins that are known and licensed under GPL or similar. No Closed-Source software runs on my machine. So Noscript, RequestPolicy, https-Everywhere, and uBlock Origin.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    For anything that I care that much about, I just use a different VM.
     
  5. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,592
    I had the same question as amarildojr but never was fully comfortable with arriving at the total answer. Therefore, I ascribe to something similar as Minimalist mentioned on my REAL NAME computer. I use Debian and therefore Iceweasel by default. I have set up private instances for several significant things, such as one for banking and another for email. Email was your question; and for that by running a profile/instance strictly for my email I don't have to worry about cross talk/contamination when I use the other Iceweasel instances. If you open Iceweasel (Firefox) directories you will see the activity is saved in completely separate folders and pretty securely sequestered from communicating with the other instances. It's a very effective approach. There is no problem opening multiple instances concurrently if you want to. I prefer to try and maintain one at a time just because! I do make exceptions if the site I am accessing is pretty trusted by me. On my generic "general" Iceweasel instance/profile I have it about as locked down as you can get. It's totally clean when the browser session closes. That means I close the general browser and re-open it ALWAYS between sites. If you are really nervous about it you could firejail/sandbox so nothing is allowed in your email instance but what you configure. I don't feel I need that and I have never seen any "dirt", and believe me I have looked.

    The above is for my REAL NAME only machine. I am much more compartmentalized and "over the top" on my hobby computers. My personal choice is to avoid the VM route on the "family" computer. It would be more secure but I am comfortable as described above.
     
  6. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    I always use a different browser that is not logged in for searching and browsing. I have separate browsers for logged in Google account use and Google search. I have another browser for Facebook. I set up dedicated browsers as single site clients for both Google and Facebook with scripting allowed only for the necessary domains. I do this in both Windows and Linux. I have been doing it this way for many years. This is on my real persona computer. Google could correlate searches coming from the same IP so anything I don't want coming from that IP gets done through a VPN on a different computer on a different subnet.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    :thumb:
     
  8. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    So, basically, if I keep NoScript protections enabled, I should be fine? Even though I must allow Facebook and Google's plugins to run?
     
  9. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    330
    Use different profiles for different purposes. Because they do that and after that they are going to say "Oh sorry it is a bug", "We did this by mistake". Latest google "mistake" was eavesdropping with chromium on debian.
     
  10. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Compartmentalize. Put Facebook on Chromium and Google on Firefox for example. Test with plugins disabled and enable if things don't work. I have almost all the plugins disabled and those that are enabled are on click to play. I had been using Opera Blink for Facebook but since the last two revisions took away the flags to disable sync, I've switched to open source Chromium for Facebook.
     
  11. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    406
    Well, in newer versions of the popular "web browsers"...

    ServiceWorkerMessageEvent
    https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API
    https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API/Using_Service_Workers
    In that quoted bit, didya notice that ServiceWorker routines CAN place cross-origin requests?

    IMO, we've (again) been sold down the river by Mozilla introducing this crap into firefox.
    Now we're faced with the "2 out of 3 of the major browser are supporting it, so it should be adopted as a hard html spec" eventuality.

    ============
    edited to add:
    Service workers are only available for use by "webapps", not "content scripts", but you can see where things are heading ~~
    please LIKE us, please install our app ---} 10% off if you LIKE us ...and content available exclusively via our app.
     
    Last edited: Dec 13, 2015
  12. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    Do you know which setting(s) change this behavior?
     
  13. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
    I believe it will be possible to give multiple isolated compartments to a single browser using Firejail on Linux, if you have used that. The advantage is that, if you trust what Firejail is doing (which "ought" already to be in the browsers!), it offers the isolation/sandbox/rollback facilities plus you would only need to learn and maintain the foibles of one browser. Effectively you'd have a command line + specific parameters for each one of the compartments you mention. Anyway, that's one of the tasks I'm looking at trying next.
     
  14. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Firejail does sound pretty cool. I've been in the habit of multiple browser use for a long time and since I've been doing new Linux installs, I've been trying out a lot of new browsers. What I'm finding is that Chromium based browsers are all pretty similar in the way they work but differ in what they implement. Chromium itself is pretty nice because it has the sandboxing but not the Google specific code of Chrome. I can run it alongside Chrome with no problems and have Chrome logged into Google and Chromium doing Facebook. Facebook has exposed me to all kinds of questionable links and having the sandbox is nice.
     
    Last edited: Dec 13, 2015
  15. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    I'll see if I can use Firejail in such a way that, when I allow Google/Facebook plugins in one browser, these permissions won't cross to the other browser.
     
  16. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
    Agree the combination of Chrome/Chromium is productive and little culture shock.

    The good aspect of Firejail is, for me, that it is relying on existing kernel facilities, and separates the trust of using that aspect from the browser (which I don't trust sufficiently). It's true that Chrome/Chromium are using some of the same isolation techniques that apply in Firejail, but give you little control or confidence in what might be happening behind the scenes (whereas Firejail is very configurable, including networking firewall and DNS controls). Plus I wouldn't use FF without Firejail at all.
     
  17. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    I'll never use Chromium/Chrome. Chrome is proprietary, and Chromium silently uploaded a proprietary blob that allowed the program to spy on its users. You can't trust software like that.

    The only browser I'll be using is Parabola's Iceweasel, completely GNU ;) I already contacted Firejail's developer to see how to separate two browser instances.
     
  18. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Any specifics on this blob?
     
  19. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    https://lwn.net/Articles/648392/

    @MisterB
     
  20. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,871
    What complete rubbish.
    It does not "spy" on its users. It's serving a genuine purpose.
    Incidentally Linux leaves your microphone on by default... is Linux spying on us too?

    First off, when I was using Chrome I tested this and you have to enable your microphone. Secondly, it asks if it can access your microphone and there are settings within Chrome to turn it off. It really is that simple.

    You can simply change your search engine and remove Google search entirely from Chrome. Also the microphone icon in Google search needs to be pressed.
    There are several ways this can be de-activated.
     
  21. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    Linux is just a Kernel, it can't change the microphone settings by itself. Arch, for instance, leaves everything muted by default, the user must unmute what he/she wants.

    My biggest problem with Chromium is that it stealthily downloaded a proprietary blob. Especially since it was present in the "Main" Debian repo and considered fully Open-Source, users should expect to have no proprietary code running on their system. Chromium then betrayed its users. Add that to the fact that this stealth proprietary executable automatically gets Mic permissions without user consent: yes, it's spyware.

    They might have changed how the blob works NOW, but back then it spied on Linux and Windows users, I'm not aware about Mac users. And it's a blob after all. Chromium will never gain my trust again.

    Parabola, on the other hand, is doing an awesome job gathering the not-so-private Debian's Iceweasel and turning it into a truly privacy-friendly and GNU browser.
     
  22. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    Well, it looks like I missed the blob since my installs of Chromium are less than a month old. I will check them anyway. It isn't a big issue considering that I'm using it for Facebook and privacy is obviously not the biggest concern in my use of it. Any microphone that is under software control is a potential privacy issue. The best way to deal with it is to disable it in the BIOS or pull the cable connector if you really want to be sure it isn't being used without your permission.
     
  23. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,149
    Location:
    UK
    Trusting any browser is potentially risky, either now or downstream. How many people actually review the code, and browsers have become huge and complex and have the potential to be a cuckoo (think webrt for example) - hence the value of a two-factor approach to compartmentalisation with something like Firejail or Apparmor etc.

    @amarildojr - please report back if you get feedback from the FireJail developer - I can't see any constraints with popping the instances in separate namespaces for example, but would be interested to see what their recommendation is. I can recommend compiling FireJail from source on Debian as that gives best checksum control over the .deb if that's the route you need.
     
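One way to get the "one browser, several isolated compartments" setup that deBoetie describes in posts 13 and 23 (and the per-purpose Iceweasel profiles Palancar uses) is a small launcher that starts each compartment in its own Firejail sandbox with its own private home. This is an added example, not code from the thread, from Firejail or from any browser project. It assumes `firejail` is on PATH with the documented `--name`, `--private`, `--caps.drop`, `--seccomp` and `--net=none` options, and a Firefox-derived browser that accepts `--no-remote` and `--profile <dir>`; the directory layout under `JAIL_ROOT` is this script's own convention.

```shell
#!/bin/sh
# Added example (not from the thread or the Firejail project): one launcher,
# one Firejail sandbox per browser compartment (mail, banking, social...).
# Each compartment gets a private home, so the profile, cookies and cache of
# one never sit on disk next to another's, and extensions or site permissions
# granted in one compartment cannot leak into another.
# Assumed: firejail with --name/--private/--caps.drop/--seccomp/--net=none,
# and a browser accepting --no-remote --profile <dir>.

JAIL_ROOT="${JAIL_ROOT:-$HOME/jails}"   # layout is this script's convention
BROWSER="${BROWSER:-firefox}"           # or iceweasel

# Create the private home (owner-only) for one compartment if missing,
# and print its path.
ensure_home() {
    name="$1"
    home="$JAIL_ROOT/$name"
    if [ ! -d "$home" ]; then
        mkdir -p "$home/profile"
        chmod 700 "$home"
    fi
    printf '%s\n' "$home"
}

# Build (but do not run) the command line for one compartment, so it can be
# inspected. A second argument of "offline" gives the sandbox no network at
# all, e.g. for a compartment used only to open downloaded files.
compartment_cmd() {
    name="$1"
    net="${2:-online}"
    home="$JAIL_ROOT/$name"
    netopt=""
    if [ "$net" = "offline" ]; then
        netopt=" --net=none"
    fi
    printf 'firejail --name=%s --private=%s --caps.drop=all --seccomp%s %s --no-remote --profile %s/profile\n' \
        "$name" "$home" "$netopt" "$BROWSER" "$home"
}

# Create the home, then replace this shell with the sandboxed browser.
launch() {
    ensure_home "$1" >/dev/null
    cmd=$(compartment_cmd "$1" "${2:-online}")
    # Word-splitting is intentional here; JAIL_ROOT must not contain spaces.
    # shellcheck disable=SC2086
    exec $cmd
}

# Usage: ./compartments.sh mail       -> sandboxed browser for email only
#        ./compartments.sh social     -> a separate one for Facebook/Google
#        ./compartments.sh viewer offline
if [ "$#" -gt 0 ]; then
    launch "$@"
fi
```

Because each sandbox has `--name`, `firejail --list` shows which compartments are running, and `--private` means closing the browser throws away nothing: the compartment's profile persists in its own directory while still being invisible to every other sandbox.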
  24. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    @deBoetie Thanks but I've decided to stick with Arch. I'm using Firejail from AUR, which is recommended from NetBlue's website.
     