Discussion in 'privacy technology' started by febainy, Aug 14, 2014.
Do extensions obey Firefox proxy settings?
Well, AdBlock Plus seems to. I have a CrunchBang 11 VM with stand-alone Tor installed, and Iceweasel configured for SocksPort 9050. After installing AdBlock Plus, I verified that I could download a new subscription. Then I stopped Tor ("sudo service tor stop") and restarted Iceweasel. Iceweasel could not reach any websites, and also I could not download a new AdBlock Plus subscription. Then I reconfigured Iceweasel to connect directly, with no proxy. Now, Iceweasel could reach websites, and also I could download a new AdBlock Plus subscription. QED: AdBlock Plus respects the browser proxy setting, at least for downloading.
There is (of course) no reliable expectation that other extensions respect the browser proxy setting. You could do the same test for any extension that has observable downloading behavior. You could also test for more subtle leaks by observing with Wireshark.
Any extension can disregard/ignore the general browser.preferences settings.
For example, the popular (390,000+ installs) FoxyProxy extension does so.
Extensions are granted this freedom "by design" (not a bug).
This is a good reason to avoid relying on plug-in proxies.
I wonder whether FoxyProxy breaks the proxy setting in the Tor browser.
This is why an outbound firewall that can properly handle loopback traffic is a necessity. Correctly written rules can prevent a browser or extensions from bypassing or ignoring proxy settings. If the firewall can be set to alert when certain rules are applied, the user can be notified in near real time when a browser or extension tries to bypass proxy settings.
Even if the current versions of a browser or the extensions don't exhibit that behavior, what about the next versions or ones after that? With Firefox's rapid update policy, how easily could such a change be made with the user finding out well after the fact? The course Firefox is taking is not favorable to user privacy or anonymity. Why take the chance? It's better to be safe and preempt the problem.
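Added example (not code from any poster in this thread): a lighter-weight complement to the Wireshark and firewall-alert checks suggested above, which scans `ss -tnp` output for browser-owned TCP sockets whose peer is anything other than the Tor SocksPort. The process names, the sample output and all addresses and PIDs are constructed assumptions; it covers TCP only, so DNS over UDP needs a separate check.

```python
import re

SOCKS_PROXY = ("127.0.0.1", 9050)    # Tor SocksPort used in the thread
BROWSERS = {"iceweasel", "firefox"}  # assumed browser process names

# Constructed sample of `ss -tnp` output (documentation addresses, made-up PIDs).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
ESTAB  0      0      127.0.0.1:51234     127.0.0.1:9050     users:(("iceweasel",pid=2211,fd=45))
ESTAB  0      0      10.0.2.15:40112     203.0.113.20:443   users:(("iceweasel",pid=2211,fd=61))
ESTAB  0      0      10.0.2.15:40200     198.51.100.7:9001  users:(("tor",pid=911,fd=12))
ESTAB  0      0      127.0.0.1:9050      127.0.0.1:51234    users:(("tor",pid=911,fd=9))
SYN-SENT 0    1      10.0.2.15:40300     192.0.2.53:80      users:(("iceweasel",pid=2211,fd=70))
"""

# Matches both users:(("name",pid=123,...)) and the older users:(("name",123,...))
PROC_RE = re.compile(r'\(\("([^"]+)",(?:pid=)?(\d+)')


def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port); port is None if not numeric."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port) if port.isdigit() else None


def find_proxy_bypass(ss_output, browsers=BROWSERS, proxy=SOCKS_PROXY):
    """Return (process, pid, peer_addr, peer_port) for every browser-owned
    TCP socket whose peer is not the configured SOCKS proxy."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        match = PROC_RE.search(line)
        if len(fields) < 6 or match is None:
            continue  # header line, or socket with no process info (run ss as root)
        name, pid = match.group(1), int(match.group(2))
        if name not in browsers:
            continue  # tor's own relay connections are expected to go out directly
        peer = split_endpoint(fields[4])
        if peer != proxy:
            findings.append((name, pid, *peer))
    return findings


if __name__ == "__main__":
    for name, pid, addr, port in find_proxy_bypass(SAMPLE_SS):
        print(f"direct connection: {name}[{pid}] -> {addr}:{port}")
```

Extensions run inside the browser process, so a socket flagged here may belong to the browser itself or to any installed extension; the check only shows that something in that process went around the proxy.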