Opened 4 years ago

Closed 2 years ago

Last modified 8 months ago

#17898 closed defect (fixed)

Disable Firefox' new Tracking Protection in ESR 45

Reported by: cypherpunks Owned by: gk
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: ff45-esr, tbb-6.0a5, TorBrowserTeam201604R, GeorgKoppen201604
Cc: brade, mcs, gk, elypter Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Firefox's new Tracking Protection includes 2 lists, 1 basic and 1 strict list with the basic enabled by default in private browsing (the mode TBB uses by default).

How will this need to be configured in Firefox 45 ESR when it lands?

There's a config value that can also be toggled so protection works even without private browsing mode on for users that allow history on (= private browsing mode switched off)

Is there a way to link this in with the security slider (basic protection for lower levels and strict for high)?

Child Tickets

Attachments (1)

0001-Bug-17898-Disable-Tracking-Protection.patch (1.1 KB) - added by gk 4 years ago.

Download all attachments as: .zip

Change History (19)

comment:1 Changed 4 years ago by mcs

Cc: brade mcs added

comment:2 in reply to:  description ; Changed 4 years ago by gk

Cc: gk added
Keywords: ff45-esr added

Replying to cypherpunks:

Firefox's new Tracking Protection includes 2 lists, 1 basic and 1 strict list with the basic enabled by default in private browsing (the mode TBB uses by default).

How will this need to be configured in Firefox 45 ESR when it lands?

Seems we have to set privacy.trackingprotection.pbmode.enabled to false

Is there a way to link this in with the security slider (basic protection for lower levels and strict for high)?

Well, the security slider (as the name says) is for security related things while tracking protection aims at defending against cross-origin tracking. These are different things and I think we should not mix them. This would further complicate things and would make an analysis of the properties Tor Browser provides even harder. Thus, no, there are no plans to expose this in the slider.

comment:3 in reply to:  2 ; Changed 4 years ago by mcs

Replying to gk:

Well, the security slider (as the name says) is for security related things while tracking protection aims at defending against cross-origin tracking. These are different things and I think we should not mix them. This would further complicate things and would make an analysis of the properties Tor Browser provides even harder. Thus, no, there are no plans to expose this in the slider.

I agree that we should not mix privacy related things into the security slider settings. But if features such as tracking protection break a lot of websites, we may eventually want to provide a way for users to choose how much privacy protection they need. That said, at this point in time I do not think we have enough experience to decide what to group together in order to make a user interface that users would be able to understand.

comment:4 Changed 4 years ago by cypherpunks

There is also the value privacy.trackingprotection.enabled which is set to false by default (meaning it only works in PB mode). I think both this value as well as privacy.trackingprotection.pbmode.enabled need to be set to true.

From my experience, basic seems to very rarely (if at all) break any sites core functionality but it is more common for strict to break sites.

If not in the security slider, it would be seem ideal to implement it in a similar fashion to allow users a tradeoff for increased privacy.

Last edited 4 years ago by cypherpunks (previous) (diff)

comment:5 in reply to:  3 Changed 4 years ago by gk

Replying to mcs:

Replying to gk:

Well, the security slider (as the name says) is for security related things while tracking protection aims at defending against cross-origin tracking. These are different things and I think we should not mix them. This would further complicate things and would make an analysis of the properties Tor Browser provides even harder. Thus, no, there are no plans to expose this in the slider.

I agree that we should not mix privacy related things into the security slider settings. But if features such as tracking protection break a lot of websites, we may eventually want to provide a way for users to choose how much privacy protection they need. That said, at this point in time I do not

I am a bit confused because we want to *disable* it by default. And that should not break anything as this is the default mode (outside of PB). And then there is section 2.3.5 of the Tor Browser design documentation. :)

So, I kind of repurposed this bug to make sure we have the new tracking protection in PB disabled as well in ESR45 (seems I was not clear enough).

comment:6 Changed 4 years ago by cypherpunks

These lists must be disabled, because they are fingerprintable. That's why we advice not to use adblockers.

comment:7 in reply to:  6 Changed 4 years ago by cypherpunks

Replying to cypherpunks:

These lists must be disabled, because they are fingerprintable. That's why we advice not to use adblockers.

That's because not everyone uses adblockers. Protection lists are default in Firefox private browsing now. How much more/less fingerprintable will TBB users be with these lists off than on?

comment:8 Changed 4 years ago by gk

Cc: elypter added
Summary: Firefox new Tracking ProtectionDisable Firefox' new Tracking Protection in ESR 45

See: https://ieee-security.org/TC/SPW2015/W2SP/papers/W2SP_2015_submission_24.pdf and there the introduction (especially the demo) for (additional) arguments against the blacklisting approach. Oh, and you probably know that Mozilla is exempting trackers because those are so important that they can't allow them to be broken (which they would if they just took Disconnect.me's blocklist): https://github.com/mozilla-services/shavar-list-exceptions. See: https://bugzilla.mozilla.org/show_bug.cgi?id=1101005 for all the breakage due to the tracking protection feature.

comment:9 Changed 4 years ago by gk

Resolving #17167 as a duplicate of this one.

comment:10 Changed 4 years ago by gk

Keywords: tbb-6.0a5 added

comment:11 Changed 4 years ago by gk

Keywords: TorBrowserTeam201604 added

We want that for the alpha and the ESR 45 stable series.

comment:12 Changed 4 years ago by gk

Keywords: GeorgKoppen201604 added
Owner: changed from tbb-team to gk
Status: newassigned

comment:13 Changed 4 years ago by gk

Keywords: TorBrowserTeam201604R added; TorBrowserTeam201604 removed
Status: assignedneeds_review

Looking at the implementation it seems setting privacy.trackingprotection.pbmode.enabled to false should be enough to disable Tracking Protection. The attached patch is up for review.

comment:14 Changed 4 years ago by mcs

r=mcs, r=brade
Looks good.

comment:15 Changed 3 years ago by gk

Resolution: fixed
Status: needs_reviewclosed

This is commit 639e137de46de4f0151455062d7001ec9c46d495 on tor-browser-45.0.2esr-6.x-1.

comment:16 Changed 2 years ago by cypherpunks

Resolution: fixed
Status: closedreopened

Why not disable(unclickable) & hide it from the UI?

comment:17 in reply to:  16 Changed 2 years ago by gk

Resolution: fixed
Status: reopenedclosed

Replying to cypherpunks:

Why not disable(unclickable) & hide it from the UI?

Yes, I think that is a reasonable suggestion. We have #21545 for that for what it is worth.

comment:18 Changed 8 months ago by eddie007

you still going there ​http://fixwindows10connections.com homepage and learn how to install wireless display in your device and easy to control your display in others computer

Note: See TracTickets for help on using tickets.