Opened 7 years ago

Closed 7 years ago

Last modified 13 months ago

#6734 closed defect (duplicate)

TBB-Firefox sends OS+kernel in update queries to Mozilla

Reported by: rransom Owned by: mikeperry
Priority: High Milestone:
Component: Firefox Patch Issues Version:
Severity: Keywords: tbb-fingerprinting, interview
Cc: g.koppen@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

‘echelon’ in #tor reports that TBB-Firefox sends the current OS and kernel version to addons.mozilla.org:

2012-08-30 01:23:48 <echelon> https://addons.mozilla.org/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/10.0.5/Firefox/20120608001639/Linux_x86-gcc3/en-US/default/Linux%202.6.37.6-smp%20(GTK%202.24.4)/default/default/20/20/3/

This is at least an information leak, and more seriously, Firefox's ‘extension blocklist’ could be used to disable Torbutton (or other preconfigured extensions) in TBB-Firefox.
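
An added illustration, not part of the ticket or of any Tor Project or Mozilla code: the Python below splits captured blocklist requests such as the one quoted above into named fields and reports which fields differ between clients. The field names are an assumption taken from the placeholder names in Firefox's `extensions.blocklist.url` template, and the second URL is constructed sample data.

```python
from urllib.parse import urlsplit, unquote

# Assumption: placeholder names of Firefox's extensions.blocklist.url template,
# in order. The ticket itself only shows the expanded URL.
FIELDS = ("APP_ID", "APP_VERSION", "PRODUCT", "BUILD_ID", "BUILD_TARGET",
          "LOCALE", "CHANNEL", "OS_VERSION", "DISTRIBUTION",
          "DISTRIBUTION_VERSION", "PING_COUNT", "TOTAL_PING_COUNT",
          "DAYS_SINCE_LAST_PING")

# URL quoted in the ticket description.
TICKET_URL = "https://addons.mozilla.org/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/10.0.5/Firefox/20120608001639/Linux_x86-gcc3/en-US/default/Linux%202.6.37.6-smp%20(GTK%202.24.4)/default/default/20/20/3/"
# Constructed sample: same build, different host kernel/GTK and ping counters.
CONSTRUCTED_URL = "https://addons.mozilla.org/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/10.0.5/Firefox/20120608001639/Linux_x86-gcc3/en-US/default/Linux%203.2.0-29-generic%20(GTK%202.24.10)/default/default/5/5/1/"


def parse_blocklist_url(url):
    """Return {field: decoded value} for a /blocklist/3/ request URL."""
    # Split the raw path first and decode each segment afterwards, so an
    # encoded "/" (%2F) inside a value cannot shift the field positions.
    segments = urlsplit(url).path.strip("/").split("/")
    if segments[:2] != ["blocklist", "3"]:
        raise ValueError("not a version 3 blocklist request")
    values = segments[2:]
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return {name: unquote(raw) for name, raw in zip(FIELDS, values)}


def varying_fields(urls):
    """Map each field that is not identical across all requests to its values."""
    parsed = [parse_blocklist_url(u) for u in urls]
    result = {}
    for name in FIELDS:
        seen = {p[name] for p in parsed}
        if len(seen) > 1:  # value differs between clients
            result[name] = sorted(seen)
    return result


if __name__ == "__main__":
    for name, value in parse_blocklist_url(TICKET_URL).items():
        print(f"{name:22} {value}")
    print("differs between clients:", varying_fields([TICKET_URL, CONSTRUCTED_URL]))
```

Any field that shows up in `varying_fields` for otherwise identical bundles is a value the server can use to tell clients apart.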

Change History (6)

comment:1 Changed 7 years ago by gk

Cc: g.koppen@… added

comment:2 Changed 7 years ago by mikeperry

Priority: critical → major

Mozilla's half-assed cert pinning for a.m.o. should make this less of a threat. At any rate, we rely on that pinning for NoScript updates. Downgrading to 'major' for the info leak issues with the OS+Kernel version. Also, if I had to guess, that's probably the build host info, not your current info.

comment:3 in reply to:  2 Changed 7 years ago by cypherpunks

'extensions.blocklist.enabled'

Full list of connections without permissions: https://support.mozilla.org/en-US/kb/how-stop-firefox-automatically-making-connections

comment:4 Changed 7 years ago by mikeperry

Keywords: tbb-fingerprinting interview added
Summary: TBB-Firefox sends extension blocklist queries to Mozilla → TBB-Firefox sends OS+kernel in update queries to Mozilla

I think that the OS+kernel leak is the more serious issue here. The blocklist concerns are a function of TLS cert pinning weaknesses.

comment:5 Changed 7 years ago by mikeperry

Resolution: duplicate
Status: new → closed

This is a dup of either #6735 or #3555, take your pick.

EDIT: #3555 seems actually to be the wrong ticket.

Last edited 13 months ago by gk

comment:6 Changed 13 months ago by skeletonchimp

I have posted about this here:

https://trac.torproject.org/projects/tor/ticket/3555#comment:33

This issue remains. Can we please fix this?
