Opened 7 years ago

Closed 6 years ago

Last modified 6 years ago

#7188 closed defect (fixed)

Using Mozilla's "Sync" feature unexpectedly syncs a lot of privacy settings

Reported by: cypherpunks | Owned by: mikeperry
Priority: High | Milestone:
Component: Firefox Patch Issues | Version:
Severity: | Keywords: tbb-usability, tbb-testcase, MikePerry201312
Cc: adrelanos@… | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:

Description

Firefox has a "Sync" feature. It syncs bookmarks, web history, opened tabs, settings, home page etc. I use this on my regular Firefox (non-TBB) installation to sync bookmarks. Until a while back, it did not sync anything other than bookmarks. That seems to have changed now to include a lot of settings as well.

A few days back, however, I "synced" the TBB expecting to get all my bookmarks. But I immediately noticed that a lot of things had changed, including

  1. Default Search Engine,
  2. Privacy Settings (my sync settings had DNT enabled, DNT changed from disabled to enabled when I synced),
  3. Cookie Settings (cookies were suddenly disabled in TBB, which is how my sync settings were in regular Firefox since I use CookieMonster),
  4. Homepage (changed from check.torproject to Startpage, which I use as my homepage in regular Firefox)

I am sure there are settings other than the ones mentioned above that get changed in TBB when you sync from your Firefox settings. Obviously, this is bad for anonymity because if everyone starts to use the "sync" function, fingerprinting would be that much easier.

Needless to say, I deleted my TBB folder in Ubuntu and reinstalled it.

Possible solution - disable the "sync" function in TBB?

Change History (8)

comment:1 Changed 7 years ago by Larkdg

> Possible solution - disable the "sync" function in TBB?

Downloaded newest update of TBB (x86_64 2.2.3.9-4 on my Debian/testing - updated) and

Preferences -> Sync is NOT enabled (just "Set Up Firefox Sync" & "Pair A Device" links.)

Are you implying taking the links out altogether under Preferences -> Sync (making "Pair A Device" the only option?)

comment:2 Changed 7 years ago by fleakite

@Larkdg: Sync is NOT enabled by default. Users would have to enable them on their own by providing their email address and activation code (or recovery key).

Disabling the "Set up Sync" on TBB would be one way of solving this since the "sync" feature changes enough settings (as listed previously) on the default TBB to make fingerprinting easier and bad for anonymity.

comment:3 in reply to:  2 Changed 7 years ago by Larkdg

Replying to fleakite:

> @Larkdg: Sync is NOT enabled by default. Users would have to enable them on their own by providing their email address and activation code (or recovery key).
>
> Disabling the "Set up Sync" on TBB would be one way of solving this since the "sync" feature changes enough settings (as listed previously) on the default TBB to make fingerprinting easier and bad for anonymity.

I understood Sync is NOT enabled by default. This ticket was generated with the ending comment containing, "Possible solution - disable the "sync" function in TBB?"

I say anonymity is prior to "making fingerprinting easier" (ask TAILS devs) and recommend TBB just purge "Sync" from TBB:

... this probably has been beaten to death in the overall projects, so, I end my comments!

comment:4 Changed 7 years ago by nickm

Component: Tor → TorBrowserButton
Owner: set to mikeperry

comment:5 Changed 7 years ago by mikeperry

Component: TorBrowserButton → Firefox Patch Issues
Keywords: tbb-usability added
Priority: critical → major
Summary: Using "Set up Sync" feature in TBB changes a lot of settings; easier fingerprinting; bad for anonymity → Using Mozilla's "Sync" feature unexpectedly syncs a lot of privacy settings

I like the idea of supporting sync, because it's my understanding Mozilla more or less did it right, and it's end-to-end encrypted to the client, but I agree the pref change problem is bad.

On the other hand, perhaps people who use sync should create a separate account for their TBB syncing?

Either way, this does sound like a usability issue. I suppose we could at the very least inform people that they should only be syncing TBB profiles. Perhaps there's some sort of profile version negotiation we could make use of for this.

comment:6 Changed 7 years ago by proper

Cc: adrelanos@… added

> I suppose we could at the very least inform people that they should only be syncing TBB profiles.

Unless you can prevent settings (about:config) from syncing, I recommend against it. Since settings change with new versions, syncing a new version of TBB with old settings could harm anonymity by messing up the settings.

comment:7 Changed 6 years ago by mikeperry

Keywords: MikePerry201312 added
Resolution: fixed
Status: new → closed

Ok, I have set the default sync prefs to only allow syncing of bookmarks, history, and passwords if it is enabled for TBB 3.5. Addons, prefs, and tabs will be disabled by default (though only via pref, so users can in theory enable them).

See also #10368 for auditing Sync to decide if it is safe enough to recommend for bookmarks, history, and passwords (and if we can find some way so that only Tor Browsers are synced together).
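
Added example (not part of the ticket and not Tor Browser's own code): a small audit of a profile's `prefs.js` against the engine policy described in comment:7. It assumes the comment refers to Firefox's `services.sync.engine.*` boolean prefs, which the ticket does not name; the sample input is constructed.

```python
import re

# Policy from comment:7: these engines may sync, these are off by default.
ALLOWED = {"bookmarks", "history", "passwords"}
DISABLED = {"addons", "prefs", "tabs"}

# Matches user_pref("services.sync.engine.<name>", true|false); lines.
# Assumption: the engine prefs are the services.sync.engine.* booleans.
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\("services\.sync\.engine\.([a-z]+)",\s*(true|false)\s*\);',
    re.MULTILINE,
)

def sync_engine_overrides(prefs_text):
    """Return {engine: bool} for each explicit engine line; the last line wins."""
    return {name: value == "true" for name, value in PREF_RE.findall(prefs_text)}

def audit(prefs_text):
    """Engines explicitly switched on although the policy keeps them off."""
    found = sync_engine_overrides(prefs_text)
    return sorted(e for e, on in found.items() if on and e in DISABLED)

def unset_disabled(prefs_text):
    """Policy-disabled engines with no explicit line; the browser's built-in
    default applies to these, so check the shipped defaults separately."""
    return sorted(DISABLED - set(sync_engine_overrides(prefs_text)))

# Constructed sample, not taken from a real profile.
SAMPLE = '''\
user_pref("browser.startup.homepage", "https://example.invalid/");
user_pref("services.sync.engine.bookmarks", true);
user_pref("services.sync.engine.prefs", true);
user_pref("services.sync.engine.tabs", false);
'''

if __name__ == "__main__":
    print("explicitly enabled against policy:", audit(SAMPLE))
    print("left to browser default:", unset_disabled(SAMPLE))
```

An explicit `true` for `prefs` is the case the description hit: the prefs engine is what carried the DNT, cookie and homepage settings across profiles.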

comment:8 Changed 6 years ago by gk

Keywords: tbb-testcase added