Opened 10 months ago

Closed 9 months ago

Last modified 9 months ago

#9195 closed defect (fixed)

Disable download manager scanning (reports downloads to cloud for many AV systems)

Reported by: cypherpunks Owned by: erinn
Priority: critical Milestone:
Component: Tor bundles/installation Version:
Keywords: tbb-pref, MikePerry201307 Cc:
Actual Points: 0.5 Parent ID:
Points:

Description

I have found that the latest Tor Browser Bundle (tor-browser-2.3.25-10_en-US.exe), when installed as instructed, uses a default setting of:
browser.download.manager.scanWhenDone;true

Which can be found by:
opening a tab with "about:config" in Tor Browser
and typing 'scan' in the "Search:" field.

The default setting should be set to false, and all Tor Browser Bundles should ship with this setting:
browser.download.manager.scanWhenDone;false

Why?

Anyone who uses Microsoft Security Essentials or another cloud based AV product will transmit the filename and hash of EACH downloaded file in the clear to be vacuumed up by the NSA or their own domestic stasi equivalent. If I were a Chinese or Syrian citizen I would soil my pants. (Not that our own governments are better.)

To verify this:
Obtain a Windows box which uses MSE (with default settings).
Install Wireshark.
Install the latest Tor Browser Bundle.
Start Wireshark and start capturing traffic.
Start Tor Browser.
Download any file that would trigger MSE, such as
https://www.torproject.org/dist/torbrowser/tor-browser-2.3.25-10_en-US.exe
Watch MSE transmitting info (filename & hash) about this file to Microsoft.

Note: You can disable cloud scanning in MSE and other similar products, but this is too much to ask of most users. It is better to avoid this problem completely since we know that NSA has installed backdoors into Microsoft networks.

The drawback is that users are, presumably, slightly less protected from viruses by not scanning files when downloaded. But if the user has any decent AV product and updates the definition files regularly, the file would be scanned when used.
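The audit script below is an added example, not Tor Project or Mozilla code: it parses the `user_pref("name", value);` lines of a Firefox-style `prefs.js`/`user.js` file and reports whether `browser.download.manager.scanWhenDone` carries the value this ticket asks for. The sample prefs text is constructed, and the function names and the `EXPECTED` table are assumptions of this script rather than anything the Tor Browser Bundle ships.

```python
import re
from pathlib import Path

# Constructed sample in Firefox's prefs.js/user.js syntax (not a real Tor Browser profile);
# the first user_pref line shows the default the ticket complains about.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("browser.download.manager.scanWhenDone", true);
user_pref("browser.download.useDownloadDir", false);
user_pref("network.proxy.socks_port", 9150);
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0");
"""

# Prefs this audit expects, with the values it wants to see. This table is an assumption of
# the script, not a list maintained by the Tor Project; only the pref from the ticket is listed.
EXPECTED = {
    "browser.download.manager.scanWhenDone": False,
}

# One user_pref("name", value); line. The name is a double-quoted string; the value is
# true/false, an integer, or a double-quoted string (quotes inside it are backslash-escaped).
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.+?)\);\s*$')


def parse_value(raw):
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line; comments and blank lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("//", "#", "/*", "*")):
            continue
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def _differs(actual, want):
    # Type-aware comparison so that an integer 0 does not pass for a boolean False.
    return type(actual) is not type(want) or actual != want


def audit(prefs, expected=EXPECTED):
    """Return (pref, actual, wanted) for every expected pref that is missing or differs.
    A missing pref is reported with actual=None: Firefox then uses its built-in default,
    which the ticket reports as true for scanWhenDone, so absence is not a safe state."""
    return [(name, prefs.get(name), want)
            for name, want in expected.items()
            if _differs(prefs.get(name), want)]


def audit_profile(profile_dir):
    """Read prefs.js and then user.js from a profile directory; user.js wins, as in Firefox."""
    merged = {}
    for fname in ("prefs.js", "user.js"):
        path = Path(profile_dir) / fname
        if path.is_file():
            merged.update(parse_prefs(path.read_text(encoding="utf-8")))
    return audit(merged)


if __name__ == "__main__":
    for pref, actual, wanted in audit(parse_prefs(SAMPLE_PREFS)):
        print(f"{pref}: is {actual!r}, should be {wanted!r}")
```

Run against the constructed sample it reports the one offending pref; pointed at a real profile directory with `audit_profile()` it reads `prefs.js` and `user.js` in the order Firefox applies them, so a `user.js` override of the setting is honoured.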

Child Tickets

Change History (7)

comment:1 Changed 10 months ago by arma

Looks important.

comment:2 follow-up: Changed 10 months ago by mikeperry

  • Keywords tbb-pref MikePerry201307 added; Tor Browser Bundle removed
  • Priority changed from major to critical

Thank you for the detailed explanation. I didn't realize that AV systems had moved into the cloud for verifying stuff like this.

Also, it seems an incredibly invasive way for them to do it, too. Why didn't they just use a bloom filter or similar mechanism to query for and download hash lists before resorting to such a submission (like how Google's safebrowsing lists work)?

Are they purposefully doing it wrong to collect/mine/sell user data, I wonder? Someone should probably also contact a few tech reporters about this (if they haven't already reported on it). There is no technical reason for these AV systems to work this way.
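As an added illustration of the mechanism mikeperry asks about (not code from any AV vendor, Mozilla or the Tor Project, and a simplified model rather than Google's actual Safe Browsing protocol): the first function shows what leaves the machine under the submission scheme the ticket describes, filename plus full hash for every download; the rest shows the alternative, a locally held Bloom filter of hash prefixes that is only consulted on the client, with a short prefix sent to the server only when the local filter fires. The "blocklist" entries are constructed byte strings, and every name below is an assumption of this example.

```python
import hashlib

PREFIX_LEN = 4  # bytes of the SHA-256 digest the client is willing to reveal on a local hit


def sha256(data):
    return hashlib.sha256(data).digest()


# Constructed server-side blocklist: full digests of two made-up byte strings standing in
# for known-bad files. These are not real malware hashes.
BAD_SAMPLES = [b"constructed-bad-sample-1", b"constructed-bad-sample-2"]
BAD_FULL_HASHES = {sha256(s) for s in BAD_SAMPLES}


class BloomFilter:
    """Minimal Bloom filter: k bit positions per item, derived from SHA-256 with a one-byte salt.
    Answers are 'definitely not present' or 'probably present' (false positives only)."""

    def __init__(self, m_bits=4096, k=3):
        self.m, self.k = m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, item):
        for salt in range(self.k):
            digest = hashlib.sha256(bytes([salt]) + item).digest()
            yield int.from_bytes(digest[:4], "big") % self.m

    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item):
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


# Client-side list: a Bloom filter over hash *prefixes*, fetched once (as a list update would
# be) and queried locally. It holds no filenames and no full hashes.
LOCAL_FILTER = BloomFilter()
for h in BAD_FULL_HASHES:
    LOCAL_FILTER.add(h[:PREFIX_LEN])


def naive_submission(filename, file_bytes):
    """The scheme the ticket describes: filename plus full hash leave the machine for every download."""
    return {"filename": filename, "sha256": sha256(file_bytes).hex()}


def server_lookup(prefix):
    """Server side of the prefix scheme: every blocklisted full hash sharing the prefix.
    The server learns only the prefix, and only when the client's local filter fired."""
    return [h for h in BAD_FULL_HASHES if h[:PREFIX_LEN] == prefix]


def client_check(file_bytes):
    """Returns (verdict, bytes_sent); bytes_sent is None when nothing left the machine."""
    full = sha256(file_bytes)
    prefix = full[:PREFIX_LEN]
    if prefix not in LOCAL_FILTER:
        return "clean", None                    # local miss: no network traffic at all
    candidates = server_lookup(prefix)          # local hit (or false positive): prefix only
    verdict = "malicious" if full in candidates else "clean"
    return verdict, prefix


if __name__ == "__main__":
    print("naive:", naive_submission("download.exe", b"constructed-benign-download"))
    print("prefix scheme:", client_check(b"constructed-benign-download"))
    print("prefix scheme, listed file:", client_check(BAD_SAMPLES[0]))
```

The contrast is in the second element of `client_check`'s result: for the overwhelming majority of downloads it is `None`, and even on a hit the server sees a 4-byte prefix shared by many unrelated files rather than a filename and a full digest. A Bloom filter false positive costs one extra prefix query, never a wrong verdict, because the final comparison against the returned full hashes happens on the client.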

comment:3 in reply to: ↑ 2 ; follow-up: Changed 10 months ago by runa

Replying to mikeperry:

Thank you for the detailed explanation. I didn't realize that AV systems had moved into the cloud for verifying stuff like this.

From http://kb.mozillazine.org/Browser.download.manager.scanWhenDone: "... this preference is only used for scanning completed downloads and only has an effect if you have antivirus software installed and are running Windows" ... "Starting in Firefox 3.7, also apply Windows security policy checks".

comment:4 in reply to: ↑ 3 Changed 10 months ago by cypherpunks

Replying to runa:

Replying to mikeperry:

Thank you for the detailed explanation. I didn't realize that AV systems had moved into the cloud for verifying stuff like this.

From http://kb.mozillazine.org/Browser.download.manager.scanWhenDone: "... this preference is only used for scanning completed downloads and only has an effect if you have antivirus software installed and are running Windows" ... "Starting in Firefox 3.7, also apply Windows security policy checks".

Yes, scanWhenDone + AV works as intended on a Windows system. Many AV providers are quite open about adding "cloud" features to their products.

It is after the PRISM revelations that the consequences become dire.

1.) Please verify that you can reproduce the described behaviour.

2.) I may be mistaken about the usage of the term "cloud" in relation to MSE. This is because it has been a long time since I replaced it with Comodo and I don't remember what label MSE used for the feature. But most companies assign different meaning to the same terms, so it doesn't matter what it is called. Many AV companies do have separate products aptly named "Cloud Scanner", but that MSE had a cloud scanning feature enabled by default came as a surprise to me.

3.) The concern for the Torproject in this matter is in respect to the default setting used in TBB. How to correctly use AV products to maintain some level of privacy lies outside the scope of Torproject. But this problem illustrates the difficulty of keeping netizens safe and protecting their privacy, and also points to the urgent need for a collaboration with other groups to produce a "The Netizens How-To Guide to Privacy and Safe Computer Usage" ebook.
EFF, EPIC and The Internet Defense League come to mind as collaborators.
I can provide a draft of the structure for such a book, if asked.

4.) What is the feature called in Comodo? = "Use cloud while scanning".

5.) What documentation gives this information?
http://help.comodo.com/topic-72-1-451-4757-Scan-Profiles.html
(This site requires JavaScript.)
Quote:
"Use cloud while scanning - Selecting this option enables the Antivirus to detect the very latest viruses more accurately because the local scan is augmented with a real-time look-up of Comodo's online signature database. With Cloud Scanning enabled your system is capable of detecting zero-day malware even if your local anitvirus [SIC] database is out-dated. (Default = Disabled)."
... [snip] ...
"Update virus database before running – Selecting this option makes CIS to check for virus database updates and if available, update the database before commencing the scan. (Default = Disabled)."

6.) If someone contacts tech reporters, ask them to investigate McAfee's HackerWatch (and all components of their product for privacy leaks).

http://md5.hackerwatch.org
I suspect McAfee is more eager to watch their users than "hackers".

comment:5 Changed 9 months ago by mikeperry

  • Actual Points set to 0.5
  • Resolution set to fixed
  • Status changed from new to closed

I changed this pref in git for TBB-2.4 and 3.0.

comment:6 Changed 9 months ago by mikeperry

  • Summary changed from Bad default setting in Tor Browser Bundle poses a severe privacy risk. to Disable download manager scanning (reports downloads to cloud for many AV systems)

comment:7 Changed 9 months ago by nickm

I don't disagree with this change, but I note that AV software does ostensibly serve a purpose, and that while this change will make some users not get traced when they download stuff, it could make those users get trojaned more easily when they do download software-like things and run them. Is there anything we can do to ameliorate that?
