Mozilla-endorsed security plug-in accused of tracking users

A security plug-in for the Firefox browser is under fire after users discovered it was collecting and uploading their online activity. The outcry began after Mozilla featured the Web Security extension on its blog with a post titled "Make Your Firefox Browser a Privacy Superpower." The plug-in, developed by German company …

  1. Anonymous Coward

    'Check a site against Web Security's global blacklist'

    Isn't the built-in Firefox 'Block Reported Sites' option supposed to do this? Browsers used to download a block list locally. And besides, why isn't this being done client-side anyway? Privacy risk? BND-NSA abuse?

    1. big_D Silver badge

      Re: 'Check a site against Web Security's global blacklist'

      Given the speed with which new sites can appear, to do this in real time, you'd either need to download the updated list before every page view or you need to send the domain name to the service for checking.

      The other question is, how much space will that take up? For a properly indexed database, you need to install a database engine, not something the add-on is allowed to do, create the relevant tables, index them and then populate it every few minutes with any changes. That would be a complete logistical nightmare to implement, especially over hundreds of thousands or millions of devices.

      I understand the privacy problem, but on the other hand, I don't see a way to make the add-on fast and light and useful. A local black list will take up a lot of space and will always be out of date. A local white list with the top 1,000 sites might work, then anything else would be sent for checking.

      It is a tradeoff, you have to hope that they aren't logging your ID and URLs visited in return for decent security.

      I'll wait until the story is fully disclosed, before leaping to any conclusions.

  2. Anonymous Coward

    Firefox already sends all your data to Google if you enable the "dangerous and deceptive" filter.

    1. This post has been deleted by its author

      1. Anonymous Coward

        Re: 'Firefox already sends all your data to google'

        Sorta, in that Google runs a bunch of services that Firefox supports, like its malware and malicious site lookup. If you feel like breaking the plumbing you can change the embedded URLs in about:config. You have the standard Google promise they won't be Evil with the info, but there are no technical limitations preventing them from skimming the information, just legal concerns.

        That said, your DNS is about as big a privacy leak. That said, unless the block list is huge and has a high churn rate it would be safer, and more resilient, to push the list to the client. They probably don't because they don't want someone bogarting the blacklist database.

        Or they're just selling it to a three letter agency for cash and giggles. Plenty of fish and security extensions in the sea. At least Mozilla is less of an open sewer than the Android app store.

        1. Len

          Re: 'Firefox already sends all your data to google'

          If you read how Firefox's built-in Phishing and Malware Protection works then you'd know that the URLs you visit are never sent to Google. Instead, the browser holds a continuously updated local list of hashes (to limit the size) of suspect domain names and verifies every link you visit against that.

          https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work

    2. Anonymous Coward

      Is it really too difficult to read how Firefox's phishing and malware protection actually works or do you just like spreading FUD?

      1. This post has been deleted by its author

  3. Mayday
    Flame

    Standard

    "We take privacy very..."

    Slightly different tack here. Normally it is "seriously". This time it is "important".

    I think my definition and any vendor's/supplier's etc. differ.

    1. Tree
      Pirate

      Re: We Take PIRACY very seriously?

      There are many types of spyware, but Gurgle and faceBUTT top them all for theft of your info. ARRGGH!

    2. Destroy All Monsters Silver badge

      Re: Standard

      But the server is in Germany, not in the US, so that's already +100 for me.

      (OT: Brennan's license to sniff around while getting pension money revoked, yay!)

  4. Jamesit

    "collection of browsing information is only done to check a site against Web Security's global blacklist"

    When the browser is opened download the block list and check for updates every X minutes and check against that.

    Nothing needs to be sent to a remote server.

    1. Nick Kew

      How big is the global blacklist? Could add long delays for users on slower connections, and perhaps overload the server's pipe.

      1. Adam 1

        It is no doubt unimaginably huge. A list is the wrong data structure to be using for this use case. Other structures like bloom filters let you trade off between storage size and false positive rate.

        It doesn't really matter if your bloom blocks a page wrongly once every hundred thousand tests if that drops the download size from multiple GB to a handful of MB. They could even hash the URI that was blocked and send it for further analysis without the privacy complaints apparent from uploading every address you visit.

        But that is why you don't push down a list of URIs.

  5. Adam 1

    so

    We've not heard about bloom filters then?

    1. Oh Homer
      Thumb Down

      Re: Bloom filters

      According to Wikipedia: "the more elements that are added to the set, the larger the probability of false positives."

      Yikes!

      1. GnuTzu

        Re: Bloom filters

        Correct. Bloom filters have to be periodically cleared, or bits aged out. And, I've never been under the illusion that a bloom filter should be used as a standalone cache. You need an additional mechanism to validate a match (to check for false positives), and you need to think very carefully about which way the gains provided by a bloom filter benefit, otherwise, you'll never be able to tune it in a meaningful way.

      2. Adam 1

        Re: Bloom filters

        > the more elements that are added to the set, the larger the probability of false positives

        Yes, it is mathematics, not magic. The laws in information theory are not violated. The probability of false positives can also be lowered by using a bigger file. It's a bang for your buck argument.

        And if you keep reading that Wikipedia page, you'll read about how Google Chrome uses this exact technique to flag pages as malicious.

        You need to remember that larger is a comparator, not an absolute size. In the same way that 0.0000033% chance is larger than 0.0000032%, but both are still rather unlikely.

  6. Wzrd1 Silver badge

    Interesting!

    "The reference to the extension has been removed from the blog post as part of the investigative process."

    Because, security by obscurity is actually an effective thing. No, it's security by obscenity.

    Disabling or removing the applet is proper, removing the post is not.

    Information security meeting is tomorrow, this will indeed be brought up and I strongly suspect, Firefox will no longer be on our entire network. Which is a rather significant number of users.

  7. eldakka

    Disabling or removing the applet is proper, removing the post is not.

    It is entirely proper.

    A company has submitted a plugin to the Firefox plugin 'store'.

    It has been accepted.

    After that, Firefox wrote a post 'spruiking' this plugin, recommending it.

    Some users raised concerns over the plugin. So Firefox has stopped recommending it until it's sorted out. Therefore they have removed the post that was recommending it. It has not been proven yet to be malicious, therefore it is still available, but Firefox are no longer recommending it.

    The only thing wrong with the chain of events I see is the initial recommendation by Firefox. They should have thoroughly vetted the plugin before actually recommending it.

    The rest after that I see nothing wrong with that chain of events.

    1. Charles 9

      Unless, of course, they changed their behavior AFTER they were vetted...

  8. Phil Kingston

    Hmmmm. Interested to know how this crew's "free" plugin makes them money. Assuming it's not hoovering up user browsing habits and flogging same to advertisers of course.

    On the plus side, they managed to get quite a cool domain name.

  9. Bibbit

    I know this is like Canute trying to hold back the tide but

    Please stop using "reach out". Please.

    1. Anonymous Coward

      Re: I know this is like Canute trying to hold back the tide but

      Now if you feel that you can't go on (can't go on)

      Because all of your hope is gone (all your hope is gone)

      And your life is filled with much confusion (much confusion)

      Until happiness is just an illusion (happiness is just an illusion)

      And your world around is crumbling down, darlin'

      The Four Tops said it all perfectly. This is the only time the words 'Reach Out' are the right words.

    2. Kurt Meyer

      Re: I know this is like Canute trying to hold back the tide but

      "Please stop using "reach out". Please."

      If it will help, think of it as a self-identifying mechanism for clowns.

      In much the same way that the use of the word "gifted" is a self-identifier for ass(arse)holes.

  10. Anonymous Coward

    Probably the only reason Mozilla removed the plug-in is that the users found out they were being tracked.

    The plug-in was unnecessary, though. Default Firefox settings leak enough already.

  11. nuked
    Facepalm

    Do people really still expect their browsing history to be private?

  12. adam payne

    "We’ve received concerns from the community about the Web Security extension, and are currently investigating those concerns," a Mozilla spokesperson told The Register.

    "The reference to the extension has been removed from the blog post as part of the investigative process."

    Shouldn't you have tested the extension before recommending it?

  13. Aodhhan

    You take privacy seriously... my azz.

    Taking privacy seriously means testing and checking all plugins for privacy concerns before making them available to the public.

    Obviously this application wasn't checked for privacy concerns... so it seems you don't take privacy seriously. You're only trying to cover your back side after the fact, like a weak politician.

    Making some BS statement after the fact doesn't help your credibility at all. It only makes it worse. Better would be: you are going to make changes in procedures to ensure privacy is maintained prior to making plugins available.

  14. Flakk

    Poor Mozilla

    I like Firefox... I really do. It's just a shame that Mozilla seems an awful lot like a scrappy kid eager to go blindfolded into a yard full of rakes.

  15. JCitizen
    Go

    A good alternative..

    I could never figure out what that extension was all about anyway; so I switched to DuckDuckGo as a search engine, and installed it as well. The only problem I have is web sites complaining because I'm not taking cookies and they can't get into my shorts. I do wish there were a URL exclusion for sites I want to support; but there is none as far as I can tell. All the other ad blockers and script blockers just got too complicated to use, and did not really do the job. So there ya go!
