Bug#697125: iceweasel: default value for extensions.blocklist.enabled causes Iceweasel to phone home

Francesco Poli (wintermute) invernomuto at paranoici.org
Tue Jan 1 16:03:35 UTC 2013


Package: iceweasel
Version: 10.0.11esr-1
Severity: normal

Hello,
some time ago I read about a creepy feature [1][2] of Mozilla Firefox that
seems to be enabled by default and can only be disabled in the advanced
configuration page (about:config).

[1] http://www.zdnet.com/blog/hardware/firefox-and-thunderbird-phone-home-daily/2143
[2] http://cybernetnews.com/yes-firefox-does-phone-home-everyday/

It seems that Firefox sends a bunch of user data (including IP address,
used browser version, browser usage times, number of users and list
of enabled extensions) to a Mozilla-Foundation-controlled server.
Daily!

It seems that this is used to disable extensions which are deemed to
be "dangerous" by Mozilla. But I think that this poses at least two issues:

 * the user should not be silently induced to trust Mozilla on which
   extensions are OK and which are "dangerous"
 
 * the data sent to Mozilla seem to be unnecessarily detailed and thus
   are a privacy issue (after all, the same purpose could be achieved
   by _downloading_ a list of "dangerous" extensions from Mozilla,
   without _sending_ any data to them!)

Hence, I am convinced that this feature should be disabled by default
in Debian's Iceweasel, unless the user explicitly re-enables it.

This feature is reportedly controlled by the about:config
extensions.blocklist.enabled value (true enables the feature,
false should disable it).

Now, I checked in Iceweasel's about:config page and it seems to me that
the extensions.blocklist.enabled value is in its default state, that is
"true". This is confirmed even when starting Iceweasel in safe-mode.

Please modify Iceweasel so that this creepy feature is disabled by default
and can be re-enabled only when the user explicitly decides to so desire.

Thanks for your time!
Bye (and season's greetings).



-- Package-specific info:

-- Extensions information
Name: Cookie Monster
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{45d8ff86-d909-11db-9705-005056c00008}
Package: xul-ext-cookie-monster
Status: enabled

Name: Debian buttons
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{8fb11c5b-84eb-4da0-9128-292eacce2dcb}
Package: xul-ext-debianbuttons
Status: enabled

Name: Default theme
Location: /usr/lib/iceweasel/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

Name: NoScript
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{73a6fe31-595d-460b-a920-fcc0f8843232}
Package: xul-ext-noscript
Status: enabled

Name: Uppity
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{16cbd87c-eb99-4f5c-9825-83cf13ab7ff8}
Package: xul-ext-uppity
Status: enabled

Name: User Agent Switcher
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
Package: xul-ext-useragentswitcher
Status: enabled

-- Plugins information
Name: DivX Browser Plug-In
Location: /usr/lib/mozilla/plugins/gecko-mediaplayer-dvx.so
Package: gecko-mediaplayer
Status: enabled

Name: mplayerplug-in is now gecko-mediaplayer 1.0.6
Location: /usr/lib/mozilla/plugins/gecko-mediaplayer.so
Package: gecko-mediaplayer
Status: enabled

Name: QuickTime Plug-in 7.6.9
Location: /usr/lib/mozilla/plugins/gecko-mediaplayer-qt.so
Package: gecko-mediaplayer
Status: enabled

Name: RealPlayer 9
Location: /usr/lib/mozilla/plugins/gecko-mediaplayer-rm.so
Package: gecko-mediaplayer
Status: enabled

Name: Shockwave Flash
Location: /usr/lib/gnash/libgnashplugin.so
Package: browser-plugin-gnash
Status: enabled

Name: Windows Media Player Plug-in
Location: /usr/lib/mozilla/plugins/gecko-mediaplayer-wmp.so
Package: gecko-mediaplayer
Status: enabled


-- Addons package information
ii  browser-plugin 0.8.11~git20 amd64        GNU Shockwave Flash (SWF) player 
ii  gecko-mediapla 1.0.6-1      amd64        Multimedia plug-in for Gecko brow
ii  iceweasel      10.0.11esr-1 amd64        Web browser based on Firefox
ii  xul-ext-cookie 1.1.0-4      all          makes it very easy to manage cook
ii  xul-ext-debian 1.9-1        all          Buttons for querying Debian-relat
ii  xul-ext-noscri 2.1.4-1      all          Javascript/plugins permissions ma
ii  xul-ext-uppity 1.5.8-3      all          toolbar button to "go up" on the 
ii  xul-ext-userag 0.7.3-1      all          Iceweasel/Firefox addon that allo

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (800, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages iceweasel depends on:
ii  debianutils         4.3.2
ii  fontconfig          2.9.0-7.1
ii  libc6               2.13-37
ii  libgdk-pixbuf2.0-0  2.26.1-1
ii  libglib2.0-0        2.33.12+really2.32.4-3
ii  libgtk2.0-0         2.24.10-2
ii  libnspr4            2:4.9.2-1
ii  libnspr4-0d         2:4.9.2-1
ii  libsqlite3-0        3.7.13-1
ii  libstdc++6          4.7.2-4
ii  procps              1:3.3.3-2
ii  xulrunner-10.0      10.0.11esr-1

iceweasel recommends no packages.

Versions of packages iceweasel suggests:
ii  fonts-stix [otf-stix]  1.1.0-1
ii  libgssapi-krb5-2       1.10.1+dfsg-3
pn  mozplugger             <none>

Versions of packages xulrunner-10.0 depends on:
ii  libasound2                1.0.25-4
ii  libatk1.0-0               2.4.0-2
ii  libbz2-1.0                1.0.6-4
ii  libc6                     2.13-37
ii  libcairo2                 1.12.2-2
ii  libdbus-1-3               1.6.8-1
ii  libdbus-glib-1-2          0.100-1
ii  libevent-2.0-5            2.0.19-stable-3
ii  libfontconfig1            2.9.0-7.1
ii  libfreetype6              2.4.9-1.1
ii  libgcc1                   1:4.7.2-4
ii  libgdk-pixbuf2.0-0        2.26.1-1
ii  libglib2.0-0              2.33.12+really2.32.4-3
ii  libgtk2.0-0               2.24.10-2
ii  libhunspell-1.3-0         1.3.2-4
ii  libjpeg8                  8d-1
ii  libmozjs10d               10.0.11esr-1
ii  libnotify4                0.7.5-1
ii  libnspr4-0d               2:4.9.2-1
ii  libnss3-1d                2:3.13.6-1
ii  libpango1.0-0             1.30.0-1
ii  libpixman-1-0             0.26.0-3
ii  libreadline6              6.2-8
ii  libsqlite3-0              3.7.13-1
ii  libstartup-notification0  0.12-1
ii  libstdc++6                4.7.2-4
ii  libvpx1                   1.1.0-1
ii  libx11-6                  2:1.5.0-1
ii  libxext6                  2:1.3.1-2
ii  libxrender1               1:0.9.7-1
ii  libxt6                    1:1.1.3-1
ii  zlib1g                    1:1.2.7.dfsg-13

Versions of packages xulrunner-10.0 suggests:
ii  libcanberra0  0.28-6
ii  libgnomeui-0  2.24.5-2

-- no debconf information
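
One way to audit which value of extensions.blocklist.enabled is actually in effect, as an added example that is not part of the original report or of Iceweasel's code: it parses Mozilla-style preference files and applies the usual precedence, where a user_pref in the profile overrides a pref default. The file labels and sample contents are constructed, and the built-in default of true is the one the report observes.

```python
import re

# Matches pref("name", value); and user_pref("name", value); at line start,
# so lines commented out with // are skipped (/* */ blocks are not handled).
PREF_RE = re.compile(
    r'^\s*(user_pref|pref)\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;', re.MULTILINE)

def parse_value(raw):
    """Convert a pref literal (boolean, integer or quoted string) to Python."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw.strip('"')

def effective_pref(name, layers, builtin_default):
    """Return (value, source) for `name`.

    layers is a list of (label, file_text), lowest precedence first.
    A user_pref always beats a pref default; within a kind, later layers win.
    """
    value, source, user_set = builtin_default, "built-in default", False
    for label, text in layers:
        for kind, pref_name, raw in PREF_RE.findall(text):
            if pref_name != name:
                continue
            if kind == "user_pref":
                value, source, user_set = parse_value(raw), label, True
            elif not user_set:
                value, source = parse_value(raw), label
    return value, source

# Constructed sample contents; file labels are hypothetical.
SYSTEM_DEFAULTS = '''
// pref("extensions.blocklist.enabled", true);
pref("extensions.blocklist.enabled", false);
pref("extensions.blocklist.interval", 86400);
'''
PROFILE_PREFS = 'user_pref("extensions.blocklist.enabled", true);\n'

NAME = "extensions.blocklist.enabled"

if __name__ == "__main__":
    for layers in ([], [("system-defaults.js", SYSTEM_DEFAULTS)],
                   [("system-defaults.js", SYSTEM_DEFAULTS),
                    ("prefs.js", PROFILE_PREFS)]):
        print(effective_pref(NAME, layers, builtin_default=True))
```

The source label in the result shows which file an administrator would need to change; a profile that has re-enabled the preference wins over a system-wide default of false.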