Bug#697125: iceweasel: default value for extensions.blocklist.enabled causes Iceweasel to phone home

Wed Jan 2 07:25:21 UTC 2013

(Zack, question for you at the end)

On Tue, Jan 01, 2013 at 05:03:35PM +0100, Francesco Poli (wintermute) wrote:
> Package: iceweasel
> Version: 10.0.11esr-1
> Severity: normal
> 
> Hello,
> some time ago I read about a creepy feature [1][2] of Mozilla Firefox that
> seems to be enabled by default and can only be disabled in the advanced
> configuration page (about:config).
> 
> [1] http://www.zdnet.com/blog/hardware/firefox-and-thunderbird-phone-home-daily/2143
> [2] http://cybernetnews.com/yes-firefox-does-phone-home-everyday/
> 
> It seems that Firefox sends a bunch of user data (including IP address,
> used browser version, browser usage times, number of users and list
> of enabled extensions) to a Mozilla-Foundation-controlled server.
> Daily!

No list of extensions is sent.

> It seems that this is used to disable extensions which are deemed to
> be "dangerous" by Mozilla. But I think that this poses at least two issues:
> 
>  * the user should not be silently induced to trust Mozilla on which
>    extensions are OK and which are "dangerous"

They should be instead lured into installing malware.

>  * the data sent to Mozilla seem to be unnecessarily detailed and thus
>    are a privacy issue (after all, the same purpose could be achieved
>    by _downloading_ a list of "dangerous" extensions from Mozilla,
>    without _sending_ any data to them!)

That's actually what happens, a list of blocked addons is downloaded.
No list of extensions is sent to Mozilla. The only information sent is:
- APP_ID
- APP_VERSION
- PRODUCT
- BUILD_ID
- BUILD_TARGET
- OS_VERSION
- LOCALE
- CHANNEL
- DISTRIBUTION
- DISTRIBUTION_VERSION
- PING_COUNT
- TOTAL_PING_COUNT
- DAYS_SINCE_LAST_PING

Only the first two are strictly required. APP_ID is
{ec8030f7-c20a-464f-9b0e-13a3a9e97384} (the guid for Firefox),
APP_VERSION is self describing, PRODUCT is "Iceweasel", BUILD_ID is the
BuildID found in /usr/lib/iceweasel/application.ini, BUILD_TARGET is
roughly `uname -s`_`uname -m`-gcc3, OS_VERSION is roughly `uname -sr`,
LOCALE the locale the UI is in, CHANNEL is "default", DISTRIBUTION and
DISTRIBUTION_VERSION come from preferences (resp. distribution.id and
distribution.version, both currently not set), PING_COUNT is the number
of times the blocklist has been downloaded from the same version of the
application, TOTAL_PING_COUNT is the number of times the blocklist has
been downloaded ever (with the given profile), and DAYS_SINCE_LAST_PING
the number of days since last time the blocklist has been downloaded.
The IP address is thrown away and replaced with a geographic location (I
think it's only the country)

I'm not very much concerned by this kind of data being sent by default,
first, because it doesn't expose much of anything, and second, because
the server-side code is also open-source.

https://github.com/mozilla/zamboni/blob/master/lib/urls_base.py#L24
https://github.com/mozilla/zamboni/blob/master/apps/blocklist/views.py

> Hence, I am convinced that this feature should be disabled by default
> in Debian's Iceweasel, unless the user explicitly re-enables it.

Hence, I am not convinced this feature should be disabled by default,
especially since this is a useful malware protection (and yes, it's
pretty easy to encounter such malware, there have been some spreading
through facebook a few months ago, for instance).

Arguably, we could remove most of the information sent, but I'm not
convinced either. But then, I could be seen as biased, since I'm also a
Mozilla Corporation employee. So I'll defer the decision to touch the
downloaded url to someone else. Which makes me wonder, do we have
specific people in Debian dealing with such privacy concerns?

Mike