Paranoid browser test - is there privacy in FOSS?

I have been looking at both Firefox and Chromium (supposedly respecting user privacy and freedom, not like Google Chrome).

Firefox settings:

https://ultraimg.com/images/2017/12/12/nKx1.png

https://ultraimg.com/images/2017/12/12/nKxV.png

https://ultraimg.com/images/2017/12/12/nKxr.png

Chromium settings:

https://ultraimg.com/images/2017/12/12/nKxB.png

I am pasting the last screenshot as link because the forum doesn’t allow more than 4 images:

https://ultraimg.com/images/2017/12/12/nKxh.png

Additionally in both browsers I have installed extensions uMatrix, uBlock Origin and HTTPS everywhere. I don’t have any chat program installed (pidgin, kopete etc). I have NTP service enabled.

My findings:

• Firefox disrespects settings for “Data Collection and Use”. I have provided more info in this bug report. In FF 57 things seem even worse: There are even more telemetry flags enabled and enforced by default and not accessible via Preferences, i.e. only through about:config.

• watching uMatrix logger upon startup (without any other tabs open): both Firefox and Chromium communicate with hosts owned by Google and Mozilla. In other words - Google and Mozilla know the exact time when the user starts his browser (and perhaps other things too). Firefox communicates with google and other hosts too (even after disabling OCSP query and “Block dangerous and deceptive content”)

• after closing the browser (say Chromium) as well as all other desktop apps I wait about 5 minutes after the browser process has died and I look at tcpdump output:

14:32:29.015682 IP pc.47222 > router.domain: 7090+ A? lh3.googleusercontent.com. (43)
14:32:29.018269 IP router.domain > pc.47222: 7090 2/0/0 CNAME googlehosted.l.googleusercontent.com., A 216.58.207.33 (88)
14:32:29.018425 IP pc.43317 > router.domain: 38316+ A? accounts.google.com. (37)
14:32:29.020262 IP router.domain > pc.43317: 38316 1/0/0 A 216.58.207.45 (53)
14:32:29.020416 IP pc.38513 > router.domain: 51010+ A? clients2.googleusercontent.com. (48)
14:32:29.021398 IP router.domain > pc.38513: 51010 2/0/0 CNAME googlehosted.l.googleusercontent.com., A 216.58.207.33 (93)

If I read that correctly: somehow there is still communication between the local machine (pc) and the router on our network related to Google. Similar thing is observed with Firefox. There are also packets which contain ‘amazon’ substring.

**More testing:

**IceCat behaves similar to Firefox.

Tor browser doesn’t seem to do what Firefox and Chromium do.

Questions:

1. Considering a FOSS ethical perspective (everything you would hear from FSF) - Are these valid concerns?
2. Is there something technically wrong or missing in this simple test?
3. Is there anything to report (bugs)?
4. Or should I visit the mental hospital?

For Firefox you could take a look at “ghacks-user.js”:

https://github.com/ghacksuserjs/ghacks-user.js

Described as “An ongoing comprehensive user.js template for configuring and hardening Firefox privacy, security and anti-fingerprinting.”

A brief(er) overview of it:

https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.1-Overview

I’ve not really looked in much detail, in it’s “standard” form I feel it would probably be far too restrictive.

It’s however a good source for the listing of pretty much all Firefox’s privacy/security/etc settings that are available via user.js; and yes, the bulk of those are not accessible from the settings GUI, and some that were have indeed been removed over time.

Hi
Don’t forget webrtc and pocket…

https://browserleaks.com/webrtc

extensions.pocket.enabled;false [default is true]

[QUOTE=tannington;2847800]For Firefox you could take a look at “ghacks-user.js”:

https://github.com/ghacksuserjs/ghacks-user.js
[/QUOTE]
Thanks. Yes, I found that a few minutes after posting here. Looking into it.

[QUOTE=malcolmlewis;2847804]Hi
Don’t forget webrtc and pocket…

https://browserleaks.com/webrtc

extensions.pocket.enabled;false [default is true][/QUOTE]
Thanks. I believe uBO takes care of it too.

I also found this:

https://tornull.org/tbbnull.php

But anyway the root question remains: why FOSS spies on us by default and why do we have to hack it in various ways to prevent that? Where is the freedom in the whole thing? Is Mozilla just another “I want to track you” organization?

I’ve never really trusted any browser’s privacy settings, nowadays HTML5 requires and does extensive probing of your system to display on a multitude of device screens and support functionality Users commonly expect nowadays.

So,
I currently install a multitude of different web browsers and use each for specific tasks so that any tracking is limited to within that common task.
If I don’t want to be tracked, that browser is not logged into any authenticator (like Facebook, Google, Twitter, etc.)
If I want to further limit tracking, use a text-only web browser that doesn’t support HTML5, but nowadays that won’t work on a lot of websites.

HTH,
TSU

Or maybe we should all move to Qubes?

…go to about:config in FF and enter search term “http”. Delete as many of these as you like and then have a look again.

I always though about doing the same experiment as you did, but expecte the outcome to be like that or even worse.

Maybe have a look at Pale Moon.

How about Waterfox? Has anyone tried it? Their site says it is based on Firefox but with removed telemetry and data collection.

https://www.waterfoxproject.org/

I’ll put this in the nicest way I can;
No one cares about you or your browsing history, habits or anything else for that matter.

No, there are no monsters under the bed or the closet and no evil h4x0rz or big corporations don’t care about you specifically because you have no interesting data to give out.

People really need to stop being so paranoid or get medication for it.

…yeah, Google is a charity to safe the world and being naive about what’s goinig on is the solution. Keep using whichever browser you like and keep posting ON TOPIC in surveillance threads…

If nobody cares about all that - why were things like PRISM, XKeyscore etc. created? Has the world become more secure due to those “security” measures? Or on the contrary?

No, there are no monsters under the bed or the closet and no evil h4x0rz or big corporations don’t care about you specifically because you have no interesting data to give out.

It is not about protecting one’s photos from last summer but about protecting also client’s data. Of course one can be completely negligent and disrespectful to the parties one communicates with for the convenience of believing in non-facts.

People really need to stop being so paranoid or get medication for it.

I am open to get a recipe from you for medication about Intel ME, proprietary BIOS, quantum computers built to break any cryptography challenge etc. If there is such medication I would gladly give it with those who build these systems.

…besides the NSA (storing statistically 1 TB of data per capita of the world population, as of 2013), for loging into this forum I have to accept:

microfocus scripts (to reach the login screen)

opensuse.org 13 scripts

suse.com 32 scripts

googleapis 1 script

Some dozends more I block (from other vendors), no idea why they are necessary at all.

I have a number of (tech and other) forums I don’t have to accept A SINGLE script from any source (especially not googleapis) to login and write comments.

This is a pest. I would never know obout these things without uMatrix and NoScript.

[QUOTE=suse_rasputin;2847881]…besides the NSA (storing statistically 1 TB of data per capita of the world population, as of 2013), for loging into this forum I have to accept:

microfocus scripts (to reach the login screen)

opensuse.org 13 scripts

suse.com 32 scripts

googleapis 1 script

Some dozends more I block (from other vendors), no idea why they are necessary at all.

I have a number of (tech and other) forums I don’t have to accept A SINGLE script from any source (especially not googleapis) to login and write comments.

This is a pest. I would never know obout these things without uMatrix and NoScript.[/QUOTE]

You forgot to mention that this forum uses Google Analytics and www.opensuse.org has connections to Facebook too.

BTW you don’t need to accept anything from googleapis to use the forum. Here are my uMatrix settings:

https://snag.gy/hyfwlP.jpg

I have to allow ajax.googleapis.com one script during login, otherwise there is the green “Forgot password” text of the login page in the password field and no way to proceed from there. Have a screenshot but no picture hoster… (you should have a look if googleapis is allowed by your uMatrix in general, I use the combination of uMatrix and NoScript).

Surfing the web is so digusting these days (especially webshops), I started to have machines for nothing else but browsing in dedicated networks used via VNC. Just to keep my normal net as clean as possible and my data away from any tracking and other stuff.

[QUOTE=suse_rasputin;2847889]I have to allow ajax.googleapis.com one script during login, otherwise there is the green “Forgot password” text of the login page in the password field and no way to proceed from there. Have a screenshot but no picture hoster… (you should have a look if googleapis is allowed by your uMatrix in general, I use the combination of uMatrix and NoScript).
[/QUOTE]
Ok, I had

* ajax.googleapis.com script allow

but I removed it and I was able to log in. BTW why do you need NoScript if you have uMatrix (it can block JS too)?

Surfing the web is so digusting these days (especially webshops)

Quite right. That’s why I like to keep the sites I work on ‘self-contained’ - having all needed resources on the same domain and with strong HTTP headers (making A+ in https://observatory.mozilla.org/). I rarely see other sites do that (unfortunately). I don’t know if it is due to webmaster’s lack of knowledge or simple carelessness. For example amazon.com doesn’t even have XSS protection header.

Reboot your machine (after a decent Bleachbit, including your cache) and try to login, without googleapis.com allowed one scritp you won’t succeed. Believe me.

You should try the combination of NoScript and uMatrix. I think they complement each other.

But all this helps you nothing if your browser is a chatterbox, as the starter of this thread suggests. Will do some wiresharks on FF 57 over the coming weeks. MAybe it’s time to keep browsers COMPLETELY out of the LAN and place them in a dirty net on their own…

[QUOTE=suse_rasputin;2847893]Reboot your machine (after a decent Bleachbit, including your cache) and try to login, without googleapis.com allowed one scritp you won’t succeed. Believe me.
[/QUOTE]

My testing procedure doesn’t include reboot of the nuclear reactor I just open private mode window and login. The only ugly thing in the login window with googleapis.com disabled is the lack of submit button but I simply enter user and pass and press Enter. Screenshot:

https://ultraimg.com/images/2017/12/13/nK9F.png

If you want the overlay links not to appear you can try a static uBO rule (works for me)

login.microfocus.com###help > ul

But all this helps you nothing if your browser is a chatterbox, as the starter of this thread suggests. Will do some wiresharks on FF 57 over the coming weeks. MAybe it’s time to keep browsers COMPLETELY out of the LAN and place them in a dirty net on their own…

Could you please share the results? It would be interesting to see also what that Waterfox really does. Hopefully this will turn into a bug report to Mozilla (who btw still haven’t answered the one about telemetry).

BTW I wonder if it is possible to isolate the browser additionally somehow (I need to learn about AppArmor) without having to create a VM guest just for web browsing purposes (or move to Qubes). Currently I use an extension which allows FF to store passwords in its own gnome keyring. But recently I found this information:

Any application that executes with the same user’s privileges can get access to any of the user’s keyrings, and thus, can read secrets stored in any that are unlocked.

In other words one either has to agree browsers to have full access to keyrings containing other credentials (for LAN, SSH, private keys etc) or one has to store plain text logins. Or one has to move to kwallet where the situation is even worse.

From a paranoid viewpoint one can really consider some kind of LAN cable kill switch (:D) but that wouldn’t help if the software stores temporary data “until network becomes available”. Unfortunately looking at the code myself wouldn’t really show how exactly the program works. Hopefully some developers are reading this thread.

…works without the googleapis script, I never tried “ENTER”, instead of the login button…:X

Will do some browser research and come back. May take a while

Thanks. Will wait.

…any ideas how to share .cap files, if interesing? :shame: