[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: The Spirit of Free Software, or The Reality

On Wed, Jul 15, 2015 at 01:26:16PM +0900, Mike Hommey wrote:
> On Wed, Jul 15, 2015 at 03:51:42AM +0200, Bas Wijnen wrote:
> > On Wed, Jul 15, 2015 at 01:06:28AM +0200, Jakub Wilk wrote:
> > > POST https://safebrowsing.google.com/safebrowsing/downloads?client=Iceweasel&appver=38.1.0&pver=2.2&key=no-google-api-key
> > > + a few dozens of GET requests to https://safebrowsing.google.com/
> > > 
> > > So nothing serious here. It's just casually violating your privacy.
> > 
> > I disagree that the safebrowsing part is not serious, especially considering
> > that it continues to send a message there on every new page you visit.  Best
> > case the only thing that happens is that Google checks that you aren't visiting
> > a dangerous site.  But really?  Does anyone believe that Google does not store
> > this data to monitor browsing habits?
> FUD is easy. How about documenting yourself on how Safe browsing
> actually works?

Please don't be so harsh.  FUD is about trying to mislead people into thinking
untrue bad things about someone.  I have no bad intentions, and I don't see why
you would think that I do.

I have some experience with safe browsing, but indeed I have not looked up how
it works.  I do know that it continuously sends data to Google, and I have
quite a bit of confidence in their capability and willingness to use that data
for tracking.  From your description it sounds like that is not trivial, but
there are smart people at Google, and they have near infinite resources.

> Hint: urls are _never_ sent to Google. The worst thing
> that Google can know is that the _hash_ of /some/ url you went to, has the
> first n bits matching the first n bits of the hash of one (or multiple)
> of the known malware of phishing urls. Nothing more.

That sounds good, and I believe you that is how it's supposed to work, but I
can't quite match it with my observations.  The first time I encountered safe
browsing was when I was running wireshark for an unrelated reason.  I saw lots
of packets going to a remote server even though I wasn't doing anything on the
network yet.  So I checked which host it was, and it turned out to be Google.
Given that every product they have seems to be targeting maximum gathering of
personal information on people, I worry when my computer is sending a lot of
data to them without me asking for it.

I also note that it sent requests there all the time.  I wasn't even doing
anything with my browser, and I didn't have any sites open that would obviously
keep contact with the server.  I don't remember exactly what happened, but I do
remember that it looked like Iceweasel was sending a lot of information about
me to Google.

As Jakub was saying: just starting it up without even visiting a site yet will
do a POST and a *few dozen* GET requests.  Shouldn't it be waiting with its
checks until it actually knows what to check?  What is it sending them at
browser startup?

So I wanted to make it stop; I can live without the safe browsing feature.  I
couldn't find it anywhere in the regular preferences.  In about:config I
searched for it and there is an "enabled" flag, which I turned off, but that
didn't actually stop the traffic (is that a bug, or does it disable something
in a different way?)  Eventually I managed to stop it by replacing all the
safebrowsing related urls with empty strings.  I don't like that I need to do
that much work to prevent my computer from contacting Google.  I also don't
think I am obligated to find out the technical details of the protocol before
I'm allowed to complain about it.

All that being said, I agree with Ben that the Iceweasel packaging in Debian is
excellent, and I'm happy to know that this is the case.


Reply to: