[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Tor Browser 8.0 sends OS+kernel+TOTAL_PING_COUNT!!

Tor Browser 8.0 sends OS+kernel+TOTAL_PING_COUNT in update queries to Mozilla

- Tails 3.9, which ships with TB 8.0, is also affected.

######

User report:[1]
https://blog.torproject.org/comment/277375#comment-277375

- Sanitize the add-on blocklist update URL
https://trac.torproject.org/projects/tor/ticket/16931

related, old, closed ticket (unresolved):

- TBB-Firefox sends OS+kernel in update queries to Mozilla
https://trac.torproject.org/projects/tor/ticket/6734

related, old, closed ticket (also unresolved):

- Nasty MitM possibility with the Firefox blocklist service 
https://trac.torproject.org/projects/tor/ticket/22966

[1]: "TBB-Firefox sends Linux kernel version in extensions blocklist update queries to Mozilla. 6 years old ticket closed https://trac.torproject.org/projects/tor/ticket/6734 without fix this privacy issue.

>From Ubuntu 18.04.1 LiveCD
/v1/blocklist/3/%7Bec8030f7-c20a-464f-9b0e-13a3a9e97384%7D/60.2.0/Firefox/20180204030101/Linux_x86_64-gcc3/en-US/release/Linux 4.15.0-29-generic (GTK 3.22.30 libpulse 11.1.0)/default/default/1/1/new/"

"about:config
extensions.blocklist.url"

"Also it send TOTAL_PING_COUNT to tell mozilla how many days you use TBB."

######

WTF?
Reply to: