[tbb-bugs] #22966 [Applications/Tor Browser]: Nasty MitM possibility with the Firefox blocklist service

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 18 19:38:34 UTC 2017

#22966: Nasty MitM possibility with the Firefox blocklist service
 Reporter:  basvd                     |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  High                      |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by yawning):

 Sigh.  Per Mozilla's documentation this should not be happening, though at
 this point I have no reason to doubt that it is.

 > Add-ons Blocklist: Firefox contacts Mozilla once per day to check for
 add-on information to check for malicious add-ons. This includes, for
 example: browser version, OS and version, locale, total number of
 requests, time of last request, time of day, IP address, and the list of
 add-ons you have installed. You can turn off metadata updates at any time,
 but it may leave you open to security vulnerabilities.

 > 3. In the Filter text box, type extensions.getAddons.cache.enabled.
 > 4. Double click the extensions.getAddons.cache.enabled item to turn it
 from true to false

 That pref is disabled by default in Tor Browser.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22966#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list