[tbb-dev] nsIUserInfo (browser developer candidate)

[Richard Pospesel]

Hi tor devs!

I've spent today getting ramped up on building/debugging tor-browser and
investigating a solution to issue #13398
<https://trac.torproject.org/projects/tor/ticket/13398> (NsUserInfo object
scrapes user's name, username, email, and domain).

My first instinct was to just completely remove the offending code and
interface.  It looks like some things have changed in this area since the
issue was filed, as this information is no longer cached on firefox
startup, but is still accessible via Add-Ons through the userinfo object (
https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/
Reference/Interface/nsIUserInfo ).

So my question to you is in this case, do we prefer to completely excise
the nsIUserInfo interface from the codebase (and break any user Add-Ons
which use it) or do we prefer to replace all the per-system implementations
with a single 'mock' implementation which returns empty string (or errors)
for each property getter?

Having read the design-doc (particularly the parts on finger printing) it
seems like ripping out the class entirely is a bad idea as it would
immediately identify the browser as a modern Tor Browser (given how old the
API is and that vanilla Firefox still has it) and potentially break Add-Ons
using it.  However, simply returning empty-string for these properties
would also identify the browser as Tor Browser.  I know for certain that on
windows the username (at least) will always return *something* so getting
empty string here would also point to Tor Browser.

All that said, I suspect either of the above solutions are preferable to
leaking user identifying information.

What do you think?

best,
-Richard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tbb-dev/attachments/20170719/a028027d/attachment.html>