[tor-bugs] #33003 [Applications/Tor Browser]: Tor browser / Firefox telemetry data

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jan 23 11:03:52 UTC 2020


#33003: Tor browser / Firefox telemetry data
--------------------------------------+-----------------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  TorBrowserTeamTriaged     |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------

Comment (by cypherpunks):

 > Their existence is not a bug


 Still that same existence is an open door to anti-privacy. Suppose a case
 when the user plays with `about:config` or other preferences and
 inadvertently enables an anti-privacy feature such as telemetry or
 anything else which exists in Firefox. If the URLs had been removed he
 would not be able to de-anonymize the browser. IOW not having those URLs
 can be seen as a precaution.


 > if they are used in unexpected ways, then that may be a bug.


 As I mentioned initially, my personal expectation from a privacy
 respecting browser is 0 (zero) background connections, i.e. ones not
 initiated by me explicitly or through a setting which I explicitly set up.
 This means: out of the box there should be no connections other than those
 related to typed URLs. I suppose HTTPS-E must be considered along these
 lines too as it has some mechanism for remote updates. All that should be
 an opt-in on first run.


 > This happens occasionally, but are you reporting this is happening now?


 I don't know how to tcpdump the connections which Tor Browser makes as I
 don't know how to tcpdump anything that passes through Tor. If you explain
 how to do this I can try.


 > Can you provide steps for reproducing it?


 I found this, which seems related to all those background connections (in
 Firefox):

 https://bugzilla.mozilla.org/show_bug.cgi?id=1432248

 Note how Mozilla (that "privacy respecting" and "non-profit" organization)
 closed this as WONTFIX and linked it to another bug report which was also
 closed as WONTFIX. To date these automatic connections in Firefox persist
 and their documentation about how to disable them is still not complete.
 Mozilla Firefox's privacy policy is an anti-privacy policy. Just read:

 https://www.mozilla.org/en-US/privacy/firefox/

 By default they *share* a lot. But private means not shared, i.e. the
 opposite.

 In contrast ungoogled-chromium makes zero background connections out of
 the box (tested). Perhaps it is a better alternative for being a new basis
 for Tor Browser because it can already be configured to work through Tor
 proxy, so all it needs is some fine tuning about reducing the fingerprint.
 What do you say? (I realize this is not a bug report but a wider
 discussion. Please advise where it is appropriate to talk about that if
 you think it is worthwhile)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33003#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

