Firefox privacy and Tor Browser

Mansour Moufid mansourmoufid at
Sat Mar 27 16:17:17 UTC 2010


I just heard the news about the Tor Browser bundle for GNU/Linux. I
like the idea, and I wanted to pitch a couple thoughts to the
developers. I apologize in advance if these things have been brought
up already, or if the subject belongs on or-talk instead.

Firstly, about NoScript. You may wish to consider an extension named
RequestPolicy [1] instead. You may also want to consider
FlashBlock [2], since that is a popular attack vector.

Secondly, about a specific behavior in Firefox itself, which I think
Tor developers should all be aware (or reminded) of. Firefox uses
Google's Safe Browsing API [3] to check visited websites against a
Google blacklist. There have been privacy issues brought up [4]. In
short, Firefox's use of this API could lead to Google (or anyone
listening to network traffic, since it was in the clear) being able to
track users via a unique hash communicated with Google servers and
persistent across sessions (including "Private Browsing"). Bartłomiej
has written extensively on the subject [5]. His attempts to patch this
privacy leak at the time were sabotaged by Google employees [6]. This
behavior is optional now in Firefox 3, but still on by default [7].
So, Tor Browser may want to consider having this "feature" off by

That's all for now.

Thanks everyone for your time and the great work on Tor!

[1] <>
[2] <>
[3] <>
[4] <>
[5] <>
[6] <>
[7] <>

Mansour Moufid
