Firefox privacy and Tor Browser

andrew at andrew at
Sun Mar 28 01:22:58 UTC 2010

On Sat, Mar 27, 2010 at 11:47:17AM -0430, mansourmoufid at wrote 1.8K bytes in 40 lines about:
: Firstly, about NoScript. You may wish to consider an extension named
: RequestPolicy [1] instead. You may want to also want to consider
: FlashBlock [2], since that is a popular attack vector.

Thanks for your thoughts.  While I'm a big fan of request policy, it
'breaks' the web for 95% of the users out there.  The
slightly-above-average web user still doesn't understand the web page
they are viewing is composed of many domains all serving up different
parts.  Having watched people use request policy for the first time,
they end up temporarily enabling everything, because the defaults are
still shocking to them.

: Secondly, about a specific behavior in Firefox itself, which I think
: Tor developers should all be aware (or reminded) of. Firefox uses
: Google's Safe Browsing API [3] to check visited websites against a
: Google blacklist. There have been privacy issues brought up [4]. In
: short, Firefox's use of this API could lead to Google (or anyone
: listening to network traffic, since it was in the clear) being able to
: track users via a unique hash communicated with Google servers and
: persistent across sessions (including "Private Browsing"). Bartłomiej
: has written extensively on the subject [5]. His attempts to patch this
: privacy leak at the time were sabotaged by Google employees [6]. This
: behavior is optional now in Firefox 3, but still on by default [7].
: So, Tor Browser may want to consider having this "feature" off by
: default?

It is disabled, along with reported attack sites. It's disabled in
prefs.js.  See

Andrew Lewman
The Tor Project
pgp 0x31B0974B

Blog: torproject

More information about the tor-dev mailing list