Bug#575039: safebrowsing is enabled by default and sending data without my consent

[Mike Hommey]

retitle 575039 Please add a link to http://www.mozilla.com/en-US/firefox/phishing-protection/ in README.Debian
severity 575039 wishlist
thanks

On Tue, Mar 23, 2010 at 02:50:19PM +0100, Holger Levsen wrote:
> reopen 575039
> thanks
> 
> On Dienstag, 23. März 2010, Mike Hommey wrote:
> > The only data safebrowsing sends is a request for a database. It doesn't
> > send your browsing data.
> 
> I don't think, that's right. First of all, it also sends my IP address, by 
> definition. 

You should stop browsing the web, it's sending your IP address. Sending
email does, too.

> Then, in the URL being requested there is this looooong wrkey variable, which 
> looks like a unique ID to me, mabye it's the google cookie by which google 
> tracks each browser..  do you know for sure what it is? This one:
> 
> http://safebrowsing.clients.google.com/safebrowsing/downloads?client=Iceweasel&appver=3.0.6&pver=2.2&wrkey=AKEgNiuhoOEmKsbgcf26JrVQOcsFTiymVIKMPFtbUtKZ4TKeNsA_RU9P1-BAJvw0hcFHm4vwwnXmvNuUsYZGzh7qJaK35U-xow== 
> 

See http://code.google.com/p/google-safe-browsing/wiki/Protocolv2Spec,
4. MAC.

Less technical details here:
http://www.mozilla.com/en-US/firefox/phishing-protection/
See "How does Phishing and Malware Protection work in Firefox?" and
"What information is sent to Mozilla or its partners when Phishing and
Malware Protection are enabled?"

> Can you please add a note to README.Debian (or somewhere similar) to document 
> this?
> 
> On Dienstag, 23. März 2010, Mike Hommey wrote:
> > And currently, as it sends request google doesn't like, safebrowsing is
> > effectively disabled. See bug #518357.
> 
> Well, the feature might be broken currently, but still my browser sends data 
> without my consent. And, as the feature is broken, even completly uselessly 
> violates my privacy.

Privacy violation is a pretty exaggerated statement.

Mike