Hi,
I have a few questions about the safebrowsing feature in Firefox.
Answering any of these questions would be extremely helpful.
1. How does one clear the safebrowsing data?
2. Does Firefox stop fetching safebrowsing data if the browser is
inactive? The spec says the list is updated every 30 minutes, but
doesn't say anything about user activity.
3. The data itself is authenticated, but it is also served over HTTP,
and the protocol supports requesting specific lists and segments. This
might introduce the ability of websites to repeatedly block list
segments in an attempt to create a "supercookie" in the client. This
"supercookie" looks like it can persist for up to 6 hours (based on
the retry behavior in
https://wiki.mozilla.org/Phishing_Protection:_Design_Documentation#Client_Backoff).
Is there a way for websites to read this supercookie at will? If so,
is there a way to prevent it/clear it?
4. Clearing the list data might also cause an immediate re-download of
all lists and segments. Does it?
5. Say I needed to clear the MAC key. How do I do that? Does doing so
invalidate the previous list data?
Again, any answers to these questions would be very helpful.
Thanks in advance,
cl34r
__________________________________________________________________________
My GPG key:
http://pgp.jjim.de/pks/lookup?op=get&search=0x96B1D5FB69704B5E
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security