+1 for the PS and the rest

I don't want to bother with this project again, but part of what the browsers are doing is explained here [1]. We can see that they send http/https requests outside (example 2), but that's not enough of course: some of them, like Chrome, inject some scripts into the page by default (example 3; this is not completely easy to detect. I noticed this with a good old site of ours, http://www.viagri.fr, which at that time had 0 outside scripts in there; then I was surprised to see some outgoing requests, and looking at the source code of the page the predictad script was there, injecting other stuff itself as well. It can be deactivated but you have to know it).

Regarding Tor, I think that the Tor Browser is blocking at least safebrowsing.

Regarding safebrowsing, it can make mistakes, as shown in [2], which prevented us from renewing an SSL certificate. I questioned Google about this and never got a final answer.

Coming back to FF, as already asked, it would be interesting to know precisely what it is sending outside and if there is an option to tell FF not to send anything (even OCSP queried with http sometimes, we don't care).

[1] https://www.kickstarter.com/projects/450023/ianonym-internet-privacy-everywhere-from-any-devic
[2] https://lists.torproject.org/pipermail/tor-talk/2015-February/036761.html

On 28/04/2015 09:50, carlo von lynX wrote:
Juicy content from Ashkan Soltani further below.

On Sun, Apr 26, 2015 at 01:26:29PM -0700, Al Billings wrote:
If you're the kind of person paranoid about safebrowsing pings and similar,
yeah, you should pull the tinfoil hat tighter and block all things.

What I said in the original posting:
     "I was told it even lets Google have the cookie it uses to
     identify you, so even if you use Tor, the five eyes immediately
     know it is you. I didn't bother to check however."

I wonder if you read that part. Should that part be accurate, then
safebrowsing is among the top vectors for mass correlation of IP
numbers (or Tor circuits) to specific browsers and human beings.
The others being font and jquery includes, search engine utilization
and maybe a few +1 buttons here and there.

We discussed this topic back in 2014, May 12th to be exact.
safebrowsing could be offered in a distributed anonymous way,
instead it is being done in a way that it de-anonymizes people to
the five eyes.

Some weeks later I accidentally met Ashkan Soltani who told me he
already dissected the issue in pre-Snowden days. Looks like it
hardly got traction - since no one knew the implications:

     http://ashkansoltani.org/2012/02/25/cookies-from-nowhere/
     http://blogs.wsj.com/digits/2012/02/28/the-google-cookie-that-seems-to-come-out-of-nowhere/

It is actually quite incredible that Google has been flying under
the radar of general interest since Ashkan's story came out, given
the immense implication for mass surveillance.

P.S. I don't think you have the necessary competence to tell *anyone*
about tinfoil hats and would like to ask you to contribute to this
mailing list less frequently and more thoughtfully. Thank you.


--
Check the 10 M passwords list: http://peersm.com/findmyass
Anti-spies and private torrents, dynamic blocklist: http://torrent-live.org
Peersm : http://www.peersm.com
torrent-live: https://github.com/Ayms/torrent-live
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms
