Bug #8574

Extension infiltration (revised)

Added by Anonymous 6 days ago.

Status:NewStart date:09/15/2017
Priority:NormalDue date:
Assignee:Anonymous% Done:

0%

Category:-Spent time:-
Target version:-
Component:

Description

Someone put Mozilla up to secretly tracking-fingerprinting Orfox through add-ons and the URI leak. It looks like theres a Mozilla override to the user override for extension signing, meaning you can only install extensions Mozilla allows. Lets look at the two anti-tracking privacy extensions, Ghostery leaks data, is owned by a private company, and you cant disable data collection. The other anti-tracking privacy extension Privacy Badger is the worst-performing anti-tracking extension and made by the EFF. Disconnect is GNU licensed and open source and you can't install it! Disconnect in WebExtension breakage isnt the first. Some devs report that about:addons is bypassing any extension blockages built with the new WebExtensions, such as uBlock Origin and Ghostery, and communicating with Google Analytics, which in turn could forward that data to an undisclosed operation, when the user is on that page. In addition, Google funds the EFF, and in the interests of National Security, the NSA is in Google they can't say no, and perhaps the EFF and Mozilla too, theres no reason not to, the spy agencies arent idealists engaged in a fair fight with anyone who uses Tor, they want the user data and they want it now so it takes time and multi-tiered approaches to get into Tor Browser and Orfox. Cisco has already been caught with backdoors in its router software, and their WebRTC H.264 video plugin is in EVERY Firefox installation including the Tor browsers. The EFF gets major funding from Google, and they have a huge HTTPS Everywhere extension that intercepts EVERY URL, that should be simple thing, granted its GPL but that doesnt stop it from new code entered into the build, and thats included in every Tor browser install. Who makes the browser and tracks the add-ons that every Tor user needs to maintain anonymity? Mozilla. What can they do when the the NSA appears with badges and engineers to skim data to help them identify Tor users, whats Mozilla gonna do, call the cops?? Think about it this way, if you can't get your spy code into the open-source browser, ya get it into the Pink Fluffy extension and control the doors. Thatll get it right under Tor users noses, because the Guardian Project doesnt host the extension site, they dont control the code, the flow or analytics of the extensions. Some extensions are unable to be installed even with local download with XPI signing verification disabled and the ones that are available could be directedly compromised, making for weak tracking protection, fingerprinting, and thus correlation identification. The news is, theres a 250,000$ bounty on a Tor browser breach! Every link in the Tor browser chain is significant, and if the extensions are weak AND compromised, then any attack through the browser can have a higher hit rate and/or breach anonymity.


Related issues

Copied from Core Apps - Bug #8462: Extension infiltration (revised) New 09/15/2017

Also available in: Atom PDF