Author Topic: Some security and privacy questions raised at the launching of Fx 3.0  (Read 7214 times)

polonus

Hi malware fighters,

Download day is at hand. Firefox 3.0 will be launched any day now. But while this browser has some nice new features aboard, also security-wise (location bar, Google blacklisting, etc.), there are also developments that mean we have to watch out that third parties do not take over part of this browser, folks that do not have our best interest at heart but only their very own. There are many ways in which the user can be profiled and tracked that are hidden, ways a majority of browser users are unaware of. Before the BetterPrivacy add-on was developed, browser users were unprotected against so-called Super or Flash Cookies; before an American university launched the SafeHistory and SafeCache add-ons, we could be profiled and tracked by historywrapper etc. Why was the DomInspector taken out of Fx 3.0 by default, so that it must be downloaded as a separate add-on? Why did NoScript not protect against the hidden profiling and tracking by Super Cookies? Mr. Maone admitted to me in a discussion on MozillaZine that the browser is slowly being taken out of the hands of the user and into the hands of the pay-per-click ad-serving goons. Even some British Internet providers worked secretly hand in glove with a firm that was known to launch spyware, to make it legit to launch ads on the basis of the user's click history and surfing habits. Even Torbutton, meant to enhance a user's privacy, is known to have new leaks (geoposition via JS) since Fx 3.0 RC1. One gets errors for kREAL_HISTORY.getService(); is undefined in Fx 3.0 RC2 and I am given some special attention at some query.xqy code, also knowing full well that Tor is open at the end-nodes anyway privacy-wise.
So one has to use a small regiment of measures to make the browser a tool for surfing the WWW, and not a tool in the hands of the adman that wants to earn from your browser habits. Sign of the times,

polonus
« Last Edit: June 15, 2008, 01:39:44 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

sopadeajo

  • Guest
Quote
Why was the DomInspector taken out of Fx 3.0 by default, so that it must be downloaded as a separate add-on? Why did NoScript not protect against the hidden profiling and tracking by Super Cookies? Mr. Maone admitted to me in a discussion on MozillaZine that the browser is slowly being taken out of the hands of the user and into the hands of the pay-per-click ad-serving goons.

Download day: 17 June

Another add-on that should be included by default in Firefox is the ability to read history (recently visited webpages) when not connected. The Scrapbook add-on can do that, but it is an add-on. I did not use Firefox for years because of that: I could not read history when unconnected.

Google-analytics.com is blocked by NoScript, but I believe Firefox (I am not sure though) is working with them. If this is true, then we have two contradictory tendencies: protection against habits tracking (for commercial $ purposes) done by some add-ons, and exactly the contrary done by default by Firefox?


If so, and $$$$ are very powerful, there should be movements to fight against it.
« Last Edit: June 15, 2008, 05:15:13 AM by sopadeajo »

Sesame

  • Guest
This is one of the reasons why, I think, the customizability of apps is important since it offers choices.  The "problem" itself is not new and capital is one of the factors that helped Firefox to become this popular.  In any system, I think, whether meaningful choice is given to people or not is important but I'm getting too political here.

polonus

Hi Rumpelstiltskin,

You are making some very valid remarks here, two contradictory tendencies, where the common non-educated user stands to lose at the end of the day: he or she is taken by surprise and is unaware of what goes on behind his or her back. We have a mission here to educate those that come in here, if they wish to know how to secure their browsers a bit better security-and-privacy-wise. RIP version 1.0.6.4 from http://rip.mozdev.org/ and you can do a lot more permanently or semi-permanently or only on one page or as a general rule. Mozilla CacheView (a beautiful tip from Bob 3160) gives you insight into what is stored on your computer.
Even if you have cleared out cookies, personal tracking identification can set your old cookie information back and through what is stored on your comp can establish what they want to serve up to you. With script running they can reconstruct your browser history, surfing habits, profile, geo-location, more than you care to realize even.
Browser habits are big business to them, just like here in Europe where they know all about you when you mention your street code and house number, and the same goes when you enter your date of birth (then they don't need your name, all further information is linked anyway). You are already completely transparent, that is not the point, but completely transparent to how many institutions or organizations, and is this info linked? The "I have nothing to hide, what can they do to me" argument is stupid, because do you want everybody to know about every aspect of your profile, etc., all the time?
Again to get some of these fundamental rights back you have to install quite some cocktail of security and privacy related add-ons, extensions and additional proggies, and that is a bit too much for the common sheeple. Some can see the writing on the wall, some are so numbed down they can't even be bothered, and it is way over their heads, and we cannot do this alone, we have to do this together, Rumpelstiltskin,

polonus

DavidR

<snip>
Google-analytics.com is blocked by NoScript, but I believe Firefox (I am not sure though) is working with them. If this is true, then we have two contradictory tendencies: protection against habits tracking (for commercial $ purposes) done by some add-ons, and exactly the contrary done by default by Firefox?
<snip>

NoScript doesn't block google-analytics.com; NoScript blocks all scripts and 'the user' chooses what scripts to allow. I choose not to let google-analytics run. So it is a user choice and no contradiction, not to mention Mozilla didn't build the NoScript add-on.

polonus

Hi DavidR,

If you like to stick to your user choice, and you are fully entitled to, why not use RIP, manage RIP, allow it all the time, only for one page, permanently, and bye-bye to your concerns. You can enforce it to work with the Nightly Tester Tools and it is a great add-on with a good manager for all your RIPs,

pol

sopadeajo

  • Guest
Quote
NoScript blocks all scripts and 'the user' chooses what scripts to allow. I choose not to let google-analytics run.

And I do exactly the same as you. I meant NoScript blocks by default (you do not have to be running behind Google to do so; I am new to Firefox and I had the will to stop Google collecting data, so I was happily surprised to see that NoScript already did it).
« Last Edit: June 15, 2008, 06:28:41 PM by sopadeajo »

Sesame

  • Guest
Quote
You are making some very valid remarks here, two contradictory tendencies, where the common non-educated user stands to lose at the end of the day: he or she is taken by surprise and is unaware of what goes on behind his or her back. We have a mission here to educate those that come in here, if they wish to know how to secure their browsers a bit better security-and-privacy-wise. RIP version 1.0.6.4 from http://rip.mozdev.org/ and you can do a lot more permanently or semi-permanently or only on one page or as a general rule. Mozilla CacheView (a beautiful tip from Bob 3160) gives you insight into what is stored on your computer.
Even if you have cleared out cookies, personal tracking identification can set your old cookie information back and through what is stored on your comp can establish what they want to serve up to you. With script running they can reconstruct your browser history, surfing habits, profile, geo-location, more than you care to realize even.
Browser habits are big business to them, just like here in Europe where they know all about you when you mention your street code and house number, and the same goes when you enter your date of birth (then they don't need your name, all further information is linked anyway). You are already completely transparent, that is not the point, but completely transparent to how many institutions or organizations, and is this info linked? The "I have nothing to hide, what can they do to me" argument is stupid, because do you want everybody to know about every aspect of your profile, etc., all the time?
Again to get some of these fundamental rights back you have to install quite some cocktail of security and privacy related add-ons, extensions and additional proggies, and that is a bit too much for the common sheeple. Some can see the writing on the wall, some are so numbed down they can't even be bothered, and it is way over their heads, and we cannot do this alone, we have to do this together, Rumpelstiltskin,

I am inclined to think this information may be better kept by various groups rather than one organization like in 1984.  To some extent, I understand why marketeers want browsing/shopping habits of anonymous people, too.  However, it is also true that some groups such as commercial hackers and pedophiles seem not to share my ethical view.  It is hard to be always aware of potential risks when we think we are using the net, especially as most of the action is less controlled by us than we tend to think.  I know some people upload their information on the net in a rather careless manner.  Even if we don't do it by ourselves, our friends/acquaintances/family members may be less careless than we are.  Some people may be young and some others may be much older and have a lot of experience in their lives except with computers.  Children may be accustomed to being patronized but older people tend to find it tough to accept being treated like that and wouldn't like to be looked down on.  Also, in most cases, their experience can still help them to avoid risks on the net...even if they don't understand why they get spam, most of them are not naive enough to believe the content of it, for example.  Quite a few "red flag" movements failed because of contempt for the objects of their heroism to some extent.  So, polonus, I understand your cause and you are free to regard yourself as a malware fighter who tries to help people (Yes, it's your choice  ;)) but I'm just a mere individual who is trying to be a wiser consumer/citizen through information exchange.

Speaking of the practical aspect of this topic, a part of the reason why I recommend Firefox Portable is that it doesn't store cache by default.  Combined with NoScript, it, I think, offers quite a reasonable safety.  As for RIP, I didn't know about the add-on, and I'll give it a try.  Thanks.  8)

sopadeajo

  • Guest
Quote
a part of the reason why I recommend Firefox Portable is that it doesn't store cache by default

You are wrong Rumple*?*¿;

If you want to protect surfers' privacy (the impossibility for a third party to remotely access the surfer's history/cache), then what you must do is, by default, tell them how to reject tracking scripts and cookies; by default.

Give people the real possibility, by default, to view, read, administrate (OFF LINE!) the history (and cache) of what they have surfed. This will be much better for the information (society (what stupid words!)) than the ethereal go like a bee and do not learn anything. Never stop when browsing, never think.

I am asking Firefox to incorporate a full read/view/administrate history feature, not by default, but switchable (off/on). Those who do not need it, because they do not read/analyse anything, just do not enable it.
In fact NoScript and ABP should be a default feature. We understand, though, that these features are kind of tiring features.

You certainly are not helping people at all by doing this.

« Last Edit: June 20, 2008, 08:51:42 PM by sopadeajo »

bob3160

P A R A N O I A    ;D ;D ;D

polonus

Re: Some security and privacy questions raised at the launching of Fx 3.0
« Reply #10 on: June 22, 2008, 01:04:29 AM »
Hi bob3160,

Why not give the simple solution to it for the average user? "With your browser you can click right, then there is also the possibility to click left, then if a double click does not work, you can as a last resort 'click it away'." Acting this way, Paranoia level will never be reached, and you will live on in blissful unawareness,

polonus

P.S. Click the pic for animation

Sesame

  • Guest
Re: Some security and privacy questions raised at the launching of Fx 3.0
« Reply #11 on: June 22, 2008, 05:31:29 AM »
Quote
a part of the reason why I recommend Firefox Portable is that it doesn't store cache by default
You are wrong Rumple*?*¿;

I meant Firefox Portable with NoScript, which rejects scripts by default.  This will give the user reasonable security, IMO.  Actually, I ended up simply rephrasing my words.  The below is a more desirable quote.

Quote
a part of the reason why I recommend Firefox Portable is that it doesn't store cache by default.  Combined with NoScript, it, I think, offers quite a reasonable safety.

As for cookies, I am using the CS Lite add-on but am not totally happy with it.  I used to use CookieSafe but the add-on has not been updated for quite a long time.

That said, like you, basically, I like software that lets me customize it and allows me to learn about what I am doing through the process.

PS 1 As for my board name, google it and you'll find the origin.  I thought it's a well-known fairy tale but I admit it's not wise to use it as a board name.   :-[

PS 2 Well, we seem to have sandwiched good old polonus and bob, nicely contrasting two opinions.  ;D

DavidR

Re: Some security and privacy questions raised at the launching of Fx 3.0
« Reply #12 on: June 22, 2008, 03:51:18 PM »
Visit the CookieSafe site and the forums, there is a topic which is about compatibility with FF 3.0 and you should be able to find a link for version 3.0.2 which is compatible with FF 3.0, but you would have to remove CS Lite.

polonus

Re: Some security and privacy questions raised at the launching of Fx 3.0
« Reply #13 on: June 23, 2008, 12:46:06 AM »
Hi ye all,

Ten tips to bolster your privacy settings in FF 3.0:
http://www.security-hacks.com/2007/06/08/firefox-10-tips-to-bolster-your-privacy

polonus

P.S. I would like to add BetterPrivacy (new), RIP, the combination of NoScript and ABP, and the Fission add-on

Damian

Sesame

  • Guest
Re: Some security and privacy questions raised at the launching of Fx 3.0
« Reply #14 on: June 23, 2008, 05:58:57 AM »
Quote
Visit the CookieSafe site and the forums, there is a topic which is about compatibility with FF 3.0 and you should be able to find a link for version 3.0.2 which is compatible with FF 3.0, but you would have to remove CS Lite.

Thanx, DavidR.  The forum is linked from the Mozilla official CookieSafe add-on page and was found very easily there.  In fact, I don't know how I hadn't noticed it for such a long time.   :-[

Quote
Ten tips to bolster your privacy settings in FF 3.0:
http://www.security-hacks.com/2007/06/08/firefox-10-tips-to-bolster-your-privacy
(...)
P.S. I would like to add BetterPrivacy (new), RIP, and the combination of NoScript and ABP ,and Fission add-ons

Thanx, polonus.  The site is well-written with plain words.  I already have alternative ways to deal with most of the issues.  For example, I use CCleaner to remove Flash Player cookies.  However, I indeed overlooked some functions such as the one offered by the SafeHistory add-on.

BTW, as for secure connection to Gmail through Firefox, I am using CustomizeGoogle addon with Gmail> secure checked.