Proposed solution: patch
How to reproduce:
(1) Install torbrowser-launcher and install the Tor Browser with it
(2) Open the Add-ons Manager
(3) Search for "ghostery" in the search bar
(4) Ghostery (a non-free add-on) appears and can be installed in one click
(there is an Install button)
Some pointers to fix it:
- The Tor Project recommends not installing any add-ons, so disabling add-on search and installation shouldn't cost users anything. It can be disabled by searching for "addon" in about:config and changing the add-on search/discovery URL preferences to point elsewhere.
- Tor Browser's privacy protections depend heavily on preventing browser fingerprinting: if this fix lets an attacker tell PureOS's tor-browser apart from other Tor Browsers, the privacy protections are gone. So after disabling the add-ons, the result needs to be tested. https://panopticlick.eff.org/ can help with that, as you can:
  - Check whether the resulting browser is close to unique.
  - Compare against an unmodified tor-browser (it can be installed on the side for testing, but the two browsers cannot run at the same time). The site reports the number of bits of identifying information it measured, in a message like: "Currently, we estimate that your browser has a fingerprint that conveys XXXX bits of identifying information." Run both browsers with the same window size and the same security slider level, so that any difference in that number comes from the add-on change alone. Panopticlick measures uniqueness against its own visitor population, in which Tor Browser users are a minority, so treat the estimate as a rough guide rather than an exact figure.
- To understand better whether users can be deanonymized when the add-on manager is disabled or its URL points elsewhere, see the following Mozilla bug, which involved the add-on manager: https://bugzilla.mozilla.org/show_bug.cgi?id=1303127
To ship the fix suggested above, either tor-browser or its installer
needs to be patched to ship different configuration defaults for the
add-on preferences (torbrowser-launcher downloads the upstream Tor
Browser bundle rather than building it, so the launcher is the natural
place for a distribution patch). Once this is done, also take a look at
the security slider to see whether tor-browser complains about not
having default settings. If it complains, the patch should be adjusted
so that it does not.
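As a concrete illustration of the configuration half of the fix, here is an added shell script (not from this ticket, torbrowser-launcher or Tor Browser) that writes user.js overrides into a Tor Browser profile so that the Add-ons Manager's search and discovery endpoints point nowhere. The preference names are the Firefox ESR-era extensions.getAddons.* and extensions.webservice.discoverURL prefs; treat them as an assumption and confirm them in about:config for the Tor Browser version actually shipped. The torbrowser-launcher profile path in the comment is likewise an assumption. This covers only the preference change; the fingerprint comparison described above still has to be done on the result.

```shell
#!/bin/sh
# Added example: override Tor Browser's add-on search/discovery prefs via
# user.js so the Add-ons Manager can no longer find or offer Ghostery.
set -eu

# Preference overrides (assumed names; verify in about:config).
ADDON_PREFS='
user_pref("extensions.getAddons.showPane", false);
user_pref("extensions.getAddons.search.url", "");
user_pref("extensions.getAddons.search.browseURL", "");
user_pref("extensions.getAddons.get.url", "");
user_pref("extensions.webservice.discoverURL", "");
'
MARKER='// tb-no-addon-search: block add-on search/discovery (added overrides)'

# Assumed default profile created by torbrowser-launcher (adjust arch/locale):
#   $HOME/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/TorBrowser/Data/Browser/profile.default

# disable_addon_search PROFILE_DIR
# Idempotently append the overrides to PROFILE_DIR/user.js (Firefox re-reads
# user.js on every start, so the values survive prefs.js rewrites).
# Returns 0 on success, 1 if the profile directory does not exist.
disable_addon_search() {
    profile="$1"
    userjs="$profile/user.js"
    [ -d "$profile" ] || { echo "no such profile: $profile" >&2; return 1; }
    # Already applied: do not append a second copy.
    if [ -f "$userjs" ] && grep -qF -- "$MARKER" "$userjs"; then
        return 0
    fi
    {
        printf '%s\n' "$MARKER"
        printf '%s\n' "$ADDON_PREFS" | sed '/^$/d'
    } >> "$userjs"
}

# addon_search_disabled PROFILE_DIR
# Returns 0 only if every override line is present in PROFILE_DIR/user.js.
addon_search_disabled() {
    userjs="$1/user.js"
    [ -f "$userjs" ] || return 1
    # The while loop runs in a subshell; its exit status is the pipeline's.
    printf '%s\n' "$ADDON_PREFS" | sed '/^$/d' | while IFS= read -r line; do
        grep -qF -- "$line" "$userjs" || exit 1
    done
}

# Usage: sh this-script.sh /path/to/profile.default
if [ $# -gt 0 ]; then
    disable_addon_search "$1"
    addon_search_disabled "$1" && echo "add-on search/discovery disabled in $1"
fi
```

Run it against the profile directory once; a second run is a no-op because of the marker line. After restarting Tor Browser, confirm in about:config that the overridden prefs show the new values, then do the fingerprint comparison above against an unmodified Tor Browser.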