Page MenuHomePureOS Tracker
Create Task
Maniphest T343

[FREEDOM ISSUE] Tor-browser addon manager is not DFSG compliant but can be disabled
Open, Freedom IssuePublic
Actions

Description

Package: torbrowser-launcher
Tag: [uses-nonfree]
Reference: https://libreplanet.org/wiki/List_of_software_that_does_not_respect_the_Free_System_Distribution_Guidelines#firefox
Short description:
Proposed solution: patch
Replacement:
Notes:

How to reproduce:
(1) Install torbrowser-launcher and install the tor-browser with it
(2) Go in the add-ons manager
(3) Search for ghostery in the search bar
(4) Ghostery (a non free addon) appears and can be installed easily

(there is an install button)

Some pointers to fix it:

  • The Tor project suggest not to use any addons. So disabling addons shound't be a concern. Addons can easily be disabled by searching for "addon" in about:config and changing the URL.
  • Tor browser privacy protections heavily depends on preventing browser fingerprinting: If this fix enables an attacker to differenciate between PureOS's tor-browser and the other tor-browsers, then the privacy protections are gone. So after trying to disable the addons, this needs to be tested. https://panopticlick.eff.org/ can help with that, as you can:
    • Check if the resulting browser is close to unique
    • Compare with an unmodified tor-borwser (it can be installed on the side for the purpose of testing but both browsers cannot at the same time). You can measure the number of bits of identifying information that way as the website reports it. You have a message like that on the page: "Currently, we estimate that your browser has a fingerprint that conveys XXXX bits of identifying information." You can also check the following bug that involved the addon manager to understand better if users can be deanonimized if the addon manager is disabled or its url points to something else: https://bugzilla.mozilla.org/show_bug.cgi?id=1303127

To do the fix suggested above, either tor-browser or its installer needs
to be patched to ship a different configuration default for the addons.
Once this is done, it's also a good idea to take a look at the security
slider to see if the tor-browser complains about not having default
settings. If it complains, it should be fixed not to make it complain.

Event Timeline

GNUtoo created this task.Feb 24 2018, 14:17
zlatan.todoric reassigned this task from hema.prathaban to jonas.smedegaard.Feb 25 2018, 08:32
zlatan.todoric added a subscriber: hema.prathaban.
zlatan.todoric edited subscribers, added: chris.lamb; removed: hema.prathaban.
mladen lowered the priority of this task from 95 to Freedom Issue.Feb 26 2018, 14:36
chris.lamb renamed this task from [FREEDOM ISSUE] Tor-browser addon manager is not FSDG compliant but can be disabled to [FREEDOM ISSUE] Tor-browser addon manager is not DFSG compliant but can be disabled.Feb 26 2018, 14:46
jonas.smedegaard removed jonas.smedegaard as the assignee of this task.Aug 20 2018, 00:19
jonas.smedegaard added a subscriber: jonas.smedegaard.
jonas.smedegaard removed a subscriber: jonas.smedegaard.