PureBrowser allows Firefox Shield studies to be installed (but not run)
Open, Low, Public

Description

After the weekend's debacle over the expired certificates, I noticed that even though PureBrowser had the options greyed out regarding "Allow Firefox to install and run studies", when I clicked on "View Firefox studies" I could see the workaround fix had already been installed automatically, indicating that despite the setting being unavailable, the feature is still enabled.

Looking further in about:config, I could see that Normandy was enabled:
app.normandy.enabled

IMO this should be disabled by default in PureBrowser, to better align with PureOS and Purism's mission and protecting the users from unintended consequences

Even though in this case Mozilla was being helpful with it, it still feels dirty --- moreover I still had to manually apply the XPI fix myself even if it was already pulled by the studies, so I'm not sure how much of this feature is enabled or disabled in PureBrowser.

Screenshots:

patrixl created this task. May 6 2019, 7:21 AM
patrixl added a project: Restricted Project.
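As an added example (not from this tracker thread and not PureBrowser's or Mozilla's own code), a small Python check that reads a profile's prefs.js, reports the state of app.normandy.enabled and emits the user.js line that turns it off; it assumes Firefox's shipped default for that pref is true, so a pref absent from prefs.js counts as enabled. The prefs.js text below is constructed for the demo.

```python
"""Audit a Firefox/PureBrowser profile for the Normandy (Shield studies) switch.

Added example, not part of the tracker thread or of PureBrowser itself.
prefs.js is a series of `user_pref("name", value);` lines written by Firefox;
this parser handles the bool/int/string values that format uses.
"""
import re

# One user_pref(...) call per line; value is captured raw and typed below.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample resembling a profile where the reporter's observation holds.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences (constructed sample)
user_pref("app.normandy.enabled", true);
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.cookie.cookieBehavior", 1);
"""


def parse_prefs(text):
    """Return {name: value} for every user_pref line; values become bool/int/str."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref call
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = raw  # keep anything unusual as its literal text
    return prefs


def normandy_enabled(prefs):
    """Assumption: Firefox ships app.normandy.enabled=true, so a missing pref means enabled."""
    return bool(prefs.get("app.normandy.enabled", True))


def audit(prefs_js_text):
    """Summarise the profile: is Normandy on, and what user.js line would turn it off."""
    enabled = normandy_enabled(parse_prefs(prefs_js_text))
    return {
        "normandy_enabled": enabled,
        "fix": None if not enabled else 'user_pref("app.normandy.enabled", false);',
    }


if __name__ == "__main__":
    print(audit(SAMPLE_PREFS_JS))
```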

Is PureBrowser the *only* Mozilla browser you run on that machine?

jonas.smedegaard triaged this task as "Low" priority. May 6 2019, 7:09 PM

It is my understanding that PureBrowser is immune to the Normandy backdoor, because PureBrowser has removed the hidden system add-on "Application Update Service Helper" (along with all other hidden system add-ons).

If I understand you correctly, @patrixl, even though you saw some indications of Normandy having been active the actual action was unsuccessful, which I take as (vague) confirmation that "Application Update Service Helper" was needed for Mozilla to properly make use of their backdoor.

Lowering this, since it then becomes only a cosmetic issue of what config options are shown.

jonas.smedegaard changed the title from "PureBrowser still allows Firefox Shield studies to be installed and run" to "PureBrowser confusingly looks like it allows Firefox Shield studies to be installed and run". May 6 2019, 7:10 PM

> Is PureBrowser the *only* Mozilla browser you run on that machine?

Yes, I "only" have 3 browsers installed:
PureBrowser
Gnome Web
Chromium

> It is my understanding that PureBrowser is immune to the Normandy backdoor, because PureBrowser has removed the hidden system add-on "Application Update Service Helper" (along with all other hidden system add-ons).
>
> If I understand you correctly, @patrixl, even though you saw some indications of Normandy having been active the actual action was unsuccessful, which I take as (vague) confirmation that "Application Update Service Helper" was needed for Mozilla to properly make use of their backdoor.
>
> Lowering this, since it then becomes only a cosmetic issue of what config options are shown.

Normandy was enabled according to about:config, and additionally a Shield Study did show up in about:studies, so something DID get installed, even though it didn't appear to have any effect (i.e. no fix was actually applied until I manually downloaded the XPI from Mozilla and installed it).

So something is still going on even though it appears to not be fully functional as you said.

I'm not sure if this is purely cosmetic because something did happen. See the 2nd screenshot in my first post:

Regards,
Patrice.

I am still not convinced that anything more severe than cosmetic was "going on": Please clarify how you come to the conclusion that Firefox Shield studies was installed and run.

> I am still not convinced that anything more severe than cosmetic was "going on": Please clarify how you come to the conclusion that Firefox Shield studies was installed and run.

I came to that conclusion by seeing a study in about:studies, as per the previous screenshot. This means the study got installed, which means some pinging of some kind happened between PureBrowser and Mozilla. This study is specifically about the weekend's incident, so it's doubtful it came preloaded with PureBrowser.

It's the same study I saw on my Mac, where it applied the fix successfully, unlike PureBrowser, so at least I know the feature is not 100% functional on PureBrowser, but the fact that the study was there at all, to me, indicates something was done automatically to my browser, without prior knowledge or notifying or agreement from the user. At least that's the conclusion that makes sense to me.

Regards,
Pat.

jonas.smedegaard changed the title from "PureBrowser confusingly looks like it allows Firefox Shield studies to be installed and run" to "PureBrowser allows Firefox Shield studies to be installed (but not run)". May 8 2019, 10:51 AM

I agree that it seems the study gets installed onto the local machine - but not run: the fix was not applied.

My concern was if backdoor could be abused (i.e. I focused on the "and" in your original title).

You got a point that even if not successfully executed there is a concern that Mozilla can push data onto the local machine at all.

Issue title adapted accordingly.

Thanks!

> I agree that it seems the study gets installed onto the local machine - but not run: the fix was not applied.
>
> My concern was if backdoor could be abused (i.e. I focused on the "and" in your original title).
>
> You got a point that even if not successfully executed there is a concern that Mozilla can push data onto the local machine at all.
>
> Issue title adapted accordingly.

Thanks!

Pat.
