[LINK] RFI: Firefox 3.5/3.6
Roger Clarke
Roger.Clarke at xamax.com.au
Fri Mar 26 10:57:47 AEDT 2010
Roger Clarke wrote on Thu, 25 Mar 2010 14:27:22 +1100
>Call me paranoid by all means, but is anyone aware of an analysis of
>Firefox 3.5/3.6 from the viewpoint of consumer rights and privacy? ...
Here's a quick summary of some off-list advice:

1. Geolocation

In Firefox 3.6, Geolocation apparently:
- defaults to 'Ask'
- can be set to 'Never Allow' or somesuch, but I haven't seen how
  you do it in the documentation, and you may have to ask other users
http://en-us.www.mozilla.com/en-US/firefox/geolocation/

2. Other Google-Related Features

There are many - many of which appear to embody serious privacy threats.

(There are some good ones of course - Google does some neat things.
The malware report/safe browsing feature may be one to leave switched
on).

In general (maybe in all cases?), the features have an 'Off' switch.
*But* they cannot be accessed in the Preferences display! Instead
they require a fair bit of knowledge of what's under the bonnet.

Use about:config in the url bar. Some info at
http://kb.mozillazine.org/About:config_entries.

Call me a serious sceptic if you will, but that looks like an active
effort on the part of the designers to advantage marketers over
consumers, by ensuring that only a very small proportion of Firefox
3.6 users block Google-related functions.

3. Cross-Site Scripting

Firefox 3.6 is, as I'd speculated, highly marketer-friendly and
consumer-unfriendly in relation to 'cross-site scripting' (which
refers to the practice of sites that you visit inviting lots of
'strategic partners' to invade your browser).

I gather that users have to (a) understand what's going on, (b) find
out about multiple plug-ins/'embeddeds', (c) take a risk on
installing them, and (d) maybe even then configure them.

Important instances of this category of antidote for Firefox's
nastier features are as follows:
- Noscript
  https://addons.mozilla.org/en-US/firefox/addon/722
- RefControl
  https://addons.mozilla.org/en-US/firefox/addon/953
- JSView
  https://addons.mozilla.org/en-US/firefox/addon/2076

See also AdBlockPlus: http://adblockplus.org/en/

4. Where to find a Consumer-Friendly Browser?

For those of us who decline to use Firefox after 3.0.x, will
SeaMonkey be any more consumer-friendly?
http://www.seamonkey-project.org/doc/features
________________________________________________________________________
Roger Clarke wrote on Thu, 25 Mar 2010 14:27:22 +1100
>Call me paranoid by all means, but is anyone aware of an analysis of
>Firefox 3.5/3.6 from the viewpoint of consumer rights and privacy?
>
>The product pages are in the style of an upbeat marketer.
>
>The suspicion is that the design decisions have been made by upbeat
>marketers for upbeat marketers, rather than by consumers for
>consumers.
>
>Sure, the product trumpets its privacy and security features. But
>these are largely about resistance to 'unauthorised third parties'.
>
>The bigger security and privacy concerns arise from second parties -
>the operators of the web-sites that consumers visit - and
>'pseudo-authorised third parties' - the 'strategic partners' of the
>operators of web-sites that consumers visit.
>
>Looking at the features pages, here are some areas I'm wondering about:
>http://en-us.www.mozilla.com/en-US/firefox/features/
>http://en-us.www.mozilla.com/en-US/firefox/underthehood/
>https://developer.mozilla.org/En/Firefox_3.6_for_developers
>
>- Faster DOM ... added support for new standards
> [no further information provided]
>
>- Network and File Access
> A new File API, based on emerging standards, now allows asynchronous
> event-based access to files (see it in action). Mixed with cross-site
> XMLHttpRequests originally introduced in Firefox 3.5 [wrong: it
> originated at Microsoft], these give Web developers the ability to
> build exciting mashups from multiple Web sites.
>
> [This enables AJAX, and hijack of the browser by the web-server:
> http://www.rogerclarke.com/EC/Web2C.html#AltT ]
>
>- Location-aware Browsing
> ... users can share their location with requesting Web sites, allowing
> developers to customize their applications so they deliver more useful,
> more relevant output. New in Firefox 3.6, developers can lookup the
> address corresponding to a specific location
> https://developer.mozilla.org/En/Using_geolocation
>
> [This is quite specifically a Google tie-in, so there appears to be
> a high likelihood of disclosure of data to Google, irrespective of
> what the laws of various countries, and the weasel-words in the
> various dispersed privacy policy statements might say]
>
>- Personas
> The concept has been debased from a nymous identity to a prettified
> colour-scheme:
> http://en-us.www.mozilla.com/en-US/firefox/features/#look-and-feel
>
>- Instant Web Site ID
>
> [This appears to be another Google tie-in, with all the consumer
> risks that dealing with Google in the background entails]
>
>
>There's no doubt there's a lot of 'good things' in there for consumers.
>
>But it looks like there's a host of 'good things' for marketers,
>which are specifically there to enable manipulation of the browser,
>the consumer's data, and the consumer.
--
Roger Clarke http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
Visiting Professor in the Cyberspace Law & Policy Centre Uni of NSW
Visiting Professor in Computer Science Australian National University