[LINK] Mozilla in the Frontline of CyberWarfare

Roger Clarke Roger.Clarke at xamax.com.au
Sat Sep 1 10:56:13 AEST 2012


At 8:12 +1000 1/9/12, tomk wrote:
>I've been using Mozilla in one form or another since 1995.
...
>This is extremely aggressive and unusual behaviour on the part of Firefox.
>It would appear that Firefox have sold out to the Corporativism meme and
>can no longer be trusted to operate as agreed.

Mozilla and Firefox ceased to be trustworthy quite some time ago.

I suspect that the simplest explanation is that the organisation must 
be run by geeks-who-think-like-marketers not 
geeks-who-think-like-consumers.

Posts from Aug 2009, Mar 2010 and Jul 2011 are below, tracking the 
collapse of the organisation into just another corporate facilitation 
platform.

_______________________________________________________________________


Date: Sun, 16 Aug 2009 20:50:03 +1000
To: link at anu.edu.au
From: Roger Clarke <Roger.Clarke at xamax.com.au>
Subject: RFC:  Is Firefox 3.5 a reason to join, or leave?

Firefox 3.5 has had a number of security and functionality problems, 
but perhaps it's settling down now, at 3.5.2:
http://www.mozilla.com/en-US/firefox/3.5.2/releasenotes/

As a Firefox 3.0.<recent-version> user, I'm concerned about a number 
of aspects of v3.5.  For starters:

-   what's changed?  This helps, but isn't all that useful really:
     http://www.mozilla.com/en-US/firefox/features/

-   does it over-write 3.0.x, or is it an additional installation,
     leaving 3.0.x in place

-   what range of security-settings does it offer, e.g. relating to:
     -   cookie prevention
     -   cookie management
     -   data disclosure in GETs and POSTs
     -   support for multiple identities

     It's a concern that the security enhancement it trumpets is a
     response to a minor problem rather than a major one
     ('Private Browsing', aka 'don't let your Mum see what you've done')

-   crucially, how 'insecure-by-design' is it?

     Put another way, is this designed for users or web-server managers?

     Under 'The Cutting Edge', these are a serious concern:
     -   HTML5
     -   Cross-Site XMLHttpRequest

     So it's designed to enable AJAX engines?
     (which equate to server-side control over the browser)

     And it's enhancing the very features that facilitate
     web application attacks and drive-by infections?


I'd appreciate insights and leads.  I suspect others might too.

_________________________________________________________________________

 From http://www.rogerclarke.com/EC/Web2C.html#AltT (2006-07):

"Another limiting factor[of 'Ajax engines' within browsers] is the 
insecurity inherent in such techniques. The corporation's 
applications are capable of being manipulated, subverted or hijacked, 
because a considerable amount of active code is visible client-side 
(e.g. Paul 2007).

"From the user's perspective, however, control of the browser-window 
by code delivered by an application running on the server represents 
subversion of the concept of the Web and hijack of the functions of 
the browser. Marketers have repeatedly tried to bully the Web into a 
means of 'pushing' ads to consumers, despite the inherently 'pull' 
nature of the HTTP protocol. AJAX at last provides an environment in 
which the advertiser's dream of web-casting can be implemented. 
Perhaps 'billboards on the information superhighway' were trumpeted 
by Schrage (1994) a decade too early. And, now that they can be 
delivered, they come with a capacity for ad-targeting far greater 
than was feasible at that time."

_______________________________________________________________________

>Date: Thu, 25 Mar 2010 14:27:22 +1000
>Subject: RFI: Firefox 3.5/3.6
>
>Call be paranoid by all means, but is anyone aware of an analysis of 
>Firefox 3.5/3.6 from the viewpoint of consumer rights and privacy?
>
>The product pages are in the style of an upbeat marketer.
>
>The suspicion is that the design decisions have been made by upbeat 
>marketers for upbeat marketers, rather than by consumers for 
>consumers.
>
>Sure, the product trumpets its privacy and security features.  But 
>these are largely about resistance to 'unauthorised third parties'. 
>
>The bigger security and privacy concerns arise from second parties - 
>the operators of the web-sites that consumers visit - and 
>'pseudo-authorised third parties' - the 'strategic partners' of the 
>operators of web-sites that consumers visit.
>
>Looking at the features pages, here are some areas I'm wondering about:
>http://en-us.www.mozilla.com/en-US/firefox/features/
>http://en-us.www.mozilla.com/en-US/firefox/underthehood/
>https://developer.mozilla.org/En/Firefox_3.6_for_developers
>
>-   Faster DOM ... added support for new standards
>     [no further information provided]
>
>-   Network and File Access
>     A new File API, based on emerging standards, now allows asynchronous
>     event-based access to files (see it in action). Mixed with cross-site
>     XMLHttpRequests originally introduced in Firefox 3.5 [wrong:  it
>     originated at Microsoft], these give Web developers the ability to
>     build exciting mashups from multiple Web sites.
>
>     [This enables AJAX, and hijack of the browser by the web-server:
>     http://www.rogerclarke.com/EC/Web2C.html#AltT ]
>
>-   Location-aware Browsing
>     ... users can share their location with requesting Web sites, allowing
>     developers to customize their applications so they deliver more useful,
>     more relevant output. New in Firefox 3.6, developers can lookup the
>     address corresponding to a specific location
>     https://developer.mozilla.org/En/Using_geolocation
>   
>     [This is quite specifically a Google tie-in, so there appears to be
>     a high likelihood of disclosure of data to Google, irrespective of
>     what the laws of various countries, and the weasel-words in the
>     various dispersed privacy policy statements might say]
>
>-   Personas
>     The concept has been debased from a nymous identity to a prettified
>     colour-scheme: 
>     http://en-us.www.mozilla.com/en-US/firefox/features/#look-and-feel
>
>-   Instant Web Site ID
>
>     [This appears to be another Google tie-in, with all the consumer
>     risks that dealing with Google in the background entails
>
>
>There's no doubt there's a lot of 'good things' in there for consumers.
>
>But it looks like there's a host of 'good things' for marketers, 
>which are specifically there to enable manipulation of the browser, 
>the consumer's data, and the consumer.

_______________________________________________________________________

>Date: Fri, 26 Mar 2010 10:57:47 +1000
>Subject: Re: [LINK] RFI: Firefox 3.5/3.6
>
>Roger Clarke wrote on Thu, 25 Mar 2010 14:27:22 +1100
>>Call be paranoid by all means, but is anyone aware of an analysis of
>>Firefox 3.5/3.6 from the viewpoint of consumer rights and privacy? ...
>
>Here's a quick summary of some off-list advice:
>
>1.  Geolocation
>
>In Firefox 3.6, Geolocation apparently:
>-   defaults to 'Ask'
>-   can be set to 'Never Allow' or somesuch, but I haven't seen how
>     you do it in the documentation, and you may have to ask other users
>     http://en-us.www.mozilla.com/en-US/firefox/geolocation/
>
>
>2.  Other Google-Related Features
>
>There are many - many of which appear to embody serious privacy threats.
>
>(There are some good ones of course - Google does some neat things. 
>The malware report/safe browsing feature may be one to leave 
>switched on).
>
>In general (maybe in all cases?), the features have an 'Off' switch.
>
>*But* they cannot be accessed in the Preferences display!  Instead 
>they require a fair bit of  knowledge of what's under the bonnet. 
>Use about:config in the url bar.  Some info at 
>http://kb.mozillazine.org/About:config_entries.
>
>Call me a serious sceptic if you will, but that looks like an active 
>effort on the part of the designers to advantage marketers over 
>consumers, by ensuring that only a very small proportion of Firefox 
>3.6 users block Google-related functions.
>
>
>3.  Cross-Site Scripting
>
>Firefox 3.6 is, as I'd speculated, highly marketer-friendly and 
>consumer-unfriendly in relation to 'cross-site scripting' (which 
>refers to the practice of sites that you visit inviting lots of 
>'strategic partners' to invade your browser).
>
>I gather that users have to (a) understand what's going on, (b) find 
>out about multiple plug-ins/'embeddeds', (c) take a risk on 
>installing them, and (d) maybe even then configure them.
>
>Important instances of this category of antidote for Firefox's 
>nastier features are as follows: 
>-   Noscript
>     https://addons.mozilla.org/en-US/firefox/addon/722
>-   RefControl
>     https://addons.mozilla.org/en-US/firefox/addon/953
>-   JSView
>     https://addons.mozilla.org/en-US/firefox/addon/2076
>
>See also AdBlockPlus:  http://adblockplus.org/en/
>
>
>4.  Where to find a Consumer-Friendly Browser?
>
>For those of us who decline to use Firefox after 3.0.x, will 
>SeaMonkey be any more consumer-friendly? 
>http://www.seamonkey-project.org/doc/features

_______________________________________________________________________

>Roger wrote on Sun, 17 Jul 2011 16:54:06 +1000
>>Constructively negative comments are urgently sought on the 
>>following exposure draft:
>>          Reactions to Mozilla's BrowserID Proposal
>>          http://www.rogerclarke.com/II/BrowserID-1107.html

_______________________________________________________________________

>Roger wrote on Tue, 19 Jul 2011 08:39:30 +1000
>>Mozilla want to have a yarn with me.
>>I've previously said very negative things about Mozilla's recent browsers:
>http://mailman.anu.edu.au/pipermail/link/2010-March/087411.html
>http://mailman.anu.edu.au/pipermail/link/2010-March/087415.html
>http://mailman.anu.edu.au/pipermail/link/2010-November/090443.html
>>
>>But I've never done a solid analysis of their features, in order to 
>>be specific about their anti-consumer nature.
>>Can anyone point me to any such analyses?
>>Re HTML 5 specifically, there's the NYT article of Oct 2010:
>http://mailman.anu.edu.au/pipermail/link/2010-October/089788.html

_______________________________________________________________________

>Date: Wed, 20 Jul 2011 09:53:46 +1000
>Subject: Re: RFC: Negative Assessment of Mozilla BrowserID
>
>I had a call from, and an interesting chat with, Mozilla's Alex 
>Fowler (policy) and Ben Adida and Dan Mills (tech leads on the 
>privacy team).
>
>They believe they have a better story to tell than I have been able 
>to extract from their document.
>
>In particular:
>-   signing keys are per-email-address and short-lived (hrs to a day)
>     and hence of quite limited use as a means of correlating traffic
>-   they have ideas on how to encourage and support the use of
>     'single-site email-addresses'
>-   the database-server approach is intended only as a boot-strapping
>     mechanism, and the authentication mechanism is intended to be
>     implemented in the browser.  (To be fair, their page does say this,
>     but I wanted to undermine the idea of sustaining the server)
>
>They said they're working on other privacy-protective features for 
>the browser family.  But they prettymuch accepted my statement that 
>they're pushing a big rock up a steep hill, given how inherently 
>marketer-friendly and consumer-hostile the current versions of 
>Firefox have become.
>
>They say they think they need a more privacy-oriented explanation of 
>the initiative.  I encouraged separate papers for commercial 
>web-sites, for intermediaries and technology providers, and for 
>consumers.  (Naturally, sceptics in all three camps would want to 
>read all three, but this way the pitch to each interest-group would 
>be clear).
>
>They intend an open call to privacy advocates for feedback, and I 
>stressed the need to get a wide-enough list.  Alex mentioned CDT, 
>and is ex-EFF.  I mentioned EPIC, PI and APF, and specifically 
>referred to the valuable feedback I'd had on the PI Advisory Board 
>list.
>
>We'll see.
>
>_______________________________________________________________________


Update on 1 Sep 2012:

Over a year later, I've received no invite to comment, either as a 
previous critic put on their list of invitees, or as Chair of APF, or 
as an Advisory Board member of PIS, or as a Director of ISOC-AU, and 
I've never heard of any such call ever being issued to other people 
or organisations.

Don't imagine for a moment that Mozilla products are safe.

_______________________________________________________________________


-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law               University of NSW
Visiting Professor in Computer Science    Australian National University



More information about the Link mailing list