This repository has been archived by the owner on Jun 24, 2022. It is now read-only.

Changing the extensions.blocklist.url flag #565

Merged Nov 7, 2018 (2 commits)

@HxxxxxS HxxxxxS commented Nov 7, 2018

Limit the amount of identifiable information sent when requesting the Mozilla harmful extensions blocklist.

Description

From Reddit user /u/LocalFigurez at https://old.reddit.com/r/privacytoolsIO/comments/9uqeew/firefox_tip_sanitize_firefox_blocklist_url_so_it/

Firefox includes a feature that connects at regular intervals (every 24 hours) to Mozilla's servers to download a blocklist of harmful extensions, vulnerable plugins and crash-prone graphics drivers. This request includes the following information:

APP_ID
APP_VERSION
PRODUCT
VERSION
BUILD_ID
BUILD_TARGET
OS_VERSION
LOCALE
CHANNEL
PLATFORM_VERSION
DISTRIBUTION
DISTRIBUTION_VERSION
PING_COUNT
TOTAL_PING_COUNT
DAYS_SINCE_LAST_PING

By changing extensions.blocklist.url from

https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/

to

https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/

Firefox won't send identifiable information in the blocklist request and you will still get all the security features from it.

HTML Preview

https://htmlpreview.github.io/?https://github.com/HxxxxxS/privacytools.io/blob/patch-1/index.html
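
A check for the change described above, as an added example that is not part of the pull request or the privacytools.io code: it reads the text of a `user.js`/`prefs.js` file and lists which `%TOKEN%` fields the effective `extensions.blocklist.url` would still send. The function names and the sample file are constructed here, and it assumes the default URL quoted above applies when the preference is unset and that the last `user_pref` entry wins.

```python
import re

PREF = "extensions.blocklist.url"
# Default value as quoted in the PR description; assumed to apply when the pref is unset.
DEFAULT_URL = (
    "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/"
    "%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/"
    "%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/"
    "%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/"
)
# Matches string-valued user_pref() lines; lines starting with // do not match.
PREF_RE = re.compile(r'^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;', re.M)
TOKEN_RE = re.compile(r"%([A-Z_]+)%")  # %NAME% substitution tokens

# Constructed sample user.js (not taken from any real profile).
SAMPLE_USER_JS = """\
// user_pref("extensions.blocklist.url", "https://example.invalid/%LOCALE%/");
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/");
"""


def effective_blocklist_url(prefs_text):
    """Return the blocklist URL in effect: the last user_pref wins, else the default."""
    url = DEFAULT_URL
    for name, value in PREF_RE.findall(prefs_text):
        if name == PREF:
            url = value
    return url


def extra_placeholders(url, allowed=("APP_ID", "APP_VERSION")):
    """List the %TOKEN% fields in the URL that are not in the allowed set, in order."""
    return [tok for tok in TOKEN_RE.findall(url) if tok not in allowed]


def audit(prefs_text, allowed=("APP_ID", "APP_VERSION")):
    """Return (effective_url, extra_fields) for a user.js / prefs.js text."""
    url = effective_blocklist_url(prefs_text)
    return url, extra_placeholders(url, allowed)


if __name__ == "__main__":
    for label, text in (("sample user.js", SAMPLE_USER_JS), ("no override", "")):
        url, extra = audit(text)
        print(f"{label}: {len(extra)} extra field(s): {', '.join(extra) or 'none'}")
```

Passing `allowed=()` reports every token, which is the stricter check for a URL that is meant to carry no substitution fields at all.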

Limit the amount of identifiable information sent when requesting the Mozilla harmful extensions blocklist.

ghost commented Nov 7, 2018

Thank you.

Can anyone confirm that it will download the same list even if you limit the arguments to APP_ID and APP_VERSION?


zalox commented Nov 7, 2018

Hi @Shifterovich, I can't confirm, but if you do https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/ you get the list.


HxxxxxS commented Nov 7, 2018

https://i.imgur.com/1u75Xim.png
Changing random parameters from null
https://i.imgur.com/CADDurI.png


HxxxxxS commented Nov 7, 2018

I suppose you could even set the extensions.blocklist.url flag to the nullbyte parameter url @zalox posted above.

@Shifterovich let me know if you think I should edit the PR to include this.


zalox commented Nov 7, 2018

Hi @HxxxxxS, your wget diff should use capital -O instead of -o.

I took the liberty to test with the version set to 63.0:

wget -O 1.html -q https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/63.0
wget -O 2.html -q https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%20/%20/
diff 1.html 2.html

edit: remove $ in front of bash commands


HxxxxxS commented Nov 7, 2018

Haha, my bad. But seems point still stands.


ghost commented Nov 7, 2018

╭─xxx@yyy /tmp/ptio  
╰─$ sha256sum 1.html 
5f036970d2889afbc10da1b01733f4c02d8ace7c5e57d936c33ecc163d0c152e  1.html
╭─xxx@yyy /tmp/ptio  
╰─$ sha256sum 2.html 
5f036970d2889afbc10da1b01733f4c02d8ace7c5e57d936c33ecc163d0c152e  2.html

https://blocklists.settings.services.mozilla.com/v1/blocklist/3/privacy/tools/ works as well. Any pair of values works as long as it ends with /.

The one concern with changing APP_ID/VERSION to something random is that it could break some things, but at this time, mozilla.com serves the same content regardless of these values.

I like the null byte approach the most. Even better than serving APP_ID. Can you update the PR to the null byte version?

We don't actually need to supply the `%APP_ID%`/`%APP_VERSION%` parameters
@ghost ghost merged commit 81a659d into privacytools:master Nov 7, 2018

ghost commented Nov 7, 2018

Thanks.


ghost commented Nov 7, 2018

@Shifterovich

Also, there is the browser.safebrowsing.downloads.remote.enabled preference, which can be set to false. This disables safebrowsing binaries which aren't on local lists being checked by Google (real-time metadata checking). Also, this does NOT disable the safebrowsing feature, which would otherwise weaken security.

https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/

This was pointed out in the same Reddit thread.


ghost commented Nov 7, 2018

@GuyInTheShadows Take a look at #339


ghost commented Nov 7, 2018

Thanks for the link. I will read it through.

@beerisgood

@GuyInTheShadows you don't need safebrowsing if you use uBlock Origin.
Also using safebrowsing is a privacy problem

@HxxxxxS HxxxxxS deleted the patch-1 branch March 12, 2019 09:13
This pull request was closed.