On Wed, Jul 15, 2015 at 01:26:16PM +0900, Mike Hommey wrote: > On Wed, Jul 15, 2015 at 03:51:42AM +0200, Bas Wijnen wrote: > > On Wed, Jul 15, 2015 at 01:06:28AM +0200, Jakub Wilk wrote: > > > POST > > > https://safebrowsing.google.com/safebrowsing/downloads?client=Iceweasel&appver=38.1.0&pver=2.2&key=no-google-api-key > > > + a few dozens of GET requests to https://safebrowsing.google.com/ > > > > > > So nothing serious here. It's just casually violating your privacy. > > > > I disagree that the safebrowsing part is not serious, especially considering > > that it continues to send a message there on every new page you visit. Best > > case the only thing that happens is that Google checks that you aren't > > visiting > > a dangerous site. But really? Does anyone believe that Google does not > > store > > this data to monitor browsing habits? > > FUD is easy. How about documenting yourself on how Safe browsing > actually works?
Please don't be so harsh. FUD is about trying to mislead people into thinking untrue bad things about someone. I have no bad intentions, and I don't see why you would think that I do. I have some experience with safe browsing, but indeed I have not looked up how it works. I do know that it continuously sends data to Google, and I have quite a bit of confidence in their capability and willingness to use that data for tracking. From your description it sounds like that is not trivial, but there are smart people at Google, and they have near infinite resources. > Hint: urls are _never_ sent to Google. The worst thing > that Google can know is that the _hash_ of /some/ url you went to, has the > first n bits matching the first n bits of the hash of one (or multiple) > of the known malware of phishing urls. Nothing more. That sounds good, and I believe you that is how it's supposed to work, but I can't quite match it with my observations. The first time I encountered safe browsing was when I was running wireshark for an unrelated reason. I saw lots of packets going to a remote server even though I wasn't doing anything on the network yet. So I checked which host it was, and it turned out to be Google. Given that every product they have seems to be targeting maximum gathering of personal information on people, I worry when my computer is sending a lot of data to them without me asking for it. I also note that it sent requests there all the time. I wasn't even doing anything with my browser, and I didn't have any sites open that would obviously keep contact with the server. I don't remember exactly what happened, but I do remember that it looked like Iceweasel was sending a lot of information about me to Google. As Jakub was saying: just starting it up without even visiting a site yet will do a POST and a *few dozen* GET requests. Shouldn't it be waiting with its checks until it actually knows what to check? What is it sending them at browser startup? So I wanted to make it stop; I can live without the safe browsing feature. I couldn't find it anywhere in the regular preferences. In about:config I searched for it and there is an "enabled" flag, which I turned off, but that didn't actually stop the traffic (is that a bug, or does it disable something in a different way?) Eventually I managed to stop it by replacing all the safebrowsing related urls with empty strings. I don't like that I need to do that much work to prevent my computer from contacting Google. I also don't think I am obligated to find out the technical details of the protocol before I'm allowed to complain about it. All that being said, I agree with Ben that the Iceweasel packaging in Debian is excellent, and I'm happy to know that this is the case. Thanks, Bas -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20150715121808.gp8...@fmf.nl
