Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for December 5, 2013
Deadline scheduling: coming soon?
LWN.net Weekly Edition for November 27, 2013
ACPI for ARM?
LWN.net Weekly Edition for November 21, 2013
So far as I know, Mozilla Corp is not selling credit card info to third parties yet. ;-)
where does it says that?
Posted Aug 11, 2009 21:05 UTC (Tue) by dlang (✭ supporter ✭, #313)
Posted Aug 11, 2009 21:13 UTC (Tue) by sbergman27 (guest, #10767)
Posted Aug 11, 2009 22:07 UTC (Tue) by dlang (✭ supporter ✭, #313)
or something else?
I don't see how they could have a search box with any default without you accusing them of 'gathering your private information and delivering it' to whoever the default is.
Posted Aug 11, 2009 22:19 UTC (Tue) by coriordan (guest, #7544)
Posted Aug 11, 2009 22:20 UTC (Tue) by sbergman27 (guest, #10767)
I'm saying that it might not be a bad idea to provide the user a bit of choice instead of sending them right to Soilent Corp. and collecting the resulting multi-million dollar checks monthly.
Out of curiosity, are you playing devil's advocate? Or are your serious?
Posted Aug 11, 2009 22:32 UTC (Tue) by dlang (✭ supporter ✭, #313)
I don't see anything wrong with them getting a check for setting the default to one vendor, especially when it's the most popular (and arguably best) search engine in the first place.
Posted Aug 12, 2009 0:33 UTC (Wed) by coriordan (guest, #7544)
Posted Aug 12, 2009 0:52 UTC (Wed) by dlang (✭ supporter ✭, #313)
so they shouldn't be blindly applied to all sites.
at this point you are appointing someone else to select which sites you are going to be able to work with.
just like with the anti-spam blackhole lists, this can be a good thing or a bad thing depending on how closely your definition of a problem site matches the definition of the people managing the list.
remember that for all that you are complaining about them not including 'privacy' features, they do include the ability to block cookies from specific servers, or only accept them for the current session. they even give you the ability to do this choice every single time a cookie is supplied.
nobody takes it to this extreme (I'm one of the more extreme cases, but even I have many sites that I just say "allow and don't ask me" for because it is too painful to look at every cookie.)
exactly what 'privacy features' that are not blacklists of sites do you believe need to be added to firefox that google is blocking?
Mozilla, Google and privacy
Posted Aug 13, 2009 22:57 UTC (Thu) by Tobu (subscriber, #24111)
If Mozilla cared about privacy, they would implement a same-origin policy strong enough to block tracking by advertisers. Google is the biggest advertiser on the web, with 70% of the market since acquiring DoubleClick; and Mozilla gets almost all of its revenue from Google.
Posted Aug 13, 2009 23:28 UTC (Thu) by dlang (✭ supporter ✭, #313)
now if you have a page fetched from one server that contains a link to an image (or other object) on another server, that other server can set a cookie that it will get the next time it is accessed.
this is what companies like doubleclick use to track you as you go to different sites, but there are also many legitimate reasons for this to happen, if you blocked all links that pointed at a server other than the one you pulled the initial page from you would break the web.
if you are referring to something else when you say 'third party cookies' please help me understand.
as far as history retrieval from css goes, the only way to block that is to disable the ability of css to do different things for links that you have visited vs ones that you have not. while doing this is a useful option to have, It's pretty valuable to be able to tell which links on a page you ahve clicked on recently, so I can see why they wouldn't want to disable that globally.
referrer data also has legitimate uses (although I don't have as solid a reason for it off the cuff, and probably not one that you would consider acceptable), and if you want to eliminate it I don't see why you would allow it for embedded content
while I agree that the two actions that you mention harm privacy, they are also features that many people want to have. so you are saying that these features should not exist, which leaves people vulnerable to phishing attacks. I don't see that as a winning approach
as for the multiple pop-ups, you do have the option to tell firefox "don't ask me again for this server". this doesn't mean that there are no problems. the fact that firefox will happily open up hundreds of duplicate pop-ups is a problem (this is problem for authentication pop-ups as well as cookie pop-ups), but I see this as a separate problem (one I would like to see them fix.
Posted Aug 14, 2009 11:43 UTC (Fri) by Tobu (subscriber, #24111)
Cookies are set for the domain content was fetched from, but included content makes the distinction irrelevant. This is indeed what I meant by third-party cookies: cookies set by third-party content.
I don't suggest breaking the web by refusing third-party content. Just that a cookie set on domain D via inclusion on domain A should not be the same as a cookie set on domain D via inclusion on domain B. As far as cookies are concerned, this should be enough to restore privacy.
Posted Aug 15, 2009 3:12 UTC (Sat) by dlang (✭ supporter ✭, #313)
your suggestion to add a referrer-type tag to the cookie store is interesting and I think it would be a very good thing for someone to try implementing.
however it will break some legitimate uses as well as the people you are trying to break. you won't see this breakage on most small sites, but on large sites that spread functionality across multiple URLs you make it will break portions of the site that are common.
Posted Aug 15, 2009 20:17 UTC (Sat) by Tobu (subscriber, #24111)
Posted Aug 15, 2009 3:17 UTC (Sat) by foom (subscriber, #14868)
In Safari it can't. From the preferences...
[ ] Always
[ ] Never
[X] Only from sites I visit
Block cookies from third parties and advertisers.
Posted Aug 15, 2009 3:21 UTC (Sat) by dlang (✭ supporter ✭, #313)
I assume that this isn't the default (that it defaults to yes)
any idea how many sites get broken by this option?
Posted Aug 15, 2009 3:36 UTC (Sat) by foom (subscriber, #14868)
Quite a few are broken by me disabling Flash's data storage, though.
Posted Aug 15, 2009 19:30 UTC (Sat) by njs (guest, #40338)
Posted Aug 15, 2009 20:01 UTC (Sat) by Tobu (subscriber, #24111)
Yeah, but it is ineffective.
I have this option in Chromium and Firefox. All it does is check that the cookie setter (RFC 2965, the dom, maybe equivalents in html5 dom storage
) requests a domain compatible with the current domain.
Content included from another domain works around it, and here both Firefox and Chromium have a myriad of cookies from adservers (these aren't leftovers, they get removed at the end of a session through another firefox setting).
The problem is that the effective way to prevent this (namespace cookies with the referer domain in addition to the cookie domain) hasn't been implemented, and these settings are just a distraction. I haven't tried Safari, but at least for the browsers I use, exposing them as "block third party/tracker/adserver cookies" is misleading. Maybe there is a reason fixing this is not that simple, but I suspect the reason is a big conflict of interest.
Posted Aug 12, 2009 8:05 UTC (Wed) by Los__D (guest, #15263)
That plugin could easily contain the privacy features you want/need.
Posted Aug 12, 2009 8:32 UTC (Wed) by coriordan (guest, #7544)
Nope. Permission is needed:
If you want to ship extensions, themes or plugins installed by default or as part of the same installation process as the Mozilla products (as opposed to, say, linked as XPIs from the default start page), and you plan on distributing them under any Mozilla trademarks, you must therefore first seek approval from Mozilla.
Mozilla's trademark policy
Posted Aug 12, 2009 8:51 UTC (Wed) by dlang (✭ supporter ✭, #313)
what distro asked permission to do this and was refused?
or are you just assuming that mozilla would refuse permission for any plugin that claimed to increase privacy?
Posted Aug 12, 2009 11:23 UTC (Wed) by coriordan (guest, #7544)
customize-google is a better example of a privacy plugin than
adblock. It also can block Google ads, but the cookie privacy protection is the most important feature.
Let's look at the facts:
I found this 2007 article interesting: A dangerous conflict of interest between Firefox and Google.
No, I don't have a link to a communication from Mozilla saying they'd block customize-google. I haven't really looked. I hope I stumble upon something like that some day. Until then, everything indicates that Google is Mozilla's boss and privacy features are not allowed. I don't
see Mozilla denying any of these accusations either.
Posted Aug 12, 2009 14:01 UTC (Wed) by AndreE (subscriber, #60148)
- from the comments, it seems that a number of Mozilla developers privately contacted the author and voiced some disagreements.
-In the comments, the developer of AdBlock Plus states that he was asked my MoCo to spec out integration but declined due to his time constraints
-The XSS thing he points to is very melodramatic. He didn't even bother to correctly summarise the issue. He adds his own hyperbole to the hyperbole of the very biased reporter.
-there is an excellent comment about the inclusion of customize-google. Having a site specific extension that needs continual monitoring to verify its functionality added to the default build really doesn't make any sense at all.
Seriously, that article is just terrible.
There are some legitimate concerns about MoCo and Google, but to be so badly informed and push hype and fact ... oh wait I guess that IS modern journalism.
Posted Aug 13, 2009 15:50 UTC (Thu) by coriordan (guest, #7544)
I still think Mozilla's lack of efforts to improve online privacy is disappointing (and their financial dependence on Google is the only realistic explanation), and that they go too far in using their trademark to prevent others from integrating privacy features.
exactly what privacy features do you want?
Posted Aug 13, 2009 15:57 UTC (Thu) by dlang (✭ supporter ✭, #313)
exactly what is it that you want to see happen?
and please don't respond 'ship privacy modules by default', state what you want the privacy modules to do.
In my opinion, 'protecting privacy' is like 'blocking spam', everyone agrees that it's a good idea, but when you get down to the nitty-gritty of exactly what to do people can't agree on what is a reasonable trade-off between protection and false-positives breaking something that you want to work.
Posted Aug 13, 2009 17:57 UTC (Thu) by coriordan (guest, #7544)
> exactly what is it that you want to see happen?
Despite Mozilla's massive amount of funding, large developer team,
and proven ability to innovate, I suspect you're going to reject any
suggestion I offer that would require them to invest more than one
programmer-day of work. So I'll start dead simple:
How about blocking cookies that are known to be of no use to the
Even just one. Pick one single cookie that tracks users and
provides no benefit, and block it. This would be better than
nothing, but they don't do it.
By putting in more than one programmer-day of effort, this could be
well done. Maybe maintain a very conservative list of bad cookies
(I think there's already a similar feature about a list of phishing
sites to avoid, so maybe this idea could be implemented similarly),
and block them. Maybe block DoubleClick's cookie?
mozdev for "privacy", I get 215 hits. Most aren't
about online privacy, but there must be some ideas in there that
aren't too hard to implement or adapt.
Posted Aug 13, 2009 18:16 UTC (Thu) by dlang (✭ supporter ✭, #313)
however, your example is exactly what I feared it would be.
you want someone to appoint themselves the arbitrators of what cookies should be allowed and what ones should be blocked (either by name or by server)
I have _no_ objection to people creating such lists and allowing users to opt to use such lists.
however I have a very strong objection to building such blacklists into the application by default.
the history of blacklisting should prove this. if blacklists were so obviously good and infallible they would be built into every mail server and every mail client. they aren't (although support for them is common in mail servers), precisely because different people have different opinions on what should be blocked.
firefox already _has_ extensive privacy features, they just aren't configured the way that you want to force everyone to have them configured out of the box.
firefox has per-domain controls over cookies (to deny cookies from that domain), all that someone would have to do is to pre-populate that file, no mozilla programming time needed.
as for the 215 hits on "privacy", I don't care how many ideas there are, or how hard to implement. what I want to know is if they are something that _nobody_ objects to (not just none of the privacy advocates object to)
Posted Aug 13, 2009 4:08 UTC (Thu) by rqosa (subscriber, #24136)
Posted Aug 13, 2009 18:20 UTC (Thu) by coriordan (guest, #7544)
When using the trademark, you can't make changes without Mozilla's permission - i.e. you can't apply security patches. Despite this, distros such as Ubuntu have accepted the trademark restrictions, so they've obviously estimated very highly the user overall cost of removing the trademark.
I don't know the whole Debian story but I think it's that they switched to their branding before the "unbrand" feature was added to the Firefox compile process. You might find the answer on http://en.wikipedia.org/wiki/Mozilla_Corporation_software...
Posted Aug 13, 2009 23:40 UTC (Thu) by rqosa (subscriber, #24136)
Posted Aug 14, 2009 20:56 UTC (Fri) by coriordan (guest, #7544)
Posted Aug 11, 2009 22:33 UTC (Tue) by roc (subscriber, #30627)
Delivering search traffic is of great value, and in this case it helps pay for the development of a lot of free software, including contributions to stuff like cairo, Harfbuzz and Valgrind which benefit people who don't even use Firefox.
> I'm saying that it might not be a bad idea to provide the user a bit of
Clicking on the clearly marked dropdown arrow and selecting another search engine is too hard?
Posted Aug 11, 2009 22:54 UTC (Tue) by sbergman27 (guest, #10767)
For most people. Yes.
For my part, arguing with the deeply entrenched Firefox Fanboy Alliance is too thankless. Dig your own graves. We can revisit the situation in a couple of years, when the reality has become more clear. Today, we Linux folks still tend to be a bit blind to it. "The enemy of my enemy is my friend" and all.
The Gingerbread Man
Posted Aug 11, 2009 22:59 UTC (Tue) by dlang (✭ supporter ✭, #313)
or is _anything_ where they accept money to set a default unacceptable to you?
Posted Aug 12, 2009 6:39 UTC (Wed) by hppnq (guest, #14462)
But also, no distribution wants to ship with Tor enabled or even included by default. Why? Because 1) in some environments you may have to explain why you need this and 2) because it doesn't solve the problem at all. Or do you trust your ISP?
Face it. You're on CCTV. This is not at all about privacy, it is about trust.
Posted Aug 12, 2009 7:32 UTC (Wed) by hppnq (guest, #14462)
Posted Aug 13, 2009 4:19 UTC (Thu) by rqosa (subscriber, #24136)
Posted Aug 13, 2009 12:34 UTC (Thu) by hppnq (guest, #14462)
I owe you the link, I am afraid to google it. ;-)
Posted Aug 11, 2009 22:27 UTC (Tue) by roc (subscriber, #30627)
Firefox's search box even shows the Google icon and the word "Google" before you type into it, so users will know where their search is going. And changing the search engine setting is as simple as clicking on the icon and choosing from the dropdown.
In fact you must dislike other browsers even more. Epiphany, for example, will do searches from the location bar without even showing you beforehand that they're going to Google, and doesn't even provide an easy way to change the destination search engine. The horror!
Posted Aug 11, 2009 22:35 UTC (Tue) by sbergman27 (guest, #10767)
I object to them doing so and collecting $70 million a year without providing some sort of choice to the user up front.
You make a reasonable point regarding the Epiphany location bar. I'll file a complaint. It's not a feature I use. I doubt the Epiphany project is making $70 million a year off it, though.
Posted Aug 11, 2009 23:01 UTC (Tue) by rahulsundaram (subscriber, #21946)
The choice is plain and simple and hardly takes a couple of seconds in a very visible drop down box. Installing additional search engines is pretty trivial as well. If anything, Firefox provides more choice here than other browsers.
Posted Aug 11, 2009 23:17 UTC (Tue) by sbergman27 (guest, #10767)
Posted Aug 11, 2009 23:40 UTC (Tue) by rahulsundaram (subscriber, #21946)
Posted Aug 11, 2009 23:45 UTC (Tue) by sbergman27 (guest, #10767)
Posted Aug 12, 2009 18:49 UTC (Wed) by stickster (guest, #40146)
Posted Aug 12, 2009 5:10 UTC (Wed) by njs (guest, #40338)
I definitely keep a wary eye on Google and friends, and find it annoying that I have to install AdBlock myself. But what I get in return is hundreds of people working full-time to build me a better browser and fight for an open web. I agree that people should be aware of what's going on, but I contend that it's entirely possible to understand the situation and still support it.
(Disclosure: I don't have any direct connection to Mozilla, but several friends work there.)
Posted Aug 12, 2009 5:33 UTC (Wed) by sbergman27 (guest, #10767)
Sure. But I wonder what percentage of FF pawns are "aware of what's going on", and "understand the situation".
Our current Microsoft overlord came to power while we were still too much focused upon our old IBM overlord. In 10 years time, I don't want to be fighting the iron grip that Google has on us all. A grip which we are willingly giving it today.
If you are still casting Mozilla Corp as a "Freedom Fighter", you are not keeping a wary enough eye upon Google and friends, if I may be so bold as to say so.
Posted Aug 12, 2009 6:49 UTC (Wed) by nix (subscriber, #2304)
The news that Firefox receives lots of money from Google in exchange for
simply setting one default, well, good for them! money for free software
development in exchange, not for selling their souls, but for doing
something they were *going to do anyway* and were in fact *already doing*
and *so is every other non-MS browser vendor*.
Posted Aug 12, 2009 7:56 UTC (Wed) by njs (guest, #40338)
I agree, but don't see any connection to the current article. Is there a freedom-supporting search engine that you would rather Firefox default to instead? Or how *should* Mozilla be fighting back against Google, exactly?
> If you are still casting Mozilla Corp as a "Freedom Fighter", you are not keeping a wary enough eye upon Google and friends, if I may be so bold as to say so.
I've seen plenty of concrete stuff that Mozilla folk have done to open up the web and keep it that way, and their governance structure makes it near-illegal for them to do anything else. So sure, you can be that bold, but I won't believe you unless you can back it up with more than ominous hand-waving and guilt-by-association.
Posted Aug 13, 2009 21:06 UTC (Thu) by rscharfe (subscriber, #39299)
The only search engine I know of that claims to respect your privacy is this one: http://www.ixquick.com/eng/protect_privacy.html.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds