
desktop-packages team mailing list archive

[Bug 455068] Re: Merely starting Firefox gives user a permanent Google cookie

 

** Also affects: firefox (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/455068

Title:
  Merely starting Firefox gives user a permanent Google cookie

Status in “firefox” package in Ubuntu:
  Confirmed
Status in “firefox-3.5” package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: firefox-3.5

  Immediately after installing Ubuntu (karmic UNR beta), merely running
  the web browser causes the user to be tagged with a 2-year Google
  tracking cookie and a 1-year BBC.CO.UK cookie.

  The act of simply *starting* the browser should not produce *any*
  permanent tracking cookies.  Let alone Google "do some evil", track
  everyone everywhere and remember everything forever, cookies.  Nor
  cookies issued by the British government.

  To reproduce:

  * Install a new Ubuntu karmic koala system, if necessary.  Plug it into the Internet.
  * Add a new user to the running system, so they'll have no previous Firefox config:  "sudo adduser cookietest".
  * Log in as the new user "cookietest".
  * Start Firefox.
  * When the Ubuntu start page appears (http://start.ubuntu.com/9.10/), immediately go into the Edit menu and hit "Preferences".
  * Click on "Privacy".
  * Click on the link that says "Remove individual cookies..." (or if it's showing, the button on the far right, "Show Cookies...").

  Two sites with cookies will be listed.  If you twist (click) the
  triangle to the left of each one, you can see the cookies themselves:

   bbc.co.uk   BBC-UID
   google.com  PREF

  Clicking on each cookie will show its value and attributes:

  Name: BBC-UID
  Content:  (A very long encoded string with a bunch of strings in it like "Gecko" "Ubuntu" "karmic", "Firefox", etc).
  Domain: .bbc.co.uk
  Path: /
  Send For: Any type of connection
  Expires: Mon 18 Oct 2010 ... (a year from today)

  Name: PREF
  Content: ID=c1338edc1fbbc34a:TM=1255898269:LM=1255898269:S=-K5OC6XRbtZBlmg3
  Domain: .google.com
  Path: /
  Send for: Any type of connection
  Expires: Tue 18 Oct 2011 ... (two years from today)

  What I expected to happen:  Starting the web browser in a clean
  install would not paste any cookies onto my hide.

  What happened instead:  I got an essentially permanent Google tracking
  cookie, plus a BBC.UK tracking cookie.  Before I even got a chance to
  change my privacy settings, or to install cookie blocking add-ons.

  This privacy breach was aided and abetted by the default Firefox config setting of "Remember history" (i.e. accept all cookies permanently), which I believe should be changed to default to:
    * Use custom settings for history (changed from default "Remember history")
    * Accept cookies from sites
    *  Don't accept third party cookies  (changed from default "Accept third party cookies")
    *  Keep until I close Firefox.   (changed from default "Keep until they expire")

  It might be advisable for the default configuration to explicitly blacklist cookies from google.com and bbc.co.uk.  But
  note that the BBC cookie was not fetched directly; it came via a redirect from a Mozilla server.  Mozilla could change that
  redirect to some other site at any time.  Only disabling cookies totally, for all sites, would truly protect users from this
  kind of automated tracking.  (The blacklist is under Edit->Preferences->Privacy, then you have to change a menu item
  from "Remember history" to "Use custom settings for history" and then click "Exceptions..." in the right margin.  Mozilla
  has made it as hard as possible to turn off Google's cookies, without actually removing the ability to do so!)

  This cookie storage was possibly aided and abetted by the Ubuntu start
  page, which includes graphics from Google (currently, this graphic
  does not appear to come with a cookie, though if we close Google's
  other route to tag every Firefox user, they could easily change this
  graphic to set a cookie -- which is a good reason to block "third
  party" cookies).  The BBC cookie arrives via the default entry in the
  "Bookmarks toolbar" for "Latest headlines".  This RSS feed goes to
  "http://fxfeeds.mozilla.com/en-US/firefox/headlines.xml", which
  responds with a 302 redirect to
  "http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml".
  Firefox appears to automatically fetch that RSS feed, whether or not
  the user clicks on it.  And the BBC sets a cookie with every response
  it makes to an http request to that site.

  Hmm.  Disconnecting the Ethernet before the first run of Firefox
  produces a different start page:

    file:///usr/share/ubuntu-artwork/home/index.html

  and no cookies are there, when I look.  This is a bit complicated.
  The start page is set in Preferences to:

    chrome://ubufox/content/startpage.html

  This contains a function that does a HEAD request to start.ubuntu.com/9.10/ and if it succeeds, goes to that page;
  if not, it goes in 4 seconds to the above disconnected-start page.

  I ran tcpdump watching the network traffic, to figure out where the cookies came from.  No cookie seems to be
  transferred in the start page.  But in the background, there is a TCP session in the HTTPS protocol to
  "sb-ssl.google.com".  It does a bunch of certificate stuff (including a separate TCP HTTP connection to oscp.thawte.com,
  which translates to oscp.fra1.verisign.com).  No cookies are apparently transferred during that certificate connection.
  Following the close of the certificate TCP connection, my machine sent an HTTPS packet to nuq04s01-in-f136.google.com
  (which is where sb-ssl.google.com ended up resolving to).  There is some encrypted back-and-forth, and then a domain
  name lookup for "safebrowsing.clients.google.com", which resolves to nuq04s01-in-f102.google.com, and we begin an
  unencrypted HTTP connection to there.  **IN THAT HTTP CONNECTION** my machine sends that PREF cookie to
  Google.

  This means that Google stuffed that cookie into my machine *in the
  encrypted HTTPS connection to sb-ssl.google.com*.

  Now, the "Safe Browsing" stuff wasn't supposed to track its users, or
  feed them any cookies, according to public pronouncements from Google.
  But Mozilla didn't defend against invisible policy changes on the
  Google side, so Ubuntu users now get tracked.  Every subsequent access
  to a Google search, Youtube video, Facebook page, or to any site that
  serves up Google ads, will send the identifying cookie deposited
  during this initial "Safe Browsing" transaction, tying all of those
  interactions together to a single end-user.

  So, even users who immediately go in and change their cookie settings have already been tagged with two cookies,
  one from the most egregious privacy violator on the planet -- the one that pays Mozilla scores of millions of dollars
  per year to keep Firefox that way.  (How much money does Canonical annually get from Google by having a search box on the start page?)  And the other cookie is from a government web site for a government that has been in the forefront of forcing Internet companies to do "data retention" of tracking data about end-users for years.

  Possible fixes:

  *  Change default browser settings to disable cookies from Google and BBC.
  *  Rather than getting a "Safe Browsing" feed from Google, Mozilla should provide the feed (and no cookies).
  *  Remove the out-of-Ubuntu's-control RSS feed from the default bookmarks.
  * ...there are many other options...

  It's become a real privacy hazard just to run the web browser in
  Ubuntu.  It shouldn't be that way, by default.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/455068/+subscriptions
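
The manual check in the report (open Preferences, list the cookies, read each expiry) can be scripted against the profile's cookie store. The following is an added example, not part of the original bug report or of Firefox: it audits a constructed in-memory SQLite table modelled on the `moz_cookies` table in a profile's `cookies.sqlite`. The column subset, the expiry unit (seconds) and the reading of `TM` as a Unix timestamp are assumptions, and all rows are constructed apart from the PREF value quoted in the report.

```python
import sqlite3
from datetime import datetime, timezone

DAY = 86400

def build_sample_db():
    """Constructed stand-in for cookies.sqlite (assumed column subset)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE moz_cookies "
               "(host TEXT, name TEXT, value TEXT, expiry INTEGER)")
    first_run = 1255898269  # TM field of the PREF cookie quoted in the report
    db.executemany("INSERT INTO moz_cookies VALUES (?,?,?,?)", [
        (".google.com", "PREF",
         "ID=c1338edc1fbbc34a:TM=1255898269:LM=1255898269:S=-K5OC6XRbtZBlmg3",
         first_run + 730 * DAY),
        # The report elides the BBC-UID content, so a placeholder is used here.
        (".bbc.co.uk", "BBC-UID", "CONSTRUCTED-PLACEHOLDER", first_run + 365 * DAY),
        ("start.example", "sess", "abc", first_run + 3600),  # constructed, short-lived
    ])
    return db

def split_fields(value):
    """Split a 'K=V:K=V' cookie value; return {} if it is not in that shape."""
    parts = [p.split("=", 1) for p in value.split(":")]
    return dict(parts) if all(len(p) == 2 for p in parts) else {}

def audit(db, now, max_days=1):
    """Return findings for cookies that outlive max_days, longest-lived first."""
    findings = []
    rows = db.execute("SELECT host, name, value, expiry FROM moz_cookies")
    for host, name, value, expiry in rows:
        days = (expiry - now) / DAY
        if days <= max_days:
            continue  # session-like lifetime, not a persistent identifier
        fields = split_fields(value)
        tm = fields.get("TM", "")
        findings.append({
            "host": host, "name": name, "days_left": round(days),
            "expires": datetime.fromtimestamp(expiry, timezone.utc).date().isoformat(),
            # An ID field in a long-lived cookie is a stable per-browser identifier.
            "identifier": fields.get("ID"),
            # Assumption: TM is Unix time; here it decodes to the report's date.
            "issued": (datetime.fromtimestamp(int(tm), timezone.utc).isoformat()
                       if tm.isdigit() else None),
        })
    return sorted(findings, key=lambda f: -f["days_left"])

if __name__ == "__main__":
    for finding in audit(build_sample_db(), now=1255898269):
        print(finding)
```

Running the same query against a copy of a freshly created profile's database, before any site has been visited by the user, shows whether first-run background requests have already stored persistent cookies.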