← Back to team overview

desktop-packages team mailing list archive

[Bug 455068] Re: Merely starting Firefox gives user a permanent Google cookie

 

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: firefox-3.5 (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/455068

Title:
  Merely starting Firefox gives user a permanent Google cookie

Status in “firefox” package in Ubuntu:
  Confirmed
Status in “firefox-3.5” package in Ubuntu:
  Confirmed

Bug description:
  Binary package hint: firefox-3.5

  Immediately after installing Ubuntu (karmic UNR beta), merely running
  the web browser causes the user to be tagged with a 2-year Google
  tracking cookie and a 1-year BBC.CO.UK cookie.

  The act of simply *starting* the browser should not produce *any*
  permanent tracking cookies.  Let alone Google "do some evil", track
  everyone everywhere and remember everything forever, cookies.  Nor
  cookies issued by the British government.

  To reproduce:

  * Install a new Ubuntu karmic koala system, if necessary.  Plug it into the Internet.
  * Add a new user to the running system, so they'll have no previous Firefox config:  "sudo adduser cookietest".
  * Log in as the new user "cookietest".
  * Start Firefox.
  * When the Ubuntu start page appears (http://start.ubuntu.com/9.10/), immediately go into the Edit menu and hit "Preferences".
  * Click on "Privacy".
  * Click on the link that says "Remove individual cookies..." (or if it's showing, the button on the far right, "Show Cookies...").

  Two sites with cookies will be listed.  If you twist (click) the
  triangle to the left of each one, you can see the cookies themselves:

   bbc.co.uk   BBC-UID
   google.com  PREF

  Clicking on each cookie will show its value and attributes:

  Name: BBC-UID
  Content:  (A very long encoded string with a bunch of strings in it like "Gecko" "Ubuntu" "karmic", "Firefox", etc).
  Domain: .bbc.co.uk
  Path: /
  Send For: Any type of connection
  Expires: Mon 18 Oct 2010 ... (a year from today)

  Name: PREF
  Content: ID=c1338edc1fbbc34a:TM=1255898269:LM=1255898269:S=-K5OC6XRbtZBlmg3
  Domain: .google.com
  Path: /
  Send for: Any type of connection
  Expires: Tue 18 Oct 2011 ... (two years from today)

  What I expected to happen:  Starting the web browser in a clean
  install would not paste any cookies onto my hide.

  What happened instead:  I got an essentially permanent Google tracking
  cookie, plus a BBC.UK tracking cookie.  Before I even got a chance to
  change my privacy settings, or to install cookie blocking add-ons.

  This privacy breach was aided and abetted by the default Firefox config setting of "Remember history" (i.e. accept all cookies permanently), which I believe should be changed to default to:
    * Use custom settings for history (changed from default "Remember history")
    * Accept cookies from sites
    *  Don't accept third party cookies  (changed from default "Accept third party cookies")
    *  Keep until I close Firefox.   (changed from default "Keep until they expire")

  It might be advisable for the default configuration to explicitly blacklist cookies from google.com and bbc.co.uk.  But
  note that the BBC cookie was not fetched directly; it came via a redirect from a Mozilla server.  Mozilla could change that
  redirect to some other site at any time.  Only disabling cookies totally, for all sites, would truly protect users from this
  kind of automated tracking.  (The blacklist is under Edit->Preferences->Privacy, then you have to change a menu item
  from "Remember history" to "Use custom settings for history" and then click "Exceptions..." in the right margin.  Mozilla
  has made it as hard as possible to turn off Google's cookies, without actually removing the ability to do so!)

  This cookie storage was possibly aided and abetted by the Ubuntu start
  page, which includes graphics from Google (currently, this graphic
  does not appear to come with a cookie, though if we close Google's
  other route to tag every Firefox user, they could easily change this
  graphic to set a cookie -- which is a good reason to block "third
  party" cookies).  The BBC cookie arrives via the default entry in the
  "Bookmarks toolbar" for "Latest headlines".  This RSS feed goes to
  "http://fxfeeds.mozilla.com/en-US/firefox/headlines.xml";, which
  responds with a 302 redirect to
  "http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml";.
  Firefox appears to automatically fetch that RSS feed, whether or not
  the user clicks on it.  And the BBC sets a cookie with every response
  it makes to an http request to that site.

  Hmm.  Disconnecting the Ethernet before the first run of Firefox
  produces a different start page:

    file:///usr/share/ubuntu-artwork/home/index.html

  and no cookies are there, when I look.  This is a bit complicated.
  The start page is set in Preferences to:

    chrome://ubufox/content/startpage.html

  This contains a function that does a HEAD request to start.ubuntu.com/9.10/ and if it succeeds, goes to that page;
  if not, it goes in 4 seconds to the above disconnected-start page.

  I ran tcpdump watching the network traffic, to figure out where the cookies came from.  No cookie seems to be
  transferred in the start page.  But in the background, there is a TCP session in the HTTPS protocol to
  "sb-ssl.google.com".  It does a bunch of certificate stuff (including a separate TCP HTTP connection to oscp.thawte.com,
  which translates to oscp.fra1.verisign.com).  No cookies are apparently transferred during that certificate connection.
  Following the close of the certificate TCP connection, my machine sent an HTTPS packet to nuq04s01-in-f136.google.com
  (which is where sb-ssl.google.com ended up resolving to).  There is some encrypted back-and-forth, and then a domain
  name lookup for "safebrowsing.clients.google.com", which resolves to nuq04s01-in-f102.google.com, and we begin an
  unencrypted HTTP connection to there.  **IN THAT HTTP CONNECTION** my machine sends that PREF cookie to
  Google.

  This means that Google stuffed that cookie into my machine *in the
  encrypted HTTPS connection to sb-ssl.google.com*.

  Now, the "Safe Browsing" stuff wasn't supposed to track its users, or
  feed them any cookies, according to public pronouncements from Google.
  But Mozilla didn't defend against invisible policy changes on the
  Google side, so Ubuntu users now get tracked.  Every subsequent access
  to a Google search, Youtube video, Facebook page, or to any site that
  serves up Google ads, will send the identifying cookie deposited
  during this initial "Safe Browsing" transaction, tying all of those
  interactions together to a single end-user.

  So, even users who immediately go in and change their cookie settings have already been tagged with two cookies,
  one from the most egregious privacy violator on the planet -- the one that pays Mozilla scores of millions of dollars
  per year to keep Firefox that way.  (How much money does Canonical annually get from Google by having a search box on the start page?)  And the other cookie is from a government web site for a government that has been in the forefront of forcing Internet companies to do "data retention" of tracking data about end-users for years.

  Possible fixes:

  *  Change default browser settings to disable cookes from Google and BBC.
  *  Rather than getting a "Safe Browsing" feed from Google, Mozilla should provide the feed (and no cookies).
  *  Remove the out-of-Ubuntu's-control RSS feed from the default bookmarks.
  * ...there are many other options...

  It's become a real privacy hazard just to run the web browser in
  Ubuntu.  It shouldn't be that way, by default.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/455068/+subscriptions