Hi Rik,

Sorry for the late reply.

On Fri, Mar 22, 2019 at 10:10 PM Rik Cabanier <caban...@gmail.com> wrote:

>
>
> On Fri, Mar 22, 2019 at 6:07 AM Ehsan Akhgari <ehsan.akhg...@gmail.com>
> wrote:
>
>> On Thu, Mar 21, 2019, 9:39 PM Rik Cabanier, <caban...@gmail.com> wrote:
>>
>>> Why are these sites not included in the "safe browsing" service that is
>>> used by most browsers?
>>> That way, everyone would be protected.
>>>
>>
>> Because the relevant part of safe browsing service covers a different set
>> of criteria: https://www.google.com/about/unwanted-software-policy.html.
>>
>
> I think this page has the 3 criteria:
> https://safebrowsing.google.com/#policies
> It seems origins that try to fingerprint users or do cryptomining fall
> under category 1 and 3
>

Hmm, do you mean malware or social engineering?  I read
https://support.google.com/webmasters/answer/3258249 and
https://support.google.com/webmasters/answer/6350487/ and it is absolutely
not clear to me whether origins that fingerprint the user or engage in
(covert) cryptomining fall within those definitions.  The examples
mentioned on those two pages are specific to Chrome and other Google
software/policies and that's also unhelpful in determining whether those
categories include such software.

Note that I'm not saying that these categories are _not_ possibly a subset
of the existing SafeBrowsing database, but it's not obvious to us if they
are.

Another advantage that working on these categories with Disconnect will
have is that we will be able to document the technical details leading to
the decisions, for example see
https://github.com/disconnectme/disconnect-tracking-protection/blob/master/descriptions.md.
In the cases where I have (in my personal capacity) submitted a URL to
Google Safe Browsing, my experience has been that I have never heard back
about whether my submissions have been added to the database or not, and
what the reasons have been.

Cheers,
Ehsan


>
>
>> But more importantly, Google's safe browsing isn't by far the only block
>> list of bad URLs based on various criteria that various browsers and
>> extensions use to improve the user's browsing experience. To answer your
>> actual question here, the block lists we're working with Disconnect to
>> create here are available for everyone to use under a permissive license at
>> https://github.com/disconnectme/disconnect-tracking-protection. We
>> actually ingest the list using the safe browsing protocol so other browsers
>> that have implemented that protocol could do the same today.
>>
>
> Good to know. Thanks for that link!
>
>
>>
>>> On Thu, Mar 21, 2019 at 2:59 PM Steven Englehardt <
>>> sengleha...@mozilla.com>
>>> wrote:
>>>
>>> > Summary:
>>> > We are expanding the set of resources blocked by Content Blocking to
>>> > include domains found to participate in cryptomining and
>>> fingerprinting.
>>> > Cryptomining has a significant impact on a device’s resources [0], and
>>> the
>>> > scripts are almost exclusively deployed without notice to the user [1].
>>> > Fingerprinting has long been used to track users, and is in violation of
>>> > our anti-tracking policy [2].
>>> >
>>> > In support of this, we’ve worked with Disconnect to introduce two new
>>> > categories of resources to their list: cryptominers [3] and
>>> fingerprinters
>>> > [4]. As of Firefox 67, we have exposed options to block these
>>> categories of
>>> > domains under the “Custom” section of the Content Blocking in
>>> > about:preferences#privacy. We are actively working with Disconnect to
>>> > discover new domains that participate in these practices, and expect
>>> the
>>> > lists to grow over time. A full description of the lists is given here
>>> [5].
>>> >
>>> > Bugs:
>>> > Implementation: https://bugzilla.mozilla.org/show_bug.cgi?id=1513159
>>> > Breakage:
>>> > Cryptomining: https://bugzilla.mozilla.org/show_bug.cgi?id=1527015
>>> > Fingerprinting: https://bugzilla.mozilla.org/show_bug.cgi?id=1527013
>>> >
>>> > We plan to test the impact of blocking these categories during the
>>> Firefox
>>> > 67 release cycle [6][7]. We are currently targeting Firefox 69 to block
>>> > both categories by default, however this may change depending on the
>>> > results of our user studies.
>>> >
>>> > To further field test the new lists, we expect to enable the blocking
>>> of
>>> > both categories by default in Nightly within the coming month. If you
>>> do
>>> > discover breakage related to this feature, we ask that you report it
>>> in one
>>> > of the cryptomining or fingerprinting blocking breakage bugs above.
>>> >
>>> > Link to standard: These are additions to Content Blocking/Tracking
>>> > Protection which is not a feature we've standardized.
>>> >
>>> > Platform coverage:
>>> > Desktop for now. It is being considered for geckoview: (
>>> > https://bugzilla.mozilla.org/show_bug.cgi?id=1530789) but is on hold
>>> until
>>> > the feature is more thoroughly tested.
>>> >
>>> > Estimated release:
>>> > Disabled by default and available for testing in Firefox 67. We expect
>>> to
>>> > ship this on by default in a future release, pending user testing
>>> results.
>>> > An intent to ship will be sent later.
>>> >
>>> > Preferences:
>>> > * privacy.trackingprotection.fingerprinting.enabled - controls whether
>>> > fingerprinting blocking is enabled
>>> > * privacy.trackingprotection.cryptomining.enabled - controls whether
>>> > cryptomining blocking is enabled
>>> >
>>> > These can also be enabled using the checkboxes under the Custom
>>> section of
>>> > Content Blocking in about:preferences#privacy for Firefox 67+.
>>> >
>>> > Is this feature enabled by default in sandboxed iframes?: Blocking
>>> applies
>>> > to all resources, regardless of their source.
>>> >
>>> > DevTools bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1537627
>>> > When blocking of either category is enabled, any blocked resources will be
>>> > logged to the console with the following message: `The resource at
>>> > “example.com” was blocked because content blocking is enabled.`
>>> >
>>> > Do other browser engines implement this?
>>> > Opera and Brave block cryptominers using the no-coin cryptomining list
>>> > [8][9]. The cryptomining list supplied by Disconnect is, in part,
>>> created
>>> > by matching web crawl data against no-coin and other crowdsourced
>>> lists.
>>> > No other browsers currently block the fingerprinting list, as we are
>>> > working with Disconnect to build it for this feature. However, many of
>>> the
>>> > domains on the fingerprinting list are likely to appear on other
>>> > crowdsourced adblocking lists.
>>> >
>>> > Web-platform-tests: Since content blocking is not a standardized
>>> feature,
>>> > there are no wpts.
>>> >
>>> > Is this feature restricted to secure contexts? No. Users benefit from
>>> > blocking in all contexts.
>>> >
>>> > [0] https://arxiv.org/pdf/1806.01994.pdf
>>> > [1] https://nikita.ca/papers/outguard-www19.pdf
>>> > [2] https://wiki.mozilla.org/Security/Anti_tracking_policy
>>> > [3] https://github.com/mozilla-services/shavar-prod-lists/blob/7eaadac98bc9dcc95ce917eff7bbb21cb71484ec/disconnect-blacklist.json#L9537
>>> > [4] https://github.com/mozilla-services/shavar-prod-lists/blob/7eaadac98bc9dcc95ce917eff7bbb21cb71484ec/disconnect-blacklist.json#L9316
>>> > [5] https://wiki.mozilla.org/Security/Tracking_protection#Lists
>>> > [6] https://bugzilla.mozilla.org/show_bug.cgi?id=1533778
>>> > [7] https://bugzilla.mozilla.org/show_bug.cgi?id=1530080
>>> > [8] https://www.zdnet.com/article/opera-just-added-a-bitcoin-mining-blocker-to-its-browser/
>>> > [9] https://github.com/brave/adblock-lists/blob/master/coin-miners.txt
>>> > _______________________________________________
>>> > dev-platform mailing list
>>> > dev-platform@lists.mozilla.org
>>> > https://lists.mozilla.org/listinfo/dev-platform
>>> >
>>>
>>

-- 
Ehsan