Looking at the existing Firefox privacy policy (https://www.mozilla.org/en-US/privacy/firefox/) in more detail, the download metadata behavior is already described there, under "Security", "Firefox Forgery and Attack Protection".

Gavin

On Mon, Jul 28, 2014 at 5:10 PM, Gavin Sharp <[email protected]> wrote:
> "Application Reputation" checking is a separate system from Safe
> Browsing that shares some of the same characteristics but also behaves
> differently in some cases.
>
> The blog post you mention describes a scenario where "download
> metadata" (described in more detail at
> https://wiki.mozilla.org/Security/Features/Application_Reputation_Design_Doc#High-level_overview)
> is sent to Google servers if certain conditions are met, and those
> conditions are different than the conditions required for sending a
> safe browsing lookup request.
>
> For download metadata to be sent to Google, my understanding of the
> conditions that must be satisfied are:
> - "browser.safebrowsing.malware.enabled" must be true (it defaults to
>   true, but can be turned off in the Firefox preferences UI as described
>   in the post)
> - the user must be on Windows and running Firefox 32 or later
> - the download must be of an executable file (as determined by the
>   file extension)
> - the downloaded file's URL must not be on a local "blocklist" of
>   malware downloads
> - the downloaded file must not have been signed by a signature that's
>   on the local "allowlist" of known good publishers
>
> I assume there are privacy policy changes in progress to describe
> these additional behaviors - Sid/Monica, do you have pointers to a bug
> about privacy policy updates?
>
> Gavin
>
> On Mon, Jul 28, 2014 at 4:23 AM, Rubén Martín
> <[email protected]> wrote:
>> On 25/07/14 at #4, Asa Dotzler wrote:
>>> It looks like we already have documentation where this is explained,
>>> including a link to technical details that will probably be
>>> undigestible to most humans. What more are you asking for?
>>>
>>> https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work
>>
>> Interesting. I read:
>>
>>> Phishing and Malware Protection works by checking the sites that you
>>> visit against lists of reported phishing and malware sites. These
>>> lists are automatically downloaded and updated every 30 minutes or so
>>> when the Phishing and Malware Protection features are enabled. The
>>> technical details of the safe-browsing protocol are also publicly
>>> available
>>> <http://code.google.com/p/google-safe-browsing/wiki/Protocolv2Spec>.
>>
>> And:
>>> There are two times when Firefox will communicate with Mozilla’s
>>> partners while using Phishing and Malware Protection. The first is
>>> during the regular updates to the lists of reporting phishing and
>>> malware sites. No information about you or the sites you visit is
>>> communicated during list updates. The second is in the event that you
>>> encounter a reported phishing or malware site. Before blocking the
>>> site, Firefox will request a double-check to ensure that the reported
>>> site has not been removed from the list since your last update. In
>>> both cases, existing cookies you have from google.com
>>> <http://google.com>, our list provider, may also be sent.
>> Reading this I assume that right now we are NOT sending URLs to Google
>> in any case except we hit a positive on the blocking list.
>>
>> My question is if we are going to do the same for downloads in Firefox
>> 32 or this is going to change.
>>
>> Regards.
>>
>> --
>> Rubén Martín [Nukeador]
>> Mozilla Reps Mentor
>> http://www.mozilla-hispano.org
>> http://twitter.com/mozilla_hispano
>> http://facebook.com/mozillahispano
>>
>>
>> _______________________________________________
>> governance mailing list
>> [email protected]
>> https://lists.mozilla.org/listinfo/governance
