
Bug#503127: iceweasel: privacy violation in default settings of Iceweasel (connect to Google, Mozilla and BBC)


Sven Aluoor

Oct 22, 2008, 3:00:26 PM
Package: iceweasel
Version: 3.0.3-2
Severity: wishlist

When Iceweasel is started it connects automatically to different sites
like Google, Mozilla and BBC. This "spyware" behavior should not be
default; the user should explicitly enable Malware Protection, News-feed
and other fancy features.

Here is the urlsnarf (dsniff package) output:

urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]
10.104.234.88 - - [22/Oct/2008:20:17:08 +0200] "GET
http://www.mozilla.org/projects/granparadiso/ HTTP/1.1" - - "-"
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008092816
Iceweasel/3.0.3 (Debian-3.0.3-2)"

[...]

10.104.234.88 - - [22/Oct/2008:20:17:29 +0200] "POST
http://safebrowsing.clients.google.com/safebrowsing/downloads?client=Iceweasel&appver=3.0.3&pver=2.1&wrkey=AKEgNiuD4Ve0qo50XtZVVKU-Tr9j--jx0Dn8semb0gs5gdLGarZgC18UkF2HcD5_LDU6MF-dm7XDnlOm60QxiQFEZ6o1VErq7Q==
HTTP/1.1" - - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3)
Gecko/2008092816 Iceweasel/3.0.3 (Debian-3.0.3-2)"
10.104.234.88 - - [22/Oct/2008:20:17:30 +0200] "GET
http://static.cache.l.google.com/safebrowsing/rd/goog-malware-shavar_s_7441-7520:7441-7508
HTTP/1.1" - - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3)
Gecko/2008092816 Iceweasel/3.0.3 (Debian-3.0.3-2)"
10.104.234.88 - - [22/Oct/2008:20:18:48 +0200] "GET
http://static.cache.l.google.com/safebrowsing/rd/goog-malware-shavar_a_6941-6960:6942-6943,6945-6947,6949-6957,6960
HTTP/1.1" - - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3)
Gecko/2008092816 Iceweasel/3.0.3 (Debian-3.0.3-2)"
10.104.234.88 - - [22/Oct/2008:20:18:52 +0200] "GET
http://static.cache.l.google.com/safebrowsing/rd/goog-malware-shavar_a_6961-7040:6961-6962,6964-6985
HTTP/1.1" - - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3)
Gecko/2008092816 Iceweasel/3.0.3 (Debian-3.0.3-2)"
10.104.234.88 - - [22/Oct/2008:20:19:56 +0200] "GET
http://static.cache.l.google.com/safebrowsing/rd/goog-phish-shavar_s_26521-26560:26521-26560
HTTP/1.1" - - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3)
Gecko/2008092816 Iceweasel/3.0.3 (Debian-3.0.3-2)"
10.104.234.88 - - [22/Oct/2008:20:19:57 +0200] "GET
http://static.cache.l.google.com/safebrowsing/rd/goog-phish-shavar_s_26561-26720:26561-26720
HTTP/1.1" - - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3)
Gecko/2008092816 Iceweasel/3.0.3 (Debian-3.0.3-2)"
10.104.234.88 - - [22/Oct/2008:20:19:58 +0200] "GET
http://static.cache.l.google.com/safebrowsing/rd/goog-phish-shavar_s_26721-26880:26721-26880
HTTP/1.1" - - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3)
Gecko/2008092816 Iceweasel/3.0.3 (Debian-3.0.3-2)"
10.104.234.88 - - [22/Oct/2008:20:19:59 +0200] "GET
http://static.cache.l.google.com/safebrowsing/rd/goog-phish-shavar_s_26881-27040:26881-26907
HTTP/1.1" - - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3)
Gecko/2008092816 Iceweasel/3.0.3 (Debian-3.0.3-2)"
10.104.234.88 - - [22/Oct/2008:20:19:59 +0200] "GET
http://static.cache.l.google.com/safebrowsing/rd/goog-phish-shavar_a_30881-31040:30881-30898,30900-30908,30910-30912,30914-30962,30964-31034,31036-31040
HTTP/1.1" - - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3)
Gecko/2008092816 Iceweasel/3.0.3 (Debian-3.0.3-2)"
10.104.234.88 - - [22/Oct/2008:20:20:01 +0200] "GET
http://static.cache.l.google.com/safebrowsing/rd/goog-phish-shavar_a_31041-31200:31041-31047,31049-31065,31067-31069,31071-31136,31138-31147,31149-31184,31186-31192,31194-31200
HTTP/1.1" - - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3)
Gecko/2008092816 Iceweasel/3.0.3 (Debian-3.0.3-2)"
10.104.234.88 - - [22/Oct/2008:20:21:02 +0200] "GET
http://static.cache.l.google.com/safebrowsing/rd/goog-phish-shavar_a_31201-31360:31201-31300
HTTP/1.1" - - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3)
Gecko/2008092816 Iceweasel/3.0.3 (Debian-3.0.3-2)"

-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages iceweasel depends on:
ii  debianutils    2.30       Miscellaneous utilities specific t
ii  fontconfig     2.6.0-1    generic font configuration library
ii  libc6          2.7-14     GNU C Library: Shared libraries
ii  libgcc1        1:4.3.2-1  GCC support library
ii  libglib2.0-0   2.16.6-1   The GLib library of C routines
ii  libgtk2.0-0    2.12.11-3  The GTK+ graphical user interface
ii  libnspr4-0d    4.7.1-4    NetScape Portable Runtime Library
ii  libstdc++6     4.3.2-1    The GNU Standard C++ Library v3
ii  procps         1:3.2.7-8  /proc file system utilities
ii  psmisc         22.6-1     Utilities that use the proc filesy
ii  xulrunner-1.9  1.9.0.3-1  XUL + XPCOM application runner

iceweasel recommends no packages.

Versions of packages iceweasel suggests:
pn  latex-xft-fonts        <none>              (no description available)
ii  libkrb53               1.6.dfsg.4~beta1-4  MIT Kerberos runtime libraries
pn  mozplugger             <none>              (no description available)
pn  ttf-mathematica4.1     <none>              (no description available)
pn  xfonts-mathml          <none>              (no description available)
pn  xprint                 <none>              (no description available)
ii  xulrunner-1.9-gnome-s  1.9.0.3-1           Support for GNOME in xulrunner app

-- no debconf information


Mike Hommey

Oct 23, 2008, 2:00:11 AM
On Wed, Oct 22, 2008 at 08:43:48PM +0200, Sven Aluoor wrote:
> Package: iceweasel
> Version: 3.0.3-2
> Severity: wishlist
>
> When Iceweasel is started it connects automatically to different sites
> like Google, Mozilla and BBC. This "spyware" behavior should not be
> default; the user should explicitly enable Malware Protection, News-feed
> and other fancy features.
>
> Here is the urlsnarf (dsniff package) output:
>
> urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]
> 10.104.234.88 - - [22/Oct/2008:20:17:08 +0200] "GET
> http://www.mozilla.org/projects/granparadiso/ HTTP/1.1" - - "-"
> "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008092816
> Iceweasel/3.0.3 (Debian-3.0.3-2)"

This is already planned to be replaced with about: in the next upload.

The rest is the phishing protection. It doesn't send anything about the
URLs you browse, but only gets a list of known phishing URLs, and
subsequent updates. This is not a privacy concern.

Mike
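
Added example, not part of the thread or of the Iceweasel package: one way to audit a urlsnarf capture like the one in the report, listing which hosts the browser contacts at startup, which Safe Browsing lists it fetches, and which query parameter names it sends. The sample log is constructed in the shape of the quoted output (client address and `wrkey` value are placeholders), and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the urlsnarf output quoted in the thread,
# including the mail-style line wrapping; the wrkey value is a placeholder.
SAMPLE = '''\
urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]
10.0.0.5 - - [22/Oct/2008:20:17:08 +0200] "GET
http://www.mozilla.org/projects/granparadiso/ HTTP/1.1" - - "-"
"Mozilla/5.0 (X11) Iceweasel/3.0.3"
10.0.0.5 - - [22/Oct/2008:20:17:29 +0200] "POST
http://safebrowsing.clients.google.com/safebrowsing/downloads?client=Iceweasel&appver=3.0.3&pver=2.1&wrkey=PLACEHOLDER
HTTP/1.1" - - "-" "Mozilla/5.0 (X11) Iceweasel/3.0.3" 10.0.0.5 - -
[22/Oct/2008:20:17:30 +0200] "GET
http://static.cache.l.google.com/safebrowsing/rd/goog-malware-shavar_s_7441-7520:7441-7508
HTTP/1.1" - - "-" "Mozilla/5.0 (X11) Iceweasel/3.0.3" 10.0.0.5 - -
[22/Oct/2008:20:19:56 +0200] "GET
http://static.cache.l.google.com/safebrowsing/rd/goog-phish-shavar_a_30881-31040:30881-30898,30900-30908
HTTP/1.1" - - "-" "Mozilla/5.0 (X11) Iceweasel/3.0.3"
'''

# One record: client, timestamp, then the quoted request line.
RECORD = re.compile(r'(\S+) - - \[([^\]]+)\] "(GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Chunk-file name as it appears in the log: <list>_<a|s>_<range>:<chunks>.
CHUNK = re.compile(r'/safebrowsing/rd/([a-z-]+)_([as])_[\d-]+:([\d,-]+)$')

def parse(text):
    """Undo the line wrapping, then return (time, method, split URL) tuples."""
    flat = " ".join(text.split())
    return [(w, m, urlsplit(u)) for _, w, m, u in RECORD.findall(flat)]

def summarize(records):
    """Count requests per (method, host) and name the lists being fetched."""
    per_host = Counter((m, u.hostname) for _, m, u in records)
    hits = (CHUNK.search(u.path) for _, _, u in records)
    return per_host, sorted({h.group(1) for h in hits if h})

def query_keys(records, host):
    """Parameter names (not values) sent to `host` in the request URL."""
    return sorted({k for _, _, u in records if u.hostname == host
                   for k in parse_qs(u.query)})

if __name__ == "__main__":
    recs = parse(SAMPLE)
    print(summarize(recs))
    print(query_keys(recs, "safebrowsing.clients.google.com"))
```

urlsnarf records only request URLs seen in cleartext HTTP on the ports it listens on, so the body of the POST and any HTTPS traffic are outside what this check covers.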
