
Re: [Privacy Reviews]Call For Comments: Thunderbird Opensearch)


Brian Smith

Feb 3, 2012, 4:58:04 PM
to cur...@mozilla.com, dev-pl...@lists.mozilla.org
From https://wiki.mozilla.org/Privacy/Reviews/OpenSearch#Identity_transmission:

"Since this feature only transmits the selected text (or entered text for global search), and since no cookies are transmitted with search queries, this risk is minimal and limited to severe accidental misuse of the feature."

1. Don't we send cookies with searches out of the Firefox search box? Why should Thunderbird behave differently?

2. Shouldn't Thunderbird be doing these searches in the user's default web browser, specifically so that the user's cookie store and other browser settings/features (including privacy-protecting settings, features, and addons) can be used?

3. In particular, without cookies, Thunderbird won't be able to do HTTPS-protected Google searches, right? (Yesterday, the networking team was just discussing how we could do the redirect from HTTP to HTTPS Google locally. We were thinking of doing so for performance reasons, but obviously it has positive privacy implications too. But, it won't work without the user's cookies, at least according to Google's current policy.)

- Brian

Mark Banner

Feb 5, 2012, 9:27:17 PM
On 03/02/2012 16:58, Brian Smith wrote:
> From https://wiki.mozilla.org/Privacy/Reviews/OpenSearch#Identity_transmission:
>
> "Since this feature only transmits the selected text (or entered text
> for global search), and since no cookies are transmitted with search
> queries, this risk is minimal and limited to severe accidental misuse
> of the feature."
>
> 1. Don't we send cookies with searches out of the Firefox search box?
> Why should Thunderbird behave differently?

I'm not sure exactly what this is/what you're describing here.

> 2. Shouldn't Thunderbird be doing these searches in the user's
> default web browser, specifically so that the user's cookie store and
> other browser settings/features (including privacy-protecting
> settings, features, and addons) can be used?

Thunderbird uses the gecko cookie store and has the relevant preferences
UI. Some add-ons, e.g. noscript are already available for Thunderbird.

We want to do search within Thunderbird to reduce application level
context switching whilst reading email.

> 3. In particular, without cookies, Thunderbird won't be able to do
> HTTPS-protected Google searches, right? (Yesterday, the networking
> team was just discussing how we could do the redirect from HTTP to
> HTTPS Google locally. We were thinking of doing so for performance
> reasons, but obviously it has positive privacy implications too. But,
> it won't work without the user's cookies, at least according to
> Google's current policy.)

See above.

Mark.

Brian Smith

Feb 5, 2012, 9:53:28 PM
to Mark Banner, dev-pl...@lists.mozilla.org
Mark Banner wrote:
> On 03/02/2012 16:58, Brian Smith wrote:
> > From https://wiki.mozilla.org/Privacy/Reviews/OpenSearch#Identity_transmission:
> >
> > "Since this feature only transmits the selected text (or entered
> > text for global search), and since no cookies are transmitted with
> > search queries, this risk is minimal and limited to severe
> > accidental misuse of the feature."
> >
> > 1. Don't we send cookies with searches out of the Firefox search
> > box? Why should Thunderbird behave differently?
>
> I'm not sure exactly what this is/what you're describing here.

My understanding is that the above quote is saying that Thunderbird won't send cookies with the searches. We DO send cookies with searches in Firefox. It seems like the privacy implications are the same for both products (compare the case of searching for something selected from your GMail in Firefox to the case of searching for something selected from your GMail in Thunderbird).

- Brian

Jim

Feb 6, 2012, 3:42:11 AM
On 02/03/2012 03:58 PM, Brian Smith wrote:
> 2. Shouldn't Thunderbird be doing these searches in the user's
> default web browser, specifically so that the user's cookie store and
> other browser settings/features (including privacy-protecting
> settings, features, and addons) can be used?

This is available as an option by toggling
mail.websearch.open_externally (I'm going on memory for the name). It's
what I personally prefer, but I can see why the default is what it is.

- Jim

Sid Stamm

Feb 7, 2012, 4:29:47 PM
to Brian Smith, cur...@mozilla.com
On 2/3/12 1:58 PM, Brian Smith wrote:
> 3. In particular, without cookies, Thunderbird won't be able to do
> HTTPS-protected Google searches, right?

I'm not sure I follow this... can you clarify why "no cookies" equals
"no https"? Or do you mean "user can't log in, so user won't
automatically get https"?

> (Yesterday, the networking
> team was just discussing how we could do the redirect from HTTP to
> HTTPS Google locally. We were thinking of doing so for performance
> reasons, but obviously it has positive privacy implications too. But,
> it won't work without the user's cookies, at least according to
> Google's current policy.)

Their policies may not always require cookies for HTTPS and it might not
be a wise investment of time to hack around it.

-Sid