Mozilla stops distribution of WOT addon
You cannot install the WOT addon anymore in Firefox. This is due to WOT selling all your browsing data to firms - easily de-anonymizable (containing e-mail addresses, usernames or identifying parts of URLs in cleartext).
Reporters of German broadcast NDR found out about this by inspecting a test dataset they acquired disguised as a company asking around to buy personal data.
83 comments
[ 13.7 ms ] story [ 2745 ms ] thread"When there are cases where information has not been anonymized and protected, we will, of course, review this and, if necessary, take steps to ensure adequate protection for our users."
Their privacy statement [2] includes a section that describes "Browsing usage, including visited web pages, clickstream data or web address accessed;" as one of the categories of "non-personal information" that they may disclose or share with 3rd parties.
I'd imagine most users installing an extension to make their browsing safer would not be happy to know they were also making their entire browsing history available to 3rd party data brokers at the same time.
Unscrupulous business practices are definitely made easier when no one actually reads Privacy Policies...
[1] https://www.mywot.com/
[2] https://www.mywot.com/en/privacy/privacy_policy
https://translate.google.com/translate?sl=auto&tl=en&js=y&pr...
Every data send by an extension should be user viewable.
Here's the json file (or maybe something better) that we are posting, press Agree to send it
But you can bet GooBookSoft will lobby against that like their lives depended on abusing customer data. And they do depend on it.
With much regret, MiFaceGoo is rarely appropriate in the professional world.
> Every data send by an extension should be user viewable.
You can start Wireshark and get that data. But it would be too complicated for an average Joe.
They'd then claim it was for your security/privacy/protection. You know, like how Microsoft encrypts your Windows 10 usage data it sends them.
At least you could use the presence of such obfuscation as a sign there's probably something bad afoot. Presuming only a tiny number of extensions try to encode the data they send.
So, that "if you have nothing to hide..." argument, basically?
All the AI experts in the world won't be able to solve the halting problem. What you're asking for is impossible.
You don't need perfect performance, you only need to stay ahead of most of the attempts. Fighting fraud is similar -- it's not possible to stop 100%, but you can get close, and try to make it easy to minimize/undo the damage done by the false negatives.
Also, many of these checks can be done by the browser in situ, so an extension that suddenly changes its behavior can be flagged for review. And pre-release malware scans can be run on banks of actual hardware that simulates different dates and locations.
Sure, there will be an arms race, but that's better than an anarchical free for all.
For example I don't use any browser extensions because I don't have time to inspect their code after every update.
I wonder why both Google and Mozilla don't write this at the front page of their extension stores?
EDIT: I realize there are (probably) fewer authors involved there.
https://blog.mozilla.org/addons/2016/08/19/a-simpler-add-on-...
https://blog.mozilla.org/addons/2010/02/15/the-add-on-review...
For every site you visit, there is a POST to
which contains information about each visited page. Example of information sent in the POST (I randomly clicked on an entry in the front page of Hacker News): The information above is double-encoded using atob before being sent in a POST. The `h` value stays the same i each POSTs.The privacy policy of the extension used to be complete nonsense, a copy-pasta of the text found on the front page of (probably unrelated) site `whatarecookies.com`.
Looks like they changed it though[2], it is now a large image of pure-text HTML[3], which appears to be borrowed a lot from (coincidence!) WOT's own Privacy Policy's page.[4] I will assume using an image may be to purposefully make it more difficult to find out the copy-pasta.
The review I had left a few weeks ago for the extension -- in which I informed of the above -- seems to be gone.
[1] https://chrome.google.com/webstore/detail/poper-blocker/bkkb...
[2] http://www.poperblocker.com/privacy.html
[3] http://www.poperblocker.com/privacy.png
[4] https://www.mywot.com/en/privacy/privacy_policy
http://techdows.com/2016/11/web-of-trust-add-on-removed.html
What's the takeaway? Not to install any browser add-on?
On a serious note, I guess that it might be safer to to run a browser in a Docker container and use one instance to browser only site. The question is that how feasible it would be?
https://www.kuketz-blog.de/wot-addon-wie-ein-browser-addon-s...
The commit referenced in the blog:
https://github.com/mywot/firefox-xul/commit/0df107cae8ac1890...
Reality isn't influenced by such dismissals or wishful thinking however. If a company's financial interests aren't aligned with the general interests of its customers, then it will trample over the interests of its customers. Google, Facebook, any company that's selling advertising are not only not your friends, but they're screwing you over.
Free Software is free, and you aren't the product when you use it. In most cases its the only software that actually puts the user first.
Saying "If it's free, you are the product" tells people that the only way to get good software is to pay money for it. When in reality lots of payed software harvests your data just as much.
https://www.eff.org/privacybadger
I think knowingly sharing your data (with a positive affirmation) is significantly different than having your data collected and sold without your knowledge
[1] http://imgur.com/a/ugglB
[2] https://www.ghostery.com/support/faq/ghostery-add-on/What-da...
The problem is that the data is not anonymized enough. The question is, if this is actually possible.
Regarding AdBlock Plus he is complaining about the Acceptable Ads "feature", not that ABP is collecting and/or selling user data
And maybe it is time to completely forbid data logging in browser addons. Then suspicious activity, like the linked commit would have caused, could be detected.
That doesn't help at all. If the server has a database it's going to match this hash too, then it knows what URL corresponds to the hash.
https://developers.google.com/safe-browsing/v4/update-api
Interesting, the date of the commit is April 20, 2015.
I did comment on April 16, 2015 about how the WOT extension could record a user's browsing history[1], so it does look like they were doing this before this specific commit.
Edit: ah never mind, my comment was for the Chrome version of the extension while the commit is for the Firefox extension. So they have been doing it since longer for the Chrome extension.
[1] https://github.com/gorhill/uBlock/issues/65#issuecomment-937...
https://news.ycombinator.com/item?id=12850214
The story was curiously absent from HN and any other site I frequent, so I checked Google and as of yesterday it only found ghacks outside the German bubble.
It's not remotely comparable to the situation. "WOT addon is banned from browsers after selling users history to the highest bidder."
https://support.mozilla.org/en-US/kb/profile-manager-create-...
https://addons.mozilla.org/en-US/firefox/addon/noscript/
I read ghacks blog frequently to keep myself up to date with new features being added in Firefox. Follow this blog and read their previous articles to learn how to stay safe in online world.
http://www.ghacks.net/
this link is also helpful to stay safe
https://www.privacytools.io/
It also really helps that Firefox never deletes cookies by default and never tells you about this. We 'respect' your privacy, yes, we do! Really! Look, you will have only one google cookie when you start a very new firefox.
We really respect your privacy, yes! We will reiterate that until you believe it, but never change our privacy destroying default settings, because we 'respect' you!
It "works for me" and it'd probably work for a lot of (perhaps even most) other users so maybe it would be an acceptable default. I don't know.
I think there's a happy medium somewhere between these two extremes that absolutely would be an acceptable default, though. Firefox could certainly come with better defaults if Mozilla truly valued privacy that high.
(FWIW, my mozilla.cfg -- pointed to by general.config.filename -- currently has 127 settings in it. It's been added to over the years, though, so some of those are certainly deprecated by now.)
for firefox there is also script blocker with the ability to white list adresses also remove history on close.
They could have taken the opportunity to show that they care about user privacy and denounce WoT at the same time
I am confident they will release a public statement and maybe even an actual post mortem for the tech crowd
There was clearly a market for user browsing data (since WOT was able to find customers), so if WOT is shut down, more will pop up. And the apps that mine user data don't need to be adblockers, that's just the reason they give users to install the extension.
They falsely flagged a a website I ran a while back (social media management tools via approved APIs) as: pharmacy, scam and spam. Due to this mails from our server were not getting through.
I tried contacting saying they are all false. They updated saying we sold facebook likes and fake followers. We did nothing of the sort and did nothing at all with facebook anyways. I tried contacting again to which I was told we were a scam because the domain has privacy enabled nor had my personal name and address on the site. I value my privacy and do not have my full name and certainly not my address anywhere online.
I asked our customers via a support forum post if they could post an honest review of our site and service which did nothing to the score - it seems a couple of users have all the power. We then got branded as spammers for trying to manipulate our rating (with actual reviews, but as it was against the power users (who had never used our product) we were in the wrong.
Among other things, I manage a bunch of mail servers and I keep a close eye on them. I "blacklist" IP addresses of "misbehaving senders" pretty often and the rejection messages provide a way for the sender to get in touch with us. This way, we can work with them to rectify whatever problem caused them to be blacklisted by us -- many times it's that an e-mail account was compromised and used to send out spam.
I can't even begin to count how many times I've had administrators of other mail servers swear to me that they have NEVER sent out any spam whatsoever (or similar statements) and that blacklisting them is a mistake and absolutely 100% our fault.
Except that, in every case, I, personally, have looked at every single message, determined it was spam, tracked down where it came from (verifying Received: headers against Postfix logs), and manually added the IP address to our list. In addition, the first time it happens they don't even get prevented from sending mail to us; only upon the second incident are messages rejected.
Thus, for someone to say that they know absolutely positively 100% without a doubt that their server never sent us spam just makes me laugh because I know that not only did they send us spam but, as a matter of fact, they've done it at least twice!
So, like I said, I want to believe you but I'd want to hear it from the other side before making a conclusion. There's always another version of events and experience has shown me that it's usually drastically different.
https://bugs.debian.org/842939