aclap-dev / vdhcoapp

Companion application for Video DownloadHelper browser add-on
GNU General Public License v2.0

User anonymity & safety when using firefox internal VPN proxy for privacy addons #18

Closed methuzla closed 6 years ago

methuzla commented 6 years ago

_VDH+vdhcoapp should honour the current proxy the user thinks they have in place._

There are various addons for firefox which provide a degree of user anonymity, and sometimes bypass unfriendly firewalls. If a user has one of these in effect, it seems that VDH + vdhcoapp steps outside the 'VPN' cloak, exposing the user's real IP without warning.

This could lead to serious consequences in countries where civil liberties and freedom of expression are poorly respected.

The "without warning" in itself is a cause for concern and irresponsible where naive users are concerned.

downloadhelper.net/install-coapp is a little economical with the truth:

"How safe is it to install and run the companion app ?" "The companion application is very safe …" (not)

Unless vdhcoapp uses a proxy different from the current firefox proxy, or bypasses the system-wide proxy, or there isn't a proxy in use, for most users naturally this is not going to be a problem.

As a companion app which accesses the wider net in the background, I feel vdhcoapp bears a responsibility to be 'safe' or at least to warn potential users if it is not 'safe' with regard to secure privacy. Currently it accesses the net in a way the user might not expect, is not led to expect, which could be regarded as irresponsible.

I suggest that this inadequacy be addressed in some way.

As for Firefox itself, management is and has for some time been in abrogation of its stated mission in imposing various defaults which leak users' identities, often in vicarious pursuit of fashion. One can only hope the current bunch of souls in charge will move on as soon as practicable, before firefox ceases to be relevant (there is good work going on, too). There are Firefox config entries that can be altered if the user is warned about them (peerconnection etc.), as some privacy addons do warn but many don't.
VDH with vdhcoapp would begin to fall into this bracket of needing good policy to inform the user.

The above may apply to other browsers too.

Blessings.

mi-g commented 6 years ago

This is currently in Video DownloadHelper 7.1.2aX development. Downloads are now re-using the same proxy as the initial browser request. It will go mainstream (7.1.2) in the next couple of days.

methuzla commented 6 years ago

Hi, @mi-g

Many thanks for sorting it out!

I mentioned this a long time ago in the main forum, but it seemed to have been buried and forgotten, so I thought I'd waken it up here. Apologies, I was unaware of the dev stream - is that published anywhere?

Will you be asking the tech writer bods to update the ff AMO & webpage downloadhelper.net/install-coapp as well? (Or, are you the tech writer bod as well?)

Will this be the same for rival browsers?

mi-g commented 6 years ago

There is no real need to update the documentation on the companion app here: if a recent VDH version is being run and proxy is used, then the add-on will request the update of the coapp to 1.1.1 or later to go further.

I'm unsure about your question on other browsers. Currently VDH only runs on Firefox. It will soon be ported to Chrome, with the same coapp being used.

methuzla commented 6 years ago

Thanks. I did think it would be nice if the documentation said that now the co-app will be using the ff proxy (whereas before VDH was exposing the user, and was saying that was safe), just to save everyone's man-hours in going to check if it was so, visiting forums, asking questions and so on...

I look forward to seeing it working though. Thanks

mi-g commented 6 years ago

The "safe" mention was about the application not containing malware, which is a legitimate question users would ask when requested to install an application.

The proxy changes will be part of the changelog notice when 7.1.2 is made public, along with a long list of other improvements.

mi-g commented 6 years ago

Cleaning up bug entries. Current version of VDH is 7.2.2.

mi-g commented 3 years ago

If you use a browser-only VPN solution (this seems to be the case with Browsec VPN) the coapp will download from the ISP IP address. If you installed a computer-wide VPN solution, the coapp will use the VPNized IP.

mi-g commented 3 years ago

Yes, when you play with VPNs and hiding your IP, you have to understand how it works and what the limitations are.