arkenfox / user.js

Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening
MIT License
10.17k stars 517 forks source link

Firefox Monitor system integration #638

Closed ghost closed 5 years ago

ghost commented 5 years ago

We had this ticket opened https://github.com/privacytoolsIO/privacytools.io/issues/525.

Now all of those user prefs are already taken care of in ghacks-user.js. The only one I was curious about was what your thoughts on:

extensions.fxmonitor.enabled boolean false https://www.ghacks.net/2018/08/25/firefox-62-firefox-monitor-system-add-on-integration/

@Thorin-Oakenpants care to comment? By the way I've finally decided to stop being lazy and use user.js once I have everything how I like it I shall be branching.

Thorin-Oakenpants commented 5 years ago

https://blog.mozilla.org/blog/2018/11/14/firefox-monitor-launches-in-26-languages-and-adds-new-desktop-browser-feature/

If you do not wish to see these alerts on any site, you can simply choose to “never show Firefox Monitor alerts” by clicking the dropdown arrow on the notification. doorhanger-english 2x

Thorin-Oakenpants commented 5 years ago

Might be worthwhile adding: I'm not sure where they are at with rolling it out? Or if it will stay? It was initially only a study and then after that only for a few US people. I've never seen it (but I'm not US, but I have a US-en browser)

I have no issues with it being provided - it's good for most people (the dirty great unwashed tech-illiterate masses), and I have no issues with how it's done - I have faith in Mozilla de-anonymizing whatever. There's a link there on one of their blogs about how it's anonymized etc.

Thorin-Oakenpants commented 5 years ago

https://blog.mozilla.org/security/2018/06/25/scanning-breached-accounts-k-anonymity/ is how they handle the checking

edit: ^^ that's probably the website service, not the system add-on. I can't find out much about this system add-on. I don't think it does anything except alert you that a site you are on has been recently compromised, and gives you a link to use the online web service

^^ see: here ( http://blog.scdeval.com/firefox-monitor-have-you-been-breached/ ) is someone talking about it .. in Jan of this year

Thorin-Oakenpants commented 5 years ago

AFAIC, there is nothing to do here. The system add-on, if you get it, can be disabled by the user via the first notification, and it's a good service for people IMO. I will assume the list of sites is local (it's hard to find anything on this extension). All it does is link you to the online service.

Additionally, we have a system add-on section where we tell people to delete all the shit they don't want in the features folder. I don't think we need to do more

Feel free to re-open if you find anything to contradict what I have unearthed

ghost commented 5 years ago

Thanks for this information. I also agree with you, no risk and probably for the betterment of the unwashed.

earthlng commented 5 years ago

for completeness sake we can add the pref inactive like Screenshots

Thorin-Oakenpants commented 5 years ago

https://www.ghacks.net/2019/02/18/firefox-67-to-display-breach-alerts/

I guess we can deal with in in 67 changes - edit: most likely inactive

tartpvule commented 5 years ago

@Thorin-Oakenpants, did you forget to commit this (extensions.fxmonitor.enabled)? I didn't see any mention of fxmonitor in the current user.js. FYI, you might also want to see about extensions.fxmonitor.telemetryDisabled. https://dxr.mozilla.org/mozilla-central/source/browser/components/fxmonitor/FirefoxMonitor.jsm

Thorin-Oakenpants commented 5 years ago

I'll re-check this out later: re-opening. But I don't believe it's something we need to add

Thorin-Oakenpants commented 5 years ago

As far as I can tell, the telemetry expires in less than a month, not they might extend that. I can't tell if it's governed by the master telemetry switch. I'll dig a bit more

I still think there is no need to add this: it requires user interaction. I honestly don't even think it's worth adding purely for the info

Thorin-Oakenpants commented 5 years ago

1567258 FF70+ Make Monitor a built-in component

Thorin-Oakenpants commented 5 years ago

since we'll be on 70-alpha soon: at most I would stick it under the visual annoyances in personal

   // user_pref("extensions.fxmonitor.enabled", false); // disable Firefox Monitor [FF62+]
   // user_pref("extensions.pocket.enabled", false); // disable and hide Pocket [FF46+]
   // user_pref("identity.fxaccounts.enabled", false); // disable and hide Firefox Accounts and Sync [FF60+] [RESTART]

Not sure about the version, maybe we should drop that

It fits nicely IMO with the pocket and sync prefs. But without context, people might think Firefox is monitoring them (horrible name IMO) and they need to enforce it as false for some privacy: which is not true. Then again, there's no context for pocket or sync. But, unlike Sync and Pocket (which have a permanent UI presence), Monitor is a single popup which can then be ignored forever.

Unless someone comes up with a compelling reason, I'm going to say no to this one, again.