Firefox Says Its Revamped SmartBlock Won't Break Facebook Login Buttons Anymore (theverge.com)
Firefox 90 introduces the next version of SmartBlock, the browser's tracker blocking mechanism built into its private browsing and strict modes, which now has improvements designed to prevent buttons that let you log into websites using your Facebook account from breaking, Mozilla announced on Tuesday. From a report: SmartBlock was first introduced with Firefox 87 in March, and if you aren't familiar, here's Mozilla's description of how it works, from the company's blog: "SmartBlock intelligently fixes up web pages that are broken by our tracking protections, without compromising user privacy. SmartBlock does this by providing local stand-ins for blocked third-party tracking scripts. These stand-in scripts behave just enough like the original ones to make sure that the website works properly. They allow broken sites relying on the original scripts to load with their functionality intact." Sometimes, though, the feature would break Facebook login buttons. In a new blog post, Mozilla's Tom Wisniewski and Arthur Edelstein explain why this would happen, using an example of trying to log in to Etsy.
Please! Break Facebook! (Score:5, Insightful)
Re: (Score:2)
Seeing as Firefox has such a small market share of browsers, that doesn't seem likely.
Re: (Score:3)
If the market share is that small then a niche market approach would be appropriate. A browser that advertises that it can never get onto Facebook, Twitter, etc might be a selling point for the right narrow set of potential users.
Re: Please! Break Facebook! (Score:2)
Damn, that was a feature (Score:5, Insightful)
Using a login from one site to log on to another site is dangerous and seriously bad behavior, much worse than even sharing passwords. If we can, we SHOULD make it nonfunctional.
Re:Damn, that was a feature (Score:4, Insightful)
Break Google and Apple logins as well though ;)
Re: (Score:2)
Please provide specific technical reasons as to why you believe OAuth2 to be "seriously bad behavior".
Heck, you could even describe Kerberos as "using a login from one site to log on to another site".
Re:Damn, that was a feature (Score:5, Insightful)
It's very simple - and abused / exploited often enough.
You go to my site.
You click "login with Google".
You get a div/iframe with Google's logo asking for your Google user name and password.
You enter your Google username and password.
I now have your Gmail login, which I use to reset your bank password. You *ASSUMED* that your username and password was going to Google because you saw Google's logo. I can right-click save Google's logo and put it on my form very, very easily. Since the login form is embedded in my page, I can send that info wherever I want.
What's safer (though not perfect), is how OAuth is used by Onelogin and similar. FIRST, you go to Onelogin. You login, then on the Onelogin page you have a link to Service Now or whatever and you click the site you want to go to AFTER you logged in. Not before.
Even where the third-party site links to the authentication provider, it's one XSS away from the bad guy getting your Google or Apple creds. New XSS vulnerabilities are discovered every month.
If you want a login that approaches actual security you need to use public keys. That way, no site gets your secret, so they can't use it to log in to another site. Rather, they use your public key (which is public, not secret) to verify that *you* have your private key.
Lol no (Score:3)
> OAuth2 has some mitigation for man-in-the-middle attacks. The scenario you described would be very limited because of the IP and time based authentication
There is no mitm needed. The user sees a "Google login" thing appear in the middle of the page. Where does the user see any time or IP limits? Nowhere, because there are none. It's just a div on my page, that I put Google's logo in. There's no OAuth - to the user it looks precisely like OAuth. It's just a form in my page that sends your user/pass to
Microsoft / O365 is a particularly good/bad one (Score:2)
One we see a lot is specifically logging in with your Microsoft account. User clicks "Login with Microsoft". They see the same form they are accustomed to, using TLS with a valid cert showing it's really O365.com.
User enters their credentials.
The form I built on O365 sends those credentials, including MFA code, to me. I now own your O365 account. You are no longer employed as a cloud administrator.
URLs again (Score:2)
User clicks "Login with Microsoft". They see the same form they are accustomed to, using TLS with a valid cert showing it's really O365.com. {...} The form I built on O365 sends those credentials, including MFA code, to me.
Here again, the URL will be different.
Instead of the usual:
https://login.microsoftonline.... [microsoftonline.com]
they'll get something like:
https://raymorriscloud-my.shar... [sharepoint.com]
And again, even if the user doesn't pay enough attention, the password manager (Firefox Lockwise) will treat the websites differently and clearly mark the difference.
It could suggest reusing some known O365.com password (as they could come from different sub-domains), but will clearly indicate that this is a suggestion from another similar domain, not the pas
Re: (Score:2)
> they'll get something like: https://raymorriscloud-my.shar... [raymorrisc...my.shar...]
The default URL is actually forms.microsoft.com. That's if you don't check the "shorten URL" box.
You can check for yourself what happens if you click that box, or you can make yet another wild ass guess and state it as if it were fact. You do seem to think that any idea that comes out of your is fact, based on it coming from *your* butt.
URL - Missing the point. (Score:2)
The default URL is actually forms.microsoft.com.
Thanks but the exact correct URL is beside the point...
That's if you don't check the "shorten URL" box.
...let me have an educated guess:
It will probably look roughly similar to
microsoft.com followed by a base32 coded unique ID ?
I am sure you find it fun, but it's beside the point....
For sure, though, it won't begin with "login."
You can check for yourself what happens if you click that box,
I don't use office much (or Microsoft's product in general).
or you can make yet another wild ass guess and state it as if it were fact. You do seem to think that any idea that comes out of your is fact, based on it coming from *your* butt.
The piece you copy-pasted said literally: "something like:".
I might be making a mistake as English isn't my first language, but I presumed this would help convey that it
domain (Score:2)
You get a div/iframe with Google's logo asking for your Google user name and password.
...but the domain will be wrong.
This page (with google logo and everything) will have an url that will look something like
https://www.google.com.raymorr... [dynhost.org]
Not the usual:
https://accounts.google.com/ [google.com]
Also, if the user is already logged into Google, OAuth2 won't require a full log-in starting from scratch; instead it will give a list of currently logged-in accounts to pick from and eventually re-ask the password for that account to confirm the OAuth2 authentication.
Even if the user is distracted and doesn't pay
Re: (Score:2)
You're right that password managers won't automatically fill it in, unless of course the attacker takes advantage of some truly horrid URL parsing bugs in certain password managers. (Strstr() anyone?).
The user won't, can't SEE the URL of its iframe like medium.com and other sites do.
On a site like medium, the only indication the user has of anything weird is that the password manager doesn't fill it in automatically, IF the user is using a password manager AND the attacker hasn't looked at the Caves for th
Iframe hiding URLs (Score:2)
The user won't, can't SEE the URL of its iframe like medium.com and other sites do.
Hiding the URL of an OAuth provider by wrapping it inside an iframe would be a very bad practice.
I would have expected this practice to be at minimum discouraged by OAuth providers, or at best detected and rejected.
It turns out that all providers I use clearly open their log-in or confirmation screen in a separate page.
IF the user is using a password manager
Current best practices encourage the use of a password manager, and TFA's Firefox comes with one (Lockwise) out of the box.
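The "domain" and "Re:" comments above argue that the lookalike login URL is what gives the fake form away, and that only a password manager doing proper host matching (rather than a strstr-style substring check) refuses to fill it. The following Python is an added example, not from any commenter or from Firefox Lockwise, that contrasts the two checks on constructed URLs modelled on the ones quoted in the thread; the expected login hosts are assumptions for the example.

```python
"""Naive substring URL check vs. exact-host check for a login page.

Sample URLs below are constructed for this example, modelled on the
lookalike hosts quoted in the thread; they are not real phishing sites.
"""
from urllib.parse import urlsplit

# Assumed: the host a password-manager entry for each provider would be
# saved against (the "usual" URLs the commenters mention).
EXPECTED_LOGIN_HOSTS = {
    "google": "accounts.google.com",
    "microsoft": "login.microsoftonline.com",
}


def naive_match(url: str, provider: str) -> bool:
    """The strstr-style bug: accept if the brand's domain appears
    anywhere in the URL string, wherever it sits in the hostname."""
    return f"{provider}.com" in url


def strict_match(url: str, provider: str) -> bool:
    """Exact-origin check: require https and a hostname that equals the
    known login host. A lookalike such as www.google.com.<attacker>
    has a different hostname and is rejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # .hostname is lower-cased and excludes port and userinfo
    return parts.hostname == EXPECTED_LOGIN_HOSTS[provider]


def classify(url: str, provider: str) -> dict:
    """Return both verdicts so the difference is visible side by side."""
    return {
        "url": url,
        "naive": naive_match(url, provider),
        "strict": strict_match(url, provider),
    }


SAMPLE_URLS = [  # constructed
    ("https://accounts.google.com/signin/v2/identifier", "google"),
    ("https://www.google.com.raymorr.dynhost.org/login", "google"),
    ("https://login.microsoftonline.com/common/oauth2/authorize", "microsoft"),
    ("https://raymorriscloud-my.sharepoint.com/form", "microsoft"),
]

if __name__ == "__main__":
    for url, provider in SAMPLE_URLS:
        print(classify(url, provider))
```

The naive check accepts the dynhost.org lookalike because "google.com" occurs inside its hostname; the exact-host check accepts only the real accounts.google.com and login.microsoftonline.com pages, which is why a careful password manager would not offer to autofill the fake form.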
Re: (Score:2)
Re: Damn, that was a feature (Score:2)
It depends. My government has several sites that I can log into (taxes, healthcare, etc.).
I can log in to any of those sites by using that site's specific account, or I can click the govconnect button, which asks me which site's credentials I want to use, redirects me to the chosen one to log in, and then brings me back to the first site.
It's great, because I can use one single account to log into all of them, but only because they are all gov sites, which drastically reduces the risks and privacy concerns.
Usi
Re:But Firefox doesn't block its own Pocket track (Score:5, Informative)
but Firefox gets to track with impunity
Okay I'm calling you out. You will need to show in source where that is happening. Here you go to get started. [searchfox.org] Because when I look at it [searchfox.org]. It is downloading a general list and pruning out items that don't match your local history on the PC side. There are calls to get some CSS elements from get-pocket that have to do with layout, but outside that, I have yet to find something that specifically spills the beans on what you've been doing.
So put your money where your mouth is, where is it doing this tracking? I'm more than happy to see where in code it is doing that.
I remember back when Firefox was a lean mean browser compared to IE6. It was less than a five megabyte download back in 2004, now it is over 50
Yeah we added all of HTML 4, the whole XHTML modules thing, SVG, MathML, JavaScript version 4 and 5. And now with the ES6+ family which operate a bit differently than versions prior. Not only that all of the fun things that come with HTML5. Way back in 2004, I could read the entire W3 HTML spec in a single sitting. Now you could literally publish fifteen really thick books that cover just the current standard. There is an ungodly fuck ton of shit in the current HTML standard. You need to take your argument up with the correct people to be angry at.
Even Samsung browser is more popular than Firefox nowadays
No it's not, because Samsung browser is just Chrome. You may wonder why it is such a slim browser, and that is because the vast majority of it is Chrome; it's just some extra UI on top of Chrome. So if you look at it on the Android market and see "Oh gosh it's such a small download", that's because it's just downloading some UI elements and that's it. Everything else about it is Chrome. So when you actually look at it in memory, you have the exact same hard-hitting memory requirements as Chrome PLUS a few extra megabytes of UI elements on top of it.
and not many people who are not using Samsung phones are downloading it.
I have a Samsung phone; they throw that shit on there, no questions asked. There isn't a download step. Additionally, other people aren't downloading it; the reason its numbers are high is because it uses the browser, unless you change that in settings, as the in-app browser when an API call for a Chrome frame is asked. So if you're on, say, the Reddit app and you click an external link, it'll fire up the Samsung browser.
Firefox is the biggest scam perpetuated on the open source community
And you know what. Cool. Go run Chrome, go run IceWeasel, go do Pale Moon. Whatever. But the web became something completely different than what you wanted. I'm sorry that the W3 decided to be run by a bunch of Google engineers that wanted to add every single side project they ever wanted to the HTML spec. But that's the world we're in, and so these super "fat" by early 2000 standards browsers are what we get for any browser trying to keep up. And what's more, Microsoft of all people got tired of trying to keep up with web standards and decided to just go with a reskin of Chrome. Microsoft. So let that sink in about the level of work that has to go in, just to keep your head above water with the W3 HTML standard. I wish it wasn't like this, but it ain't my call on what does and doesn't get accepted into the HTML standard. So if you have a standard with over 70 different components that all have their own set of standards, well, you're going to get a big mess.
Just get a good firewall program (Score:1)
I mean "blocking" any domains with BookFace in the URL.
I do log into BookFace a couple times a year, just to catch up with friends and family. I have a completely separate browser to do that. It's kind of a pain, but I do get to see some nice pictures.
Stupid on so many levels (Score:2)
The whole point of the anti-tracking tech is to prevent the tracking. If you 'login with facebook', the federated login process means they are going to be able to get all the tracking info they could want (well, they always want more, but you know what I mean). If a user is going to choose that option, they have more or less already consented to FB tracking them on that domain. They should just probably not use the private/anti-tracking mode there.
Mozilla should not be getting into a giant cat-and-mouse with b
Re: (Score:2)
Just add a popup (Score:5, Insightful)
"You selected 'Private Browsing' mode. Why are you using Facebook?"
Re: (Score:2)
Re: (Score:2)
All of them include snooping on your browsing on other than Facebook sites.
Awesome (Score:2)
Dear Mozilla,
That isn't the reason your browser is tanking in user share.
I didn't even know FB login button was broken. (Score:1)
It should be obvious from the title that I don't use facebook logins, or for that matter facebook at all (where possible).
So I wasn't aware that it was broken. Maybe it should have stayed broken. lol
Firefox Rocks! (Score:1)