There and back again: A plugin’s tale.
18 sep 2013
I sent this as a email to Ghostery today, and I thought it might be interesting for other people as well so I rewrote it as a blog post.
Both applications (Firefox plugins) have the same main goal: block/limit how you are tracked by third parties on the Internet.
Here is a talk on the issues presented by one of the disconnect.me people on DefCon 19.
Why I switched from Ghostery to disconnect.me:
- Disconnect.me’s UI is somewhat more appealing. (It looks very nice, shows how much speed you’ve gained from blocking etc).
- Their source code is free, as in freedom.
- Ghostery defaults to no blocking at all, you have to manually edit the settings to block everything. This is a dangerous security trap to new users.
- Ghostery is owned by Evidon a company with the slogan “Rule the invisible web and grow your business” (how scary is that?). Ghostery comment on their relationship in their blog.
Why I switched back to Ghostery:
- Disconnect.me doesn’t want to block Piwik since it is can be hosted by the provider of the site and not necessarily by a third party. Clarification: Disconnect base their blocking on domain names rather than technologies, thus Piwik (as a tech) is tricky for them to block until they can point out what third-party data collecting companies use piwik.
- They don’t block supers spies disqus (the comments below) by default (since they deliver functionality), and if I choose to block them the entire comment section is removed without a place-holder. Ghostery puts a box where the comments should be, with a play button on it. This keeps the layout from being messed up and it makes sure I do not miss there is a comment section on the site I visit (while stil being protected from spying as long as I do not comment).
- Most importantly: They have a HTTPS Everywhere like functionality which defaults connections to HTTPS. This is very nice, but then I noticed this.
So I just need to block your https connections and you'll send me your password? thanks disconnect. pic.twitter.com/zWRWen8l4T— Christopher Käck (@kejsarmakten) September 17, 2013
Disconnect.me defaults back to HTTP if HTTPS isn’t working on the sites. This presents this attack vector:
1. Run arpspoof on an open network and get all the traffic to route through you computer.
2. Do only deliver packages to port 80 and drop anything to port 443.
3. All disconnect.me clients will default to 80 and send you delicious cleartext cookies allowing you to log in to their accounts.
To quote an email I got as a response to my tweet.
“We made the user experience/security tradeoff in favor of user experience. Anyone who needs to be absolutely sure that their current session is encrypted should be checking it in their browser.”
I’d recommend all disconnect.me users to also use HTTPS Everywhere in their browsers, to avoid a false sense of security.
Update: They took my suggestion and added a new ticket on Github about informing users about fallback to HTTP. Great!
Update: Ghostery sent me this comparison page on different tracker blocking systems: Are we private yet?.
To summarize I am eager to go back to disconnect.me since they seem to have a better and more transparent structure in their organization (open-source code, and reached out via e-mail after my tweet to explain the issues), but there are a few technical limitations in the way they handle blocking which makes me stay with Ghostery for the time being
Again, both are doing a great job but have limitations.
Plugins like these are the only realistic way to deal with the problems that politicians try to solve with the stupid DoNotTrack flags and the ‘kaklagen’/ ‘concent before cookie usage’-law in Sweden.
So hopefully both these will mature into plugins that will help empower the people of the Internet. It is very nice to see some competition in the field, heterogeneity is an important defense mechanism in immune systems in any population.