not all of the Behind-the-scene requests are being intercepted #182
Comments
|
Need more details. How to reproduce on my side? |
|
clean install of chrome, run, click 'Skip for now' in the 'Chrome' tab, go to 'Settings', set 'Open a specific page or set of pages.' to about:blank, install HTTPSB, go to the rules manager: chromium-behind-the-scene commit all, exit and run again, you'll see connections being established. |
|
How did you check for "connections being established"? And to what server? When it comes to details, more is better in bug reporting. |
|
*.1e100.net URLs. they belong to google. |
|
I was able to reproduce this.
It a requests to Probably a Chrome feature they don't want extensions blocking? There's a |
|
For sure there are requests which can't be seen by extensions, like when visiting the chrome store for example (this would be a security risk). Whatever can not be intercepted and reported by HTTPSB, I need to document, so that a user does not get a false idea that all is filtered/reported. I did launched I've noticed a connection to If you use Chrome though instead of Chromium, this is not unexpected that it will do things even hidden to extensions. There is nothing extensions can do about this. However regarding Chromium, I need to investigate further what is this connection, my understanding was that with all settings which could result in net traffic being turned off, there should be no connection to Google server whatsoever. |
This is at launch, right? As reported in the other issue you opened, extensions are not immediately up and functioning at launch time, Chromium decides when to launch extensions, and this might be after some requests have been done by the browser. There is nothing an extension can do about this. We should focus on net requests which are done after HTTPSB has been launched, since there is nothing HTTPSB can do for requests made before it executes. |
|
Also, certainly requests related to browser or extensions update are not relayed to extensions. Investigating this is time consuming, which mean I am not working on stuff which allows me to release versions. So I will ask you guys you investigate fully what you think should be reported in HTTPSB while it is not. It appears to me at this point what is reported is normal browser behavior given you are using Chrome on Windows. So please:
Bottom line, I can't fix browser issue, I can only address HTTPSB issues. And I will have to start to be more hardcore on bug which are described with only "chrome still establishes connections and they are not shown on the matrix either". From now on, issues like these will be close with "not enough details", given that they put the whole burden on the developer's shoulders to figure what is the detailed problem. Please keep in mind my time is as valuable to me as yours is to you. |
|
|
gorhill, it's not that my description of the issue isn't complete. the description of the issue is clear. connections are still being made after the installation and the initialization of HTTPSB, and they are not shown on the matrix. it's that i don't know what you know and don't know. now, i do care about your time, and we can progress a lot faster if we communicate in real-time. i'm waiting for you: https://webchat.freenode.net/, in the #httpsb channel. |
|
this is from chrome://net-internals/#events of a chromium startup (the established connections outside of chromium and chrome are to *.1e100.net URLs) |
|
At launch chromium requests the same 2 files that show up in
These files might have something to do with these chromium settings shown below. Disabling these seem to stop the requests at launch. But in the gif I posted earlier, the request was done after. HTTPSB was already loaded ( shown in window 2 in the gif. ) Going to that doesn't show up in the matrix. |
|
To confirm whether the request goes through webRequest.OnBeforeRequest() is to remove the comment prefix ( If a request is not reported at the console, then it's a request the Chrome browser chooses to not make available to extensions, if it shows in the console but not in the matrix, then HTTPSB fails to report as it should. |
|
Ok, using Chrome 32 in a VM, This, with all options disabled, including "Offer to translate pages...". |
many hours passed. you didn't come to the channel. |
|
Re. I think at this point we have a lot of details. So for all requests which do not go through extensions, the only thing I can do is document these so a user will know what to expect if using Chromium or a derived browser. |
|
So here is what I have this morning, after 17 hours of having Chrome/Windows 7 idling with no tabs opened (showing only And what I got at the console: So there a request, The others were not reported by the webRequest API, and there is not much I can do for these aside documenting them. And then there are the |
|
maybe these requests are tunneled through the *.1e100.net connections. maybe SPDY connections are handled differently? |
EDIT: Err, it seems I confuse "protocol" with "scheme". Never mind. In any case, what is quoted below is still relevant. Yes, this is what this comment in Chromium source code suggest: So apparently "SPDY" is one of these schemes for which requests are not reported to extensions. Add to this the requests to Now I do find disturbing these connections to Possible mitigation: using one of the browser switches to filter by hostnames -- somebody did that somewhere for |
|
Here is what the whitepaper says re.
Seems this is related to Chrome's "new tab" tab. I don't get the requests below if I force only "about:blank" tab when launching Chrome: |
|
So, I think the outcome here is that there are requests which are not passed to extensions for examination/filtering, and what you report seems to fall into that category. |
|
I still want to run similar test with Chromium, as the expectation of privacy is higher with Chromium, but I did already find that Chromium, just like Chrome, ping |
|
it still connects and checks these even with a about:blank startup, with everything in the settings unchecked. it connects on its own without any user interaction. |
You mean to Edit: Ok, I see that when Chrome connects to |
|
yes. |
So this means HTTPSB can't report these, as per quoted commented code somewhere above ( What is really needed is a wiki page where we can report findings like where behind-the-scene behind-the-scene requests (which cannot be reported by HTTPSB) are made by various Chromium-based browser. |
|
Here, anybody welcomed to add to this (no special permissions required AFAICT): Privacy matters: Hidden remote connections |
|
Alright, all requests I've seen so far were requests the browser does not expose to extensions, thus there is nothing this extension can do for these requests. |
|
I went to I downloaded the file from and its just a json file with all the languages used to pouplate the dropdown menu in
|
|
The part that may worry users (though that is not what this issue is about) is whether the key parameter can be used to identify uniquely a user. Source code: https://code.google.com/p/chromium/codesearch#chromium/src/components/translate/core/browser/translate_url_util.cc&sq=package:chromium&l=24&type=cs&rcl=1391908708 |
|
For the record, Google Chrome is built with A LOT of phone home operations and interactions with Google services/servers that are NOT exposed to any meaningful capture. This is what makes it "insecure" in the sense that it allows Google to snoop on EVERYTHING you do. This is why projects such as Comodo's Dragon and SRWare's Iron build directly from the Chromium source ripping out much of that chatty phone home behavior and reporting allowing for a more secure operation. Even these have to allow a very small amount of benign and non-privacy related communication for purposes of the Play Store, Translation feature, Sync, etc. One point of note though, while Comodo goes to great length to embed their own custom code which some may see just as bad, although many trust Comodo more than Google (personally I think they are equally bad), SRWare's Iron doesn't do that beyond setting the extension gallery to their own custom "store" (but you can still use the store regularly by going there directly) and setting their own homepage which can be easily removed. If you like your hand held, go with Dragon and if you are and advanced user who is pretty independent, then just use Iron. |
Answering to my own question, regarding Chromium: found out the API key is a single key shared by all users of Ubuntu (or derived), as seen on line 1539 of (warning, big file) https://launchpadlibrarian.net/163981042/buildlog_ubuntu-saucy-amd64.chromium-browser_32.0.1700.102-0ubuntu0.13.10.1~20140128.970.1_UPLOADING.txt.gz. So it can't be used to uniquely track a computer as far as Chromium is concerned. |
|
no one builds and releases any chromium or chromium-based builds that don't connect to google or somewhere else on their own. the only solutions are modifying the source code and building it on our own or modifying the binary code. |
That's what I said in no uncertain terms. |
|
@GuardianMajor you said to people to get dragon and iron:
|
I wouldn't be surprised if there is one or more switches in there to prevent these auto-connections: http://peter.sh/experiments/chromium-command-line-switches/. That would be quite simpler than maintaining a fork. Of interest: http://peter.sh/experiments/chromium-command-line-switches/#google-apis-url |
|
@requiredregistration
You seem to pick and choose what you want to hear. |
|
@GuardianMajor read the description of the issue and my last two messages again. you also said:
that means connections to somewhere behind-the-scene. |
I don't understand... Given what I've seen, this is exactly the way my Chromium behaves after I disable the appropriate privacy-related settings, so I don't know what "chatty phone home behavior" Comodo or SWare have "ripped out" from Chromium (can you be more specific?). @requiredregistration's has been talking specifically about what you call "benign and non-privacy related communication for purposes of the Play Store, Translation feature, Sync". There is nothing HTTPSB can do about these, but I think the point is that we would like that even these "benign" connections to be controlled by the user. |
|
@requiredregistration |
|
@gorhill |
The ones you are able to disable are just the public facing options. The code by default tracks what sites you see, what you search, what extensions you have installed, how often you use which, scans your bookmarks for targeted ads based on your browsing behavior and generally snooping functionality that goes to serve Google's pushing of services. For example if you are using Skydrive or Outlook.com you will notice a lot more search results that highlight Google Drive and Gmail. And so on. |
|
@GuardianMajor HTTPSB is a security and privacy extension. think about it. |
and once again, your point? |
|
@GuardianMajor when it connects, it sends and receives data, and that without user permission. |
I believe you are talking about Chrome here (for which this would certainly not be unexpected). I am talking about Chromium. As far as I am aware, there is no snooping in Chromium. Currently the issue here is that it connects to Google server at start and then every 2 hours I've observed (presumably for updates) without the user being able to control this (although I may try these switches when I have time). We can't conflate that whatever Chrome does, Chromium does it too. Chromium is all open source, and whatever speculated claim can be validated by looking at the code. To say that Google "snoops" through Chromium on one's browsing history is such a serious claim, I need a URL to the piece of code which does that (I've check another claim re. Chromium, like the RLZ id, and found it to be unfounded). |
You are correct, that is Chrome. Although Chromium's code is developed by Google as well, and while they don't snoop as much as the Google Chrome build, they do package some of the communication which can be stripped out to minimize it to the basic functionality I have previously stated as "benign" to take place. |
latest chrome stable
chrome still establishes connections and they are not shown on the matrix either.
The text was updated successfully, but these errors were encountered: