[Privacy Reviews]Call For Comments: Thunderbird Opensearch


[Privacy Reviews]Call For Comments: Thunderbird Opensearch

Curtis Koenig
Hi all,
I am taking over much of the management work for Privacy Reviews, and in
keeping with the process already laid out by Sid I am making a call for
comments to dev.planning for the following review.

Thunderbird Opensearch: https://wiki.mozilla.org/Privacy/Reviews/OpenSearch

The CFC shall remain open until 9-Feb and then I will take the
recommendations back to the team for discussion with them. Please
provide any comments as replies to this thread for simplicity's sake.

/Curtis
_______________________________________________
dev-planning mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-planning

Re: [Privacy Reviews]Call For Comments: Thunderbird Opensearch)

Brian Smith-31
From https://wiki.mozilla.org/Privacy/Reviews/OpenSearch#Identity_transmission:

"Since this feature only transmits the selected text (or entered text for global search), and since no cookies are transmitted with search queries, this risk is minimal and limited to severe accidental misuse of the feature."

1. Don't we send cookies with searches out of the Firefox search box? Why should Thunderbird behave differently?

2. Shouldn't Thunderbird be doing these searches in the user's default web browser, specifically so that the user's cookie store and other browser settings/features (including privacy-protecting settings, features, and addons) can be used?

3. In particular, without cookies, Thunderbird won't be able to do HTTPS-protected Google searches, right? (Yesterday, the networking team was just discussing how we could do the redirect from HTTP to HTTPS Google locally. We were thinking of doing so for performance reasons, but obviously it has positive privacy implications too. But, it won't work without the user's cookies, at least according to Google's current policy.)

- Brian

Re: [Privacy Reviews]Call For Comments: Thunderbird Opensearch)

Mark Banner-4
On 03/02/2012 16:58, Brian Smith wrote:

> From
> https://wiki.mozilla.org/Privacy/Reviews/OpenSearch#Identity_transmission:
>
> "Since this feature only transmits the selected text (or entered text
> for global search), and since no cookies are transmitted with search
> queries, this risk is minimal and limited to severe accidental misuse
> of the feature."
>
> 1. Don't we send cookies with searches out of the Firefox search box?
> Why should Thunderbird behave differently?

I'm not sure exactly what this is/what you're describing here.

> 2. Shouldn't Thunderbird be doing these searches in the user's
> default web browser, specifically so that the user's cookie store and
> other browser settings/features (including privacy-protecting
> settings, features, and addons) can be used?

Thunderbird uses the gecko cookie store and has the relevant preferences
UI. Some add-ons, e.g. noscript are already available for Thunderbird.

We want to do search within Thunderbird to reduce application level
context switching whilst reading email.

> 3. In particular, without cookies, Thunderbird won't be able to do
> HTTPS-protected Google searches, right? (Yesterday, the networking
> team was just discussing how we could do the redirect from HTTP to
> HTTPS Google locally. We were thinking of doing so for performance
> reasons, but obviously it has positive privacy implications too. But,
> it won't work without the user's cookies, at least according to
> Google's current policy.)

See above.

Mark.

Re: [Privacy Reviews]Call For Comments: Thunderbird Opensearch)

Brian Smith-31
Mark Banner wrote:

> On 03/02/2012 16:58, Brian Smith wrote:
> > From
> > https://wiki.mozilla.org/Privacy/Reviews/OpenSearch#Identity_transmission:
> >
> > "Since this feature only transmits the selected text (or entered
> > text for global search), and since no cookies are transmitted with
> > search queries, this risk is minimal and limited to severe
> > accidental misuse of the feature."
> >
> > 1. Don't we send cookies with searches out of the Firefox search
> > box? Why should Thunderbird behave differently?
>
> I'm not sure exactly what this is/what you're describing here.

My understanding is that the above quote is saying that Thunderbird won't send cookies with the searches. We DO send cookies with searches in Firefox. It seems like the privacy implications are the same for both products (compare the case of searching for something selected from your GMail in Firefox to the case of searching for something selected from your GMail in Thunderbird).

- Brian

Re: [Privacy Reviews]Call For Comments: Thunderbird Opensearch)

Jim-267
In reply to this post by Brian Smith-31
On 02/03/2012 03:58 PM, Brian Smith wrote:
> 2. Shouldn't Thunderbird be doing these searches in the user's
> default web browser, specifically so that the user's cookie store and
> other browser settings/features (including privacy-protecting
> settings, features, and addons) can be used?

This is available as an option by toggling
mail.websearch.open_externally (I'm going on memory for the name). It's
what I personally prefer, but I can see why the default is what it is.

- Jim

Re: [Privacy Reviews]Call For Comments: Thunderbird Opensearch)

Sid Stamm-3
In reply to this post by Brian Smith-31
On 2/3/12 1:58 PM, Brian Smith wrote:
> 3. In particular, without cookies, Thunderbird won't be able to do
> HTTPS-protected Google searches, right?

I'm not sure I follow this... can you clarify why "no cookies" equals
"no https"?  Or do you mean "user can't log in, so user won't
automatically get https"?

> (Yesterday, the networking
> team was just discussing how we could do the redirect from HTTP to
> HTTPS Google locally. We were thinking of doing so for performance
> reasons, but obviously it has positive privacy implications too. But,
> it won't work without the user's cookies, at least according to
> Google's current policy.)

Their policies may not always require cookies for HTTPS and it might not
be a wise investment of time to hack around it.

-Sid

Re: [Privacy Reviews]Call For Comments: Thunderbird Opensearch)

Curtis Koenig
In reply to this post by Brian Smith-31
Thanks all for the discussion, I don't see any new threats here.
My best answers to the below questions are:
1: No
2: Yes if the user chooses
3: No, users can install search plugins

So I am closing this out.

-Curtis
On 2012-02-03 16:58 PM, Brian Smith wrote:

> From https://wiki.mozilla.org/Privacy/Reviews/OpenSearch#Identity_transmission:
>
> "Since this feature only transmits the selected text (or entered text for global search), and since no cookies are transmitted with search queries, this risk is minimal and limited to severe accidental misuse of the feature."
>
> 1. Don't we send cookies with searches out of the Firefox search box? Why should Thunderbird behave differently?
>
> 2. Shouldn't Thunderbird be doing these searches in the user's default web browser, specifically so that the user's cookie store and other browser settings/features (including privacy-protecting settings, features, and addons) can be used?
>
> 3. In particular, without cookies, Thunderbird won't be able to do HTTPS-protected Google searches, right? (Yesterday, the networking team was just discussing how we could do the redirect from HTTP to HTTPS Google locally. We were thinking of doing so for performance reasons, but obviously it has positive privacy implications too. But, it won't work without the user's cookies, at least according to Google's current policy.)
>
> - Brian

Re: [Privacy Reviews]Call For Comments: Thunderbird Opensearch)

Sid Stamm-3
In reply to this post by Brian Smith-31
To elaborate a bit on the blunt enumerated answers:

On 2/15/12 3:04 PM, Curtis Koenig wrote:
> Thanks all for the discussion, I don't see any new threats here.
> My best answers to the below questions are:
> 1: No

Firefox sends cookies on searches, so Thunderbird could too; but I don't
think it matters a whole lot since Thunderbird would have its own cookie
jar here and not share cookies with Firefox.  My understanding is that
Thunderbird doesn't send cookies with the text-box search.

> 2: Yes if the user chooses

The user can choose to open searches in the default browser.

> 3: No, users can install search plugins

The way I understand OpenSearch, it will use the same stuff that we use
in the Firefox search box which means any search plugin we install in
Firefox could potentially work in Thunderbird (Right, Thunderbird
devs?).  The upshot is that when we roll out HTTPS search in Firefox, we
can do the same in Thunderbird.

Thanks Brian, and all, for the feedback.  The results of the privacy
review will be documented and Curtis and I will discuss the
recommendations with the engineering team.

Regards,
Sid

> So I am closing this out.
>
> -Curtis
> On 2012-02-03 16:58 PM, Brian Smith wrote:
>> From https://wiki.mozilla.org/Privacy/Reviews/OpenSearch#Identity_transmission:
>>
>> "Since this feature only transmits the selected text (or entered text for global search), and since no cookies are transmitted with search queries, this risk is minimal and limited to severe accidental misuse of the feature."
>>
>> 1. Don't we send cookies with searches out of the Firefox search box? Why should Thunderbird behave differently?
>>
>> 2. Shouldn't Thunderbird be doing these searches in the user's default web browser, specifically so that the user's cookie store and other browser settings/features (including privacy-protecting settings, features, and addons) can be used?
>>
>> 3. In particular, without cookies, Thunderbird won't be able to do HTTPS-protected Google searches, right? (Yesterday, the networking team was just discussing how we could do the redirect from HTTP to HTTPS Google locally. We were thinking of doing so for performance reasons, but obviously it has positive privacy implications too. But, it won't work without the user's cookies, at least according to Google's current policy.)
>>
>> - Brian
