Firefox GPC and ETP Strict #16
MasterInQuestion started this conversation in Mozilla
Transferred:
[[
[ XE @ CE 2024-03-24 19:51:48 UTC:
https://bugzilla.mozilla.org/show_bug.cgi?id=1848951#c5
Middle-ground proposal for consideration:
When a user enables ETP Strict mode, GPC should be automatically enabled.
This proposal is more moderate than just enabling GPC by default for all users, and is more in line with the intent of the GPC.
|1| It is in line with the intent of the GPC designers. [ https://globalprivacycontrol.org/faq#Default ]
|2| It is in line with the California Attorney General's interpretation of the law which inspired the creation of the GPC. [ See Appendix E, comment 73: https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-fsor-appendix-e.pdf ]
|3| It is in line with Mozilla's current approach towards the GPC (currently Mozilla automatically enables GPC by default in private browsing mode, I propose applying this same logic to ETP strict mode, a user who enables either of these features is making an affirmative choice to protect their privacy). [ See: https://www.mozilla.org/en-US/firefox/120.0/releasenotes/ ] ]
----
[ Master ? @ CE 2024-03-25 04:29:16 UTC:
https://bugzilla.mozilla.org/show_bug.cgi?id=1848951#c6
Does this imply the quickest fix to this would be addressing 1871964..?
["about:config"] "privacy.globalprivacycontrol" related configs not persist after restart ]
----
[ XE @ CE 2024-03-25 22:37:24 UTC:
https://bugzilla.mozilla.org/show_bug.cgi?id=1848951#c7
No, I believe that bug is unrelated to my proposal.
What I am proposing is that GPC should be automatically set to true (`privacy.globalprivacycontrol.enabled: true`) if a user enables ETP Strict mode (`browser.contentblocking.category: strict`), in addition to the other preferences which are already triggered when ETP strict is enabled. ]
----
[ Master ? @ CE 2024-03-26 03:37:36 UTC:
https://bugzilla.mozilla.org/show_bug.cgi?id=1848951#c8
"... more moderate than just enabling GPC by default for all users, and is more in line with the intent of the GPC."
<^> I focused on this line.
Which is somewhat similar to Firefox's current behavior. ]
----
[ XE @ CE 2024-03-26 04:25:51 UTC:
https://bugzilla.mozilla.org/show_bug.cgi?id=1848951#c9
That line was meant to characterize/contextualize my proposal:
"When a user enables ETP Strict mode, GPC should be automatically enabled." ]
----
[ Master ? @ CE 2024-03-26 05:15:25 UTC:
https://bugzilla.mozilla.org/show_bug.cgi?id=1848951#c10
It appears the UI option to control GPC ("Tell websites not to share & sell data") is currently independent from the Enhanced Tracking Protection options. (despite cataloged under which)
Your proposal makes sense, somewhat.
.
Though some extra work for very marginal gain:
Most people viewing ETP would config accordingly, and there should be no functional error. (I believe?) ]
----
[ XE @ CE 2024-03-26 18:25:28 UTC:
https://bugzilla.mozilla.org/show_bug.cgi?id=1848951#c11
I'd argue the reverse is true: minimal extra work, for meaningful gains.
"Most people viewing ETP would config accordingly"
<^> Many would, but I don't believe most would.
First consider that ETP strict mode is used by private-by-design Firefox derivatives (such as Tor Browser, Mullvad Browser, LibreWolf) where users are not expected to or are even strongly discouraged from changing default settings (because doing so can make it easier to fingerprint you).
Connecting GPC to ETP strict will allow users of these Firefox derivative browsers to take advantage of GPC without making themselves more fingerprintable.
There are also browser hardening projects that would enable the GPC, but are waiting for upstream Firefox to do so first.
(due in part to the concern over browser fingerprinting, they prefer to wait until changes are made upstream so that a larger cohort of users are using the GPC, not just users of a small hardening project or guide)
Making privacy easy and convenient and simple for end-users is a goal in and of itself.
One that Firefox has pursued and aspired to for some time.
Us power users and nerds forget this often, but making security or privacy features simple, convenient, and frictionless, is not just a UX consideration, it is a security/privacy consideration.
The more frictionless privacy and security enhancing settings are, the more mainstream users will take advantage of these settings. ]
----
[ Master ? @ CE 2024-03-27 22:51:56 UTC:
https://bugzilla.mozilla.org/show_bug.cgi?id=1848951#c12
It is a UI option. Hardly relevant with derivatives that use custom config.
(eventually, the underlying functionalities should be working alright)
Security doesn't itself come by following random security advice or blindly deploying "security-enhanced" setup:
Well realizing the underlying implementation is the essence to guarantee effectiveness and security. ]
----
[ XE @ CE 2024-03-28 18:24:57 UTC:
https://bugzilla.mozilla.org/show_bug.cgi?id=1848951#c13
This seems off topic and unrelated to the proposal (and comes across a bit condescending).
GPC isn't a security feature, and nobody is suggesting following "random security advice".
This proposal is simply an extension of the approach Firefox has already chosen to take towards the GPC with Private Browsing mode.
It follows the same logic, and is a sensible next step. ]
----
[ Master ? @ CE 2024-04-05 15:34:14 UTC:
https://bugzilla.mozilla.org/show_bug.cgi?id=1848951#c14
"private-by-design Firefox derivatives ... where users are not expected to or are even strongly discouraged from changing default settings (because ..."
"security/privacy consideration"
Merely speaking the facts, unbiased.
Feel free to post off-topic on [ https://github.com/MasterInQuestion/talk/discussions ].
I tend to eventually answer old queries. ]
]]
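
An added example (not part of the transferred thread or of Firefox's code): a small Python audit that reads the `user_pref(...)` lines of a profile's `prefs.js` or `user.js` and reports whether ETP Strict is selected while GPC is still off, which is the gap the proposal would close. The function names, the sample profile text, and the assumed defaults for unset prefs are constructed for illustration.

```python
import re

# Pref names as quoted in the thread above.
GPC_PREF = "privacy.globalprivacycontrol.enabled"
ETP_PREF = "browser.contentblocking.category"

# Matches lines such as: user_pref("name", value);
# Lines commented out with // do not match and are skipped.
_PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {pref name: bool | int | str} from prefs.js / user.js text."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            value = raw == "true"
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                continue  # unrecognised value syntax: ignore the line
        prefs[name] = value  # a later line overrides an earlier one
    return prefs


def audit(text, etp_default="standard", gpc_default=False):
    """Classify a profile; the defaults for unset prefs are assumptions."""
    prefs = parse_prefs(text)
    etp = prefs.get(ETP_PREF, etp_default)
    gpc = prefs.get(GPC_PREF, gpc_default)
    if etp == "strict" and gpc is not True:
        return "strict-without-gpc"  # the case the proposal targets
    return "gpc-on" if gpc is True else "gpc-off"


# Constructed sample: ETP Strict chosen, GPC line commented out.
SAMPLE_STRICT_ONLY = '''
user_pref("browser.contentblocking.category", "strict");
// user_pref("privacy.globalprivacycontrol.enabled", true);
'''

if __name__ == "__main__":
    print(audit(SAMPLE_STRICT_ONLY))
```
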