Attention EasyList & EasyPrivacy users

Talk about internet security, computer security, personal security, your social security number...
Post Reply
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Attention EasyList & EasyPrivacy users

Post by barbaz »

Heads up to all EasyPrivacy users: http://forums.lanik.us/viewtopic.php?f=62&t=19083 (yes, same barbaz)
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:31.0) Gecko/20100101 SeaMonkey/2.28.2-unofficial-1
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Attention EasyPrivacy users

Post by barbaz »

Summary: I've been a longtime user of the EasyPrivacy list for ABP. Apparently, recently, the EasyPrivacy maintainers have added at least one whitelist that protects tracking of the sort their written policy clearly says should be blocked (on multiple counts at that). I reported the example I spotted on their forums, under the assumption that someone was just being careless, and despite at least one maintainer being around, my thread has dropped off the first page of the forum and no action was taken. So I'm posting this fact publicly here, as a warning to this security- & privacy-conscious community.

Until they remove the shady whitelisting, I cannot reasonably recommend to anyone to use EasyPrivacy, because a false sense of privacy is worse than a real sense of no privacy.
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 Gecko/20100101
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Attention EasyPrivacy users

Post by Thrawn »

Thanks for the heads-up. I don't normally bother with ABP, though, because plain static ads don't pay as well as dynamic ones - so everyone uses active content for their ads, and NoScript wipes it out :).

And Self-Destructing Cookies takes care of the rest.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Attention EasyPrivacy users

Post by barbaz »

Still no response or action, so..
mozillaZine thread: http://forums.mozillazine.org/viewtopic ... &t=2882975
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 Gecko/20100101
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Attention EasyPrivacy users

Post by barbaz »

With the kind assistance of LoudNoise @ mozillaZine, I've now also reported this to ABP:
https://adblockplus.org/forum/viewtopic.php?f=2&t=25773
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 Gecko/20100101
morganism
Senior Member
Posts: 134
Joined: Tue Nov 26, 2013 9:44 pm

Re: Attention EasyPrivacy users

Post by morganism »

I think Privacy Badger plugin from the EFF should block those whitelists also...
Mozilla/5.0 (Windows NT 6.0; rv:32.0) Gecko/20100101 Firefox/32.0
bgmnt
Junior Member
Posts: 47
Joined: Sun Nov 17, 2013 3:41 pm

Re: Attention EasyPrivacy users

Post by bgmnt »

Yeah that filter exception is dubious indeed. EasyPrivacy openly makes exceptions for site compatibility all over the place, so you can just turn off all EasyPrivacy exceptions. It's quick: Just select all exceptions and press space.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Attention EasyPrivacy users

Post by barbaz »

I don't trust just disabling the whitelists because they might change on an auto update and thus get re-enabled...

Luckily the Easy project is open source so personally I rather fork the whole project for myself, that gives me the most control including the ability to review any filters I question and delete them if I don't want them.
*Always* check the changelogs BEFORE updating that important software!
-
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Attention EasyPrivacy users

Post by kukla »

I can remove the entire whitelist, but if doing that may break some sites, how is one supposed to know just which of those entries to remove? Maybe overkill, but I'm also running Ghostery concurrently, which is blocking the shit out of everything, and which can often be a big PITA until the tracker or item is identified and paused. But at least its items can be disabled individually (and, unlike EP, those individual items are viewable per site) or all blocking temporarily paused.

In that case, maybe I can do without EP entirely? Seems like there's probably very little that EP catches that Ghostery doesn't?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:35.0) Gecko/20100101 Firefox/35.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Attention EasyPrivacy users

Post by barbaz »

kukla wrote:I can remove the entire whitelist, but if doing that may break some sites, how is one supposed to know just which of those entries to remove?
If you fork EasyPrivacy from the repository for personal use, this document might help you there.

Also sometimes you can tell just by looking at the filters. For example, there were a couple filters of the form

Code: Select all

@@||site.com^$~third-party
IMO that's always too broad for a whitelist that fixes site breakage, so I removed those as well, but YMMV.
Or if you know something about the structure of the site a whitelist applies to then you can use that knowledge to decide whether the whitelist is necessary for you.

Bear in mind as well that NoScript surrogates will fix some of the site breakages for which EasyPrivacy has to use whitelists.
kukla wrote:Maybe overkill, but I'm also running Ghostery concurrently,
Yep, Ghostery + EasyPrivacy is overkill (even more so if you have NoScript).
kukla wrote:But at least its items can be disabled individually (and, unlike EP, those individual items are viewable per site)
Sure you can view EasyPrivacy items per site - that's how I found out about this in the first place.
ABP menu > Open blockable items
kukla wrote:In that case, maybe I can do without EP entirely? Seems like there's probably very little that EP catches that Ghostery doesn't?
I can't say because I've never used Ghostery...
*Always* check the changelogs BEFORE updating that important software!
-
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

Re: Attention EasyPrivacy users

Post by kukla »

Thanks for all the information.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:36.0) Gecko/20100101 Firefox/36.0
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Attention EasyPrivacy users

Post by barbaz »

Another heads up: it's looking like this is not an isolated incident in the Easy project...

Watch these spaces:
https://forums.lanik.us/viewtopic.php?f=62&t=21910
https://forums.lanik.us/viewtopic.php?f ... 907#p69041
(That poster is a moderator on the Adblock Plus forums.)
*Always* check the changelogs BEFORE updating that important software!
-
Post Reply