[opensuse] Firefox Location-Aware Browsing ?
Just wondering out loud - why is Firefox occasionally asking me for permission to share information that the webserver will have (or have access to) any way?
By default, Firefox uses Google Location Services to determine your location by sending:
your computer’s IP address, information about the nearby wireless access points, and a random client identifier, which is assigned by Google, that expires every 2 weeks.
All Firefox has is my (private) IP-address, so why bother asking when the webserver knows it too?? -- Per Jessen, Zürich (13.8°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Hi, I wonder if that is an openSUSE topic. Am 01.07.2014 09:01, schrieb Per Jessen:
Just wondering out loud - why is Firefox occasionally asking me for permission to share information that the webserver will have (or have access to) any way?
By default, Firefox uses Google Location Services to determine your location by sending:
your computer’s IP address, information about the nearby wireless access points, and a random client identifier, which is assigned by Google, that expires every 2 weeks.
All Firefox has is my (private) IP-address, so why bother asking when the webserver knows it too??
As you can see Firefox will use more information than your ip address to find your location: "information about the nearby wireless access points" The webserver does not have that. In case you have no wireless access points detected Firefox indeed only has the ip. But then it's still just a matter of choice for the web application author if he likes to ask your browser or uses your client ip to find your location. And btw, Firefox is only asking you if Javascript code from the website is asking your browser. It's not like Firefox decides itself to ask you for your location. Wolfgang -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Wolfgang Rosenauer wrote:
Hi,
I wonder if that is an openSUSE topic.
It probably isn't really, but at least my Firefox is running on openSUSE :-)
Am 01.07.2014 09:01, schrieb Per Jessen:
Just wondering out loud - why is Firefox occasionally asking me for permission to share information that the webserver will have (or have access to) any way?
By default, Firefox uses Google Location Services to determine your location by sending:
your computer’s IP address, information about the nearby wireless access points, and a random client identifier, which is assigned by Google, that expires every 2 weeks.
All Firefox has is my (private) IP-address, so why bother asking when the webserver knows it too??
As you can see Firefox will use more information than your ip address to find your location: "information about the nearby wireless access points"
The webserver does not have that. In case you have no wireless access points detected Firefox indeed only has the ip.
Does Firefox have any information like that? It seems unlikely. There is probably one or two wifi APs in the vicinity, but even if the machine used one, how would Firefox know about it? Just being curious.
But then it's still just a matter of choice for the web application author if he likes to ask your browser or uses your client ip to find your location.
Right.
And btw, Firefox is only asking you if Javascript code from the website is asking your browser. It's not like Firefox decides itself to ask you for your location.
It's clearly some cooperation between FF and the website, I was just wondering what information FF might have that would not be available without my permission. -- Per Jessen, Zürich (14.8°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Am 01.07.2014 10:02, schrieb Per Jessen:
Wolfgang Rosenauer wrote:
As you can see Firefox will use more information than your ip address to find your location: "information about the nearby wireless access points"
The webserver does not have that. In case you have no wireless access points detected Firefox indeed only has the ip.
Does Firefox have any information like that? It seems unlikely. There is probably one or two wifi APs in the vicinity, but even if the machine used one, how would Firefox know about it? Just being curious.
It has access to the wifi information since it interfaces with libiw. Since this transfers information from your local machine Firefox asks you for permission. Wolfgang -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Wolfgang Rosenauer wrote:
Am 01.07.2014 10:02, schrieb Per Jessen:
Wolfgang Rosenauer wrote:
As you can see Firefox will use more information than your ip address to find your location: "information about the nearby wireless access points"
The webserver does not have that. In case you have no wireless access points detected Firefox indeed only has the ip.
Does Firefox have any information like that? It seems unlikely. There is probably one or two wifi APs in the vicinity, but even if the machine used one, how would Firefox know about it? Just being curious.
It has access to the wifi information since it interfaces with libiw.
Since this transfers information from your local machine Firefox asks you for permission.
Interesting, thanks. -- Per Jessen, Zürich (16.9°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 07/01/2014 10:02 AM, Per Jessen wrote:
Wolfgang Rosenauer wrote:
Hi,
I wonder if that is an openSUSE topic.
It probably isn't really, but at least my Firefox is running on openSUSE :-)
Am 01.07.2014 09:01, schrieb Per Jessen:
Just wondering out loud - why is Firefox occasionally asking me for permission to share information that the webserver will have (or have access to) any way?
By default, Firefox uses Google Location Services to determine your location by sending:
your computer’s IP address, information about the nearby wireless access points, and a random client identifier, which is assigned by Google, that expires every 2 weeks.
All Firefox has is my (private) IP-address, so why bother asking when the webserver knows it too??
As you can see Firefox will use more information than your ip address to find your location: "information about the nearby wireless access points"
The webserver does not have that. In case you have no wireless access points detected Firefox indeed only has the ip.
Does Firefox have any information like that? It seems unlikely. There is probably one or two wifi APs in the vicinity, but even if the machine used one, how would Firefox know about it? Just being curious.
But then it's still just a matter of choice for the web application author if he likes to ask your browser or uses your client ip to find your location.
Right.
And btw, Firefox is only asking you if Javascript code from the website is asking your browser. It's not like Firefox decides itself to ask you for your location.
It's clearly some cooperation between FF and the website, I was just wondering what information FF might have that would not be available without my permission.
Browsers can tell many things about us. Try this and see: http://www.browserleaks.com/webrtc Check the "Try to get Network IPs" button for local net discovery. ~rmš~ -- Radule Šoškić, mr.sci, CISSP, GPEN, GSNA Head of ICT Audit Telekom Srbija a.d. 11000 Beograd, Takovska 2 Serbia Мр Радуле Шошкић, CISSP, GPEN, GSNA Директор Сектора за ревизију технологија и система Телеком Србија а.д. 11000 Београд, Таковска 2 Србија tel: +381 11 3023122 fax: +381 11 3221079 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Radule Šoškić wrote:
On 07/01/2014 10:02 AM, Per Jessen wrote:
Wolfgang Rosenauer wrote:
Hi,
I wonder if that is an openSUSE topic.
It probably isn't really, but at least my Firefox is running on openSUSE :-)
Am 01.07.2014 09:01, schrieb Per Jessen:
Just wondering out loud - why is Firefox occasionally asking me for permission to share information that the webserver will have (or have access to) any way?
By default, Firefox uses Google Location Services to determine your location by sending:
your computer’s IP address, information about the nearby wireless access points, and a random client identifier, which is assigned by Google, that expires every 2 weeks.
All Firefox has is my (private) IP-address, so why bother asking when the webserver knows it too??
As you can see Firefox will use more information than your ip address to find your location: "information about the nearby wireless access points"
The webserver does not have that. In case you have no wireless access points detected Firefox indeed only has the ip.
Does Firefox have any information like that? It seems unlikely. There is probably one or two wifi APs in the vicinity, but even if the machine used one, how would Firefox know about it? Just being curious.
But then it's still just a matter of choice for the web application author if he likes to ask your browser or uses your client ip to find your location.
Right.
And btw, Firefox is only asking you if Javascript code from the website is asking your browser. It's not like Firefox decides itself to ask you for your location.
It's clearly some cooperation between FF and the website, I was just wondering what information FF might have that would not be available without my permission.
Browsers can tell many things about us. Try this and see: http://www.browserleaks.com/webrtc Check the "Try to get Network IPs" button for local net discovery.
I don't see that option: http://files.jessen.ch/screenshot-browserleaks.jpeg -- Per Jessen, Zürich (18.1°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 01/07/14 11:21, Per Jessen wrote:
Radule Šoškić wrote:
Browsers can tell many things about us. Try this and see: http://www.browserleaks.com/webrtc Check the "Try to get Network IPs" button for local net discovery.
I don't see that option:
You don't see it because WebRTC is disabled - it's there if you enable it... Dx -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Dylan wrote:
On 01/07/14 11:21, Per Jessen wrote:
Radule Šoškić wrote:
Browsers can tell many things about us. Try this and see: http://www.browserleaks.com/webrtc Check the "Try to get Network IPs" button for local net discovery.
I don't see that option:
You don't see it because WebRTC is disabled - it's there if you enable it...
I think my browser is too old, that's why it's not there. See my other post about what happened in a newer browser :-) -- Per Jessen, Zürich (19.9°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Radule Šoškić wrote:
Browsers can tell many things about us. Try this and see: http://www.browserleaks.com/webrtc Check the "Try to get Network IPs" button for local net discovery.
Okay, that was fun :-) I used a more up-to-date browser with webrtc enabled, and tried the "Try to get Network IPs". This went out and discovered an entire /24 subnet (192.168.2.0) and then got stuck on the broadcast address ..... most informative, hehe. /Per -- Per Jessen, Zürich (18.3°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 1 July 2014 08:01, Per Jessen
Just wondering out loud - why is Firefox occasionally asking me for permission to share information that the webserver will have (or have access to) any way?
By default, Firefox uses Google Location Services to determine your location by sending:
your computer’s IP address, information about the nearby wireless access points, and a random client identifier, which is assigned by Google, that expires every 2 weeks.
All Firefox has is my (private) IP-address, so why bother asking when the webserver knows it too??
Requestiing your geolocation is part of the HTML5 standard, where a website requests from your browser where you are so it can give you a better service (or more targeted and thus profitable advertising). For example, Google Maps wants to be able to display where you are accurate to within a few meters, other websites may just want your city or country to influence your search results. Well behaved browsers like Firefox will respect your privacy and will ask you first before providing this information to a random unknown website. It is true that a website can try guess your location from your IP address, but this is usually only accurate to country level or sometimes city level and is often wrong so is rarely accurate enough for most use cases. They get better results by asking the browser to use the local device facilities to give them the accuracy level they require. When returning the location, the browser can make use of various device facilities to guess your location with decreasing levels of accuracy, usualy working from GPS to known cell towers to known wifi access points to simple IP address. The browser can implement all this code itself, or use the host OS facilities, or use something like Googles online services. I know Mozilla are working on their own location database of cell phone towers and wifi access points so they can stop sending so much data to Google (see https://location.services.mozilla.com/). John. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
John Layt wrote:
On 1 July 2014 08:01, Per Jessen
wrote: Just wondering out loud - why is Firefox occasionally asking me for permission to share information that the webserver will have (or have access to) any way?
By default, Firefox uses Google Location Services to determine your location by sending:
your computer’s IP address, information about the nearby wireless access points, and a random client identifier, which is assigned by Google, that expires every 2 weeks.
All Firefox has is my (private) IP-address, so why bother asking when the webserver knows it too??
Requestiing your geolocation is part of the HTML5 standard, where a website requests from your browser where you are so it can give you a better service (or more targeted and thus profitable advertising).
Sure, but I don't see why the website doesn't just do the geo-locate itself. The information from my browser (whatever information it is) will be no more accurate, I think.
For example, Google Maps wants to be able to display where you are accurate to within a few meters, other websites may just want your city or country to influence your search results. Well behaved browsers like Firefox will respect your privacy and will ask you first before providing this information to a random unknown website. It is true that a website can try guess your location from your IP address, but this is usually only accurate to country level or sometimes city level and is often wrong so is rarely accurate enough for most use cases. They get better results by asking the browser to use the local device facilities to give them the accuracy level they require.
This is the interesting bit then - what does my browser know about my location?
When returning the location, the browser can make use of various device facilities
I guess we're primarily talking about devices other than plain Linux PCs? -- Per Jessen, Zürich (18.2°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 1 July 2014 11:31, Per Jessen
John Layt wrote:
Requestiing your geolocation is part of the HTML5 standard, where a website requests from your browser where you are so it can give you a better service (or more targeted and thus profitable advertising).
Sure, but I don't see why the website doesn't just do the geo-locate itself. The information from my browser (whatever information it is) will be no more accurate, I think.
As I said, geo-ip is highly inaccurate and often wrong, so few websites want to rely on that. It certainly can't tell maps.google.com what street you're standing on so it can give you directions. Most commonly, all you know is that a certain IP was allocated to a certain ISP, and if that ISP operates across the entire US or UK then you have no idea where the person it was dynamically allocated to actually is. You may hit it lucky and get an IP that was allocated to a small city specific ISP, but it's not something you can rely on. Furthermore, with the shortage of IP4 addresses, blocks are being freely traded outside their originally allocated geo region and the database may never be updated. Then you get the problem of proxy servers: I used to work for a large multinational in the UK who routed all their traffic through their head office in the US, so I always got US Google or Amazon instead of UK Google or Amazon.
For example, Google Maps wants to be able to display where you are accurate to within a few meters, other websites may just want your city or country to influence your search results. Well behaved browsers like Firefox will respect your privacy and will ask you first before providing this information to a random unknown website. It is true that a website can try guess your location from your IP address, but this is usually only accurate to country level or sometimes city level and is often wrong so is rarely accurate enough for most use cases. They get better results by asking the browser to use the local device facilities to give them the accuracy level they require.
This is the interesting bit then - what does my browser know about my location?
It knows whatever the OS knows and is willing to tell the browser about. If you install Firefox on Android you will be asked to give it permission to access your GPS location, your cell radio for cell tower info, your network stack for wifi ap's in the area, etc. On Linux we have no such system level access checks, so we currently rely on the apps playing nice and asking you first, as Firefox does. Gnome and KDE for example use GeoClue to do this in various apps and browsers. GeoClue doesn't yet have any policy checks built in, if an app asks it tells it where you are, but this is being worked on and in the future it will use something like PolKit to ask the user for permission first. [Which brings the thread back to being related to OpenSUSE :-) ). However, even once GeoClue gets this security feature, an app can still go ask NetworkManager or ModemManager or gpsd or even the hardware directly, and I'm not sure they have any security features as yet or in the planning.
When returning the location, the browser can make use of various device facilities
I guess we're primarily talking about devices other than plain Linux PCs?
Mostly, but most laptops and many desktops have wifi, and some have 3G/4G/GPS built-in or as dongles, so the browser has to assume that it can get highly detailed and possibly personally sensitive information that you may not want shared with any random website, so it has to ask you first to be safe. John. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2014-07-01 13:04, John Layt wrote:
On 1 July 2014 11:31, Per Jessen
wrote:
It knows whatever the OS knows and is willing to tell the browser about. If you install Firefox on Android you will be asked to give it permission to access your GPS location, your cell radio for cell tower info, your network stack for wifi ap's in the area, etc. On Linux we have no such system level access checks, so we currently rely on the apps playing nice and asking you first, as Firefox does.
As far as I know, on Android you get a list of what permissions an application needs, and then you choose to install the app or not. You do not have a choice to allow or deny some of the permissions, or to do so after installation. At least on my phone. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Dne Út 1. července 2014 13:36:12, Carlos E. R. napsal(a):
On 2014-07-01 13:04, John Layt wrote:
On 1 July 2014 11:31, Per Jessen
wrote: As far as I know, on Android you get a list of what permissions an application needs, and then you choose to install the app or not. You do not have a choice to allow or deny some of the permissions, or to do so after installation.
Some alternative ROMs (like CyanogenMod, but not in all versions, nor for all devices) have possibility to later remove some permission. But application can then behave strange or not work at all... Vojtěch -- Vojtěch Zeisek Komunita openSUSE GNU/Linuxu Community of the openSUSE GNU/Linux http://www.opensuse.org/ http://trapa.cz/
On 2014-07-01 13:48, Vojtěch Zeisek wrote:
Dne Út 1. července 2014 13:36:12, Carlos E. R. napsal(a):
As far as I know, on Android you get a list of what permissions an application needs, and then you choose to install the app or not. You do not have a choice to allow or deny some of the permissions, or to do so after installation.
Some alternative ROMs (like CyanogenMod, but not in all versions, nor for all devices) have possibility to later remove some permission. But application can then behave strange or not work at all...
Ah, I see. So native Android can not. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 07/01/2014 07:36 AM, Carlos E. R. pecked at the keyboard and wrote:
On 2014-07-01 13:04, John Layt wrote:
On 1 July 2014 11:31, Per Jessen
wrote: It knows whatever the OS knows and is willing to tell the browser about. If you install Firefox on Android you will be asked to give it permission to access your GPS location, your cell radio for cell tower info, your network stack for wifi ap's in the area, etc. On Linux we have no such system level access checks, so we currently rely on the apps playing nice and asking you first, as Firefox does.
As far as I know, on Android you get a list of what permissions an application needs, and then you choose to install the app or not. You do not have a choice to allow or deny some of the permissions, or to do so after installation.
At least on my phone.
It's the same with my Android devices. When an app starts requesting more info then I want to allow then either I don't update the, don't install the app or delete it. It's _my_ device I'll decide what I want to allow. -- Ken Schneider SuSe since Version 5.2, June 1998 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 2014-07-01 15:07, Ken Schneider - openSUSE wrote:
On 07/01/2014 07:36 AM, Carlos E. R. pecked at the keyboard and wrote:
It's the same with my Android devices. When an app starts requesting more info then I want to allow then either I don't update the, don't install the app or delete it. It's _my_ device I'll decide what I want to allow.
Yes, but I would prefer to allow the application to install and adjust myself the permissions I allow and which not. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
John Layt wrote:
On 1 July 2014 11:31, Per Jessen
wrote: John Layt wrote:
For example, Google Maps wants to be able to display where you are accurate to within a few meters, other websites may just want your city or country to influence your search results. Well behaved browsers like Firefox will respect your privacy and will ask you first before providing this information to a random unknown website. It is true that a website can try guess your location from your IP address, but this is usually only accurate to country level or sometimes city level and is often wrong so is rarely accurate enough for most use cases. They get better results by asking the browser to use the local device facilities to give them the accuracy level they require.
This is the interesting bit then - what does my browser know about my location?
It knows whatever the OS knows and is willing to tell the browser about.
Sure, but what kind of information are we talking about? I don't imagine my openSUSE knows much more about my location than it's private (RFC1918) IP-address. For a smartphone with all the nifty little devices (compass, gps, wifi, accelerometer, altimeter etc), I imagine there is lots of info to be had.
When returning the location, the browser can make use of various device facilities
I guess we're primarily talking about devices other than plain Linux PCs?
Mostly, but most laptops and many desktops have wifi, and some have 3G/4G/GPS built-in or as dongles, so the browser has to assume that it can get highly detailed and possibly personally sensitive information that you may not want shared with any random website, so it has to ask you first to be safe.
I've only seen the browser ask this once or twice, but as I'm pretty certain my browser knows very little about my location (apart from what can be determined/deduced from my IPv4 address), I just got curious. Does anyone happen to know which Javascript API causes the browser to ask? -- Per Jessen, Zürich (20.2°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Am 01.07.2014 14:20, schrieb Per Jessen:
Sure, but what kind of information are we talking about? I don't imagine my openSUSE knows much more about my location than it's private (RFC1918) IP-address. For a smartphone with all the nifty little devices (compass, gps, wifi, accelerometer, altimeter etc), I imagine there is lots of info to be had.
On your Linux it should be only the knowledge of your local ip addresses and Wifi access points it sees (no connection required).
I've only seen the browser ask this once or twice, but as I'm pretty certain my browser knows very little about my location (apart from what can be determined/deduced from my IPv4 address), I just got curious.
Does anyone happen to know which Javascript API causes the browser to ask?
http://www.w3.org/TR/geolocation-API/ Wolfgang -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 1 July 2014 13:20, Per Jessen
John Layt wrote:
This is the interesting bit then - what does my browser know about my location?
It knows whatever the OS knows and is willing to tell the browser about.
Sure, but what kind of information are we talking about? I don't imagine my openSUSE knows much more about my location than it's private (RFC1918) IP-address. For a smartphone with all the nifty little devices (compass, gps, wifi, accelerometer, altimeter etc), I imagine there is lots of info to be had.
But Firefox doesn't *know* that you are running it on an OpenSUSE box that only has a standard ethernet port plugged into a DSL router with a dynamic external IP address (which is easy to find out, don't assume the browser doesn't know it). When the Firefox devs write the code they have to assume that all levels of detail are available and take the necessary precautions. In fact, the standard *requires* them to do so.
I've only seen the browser ask this once or twice, but as I'm pretty certain my browser knows very little about my location (apart from what can be determined/deduced from my IPv4 address), I just got curious.
You'll only see it if a) the browser implements the HTML5 Geolocation API and b) the website sends a request for your location. John. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
participants (8)
-
Carlos E. R.
-
Dylan
-
John Layt
-
Ken Schneider - openSUSE
-
Per Jessen
-
Radule Šoškić
-
Vojtěch Zeisek
-
Wolfgang Rosenauer