
Re: gnuzilla-dev Digest, Vol 63, Issue 2


From: chippy
Subject: Re: gnuzilla-dev Digest, Vol 63, Issue 2
Date: Sat, 01 Jun 2024 14:53:57 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi again.

I wanted to show you some progress on my proposal.
For this I cloned mozzarella on my webserver. Though, I believe that
what's running on the website https://gnuzilla.gnu.org/mozzarella is
not a verbatim copy of what's in gitlab, because it throws some errors
if you try and run it as it is. Is that so? Can I have a copy of what's
on the site?

Also I wanted to let you know that it is possible to download
mozzarella/cron.py and read the database access credentials.


I tried to signup to https://gitlab.trisquel.org but my account hasn't
been approved in days so I think it's not going to be approved at all.

For this reason I cannot contribute to the project.

I also asked for help on #trisquel irc but no reply yet.

There is no contact information on https://gnuzilla.gnu.org/mozzarella
nor on https://gitlab.trisquel.org/explore, so I'm writing here.

You can see some of the proposed changes at
https://icecatbrowser.org/mozzarella in the extension pages.

I'll add more and format the data in a more appealing way.


Thanks,
Chip

On Mon, 2024-05-27 at 12:00 -0400, gnuzilla-dev-request@gnu.org wrote:
> Hi Luis,
> 
> I disagree.  I believe you are aggravating the picture stating that
> someone should go through the source code; you don't need to do that.
> 
> It can indeed be done with some automation using selenium, geckodriver
> and docker.
> 
> ATM I wrote a functioning py script that can run a headless browser,
> install the extension, activate the extension (ghostery requires user
> input), open some websites, then uninstall the extension and quit.
> 
> You can find a POC here:
> https://codeberg.org/chippy/Selenium-extension-test/src/branch/main/selenium-test1.py
> In this example the browser binary is called "vanilla" because I
> rebuilt Icecat with no extensions so as to be able to try the extensions
> one by one, without interference. I'll upload that to this repo too so
> it's easier if someone wants to help.
> 
> The point is to run this in a docker container while monitoring network
> transmissions and generate some report.
> 
> Now, to inspect the network activity of some software, I normally use
> network namespaces: I relegate the software to run in an isolated network
> namespace (even with an ad-hoc resolv.conf). This way I can avoid all
> the transmission coming from other processes, and I can make sure that
> everything I see (say in tcpdump) comes from the application I want to
> monitor.
> So I'd be able to see even if the application is bypassing my system
> DNS, if it does DoH etc.
> 
> This does not get me the content of the transmissions though, as they
> are encrypted.
> 
> Unfortunately I don't seem to be able to use network namespaces within
> a docker container... not without changing things on the host, which we
> don't want.
> 
> So the second choice would be proxychains...
> Proxychains too cannot reveal the content of the transmissions.
> 
> What's left is mitmproxy/mitmdump so we can not only see the amount of
> transmissions and their endpoints, but by installing the mitmproxy ssl
> certificate, we can also peek into the content of these transmissions
> and have an idea of what is going on on our machines. This requires a
> pre-configured profile to run icecat with, where the http proxy is
> configured. This also means we trust that icecat or the extensions do
> not evade the proxy. We can maybe do that with some firewall rules.
> 
> I'll spend some time trying to come up with some Dockerfile and side
> script that can do all this and as a final result, export to the user
> (via email or by generating some report).
> 
> ** Does someone want to help me? **
> 
> I believe that mozzarella would benefit from this too. It could let
> users know which extensions send out/collect data.
> 
> I understand it would take some babysitting at least in the beginning,
> but think of the reward! Millions of users use these extensions and I'm
> sure they would like to be able to know which ones collect data.
> 
> So next step is to parameterize and normalize the data about the
> extensions so you can just run a loop and hopefully in a few hours find
> the results. I started with that too; so far I found that some
> extensions may require user input to work, you can see that in the two
> examples I'm using here:
> https://codeberg.org/chippy/Selenium-extension-test/src/branch/main/extensions.json
> 
> I'd love some feedback on this. Remember this is a POC...
> 
> Thanks in advance.
> Chip.
> 
> > From: Luis Guzman <ark@switnet.org>
> > To: gnuzilla-dev@gnu.org
> > Subject: Re: Please remove Ghostery from Mozzarella
> > Message-ID: <b70fec28-430f-4be1-bc67-52db22055240@switnet.org>
> > Content-Type: text/plain; charset=UTF-8; format=flowed
> > 
> > Hello chippy,
> > 
> > I've been looking closely at the development, and here are some details I
> > could share.
> > 
> > On 25/05/24 10:27, chippy wrote:
> > > Hi.
> > > 
> > [...]
> > > 
> > > I tried for a few minutes the extension Ghostery and it connected
> > > back to several services (like collector-hpn.ghostery.net). [...]
> > > 
> > > Isn't this a scammy extension?
> > > 
> > > What is this doing on Mozzarella? I expected Mozzarella to be a
> > > curated collection of extensions. However, this, unfortunately, does
> > > not seem the case.
> > 
> > By the length of the repository, that will require a full team of
> > several people to be able to curate and review all the source code of
> > each extension. I'm not aware of a distro with such a workforce, which is
> > the closest to people curating large amounts of packages / source code I
> > could think of.
> > 
> > So Mozzarella uses scripts to parse extensions via API calls by the
> > license they report to use. Following that path I'm sure there could
> > be cases where that could be wrong, as the license could be wrongly
> > reported or not complied with.
> > 
> > Nevertheless, this approach allows automating the parsing of the complete
> > archive with no more work than the one done by the scraper scripts.
> > 
> > > 
> > > Another question:
> > > 
> > > I was wondering if it could be possible on the mozzarella website to
> > > add, in the details of the extensions,
> > > - whether or not the extension phones home,
> > > - whether or not the extension needs downloading except
> > >   from https://addons.mozilla.org and
> > > - if it contacts third parties.
> > 
> > If you check the API search parameters, you'll see there is no way to
> > know that by an API call.
> > * https://mozilla.github.io/addons-server/topics/api/addons.html
> > 
> > Adding such integration would require changing the nature of the
> > Mozzarella code base to some sort of wiki database, which reminds me of
> > the h-node effort.
> > > 
> > > This would enormously help me and others, I imagine, in deciding
> > > whether or not to use an extension, like in this case.
> > 
> > The author has noted that Mozzarella in its current state is developed
> > in his free time[1]. So, volunteering to implement such changes would
> > be a good starting point.
> > 
> > > 
> > > Thanks in advance,
> > > Chippy.
> > > 
> > 
> > Regards
> 

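The per-extension endpoint report that the quoted proposal sketches (mitmdump in front of a pre-configured Icecat profile, then a report of who the extension talked to), written here as an added example that is not from this thread or from the Selenium-extension-test repo. It assumes mitmdump loads it with `-s`, that the vendor's domains and the sites the test script opens itself are passed in the EXT_VENDOR and EXT_VISITED environment variables (names chosen here), and that the browser profile trusts the proxy CA.

```python
# Assumed usage: EXT_VENDOR=ghostery.net EXT_VISITED=example.com mitmdump -s extension_report.py
import json
import os
from collections import defaultdict

def registrable(host):
    """Crude eTLD+1 (last two labels); a real public-suffix lookup is left out here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]

def classify(host, vendor_domains, visited_domains):
    """Bucket a contacted host the way the proposed Mozzarella field would."""
    site = registrable(host)
    if site in visited_domains:   # pages the test script opened itself
        return "visited-site"
    if site == "mozilla.org":     # AMO / browser services, not the extension
        return "mozilla"
    if site in vendor_domains:    # the extension's own infrastructure
        return "phone-home"
    return "third-party"          # anyone else: the signal users care about

def build_report(records, vendor_domains, visited_domains):
    """records: iterable of (host, method, url), one per request seen."""
    buckets = defaultdict(set)
    for host, _method, _url in records:
        buckets[classify(host, vendor_domains, visited_domains)].add(host)
    report = {k: sorted(v) for k, v in buckets.items()}
    report["verdict"] = {"phones_home": bool(report.get("phone-home")),
                         "contacts_third_parties": bool(report.get("third-party"))}
    return report

def _env_set(name):   # comma-separated domain list from the environment
    return {d for d in os.environ.get(name, "").split(",") if d}

class ExtensionRecorder:
    """mitmproxy addon: record every request, write the JSON report on exit."""
    def __init__(self):
        self.records = []
    def request(self, flow):   # mitmproxy hook, called once per HTTP request
        r = flow.request
        self.records.append((r.pretty_host, r.method, r.pretty_url))
    def done(self):            # mitmproxy hook, called when mitmdump shuts down
        report = build_report(self.records, _env_set("EXT_VENDOR"), _env_set("EXT_VISITED"))
        with open("extension_report.json", "w") as fh:
            json.dump(report, fh, indent=2)
addons = [ExtensionRecorder()]   # what `mitmdump -s` picks up

# Constructed sample (not captured traffic) so the report shape can be checked offline.
SAMPLE_RECORDS = [("collector-hpn.ghostery.net", "POST", "https://collector-hpn.ghostery.net/"),
                  ("example.com", "GET", "https://example.com/"),
                  ("analytics.example.net", "GET", "https://analytics.example.net/collect")]
```

The verdict fields map onto the "phones home" and "contacts third parties" questions raised in the thread; traffic that evades the proxy never reaches this addon, which is why the firewall rules the proposal mentions still matter.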