blog.trailofbits.com Coordinated disclosure of vulnerabilities affecting Girault, Bulletproofs, and PlonK

By Jim Miller

Trail of Bits is publicly disclosing critical vulnerabilities that break the soundness of multiple implementations of zero-knowledge proof systems, including PlonK and Bulletproofs. These vulnerabilities are caused by insecure implementations of the Fiat-Shamir transformation that allow malicious users to forge proofs for random statements.

Firefox Suggest (search bar suggestions) is offline by default (proof inside)
  • Telemetry and Suggest are two completely separate things.

    The only difference between "online" and "offline" is that in "offline" mode what you type in your URL bar is not included in the telemetry sent after you have selected a suggestion. But this changes absolutely nothing about what is sent to the Suggest API endpoint when you type in your URL bar.

    I've repeatedly provided clear evidence of what I said, you just keep mentioning a random code comment and interpreting it in a way which completely contradicts the actual code and what countless people have observed. So at the risk of repeating myself:

    • A code comment does not prove anything.
    • Your completely wrong interpretation of it even less so.
    • Link to code supporting your claims or GTFO.
  • Firefox Suggest (search bar suggestions) is offline by default (proof inside)
  • And how would that support your claim that this post is:

    misinformation. No data is sent by default, you have to opt in.

    The relevant parts from this code comment about the "offline" mode are:

    Firefox Suggest suggestions are enabled by default.

    The onboarding dialog is not shown.

    Which correspond to the code I've already linked to.

          case "offline":
            enabled = true;
            defaults.setBoolPref("quicksuggest.shouldShowOnboardingDialog", false);
            defaults.setBoolPref("suggest.quicksuggest", true);
            defaults.setBoolPref("suggest.quicksuggest.sponsored", true);
            break;
    

    The code you cited just says that users with locale "en-US" are enrolled in the "offline" mode.

    Basically:

    • locale = "en-US" => "offline" => opt-out
    • locale != "en-US" => "opt-in" with all possible dark patterns to trick the user into accepting it: user has to click the small "Not now" text which does not look like a button on the top right corner to disable Suggest.

    To summarize, the "offline" / "online" Suggest Scenarios have absolutely nothing to do with whether Firefox sends data to Mozilla or not; they only define whether the Suggest feature is opt-in or opt-out. Is this naming extremely confusing? Absolutely! But at this point it's clear that Mozilla has done everything possible to mislead users about what their "suggestions" really are.

    So please, stop spreading misinformation while claiming that people trying to bring awareness about this awful "feature" are the ones providing false information. A code comment is not proof, your completely wrong interpretation of it even less so. If you don't agree, please link to the relevant source code which would contradict the one I've linked to.

  • Removed
  • No, you are the one providing misinformation. The explanation you linked to is completely wrong. "offline" actually means that you are silently and automatically "opted-in", so basically what everybody except Mozilla calls opt-out.

    However, this does not change anything about the fact that these "suggestions" were silently enabled in Firefox 92, and that the opt-in dialog box was introduced only in Firefox 93. In addition, this opt-in dialog is not shown if you left your locale as the default "en-US" ("offline" = opt-out).

  • Firefox Suggest (search bar suggestions) is offline by default (proof inside)
  • From your comment on this other post and the downvotes it generated on said post, while this post and your comment get upvoted, I guess neither you nor anybody even checked to see what "offline" means...

    If you scrolled down a little from the link you provided, you would have seen that "offline" really means:

    • Do NOT show the "opt-in" dialog to the user.
    • Silently opt-in user to "suggestions"

    So basically "offline" = "opt-out" and not opt-in.

  • Mozilla to put ads in Firefox address bar suggestions
  • There is something seriously wrong with Mozilla leadership. They keep alienating the small privacy-focussed userbase they have left, and then act surprised when Firefox's market share keeps shrinking...

    Baker needs to go and be replaced by someone who cares about Firefox's long-term viability instead of only caring about how many millions more they can add to their obscene salary while destroying Firefox and everything else that Mozilla built over the years.
