And by burned, I mean “realize they have been burning for over a year”. I’m referring to a bug in the Tor Browser flatpak that prevented the launcher from updating the actual browser, despite the launcher itself updating every week or so. The fix requires manual intervention, and this was never communicated to users. The browser itself also doesn’t alert the user that it is outdated. The only reason I found out today was because the NoScript extension broke due to the browser being so old.
To make matters worse, the outdated version of the browser that I had, differs from the outdated version reported in the Github thread. In other words, if you were hoping that at least everybody affected by the bug would be stuck at the same version (and thus have the same fingerprint), that doesn’t seem to be the case.
This is an extreme fingerprinting vulnerability. In fact I checked my fingerprint on multiple websites, and I had a unique fingerprint even with javascript disabled. So in other words, despite following the best privacy and security advice of:
- using Tor Browser
- disabling javascript
- keeping software updated
My online habits have been tracked for over a year. Even if Duckduckgo or Startpage doesn’t fingerprint users, Reddit sure does (to detect ban evasions, etc), and we all know 90% of searches lead to Reddit, and that Reddit sells data to Google. So I have been browsing the web for over a year with a false sense of security, all the while most of my browsing was linked to a single identity, and that much data is more than enough to link it to my real identity.
How was I supposed to catch this? Manually check the About page of my browser to make sure the number keeps incrementing? Browse the Github issue tracker before bed? Is all this privacy and security advice actually good, or does it just give people a false sense of security, when in reality the software isn’t maintained enough for those recommendations to make a difference? Sorry for the rant, it’s just all so tiring.
Edit: I want to clarify that this is not an attack on the lone dev maintaining the Tor Browser flatpak. They mention in the issue that they were fairly busy last year. I just wanted to know how other people handled this issue.
What are the benefits of flatpacks? Like why not just install the actual Tor browser on your system? The one that is released and maintained by The Tor Project?
[edit] Looks like the Tor Project does support this flatpack. Im a silly goose.
flatpaks are supposed to be cross-distro. Maintainers only have one package to look after instead of several
Edit: autocorrect got me
And they give you more control over the permissions that you give the application; packages from apt, yay, etc. get full filesystem access by default even if they contain a bug or malicious code, flatpaks can be walled off by you very well.
Not to mention:
I don’t understand the hate for flatpak. I wouldn’t even be on Linux if it wasn’t for flatpaks. I tried to switch many times over the years and it was such a PITA. With flatpaks I made the switch about a year ago and it finally stuck. Even got my wife to switch.
There are quite a few reasons to avoid flatpaks tbh.
You have no control over the dependencies. A flatpack can include a very old dependency and there is nothing you can do about it. You are at the mercy of the developer.
Many Flatpak applications available on flathub are not effectively sandboxed by default. Do not rely on the provided process isolation without first reviewing the related flatpak permission manifest for common sandbox escape issues.
Running untrusted code is never safe; sandboxing cannot change this. It can be a false sense of security.
It is generally not a good idea to run unattended updates via systemd, as the applications can get new permissions without the user aware of the changes. See this blogpost for examples
Flatpak does not run on the linux-hardened kernel unless you do additional kernel modifications that could have negative security implications.
I think
apt
handles this, as well, no?All the other reasons are very valid, though! Especially the transactional updates!