Sometimes you can’t take EFF seriously

Well, I have been fighting FUD for years, especially when it comes to privacy tools and recommendations, and I often argue with people who still believe that an add-on or application alone can make them secure. This time, however, the Electronic Frontier Foundation (EFF) failed. So what happened? The recently published Efail attack is a weakness in how mail clients handle PGP- and S/MIME-encrypted mail, and EFF wrote in their documentation, as a precaution, that users should disable their encryption plugins (PGP, and by extension S/MIME). That is a no-go advice: such problems are in most cases patchable, and this one is. Efail needs the mail client to render HTML and fetch remote content from the decrypted message, so the sensible precaution until client and plugin are patched is to turn off HTML rendering and remote content loading, not to stop encrypting.

EFail overview (figure).


Not the first strange advice from EFF

EFF is better known for its fingerprinting test called Panopticlick. On that site you also get very strange ‘recommendations’: according to them you should (or can) install the Privacy Badger extension in order to reduce your browser fingerprint. I have real problems with such a recommendation because I think such things should be fixed within the browser and not by extensions.

Their fingerprint test is also based on other people’s work, and such projects mostly have bugs. Panopticlick requires JavaScript; once you disable it, the page can’t work and the test is pointless. It basically shows only that JavaScript together with some known APIs is a possible tracking vector, but it doesn’t tell you that not every page tracks you, nor does the mathematical explanation seem correct. What the test reports is surprisal: for each attribute, log2 of how many browsers that previously ran the test share your value. The resulting ‘bits’ therefore describe the self-selected population that happened to visit Panopticlick, not the web at large.

Chromium vs Tor (figure)
I made a test with Chromium vs Tor to show that such a test is worthless. I even opened a bunch of random tabs and enabled several plugins and still got a lower bit count (Tor security slider on Medium).

Questionable advice and tests from EFF

Much of what EFF wrote is outdated and no longer maintained. The same goes for the fingerprint test. Some tests are inaccurate, and it’s not really mentioned that knowing, say, which fonts you have installed doesn’t by itself make you vulnerable; it only becomes a tracking signal in combination with other attributes and across visits. The test doesn’t tell you what you should use (except an extension), just some basic blah. Basically, every website today logs everything about you in order to protect the platform. The fact that someone logs something about you doesn’t mean you’re vulnerable or that they sell it, and the fact that a page officially doesn’t log anything about you doesn’t always mean you’re good to go. The test doesn’t account for most of these cases.

New marketing gag: so-called anti-fingerprinting mechanisms that don’t help?

Mozilla’s new strategy seems to be to integrate (copy and paste) features from the Tor project in order to make people believe they are more secure. I find this just as dangerous and wrong as EFF’s so-called security advice. You can disable everything and use 100 extensions to block everything; it won’t help you if you post your personal information on Facebook or any other site. Nor does it prevent tracking at all: it can make you even more unique, because a page that sees ‘unexpected’ behaviour (JavaScript off, an empty font list, a spoofed user agent) can treat you as suspicious and single you out.

This snake oil seems to work well for Mozilla, and we should not forget that they implement their own telemetry just like everyone else in order to ‘improve’ their products, so how are they better? That you can’t trust anyone should be clear after the Mr. Robot failure (the Looking Glass add-on). I’m not sure whether you can trust an organization (Mozilla or any other) that uses ‘we secure you’ as a marketing strategy when it’s clear that they collect data just like Google and all the other big players. People should wake up and ask themselves why there still isn’t any browser (not even Tor Browser) able to hide every metadata leak. The answer is really simple: it is not possible, or at least very complicated. The Tor project has been working on this for years with more or less good results.

Using anti-fingerprinting mechanisms doesn’t solve the problem; in the best case it lowers the possible attack surface, and that’s all, assuming nobody has physical access to your PC or browser.
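To put the two points above into numbers (the ‘bits’ Panopticlick reports depend on who else ran the test, and ‘hiding’ attributes makes a visitor rarer rather than anonymous), here is an added example of how such a figure is computed. It is my own constructed code, not code from EFF, Panopticlick, Mozilla or the Tor project: the population, its attribute distributions and the two visitor records are made up, and the per-attribute sum assumes attributes are independent (they are not, so it over-counts), which is why the example also counts identical full fingerprints directly.

```javascript
// Added example: Panopticlick-style "bits of identifying information" over a
// constructed population. Constructed data only; not EFF or Panopticlick code.

// Small deterministic PRNG (LCG) so the constructed population is reproducible.
function lcg(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 0x100000000;                          // uniform in [0, 1)
  };
}

// Weighted choice: options is [[value, weight], ...].
function pick(rand, options) {
  const total = options.reduce((acc, [, w]) => acc + w, 0);
  let r = rand() * total;
  for (const [value, w] of options) {
    if ((r -= w) < 0) return value;
  }
  return options[options.length - 1][0];
}

// Assumed attribute distributions of the people who ran the test (constructed).
const DISTRIBUTIONS = {
  userAgent:  [["Chrome/Windows", 55], ["Chrome/Linux", 10], ["Firefox/Linux", 20], ["Firefox/Windows", 15]],
  timezone:   [["UTC+1", 40], ["UTC-5", 35], ["UTC+9", 25]],
  screen:     [["1920x1080", 60], ["1366x768", 30], ["1440x900", 10]],
  fonts:      [["common-set", 70], ["extended-set", 29], ["empty", 1]],
  javascript: [["enabled", 99], ["disabled", 1]],
};

// Build `size` synthetic visitor records from the given distributions.
function buildPopulation(size, seed, distributions = DISTRIBUTIONS) {
  const rand = lcg(seed);
  const population = [];
  for (let i = 0; i < size; i++) {
    const record = {};
    for (const [attr, options] of Object.entries(distributions)) record[attr] = pick(rand, options);
    population.push(record);
  }
  return population;
}

// Surprisal of one observed value: log2(visitors / visitors sharing the value).
function surprisalBits(shared, total) {
  return Math.log2(total / shared);
}

// Bits for a visitor `record` relative to `population`. The visitor is counted
// as part of the population, so every value is shared by at least one browser.
function fingerprintBits(population, record) {
  const total = population.length + 1;
  const attrs = Object.keys(record);
  const perAttribute = {};
  let naiveSum = 0;                                  // sum assumes independence (over-counts)
  for (const attr of attrs) {
    const shared = population.filter(r => r[attr] === record[attr]).length + 1;
    perAttribute[attr] = surprisalBits(shared, total);
    naiveSum += perAttribute[attr];
  }
  // Direct count of browsers whose whole fingerprint equals this one.
  const identical = population.filter(r => attrs.every(a => r[a] === record[a])).length + 1;
  return { perAttribute, naiveSum, identical, combinedBits: surprisalBits(identical, total) };
}

// Compare an ordinary visitor with one who "hides" by disabling JavaScript and
// reporting no fonts: the hidden one is rarer in this population, i.e. more bits.
function demo() {
  const population = buildPopulation(2000, 42);
  const typical = { userAgent: "Chrome/Windows", timezone: "UTC+1", screen: "1920x1080", fonts: "common-set", javascript: "enabled" };
  const hidden  = { userAgent: "Firefox/Linux",  timezone: "UTC+1", screen: "1920x1080", fonts: "empty",      javascript: "disabled" };
  return { typical: fingerprintBits(population, typical), hidden: fingerprintBits(population, hidden) };
}

const result = demo();
console.log("typical visitor:", result.typical.combinedBits.toFixed(2), "bits");
console.log("hidden visitor: ", result.hidden.combinedBits.toFixed(2), "bits");
```

Run it with `node` and change the weights in `DISTRIBUTIONS` (for instance, make `javascript: "disabled"` 50% instead of 1%): the same ‘hidden’ visitor then scores far fewer bits, which is the whole point about the number describing the test’s population rather than the visitor.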

Closing Words

EFail and other security problems are patchable; the developers have already started working on it and some patches are already out, yet the drama is once again high. Wrong security advice was spread, especially by EFF, which makes me question how much effort they spend on checking the facts. And since this isn’t ‘dangerous’ enough, they still hold on to their fingerprint test without telling you that it shouldn’t be taken seriously. The documentation for such projects is incomplete.

As much as I support and like EFF’s work, it sometimes makes me wonder whether they shouldn’t put much more effort into their projects and documentation in order to provide more useful information.