Privacy-conscious users have sounded the alarm after it emerged the "New Tab" thumbnail feature in Firefox 13 is "taking snapshots of the user's HTTPS session content". Reg reader Chris discovered the feature after opening a new tab only to be "greeted by my earlier online banking and webmail sessions complete with account …
The new tab thumbnails are based on users' browsing history. All information is contained within the browser and can be deleted at any time.
So the new tab thumbnail feature isn't capturing any new data, it's just shining a glaring light on the fact the ruddy browser stores HTTPS session data anyway?
This is better how exactly?
The order of the thumbnails is by default taken from the browsing history. You can later delete or re-arrange them with the pins and crosses when you roll the mouse over them.
The thumbnails are stored in a new directory in the profile called 'thumbnails' and they are unfortunately stored unencrypted. You can blow them away if you don't want them, make the directory read-only if you don't want them to be regenerated, or change the homepage to about:blank so about:newtab never even appears.
So I suppose Mozilla have unwittingly stumbled across another problem... should browsers store https directions in their browsing history?
I know that Opera Mobile speeddial also stores thumbnails of https pages and Chrome probably does too.
"https directions" should be "https addresses"
I think the point is that until it started storing these thumbnails it wasn't storing secure data anyway: in particular it was (I assume, based on this not having been discovered earlier as it's a very obvious attack) caching secure data. It does store https things in the history, so there is information that you have visited a secure site, but no secure content was cached, I hope.
I couldn't find the Thumbnails folder so I simply deleted every 'link' on the new tab page until there were only the 9 beige empty 'boxes'.
I then continued to browse to different sites, which show in History, and opened a new tab to check and there's nothing in any of the 'boxes'. At this point it seems that the 'boxes' aren't updated or related to History or Favorites, at least now. Maybe time will tell a different story.
It might be that the thumbnails folder makes an appearance in the next version, I'm using Aurora (v14).
To me, it increasingly looks like Firefox people have basically got in the business of making themselves look busy and pat each other on the back.
I was reading their requirements wiki (e.g., the entry for the feature at hand: https://wiki.mozilla.org/Firefox/Features/New_Tab_Page) earlier on. Two things called my attention:
1. The status section ending with "Great work by the whole team." Eh??? Who let the PR managers in? That's supposed to be a technical document, and as such I find hollow self-congratulatory statements out of place. Maybe it's just me and my corporate bullshit phobia though.
2. The feature overview states: "Whenever Firefox users open a new tab, their goal is to use it to navigate somewhere." Actually, my goal when opening a new tab is precisely to have a clean page, purely because I find that more pleasing that cluttering up my desktop with unnecessary content, while still leaving FF running so a) it doesn't take half a year to open when I need it again, and b) it will still remember my various session settings (I mostly use Private mode, but I do want it to remember the contents of some form entry boxes, URLs, etc., so starting automatically in Private mode is not an option). This is of course just one example of how varied use cases may be for such a widely deployed application, so a hand-waving sentence saying "this is what people do" without any justification whatsoever I think is not enough.
Some teams I know of use the advocatus diaboli concept. Essentially, any new requirement needs to get past a gatekeeper whose job is to argue *against* the inclusion of said requirement, however obviously good an idea it may sound. Somehow that seems to produce higher quality products which stay focused on what they really are meant to do, not what someone with the right amount of clout thought would be neat.
Corrections by a CISO
If you're really concerned with security and privacy, you shouldn't be using any browser to remember completed forms or passwords. That's what products like RoboForm are for, and Roboform has never had a vulnerability requiring a security patch for as long as I've been using it (well over a decade).
As for the comments by tfb & APraxis, the data were always there in the cache, as with many other browsers (e.g. Opera & Chrome; I have banned any use of IE, so I can't comment there). There is no "Thumbnails" folder, they're generated on the fly from the data in the cache.
My major complaint with the "Firefox/Features/New Tab Page - MozillaWiki" linked above by Gold Plating, is that one of the requirements reads that it should be "useful without any configuration, yet can be easily configured and disabled". After upgrading to FF 13, I immediately wanted to turn it off, but had to search through all of the options before finally learning that the icon in the upper right corner of the New Tab Page was intended to make it "easily disabled", I just finally found out how to permanently disable it or "show, hide and customize top sites" on this page:
As for the security issue, some are suggesting that we should have Firefox clear the history after every session. However, it isn't necessary to clear the entire Browing history (which can come in handy at times) if the user simply clears the browser's Cache, Active Logons, and perhaps Offline Website Data plus Form & Search History for safe measure. This can be done from the Options dialog, Privacy tab, History section, by checking the box for "Clear history when Firefox closes" and using the Settings button to be more specific.
These options are visible and accessible by default, but not if the user had previously changed the first option in the History section from "Use custom settings for history" to either "Remember history" or "Never remember history".
Clearing specific historical info can also be done manually by downloading one of the sets of toolbar button extensions with an "Open Clear Private Data Dialog" button, such as the Broom button I have, and adding it to the toolbar, by right-clicking the toolbar and selecting customize. Using that button, I can choose what time range to clear, 1, 2 or 4 hours, Today, or Everything, and which categories to clear, so I don't lose my entire browsing history, site preferences or non-trackng cookies such as the one that allows my bank to recognize my system when I try to login. This prevents me or anyone else from logging in from another system, unless they have access to my email so they can validate the other system by receiving a code sent to me upon request, and that code is only valid for a short time.
A pointless thing, really...
And easily subverted:
Wander to about:config, answer the impertinent question about your abilities, and change the value of browser.newtabpage.enabled to 'false'. And if, like me, you'd like the new tab to come up with your homepage rather than the default blank page, that's on the value immediately above: browser.newtab.url
What were they thinking? On the one hand they're pushing privacy mode, and on the other they dump the last dozen pages you visited for all to see. I have no idea whether privacy mode pages appear this way - I'd guess not - but the generic 'show the world' mode is utterly pointless.
Re: A pointless thing, really...
Thanks a lot! Been searching for a way to turn that off :)
@Neil - Re: A pointless thing, really...
Thanks for the fix!
However... Mozilla seems to be wandering toward Facebook territory in a couple ways:
1) New privacy-impacting features (not advertised as such), which technically can turned off, but only by changing something in the Mozilla-equivalent of the Windows Registry. And that presumes I happen to read in fora that the feature affects my privacy, and someone finds the magic shut-off entry and posts it. It's rather like FB's continual change of privacy policies/settings, and concomitant shuffling of where and how one changes one's FB settings -- it's a never-ending war. (No, I don't FB.)
2) User-tracking. Some versions ago, Mozilla introduced a Firefox customization feature called "Personas". It's like mini-wallpaper, but within the browser window. I thought it was neat, and used it extensively. One day I had Wireshark running, started Firefox to look up something, and saw that when Firefox started up, it started talking to some server below mozilla.org in the DNS hierarchy. "personas" was somewhere in the DNS query it sent. I shut off Personas, quit Firefox, re-started Firefox... and Wireshark showed FF no longer made a DNS query to (something).mozilla.org.
Why the hell would Mozilla do that? Do I have point out how stupid it would be to fetch the personas when FF starts up, vs caching them locally?
"greeted by my earlier online banking and webmail sessions complete with account numbers, balances, subject lines etc."
the thumbnails on mine are so small and blurry I can read The Register banner text and that's it. All the rest is just illegible pixels. Maybe only a problem for people with high resolution displays?
Still turned it off anyway.
I just went and looked at the new tab page. Of the nine options, 4 are different pages on the same website, four have titles but no images, one says "file not found" and seven of them are for sites I already have open on other pages.
So I took the suggestion in the article and clicked on the square icon thingie. A blank page is less distracting. Maybe I'm getting old but it seems that most "usability enhancements" nowadays are just complicated graphical ways of performing simple tasks.
Firefox gives you options to have or not have. Dont know why people are up in arms about optional features.
Especially optional features that other browsers have had for years. Nothing but FUD
"Dont know why people are up in arms about optional features."
I don't know either, but one possible reason could be that those "optional" features add weight and complexity to a code base which is already not lean by any means (and let's remember that's how Firefox [called Phoenix at the time] got started in the first place). As a bit of a hand-waving generalisation, more size and complexity also means less security (larger attack surface, etc.)
I just don't understand why they think this is such a cool thing to have, and on the other hand you need to install some dodgy extension if you want a fucking download progress bar.
The Firefox 13 new tab window is just annoying. I do not want to be shown the contents of my other open tabs when opening a new one my home page will do thanks.
Also has anyone else had Firefox 13 behave really strange in that it reloads every tab you click on it and sometimes doesn't load content presenting you with empty space on the page?
Firefox seems to be slipping.
FF has slipped badly in the past year or two. As a consequence I've switched to the more secure Comodo Dragon based on Chromium. Much faster. More stable. More secure.
Stupid tab loading / reloading
Yup - but it only does it sometimes; not every tab, or every site, or every time I go back to a tab.
One suggestion is that it's a combination of the "Don't load tabs until selected" setting, and the page's cache timeout setting. I've just tried turning off the first setting (Options, General - you may need to turn "When Firefox starts: Show my windows and tabs from last time" back on to turn it off) - it's too early to tell if that's cured it, but fingers crossed.
Yet another bloody stupid idea from Mozilla anyway. Before, if you opened FF with a bunch of default tabs you had to wait once for them all to load. Now, you wait less time for them to "load" - but each time you select one, you have to wait for it to load for real.
Someone should start working on a lightweight FF build; maybe with all that extra BS pushed out into plugins? You could call it "Phoenix" or something...
Re: Stupid tab loading / reloading
Turns out that Lynx still works with El Reg... does away with the issue completely!
Re: Stupid tab loading / reloading
Thumbs up for the reference to Phoenix. You sarcastic bastard! ;)
browser.privatebrowsing.autostart = TRUE
Do people still use failfox?
As opposed to Chrome, made by an organisation who do no evil whatsoever.
So no different to Mozilla, kept alive "by an organisation who do no evil whatsoever".
Better off switching to Comodo Dragon based on Chromium. All Google home calls disabled. Use of Comodo DNS is not required and not a default. Faster and more stable than FF in my experience.
Ok - I guess they do. My bad
@Frank 14 - Re Comodo Dragon browser
When I visited Comodo's website, NoScript told me the site contained scripts from the following tracking company URLs:
Given Comodo's obsession with tracking and monetizing visitors to its website, why would I ever trust that their "Comodo Dragon" web browser?
It does worry me, not that people are still finding bugs in [s/IE/FF], but that those bugs are so prevalant and easy to find, and nobody has bothered to actual fix the cause (not just patch the resulting symptom).
modify browser.newtab.url to about:blank instead of about:newtab
It still stores the information
"Users can also switch back to using blank new tab screens by clicking the square icon in the top right corner of the browser. That will change the default preference to show a blank page, rather than the most visited websites when a new tab is opened."
But if you later click that icon again so the previews come back, it shows you pages that you browsed previously - i.e. the information was still stored. Presumably the same if you change the settings so the new tab doesn't appear.
It's all gone a bit IE
These guys are dropping the ball a bit here. I know everyone raves about Chrome these days but I am fixated on the fox when it comes to tinkling the interwebz..
They need to up their game and make Firefox better than Chrome for privacy - which aint too difficult thanks to Chrome being made by the worlds largest web advertising and stalking company. Sort it out dudes! I love me some Firefox but this is Microsoft level of common sense fail!
That's not what HTTPS is for
HTTPS isn't designed to protect the information on your PC - it's meant to protect data as it's transmitted to another party, so that it can't be intercepted or tampered with en-route. It's just as vulnerable to being intercepted and siphoned off by malware on your PC as HTTP site traffic is.
This is extra privacy on top of what Mozilla actually needs to do.
Re: That's not what HTTPS is for
"This is extra privacy on top of what Mozilla actually needs to do"
Which planet do you live on exactly? Were you trained by Microsoft?
Re: That's not what HTTPS is for
That's a valid point, but taking screenshots of secure websites is still a slip-up.
Re: That's not what HTTPS is for
"HTTPS isn't designed to protect the information on your PC"
That's not the point. The reason it was mentioned (and complained about) is because there is a, in my opinion reasonable, expectation that a page served via HTTPS may contain sensitive or private information which should not be unduly exposed.
This is the reason why HTTPS content is generally not cached, even though technically there is no requirement not to do so.
NoScript wins again
The NoScript add-on for Firefox forbids about:newtab, or can be set to do so.
This behaviour is so silent that I didn't initially know what the heck this article was about, as the new tab screen has *always* just been nine grey rectangles for me...
That's "...in FF13 has *always* just been...", obviously. D'oh.
Yipes, that's a bit of a fuck-up. Surely during the development of a feature that takes screenshots of what you're doing someone would consider HTTPS and private mode? That's some serious derp.
I'm OK though, I turned off that quick-dial crap anyway. Always annoyed me in Opera and Safari, still annoys me in FF.
Just use ESR
No, not the mad conspiracy/gun bloke, Extended Support Release which, according to the roadmap, is good until V17's release, at which point V17 becomes ESR. Also available in Thunderbird flavour. YKIMS.
Nicely hidden there, Mozilla. We'll always find these things eventually, though.
My Chrome 18 does that too, I just realized it. Anyone complained? Apparently not... So much for FUD against Firefox.
Re: Chrome too
'Scuse me, off to check Opera/Safari...
First thing I did when I saw the new tab page is switch it off.
FF / Chrome / Iron
6 years a loyal FF user, just changed to Iron this week. Still like FF but the bloat was getting too much. FF smells like a Microsoft product these days.
Chrome = Google stalkware
Re: FF / Chrome / Iron
If you have an older firefox profile and are seeing bloat, please reset your browser.
-Type "about:support" in the url bar
-Click the "Reset Firefox" button
I just did this and my firefox has been working better then ever before. Sometimes 'bloat' is really just an old corrupted profile. ^.^
..first thing i did is disable new tab (switched it to blank in about:config) - it's a useless feature anyway: if it was user initiated thumbnail view that would be ok, but why do i have to wait for that somewhat heavy thumbnail page to load (running a s^%tload javascipt, no doubt) if all i want to do i paste the url or type it in?
Re: That's why...
If you're copy/pasting a URL in the browser just select the text, right-click, "open in new tab". If you want to type a URL and open it in a new tab just type it in the current location box and middle click the green arrow. Both avoid manually opening a new tab.
It doesn't make much difference for the folks who have the browser remember the login details for their bank anyway. I know I have it remember mine, granted it remembers bogus data including data for not only my banks but banks I don't even use. Hey, just because I'm paranoid doesn't mean I'm not paranoid enough or something like that.
All I get is a bunch of thumbnails warning me that I need to be 18 to proceed.
Tried Mozilla's fix and it still keeps the images, it just doesn't show them :(
I couldn't find any "thumbnails" folder, but did find an image of the rendered webpage in the "cache" directories (along side the unrendered cached file).
Does setting "disk_cache_ssl" to false fix this problem? Probably a good idea to turn this off anyway if you don't want potentially sensitive data stored in unencrypted on disk.
You may also want to set the cache to be deleted on exit, or to not use disk caching at all if you are really paranoid.
Holy crap, did I blink or something?
I'm still on v8.
On that note, may as well wait till v14 till they fix yet another broken feature.
- Geek's Guide to Britain INSIDE GCHQ: Welcome to Cheltenham's cottage industry
- 'Catastrophic failure' of 3D-printed gun in Oz Police test
- Game Theory Is the next-gen console war already One?
- Analysis Spam and the Byzantine Empire: How Bitcoin tech REALLY works
- Apple cored: Samsung sells 10 million Galaxy S4 in a month