Firefox 'new tab' feature exposes users' secured info: Fix promised

Privacy-conscious users have sounded the alarm after it emerged the "New Tab" thumbnail feature in Firefox 13 is "taking snapshots of the user's HTTPS session content". Reg reader Chris discovered the feature after opening a new tab only to be "greeted by my earlier online banking and webmail sessions complete with account …

COMMENTS

This topic is closed for new posts.


  1. TeeCee Gold badge
    Facepalm

    Seriously?

    The new tab thumbnails are based on users' browsing history. All information is contained within the browser and can be deleted at any time.

    So the new tab thumbnail feature isn't capturing any new data, it's just shining a glaring light on the fact the ruddy browser stores HTTPS session data anyway?

    This is better how exactly?

    1. Dan 55 Silver badge

      Re: Seriously?

      The order of the thumbnails is by default taken from the browsing history. You can later delete or re-arrange them with the pins and crosses when you roll the mouse over them.

      The thumbnails are stored in a new directory in the profile called 'thumbnails' and they are unfortunately stored unencrypted. You can blow them away if you don't want them, make the directory read-only if you don't want them to be regenerated, or change the homepage to about:blank so about:newtab never even appears.

      So I suppose Mozilla have unwittingly stumbled across another problem... should browsers store https directions in their browsing history?

      I know that Opera Mobile speeddial also stores thumbnails of https pages and Chrome probably does too.

      1. Dan 55 Silver badge
        Headmaster

        Gnh

        "https directions" should be "https addresses"

      2. APraxis

        Re: Seriously?

        I couldn't find the Thumbnails folder so I simply deleted every 'link' on the new tab page until there were only the 9 beige empty 'boxes'.

        I then continued to browse to different sites, which show in History, and opened a new tab to check and there's nothing in any of the 'boxes'. At this point it seems that the 'boxes' aren't updated or related to History or Favorites, at least now. Maybe time will tell a different story.

        1. Dan 55 Silver badge

          Re: Seriously?

          It might be that the thumbnails folder makes an appearance in the next version, I'm using Aurora (v14).

    2. Anonymous Coward
      Boffin

      Re: Seriously?

      I think the point is that until it started storing these thumbnails it wasn't storing secure data anyway: in particular it was (I assume, based on this not having been discovered earlier as it's a very obvious attack) caching secure data. It does store https things in the history, so there is information that you have visited a secure site, but no secure content was cached, I hope.

    3. Anonymous Coward
      Anonymous Coward

      Gold Plating

      To me, it increasingly looks like Firefox people have basically got in the business of making themselves look busy and pat each other on the back.

      I was reading their requirements wiki (e.g., the entry for the feature at hand: https://wiki.mozilla.org/Firefox/Features/New_Tab_Page) earlier on. Two things called my attention:

      1. The status section ending with "Great work by the whole team." Eh??? Who let the PR managers in? That's supposed to be a technical document, and as such I find hollow self-congratulatory statements out of place. Maybe it's just me and my corporate bullshit phobia though.

      2. The feature overview states: "Whenever Firefox users open a new tab, their goal is to use it to navigate somewhere." Actually, my goal when opening a new tab is precisely to have a clean page, purely because I find that more pleasing than cluttering up my desktop with unnecessary content, while still leaving FF running so a) it doesn't take half a year to open when I need it again, and b) it will still remember my various session settings (I mostly use Private mode, but I do want it to remember the contents of some form entry boxes, URLs, etc., so starting automatically in Private mode is not an option). This is of course just one example of how varied use cases may be for such a widely deployed application, so a hand-waving sentence saying "this is what people do" without any justification whatsoever I think is not enough.

      Some teams I know of use the advocatus diaboli concept. Essentially, any new requirement needs to get past a gatekeeper whose job is to argue *against* the inclusion of said requirement, however obviously good an idea it may sound. Somehow that seems to produce higher quality products which stay focused on what they really are meant to do, not what someone with the right amount of clout thought would be neat.

      1. davidows
        WTF?

        Corrections by a CISO

        If you're really concerned with security and privacy, you shouldn't be using any browser to remember completed forms or passwords. That's what products like RoboForm are for, and Roboform has never had a vulnerability requiring a security patch for as long as I've been using it (well over a decade).

        As for the comments by tfb & APraxis, the data were always there in the cache, as with many other browsers (e.g. Opera & Chrome; I have banned any use of IE, so I can't comment there). There is no "Thumbnails" folder, they're generated on the fly from the data in the cache.

        My major complaint with the "Firefox/Features/New Tab Page - MozillaWiki" linked above by Gold Plating is that one of the requirements reads that it should be "useful without any configuration, yet can be easily configured and disabled". After upgrading to FF 13, I immediately wanted to turn it off, but had to search through all of the options before finally learning that the icon in the upper right corner of the New Tab Page was intended to make it "easily disabled". I just finally found out how to permanently disable it or "show, hide and customize top sites" on this page:

        http://support.mozilla.org/en-US/kb/new-tab-page-show-hide-and-customize-top-sites?s=new+tab+page&r=0&e=un&as=s

        As for the security issue, some are suggesting that we should have Firefox clear the history after every session. However, it isn't necessary to clear the entire Browsing history (which can come in handy at times) if the user simply clears the browser's Cache, Active Logons, and perhaps Offline Website Data plus Form & Search History for safe measure. This can be done from the Options dialog, Privacy tab, History section, by checking the box for "Clear history when Firefox closes" and using the Settings button to be more specific.

        These options are visible and accessible by default, but not if the user had previously changed the first option in the History section from "Use custom settings for history" to either "Remember history" or "Never remember history".

        Clearing specific historical info can also be done manually by downloading one of the sets of toolbar button extensions with an "Open Clear Private Data Dialog" button, such as the Broom button I have, and adding it to the toolbar by right-clicking the toolbar and selecting Customize. Using that button, I can choose what time range to clear (1, 2 or 4 hours, Today, or Everything) and which categories to clear, so I don't lose my entire browsing history, site preferences or non-tracking cookies such as the one that allows my bank to recognize my system when I try to log in. This prevents me or anyone else from logging in from another system, unless they have access to my email so they can validate the other system by receiving a code sent to me upon request, and that code is only valid for a short time.

  2. Neil Barnes Silver badge
    FAIL

    A pointless thing, really...

    And easily subverted:

    Wander to about:config, answer the impertinent question about your abilities, and change the value of browser.newtabpage.enabled to 'false'. And if, like me, you'd like the new tab to come up with your homepage rather than the default blank page, that's on the value immediately above: browser.newtab.url

    What were they thinking? On the one hand they're pushing privacy mode, and on the other they dump the last dozen pages you visited for all to see. I have no idea whether privacy mode pages appear this way - I'd guess not - but the generic 'show the world' mode is utterly pointless.

    1. petur
      Thumb Up

      Re: A pointless thing, really...

      Thanks a lot! Been searching for a way to turn that off :)

    2. Anonymous Coward
      Anonymous Coward

      @Neil - Re: A pointless thing, really...

      Thanks for the fix!

      However... Mozilla seems to be wandering toward Facebook territory in a couple ways:

      1) New privacy-impacting features (not advertised as such), which technically can be turned off, but only by changing something in the Mozilla-equivalent of the Windows Registry. And that presumes I happen to read in fora that the feature affects my privacy, and someone finds the magic shut-off entry and posts it. It's rather like FB's continual change of privacy policies/settings, and concomitant shuffling of where and how one changes one's FB settings -- it's a never-ending war. (No, I don't FB.)

      2) User-tracking. Some versions ago, Mozilla introduced a Firefox customization feature called "Personas". It's like mini-wallpaper, but within the browser window. I thought it was neat, and used it extensively. One day I had Wireshark running, started Firefox to look up something, and saw that when Firefox started up, it started talking to some server below mozilla.org in the DNS hierarchy. "personas" was somewhere in the DNS query it sent. I shut off Personas, quit Firefox, re-started Firefox... and Wireshark showed FF no longer made a DNS query to (something).mozilla.org.

      Why the hell would Mozilla do that? Do I have to point out how stupid it would be to fetch the personas when FF starts up, vs caching them locally?

  3. thesykes

    really?

    "greeted by my earlier online banking and webmail sessions complete with account numbers, balances, subject lines etc."

    the thumbnails on mine are so small and blurry I can read The Register banner text and that's it. All the rest is just illegible pixels. Maybe only a problem for people with high resolution displays?

    Still turned it off anyway.

  4. Len Goddard
    Thumb Down

    Useless

    I just went and looked at the new tab page. Of the nine options, 4 are different pages on the same website, four have titles but no images, one says "file not found" and seven of them are for sites I already have open on other pages.

    So I took the suggestion in the article and clicked on the square icon thingie. A blank page is less distracting. Maybe I'm getting old but it seems that most "usability enhancements" nowadays are just complicated graphical ways of performing simple tasks.

    1. This post has been deleted by its author

      1. Anonymous Coward
        Anonymous Coward

        Re: Useless

        "Dont know why people are up in arms about optional features."

        I don't know either, but one possible reason could be that those "optional" features add weight and complexity to a code base which is already not lean by any means (and let's remember that's how Firefox [called Phoenix at the time] got started in the first place). As a bit of a hand-waving generalisation, more size and complexity also means less security (larger attack surface, etc.)

        I just don't understand why they think this is such a cool thing to have, and on the other hand you need to install some dodgy extension if you want a fucking download progress bar.

  5. That Steve Guy

    The Firefox 13 new tab window is just annoying. I do not want to be shown the contents of my other open tabs when opening a new one; my home page will do, thanks.

    Also, has anyone else had Firefox 13 behave really strangely in that it reloads every tab you click on, and sometimes doesn't load content, presenting you with empty space on the page?

    Firefox seems to be slipping.

    1. Anonymous Coward
      Anonymous Coward

      Agreed

      FF has slipped badly in the past year or two. As a consequence I've switched to the more secure Comodo Dragon based on Chromium. Much faster. More stable. More secure.

    2. Tac Eht Xilef

      Stupid tab loading / reloading

      Yup - but it only does it sometimes; not every tab, or every site, or every time I go back to a tab.

      One suggestion is that it's a combination of the "Don't load tabs until selected" setting, and the page's cache timeout setting. I've just tried turning off the first setting (Options, General - you may need to turn "When Firefox starts: Show my windows and tabs from last time" back on to turn it off) - it's too early to tell if that's cured it, but fingers crossed.

      Yet another bloody stupid idea from Mozilla anyway. Before, if you opened FF with a bunch of default tabs you had to wait once for them all to load. Now, you wait less time for them to "load" - but each time you select one, you have to wait for it to load for real.

      Someone should start working on a lightweight FF build; maybe with all that extra BS pushed out into plugins? You could call it "Phoenix" or something...

      1. Neil Barnes Silver badge
        Thumb Up

        Re: Stupid tab loading / reloading

        Turns out that Lynx still works with El Reg... does away with the issue completely!

      2. Anonymous Coward
        Anonymous Coward

        Re: Stupid tab loading / reloading

        Thumbs up for the reference to Phoenix. You sarcastic bastard! ;)

  6. Anonymous Coward
    Anonymous Coward

    Solution

    about:config

    browser.privatebrowsing.autostart = TRUE

    EOT

  7. ukgnome
    Trollface

    Do people still use failfox?

    1. Anonymous Coward 15

      As opposed to Chrome, made by an organisation who do no evil whatsoever.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        So no different to Mozilla, kept alive "by an organisation who do no evil whatsoever".

        Better off switching to Comodo Dragon based on Chromium. All Google home calls disabled. Use of Comodo DNS is not required and not a default. Faster and more stable than FF in my experience.

        1. Anonymous Coward
          Anonymous Coward

          @Frank 14 - Re Comodo Dragon browser

          When I visited Comodo's website, NoScript told me the site contained scripts from the following tracking company URLs:

          optimizely.com

          fetchback.com

          addthis.com

          reedge.com

          google-analytics.com

          trustlogo.com

          Given Comodo's obsession with tracking and monetizing visitors to its website, why would I ever trust that their "Comodo Dragon" web browser?

    2. ukgnome
      Facepalm

      Ok - I guess they do. My bad

  8. Gordon Fecyk
    Go

    [s/pot/kettle]

    It does worry me, not that people are still finding bugs in [s/IE/FF], but that those bugs are so prevalent and easy to find, and nobody has bothered to actually fix the cause (not just patch the resulting symptom).

  9. Anonymous Coward
    Anonymous Coward

    In about:config

    modify browser.newtab.url to about:blank instead of about:newtab

  10. Christoph

    It still stores the information

    "Users can also switch back to using blank new tab screens by clicking the square icon in the top right corner of the browser. That will change the default preference to show a blank page, rather than the most visited websites when a new tab is opened."

    But if you later click that icon again so the previews come back, it shows you pages that you browsed previously - i.e. the information was still stored. Presumably the same if you change the settings so the new tab doesn't appear.

  11. LinkOfHyrule
    FAIL

    It's all gone a bit IE

    These guys are dropping the ball a bit here. I know everyone raves about Chrome these days but I am fixated on the fox when it comes to tinkling the interwebz..

    They need to up their game and make Firefox better than Chrome for privacy - which ain't too difficult thanks to Chrome being made by the world's largest web advertising and stalking company. Sort it out dudes! I love me some Firefox but this is Microsoft level of common sense fail!

  12. James Howat

    That's not what HTTPS is for

    HTTPS isn't designed to protect the information on your PC - it's meant to protect data as it's transmitted to another party, so that it can't be intercepted or tampered with en route. It's just as vulnerable to being intercepted and siphoned off by malware on your PC as HTTP site traffic is.

    This is extra privacy on top of what Mozilla actually needs to do.

    1. Anonymous Coward
      FAIL

      Re: That's not what HTTPS is for

      "This is extra privacy on top of what Mozilla actually needs to do"

      Which planet do you live on exactly? Were you trained by Microsoft?

    2. Anonymous Coward
      Anonymous Coward

      Re: That's not what HTTPS is for

      That's a valid point, but taking screenshots of secure websites is still a slip-up.

    3. Anonymous Coward
      Anonymous Coward

      Re: That's not what HTTPS is for

      "HTTPS isn't designed to protect the information on your PC"

      That's not the point. The reason it was mentioned (and complained about) is because there is a, in my opinion reasonable, expectation that a page served via HTTPS may contain sensitive or private information which should not be unduly exposed.

      This is the reason why HTTPS content is generally not cached, even though technically there is no requirement not to do so.

  13. Big Al
    Alert

    NoScript wins again

    The NoScript add-on for Firefox forbids about:newtab, or can be set to do so.

    This behaviour is so silent that I didn't initially know what the heck this article was about, as the new tab screen has *always* just been nine grey rectangles for me...

  14. Big Al

    *cough*

    That's "...in FF13 has *always* just been...", obviously. D'oh.

  15. Greg J Preece

    Yipes, that's a bit of a fuck-up. Surely during the development of a feature that takes screenshots of what you're doing someone would consider HTTPS and private mode? That's some serious derp.

    I'm OK though, I turned off that quick-dial crap anyway. Always annoyed me in Opera and Safari, still annoys me in FF.

  16. Chronos
    Thumb Up

    Just use ESR

    No, not the mad conspiracy/gun bloke, Extended Support Release which, according to the roadmap, is good until V17's release, at which point V17 becomes ESR. Also available in Thunderbird flavour. YKIMS.

    Nicely hidden there, Mozilla. We'll always find these things eventually, though.

  17. dullboy
    Facepalm

    Chrome too

    My Chrome 18 does that too, I just realized it. Anyone complained? Apparently not... So much for FUD against Firefox.

    1. Greg J Preece

      Re: Chrome too

      Really?

      'Scuse me, off to check Opera/Safari...

  18. Luke McCarthy

    Hah

    First thing I did when I saw the new tab page is switch it off.

  19. Jim 59

    FF / Chrome / Iron

    6 years a loyal FF user, just changed to Iron this week. Still like FF but the bloat was getting too much. FF smells like a Microsoft product these days.

    Chrome = Google stalkware

    1. This post has been deleted by its author

  20. vgrig_us

    That's why...

    ..first thing i did is disable new tab (switched it to blank in about:config) - it's a useless feature anyway: if it was a user-initiated thumbnail view that would be ok, but why do i have to wait for that somewhat heavy thumbnail page to load (running a s^%tload of javascript, no doubt) if all i want to do is paste the url or type it in?

    1. Anonymous Coward
      Anonymous Coward

      Re: That's why...

      If you're copy/pasting a URL in the browser just select the text, right-click, "open in new tab". If you want to type a URL and open it in a new tab just type it in the current location box and middle click the green arrow. Both avoid manually opening a new tab.

  21. Eddy Ito
    Trollface

    Ok but

    It doesn't make much difference for the folks who have the browser remember the login details for their bank anyway. I know I have it remember mine, granted it remembers bogus data including data for not only my banks but banks I don't even use. Hey, just because I'm paranoid doesn't mean I'm not paranoid enough or something like that.

  22. Bucky 2
    Pint

    Not me

    All I get is a bunch of thumbnails warning me that I need to be 18 to proceed.

  23. andy3k
    Black Helicopters

    Tried Mozilla's fix and it still keeps the images, it just doesn't show them :(

    I couldn't find any "thumbnails" folder, but did find an image of the rendered webpage in the "cache" directories (along side the unrendered cached file).

    Does setting "disk_cache_ssl" to false fix this problem? Probably a good idea to turn this off anyway if you don't want potentially sensitive data stored unencrypted on disk.

    You may also want to set the cache to be deleted on exit, or to not use disk caching at all if you are really paranoid.
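Several posts above (Dan 55 on the profile's 'thumbnails' directory, Neil Barnes and the two about:config posts on browser.newtabpage.enabled, browser.newtab.url and browser.privatebrowsing.autostart, andy3k on disk_cache_ssl) describe the same clean-up by hand. As an added example, not code from the thread or from Mozilla, here is a POSIX shell script that applies those settings to a closed Firefox profile through user.js and empties and locks the thumbnails directory; the function names are mine, privacy.sanitize.sanitizeOnShutdown is my assumption for the pref behind the "Clear history when Firefox closes" checkbox, and browser.newtab.url only exists in Firefox releases of this era.

```shell
#!/bin/sh
# Hypothetical helper (not Mozilla's): harden the new-tab behaviour of one
# Firefox profile. Run it with Firefox closed, or prefs.js will overwrite
# what user.js sets on the next shutdown.

# Preferences named in the thread, in user.js syntax so they persist.
NEWTAB_PREFS='user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtab.url", "about:blank");
user_pref("browser.cache.disk_cache_ssl", false);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);'

# Append each pref to <profile>/user.js unless that exact line is already there.
write_newtab_prefs() {
    userjs="$1/user.js"
    printf '%s\n' "$NEWTAB_PREFS" | while IFS= read -r line; do
        grep -qF -- "$line" "$userjs" 2>/dev/null || printf '%s\n' "$line" >> "$userjs"
    done
}

# Number of files in <profile>/thumbnails (0 if the directory does not exist).
count_thumbnails() {
    dir="$1/thumbnails"
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -type f | wc -l | tr -d ' '
}

# Delete every stored page snapshot, then make the directory read-only so
# Firefox cannot regenerate them (the workaround Dan 55 suggests).
purge_thumbnails() {
    dir="$1/thumbnails"
    [ -d "$dir" ] || return 0
    chmod u+w "$dir"                      # undo a previous lock so rm can work
    find "$dir" -type f -exec rm -f {} +
    chmod 555 "$dir"
}

# True when the two key prefs are present and no snapshots remain on disk.
profile_is_hardened() {
    userjs="$1/user.js"
    grep -qF 'user_pref("browser.newtabpage.enabled", false);' "$userjs" 2>/dev/null || return 1
    grep -qF 'user_pref("browser.cache.disk_cache_ssl", false);' "$userjs" 2>/dev/null || return 1
    [ "$(count_thumbnails "$1")" -eq 0 ]
}

main() {
    profile="$1"
    [ -d "$profile" ] || { echo "usage: $0 /path/to/firefox/profile (Firefox must be closed)" >&2; return 1; }
    write_newtab_prefs "$profile"
    purge_thumbnails "$profile"
    profile_is_hardened "$profile" && echo "profile hardened: $profile"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

The profile path is the directory containing prefs.js (on Linux usually under ~/.mozilla/firefox/); browser.newtabpage.enabled and browser.newtab.url can also be flipped back later in about:config without touching this script.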

  24. John Tserkezis

    Holy crap, did I blink or something?

    I'm still on v8.

    On that note, may as well wait till v14 till they fix yet another broken feature.
