
compromised privacy / flaw in Firefox v2.x?


Robbie


I'm not sure if someone has posted something about this before...

 

This compromising of privacy has only taken me about 11 months to realise, since Firefox 2.0 was launched last October... and it's thanks to CCleaner's companion, Recuva, that I actually did.

 

Anyone familiar with Firefox will probably know that if there is a computer crash, etc., and Firefox is open at the time and as a result closes, the next time you run Firefox you will be told that "Firefox closed unexpectedly" and given the option to "restore the last Firefox session" or start a new session. Choosing "restore" will reload all the tabs you had running and the websites that you were visiting at the time of the crash. For a long time I've tried to work out how FF can possibly remember this, as I've never been able to find a file that has this information when I go to the default FF folder in USER NAME / Application Data / Mozilla / Firefox / Profiles / user FF folder name. I've looked several times.

 

Sometimes using Recuva I've been able to recover a file called sessionstore.js.moztmp, which it is apparent is the file that stores all this information - and recovering that file and opening it in Notepad reveals a list of the URLs I was visiting when I closed Firefox. I've just found out that this is a temporary file (hence the .moztmp extension) that is created when FF is opened and is automatically deleted when FF is closed - which explains why I could never find it. Presumably, in the event of a crash the file is not deleted but kept until the next session. The main point, however, is that this file contains a list of all the URLs and additional information (cookies included, it seems) about the sites you have been visiting, and seemingly not just the sites you were visiting at the time FF closed but quite a few sites you visited in your FF session before the crash, plus the headings of threads in forums and more. When the file is deleted it is just deleted to free space, it would appear, meaning that it renders the idea of using CCleaner, or any other privacy tool, to wipe the Firefox cache and cookies etc. somewhat redundant, as Firefox is busy making a secondary backup of all the sites you have visited as well!

 

Fortunately, I've just discovered that the option to allow Firefox to recover from a crash by restoring the last session can be turned off - in about:config - and by doing so, Firefox doesn't create this temporary sessionstore file, thereby enhancing privacy. The fix in about:config is to locate browser.sessionstore.resume_from_crash and to alter the value from True to False. You'll not be able to restore the previous Firefox session after a crash - but nor will Firefox be undermining your privacy by keeping a file on the sites you visit and then dumping this file to the hard drive where it can be recovered.


Every browser I have (6 of them) has a crash recovery feature like Firefox has. Maybe I am missing the point you're trying to make, but how do you expect a browser to give you an option to return to the pages you were viewing when it crashed if it doesn't remember the pages you were looking at? It's a feature, not a flaw IMO.


Perhaps flaw was the wrong word. I was more thinking along the lines that CCleaner and similar programs are there to enhance privacy when Firefox itself has a feature which somewhat undermines it. I agree it's a feature, some people will welcome it, but it has privacy implications that some people would not welcome, but may be unaware of.


That was an interesting read Robbie, thanks for taking the time with that long post.

 

The "restore previous session" feature of Firefox is one I can happily live without, and I'll be following your tip on disabling it. Cheers.

 

 

While you're on this subject, do those of you who use Firefox have that automatic BBC Rss feeder enabled? I hope it's automatic and comes built into Firefox because I've seen it since I loaded FF! I really could do without it as it takes some time to get those headlines. Is it as simple as deleting the "Latest Headlines" icon in the toolbar?



 

All I can tell you is that I don't get that BBC feed thing at all. I can vaguely remember something about it, but I've used FF for so long, I can't even remember binning it.

 

Deleting the "Latest Headlines" sounds familiar.

 

Slightly off topic, but have you any idea where I can download some new memory cells? I seem to be putting a lot of "can't remember's" in my posts recently. :rolleyes:



Seems like it should be this value or at least both: browser.sessionstore.enabled (change to false), however, I won't mess with it until verified by someone.


I've just done some testing and it is the value that I posted that controls whether the sessionstore file is created. Changing the value to False while also displaying the Firefox profile folder in Windows Explorer immediately sees the file vanish; reverting back to True and the file appears again. I checked with MozillaZine and the preference you mention, browser.sessionstore.enabled, has to be enabled (set to True) for the other value, browser.sessionstore.resume_session_once, to function, but from my test, disabling just browser.sessionstore.enabled alone will not prevent the sessionstore file from being created. The other preference must be set to the value False.

 

In the end I've changed the value for both preferences to False.

 

see also

 

http://kb.mozillazine.org/Browser.sessions...sume_from_crash

 

http://kb.mozillazine.org/Browser.sessionstore.enabled

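To make concrete both what Robbie describes recovering from sessionstore.js.moztmp (URLs, page titles such as forum thread headings, and cookies, including pages visited earlier in the session) and the about:config fix tested above, here is an added example in Python. It is not code from this thread or from Mozilla. It assumes that Firefox 2.x wrote sessionstore.js as a JSON object wrapped in parentheses, that the keys are named "entries", "url", "title", "cookies", "host", "name" and "value" (the thread only says the file holds URLs and cookies; those key names are an assumption), and that prefs.js stores settings as user_pref("name", value); lines. Both sample inputs are constructed for the example.

```python
"""Inspect a Firefox 2.x profile for the session-restore artefacts discussed above.

Added example, not code from the thread or from Mozilla. Assumptions: the
session file is a JSON object wrapped in ( ... ), the key names below are the
ones Firefox used, and prefs.js consists of user_pref("name", value); lines.
Both sample inputs are constructed.
"""
import json
import re

# Constructed sample: a sessionstore.js.moztmp as Recuva might recover it.
# Note the second tab's back/forward history ("entries") holds a page that was
# no longer open at crash time, which is what the original post noticed.
SAMPLE_SESSIONSTORE = (
    '({"windows":[{"tabs":['
    '{"entries":[{"url":"http://example.org/forum/thread?id=42",'
    '"title":"Example forum thread heading"}],"index":1},'
    '{"entries":[{"url":"http://example.net/login","title":"Sign in"},'
    '{"url":"http://example.net/inbox","title":"Inbox"}],"index":2}],'
    '"selected":2,'
    '"cookies":[{"host":"example.net","path":"/","name":"SESSID","value":"deadbeef"}]}],'
    '"selectedWindow":1})'
)

# Constructed sample prefs.js: the default state, and the state after the fix
# Robbie describes (both preferences set to False).
PREFS_DEFAULT = 'user_pref("browser.startup.homepage", "about:blank");\n'
PREFS_HARDENED = (
    PREFS_DEFAULT
    + 'user_pref("browser.sessionstore.resume_from_crash", false);\n'
    + 'user_pref("browser.sessionstore.enabled", false);\n'
)


def load_sessionstore(text):
    """Parse sessionstore.js text; strip the ( ... ) wrapper if present (assumed Firefox 2.x layout)."""
    body = text.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    return json.loads(body)


def _walk(node):
    """Yield every (key, value) pair in a nested JSON structure, depth first."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key, value
            yield from _walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def recover_history(text):
    """Return ([(url, title), ...], [(host, name, value), ...]) found anywhere in the file.

    Walking the whole tree instead of a fixed path means every tab's back/forward
    entries are listed, not only the page each tab showed at crash time.
    """
    data = load_sessionstore(text)
    pages, cookies = [], []
    for key, value in _walk(data):
        if key == "entries" and isinstance(value, list):
            for entry in value:
                if isinstance(entry, dict) and "url" in entry:
                    pages.append((entry["url"], entry.get("title", "")))
        elif key == "cookies" and isinstance(value, list):
            for c in value:
                if isinstance(c, dict):
                    cookies.append((c.get("host", ""), c.get("name", ""), c.get("value", "")))
    return pages, cookies


# Matches one user_pref("name", value); line with a boolean, integer or string value.
_PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);\s*$')


def parse_prefs(text):
    """Map preference name -> Python value from user_pref(...) lines; other lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def sessionstore_disabled(prefs_text):
    """True only if browser.sessionstore.resume_from_crash is explicitly false.

    An absent preference means the Firefox default (true), so it counts as enabled.
    This is the preference Robbie's test found to control whether the file exists.
    """
    return parse_prefs(prefs_text).get("browser.sessionstore.resume_from_crash", True) is False


if __name__ == "__main__":
    pages, cookies = recover_history(SAMPLE_SESSIONSTORE)
    for url, title in pages:
        print("visited:", url, "|", title)
    for host, name, _ in cookies:
        print("cookie:", host, name)
    print("default prefs hardened?", sessionstore_disabled(PREFS_DEFAULT))
    print("fixed prefs hardened?", sessionstore_disabled(PREFS_HARDENED))
```

Run against a real profile, `recover_history` takes the text of a recovered sessionstore.js.moztmp and `sessionstore_disabled` the text of prefs.js. The check only reports whether Firefox will write new copies of the file; copies already deleted to free space stay on the disk until overwritten, which is exactly why Recuva could bring them back.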


Thank You!


Windows is a closed system with lots of privacy problems. You've barely touched the surface with this one app. It's in everything - right to the core of NTFS itself and especially the new atomic NTFS in Vista and Longhorn server. Even if you lock down the whole system with full disk encryption like Pointsec you've still got the risk of information leakage onto the WAN/LAN.

 

CCleaner is somewhat extensible to help as a privacy tool (Vista's cleanup utility does not provide secure deletion) but frankly the community here isn't organised enough to do what is required in my view to collaborate on a good winapp2.ini. And CCleaner's inbuilt definitions aren't up to date either. And, the definitions need to be separated between XP and Vista.

 

I wonder what platforms groups like the NSA run? :) There is a reason the NSA released mandatory access control patches for the Linux kernel in SELinux. Frankly again, Linux on the desktop is a PITA for usability.


I agree with you that for a home user with worthless data (family photos, songs, etc.) it is paranoid. For home use, there's no reason for a serious penetration attempt as the data isn't worth anything. If someone wanted to hack me for my bandwidth to use as a zombie there are far easier targets than my home systems on fast broadband. For my work though the data contained is highly valuable, and I guess I'm applying that need unfairly to a home system.

 

But I guess I'm also saying, and saying rationally in my view, that if your data is high value I do not consider the Windows platform to have the necessary architecture and privacy controls to suit. I submit that BSD and specially hardened Linux builds offer a stronger platform for protecting high value data. There's lots of other things needed as well - to give you a real life example, you will find embassies don't use CRTs, they use LCDs, because the technology exists to read the radiation from CRTs and see remotely what the screen has on it with good fidelity.

 

That said, I like Vista and I know it's the most secure desktop OS MS has ever released. It's an easy to use GUI based OS that works on most hardware.
