Anatomy of a bug: latest Firefox 'new tab' feature thumbnails HTTPS pages

Filed Under: Data loss, Featured, Firefox, Vulnerability

About a week ago, popular IT news site The Register announced a security hole in Firefox.

Under the headline Firefox 'new tab' feature exposes users' secured info: Fix promised, El Reg decried the most recent Firefox release as "unlucky version 13".

The story ended up pretty widely reported, and Mozilla has publicly promised a fix.

But is this really a bug? If so, is it serious?

Even more importantly, do any of the workarounds popping up online actually do what they claim?

We decided to investigate - which took a lot more fiddling, digging and experimentation than you might think. (Unless you're a software tester. If so, you already know how explosively configuration options combine.)

Example of a New Tab page with images thumbnailed during earlier browsing

The controversial feature is Firefox 13's updated 'new tab' system. This takes thumbnail snapshots of sites you visit, and replays them later when you use the New Tab window.

The thing which outraged Register reader Chris, and led to all the news coverage, is that the thumbnails include images of content accessed over HTTPS, such as banking transactions and webmail sessions.

That much is true.

I opened a series of HTTPS pages looking like this:

Then I exited Firefox and reloaded it.

At this point, the New Tab page did indeed clearly reveal the content of my earlier secure browsing:

In hindsight, this is a bad idea, given Firefox's default privacy settings. I'm glad Mozilla has committed to change it.

If you permit Firefox to retain cached information from day to day in this form, anyone with even momentary access to your browser in the future can hit Ctrl-T or Command-T, and may immediately get a look at personal information you wouldn't expect to have been be preserved.

Nevertheless, HTTPS doesn't promise encryption at all times. The S-for-secure component applies only during the HTTP part of the transaction - the data transfer. It's worth keeping that in mind.

Whatever is inside an HTTPS request, and inside its corresponding reply, must exist in unencrypted form at each end of the conversation in order to be of any use.

That means both your browser and the server you're talking to may - indeed, probably will - end up with a permanent record of the transaction's content, even though it was encrypted during transmission.

In fact, that's exactly what happens in Firefox, version 13's New Tab thumbnails notwithstanding.

Even if you turn off the thumbnail display (clicking the matrix icon on the New Tab screen will do that for you), the contents of your HTTPS pages may very well end up in the Firefox cache anyway.

(When a web page is sent to your browser, whether securely transmitted or not, the server gets to say if and how it should be cached. The server does this by setting an Expires: or a Cache-Control: header in the HTTP reply.)

In my HTTPS experiments, turning off the thumbnails didn't do anything about Firefox's cache.

Here's what I saw after clearing all history and repeating my tests with thumbnail display turned off. I examined the cache with the special about:cache URL:

Zooming in to the seven files listed as cached shows three of the URLs duplicated - the HTTPS pages I visited in the test.

The objects denoted No expiration time are the thumbnail images; their partners are the original, decrypted, HTTP replies:

Zooming in to any of the files in the list brings up the complete HTTP header and body data in the reply:

So the new-found data leakage due to the thumbnails is a bit of a red herring.

The information from which Firefox 13 builds its thumbnails has been there all along in previous Firefox versions.

The cache isn't quite as easy to get to as the New Tab window, but it can still be accessed directly from your browser. Also, of course, it contains not just highly-compressed snapshots of your web pages at specific instants, but an exact history of all their components.

Your best bet for getting rid of cached content - which, as we have seen, includes the very thumbnails that got Register reader Chris worried in the first place - is to use Firefox's existing privacy features to purge old browsing data promptly.

Keeping a detailed record of your browsing history and maintaining it between sessions is convenient, but insecure.

A little inconvenience goes a long way towards improving security, which is why I recommend a Firefox privacy configuration similar to this:

I also recommend that you use the Clear Recent History... command as a matter of routine whenever you finish an online transaction involving personally identifiable imformation.

You'll find the history-clearing dialog in the Tools menu.

Finally, as I promised earlier, what about the "thumbnail bug" workarounds you'll find online?

You may be tempted to use a workaround until Mozilla adapts the behaviour of its 'new tab' system to exclude HTTPS pages.

For example, you may have read about the browser.newtabpage.enabled option you can change in about:config.

I've also read that you ought to change the other two newtab-related settings you can see here, too:

Bad news. This isn't actually a workaround at all. It feels like one, because the thumbnails no longer appear if you tweak the settings above.

But the thumbnails are still collected, are still held in the cache, and are still accessible by visiting about:newtab and clicking the matrix icon.

In conclusion, if this whole issue really is a bug, it's more of bug in our attitude to retaining browser data between sessions than a bug in the Firefox code.

Even when Mozilla "fixes" any thumbnail concerns you might have, I'll still be advising you to get much more aggressive about how often and how thoroughly you clear out your browser history...


-

, , , , , , , ,

You might like

11 Responses to Anatomy of a bug: latest Firefox 'new tab' feature thumbnails HTTPS pages

  1. Otiel · 790 days ago

    Clear all history when the browser closes should be enabled by default.

  2. bsdbigot · 789 days ago

    navigate to about:config
    set browser.newtab.url value to about:blank
    problem solved

    • Paul Ducklin · 789 days ago

      No! Problem NOT solved! Please read the article through to the end :-)

      Below the image in which I show a screenshot of that very option (the last image in the article) you can see what I found when I tried your workaround.

      "...Bad news. This isn't actually a workaround at all. It feels like one, because the thumbnails no longer appear if you tweak [the newtab settings in about:config].

      But the thumbnails are still collected, are still held in the cache, and are still accessible by visiting about:newtab and clicking the matrix icon..."

      Changing the URL which pops up when you hit Ctrl-T/Command-T simply changes what the New Tab option displays when it opens.

      Just because you can't see them doesn't mean the thumbnails aren't still there.They *are*, and you can view them by navigating to about:newtab. Or, for that matter, by navigating to about:cache and drilling down.

  3. Mike · 789 days ago

    I agree with Otiel. I have had my Firefox browser set up this way since day one and have not had a problem. I believe the real problem is a lot of people jump right in without reading instruction beforehand.

  4. MikeP · 789 days ago

    I suggest people use the add-on 'Clear Cache Button', available free. One press and it's gone!

    I also suggest people look at using 'My Homepage', again it's free, as that will make FF load your selected homepage every time, so the cached contents do not appear accidentally.

  5. Topiary · 789 days ago

    I use private browsing by default, enable private browsing from the privacy tab

  6. Bodgel · 789 days ago

    Do none of the browsers offer an option to simply (automatically) remember the URLs visited, without storing any of the data downloaded from them?

    It's useful to be able to go and find a site you came across a couple of days or weeks ago without having to save everything in Favourites just in case. And there's no value in caching a great bunch of data - it will only take as long to load the second time as the first. Make it a site-specific option if you want to fill your disc with little PNGs.

    There are potential security issues in the URLs alone of course - but then there should be options for the paranoid like stripping off the parameters, or remembering only the domain name. The domain name alone would be all you need in most cases - a small site will be easy to browse around and a big one will have search facilities.

  7. Guest · 789 days ago

    Do ANY of these cache clearing methods actually do a Secure Wipe of the cache? Or is it still on the Hard Drive. A DOD wipe would be a good feature. I use CCleaner before I close down for the night - I'm guessing that this does a good job, as it is set to do a DOD wipe.

  8. Internaut · 789 days ago

    Well .. there is always something amiss with most anything. I'm surprised FireFox let this one out.

    From here on in, I treat FireFox updates as I would Internet Exploder updates like a retired doctor treats any question about health - with disdain.

    The only 'bug' in any browser, is the obnoxious in-your-face "upgrade now" or "remind me later". The other option I'd like to see is "leave me alone - I'll wait until the public is done beta testing the new roll-out version".

  9. Robert Wurzburg · 789 days ago

    I've been advocating and advising everyone to completely clean their Internet Explorer
    after every website they visit, before moving on to the next one, for the same reasons.

    You NEVER should be saving encrypted pages to disk either, where they can be later
    accessed in unencrypted form using your web browser and displayed or transmitted
    to another remote location.

    I was shocked at the amount of information in the cache encrypted and unencrypted
    that is stored by default. This can be accessed at any time, and needs to be cleared
    after logging out of every website you visit, whether you sign in or not. I go a step fur-
    ther and clean up my browser, everything, after signing in.

    Cleaning up your browser after each website visit is a "best practice" NOT paranoid
    behavior. Trust me it really is necessary to provide you with another layer of security
    while using the Internet. Even cleaning up after you sign in will prevent a hacker from
    getting your credentials while on the website, or the login hash that can be copied to
    initiate a session masquerading as you.

  10. Spyder · 788 days ago

    Is anyone concerned about browsing privacy on Safari?

    Regardless of one's effort to utilize, "Best Practices", Safari 5.1.7 keeps a record of your browsing history anyway!

    Even after automatically (or manually) clearing cache and history, one only has to navigate to:
    1. User>Library>Caches>com.apple.safari>Webpage Previews
    &
    2. User>Library>Caches>Metadata>Safari>History

    to find that there still remains a record of one's browsing exploits (although, some earlier versions of Safari don't seem to keep these records when cache and history are cleared).

    Perhaps it's not as visible as FF's Thumbnails, but it's as revealing, if someone gains access to your computer!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog