Anatomy of a bug: latest Firefox ‘new tab’ feature thumbnails HTTPS pages

About a week ago, popular IT news site The Register announced a security hole in Firefox.

Under the headline Firefox ‘new tab’ feature exposes users’ secured info: Fix promised, El Reg decried the most recent Firefox release as “unlucky version 13”.

The story ended up pretty widely reported, and Mozilla has publicly promised a fix.

But is this really a bug? If so, is it serious?

Even more importantly, do any of the workarounds popping up online actually do what they claim?

We decided to investigate – which took a lot more fiddling, digging and experimentation than you might think. (Unless you’re a software tester. If so, you already know how explosively configuration options combine.)

Example of a New Tab page with images thumbnailed during earlier browsing

The controversial feature is Firefox 13’s updated ‘new tab’ system. This takes thumbnail snapshots of sites you visit, and replays them later when you use the New Tab window.

The thing which outraged Register reader Chris, and led to all the news coverage, is that the thumbnails include images of content accessed over HTTPS, such as banking transactions and webmail sessions.

That much is true.

I opened a series of HTTPS pages looking like this:

Then I exited Firefox and reloaded it.

At this point, the New Tab page did indeed clearly reveal the content of my earlier secure browsing:

In hindsight, this is a bad idea, given Firefox’s default privacy settings. I’m glad Mozilla has committed to change it.

If you permit Firefox to retain cached information from day to day in this form, anyone with even momentary access to your browser in the future can hit Ctrl-T or Command-T, and may immediately get a look at personal information you wouldn’t expect to have been be preserved.

Nevertheless, HTTPS doesn’t promise encryption at all times. The S-for-secure component applies only during the HTTP part of the transaction – the data transfer. It’s worth keeping that in mind.

Whatever is inside an HTTPS request, and inside its corresponding reply, must exist in unencrypted form at each end of the conversation in order to be of any use.

That means both your browser and the server you’re talking to may – indeed, probably will – end up with a permanent record of the transaction’s content, even though it was encrypted during transmission.

In fact, that’s exactly what happens in Firefox, version 13’s New Tab thumbnails notwithstanding.

Even if you turn off the thumbnail display (clicking the matrix icon on the New Tab screen will do that for you), the contents of your HTTPS pages may very well end up in the Firefox cache anyway.

(When a web page is sent to your browser, whether securely transmitted or not, the server gets to say if and how it should be cached. The server does this by setting an Expires: or a Cache-Control: header in the HTTP reply.)

In my HTTPS experiments, turning off the thumbnails didn’t do anything about Firefox’s cache.

Here’s what I saw after clearing all history and repeating my tests with thumbnail display turned off. I examined the cache with the special about:cache URL:

Zooming in to the seven files listed as cached shows three of the URLs duplicated – the HTTPS pages I visited in the test.

The objects denoted No expiration time are the thumbnail images; their partners are the original, decrypted, HTTP replies:

Zooming in to any of the files in the list brings up the complete HTTP header and body data in the reply:

So the new-found data leakage due to the thumbnails is a bit of a red herring.

The information from which Firefox 13 builds its thumbnails has been there all along in previous Firefox versions.

The cache isn’t quite as easy to get to as the New Tab window, but it can still be accessed directly from your browser. Also, of course, it contains not just highly-compressed snapshots of your web pages at specific instants, but an exact history of all their components.

Your best bet for getting rid of cached content – which, as we have seen, includes the very thumbnails that got Register reader Chris worried in the first place – is to use Firefox’s existing privacy features to purge old browsing data promptly.

Keeping a detailed record of your browsing history and maintaining it between sessions is convenient, but insecure.

A little inconvenience goes a long way towards improving security, which is why I recommend a Firefox privacy configuration similar to this:

I also recommend that you use the Clear Recent History... command as a matter of routine whenever you finish an online transaction involving personally identifiable imformation.

You’ll find the history-clearing dialog in the Tools menu.

Finally, as I promised earlier, what about the “thumbnail bug” workarounds you’ll find online?

You may be tempted to use a workaround until Mozilla adapts the behaviour of its ‘new tab’ system to exclude HTTPS pages.

For example, you may have read about the browser.newtabpage.enabled option you can change in about:config.

I’ve also read that you ought to change the other two newtab-related settings you can see here, too:

Bad news. This isn’t actually a workaround at all. It feels like one, because the thumbnails no longer appear if you tweak the settings above.

But the thumbnails are still collected, are still held in the cache, and are still accessible by visiting about:newtab and clicking the matrix icon.

In conclusion, if this whole issue really is a bug, it’s more of bug in our attitude to retaining browser data between sessions than a bug in the Firefox code.

Even when Mozilla “fixes” any thumbnail concerns you might have, I’ll still be advising you to get much more aggressive about how often and how thoroughly you clear out your browser history…