Firefox 59’s privacy mode plugs leaky referrers

In a small and partly symbolic tweak, the Firefox browser’s Private Browsing Mode is to stop passing websites the data that identifies the last web page a user visited.

Currently, when a user clicks on a link to visit a new website in any leading browser, that site is told the address of the page the visitor is coming from – the referring URL – via the (yes, misspelled) HTTP Referer header.

For example, if you visited Naked Security from our recent post about Intercept X on the Sophos News site, Naked Security would be passed the following:

Referer: https://news.sophos.com/en-us/2018/02/02/intercept-x-the-executives-view/

In some cases the referrer value can reveal a lot about a user’s interests, and it’s not just the web page you’re visiting that gets to see it. These days, many websites embed code from third parties, to perform tasks like web analytics or advertising, and they also get to see the referrer data.

In 2015, a study by Timothy Libert, a doctoral student at the University of Pennsylvania, found that nine out of ten visits to health-related web pages result in data being leaked to third parties like Google, Facebook and Experian.

The most infamous example of leaky Referer headers is probably the US government’s healthcare.gov website (the sign-up system for the US Affordable Care Act), which, thanks to URLs like the one below, could leak whether users were pregnant or a smoker, as well as their age, salary and zip code.

Referer: https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&pregnant=1&zip=85601&state=AZ&income=35000

Using Firefox 59’s privacy mode, that same address will have the path information shorn from the URL, passing only:

Referer: https://www.healthcare.gov/
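To make the trimming concrete, here is an added example (not the article’s or Mozilla’s code) that models how a browser cuts a referring URL down before sending it as a Referer header, run over the healthcare.gov URL above. The policy names FULL, PATH and ORIGIN are this example’s own labels, and the destination URL is a constructed one.

```javascript
// Constructed example: a model of browser-side Referer trimming, not Firefox's
// implementation. POLICY labels are this example's own.
const POLICY = { FULL: 'full', PATH: 'path', ORIGIN: 'origin' };

// Return the Referer value a browser would send, or null to send none.
function buildReferer(referringUrl, destinationUrl, policy) {
  const from = new URL(referringUrl);
  const to = new URL(destinationUrl);

  // Browsers send no referrer from non-HTTP(S) pages, and none from an
  // HTTPS page to a plain-HTTP one (the "no-referrer-when-downgrade" rule).
  if (!/^https?:$/.test(from.protocol)) return null;
  if (from.protocol === 'https:' && to.protocol === 'http:') return null;

  // Credentials and the #fragment are dropped under every policy.
  switch (policy) {
    case POLICY.ORIGIN: return from.origin + '/';             // scheme + host [+ port]
    case POLICY.PATH:   return from.origin + from.pathname;   // drop the query string
    case POLICY.FULL:   return from.origin + from.pathname + from.search;
    default: throw new Error(`unknown policy: ${policy}`);
  }
}

// Check a site operator can run over captured requests: does the header
// still carry anything beyond the bare origin (a path or query string)?
function refererLeaksDetail(refererValue) {
  if (refererValue === null) return false;
  const u = new URL(refererValue);
  return u.pathname !== '/' || u.search !== '';
}

// The article's healthcare.gov URL; the destination is a constructed sample.
const HEALTHCARE = 'https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&pregnant=1&zip=85601&state=AZ&income=35000';
const DEST = 'https://example.com/';

console.log(buildReferer(HEALTHCARE, DEST, POLICY.FULL));    // full URL leaks the query
console.log(buildReferer(HEALTHCARE, DEST, POLICY.ORIGIN));  // https://www.healthcare.gov/
console.log(refererLeaksDetail(buildReferer(HEALTHCARE, DEST, POLICY.ORIGIN))); // false
```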

But here’s the rub. First, Firefox will only remove path information in Private Browsing Mode, not in a normal browsing window.

Second, intriguingly, Firefox users have been able to turn off information about the referring page for more than 15 years, by delving into the browser’s about:config screen (read this document for Mozilla’s explanation of these settings).

Be warned though – turning off referrer data could break some websites.

This still raises the question of why Mozilla has had a burst of enthusiasm for the concept now.

The answer might be that Mozilla had an epiphany regarding privacy, the result of which was November’s Firefox Quantum overhaul. This boasted a range of security and privacy enhancements, which are being added to with every point release.

Removing the referrer path in privacy mode is unlikely to have a major impact on Firefox users’ privacy, but it does remind users that the referrer is a risk they should at least pay attention to.

For years, privacy has been taken for granted, or at least the lack of it accepted as a necessary sacrifice so the web could work for website owners. Countering this philosophy could turn out to be the fuel for Firefox’s second coming.