[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-talk] if browser remembers URLs visited before shutdown even during Never Remember History
Sorry for this (one) top post - just wanted you & any others new to the
Tor Browser & the whole family of software from Tor Project, not to be
You cited a cookie or history issue in Firefox. You expected Firefox
history - accumulated during NON-private browsing, to be automatically
cleared when (I assume) the private browsing session was ended or
Firefox was closed. That may or may not have anything to do with Tor
Firefox in Private Browsing, probably shouldn't pull data from earlier
non-private browsing, but you can just uncheck the options under
Preferences > Privacy & Security to stop any history from popping up in
the address bar. And you can check desired options to delete when
clearing history. TBB deletes all data in that list (if any exists), if
the "clear history" items are checked or not, but the time frame may
need to be "everything." In Firefox, time span needs to be =
Everything, or it may not clear all history.
Unless an equivalent bug was filed in Tor Project's bug system and
accepted, https://trac.torproject.org, and that bug is still "unfixed,"
it's highly unlikely such a Tor Browser bug exists. By design, Tor
Browser doesn't save data to disk across sessions. You can
*intentionally* protect some cookies.
I've used TBB many times NOT in Private Browsing; entered a few cookie
exceptions for sites that I knew required them. The specific sites set
session cookies. In TBB "Clear History" settings, when time frame is =
"Everything," TBB still cleared cookies whether cookies were checked or
unchecked to clear after shutdown. Intentionally protecting individual
cookies, under Tor Button is an entirely different matter.
Most important: in Tor Browser Bundle *(TBB)* - the "browser" part of
the bundle IS absolutely THE Mozilla Firefox browser (TBB uses Firefox
"esr" versions). The Firefox version has been *EXTENSIVELY modified* to
increase anonymity, hide real IP addresses, NOT to give up a lot of data
(like typical browsers often do) that may / can allow web sites /
hackers / and adversaries against privacy, to identify internet users by
several different methods. Tor itself, isn't a web browser. It helps
the browser connect to the Tor network (that's very over simplified).
2) Your comments still sounds like you're trying to use another browser
besides Tor Browser with Tor, to access the Tor Network!
Or just asking if TBB behaves the same as Firefox?
TBB does not behave the same as the standard Firefox, in many ways.
Some links to explain TBB design: Torproject.org_FAQ - Noreply Wiki
<https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ> ; The Design
and Implementation of the Tor Browser [DRAFT]
* Using any other browser than Tor Browser with Tor, hoping to gain the
same anonymity, privacy, reduced fingerprinting as "Tor Browser Bundle"
isn't a good idea, nor recommended. Don't use another browser with Tor,
unless for experimenting or testing, when anonymity isn't a concern.
Countless modifications are made to the "base Firefox" to make "Tor
Browser." It's far easier, with better results to use TBB.
On 09/25/2018 08:33 PM, Nick Levinson wrote:
On Tuesday, September 25, 2018, 2:01:04 AM EDT, Joe
> * * * * *
> Is the claim that Firefox (vs. TorBrowser, based on Firefox esr
version) stores visited URLs in places.sqlite regardless of settings
under > Privacy & Security?
> The subject of this message is confusing. Is it asking the
question, "does browser remember URLs..."?
> Or telling us, "browser does remember URLs..."?
> You said it's years old. I doubt that would've slipped by Tor
Project & all users for years.
> Where is the data claimed to be stored?
> The title sound like, "if Firefox remembers URLs visited before
shutdown, then they won't be deleted, even if that's checked under
Clear > History.
> If I understand you & the subject, the claim is that even when
"Never Remember History" is checked, it is remembering visited URLs
*during* that session, but deletes them when the browser is closed, or
if "Clear History" is used during the session?
> However, if "remember browsing and download history" is checked AND
you DON'T have "Always Use Private Browsing Mode", TBB will > remember
history during the session, but not after shutdown.
> As far as I've ever seen, TBB deletes any history of any type,
whether you have "clear history" settings checked, or not. That's by
> How is it a security leak? During a session, are sites supposedly
able to tell which sites you visited, directly or indirectly?
> There was a bug in Fx many, many yrs ago - where sites could make a
query of some type & determine if sites had been visited. AFAIK, that
was fixed long ago.
> During that period, users couldn't have visited links change colors.
It's about Tor, but I'll explain as if Tor is based on Firefox by
describing the Firefox problem. Suppose it's set to Remember History.
I visit example.com. Firefox remembers the URL. So far, no problem.
Then I change Remember History to Never Remember History. I have no
idea that it's still remembering example.com. Someone inspecting my
computer can see that I visited example.com when I think they can't
see any history. That's a security leak.
One could argue why I'd let anyone inspect my computer. However, Never
Remember History is offered for a reason, probably as protection
against anyone inspecting my computer.
The URLs are definitely stored somewhere. I proved that. Which file
it's in, I don't know. It's stored somewhere available after powering
down and powering up, i.e., through a cold boot. I tried identifying
the exact location but failed. But it's somewhere there. I tested
without networking or a removable (flash) drive
it had to have been stored on my local hard drive.
The complaint for Firefox is years old. It still has not been solved
for Firefox. Thus, unless Tor people monitor most unpatched Firefox
complaints (and there are many and most of them are unimportant), Tor
people could have missed this one. A wontfix or invalid for Firefox
might not be a decision appropriate for Tor.
Users could easily miss it for years. The user interface says Never
Remember History. The meaning is unambiguous. The problem is that the
UI's meaning does not reflect the programming inside Firefox. Most
users would never test the truth of any UI. They would trust the UI.
Therefore, in this case, most users would be misled.
The title was about Tor, albeit inspired by Firefox's problem. Firefox
is definitely storing the URLs. If Tor uses the same design insofar as
relevant, then Tor is also storing the URLs.
Clear History is not the complaint's subject. As far as I know, Clear
History works. However, Never Rememmber History implies that the
history is being cleared just by selecting Never Remember History. If
a user should apply another step, the UI should not make a sweeping
overclaim or else it should explicitly tell the user to take that step.
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to