Re: [tor-bugs] #18382 [Tor Browser]: Private browsing retains state
#18382: Private browsing retains state
-------------------------+--------------------------
Reporter: cypherpunks | Owner: tbb-team
Type: defect | Status: reopened
Priority: Medium | Milestone:
Component: Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Sponsor: |
-------------------------+--------------------------
Comment (by cypherpunks):
Replying to [comment:8 cypherpunks]:
> Replying to [comment:7 cypherpunks]:
> > When all tabs related to a URL bar domain are closed, a reasonable
> > user expectation is that that particular session is closed and that a new
> > tab will start from a clean slate.
> This sounds neat. However, reasonable expectation? What other web
> browser ever did this? I can't think of any. What makes you think that
> users would expect such behavior?
Private browsing claims not to save history (yet it does in volatile
memory).
Tor Browser before using private browsing was better behaved; it did allow
users to clear the history while blocking disk access.
> Not to mention the amount of breakage doing this would result in.
What breakage? Active cookies / logins will obviously be cleared. Beyond
that nothing should break.
> > > Unless you're fond of security theater
> >
> > This is not security theater. This is about breaking up browser
> > sessions into smaller pieces that are harder to correlate.
> I sympathize with your intention here. This sounds good. But you said
> nothing about the very important point I raised about the ineffectiveness
> of just focusing on history, cookies and cache. If Tor Browser were to
> clear those while leaving the rest of the state in place, the result is
> that correlation has only been made harder for some of the less
> resourceful adversaries. This would only lead to an unwarranted sense of
> security. Hence why I would call it security theater.
The intent of this ticket is to do exactly the same as new identity, but
on a URL bar domain granularity. What correlation can be done if all
session state associated with a URL bar domain is properly cleared when
it is closed? What is that rest of the state you are talking about?
Window size is a sticky point, but there are open tickets for that.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18382#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online