Slashdot Mirror


Firefox 59 Will Stop Websites Snooping on Where You've Just Been (zdnet.com)

Firefox 59 will reduce how much information websites pass on about visitors in an attempt to improve privacy for users of its private browsing mode. From a report: When you click a link in your browser to navigate to a new site, the site you go on to visit receives the address of the site you came from, via the so-called "referrer value." While this helps websites understand where visitors are coming from, it can also leak data about the individual browsing, because it tells the site the exact page you were looking at when you clicked the link, said Mozilla. Browsers also send a referrer value when requesting other details like ads, or other social media snippets integrated in a modern website, which means these embedded content features also know exactly what page you're visiting.

  1. Change doesn't stop snooping of where you've been by JoeyRox · · Score: 4, Informative

    The headline implies this change will prevent sites from knowing what site you linked from. That's incorrect. From the article:

    To prevent this type of data leakage, from Firefox 59, the private browsing option will remove path information from referrer values sent to third parties, effectively stripping out additional data and only leaving the web domain.

  2. Re:Don't break the referrer by halivar · · Score: 5, Informative

    If you RTFA (I know, I know; I must be new around here), you'll see this is only for Private Mode, and leaves the domain portion intact. You can still see if they loaded from your domain.

  3. Ruining my fun.. by sqorbit · · Score: 3, Funny

    This will ruin my fun of constantly going to pornhub then moving right to the Christian Coalition site to fill their logs up with porn referrals

    --
    Sent from my TARDIS
    1. Re:Ruining my fun.. by StormReaver · · Score: 5, Informative

      Unless Pornhub links to the Christian Coalition, the referrer field will be blank. The "referer" field only gets set when you click on a link. Just typing in the new address on the address bar doesn't do it.

    2. Re:Ruining my fun.. by afidel · · Score: 2

      So you just drop a link to christian coalition in a pronhub comment and click it from there, problem solved =)

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  4. Re:Change doesn't stop snooping of where you've be by Kjella · · Score: 5, Interesting

    Meh, in private browsing mode they really should kill the referrer from any top level page. If it's an <img>, <iframe> or <video> tag it's cool... but if I go from foo.com to bar.com via an <a href> it shouldn't secretly tell bar.com I came from foo.com. Transparency in what information you're exposing is essential to security and most people aren't aware it's happening.

    --
    Live today, because you never know what tomorrow brings
  5. Pangalactic! by jabberw0k · · Score: 2

    You probably meant interstitial, as inter-terrestrial could be somewhat delayed.

  6. Re: Finally by Midnight+Thunder · · Score: 2, Insightful

    Every time I look at a post like this, I wonder when Slashdot will get with the times and support unicode?

    --
    Jumpstart the tartan drive.
  7. Re: Finally by Anonymous Coward · · Score: 2, Interesting

    I'm glad they haven't. There's very little real use for it, and those messed-up comments give useful information for judging clueless commenters.

  8. Firefox's other privacy problems need to be fixed. by Anonymous Coward · · Score: 2, Interesting

    Unlike many people, I've actually read Firefox's privacy policy.

    It turns out that Firefox's privacy policy is quite disturbing, especially when considering how often we're told that Firefox supposedly "cares" about our privacy.

    The Firefox privacy policy dated September 28, 2017 makes it clear that Firefox user data can be collected by Firefox and can be sent to various third parties, including Google, some "Adjust" company, some "Leanplum" company, and SalesForce.

    For example, there are very worrying sections like (emphasis has been added):

    Webpage and technical data to Google’s SafeBrowsing service: To help protect you from malicious downloads, Firefox sends basic information about unrecognized downloads to Google's SafeBrowsing Service, including the filename and the URL it was downloaded from.

    and:

    Location data to Google's geolocation service: Firefox always asks before determining and sharing your location with a requesting website (for example, if a map website needs your location to provide directions). To determine location, Firefox may use your operating system’s geolocation features, Wi-fi networks, cell phone towers, or IP address, and may send this data to Google's geolocation service, which has its own privacy policy.

    and:

    On iOS and Android: Firefox by default sends mobile campaign data to Adjust, our analytics vendor, which has its own privacy policy. Mobile campaign data includes a Google advertising ID, IP address, timestamp, country, language/locale, operating system, and app version.

    and:

    On iOS and Android: Firefox by default sends data about what features you use in Firefox to Leanplum, our mobile marketing vendor, which has its own privacy policy.

    and:

    Your email address is sent to our email vendor, SalesForce Marketing Cloud, which has its own privacy policy.

    Some people will foolishly claim that privacy violations like these are "acceptable" because they can supposedly be "disabled".

    No, they're not acceptable at all!

    Intrusive data collection/transmission like this shouldn't have to be disabled; the code implementing this data collection and transmission shouldn't even exist in the first place! There should be nothing to disable because Firefox should not be able to collect this data, and it should not be able to transmit it anywhere.

    Reading Firefox's privacy policy has made me very distrustful of Firefox and Mozilla, and especially of the people who wrongly claim that Firefox somehow "respects its users' privacy".

  9. Re:Referrer Header by q4Fry · · Score: 5, Informative

    You beat me to the reply. According to the horse itself, this is in fact precisely what they are doing:

    Starting with Firefox 59, Private Browsing will remove path information from referrer values sent to third parties (i.e. technically, setting a Referrer Policy of strict-origin-when-cross-origin).

    I agree that it should be the default, and (I discovered today) you can set it to be in Firefox's about:config by setting network.http.referer.userControlPolicy to 2.
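
Added example, not part of the thread and not Firefox's code: a sketch of how the Referer value is derived under the strict-origin-when-cross-origin policy quoted in the comment above, following the W3C Referrer Policy rules. The function names and the foo.example / bar.example URLs are constructed for illustration, and "potentially trustworthy" is simplified to "scheme is https".

```javascript
// Added example (not Firefox source): Referer value under
// strict-origin-when-cross-origin, per the W3C Referrer Policy rules.
// Assumption: "potentially trustworthy" is simplified to "scheme is https".
function refererFor(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);

  // Only http(s) documents produce a Referer at all.
  if (from.protocol !== 'http:' && from.protocol !== 'https:') return null;

  // Same origin: full URL, minus fragment and any embedded credentials.
  if (from.origin === to.origin) {
    from.hash = '';
    from.username = '';
    from.password = '';
    return from.href;
  }

  // Cross-origin downgrade (https -> http): send nothing.
  if (from.protocol === 'https:' && to.protocol !== 'https:') return null;

  // Any other cross-origin request: origin only, path and query stripped.
  return from.origin + '/';
}

// Constructed sample navigations and subresource loads.
const SAMPLES = [
  ['https://foo.example/clinic/results?id=42#top', 'https://foo.example/help'],
  ['https://foo.example/clinic/results?id=42#top', 'https://bar.example/ad.js'],
  ['https://foo.example/clinic/results?id=42#top', 'http://bar.example/pixel.gif'],
  ['http://foo.example/clinic/results?id=42', 'https://bar.example/'],
];

// One line per sample: what the destination sees in the Referer header.
function describeSamples() {
  return SAMPLES.map(
    ([from, to]) => `${to} <- Referer: ${refererFor(from, to) ?? '(none)'}`
  );
}

console.log(describeSamples().join('\n'));
```

The second sample is the third-party case discussed in this thread: bar.example still learns the visitor came from foo.example, but not the path or query string.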

  10. Re:Firefox's other privacy problems need to be fix by higuita · · Score: 2

    The fact that mozilla tried to really list all the data that it takes and where to send it is good and your post looks scary, but all of those items have reasons:

    > Google’s SafeBrowsing service
    duh! if you want to know if the site/file is in a blacklist, you do need to send it to some place to be checked. It can be disabled, but of course most people want this enabled

    >Location data to Google's geolocation service
    duh again, if you see a pop-up from firefox asking that the site wants to see your location, if you press "allow", your IP is sent to some place to map the IP to a location... you can press "not allow" and you will not share anything

    >On iOS and Android: Firefox by default sends mobile campaign data to Adjust, our analytics vendor
    "Adjust" tracks firefox installs and usage platforms, so firefox can see what works and not works (tables vs cheap phones vs expensive phones, or country, or mobile OS preference)... it is not for tracking what people do online.
    Yes, that "Google advertising ID" is scary, but that's the way tracking in mobile works, especially if related with other marking campaigns... and this is for mozilla data analyzes, not to be shared to google. Think this as a newrelic, but instead of performance and errors, place mozilla campaign Id, so they know what campaign pays the most and where/in what devices

    >On iOS and Android: Firefox by default sends data about what features you use in Firefox to Leanplum, our mobile marketing vendor,
      "Leanplum" looks like it's like Adjust/Newrelic, but for the internal firefox features. probably tells how many people use webgl, pocket, add-ons, movies, audio, so they can understand better how differently people use the mobile vs the desktop ... again, not for tracking you, but to track features usage or lack of usage

    >Your email address is sent to our email vendor, SalesForce Marketing Cloud,
      "SalesForce Marketing Cloud" is their email provider for the marketing and email announcements... so it basically sends email... and yes, any email server will see your email! most companies do not even list this in their "privacy policy"... because it is the way email works! If you disable email notifications, they probably do not even share your email with them.

    All this telemetry is there to help mozilla develop the browser, not to track you. Without it, how they would know if people use many tabs or few tabs? if after releasing a new feature, the memory usage increased everywhere and that they should try to track some leak? if people still use flash and how important it is (ads or the full site in flash). All those "privacy problems" you listed are really needed

    When one reads the privacy policy, one needs to try to understand how and why it is used, not simply cry "wolf" and start spreading FUD

    --
    Higuita