W3C home > Mailing lists > Public > www-archive@w3.org > July 2011

Firefox 5 betrays my browsing history

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Sat, 23 Jul 2011 20:40:40 +0200
To: www-archive@w3.org
Message-ID: <hs2m27p31o7853qqu04np12rhaapmldgfl@hive.bjoern.hoehrmann.de>
Hi,

  Long ago I developed the habit to have fairly clear idea how files are
organized on my computer, what their contents is, the formats used, for
any number of reasons really (if you play a game and find you need more
money, you need to know where the game keeps the savegame files, where
in the file the money value is stored and how and if there are checksums
you have to adapt alongside the money value).

So I tend to spend good bit of time in my file manager and have a look
at file contents and so I regularily stumble on little issues like this:
running low on drive space I figured I should check which recent crashes
left residual data that shouldn't be there, and so I happend to come a-
cross the Firefox user data folder which took up a lot more space than
it should, considering I've configured it to delete everything on exit,
and the last exit was a clean one.

Turns out `places.sqlite` and `places.sqlite-wal` were the biggest files
there, and so I checked what's in them and they are full of URLs. Many
of them from the BBC, which I figure Firefox added without my consent as
some sort of default, but there were also URLs to my own web sites there
that clearly wouldn't ship as any kind of default.

So, I started Firefox, and checked the configuration, and indeed, it is
configured, and as an aside, this took a lot effort, I spend a long time
the other day trying to locate where to configure my cookie settings but
I could not find them without resorting to a web search because they are
hidden behind some meta-configuration, and indeed I set it to "Clear
history when Firefox closes" and the details there include history.

So, little experiment, close Firefox, pick some URL that does not appear
in either of the two files, launch Firefox, visit that site, check how
the files change (they then included the site), close the tab (that does
not remove them), close Firefox (that seems to remove it from one but
not the other), launch Firefox again (that does not remove the address),
and then visit a different. Only at that last point was the history re-
moved (closing Firefox again without visiting another site also seems to
remove the entries, for some value of "remove", who knows whether this's
any kind of secure deletion).

So, lesson learned, "Clear history when Firefox closes" does not lead to
Firefox clearing the history when it closes. My wild guess would be that
Mozilla switched to using http://www.sqlite.org/draft/wal.html without
auditing (or in fact using) that feature properly (it seems clear that
the minimal expectation with respect to the setting is that you can not
just snoop around the file system without any undeletion tools and re-
cover the history in whole or in part, as it has been "cleared").

Oh well, back to enjoying WebGL demos in Firefox. I love those, you load
the HTML file, and then the computer locks up, the screen goes dark, and
after a while you get the screen back with notice that the graphics sub-
system crashed and you get to wonder whether you are really sure you got
a legitimate demo there, or you've got new malware now...

regards,
-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/ 
Received on Saturday, 23 July 2011 18:40:50 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 7 November 2012 14:18:37 GMT