Opened 5 years ago

Closed 5 years ago

#10569 closed defect (worksforme)

Tor Browser's Private Browsing Mode breaks sites.

Reported by: mttp
Owned by: mikeperry
Priority: Medium
Milestone:
Component: TorBrowserButton
Version:
Severity:
Keywords: tbb-usability-website tbb-helpdesk-frequent
Cc: gk, mcs
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Users are getting frustrated when they can't log in to certain sites. An example is en.mail.qq.com, which says you must have cookies enabled before it rejects your login. Disabling private browsing mode in Torbutton fixes this issue, but not many users know to do that.

Change History (16)

comment:1 Changed 5 years ago by gk

Keywords: tbb-usability added; usability private browsing mode TBB3.5 removed
Summary: changed from "Private Browsing mode breaks sites." to "Tor Browser's Private Browsing Mode breaks sites."

I can reproduce this issue although not with a vanilla Firefox 24 ESR in PBM (and third party cookies disabled). Exciting.

comment:2 Changed 5 years ago by mttp

For users visiting this ticket, you can disable private browsing mode from Torbutton menu -> Preferences -> Security Settings -> untick "Don't record browsing history or website data"

Last edited 5 years ago by mttp

comment:3 Changed 5 years ago by mcs

Cc: mcs added

comment:5 Changed 5 years ago by mikeperry

Keywords: tbb-usability-website added; tbb-usability removed

comment:6 in reply to:  2 Changed 5 years ago by cypherpunks

Replying to mttp:

...you can disable private browsing mode from Torbutton menu-> Preferences -> Security Settings -> untick "Don't record browsing history or website data"

After this, the user should maybe check the regular Firefox: Tools > Options, Privacy tab (but the Privacy tab might be in the menu Edit > Preferences in the Linux version?).
The user may want to change cookies or other checkboxes.
I myself change the 'always use private browsing mode' and cookie settings in the Firefox Privacy tab. I then see that the Torbutton preference in mttp's recommendation has 'automatically' changed.

Last edited 5 years ago by cypherpunks

comment:7 Changed 5 years ago by joebt

"...frustrated when they can't log in to certain sites. An example is en.mail.qq.com"

Another example is https://unseen.is, in the login form at top of page. This page was accessible / readable via TBB last week, but not today (after site upgrades?). NOTE: the site is in ICELAND - country code ".is" - not to be mistaken w/ the word "is."

With the site whitelisted in NoScript & even w/ Private Browsing mode disabled (basically only allowing cookies, or [as a test] also allowing "remember browsing history" - at least while accessing a critical site).

Creating a new Unseen.is email account: Before Unseen.is "upgraded their system" on 3/2/2014, from above URL, with cookies allowed & unseen.is whitelisted in NoScript, it was possible to load the site in TBB 3.5.2 (Win). Data for a new acct could be submitted via TBB & the acct was actually created. But once data was submitted & acct creation was successful, all that appeared afterward in TBB was a blank page w/ "spinning throbber / wheel" - that just sat.

But the acct was created & could be accessed / used, by other browser. It was also impossible to login to the active acct via TBB. Again, it seemed to accept login data, but then displays only blank screen w/ a throbber or "star wheel."

KEY POINT: The problem doesn't seem to be NoScript, javascript or cookie issues.

Even (temporarily) disabling or uninstalling in TBB 3.5.2: NoScript and / or: (Torbutton, HTTPS Everywhere), doesn't allow accessing HTTPS://unseen.is. There are apparently? other settings changes made in TBB causing the problem. It may BE valid action by TBB to preserve anonymity, but it's still a problem.

But...Using regular Fx 27 - Win, with NoScript, (and unseen is whitelisted), HTTPS Everywhere & only session cookies allowed for Unseen.is (no 3rd party), login works normally. As w/ TBB, after submitting login data, the white "loading mask" page w/ throbber appears a few sec., but quickly disappears - allowing access to the acct.

Separate testing with regular Fx 27, using a "special profile" created by the extension "JonDoFox," the same problem arises. Even after the extra* addons installed by JonDoFox extension - for privacy - are disabled or removed. *Extra addons JDF installs are similar to TBB: NoScript, HTTPS Everywhere - plus a couple of others. But JDF makes some similar changes in about:config, or in blocking certain browser data to reduce browser fingerprinting, as do TBB / Torbutton.

So far, I've not identified what common changes* made by TBB / Torbutton and JonDoFox (*that AREN'T directly in NoScript, etc.) - that may be the problem - if any. But the issue seems to point at such common changes, that aren't part of NoScript, HTTPS Everywhere, etc.

"you can disable private browsing mode from Torbutton"

Yes, but that still doesn't allow TBB 3.5.2 Win access to https://unseen.is. AFAIK, regardless of what OTHER TBB privacy settings are changed, the site's still inaccessible.

What may be of troubleshooting help is the domain https://mail.unseen.is/webmail/ IS TBB accessible & login works - at least for me as of 3/3. To login w/ TBB at this URL, only domain unseen.is is whitelisted in NoScript & session cookies for (only) the unseen.is domain are required. So far, several support techs seem unaware of this difference for the 2 URLs.

Note: Seems no trackers on https://mail.unseen.is/webmail/. But, https://unseen.is shows tracker: https://dnn506yrbagrg.cloudfront.net/pages/scripts/0019/2012.js?387188. May / may not be significant to the issue.

Last edited 5 years ago by joebt

comment:8 Changed 5 years ago by lunar

Keywords: tbb-helpdesk-frequent added

comment:9 Changed 5 years ago by gk

After a lot of fiddling I think there is nothing broken with our Private Browsing Mode wrt en.mail.qq.com at least. I successfully logged into it with 3.5.2.1 but it took me a while. The underlying problem seems to be the latency due to slow Tor circuits. Not much we can do here.

comment:10 Changed 5 years ago by gk

While the unseen.is case is interesting it is no failure of our Private Browsing Mode either it seems.
@joebt: Could you file a new bug that is tracking the unseen.is issue?

comment:11 Changed 5 years ago by joebt

"While the unseen.is case is interesting it is no failure of our Private Browsing Mode either it seems."

May not be entirely true. Yes, like lots of sites, you can't login Unseen w/o cookies. But, w/o cookies in TBB, the home page displays blank https://unseen.is. And when it happens, I don't see the msg (from Firefox 24 ESR), saying ~ "can't load page - possibly because cookies are disabled," the way that regular Fx does.

Regular browsers w/o cookies enabled (IIRC) fail to load that page - but cookies aren't usually "permanently disabled" in regular browsers. I'm not suggesting TBB cookies always be enabled by default - just that it be made easier to permit cookies for select sites - but not globally. And if it's decided that cookies definitely shouldn't be enabled (don't know why, but...), then tell users up front.

Another topic for another ticket, but lately I've also seen more sites fail to load or key functions not fully work, due to NoScript. Even if everything from the visited domain is temporarily or permanently allowed. My guess is, sites are getting tired of losing $, from all the privacy enhancing browsers, addons, etc., blocking 3rd parties & other "unkosher" things the sites themselves want to do.

comment:12 Changed 5 years ago by joebt

Adding to comment on Unseen.is & cookies:
Obviously can't login w/o cookies. But UNchecking "don't record browsing history..." in Torbutton, apparently isn't enough to allow even 1st party cookies.

Unchecking that TBB option (for me) doesn't add a check in the Fx ESR Options > Privacy box, "Accept cookies from Sites." Which is good & bad. Unchecking that Torbutton option doesn't allow any & all sites to set cookies, but if that Fx: Options > "allow cookies" box is not also checked, you can't login (possibly not display) sites that require cookies - that I've tried.

So, TBB makes it cumbersome to turn on / off allowing cookies (maybe by design).
But to use TBB to login, it also forces users to allow cookies from ALL sites - at least temporarily.

  • Users are likely to get confused, cranky when allowing cookies for one trusted site takes several steps. Perhaps modify how options changed in Torbutton changes associated Fx options. Or add new Torbutton option(s), marked clearly for what they do.
  • E.G., new Torbutton option to enable (1st party) cookies, that also changes 3rd party cookies option to "Never."
  • Users are likely to forget cookies are enabled (no warning), allowing all sites to set them - not just one trusted site.
  • When allowing cookies, users are likely to forget to change "Allow 3rd party cookies" to "Never."
  • Using a cookie manager extension may make handling cookies a bit easier (or not), but official position is don't use extensions. Good advice, but I find it very cumbersome in TBB to enable cookies for 1 or 2 sites, then disable them again, then re-enable them... w/o using some cookie manager. Yes, it'd be great if all (reputable) sites worked w/o cookies.

comment:13 Changed 5 years ago by lunar

According to a help desk report, http://www.bouyguestelecom.fr/mon-compte/ is affected.

comment:14 in reply to:  13 Changed 5 years ago by gk

Replying to lunar:

According to a help desk report, http://www.bouyguestelecom.fr/mon-compte/ is affected.

What does "affected" mean in this context? So far, I have not found a single hint that our Private Browsing Mode is indeed broken. What tests have been performed in order to put an issue with access to http://www.bouyguestelecom.fr/mon-compte/ here?

comment:15 Changed 5 years ago by lunar

The user told me they were unable to login. They got an error message mentioning a bad cookie. I told them to deactivate Private Browsing Mode and then they were successfully able to login.

I unfortunately don't have credentials for that site.

comment:16 Changed 5 years ago by gk

Resolution: worksforme
Status: changed from new to closed

The original case (en.mail.qq.com) is working for me although due to the timeout not really reliably. Closing this ticket (I am not convinced yet that we have a bug in our PBM) after having opened new ones for all the other cases added to this ticket.
