Tor Browser's Private Browsing Mode breaks sites.

Users are getting frustrated when they can't log in to certain sites. An example is en.mail.qq.com, which says you must have cookies enabled before it rejects your login. Disabling private browsing mode in Torbutton fixes this issue, but not many users know to do that.

added component::torbrowserbutton owner::mikeperry priority::medium resolution::worksforme status::closed tbb-helpdesk-frequent tbb-usability-website type::defect labels

I can reproduce this issue although not with a vanilla Firefox 24 ESR in PBM (and third party cookies disabled). Exciting.

Trac:
Summary: Private Browsing mode breaks sites. to Tor Browser's Private Browsing Mode breaks sites.
Keywords: usability, private browsing mode, TBB3.5 deleted, tbb-usability added

For users visiting this ticket, you can disable private browsing mode from Torbutton menu-> Preferences -> Security Settings -> untick "Don't record browsing history or website data"

Trac:
Cc: gk to gk, mcs

https://blog.torproject.org/blog/tor-browser-bundle-35-released?page=1#comment-43008 might be another report.

Trac:
Keywords: tbb-usability deleted, tbb-usability-website added

Replying to mttp:

...you can disable private browsing mode from Torbutton menu-> Preferences -> Security Settings -> untick "Don't record browsing history or website data" After this, user should maybe check the regular Firefox. Tools > Options, Privacy tab. (but Privacy tab might be in menu Edit > Preferences in Linux version?) User may want to change cookies or other checkboxes. I myself change the 'always use private browsing mode' and cookie settings in Firefox Privacy tab. I then see Torbutton preference as in mttp's recommendation have 'automatically' changed.

"...frustrated when they can't log in to certain sites. An example is en.mail.qq.com"

Another example is https://unseen.is, in the login form at top of page. This page was accessible / readable via TBB last week, but not today (after site upgrades?). NOTE: the site is in ICELAND - country code ".is" - not to be mistaken w/ the word "_is_."

With the site whitelisted in NoScript & even w/ Private Browsing mode disabled (basically only allowing cookies, or [as a test] also allowing "remember browsing history" - at least while accessing a critical site).

Creating a new Unseen.is email account: Before Unseen.is "upgraded their system" on 3/2/2014, from above URL, with cookies allowed & unseen.is whitelisted in NoScript, it was possible to load the site in TBB 3.5.2 (Win). Data for a new acct could be submitted via TBB & the acct was actually created. But once data was submitted & acct creation was successful, all that appeared afterward in TBB was a blank page w/ "spinning throbber / wheel" - that just sat.

But the acct was created & could be accessed / used, by other browser. It was also impossible to login to the active acct via TBB. Again, it seemed to accept login data, but then displays only blank screen w/ a throbber or "star wheel."

KEY POINT: The problem doesn't seem to be NoScript, javascript or cookie issues.

Even (temporarily) disabling or uninstalling in TBB 3.5.2: NoScript and / or: (Torbutton, HTTPS Everywhere), doesn't allow accessing HTTPS://unseen.is. There are apparently? other settings changes made in TBB causing the problem. It may BE valid action by TBB to preserve anonymity, but it's still a problem.

But...Using regular Fx 27 - Win, with NoScript, (and unseen is whitelisted), HTTPS Everywhere & only session cookies allowed for Unseen.is (no 3rd party), login works normally. As w/ TBB, after submitting login data, the white "loading mask" page w/ throbber appears a few sec., but quickly disappears - allowing access to the acct.

Separate testing with regular Fx 27, using a "special profile" created by the extension "JonDoFox," the same problem arises. Even after the extra* addons installed by JonDoFox extension - for privacy - are disabled or removed. *Extra addons JDF installs are similar to TBB: NoScript, HTTPS Everywhere - plus couple others. But JDF makes some similar changes about:config, or in blocking certain browser data to reduce browser fingerprinting, as do TBB / Torbutton.

So far, I've not identified what common changes* made by TBB / Torbutton and JonDoFox (*that AREN'T directly in NoScript, etc.) - that may be the problem - if any. But the issue seems to point at such common changes, that aren't part of NoScript, HTTPS Everywhere, etc.

"you can disable private browsing mode from Torbutton"

Yes, but that still doesn't allow TBB 3.5.2 Win access to https://unseen.is. AFAIK, regardless of what OTHER TBB privacy settings are changed, the site's still inaccessible.

What may be of troubleshooting help is the domain https://mail.unseen.is/webmail/ IS TBB accessible & login works - at least for me as of 3/3. To login w/ TBB at this URL, only domain unseen.is is whitelisted in NoScript & session cookies for (only) the unseen.is domain are required. So far, several support techs seem unaware of this difference for the 2 URLs.

Note: Seems no trackers on https://mail.unseen.is/webmail/.But, https://unseen.is. shows tracker:  https://dnn506yrbagrg.cloudfront.net/pages/scripts/0019/2012.js?387188.  May / may not be significant to the issue.

Trac:
Username: joebt

Trac:
Keywords: tbb-usability-website deleted, tbb-usability-website tbb-helpdesk-frequent added

After a lot of fiddling I think there is nothing broken with our Private Browsing Mode wrt to en.mail.qq.com at least. I successfully logged into it with 3.5.2.1 but it took me a while. The underlying problem seems to be the latency due to slow Tor circuits. Not much we can do here.

While the unseen.is case is interesting it is no failure of our Private Browsing Mode either it seems. @joebt: Could you file a new bug that is tracking the unseen.is issue?

//While the unseen.is case is interesting it is no failure of our Private Browsing Mode either it seems.//

May not be entirely true. Yes, like lots of sites, you can't login Unseen w/o cookies. But, w/o cookies in TBB, the home page displays blank https://unseen.is. And when it happens, I don't see the msg (from Firefox 24 ESR), saying ~ "can't load page - possibly because cookies are disabled," the way that regular Fx does.

Regular browsers w/o cookies enabled (IIRC) fail to load that page - but cookies aren't usually "permanently disabled" in regular browsers. I'm not suggesting TBB cookies always be enabled by default - just that it be made easier to permit cookies for select sites - but not globally. And if it's decided that cookies definitely shouldn't be enabled (don't know why, but...), then tell users up front.

Another topic for another ticket, but lately I've also seen more sites fail to load or key functions not fully work, due to NoScript. Even if everything from the visited domain is temporarily or permanently allowed. My guess is, sites are getting tired of losing $, from all the privacy enhancing browsers, addons, etc., blocking 3rd parties & other "unkosher" things the sites themselves want to do.

Trac:
Username: joebt

Adding to comment on Unseen.is & cookies: Obviously can't login w/o cookies. But UNchecking "don't record browsing history..." in Torbutton, apparently isn't enough to allow even 1st party cookies.

Unchecking that TBB option (for me) doesn't add a check in the Fx ESR Options > Privacy box, "Accept cookies from Sites." Which is good & bad. Unchecking that Torbutton option doesn't allow any & all sites to set cookies, but if that Fx: Options > "allow cookies" box is not also checked, you can't login (possibly not display) sites that require cookies - that I've tried.

So, TBB makes it cumbersome to turn on / off allowing cookies (maybe by design). But to use TBB to login, it also forces users to allow cookies from ALL sites - at least temporarily.

• Users are likely to get confused, cranky when allowing cookies for one trusted site takes several steps.  Perhaps modify how options changed in Torbutton changes associated Fx options.  Or add new Torbutton option(s), marked clearly for what they do.
• E.G., new Torbutton option to enable (1st party) cookies, that also changes 3rd party cookies option to "Never."
• Users are likely to forget cookies are enabled (no warning), allowing all sites to set them - not just one trusted site.
• When allowing cookies, users are likely to forget to change "Allow 3rd party cookies" to "Never."
• Using a cookie manager extension may make handling cookies a bit easier (or not), but official position is don't use extensions. Good advice, but I find it very cumbersome in TBB to enable cookies for 1 or 2 sites, then disable them again, then re-enable them... w/o using some cookie manager. Yes, it'd be great if all (reputable) sites worked w/o cookies.

Trac:
Username: joebt

According to an help desk report, http://www.bouyguestelecom.fr/mon-compte/ is affected.

Replying to lunar:

According to an help desk report, http://www.bouyguestelecom.fr/mon-compte/ is affected.

What does "affected" mean in this context? So far, I have not found a single hint that our Private Browsing Mode is indeed broken. What tests have been performed in order to put an issue with access to http://www.bouyguestelecom.fr/mon-compte/ here?

The user told me they were unable to login. They got an error message mentioning a bad cookie. I told them to deactivate Private Browsing Mode and then they were successfully able to login.

I unfortunately don't have credentials for that site.

The original case (en.mail.qq.com) is working for me although due to the timeout not really reliably. Closing this ticket (I am not convinced yet that we have a bug in our PBM) after having opened new ones for all the other cases added to this ticket.

Trac:
Status: new to closed
Resolution: N/A to worksforme

closed

mentioned in issue #10586 (moved)

mentioned in issue #10719 (closed)