Opened 4 years ago

Last modified 5 months ago

#18382 reopened enhancement

Tor Browser should offer an option to clear history in PBM

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-torbutton
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

By default, TBB uses private browsing mode. Cookies and other state (e.g. cache) are retained until the browser is restarted. There is neither an option to view the cookies nor to clear the history.

If the browser is left running for a long time, a lot of history can be linked.

TBB should offer an option to clear history in private browsing mode and/or clear all history associated with an URL bar domain when it is closed.

Child Tickets

Change History (14)

comment:1 in reply to:  description ; Changed 4 years ago by cypherpunks

Resolution: duplicate
Severity: MajorNormal
Status: newclosed

Replying to cypherpunks:

By default, TBB uses private browsing mode. Cookies and other state (e.g. cache) are retained until the browser is restarted.

There is neither an option to view the cookies nor to clear the history.

This is #10353 and is a Firefox bug. See for example:

If the browser is left running for a long time, a lot of history can be linked.

TBB should offer an option to clear history in private browsing mode and/or clear all history associated with an URL bar domain when it is closed.

This feature is called "New identity" in Torbutton.

Closing as duplicate. Please reopen and clarify if you think otherwise.

comment:2 in reply to:  1 Changed 4 years ago by cypherpunks

Replying to cypherpunks:

Replying to cypherpunks:

By default, TBB uses private browsing mode. Cookies and other state (e.g. cache) are retained until the browser is restarted.

There is neither an option to view the cookies nor to clear the history.

This is #10353 and is a Firefox bug. See for example:

Those tickets are not about clearing the history.

TBB should offer an option to clear history in private browsing mode and/or clear all history associated with an URL bar domain when it is closed.

This feature is called "New identity" in Torbutton.

No it's not. "New identity" is a browser restart and loses all open tabs/windows.

comment:3 Changed 4 years ago by cypherpunks

Resolution: duplicate
Status: closedreopened

comment:4 Changed 4 years ago by cypherpunks

No it's not. "New identity" is a browser restart and loses all open tabs/windows.

The list of open tabs is the state which can be detected, right?

comment:5 in reply to:  4 Changed 4 years ago by cypherpunks

Replying to cypherpunks:

No it's not. "New identity" is a browser restart and loses all open tabs/windows.

The list of open tabs is the state which can be detected, right?

That shouldn't be possible.

Let's say you perform a Google search, Google will set a cookie. You close close all Google tabs. Later on, you perform another search. The tab for that new search will have access to the initial cookies and browser cache (the cache can be abused as cookie), since it doesn't get cleared if the browser isn't restarted.

So Google can link all your searches while you leave the browser running.

comment:6 Changed 4 years ago by cypherpunks

I find no value in your feature request. There are many more linkability/fingerprinting vectors than history, cookies and cache. If you think google/nsa/etc won't be able to link you if you clear just these, you are wrong.

I recommend you read Tor browser design document. It's outdated in some areas but should illustrate the point nicely.
https://www.torproject.org/projects/torbrowser/design/

"New identity" is a browser restart and loses all open tabs/windows.

New Identity is not a restart. The window is closed and re-opened, but the browser does not restart.

Unless you're fond of security theater I believe you should just improve your browsing habits and simply use New Identity (or perhaps more than one Tor Browser). Yeah it's a pain to lose currently open tabs, but really that just shows that you're not properly compartmentalizing your browsing into segregated identities.

Yours is a convenience issue, not a security one, and has been raised long ago and eventually dismissed: #10400.
Here's another somewhat related ticket: #17594.

I would close this as invalid or wontfix.

comment:7 in reply to:  6 ; Changed 4 years ago by cypherpunks

Replying to cypherpunks:

Yours is a convenience issue, not a security one, and has been raised long ago and eventually dismissed: #10400.
Here's another somewhat related ticket: #17594.

No, this ticket is the opposite. Those tickets above are about preserving session state across restarts and potentially allowing users to shoot themselves in the foot.

This ticket is about minimizing session state (purging it as soon as possible). Many users won't expect that the session state is kept behind their backs - the cookies in private browsing mode are invisible to the UI.

When all tabs related to an URL bar domain are closed, a reasonable user expectation is that that particular session is closed and that a new tab will start from a clean slate.

Unless you're fond of security theater

This is not security theater. This is about breaking up browser sessions into smaller pieces that are harder to correlate.

comment:8 in reply to:  7 ; Changed 4 years ago by cypherpunks

Replying to cypherpunks:

Replying to cypherpunks:

Yours is a convenience issue, not a security one, and has been raised long ago and eventually dismissed: #10400.
Here's another somewhat related ticket: #17594.

No, this ticket is the opposite. Those tickets above are about preserving session state across restarts and potentially allowing users to shoot themselves in the foot.

This ticket is about minimizing session state (purging it as soon as possible).

Alright, good point. But you see why I mention them, don't you? New Identity was offered as a solution above and you rejected it because "loses all open tabs/windows". Maybe I read too much into it but you surely see the relation.

Many users won't expect that the session state is kept behind their backs - the cookies in private browsing mode are invisible to the UI.

Users knowledgeable enough to go looking for cookies, like you and me, would indeed be surprised that they are "hidden". This has been answered above as well: it's a Firefox bug, and tickets were already opened.

When all tabs related to an URL bar domain are closed, a reasonable user expectation is that that particular session is closed and that a new tab will start from a clean slate.

This sounds neat. However, reasonable expectation? What other web browser ever did this? I can't think of any. What makes you think that users would expect such behavior? Not to mention the amount of breakage doing this would result in.

Unless you're fond of security theater

This is not security theater. This is about breaking up browser sessions into smaller pieces that are harder to correlate.

I sympathize with your intention here. This sounds good. But you said nothing about the very important point I raised about the ineffectiveness of just focusing on history, cookies and cache. If Tor Browser were to clear those while leaving the rest of the state in place, the result is that correlation has only been made harder for some of the less resourceful adversaries. This would only lead to an unwarranted sense of security. Hence why I would call it security theater.

(Edit: typos)

Last edited 4 years ago by cypherpunks (previous) (diff)

comment:9 in reply to:  8 ; Changed 4 years ago by cypherpunks

Replying to cypherpunks:

Replying to cypherpunks:

When all tabs related to an URL bar domain are closed, a reasonable user expectation is that that particular session is closed and that a new tab will start from a clean slate.

This sounds neat. However, reasonable expectation? What other web browser ever did this? I can't think of any. What makes you think that users would expect such behavior?

Private browsing claims not to save history (yet it does in volatile memory).

Tor browser before using private browsing was better behaved, it did allow users to clear the history while blocking disk access.

Not to mention the amount of breakage doing this would result in.

What breakage? Active cookies / logins will obviously be cleared. Beyond that nothing should break.

Unless you're fond of security theater

This is not security theater. This is about breaking up browser sessions into smaller pieces that are harder to correlate.

I sympathize with your intention here. This sounds good. But you said nothing about the very important point I raised about the ineffectiveness of just focusing on history, cookies and cache. If Tor Browser were to clear those while leaving the rest of the state in place, the result is that correlation has only been made harder for some of the less resourceful adversaries. This would only lead to an unwarranted sense of security. Hence why I would call it security theater.

The intent of this ticket is to do exactly the same as new identity for closed URL bar domains (open ones can obviously hang onto state, even if things like cookies are cleared). What correlation can be done if all session state associated with an URL bar domain is properly cleared when it is closed? What is that rest of the state you are talking about?

Window size is a sticky point, but there are open tickets for that.

Last edited 4 years ago by cypherpunks (previous) (diff)

comment:10 in reply to:  9 Changed 4 years ago by cypherpunks

Replying to cypherpunks:

Replying to cypherpunks:

Not to mention the amount of breakage doing this would result in.

What breakage? Active cookies / logins will obviously be cleared. Beyond that nothing should break.

Logins is the prime example.

I believe I already addressed all your other points and questions, and since I have nothing else to add, I'm leaving it at that.

comment:11 in reply to:  6 Changed 4 years ago by cypherpunks

(I'm another anon, not OP)

Replying to cypherpunks:

Yeah it's a pain to lose currently open tabs, but really that just shows that you're not properly compartmentalizing your browsing into segregated identities.

Some of us use Tor Browser as our sole browser. We shouldn't need to have to start another browser session and lose all my tabs just to do a search query that we don't want associated with previous queries on that site.

I shouldn't need to play spy and think about compartmentalization to avoid linking my search queries!

I currently use Tor Button's "protected cookies" feature to "protect" login cookies on a few sites, and then occasionally I use its "Remove all but protected" button to manually clear my other cookies. But, this is horrible, because it doesn't clear the cache etc!

I do know how to run multiple instances of Tor Browser, and how to use Tails, and I'll do that if i want to read Vafcver Zntnmvar or learn about secret ebg13 pelcgbtencul or whatever... but I still do my everyday reddit/Twitter/etc browsing in long-lived Tor Browser sessions, so, I would very much like to be able to purge state for all but a few domains the way I think this ticket is requesting.

Pls can haz kthx bye!

comment:12 Changed 3 years ago by gk

Keywords: tbb-torbutton added
Summary: Private browsing retains stateTor Browser should offer an option to clear history in PBM
Type: defectenhancement

comment:13 Changed 3 years ago by bugzilla

Users ask you for an option to clear "history" on a per-site basis.
And, yep, TBB has an option to clear history in PBM ;)

comment:14 Changed 5 months ago by marthasimons

Thanks for fixed this
--
#18382 https://goo.gl/LhppLn

Note: See TracTickets for help on using tickets.