[tor-talk] if browser remembers URLs visited before shutdown even during Never Remember History

[Joe]

In general, Tor Browser doesn't write any history to disk - by design.  
If you look in about:config at settings whether to use disk cache, it 
should be set to false.
browser.cache.disk.enable;false
If you have enough RAM, you can do the same in regular Firefox. Allow 
enough memory to handle browsing. 
browser.cache.memory.max_entry_size;512000  or 1000000.

RAM's a whole lot faster than a disk - even SSDs.

There have been many problems through the yrs on not deleting cache, 
cookies, history - you name it - the way it was supposed to.
I set the clear history UI to clear everything but site preferences 
(cookie exceptions).

Mozilla has changed the Privacy & Security area even more in v63, so I 
wouldn't be surprised if there are more bugs.

I used to use addons to clear cache, history, because Fx didn't do it 
completely.  Maybe 3 letter agencies are demanding (or paying) that 
history not be cleared as advertised. There have always been privacy (& 
security) issues w/ all browsers that dragged on forever.  As far as we 
know, it's still no where near as bad as IE of old, where they hid at 
least one history file, as a system, hidden file(s).  But you couldn't 
search & find it - no matter what.  You had to KNOW the exact, long path 
to the file & enter that before you could delete it.

Ol' Bill's a big philanthropist now. n!m





On 9/25/18 8:33 PM, Nick Levinson wrote:
> On Tuesday, September 25, 2018, 2:01:04 AM EDT, Joe 
> <joebtfsplk at gmx.com> wrote:
> > * * * * *
> > Is the claim that Firefox (vs. TorBrowser, based on Firefox esr 
> version) stores visited URLs in places.sqlite regardless of settings 
> under > Privacy & Security?
> > The subject of this message is confusing.  Is it asking the 
> question, "does browser remember URLs..."?
> > Or telling us, "browser does remember URLs..."?
> >
> > You said it's years old.  I doubt that would've slipped by Tor 
> Project & all users for years.
> > Where is the data claimed to be stored?
> >
> > The title sound like, "if Firefox remembers URLs visited before 
> shutdown, then they won't be deleted, even if that's checked under 
> Clear > History.
> > If I understand you & the subject, the claim is that even when 
> "Never Remember History" is checked, it is remembering visited URLs 
> *during* that session, but deletes them when the browser is closed, or 
> if "Clear History" is used during the session?
> >
> > However, if "remember browsing and download history" is checked AND 
> you DON'T have "Always Use Private Browsing Mode", TBB will > remember 
> history during the session, but not after shutdown.
> >
> > As far as I've ever seen, TBB deletes any history of any type, 
> whether you have "clear history" settings checked, or not.  That's by 
> design.
> >
> > How is it a security leak?  During a session, are sites supposedly 
> able to tell which sites you visited, directly or indirectly?
> >
> > There was a bug in Fx many, many yrs ago - where sites could make a 
> query of some type & determine if sites had been visited.  AFAIK, that 
> was fixed long ago.
> > During that period, users couldn't have visited links change colors.
>
> It's about Tor, but I'll explain as if Tor is based on Firefox by 
> describing the Firefox problem. Suppose it's set to Remember History. 
> I visit example.com. Firefox remembers the URL. So far, no problem. 
> Then I change Remember History to Never Remember History. I have no 
> idea that it's still remembering example.com. Someone inspecting my 
> computer can see that I visited example.com when I think they can't 
> see any history. That's a security leak.
>
> One could argue why I'd let anyone inspect my computer. However, Never 
> Remember History is offered for a reason, probably as protection 
> against anyone inspecting my computer.
>
> The URLs are definitely stored somewhere. I proved that. Which file 
> it's in, I don't know. It's stored somewhere available after powering 
> down and powering up, i.e., through a cold boot. I tried identifying 
> the exact location but failed. But it's somewhere there. I tested 
> without networking or a removable (flash) drive 
> (https://bugzilla.mozilla.org/show_bug.cgi?id=1476152#c10). Therefore, 
> it had to have been stored on my local hard drive.
>
> The complaint for Firefox is years old. It still has not been solved 
> for Firefox. Thus, unless Tor people monitor most unpatched Firefox 
> complaints (and there are many and most of them are unimportant), Tor 
> people could have missed this one. A wontfix or invalid for Firefox 
> might not be a decision appropriate for Tor.
>
> Users could easily miss it for years. The user interface says Never 
> Remember History. The meaning is unambiguous. The problem is that the 
> UI's meaning does not reflect the programming inside Firefox. Most 
> users would never test the truth of any UI. They would trust the UI. 
> Therefore, in this case, most users would be misled.
>
> The title was about Tor, albeit inspired by Firefox's problem. Firefox 
> is definitely storing the URLs. If Tor uses the same design insofar as 
> relevant, then Tor is also storing the URLs.
>
> Clear History is not the complaint's subject. As far as I know, Clear 
> History works. However, Never Rememmber History implies that the 
> history is being cleared just by selecting Never Remember History. If 
> a user should apply another step, the UI should not make a sweeping 
> overclaim or else it should explicitly tell the user to take that step.