notes: Private Browsing Mode #80

Closed
Thorin-Oakenpants opened this issue Apr 13, 2017 · 10 comments

@Thorin-Oakenpants
Contributor

I thought I would start a thread on known PB mode issues/problems. Personally, I don't think I know of any real benefits to PB mode over a controlled normal mode, and quite a few downsides. I'll start the ball rolling by mentioning one item

You cannot see or control PB mode cookies, or so-called "private cookies". So essentially, until you close Firefox, your cookies that you accept will be retained. Good luck to people who think running PB mode for days on end is a good idea.

This is why I always think it's better to start in normal mode and flick open a new private window when needed. Indeed, without closing FF, just closing all PB Mode windows clears the data, and the next PB Mode window starts anew - as evidenced by the tracking id PoC at http://www.radicalresearch.co.uk/lab/hstssupercookies

  • normal window: Your tracking id was set. wzezgm
  • new PB window: Your tracking id was set. l0ndfz (and then close all PB Mode windows)
  • new PB window: Your tracking id was set. 9ub0k6

Maybe Francois can tell what benefits PB mode offers that we can't achieve in normal mode already using smarts

@ghost

ghost commented Apr 13, 2017

I don't use Private Browsing. Even if you bypass the false idea of anonymity many users believe in, to consider only what it implies in reality, my opinion is that it's not worth it.

Maybe this excerpt from this post can be recalled:

Private Sessions don't interact with the data of your normal sessions. But normal sessions can access the data of other normal sessions (i.e. Youtube can access the Google Cookie). Private browsing behaves the same way. Private and normal browsing cannot interact with each other. Private windows can access cookies and such set by other private windows. This will reset when you close all private sessions.

Just a quick note: Using Chrome Incognito, Firefox private tab or various doesn't make you anonymous. It's not even close to anonymization. It's just a regular tab that will expose every data that it would send otherwise too. The only difference is the rollback it performs when you close the private window. The private session won't store any data on your device but it still exposes various data to the web provider and won't make you more secure or whatever on that end.

The main idea is that Private windows can access cookies and such set by other private windows.

OK, all is removed once you restart Firefox ... but within the session you're vulnerable. That's how I see it.

@crssi

crssi commented Apr 13, 2017

In short, I see PB as browsing which clears "forensic" evidence on the computer/browser you are using for browsing.
Not to waste too much time, I find PB useless.
The only "pro", which @Thorin-Oakenpants mentioned, is that it clears HSTS when closed, but you need to close all PB windows to achieve that. So again... almost useless.
PB is just giving users a false sense of security and I don't use it at all.

@Atavic

Atavic commented Apr 13, 2017

a privacy-related feature that is confusing can do much more harm than good

https://w3ctag.github.io/private-mode/

Open a tab in private mode: https://addons.mozilla.org/en-US/firefox/addon/private-tab/

gorhill/uMatrix#350
gorhill/uBlock#104

@crssi

crssi commented Apr 14, 2017

@Atavic, for accessing multiple accounts on the same web page I like the "container" feature more. ;)
user_pref("privacy.userContext.enabled", true);

@earthlng
Contributor

PB is just giving users a false sense of security

That's a bit harsh IMHO - it does say exactly what it does and doesn't do. And it's called "Private Window" and not "Anonymous Window" for a reason.

This is why I always think it's better to start in normal mode and flick open a new private window when needed

I agree. It would still be nice if it was somehow possible to clear the "private" bits in memory without closing all PB windows. And also to be able to see the "private" cookies (for example).

@nodiscc

nodiscc commented Apr 14, 2017

I still fail to see how starting in PB mode is of any benefit.

PB is designed to make the browsing session resilient to unsophisticated local attackers, network level privacy is not an immediate goal (except through cookie jar isolation/cookie stealing mitigation which is, as you said, irrelevant when blocking all cookies in the first place/disabling cross-site requests)

https://wiki.mozilla.org/Private_Browsing

data [...] should not be written to the disk in a way that is exposed to the user either through the Firefox UI, or through the typical OS-provided mechanisms for viewing the information on the disk
[...] does not include protecting against scenarios such as [...] the OS caching the sensitive information in memory to the disk, probes inspecting the process memory at runtime, as such topics are outside of the scope of this feature's intended threat model.

Private Browsing is only a (convenient) master switch to toggle persistent local storage on/off. Basically all protection (other than cookie jar isolation) against remote attackers/tracking is already available in non-private browsing mode:

Is network level privacy a goal?

Experience suggests that users believe that private browsing implies some amount of network level privacy, but from a technical standpoint this is a challenging problem of its own so we have decided to not tackle it for now.

An Analysis of Private Browsing Modes in Modern Browsers has more info.

I would also like to know if PB mode respects any cookie settings made in the Options UI, and if it respects site permissions

This mozilla support page seems to indicate so: https://support.mozilla.org/t5/Firefox/Why-is-it-call-Private-Browsing-if-cookies-can-be-seen-from-the/td-p/1058044, but this could be verified

You can inspect the PB mode cookies via the command line in the Web Console (Firefox/Tools > Web Developer) via the document.cookie array. Note that the same rules for accepting and blocking cookies are used in PB mode and in regular mode, the only difference is a separate cookie jar that is joined among all PB mode tabs. (https://bugzilla.mozilla.org/show_bug.cgi?id=823941)

In short if you make sure to disable all kind of persistent storage in normal sessions through user.js Private Browsing should have no real advantage.

A good way to check for full coverage of the persistent storage preferences, would be to create 2 new fresh profiles configured with user.js, 1 with PB enabled, 1 with PB disabled, reproduce the exact same browsing session on 2 profiles, close the 2 browsers and compare their profile/cache directories (there should be no more information stored in the non-PB profile than in the PB-enabled one).
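The two-profile comparison proposed in the comment above can be scripted. This is an added example, not code posted in the thread: it assumes you pass the two directories on the command line, and the function names `snapshot` and `compare_profiles` are hypothetical.

```python
import hashlib
import os
import sys


def snapshot(root):
    """Map each file's path relative to root to (size, sha256 hex digest)."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full) or os.path.islink(full):
                continue  # skip sockets, lock symlinks and similar
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = (os.path.getsize(full), digest.hexdigest())
    return files


def compare_profiles(pb_root, normal_root):
    """Return what the non-PB profile holds beyond the PB-enabled one.

    only_normal: files that exist only in the non-PB profile
    larger:      files present in both but bigger in the non-PB profile
    changed:     same size, different content (needs manual inspection)
    """
    pb, normal = snapshot(pb_root), snapshot(normal_root)
    report = {"only_normal": [], "larger": [], "changed": []}
    for rel, (size, digest) in sorted(normal.items()):
        if rel not in pb:
            report["only_normal"].append(rel)
        elif size > pb[rel][0]:
            report["larger"].append(rel)
        elif size == pb[rel][0] and digest != pb[rel][1]:
            report["changed"].append(rel)
    return report


if __name__ == "__main__":
    # Usage: python compare_profiles.py <pb_profile_dir> <normal_profile_dir>
    result = compare_profiles(sys.argv[1], sys.argv[2])
    for kind, paths in result.items():
        for path in paths:
            print(f"{kind}\t{path}")
    # Non-zero exit when the non-PB profile kept files the PB one did not.
    sys.exit(1 if result["only_normal"] or result["larger"] else 0)
```

Run it once for the profile directories and once for the cache directories, with both browsers closed. Entries under `changed` are often SQLite files that differ only in timestamps, so they need a manual look rather than counting as a leak.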

@nodiscc

nodiscc commented Apr 14, 2017

I still stand by my statement that starting in PB mode offers nothing you can't achieve in normal mode

I agree, apparently (though this needs to be actually tested/verified working). PB mode also has drawbacks

  • Need to close the browser to clear memory caches/cookie jars
  • Cookie management addons not working, no cookie viewer https://bugzilla.mozilla.org/show_bug.cgi?id=823941
  • Same usability downgrade as with DISABLE CACHING settings (no history, slower due to disabled caches...).

My own method is to disable forced private browsing, re-enable persistent storage for usability/performance; the only use case for PB mode is using a shared/someone else's machine (eg. I don't care about the motivated local attacker scenario which can pwn me through memory/swap access/keylogging/... anyway. Mitigations against this are at the OS level).

It is fine to enforce Private Browsing if you want the most hardened setup, and usability is not a concern. It is fine to leave it disabled if you have other measures in place to mitigate local exploits/theft (sandboxing, FDE), and want access to history, or cookie management addons.

OT: The PK readme states [...] I have indexeddb off and uBo works perfectly.

Yes I have not tested this, it might be from an earlier version. Apparently related to pyllyukko/user.js@ce5ba07 -> http://forums.mozillazine.org/viewtopic.php?p=13842047; pyllyukko/user.js#8. I will open an issue for this, thanks.

@Atavic

Atavic commented Apr 15, 2017

@Thorin-Oakenpants regarding your Cookies pointers, I rehash these:

https://github.com/ghacksuserjs/ghacks-user.js/issues/11
Synzvato/decentraleyes#99

@earthlng
Contributor

earthlng commented May 15, 2017

PB mode is best used as a one off windows

then that's no longer PB mode (only) as per this pref. I would write Private browsing is best .... without the "mode" and maybe also add "therefore this pref is commented out by default" or something like that.
Maybe enable "Always use private browsing mode" would be a better title too, idk

@earthlng
Contributor

earthlng commented May 15, 2017

Closing all Private Windows clears all traces. I think that's important to note.
👍 for the rest
