Waterfox users : TLS tracking.

[DeathtoGnomes]

Found some interesting stuff and Tom's wrote an article about it. The Waterfox subreddit had a link to this how to stop this type of tracking.

https://github.com/MrAlex94/Waterfox/issues/768

 

[lexluthermiester]

This will get fixed. The thing with TLS sessions is that they are linked to cookie generation(IIRC) and if you delete cookies everytime you close your browser, a new cookie will need to be generated and thus a new TLS session will have to generate with it. So go into Waterfox settings and set them as shown below;

Additionally, if you use a cookie removal plugin such as " Self-Destructing Cookies " cookies will be deleted after closing the tab/Window and thus the TLS session will be forced to reset.

 

[Bill_Bright]

Are you

if you delete cookies everytime you close your browser, a new cookie will need to be generated and thus a new TLS session will have to generate with it.

Additionally, if you use a cookie removal plugin such as " Self-Destructing Cookies " cookies will be deleted after closing the tab/Window and thus the TLS session will be forced to reset.

Are you sure? I ask out of ignorance. And I ask because of the following statement found following the links above to Hacker News where it says (my bold underline added),

Whoa. I had no idea browsers were sending unique identifiers back to previously visited sites, even with cleared/disabled cookies.

It seems to me, that's the whole problem. That is, even if you clear the cookies, the tracking is still possible.

 

[lexluthermiester]

Are you
Are you sure? I ask out of ignorance. And I ask because of the following statement found following the links above to Hacker News where it says (my bold underline added), It seems to me, that's the whole problem. That is, even if you clear the cookies, the tracking is still possible.

You could be right, I might be wrong. My understanding about those intricate workings is somewhat dated. However, it's generally supposed to work the way I described. Perhaps there's an aspect of the TLS session that stores an LTSO that isn't being wiped like it's supposed to and thus the persistence.

 

[Bill_Bright]

However, it's generally supposed to work the way I described.

I agree. In fact, I don't see why any browser should be sending any information back to previously visited sites - whether cookies have been cleared or not. I am not a tin-foil hat wearing, paranoid privacy freak, but it seems to me, if I don't knowingly give my consent, when I leave a site, nothing should be sent back to that site about me, my computer or my computing habits.

 

[Liquid Cool]

Thanks for making me aware of this issue. I'm an avid fan of Waterfox. Don't have time to check into it closely at the moment(cooking), but I will delve into it later. I just wanted to send a thanks along to DtG for pointing it out.

,

Liquid Cool

 

[lexluthermiester]

Actually did a bit more research. The plugin I mentioned above, Self-Destructing Cookies( https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/?src=api ), seems to work around this problem because it deletes all session data, not just cookies. However that plugin might not install as it's intended for older versions of the Firefox engine. If you're using a newer version of Waterfox, there is an excellent replacement plugin which carries out very similar functions called Cookie AutoDelete( https://github.com/Cookie-AutoDelete/Cookie-AutoDelete ). In the settings for this plugin, make sure the " Localstorage Cleanup " is checked.

Highly recommend the use of one of them as their use will, in theory, negate this TLS session problem.

 

[Bill_Bright]

Hmmm, I wonder if that plugin works for Pale Moon (my default browser), a forked FF spinoff? Or if it is even necessary after the last PM update where the change log says,

Removed support for TLS session caches in TLSServerSocket.

 

[lexluthermiester]

Hmmm, I wonder if that plugin works for Pale Moon (my default browser), a forked FF spinoff? Or if it is even necessary after the last PM update where the change log says,

I think you're safe with that browser.

 

[Bill_Bright]

Me too.

 

[DeathtoGnomes]

Actually did a bit more research. The plugin I mentioned above, Self-Destructing Cookies( https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/?src=api ), seems to work around this problem because it deletes all session data, not just cookies. However that plugin might not install as it's intended for older versions of the Firefox engine. If you're using a newer version of Waterfox, there is an excellent replacement plugin which carries out very similar functions called Cookie AutoDelete( https://github.com/Cookie-AutoDelete/Cookie-AutoDelete ). In the settings for this plugin, make sure the " Localstorage Cleanup " is checked.

Highly recommend the use of one of them as their use will, in theory, negate this TLS session problem.

There are a lot of specific use addons for FF/WF/other browsers. While this might be a better choice for those less comfortable doing edits to about:config, overlapping addons can still cause the rare occasional problem. For the savvy, editing/adding these 2 lines is still better than installing an addon that has limited use or redundant.

 

[lexluthermiester]

There are a lot of specific use addons for FF/WF/other browsers. While this might be a better choice for those less comfortable doing edits to about:config, overlapping addons can still cause the rare occasional problem.

I've never seen a problem like that happen. Thinking most people would be ok.

For the savvy, editing/adding these 2 lines is still better than installing an addon that has limited use or redundant.

What two lines? Did you mean the the ones mentioned on the github post?

For those who want to give this a go and have never used the config tool built into FireFox and all of it's variants, open a new tab or window and type " about:config " into the address bar. You might get a warning a about a warranty, ignore it(because really what warranty?). In the search bar that comes up with the config page, to easily find the two setting above, just type in the first word and the set the options as shown above. The changes take effect on the fly and can be tested immediately. Here's the direct link to test site once you've finished. https://www.ssllabs.com/ssltest/viewMyClient.html

Please keep in mind this fix only applies to Waterfox. Firefox, Palemoon, Cyberfox and all other variants seem unaffected because the problem has been removed, disabled or patched. Waterfox will shortly be patched as well.

 

[John Naylor]

With all the browser updates, and user configuration changes, I wish these browsers would list each feature choices and describe, in detail, exactly what each one does.

 

[lexluthermiester]

With all the browser updates, and user configuration changes, I wish these browsers would list each feature choices and describe, in detail, exactly what each one does.

Wouldn't that be nice!

 

[DeathtoGnomes]

With all the browser updates, and user configuration changes, I wish these browsers would list each feature choices and describe, in detail, exactly what each one does.

Wouldn't that be nice!

haha for sure.