• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Waterfox users : TLS tracking.

Joined
Jul 16, 2014
Messages
2,920 (1.52/day)
Location
SE Michigan
System Name Dumbass
Processor AMD-9370BE @4.6
Motherboard ASUS SABERTOOTH 990FX R2.0 +SB950
Cooling CM Nepton 280L
Memory G.Skill Sniper 16gb DDR3 2400
Video Card(s) GreenTeam 1080 Gaming X 8GB
Storage C:\SSD (240GB), D:\Seagate (2TB), E:\Western Digital (1TB)
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Logitech G700s
Keyboard Logitech G910 Orion Spark
Software windows 10
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
Joined
Jul 5, 2013
Messages
7,441 (3.24/day)
This will get fixed. The thing with TLS sessions is that they are linked to cookie generation(IIRC) and if you delete cookies everytime you close your browser, a new cookie will need to be generated and thus a new TLS session will have to generate with it. So go into Waterfox settings and set them as shown below;
WaterfoxPrivacySettings1.jpg
Additionally, if you use a cookie removal plugin such as " Self-Destructing Cookies " cookies will be deleted after closing the tab/Window and thus the TLS session will be forced to reset.
 
Last edited:
Joined
Jul 25, 2006
Messages
5,867 (1.21/day)
Location
Nebraska, USA
System Name Brightworks Systems BWS-6 E-IV
Processor Intel Core i5-6600 @ 3.9GHz
Motherboard Gigabyte GA-Z170-HD3 Rev 1.0
Cooling Quality case, 2 x Fractal Design 140mm fans, stock CPU HSF
Memory 16GB (2 x 8GB) DDR4 3000 Corsair Vengeance
Video Card(s) EVGA GEForce GTX 1050Ti 4Gb GDDR5
Storage Samsung 850 Pro 256GB SSD, Samsung 860 Evo 500GB SSD
Display(s) Samsung S24E650BW LED x 2
Case Fractal Design Define R4
Power Supply EVGA Supernova 550W G2 Gold
Mouse Microsoft Wireless 5000
Keyboard Microsoft Wireless Comfort 5050
Software W10 Pro 64-bit
Are you
if you delete cookies everytime you close your browser, a new cookie will need to be generated and thus a new TLS session will have to generate with it.

Additionally, if you use a cookie removal plugin such as " Self-Destructing Cookies " cookies will be deleted after closing the tab/Window and thus the TLS session will be forced to reset.
Are you sure? I ask out of ignorance. And I ask because of the following statement found following the links above to Hacker News where it says (my bold underline added),
Whoa. I had no idea browsers were sending unique identifiers back to previously visited sites, even with cleared/disabled cookies.
It seems to me, that's the whole problem. That is, even if you clear the cookies, the tracking is still possible.
 
Joined
Jul 5, 2013
Messages
7,441 (3.24/day)
Are you
Are you sure? I ask out of ignorance. And I ask because of the following statement found following the links above to Hacker News where it says (my bold underline added), It seems to me, that's the whole problem. That is, even if you clear the cookies, the tracking is still possible.
You could be right, I might be wrong. My understanding about those intricate workings is somewhat dated. However, it's generally supposed to work the way I described. Perhaps there's an aspect of the TLS session that stores an LTSO that isn't being wiped like it's supposed to and thus the persistence.
 
Joined
Jul 25, 2006
Messages
5,867 (1.21/day)
Location
Nebraska, USA
System Name Brightworks Systems BWS-6 E-IV
Processor Intel Core i5-6600 @ 3.9GHz
Motherboard Gigabyte GA-Z170-HD3 Rev 1.0
Cooling Quality case, 2 x Fractal Design 140mm fans, stock CPU HSF
Memory 16GB (2 x 8GB) DDR4 3000 Corsair Vengeance
Video Card(s) EVGA GEForce GTX 1050Ti 4Gb GDDR5
Storage Samsung 850 Pro 256GB SSD, Samsung 860 Evo 500GB SSD
Display(s) Samsung S24E650BW LED x 2
Case Fractal Design Define R4
Power Supply EVGA Supernova 550W G2 Gold
Mouse Microsoft Wireless 5000
Keyboard Microsoft Wireless Comfort 5050
Software W10 Pro 64-bit
However, it's generally supposed to work the way I described.
I agree. In fact, I don't see why any browser should be sending any information back to previously visited sites - whether cookies have been cleared or not. I am not a tin-foil hat wearing, paranoid privacy freak, but it seems to me, if I don't knowingly give my consent, when I leave a site, nothing should be sent back to that site about me, my computer or my computing habits.
 
Joined
Mar 2, 2011
Messages
976 (0.31/day)
Location
Omaha, NE
System Name It's A-L-I-V-E...Perfect 1080p gaming!
Processor Ryzen 5 2600
Motherboard Asrock Fatal1ty AB350 Gaming-ITX/ac
Cooling Cryorig M9 w/ be quiet! PURE Wings 2 ~ 92mm
Memory G.SKILL Ripjaws V ~16GB(2 x 8GB) ~ DDR 4 3000
Video Card(s) Sapphire PULSE Radeon RX 580 8GB
Storage Samsung 860 EVO - 500 GB
Display(s) Dell S2715H
Case In the market for a new case...need ideas!
Audio Device(s) Realtek ALC1220
Power Supply EVGA SuperNOVA 550 G3
Mouse Logitech Zone Touch Mouse - T400
Keyboard iKBC CD108 ~ Cherry MX Blues
Software Debian Buster 10/Windows 10
Benchmark Scores Fastest PC I've ever owned!
Thanks for making me aware of this issue. I'm an avid fan of Waterfox. Don't have time to check into it closely at the moment(cooking), but I will delve into it later. I just wanted to send a thanks along to DtG for pointing it out.

:),

Liquid Cool
 
Joined
Jul 5, 2013
Messages
7,441 (3.24/day)
Actually did a bit more research. The plugin I mentioned above, Self-Destructing Cookies( https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/?src=api ), seems to work around this problem because it deletes all session data, not just cookies. However that plugin might not install as it's intended for older versions of the Firefox engine. If you're using a newer version of Waterfox, there is an excellent replacement plugin which carries out very similar functions called Cookie AutoDelete( https://github.com/Cookie-AutoDelete/Cookie-AutoDelete ). In the settings for this plugin, make sure the " Localstorage Cleanup " is checked.

Highly recommend the use of one of them as their use will, in theory, negate this TLS session problem.
 
Joined
Jul 25, 2006
Messages
5,867 (1.21/day)
Location
Nebraska, USA
System Name Brightworks Systems BWS-6 E-IV
Processor Intel Core i5-6600 @ 3.9GHz
Motherboard Gigabyte GA-Z170-HD3 Rev 1.0
Cooling Quality case, 2 x Fractal Design 140mm fans, stock CPU HSF
Memory 16GB (2 x 8GB) DDR4 3000 Corsair Vengeance
Video Card(s) EVGA GEForce GTX 1050Ti 4Gb GDDR5
Storage Samsung 850 Pro 256GB SSD, Samsung 860 Evo 500GB SSD
Display(s) Samsung S24E650BW LED x 2
Case Fractal Design Define R4
Power Supply EVGA Supernova 550W G2 Gold
Mouse Microsoft Wireless 5000
Keyboard Microsoft Wireless Comfort 5050
Software W10 Pro 64-bit
Hmmm, I wonder if that plugin works for Pale Moon (my default browser), a forked FF spinoff? Or if it is even necessary after the last PM update where the change log says,
Removed support for TLS session caches in TLSServerSocket.
 
Joined
Jul 25, 2006
Messages
5,867 (1.21/day)
Location
Nebraska, USA
System Name Brightworks Systems BWS-6 E-IV
Processor Intel Core i5-6600 @ 3.9GHz
Motherboard Gigabyte GA-Z170-HD3 Rev 1.0
Cooling Quality case, 2 x Fractal Design 140mm fans, stock CPU HSF
Memory 16GB (2 x 8GB) DDR4 3000 Corsair Vengeance
Video Card(s) EVGA GEForce GTX 1050Ti 4Gb GDDR5
Storage Samsung 850 Pro 256GB SSD, Samsung 860 Evo 500GB SSD
Display(s) Samsung S24E650BW LED x 2
Case Fractal Design Define R4
Power Supply EVGA Supernova 550W G2 Gold
Mouse Microsoft Wireless 5000
Keyboard Microsoft Wireless Comfort 5050
Software W10 Pro 64-bit
Joined
Jul 16, 2014
Messages
2,920 (1.52/day)
Location
SE Michigan
System Name Dumbass
Processor AMD-9370BE @4.6
Motherboard ASUS SABERTOOTH 990FX R2.0 +SB950
Cooling CM Nepton 280L
Memory G.Skill Sniper 16gb DDR3 2400
Video Card(s) GreenTeam 1080 Gaming X 8GB
Storage C:\SSD (240GB), D:\Seagate (2TB), E:\Western Digital (1TB)
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Logitech G700s
Keyboard Logitech G910 Orion Spark
Software windows 10
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
Actually did a bit more research. The plugin I mentioned above, Self-Destructing Cookies( https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/?src=api ), seems to work around this problem because it deletes all session data, not just cookies. However that plugin might not install as it's intended for older versions of the Firefox engine. If you're using a newer version of Waterfox, there is an excellent replacement plugin which carries out very similar functions called Cookie AutoDelete( https://github.com/Cookie-AutoDelete/Cookie-AutoDelete ). In the settings for this plugin, make sure the " Localstorage Cleanup " is checked.

Highly recommend the use of one of them as their use will, in theory, negate this TLS session problem.
There are a lot of specific use addons for FF/WF/other browsers. While this might be a better choice for those less comfortable doing edits to about:config, overlapping addons can still cause the rare occasional problem. For the savvy, editing/adding these 2 lines is still better than installing an addon that has limited use or redundant.
 
Joined
Jul 5, 2013
Messages
7,441 (3.24/day)
There are a lot of specific use addons for FF/WF/other browsers. While this might be a better choice for those less comfortable doing edits to about:config, overlapping addons can still cause the rare occasional problem.
I've never seen a problem like that happen. Thinking most people would be ok.
For the savvy, editing/adding these 2 lines is still better than installing an addon that has limited use or redundant.
What two lines? Did you mean the the ones mentioned on the github post?
TLS.jpg

For those who want to give this a go and have never used the config tool built into FireFox and all of it's variants, open a new tab or window and type " about:config " into the address bar. You might get a warning a about a warranty, ignore it(because really what warranty?). In the search bar that comes up with the config page, to easily find the two setting above, just type in the first word and the set the options as shown above. The changes take effect on the fly and can be tested immediately. Here's the direct link to test site once you've finished. https://www.ssllabs.com/ssltest/viewMyClient.html

Please keep in mind this fix only applies to Waterfox. Firefox, Palemoon, Cyberfox and all other variants seem unaffected because the problem has been removed, disabled or patched. Waterfox will shortly be patched as well.
 
Joined
Jul 16, 2014
Messages
2,920 (1.52/day)
Location
SE Michigan
System Name Dumbass
Processor AMD-9370BE @4.6
Motherboard ASUS SABERTOOTH 990FX R2.0 +SB950
Cooling CM Nepton 280L
Memory G.Skill Sniper 16gb DDR3 2400
Video Card(s) GreenTeam 1080 Gaming X 8GB
Storage C:\SSD (240GB), D:\Seagate (2TB), E:\Western Digital (1TB)
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Logitech G700s
Keyboard Logitech G910 Orion Spark
Software windows 10
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
Top