• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Waterfox users : TLS tracking.

Joined
Jul 16, 2014
Messages
2,600 (1.64/day)
Likes
1,319
Location
SE Michigan
System Name Dumbass
Processor AMD-9370BE @4.6
Motherboard ASUS SABERTOOTH 990FX R2.0 +SB950
Cooling CM Nepton 280L
Memory G.Skill Sniper 16gb DDR3 2400
Video Card(s) GreenTeam 1080 Gaming X 8GB
Storage C:\SSD (240GB), D:\Seagate (2TB), E:\Western Digital (1TB)
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Logitech G700s
Keyboard Logitech G910 Orion Spark
Software windows 10
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
#1
Joined
Jul 5, 2013
Messages
3,669 (1.87/day)
Likes
2,162
Location
USA
#2
This will get fixed. The thing with TLS sessions is that they are linked to cookie generation(IIRC) and if you delete cookies everytime you close your browser, a new cookie will need to be generated and thus a new TLS session will have to generate with it. So go into Waterfox settings and set them as shown below;
WaterfoxPrivacySettings1.jpg
Additionally, if you use a cookie removal plugin such as " Self-Destructing Cookies " cookies will be deleted after closing the tab/Window and thus the TLS session will be forced to reset.
 
Last edited:
Joined
Jul 25, 2006
Messages
4,615 (1.03/day)
Likes
3,095
Location
Nebraska, USA
System Name Brightworks Systems BWS-6 E-IV
Processor Intel Core i5-6600 @ 3.9GHz
Motherboard Gigabyte GA-Z170-HD3 Rev 1.0
Cooling Quality case, 2 x Fractal Design 140mm fans, stock CPU HSF
Memory 16GB (2 x 8GB) DDR4 3000 Corsair Vengeance
Video Card(s) EVGA GEForce GTX 1050Ti 4Gb GDDR5
Storage Samsung 850 Pro 256GB SSD, Samsung 860 Evo 500GB SSD
Display(s) Samsung S24E650BW LED x 2
Case Fractal Design Define R4
Power Supply EVGA Supernova 550W G2 Gold
Mouse Microsoft Wireless 5000
Keyboard Microsoft Wireless Comfort 5050
Software W10 Pro 64-bit
#3
Are you
if you delete cookies everytime you close your browser, a new cookie will need to be generated and thus a new TLS session will have to generate with it.

Additionally, if you use a cookie removal plugin such as " Self-Destructing Cookies " cookies will be deleted after closing the tab/Window and thus the TLS session will be forced to reset.
Are you sure? I ask out of ignorance. And I ask because of the following statement found following the links above to Hacker News where it says (my bold underline added),
Whoa. I had no idea browsers were sending unique identifiers back to previously visited sites, even with cleared/disabled cookies.
It seems to me, that's the whole problem. That is, even if you clear the cookies, the tracking is still possible.
 
Joined
Jul 5, 2013
Messages
3,669 (1.87/day)
Likes
2,162
Location
USA
#4
Are you
Are you sure? I ask out of ignorance. And I ask because of the following statement found following the links above to Hacker News where it says (my bold underline added), It seems to me, that's the whole problem. That is, even if you clear the cookies, the tracking is still possible.
You could be right, I might be wrong. My understanding about those intricate workings is somewhat dated. However, it's generally supposed to work the way I described. Perhaps there's an aspect of the TLS session that stores an LTSO that isn't being wiped like it's supposed to and thus the persistence.
 
Joined
Jul 25, 2006
Messages
4,615 (1.03/day)
Likes
3,095
Location
Nebraska, USA
System Name Brightworks Systems BWS-6 E-IV
Processor Intel Core i5-6600 @ 3.9GHz
Motherboard Gigabyte GA-Z170-HD3 Rev 1.0
Cooling Quality case, 2 x Fractal Design 140mm fans, stock CPU HSF
Memory 16GB (2 x 8GB) DDR4 3000 Corsair Vengeance
Video Card(s) EVGA GEForce GTX 1050Ti 4Gb GDDR5
Storage Samsung 850 Pro 256GB SSD, Samsung 860 Evo 500GB SSD
Display(s) Samsung S24E650BW LED x 2
Case Fractal Design Define R4
Power Supply EVGA Supernova 550W G2 Gold
Mouse Microsoft Wireless 5000
Keyboard Microsoft Wireless Comfort 5050
Software W10 Pro 64-bit
#5
However, it's generally supposed to work the way I described.
I agree. In fact, I don't see why any browser should be sending any information back to previously visited sites - whether cookies have been cleared or not. I am not a tin-foil hat wearing, paranoid privacy freak, but it seems to me, if I don't knowingly give my consent, when I leave a site, nothing should be sent back to that site about me, my computer or my computing habits.
 
Joined
Jul 5, 2013
Messages
3,669 (1.87/day)
Likes
2,162
Location
USA
#7
Actually did a bit more research. The plugin I mentioned above, Self-Destructing Cookies( https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/?src=api ), seems to work around this problem because it deletes all session data, not just cookies. However that plugin might not install as it's intended for older versions of the Firefox engine. If you're using a newer version of Waterfox, there is an excellent replacement plugin which carries out very similar functions called Cookie AutoDelete( https://github.com/Cookie-AutoDelete/Cookie-AutoDelete ). In the settings for this plugin, make sure the " Localstorage Cleanup " is checked.

Highly recommend the use of one of them as their use will, in theory, negate this TLS session problem.
 
Joined
Jul 25, 2006
Messages
4,615 (1.03/day)
Likes
3,095
Location
Nebraska, USA
System Name Brightworks Systems BWS-6 E-IV
Processor Intel Core i5-6600 @ 3.9GHz
Motherboard Gigabyte GA-Z170-HD3 Rev 1.0
Cooling Quality case, 2 x Fractal Design 140mm fans, stock CPU HSF
Memory 16GB (2 x 8GB) DDR4 3000 Corsair Vengeance
Video Card(s) EVGA GEForce GTX 1050Ti 4Gb GDDR5
Storage Samsung 850 Pro 256GB SSD, Samsung 860 Evo 500GB SSD
Display(s) Samsung S24E650BW LED x 2
Case Fractal Design Define R4
Power Supply EVGA Supernova 550W G2 Gold
Mouse Microsoft Wireless 5000
Keyboard Microsoft Wireless Comfort 5050
Software W10 Pro 64-bit
#8
Hmmm, I wonder if that plugin works for Pale Moon (my default browser), a forked FF spinoff? Or if it is even necessary after the last PM update where the change log says,
Removed support for TLS session caches in TLSServerSocket.
 
Joined
Jul 5, 2013
Messages
3,669 (1.87/day)
Likes
2,162
Location
USA
#9
Hmmm, I wonder if that plugin works for Pale Moon (my default browser), a forked FF spinoff? Or if it is even necessary after the last PM update where the change log says,
I think you're safe with that browser.
 
Joined
Jul 25, 2006
Messages
4,615 (1.03/day)
Likes
3,095
Location
Nebraska, USA
System Name Brightworks Systems BWS-6 E-IV
Processor Intel Core i5-6600 @ 3.9GHz
Motherboard Gigabyte GA-Z170-HD3 Rev 1.0
Cooling Quality case, 2 x Fractal Design 140mm fans, stock CPU HSF
Memory 16GB (2 x 8GB) DDR4 3000 Corsair Vengeance
Video Card(s) EVGA GEForce GTX 1050Ti 4Gb GDDR5
Storage Samsung 850 Pro 256GB SSD, Samsung 860 Evo 500GB SSD
Display(s) Samsung S24E650BW LED x 2
Case Fractal Design Define R4
Power Supply EVGA Supernova 550W G2 Gold
Mouse Microsoft Wireless 5000
Keyboard Microsoft Wireless Comfort 5050
Software W10 Pro 64-bit
#10
Me too.
 
Joined
Jul 16, 2014
Messages
2,600 (1.64/day)
Likes
1,319
Location
SE Michigan
System Name Dumbass
Processor AMD-9370BE @4.6
Motherboard ASUS SABERTOOTH 990FX R2.0 +SB950
Cooling CM Nepton 280L
Memory G.Skill Sniper 16gb DDR3 2400
Video Card(s) GreenTeam 1080 Gaming X 8GB
Storage C:\SSD (240GB), D:\Seagate (2TB), E:\Western Digital (1TB)
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Logitech G700s
Keyboard Logitech G910 Orion Spark
Software windows 10
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
#11
Actually did a bit more research. The plugin I mentioned above, Self-Destructing Cookies( https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/?src=api ), seems to work around this problem because it deletes all session data, not just cookies. However that plugin might not install as it's intended for older versions of the Firefox engine. If you're using a newer version of Waterfox, there is an excellent replacement plugin which carries out very similar functions called Cookie AutoDelete( https://github.com/Cookie-AutoDelete/Cookie-AutoDelete ). In the settings for this plugin, make sure the " Localstorage Cleanup " is checked.

Highly recommend the use of one of them as their use will, in theory, negate this TLS session problem.
There are a lot of specific use addons for FF/WF/other browsers. While this might be a better choice for those less comfortable doing edits to about:config, overlapping addons can still cause the rare occasional problem. For the savvy, editing/adding these 2 lines is still better than installing an addon that has limited use or redundant.
 
Joined
Jul 5, 2013
Messages
3,669 (1.87/day)
Likes
2,162
Location
USA
#12
There are a lot of specific use addons for FF/WF/other browsers. While this might be a better choice for those less comfortable doing edits to about:config, overlapping addons can still cause the rare occasional problem.
I've never seen a problem like that happen. Thinking most people would be ok.
For the savvy, editing/adding these 2 lines is still better than installing an addon that has limited use or redundant.
What two lines? Did you mean the the ones mentioned on the github post?
TLS.jpg

For those who want to give this a go and have never used the config tool built into FireFox and all of it's variants, open a new tab or window and type " about:config " into the address bar. You might get a warning a about a warranty, ignore it(because really what warranty?). In the search bar that comes up with the config page, to easily find the two setting above, just type in the first word and the set the options as shown above. The changes take effect on the fly and can be tested immediately. Here's the direct link to test site once you've finished. https://www.ssllabs.com/ssltest/viewMyClient.html

Please keep in mind this fix only applies to Waterfox. Firefox, Palemoon, Cyberfox and all other variants seem unaffected because the problem has been removed, disabled or patched. Waterfox will shortly be patched as well.
 
Joined
Jul 16, 2014
Messages
2,600 (1.64/day)
Likes
1,319
Location
SE Michigan
System Name Dumbass
Processor AMD-9370BE @4.6
Motherboard ASUS SABERTOOTH 990FX R2.0 +SB950
Cooling CM Nepton 280L
Memory G.Skill Sniper 16gb DDR3 2400
Video Card(s) GreenTeam 1080 Gaming X 8GB
Storage C:\SSD (240GB), D:\Seagate (2TB), E:\Western Digital (1TB)
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Logitech G700s
Keyboard Logitech G910 Orion Spark
Software windows 10
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
#15
Top