FireFox privacy mode not so private...

Flash plugin leaves traces of loaded flash files in:

/home/user/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/

In there Flash creates directories named as the domain from where the flashlet came, inside which is what appears to be settings for the flashlet.

I don’t know if this is a “bug” in FireFox, or simply a feature FF cannot prevent.

FireFox 3.5.2-1.1 x86_64
Flash 10.0 r22
OpenSuse 11.1 x86_64

You have to set up privacy rules in flash. You can do this on the adobe website. The application itself is flash again. You set: amount of data applications can leave on the pc to 0. That should be fine.
Anyway privoxy itself is not a privacy warranty. You should use privoxy without squid, plus tor. You should also consider the use of noscript. You will then set: empty all cookies on exit of program. And things should become a bit better.

By the way, I noticed you use the alpha flash plugin :) There was recently an update :) Check it out :)

Plugin privacy policy is not governed by FF.

And for those thinking of anonymous surfing, FF (and for that matter, Chrome) privacy mode just means no history and no cookies retained. Your IP address and pages visited are still recorded by the sites you visit. Not surprising when you think about it, but may not be clear to all.

@ken

At least google-chrome warns about that. FF doesn’t say anything about the “server side”.

It’s just not explained in the browser itself, but on the web:

Private Browsing

@bender: wouldn’t this be a good moment to underline the usefulness of tor with privoxy?
The consciousness of the high level of “profiling” that is currently going on seems to be too low.
Btw, as I did not follow up: is google-chrome now out of beta? In the beginning I recall some major pitfalls with privacy. Maybe my memory betrays me. :|

I don’t know about the state of google-chrome, I have the 3.0.197 version from here

Index of /buildbot/snapshots/chromium-rel-linux

I got a script that downloads the new version every hour so I’m pretty on time with that. First impressions? There are some quirks (can’t import passwords from Firefox), BUT it starts in less than a second, is A LOT less memory hungry and faster. The good thing is that it isn’t slower than the windows version, (yes, I’m looking at you firefox). The incognito mode in google-chrome explains what its privacy mode does and what can’t be done (server side logging etc.) I’m not that paranoid to use tor with privoxy :) I still live in a democratic country ;)

By the way, linux version of google-chrome will have a bit more privacy since updates will have to be handled by the distro vendor and not by google itself so less data to be sent to google.

P.S. First cries about google-chrome privacy was just google’s search suggestions, which is also present in firefox if you use google’s search toolbar.

Yeah, I forgot about Flash privacy settings… Not that I was expecting absolute privacy (which does not exist anyways), but I was kinda disappointed to realize that the Privacy mode is just a selective cleaner of cookies, history and page cache.

I wonder why would it be so difficult to implement complete sandboxing, not allowing the plugin process to touch the system, except through an API provided by the browser.

perhaps something LIKE this in a run-during-logout script could be useful:

rm -fr ~/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/


goldie
CAVEAT: The author of this posting does not warrant the accuracy,
completeness, legality, or usefulness of its content and is not
responsible for consequences resulting from its use.
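
A more careful take on the logout cleanup suggested above, as an added example that is not part of the original post: it lists the per-site directories first, then empties the directory only if it is a real directory below $HOME. The function names, the `--list`/`--purge` arguments and the `FLASH_SYS` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): list, then clear, Flash's per-site data.
# FLASH_SYS defaults to the path named in the thread; the override is an assumption.
FLASH_SYS="${FLASH_SYS:-$HOME/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys}"

# Print one line per site directory Flash created there (name = source domain).
flash_trace_domains() {
    dir="${1:-$FLASH_SYS}"
    [ -d "$dir" ] || return 0                 # nothing stored, nothing to report
    for entry in "$dir"/*; do
        # Count real directories only; an empty glob or a symlink is skipped.
        if [ -d "$entry" ] && [ ! -L "$entry" ]; then
            basename "$entry"
        fi
    done | sort
}

# Empty the directory, but only if it is a real directory below $HOME, so a
# symlink planted at that path cannot point the delete somewhere else.
purge_flash_traces() {
    dir="${1:-$FLASH_SYS}"
    [ -e "$dir" ] || [ -L "$dir" ] || return 0   # already absent
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: $dir is not a plain directory" >&2
        return 1
    fi
    real=$(cd "$dir" && pwd -P) || return 1      # resolve symlinked parents
    home_real=$(cd "$HOME" && pwd -P) || return 1
    case "$real" in
        "$home_real"/*) ;;
        *) echo "refusing: $real is outside $home_real" >&2; return 1 ;;
    esac
    # Delete the contents, keep the directory; find does not follow symlinks.
    find "$real" -mindepth 1 -delete
}

# From a logout script call with --purge; --list only reports. No argument: no action.
case "${1:-}" in
    --list)  flash_trace_domains ;;
    --purge) flash_trace_domains && purge_flash_traces ;;
esac
```
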

You can implement a sandbox with AppArmor for example. If it goes about privacy, this is a myth. If there is someone that really wants to get you then he will get you eventually. Tor does not guarantee your privacy, they can correlate the logs from every ISP and get to you easily so this is just an illusion of security. Fortunately if you are not an Al-Qaeda terrorist then the government doesn’t care what you do ;)

This is good news, especially the speed and memory fact. And then I am convinced that whatever mono-culture is doing worse than good competition.
On this comment:

I still live in a democratic country

That is highly relative. You can live in a democratic country but Internet has no borders and the people interested in your IP may not be at all from democratic countries. So I wouldn’t call it paranoid. For myself I use tor when I feel like it.

Fortunately most of people are behind a NAT with their ISP so in practice until they look at the logs can’t tell that it was You :)

I am behind a NAT. Oh yes, google-chrome is A LOT speedier than firefox and it’s a breeze to install on linux, just download the newest number from the site I gave you. Unpack it to somewhere in /home/<user>/ and start from console and look what is needed for it to work. If it asks for a library with an ending like so.0d or so.1d then it is available in openSUSE’s repo but it is without that ending. What you need to do is to create a symlink
ln -s /usr/lib/whatever-library.so /usr/lib/whatever-library.so.0d

It’s that easy :)

Unfortunately flash doesn’t work yet but I don’t watch movies in such case using chrome.

There is no such thing as privacy, the TCP/IP network wasn’t designed for that. If you want privacy then unplug your internet cord :P

AppArmor is exactly how I found out this Flash cache. Was building and testing a profile.

However, this is all about “local” privacy, ie. automatic cleaning of local caches of data. Previous versions of FF had global personal data cleaning capabilities, and it could be configured to clean automatically on exit. Also, über paranoid types can write scripts that clean everything else, every now and then or on login/logout (as someone already suggested here).

So basically this new Privacy mode is just selective cleaner, in that it cleans only some data, that you designate not to be stored, while leaving other which you might want to keep (history, cookies to sites you revisit, etc…).

Speaking of which, my AppArmor Firefox profile found out something else as well.

Java plugin wants to mmap /etc/passwd. I have no idea why, but I denied it and applets (so far) work fine and do not appear crippled.

Now that is interesting. I wouldn’t be so much worried about that since it’s one way encrypted ;)

/etc/passwd doesn’t contain (encrypted) passwords any more. Those are in /etc/shadow nowadays.

You’re right, I completely forgot about that :)

Then it is worrying since a bad Java applet could check what users you got on the system and then try to crack the passwords (which is of course almost impossible ;)), or brute crack the ssh logins. The possibilities are endless lol!

Tor exposes you to a different risk. IIRC a researcher advertised his machine as willing to take Tor traffic. He then managed to collect traffic from users like embassies sending data in the clear, i.e. http and not https. What those users forgot is that anonymity is not the same thing as privacy.

Shouldn’t the embassies use something a bit safer like a VPN connection :)??