Closed Bug 472421 Opened 16 years ago Closed 8 years ago

turn off full-hash caching when in private mode

Categories

(Toolkit :: Safe Browsing, defect, P5)

Product:
Toolkit
Component:
Safe Browsing
Type:
defect

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: dcamp, Assigned: ehsan.akhgari)

Details

(Keywords: privacy, Whiteboard: [private browsing mode][PB-P2]) 

As mentioned in bug 454792 comment #12, browsing to a phishing/malware site can leave a trace in private browsing mode (although a fairly small one, in the grand scheme of things).  It should be trivial to turn off full-hash caching during private browsing mode, or to cache the full hashes in memory for the lifetime of private browsing mode.
Flags: blocking-firefox3.1?
Can you give me a clue on what code to look at to make this happen?
(IMO Google's "safebrowsing" shouldn't be part of the browser AT ALL, so all such problems would be non-existent, but let's see what we got here...)

(In reply to comment #0)
> As mentioned in bug 454792 comment #12, browsing to a phishing/malware site can
> leave a trace in private browsing mode (although a fairly small one, in the
> grand scheme of things).  It should be trivial to turn off full-hash caching
> during private browsing mode,

/gethash requests are privacy-invasive enough and this change would make matters _worse_ (in terms of leaving traces on "safebrowsing provider" server), because it would contact Google with every visit (or would-be visit) of site that matches hash/hashes. With full hash cached it at least decreases number of /gethash requests.

This solution will also increase load on server-side.

Specification uses "MUST" regarding caching:
http://code.google.com/p/google-safe-browsing/wiki/Protocolv2Spec#3.8.2._Response_Body
"Each hash in the response MUST be stored as the full length hash for the prefix in the list and chunk indicated in the response, for the length of time that the hash prefix is a valid entry in the chunk. The full length hash should always be used when performing lookups instead of the prefix, when it is available. Thus, the client MUST not make any further full length hash requests for that hash (...)"

> or to cache the full hashes in memory for the
> lifetime of private browsing mode.

That's better solution (although not ideal...; "safebrowsing" should be disabled by default).
(In reply to comment #2)
> (IMO Google's "safebrowsing" shouldn't be part of the browser AT ALL, so all
> such problems would be non-existent, but let's see what we got here...)

Please stop the irrelevant advocacy. You've made yourself clear many times and it doesn't belong in bugs. If you don't like it turn it off. If you think NO one should have it then bring it up in product design fora -- there are several newsgroups and even a couple community-wide weekly phone conference calls (which feature IRC backchannel if you can't afford the phone charges).
Assignee: nobody → ehsan.akhgari
Status: NEW → ASSIGNED
I'd take a patch, but we don't need to block on this. Definite nice to have.
Flags: wanted-firefox3.1+
Flags: blocking-firefox3.1?
Flags: blocking-firefox3.1-
Whiteboard: [private browsing mode]
Whiteboard: [private browsing mode] → [private browsing mode][PB-P2]
Keywords: privacy
(In reply to comment #1)
> Can you give me a clue on what code to look at to make this happen?

Dave: ping?
Is this still relevant?

The code is in toolkit/components/url-classifier, if that helps. :)
Disabling the full hash caching indeed will have the opposite effect, comment 2 is right about that. We can only disable the service entirely during private browsing.
Product: Firefox → Toolkit
Once bug 1254766 is fixed, this will become an even smaller leak.
Priority: -- → P5
Since we are now only caching these to memory, I don't think it's worth working on this any further.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.