Open Bug 1848559 Opened 2 years ago Updated 1 year ago

Incomplete browser history is a security bug: or at least makes tracking phishing harder.

Categories (Core :: Audio/Video: Playback, enhancement)

UNCONFIRMED

People (Reporter: bryce2, Unassigned)

Attachments (1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1901.203

Steps to reproduce:

Visit "disney.org", then go to the browser history, and what you'll see is just "disney.com". The browser is not recording redirects, the back button or more.

Visit "https://www.shopdisney.com/" then go to "https://www.shopdisney.com/collectibles/" then press the back button and it will erase the history of what took place.

Actual results:

Why is this bad?

Typo squatters and other malware providers rely heavily on redirects to obscure their activities. By tracing all their steps after landing on a malicious page, the user can both understand how they got there, and make appropriate URL reports to services like BrightCloud that track by URL.

Expected results:

By strengthening History, Firefox could help track URL redirect schemes, and have a subtle but useful security advantage over other browsers:

  • Keep a fully chronological URL history, omitting perhaps URLs differing only in ? parameters.
  • In the visible history roll the URLs up into a summary that looks like today's, but with a triangle control to open detail.
  • In the detail, include timestamps down to the second.
  • In the detail, include the IP address at the time of the event (malware sites may play DNS games to obscure their tracks).

There's a user-level benefit also. On occasion I will dive deep into a site, back out a few steps, but then want to go back. Dagnabbit, the history is gone.

So there's a mild non-security use case as well for complete history.
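
The history model proposed in the report above, sketched as an added example (it is not part of the bug report and is not Firefox code). The `Visit` record, the `kind` labels and the sample log with example domains and documentation-range addresses are all constructed for illustration; redirect hops are rolled into one summary row, and the detail keeps per-second timestamps and the resolved IP.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit

@dataclass(frozen=True)
class Visit:   # hypothetical record, not a Firefox structure
    ts: int    # Unix time, one-second resolution
    url: str
    ip: str    # address the host resolved to when the visit happened
    kind: str  # "typed", "link", "redirect" or "back"

def strip_query(url):
    # Key for treating URLs that differ only in ?parameters as one entry.
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path}"

def roll_up(visits):
    """Group a chronological log into rows; redirects join the row they followed."""
    rows, prev = [], None
    for v in sorted(visits, key=lambda v: v.ts):
        if prev and strip_query(prev.url) == strip_query(v.url) and prev.ip == v.ip:
            continue  # same page, same address: only the query string changed
        if v.kind != "redirect" or not rows:
            rows.append({"requested": v.url, "detail": []})
        rows[-1]["detail"].append(v)
        rows[-1]["landed"] = v.url
        prev = v
    return rows

def render(rows):
    """One summary line per row, then the detail a triangle control would reveal."""
    out = []
    for r in rows:
        out.append(f"▸ {r['landed']}  (requested {r['requested']}, {len(r['detail'])} entries)")
        for v in r["detail"]:
            t = datetime.fromtimestamp(v.ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")
            out.append(f"    {t}  {v.ip:<13}  {v.kind:<8}  {v.url}")
    return "\n".join(out)

# Constructed sample log: a typed URL that redirects twice, then a back navigation.
LOG = [
    Visit(1700000000, "http://typo.example/", "192.0.2.10", "typed"),
    Visit(1700000000, "http://hop.example/r?id=1", "198.51.100.7", "redirect"),
    Visit(1700000001, "https://landing.example/", "203.0.113.5", "redirect"),
    Visit(1700000040, "https://shop.example/", "203.0.113.20", "typed"),
    Visit(1700000055, "https://shop.example/collectibles/", "203.0.113.20", "link"),
    Visit(1700000056, "https://shop.example/collectibles/?sort=new", "203.0.113.20", "link"),
    Visit(1700000070, "https://shop.example/", "203.0.113.20", "back"),
]
if __name__ == "__main__":
    print(render(roll_up(LOG)))
```

An entry for the same page is kept when its resolved address differs from the previous one, so a host that changes its DNS answer between requests still shows up in the detail.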

The Bugbug bot thinks this bug should belong to the 'Core::Audio/Video: Playback' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Audio/Video: Playback
Product: Firefox → Core
Attachment #9386313 - Attachment is obsolete: true