
encrypt thumbnail image files

Status: RESOLVED WONTFIX
Product: Firefox
Component: Tabbed Browser
Reported: 5 years ago
Updated: 5 years ago
Reporter: Dave Garrett
Assignee: Unassigned
Blocks: 1 bug
Keywords: privacy
Firefox Tracking Flags: Not tracked

(Reporter)

Description

5 years ago
The thumbnails dir in the Firefox profile contains surprisingly legible 480x300px screenshots of pages, including sites you were previously logged into. (e.g. I can read the text in a Bugzilla screenshot) When most people log out of a site they would expect to not be able to view their privately accessed pages so easily after the fact. People shouldn't have to resort to private browsing mode for everything. If these thumbnails are going to be this large then it might be a good idea to start encrypting them (at least for HTTPS sites). The file name already appears to be a hash of the URL so the obvious route would be to encrypt each one with a key comprised of the URL and some per-profile component. It would make it so that someone couldn't just browse through all of the thumbnails on a public computer looking for something to steal. They would still be easily visible via the parts of the browser using them, but encrypting the files would at least make it take some effort.

Updated

5 years ago
Blocks: 755996

Updated

5 years ago
Keywords: privacy

Comment 1 (Gavin Sharp)

5 years ago
We don't store thumbnails at all for sites that we don't cache (bug 754608). So this is not much different than the existing disk cache, except perhaps in ease of access (an additional caveat: things like data entered into form fields is also screenshotted, but that's less likely to be a problem in practice because we screenshot shortly after page load - in any case bug 755996 tracks this). Encrypting the thumbnails would be a performance hit (both when storing the images and when loading them), so that is not an acceptable solution.

I am open to suggestions on straightforward ways to further obfuscate the data in the profile such that it's not quite so easy to access, but I don't think this is one of them, so I'll mark this WONTFIX.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WONTFIX
(Reporter)

Comment 2

5 years ago
(In reply to :Gavin Sharp (use gavin@gavinsharp.com for email) from comment #1)
> an additional caveat: things like data entered into form
> fields is also screenshotted, but that's less likely to be a problem in
> practice because we screenshot shortly after page load

Less likely, but still possible. If I view my bank account page the screenshot can show things like my account balance and transaction history. My bank is bright enough to already obfuscate the account numbers, but there's likely some bank out there somewhere that doesn't.

> Encrypting the thumbnails would be a performance hit
> (both when storing the images and when loading them), so that is not an
> acceptable solution.

True, but to do the job here it can be fast low-grade encryption. We could even go as far as just scrambling the images with a single reused algorithm so as to at least not allow easy perusal of the files. This might be doable with enough speed so as to not be a problem. (possibly restricting this to HTTPS on desktop Firefox only)

Comment 3 (Gavin Sharp)

5 years ago
(In reply to Dave Garrett from comment #2)
> Less likely, but still possible. If I view my bank account page the
> screenshot can show things like my account balance and transaction history.
> My bank is bright enough to already obfuscate the account numbers, but
> there's likely some bank out there somewhere that doesn't.

You conveniently snipped out the part that explained that we already have measures in place to avoid your bank account being thumbnailed at all :) If they're not working for your bank, or if you have suggestions for how to further improve those measures, then by all means do file that bug.
(Reporter)

Comment 4

5 years ago
(In reply to :Gavin Sharp (use gavin@gavinsharp.com for email) from comment #3)
> You conveniently snipped out the part that explained that we already have
> measures in place to avoid your bank account being thumbnailed at all :) If
> they're not working for your bank, or if you have suggestions for how to
> further improve those measures, then by all means do file that bug.

I was under the impression that sites had to specify a certain header and not all did that. I've now installed Live HTTP Headers and if I'm reading this correctly the page on my bank's site sets multiple no-cache headers yet it's very clearly creating a thumbnail image file for it. I initially noticed that Bugzilla had logged-in thumbnails and just checked my bank as an afterthought. For some odd reason it did not occur to me that this particular case of mine wasn't even supposed to happen as-is. :/

I'll dig into this a bit and post a new bug.

In any case, this is still why encrypting could be helpful. Things can get through the supposed filters to prevent certain things from ending up here...
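Comment 1 says thumbnails are only stored for pages the HTTP cache would store, and comment 4 reports a page sending "multiple no-cache headers" that was still thumbnailed. The following is an added example, not Firefox's capture policy (bug 754608 is not quoted on this page): a small Cache-Control parser and a gate that blocks capture on `no-store`, the one directive that forbids storing a response at all, while merely reporting `no-cache`, `max-age=0` and `Pragma: no-cache`, which only force revalidation and leave a stored copy in place. A `strict` option blocks those too. It illustrates, without claiming this is the reporter's case, how a page can carry several "no-cache" style headers and still pass a store-based filter. Function names and the sample headers are constructed.

```javascript
// Added example, not Firefox's thumbnail policy. Assumption: thumbnail capture
// is gated on the same RFC 7234 directives the HTTP cache honours.

// Parse a Cache-Control value into { directive: value | true }, lower-cased.
function parseCacheControl(value) {
  const directives = {};
  for (const part of String(value || '').split(',')) {
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (!name) continue;
    const raw = eq === -1 ? true : part.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
    directives[name] = raw;
  }
  return directives;
}

// headers: object keyed by lower-cased header name.
// Returns { allowed, reason }. Default policy mirrors "would the cache store it":
// only no-store blocks. strict=true also blocks revalidation-only signals.
function thumbnailDecision(headers, { strict = false } = {}) {
  const cc = parseCacheControl(headers['cache-control']);
  if ('no-store' in cc) return { allowed: false, reason: 'Cache-Control: no-store' };

  // These permit a stored copy that must be revalidated before reuse, so a
  // store-based gate lets the page through even though it "says no-cache".
  const revalidateOnly = [];
  if ('no-cache' in cc) revalidateOnly.push('Cache-Control: no-cache');
  if (cc['max-age'] !== undefined && Number(cc['max-age']) === 0) revalidateOnly.push('Cache-Control: max-age=0');
  if (/no-cache/i.test(headers['pragma'] || '')) revalidateOnly.push('Pragma: no-cache');

  if (revalidateOnly.length > 0) {
    return { allowed: !strict, reason: revalidateOnly.join(', ') + (strict ? ' (blocked by strict policy)' : ' (stored, revalidated)') };
  }
  return { allowed: true, reason: 'cacheable' };
}

// Constructed responses resembling a logged-in page that sends several
// cache-busting headers but never no-store, and one that sends no-store.
const SAMPLE_RESPONSES = {
  revalidateOnly: { 'cache-control': 'no-cache, max-age=0, must-revalidate', 'pragma': 'no-cache' },
  noStore: { 'cache-control': 'private, no-store, no-cache' },
  plain: { 'cache-control': 'public, max-age="600"' },
};

function evaluateSamples(opts) {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) out[name] = thumbnailDecision(headers, opts);
  return out;
}
```

`evaluateSamples()` shows the gap: `revalidateOnly` is allowed under the default policy and blocked under `{ strict: true }`, while `noStore` is blocked under both. Which directive set a browser should treat as "do not thumbnail" is the policy question this bug and bug 754608 are about.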