Schneier on Security
A blog covering security and security technology.
« Enigma? |
| Secret Doors »
March 27, 2006
Firefox Bug Causes Relationship to Break Up
A couple -- living together, I assume -- and engaged to be married, shared a computer. He used Firefox to visit a bunch of dating sites, being smart enough not to have the browser save his password. But Firefox did save the names of the sites it was told never to save the password for. She happened to stumble on this list. The details are left to the imagination, but they broke up.
Most bug reports aren't this colorful.
Posted on March 27, 2006 at 7:53 AM
• 58 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Doesn't seem so much like the Moz bug's fault.
Mozilla caused it alright - and because it was Jealous no doubt.
If not for Mozilla, they would still be in a loving, open, honest, and intimate relationship.
I just thought of the J. Geils Band and Love Stinks.
You love her
But she loves him
And he loves somebody else
You just can't win
The next song is Tryin' Not To Think About It. 1967 was all incense and peppermints, paisley and Pepper, and other things groovy.
Is that actually a bug? Is it any different than maintaining the history of the sites visited?
If Firefox did not ask to save my password at a site that I wanted it to, I would first check to see if I clicked the "Never for this site" button. If removing particular sites from the 'never save' list weren't possible, I would think that was a bug. As an alternative, clearing all the 'never save' sites from the list can be a large hassle not worth the effort.
Browsers do attract interesting bug reports from time to time - Mozilla used to track them but stopped to cut down on abuse. One I remember was "table of porn does not get reflowed correctly".
HOW TO AVOID THE SAME FATE
Is actually quite simple,
1, Buy an external serial modem or use
an Ethernet or other network connection that Knoppix supports.
2, Buy (or get from a show) a USB Dongle
3, Download Knoppix onto a CD
4, Using Knoppix create a secure (ie AES encrypted) loop back file system on the USB Dongle, and use this as your home directory (all this is documented in the Knoppix help available on the internet).
Now when you want to go online and visit "hot.picks.con" or other site use Knoppix and the USB dongle to store the book marks etc. As long as nobody actually catches you online, or with the dongle still active in knoppix you are fairly safe (remember if you are thinking of a life of crime most ISPs and a lot of employeres now log all your URLS etc)...
Why must we consider this fact a bug in the browser ?
Of course, if you click [Never for this site], the browser must remember this site. If you click [not Now], it has nothing to remember.
I think the bug was in the relationship, and was correctly debugged by removing the incompatible element.
That's an unwanted side effect - not a bug.
His girlfriend could as well have looked at the browser cache or the history, which also stre information on the sites visited.
Of course this problem could be avoided if Mozilla stored the sites not in cleartext but as hash values using a unique salt for each one. But even in that case, an attacker could scan the file for known URLs.
Ultimately, the only protection from leaving data traces by browsing is either to delete the whole profile folder and the temporary files or securely encrypt the whole stuff. But all that would probably be too cumbersome for most users.
It's definitely a bug--at least by my definition. The question is what to do about it.
1. If the two of them were using different accounts on the computer, then Firefox is leaking information across accounts.
2. If the two of them were using the same account, then Firefox should have a bit of text on the appropriate dialog box: "Warning: This program maintains a list of sites never to save passwords for, and that list is viewable."
Just because it's a bug doesn't mean it's a technical bug.
You have to consider the fact that the girl accessed the browser from a separate Windows user account.
Firefox should keep the profiles separate.
But, reading the bug, there were some strange things going on regarding the installation of the browser, so this may be a PEBKAC as well.
As for the site being in the history, the privacy-functions should clear the history when invoked. Apparently they do not clear the "don't save password for..." list.
Clearing the "Never save passwords for..." list would deactivate it! If the browser doesn't have a memory of the site, it will continue to prompt and/or save passwords as default.
It wasn't Mozilla which caused the break-up, but his stupidity. Blaming it on a piece of software rather misses the point. Yes, there should be proper separation of user data, but that still doesn't excuse his not being careful in the first place.
Is there really any good reason why the site name couldn't practically be hashed instead, rendering it impractical to see which sites the preferences in question apply to?
There's usually very little use in seeing your password retention preference outside the scope of the site you're currently browsing, anyway.
The problem is:
(1) The "Passwords Never Saved" list of sites also serves as a list of sites visited, and
(2) The "Clear Private Data" function doesn't remove that list.
As a result, the user believes she's removing all evidence of past browsing habits when she's not. Whether that's a bug or merely a confusing design choice is a matter of semantics, but it doesn't seem right.
This is not a bug.
They were using the same Firefox profile. The guy installed another copy of Firefox on the machine, thinking that by doing that he's using a different profile. He wasn't.
The girl (the one reporting the "bug") didn't even have to look at a prefs file. She was just using Firefox, and tried to clear a password she saved. She then noticed the list of "never saved" passwords.
The fact that a new installation of Firefox is using an existing profile is the only possible bug in this story. Well, guess what - the Mozilla people say it's actually a feature. I'm not sure I agree. At the very least, if the installation program notices there's an installed version, it should warn the user.
The point in storing the domains in clear text is actually pointed out in the bug report: Sometimes you might want to remove one or several sites from the list and you can't do that if you just have hashes.
While one can find technical solutions to this (such as being only able to remove the site you are currently visiting), they would not be as userfriendly.
Second, hashes would only help against casual overview. You could still find out if a particular site is on the list by attemting to add it and see if the list grows.
"It wasn't Mozilla which caused the break-up, but his stupidity. Blaming it on a piece of software rather misses the point. Yes, there should be proper separation of user data, but that still doesn't excuse his not being careful in the first place."
Be careful. Users are not necessarily security saavy -- or even necessarily computer saavy -- and we in the industry are wrong if we expect them to be.
Computers are mass-market consumer items. They need to work for mass-market consumers. When they don't, it's a bug.
There's an interesting essay here about security and usability. Or more precisely, usability bugs that affect security.
The number of banner ads that I see for "Internet history erasers" shows that there is a market of non-technical people looking to cover their tracks on a computer.
For a number of things, a non-tech savvy user can ask his friend who's a computer techie for advice, but when it comes to "how can I cover my tracks after I visit porn or dating sites", a lot of people simply cannot ask even their trusted friends.
What's interesting in this case, is that, if I understand correctly, the guy was careful enough to uninstall Firefox and then reinstall it under a separate Windows account, showing that he has at least a mild understanding of what profiles are.
What he forgot to check was if the new install would use a separate Firefox profile, and not the one he had under the previous install. If the new Firefox restored all his bookmarks, he should have been a little suspicious.
While I agree there may or may not be a problem with the software here, I think everybody is glossing over the real problem here, that two people are living together without trust, probably when that lack of trust is caused by the actions of one or both.
Sounds to me like this guy wasn't ready to commit to her, but he could have been more forthcoming about it to her. If there's a bug in the system, it's in the wiring in each of their heads.
That's because this is "Schneier on Security," not "Schneier on Relationships."
"That's because this is "Schneier on Security," not "Schneier on Relationships.""
I'd read that!
That's what I call a feature.
Funny, Firefox was the enabler in another break-up last week. Thanks to the 'save password' feature, a guy I knew accessed his girlfriend's (private) communications out of suspicion, which revealed infidelity.
This is interesting from a security point of view, but also from a moral one - I'd say he shouldn't have been looking in the first place, but he did reveal a gross violation of trust...
There is a big difference between 'don't save passwords for this site' and expecting the sites not to appear in history.
I never save passwords for my bank or credit card sites on the computer, but I don't consider the history list of those sites to be purged just by making that option.
I appreciate the non-savviness of many users (it keeps me employed, after all), but I still disagree with the thrust of the article, namely that Firefox was somehow responsible for his girlfriend's becoming upset with him. If he hadn't been misbehaving in the first place then there would never have been an issue.
But, as Jim points out, this blog isn't "Schneier on Relationship", so fair enough: the exposure of user data is still a concern, even where romance isn't an issue.
For one person it's a bug and she thought it was a feature and just used it. I guess some features bug you more than others.
Computers don't creat treachery, users do.
With so many new features, it's getting difficult to tell the bugs apart from the features. You can't please everybody, so K.I.S.S.
What I find intriguing is that he thought he was covering his tracks, but he was in fact leaving a record of sites he had visited.
"Mozilla Feature Causes Computer to Break Up"
Maybe somebody can script a movie.
Sleepless in San Jose
Boy meets computer, boy falls in love. Computer dies.
What if you kissed someone you never met, someone you never saw, someone you never knew who was the only someone for you?
I agree that it's totally ridiculous to say that the Firefox issue (bug? probably, yes) caused the break-up of the relationship. Clearly, the man's behaviour, and the woman's reluctance to tolerate it (hey, there are 'open' relationships out there), is what caused the break-up.
"Ultimately, the only protection from leaving data traces by browsing is either to delete the whole profile folder and the temporary files or securely encrypt the whole stuff."
No, the only protection from leaving data traces is not to go there. Anything else is going to rely on secure erasure, which is rather unlikely, given that current operating systems don't allow you to track data as it flows through memory, swap-space, re-assigned disk clusters, etc, etc.
The moment you decrypt data, it becomes available in memory and (unless you're very very careful) may be swapped out to disk.
I love my machine. Me so geeky ISO a cool bitty to do light home home chores in exchange for free computer time and possible free rent in LA area. Get a life!
This also speaks to the lack of trust from the "victim".
It goes back to "if you're doing nothing wrong, you have nothing to hide" conversation. Well, if I'm presumed to be innocent, why do you need to monitor me? Perverse curiosity is not an acceptable reason.
In this instance, (again, this is not "Schneier on Relationships") complete inspection of mutually owned (shared, whatever) property is to be expected, and the usability of the software is at odds with a security feature.
My solution? "Never remember passwords" (this should prevent a list from being maintained) combined with not maintaining a history. I'm still vulnerable to forensic analysis of my hard disk, but I rectify that occassionally when I think about it.
From the bug track:
"Although i only use opera for my porn-and-personal sites because of fears of the gf finding something in IE or Firefox...."
That kills me.
Opera: Yet Another Security-By-Obscurity Feature discovered!
Interesting problem... so Bruce, how would you solve this without adding complexity for the user (for example, requiring a meta-password)?
I guess Firefox could store a hash of the site address instead. That would still let you verify if someone visited a specific site but you wouldn't be able to get the list of sites. Is there a better solution?
While this issue definitely has interesting security implications, the specific problem in this case is non-technical: Relations between two people. Engaged to be married, yet browsing dating sites? What's wrong with this picture, folks, and what *technical* solution could possibly fix it?
>>or maybe by being honest w/mate.
that helps. My wife doesn't have a problem about my porn sites, but she would be upset if I started hiding dating sites.
My personal security maxim:
"Security without inconvenience isn't very secure"
My personal responsibility maxim:
"If you are standing there with a smoking gun in your hand and a painful hole in your foot, you shouldn't look around trying to find the culprit...get a mirror."
* In this case, the browser isn't the culprit. (IMHO)
From the Big Bambu album:
"Bailiff, whack his pee pee."
* sometimes it requires some personal discomfort in order to learn important lessons.
What I think is most interesting about this is that she reported the behavior as a bug even after exploiting it. She essentially says "it's wrong for my browser to tell me what sites my fiance has been visiting, but since it does so, I'm breaking up with him over the information."
Bug? That's the best feature ever! Mozilla freed that guy from a very serious relationship, and saved him from marriage. Speaking on behalf of men with a fear of commitment everywhere, thank you Mozilla!!!
In all seriousness, though, this is a bug. Say what you want about it in this context, but what if you're on trial by the RIAA, and they use this to prove that you have an account at The Pirate Bay, Mininova, TorrentSpy, etc.? Or what if a Chinse user has been very careful to use Tor/Privoxy, but the Gov't uses this feature to prove that he's been visiting democracy-for-china.org (I don't know if that's a real site)? Will you still call it a feature then?
Mozilla didn't cause this, the husband did. That's like saying that the bloody glove is the cause of OJ being in jail.... wait, bad example. But you get my point.
There are times I'm glad Windows doesn't have a public bug database.
They keep the bugs in private, out of sight out of mind. A team of crack MS engineers then examines them and then 6 months later you get a buggy patch which needs patched. The MS bugs are are sometimes just more features, the larvae of the bugs. Vista will be bug free, until the larvae hatches. More bugs, no public database=we ain't got no bugs. We got no love either.
I notice that no-one has wondered if perhaps the problem is not with Firefox, but with the Operating System that let two different user accounts see each others information so easily?
If Firefox can find the profile of the other user and read it then so, presumably, could Windows Explorer.
Good point. I use GNU/Linux desktops exclusively, and I notice that my personal settings are all stored in dot files and directories hanging off of my homedir. The permissions on these directories and files are largely owner-read/write/execute only.
I can't believe that after all these years Microsoft (and/or Microsoft application vendors) haven't gotten this right.
I'm always uncomfortable with the "never save this password" feature, because for me, it's basically lists all the sites I'm worried about someone else cracking eg. online banking.
I always try and click "not now", because it doesn't reveal that extra layer of information.
It's not designed around security.
The browser isn't insecure.
The whole thing is a security mess.
What's so difficult?
I think whether this is a bug or not is very debatable. Where I concur is that what the user expects - and what browsers don't have - is a "privacy mode" Opera and Firefox have gotten closer with the "erase private data" function,.
A real "privacy mode" would allow the user to flip a switch, metaphorically, and as long as it stays on, all surfing data - history, cache, passwords, everything - is "temporary". Once the browser is shut down, it's all forgotten - but without destroying the data cached for normal browsing convenience.
This would be just a nice feature that corresponds with our offline notions of privacy and the realities of sharing a computer in a hosuehold.
The key point here is that there appears to have been a mechanism, albeit complicated, by which profile information could leak between Mozilla accounts not protected by an encryption password. However, if you read carefully how it occurred, that is NOT what actually happened; there was no leakage between accounts or profiles.
What happened is this: two users (let's call them Alice and Bob) SHARED the same Windows account. Bob installed Firefox in this account, and saved some profile information, relying on "security by obscurity" because Alice was unaware of Firefox. Later Alice became aware of Firefox, and Bob uninstalled it. Bob went on to carry out various other activities (creating a new Windows XP account and creating a new Firefox profile) which activities are in fact irrelevant because at this point the damage has already been done. Later (actually, much later, but that doesn't matter) Alice reinstalled Firefox in her original account, and saw the old profile entries.
At no point has there been leakage of information across profiles or accounts; the information that Alice saw was shown to her because so far as both Windows and Firefox were concerned, it was HER profile in HER account!! Bob screwed up in three ways:
1. He relied on "security through obscurity" by saving his sensitive information in a (not very obscure) part of Alice's account, ignoring the optional additional encryption, and just hoping she wouldn't ever find it. Well, eventually, years later, she did.
2. He (presumably) thought that "Never save passwords for this site" meant something like "Record absolutely nothing about this site", which is nearly the opposite of what it meant.
3. He apparently thought that uninstalling Firefox would erase his profile as well.
Error 1, which is the biggy, and is the only thing which somehow "subverted" (actually, appeared to subvert) account permissions, was basically his own stupid fault. Arguably Firefox could do more to protect people from themselves by popping up a stronger warning about the necessity of a profile password before saving the first password list entry. Even more useful would be more recognition from security professionals that account != user because people do things like sharing accounts and then later splitting them. Perhaps we need mechanisms that recognise that if a home user version of Windows XP was set up with one account, and much later another is created, then a shared account is being split up and some cleaning up needs to be done. But there's only so much you can do. When two people effectively pretend to the computer that they are the same person, they can't later complain that it can't tell the difference!
Error 2 can be partly blamed on Firefox, although it's not so much a bug as unclear expression. The expressions used to label those buttons is not entirely clear. I'm pretty computer savvy, and I recall that the first time I saw that dialog, I had to think about the implications for a couple of seconds. I can easily see even fairly sophisticated users being confused by it. Maybe the buttons should be called "Save password for this site", "Forget this site this time" and "Put this site on a list of sites I shouldn't bug you about", or something like that.
Error 3 is not a bug, it's a feature, which Firefox shares with many (probably most) other applications. Most of the time if you uninstall and reinstall an application, you would be more than slightly peeved if all the user-created stuff associated with it had vanished. However one can also see that sometimes this isn't what the user wants. I think most uninstallers should probably give the user a clearly labelled option to clean out all profile entries (or saved games, saved documents, whatever) as well. In fact should I choose to uninstall a security related application, I would like the uninstaller to trawl through the file system and Windows registry and expunge every trace of the application, its associated file types, and any registry entries linked to those three letter extensions. But TTBMK the total list of applications which currently do this, is nil. This is one reason why some folk advocate occasionally wiping and completely reinstalling a non-server Windows installation, because installs and uninstalls occur all the time and many uninstalls don't completely clean up.
So I hope he's going to sue someone? It's the American way after all.
The worst part of this is the denial, the user's legitimate privacy expectations were violated. This did not worry people. If it was an IE bug I can guarantee that it would have been recognized as such bu the OSS community.
Security is not partisan. Usability errors are security bugs.
In this case the machine was unexpectedly keeping track of the user, worse still it appears that it was unexpectedly sharing information across Windows accounts.
This violates my second law of usability The behavior of the system was not predictable.
More importantly, I think that there should be some facility that provides explict support for non-trackable browsing, either by destroying the history file altogether or by storing the history information offsite.
What I find fascinating is just how little understanding of the actual events people have. It's a somewhat complicated situation, and most of the comments here make assumptions which don't hold up if you read the bug report (and Jesse's blog post) carefully.
Roger's fairly lengthy post is the only one which seems to jibe with the available data.
The key point is that when Firefox is uninstalled, and then installed again on the same account, it uses the old profile. This is something most users want by default.
The minimum solution is to at least warn the user that profile data will be kept by default, and allow the option to clean it.
> The key point is that when Firefox is uninstalled, and then installed again on the same
> account, it uses the old profile. This is something most users want by default.
Actually, this is more or less the default setting for just about every piece of Windows software that stores data in "c:\documents and settings\[username]\application data" or "c:\documents and settings\[username]\local settings\application data".
Properly speaking, this isn't a bug. Installers usually only uninstall the *program*, not any data files or config files associated with the program. If you think about it, this actually makes perfect sense -> would you want all your word docs and/or templates deleted if you uninstall word?
> The minimum solution is to at least warn the user that profile data will be kept by default,
> and allow the option to clean it.
I absolutely agree. A proper uninstaller should have three settings: #1 (default, just program) -> "remove all files placed by the installer in any location (usually c:\Program Files\[splat] and the system folder) and clean all references to any files copied by the installer in the system registry"; #2 (program and config) -> do #1 and also remove any files created by the program in "c:\documents and settings\application data" &/or "c:\documents and settings\local settings\application data"; and #3 (program, config, and data) -> do #1, #2, and delete any directories or files created in "c:\documents and settings\[username]\My Documents\"
This of course assumes that the program only stores data in those the "proper" locations and only installs executables in the proper place (which should also be default behavior, but that's a different thread).
this isn't a hardware or software bug, this is a skinware bug. one commentator above disputed this, saying that computers were made for the mass market. well, yes, but that doesn't mean they're suitable for every single customer in that market....
I am rather dumb when it comes to all this secruity stuff and have a question.Does a pop up show up in your history or in the addresses you have visited when you dont visit the advertised sites?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.