Sign in / up

back to article Firefox 85 crumbles cache-abusing supercookies with potent partitioning powers

The Mozilla Foundation has scorched a pair of monstrosities in the new version 85 of its Firefox browser. The big target is supercookies which, as explained by Mozilla privacy engineer Steven Englehardt and senior product manager for Firefox privacy and security Arthur Edelstein, are very nasty trackers indeed because they …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *

  1. This post has been deleted by its author

  2. Hubert Cumberdale Silver badge

    Good stuff. However, I have caching of HTTPS pages disabled (which makes no discernible difference to page load times on my modest 36Mbit broadband), and I also enforce HTTPS (only occasionally making an exception when absolutely necessary), so this won't make too much difference to me. I re-iterate my call for HTTPS on every website, and I await the inexplicable downvoting from those who seem to think it's a bad idea because its hard work* or something.

    *Before anyone says LetsEncrypt is difficult to understand etc., I will note that I find it utterly seamless with my hosting provider. In any case, that's not an argument against HTTPS, it's an argument for simpler implementation of HTTPS certificate management.

    15 1 Reply
    1. Crypto Monad Silver badge
      Reply Icon

      This issue is not so much about caching of HTML pages themselves, but of the assets referenced within them - images, CSS stylesheets, Javascript etc.

      Even when fetching over HTTPS, I doubt your browser refetches *all* the assets for a page for every page view. For many sites that would be multiple megabytes per view; you'd certainly notice it.

      The problem described in the article is when two separate websites (site1 and site2) both reference an asset at the same URL, e.g. img src="https://example.com/foo.png". Colluding sites could generate an image (or stylesheet etc) dynamically, and then check its content. The solution in Firefox is to have separate caches when browsing site1 and site2.

      9 0 Reply
      1. Graham 32
        Reply Icon

        > I doubt your browser refetches *all* the assets for a page for every page view.

        All resources on an https page have to be loaded over https. So if he has https caching disabled it really will fetch everything on every page view.

        6 0 Reply
        1. Hubert Cumberdale Silver badge
          Reply Icon

          Indeed. And I maintain that if the load times are impacted at all, it's not in a way that I care about (after all, I grew up with a 56k modem). I sincerely hope that most sites aren't slinging multi-megabyte images at me anyway. Maybe blocking the ads helps with that.

          3 0 Reply
        2. Anonymous Coward
          Reply Icon
          Anonymous Coward

          The article states there's a separate HTTP cache & image cache - so I wouldn't automatically assume that "HTTPS cache disabled" (whatever that means exactly) disables cross-origin HTTPS image cache.

          0 0 Reply
    2. Paul Crawford Silver badge
      Reply Icon

      https everywhere

      I have no issue with sites offering only https for security.

      I do have an issue with web browsers disallowing http or self-signed certificates and no configuration to allow it, as that breaks lots of legacy equipment you might need to administer locally over http.

      15 0 Reply
      1. Hubert Cumberdale Silver badge
        Reply Icon

        Re: https everywhere

        I concur. That is a pain in the arse.

        5 0 Reply
    3. Snake Silver badge
      Reply Icon

      The simple expedient, available for many years, was to set Firefox to clear both your cookies and cache at every program exit.

      Am I the only [paranoid fool] who bothered to actually use this option??

      0 0 Reply
  3. iGNgnorr
    FAIL

    Firefox 85 hangs

    Firefox 85 is unusable: it hangs immediately. On the up side, that does prevent user tracking.

    2 27 Reply
    1. ThatOne Silver badge
      Reply Icon
      Trollface

      Re: Firefox 85 hangs

      > Firefox 85 is unusable

      Thank god you're here, nobody else had noticed yet!

      13 0 Reply
      1. Anonymous Coward
        Reply Icon
        Boffin

        Re: Firefox 85 hangs

        Latest Firefox packages for Fedora show this in the changelog:

        - Added fix for mozbz#1679933 - startup crash

        It's a Mozilla bug, so possibly affects lots of people, however I didn't see a crash myself with the first ff 85 package I installed.

        0 0 Reply
    2. Snake Silver badge
      Reply Icon

      Re: Firefox 85 hangs

      For the record, that seems to be on Linux or Fedora specifically. Runs fine on Win10 1909.

      2 0 Reply
      1. BenDwire Silver badge
        Reply Icon
        Go

        Re: Firefox 85 hangs

        It runs fine on Debian Testing too.

        1 0 Reply
      2. Chubango
        Reply Icon

        Re: Firefox 85 hangs

        Fine on arch as well.

        2 0 Reply
        1. Palpy
          Reply Icon

          Re: "Fine on Arch as well."

          I was poised to -Syu but thought, mmm, maybe extend an info-gathering antenna tentatively first. No need! Thank, Chubango.

          1 0 Reply
      3. Adair Silver badge
        Reply Icon

        Re: Firefox 85 hangs

        No probs on Mint so far.

        1 0 Reply
      4. Fruit and Nutcase Silver badge
        Reply Icon

        Re: Firefox 85 hangs

        Ok on Centos 7

        0 0 Reply

  4. This post has been deleted by its author

  5. razorfishsl

    The image tagging has been in use since about 2008,

    Why have they only decided to do something about it now?

    Facebook was the biggest user of the tech... via their off site links back to face book.

    each website has a link which serves a tagged image from FB to the users browser.

    0 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like