What is exactly SiteSecurityServiceState.txt?

Discussion about official Mozilla Firefox builds
Drumbrake
Posts: 1177
Joined: February 14th, 2011, 2:34 am

What is exactly SiteSecurityServiceState.txt?

Post by Drumbrake »

This SiteSecurityServiceState.txt file has been in the nightlies for a while and now it is also in my default Firefox profile. I'm not sure what it is but it apparently stores a long list of visited websites.

No privacy setting that I can think of prevents this list from being created, nor could I find a way to clear its contents.

Any hints on what it actually does and how to eventually get rid of it, or at least regularly expunge this list?
Virtual_ManPL
Posts: 2052
Joined: July 24th, 2008, 5:52 am

Re: What is exactly SiteSecurityServiceState.txt?

Post by Virtual_ManPL »

It's a text file database for HSTS supercookies which replaced the SQLite database in Bug 775370 - Don't use PermissionManager to save stuff in nsStrictTransportSecurityService.
Virtualfox persona
Tired of constant Firefox UI changes? XUL extensions are not working anymore? Try SeaMonkey, Waterfox Classic, Pale Moon.
Drumbrake
Posts: 1177
Joined: February 14th, 2011, 2:34 am

Re: What is exactly SiteSecurityServiceState.txt?

Post by Drumbrake »

Let me get this straight: apart from traditional cookies, DOM storage and IndexedDB, we now also have this file, that

• is purposely meant to store supercookies
• cannot be disabled in about:config
• cannot be cleared from the GUI

and stores stuff like that

Like normal cookies, they allow him to fingerprint users who browse to his site in non-privacy mode, so if they return later, he will know what pages they looked at. There are two things that give his cookies super powers. The first is that once set and depending on the specific browser and platform it runs on, the cookies will be visible even if a user has switched to incognito browsing. The second is that the cookies can be read by websites from multiple domain names, not just the one that originally set the identifier. The result: unless users take special precautions, super cookies will persist in their browser even when private browsing is turned on and will allow multiple websites to track user movements across the Web.

Browsing in privacy mode? Super Cookies can track you anyway
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: What is exactly SiteSecurityServiceState.txt?

Post by patrickjdempsey »

Delete the file, create a new one with the same name then set it to read-only. ;)
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
Drumbrake
Posts: 1177
Joined: February 14th, 2011, 2:34 am

Re: What is exactly SiteSecurityServiceState.txt?

Post by Drumbrake »

Well, of course ;)
Before doing that, I'm watching the file and expunging it regularly with

Code:

echo ' ' >/SiteSecurityServiceState.txt

just to keep an eye on what gets in there.

Do you know how to read this file? A typical entry looks like this:

Code:

notification.adblockplus.org:HSTS       0       16506   1457724292222,1,0

What does it mean?

On a side note, do you think they'll ever stop adding more and more exotic and half-hidden (I do mean for the non-tech folks; if you know where to look you'll find them) storage databases?

I guess not.
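Added example, not part of the original posts and not Mozilla's code: a small Python parser that decodes entries like the one quoted above, so the file can be audited for which hosts it records and when. The field meanings (key with a `:HSTS` type suffix, score, last-accessed day count since 1970, then `expiry_ms,state,includeSubdomains`) follow Firefox's storage layout for this file as understood here; the dictionary keys, state labels and the second and third sample lines are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Numeric state codes; the text labels are our own naming (assumption).
STATES = {0: "unset", 1: "set", 2: "knockout"}

def parse_entry(line):
    """Decode one 'key score last_accessed value' record."""
    fields = line.split()  # tabs in the real file, spaces when pasted
    if len(fields) != 4:
        raise ValueError("expected 4 whitespace-separated fields")
    key, score, days, value = fields
    host, sep, kind = key.rpartition(":")
    if not sep:
        raise ValueError("key has no ':TYPE' suffix")
    parts = value.split(",")
    if len(parts) < 3:
        raise ValueError("value needs expiry,state,includeSubdomains")
    return {
        "host": host,
        "type": kind,
        "score": int(score),
        # Whole days since 1970-01-01 on which the entry was last used.
        "last_accessed": (EPOCH + timedelta(days=int(days))).date(),
        # Expiry of the HSTS policy, milliseconds since 1970-01-01 UTC.
        "expires": EPOCH + timedelta(milliseconds=int(parts[0])),
        "state": STATES.get(int(parts[1]), "unknown"),
        "include_subdomains": parts[2] == "1",
    }

def parse_file(text):
    """Return (entries, skipped): decoded records and count of bad lines."""
    entries, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entries.append(parse_entry(line))
        except ValueError:  # wrong field count or non-numeric field
            skipped += 1
    return entries, skipped

# Constructed sample: line 1 is the entry quoted in the thread, the rest invented.
SAMPLE = (
    "notification.adblockplus.org:HSTS\t0\t16506\t1457724292222,1,0\n"
    "example.test:HSTS\t3\t16500\t1460000000000,1,1\n"
    "truncated-line\t0\n"
)

if __name__ == "__main__":
    for e in parse_file(SAMPLE)[0]:
        print(e["host"], e["last_accessed"], e["expires"].isoformat(), e["state"])
```

For the quoted entry this gives a last-accessed date of 2015-03-12 and a policy expiry roughly one year later, which is why the file reads as a dated list of HTTPS sites that sent an HSTS header.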
JayhawksRock
Posts: 10433
Joined: October 24th, 2010, 8:51 am

Re: What is exactly SiteSecurityServiceState.txt?

Post by JayhawksRock »

No real surprise in Nightly 39, SiteSecurityServiceState.txt has been in Firefox since at least Firefox 35. The ABP item looks like ABP blocked and reported a site using its built in hosts file.
Last edited by JayhawksRock on March 12th, 2015, 1:06 pm, edited 1 time in total.
"The trouble with quotes on the internet is you never know if they are genuine" ...Abraham Lincoln
6lobe
Posts: 124
Joined: September 16th, 2014, 8:27 am

Re: What is exactly SiteSecurityServiceState.txt?

Post by 6lobe »

Virtual_ManPL
Posts: 2052
Joined: July 24th, 2008, 5:52 am

Re: What is exactly SiteSecurityServiceState.txt?

Post by Virtual_ManPL »

Drumbrake wrote:[...]
• cannot be disabled in about:config
• cannot be cleared from the GUI [...]
Time to report a bug? ;)
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: What is exactly SiteSecurityServiceState.txt?

Post by patrickjdempsey »



Helps to read the entire article:

ars wrote:Update: The latest version of firefox, 34.0.5, no longer allows HSTS Super Cookies set in regular mode to persist in private mode. Greenhalgh said this fix is recent and produced screenshots showing his PoC worked on version 33 of Firefox, at least when running on Windows. Firefox 34.0.5 continued to allow multiple websites access super cookies. Chrome on Windows remained fully vulnerable, as did Chrome and Safari running on an iPad tested by Ars. Internet Explorer isn't vulnerable because currently supported versions of the browser don't support HSTS.


Edit: and tested in Firefox using the RadicalResearch link. Private Browsing Mode wipes these, and in fact since Private Browsing stores cookies and other data in RAM, this file isn't written to. Mine had old entries in it, presumably from Firefox 33 or whatever version it was introduced before Private Browsing support was implemented.
Drumbrake
Posts: 1177
Joined: February 14th, 2011, 2:34 am

Re: What is exactly SiteSecurityServiceState.txt?

Post by Drumbrake »

Virtual_ManPL wrote:
Drumbrake wrote:[...]
• cannot be disabled in about:config
• cannot be cleared from the GUI [...]
Time to report a bug? ;)


Yes, and to speed things up I'll wontfix it myself ;)


patrickjdempsey wrote:


Helps to read the entire article:

ars wrote:Update: The latest version of firefox, 34.0.5, no longer allows HSTS Super Cookies set in regular mode to persist in private mode.(...)


Edit: and tested in Firefox using the RadicalResearch link. Private Browsing Mode wipes these, and in fact since Private Browsing stores cookies and other data in RAM, this file isn't written to. Mine had old entries in it, presumably from Firefox 33 or whatever version it was introduced before Private Browsing support was implemented.


I did read the article, and I can confirm that the file doesn't get written in Private Browsing Mode, but still I shouldn't be forced to use Firefox in private mode just to get rid of this index.
Besides, data isn't written on disk but as you say it still is in memory. IMO there should be a way to disable/clear all these new storage methods from the GUI.
Virtual_ManPL
Posts: 2052
Joined: July 24th, 2008, 5:52 am

Re: What is exactly SiteSecurityServiceState.txt?

Post by Virtual_ManPL »

Drumbrake wrote:
Virtual_ManPL wrote:
Drumbrake wrote:[...]
• cannot be disabled in about:config
• cannot be cleared from the GUI [...]
Time to report a bug? ;)
Yes, and to speed things up I'll wontfix it myself ;)
If you're that "optimistic" and don't even bother to talk to devs on IRC or even create a bug report, I don't understand the point of this topic, when you're asking about something and next you give a reply by yourself in your second post here, or is it just a whining thread?
Chromium is fully affected and you're using it too (if it's not spoofing kinda big UA), kinda funny ;)
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: What is exactly SiteSecurityServiceState.txt?

Post by patrickjdempsey »

I don't use Firefox so I'm not going to spend hours testing all of the possible settings, but have you actually tried the various "delete history on exit" settings? Deleting cookies on exit actually uses the Private Browsing mechanism and deletes LSO's and several other things that fall under the general banner of "cookies". And presumably Mozilla didn't totally reinvent the wheel with this one in order to get it to work with Private Browsing.
Drumbrake
Posts: 1177
Joined: February 14th, 2011, 2:34 am

Re: What is exactly SiteSecurityServiceState.txt?

Post by Drumbrake »

Virtual_ManPL wrote: If you're that "optimistic" and don't even bother to talk to devs on IRC or even create a bug report, I don't understand the point of this topic, when you're asking about something and next you give a reply by yourself in your second post here, or is it just a whining thread?


Calm down, that was a joke. Although, not entirely disconnected from reality when you consider the amount of bugs marked as "wontfix" or "invalid".

Besides, I assume we have some right to whine, considering how much stuff is being constantly added to Firefox and, as a consequence of that, how many hidden settings we are forced to chase down in order to disable stuff that we don't need/want.
While at the same time some bugs are waiting for ages to be fixed.

Speaking of the subject of this very topic, IMO adding new modules/features/storage databases that may by their own nature present privacy/security risks and then waiting for someone to file a bug is not the right way to go: at the time these things are added, clear directions on how to disable/clear them should be provided, all the better if from the GUI and not via some hidden setting or JavaScript trickery.


patrickjdempsey wrote:(...)Deleting cookies on exit actually uses the Private Browsing mechanism and deletes LSO's and several other things that fall under the general banner of "cookies". And presumably Mozilla didn't totally reinvent the wheel with this one in order to get it to work with Private Browsing.


Well, I didn't want you to try, I asked just in case you knew how to clear this file ;)
I can tell, on my part, that the following settings to clear the DOM storage (which I did find by accident here https://wiki.mozilla.org/DOM ) do not work with SiteSecurityServiceState.txt :

DOM Storage can be cleared via "Tools -> Clear Recent History -> Cookies" when Time range is "Everything" (via nsICookieManager::removeAll)
But not when another time range is specified: (bug 527667)
Does not show up in Tools -> Options -> Privacy -> Remove individual cookies (bug 506692)
DOM Storage is not cleared via Tools -> Options -> Advanced -> Network -> Offline data -> Clear Now.
Doesn't show up in the "Tools -> Options -> Advanced -> Network -> Offline data" list, unless the site also uses the offline cache. If the site does appear in that list, its DOM storage data is removed along with the offline cache when clicking the Remove button.


Which kinda proves my point, this stuff is actually hidden for normal people, who would have guessed that the combination described above would in fact clear the local storage too?
alta88
Posts: 1029
Joined: January 28th, 2006, 3:08 pm

Re: What is exactly SiteSecurityServiceState.txt?

Post by alta88 »

patrickjdempsey wrote:I don't use Firefox

This reduces credibility on a...firefox forum? No offense really, but come on.

The entries in SiteSecurityServiceState.txt can be cleared (on restart) if Privacy tab Clear History is checked, and in the Settings dialog Site Preferences is checked. However, this deletes any and all site cookie exception permissions, which is very inconvenient.

Plus, in Fx39 trunk, if browser.preferences.inContent is true, the default, the options to show cookies and exceptions and clear history settings seem to be removed, and the latter two's functionality is not found in about:preferences. If false, the window dialog still has them. It doesn't seem to be a good sign, perhaps this is an in transition thing. The bug to remove hsts from the sqlite permissions db, where it would have been easy to manage, doesn't say in initial comments why this was a good idea.

The direction Firefox dev is going with user control of privacy settings is exactly opposite of what it states elsewhere for marketing purposes, in this case so far.
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC

Re: What is exactly SiteSecurityServiceState.txt?

Post by patrickjdempsey »

alta88 wrote:
patrickjdempsey wrote:I don't use Firefox

This reduces credibility on a...firefox forum? No offense really, but come on.


Get over yourself.