Permanent Private Browsing in SM

Discussion of features in Seamonkey
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Permanent Private Browsing in SM

Post by patrickjdempsey »

On the shared work machine, I have all browsers set to run in Private Browsing mode so my various co-workers don't end up logging into each other's ebay/facebook accounts... this was actually a problem prior to the advent of such features in modern browsers.

Firefox actually has three ways to set it to run in Private Browsing:
Options > Privacy > History: Never remember history
Options > Privacy > History: Custom Settings > check Always use Private Browsing mode.
Options > Privacy > History: Custom Settings > check Clear history when Firefox closes > Settings > check everything.

Regardless of the settings, it all works the same way... Firefox stores all chosen data about history, cookies, cache etc in RAM and it's destroyed when Firefox is closed. Requests are also made to 3rd party services like Flash to remove their data (LSO's).

SeaMonkey Browser uses the same mechanism in some settings, but in others there is a clear "paper trail". There are also a great many "conflicting" settings that will not work as expected. I'm going to try to go through all of the different settings and see if I can come up with a combination that mostly works. Note again, all of this applies to the Browser, I really am not sure what effect these settings have on other parts of SM.... don't expect your emails to remain private if you are using Mail/News on a shared machine!

The basics.

Preferences > Privacy & Security > Private Data > check Always clear my private data when I close SeaMonkey
Preferences > Privacy & Security > Private Data > uncheck Ask me before clearing private data
Then go down the list and check all of the private data categories. Lasty, press Clear Now to delete everything that's already stored. Now you have a clean slate and SeaMonkey is mostly "Private Navigating".

Weird Settings. The following settings will now no longer work correctly as set:

Preferences > Browser > Display on: Browser Startup > Restore Previous Session = shows blank page
Preferences > Browser > Display on: Browser Startup > Last page visited = shows Home page
Preferences > Browser > History > check Remember visited pages = only works per session
Preferences > Browser > History > check Enable Location Bar history = only works per session
Preferences > Browser > History > check Enable form and search history = only per session
Preferences > Browser > Downloads > Remove download entries: Never = does not work
Preferences > Privacy & Security > Passwords > check Remember passwords = only works per session

Paper Trail.
Unfortunately not everything is hooked up to this system yet and there are some privacy "leaks", most notably in the Data Manager:

1. Zoom levels. Per-site zoom stores the zoom level in permissions.sqlite and is displayed in the Data Manager. Preferences > Appearance > Content > uncheck Remember zoom levels on per-site basis to prevent these entries.

2. Download directories. If SeaMonkey is set to Ask where to save files, then the urls and directories are stored in permissions.sqlite and leaked in the Data Manager. To avoid this, choose a default download folder. Browser > Downloads > Save File To: Choose Folder.

3. TLS False Start using RSA. HTTPS sites requesting RSA are shown as encrypted goobledygoop. YAY! :) HTTP sites are not, just their real names. BOO! :( There's also no GUI mechanism for removing them in bulk, and no setting to delete them yet. Ideally TLS False Start data just wouldn't be listed in the Data Manager at all. You can temporarily remove these entries and the Zoom level entries by deleting permissions.sqlite in your profile. Yes, there is a setting security.ssl.enable_false_start in about:config, but setting it to false does NOT prevent the collection of TLS False Start sites, just the use of them.

4. SiteSecurityServiceState.txt is a "super cookie" feature that Firefox introduced, that is supposed to be deleted in Private Browsing mode... great except that SeaMonkey doesn't use Firefox Private Browsing, so it isn't deleted. Not really a problem anyway for general "private browsing" unless you've got people snooping in your profile.

Private Window. SeaMonkey does have the option like Firefox of opening a Private Window via the File menu. Which gives me hope that the feature could be plugged in for "permanent" use.

EDIT: For some time now I've been running SeaMonkey with default history settings but the following about:config option added: browser.privatebrowsing.autostart set to true. This does appear to put SeaMonkey into Permanent Private browsing just like Firefox without having to mess with any of the above settings.
Last edited by patrickjdempsey on May 12th, 2015, 2:45 pm, edited 7 times in total.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Private Browsing (Navigating) in SM

Post by patrickjdempsey »

All of this makes me wonder if it's possible to create an extension that will either add Firefox's Private Browsing mode, or at least make the settings in SeaMonkey act a bit more appropriately.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
barbaz
Posts: 1504
Joined: October 1st, 2014, 3:25 pm

Re: Permanent Private Browsing in SM

Post by barbaz »

patrickjdempsey wrote:Ideally TLS False Start data just wouldn't be listed in the Data Manager at all.

Please don't implement that suggestion, or at the very least provide an about:config pref to show everything in the Data Manager. I like being able to see everything in the Data Manager.

Better would be to give the option to clear all false start permissions with browsing history and always clear false start permissions for sites visited in Private Browsing (and not visited in normal browsing) when Private Browsing ends.
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Permanent Private Browsing in SM

Post by patrickjdempsey »

This is a feature that has absolutely zero business being revealed in the UI to the user. There isn't a box somewhere in Page Info that displays the encryption key for HTTPS sites is there?
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
barbaz
Posts: 1504
Joined: October 1st, 2014, 3:25 pm

Re: Permanent Private Browsing in SM

Post by barbaz »

patrickjdempsey wrote:This is a feature that has absolutely zero business being revealed in the UI to the user.

For typical users yes, but power users like me really want to be able to see what our browser is storing. Which is why I said fine if hiding it is default but please make sure it's possible to display it, maybe with an about:config pref (most users wouldn't need to go to about:config either).

patrickjdempsey wrote:There isn't a box somewhere in Page Info that displays the encryption key for HTTPS sites is there?

I just thought of some use cases for that... :wink:
Again, most users will never need to see this stuff but power users could need that info sometime.
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Permanent Private Browsing in SM

Post by patrickjdempsey »

None of that has anything at all to do with Private Browsing, please kindly take it elsewhere. There are several threads around discussing that data.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
barbaz
Posts: 1504
Joined: October 1st, 2014, 3:25 pm

Re: Private Browsing (Navigating) in SM

Post by barbaz »

Sorry, didn't intend to hijack this thread :oops:
Anyway...

patrickjdempsey wrote:All of this makes me wonder if it's possible to create an extension that will either add Firefox's Private Browsing mode, or at least make the settings in SeaMonkey act a bit more appropriately.

I wonder the same. AFAICT the catch is knowing when a Private Browsing session has ended and how to keep track of which permissions were added during that session. It's even more of a snag for the case when some windows are private and others not, because each private window probably should be considered its own session...

- You can clear false start permissions in an extension easily enough, here's the code for that in my extension:

Code: Select all

   let p = Services.perms;
   let e = p.enumerator;
   while (e.hasMoreElements()) {
      let perm = e.getNext();
      if (perm.type.indexOf("falsestart-") == 0) p.remove(perm.host, perm.type);
   }

That clobbers *all* the false start permissions, probably too much of a sledgehammer for this purpose especially for people who don't disable false start.
- Seems SiteSecurityServiceState.txt stores HSTS permissions. If there's some way to track which HSTS permissions are added during Private Browsing, a similar method to clearing false start permissions could clear those too no? Would that be enough to take care of SiteSecurityServiceState.txt issues or does the file really have to be outright deleted?
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Permanent Private Browsing in SM

Post by patrickjdempsey »

Again, in both cases we are talking about settings related to website connections that IMO have no business being human-readable because they have absolutely nothing to do with settings the user should have any concern about, but blocking or deleting them will impact performance. In the specific case of HSTS, Firefox deletes them if you are in Private Browsing... presumably SeaMonkey will do the same for a Private Window but I don't understand enough about what those are to make any further comment. But again, I'm not terribly concerned about them because this is intented to be more a general guide/discussion about Private Browsing. If someone is digging around your files there's really no such thing as privacy in any browser.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Permanent Private Browsing in SM

Post by patrickjdempsey »

Edited the OP to reflect the fact that download directories are stored in Data Manager. Also experimenting a little with manually setting browser.privatebrowsing.autostart to see what happens.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Permanent Private Browsing in SM

Post by patrickjdempsey »

So browser.privatebrowsing.autostart does in fact work, without setting SM to delete data on exit! I'm also not seeing per-site Zoom settings in the Data Manager... and per-site zoom is now per-session. TLS False Start urls are still collected and I'll have to continue to experiment with it to see if there are other privacy leaks. All of the above "Weird Settings" still apply. An extension would ideally "gray out" the affected settings and automatically change ones that don't work, like the home page/session restore setting. If an extension was to add this feature it would have to be designed so the preference is destroyed if the extension is removed or disabled.
Last edited by patrickjdempsey on May 12th, 2015, 1:50 pm, edited 1 time in total.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Permanent Private Browsing in SM

Post by patrickjdempsey »

After running with browser.privatebrowsing.autostart for a week I can confirm that these behaviors are now acting the way we expect:

1. SiteSecurityServiceState.txt appears to only be storing data from adblock plus and AMO (pertaining to the blocklist).

2. All TLS False Start entries are encrypted.

3. Per-site zoom is now per-session.

Will have to do further testing for other features. But it looks to me like Permanent Private Browsing in SeaMonkey does in fact work.
Last edited by patrickjdempsey on May 12th, 2015, 1:49 pm, edited 1 time in total.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
User avatar
Pim
Posts: 2215
Joined: May 17th, 2004, 2:04 pm
Location: Netherlands

Re: Permanent Private Browsing in SM

Post by Pim »

You misspelled browser.privatebrowsing.autostart as browser.privatebrowser.autostart. Twice. And people are already quoting from your posts...
Groetjes, Pim
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Permanent Private Browsing in SM

Post by patrickjdempsey »

Aha! Thanks. Fixing now.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Permanent Private Browsing in SM

Post by patrickjdempsey »

A few observations about browser.privatebrowsing.autostart:

In Firefox, running in Permanent Private Browsing does not display "Private Browsing" in the titlebar or any other visual notification unlike Private Windows. In SeaMonkey, "Private Browsing" is prominently displayed in the titlebar. Personally, this is not really an issue but I can see how some people might not like it.

In Firefox, Permanent Private Browsing causes the #main-window attribute [privatebrowsingmode="permanent"] to appear. This does not appear in SeaMonkey. This could for instance be used by a Theme or userStyle to provide a visual notification if the user so chose.

In Firefox, Permanent Private Browsing causes other settings in the Options panel to change and for some areas to become disabled to prevent users from selecting conflicting setups that will not work. For instance, one cannot select "When Firefox starts: Show my windows and tabs from last time" or "Remember passwords for sites". A full SeaMonkey implementation should consider those.
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
User avatar
patrickjdempsey
Posts: 23686
Joined: October 23rd, 2008, 11:43 am
Location: Asheville NC
Contact:

Re: Permanent Private Browsing in SM

Post by patrickjdempsey »

Another note about permanent private browsing: Due to the fact that the downloads manager is completely empty in PB mode, SeaMonkey instead shows the stand-alone download dialog. This dialog has some weird issues with the design as it was apparently redesigned by someone who didn't see the point in even having one. In order to access options like "Open file" or "Show downloads folder" you must click on the name of the file, which opens a menu with those options. It's not very friendly, and should probably be redesigned again with the proper buttons restored to the bottom if PPBM was ever to be fully supported in SeaMonkey.

Reference:
viewtopic.php?f=5&t=2936225
Tip of the day: If it has "toolbar" in the name, it's crap.
What my avatar is about: https://addons.mozilla.org/en-US/seamonkey/addon/sea-fox/
Post Reply