Researchers from the University of Hamburg published a study (https://arxiv.org/pdf/1810.07304.pdf) in which they warn against "Tracking Users across the Web via TLS Session Resumption". Only 3 browsers in the test blocked this kind of tracking: JonDoBrowser, Tor Browser and Orbot. A quick internet search got this thread on Reddit. Therein for Firefox it is suggested to create a boolean in about:config called 'security.ssl.disable_session_identifiers' and set it to 'true'.
As a matter of fact, that setting mentioned above was added to Firefox already 4 years ago but is still hidden. You can test its effectiveness on https://www.ssllabs.com/ssltest/viewMyClient.html : If it's enabled, "Session Tickets" shows "No" in the Protocol Details section.
Unless you never close your browser, this doesn't seem like an issue. Keep in mind that the more of these things you disable, the more unique you become.
Well, the lifetime of the session ID/ticket in various browsers is several hours or even 1 day - enough time to get you tracked to some extent. Even if you close your browser once a day or so, this kind of tracking will be done the next day again and can be combined with other kinds of tracking/fingerprinting. So I wouldn't say that this is no issue. Anyway, some additional digging revealed that what I wrote earlier regarding 'security.ssl.disable_session_identifiers' is actually obsolete as this issue is covered in Firefox if you enable First-Party Isolation. While the Tor Browser documentation for Cross-Origin Identifier Unlinkability (which is the basis for FPI in Firefox) still says that above setting should be set to 'true' in order to block SSL+TLS session resumption, this bug report (which was closed 2 months ago) confirms that the FPI implementation in Firefox also isolates session tickets/identifiers by first party. Hence, that manually created boolean can be deleted if you're using FPI (that's what I'm doing anyhow) as FPI is clearly the superior solution which also isolates cookies, cache, indexeddb etc.
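The two mechanisms discussed in this thread (a tracker linking visits through a re-presented session ticket, and FPI keying the browser's session cache by first party instead of disabling tickets) can be modelled in a few lines. The following is an added example, not code from the thread, the paper, Firefox or Tor Browser; it performs no real TLS handshake and only models the ticket cache on each side. The host names, the 24-hour ticket lifetime and the visit times are constructed for the example.

```python
"""Model of tracking via TLS session resumption, with and without first-party isolation.

Added example for this thread; it is not code from the thread, the paper, Firefox
or Tor Browser. It does not perform real TLS handshakes: it models only the part
that matters for tracking, namely that a client re-presents a server-issued
session ticket on later connections and that the server can log which first-party
page each connection came from. All host names and the ticket lifetime are
constructed for the example (the thread says real lifetimes are hours to a day).
"""
import secrets

TICKET_LIFETIME = 24 * 3600  # seconds a cached ticket stays usable (constructed value)


class TrackerServer:
    """A third-party host (an ad/tracking server embedded on many sites).

    It issues an opaque session ticket on every full handshake and records the
    first party and time of every connection that presents that ticket.
    """

    def __init__(self, host):
        self.host = host
        self.visits = {}  # ticket -> list of (first_party, time)

    def handshake(self, ticket, first_party, now):
        """Return (ticket, resumed). A known, unexpired ticket is resumed and logged
        under the same identifier; anything else gets a fresh ticket."""
        if ticket in self.visits:
            issued_at = self.visits[ticket][0][1]
            if now - issued_at < TICKET_LIFETIME:
                self.visits[ticket].append((first_party, now))
                return ticket, True
        ticket = secrets.token_hex(16)
        self.visits[ticket] = [(first_party, now)]
        return ticket, False

    def linked_first_parties(self):
        """What the server can infer: groups of first parties visited by one client."""
        groups = [sorted({fp for fp, _ in v}) for v in self.visits.values()]
        return sorted(groups)


class Client:
    """A browser's session cache. Without first-party isolation the cache is keyed
    by the server host alone, so one ticket is reused from every site that embeds
    the tracker. With isolation the key also includes the first-party site, which
    is what the thread says Firefox's FPI does for session tickets."""

    def __init__(self, first_party_isolation):
        self.fpi = first_party_isolation
        self.cache = {}  # cache key -> (ticket, issued_at)

    def _cache_key(self, host, first_party):
        return (first_party, host) if self.fpi else host

    def connect(self, server, first_party, now):
        """Connect to server while on first_party's page; return True if resumed."""
        key = self._cache_key(server.host, first_party)
        ticket = None
        cached = self.cache.get(key)
        if cached is not None and now - cached[1] < TICKET_LIFETIME:
            ticket = cached[0]
        ticket, resumed = server.handshake(ticket, first_party, now)
        if not resumed:
            self.cache[key] = (ticket, now)
        return resumed


def simulate(first_party_isolation, visits=None):
    """Run a browsing session against one tracker and return what it can link.

    visits is a list of (first_party, time_in_seconds); the default is three
    different sites visited ten minutes apart.
    """
    if visits is None:
        visits = [("news.example", 0), ("shop.example", 600), ("forum.example", 1200)]
    tracker = TrackerServer("ads.example")
    client = Client(first_party_isolation)
    for first_party, t in visits:
        client.connect(tracker, first_party, t)
    return tracker.linked_first_parties()


if __name__ == "__main__":
    print("shared session cache:", simulate(False))
    print("first-party isolated:", simulate(True))
    print("shared cache, visits a day apart:",
          simulate(False, [("news.example", 0), ("shop.example", 25 * 3600)]))
```

With a shared cache the tracker sees one ticket from all three sites and can group them as one client; with the isolated cache it sees three unrelated tickets and still gets resumption within each site. The third run shows the point made above about closing the browser: linkage only breaks once the ticket has expired, which is why daily restarts alone do not stop same-day tracking. Whether your real browser sends tickets at all is what the SSL Labs page mentioned earlier reports.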
@summerheat Did you encounter any problems after enabling FPI? Does it provide any benefit if I regularly close my browser and delete cache, cookies... and visit only one "important" site per session?
Yup, this is important. I'd encountered some sites' breakage, so I disabled it, but don't remember which sites they were.
No, I haven't had any problems with it. (FWIW, the Temporary Containers add-on caused problems at times, that's why I don't use it anymore.) But it seems that some people do have problems on some sites. That's why I recommend installing the First Party Isolation add-on. Basically all it does is set the respective switch in about:config to true. But the advantage is that it provides an icon in the add-ons bar - just click it and FPI is temporarily disabled. Very practical if you really run into problems. EDIT: Sorry, I forgot to answer your second question. I also automatically delete cache, cookies etc. whenever I close FF. However, this does not prevent being tracked during a session. FPI does - and btw., it probably also protects against 1st-party tracking cookies. I use it as an additional line of defense alongside blocking the trackers via uMatrix/uBlock Origin.
Yes, but: 1. I don't think that this applies to FPI. FPI does not block anything but isolates cookies, cache, DOM storage, IndexedDB etc. by first party. This makes tracking across websites nearly impossible. 2. It depends what you block. Tracking across websites is done via trackers/adservers. If you block them with, e.g., uBlock Origin this might make you more unique. But you stop being tracked from the beginning.
I can't speak for this "FPI" Firefox feature. I was speaking purely for disabling TLS session resumption. The fact that the SSL Labs website knows if you have it enabled or not proves that disabling it will actually make you more unique. Thereby, easier to track.
Yes, easier to track by fingerprinting. But fingerprinting is primarily performed by 3rd-party trackers. They are easy to block. A more in-depth discussion is here. And just for clarification: With FPI enabled, session tickets are shown as 'Yes' on SSL Labs. As mentioned, FPI doesn't disable them but isolates them by first party. So this mechanism is different from that other setting.
This is all besides the point. Your original post tells users they should disable session resumption when they should not do that because it's counter to their end goal of not being tracked. If your original post said "enable x isolation feature" then it wouldn't be a problem.
Well, you could just create a tiny docker image with Firefox. For each browsing session, you create a new container from the image, and nuke it when you're done. And the same for Tor browser, obviously. And docker works well inside VirtualBox, vmWare, KVM, etc. https://www.linkedin.com/pulse/sandbox-browsing-using-firefox-docker-container-ivan-davidkov
Well, that's what I found as a recommendation as it mimics what those 3 mentioned browsers do. Why do you call it a problem that further research resulted in new conclusions which were presented in subsequent posts? I don't get it.
The download link is dead but never mind that for now... @mirimir can you give a quick crash course on Docker for the impatient? It's an application-level virtual machine, right? You create your image with only Firefox plus its dependencies(?) in the image and run it with Docker, right? And then it communicates with the outside world from its isolated space with Unix sockets or some other mechanism? Could I use the created Docker image on any other machine with Docker installed? In other words: Could I use those isolated Docker images also as a way to deploy my own applications?
FPI is inefficient in Firefox 52 ESR. Whoever uses Pale Moon, Basilisk, ... can only insert the Boolean entry in about:config.
Yes, I think that's correct. However, I've configured FF such that any data is cleared when I close it. Besides, I'm using Forget Me Not which deletes cookies and localstorage periodically during a session. Hence, I don't see any benefit of using PB. Please correct me if I'm missing something.
So? That version is obsolete anyhow. End-of-life was on Aug. 28. I don't understand how someone continues to use a browser that doesn't get any updates any more.
Firefox 52 was the last one to support legacy extensions. So if someone's favorite extension never got rewritten for the new Fox, then the options are either to continue using the last Firefox 52 ESR or to try to find some other browser that offers similar functionality. Also, FF 52 is the last one supported for Windows XP, and XP is still extremely popular (read: pirated) in China ...
Sure.

Yes, basically. There are "images" and "containers", rather like "isos" and "vms". But you can easily go back and forth:

~# docker create --name STRING IMAGE
creates a container from an image

~# docker commit CONTAINER IMAGE
creates an image from a container

If you start with a basic Debian image, say, you can just create a container, install Firefox, and then commit to a new image.

~# docker images
shows images

~# docker ps -a
shows containers

For basic container management:

~# docker start CONTAINER
~# docker attach CONTAINER
~# docker stop CONTAINER

To run a throwaway container from an image with Firefox installed:

~# docker run -i --rm IMAGE

Yes, they're totally transportable.

Sure. And not just "applications". Systems. Environments. Whatever you can install in machines.
This article explains better: https://www.privateinternetaccess.c...key-a-supercookie-built-into-tls-1-2-and-1-3/