Firefox/Feature Brainstorming:Privacy

From MozillaWiki

Specific features References
Make Firefox behave like Safari when handling cookies

Safari is more choosy in deciding whom it passes cookie information out to, apparently. For this reason, Phorm spyware can't serve users of Safari targeted ads, although data can clearly still be intercepted.

See Guardian article for reference:

http://tinyurl.com/6jrwdv

Disallow third-party domains from setting cookies by default.

Built-in SSH Proxy Capabilities

It is very common for users of Firefox to encrypt/tunnel their traffic using SSH proxies. I think a great feature for future versions of Firefox would be a built-in SSH engine. For example, here's a typical setup:

1) Run "ssh -D [port] u...@host.com"

2) Enter password

3) Open up the Firefox options, and switch to use SOCKS on the port specified in (1).

4) Browse securely

5) Close the ssh connection

6) Re-adjust the Firefox options for normal internet connection

With a built in firefox SSH mechanism, it could work like this:

1) Click a "Tunnel Traffic ON" button in Firefox. (SSH accounts and passwords would be pre-setup)

  • Firefox automatically connects to the SSH server and begins tunneling using SOCKS

2) Browse securely

3) Click "Tunnel Traffic OFF"

  • Firefox automatically disconnects from SSH server

This feature would be phenomenal, and would allow users to quickly secure their information when browsing on public terminals. This feature will probably not be possible using extensions to Firefox.

Encryption of ALL firefox profile data

The idea is simple: protect ALL Firefox profile data (cookies, history, etc.), and not only the passwords of the password manager, with an encryption system. It would be very secure...
It is interesting for security because true security protects all data and there is more than one way to hack a computer: all data is useful to a cracker.


Allow users to edit the key/value pairs of cookies

Users should be given the ability to not only delete, but edit any cookies stored within Firefox. This would both be a boon to developers (I've lost count of the number of times this feature would've been useful) and would also give the users more control over what data websites store on their PC.

Anti-phishing via a whitelist

This could be something like: if a user is going to an online banking thing like ebay, paypal or citibank or whatever is there in a whitelist, he will be informed that he is at the right location. This will make anti-phishing easier. This can also be extended to a lot of other sites like google and yahoo. Only on the right pages can you enter the sensitive information. Else the user is given a warning that "It might be a phishing page". Better and doable. I would like to work on this feature. You can contact me for future discussions at (the100rabh)....emailat....(gmail)..doitat..(.com)....Address is in parenthesis


A "persistent", "wanted" or "positive" Cookie list


I don't mean the same as in Persistent Cookies down there...


It would be nice to have the possibility to mark some cookies as "not to be deleted". This means you could configure FF to delete all cookies when you close it, but the preferences for some sites would still be there the next time you start the browser... The cookies of the "persistent" list would never be erased.

Not required any more as it's already been done via an extension "View Cookie CS"

This is already possible in Firefox 1.0, 1.5 and 2.0 without any extension. However it would be nice to be able to mark cookies from a site "not to be deleted" without having to open the preferences dialog. --Dikrib 13:48, 17 December 2006 (PST)

Only allow cookies from sites you navigate to

Add an option to the cookie preferences menu that only allows the storage of cookies from sites you navigate to. In this way, e.g. cookies from advertisers on those sites will not be stored.

Camino and Safari both have this feature.
Provide "One Click" privacy and security audit

It would be useful to have a "one-click" method of doing a security and privacy audit. Have it check for disabled or "unused" security and privacy features, check for non-secure or not up-to-date software and plugins, and provide an up-to-date report of known security defects or issues. Provide recommendations for those who are non-technical.

Kind of a corny example, but perhaps something conceptually similar to the final audit in TurboTax.
Automatically heighten privacy level for "sensitive" domains

The thing about privacy controls is occasionally forgetting to turn them on.

  • Keep "sensitive" domains in an MD5 hashed database. Visiting a domain that matches one in the hashed database would heighten the privacy level before entering the domain (turning off history, upping cookie and form security, etc). Navigating to other domains via links on a "sensitive" domain would keep the privacy level heightened until a whitelisted non-sensitive domain is visited or until navigating away by something other than a link (such as by explicitly typing in the URL or by using a bookmark).
  • Clear the <Back> history, Cache, session cookies, etc., when going from a sequence of "sensitive" domain links to a "non-sensitive" domain.
  • Automatically add to the "sensitive" list domains that are visited after the user has explicitly enabled the "privacy mode" suggested below.
Enhanced Cookie Management

Many firewall and antivirus applications have features to deny access to entire websites based on URL matching which is based on wildcards and regular expressions. I have long wanted something similar in Firefox's cookie manager. It would reduce a lot of overhead on the Exceptions List, keep it somewhat more tidy and manageable. Also, a better organizer for the EL would be nice: group by base site instead of absolute alphanumeric.

For example:

  • Set exceptions for *doubleclick.net* to match any cookies coming from a URL containing that string, or http://ad[0-9]\.ebay\.co(m|\.uk) for ad cookies coming from ebay.com or ebay.co.uk.
  • Group exceptions for "mozilla.org" so user can see all subdomain entries ("addons.mozilla.org", "download.mozilla.org", etc.)
  • In the instance of wildcards/RegExp, mozilla.* would also include "mozilla.com" Exceptions.

Would make things easier to find, and make troubleshooting sites easier by being able to determine if a cookie exception is preventing proper functionality of the site (blocking some subdomain cookie that is required for login, etc.).
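
The wildcard, regular-expression and grouping ideas above, as an added example (not Firefox code and not part of the original page). It shows that `*doubleclick.net*` and the unanchored eBay expression also match look-alike hosts, next to a tighter domain rule and an anchored expression; the rule format, function names and sample hosts are assumptions, and `MULTI_LABEL_SUFFIXES` is a one-entry stand-in for the Public Suffix List.

```javascript
// Added example: cookie-exception matching. Rule format and function names
// are hypothetical; none of this is a Firefox API.

// Constructed one-entry stand-in for the Public Suffix List.
const MULTI_LABEL_SUFFIXES = new Set(['co.uk']);

function escapeRegExp(text) {
  return text.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// '*' matches any run of characters, everything else is literal, and the
// whole hostname must be covered (anchored at both ends).
function wildcardToRegExp(pattern) {
  return new RegExp('^' + pattern.split('*').map(escapeRegExp).join('.*') + '$', 'i');
}

// rule.type: 'wildcard' (tested against the hostname), 'regex' (tested
// against the full URL, unanchored unless the pattern anchors itself), or
// 'domain' (the host itself or any subdomain of it).
function matches(rule, url) {
  const host = new URL(url).hostname.toLowerCase();
  switch (rule.type) {
    case 'wildcard':
      return wildcardToRegExp(rule.pattern).test(host);
    case 'regex':
      return new RegExp(rule.pattern, 'i').test(url);
    case 'domain':
      return host === rule.pattern || host.endsWith('.' + rule.pattern);
    default:
      throw new Error('unknown rule type: ' + rule.type);
  }
}

// First matching rule wins; no match falls back to the global default.
function decide(rules, url, globalDefault) {
  const hit = rules.find(rule => matches(rule, url));
  return hit ? hit.action : globalDefault;
}

// Registrable ("base") domain used to group the Exceptions list.
function baseDomain(host) {
  const labels = host.toLowerCase().split('.');
  const keep = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

function groupByBaseDomain(hosts) {
  const groups = new Map();
  for (const host of hosts) {
    const key = baseDomain(host);
    groups.set(key, [...(groups.get(key) || []), host].sort());
  }
  return groups;
}

// Patterns taken from the list above.
const WILDCARD = { type: 'wildcard', pattern: '*doubleclick.net*', action: 'block' };
const EBAY_RE = { type: 'regex', pattern: 'http://ad[0-9]\\.ebay\\.co(m|\\.uk)', action: 'block' };
// Tighter equivalents (added here, not from the page).
const DOMAIN = { type: 'domain', pattern: 'doubleclick.net', action: 'block' };
const EBAY_ANCHORED = {
  type: 'regex', pattern: '^http://ad[0-9]\\.ebay\\.co(m|\\.uk)(/|$)', action: 'block',
};
```

Because the first matching rule wins in `decide`, a broad wildcard placed ahead of a narrower rule decides the outcome for every host it covers, which is worth checking when troubleshooting a site whose login cookie is being refused.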

Eliminate image based user tracking.
  • Do not load *any* invisible images. This includes single pixel and smaller pictures. It also includes images that are the same color as the background. Those can't be detected preload, but perhaps cookies could be refused to them.
  • Note: this would break a lot of web analytics packages, since so many of them (if not all) use tracking.gif techniques. - sherman
  • That's the point. However, image tracking is only one method. Better would be to have an option to not load ANYTHING from a third-party domain, unless specifically allowed. - Meneth
Selectively disable offsite images.
  • Useful for e.g. webmail accounts that do not allow (anti-spam etc.) image blocking in received emails. Analogous to the Accept Cookie / Exceptions dialog, this feature would allow the user to specify certain sites (e.g. webmail.myisp.com) where offsite requests within a page (i.e. domain != myisp.com) would be blocked. Is this workable? Not supported by existing add-ins, which block specific external sites, or ALL images.


Public Terminal Version.
  • The person installing Firefox can enter a password protected option which automatically converts the browser into a public terminal version where no passwords are stored and everything is cleared on exit.
  • The only way to override is when the user specifies a directory to store ALL collected data (see suggested feature below) where the specified directory is on removable media. This setting will expire when the browser is closed or after 1 hour of use.
Improved Cookie Management
  • Merge the "Exceptions" and "Show Cookies" dialogs under Tools:Options:Privacy into the same interface as the "History"/"Library" window (perhaps adding a new "tab" bar at the top of the "History:Show All History" window).
  • Similar to the pop-up blocker menu in the status bar -- and perhaps sharing code -- add a cookie management pop-up menu on the right edge of the lower status bar. Menu options might include "Block"/"Allow"/"Allow for session" for the current parent site, indicating the current setting with a checkmark; and at the top (most distant pointer travel), a list of domains within the current window or tab's parent/frames/iframes/embeds, each with sub-menus of cookie names stored or requested-but-blocked, each with a sub-sub-menu to "Block", "Allow", "Allow for session", "View/Edit" or "Delete" by individual cookie name.

    This might allow the pesky ancient "Confirm setting cookie" modal dialog to be terminated with extreme prejudice (which sometimes shows up empty, or with inoperable buttons if a window's title bar is being dragged to reposition it at the time the "Confirm setting cookie" dialog is spawned, or repeatedly for the same domain in succession if the site attempts to set multiple cookies before the first dialog receives a response from the user).
  • Offer separate global preference default settings for cookies from secure vs. unsecured URLs (e.g., "Allow" for secure URLs such as banks/shopping cart checkouts vs. "Allow for Session" for unsecured URLs).
  • For cookie status "Exceptions" that Firefox has been adding automatically, only store "Exceptions" that vary from the current global default setting of "Allow"/"Allow for Session"/"Block". (But if the global default setting is later changed, preserve/retain all prior values including those matching the new global setting.) This would shorten "Exceptions" lists dramatically, and make them a far less horrific affront to privacy concerns.
  • On the "Redirect Loop" error page, add radio buttons to set the site's cookie status to "Allow" or "Allow for Session" when the "Try Again" button is clicked, with the "Allow for Session" radio button marked by default (since presumably the user would prefer "Block" when possible).
  • Devise a meta tag standard that allows sites to identify their "cookies required" error pages as such, enabling any browser to gracefully prompt a user whether they'd like to accept cookies, instead of forcing the user to follow all those convoluted browser-specific instructions for editing preference settings.
  • In the cookies management box (accessible by clicking "Show Cookies..." in Privacy Options), there are two different buttons a user can click ("Remove Cookie" and "Remove All Cookies"). There should be a third button: "Block Cookie" (or just "Block"), which removes the cookie and blocks it. This would save time, as a user wouldn't need to delete the cookie and then manually block it.
  • Clicking "Remove All Cookies" should display an "Are you sure?" dialog box to prevent accidental cookie clearing when trying to delete a specific cookie. There should be the option of turning this off in About:Config or by some other means.
  • A user should be able to select multiple cookies with the Ctrl and Shift buttons (or their Mac equivalents).
User specified directory to store ALL collected data.
  • Have one directory where all history, cookies, bookmarks, and any other data that could potentially be used maliciously is stored, and give the user the option of putting it elsewhere, be it on a dongle or an encrypted area/partition (like using TrueCrypt).
Private browsing
  • Implement a "private browsing" mode that prevents collection and recording of data. When privacy mode is turned off, previous history should be preserved.
  • Expand 'Private Browsing' mode to be available on a page by page or site by site basis (including child tabs). See Privacy>History for full suggestion.

bug 248970

Cookie Sandbox
  • The ability to put one or more tabs in a Cookie Sandbox, so that I can, e.g., stay logged into Gmail in one tab while having another tab with Google searching open with a different set of cookies, so that my Gmail cannot automatically be associated with my search terms.

Although this separation is not implemented internally in FF 1.5.* or FF 2.0.*, it's achieved by the CookiePie extension. --User:Swain

Privacy preferences
  • Add the option to suppress referrer information while browsing
    • Option to suppress referrer information to third-party domains.
  • Import/export passwords and/or privacy settings

User:Meneth/Referrer

1 bug 285790 already exists for form history

History
  • Ability to put a page on a blacklist (i.e. never show it in the history)
    • Should apply to all records including cookies, cache, login details, etc.
    • Should apply to individual pages or whole sites by user's choice, and any child tabs
    • Effectively allows for a 'Private Browsing' session on a page by page or site by site basis.
    • Would be useful to prevent blocked pages or sites showing up on a list of blocked pages and sites - otherwise it defeats the purpose! Perhaps no list, just a one-time thing; or perhaps a password would give access to the list?
    • Could be paired with 'Clear Recent History' exemptions (see Privacy>Secure Storage and Clearing of Private Data) to make three types of page or site: Block from storage, Normal, Keep Always
  • Ability to disable the history for the current session with a click/keycombo

n/a

Password management
  • While Firefox/Thunderbird is running, open password databases exclusively (lock for read/write), so that other applications (Trojans) cannot access or copy them.
  • Improve Master Password entry when viewing saved passwords.
    • Redundant master password entry fields: If the user has opted to set a master password for their browser's stored passwords, they have to enter it twice to actually view and show the passwords (once to View Saved Passwords, and then AGAIN to actually Show Passwords of those accounts). This redundancy is unnecessary.
    • On the Password Manager window, the Remove and Remove All buttons are right next to each other; however, the Remove All button does NOT have a dialog that asks you if you are sure you want to remove all saved passwords. An accidental click on the Remove All button instantly deletes all of the user's saved accounts and passwords.
  • Don't propose any way in the UI to show passwords unless a Master Password is set and entered
  • Improve password management - allowing multiple passwords (like opera, also see Myk's post)
  • Ability to edit saved usernames and their respective passwords via the Privacy > Passwords > View Saved Passwords dialog
  • Search Saved Passwords - Add search feature to the saved passwords list.
    • Enable users to search by specific field (URL, username, or password) or perform a general search.
  • Add date added/modified field to records in the password list
  • Don't just save passwords, create them like Chris Zarate's Password Generator bookmarklet. It generates a hex-encoded MD5 hash of your master password and the domain name of the website you are visiting, and shortens it to the desired length. This allows users to remember just one master password, but use a unique strong password for every website (so your blackhat.com password is not the same as your bank.com password).
  • Add preference to prompt user to update stored password after the next page loads when the user submits a password that does not match the password stored for the form/username combo. This would greatly smooth out the currently clunky common task of updating stored passwords without having to dig through the preferences.
  • Wait until the password has been accepted before offering to save it.
  • Modeless handling of new passwords. To avoid the intrusive dialog box popping up to ask users if they want to save passwords, you could signal this on the status bar or with a modeless pop-over, like Windows uses for warning about unused desktop icons. That way, it's a lot easier to just ignore this feature if you're in a hurry, or using someone else's computer, where you typically just want to get wherever you're going.
  • Instead of "Never for this site" blocking of password storage, have a "never for this password" feature. For example, I might have a general use email account, and a super-secret private email account, both on the same webmail system. I'd like the regular account password remembered, but not the super-secret one. To implement this, take the [domain+username+password+salt] as a long string and SHA1 hash it, and store the hash - and nothing else. That can be safely (verify this carefully!) stored in user preferences without revealing anything, and still block remembrance of that password.
  • Instead of requiring another click on every form submit "Do you want to remember...." have a button which gives the option to remember the password, and otherwise do not offer to remember passwords.
  • Just make password management EXACTLY like Opera. People have already mentioned support for multiple users, but what about automatically logging in with one click as well like Opera's wand? And make it work on ANY website like Opera (ignore the code that says "don't even ask to remember this password", people don't like entering their password every time they check their bank balance because their bank set it up that way.. that's what "never for this site" is for).
  • A notification in the notification bar which informs that the current password form was automatically filled in by the password manager and not by the web page itself. One click on it would directly bring you to the entry in the "Password Manager" window. See bug 227880.
  • Option to only remember the login/username, but not the password.
  • Create "profiles" where one username/password combination is applicable to many URLs. Typical example is corporate intranet sites where everything is synced to AD. When changing AD password, it would be good to be able to change the password just once in FF too.
  • The default option should be NOT to save any password.
  • An option to disable seeing saved passwords at all. Some folks may prefer to save passwords but never be able to retrieve them. It is not apparent to everyone that saving a password makes it freely available for anyone with physical access to view.
  • Indication in dialog of domain which triggered password autofill on master password request. When you restore a session it is often the case that the tab requesting the password does not have focus. This doesn't have any real security implications but it would be nice to know and I suspect is sufficiently trivial. I'm certain I'm not the only one bothered by this, though I've no confidence interval on said certainty :)


bug 227880 about password autocomplete notification.
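
The "never for this password" item in the list above proposes storing only a SHA1 hash of [domain+username+password+salt] and asks that this be verified carefully. The following added example (not Firefox code and not part of the original page) puts that scheme beside a variant with length-prefixed fields, a random per-entry salt and scrypt, since plain concatenation lets different field splits hash alike and a fast hash leaves a low-entropy password open to offline guessing by anyone who can read the preferences. Function names, scrypt parameters and the sample account names are assumptions.

```javascript
const crypto = require('crypto');

// Assumed cost parameters (Node's scrypt defaults, written out explicitly).
const SCRYPT_PARAMS = { N: 16384, r: 8, p: 1 };

// The scheme as proposed on this page: SHA-1 over the concatenated fields.
function proposedBlockTag(domain, username, password, salt) {
  return crypto.createHash('sha1')
    .update(domain + username + password + salt)
    .digest('hex');
}

// Prefix every field with its byte length so that moving characters from
// one field to the next always changes the encoded input.
function encodeFields(fields) {
  return Buffer.concat(fields.map(field => {
    const body = Buffer.from(field, 'utf8');
    const length = Buffer.alloc(4);
    length.writeUInt32BE(body.length);
    return Buffer.concat([length, body]);
  }));
}

// Hardened entry: random per-entry salt plus a deliberately slow KDF.
// Only { salt, tag } is stored; domain and username are not kept in clear.
function makeBlockEntry(domain, username, password) {
  const salt = crypto.randomBytes(16);
  const tag = crypto.scryptSync(
    encodeFields([domain, username, password]), salt, 32, SCRYPT_PARAMS);
  return { salt: salt.toString('hex'), tag: tag.toString('hex') };
}

// True when the submitted credentials match a stored "never remember" entry.
// Each entry has its own salt, so the check costs one KDF run per entry.
function isBlocked(entries, domain, username, password) {
  const input = encodeFields([domain, username, password]);
  return entries.some(entry => {
    const expected = Buffer.from(entry.tag, 'hex');
    const actual = crypto.scryptSync(
      input, Buffer.from(entry.salt, 'hex'), 32, SCRYPT_PARAMS);
    return expected.length === actual.length &&
      crypto.timingSafeEqual(expected, actual);
  });
}

// Constructed sample: one blocked account on a made-up webmail host.
function demo() {
  const entries = [makeBlockEntry('mail.example', 'secret-acct', 'pw-one')];
  return {
    ambiguous: proposedBlockTag('a.com', 'bob', 'pw', 's') ===
               proposedBlockTag('a.co', 'mbob', 'pw', 's'),
    blocksSecret: isBlocked(entries, 'mail.example', 'secret-acct', 'pw-one'),
    blocksGeneral: isBlocked(entries, 'mail.example', 'general-acct', 'pw-two'),
    blocksShifted: isBlocked(entries, 'mail.exampl', 'esecret-acct', 'pw-one'),
  };
}
```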
Secure and Insecure Passwords
  • 2 separate password stores. One would require the Master password to access, the other would not. This would be useful to users who want convenience storage of simple passwords they do not care about exposing, but also have sensitive passwords. This would prevent the Master Password dialog from popping up for non-sensitive passwords. A use case is a user with all of the following examples on a laptop used at work and home, and left unattended at both as well.
  • Examples of non-sensitive passwords:
    • Forum log ins: A single user laptop, but the user wouldn't care if the forum password is compromised as a result of the laptop being stolen.
    • Foxmarks Add-on: The user doesn't want to enter the master password all the time to use Foxmarks, and doesn't really care if other users have access to something as trivial as bookmarks.
  • Examples of sensitive passwords on the same computer:
    • Bank log in: A single user laptop, but could be bad if the laptop is stolen.
    • FireFTP Add-on: The user doesn't want others accessing FTP site passwords.
    • Corporate Intranet sites.
    • External Corporate email sites.


Secure Storage and Clearing of Private Data
  • Optional password Protection for all Private Data including cookies, browsing and form history, cache, etc. using strong cryptography.
    • could use same master password as password manager
  • Integrate a feature to securely "wipe" saved browser information using various data overwriting algorithms such as Peter Gutmann's 35-pass wipe and U.S. DoD 7-pass specification 5220.22-M.
    • This is obsolete. Useful levels of protection are:
      1. delete the file -- protects against non-admin users
      2. zero the file -- protects against nearly everyone outside of foreign intelligence agencies
      3. melt, dissolve, or powderize the hardware -- protects against everyone
    • Multiple overwrite is not stronger than merely zeroing the file. It is an attempt to beat the rare case of somebody who can examine the disk surface, but it fails because modern disks will commonly write to different locations. Disks do sector/track substitution and they have write heads that wander a bit.
  • Ability to exempt certain web sites or individual pages from being cleared when 'Clear Recent History' is used, so that regularly used pages do not get removed when others are, eg search engines, email sites, news sites, social networking sites, etc.
    • Should apply to all records including cookies, cache, login details, etc. for that page or site.
    • Could have an option in 'Clear Recent History' to override this.
    • Could be paired with page/site history blacklist idea (see Privacy>History) to make three types of page or site: Block from storage, Normal, Keep Always


Password Protect the Browser
  • Require a password to launch a new instance of the browser in order to allow users to allow the browser to save passwords for websites, but still protect them from guest users of the PC.
  • Detect if Master Password required dialog box is open. If it is open, and a link is clicked instead of opening another instance (which opens another Master Password dialog box) focus the existing dialog box and open the page in the original window instead of a new window.
    • Only open one Master Password dialog box when there are two extensions that auto-login to accounts upon launch instead of two separate Master Password boxes for the same window.


bug 16489

Cookie search functionality

It would be nice if there was a search functionality on the cookie exceptions list. This is useful when someone wants to quickly find out about the status of a site without having to search through the entire exceptions list.

Persistent Cookies

Certain sites have cookies which are stored in the browser only as long as it does not exit. To log on to sites again we need to enter the password once more. It would be great if cookies for selected sites did not expire as the sites set them to. User must be able to override these settings.


Not required any more as it's already been done via an extension "View Cookie CS"

Selective History deletion and allowing/blocking

It should be possible to selectively delete history / private data of certain pages or even subpages. This could even be as fine-grained as to only allow deletion of a certain type of history data (like images, data entered in forms, search bar), in the case of forms and search bar even single entries. On top of that it would be useful to be able to specifically allow and/or deny to store certain data in the first place (with opt-in and opt-out options to store data in general with respect to defined exceptions).


General tasks

N/A

The password dialog "Do you want Firefox to remember this password?"
  • This prevents the "enter password" form action page from loading so that the user must answer the question *before* he/she actually knows whether the username/password is correct. Ideally the password dialog would not block the page from loading and close automatically when the user leaves the "password accepted" page.
  • Add a "Never Remember Passwords" button. Novice users may never realize this feature can be disabled in the Privacy section of the Options menu, and may become annoyed that they can never "really turn it off."
Option to clear Cache on window close/program exit
  • This option is a blatant ripoff of IE with its Empty Temporary Internet Files on Exit.
  • This option would be separate from the Clear Private Data so as not to interfere with the settings there.
    • This will allow the user to clear the Cache on exit but not other items, leaving them available for execution when the Clear Private Data option is invoked.
  • This has been requested for some time and some work has been done on it.

BugZilla for Auto Cache Clear
Potential Patch previously submitted for feature

Enhanced Certificate Management
  • This should enable users to preselect certificates for certificate enabled sites (if they have more than one certificate available for the site)
  • One-click editing and temporary dis- / enabling certificates via a better certificate-gui
  • Ability to store certificates encrypted without having to protect the entire browser using a master password. I don't want to enter my master password just to get my saved password for an online discussion forum, and I don't want to leave my certificate for my online banking unprotected either.
  • Ability to label certificates with user specified labels - certificates are often based on auto-generated multi-digit user names and selecting the right certificate based on a generated number is not very user friendly. Furthermore it will be easy to select a certificate by mistake if several different certificates exist from the same CA, leading to lax security. Implementing this feature might have other security implications however and should be carefully considered.
Green Internet Zone
  • Analogous to the Zones in Internet Explorer, Firefox should provide a "green zone". This "green zone" should only work over HTTPS and it should come without any trusted sites (no root CA at all). If Firefox is showing a page in the "green zone" it should paint the Address bar green (or something similar).
  • A user should manually add .cer Files of sites he trusts. Obtaining a .cer File should be the responsibility of a user.
  • Purpose of such a zone: A user can always see if he does his homebanking (or other critical things) over exactly that site he wants to.
  • This feature would be nice as well if it came with multiple empty zones, so a user could use it for different sites.
Fine-tuned Private Data Management
  • It would be useful to mark certain cookies as desirable for long-term use. The functionality provided by allowing privacy data to be deleted easily is extremely useful. However, even though I certainly want the majority of cookies to be deleted when I am finished browsing, there are some cookies that I would like to be able to place on a white list of cookies that aren't deleted automatically with the others.
  • Perhaps there are others that would like similar functionality with regard to forms, cache, sessions, etc.
Fine-grained ad-blocking
  • Rather than blocking entire domains from displaying images, for example ads.foo.com, allow finer grained control over ad blocking, for example www.foo.com/ads or even www.foo.com/images/ad.gif. Such capability exists in Internet Explorer through the third-party plugin AdShield.
  • Rather than blocking only images, block all content from blocked zones, or be able to configure what content to block or not to block (specifically, be able to block Flash ads).
  • Allow to view ads that have been blocked, not always working in Firefox 2, especially when several ads tried to pop up.
User-agent Masking and Blocking

Similar to the user-agent features in Opera and Konqueror, a user should have the ability to turn off user-agent broadcasting or change the browser's identity to a different FF version, OS, or other browser. Also allow for memory of individual sites and what identity to use for each site.

"Clear Search Bar" option under "Clear Private Data"

An option under Clear Private Data to clear the search bar contents. Currently, the last item searched is visible, and previous items are visible through Ctrl+Z.

Warn me when sending unencrypted passwords

In the "security warnings" dialog, add an option "Warn me when sending unencrypted passwords".

User:Kobelix


"Master password logout option"

After entering the master password, sometimes I have to give my PC to somebody, and they can easily view my password for a particular website, for example by using Firebug: simply by opening the website's login page and changing the password field type from "password" to something different, anybody can view the password. We cannot even close the browser before giving the PC to somebody to use, so there should be a master password logout option, so that we just have to log out and the password will not be visible to anybody using Firebug. --Pankajk 10:04, 5 July 2010 (UTC)