I upgraded to Firefox 54 a few days ago and my normal daily workflow has become a nightmare because a plugin that I depended on (Multifox) is no longer supported.
With Multifox I could have a website open in a single tab (such as Facebook or Gmail) and I could instantly switch between user profiles without being forced to create a new tab. I can’t find an option for doing this in containers. Is this possible? If so, how can this be done?
Moving one URL from one container to another has the ability to increase tracking across containers.
Essentially you turn containers into an organisational tool rather than a privacy one. If you imagine that when visiting websites you always wear the clothing, containers give you different clothing to wear.
These disguises (containers) work by clearing what websites know about you, which works really well in stopping adverts from following you around the internet.
When you transfer one URL to another container you risk that website knowing about both of your disguises.
Essentially the URL itself can leak information about your previous container or the website could make the correlation that you have visited it twice with the same browser fingerprint but without the same cookies.
Containers don’t currently solve browser fingerprinting which is a technique where websites essentially monitor the hardware and OS that you have (graphics rendering, sound and performance). Containers add ambiguity in that fingerprinting isn’t perfect either. However the more you cross that boundary the bigger the risk you are in for this correlation.
URLs themselves also contain parameters like session IDs or Google Analytics campaigns that could be unique to you. There isn’t any simple way to filter these out without breaking pages also.
Take for example that obscure YouTube video you wanted to look at, it turns out maybe only 5 people visit it a day. It would be clear to YouTube that you crossed a container boundary when you switched the URL over to your personal container to log in.
Once a website can link the histories for two containers, imagine anything you have done in the previous container potentially known to the website. So if you visited a medical site, financial advice, shopping, adult sites or just something about your child’s next school play they might gain access to all of that.
This is exactly why we built Containers and also Lightbeam, to provide tools for people to see how much tracking there is on the internet.
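The point above about URL parameters, as an added example that is not part of the original post and is not code from Firefox or the containers extension: before a URL is reopened in another container, known campaign parameters are removed and values that look like per-user identifiers are only flagged, since removing them may break the page. The parameter list, the heuristic and the sample URL are constructed assumptions.

```javascript
// Added example: constructed list of well-known campaign/click-id parameters.
const KNOWN_TRACKING = [/^utm_/i, /^gclid$/i, /^fbclid$/i];

// Heuristic (assumption): long mixed letter/digit tokens look like
// session IDs or other per-user identifiers.
function looksUnique(value) {
  return value.length >= 16 &&
    /^[A-Za-z0-9_-]+$/.test(value) &&
    /\d/.test(value) && /[A-Za-z]/.test(value);
}

// Returns the cleaned URL plus what was removed and what still looks risky.
function scrubForContainerMove(rawUrl) {
  const url = new URL(rawUrl);
  const removed = [];
  const suspicious = [];
  // Iterate over a copy because parameters are deleted during the loop.
  for (const [name, value] of [...url.searchParams]) {
    if (KNOWN_TRACKING.some((re) => re.test(name))) {
      url.searchParams.delete(name);
      removed.push(name);
    } else if (looksUnique(value)) {
      // Not removed: the site may need it, so the caller should warn instead.
      suspicious.push(name);
    }
  }
  return { url: url.toString(), removed, suspicious };
}

// Constructed sample URL.
const SAMPLE_URL =
  "https://video.example/watch?v=abc123&utm_source=newsletter" +
  "&utm_campaign=spring&sid=9f8e7d6c5b4a39281706f5e4";
console.log(scrubForContainerMove(SAMPLE_URL));
```

The `sid` value survives the scrub, which is the residual risk the post describes: the destination container would still present an identifier minted in the original one.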
Ah, tracking privacy. Yes, tracking is a concern but right now productivity is more important to me. I need an easy way to log into multiple accounts throughout the day that I manage for clients (Gmail, Pinterest, Facebook, etc.).
I’m interested in having the moving between tab’s features. I’ll try to show why we could think a bit more about it. I’ll start by pointing that certain security breaches caused by this feature can also be caused without it. I’ll then talk about how I think the feature can be designed to reduce its problems and become secure enough compared to the global security without it.
It’s still possible to log in on the same account on two different containers (not even at the same time). In this case the website will be able to make the correlations.
I think this use case is something that is very likely to happen even by mistake, especially if the user doesn’t know about security issues, which is the case for the majority of the people who browse the web.
II. Reducing moving tabs problems
I propose that you add a “reopen in another container” feature as well as the moving feature.
I also propose that you add a popup to confirm the moving action. The popup should contain a little message that indicates a security issue and a link to read more about it. The popup will also permit to cancel the operation and explain the merging issues explained below.
Three cases to conserve the majority of the security features:
1. In the original container: Delete all the cookies from the transferred tab.
2. When the user asks to move a tab, also transfer all its friends from the same domain (explain it in the popup) + Delete their third party cookies before transferring them.
3. In the destination container: Close all the tabs of the same domain as the moving tab and remove their cookies (also explain it in the popup).
Example of the popup:
This way, this moving functionality doesn’t add new CSRF problem or “inability to grasp why containers are isolated” and it’s still possible to use more than one container for a website without letting the user merge two containers.
The only security issue that still exists is the fact that the moving tabs know what was in the original container before they left it and they can use it to make correlations while in the destination container. My point is: this issue can be “easily” explained in the warning popup and is not something unexpected because that’s precisely what the user accepted. The other tabs from both the original and the destination will not get any information they shouldn’t have from the transfer.
This little security issue must be compared to the two issues I pointed above. The security issue n°2 is reduced when using the moving feature because it will overwrite the accounts connected on the destination. The security issue n°1 is more impactful than the security issue of the moving tab and more difficult to understand for the user.
I hope you’ll consider my proposition.
Continue like that, the container feature is really interesting.
Sure, containers don’t try to be a perfect solution, we can keep attacking at these problems potentially with containers however if you are a high value target you likely would want Tor, Qubes, multiple computers etc. The more we solve this fingerprinting problem and the more people use containers we are likely to solve this problem through ambiguity (however there hasn’t been enough research in this area).
I’m hoping we can do more things to prevent this in the future. Ultimately however this is the user’s problem like typing passwords into phishing sites. We can try to educate but ultimately it’s a hard problem to solve.
The problem here is more third parties, to cleanly move it would have to take all storages like cookies and cache from anything the website loaded and put it into another container. These cookies might be shared with more first parties which also would have to move.
If you think of Lightbeam and its connected graph, to cleanly move whilst solving the cookies issue you need to take anything on the graph connected to it. The problem comes when something common like Google Analytics has been loaded, which essentially connects all the web’s history to the site you are trying to place in this container.
So you can instead try and break that connection by deleting the third party storage when you move the website over. This however would start breaking web properties because some third parties are important to the function of a website. Even basic things like a site might cope with Google Analytics being blocked on first page load but might not expect the cookies to randomly be removed halfway through a session.
Currently all of these storages can’t be cleanly accessed with Web Extensions either which would mean working on that first. Potentially there could be some intelligent allow/block list for removing these third parties, however again this isn’t remotely close to a perfect solution.
How context plus works was already rejected to be done internally part of our containers, the extension provides a right click context menu to copy the URL into a new tab, closing off the other.
This has the previous stale cookies lying around which could be improved perhaps however because of third parties nothing can be forgotten anyway. This has the advantage of not littering the new container with old cookies.
So just adding a warning in my opinion isn’t sufficient, users won’t read it or understand. There is too much to explain even for a wiki page let alone a sentence.
The security issue n°1 is more impactful than the security issue of the moving tab and more difficult to understand for the user.
This is the worst of the security issues, however if more users had containers the ambiguity caused by potential anti-fingerprinting techniques and containers would reduce the effectiveness of sites being able to fingerprint.
The security issue n°2 is reduced when using the moving feature because it will overwrite the accounts connected on the destination.
Cleaning up storage is a risk for shared computers and also XSS etc. However as this stands clearing up this storage is actually harder than it seems without breaking lots of user flows (because of the messy nature of third parties etc).
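The connected-graph argument in the reply above, as an added example that is not part of the original post and is not Lightbeam's code: a breadth-first walk over a constructed map of which third parties each site loaded, returning every origin whose storage would have to move together with one site. All site names and the `storageToMove` helper are hypothetical.

```javascript
// Constructed sample: third parties loaded by each first-party site.
const LOADS = {
  "shop.example": ["cdn.shop.example", "analytics.example"],
  "clinic.example": ["analytics.example"],
  "bank.example": ["fonts.example"],
  "news.example": ["fonts.example", "ads.example"],
};

// Everything reachable from `start` through shared third parties.
// `dropThirdParties` models deleting those third parties' storage
// before the move, which cuts the edges through them.
function storageToMove(loads, start, dropThirdParties = new Set()) {
  const adj = new Map();
  const link = (a, b) => {
    if (!adj.has(a)) adj.set(a, new Set());
    adj.get(a).add(b);
  };
  for (const [site, thirds] of Object.entries(loads)) {
    if (!adj.has(site)) adj.set(site, new Set());
    for (const third of thirds) {
      if (dropThirdParties.has(third)) continue;
      link(site, third);
      link(third, site);
    }
  }
  const seen = new Set([start]);
  const queue = [start];
  while (queue.length > 0) {
    const node = queue.shift();
    for (const next of adj.get(node) ?? []) {
      if (!seen.has(next)) {
        seen.add(next);
        queue.push(next);
      }
    }
  }
  return [...seen].sort();
}

// A clean move of shop.example drags clinic.example along via analytics.
console.log(storageToMove(LOADS, "shop.example"));
// Dropping the shared third party isolates the site again.
console.log(storageToMove(LOADS, "shop.example", new Set(["analytics.example"])));
```

The second call is the trade-off discussed in the reply: the link to unrelated browsing is cut only by discarding third-party storage that the site may depend on mid-session.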
I’m not an expert so I’m confident that you’re probably saying that with a lot of examples in head. But I still think the vast majority of the websites will continue to work even if you move the tabs without the third party storage.
You can even avoid to delete the third parties of the original container. In this case, don’t do the 1:
And in point 2:
Replace this by: “+ Do not transfer their third party cookies”.
ok. That’s probably the ultimate problem for this kind of moving feature.
I think what is nice is that we are opening this up to web developers to work on soon. Like the ability to control network requests via an extension, having the ability to control isolation is going to bring some interesting remixes of containers.
Advert blocking is similar, there isn’t always a perfect solution without breaking any sites.
Anyone interested in working on these problems after we release some more APIs I can help to try and solve these issues. We have a lot of open API requests for storage, tab and container management at the moment.