Firefox 3 won't have 'private browsing'

Correction at 7:50 a.m. PDT: The spelling of Johnathan Nightingale has been fixed.

At least one security feature won't make it into the final release of Firefox 3 on June 17, Mozilla confirmed again Thursday.

The feature, Private Browsing, would have disabled all caching, cookie downloads, history records, and form data used during the current session. In essence, you could surf the Web and leave no fingerprints.

"It basically said to the browser: I would like what I'm about to do to not be logged anywhere," said Johnathan Nightingale, Mozilla's "human shield," aka its security user interface designer.

He described the private browsing process as this: you hit a button and everything past that point isn't logged. Then, at some point in the future, you hit the button again and it's as though what you just did never happened.

One possible use might be when someone other than the computer owner uses the browser.

"We looked at ways to do this, but the problem is that it touches a lot of code," Nightingale said. "Because there are such rich interactions with Web sites and mashups and things like that, we didn't want to put in something that was half baked."

You can hear more of my interview with Nightingale on my Security Bites podcast here.

[bigfeet123]

yea right, we believe that. can we say "sold out to big brother"

[Penguinisto]

Err, make it an add-on? Firefox has literally hundreds (if not thousands) of nice little add-ons that you can get for free - hosted by Mozilla no less. It wouldn't take much to build and distribute a free add-on that allows one-click private browsing (basically it changes your settings to disallow cookies and such without having to make those settings yourself). In other words, I just don't get the hubbub over it. Besides, for perfectly pure browsing, a public proxy or a site like pagewash.com will do the trick of anonymizing far more efficiently and thoroughly.

[Lerianis]

The problem there is that a lot of sites will not work without caching, cookies, etc.
The guy writing this article was right on the money with the reasons why this would absolutely no work with the code base of today.

[rockosmodurnlife]

If it wouldn't take much, then why don't you do it?

[trevorbsmith]

I know what you meant to write, partly because I have enough technical background to know that it's not possible to "surf the web and leave no fingerprints" and partly because I use Safari on a Mac which already has this Private Browsing feature (and has had for some time).

However, your brief story above MIGHT mislead some readers into thinking that the proposed Firefox feature or the current Safari feature can actually allow you to surf the web without leaving "any fingerprints" on other web sites' logs. This is inaccurate. All your web browsing will still be recorded, most likely, it will just be less immediately obvious to the owners of those web sites or to 3rd parties (e.g. law enforcement) that it was you that did the browsing. The log of your visit will still exist, your computer's IP will still be recorded, etc.

This feature does/will eliminate "any fingerprints" of the activity on YOUR computer. It will only LI MIT the identifying information (through temporarily disabling cookies, for example) sent to other web sites.

[vorsprung_durch_technik]

This comment is spot on.

[Fil0403]

Any ideas when your Super "Safari on a Mac" will have anything like a Phishing filter? Having in mind the amount of time it took to have something so trivial as a "Find" tool (something Internet Explorer has had for ages), I would say maybe in a couple of years, LOL.

[bobcode]

Private Surfing is simply no cookies and history saved on the local computer. The evident is not on the local computer. Cookies and history is the simplest way to show where someone surfed.

[Lerianis]

A better way to prevent this is to allow ANYONE to clear the browser with that 'Ctrl-shift-del' shortcut key or by simply having a thing on the computer saying "Clear browser history".
Personally, I clear my browser history multiple times every single day, for numerous reasons.... why wouldn't other people do that.

[Fil0403]

@ Lerianis: Because not everyone is paranoid.

[oh4real]

Use memcache or similar!

Private Browsing should very, very easy to implement. User turns on Private caching and browser continues to 'log' everything, cookies/history/files/form fields but caches them in memory. Once instance of browser is closed, memory and cache is gone - no history of visit on computer.

Global Private Browsing: When visitor surfs a site or revisits during same instance of browser, browser gets cookie request from host server, writes cookie, checks form fields, etc. and checks cache instead of hard drive.

Site-specific Private Browsing: When visitor surfs a domain they've designated in prefs as private browsing site, browser only checks/writes to cache.

Yes, this could make memory rather large if user has global private browsing on but that is the user issue and they can always just restart firefox to clear memory and go again.

How does Safari do it? Does it write everything to special folder and overwrite it when session ends?

[vorsprung_durch_technik]

So how do we get a hold of "memcache"? Is that an about:config setting, some third party "for cost" sever/client utility, an esoteric add-on, or ???

Please let us know?

[Fil0403]

Probably no one knows (how Safari does it). They just claim to do it and Apple sheeps believe not only that it does as that it is perfect. Kinda the same way they claim Macs to be immune to malware and not crash and Apple sheeps just believe it.

@ vorsprung_durch_technik: you can very easily do that in Windows by creating a RAM disk drive. Just Google it and you'll find plenty of information.

[celticbrewer]

FireFox2 (and I'm sure most prowsers) under settings and security will let you clear your history, cache, cookies, and more automatically (with or without prompting) when you close the browser. I'd think that'd be good enough for most people. And trevor is right, this would only give privacy from the local computer's stance. Any intereactions from your ISP forward can still be logged by IP, sessions, database interactions, etc...

[Fil0403]

Good enough for most people, yes, not good enough for paranoid people...

[demon0]

There is an add-on for Firefox that accomplishes this already. It's called Stealther and is available through the Mozilla Add-ons site. It makes an entry in the Tools menu, and when you activate it, it disables cookies, history, etc. It works pretty well for my purposes.

[Fil0403]

Weird that the Mozilla team was working so hard on a feature that is already implemented in a simple add-on for Firefox 2 and even stated that it won't be in Firefox 3 because it requires a lot of code changing, isn't it?

[gwilliamp]

Us a sandbox.

I use the free and excellent Sandboxie. On starting a sandboxed FF session it only takes a few seconds extra for the browser to start. Once I have finished browsing I delete the entire sanadbox. ALL logs and cache are GONE.

[Fil0403]

I assume you don't read a lot of PDFs online nor upload many files (like pictures) to the Web.

[oh4real]

Deleting cookies and cache is not enough - you do that manually for pron sites already. Until the disk space is overwritten, it is still there. That's why memcache is the only real way to do it. Memory is overwritten to empty when application closes.

[Fil0403]

Memcache is no real way to do it, Memcache is simply a (supposed) more efficient and practical way of doing it (that won't be in Firefox 3).

[rranjan123]

Why can't they make private browsing password protected. If someone other than the owner of the computer uses it without prior permission he/she should be asked to enter a password to use private browsing. I agree it should not be at the click of a button but completely getting rid of it is no solution.

[alleyg]

A good general solution for a guest user is to have a separate guest account on the computer, so the guest's activities won't change anything for the primary user. In Mac OS X you can enable a Guest account. When a guest logs in, they get their own private data area to play in, and when they log out, all their data goes poof!

[Fil0403]

You basically described UAC for Vista in a specific situation (which, ironically, most people ignorantly complain about).

@ alleyg: In Windows Vista you can enable a Guest account too and the best thing is, when the user logs out, their data is not erased, so one can actually use it in a productive way!

[bluewolf815]

It already exists in prior versions of Firefox as an add-on under the name "Distrust"

[Fil0403]

How ignorant of Mozilla to (unsucessfully) work so hard on a feature that already exists, isn't it? Maybe you should enlighten them.

[vorsprung_durch_technik]

So what is/where do we get "memcache"?

[Jag99]

The best Firefox add-on to accomplish this is Distrust. Once you install the add-on an eye shaped icon shows appears at the bottom right corner of the browser. Click on it and from that point on everything you do will be tracked by distrust (including files that you download on desktop etc), surf as much as you like and open new tabs etc, when done, just click on it again and everything will be erased (all new windows will be automatically closed also). You will be left with the page where you initially started from. Below is the link...trust me it is awesome.

https://addons.mozilla.org/en-US/firefox/addon/1559

[vorsprung_durch_technik]

@Jag99, it doesn't appear to me that the Distrust add-on works on Firefox 3.x, so it is useless to me, alas.

[alleyg]

?FireFox2 (and I'm sure most prowsers) under settings and security will let you clear your history, cache, cookies, and more automatically (with or without prompting) when you close the browser. I'd think that'd be good enough for most people....?

That's fine, if you don't mind losing ALL history and cookie info.

[Fil0403]

As I said before, good enough for most people, yes, definitely, just not good enough for paranoid people, LOL.

[eglazier]

first learn how to spell or at least get rid of the sophomoric title of the blog. why should and 'expert' act like a child?

D3F3NS3 1N D3PTH indeed

[Fil0403]

LOL

[Jim1921]

That is because FF 3's awesome bar utilizes you history and bookmarks to give you suggestions whenever you type in the address bar. Poor decision on Mozilla's part, and quite a security risk for many. BIG MISTAKE Mozilla

[Fil0403]

Internet Explorer already has "private browsing": Tools > Internet Options > Browsing History > Delete... > Delete all....

[Fil0403]

Even easier: Tools > Delete Browsing History... > Delete all....

[lynjs]

Yep, sold out to big brother, big time. It needs to be listed as an add on for those who share computers.

[seybernetx]

Yeah. They could offer this and a keystroke monitor in one package.

(joke)

(i think)