Mozilla details the "referrer trimming" feature that will strengthen privacy protection in Firefox 59


By Thanh Nguyen

Firefox 59, the web browser scheduled for release on March 13, 2018, will trim part of the referrer value (the URL of the page a user came from, sent in the HTTP Referer header) while private browsing mode is in use. Mozilla announced the feature on the Mozilla Security Blog on January 31, 2018. By turning private browsing mode on or off, Firefox users can control how much of the URL of the page they are browsing is passed on to other sites, strengthening the protection of their private information.

Preventing data leaks by stripping path information in HTTP Referrers | Mozilla Security Blog
https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/

The plan to partially trim the URL sent as the referrer had already been announced on a Mozilla blog on January 26, 2018; after Mozilla studied the browsing activity of about 19,000 users, it was given concrete form in this announcement. In Firefox 59, when browsing in private browsing mode, the URL sent as the referrer is trimmed, so less information flows to the third-party sites that are loaded as content embedded in the page being visited, and privacy protection is strengthened.

On the Mozilla Security Blog, Mozilla uses a survey report by the Electronic Frontier Foundation (EFF), which found that personal information of HealthCare.gov visitors was leaked through tracking, both as a concrete case of the danger of referrer leaks and as an example of the referrer that Firefox 59 will protect. According to the report, the personal health data entered by visitors to the US government health insurance site healthcare.gov was leaked to doubleclick.net, which sets a tracking cookie in the browser, through the referrer collected alongside that cookie. The referrer collected was the following URL.


https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&pregnant=1&zip=85601&state=AZ&income=35000


As the "age=40" in the query string of this referrer shows, the doubleclick.net side, which the user never knowingly interacted with, can learn that the healthcare.gov user is 40 years old. Likewise, "smoker=1" reveals whether the user smokes, "pregnant=1" whether the user is pregnant, "zip=85601" the user's postal code, and "income=35000" the user's income.

Referrer leaks through other routes are also a concern: vulnerabilities of this kind have been discovered unexpectedly on websites such as Dropbox and Facebook.

To prevent referrer leaks of this kind while users are using Firefox, Mozilla wrote on the security blog that it is changing what the referrer carries in private browsing mode. From Firefox 59, the referrer trimming function cuts down the referrer information sent to third-party sites, as in the case above. The trimming follows the referrer policy value strict-origin-when-cross-origin: the full URL is still sent for requests to the same origin, only the origin (scheme and host) is sent to other origins, and no referrer at all is sent when moving from an HTTPS page to an HTTP page.

For example, while browsing healthcare.gov in private browsing mode in Firefox 59, the referrer URL containing the personal information...

https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&pregnant=1&zip=85601&state=AZ&income=35000


is trimmed down to the origin, as follows.

https://www.healthcare.gov/


In this way, by choosing private browsing mode, Firefox 59 users avoid sending the full referrer to third-party sites they never deliberately visited. Mozilla says it made the change confident, on the basis of its study, that it will not break the websites users rely on.


Mozilla recommends that site vendors and operators take the occasion to improve the privacy, security and functionality of their websites. Mozilla also points to the Referrer Policy recommendation drafted in 2014 by the World Wide Web Consortium (W3C) Web Application Security Working Group, which lets vendors and site operators control the referrer their pages send, and notes the danger in that control: a site can weaken the browser's more protective default, for example by setting a policy that sends the referrer where the browser normally would not, or by letting information from an HTTPS page flow to an HTTP page (the policy value unsafe-url).

Mozilla takes the position that a site operator who sets a referrer policy has deliberately changed the referrer, and treats such settings as follows:

· a policy set on the website side applies regardless of whether Firefox is in normal or private browsing mode
· a site may set a referrer policy more liberal than the browser's default
· when a site does so, the browser respects the website operator's choice
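The policies discussed above (the strict-origin-when-cross-origin behaviour Firefox 59 adopts in private browsing, the no-referrer-when-downgrade behaviour it replaces for third-party requests, and the more liberal values a site can set under the W3C recommendation) are easiest to compare by computing what each would actually send. The following JavaScript is an added example written for this article, not Mozilla's code or Firefox's implementation; it implements the per-policy computation from the W3C Referrer Policy specification for the main policy values, using the healthcare.gov URL from the EFF report and an assumed tracker endpoint (https://ad.doubleclick.net/pixel, constructed for illustration) as inputs.

```javascript
// Added example for this article (not Mozilla's or Firefox's code): which Referer
// header a browser sends from a page to a request target under each W3C Referrer
// Policy value. Needs only the WHATWG URL class (Node.js 10+ or a modern browser).

// Referrer URL from the EFF HealthCare.gov report, quoted on this page.
const HEALTHCARE_URL =
  "https://www.healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&pregnant=1&zip=85601&state=AZ&income=35000";
// Assumed third-party tracker endpoint, constructed for illustration.
const TRACKER_URL = "https://ad.doubleclick.net/pixel";

// Origin form of a referrer: scheme://host[:port]/ with path and query removed.
function originOf(url) {
  return new URL(url).origin + "/";
}

// Full-URL form: the fragment and embedded credentials are never sent as Referer.
function fullReferrer(url) {
  const u = new URL(url);
  u.hash = "";
  u.username = "";
  u.password = "";
  return u.href;
}

// A request from an HTTPS page to an HTTP target is a "downgrade".
function isDowngrade(fromUrl, toUrl) {
  return new URL(fromUrl).protocol === "https:" && new URL(toUrl).protocol === "http:";
}

// Referer value to send from fromUrl when requesting toUrl, or null for no header.
function computeReferrer(policy, fromUrl, toUrl) {
  const sameOrigin = new URL(fromUrl).origin === new URL(toUrl).origin;
  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade": // browser default before this change
      return isDowngrade(fromUrl, toUrl) ? null : fullReferrer(fromUrl);
    case "same-origin":
      return sameOrigin ? fullReferrer(fromUrl) : null;
    case "origin":
      return originOf(fromUrl);
    case "strict-origin":
      return isDowngrade(fromUrl, toUrl) ? null : originOf(fromUrl);
    case "origin-when-cross-origin":
      return sameOrigin ? fullReferrer(fromUrl) : originOf(fromUrl);
    case "strict-origin-when-cross-origin": // Firefox 59 private-browsing default
      if (isDowngrade(fromUrl, toUrl)) return null;
      return sameOrigin ? fullReferrer(fromUrl) : originOf(fromUrl);
    case "unsafe-url": // most liberal value a site may set; leaks the path even on downgrade
      return fullReferrer(fromUrl);
    default:
      throw new Error("unknown referrer policy: " + policy);
  }
}

// Query parameter names the recipient of a given Referer value can read.
function leakedParams(referrer) {
  if (referrer === null) return [];
  return Array.from(new URL(referrer).searchParams.keys());
}

// Compare every policy for one page -> target pair; returns { policy: [param names] }.
function compareLeaks(fromUrl, toUrl) {
  const policies = [
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin",
    "unsafe-url",
  ];
  const result = {};
  for (const p of policies) {
    result[p] = leakedParams(computeReferrer(p, fromUrl, toUrl));
  }
  return result;
}

// Stand-alone demo: what the tracker learns from the query string under each policy.
for (const [policy, params] of Object.entries(compareLeaks(HEALTHCARE_URL, TRACKER_URL))) {
  console.log(policy.padEnd(34), params.length ? params.join(",") : "(nothing from the query string)");
}
```

Running the demo shows the difference that matters for the EFF case: under no-referrer-when-downgrade the tracker sees every parameter (county, age, smoker, pregnant, zip, state, income), while under strict-origin-when-cross-origin it sees only https://www.healthcare.gov/. The same function also shows why Mozilla flags site-set policies: with unsafe-url the full URL goes out even to an HTTP target, where the downgrade rule would otherwise have suppressed it.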

In addition, Mozilla publishes for Firefox users a way to change the referrer behaviour from the default settings (the network.http.referer.* preferences in about:config). Changing these options overrides both the browser's default referrer policy and the referrer policy set by website operators, giving the user's choice top priority.

By Robert Couse-Baker

On tracking by websites, Firefox 34.0.5 already implemented a countermeasure in private browsing mode against "super cookies" that ignore the browser's privacy mode. People who cannot tell how many third parties their browser connects to during ordinary browsing can install the Firefox add-on "Firefox Lightbeam" to see how many third-party sites their browser is connected to while they browse.

in Software,   Web Service,   Security, Posted by darkhorse_log