Bug#761984: private browsing mode unclear / leaks information across session
chrysn
chrysn at fsfe.org
Wed Sep 17 14:27:39 UTC 2014
Package: epiphany-browser
Version: 3.13.90-1
Severity: normal
the "--private-instance" mode of epiphany allows tracking a user across
different sessions, as can be shown using the evercookie website[1] by
invoking `epiphany -p`, going to the site, "create an evercookie",
closing the browser, invoking `epiphany -p` again, going there again and
clicking "rediscover cookies".

i would originally have reported this as security critical (earlier,
-p was described as "private browsing"), but now that epiphany has more
options (including --incognito-mode and --netbank-mode which i didn't
find documentation on), it is not clear any more whether -p is supposed
to invoke the expectation of private browsing, so the updated bug issue
is:

for the --private-instance option, it is not clear from either --help
or the man page whether a user can expect to be as unrelated to his other
browsing behavior as can be expected from a web browser (e.g. i'd
expect that there is no cross-session persistence, but wouldn't expect
tor-like anonymization).

[1] http://samy.pl/evercookie/
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages epiphany-browser depends on:
ii dbus-x11 1.8.8-1
ii epiphany-browser-data 3.13.90-1
ii gnome-icon-theme 3.12.0-1
ii gnome-icon-theme-symbolic 3.12.0-1
ii gsettings-desktop-schemas 3.12.2-1
ii iso-codes 3.56-1
ii libatk1.0-0 2.12.0-1
ii libavahi-client3 0.6.31-4
ii libavahi-common3 0.6.31-4
ii libavahi-gobject0 0.6.31-4
ii libc6 2.19-11
ii libcairo-gobject2 1.12.16-5
ii libcairo2 1.12.16-5
ii libgcr-base-3-1 3.12.2-1
ii libgcr-ui-3-1 3.12.2-1
ii libgdk-pixbuf2.0-0 2.30.8-1
ii libglib2.0-0 2.41.4-1
ii libgnome-desktop-3-10 3.12.2-2
ii libgtk-3-0 3.13.8-1
ii libjavascriptcoregtk-4.0-18 2.5.3+dfsg1-1
ii libnotify4 0.7.6-2
ii libnspr4 2:4.10.7-1
ii libnspr4-0d 2:4.10.7-1
ii libnss3 2:3.17-1
ii libnss3-1d 2:3.17-1
ii libpango-1.0-0 1.36.7-1
ii libpangocairo-1.0-0 1.36.7-1
ii libsecret-1-0 0.18-1
ii libsoup2.4-1 2.46.0-2
ii libsqlite3-0 3.8.6-1
ii libwebkit2gtk-4.0-37 2.5.3+dfsg1-1
ii libwnck-3-0 3.4.9-1
ii libx11-6 2:1.6.2-3
ii libxml2 2.9.1+dfsg1-4
ii libxslt1.1 1.1.28-2
Versions of packages epiphany-browser recommends:
ii ca-certificates 20140325
ii evince 3.12.2-1
ii yelp 3.12.0-1
epiphany-browser suggests no packages.
-- no debconf information
--
To use raw power is to make yourself infinitely vulnerable to greater powers.
-- Bene Gesserit axiom