If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Rate Thread | Display Modes |
#1
|
|||
|
|||
Separate browser windows
I don't know whether this is a Windows thing or varies by browser.
My question is, if I have open two windows (not tabs) of Firefox, or two of Chrome, or two of any browser -- if I open, say, my bank account or other secure Web site in one window, is it sufficient for security to close that window after logging off, or should I close all open windows of the browser? Asked another way, when two windows are open in a browser, can a malicious Web site accidentally opened in one access the usernames and passwords I have typed in the other? If it matters, I don't let any browser store usernames and passwords; those are all in an external non-Cloud password manager. -- Stan Brown, Oak Road Systems, Tompkins County, New York, USA http://BrownMath.com/ http://OakRoadSystems.com/ Shikata ga nai... |
Ads |
#2
|
|||
|
|||
Separate browser windows
Stan Brown wrote:
I don't know whether this is a Windows thing or varies by browser. My question is, if I have open two windows (not tabs) of Firefox, or two of Chrome, or two of any browser -- if I open, say, my bank account or other secure Web site in one window, is it sufficient for security to close that window after logging off, or should I close all open windows of the browser? Asked another way, when two windows are open in a browser, can a malicious Web site accidentally opened in one access the usernames and passwords I have typed in the other? If it matters, I don't let any browser store usernames and passwords; those are all in an external non-Cloud password manager. Neither of these, offers that kind of promise. https://en.wikipedia.org/wiki/Process_isolation https://en.wikipedia.org/wiki/Privacy_mode Notice how in the second article, it took security researchers to figure out what it's really good for (section half way down the page on the second link). It may require post-analysis, to figure out how safe it really is. I'd just use two separate browsers, to put your mind at rest. As you're unlikely to strike up a conversation with a Firefox developer, to get a very exact answer. And in terms of leakage paths, both main system memory, and GPU video card memory, can both contain information from a session. The video card memory has pictures of screens you've been viewing, which have been "composited" in that memory. I expect your best protection there, is via obscurity (nobody will be able to figure out how to "sweep" that memory). Paul |
#3
|
|||
|
|||
Separate browser windows
Paul wrote:
Stan Brown wrote: I don't know whether this is a Windows thing or varies by browser. My question is, if I have open two windows (not tabs) of Firefox, or two of Chrome, or two of any browser -- if I open, say, my bank account or other secure Web site in one window, is it sufficient for security to close that window after logging off, or should I close all open windows of the browser? Asked another way, when two windows are open in a browser, can a malicious Web site accidentally opened in one access the usernames and passwords I have typed in the other? If it matters, I don't let any browser store usernames and passwords; those are all in an external non-Cloud password manager. And Firefox isn't even sliced the way I expected. One process holds the UI (window decorations, controls), while a second process holds all the web page contents. https://developer.mozilla.org/en-US/...rocess_Firefox "In future iterations, we expect to have more than one content process." Paul |
#4
|
|||
|
|||
Separate browser windows
On 10/9/2017 4:43 PM, Stan Brown wrote:
I don't know whether this is a Windows thing or varies by browser. My question is, if I have open two windows (not tabs) of Firefox, or two of Chrome, or two of any browser -- if I open, say, my bank account or other secure Web site in one window, is it sufficient for security to close that window after logging off, or should I close all open windows of the browser? Asked another way, when two windows are open in a browser, can a malicious Web site accidentally opened in one access the usernames and passwords I have typed in the other? If it matters, I don't let any browser store usernames and passwords; those are all in an external non-Cloud password manager. With SeaMonkey (and thus I assume also Firefox since they share the same core components), you get only one process whether you have multiple windows, multiple tabs, or multiple windows each with multiple tabs. To see whether this is true for any browser: 1. Launch multiple windows. 2. Open the Windows Task Manager. 3. On the top of the Process tab, select Image Name to sort the processes alphabetically. 4. Scroll down to find an instance of the browser's process, which will be the name of the browser's .exe file. Check to see whether the process appears only once or multiple times. -- David E. Ross http://www.rossde.com/ By allowing employers to eliminate coverage for birth control from their insurance plans, President Trump has guaranteed there will be an increase in the demand for abortions. |
#5
|
|||
|
|||
Separate browser windows
David E. Ross wrote:
On 10/9/2017 4:43 PM, Stan Brown wrote: I don't know whether this is a Windows thing or varies by browser. My question is, if I have open two windows (not tabs) of Firefox, or two of Chrome, or two of any browser -- if I open, say, my bank account or other secure Web site in one window, is it sufficient for security to close that window after logging off, or should I close all open windows of the browser? Asked another way, when two windows are open in a browser, can a malicious Web site accidentally opened in one access the usernames and passwords I have typed in the other? If it matters, I don't let any browser store usernames and passwords; those are all in an external non-Cloud password manager. With SeaMonkey (and thus I assume also Firefox since they share the same core components), you get only one process whether you have multiple windows, multiple tabs, or multiple windows each with multiple tabs. To see whether this is true for any browser: 1. Launch multiple windows. 2. Open the Windows Task Manager. 3. On the top of the Process tab, select Image Name to sort the processes alphabetically. 4. Scroll down to find an instance of the browser's process, which will be the name of the browser's .exe file. Check to see whether the process appears only once or multiple times. I just checked, and it seems to be using a process per tab in Firefox 56. The last time I checked for this (in an earlier Firefox) it wasn't doing that. https://s1.postimg.org/9a5c7gvlfj/FF56_process.gif With one tab, there are four processes in Task Manager With two tabs, there are five processes in Task Manager Paul |
#6
|
|||
|
|||
Separate browser windows
On 10/9/2017 8:34 PM, Paul wrote:
David E. Ross wrote: On 10/9/2017 4:43 PM, Stan Brown wrote: I don't know whether this is a Windows thing or varies by browser. My question is, if I have open two windows (not tabs) of Firefox, or two of Chrome, or two of any browser -- if I open, say, my bank account or other secure Web site in one window, is it sufficient for security to close that window after logging off, or should I close all open windows of the browser? Asked another way, when two windows are open in a browser, can a malicious Web site accidentally opened in one access the usernames and passwords I have typed in the other? If it matters, I don't let any browser store usernames and passwords; those are all in an external non-Cloud password manager. With SeaMonkey (and thus I assume also Firefox since they share the same core components), you get only one process whether you have multiple windows, multiple tabs, or multiple windows each with multiple tabs. To see whether this is true for any browser: 1. Launch multiple windows. 2. Open the Windows Task Manager. 3. On the top of the Process tab, select Image Name to sort the processes alphabetically. 4. Scroll down to find an instance of the browser's process, which will be the name of the browser's .exe file. Check to see whether the process appears only once or multiple times. I just checked, and it seems to be using a process per tab in Firefox 56. The last time I checked for this (in an earlier Firefox) it wasn't doing that. https://s1.postimg.org/9a5c7gvlfj/FF56_process.gif With one tab, there are four processes in Task Manager With two tabs, there are five processes in Task Manager Paul Strange! With four tabs plus three single-tab windows open for SeaMonkey, I get only one process. However, my SeaMonkey 2.48 is based on Firefox 51.0, not 56. -- David E. Ross http://www.rossde.com/ By allowing employers to eliminate coverage for birth control from their insurance plans, President Trump has guaranteed there will be an increase in the demand for abortions. |
#7
|
|||
|
|||
Separate browser windows
On Mon, 09 Oct 2017 23:34:20 -0400, Paul wrote:
I just checked, and it seems to be using a process per tab in Firefox 56. So long as all your extensions are multiprocess compatible. For example, User Agent Switcher is not multiprocess compatible. Here I get only one process whether I have multiple windows, multiple tabs, or multiple windows each with multiple tabs. The last time I checked for this (in an earlier Firefox) it wasn't doing that. https://s1.postimg.org/9a5c7gvlfj/FF56_process.gif With one tab, there are four processes in Task Manager With two tabs, there are five processes in Task Manager -- Kind regards Ralph 🦊 |
#8
|
|||
|
|||
Separate browser windows
On Mon, 9 Oct 2017 19:43:10 -0400, Stan Brown
wrote: I don't know whether this is a Windows thing or varies by browser. My question is, if I have open two windows (not tabs) of Firefox, or two of Chrome, or two of any browser -- if I open, say, my bank account or other secure Web site in one window, is it sufficient for security to close that window after logging off, or should I close all open windows of the browser? As others have pointed out, there is no easy and quick answer to this, and certainly the answer will be different even between different versions of the same browser, let alone between browsers. For Firefox, at least legacy and possibly current versions, see below, but if you're in the habit of visiting 'dodgy' sites, you'd do better to do that on an entirely seperate PC, perhaps even in a VM which is 'reset' back to a known state at the start of every session. However, for something a bit simpler than that, it may or may not be relevant that I once asked a similar question of the Firefox developers, but it was several years ago and in relation to debugging - I was developing a process for a web page that, until I got it right, tended to hang the browser, and I hadn't got to the point of devising an 'escape' mechanism should this happen, so I wanted to isolate the web-page I was developing in a seperate process from other tabs and windows already open, so that I didn't lose my normal everyday content if made a mistake and hung the browser. To my surprise and disappointment, I'd discovered that just using a second window for development work did NOT achieve such isolation. I was advised to create a seperate profile, using switches on the FF command-line. The switch to choose an existing profile is -P profile name. Hence, I have now two profiles and two shortcuts: "path\firefox.exe" -P everyday profile name "path\firefox.exe" -P debug profile name I can't remember now what switch creates a new profile, but you could edit ... %USERPROFILE%\Application Data\Mozilla\Firefox\profiles.ini .... and duplicate the section for your existing profile, giving the copy a new section name, then copy the contents of your existing directory ... same path as above*\profiles\name .... into a new directory ... same path as above*\profiles\new name * Or if you wish, you can edit this path in profiles.ini to keep one or both the profiles on a 'data' partition which is seperate from the 'system' partition. This is not the near total isolation such as you'd get from a VM, but at least it will ensure that the Firefox windows do indeed use seperate processes. -- ================================================== ====== Please always reply to ng as the email in this post's header does not exist. Or use a contact address at: http://www.macfh.co.uk/JavaJive/JavaJive.html http://www.macfh.co.uk/Macfarlane/Macfarlane.html |
#9
|
|||
|
|||
Separate browser windows
On Mon, 9 Oct 2017 19:43:10 -0400, Stan Brown wrote:
I don't know whether this is a Windows thing or varies by browser. Asked another way, when two windows are open in a browser, can a malicious Web site accidentally opened in one access the usernames and passwords I have typed in the other? If it matters, I don't let any browser store usernames and passwords; those are all in an external non-Cloud password manager. Thanks to all who have answered. I'm not in the habit of _knowingly_ visiting dodgy sites, but a worst-case scenario would be if say my bank's site is taken over by hackers. I normally run with Javascript off, but have to turn it on for banking and a few other commerce sites. Paul's test was simple and elegant: an extra tab meant an extra process. But it seems I still can't count on isolation, based on some other comments. So it's either install a second browser, or continue closing the browser and then reopening it when both sites need Javascript. I'm under no illusion that that's perfect security, but there's no such thing as perfect security. It's always a tradeoff between getting things done and one's individual level of paranoia. Mine is higher than most about some things, like Javascript. -- Stan Brown, Oak Road Systems, Tompkins County, New York, USA http://BrownMath.com/ http://OakRoadSystems.com/ Shikata ga nai... |
#10
|
|||
|
|||
Separate browser windows
On Mon, 09 Oct 2017 21:06:22 -0400, Paul wrote:
And Firefox isn't even sliced the way I expected. One process holds the UI (window decorations, controls), while a second process holds all the web page contents. https://developer.mozilla.org/en-US/...rocess_Firefox "In future iterations, we expect to have more than one content process." Thanks for this, Paul! I see the page is dated 8 May 2017, but the "future iterations" sentence could of course have been written much earlier. One of my beefs with Fore fox is that none of the pages seem to specify which release numbers they apply to, and Firefox changes so often that I've often found that a page describes a solution from some older version of the GUI. -- Stan Brown, Oak Road Systems, Tompkins County, New York, USA http://BrownMath.com/ http://OakRoadSystems.com/ Shikata ga nai... |
Thread Tools | |
Display Modes | Rate This Thread |
|
|