New Tab preview window showing sensitive encrypted information!

  • 24 replies
  • 37 have this problem
  • 5 views
  • Last reply by cor-el

more options

A recent update to my Mozilla Firefox for desktop has raised an interesting issue. The new Tab function shows sample windows of sites previously visited. I appreciate this function can be switched off, however I found preview images of my bank account complete with statement pages and other supposedly encrypted information. The fact this information has been saved on my browser would make a nonsense of my Bank's security?

All Replies (20)

more options

The New Tab Page feature may be temporarily turned off or totally disabled relatively easily, but you are correct it may disclose information.

I am sure this is a potential security issue that would have been considered when the feature was implemented. There are of course the options of

  • using the OS to create separate accounts for different users
  • (It is also possible to set up separate Firefox profiles for separate users, but it is simpler to use the OS)
  • using private browsing when doing banking etc

Also besides temporarily toggling the feature on and off with (click icon top right in new tab) it may be turned off to revert to the old type pages by using about:config.

The feature is picking up cached information. Anyone with access to the Firefox account and knowledge of cache use would be able to obtain the same sort of information as is shown on the New Tab Page, so rather than being a security risk perhaps consider it as a reminder of what information you are leaving lying around on the computer, and whether you should tighten up on access policies, and ensure sensitive information is removed.

more options

John, this is not 'information left lying around on my Computer' as you put it, it is information from an encrypted site, accessed via various (3 sets) passwords! Toggling the feature on and off just hides the feature from view, it does not prevent the Browser from obtaining and storing this information. I am not an IT expert and not privy to all the tricks and traps in modern day internet access. I am using standard software on a standard computer, accessing my high street bank through their supplied software and encrypted portal. This service is available to me throughout the world on any computer with internet access. I am just amazed that this information is then available to anybody else subsequently using these computers, even having logged out! This feature has also exposed emails, Facebook pages and other sites visited by myself. Although not embarrassing to me, it could be disastrous for other users! I understand that I should tighten up my security and use private browsing (whatever that is?) but as I remarked earlier, I am not an IT Geek and am using the software as presented to me, like (I am sure) 99.9% of other users. This feature has only appeared recently and would seem to be a new update? Whatever it is it would seem to be exposing a serious problem with web browsers....

more options

You say

Toggling the feature on and off just hides the feature from view, it does not prevent the Browser from obtaining and storing this information.

That is true, but the feature can be turned off see

I agree it is exposing potentially sensitive information, and that such problems exist on other browsers.

This happens because details of browser pages are cached. Consider it like going into your bank, you may need to pass security check, and have keys, but can then walk out with statements, cash and safe-deposit content in your briefcase. If you lose the briefcase you lose the valuables. It would have been safer to use electronic transfer and bank courier services instead.

This service is available to me throughout the world on any computer with internet access. I am just amazed that this information is then available to anybody else subsequently using these computers, 

The information displayed in the NewTab Page is information that is stored on your computer. Unless you transfer that information, or recreate it, it is NOT available to others all over the world. If you use Private Browsing that information will not be retained and will not even show up on your computer.

The private browsing option removes most of this risk because it does not save unnecessary information. It is explained in the article I linked to:

The article contains explanatory notes and you may find it worth reading.

There are all manner of potential pitfalls and security problems with using computers. Good practice would be to make use of private browsing where necessary, and to consider restricting access to your computer and to the computer OS accounts that you personally use. You are using Windows 7; it may be wise to set that up with passwords, and to use separate Windows 7 accounts for separate users, or at least one for admin, one for you, and one for other users.

Another problem is that deleted files are not normally deleted, the computer only does the equivalent of crossing out the index to them, or maybe storing it in the "rubbish bin" so you can get them back easily! but that is a slightly different subject.

more options

unclepeter,

I am not seeing that happen with secure, encrypted HTTPS pages that I load from the NewTab page. What the NewTab is showing is your "browsing history" - if that is a problem for you, clear your browsing history when Firefox closes.

The few times one of my secure banking pages did appear in a NewTab, when I did load that page by clicking on it in the NewTab it came up as
Not Authenticated
Your session has not been authenticated or has timed out. Please log in again

because I wasn't logged in. I trust that you are logging out of secure websites each and every time you use those websites?

more options

ed, I have logged out of these sites. If you read the previous threads you will note that the screen-shots are the problem! They show the encrypted information even after you have logged out of the site, try it yourself! Yes, clearing your browser history does delete this information, however this is a proactive function and is not automatic. However this is not the point! The encrypted information is stored by the browser after you have logged out of the site. That is the issue!

more options

It is always best to switch to Private Browsing if you want to prevent Firefox from storing data on disk from sensitive sites.

Not using the new tab page will only hide that the cache and history data is stored on disk and can be retrieved or accessed in various ways (e.g. switching to offline mode and accessing the page via the history).
The new tab page only makes you aware of such 'features'.

You can also Clear Recent History to clear data from the last hour(s).

Modified by cor-el

more options

Not only that, after you sign out and close your banking tab, leaving other tabs open, type "about:cache" in the URL address bar.

Check out the memory cache and you'll see all your banking data. Until you completely close Firefox, the data in memory will remain in your memory cache - YIKES!

Modified by sroberts

more options

sroberts, you've hit the nail on the head, 'yikes'!! I've switched to private browsing but when I switch private browsing off, back come the snapshots! The only solution I can see is for the site preview function to only show the signing in portal on encrypted sites and nothing past that point? What do you think? Is it possible?

Modified by unclepeter

more options

For the sake of security, many sites, including banks, recommend closing the browser and clearing your browser cache after logging off. What does your bank recommend?


If this reply solves your problem, please click "Solved It" next to this reply when signed-in to the forum.

more options

To not use Firefox.

Google Chrome, IE and others clear the memory cache on the close of the tab; not the browser. (i.e. they honor the no-store directive under https.)

Modified by sroberts

more options

If the site developer knows the difference between the Cache-Control: no-cache and Cache-Control: no-store and has used the appropriate header on their page:

My bank, a major U.S. bank, appears to use Cache-Control: no-cache throughout their site.

Taking the short time necessary to close your browser and clear its cache seems a short time well spent to me. That depends on how highly you rank your online security. I usually operate in Private Browsing mode anyway and clear all cookies, all, etc., on closing, which I do multiple times per day and do not store passwords in my browser. Not necessarily appropriate for all users, but works great for me.

Modified by SafeBrowser
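
The difference between `Cache-Control: no-cache` and `Cache-Control: no-store` raised in the reply above, as an added example that is not part of the thread. It reports what the HTTP caching rules allow a browser cache to do with a response, not what any particular browser actually does; `bank.example`, the `sensitive` flag and the function names are assumptions made for illustration.

```javascript
// Added example. Sample responses are constructed; bank.example is a placeholder.

// Parse a Cache-Control value into a Map of lowercase directive -> argument
// (true when the directive has no argument). Quoted arguments may contain commas.
function parseCacheControl(value) {
  const directives = new Map();
  const token = /([A-Za-z0-9_-]+)(?:\s*=\s*(?:"([^"]*)"|([^,\s]*)))?/g;
  for (const m of (value || "").matchAll(token)) {
    directives.set(m[1].toLowerCase(), m[2] ?? m[3] ?? true);
  }
  return directives;
}

// What a conforming private (browser) cache is allowed to do with a response.
function browserCachePolicy(headers) {
  const cc = parseCacheControl(headers["cache-control"]);
  // no-store: no part of the response may be written to any cache.
  if (cc.has("no-store")) return "must-not-store";
  // Unqualified no-cache: a copy may be kept, but it must be revalidated
  // with the server before it is reused.
  if (cc.get("no-cache") === true) return "store-but-revalidate";
  return "may-store-and-reuse";
}

// Hypothetical audit helper: list sensitive responses that a cache may keep.
function auditSensitive(responses) {
  return responses
    .filter((r) => r.sensitive && browserCachePolicy(r.headers) !== "must-not-store")
    .map((r) => `${r.url}: ${browserCachePolicy(r.headers)}`);
}

// Constructed sample; header names are lower-cased as Node's http module reports them.
const SAMPLE = [
  { url: "https://bank.example/login", sensitive: false,
    headers: { "cache-control": "max-age=600" } },
  { url: "https://bank.example/statement", sensitive: true,
    headers: { "cache-control": "no-cache, must-revalidate" } },
  { url: "https://bank.example/transfer", sensitive: true,
    headers: { "cache-control": "private, No-Store" } },
  { url: "https://bank.example/profile", sensitive: true, headers: {} },
];

console.log(auditSensitive(SAMPLE));
```

In the sample, the statement page sent with only `no-cache` is flagged because a copy may still be kept locally, while the transfer page sent with `no-store` is not.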

more options

Sorry Safebrowser, totally over my head! I see the problem as being out of the control of your average online bank customer. You give proactive steps to avoid encrypted information being available to others but this is not the point! I am sure if I spent 3 months at night-school, purely dedicated to IT security, I would be able to operate a reasonably secure PC. My original query was that an update to my Browser was causing this issue. There must therefore be an update to cure this?

more options

The update to Firefox 13 just made the fact of the data stored on your computer more visible to you on the New Tab Page.

It is up to the website to use the proper "no store" header so that the information will not be written to your cache. I do not know how/if Firefox handles the "no store" header as I am not well versed in that area of Firefox.

I know of no change proposed at this time to Firefox future versions.

When accessing your bank, I would suggest that you

  1. close all Firefox sessions
  2. start a new session and switch to Private Browsing (See --> https://support.mozilla.org/en-US/kb/private-browsing-browse-web-without-saving-info )
  3. do your banking
  4. when finished, be sure that you have the appropriate setting to clear the cache in Options > Privacy > [x] Clear history when Firefox closes > Settings > [x] Cache (do not check other items unless you want them cleared), then close Firefox. See --> https://support.mozilla.org/en-US/kb/settings-privacy-browsing-history-do-not-track
  5. after restarting (not in Private Browsing), you may want to do the following for reassurance

Hope this helps and works to alleviate your concerns.

More about New Tab Page --> https://support.mozilla.org/en-US/kb/new-tab-page-show-hide-and-customize-top-sites and https://support.mozilla.org/en-US/kb/thumbnails-on-new-tab-page-are-missing



Modified by SafeBrowser

more options

SafeBrowser, wrote, "It is up to the website to use the proper "no store" header so that the information will not be written to your cache. I do not know how/if Firefox handles the "no store" header as I am not well versed in that area of Firefox."

The websites I'm using as an example do use the correct directives.

There are two types of cache to consider, disk and memory.

Firefox ignores HTTPS NO-STORE directives as it relates to memory cache if the tab is closed but the browser stays open.

unclepeter has it right, browser developers need to make sure these kinds of things simply work.

I'm not an Apple fan but, making things "just work" certainly helped their success.

more options

sroberts:

We are all uncompensated volunteers here to help users find solutions to problems. We are not the developers.

If you can post an instance with all the necessary details to replicate the problem, post it here --> https://bugzilla.mozilla.org/
If you know the code that you believe will solve the problem within Firefox, post that so that the developers can review it.
Otherwise, good luck with Apple's browser.

I presented a solution that I know will work for the original poster.

more options

Sorry SafeBrowser, no offense intended. I'm just trying to provide facts and provide some healthy discussion with the group on a serious issue.

I'm not a developer either, just reading up on the issues. I don't use Apple's browser, I use Chrome and Firefox on Windows.

I agree with you the simplest temporary is Private Browsing.

Is there a bug for unclepeter's issue?

If there is it might be helpful to link it here so that it can be tracked to a resolution.

more options

Hi sroberts,
I have not specifically checked for a bug (the new tab privacy issue).

This is a subject I would rather leave to others to discuss. I am attempting to add brief constructive comments to your healthy discussion.

I did mention security issues would have been considered when developing the feature, although IIRC perhaps surprisingly no specific security review was mentioned in the article I found, it was marked as unnecessary.

I would not expect there to be a bug for this issue. In my opinion, the issue in the eyes of the developers is perhaps that the new feature highlights and alerts users to data already stored and existing on the computer, and is thus a security enhancement!

File a bug if you wish, but probably there is little chance of it progressing unless you are first of all able to open discussion with developers and have them agree this is a problem. That is unlikely to be achieved by discussing in this forum (most developers will not monitor the site). You would presumably need to use one of the developers' newsgroups.

Certainly you or anyone else may use the feedback option, that is monitored and information made available to developers. There is a menu button or use

from a current Firefox version.


N.B.
NO-STORE

If you are talking about your concerns that Firefox does not use the header https no-store correctly it may be worth opening a new thread about that. Provide again what links and evidence you are able to.

I agree this is a factor that seems to need clarification. No doubt knowledgeable contributors/staff will quickly provide reassurance that Firefox is using this correctly.

If you do open a thread mention it in this one so that we may all find it.

I admit I do not at present know the answer, but if necessary I will obtain advice to ensure a correct factual answer is provided. (I did find Bug 338542 & 340041)

more options

Forgive me if I am wrong but I thought this was the Mozilla Firefox help Forum? If the developers are not reading it then I give up!

more options

The "Forum and chat rules and guidelines" states the purpose in the first bulleted item:

  • Posts in the Firefox support forum must be either questions about the use of Firefox or answers to those questions... (underscore/bold added)

That is true of most forums for various browsers. The developers of all browsers are always busy investigating and correcting found security and stability issues as well as developing the next version(s) of the browser.

As stated earlier, the item in your original question concerning pages being saved in your cache is not new and is not unique to Firefox. The New Tab Page just makes what has always been saved to your hard drive more visible to you.



Modified by SafeBrowser

more options

I appreciate everybody is trying to be helpful but links and fixes are not the issue. Private browsing only hides the information from view, as soon as you switch off Private Browsing, back comes the encrypted information. This is not just my problem, this is a problem for us all! I can understand the convenience of previewing sites you have used recently, however snapshots of encrypted information, even when you have signed out of the site, would seem to be utter madness!
