Is firefox crash report secure/anonymous?
Is firefox crash report secure/anonymous? Does it capture ip address of the report sender? If the address of the page submitted during the crash contains personal information, should there be any privacy concern? I think the url during the crash is not visible in the crash report, but what is it used for and who has access to it?
Все ответы (7)
I think the site URL and email are protected and cannot be viewed using the public link to the crash-stats server. I've never noticed any IP address in the data. That seems very unlikely to be useful in figuring out the cause of the crash, so I would be surprised if it were collected with crash data.
IP addresses are usually stored in web server logs, which may be kept for varying length of time, but form data usually is not in web server logs, just the address of the page to which the form data was submitted.
Even though the url of the page is not published in the crash report for public viewing, it is captured anyway and what is it used for? Will be accessed by any chance and if the url contains personal information, should there be any privacy concern?
When the Mozilla Crash Reporter dialog pops up, you can select/deselect including the URL of the page in your report. I think the box is checked by default so if you did not deselect it then it probably was sent. Crash reports are used for detecting trends and major problems to prioritize developer attention. URLs sometimes are useful in this process. For example, if suddenly there are 500 new crashes a day only on one website after a change in Firefox, that could lead to reaching out to the site to have them change something, or at least help figure out the problem.
Now, regarding the URL leading to a page containing personal information, if the URL does not require a login to see the information, then you probably should not include it with your report. But my guess is that most personal information is protected by a login, and your crash report should not contain that information unless it is in the URL. It would be terrible security if a site included your username and password in the URL! There are sites that do not use cookies to keep track if your session and instead put a (usually long) code into the URL (sometimes called an sid or session id). Depending on the site's design, that sid might expire after some period of inactivity, or it might only work when used from one IP address, or it might be a magic key to the page. To void an sid, make sure to log out of a site to end your session as soon as you are done working with the site.
Thanks jscher2000 for the helpful reply!
The crash reporter shows what data is send to the server apart from the actual crash data and you check and edit this data if you see that it includes data that you consider personal. This data includes the website URL where the crash occurs and installed extensions.
cor-el said
The crash reporter shows what data is send to the server apart from the actual crash data and you check and edit this data if you see that it includes data that you consider personal. This data includes the website URL where the crash occurs and installed extensions.
Hi cor-el, thanks for the advice but how does one check and edit the data sent?
Next time you have a crash, look carefully at the box. You have the option of what gets sent, and can view it yourself before sending it.