A few days ago, I received a tweet from Sean Malarkey regarding a worrisome observation:
After pulling up the security post and reading it, I was naturally concerned since I make extensive use of Gmail, Twitter, and sometimes Facebook. And now that Google Apps email has been changed to behave more like regular Google Gmail, I had more reason to be concerned.
What this blog post reveals is that with a little programming knowledge, someone can create a web page on their site and exploit the standard status codes that make the Internet run. Using those codes, they can determine if you, the visitor, are logged into Gmail, Google Apps email, Twitter, Facebook, and possibly other sites as well.
But here’s the kicker—I wasn’t seeing the behavior that was outlined in the blog post.
I was on the site and after reading the post, I came to the part where their code checked to see if I was logged into Gmail. The program recorded my status as not logged into Gmail, in spite of me having one of my Google Apps accounts opened in another window.
Turns out that the way I have Firefox setup limits the impact of this cross site data leak.
Several months ago, I was investigating how to run multiple Gmail accounts in different IE8 browsers. In the process, I also discovered how to set up my Firefox browser to do the same thing, allowing me to open multiple Gmail and Google Apps accounts in different Firefox browser windows simultaneously on the same machine.
But it doesn’t just work for Gmail and Google Apps. I can also manage multiple LinkedIn accounts, Facebook accounts, and Twitter accounts…
And now I find that this configuration also limits the impact of this cross site bug.
I say ‘limit’ because this isn’t a real solution. Each instance of Firefox shares application data within that window. So the effects of this cross site problem can still be felt between all applications operating in a common window.
However, if you are looking for a way to increase your productivity, manage several accounts simultaneously on one machine, and keep this particular version of the cross site problem in compartments, this Firefox setup may help you.
Firefox Browser Windows Share All Online Data
In case you are wondering how all of this works, the following analogy may help.
Think of your Firefox browser as a big sandbox. In this box you’ve got your login passwords to any number of online applications and various session cookies which control how your online applications interact with you.
And all of the applications are allowed to share data with other applications.
Anytime you open a new Firefox browser window, it has access to all of the data in the sandbox, which can sometimes be problematic.
If I am logged in as “Google Apps user Bob” in one window, every Firefox browser window already opened or opened later will be under the control of Bob’s Google Apps profile.
One user, one profile, one account on my one bitty laptop with multiple browser windows opened. My machine is one big sandbox where “Google Apps user Bob” gets to play all by himself.
Every time I need to run a check on another Google Apps user account, for example “Google Apps user Bill”, I have to log off as Bob and login as Bill, the new Google Apps user. Or, to continue the sandbox analogy, “Google Apps user Bob” has to get out of the box before “Google Apps user Bill” can get in.
As I mentioned, Google Apps now behaves like Gmail. So if your company is using Google Apps as its cloud collaboration app, and if you’re logged into the company’s Google Apps account, you can’t log into your personal Gmail account unless you first logout of the Google Apps account.
There’s no more sneaking a quick peak at your personal Gmail account without first dropping off the Google Apps grid—also known as Google Chat.
And if you are a consultant managing several clients, it can also be frustrating trying to keep track of several clients. Unless you own several laptops, you will need to use a different browser app to manage each client.
Creating Unique Firefox Browser Profiles That Don’t Share Data
Here’s the way to get around this limitation. Check this out.
Right click on your Firefox desktop shortcut and change the application target from this:
“C:Program FilesMozilla Firefoxfirefox.exe”
“C:Program FilesMozilla Firefoxfirefox.exe” -p -no-remote
The “-p” pulls up the Firefox profile manager before running the browser, giving you the ability to setup and run separate Firefox users profiles. The “-no-remote” switch causes the browser to keep everything separate. This means no login, application, or security information is shared between browser windows.
Now, when you double click the desktop shortcut, instead of popping up the Firefox browser window, the profile manager pops up
From here, as you can see, I can open one of several Firefox profiles that I’ve created or I can create a new one:
Now, when I click the “Start Firefox” button in the profile manager, my new browser window opens (and yes, it gets cold in Cleveland):
I can treat each Firefox profile as its own sandbox with its own login and security credentials.
Which means I can now manage two separate Twitter accounts open in two different Firefox browsers and each browser window will remain its own separate, self contained universe.
Every Firefox profile gets its own sandbox to play in.
As mentioned before, this applies not only to Twitter accounts, but also to Gmail accounts, Google Apps accounts, Linkedin accounts, Facebook accounts… Remember, none of the security and login credentials are shared between new browser windows.
Now you can group your applications according to your projects and clients, confining each project, with all of its associated applications, to its own Firefox window.
Imagine how much you can accomplish if you can manage two separate Salesforce.com databases simultaneously while keeping all of the applications for the Acme Group confined to a single Firefox browser window.
Just like anything in life, there’s a downside to configuring your system this way.
Each new profile behaves like a new installation of Firefox. This means the browser keeps the plugins separate, just like the security and login data. If you install the Google Toolbar in one of your profiles, that toolbar won’t be present in your other profiles. You have to reinstall the plugins for each new profile you create.
Still, it’s a small inconvenience to keep all of your projects in separate containers and accessible at the same time.
And you can even read the messages in your personal Gmail account without your “work Google Apps” account knowing about it.
You can find more information on creating and managing profiles on the Firefox Help page.