Privacybadger: Privacy Badger maintains a separate, plain-text list of e̶v̶e̶r̶y̶ ̶d̶o̶m̶a̶i̶n̶ ̶y̶o̶u̶'̶v̶e̶ ̶e̶v̶e̶r̶ ̶v̶i̶s̶i̶t̶e̶d̶ some visited domains

I agree, there should be an option to hash the domains. But only an option—if it slows the browser down, I'd prefer no hashing.

What's more concerning is the fact that it appears to also remember URLs I've visited in Private mode. Perhaps it would be reasonable not to remember these (at least not by default), restrict new tracker identification to non-private windows.

There's no way hashing would be secure. A rainbow table could decode the list trivially.

@bitJericho You could use a salt depending on the user and/or browser. Or simply randomly generate one when the extension is installed.

@Sebb767 I don't think this would resolve the issue. If an attacker has your local database, the attacker would have your salts.

Please see #266 for previous discussion.

The result of the discussion in #266 was that any form of hashing would still let the attacker know if you've visited a certain site if he has your database (by hashing the domain of that website and checking if it's in your database).

But I do believe there is some merit in hashing, because it would stop potential attackers, who, e.g.:

• Search all files on your computer for certain strings, but don't check for (salted) hashes (the Evil Empire is mass-searching citizens' computers for any references to www.rebelalliance.net)
• Don't know what they are looking for, but "know it when they see it" (your wife has noticed that the computer screen is unlocked, decides to take a peek at your database and notices that you have www.male-bondage-submission-dating.com in it, even though she previously didn't know it even existed).

In any case, I do think websites visited in Private windows shouldn't be put into the database. It is especially important in Firefox, where you can't selectively prevent add-ons from running in Private mode, unlike in Chrome.

Private mode browsing should not be getting recorded in any way by Privacy Badger. If it is, that's a bug. (Previously: #829.)

I'm also pro hashing. Assuming the salt is stored in chrome local storage:

• The attacker would need to have access to the list as well as to the chrome local storage (I'm not sure if the list is saved there, too).
• An attacker would have a much harder time to profile someone. You might be able to get a few common ones (Google, GitHub, YouTube, ...) but you need to do a lot of cracking to find every website I frequent. Also, it makes mass attacks on privacy badger much harder.
• It prevents domain leakage. A potential attacker can not deduce that https://secret-dev.google.com exists when the files are hashed.
• Plus all the points named by @Acharvak .

Different topic, you need to notify the user that privacy badger doesn't learn in private browsing mode. I know a few people who exclusively use private browsing mode and they should know that they either need to allow PB to learn in private mode or it's of no use for them.

Private mode browsing should not be getting recorded in any way by Privacy Badger. If it is, that's a bug.

I've retested. Now it isn't happening anymore. I may have been careless during my initial test, I guess, sorry about the false alarm.

@Acharvak No problem!

Agree that the way domains are stored locally for the purposes of heuristic learning, and how private browsing is handled by Privacy Badger are both issues worth revisiting. Good point that some people use Private Browsing mode exclusively! I suggest opening a new issue for each distinct proposal.

Reopening #266; I think we should definitely do some version of that.

Also I'm going to change the title of this bug, since PB2 doesn't store every domain you've ever visited; it stores the first two first party domains on which you've seen a given third party. After that, it's counted to three and it blocks the third party.

I think one big issue you need to address here is that if I wipe my history, this isn't wiped. I can understand why, but this behaviour needs to be made much more explicit.

@pjlsergeant agreed! I think we can do a much better job. I'm inclined to work on this over in #266; would you be fine with closing this ticket as a duplicate of #266, and moving to technical discussion in that issue?

@pde Although I like the immediacy of the title on this one, that's probably the right thing to do. Closed, as a duplicate of #266