Covering Your Tracks in Firefox

Firefox users looking for a little more control over the privacy of their Web browsing habits should check out a handy add-on called "RefControl," a Firefox extension that lets you decide which sites should be allowed to see your most recent browsing history.

When you visit a Web site, the people who run that site can see by looking at their traffic logs the name and Internet address of the site you were at directly before visiting their site, also known as the "referrer" link.

Using RefControl, Firefox users can block all referrers, or block referrers for all sites except those included on your personal exclusion list. RefControl users can even set a fake referrer for all or specific sites that includes a custom message (e.g., "NoReferrerForYou"), a sentiment that will show up in the visited Web site's logs.


RefControl is very easy to use. By default, the add-on doesn't block any referrers. To block all referrers, simply open RefControl options, select "Edit," and then "Block." Alternatively, you could set it to "forge" a referrer, which basically sends the root domain of the site you're visiting as the referrer (e.g., if you're visiting, a "forge" setting will send as the referrer).

If you don't have a personal blog or Web site to test this out on, you can check to see if your RefControl settings are the way you want them by visiting this test page.

By Brian Krebs  |  February 9, 2009; 6:45 AM ET
Categories:  From the Bunker , Safety Tips  


Interestingly, this is how the WaPo determines whether to let you view an article on the main site or force you to sign in. If the referring site is also WaPo, they make you sign in. Otherwise, they let you see the article, assuming you are following a link from an email or different site. RefControl could make it unnecessary to sign in on WaPo's site.

Posted by: josef2 | February 9, 2009 9:55 AM | Report abuse

Josef2, I went to Brian's blog by clicking the link in the Washington Post's «Technology» section, but was not asked to sign in (of course, to post to this forum I did have to sign in). Now I have (finally) installed RefControl and blocked «referrers» ; it will be interesting to see if I shall be asked to sign in in the future....


Posted by: mhenriday | February 9, 2009 12:10 PM | Report abuse

Why should I care if a website I visit can determine which site I visited previously?

Posted by: gtodon | February 9, 2009 4:41 PM | Report abuse

This is great! I didn't know Firefox let other sites see my browsing history. Well, not anymore. It's annoying how nobody has any privacy, and we don't even know in what ways we are being spied on.

Posted by: tlkst21 | February 9, 2009 5:27 PM | Report abuse

Back in the day before the web went commercial, I had some kids and holiday websites. I depended on the referral urls to help me determine my audience source. When I found that the majority of my Thanksgiving visitors were coming from educational links, I knew I was on the right track.

Posted by: Eremita1 | February 9, 2009 6:07 PM | Report abuse


Does it work with FireFox ? This is also a good way to cover your tracks.

Posted by: gannon_dick | February 9, 2009 6:48 PM | Report abuse

I use a different approach with the extension: Stealther.

It temporarily disables:
- Browsing History (also in Address bar)
- Cookies
- Downloaded Files History
- Disk Cache
- Saved Form Information
- Sending of ReferrerHeader
- Recently Closed Tabs list

It completely covers browsing tracks.

In combination with the extensions AdBlock Plus and NoScript, you can have very secure and private browsing.


Posted by: marcohp11 | February 9, 2009 8:34 PM | Report abuse

I can think of more cases where I would want a site to have the referrer's information than not. This add-on is not for everyone.

Posted by: b_100666 | February 10, 2009 8:49 AM | Report abuse

"Why should I care if a website I visit can determine which site I visited previously?"

If your Internet privacy doesn't matter to you, then don't worry about this program. Companies like to know what site you visited before you browsed over to their sites, though. If you let them, they'll track whether an ad convinced you to click on it, how long you spent on their sites, and what parts of their sites interested you most. They use this information to try to make their ads and/or websites more attractive to customers and/or advertisers.

Some people don't find this sort of tracking behavior bothersome. Many don't even know it's happening in the background. Others of us see it as an invasion of our browsing privacy, though, and are interested in finding new ways to thwart it.

Thanks for the heads-up, Brian. I like how customizable Firefox is.

Posted by: Heron | February 10, 2009 9:39 AM | Report abuse

Ugh. Referer information only exposes the address of "the site you were at directly before visiting their site" *if you clicked a link from that site to the one you're on now*. In other words, if I click a link from my homepage to the Washington Post's site, that shows up as a referer to WaPo's server. If, on the other hand, I use a bookmark, or type the address of the site directly into the browser window, then no referer info is shown to the site I'm going to.

It's not just Firefox. It's all browsers. It's part of the HTTP specification, which is a technical document that sets out how the web works, for the use of software developers wishing to write web browsers or other web software.

And it's not "spying," for the love of Pete, when this same information (what sites link to another) can be obtained by anyone by going to Google and typing "," minus the quotes, into the search box.

I have been an Internet programmer since 1995 and I really love how people see privacy violations and abuses up every tree. Imprecise news reporting contributes to the problem. Back in those years, when the internet was the hot new thing, my dad used to call me up all worried about how cookies were spying on him. I told him he was probably OK... since he had never used a computer in his life. True story.

Posted by: bug451 | February 10, 2009 10:21 AM | Report abuse

@gannon_dick: I was able to install the plugin successfully on Portable Firefox.

Posted by: tj722 | February 10, 2009 10:47 AM | Report abuse

One reason you may not want a site to know the referrer is that there are some websites that don't like it when they're essentially used as a picture/spec reference and block traffic from certain referring sites. Now of course, all you would need to do is go directly to that site, but it is an extra step to some people.

Posted by: koalatek | February 10, 2009 10:51 AM | Report abuse

Thanks for the information! Knowledge is power.

Posted by: davebeedon | February 10, 2009 2:55 PM | Report abuse

Many tracking mechanisms make use of things that are written into 'specifications', but that does not mean that sometimes, they are put to uses that I might not approve of.

Me, I'm the type that enjoys setting my referrer address to something like '', and gumming up the works for sites that want to *use* the referrer field for something. If that means that sometimes I have to whitelist something (like WaPo) to get to what I want, so be it. I'm willing to do a little extra work as long as I can help corrupt the data files of those who want to track the movements of people on the web.

That's why I use Firefox; Firefox is not trying to somehow make money off of my browsing, which is why you see this kind of add-on for Firefox. Both Microsoft and Google are more interested in the concerns of advertisers, retailers, and other web businesses than they are of you and I, which is why I don't use their browsers...

Posted by: SmallTownVet | February 10, 2009 3:04 PM | Report abuse

I use my analytics to determine how people find my site. The referrer information is very helpful and I really don't understand why RefControl is useful. For me, knowing how people found my site is simply a tool that helps me get feedback from my marketing efforts.

Stu Kushner

Posted by: stukushner | February 10, 2009 5:22 PM | Report abuse

Thank you for the info. I've "customized" my RefControl site properties.

After the release of version 3.0 of Firefox last year, I found one item annoying: the 7-14 URLs most often visited would fill in the address field when manually typing a URL which would otherwise be in my bookmarks. It would distract my typing a URL in the address field, so I searched the about:config options to customize Firefox. To disable the setting:
In the address field,
1. Type "about:config".
2. You will receive a "This might void your warranty!" message; click on the button "I'll be careful, I promise!"
3. Search for the browser.sessionhistory.max_total_viewers row.
4. Double-click the browser.sessionhistory.max_total_viewers row.
5. An "Enter integer value" dialog pops up; the default is either 7 or 14.
6. Type -1 and click OK.
7. Close Firefox and open it again. The most often manually typed URLs are cleared from the history bar.

Posted by: Okumuraw | February 10, 2009 5:39 PM | Report abuse

thx tj722.

Posted by: gannon_dick | February 10, 2009 6:41 PM | Report abuse

So which is better, the RefControl add-in or using an anonymous proxy server?

Posted by: RFinMD | February 10, 2009 7:33 PM | Report abuse

I installed the RefControl add-on after reading your article, but then found that most secure websites, such as banks, will see this as possible spyware and not let you log on to your account. So RefControl was deleted and, after a restart, I can again access secure sites.

Posted by: candango | February 11, 2009 8:13 AM | Report abuse

Wouldn't using an add-on like this muck up the income received for pay-per-click advertising sites? Without a valid log of "who's coming from where" I would think that it could create a problem for partner sites getting paid properly. Though I do not know exactly how they log hits for pay-per-click advertising, it's just a thought.

Posted by: mcarmean09 | February 12, 2009 8:27 AM | Report abuse

Stripping referrers prevents sites from using referrer as CSRF protection. This forces sites to either block you from making changes or use "form tokens", which are more wasteful and harder to get right than referrer checking.

*Forging* referrers is like standing in a crowded mall and screaming "CSRF all of my accounts".

It's reasonable to block cross-site referrers, but please don't mess with same-site referrers.

Posted by: jesseruderman | February 12, 2009 7:20 PM | Report abuse
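
Added example (not from the original post or its comments): a minimal server-side Referer check of the kind the comment above describes, run against the three client behaviours the article lists (normal, "block", "forge"). The site names, URLs and function names are hypothetical and the sample data is constructed.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def origin(url):
    """(scheme, host, port) of an absolute http(s) URL, else None."""
    try:
        p = urlsplit(url)
        port = p.port
    except ValueError:  # malformed port or host
        return None
    if p.scheme not in ("http", "https") or not p.hostname:
        return None
    return (p.scheme, p.hostname.lower(), port or (443 if p.scheme == "https" else 80))

def referer_sent(mode, previous_page, target_url):
    """Referer value sent under each mode the article describes (None = no header)."""
    if mode == "normal":
        return previous_page
    if mode == "block":
        return None
    if mode == "forge":  # root of the site being visited
        t = urlsplit(target_url)
        return f"{t.scheme}://{t.netloc}/"
    raise ValueError(f"unknown mode: {mode}")

def referer_check(method, target_url, referer, allow_missing=False):
    """Server side: a state-changing request needs a same-origin Referer."""
    if method.upper() in SAFE_METHODS:
        return "allow"
    if referer is None:
        return "allow" if allow_missing else "reject"
    ref = origin(referer)
    return "allow" if ref is not None and ref == origin(target_url) else "reject"

# Constructed sample data: hypothetical site and pages.
TARGET = "https://shop.example/account/email"
PAGES = {"same-site": "https://shop.example/account",
         "cross-site": "https://forum.example/thread/42"}

def outcomes(allow_missing=False):
    """Decision for a POST to TARGET, per (mode, where the request started)."""
    return {(mode, where): referer_check(
                "POST", TARGET, referer_sent(mode, page, TARGET), allow_missing)
            for mode in ("normal", "block", "forge")
            for where, page in PAGES.items()}

if __name__ == "__main__":
    for key, decision in outcomes().items():
        print(key, decision)
```

With "block", the strict check rejects the user's own same-site changes, and relaxing it with `allow_missing=True` accepts every header-less request regardless of where it started. With "forge", same-site and cross-site requests carry the identical Referer, so the check can no longer tell them apart.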

I unwisely set refControl to give bogus referrer information for all sites, and paid the price.

The most notable was that my Google Apps account would not authenticate me when I attempted to log back in to my Google Apps account. Apparently, their authentication scheme depends on proper referrer information. As soon as I set refControl back to provide referrer information, I was able to log-in without any trouble.

Posted by: Annorax | February 13, 2009 9:45 AM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company