Browser Privacy Test

lazyforker writes "A NYTimes blog post reports the results of security researcher Kate McKinley's tests of various browsers' (FireFox, Chrome, IE, Safari) privacy protection mechanisms. Specifically she tested their cookie handling. She also examined their handling of Flash's cookies. In summary: Safari on Mac OS X (in the 'private browsing' mode) is not so private ('quirky'). Safari on XP is not private at all. Flash behaves awfully everywhere."

Hey cats! Speaking of privacy...

Looking for a new year's resolution? How about ratting out a business for money? Slashdot recommends genuine Business Software Alliance snitching, coming to a workplace near you!

Flash

[NoobixCube]

Under what circumstances does Flash not behave awfully? Despite being a Linux fan, and more than a little cold on Microsoft (though I did buy an Xbox 360 - matter of price at the time...), I almost hope Silverlight takes off so Adobe have some serious, commercially driven competition for Flash. Maybe then they won't take their user base for granted and; oh I don't know, maybe put some work into making Flash GOOD?

Re:Flash

[mmu_man]

flash is not a standard. it's closed source, so not available everywhere, and unaccessible, unindexable... exactly what the web is not supposed to be.
cf. http://www.anybrowser.org/campaign/
Sorry no, gnash or swfdec are not there yet, besides, whoever looked at porting them must have noticed they aren't portable despite being opensource, dependancy hell here I come. Just check the never finished BeOS port of gnash. I don't see silverlight being better anytime soon.
At least Java is open now, so it can be ported.
But it's not accessible to blind people for ex.

Why don't they make websites instead ?

Re:Flash

[howlingmadhowie]

SWF is open

every time someone repeats this lie i end up posting a link to this film: http://www.youtube.com/watch?v=zoNvsiBTQDE

Pragmatically, is there a really important reason why you want the Flash Player to be entirely open? Would an open source Flash Player really be a better working piece of software than what we've got now?

it would allow me to do everything a wanted with a non-intel architecture. flash is the last bastion of hardware (and operating system) lock-in for me.

Who is Kate McKinley?

[bogaboga]

I was just wondering who Kate McKinley really is. Most of all, I am skeptical as to whether she is even qualified to be called a "security researcher" at all.

Why? Because Wikipedia returns no hits for "Kate McKinley" and a Google search returns results that are sketchy or even anemic when it comes to browser security at best.

May be I should also put up my own research...may be, then call my self a "Security researcher."

Re:Who is Kate McKinley?

[Klootzak]

Who cares who she is? The paper she's credited with writing is by no means revolutionary...

Here's a couple of easy tips to help maintain a minor level of privacy while browsing:

- Disable Third-Party cookies (Option under "privacy" tab under Firefox versions >3.0).
- Add entries to your local hosts file fudging the DNS of known "WebSpy", sorry, I mean "WebAnalytics" domains.

My current hosts file contains entries similar to the following (but a few more than I list here):

--- Hosts File Example ---
127.0.0.1 localhost
127.0.0.1 www.google-analytics.com
127.0.0.1 google-analytics.com
127.0.0.1 ths.news.com.au
127.0.0.1 adsfac.net
--- End Hosts File Example ---

Host File Locations:
Windows - %SystemRoot%\system32\drivers\etc\hosts
Most Unixes - /etc/hosts
Mac OS X - /etc/hosts

The reason for utilizing the hosts file is to prevent such things as uniquely-generated transparent images (GIFs for instance) being used as inserts in pages to track your browsing in the advent you disable cookies, just add new domains/hosts to the file as you find them.

In any case, the point is more or less moot, you can minimize your privacy issues, but as any good security professional knows, where there's a will there's a way... and you can be tracked in a number of ways, understanding of how HTTP, DNS and other transfer protocols (also lower-level protocol layers) work will help you minimize your exposure though... if you're concerned, read up on the OSI/ISO network model and how IP and TCP work.

Re:Clean out the '\Flash Player' folder

[robo_mojo]

For Linux users you want to (after rm'ing) symlink ~/.adobe and ~/.macromedia to /dev/null.

Re:One word

[Snowblindeye]

I agree. If the website doesn't bother to serve proper web pages to javascript disabled browsers, then it is not really worth it.

I'm not sure if that's true when you are using noscript. Certainly for flashblock it isn't true, because the site identifies your browser as being able to run flash.

In other words, they might have a flash and a non flash version, but they serve you the full flash version cause you *are* flash enabled, just blocked. With noscript you might get a javascript page, even though you block it. Of course that depends on how they implement the degradation of service, some websites will do it right.

That's apart from the fact that your assume that bad web programming means bad content. That's not the case. If I want to go to a site cause using it is beneficial to me, then I want to use it, whether they have smart or dumb people coding it.

I know I've found that with noscript I find myself constantly managing permissions, instead of browsing. Flashblock is a little less annoying, but obviously less complete in its blocking.

Re:One word

[xenobyte]

You can easily turn that on which you need to work. But stupid ad-serving junk, dumb statistics which delay loading significantly, annoying animations and downright mean stuff stays turned off for me.

I find NoScript absolutely vital to a useful web surfing experience, and it's always the first extension I install on new FF installations.