Browser Privacy Test

lazyforker writes "A NYTimes blog post reports the results of security researcher Kate McKinley's tests of various browsers' (FireFox, Chrome, IE, Safari) privacy protection mechanisms. Specifically she tested their cookie handling. She also examined their handling of Flash's cookies. In summary: Safari on Mac OS X (in the 'private browsing' mode) is not so private ('quirky'). Safari on XP is not private at all. Flash behaves awfully everywhere."

Re:Hey cats! Speaking of privacy...

[Ethanol-fueled]

Those bastards! Quick, somebody report Sourceforge!

Me know how to handle cookie!

Om nom nom nom nom!!!

Re:Me know how to handle cookie!

[anomnomnomymous]

^ This.

My Privacy Test

[ian_from_brisbane]

My undies are blue.
I'm secretly in love with my best friend's wife, but I like gay midget porn.

[preview]

Damn, Firefox privacy test failed :(

Re:My Privacy Test

[SpottedKuh]

Damn, Firefox privacy test failed :(

Next time, try "Post Anonymously"

...ah, hell, it's New Year's Eve. Go ahead and try your best friend's wife instead ;)

...or, you know, some midgets. Your call...

Re:My Privacy Test

[BlueParrot]

My undies are blue.

You sick pervert!

Re:My Privacy Test

[larry+bagina]

or maybe his best friend's wife IS a gay midget.

Re:My Privacy Test

[syousef]

I'm secretly in love with my best friend's wife, but I like gay midget porn.

You think you have problems? Your best friend's wife's name is Steve. She has a beard and is 86cm tall.

One word

Flash behaves awfully everywhere

FlashBlock

NoScript works too but I find it sort of annoying because it stops half the web from working.

Re:One word

NoScript works too but I find it sort of annoying because it stops half the web from working.

Exactly why I love it. Half the web annoys me.

Re:One word

[Snowblindeye]

I agree. If the website doesn't bother to serve proper web pages to javascript disabled browsers, then it is not really worth it.

I'm not sure if that's true when you are using noscript. Certainly for flashblock it isn't true, because the site identifies your browser as being able to run flash.

In other words, they might have a flash and a non flash version, but they serve you the full flash version cause you *are* flash enabled, just blocked. With noscript you might get a javascript page, even though you block it. Of course that depends on how they implement the degradation of service, some websites will do it right.

That's apart from the fact that your assume that bad web programming means bad content. That's not the case. If I want to go to a site cause using it is beneficial to me, then I want to use it, whether they have smart or dumb people coding it.

I know I've found that with noscript I find myself constantly managing permissions, instead of browsing. Flashblock is a little less annoying, but obviously less complete in its blocking.

Re:One word

[BrokenHalo]

If you really prefer monospaced fonts, just use Lynx/Links. Please don't inflict them on us just to make your post stand out. It's rude.

Re:One word

[Jurily]

More like 90%. it's actually less annoying to "Temporarily allow all of this page" when necessary than it is the other way around.

Re:One word

[xenobyte]

You can easily turn that on which you need to work. But stupid ad-serving junk, dumb statistics which delay loading significantly, annoying animations and downright mean stuff stays turned off for me.

I find NoScript absolutely vital to a useful web surfing experience, and it's always the first extension I install on new FF installations.

Flash

[NoobixCube]

Under what circumstances does Flash not behave awfully? Despite being a Linux fan, and more than a little cold on Microsoft (though I did buy an Xbox 360 - matter of price at the time...), I almost hope Silverlight takes off so Adobe have some serious, commercially driven competition for Flash. Maybe then they won't take their user base for granted and; oh I don't know, maybe put some work into making Flash GOOD?

Re:Flash

[mmu_man]

flash is not a standard. it's closed source, so not available everywhere, and unaccessible, unindexable... exactly what the web is not supposed to be.
cf. http://www.anybrowser.org/campaign/
Sorry no, gnash or swfdec are not there yet, besides, whoever looked at porting them must have noticed they aren't portable despite being opensource, dependancy hell here I come. Just check the never finished BeOS port of gnash. I don't see silverlight being better anytime soon.
At least Java is open now, so it can be ported.
But it's not accessible to blind people for ex.

Why don't they make websites instead ?

Re:Flash

Good heavens, someone is wrong on the Internet!

SWF is open, and we can glimpse the Flash Player's innards in Tamarin- but none of that even matters.

Pragmatically, is there a really important reason why you want the Flash Player to be entirely open? Would an open source Flash Player really be a better working piece of software than what we've got now?

Also, the Flash Player has support for screen readers and SEO indexing. Flash has support for lots of things that just aren't implemented in 90% of the SWFs you'll come across. A poorly scripted program says little about the platform it runs on. You wouldn't blame the Mozilla Foundation for bad websites, would you? That wouldn't make any sense.

I agree that Flash is not a standard, although wide adoption of SWF as a web standard is possibly a stronger motivation for Adobe to clean up the player than any competitive pressure that Silverlight may provide. And despite not being a standard, people will continue to use Flash to create web content, because it is a successful medium.

Just not the right medium for handling online banking. Wrong tool for that task. (Sorry Arcot.)

Re:Flash

Would an open source Flash Player really be a better working piece of software than what we've got now?

If it respected my 'zero animations' browser setting, yes it would be. If it had a working 'STOP' button, yes it would be. If it had simple, basic functionality of Flashblock, yes it would be.

Re:Flash

[howlingmadhowie]

SWF is open

every time someone repeats this lie i end up posting a link to this film: http://www.youtube.com/watch?v=zoNvsiBTQDE

Pragmatically, is there a really important reason why you want the Flash Player to be entirely open? Would an open source Flash Player really be a better working piece of software than what we've got now?

it would allow me to do everything a wanted with a non-intel architecture. flash is the last bastion of hardware (and operating system) lock-in for me.

Re:What I know about *BSD

11. ...
12. Profit!

Who is Kate McKinley?

[bogaboga]

I was just wondering who Kate McKinley really is. Most of all, I am skeptical as to whether she is even qualified to be called a "security researcher" at all.

Why? Because Wikipedia returns no hits for "Kate McKinley" and a Google search returns results that are sketchy or even anemic when it comes to browser security at best.

May be I should also put up my own research...may be, then call my self a "Security researcher."

Re:Who is Kate McKinley?

[Earthquake+Retrofit]

I was just wondering who Kate McKinley really is. Most of all, I am skeptical as to whether she is even qualified to be called a "security researcher" at all.

Why? Because Wikipedia returns no hits for "Kate McKinley" and a Google search returns results that are sketchy or even anemic when it comes to browser security at best.

Maybe she's a privacy expert too.

Re:Who is Kate McKinley?

[buchner.johannes]

First links I tried, after reading the header of the paper, saying:

                    Cleaning Up After Cookies
                              Version 1.0
Katherine McKinley – kate[at]isecpartners[dot]com
                            iSEC Partners, Inc
                    444 Spear Street, Suite 105
                      San Francisco, CA 94105
                https://www.isecpartners.com/

would be ... I don't know, maybe http://en.wikipedia.org/wiki/@stake ;-) ?

Re:Who is Kate McKinley?

[fermion]

From the papers, the paper is credited to iSec partners. This company has almost no details on itself on the web page. The domain was registered in late 2004, and appears to be renewed year to year, which, to me, is suspicious for a going concern.

That and the way the paper is written makes me suspicious as well.

Re:Who is Kate McKinley?

[ScrewMaster]

What the average Slashdotter wants to know is: Is she hot ?

You be the judge.

Re:Who is Kate McKinley?

[argiedot]

May be I should also put up my own research...may be, then call my self a "Security researcher."

Well, yes, yes you could. Why on earth does the author of the paper have to be on Google or Wikipedia? All the information you need is in the paper itself including an explanation of the methodology and _the freaking damn code itself_!

Re:Who is Kate McKinley?

[Klootzak]

Who cares who she is? The paper she's credited with writing is by no means revolutionary...

Here's a couple of easy tips to help maintain a minor level of privacy while browsing:

- Disable Third-Party cookies (Option under "privacy" tab under Firefox versions >3.0).
- Add entries to your local hosts file fudging the DNS of known "WebSpy", sorry, I mean "WebAnalytics" domains.

My current hosts file contains entries similar to the following (but a few more than I list here):

--- Hosts File Example ---
127.0.0.1 localhost
127.0.0.1 www.google-analytics.com
127.0.0.1 google-analytics.com
127.0.0.1 ths.news.com.au
127.0.0.1 adsfac.net
--- End Hosts File Example ---

Host File Locations:
Windows - %SystemRoot%\system32\drivers\etc\hosts
Most Unixes - /etc/hosts
Mac OS X - /etc/hosts

The reason for utilizing the hosts file is to prevent such things as uniquely-generated transparent images (GIFs for instance) being used as inserts in pages to track your browsing in the advent you disable cookies, just add new domains/hosts to the file as you find them.

In any case, the point is more or less moot, you can minimize your privacy issues, but as any good security professional knows, where there's a will there's a way... and you can be tracked in a number of ways, understanding of how HTTP, DNS and other transfer protocols (also lower-level protocol layers) work will help you minimize your exposure though... if you're concerned, read up on the OSI/ISO network model and how IP and TCP work.

Fundamental flaw in survey

[QuietLagoon]

Since it appears that the author of the "study" chose the browsers to test based upon popularity, the "researcher" based the survey upon the mistaken assumption that popularity is an indication of security perception.

Microsoft's Internet Explorer, as the mos tpopular browser, disproves tha tpopularity does not equate to the perception of security.

A better basis for the selection of browsers would be to select those thought to be secure. That would eliminate IE and Safari at the start, and it might even add Opera.

Clean out the '\Flash Player' folder

[schwit1]

For windows users you should delete everything in this folder: C:\Documents and Settings\username\Application Data\Macromedia\Flash Player

Re:Clean out the '\Flash Player' folder

[robo_mojo]

For Linux users you want to (after rm'ing) symlink ~/.adobe and ~/.macromedia to /dev/null.

Re:Clean out the '\Flash Player' folder

[thePowerOfGrayskull]

Actually for Flash you should take a look at these instructions which will work cross-platform.

Re:Clean out the '\Flash Player' folder

[gnud]

In case someone takes this at blind faith -- the ~/.adobe folder also contains Acrobat data.

But kill ~/.macromedia, and ~/.adobe/Flash_Player =)

cringe-inducing bug in konqueror

Posting this anonymously, for reasons that will soon be evident.

Here's a really nasty privacy bug in konqueror. Let's say you visit gaymidgetsex.com. Then you go to View : View Document Source. Well, on my default install of Ubuntu, this doesn't actually show you the html source code of the web page. Instead, it downloads the html file to /tmp and opens it in OpenOffice, which attempts to render it as an OpenOffice document -- it doesn't actually show you the html source, which is what you asked it to do. Okay, so now you have gay midget porn open in an OOo document, which isn't what you wanted. So you close the OOo window.

Now the next time you start Ooo, go to File : Recent Documents. Oops.

Re:cringe-inducing bug in konqueror

[ScrewMaster]

Posting this anonymously, for reasons that will soon be evident.

You do realize that you didn't have to use your real sexual preferences as an example, don't you?

Re:cringe-inducing bug in konqueror

[slash.duncan]

WTF gave you the idea that's a konqueror bug? Why would opening a document in OOo, which isn't even developed/shipped by the same (upstream) people as konqueror, be a konqueror bug?

No, rather, as AC already posted, konqueror will with default associations as shipped by upstream (KDE), using the "view source" function, open pages using kwrite or kate or kedit. Assuming it's not a PEBCAK issue of the local sysadmin or user, OOo at least as shipped by Ubuntu appears to change that default by associating HTML (or possibly XML) files with itself, at a higher priority than kwrite/whatever-else. That's either Ubuntu's fault or OOo's (or the sysadmin/user for overriding the distribution defaults, if that's why the associations are set the way they are), but it certainly isn't KDE/Konqueror's, as KDE isn't what setup those associations, it's just doing what it's supposed to and following the file associations config as setup on the system it's installed on, as overruled by the config of the user running it, if they have chosen to do so.

Looked at a different way, it would be either OOo's bug, for having a recent documents history that can't be disabled (if that's indeed the case), or a user PEBCAK, for not disabling said history or wiping it out after opening a document they don't wish to appear in said history.

Re:Konqueror and Safari should not be left out.

[fuzzyfuzzyfungus]

Now, I'm posting this from Konqueror on Linux as god intended and all that; but http://windows.kde.org/ is the place to look if you want Konqueror goodness on Windows. Quite possibly still in the rough edges stage, but a large amount of KDE 4 stuff is being brought over to Windows.

Re:It's spelt Firefox

[Mozk]

It's spelled spelled.

That is, unless you're British.

Re:Microsoft is Still Evil! Hurray!

[grcumb]

Privacy issues aside, I've never had any trouble with Flash.

I like your logic: Aside from a single tile, Columbia's last mission went flawlessly.

Seriously, though: you've underlined the single greatest problem in computer security today - what we don't see can hurt us. I've written about this at greater length elsewhere, but to put it simply, privacy is the battleground of our decade.

The struggle to come to terms with privacy will manifest itself in the legal, moral and ethical arenas, but it arises now because of technology and the cavalier approach that the vast majority of people take to it.

The ramifications of our ability to transmit, access and synthesise vast amounts of data using technology are consistently underestimated by people because of the simple fact that, as far as they're concerned, they are sitting in the relative privacy of their own room with nothing but the computer screen as an intermediary.

On the consumer side of things, this creates what Schneier calls a Market for Lemons in which the substance of the product becomes less valuable than its appearance. As long as we have the illusion of security, we don't worry about the lack of real protection.

On the institutional side, we see countless petty abuses of people's privacy. There is nothing stopping a low-level employee from watching this data simply out of prurient interest. In fact, this kind of abuse happens almost every time comprehensive surveillance is conducted. In a famous example, low-level staffers in the US National Security Agency would regularly listen in on romantic conversations between soldiers serving in Iraq and their wives at home. The practice became so common that some even created 'Greatest Hits' compilations of their favourites and shared them with other staffers.

They would never have done so had the people in question been in the room, but because the experience is intermediated by an impersonal computer screen, which can inflict no retribution on them, their worst instincts get the better of them.

When discussing software in the 21st Century, we cannot ever treat privacy as just one incidental aspect of a greater system. Privacy defines the system. Starting an argument by throwing it aside in the first subordinate clause gives little weight to any argument that follows.

Safari's privacy mode is for local privacy

[hayne]

Safari's "Private browsing" mode is not intended to keep info on your computer (e.g. previous cookies etc) from being sent to web servers. It is intended for the reverse - to keep the details of your browsing session private from others who might access your account using that computer. I.e. it merely prevents records being kept about your browsing session.

solution on Firefox ..

[rs232]

clear private data on close ..