Browser Privacy Test

lazyforker writes "A NYTimes blog post reports the results of security researcher Kate McKinley's tests of various browsers' (FireFox, Chrome, IE, Safari) privacy protection mechanisms. Specifically she tested their cookie handling. She also examined their handling of Flash's cookies. In summary: Safari on Mac OS X (in the 'private browsing' mode) is not so private ('quirky'). Safari on XP is not private at all. Flash behaves awfully everywhere."

Me know how to handle cookie!

Om nom nom nom nom!!!

My Privacy Test

[ian_from_brisbane]

My undies are blue.
I'm secretly in love with my best friend's wife, but I like gay midget porn.

[preview]

Damn, Firefox privacy test failed :(

Re:My Privacy Test

[SpottedKuh]

Damn, Firefox privacy test failed :(

Next time, try "Post Anonymously"

...ah, hell, it's New Year's Eve. Go ahead and try your best friend's wife instead ;)

...or, you know, some midgets. Your call...

One word

Flash behaves awfully everywhere

FlashBlock

NoScript works too but I find it sort of annoying because it stops half the web from working.

Re:One word

NoScript works too but I find it sort of annoying because it stops half the web from working.

Exactly why I love it. Half the web annoys me.

Flash

[NoobixCube]

Under what circumstances does Flash not behave awfully? Despite being a Linux fan, and more than a little cold on Microsoft (though I did buy an Xbox 360 - matter of price at the time...), I almost hope Silverlight takes off so Adobe have some serious, commercially driven competition for Flash. Maybe then they won't take their user base for granted and; oh I don't know, maybe put some work into making Flash GOOD?

Re:Flash

Good heavens, someone is wrong on the Internet!

SWF is open, and we can glimpse the Flash Player's innards in Tamarin- but none of that even matters.

Pragmatically, is there a really important reason why you want the Flash Player to be entirely open? Would an open source Flash Player really be a better working piece of software than what we've got now?

Also, the Flash Player has support for screen readers and SEO indexing. Flash has support for lots of things that just aren't implemented in 90% of the SWFs you'll come across. A poorly scripted program says little about the platform it runs on. You wouldn't blame the Mozilla Foundation for bad websites, would you? That wouldn't make any sense.

I agree that Flash is not a standard, although wide adoption of SWF as a web standard is possibly a stronger motivation for Adobe to clean up the player than any competitive pressure that Silverlight may provide. And despite not being a standard, people will continue to use Flash to create web content, because it is a successful medium.

Just not the right medium for handling online banking. Wrong tool for that task. (Sorry Arcot.)

Re:Flash

[howlingmadhowie]

SWF is open

every time someone repeats this lie i end up posting a link to this film: http://www.youtube.com/watch?v=zoNvsiBTQDE

Pragmatically, is there a really important reason why you want the Flash Player to be entirely open? Would an open source Flash Player really be a better working piece of software than what we've got now?

it would allow me to do everything a wanted with a non-intel architecture. flash is the last bastion of hardware (and operating system) lock-in for me.

Re:Who is Kate McKinley?

[Earthquake+Retrofit]

I was just wondering who Kate McKinley really is. Most of all, I am skeptical as to whether she is even qualified to be called a "security researcher" at all.

Why? Because Wikipedia returns no hits for "Kate McKinley" and a Google search returns results that are sketchy or even anemic when it comes to browser security at best.

Maybe she's a privacy expert too.

Re:Microsoft is Still Evil! Hurray!

[grcumb]

Privacy issues aside, I've never had any trouble with Flash.

I like your logic: Aside from a single tile, Columbia's last mission went flawlessly.

Seriously, though: you've underlined the single greatest problem in computer security today - what we don't see can hurt us. I've written about this at greater length elsewhere, but to put it simply, privacy is the battleground of our decade.

The struggle to come to terms with privacy will manifest itself in the legal, moral and ethical arenas, but it arises now because of technology and the cavalier approach that the vast majority of people take to it.

The ramifications of our ability to transmit, access and synthesise vast amounts of data using technology are consistently underestimated by people because of the simple fact that, as far as they're concerned, they are sitting in the relative privacy of their own room with nothing but the computer screen as an intermediary.

On the consumer side of things, this creates what Schneier calls a Market for Lemons in which the substance of the product becomes less valuable than its appearance. As long as we have the illusion of security, we don't worry about the lack of real protection.

On the institutional side, we see countless petty abuses of people's privacy. There is nothing stopping a low-level employee from watching this data simply out of prurient interest. In fact, this kind of abuse happens almost every time comprehensive surveillance is conducted. In a famous example, low-level staffers in the US National Security Agency would regularly listen in on romantic conversations between soldiers serving in Iraq and their wives at home. The practice became so common that some even created 'Greatest Hits' compilations of their favourites and shared them with other staffers.

They would never have done so had the people in question been in the room, but because the experience is intermediated by an impersonal computer screen, which can inflict no retribution on them, their worst instincts get the better of them.

When discussing software in the 21st Century, we cannot ever treat privacy as just one incidental aspect of a greater system. Privacy defines the system. Starting an argument by throwing it aside in the first subordinate clause gives little weight to any argument that follows.

Re:Who is Kate McKinley?

[Klootzak]

Who cares who she is? The paper she's credited with writing is by no means revolutionary...

Here's a couple of easy tips to help maintain a minor level of privacy while browsing:

- Disable Third-Party cookies (Option under "privacy" tab under Firefox versions >3.0).
- Add entries to your local hosts file fudging the DNS of known "WebSpy", sorry, I mean "WebAnalytics" domains.

My current hosts file contains entries similar to the following (but a few more than I list here):

--- Hosts File Example ---
127.0.0.1 localhost
127.0.0.1 www.google-analytics.com
127.0.0.1 google-analytics.com
127.0.0.1 ths.news.com.au
127.0.0.1 adsfac.net
--- End Hosts File Example ---

Host File Locations:
Windows - %SystemRoot%\system32\drivers\etc\hosts
Most Unixes - /etc/hosts
Mac OS X - /etc/hosts

The reason for utilizing the hosts file is to prevent such things as uniquely-generated transparent images (GIFs for instance) being used as inserts in pages to track your browsing in the advent you disable cookies, just add new domains/hosts to the file as you find them.

In any case, the point is more or less moot, you can minimize your privacy issues, but as any good security professional knows, where there's a will there's a way... and you can be tracked in a number of ways, understanding of how HTTP, DNS and other transfer protocols (also lower-level protocol layers) work will help you minimize your exposure though... if you're concerned, read up on the OSI/ISO network model and how IP and TCP work.