Slashdot Mirror

← Back to Stories (view on slashdot.org)

Browser Private Modes Not So Private After All

Posted by CmdrTaco on from the don't-look-at-my-prvates dept.

CWmike writes "Browsing in 'private mode" isn't as private as users think, reports Gregg Keizer. 'There are some traces left behind [by all browsers] that could reveal some of the sites that you've been to,' said researcher Collin Jackson. He, along with three colleagues, will present their findings on Tuesday at the Usenix Security Symposium in DC. IE, Firefox and Safari, for instance, leave traces of SSL encryption keys even when run in private mode, while IE and Safari on Windows preserve self-signed SSL certificates in a 'vault' file that could be read by others to track the browser's path. Firefox also retains evidence of some certificates. Private mode has also been billed as a way for users to hide themselves from the prying eyes of sites that try to track habits and histories. Jackson said most users see that as the biggest attraction to private mode. 'Some browsers do a better job of protecting you from other types of scenarios, such as Web site tracking,' Jackson said. 'Safari is very much more willing to reveal you to Web sites than the others.'"

9 of 198 comments (clear)

  1. Biggest Attraction by ceoyoyo · · Score: 5, Insightful

    "Jackson said most users see that as the biggest attraction to private mode."

    Nonsense. The biggest attraction of private mode is that hotteennymphosexkittens.com doesn't show up in the suggestions when someone borrows your computer to check Hotmail.

    If you want real privacy you shouldn't be trusting a web browser privacy mode.

    1. Re:Biggest Attraction by Surt · · Score: 5, Funny

      I cannot believe how lazy the porn people are. It has been like a whole minute and that site is STILL not up.

      --
      "Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
  2. Re:You need all of your files on a ramdisk by vux984 · · Score: 5, Interesting

    When I want to browse in high security / high privacy I use a virtual machine and delete all changes when shutting it down. (ie so the vm is in precisely the same state it was in when i turned it on.) This also gives me some reasonably good protection from viruses/malware/ and other crud, since unless it manages to break out of the VM, it goes away when I shut the VM down.

  3. Doesn't seem like a hard problem to solve ... by BitZtream · · Score: 5, Interesting

    In private browsing mode, hook fopen, all "w" calls get redirected to a special directory, all fopen "r" calls get checked to confirm they are either referencing that directory or referencing known acceptable files (maybe certain preferences).

    That instantly solves ALL in-process code. Its not something that would share all its code across platforms since the hooking mechanisms are different but it is going to be the only sure fire way to be safe.

    Out-of-process plugins would require a different approach, but since the browser starts them it could hook them as well if the effort was put forth. You hook flash and don't let it write anywhere but where you tell it too, then those retarded flash cookies can't give you away either.

    Clear the directory when leaving private browsing mode.

    I can't think of any real OS that you can't do this on fairly easy. Windows is doable although it takes a little bit of effort, most UNIX clones are trivial to hook. Might be a problem for browser ports to oddball devices (which I'm counting phones in this group since they are radically different, even if common) but its also probably much less of a concern there. I'm not aware of a private mode for Mobile safari so it doesnt' seem that anyone cares anyway, or am I just missing it?

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  4. Re:It's good enough.. by Anonymous Coward · · Score: 5, Funny

    If your wife/girlfriend is a CS major with cryptology in her repertoire though... might want to find a different 'hobby'.

    If I had a wife/girlfriend with a CS major in cryptology in her repertoire I wouldn't need a hobby.

  5. Re:It's good enough.. by ciaohound · · Score: 5, Funny

    Your wife is a CS major with cryptology in her repertoire. She just hasn't told you because you'd blow her cover.

    --
    Oh, yeah, it's not easy to pad these out to 120 characters.
  6. Re:Don't forget about flash by ytpete · · Score: 5, Informative

    Just fyi, the current version of Flash does respect "Private Browsing" settings in all major browsers.

  7. Re:Clean on close by maxwell+demon · · Score: 5, Funny

    But the FBI/CIA/NSA have ways of reading even zeroed drives! (so I hear) Will we ever be safe??

    That's why I one them instead. I've never heard that they can read a oned drive. :-)

    --
    The Tao of math: The numbers you can count are not the real numbers.
  8. Re:Flash cookies remain too by Anonymous Coward · · Score: 5, Funny

    I run a virtual machine on a live CD, then restore the snapshot, reboot the machine, snap the CD in half, attach a high powered electromagnet to the tower, then burn down the building.