Slashdot Mirror


Microsoft Edge's Private Browsing Mode Isn't Actually Private (betanews.com)

JustAnotherOldGuy writes: The forensic examination of most web browsers has proven that they don't have a provision for storing the details of privately browsed web sessions. However, in the case of Microsoft Edge, the private browsing isn't as private as it seems. Previous investigations of the browser have resulted in revealing that websites visited in private mode are also stored in the browser's WebCache file. The Container_n table stores web history, and a field named 'Flag' with a value of '8' shows that website was visited in private mode. An investigator can easily spot the difference and use this evidence against a person. The not-so-private browsing featured by Edge makes its very purpose seem to fail, and you can't help but ask how such a fundamental aspect of private browsing could be so fantastically borked. It beggars belief.

28 of 159 comments

  1. Re:First Post? by blavallee · · Score: 5, Insightful

    I would say, it's just not a surprise to anyone here. An antonym of privacy or security is Microsoft.

  2. Well, they didn't lie... by The+Atog+Lord · · Score: 5, Funny

    So, InPrivate is to Private as InVisible is to Visible.

    1. Re:Well, they didn't lie... by thunderclap · · Score: 4, Informative

      So grammar nazi, you think you know? Well, you have no idea.

      http://www.merriam-webster.com...

      flammable

      /ˈflaməb(ə)l/

      adjective: flammable

              easily set on fire.

              "the use of highly flammable materials"

      As for Flamma, it's Latin and is a verb there. Go ask them.

      Why Do Flammable and Inflammable Mean the Same Thing?

      There is a fairly clear reason for why both these words carry the same meaning: the prefix in- does not always function as a negative prefix.
      Sometimes (and this is one of those times) it serves as an intensifier. It’s fairly obvious how this could lead to problems.

      Surprisingly, both flammable and inflammable coexisted peacefully in English for hundreds of years before anyone decided to do something about it. Inflammable is the older of the two, with recorded use as far back as 1574. Flammable begins to appear in 1655, when Margaret Cavendish described oil as being “hot burning and flammable” in her Philosophical and Physical Opinions. One of the reasons there was little confusion about these words is that flammable was used much less often than inflammable.

      But in the 1920s the self appointed, eagle-eyed language nazis of the National Fire Protection Association (NFPA) realized that many people were viewing the in- in inflammable as a negative prefix, and were at risk of consequently incinerating themselves at a much higher rate than was desirable. The NFPA advocated to have flammable used exclusively for warning labels (such as are found on mattresses, oil cans, and other things that will catch on fire if you put a match to them), and managed to slightly nudge our language toward a more sensible path. Though in the recent past flammable is used more often than inflammable, this pair still incites controversy—and clueless fools would want to look ignorant.

    2. Re:Well, they didn't lie... by Zontar+The+Mindless · · Score: 2

      Like "income" is a negation of "come", right.

      I get it now. Thanks!

      --
      Il n'y a pas de Planet B.
  3. Re:First Post? by I'm+not+evil.+See · · Score: 5, Funny

    The rest of us have been here also, all along, but just in "Private Mode". There are actually 1203 "first posts" before yours. Look harder. :-)

  4. Re: From the people who brought us 10 by guruevi · · Score: 2

    Proof? I think security researchers looking into this would've noticed packets going out encrypted or not during privacy mode.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  5. Re:They really did not care by unrtst · · Score: 4, Insightful

    I'm not sure why I'm feeding the trolls (troll being the summary itself).

    I'd appreciate an actual "private" mode, but none of the browsers do what I'd expect from that. My expectation would be that the browser would behave as if it is a clean slate, not store anything to disk, possibly encrypt or at least attempt to hide memory contents, and possibly attempt to hide other identifying details (screen resolution, "agent" header string, plugin list, etc).
    Personally, I find little benefit to the make believe "private" mode in that it hides its actions from my own computer. I am not worried about other legitimate users of my computer finding out secrets about me (and if I was, I'd use something much more hidden than "private" mode - another vm with encrypted drives, powered off or in hibernate when I'm not using it).

    With that in mind, this info seems to be quite an exaggerated diff between the various private mode expectations. Not that I care much as long as the behavior is what it is, but what I'd want to know is:
    * can normal, unprivileged user accounts access these history records?
    If not, then it's doing its job just about as well as any of the others.

  6. Isn't this illegal in some states or countries? by davidwr · · Score: 2

    By "illegal" I mean a civil violation of warranty- and false-advertising laws that say products are supposed to meet their intended purpose, as a common everyday consumer would understand the term "intended purpose."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  7. Re:From the people who brought us 10 by GrahamCox · · Score: 5, Informative

    Wrong. I don't know about Google, but I do know about Safari. When it's in private mode, all of the data that is normally saved to disk for any purpose is stored in encrypted memory, so within a private session, you get the benefit of caching, go forward/back, etc. But once you close the private window, all that encrypted memory is erased and released. Apps using the NSURLSession APIs can do exactly the same thing.

  8. Indifference by rakslice · · Score: 4, Insightful

    I've concluded in the past couple of years that large parts of Microsoft as an organization have stopped being able to coherently sell to the end user market, and whatever people in the management that would have in the past noticed this sort of thing and taken steps to correct it have left or moved on to other roles.

    Signs of things slipping I've personally noticed in recent years:
    - The faulty Microsoft web-based store (do they expect developers whose first experience with Microsoft is a web site that can't even sell a Windows upgrade are going to turn around and want to build things on ASP.net?)
    - Contradictory descriptions of the different Windows SKUs (with respect to use as upgrades, new machine installs, usability by end users vs. system integrators, etc.)
    - Software with serious flakiness in features that worked in previous versions (e.g. Windows 10 Start Menu search and keyboard navigation), with broken help links, without an integrated installer (e.g. Lync, Sharepoint)

    1. Re:Indifference by Anonymous Coward · · Score: 5, Insightful

      I've concluded in the past couple of years that large parts of Microsoft as an organization have stopped being able to coherently sell to the end user market, and whatever people in the management that would have in the past noticed this sort of thing and taken steps to correct it have left or moved on to other roles.

      It smells more to me like they've made a concerted decision that the end user is no longer the target market. The end user is now the product. Microsoft's "business partners" are advertisers and law enforcement agencies, that's where the revenue is coming from.

      The Edge behavior described in this article is very hard to explain away as laziness or incompetence. Intentional decisions were made during all phases of design and development to continue storing the user's history even when in private browsing mode. That isn't clueless management or devs taking the easy way out. That's purposely turning the end user's computer into a tool to be used against him.

      Microsoft is now actively hostile to the end user and folks would do well to remember it.

  9. I'm shocked by frovingslosh · · Score: 4, Insightful

    Microsoft Edge's Private Browsing Mode Isn't Actually Private

    I'm shocked! Shocked, I tell you!

    On the other hand, it has been obvious to me for a long time that if you want privacy, you don't use Microsoft products.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:I'm shocked by rtb61 · · Score: 5, Insightful

      It is not really all that funny. Not only is it not private it is marked as pretended to be so on analysis they can find out exactly what you wanted to keep private. That looks really, really bad, not only a failure of privacy but seemingly purposeful gathering of data for extortion purposes, obviously not run of the mill people but selected individuals via the scatter gun method, hide the invasiveness by targeting everyone so that the specific targets are unaware. Then there is how long they will keep the data for, i.e. target every potential politician in high school and university so that decades down the track they can be extorted in compliance or destroyed. It is one thing to screw up privacy, it is quite another to specifically mark data as private and keep it.

      --
      Chaos - everything, everywhere, everywhen
  10. Feature... by Livius · · Score: 2

    not a bug.

    This is Microsoft we're talking about. Misrepresentation about their products is what they do.

  11. doesn't fit the criteria by raymorris · · Score: 4, Interesting

    You're thinking of "implied warranty of fitness for a particular purpose", as it's called in the Uniform Commercial Code. There's also warranty of merchantability. Let's look at each in turn.

    The terms and conditions can explicitly and clearly disclaim the warranty of fitness for a particular purpose, and I'm sure Microsoft's terms do so. They can't disclaim warranty of merchantability so easily. If they do disclaim fitness for a particular purpose, that's the end of that. If they didn't disclaim the warranty, UCC has two conditions. First, the seller must have reason to know what purpose the buyer intends to use it for - browsing porn without having the address bar later autocomplete xvideos.com? National security level espionage? Secondly, the seller must have reason to know that the buyer is relying on the seller's expertise to recommend an appropriate product.

    Microsoft doesn't know whether you intend to use it to avoid having autocomplete accidentally embarrass you or if you're trying to foil expert forensic investigators. Since they don't know which purpose(s) you might use it for, there is no warranty of fitness for a particular purpose.

    On to warranty of merchantability. This applies even when the seller does NOT know what purpose you plan to use it for. Because the seller doesn't know, he warrants only that it's useable for SOME purpose. If the mode successfully avoids accidental embarrassment from autocomplete, accidentally hitting the back button down-arrow, etc, then it is useful for SOME purpose and therefore the warranty of merchantability is met.

    Suppose some warranty was NOT met (and not successfully disclaimed). Then you could sue Microsoft for actual damages. If you prove that an accidental autocomplete during a business presentation got you fired, they would need to compensate you for the lost pay.

    Lastly, you mentioned false advertising. What exactly do Microsoft's ads say about the feature? I suspect they do not say "prevents forensic examiners from determining anything about your browsing history".

  12. Re: First Post? by Anonymous Coward · · Score: 2, Funny

    Exactly, it wouldn't have surprised me if they sent private browsing data directly to their Redmond office.

  13. Re:Private mode and forensics by vux984 · · Score: 5, Informative

    Even so, if you put the safety on on your gun, that doesn't make the weapon truly and completely safe and nobody is suggesting it does.

    But can you imagine if putting the safety on merely lowered the muzzle velocity by 5%?

    Or a door lock that simply turned a red LED on some dashboard somewhere labelled locked, and nothing else.

    There is not, and never will be, a truly "private" browsing experience, regardless of browser.

    But some browsers actually do a little more than next to NOTHING to remove the session history from the local PC.

  14. Re:From the people who brought us 10 by WaffleMonster · · Score: 2

    It isn't a surprise.

    But in MS's credit Google and Apple both do the same thing too

    How does other people doing "the same thing too" work to Microsoft's credit or speak in any way to merits of underlying issues?

    This line of argument is nothing more than bandwagon fallacy. It's completely worthless.

  15. Re:Private mode and forensics by jason777 · · Score: 5, Funny

    That's why I do my really serious browsing in a new VM that is read-only. After, I delete the vm. Then light the computer on fire.

  16. Re:From the people who brought us 10 by Solandri · · Score: 2

    Chrome Incognito mode is the same. One of the drawbacks being that if you accidentally close a tab, you can't undo it. That tab is gone for good. I don't think it's encrypted in memory though, so if Windows pushes it to the pagefile it could (temporarily) be written to disk.

  17. Working as designed? by Antony+T+Curtis · · Score: 2

    Sounds like, from the description, that it is working as designed.

    --
    No sig. Move along - nothing to see here.
  18. Re:GEE WHIZ WHAT A BIG SURPRISE! by Anonymous Coward · · Score: 2, Informative

    Hey man, I was a Microsoft sympathizer for the longest time (and a *BSD fanboy, but that's beside the point). However, I installed Windows 10 last week, and it impressed me so much that I downgraded back to Windows 7 after a couple of days, never to return. After using the UI that's worse than GNOME's wildest hallucinations and having to edit group policy and stop services to get the system where I want it to be, I had enough.

    Honestly, compared to Win7, Win10 feels like Windows 3.11 with a factory-provided backdoor.

  19. Re:First Post? by hairyfeet · · Score: 5, Informative

    Considering how much spying is baked into Windows 10 frankly the thought that anything done in that OS is "private" is beyond belief.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  20. You've blown it Microsoft by DrXym · · Score: 5, Funny

    How am I meant to browse for gifts and flowers for my wife (WHICH IS ALL ANYONE EVER DOES WITH PRIVATE BROWSING) if it's not actually private? Oh and in case the wife does find traces of activity, yes cumgarglingsluts.com is a site that sells flowers and gifts. Way to ruin the surprise Edge.

  21. Re:Be aware by Misagon · · Score: 4, Informative

    Chrome's Incognito mode does have a separate set of cookies - which is empty when you open the first Incognito window and are deleted when the last window is closed.
    This means that web sites can't use cookies to track you between sessions. They could track you by your IP address, but the IP addresses are at a lower level than HTTP/HTTPS. If you are really paranoid then you would use something like Tor anyway.

    However, there is one big flaw: All incognito windows are in the same session. If you forget to close the last window then the session will linger: when you open a new link "In Incognito Window" then the new link will be attached to the old Incognito session instead of a new one.
    This could be remedied by supporting multiple Incognito sessions at once. I think that a straightforward model for the user would be to let each Incognito Window represent a separate session.

    Myself, I use Incognito mode primarily to be able to use gmail and Youtube with separate accounts. Commenting on cat videos requires much less security than my private emails.
    It is also convenient to log out just by closing the window.

    --
    "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
  22. Re:First Post? by Anonymous Coward · · Score: 5, Insightful

    They invented unsafe OS with user processes running in kernel mode.
    They invented the mail-transported virus, when outlook auto-executed attachments received by email
    They invented web vulnerabilities with activeX (Execute code found on web pages - no need to look for buffer overflows when this sort of thing is designed in.)

    So indeed, no surprise from microsoft here.

  23. Re:Microsoft invading even on Android OS of Google by Anonymous Coward · · Score: 2, Insightful

    This is very likely specific to your phone or some app you have installed (neither of which did you mention). Without context your assertion means nothing.

  24. At MSFT the security badge goes in before by WillAffleckUW · · Score: 2

    At Microsoft the security badge logo goes on the package before the security is added, comrade.

    Trust in the computer!

    --
    -- Tigger warning: This post may contain tiggers! --