Private browsing modes in four biggest browsers often fail

[techbeck]

Features in the four major browsers designed to cloak users' browser history often don't work as billed, according to a research paper that warns that users may get a false sense of security when using the built-in privacy settings.

The private-browsing modes are supposed to allow users to visit a website without leaving any trace on their computers, and yet Internet Explorer, Firefox, Chrome, and Safari frequently leave tracks, according to the research, which is scheduled to be presented at next week's Usenix Security Symposium in Washington DC. The makers of those browsers ? Microsoft, Mozilla, Google, and Apple respectively ? often hail the offerings as a way to enhance privacy when using shared computers.

One failure that affects IE, Firefox, and Safari happens when users save SSL, or secure sockets layer, client certificates while browsing in private mode. The browsers store a record of those actions in a file that allows anyone who has physical access to know exactly what site the user was visiting at the time. Similarly, when IE and Safari encounter a self-signed certificate, it is stored in a certificate vault that is preserved even after the private session ends.

Similarly, Firefox users who make security certificate settings while in private mode will have a partial copy of their browsing history stored in a file called cert8.db, the researchers said.

?We discovered that all these browsers retain the generated key pair even after private browsing ends,? the researchers wrote. ?Again, if the user visits a site that generates an SSL client key pair, the resulting keys will leak the site's identity to the local attacker.?

The study (PDF here) showed each browser failing in specific settings.

The privacy mode in Firefox, for instance, is undermined when a user sets site-specific preferences or uses a variety of Mozilla-sanctioned plug-ins. The open-source browser also stores websites visited that dole out custom protocol handlers based on the HTML5 standard.

For its part, IE's InPrivate mode can be undermined when websites make SMB queries, since the Microsoft browser shares large chunks of code with Windows Explorer.

The researchers also devised a way for webmasters to detect when someone visiting their sites is using the privacy mode. It involves placing an iframe with a unique web address and then ?using JavaScript to check whether a link to that URL was displayed as purple (visited) or blue (unvisited).?

The researchers said that to the best of their knowledge they are the first to demonstrate a way to detect private browsing mode ? but that may not really matter for much longer. The technique appears to use the decade-old browser history attack, which was recently fixed in Safari and will soon be fixed in Firefox. It's only a matter of time before Microsoft and Google follow suit.

Using the technique, they confirmed what we all suspected: the feature is mainly used when surfing to porn sites. Gift and news sites, not so much. ?

http://www.theregister.co.uk/2010/08/06/private_browsing_mode_failure/

[The_Decryptor Veteran]

I think people put too much trust in these modes, but at the same time I think the browser makers hype it up a bit.

That being said, these would be flaws that should be fixed.

...

The technique appears to use the decade-old browser history attack, which was recently fixed in Safari and will soon be fixed in Firefox.

...

Uh, Mozilla came up and implemented it first, Apple was second.

[hdood]

What happens to Flash when you run it in private mode? I mean, it has its own private caches and cookies.

[The_Decryptor Veteran]

Current versions of Flash respect the private browsing modes (it can query the current mode and get notified of changes), so if there is any information leakage it's Adobe's fault, not the browsers.

[bjoswald]

Well, porn is a multi-billion-dollar business for a reason. But even so, people can't afford to lose the jobs they have over it. Thus, "porn mode" was born.

[techbeck]

Well, porn is a multi-billion-dollar business for a reason. But even so, people can't afford to lose the jobs they have over it. Thus, "porn mode" was born.

Porn mode was born because porn is a really booming internet business...and people cannot control their urges. If people feel the need to wack it all the time, they have problems. Friend of mine, her EX had porn on every laptop and mobile device he had....and thats not even the half of it.

But anyway, at work I dont even bother trying to mask where I am going to because I respect the rules.

[Growled Member]

I'm not surprised. I've always have been a bit dubious of private mode.

[MR_Candyman]

Opera FTW!

[Tech Star]

Uh, Mozilla came up and implemented it first, Apple was second.

It was saying that Apple got the issue fixed and that Mozilla is going to fix it soon. It didn't say who implemented it first or second. :pinch:

[nullie]

Opera FTW!

My thought was 'why didn't they mention the fifth major browser' - I wonder if it's the only one that actually works?

[riceBox]

Probably they don't think Opera is a major browser. Hope not. :(

[Colin-uk Veteran]

I've never bothered to use those modes tbh, I guess a better private browsing mode would be running a browser normally in a sandbox, then deleting the sandbox when you close the browser.

[tiagosilva29]

I've never bothered to use those modes tbh

That's because you never bothered to upgrade from IE6.

[+DonC Subscriber²]

I've never bothered to use those modes tbh, I guess a better private browsing mode would be running a browser normally in a sandbox, then deleting the sandbox when you close the browser.

You do know that there's a market for VMware vulnerabilities too. I can only imagine that VirtualBox, Virtual PC and the OSX ones are would be similar.

But I agree - I never use these modes since I've never really believed that they can self contain whatever happens. I wonder if these modes lead people to believe that they're protected from malware, tbh.

[Colin-uk Veteran]

That's because you never bothered to upgrade from IE6.

I dont need to, I dont use private browsing anyway.

You do know that there's a market for VMware vulnerabilities too. I can only imagine that VirtualBox, Virtual PC and the OSX ones are would be similar.

I meant something like sandboxie, but I guess there are vulnerabilities there too.

[+DonC Subscriber²]

I meant something like sandboxie, but I guess there are vulnerabilities there too.

I had totally forgotten about sandboxie!

[cork1958]

When did they add private browsing to these browsers?

Just kidding. I knew it was there, but have never used it, in any browser!

Most people I know, don't even know it exists and I've never seen it hyped anywhere.

[Nightwind Hawk]

My thought was 'why didn't they mention the fifth major browser' - I wonder if it's the only one that actually works?

Major? I guess we can round it up to 3% market share if we're being really nice? :unsure:

[e-berlin.org]

Hehe, I'm not so surprised. So, what about Opera?

[thealexweb]

Probably they don't think Opera is a major browser. Hope not. :(

In terms of how much they've innovated and contributed to the browsing community in the past no their not, in terms of market share yes their tiny.

[nullie]

You can't count Chrome or Safari as major browsers if Opera is not. It's been in development far longer and has plenty of commercial ties especially in embedded devices, and was "innovating" far longer than than any other. It uses it's own engine and isn't simply a front-end and has a sizable market share when you consider how many browsers are in use, total. 10's of millions of people at least... 'bout the only thing they don't do a lot of is marketing and bundling which is practically the only way anyone else got their browser in use, 'cept for Firefox...

[Growled Member]

You can't count Chrome or Safari as major browsers if Opera is not.

Most people go by market share to determine what is a major browser. Unfortunate Opera market share is tiny.

[nullie]

Most people go by market share to determine what is a major browser. Unfortunate Opera market share is tiny.

Exactly, but so is Safari and Chrome's. It's rare to ever come across someone in the general public that actually uses these as their primary browser. So to include Safari and Chrome is to expand the definition of major browser to including anyone with a single digit of market share, which Opera should be included. The only reason anyone might think Safari and Chrome are otherwise major browsers are because the image their parent company has to the media..

[c3ntury]

Porn mode was born because porn is a really booming internet business...and people cannot control their urges. If people feel the need to wack it all the time, they have problems. Friend of mine, her EX had porn on every laptop and mobile device he had....and thats not even the half of it.

Well, I don't see the point of having X rated material on mobile devices. Pointless.

[mdtaUK]

Porn is great and all, but not good enough for me to install Opera on my machine!!! :D