techbeck Posted August 6, 2010

Features in the four major browsers designed to cloak users' browser history often don't work as billed, according to a research paper that warns that users may get a false sense of security when using the built-in privacy settings.

The private-browsing modes are supposed to allow users to visit a website without leaving any trace on their computers, and yet Internet Explorer, Firefox, Chrome, and Safari frequently leave tracks, according to the research, which is scheduled to be presented at next week's Usenix Security Symposium in Washington DC. The makers of those browsers – Microsoft, Mozilla, Google, and Apple respectively – often hail the offerings as a way to enhance privacy when using shared computers.

One failure that affects IE, Firefox, and Safari happens when users save SSL, or secure sockets layer, client certificates while browsing in private mode. The browsers store a record of those actions in a file that allows anyone who has physical access to know exactly what site the user was visiting at the time.

Similarly, when IE and Safari encounter a self-signed certificate, it is stored in a certificate vault that is preserved even after the private session ends. Similarly, Firefox users who make security certificate settings while in private mode will have a partial copy of their browsing history stored in a file called cert8.db, the researchers said.

"We discovered that all these browsers retain the generated key pair even after private browsing ends," the researchers wrote. "Again, if the user visits a site that generates an SSL client key pair, the resulting keys will leak the site's identity to the local attacker."

The study (PDF here) showed each browser failing in specific settings. The privacy mode in Firefox, for instance, is undermined when a user sets site-specific preferences or uses a variety of Mozilla-sanctioned plug-ins. The open-source browser also stores websites visited that dole out custom protocol handlers based on the HTML5 standard. For its part, IE's InPrivate mode can be undermined when websites make SMB queries, since the Microsoft browser shares large chunks of code with Windows Explorer.

The researchers also devised a way for webmasters to detect when someone visiting their sites is using the privacy mode. It involves placing an iframe with a unique web address and then "using JavaScript to check whether a link to that URL was displayed as purple (visited) or blue (unvisited)."

The researchers said that to the best of their knowledge they are the first to demonstrate a way to detect private browsing mode – but that may not really matter for much longer. The technique appears to use the decade-old browser history attack, which was recently fixed in Safari and will soon be fixed in Firefox. It's only a matter of time before Microsoft and Google follow suit.

Using the technique, they confirmed what we all suspected: the feature is mainly used when surfing to porn sites. Gift and news sites, not so much.

http://www.theregister.co.uk/2010/08/06/private_browsing_mode_failure/

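One way to check the article's claim on your own machine, as an added example that is not part of the original post or the researchers' tooling: hash every file in a browser profile directory before and after a private session and list what changed. Only cert8.db is a name from the article; the other file names and contents are constructed, and the demo uses a temporary directory in place of a real profile.

```python
import hashlib
import os
import tempfile


def snapshot(profile_dir):
    """Map each file's path (relative to profile_dir) to its SHA-256 digest."""
    digests = {}
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(path, profile_dir)] = digest
    return digests


def residue(before, after):
    """Files that were created, modified or deleted between two snapshots."""
    return {
        "created": sorted(set(after) - set(before)),
        "modified": sorted(p for p in before
                           if p in after and before[p] != after[p]),
        "deleted": sorted(set(before) - set(after)),
    }


def demo():
    """Run the check against a constructed stand-in for a profile directory."""
    with tempfile.TemporaryDirectory() as profile:
        def write(name, data):
            with open(os.path.join(profile, name), "wb") as fh:
                fh.write(data)

        # Constructed starting state (cert8.db is the file the article names).
        write("cert8.db", b"certificate store, initial state")
        write("prefs.example", b"never touched")
        before = snapshot(profile)

        # Simulated private session that leaves traces behind.
        write("cert8.db", b"certificate store + entry for site.example")
        write("handlers.example", b"custom protocol handler for site.example")
        after = snapshot(profile)
        return residue(before, after)


if __name__ == "__main__":
    print(demo())
```

This only covers files under the directory you point it at; the certificate vault the article mentions for IE and Safari would need its own before/after comparison.
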
The_Decryptor Veteran Posted August 6, 2010

I think people put too much trust in these modes, but at the same time I think the browser makers hype it up a bit. That being said, these would be flaws that should be fixed.

> ...The technique appears to use the decade-old browser history attack, which was recently fixed in Safari and will soon be fixed in Firefox. ...

Uh, Mozilla came up and implemented it first, Apple was second.

hdood Posted August 6, 2010

What happens to Flash when you run it in private mode? I mean, it has its own private caches and cookies.

The_Decryptor Veteran Posted August 6, 2010

Current versions of Flash respect the private browsing modes (it can query the current mode and get notified of changes), so if there is any information leakage it's Adobe's fault, not the browsers'.

bjoswald Posted August 7, 2010

Well, porn is a multi-billion-dollar business for a reason. But even so, people can't afford to lose the jobs they have over it. Thus, "porn mode" was born.

techbeck Author Posted August 7, 2010

> Well, porn is a multi-billion-dollar business for a reason. But even so, people can't afford to lose the jobs they have over it. Thus, "porn mode" was born.

Porn mode was born because porn is a really booming internet business...and people cannot control their urges. If people feel the need to wack it all the time, they have problems. Friend of mine, her EX had porn on every laptop and mobile device he had....and that's not even the half of it.

But anyway, at work I don't even bother trying to mask where I am going to because I respect the rules.

Growled Member Posted August 7, 2010

I'm not surprised. I've always been a bit dubious of private mode.

MR_Candyman Posted August 7, 2010

Opera FTW!

Tech Star Posted August 7, 2010

> Uh, Mozilla came up and implemented it first, Apple was second.

It was saying that Apple got the issue fixed and that Mozilla is going to fix it soon. It didn't say who implemented it first or second. :pinch:

nullie Posted August 7, 2010

> Opera FTW!

My thought was 'why didn't they mention the fifth major browser' - I wonder if it's the only one that actually works?

riceBox Posted August 7, 2010

Probably they don't think Opera is a major browser. Hope not. :(

Colin-uk Veteran Posted August 7, 2010

I've never bothered to use those modes tbh, I guess a better private browsing mode would be running a browser normally in a sandbox, then deleting the sandbox when you close the browser.

tiagosilva29 Posted August 7, 2010

> I've never bothered to use those modes tbh

That's because you never bothered to upgrade from IE6.

+DonC Subscriber² Posted August 7, 2010

> I've never bothered to use those modes tbh, I guess a better private browsing mode would be running a browser normally in a sandbox, then deleting the sandbox when you close the browser.

You do know that there's a market for VMware vulnerabilities too. I can only imagine that VirtualBox, Virtual PC and the OSX ones would be similar.

But I agree - I never use these modes since I've never really believed that they can self contain whatever happens. I wonder if these modes lead people to believe that they're protected from malware, tbh.

Colin-uk Veteran Posted August 7, 2010

> That's because you never bothered to upgrade from IE6.

I don't need to, I don't use private browsing anyway.

> You do know that there's a market for VMware vulnerabilities too. I can only imagine that VirtualBox, Virtual PC and the OSX ones would be similar.

I meant something like sandboxie, but I guess there are vulnerabilities there too.

+DonC Subscriber² Posted August 7, 2010

> I meant something like sandboxie, but I guess there are vulnerabilities there too.

I had totally forgotten about sandboxie!

cork1958 Posted August 7, 2010

When did they add private browsing to these browsers? Just kidding. I knew it was there, but have never used it, in any browser! Most people I know, don't even know it exists and I've never seen it hyped anywhere.

Nightwind Hawk Posted August 7, 2010

> My thought was 'why didn't they mention the fifth major browser' - I wonder if it's the only one that actually works?

Major? I guess we can round it up to 3% market share if we're being really nice? :unsure:

e-berlin.org Posted August 7, 2010

Hehe, I'm not so surprised. So, what about Opera?

thealexweb Posted August 7, 2010

> Probably they don't think Opera is a major browser. Hope not. :(

In terms of how much they've innovated and contributed to the browsing community in the past no they're not, in terms of market share yes they're tiny.

nullie Posted August 7, 2010

You can't count Chrome or Safari as major browsers if Opera is not. It's been in development far longer and has plenty of commercial ties especially in embedded devices, and was "innovating" far longer than any other. It uses its own engine and isn't simply a front-end and has a sizable market share when you consider how many browsers are in use, total. 10's of millions of people at least... 'bout the only thing they don't do a lot of is marketing and bundling which is practically the only way anyone else got their browser in use, 'cept for Firefox...

Growled Member Posted August 8, 2010

> You can't count Chrome or Safari as major browsers if Opera is not.

Most people go by market share to determine what is a major browser. Unfortunately, Opera's market share is tiny.

nullie Posted August 8, 2010

> Most people go by market share to determine what is a major browser. Unfortunately, Opera's market share is tiny.

Exactly, but so are Safari's and Chrome's. It's rare to ever come across someone in the general public that actually uses these as their primary browser. So to include Safari and Chrome is to expand the definition of major browser to including anyone with a single digit of market share, in which Opera should be included. The only reason anyone might think Safari and Chrome are otherwise major browsers is because of the image their parent company has to the media..

c3ntury Posted August 8, 2010

> Porn mode was born because porn is a really booming internet business...and people cannot control their urges. If people feel the need to wack it all the time, they have problems. Friend of mine, her EX had porn on every laptop and mobile device he had....and that's not even the half of it.

Well, I don't see the point of having X rated material on mobile devices. Pointless.

mdtaUK Posted August 8, 2010

Porn is great and all, but not good enough for me to install Opera on my machine!!! :D