Private browsing modes in four biggest browsers often fail

By techbeck
in Back Page News

 Share

Recommended Posts

Grand Master

techbeck

Posted
Posted
Features in the four major browsers designed to cloak users' browser history often don't work as billed, according to a research paper that warns that users may get a false sense of security when using the built-in privacy settings.

The private-browsing modes are supposed to allow users to visit a website without leaving any trace on their computers, and yet Internet Explorer, Firefox, Chrome, and Safari frequently leave tracks, according to the research, which is scheduled to be presented at next week's Usenix Security Symposium in Washington DC. The makers of those browsers ? Microsoft, Mozilla, Google, and Apple respectively ? often hail the offerings as a way to enhance privacy when using shared computers.

One failure that affects IE, Firefox, and Safari happens when users save SSL, or secure sockets layer, client certificates while browsing in private mode. The browsers store a record of those actions in a file that allows anyone who has physical access to know exactly what site the user was visiting at the time. Similarly, when IE and Safari encounter a self-signed certificate, it is stored in a certificate vault that is preserved even after the private session ends.

Similarly, Firefox users who make security certificate settings while in private mode will have a partial copy of their browsing history stored in a file called cert8.db, the researchers said.

?We discovered that all these browsers retain the generated key pair even after private browsing ends,? the researchers wrote. ?Again, if the user visits a site that generates an SSL client key pair, the resulting keys will leak the site's identity to the local attacker.?

The study (PDF here) showed each browser failing in specific settings.

The privacy mode in Firefox, for instance, is undermined when a user sets site-specific preferences or uses a variety of Mozilla-sanctioned plug-ins. The open-source browser also stores websites visited that dole out custom protocol handlers based on the HTML5 standard.

For its part, IE's InPrivate mode can be undermined when websites make SMB queries, since the Microsoft browser shares large chunks of code with Windows Explorer.

The researchers also devised a way for webmasters to detect when someone visiting their sites is using the privacy mode. It involves placing an iframe with a unique web address and then ?using JavaScript to check whether a link to that URL was displayed as purple (visited) or blue (unvisited).?

The researchers said that to the best of their knowledge they are the first to demonstrate a way to detect private browsing mode ? but that may not really matter for much longer. The technique appears to use the decade-old browser history attack, which was recently fixed in Safari and will soon be fixed in Firefox. It's only a matter of time before Microsoft and Google follow suit.

Using the technique, they confirmed what we all suspected: the feature is mainly used when surfing to porn sites. Gift and news sites, not so much. ?

http://www.theregister.co.uk/2010/08/06/private_browsing_mode_failure/

Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted

I think people put too much trust in these modes, but at the same time I think the browser makers hype it up a bit.

That being said, these would be flaws that should be fixed.

...

The technique appears to use the decade-old browser history attack, which was recently fixed in Safari and will soon be fixed in Firefox.

...

Uh, Mozilla came up and implemented it first, Apple was second.

Grand Master

techbeck

Posted
  • Author
Posted

Well, porn is a multi-billion-dollar business for a reason. But even so, people can't afford to lose the jobs they have over it. Thus, "porn mode" was born.

Porn mode was born because porn is a really booming internet business...and people cannot control their urges. If people feel the need to wack it all the time, they have problems. Friend of mine, her EX had porn on every laptop and mobile device he had....and thats not even the half of it.

But anyway, at work I dont even bother trying to mask where I am going to because I respect the rules.

Veteran

+DonC Subscriber²

Posted
  • Subscriber²
Posted

I've never bothered to use those modes tbh, I guess a better private browsing mode would be running a browser normally in a sandbox, then deleting the sandbox when you close the browser.

You do know that there's a market for VMware vulnerabilities too. I can only imagine that VirtualBox, Virtual PC and the OSX ones are would be similar.

But I agree - I never use these modes since I've never really believed that they can self contain whatever happens. I wonder if these modes lead people to believe that they're protected from malware, tbh.

Grand Master

Colin-uk Veteran

Posted
  • Veteran
Posted

1195970568513ij6.jpg

That's because you never bothered to upgrade from IE6.

I dont need to, I dont use private browsing anyway.

You do know that there's a market for VMware vulnerabilities too. I can only imagine that VirtualBox, Virtual PC and the OSX ones are would be similar.

I meant something like sandboxie, but I guess there are vulnerabilities there too.

Grand Master

thealexweb

Posted
Posted

Probably they don't think Opera is a major browser. Hope not. :(

In terms of how much they've innovated and contributed to the browsing community in the past no their not, in terms of market share yes their tiny.

Proficient

nullie

Posted
Posted

You can't count Chrome or Safari as major browsers if Opera is not. It's been in development far longer and has plenty of commercial ties especially in embedded devices, and was "innovating" far longer than than any other. It uses it's own engine and isn't simply a front-end and has a sizable market share when you consider how many browsers are in use, total. 10's of millions of people at least... 'bout the only thing they don't do a lot of is marketing and bundling which is practically the only way anyone else got their browser in use, 'cept for Firefox...

Proficient

nullie

Posted
Posted

Most people go by market share to determine what is a major browser. Unfortunate Opera market share is tiny.

Exactly, but so is Safari and Chrome's. It's rare to ever come across someone in the general public that actually uses these as their primary browser. So to include Safari and Chrome is to expand the definition of major browser to including anyone with a single digit of market share, which Opera should be included. The only reason anyone might think Safari and Chrome are otherwise major browsers are because the image their parent company has to the media..
Grand Master

c3ntury

Posted
Posted

Porn mode was born because porn is a really booming internet business...and people cannot control their urges. If people feel the need to wack it all the time, they have problems. Friend of mine, her EX had porn on every laptop and mobile device he had....and thats not even the half of it.

Well, I don't see the point of having X rated material on mobile devices. Pointless.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • EA Sports UFC 6 review: Brutal, satisfying, and surprisingly accessible to newcomers

      By Astra.Xtreme · Posted

      It's really pathetic that an MMA video game triggers your political rage...
    • Nvidia GeForce NOW gains support for seven more games as discounts continue

      By LoneWolfSL · Posted

      Nvidia GeForce NOW gains support for seven more games as discounts continue by Pulasthi Ariyasinghe There's a brand-new update rolling out to Nvidia's GeForce NOW streaming service, and like every week, that means more games have received support on the platform. This week's drop has additions like Aphelion and Pro Cycling Manager 26 attached to it. Don't forget that the GeForce NOW summer sale is still active too. This limited-time offer drops the 12-month Performance membership from $99.99 to $64.99, saving members $35. At the same time, the 12-month Ultimate membership is currently going for $129.99, dropping the price by $70 from the original $199.99. Moreover, Nvidia reiterated that support for GOG single sign-in and game library is incoming this summer, joining stores like Steam, Ubisoft Connect, Battle.net, and Xbox. "Connect supported game store accounts and stream titles with GeForce RTX power. Games that include cloud-save functionality help keep progress intact across devices," added the company. "Start a game on one screen, pick up where playtime left off on another, and spend less time managing installs and storage space." Here are the games joining GeForce NOW's supported list this week: Embers of the Uncrowned Demo (New release on Steam, available 13) Pro Cycling Manager 26 (New release on Steam, available June 15) Aphelion (Steam) Citizen Sleeper (Epic Game Store, Free from June 18-25) Megastore Simulator (Steam) OPERATOR (Steam) Super Meat Boy 3D (Xbox, available on Game Pass) Keep in mind that, unlike subscription services like Game Pass or EA Play, a copy of a game must be owned by the GeForce NOW member (or at least have a license via PC Game Pass) to start playing via Nvidia's cloud servers. There is also a limit to how many hours subscribers can use the service per month, with extra time being purchasable in chunks.
    • Epic Games says Unreal Engine 6 will help developers "build content faster" using AI models

      By SidVicious · Posted

      AI slop.
    • This is how much iPhone 18 Pro could cost after Apple's price hike confirmed

      By cork1958 · Posted

      47% profit margin? Wtf!! I know companies are in business to make money but come on man. I know for a fact I'll never own one of these.
    • Most AI-powered mainframe migration vendors expected to fail by 2030, Gartner warns

      By zikalify · Posted

      Most AI-powered mainframe migration vendors expected to fail by 2030, Gartner warns by Paul Hill Credit: Pexels You may have read that many companies still run code written in ancient programming languages like COBOL and pay a handsome sum for those who can maintain that code. Well, it looks like this area of the tech world could be the scene of an AI bubble. It turns out that there are mainframe exit vendors, helping companies move their legacy mainframe systems to modern cloud environments or servers such as Microsoft Azure and AWS, using generative AI tooling. Unfortunately, 75% of these vendors are now expected to pivot or cease operations as market realities take hold by 2030. Alessandro Galimberti from Gartner said: Some of the companies in the mainframe exit market are IBM, 21CS, BMC, Broadcom, Rocket Software, DXC, GTSG, and Kyndryl. The reasons some of these firms are expected to quit the market are a reset of market expectations and a decline in demand for one-size-fits-all migration solutions. The reset in expectations is likely to be driven by cost overruns and threats to business, and the potential occurrence of critical failures within businesses as a result of bad transition implementations. These insights from Gartner are pretty interesting because it’s a specific area of the market where doubt is being cast on generative AI. Many people have cast doubt on whether AI companies will successfully justify the massive amounts spent on GenAI to date, and this data from Gartner suggests the road could be rocky for GenAI.

  • Recent Achievements

    • Week One Done
      Classifyskilleducation earned a badge
      Week One Done
    • One Month Later
      eurospharma62 earned a badge
      One Month Later
    • Week One Done
      With What earned a badge
      Week One Done
    • Week One Done
      Harris Gilbert earned a badge
      Week One Done
    • One Month Later
      Vincian earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      532
    2. 2
      +Edouard
      166
    3. 3
      PsYcHoKiLLa
      71
    4. 4
      neufuse
      64
    5. 5
      ATLien_0
      63
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!