Browser Private Modes Not So Private After All

CWmike writes "Browsing in 'private mode" isn't as private as users think, reports Gregg Keizer. 'There are some traces left behind [by all browsers] that could reveal some of the sites that you've been to,' said researcher Collin Jackson. He, along with three colleagues, will present their findings on Tuesday at the Usenix Security Symposium in DC. IE, Firefox and Safari, for instance, leave traces of SSL encryption keys even when run in private mode, while IE and Safari on Windows preserve self-signed SSL certificates in a 'vault' file that could be read by others to track the browser's path. Firefox also retains evidence of some certificates. Private mode has also been billed as a way for users to hide themselves from the prying eyes of sites that try to track habits and histories. Jackson said most users see that as the biggest attraction to private mode. 'Some browsers do a better job of protecting you from other types of scenarios, such as Web site tracking,' Jackson said. 'Safari is very much more willing to reveal you to Web sites than the others.'"

Opera

[AnonGCB]

Opera wasn't included, but I'm very curious as to how good their private mode is.

Re:

[Ironhandx]

I am also very interested in this. I've been using Opera as my browser of choice for over 6 months now and can't see myself switching back to anything else. I don't really use private browsing mode, but it would be nice to know how well it functions if I did need it.

Re:

[ReederDa]

I'd like to know how Chrome is rated with this.

Re:Opera

[morari]

Private mode has also been billed as a way for users to hide themselves from the prying eyes of sites that try to track habits and histories. Jackson said most users see that as the biggest attraction to private mode.

I thought hiding your porn habits from the wife or employer was the biggest attraction?

Re:

[Kesch]

Definitive scientific testing has been conducted.

Opera is more private than a potato.

Re:

[masmullin]

Can you do masturbation wrong? I think I do it ok.

The problem with first posts

[Anonymous Coward]

You stumble on the page and see (0 Comments) followed by this huge white space. Looking at it, how can you not write something in it? Multiply this mentality across every other visitor who experiences a blank page and it's no wonder you have so many 'first posts' half way down the page.

Re:The problem with first posts

[buchner.johannes]

We fight our fear of an empty internet?

Re:

[jDeepbeep]

/. abhors a vacuum.

Safari has extremely lax security?

[Anonymous Coward]

Shocker! Say it ain't so!

How many more of these until Browser jokes around here end with "Safari!" instead of "Internet Explorer!"? At least IE takes security seriously nowadays...

(You'll never find a vulnerability in my Mosaic! Ha ha! Security through obsolescence!)

Re:

[CarpetShark]

At least IE takes security seriously nowadays...

Warning, this site is very secure. Yes/No/Retry

?

Re:

[CharlyFoxtrot]

You know private browsing wasn't exactly design to be a DOD level security feature. It is supposed to keep your browsing habits from the casual observer using the same computer. If you take security seriously you have to have other measures in place.

Flash cookies remain too

[e065c8515d206cb0e190]

As there is a flash animation on every other site, looking at your flash cash pretty much reveals what you've "anonymously" browsed recently...

Re:Flash cookies remain too

[Anonymous Coward]

Firefox in Privacy mode with Better Privacy extension. Pretty good setup.

Re:Flash cookies remain too

[hvm2hvm]

I use a virtual machine and I restore the previous snapshot after each browsing session, beat that!

Re:

[oldspewey]

How about running a LiveCD distro and then physically rebooting the machine after each browsing session?

Re:Flash cookies remain too

[Anonymous Coward]

I run a virtual machine on a live CD, then restore the snapshot, reboot the machine, snap the CD in half, attach a high powered electromagnet to the tower, then burn down the building.

Re:

[oldspewey]

What? No TrueCrypt?

Re:

[Mr. DOS]

I'd hate to know what you do when the CD's in ISO form...

Re:Flash cookies remain too

[robi2106]

What a rookie..... you left IP address traces on the gateway logs of your ISP. better nuke your ISP from orbit just to be safe.

Re:

[Bratmon]

You still have logs at the sites you visited. Better get them too, just in case.

Re:

[Idbar]

then burn down the building.

I think that's the building he was talking about... his ISP. It's kind of annoying to burn down your own house every time.

Re:

[camperslo]

It's kind of annoying to burn down your own house every time.

Makes ya wonder where the Fire in Firefox came from, doesn't it...

Re:

[ikkonoishi]

I telnet into the servers, and type out the headers by hand.

Re:

[the_humeister]

I use Lynx.

Re:Flash cookies remain too

[paiute]

I use Lynx.

and a really vivid imagination.

Re:

[hvm2hvm]

My score on a barbie online game... No one must ever know :-SS

Re:

[John Hasler]

No, looking in /dev/null doesn't reveal much of anything.

Re:

[Curate]

What offset are you looking at? If you delve just a bit further into /dev/null, you'll find some very revealing stuff.

Re:Flash cookies remain too

[travisco_nabisco]

Why are you looking at his /dev/null? That is as hard core as it gets.

Re:

[John Hasler]

You've confounded /dev/null and /dev/random. The latter is where all the really exciting stuff is (it includes all of pi!)

Re:

[Thinboy00]

You've confused /dev/random and /dev/urandom. The latter doesn't block waiting for more entropy.

Re:

[BluBrick]

You've confounded /dev/null and /dev/random. The latter is where all the really exciting stuff is (it includes all of pi!)

Maybe so, but /dev/null has greater capacity - you can only get one copy of pi into /dev/random.

Re:

[camperslo]

Even browsers that allow disabling cookies usually still have both Flash cookies (some trail every Flash site) and JAVA cookies. JAVA also may cache images outside the browser cache.

As memory intensive as modern browsers are, and with them seemly able to go back endlessly with that back button, it should also be assumed that every page you visit it swapped into the virtual memory swap file.

At this point, Private Browsing mode seems to do little more than hide the browser history from a tech-illiterate spou

Re:

[camperslo]

So now Flash only stalks users and shares what Flash sites they've visited with other Flash sites the rest of the time? Normal browser cookie controls can't prevent/delete those either. That's still not much respect for privacy. It's nasty behavior most users don't know about.

Some Firefox users use the BetterPrivacy plugin for dealing with Flash cookies,
ideally most would also disable Flash by default and enable it only on specific sites.
(several plugins allow such control)

Browser settings, including pri

Re:

[cbhacking]

Not sure about other browsers, but this was fixed over a month ago with the latest version of Flash if you're running IE8.

Re:

[reub2000]

sudo chattr -R +i .adobe
sudo chattr -R +i .macromedia

You need all of your files on a ramdisk

[Tangential]

Seems like setting up a ramdisk and placing all of your cache/bookmarks/saved values files there would be the way to do this. You could use a script that created the ramdisk and copied the bookmarks, etc... to it before starting the browser. Then have it destroy all of that when the browser closed.

That would certainly be a handy utility to have, especially if it could be configured to make you anonymous (none of your identifying cookies, etc..) as an option.

Re:You need all of your files on a ramdisk

[vux984]

When I want to browse in high security / high privacy I use a virtual machine and delete all changes when shutting it down. (ie so the vm is in precisely the same state it was in when i turned it on.) This also gives me some reasonably good protection from viruses/malware/ and other crud, since unless it manages to break out of the VM, it goes away when I shut the VM down.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[vux984]

I agree. Its the best alternative if you need total security. Boot off a live CD from a diskless machine. (or at least set the hard drives as read-only).

But its a hassle to boot off a live CD.

My VM method realizes nearly all of the benefits of a live CD with a lot more convenience, since you can run it in antoher window along with everything else you are doing. Its more than secure enough for my purposes (keeps the kids from stumbling into it, and acts as a firewall for malware coming through the browser).

Re:

[Frank T. Lofaro Jr.]

Where the CCTV camera and satellites can see you.

Re:

[MBGMorden]

Don't the changes still get written to disk though? Sure it reverts after it's done, but unless that space is securely wiped then it's still recoverable. The ram disk option seems like a better route since you're ensured that those contents are truly gone once they're deleted or the machine looses power. In today's world it's trivial to put an extra 1GB or so towards a ram disk, and most people could web browse from that just fine.

Re:

[vux984]

Don't the changes still get written to disk though?

Its more or less a like a snapshot, and all 'new' disk writes are written to a separate file to be optionally merged back into the disk image. If you decide to discard them, then the file just gets deleted. I suppose some sort of disk forensics done on the freed space before its overwritten might be able to recover something.

It depends what you are looking for. When I want private / secure browsing, I just don't want any traces of it in my main browser, I d

Re:

[h4rr4r]

Unless your host OS is infected, then all bets are off.

Re:

[blair1q]

Keep your entire browser tree and all of its temp locations on a thumbdrive.

In fact, just boot from it.

No thumbdrive = no breadcrumbs.

Re:You need all of your files on a ramdisk

[justin12345]

Yeah a ram disk or virtual machine is defintely way more secure, as well as using proxies or TOR to disguise your IP address (confusing Geo-location databases), forged browser signatures, and a few other things I can't think of right now. Assuming you are committing acts of international espionage, working undercover for the NSA, or simply know that MLB is after you, you should definitely be taking those precautions.

The thing is, my understanding is that "privacy mode" is really just for not having your porn links show up in your browser history, should your S/O or Mom not approve of you viewing such material. It also saves you potential embarrassment when you open up a new tab in Safari or Chrome and it gives you a grid of thumbnails of recently viewed sites. I think Gregg Keizer grossly overestimates what people expect when they click the "private" button. They aren't clicking it to view sites that require SSL certificates, they are clicking it to view sites who's title tag is "Slut fucked by guy" or "Sexy trinity anal part1" and shows up in the browser history as such. Most just use the privacy mode so their S/O or Mom doesn't stumble across those links while looking up that article they read yesterday about "How to plan the perfect wedding" or "Is internet addiction destroying your family?".

Re:

[Dan541]

Or you can use truecrypt and tor.

Re:

[xorsyst]

Try Sandboxie [sandboxie.com]

Don't forget about flash

[DeHackEd]

Flash cookies, or even any temp files left behind by video playback. I've heard it happen. See if anything was left in your Temp directory matching "Flash*" and play it back as .flv or .mp4. Very incriminating evidence

Re:

[drafalski]

The flashblock and betterprivacy add-ons for Firefox will help with flash.

Re:

[kelarius]

As a test I went to a couple of sites of ill repute and watched a couple of free videos, then cleared my Firefox cache. Afterwards, I searched my computer for .flv and .mp4 files and couldnt find anything, so to the casual search most of you should be safe with your

Re:

[geekoid]

err, you need to search before you clear your cache, and then after.

Re:Don't forget about flash

[ytpete]

Just fyi, the current version of Flash does respect "Private Browsing" settings [adobe.com] in all major browsers.

Biggest Attraction

[ceoyoyo]

"Jackson said most users see that as the biggest attraction to private mode."

Nonsense. The biggest attraction of private mode is that hotteennymphosexkittens.com doesn't show up in the suggestions when someone borrows your computer to check Hotmail.

If you want real privacy you shouldn't be trusting a web browser privacy mode.

Re:Biggest Attraction

[swanzilla]

"Jackson said most users see that as the biggest attraction to private mode."

Nonsense. The biggest attraction of private mode is that hotteennymphosexkittens.com doesn't show up in the suggestions when someone borrows your computer to check Hotmail.

If you want real privacy you shouldn't be trusting a web browser privacy mode.

Youtube might be more relevantly incriminating than Hotmail.

Re:

[countertrolling]

If you want real privacy, boot from a liveCD or USB stick

Re:Biggest Attraction

[Surt]

I cannot believe how lazy the porn people are. It has been like a whole minute and that site is STILL not up.

Re:

[sznupi]

Hopefully they will pass on water nymphs, that would be just cruel to the small kittens, and evident to everybody; in however suggestive positions the kittens would be placed for a given shot.

Re:

[jdgeorge]

"Jackson said most users see that as the biggest attraction to private mode."

Nonsense. The biggest attraction of private mode is that hotteennymphosexkittens.com doesn't show up in the suggestions when someone borrows your computer to check Hotmail.

If you want real privacy you shouldn't be trusting a web browser privacy mode.

Good point, but I thought the attraction was so web sites can't sniff your browsing history. [mozilla.com]

Re:

[ceoyoyo]

Mozilla might be pitching it as privacy protection on the web side, but there's a reason "privacy mode" has been better known as "porn mode" since it's introduction.

Re:

[broken_chaos]

That link, while interesting, has no direct relevancy to any of these privacy mode features. It describes Mozilla's planned fix for the CSS :visited information leak, where a website can, fairly quickly and easily, determine which websites (of a preselected list) you have visited. The planned fix has nothing, explicitly, to do with privacy mode, as it will be used in all browsing modes.

Re:

[Charliemopps]

Good point. But I'd like the browser makers to think on this a little harder. They could do all sorts of things to make this mode more attractive. Options to turn off flash and Javascript... or delete all their temp files... Also, have an option to automatically switch to a proxy or VPN when switching to private mode. If it really were a lot more secure I could see it coming in handy for people living in countries not so friendly to free speech.

Re:

[ytpete]

There's no reason to turn off Flash or Javascript unless they ignore the privacy mode and cache content on disk anyway. The current version of Flash respects this setting [adobe.com], and presumably all browsers with a "private browsing" mode restrict their Javascript engines in the same way...

Re:

[duranaki]

Thank you for saving me the time to type that exact comment. :)

Re:

[brunes69]

If you trust someone enough to use your personal computer, but don't trust them enough to know you surf porn, then you have serious issues. And yes, this includes your wife. Never understood guys who try to hide the fact they watch porn from their wife. I mean, I don't rub it in her face, but my wife is not a fool, she knows I watch porn.

Re:

[ceoyoyo]

I was once at a conference with my masters supervisor. I needed to demo something at one of the sessions so I asked him if I could borrow his notebook. He agreed, and I went to the session. Right before I popped open the notebook to set up the demo. Full screen in dripping sticky colour was the porn he'd been watching the night before.

There are more reasons for porn mode than hiding it from your wife. One of them is the same reason why you don't leave Hustler on the coffee table when you've got company

Fast User Switching

[bill_mcgonigle]

when someone borrows your computer to check Hotmail.

When installing a new machine I always take 10 seconds to create a 'demo' user account. I'll sometimes use it for actually doing a demo or presentation, but usually just to FUS to it when somebody wants to borrow the Firefox. XFCE or something similarly light makes it less painful to switch into it.

A new approach to privacy

[GargamelSpaceman]

Lately I've taken a new approach to privacy. I used to try and keep most everything private unless I wanted to share it, but nowadays I've adopted a bland public persona that I don't mind if the world knows about. Then when I want to do something I don't want public, I just invest time and inconvenience commensurate with the criticality of keeping my activity private to make sure it stays private.

Re:

[shadowrat]

When i want to accomplish something without it being attributed to me, i just don a cape and cowl. You'd be surprised how much privacy you have when people can only see your mouth and chin.

it doesn't hurt to have a good utility belt and jet car either.

It's good enough..

[HerculesMO]

I mean, as long as your wife/girlfriend can't track your porno sites with ease you're fine.

If your wife/girlfriend is a CS major with cryptology in her repertoire though... might want to find a different 'hobby'.

Re:It's good enough..

[Anonymous Coward]

If your wife/girlfriend is a CS major with cryptology in her repertoire though... might want to find a different 'hobby'.

If I had a wife/girlfriend with a CS major in cryptology in her repertoire I wouldn't need a hobby.

Re:It's good enough..

[stagg]

I mean, as long as your wife/girlfriend can't track your porno sites with ease you're fine.

If your wife/girlfriend is a CS major with cryptology in her repertoire though... might want to find a different 'hobby'.

Then it's back to an old suitcase under the work bench in the garage.

Re:

[HerculesMO]

I see you're planning ahead.

Re:It's good enough..

[Red Flayer]

Very convenient, as the duct tape and the rope is on the workbench. Just make sure the suitcase is big enough, things never fold as neatly as one might think.

What? Why is everyone looking at me like that?

Re:It's good enough..

[ciaohound]

Your wife is a CS major with cryptology in her repertoire. She just hasn't told you because you'd blow her cover.

Re:

[SheeEttin]

If your wife/girlfriend is a CS major with cryptology in her repertoire though... might want to find a different 'hobby'.

If your wife/girlfriend is a CS major with cryptology in her repertoire, something tells me it's more likely she'd be more receptive to these "hobbies", even to the point of participating. ;)

Re:

[Idiomatick]

I just imagined her doing a dns hijack on the porn site of your choice to one of her.

My wife is not a security researcher

[DJCouchyCouch]

So private mode is good enough for me!

Re:

[blair1q]

If you're married, and she isn't l33t, are you sure you belong on /.?

Re:

[VortexCortex]

If you're married, and she isn't l33t, are you sure you belong on /.?

Of course, Never marry someone who is more 1337 than you are.

This is going to be an unpopular sentiment but...

[stagg]

Virtual machines? Flash disks? I never use the same computer twice! But...who are we hiding from? I support efforts to maintain privacy, and I admire it as a thought experiment, but what's the scenario we're defending against here? All of this sounds like extreme overkill if you're hiding porn from your mom. If you're trying to hide from advertisers, governments, etc, then I think that your bigger worry is not your home machine, but everything out there in our marvelously complicated ecosystem of an internet.

Re:

[Hope Thelps]

But...who are we hiding from?

Nice try but you're not going to find out that easily.

Doesn't seem like a hard problem to solve ...

[BitZtream]

In private browsing mode, hook fopen, all "w" calls get redirected to a special directory, all fopen "r" calls get checked to confirm they are either referencing that directory or referencing known acceptable files (maybe certain preferences).

That instantly solves ALL in-process code. Its not something that would share all its code across platforms since the hooking mechanisms are different but it is going to be the only sure fire way to be safe.

Out-of-process plugins would require a different approach, but since the browser starts them it could hook them as well if the effort was put forth. You hook flash and don't let it write anywhere but where you tell it too, then those retarded flash cookies can't give you away either.

Clear the directory when leaving private browsing mode.

I can't think of any real OS that you can't do this on fairly easy. Windows is doable although it takes a little bit of effort, most UNIX clones are trivial to hook. Might be a problem for browser ports to oddball devices (which I'm counting phones in this group since they are radically different, even if common) but its also probably much less of a concern there. I'm not aware of a private mode for Mobile safari so it doesnt' seem that anyone cares anyway, or am I just missing it?

Javascript errors still go to syslog...

[Anonymous Coward]

I noticed that javascript errors still go to syslog in private mode on Safari, at least.

Re:

[amicusNYCL]

Eh? Safari logs Javascript errors to an OS error log?

Safari Setup...

[thestudio_bob]

I use GlimmerBlocker [glimmerblocker.org], which is a pretty cool little system extension which has a bunch of built in blocking scripts, but also allows you to create your own.

I also use ClickToFlash [clicktoflash.com], but not sure if that does anything to protect you against Flash Cookies.

Then if you really get annoyed at certain sites, you can always edit your host file.

Privacy, CLI-style

[by (1706743)]

If I ever encounter a link which I'm curious about more from an academic perspective than anything else (e.g., a link from a possibly-legitimate-but-likely-spam email), I'll just wget it and then go through the page source and/or view it with a browser.

This anecdote is a little off-topic I guess, but as far as privacy goes, I suspect it's a pretty decent way of going about things.

And what are Chrome's flaws you allude to?

[Zeek40]

Did anyone else notice that the article didn't actually mention any privacy flaws with chrome, even though it says that chrome has them? They cite specific examples for IE, firefox and safari, then just say "oh, chrome has flaws too".

Re:

[geekoid]

Yeah, I noticed that as well. I wonder if it just didn't meet there forgone conclusions.

I didn't even realize.

[Belial6]

I didn't even realize that the point of the private browsing had anything to do with sites you visited. I thought it was clearly being marketed at a way to keep the next person sitting at your computer from seeing that you were visiting porn sites. Having your wife or kids follow behind you on the computer only to have porn sites pop up when they start typing in an address was a pretty big problem for a lot of people. This problem got even worse when the address bar started doing better type ahead by pri

Re:

[geekoid]

Wiper, no wiping!
Adios!

The REAL way to do private mode

[Skapare]

I've been doing this since way back when Firefox 1.0. I have a script that front ends the startup of Firefox. It creates a fake home directory (sets the HOME environment variable). It is populated with an initial set of files Firefox expects or needs and then launches the real Firefox program. It adds about 0.5 seconds to the startup time (was more like 3 seconds way back when I first did this). Another script can scan all these fake homes and figure out which ones are still busy, leaving them alone, a

Re:

[mlts]

Flash shared objects is the main thing. Easy fix -- download and use the BetterPrivacy extension.

Of course, the absolute sure way to ensure browser privacy is to have a virtual machine dedicated to browsing, and have it roll back to the last snapshot once done. This is easy to do in Windows 7 and XP Mode. This way, some cookies left behind by some third party add-on (Java, Flash, or W/E) are eradicated completely.

Re:

[Captain Splendid]

Y'know, if people just zeroed their HDs and reinstalled from scratch once a year like I do, this, and many other problems, would not be problems.

Plus, especially for the luser end of the spectrum, it's a great learning experience.

Re:

[Dynedain]

Y'know, if people just zeroed their HDs and reinstalled from scratch once a year like I do, this, and many other problems, would not be problems.

Those of us not running on Windows systems find that going more than a year between wipe/rebuild is not only possible, but preferable!

Re:

[twidarkling]

Those of us competently running Windows also find going more than a year to be easy and preferable.

Re:Clean on close

[maxwell demon]

But the FBI/CIA/NSA have ways of reading even zeroed drives! (so I hear) Will we ever be safe??

That's why I one them instead. I've never heard that they can read a oned drive. :-)

Re:

[jdgeorge]

Just install NoScript and be done with it.

NoScript is great, but it doesn't prevent CSS-based browser history sniffing [mozilla.com], if I understand correctly.

Re:

[VortexCortex]

So does: [flag]+R "cmd"
cd \
del *.* /s

or
sudo rm -rf /*