Browser 'Privacy Modes' Not So Private After All

Today's Best Tech Deals

Picked by PCWorld's Editors

Top Deals On Great Products

Picked by Techconnect's Editors

All the major Web browsers have a privacy mode that's supposed to cover a user's tracks after he or she finishes an Internet session, but a trio of researchers have found those modes fail to purge all traces of a Net surfer's activities.

For instance, Mozilla Firefox has something called a "custom handler protocol" that creates URLs that hang around even after a user leaves privacy mode.

Privacy Modes in Browsers Not So Private
Artwork: Peter and Maria Hoey
Secure certificates can also be used to thwart the purpose of privacy modes. Firefox, Internet Explorer and Safari all support the use of SSL client certificates. A Website, through JavaScript, can instruct a browser to generate an SSL client public/private key pair. That key pair is retained by the browser even after the privacy session ends. In addition, if a site uses a self-signed certificate, IE and Safari will store it locally in a Microsoft certificate vault and it stays there when the privacy session ends. So anyone who knows where to look for it can find it and get a glimpse of a user's Internet travels.

Internet Explorer also blows a user's cover in privacy mode when it initiates SMB requests with a Web server. "Even if the user is behind a proxy, clears the browser state, and uses InPrivate, SMB connections identify the user to the remote site," the researchers--Gaurav Aggarwal and Dan Boneh, of Stanford University, and Colin Jackson, of Carnegie Mellon University--wrote in a paper scheduled to be presented next week at the Usenix Security Symposium in Washington, D.C.

However, the trio found that the SMB flaw may be negligible because many ISPs filter SMB port 445.

They also raised a red flag about the potential for browser add-ons to undermine privacy modes. "Browser add-ons (extensions and plug-ins) pose a privacy risk to private browsing because they can persist state to disk about a user's behavior in private mode," the researchers wrote.

"The developers of these add-ons may not have considered private browsing mode while designing their software and their source code is not subject to the same rigorous scrutiny that browsers are subjected to," they added.

The researchers also discovered a way for Webmasters to determine whether a user was accessing their site in privacy mode. They acknowledged, however, that the technique they used exploited an attack that had already been fixed in Safari, was soon to be shut down in Firefox, and was expected to be closed up soon in IE and Chrome.

The bottom line from the trio's research: Don't do anything in privacy mode that you wouldn't do with your boss looking over your shoulder.

Note: When you purchase something after clicking links in our articles, we may earn a small commission. Read our affiliate link policy for more details.
Shop Tech Products at Amazon