Private browsing mode leaves data trail, says research
New research at Stanford University's Computer Science Security Lab has revealed that the private browsing modes of the major web browsers are not as anonymous as most users believe them to be. Due to be presented at next week's USENIX security conference, the study examined the top browsers such as Microsoft (NASDAQ: MSFT) Internet Explorer (IE), Google (NASDAQ: GOOG) Chrome, Mozilla Firefox and Apple (NASDAQ: AAPL) Safari.
Called InPrivate Browsing, Incognito and Private Browsing (Firefox and Safari) respectively, these private modes were meant to make it impossible for other users to figure out the sites visited by the browser, and to prevent sites from tracking returning visitors.
In a nutshell, the privacy protection is imperfect because browsers do not properly separate their private sessions from the non-private ones. As a result, specially crafted sites can track visitors between the two modes. Among other tricks, local "attackers" can also access cached DNS resolution history to determine whether a user has visited a particular site, defeating the goal of anonymous web browsing.
In addition, the use of software that extends a browser's capabilities, called add-ons, has also exacerbated the problem. While IE and Chrome disable plug-ins by default, Firefox does not, potentially leaking information via log files or other data written to disk.
Overall, the researchers say that all four browsers fall short. Their conclusion: "Current private browsing implementations provide privacy against some local and web attackers, but can be defeated by determined attackers."