Private browsing mode leaves data trail, says research

August 10, 2010 | By Paul Mah

Tools

New research at Stanford University's Computer Science Security Lab has revealed that the private browsing modes of the major web browsers are not as anonymous as most users believe them to be. Due to be presented at next week's USENIX security conference, the study examined the top browsers such as Microsoft (NASDAQ: MSFT) Internet Explorer (IE), Google (NASDAQ: GOOG) Chrome, Mozilla Firefox and Apple (NASDAQ: AAPL) Safari.

Called InPrivate Browsing, Incognito and Private Browsing (Firefox and Safari) respectively, the existence of these private modes were meant to make it impossible for other users to figure out the sites visited by the browser, as well as preventing sites from being able to track returning visitors.

In a nutshell, the privacy protection is imperfect due to the fact that browsers did not properly differentiate their private sessions with the non-private ones. The result is that specially crafted sites can exploit this to track visitors between the two modes. Among other tricks, local "attackers" can also access cached DNS resolution history to determine if a user has visited a particular site, defeating its goal of achieving anonymous web browsing.

In addition, the use of software that extends a browser's capabilities--called add-ons--have also exacerbated the problem. While IE and Chrome disabled plug-ins by default, Firefox does not, potentially leaking information via log files or other data that are written to disks.

Overall, the researchers say that all four browsers fall short in the research. Their conclusion: "Current private browsing implementations provide privacy against some local and web attackers, but can be defeated by determined attackers." The paper can be viewed here. (.pdf)

For more on this story:
- check out this article at CNET News
- check out this article at Ars Technica
- check out this article at PC Mag
- check out this article at ZDNet.co.uk