Home & Office

Private browsing security claims wrongly construed

Browser makers say private Web browsing mode designed to omit obvious traces of surfing activity and not meant to protect against attacks described in recent security study.
Written by Vivian Yeo, Contributor

Security researchers made wrong assumptions when they highlighted in a recent paper that private-browsing features in major Web browsers can in fact expose user data, according to an Opera Software executive.

Three academics from Stanford University and Carnegie Mellon University noted in their study that private browsing sessions, which allow users to surf without leaving any trace of Web sites they had visited on the computer, can still be reconstructed by hackers who have gained physical control of the machine. This is possible by accessing the DNS resolution history stored in the cache of a computer that uses the latest versions of Internet Explorer, Firefox, Chrome and Safari.

Another goal of private sessions, they claimed, is to protect against Web attackers by deterring Web sites from making a connection between a user's surfing activities in private mode and those in public mode. This accords some level of privacy to the user by, for example, manipulating browser cookies associated with private browsing.

The researchers noted that achieving these objectives can be made difficult by browser extensions and plugins, and concluded that while private-browsing implementation can afford users some protection, it can be circumvented by determined attackers. More details of the research can be found in their paper, which was presented at the 19th Usenix Security Symposium in Washington D.C. last week.

However, Charles McCathieNevile, Opera Software's chief standards officer, pointed out that contrary to the "simply incorrect" assumptions made by the authors of the paper, private browsing was designed to "enable a user to do something and not leave obvious traces afterward".

For instance, a user who borrows another person's computer for 5 minutes would want to run a private session so that he does not disturb the browsing history and at the same time, not be inconvenienced by prompts based on the usage of the computer owner.

"There is no basis offered for the assumption that privacy mode is meant to protect against 'Web attackers' as defined by the authors," McCathieNevile explained in an e-mail to ZDNet Asia. "There are other browser features which perform that task but private mode does not."

"Likewise, private mode is not designed to protect against an attacker [who gained physical control of the computer] or a skilled hacker trying to guess where you have been by interrogating the swap space on disk," he said.

A Google spokesperson also explained in an e-mail statement: "Incognito mode helps you limit the information that is saved on your computer when you browse the Web. It does not remove all records, as we make clear in our Help Center."

Browser makers weigh in on recommendations
McCathieNevile, who is an advisory board member of the Worldwide Web Consortium (W3C) and co-chair of its Web Applications Working Group, further noted that some of the recommendations made by the researchers were not practical or might be limited in use.

One suggestion was for browser makers to protect swap memory in private mode. Swap space or memory is a part of a disk that temporary stores a process memory image.

Terming the recommendation as one made at the wrong level, McCathieNevile said: "If a user wants a highly secured computer, they should protect their entire swap space [and] run in encrypted mode. While Opera offers features such as clearing various types of private data from storage these are fundamentally OS-level features, and certainly not restricted to private-mode browsing."

According to the executive, the researchers' proposal of noting which Web sites respect users' private browsing is "interesting" but it is still unclear whether users will actually benefit from it.

"Users understand that if they buy something [from a Web site] in private mode, it [has been] bought and money [has been] spent. If they create an account on a social network while in private mode, that account still exists when they exit private mode," he pointed out. "It's not that actions in private mode have no impact in the real world, [they] just have no obvious impact when a subsequent user is running the browser."

Johnathan Nightingale, Mozilla's director of Firefox development, acknowledged in an e-mail that there were some areas highlighted by the researchers that the browser maker could improve on concerning its open source platform.

"There are a couple of findings in the paper that point to areas where we can tighten up our implementation even further, and we have bugs open on that work," he said without elaborating on the specific areas.

However, Nightingale noted that the findings do not pose a "significant risk" to Firefox users in private browsing mode. "Some of the generic attacks described in the paper like the CSS History Sniffing have already been fixed in Firefox 4, currently in beta.

"Many of the remaining attacks require users to explicitly ask for information to be saved before any leakage can occur--the data won't be stored automatically," he said.

At time of writing, Microsoft and Apple did not respond to queries about Internet Explorer and Safari.

Editorial standards