Private Browsing Not So Private After All
The last year or so has been filled with announcements about private browsing, a new option implemented in modern web browsers to improve the privacy of users that are browsing the Internet.
Private browsing usually means to offer a sandboxed browsing session in computer memory with no information written and stored on the computer's hard drive. Privacy is one of the biggest buzz words around and will continue to grow in popularity in 2009 and beyond.
The public understanding of private browsing may differ from what private browsing actually does. It definitely does not add privacy to anything that is happening remotely on the Internet. The only gain of private browsing is an increase of privacy in the local environment.
This may however be not the only problem associated with private browsing. A recent paper by security researcher Kate McKinley confirms deficiencies in all web browsers and especially in Apple's Safari.The researcher tested cookies and data handling but also how plugin data was handled while in private browsing mode.The surprising result was that no browser passed all private browsing tests.
In fact, all of the existing private browsing modes have some form of data which is not cleared when users enter or leave private browsing modes. Although Chrome cleared the only tested type of data it stored, it was surprising to find that Gears data was not cleared, since Gears is included in the browser. However, this behavior is consistent across all browsers tested, as we will see later.
Firefox 3.1 Beta 2 clears cookies and session storage properly, but the persistent storage (window.globalStorage) is preserved between a normal and private browsing session.With IE 8 (Beta 2), both cookies and session storage were cleared properly, user Data stores were not cleared between the normal and private browsing sessions.
Safari on Windows fared the worst of all in these tests with respect to private browsing, and did not clear any data at all, either before entering or after exiting the private mode.
On OSX, Safari’s behavior was quirky; in no case was the HTML 5 database storage cleared before or after private browsing. Previously set cookies seem to continue to be available if the user entered a private browsing session, but if the user started the browser and went directly into private browsing, it seemed to behave as expected.
All browsers have troubles with Flash Cookies and their private browsing modes. This is largely due to the way Flash Cookies are created and stored (without user interaction and means to display warnings).
So what's the conclusion in this matter? Users who like to use the private browsing mode should not use Apple's Safari in its current stage. They should also make sure to either disable Flash and other third party plugins or use settings that prevent them from acting automatically (for example by using NoScript in Firefox).
Check out the Flash Cookies Explained article if you want to read up on Flash Cookies and find out where they are stored and how they can be deleted from a computer system.
Patches have landed on Firefox for this problem. Now it’s up to the plugin makers to patch their stuff so that they realize when Firefox is in Private Browsing NOT to write flash cookies or whatever. :)
Maybe use another firefox profile, with delete everything on exit option.
and if combined with some tool/kernel driver that allows mounting some of computer RAMs as a drive (like what happens on live distros) one can create a profile on the fly on that memory and gooooooooooo (locally) private!
as one once called it “pr0n mode”, not private browsing mode.
Flash’s horrendous “Settings Manager” is a server/web-based app that controls the client comp’s settings using Flash itself. That itself is enuf for me to uninstall that but it’s a necessary evil.
Mostly agree with Vijay. The ‘original’ internet (ie TCP/IP, etc) was not really designed for privacy, and even security and whole host of other things.
The Flash Cookie destroying Firefox extension, Better Privacy, deserves another mention here; ghacks has a nice article on it: https://www.ghacks.net/2008/05/23/manage-flash-cookies-with-better-privacy/
@Vijay:
That is a great point. The whole “private browsing” thing is getting so much undeserved attention, it seems that the internet really is for pr0n!
Vijay, yes you are right. Private Browsing is only there to hide browsing traces on the local computer and apparently that not as good as most users would have thought.
Darkkosmos this will not delete Flash cookies if I’m not mistaken. Not sure about Google Gears and other plugins as well.
In short Safari Sucx!
Here is a tip, just get a portable browser and delete the folder once your done with your browsing.
The Internet was never designed to protect privacy. Every IP is traceable. Tor is a good but painfully slow, but an organisation with resources can track back and find a person IP. Personally, I think private browsing in browsers is only for those who are trying to hide their behaviour from a family member rather than from any external entity.
An implication of this “private browsing†mode is that it makes parental supervision of a child’s browsing behaviour difficult. An option would be for browsers to implement parental controls to they can be switched off if required.