Hide Private Mode for Firefox prevents private browsing mode detection
Hide Private Mode is a brand new extension for the Firefox web browser that closes a private browsing mode detection loophole that sites use to detect if the browser is in private browsing mode.
Private browsing mode is a special mode of web browsers that blocks certain data from being saved to the local system. Browsing data or cookies are not stored in that mode among other things. Many newspaper and magazine sites that paywall content use cookies to determine how many free articles a visitor read to allow or block access to the content.
Private browsing mode bypasses this as it prevents the permanent setting of cookies. Developers found loopholes to detect if private browsing mode (or Incognito Mode) was used, and some magazines may block access to the entire site if the mode is detected.
Google closed a loophole in Chrome 76 that allowed sites to detect if the browser's Incognito Mode was used. The fix offered temporary protection against the detection only as new workarounds were soon discovered and implemented by sites.
Hide Private Mode in Firefox
The Firefox extension Hide Private Mode disables the workaround (that uses the IndexedDB API). All it takes is to install the browser extension in the Firefox web browser and allow it to run in private windows. Just open about:addons in Firefox, click on the Hide Private Mode extension, and switch the "Run in Private Windows" option from don't allow to allow.
You can test this easily on sites that allow a fixed number of free articles if you are not subscribed and detect private browsing mode, or on a site that detects the mode and blocks access completely.
Just visit the sites in private browsing mode before installing the add-on and then again after installing it. You should notice that the site won't block your access based on private browsing mode. It may still prevent access based on other parameters
Privacy tests sites like Device Info won't be able to determine if private browsing mode is enabled either.
The extension is open source, you can check out the source code on GitHub and report issues there as well.
Closing Words
Mozilla should consider implementing this natively in the Firefox web browser to prevent the detection of the browser's private browsing mode. For now, it is necessary to install the extension if you run into sites that detect the mode and act on the information.
Now you: do you use private browsing mode?
The incognito mode does not provide the same privacy as a browser with pre-installed web proxies. For surf the Internet and remain anonymous I use browser from the Utopia P2P. Utopia has a browser with a pre-installed web proxy. This is one of the safest and most reliable ways to start using an anonymous web browser to browse the web.
I guess some people just don’t get it:
https://betanews.com/2019/10/10/online-anonymity-is-a-lie/
This betanews.com article is about de-anonymization of anonymized data. While it’s great to debunk companies that pretend that anonymized data collection is private (and even if it was, it should still not be for them to take without real consent), the problem comes much earlier: companies do often not even anonymize data that they process against the user’s interest. Often against the law. Like Google and Facebook in the European Union (GDPR lawsuits going on).
But privacy is not binary, it’s a continuum. If sites are partially prevented from collecting data accross sessions by a private browsing mode that disables cross-session storage, then it’s still something good for privacy. Of course they have other ways to identify users like IP addresses and fingerprinting, in principle, but it’s still hurting them, because not all of them have as efficient identification mechanism already in place if cross-session storage fails.
Private browsing mode’s objectives are not really clear. The original intent is protection from the local attacker only, not from web tracking: hiding from your spouse that you’ve been buying flowers online for him/her/them/it/… instead of browsing porn as usual (the savvy spouse can still spot the flower shop domain name in the OS DNS cache for example as Martin snitched). But then they decided to add some protection from web tracking too, so it’ a mixed thing.
@VioletMoon, indeed, and Private/Incognito modes are but a bandage on a broken leg and worse for those who believe they are new legs.
All in the name of “thievery” ~ Some news article paysites.
I, personally, do not care.
Note that there is another easy way to detect the private browsing mode, that I have seen used by sites to deny service. By default Firefox doesn’t send the DNT header, but sends it in private browsing:
“The Do Not Track feature is turned off by default except in Private Browsing, where it is always on by default.”
https://support.mozilla.org/en-US/kb/how-do-i-turn-do-not-track-feature
I tested that this is how my browser behaves by default.
The obvious solution would be for Firefox to send the header by default in normal browsing mode too (or, inferior solution, not send it by default in either mode). In fact, this is what Mozilla should do even if this PB detection problem did not exist, to provide everyone with the little privacy benefits that complying sites (like theirs) will provide in answer to DNT, and reduce the little extra fingerprinting this header allows. But Mozilla is often hostile to the “privacy by default” principle. Their long time inaction on this problem suggests that this may even be a deliberate design to help sites to spot and punish privacy minded users that use the private browsing mode.
> Browsing data or cookies are not stored in that mode among other things. Many newspaper and magazine sites that paywall content use cookies to determine how many free articles a visitor read to allow or block access to the content.
Just to clear a possible ambiguity, in Firefox private browsing, cookies *are* stored for the duration of the session, at least in memory, and can be accessed by sites for the session, for example to count how many articles a user has read during the session, if cookies is what they use. But a counting that uses session cookies will be reset to zero after a browser restart.
Private browsing cookies do not appear in the “Manage data…” user interface, but they are still here, tracking you for the session, and visible using the storage inspector (shift+F9).
PrivateWindowCheck
Demo: https://jlynx.github.io/PrivateWindowCheck/
Javascript used to check weather a users browser is in private mode or not
Mozilla Tools for site owners:
https://dxr.mozilla.org/mozilla-central/source/toolkit/modules/PrivateBrowsingUtils.jsm
Highly rated code, but . . . I don’t know:
Private or Incognito Browsing Detector / Paywall
https://github.com/Maykonn/js-detect-incognito-private-browsing-paywall/
“Even if you’re on your own network at home, the request goes through your Internet service provider – your Internet Service provider can log the traffic at this point. The request then reaches the website’s server itself, where the server can log your access.
Private browsing doesn’t stop any of this logging. It doesn’t leave any history lying around on your computer for people to see, but your history can always be – and usually is — logged elsewhere.”
from HTG
I’m always surprised to read about some “new” privacy tool when the Internet, by nature, is an “open system.”
Whatever “privacy” features one thinks is hiding him/her from something, I think, he/she is delusional.
For fun, enter “ULBoom said on October 9, 2019 at 2:05 pm” {no quotes}; now, “ULBoom said on ghacks.”
Everything written, etc.
Sorry, but the addon doesn’t work. Just tried it on the LA Times in a private window and the page gets blocked with a huge banner to subscribe. (I did allow the addon to run in Private Windows).
Wonder if something like this could be handy for flight shoppers?
You know how it is…
You spend a bit of time shopping for a flight and after a minute, the price suddenly jumps up.
Have to wonder if there are multiple methods for sites to detect private mode and if blocks, article counts are sometimes generically claimed to be because of private mode when it’s not being used.
A little clearer: I never use private mode but regularly get the type of blocks mentioned here accompanied by a banner that claims I’m in private mode. FF and Chromium behave identically.
Could ad blockers, anti-trackers trigger private mode warnings? Device Info says I’m not in private mode but I still get blocked by, say, WaPo for being in private mode.
Hide Private Mode has no effect on any site I’ve tried, including WaPo. I’ve yet to find an extension that reliably opens these sites.
I don’t use Firefox’s private browsing mode but I do run an extension called ‘API-Killer-IndexedDB’ which “kills HTML5′ IndexedDB API” and interestingly enough when checking Private Browsing Mode on the ‘Device Info’ site mentioned in the article, my Firefox is checked as using private browsing mode; disabling ‘API-Killer-IndexedDB’ shows that I’m not using private browsing.
This corroborates the article’s “The Firefox extension Hide Private Mode disables the workaround (that uses the IndexedDB API).”.
I’ll have to test the ‘Hide Private Mode’ extension to see if it manages to bypass what is performed with ‘API-Killer-IndexedDB’ without actually opening the door closed by the latter.
I haven’t encountered issues with sites because of the ‘API-Killer-IndexedDB’ extension, is it because sites have other means to determine if a user is in private browsing mode than the only IndexedDB status? No idea, but this is interesting.
I use the extension ‘ API-Killer-IndexedDB’ ever since I got fed up with sites laying data in my Firefox’s profile folder under storage/permanent folder (IndexedDB) when everything works perfectly well when they are forbidden to do so. Storage is the new leitmotiv for tracking.
I can not find the extension ‘API-Killer-IndexedDB’ through internet !!
Can you verify the name of the extension please Tom? On the addons site the addon you mentioned results in: “No results were found for “API-Killer-IndexedDB”.
As regards the extension mentioned in the article, it needs minumum FF68. I’m on Waterfox 56.2.14 unfortunately.
There’s also this: https://www.ghacks.net/2019/05/10/simple-ping-blocker-for-firefox/
@TelV, the extension’s developer is Elad Karako and his extensions don’t appear anymore on AMO because of obfuscated code, nevertheless his add-ons are all Mozilla-signed, available on his GitHub repositories. Though I’m no expert I may say, pragmatically, that I consider this guy as particularly skilled. By the way, his extensions wouldn’t be Mozilla-signed should they be malicious. He develops for Chrome and for Firefox.
Elad Karako – List and description of all his extensions :
https://github.com/eladkarako/chrome_extensions/tree/store/
—
Elad Karako – Releases for Firefox :
https://github.com/eladkarako/chrome_extensions/releases/tag/LatestFirefox
———
Elad Karako – API-Killer-IndexedDB – Description :
https://github.com/eladkarako/chrome_extensions/tree/store/API-Killer-IndexedDB
—
Elad Karako – API-Killer-IndexedDB – Download for Firefox :
Download at https://github.com/eladkarako/chrome_extensions/releases/tag/LatestFirefox
———
I use only his API-Killer-IndexedDB extension at this time. Seems to me Elad thinks his code for Chrome and then modifies it for Firefox, but because Firefox has built-in privacy switches that Chrome doesn’t have, some of his extensions may be more pertinent for Chrome than for Firefox.
API-Killer-IndexedDB is, IMO, a master extension; ever since I use it I no longer have sites pouring data in my Firefox profile via IndexedDB, YouTube to start with (used to be MBs) but also all these places which lay their data like in the old days they’d lay their cookies (and still nowadays but less efficient given privacy tools) . I disagree, need to say. I linger to understand the pertinence of IndexedDB, by the way.
Nice find Martin.
I use also the private mode. I am even considering to make the switch and use it standard (always).
Maybe this extension helped me over the hill.
This because I can’t see any advancement of not using the private mode not all the time?
When I am starting to use it always am I then missing then something functionality-wise speaking?
I agree with you Martin than Mozilla should consider implementing this functionality in the standard Mozilla Firefox browser.
Some features are not available in private browsing mode, e.g. the browsing history is not filled with sites you visit which means that they are not suggested to you when you type in the address bar.
Thanks, Martin,
For letting me know!
I am going to think about (the browsing history suggesting to me in the address bar from sites I visited) or I can miss it.