Gaurav AGGARWAL, Elie BURZSTEIN, Collin JACKSON and Dan BONEH published an analysis of the private browsing mode in Internet Explorer, 8, Firefox 3.5, Safari 4, and Chrome 5.
What is private browsing mode? According to Mozilla:
Firefox 3.5 and later provide “Private Browsing,” which allows you to browse the Internet without Firefox saving any data about which sites and pages you have visited.
According to the researchers, all four browsers failed. Don’t panic!
The researchers provided a very drastic definition of private browsing that extends further than Mozilla’s one. For instance, they define four types of persistent state changes:
- Initiated by the web site without user interaction such as cookie, adding entry in the history file…
- Initiated by a web site but with user interaction such as generating a client certificate, adding a password to the password database
- Initiated by the user such as adding a bookmark
- Installing a patch or updating a blocking list
All browsers do a decent job for the first category. Nevertheless, they are less well-performing for the other categories. For instance, all the four browsers retain a SSL certificate generated while in private browsing mode. The certificate will leak the site address.
Most of the people are only concerned with the first category. Thus, they are safe. More paranoid people should study their browser and act correspondingly.
Interestingly, the paper proposed three goals versus a web attacker:
- A web site cannot link a user visiting in private mode to the same user visiting in public mode
- A web site cannot link a user in one private session to the same user in another private session.
- A web site should not be able to guess if the browser is in private mode
They also highlighted an under evaluated risk. Although the browser supports a private mode, it does not mean that the plug-ins act also in private mode. In other words, while the browser is in private mode, your addons may still leak information :Happy: