Private browsing: it’s not so private
August 13, 2010 – 5:50 AM
Research by Stanford University to investigate the privacy of the “private browsing” feature of many Web browsers suggests that the tools aren’t all that private after all, and that many kinds of information can be leaked by browsers when using the mode.
The paper is due to be presented next week at the USENIX security conference.
“InPrivate Browsing” in Internet Explorer, “Incognito mode” in Chrome, and “Private Browsing” in Firefox and Safari all strive to do the same two things: make it impossible for users of the same computer to figure out which sites the browser has been used to visit, and make it impossible for sites to know whether or not a particular user has previously visited them.
To keep browsing private from other users of the same machine, browsers must discard (or avoid creating) any history entries, cached items, cookies, and so on. To prevent sites from being able to track visitors, the browsers must ensure that they don’t send any cookies or other identifiable information from non-private sessions when in private mode.
The researchers found that the browsers’ protections were imperfect. Browsers did not properly isolate their private sessions from non-private ones, with the result that suitably crafted sites could trace visitors between private and non-private sessions. Sites could also leave persistent indications that they had been visited, allowing visits to be detected by local users.