ComputerWorld.in

Browsers' private modes leak info, say researchers

Browsing in "private mode" isn't as private as users think, a researcher said.

"There are some traces left behind [by all browsers] that could reveal some of the sites that you've been to," said Collin Jackson, an assistant research professor at the Silicon Valley campus of Carnegie Mellon University. Jackson, along with three colleagues from Stanford University, will present their findings later today at the Usenix Security Symposium in Washington, D.C.

Internet Explorer (IE), Firefox, Chrome and Safari offer private browsing intended to cloak a user from Web sites and erase all browsing evidence from the PC or Mac.

Apple's Safari was the first browser to feature private browsing, followed in 2008 by Google's Chrome, and in the next year, by Microsoft's IE and Mozilla's Firefox . Opera added a similar feature this summer, but was not included in the research.

The tools are designed primarily to prevent Web destinations from being recorded to the browser's history so that someone else with access to the computer -- a spouse, say, or child -- can't see where the browser's been. Chrome, calls its feature "Incognito," while IE dubs it "InPrivate."

"All the browsers are trying to protect you from this local attacker," said Jackson, using the term he and his fellow researchers applied to others who could put hands on the computer's keyboard or otherwise access the machine.

IE, Firefox and Safari, for instance, leave traces of SSL (secure socket layer) encryption keys even when run in private mode, while IE and Safari on Windows preserve self-signed SSL certificates in a "vault" file that could be read by others to track the browser's path across the Web.

Firefox also retains evidence of some certificates, particularly non-standard certificates used by some government agencies, in a file that can be mined by others, the four researchers said in their paper.