Private web browser modes not as anonymous as you might think

In a research paper due to be presented at the Usenix Security Symposium later this week, the anonymous features of the 'big four' browsers – Chrome, Firefox, IE and Safari – are not as secure as users might think.

The paper observes that "current private browsing implementations provide privacy against some local and Web attackers, but can be defeated by determined attackers".

Reporting on the paper over the weekend, CNET writer Seth Rosenblatt says that features such as 'visited-site history, cookies, search history, download history, web form data, and temporary files' are not recorded on the user's PC.

The security problem, says the Stanford University research paper, stems from the add-ons that users choose to install in their favorite web browser.

According to CNET's Rosenblatt, under Mozilla Firefox, half of the top 32 Javascript-only extensions wrote data to the user's hard drive that a hacker could then later uncover.

"The study actually looked at the top 40 Firefox add-ons, and treated any binary extensions as unsafe in private browsing mode because of what the study called the inherent difficulty in parsing their arbitrary read-write behaviour", he said.

Similar problems exist with the private modes of the other three of the mainstream web browsers.

The good news, Infosecurity notes, is that Opera appears to be immune from this issue in its private browser mode, mainly because it doesn't use extensions, but opts for 'widgets' that are memory sandboxed from the main browser code.

The Stanford University research paper makes the following useful observation: "The browser is the gateway to the internet for many consumers. Ensuring that browser privacy controls are easy to find and simple to use is one crucial component of empowering consumers to maintain their privacy online."

"Improvements in this area cannot replace the need for a robust national privacy law, but they go a long way towards putting consumers in control of their own data."

What’s hot on Infosecurity Magazine?