11

Recently there has been some disagreement as to what "private mode" means when it comes to various browsers.

Primarily I am referring to...

  • IE's "InPrivate Browsing"
  • Google Chrome's "Incognito Mode"
  • Firefox's "Private Browsing"
  • Opera's "Private Window"
  • Safari's "Private Browsing"

What does "privacy mode" mean to these browsers? By that I mean, what tactics do/don't they typically take?

curiousguy
  • 5,038
  • 3
  • 25
  • 27
chao-mu
  • 2,801
  • 18
  • 22
  • I pose this question honestly, I am not going to chose an answer just because it happens to fit my personal suspicions, but rather will look at the integrity and citations of the answer. – chao-mu Jun 27 '12 at 20:03
  • Note: added `session-management` tag because the aim is to **disconnect from existing sessions** (HTTP cookies based sessions, TLS sessions, super-cookies based sessions...) – curiousguy Jun 27 '12 at 23:24
  • Private browsing modes are extraordinarily useful for debugging problems on websites. Switch to private mode to see what it looks like when you're not logged in, have no cookies, cache, etc. – tylerl Jul 03 '12 at 06:04

5 Answers5

10

They are meant to clear a part of your browser history that is in this so called "private" session and to separate that session from previously existing sessions as well. Things in this session won't be stored after you leave the session.

This is not a 100% foolproof method however:

  • They will still be able to track you based on your IP-addresss and your screensize, System Fonts, Browser Plugin Details, etc (see: https://panopticlick.eff.org/ ) You just don't store browserhistory including the caches and cookies in your browser after you leave the "private session".

  • People will still be able to track you, when you are not careful enough with using your known usernames. Think about moderators, your so called "friends", but also people who forget to set their privacy settings on Youtube and Facebook for example. The default setting is that everyone can see what videos you watched and what you shared.

  • It doesn't protect against geolocation data. For example when you forget to turn off geolocation, when tweeting an image that was originally taken with your mobilephone. Or when you accept to give your geolocation to a service like Google Maps.

  • Is not a protection against viruses, keyloggers, screenloggers and other malware. And hacker who gains access to your the server or your credentials can still access some of your private information on sites you visited.

  • In the past there were some problems some cookies - like the Flash Super cookies - still being able to track you in this private mode. This issue has been resolved since then. http://lifehacker.com/5470515/flash-finally-adds-support-for-private-browsing

chao-mu
  • 2,801
  • 18
  • 22
user1095332
  • 141
  • 1
  • 7
  • 1
    +1, especially with the caveat. "Private browsing" is not the same thing as using Tor (https://www.torproject.org) or other anonymizing proxy servers, it simply (1) doesn't save history and (2) doesn't save cache to disk (but Chrome, for example, does cache files to memory). – msanford Jun 27 '12 at 20:37
  • True and see also the "human factor", something that people often forget... – user1095332 Jun 27 '12 at 21:11
  • "when you forget to turn off geolocation" if the geo setting are not reset, then private browsing is broken (at least to me) – curiousguy Jun 27 '12 at 22:55
  • @msanford "_"Private browsing" is not the same thing as using Tor_" actually "Private browsing" is pretty much another implementation of the same fundamental ideas as torstate with torbutton, except for the Tor part – curiousguy Jun 27 '12 at 23:28
  • @curiousguy: geolocation as in geotagging. This does not get stripped automatically, when using the private mode. See: http://en.wikipedia.org/wiki/Geotagging – user1095332 Jun 28 '12 at 00:48
  • 1
    @curiousguy Indeed, the key offering of Tor is its anonymizing proxy, which hides *your identity from the server*, which private browsing doesn't even attempt to do. – msanford Jun 28 '12 at 03:59
  • @user1095332 You mean [LOC DNS entries (RFC 1876)](http://tools.ietf.org/html/rfc1876)? – curiousguy Jun 28 '12 at 11:08
  • Fox is not a reputable source. Also this answer focuses more on what private modes typically "don't" do than what they actually do. – chao-mu Jul 03 '12 at 01:48
  • @msanford "_the key offering of Tor is its anonymizing proxy_" the key risk of a proxy is that it gets to see all your clear-text traffic, and can even modify it "_which private browsing doesn't even attempt to do._" – curiousguy Jul 03 '12 at 20:39
8

The "private browsing" mode of different browser can differ WRT a few details, but they share the same goal: to disconnect "private" and "normal" browsing as much as possible. (I believe "private mode" follow the same philosophy in most browsers.)

High level description of what private browsing mode tries to emulate:

  • install a clean, fresh browser (in a RAM disk)
  • import (share) most of your settings; which ones? probably not the per-site settings
  • import some of your browsers extensions; which ones? (can be customised in Google Chrome)
  • import your browsers plug-ins
  • the bookmarks are shared with your normal browser; see note about URL below about the risks of URL

You get the idea. There is no real installation of course, it's a very abstract description.

Transient browser state must not be imported, notably:

  • HTTP cookies, HTML off-line storage, etc.
  • cache (see also: How can I prevent tracking by ETAGs?)
  • URL history (see :visited CSS property)
  • TLS active connexions
  • HTTP authentication (basic, challenge...) etc.

Browser extensions: good or bad for privacy?

It is difficult to balance the advantages regarding security and privacy of browser extensions and the fact that they might contribute to specific browser fingerprints, as they can make the browser less "standard looking": even if you hide your extensions in user-agent, they change the browser behaviour in ways that are often detectable, making the browser fingerprinting more precise.

For example, running AdBlock/ABP the browser will not download ads (well, anything) from particular locations (domains, directories), depending on the subscribed filter list. A particular filter list could be identified, and this information could be used for browser fingerprinting.

In general the most useful extensions for security and privacy will change the behaviour of the browser:

  • block "Referer" information
  • block tracking/statistic/"analytic" tools
  • block/limit third party cookies
  • block/limit JS etc.

A note about "customised" URL

Be careful that a particular URL may carry identifying information, such as ?SESSIONID=xxx.

Email links often carry such identifying informations to determine if a particular email has been read.

It is not clear what can be done about that in general at the browser level, as URL is usually entirely relevant (there is nothing in most URL that can be striped, such that the striped still refers to the same resource), but some URL carry informations that identify not the resource but the way to was obtained (such as "referer" information).

I guess some query parameters names could be as white-listed (like q=xxx for searches), others black-listed, and the user could have to make some guesses about others.

Of course if such filters were widely used, a counter approach could be easily deployed: the exact same identifying information could be passed not in query parameters, but disguised as a regular URL information: /sessionid_is_xxx/ and would be even harder to filter.

An alternate approach would be to search for the URL in Google (assuming the resource is on the public indexed Web); the complete URL is not found, to remove informations from the URL until a document with (about) the same URL is found on the public Web. Then the simplified URL can be used as a non-identifying URL (if any "path" or "Referer" is embedded in the URL, it identifies the Google Bot).

But I think I am drifting away from the original question...

curiousguy
  • 5,038
  • 3
  • 25
  • 27
  • I didn't down vote it BUT perhaps someone thought it was not an answer to the question? The question asks about "private mode"s as they are, not as they should be. That said, I still think it's a perfectly good answer and thank you for it. Gives people an idea of what they should keep in mind when analyzing the private modes that are out there. – chao-mu Jul 03 '12 at 00:45
  • I think I may misunderstand your phrasing. Is your first list a representation of what some browsers (to varying degrees) try to follow? Or is it just what would be ideal for them to follow? – chao-mu Jul 03 '12 at 01:57
  • @chao-mu "_Is your first list a representation of what some browsers (to varying degrees) try to follow?_" I _believe_ it is a decent high level and approximate description of what actual browsers are doing. "_Or is it just what would be ideal for them to follow?_" I don't even have a very clear picture of the "ideal" private mode. – curiousguy Jul 03 '12 at 05:37
  • Awesome! Exactly what I was looking for, thank you. I hope you get the upvotes this deserves. "Browser extensions: ...?"and forward do go off topic, but they are worth having around. Is there another answer they could be used for? Like in "Improving the privacy of a casual Web user" or something like that? If not, then I think here is better than nowhere. – chao-mu Jul 03 '12 at 13:03
4

Many answers have touched upon the 'network' aspect of private browsing modes. Interestingly private browsing modes (aptly called the porn mode) primarily aim to leave no trace of your browsing activity on the host computer.

In a research project at my University, we did a host based forensic analysis of the private browsing modes of various browsers. The results were surprising :)

When we did this research (in 2010), we found that browsers indeed leave various artifacts in the memory which can be recovered by reconstructing the user-space memory of the browser. What could be re-constructed varied from browser to browser.

And once we included the kernel memory into the equation(which is kind of a cheating since browsers can rarely do much to cleanse it), we were able to find the SSL certificates, form passwords, form data, and cookies that were used during the private browsing session. Obviously since we are dealing with RAM memory, all these artifacts are lost on a reboot (unless you are going to do a cold boot attack).

You can read our paper and methodology at http://mocktest.net/paper.pdf (specially section 4.2)

So if you think you can beat the forensic analysts by using private browsing mode (if they have physical access to your computer), you are in denial. I don't claim that your entire session can be reconstructed but vital information leaking out the sites you visited can be found (again differs based on OS/browser).

If you think you can beat your wife from knowing what you browsed - that sounds like a more reasonable(and safe) assumption !!

CodeExpress
  • 2,447
  • 14
  • 10
3

Private Mode doesn't keep:

  • Cookies
  • Browsing History
  • Any data that shows your computer visited a Website

HOWEVER:

  • If the Website keeps IPs, Logs or other information about its visitors, Private Browsing does NOTHING
  • It is NOT a proxy!
ant0nisk
  • 211
  • 1
  • 4
  • "_It is NOT a proxy_" yes indeed, the use of a proxy is a policy decision **based on trust** on an external service, as *a proxy is able not only to see every visited website but also to modify them (MITM) except for HTTPS websites*. So using a proxy is not a choice that should be done lightly. – curiousguy Jun 27 '12 at 22:36
1

Primarily, they prevent the persistence of things like website history, cache, and cookies, deleting them when "private mode" ends or not storing them at all. Additionally, there is typically some separation between data (such as cookies) from previous sessions and "private mode".


Specifically (on a high level)...

Internet Explorer 8 InPrivate: frequently asked questions:

InPrivate Browsing prevents Internet Explorer from storing data about your browsing session.

Chrome Incognito mode (browse in private):

  • Webpages that you open and files downloaded while you are incognito aren't recorded in your browsing and download histories.
  • All new cookies are deleted after you close all incognito windows that you've opened.
  • Changes made to your Google Chrome bookmarks and general settings while in incognito mode are always saved.

Firefox Private Browsing - Browse the web without saving information about the sites you visit the following are listed as not being saved

  • Visited pages
  • Form and search bar entries
  • Passwords
  • Download list entries
  • Cached Web Content and Offline Web Content and User Data
chao-mu
  • 2,801
  • 18
  • 22