pete_babb
Associate Editor

Your browser’s private mode isn’t as private as you think

analysis
Aug 11, 2010 | 2 mins

Security researchers show that even when you browse in private mode, telltale data can still be found

Internet Explorer’s InPrivate Browsing, Chrome’s Incognito mode, and Firefox’s and Safari’s Private mode all seek to do the same thing: prevent other users from seeing which sites the browser visited, and prevent sites from tracking returning visitors. This means getting rid of things like cached items, browser history entries, cookies, and the like, all in the name of covering your online tracks.

Unfortunately, as Stanford researchers demonstrated at the Usenix Security Symposium yesterday (PDF), private modes aren’t necessarily private.


Even in private mode, your browser is leaving hints of your browsing history — a cached DNS registration history here, an SSL encryption key there — that could end up compromising the very information private mode is supposed to protect. As a result, the researchers say that “current private browsing implementations provide privacy against some local and Web attackers, but can be defeated by determined attackers.”

Making matters worse is the increasing popularity of add-ons. Firefox has made add-ons a cornerstone of the browser (its official add-ons page lists more than 13,000), and Google’s Chrome boasts more than 6,000 available and 10 million downloads a month. As handy as add-ons can be, they often store (and possibly reveal) in log files the kind of data private modes seek to hide. IE and Chrome both mitigate this problem by disabling extensions by default in private mode, but Firefox does not.

Oh, and the biggest nonshocker of the paper: Private mode isn’t used to cover users’ tracks while shopping online for the perfect surprise gift for a loved one, as it is typically pitched in advertising. Rather, private mode is mostly used for exactly what you’d expect: covering users’ tracks while they look at porn.

This story, “Your browser’s private mode isn’t as private as you think,” was originally published at InfoWorld.com.