Private Browsing Not So Private After All
The last year or so has been filled with announcements about private browsing. Each web browser developer has implemented or announced plans to add private browsing to its web browser. Private browsing usually means offering a sandboxed browsing session in computer memory, with no information written to or stored on the computer’s hard drive. Privacy is one of the biggest buzzwords around and will continue to grow in popularity in 2009. The public understanding of private browsing might differ from what private browsing actually does. It definitely does not add privacy to anything that is happening remotely on the Internet. The only gain of private browsing is an increase of privacy in the local environment.
This may, however, not be the only problem associated with private browsing. A recent paper by security researcher Kate McKinley confirms deficiencies in all web browsers and especially in Apple’s Safari. The tests covered not only normal cookie and data handling but also plugin-related handling of Flash and Google Gears data. The surprising result was that no browser passed all private browsing tests.
In fact, all of the existing private browsing modes have some form of data which is not cleared when users enter or leave private browsing modes. Although Chrome cleared the only tested type of data it stored, it was surprising to find that Gears data was not cleared, since Gears is included in the browser. However, this behavior is consistent across all browsers tested, as we will see later.
Firefox 3.1 Beta 2 clears cookies and session storage properly, but the persistent storage (window.globalStorage) is preserved between a normal and private browsing session. With IE 8 (Beta 2), both cookies and session storage were cleared properly, however the IE userData stores were not cleared between the normal and private browsing sessions.
Safari on Windows fared the worst of all in these tests with respect to private browsing, and did not clear any data at all, either before entering or after exiting the private mode. On OSX, Safari’s behavior was quirky; in no case was the HTML 5 database storage cleared before or after private browsing. Previously set cookies seem to continue to be available if the user entered a private browsing session, but if the user started the browser and went directly into private browsing, it seemed to behave as expected.
All browsers have trouble with Flash Cookies in their private browsing modes. This is largely due to the way Flash Cookies are created and stored (without user interaction and without any means to display warnings). So what’s the conclusion in this matter? Users who like to use the private browsing mode should not use Apple’s Safari in its current state. They should also make sure to either disable Flash and other third-party plugins or use settings that prevent them from acting automatically (for example by using NoScript in Firefox).
Check out the Flash Cookies Explained article if you want to read up on Flash Cookies and find out where they are stored and how they can be deleted from a computer system.
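To check your own browser for the kind of carry-over described above, the following self-audit plants a marker in a normal window and reports which script-visible stores still hold it in a private window. It is an added example, not code from the paper or this article; `MARKER_KEY`, the function names and the `#plant` URL fragment are assumptions, and `localStorage` stands in for the persistent stores the paper tested. Plugin storage such as Flash or Gears is outside what this script can see.

```javascript
// Added example (not from the article or the paper). Names are hypothetical.
const MARKER_KEY = "pb_audit_marker";

// One probe per storage mechanism the environment exposes.
// Pass `window` in a browser; tests can pass a stand-in object.
function buildProbes(env) {
  const probes = {};
  if (env.document && typeof env.document.cookie === "string") {
    const re = new RegExp("(?:^|;\\s*)" + MARKER_KEY + "=([^;]*)");
    probes.cookie = {
      write: (v) => { env.document.cookie = MARKER_KEY + "=" + v + "; path=/; max-age=86400"; },
      read: () => { const m = env.document.cookie.match(re); return m ? m[1] : null; },
    };
  }
  for (const name of ["sessionStorage", "localStorage"]) {
    let store = null;
    try { store = env[name]; } catch (e) { /* access can throw when storage is blocked */ }
    if (store) {
      probes[name] = {
        write: (v) => store.setItem(MARKER_KEY, v),
        read: () => store.getItem(MARKER_KEY),
      };
    }
  }
  return probes;
}

// Write the marker everywhere; return the mechanisms that refused the write.
function plant(probes, token) {
  return Object.keys(probes).filter((name) => {
    try { probes[name].write(token); return false; } catch (e) { return true; }
  });
}

// Return the mechanisms where a previously planted marker is still readable.
function survivors(probes) {
  return Object.keys(probes).filter((name) => {
    try { const v = probes[name].read(); return v !== null && v !== undefined && v !== ""; }
    catch (e) { return false; }
  });
}

// Browser usage: load with #plant in a normal window, then without it in a private one.
if (typeof window !== "undefined") {
  const probes = buildProbes(window);
  if (window.location.hash === "#plant") plant(probes, String(Date.now()));
  else console.log("marker survived in:", survivors(probes));
}
```

An empty list in the private window means none of the probed stores carried data over from the normal session.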