
Furtive web surfers might not be able to rely on their web browserâs private mode to hide their tracks.
Most web browsers offer a private mode, intended to leave no trace of surfing history on the computer. But at Carnegie Mellon University in Silicon Valley, California, and colleagues, have found ways to detect which sites were visited with the mode enabled.
For example, many banking websites encrypt their data for security reasons by automatically establishing a secure key with the userâs computer â but even if private browsing is enabled, details relating to the key remain stored on the computerâs hard drive, allowing a hacker to establish that a particular site had been visited. A hacker could âguess what sites youâve been to based on traces left behindâ, says Jackson.
Advertisement
These attacks on privacy âdo not require a great deal of technical sophistication and could easily be built into forensics toolsâ, he adds.
Alternative attacks
Although the work clearly shows there are weaknesses in browsersâ private-browsing implementations, says a UK-based security researcher at Trend Micro of Tokyo, Japan, any attacker with the knowledge to exploit the weaknesses would probably look to other attacks first, which may yield more detailed information.
âIf someone is capable of tracking your browsing habits in this way, then they are probably also tech-savvy enough to know about commercial spyware which could much more effectively track your computer use,â says Ferguson.
The research will be presented at next monthâs Usenix Security Symposium in Washington DC.