An Analysis of Private Browsing Modes in Modern Browsers

OUTLINE

Introduction

Private browsing: goal and threat model

A survey of private browsing in modern browsers

Usage measurement

Weaknesses in current implementations

Browser addons

Conclusions

INTRODUCTION

The four major browsers (IE, Firefox, Chrome
and Safari) recently added private browsing
modes to their user interfaces
- Sites visited while browsing in private mode
should leave no trace on the user’s computer
- Users may want to hide their identity from web
sites they visit by

While all major browsers support private
browsing, there is a great deal of inconsistency
in the type of privacy provided by the different
browsers

Even within a single browser there are
inconsistencies

Even if a browser adequately implements
private browsing, extensions or plug-ins can
completely undermine its privacy guarantees

PRIVATE BROWSING: GOAL AND THREAT MODEL

Defined two types of attackers:
1. An attacker who controls the user’s machine
(a local attacker)
2. An attacker who controls web sites that the
user visits (a web attacker)

LOCAL ATTACKER

Security against a local attacker means that an
attacker who takes control of the machine after
the user exits private browsing can learn nothing
about the user’s actions while in private
browsing

Limitation: local attacker has no access to the
user’s machine before the user exits private
browsing

We need to adequately erase persistent state
changes made during a private browsing session
1. Changes initiated by a web site without any
user interaction
2. Changes initiated by a web site, but requiring
user interaction
3. Changes initiated by the user.
4. Non-user-specific state changes

LOCAL ATTACKER: SECURITY MODEL

Attacker’s capabilities
1. The attacker does nothing until the user leaves
private browsing mode
2. While active, the attacker cannot communicate
with network elements that contain information
about the user’s activities while in private mode

Attacker’s goal
- For a set S of HTTP requests of the attacker’s
choosing, determine if the browser issued any of
those requests while in private browsing mode

Challenge
- The browser will need to ensure that all DNS
queries while in private mode do not affect the
system’s DNS cache: no entries should be added
or removed
- Operating system can swap memory pages to the
swap partition on disk which can leave traces of
the user’s activity.

Solution?
- VMM (Virtual Machine Monitor)
- User profile backup
- Not recording certain data in private mode

WEB ATTACKER

Goal
1. A web site cannot link a user visiting in private
mode to the same user visiting in public mode
2. A web site cannot link a user in one private
session to the same user in another private
session
3. A web site should not be able to determine
whether the browser is currently in private
browsing mode

SURVEY OF PRIVATE BROWSING IN MODERN BROWSERS

User Interface

Internal behavior

Initial privacy violation examples
1. Custom Handler Protocol
- Custom protocol handlers (CPH)
2. Client Certificate
- SSL client certification

USAGE MEASUREMENT: DESIGN

Ad network
- Ran two simultaneous one-day campaigns:
targeted adult sites, gift shopping sites and
news sites

USAGE MEASUREMENT: RESULT

Private browsing was more popular at adult web
sites than at gift shopping sites and news sites

Private browsing was more commonly used in
browsers that displayed subtle private browsing
indicators

WEAKNESSES IN CURRENT IMPLEMENTATIONS

Manual code review
- Firefox keeps all the state related to the user’s
browsing activity including preferences, history,
cookies, text entered in form fields, search
queries, etc. in a Profile folder on disk

1. nsIFile
- A cross-platform representation of a location
in the file system used to read or write to
files
2. Storage
- A SQLite database API that can be used by
other Firefox components and extensions
to manipulate SQLite database files

Security certificate settings (stored in file cert8.db)
- Stores all security certificate settings and any SSL

Site-specific preferences (stored in file permissions.sqlite)
- Stores many of Firefox's permissions that are decided on a
per-site basis.

Download actions (stored in file mimeTypes.rdf)
- Stores the user’s preferences with respect to what
Firefox does when it comes across known file types like
pdf or avi.

An automated private browsing test using unit tests
- All major browsers have a collection of unit tests for
testing browser features before a release
- MozMill, a Firefox user-interface test automation tool

Use fs_usage to output the name of the system call
used to access the filesystem and the file descriptor
being acted upon

Also use the “last modified time” for files in the
profile directory to identify those files that are
changed during the test.
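
The last-modified-time check above, extended with a content hash so that a bare timestamp change is told apart from a real write. This is an added example, not code from the study or from Firefox; the temporary profile and the writes made to it are constructed, and the file names are the ones mentioned in these slides.

```python
import hashlib
import os
import tempfile

def snapshot(profile_dir):
    """Map each file (path relative to profile_dir) to (mtime_ns, sha256)."""
    state = {}
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, profile_dir)
            state[rel] = (os.stat(path).st_mtime_ns, digest)
    return state

def diff_snapshots(before, after):
    """Classify every path that differs between two snapshots."""
    report = {"created": [], "deleted": [], "modified": [], "touched": []}
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            report["created"].append(rel)
        elif rel not in after:
            report["deleted"].append(rel)
        elif before[rel][1] != after[rel][1]:
            report["modified"].append(rel)      # content changed: state persisted
        elif before[rel][0] != after[rel][0]:
            report["touched"].append(rel)       # timestamp only: inspect by hand
    return report

def demo():
    """Constructed profile; the writes stand in for a private-mode test run."""
    with tempfile.TemporaryDirectory() as profile:
        for name in ("cert8.db", "permissions.sqlite", "mimeTypes.rdf"):
            with open(os.path.join(profile, name), "wb") as fh:
                fh.write(b"baseline")
        before = snapshot(profile)
        with open(os.path.join(profile, "permissions.sqlite"), "ab") as fh:
            fh.write(b"constructed per-site entry")
        with open(os.path.join(profile, "search.json"), "wb") as fh:
            fh.write(b"{}")
        rdf = os.path.join(profile, "mimeTypes.rdf")
        st = os.stat(rdf)
        os.utime(rdf, ns=(st.st_atime_ns, st.st_mtime_ns + 2 * 10**9))
        return diff_snapshots(before, snapshot(profile))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Against a real profile, call `snapshot` before entering private mode and again after leaving it; any path under `created` or `modified` is state that outlived the session.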

Search Plugins (stored in search.sqlite and search.json)

BROWSER ADDONS

Browser addons (extensions and plug-ins) pose a
privacy risk to private browsing because they can
persist state to disk about a user’s behavior in
private mode

Internet Explorer
- Default set extensions disabled, but plugins are
still functional.

Firefox
- Both are enabled in private mode

Google Chrome
- Disables most extension functionality in private
mode, but plugins are enabled

Safari
- Does not have a supported extension API

URL whitelist/blocklist/queues

URL Mappings

Timestamp

Manual check
- Extensions that opt-in to running in private browsing
mode

Disallow writes
- Prevent extensions from changing any local state
while in private browsing mode

Override option
- Discard changes made by extensions to local state
while in private browsing mode, unless the
extension explicitly indicates that the write should
persist beyond private browsing mode

ExtensionBlocker in JavaScript
- Disable all extensions that are not safe for
private mode.

CONCLUSION

Manual review and an automated testing tool
pointed out several weaknesses in existing
implementations

Performed the first measurement study of
private browsing usage in different browsers and
on different sites

Keeping browser extensions and plug-ins from
undoing the goals of private browsing