On the privacy of private browsing – A forensic approach

https://doi.org/10.1016/j.jisa.2014.02.002

Introduction

In 2005, Safari first introduced private browsing, a feature that enables a user to surf the Internet without leaving traces on her local computer, such as history, cookies and temporary files (Aggarwal et al., 2010). Since then, all other mainstream browsers have added the same feature, including Internet Explorer (IE) (Internet Explorer private browsing mode), Chrome (Chrome private browsing mode) and Firefox (Mozilla Firefox private browsing mode).

Although the basic aim of private browsing is the same, the implementations vary greatly across different browsers. This adds significant complexity to the subject. In USENIX Security'10, Aggarwal, Bursztein, Jackson and Boneh initiated the study of the security of private browsing in modern browsers and discovered several vulnerabilities (Aggarwal et al., 2010). In particular, they studied the dire impact of browser extensions on private browsing in Firefox (v3.6). A year later, Said et al. (2011) continued the study of private browsing. They focused on examining the content in the volatile memory and found that artifacts from the private session remained in memory even after the session had been closed. Recently, in ESORICS'13, Lerner et al. (2013) presented a software tool that allows automatic verification of the browser extensions' compliance with the private mode. The tool was mainly tested on Firefox extensions, although in principle it could be easily extended to other browsers.

Apart from these three papers, the security of private browsing seems to have been almost entirely neglected by the security research community. To date, no study has existed that systematically analyses the security of private browsing across major web browsers and from multiple angles: not just examining the memory, but also the underlying database structure on the disk and web traffic.

We believe this lack of attention is disproportionate to the importance of the subject. Over the past five years since 2008, private browsing has been extensively used by a significant portion of Internet users (19% according to a survey (Aggarwal et al., 2010)) to protect their privacy during web navigation (Lerner et al., 2013). Given the prevalent use of private browsing and the fact that many users are relying on it for privacy, it is important to ensure that private browsing is really as “private” as the browser vendors have claimed.

In this paper, we will present an independent and systematic evaluation of the current state of private browsing in popular browsers. Our contributions are summarised below.

  1. Threat model: We refine a threat model for private browsing based on adjusting a previous model (due to Aggarwal et al. (2010)) in order to capture more realistic threats in practice. This new model provides a concrete definition of security, which allows us to evaluate the security of private browsing in a systematic manner.

  2. Discovery of new attacks: We have performed a series of concrete experiments and discovered a number of new vulnerabilities across all the web browsers under study. In particular, the attacks based on application crash, cross-mode interference and remote timing measurements are novel and are demonstrated to work in practice for the first time.

  3. Validation of known attacks: We have tested all previously known vulnerabilities against the latest versions of web browsers and are able to confirm that some still remain unfixed.

Our preliminary research results were presented as a short paper (8 pages) at the ESORICS workshop on Data Privacy Management in September, 2013 (DPM'13) (Satvat et al., 2013). They were based on evaluating the latest versions of the mainstream web browsers as of April, 2013. However, being a short paper, only the main outcomes of the attacks are summarised. This journal paper includes full technical details for each of the attacks, especially the working and quantitative analysis of a novel remote timing attack in Section 5.2. Furthermore, suggestions for countermeasures are added in Section 6. We have informed the relevant browser vendors about the attacks and received useful responses that are also included in this paper. Some of the attacks have been fixed as a result. To inform the reader about the latest situation, we have re-tested all our attacks against the newest versions of browsers as of February 2014 with updates to the previous results included in this paper.

The rest of the paper is organised as follows. Section 2 explains the research methodology used for this study. Section 3 defines a threat model for private browsing. The next two sections, 4 and 5, present a series of experiments to expose vulnerabilities of private browsing against local and remote attackers respectively. Section 6 discusses countermeasures for discovered vulnerabilities. Finally, Section 7 concludes our study and suggests future research.

Research methodology

In this research work, we took a forensic approach to collect and analyse residual data left on the host computer after the private browsing session. Virtualisation was used to prevent any cross-contamination between experiments. In particular, VMware Player (a free version of VMware) was installed (VMware Player Version 4.0.0). In terms of the operating system, Windows 7 was chosen based on its popularity among Internet users. The latest versions of the four popular browsers (as in April,

Threat model

The threat model for private browsing is defined in terms of the attacker's capabilities and their goals. In 2010, Aggarwal et al. defined one threat model for private browsing. Our model is similar to theirs but with some differences, as we will explain. As in Aggarwal et al. (2010), we will categorise attackers into two types: local and remote attackers.

Domain name system (DNS)

DNS caching has long been known as a major threat to private browsing (Aggarwal et al., 2010). The vulnerability arises because the operating system caches the DNS queries sent by a web browser regardless of whether the browser is in the private mode. The results of our testing on DNS caching have confirmed that, three years after it was reported in Aggarwal et al. (2010), this vulnerability still persists in all browsers. Some third-party extensions have been developed to address this issue (Click &
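One way to check for the DNS residue described above on a Windows host is to parse the resolver cache listing. This is an added example, not code from the paper. It assumes the English-language output format of `ipconfig /displaydns`; the host names, the sample listing and the function names are constructed for illustration.

```python
import re

# Constructed sample of `ipconfig /displaydns` output (English Windows), not a real capture.
SAMPLE = """\
Windows IP Configuration

    private-visit.example
    ----------------------------------------
    Record Name . . . . . : private-visit.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 212
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.10

    unrelated.example
    ----------------------------------------
    Record Name . . . . . : unrelated.example
    Record Type . . . . . : 28
    Time To Live  . . . . : 40
    Data Length . . . . . : 16
    Section . . . . . . . : Answer
    AAAA Record . . . . . : 2001:db8::1
"""

# "Key . . . : value"; the lazy key stops at the first colon, so IPv6 values survive.
FIELD = re.compile(r"^\s*(.+?)[\s.]*:\s*(.*)$")

def parse_displaydns(text):
    """Return one dict per cached record: name, type (int), ttl (int)."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # section headers and separator lines carry no colon
        key, value = m.group(1), m.group(2).strip()
        if key == "Record Name":
            cur = {"name": value.lower().rstrip("."), "type": None, "ttl": None}
            records.append(cur)
        elif cur is not None and key in ("Record Type", "Time To Live"):
            cur["type" if key == "Record Type" else "ttl"] = int(value)
    return records

def residual_hosts(text, visited):
    """Map cached names matching a visited host (or a subdomain) to remaining TTL."""
    return {r["name"]: r["ttl"] for r in parse_displaydns(text)
            if any(r["name"] == h or r["name"].endswith("." + h) for h in visited)}

if __name__ == "__main__":
    print(residual_hosts(SAMPLE, ["private-visit.example"]))
```

A non-empty result after the private session has been closed means the visited host is still recoverable from the operating system's cache until the TTL expires or the cache is flushed.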

Remote attacks

Based on the threat model explained in Section 3, the fact that a person used or is using the private mode is considered a privacy feature by itself. However, existing implementations of private browsing in several browsers allow a remote website to easily tell if the user is using the private mode. In this section, we will explain two attacks, based on checking the colour of hyperlinks and the side-channel timing information of writing cookies.

Countermeasures

We divide the causes of attacks into two categories: internal elements that only concern the internal design of a browser, and external elements that involve external interactions with the rest of the system.

Conclusion

We have presented a range of vulnerabilities in the existing implementations of private browsing across four popular web browsers. The revealed problems highlight the complexity of the subject and call for more attention from the security community. They also show that ad-hoc efforts to implement private browsing – as currently adopted by browser vendors – can easily lead to important security considerations being ignored. A more systematic approach to design, implement and test the private

Acknowledgement

The Firefox inspector extension was initially written by a previous MSc student, Nicoleta Nicolaou, in 2011 in the School of Computing Science, Newcastle University. The initial idea of the remote attack based on writing cookies was inspired by a freely available on-line manuscript (http://mocktest.net/paper.pdf).

References (31)

  • W.E. Felten et al., Timing attacks on Web privacy
  • Google Chrome Extensions, http://code.google.com/chrome/extensions/overview.html [Accessed April...
  • Index.dat Analyzer, http://www.systenance.com/indexdat.php [Accessed April...
  • Internet Explorer private browsing mode, http://windows.microsoft.com/en-us/windows-vista/what-is-inprivate-browsing...
  • S. Jeon et al., A recovery method of deleted record for SQLite database, Personal Ubiquitous Comput (2011)