Browser Privacy Features Leave Users Exposed

When using "private browsing mode" included in many of the current (and beta) Web browsers, do you know just how well it is working at preventing your Internet browsing from being tracked? What about the protection provided when you hit the button to clear your Web browsing history, cookies, and cached files?According to research from Kate McKinley, a researcher at iSec Partners, all four major browsers are failing at performing comprehensive privacy protection for users.

Whether your company relies on Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, or Google Chrome, the privacy protection features that allow a user to browse the Web without leaving evidence in the history or clear-all browsing history does not extend to third-party plug-ins like Adobe Flash, McKinley's recently published research shows.

Employers who are concerned about what their workers are doing on corporate laptops can purchase many different tools that lets them online track behavior, but not every company is willing to invest the time and effort into doing this. The cases I've assisted that dealt with users' spending too much time surfing the Web and using social networking sites came about through the employer noticing a lack of productivity, or the user being reported by another employee. They weren't a result of directly monitoring the user.

In about 85 percent of those cases, users were smart enough to clear their Web browsing history or use a private browsing mode that prevented a casual investigation from finding evidence of time-wasting activities that full, disk-based forensic investigations would have uncovered. Saving some time, a quick forensic preview of the workstations could have yielded faster results by analyzing the Flash cookies left behind from many sites, including MySpace and Hulu.com, that would have yielded evidence of visiting nonwork-related sites (depending on your business).

Kudos to Kate McKinley on some very good research and for providing the source code she used in her testing so that others can duplicate her results and test other Web browsers, such as Opera and Konqueror. Her research and code is included in a 12-page PDF titled "Cleaning Up After Cookies."

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.