Demystifying privacy in Google Chrome and Mozilla Firefox
We evaluated private browsing modes in Chrome and Mozilla, analyzed and measured the effectiveness of the claims made by Google and Firefox. Our main motive is to secure the local user from local attacker such that user’s private browsing experience does not leave any trace on the browser. so that when the browser is opened in public mode by anyone, our local user feels safe. We also propose the notion of ideal private browsing from a browsing experience perspective. We tested the browser from a local user point of view and found the leaks present during and after the browser was exited. Our results suggest that the bookmarks, extensions or plugins and DNS cache leaks present a major threat to the security of the local user from a local attacker. We also studied and analyzed the disk usage and DNS cache leak by both browsers and found the conflict between privacy and performance. We also found that Firefox bookmarking policy has a serious leak which reveals the bookmarks of unvisited URLs that were added in private mode and distinguishes them from those that were added in public mode. We also propose two solutions to make bookmarking and plugins/extension more secure so that they do not leave any explicit trail when private browsing is exited.
Experiments
In Mozilla Firefox, the Bookmarks from Private Browsing mode are displayed using a different icon (dashed square). They are visible even in the Public Browsing mode. The same site, if visited in the Public browsing mode, will show up differently.
Bookmark saved in Private mode
1st and 3rd Bookmarks were saved in Private Browsing mode (no icons for url saved when viewed in public mode)
Bookmark saved in Private mode
1st and 2nd Bookmarks were saved in Public mode (icons for url were saved this time in a few seconds)
We believe that typically user would visit a site in private mode which he/she would not visit in public mode. The current functionality, described above, poses a concern as bookmarks from Private mode can be clearly identified by anyone in the Public mode.
Motivation:
User typically overlooks the warning given by these modern browsers at the entry of private browsing mode and doesn’t bother to read the full instructions. He/she assumes that private Browsing mode History, Bookmarks, Auto-complete text, cookies at all are not visible to anyone.
For vigilant and attentive user, there is no way to keep his bookmarks private in any of the browsers.
We have proposed two solutions to add private bookmark in Mozilla Firefox.
1.Securing Bookmark feature in Firefox based on protection Level
This solution is simple and easy to implement. It alerts the user of his implicit actions that can leak his private browsing data to public browsing session. We propose not having ‘Add Bookmark’ functionality by default in private browsing mode. Users, however, will have the ability to enable the bookmark option feature in private mode explicitly. At this point, user will be warned of the caveats.
Following changes would be required to implement this functionality:
- Add a button to enable/disable bookmark feature in Privacy tab
- Make changes in file “nsNavBookmarks.cpp”. E.g.
2. Securing Bookmark feature in Firefox based on User Privacy Level
This solution will let the user add private bookmarks in private browsing mode that can be seen either by him only or by PB mode users depending on the protection level he wants.
Two different levels of protection for securing Bookmark feature in Firefox would be
A. Private/Public level
B. User–level (most secured)
Private/Public level: In this protection level the user will not need to login into any account. As soon as user enters into private browsing mode, he can start adding private bookmarks.
- Public browsing mode: All the bookmarks saved by any users while browsing in public mode would be visible.
- Private browsing mode: All the public bookmarks and the private bookmarks saved by unsigned users while in private mode would be visible.
User–level: In this protection level the user will need to login into his sync account.
- Public browsing mode: All the public bookmarks (saved by any user) would be visible.
- Private browsing mode: All the public bookmarks (saved by any user), private bookmarks of the user, and private bookmarks of all unsigned users would be visible.
Current database file used in Firefox to store Bookmarks entries is Places.sqlite (Table :
moz_bookmarks). To incorporate this feature, the following changes would be required:
-Make changes in file “nsNavBookmarks.cpp” to check whether a user is in private mode or not.
-Add 2 more columns in moz_bookmarks table
1. browsing_mode // Private/Public
2. user_id // firefox sync id
Let us walk through the process using our proposed solution. We will elaborate on both the aspects:
a. Creating Bookmarks
b. Retrieving Bookmarks
Fig. 1 — Creating Bookmarks — Entries in moz_bookmarks table for various scenarios
Our proposed solution will store the information in moz_bookmarks table in the above described fashion when a user bookmarks a site.
Fig. 2 — Retrieving Bookmarks — Logic Table for various scenarios
Based on the additional attributes stored in the moz_bookmarks table, we will use the above described logic table to show the bookmarks.
- In public mode when user is not signed in, then all the bookmarks where browsing_mode is “Public” would be visible.
- In public mode when user is signed in, then all the bookmarks where browsing_mode is “Public” and used_id is equal to sync account id would be visible.
- In private mode if user is not signed in, then all public bookmarks and bookmarks where user_id is null would be visible.
- In private mode if user is signed in, then all public bookmarks and bookmarks where used_id is null or equal to sync account id would be visible.
Conclusion:
While analyzing private browsing modes in modern browsers, we found some new leaks (bookmark icon leak, chrome disk usage leak) in private browsing. We also propose two novel solutions to handle bookmarks for Mozilla private browsing. Finally, we analyzed the current DNS prefetch leak status and disk usage status in private browsing and reasons why vendors are not fixing them.
Future Work:
Our analysis revealed that the private browsing mode, though an advancement, still needs to be more comprehensive in safeguarding user data. There needs to be a two pronged approach — Private Browsing in browsers need to address the security and privacy leaks like the ones highlighted in this paper; and Users need to be better educated about what Private Browsing will and, more importantly, will not entail. We also see a need for development of a standard for Private Browsing mode which would be adhered to by all browsers. Since, Public and Private browsing modes will continue to co-exist in the foreseeable future, the interaction of these two modes with the plug-ins and browser extensions raises further questions about the privacy violations.
References:
Gaurav Aggarwal, Elie Burzstein, Collin Jackson, and Dan Boneh — An Analysis of Private Browsing Modes in Modern Browsers. In Proc. of the 19th USENIX Security Symposium. (USENIX Security 2010)
Zack Weinberg, Eric Chen, Pavithra Ramesh Jayaraman, and Collin Jackson — I Still Know What You Visited Last Summer: Leaking browsing history via user interaction and side channel attacks. In Proc. of the IEEE Security and Privacy Symposium (Oakland 2011)
Google chrome source code: http://code.google.com/chromium/
Google, Incognito mode (private browsing): http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95464
Google chrome, DNS prefetching: http://www.chromium.org/developers/design-documents/dns-prefetching
Google Chrome, Bug list: http://code.google.com/p/chromium/issues/list
https://developer.mozilla.org/En/Supporting_private_browsing_mode
Mozilla Firefox, source code: https://developer.mozilla.org/en/Download_Mozilla_Source_Code
Mozilla Firefox, Private Browsing: http://support.mozilla.org/en-US/kb/Private-Browsing
Mozilla Firefox, Controlling DNS prefectching: https://developer.mozilla.org/En/Controlling_DNS_prefetching
Mozilla Firefox, bug list: https://bugzilla.mozilla.org
Mozilla Firefox, Private browsing: https://developer.mozilla.org/En/Supporting_private_browsing_mode
Mozilla Firefox, Plugins: https://developer.mozilla.org/en/Creating_OpenSearch_plugins_for_Firefox
Mozilla Firefox, Private browsing: https://wiki.mozilla.org/Firefox3.1/PrivateBrowsing/FunctionalSpec#Passwords
http://www.zdnetasia.com/private-browsing-security-claims-wrongly-construed-62202150.htm
