Wednesday, 30 November 2011

Private mode surfing is realy private ???...
Most modern browsers support "private browsing mode" (also known in Chrome as "Incognito mode"), where the browser does not save any information to disk about your browsing while in this mode.
In modern browsers, can a web site detect whether a user who is visiting the web site has private browsing mode enabled or not?
The background research I've done. Here's what I've been able to find related to this question. Unfortunately, it doesn't really answer the question above.
·         A 2010 study of private browsing mode showed that it is possible for web sites to detect whether the browser is in private browsing mode, by using a CSS history sniffing attack. (In private browsing mode, sites are not added to the history, so you can use history sniffing to check whether the visitor is in private browsing mode.) Since then, though, modern browsers have incorporated defenses against CSS history sniffing attacks.
Consequently, I would not expect that method of detecting whether the browser is in private browsing mode to be successful any longer. (I realize the defenses against history sniffing are not perfect, but they may be good enough for these purposes.)
·         There may be ways for a website you're visiting to learn whether you are currently logged into other sites (think: Facebook). If the user is currently logged into other services (like Facebook), a website could plausibly guess that the user is not currently using private browsing mode -- this is not a sure thing, but perhaps one could make some kind of probabilistic inference. However, if the user isn't logged into other services, then I guess all we can say is that we don't know whether private browsing mode is in use. It is possible this might yield a partial leak of information, I suppose, but it sounds unreliable at best -- if it even works. It is also possible that this might not work at all.
So, can anyone provide any more recent information about whether there's a way for a website to test whether its visitors are using private browsing mode?

No comments:

Post a Comment