While private browsing is a standard feature, its implementation has been inconsistent among the major browsers. More seriously, it often fails to provide adequate, or even the intended, privacy protection. For example, as shown in prior research, browser extensions and add-ons often undermine the goals of private browsing. In this paper, we first present our systematic study of private browsing. We developed a technical approach to identify browser traces left behind by a private browsing session, and showed that Chrome and Firefox do not correctly clear some of these traces. We analyzed the source code of these browsers and discovered that the current implementation approach is to decide the behavior of a browser based on the current browsing mode (i.e., private or public), but these decision points are scattered throughout the code base. This implementation approach is very problematic because developers are prone to making mistakes given the complexity of browser components (including extensions and add-ons).
You can find the source code of the UCognito project on GitHub. Any comments or feedback are welcome!
UCognito: Private Browsing without Tears (CCS 2015) [paper]
- Observer. The article by Brady Dale provides a very good summary of the UCognito project for both technical and non-technical readers.
- Meng Xu
- Yeongjin Jang
- Xinyu Xing
- Taesoo Kim
- Wenke Lee