
MIT boffins reckon private browsing still leaks data, but they have the answer

THINK YOU’RE SNEAKING around on the web like a digital ninja? Then think again, as the boffins at Massachusetts Institute of Technology (MIT) reckon private browsing isn’t covering your tracks.

At MIT’s Computer Science and Artificial Intelligence Laboratory, the smart folk found that so-called private browsing modes aren’t nearly private enough. The researchers noted that such modes still leak data like DNS cache, file system info and “on-disk reflections of RAM such as the swap file”.

Such data can effectively leak revealing information about browsers despite modes like Chrome’s ‘Incognito’ window feature claiming to keep browsing habits and data private.

In a paper entitled Veil: Private Browsing Semantics Without Browser-side Assistance, the researchers detailed a solution to the privacy problem called Veil.

It acts as a framework that puts the duties of privacy into the hands of a website rather than leaving a browser’s privacy tech to try and do all the heavy lifting.

In a nutshell, users can simply navigate to the Veil website and enter the URL of the site they want to visit from there. What looks like a simple web page is, in fact, taking care of all manner of encryption and data masking processes in the background.

Veil creates a URL loaded with encryption that can’t be linked to the website’s original URL once HTML and CSS files are passed through a compiler. From there the compiler sends web page objects to the service’s “blinding servers”.

From there, web page data is sent to the user with mutated content in HTML, CSS and JavaScript. That content ends up in the user’s browser, where the original content of the web page is restored so that it looks normal to the user; only at a code level does it carry data that makes every webpage served up through Veil look unique.

At no time has the user typed the URL for the website they are visiting in the browser so it can’t hoover up their data. And data from the web page is kept in-memory for the time it’s being browsed with Veil using some coding wizardry to prevent the system from caching the webpage, therefore keeping it out of the data collection of browsers.

For added levels of privacy, users can request that Veil only sends them a dumb graphic of the web page they are requesting to prevent any executable code from popping up in their browser, thus removing the chance of any data leakage.

When a user clicks on part of what is essentially an image of a web page, Veil records the click coordinates and pipes them to the blinding server, which in turn contacts the web page’s server, meaning all web page rendering takes place server side rather than on a client machine.

So for people after an extra dose of privacy, Veil looks like a pretty decent service. But there are some shortcomings because life ain’t that peachy chaps.

Website operators will need to have the extra infrastructure to handle the back and forth with Veil. And Veil-compatible versions of web pages will be needed.

For websites priding themselves on high levels of privacy, this shouldn’t be too much of an issue. But for those who don’t give a hoot, adding in extra infrastructure will be a headache for web administrators that they’d likely want to do without.

Then there’s the question of who operates and maintains the blinding servers: will it be a group of privacy advocates, a for-profit firm, or the collective responsibility of websites wanting to get involved in Veil?

For now, this is all academic, but Veil could be the answer to private browsing the privacy paranoid and tin foil hat fans have been looking for. µ

Source: Inquirer

Founder and Editor-in-Chief of 'Professional Hackers India'. Technology Evangelist, Security Analyst, Cyber Security Expert, PHP Developer and Part time hacker.
