Friday, August 29, 2008

FoxIT Exposes IE8 Beta Privacy Limits

There is a breaking story out of the Netherlands this hour regarding the recently-announced privacy features of the new Microsoft IE8 browser currently in beta.

Webwereld reported that forensics firm FoxIT has found that retrieving a user's history is trivial, even with IE8's new privacy features turned on. Christian Prickaerts, a researcher with FoxIT, had this to say about the IE8 beta:

"The privacy option in this beta is mainly cosmetic. For a forensic investigator, retrieving the browsing history should be regarded as peanuts. The remaining records in the history file still enable me to deduce which websites have been visited."

The IE team's response was interesting: "InPrivate Browsing is to prevent other users of the same computer from gaining access to the browsing history. The feature isn't designed to protect a user's privacy from security experts and forensic researchers."

That isn't a great response. "Security experts" could conceivably write tools based on their techniques that are user-friendly, defeating the whole purpose. Which brings us to the real issue at stake here, and the reason why the stated design aim was to secure the browser history from "other users".

The feature has been roundly dubbed "porn mode" by many in the blogosphere. However, now that these issues have been raised, one wonders how many people who want this "porn mode" feature will migrate from Safari, the current "private browser" of choice, to IE.

Firefox, which has had issues of its own, is helped greatly by its adoption of a truly open developer platform. Several plug-ins for the browser have been written using the XPI and XUL framework and tools, and they increase Firefox user security to acceptable levels.

Of course, the above is not an unbiased view - we have had the goal of building a secure and private browsing environment for several years, not for the stated purpose above, but for ensuring the privacy of online banking transactions.

With SafeCentral, we've achieved that purpose, and we now have the best solution for browser privacy on the market today - with the added claim of offering a security posture that protects privacy from the hardware layer of the PC all the way to the user's (private) web server of choice.

How do we achieve better security than the leading browser manufacturers? By not just focusing on the browser, and more specifically, its plug-in environment. Authentium SafeCentral includes its own secure virtual desktop, supported by a system-level security library developed over many years, a secure look-up system, and a global secure DNS infrastructure.

Because of this closed system, we are able to offer much greater control of what is stored (or not stored) when it comes to user privacy.
