New system patches security holes for more private browsing
Researchers have developed a new system that uses JavaScript decryption algorithms embedded in web pages to patch security holes left open by web browsers' private-browsing functions.
Researchers from Massachusetts Institute of Technology (MIT) described the system "Veil" that makes private browsing more private, at the Network and Distributed Systems Security Symposium in San Diego.
"We asked, 'What is the fundamental problem?' And the fundamental problem is that [the browser] collects this information, and then the browser does its best effort to fix it," Frank Wang, an MIT graduate student, said.
"But at the end of the day, no matter what the browser's best effort is, it still collects it. We might as well not collect that information in the first place," Wang added.
Generally, a browser won't know where the data it downloaded has ended up. Even if it did, it wouldn't necessarily have authorisation from the operating system to delete it.
"Veil" gets around this problem by ensuring that any data the browser loads into memory remains encrypted until it's actually displayed on-screen.
Rather than typing a URL into the browser's address bar, the user goes to the "Veil" website and enters the URL there.
A special server -- which the researchers call a blinding server -- transmits a version of the requested page that's been translated into the "Veil" format.
Once the data is decrypted, it will need to be loaded in memory for as long as it's displayed on-screen. That type of temporarily stored data is less likely to be traceable after the browser session is over.
"Veil" would provide added protections to people using shared computers in offices, hotel business centres, or university computing centres.
It can be used in conjunction with existing private-browsing systems and with anonymity networks such as Tor -- which was designed to protect the identity of web users living under repressive regimes.