Research Project Makes Incognito Browsing Even More Private

• By Dian Schaffhauser
• 03/02/18

There are legitimate reasons to go "incognito" with your web browsing. You may be at a public computer in a library, campus lab or hotel lobby and doing activities you'd rather not share with others once you've logged out. You could be living and working in a country with a repressive regime that has eyes everywhere. Whatever the reason, no matter what you do, your private browsing can leave signs of your presence behind. Or, as a joint research project put it, "private browser modes are leaky."

Researchers from MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) and Harvard University recently presented a paper describing "Veil," a new system intended "to make private browsing more private."

As the paper described, the privacy modes on browsers do one thing well: They stop recording the user's browsing history and attempt to remove whatever was viewed by the user when the session is over. Yet some of the data generated may still be "tucked away" in the computer's memory, allowing somebody with sufficient motivation to extract images and URLs from the session or find cleartext remnants.

A primary reason for the leaks is the complexity of memory management. Data is shifted continuously among different cores and caches. When a specific memory bucket fills up, the operating system might move data to the hard drive, where it could sit for days. The browser isn't designed to keep track of all of this action. But a version of the website visited through Veil can.

The user goes to a Veil version of the given website and types the URL. Then Veil encrypts any data stashed by the browser in memory until it's displayed on the screen. A "blinding server" generates a version of the requested page that's been translated into the Veil format.

According to the researchers, the Veil page looks like any other webpage: It could be loaded by any browser. However, embedded in the Veil version of the page is a tiny bit of code that executes a decryption algorithm. The data associated with the page is unintelligible until it passes through that algorithm. The URLs exposed to system interfaces like the DNS cache become unintelligible to attackers who lack the user's key.

"Veil was motivated by all this research that was done previously in the security community that said, 'Private-browsing modes are leaky — here are 10 different ways that they leak,'" explained Frank Wang, an MIT graduate student in electrical engineering and computer science and first author on the paper, in an article about the project. The fundamental problem, he said, was that the browser collects information and does its best to fix it. "But at the end of the day, no matter what the browser's best effort is, it still collects it. We might as well not collect that information in the first place."

Veil includes additional security features. The blinding servers randomly add meaningless code to every page they serve, which changes the appearance of the underlying source file and prevents the code for a given page from looking like any other version of the same page. And a Veil option allows the user to receive only a picture of a given requested page, preventing executable code from being delivered to the user's device. If the user clicks on some part of the image, the browser relays the location of the click and sends it to the blinding server, which generates the new request it and returns an image of the updated page.

On the back side, developers who want to take advantage of the privacy aspects of Veil need to create Veil versions of their websites. To simplify this process, the researchers have developed a compiler that performs automatic conversion of a website after the developer has fed the existing content into it. The prototype of the compiler will even upload the converted site to a blinding server.

What's still being worked out is who will maintain the blinding servers. As the researchers described, these could be hosted by a group of volunteers or a for-profit company. Or site managers might choose to run the blinding servers themselves to host Veil versions of their sites directly.

Wang was joined on the research by his two thesis advisers, James Mickens, an associate professor of computer science at Harvard, and Nickolai Zeldovich, an associate professor of electrical engineering and computer science at MIT.

The research paper was presented at the Network and Distributed Systems Security Symposium. It's openly available on Wang's website along with the slides from his presentation.