Last updated March 7, 2018 at 2:31 pm
Veil, an incognito web browsing system, makes private browsing truly private and keeps snoopers out.
Veil patches security holes left open by web browsers’ private-browsing functions. Credit: MIT
Contrary to what you might think, the “private browser” setting on your web browser isn’t actually private.
You might think it is no longer recording your browsing history, but data accessed during private browsing sessions can still end up stored away in your computer’s memory, retrievable by motivated hackers.
This little-known vulnerability has been tackled by a group from the Massachusetts Institute of Technology with Veil – a new protective layer that keeps your private browsing truly private, even from your own computer.
Best of all – it can be used on any computer, even public shared computers in hotels, offices or libraries.
Plugging the leak
When you engage private browsing mode, a browser will still retrieve data much as it always does, and load it into memory. When the session is over, it attempts to erase whatever it retrieved.
However, this is not as simple as it seems. Data is continuously being shuffled between processor cores and caches. The system can occasionally transfer the data to the computer’s hard drive, where it could remain for days, even after it’s no longer being used.
Amongst all this shuffling, a browser won’t necessarily know where the data it downloaded has ended up. Even if it did, it might not have authorization from the operating system to delete it.
The end result is your private data remaining within the system, even though you thought it wasn’t being collected in the first place.
“Veil was motivated by all this research that was done previously in the security community that said, ‘Private-browsing modes are leaky — Here are 10 different ways that they leak,’” says Frank Wang, who led the research.
“We asked, ‘What is the fundamental problem?’ And the fundamental problem is that [the browser] collects this information, and then the browser does its best effort to fix it. But at the end of the day, no matter what the browser’s best effort is, it still collects it. We might as well not collect that information in the first place.”
Encrypted browsing to prevent snoopers
To get around this problem, the team created Veil. Rather than using the browser as normal, users will need to go to the Veil website, which can be loaded through any browser, and then visit webpages through that portal.
The Veil website sends through a specially encrypted version of the website the user wants to visit via an intermediate server, called a blinding server.
The webpage remains encrypted in transit and in the browser cache, and is decrypted only for viewing, allowing it to display just like its ordinary counterpart.
Once the data is decrypted, it is loaded in memory for only as long as it’s displayed on-screen. According to the Veil team, that type of temporarily stored data is less likely to be traceable after the browser session is over.
But to further trip up attackers, Veil added some more security features.
Firstly, the blinding servers randomly add a bunch of meaningless code to every page they send. That code doesn’t affect the way a page looks to the user, but it drastically changes the appearance of the underlying source data, and no two copies they send are the same. So, even if someone was able to capture a few stray snippets of decrypted code after a Veil session, they probably wouldn’t be able to determine what page the user had visited.
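The effect of that random padding can be seen in a small sketch. This is an added example, not code from Veil or the MIT team: the `blind` function, the choice of HTML comments as the "meaningless code", and the sample page are all assumptions made for illustration.

```python
import hashlib
import re
import secrets
from difflib import SequenceMatcher
from html.parser import HTMLParser

# Constructed sample page (not from any real site).
PAGE = ("<html><body><h1>Clinic portal</h1>"
        "<p>Your appointment is on Friday.</p></body></html>")

def blind(page):
    """Append a random HTML comment after every tag (assumed noise format).
    Naive: only safe for markup without <script>, <style> or <title>."""
    def noise(match):
        junk = secrets.token_hex(secrets.randbelow(24) + 8)
        return f"{match.group(0)}<!--{junk}-->"
    return re.sub(r"<[^>]+>", noise, page)

class _TextOnly(HTMLParser):
    """Collects only the text a reader would see; comments are ignored."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)

def visible_text(markup):
    parser = _TextOnly()
    parser.feed(markup)
    parser.close()
    return "".join(parser.parts)

def fingerprint(markup):
    """Whole-source hash, as used to match a recovered artifact to a known page."""
    return hashlib.sha256(markup.encode()).hexdigest()

def longest_shared_run(a, b):
    """Length of the longest contiguous string present in both inputs."""
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    return matcher.find_longest_match(0, len(a), 0, len(b)).size

if __name__ == "__main__":
    first, second = blind(PAGE), blind(PAGE)
    print(visible_text(first) == visible_text(PAGE))   # same page on screen
    print(fingerprint(first) == fingerprint(second))   # different source bytes
    print(longest_shared_run(PAGE, first), "of", len(PAGE), "chars survive intact")
```

In this simplified form the visible text itself still appears in the markup; the noise only breaks matching against a known copy of the page source.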
However, if those measures aren’t enough, Veil kicks it up another level. An optional setting tells the blinding server to open the requested page itself and take a picture of it. Only the picture is sent to the Veil user, so no executable code ever ends up in the user’s computer.
If the user clicks on some part of the image, the browser records the location of the click and sends it to the blinding server, which processes it and returns an image of the updated page. Moving all the processing off the computer entirely makes it almost impossible to retrieve data after a session.
The only snag to Veil’s plan is a pretty big one though. It requires web developers to create versions of their site which support Veil. Realising that this would severely limit the usefulness of Veil, the developers have created automatic tools to assist in the creation of the webpages. And they claim that for security-conscious websites, it could be a marketable feature to make their sites even more secure.
It will also be interesting to see, once it becomes more widely available, whether we’ll have to wait longer for encrypted websites and images to load. With a spluttering NBN connection, some might find it all just a bit too much.
You can read the research paper via MIT