Friday, September 6, 2013

Ctrl-Shift-P – your new best friend

Do you flip among reading webmail, social networking, gossip sites, research, and shopping or banking in the same browser? Do you realize that browsing history, search details, and even some logon information could leak from site-to-site?

Google – and, not to pick on just them, many other providers – encourages you to sign in to your account “for a fuller browsing experience” as soon as you open your browser. What they’re really wanting is to establish a relationship – ie: a cookie – with you so they can follow what you’re doing and suggest (sponsored) alternatives to your current choice. This tracking capability is not hidden, nefarious, or necessarily malicious. It’s designed into the Web and browsers as well as your user agreement, and can only be thwarted with obscure configurations in each browser’s profile.

I used to alleviate my concerns over this leakage by ensuring I closed all my browser sessions and reopened the browser before doing any financial transactions. One time I was trying to sign in to a major shopping site with a different profile than I usually used. No matter which of my usual tricks I used, it still insisted on pulling up my personal profile. Obviously they were tracking me with multiple cookies from multiple domains and I would have had to completely clear my history from that browser to get a fresh login. My only alternate option was to use a company computer from which no one had ever signed into that site.

Most modern browsers now offer some form of “private” or “incognito” browsing. A private session is a pristine instance of the browser with no history, no cookies, no remembered passwords. When you close the private instance of the browser (the entire window and all child windows – not just logging off the signin), it deletes all record of that session so the details can’t be tracked across other websites. The next time you open a private instance, you’re starting over again.

When private browsing was first introduced it closed or locked out your “regular” instances of that browser so you couldn’t do anything else while in it. Now it functions just like another browser window that you can switch back and forth between. Identify your private session by the notation in the title bar.


A private browser instance only protects you against successive session browser tracking, persistent cookies, and cross-site leakage. It doesn’t stop the web server from fingerprinting(1) your computer or any malware already installed on your computer or the server. All the cookies and history already in your system are still available to the browser – it just makes all cookies you get now “session” cookies. And, if you browse to any other sites in the same private instance, you might as well have used a default instance.

Private browsing is not a sandbox you can use with abandon; just a slight improvement over the wide open web. For better protection against tracking and leakage you need to use a pristine “computer” by booting to a live CD or a clean virtual machine. This works whether doing your banking or surfing to questionable websites – just be sure you reboot in between.

A private browser session is available from the main menu of most browsers. In Firefox and Internet Explorer, you can use the hotkey Ctrl-Shift-P. Chrome and Opera use Ctrl-Shift-N.


Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 3.0 US License. Permissions beyond the scope of this license may be available at
(c) 2013 Bill Barnes - Disclaimer - Home Page - Blogs Home

No comments: