Browsing gets more private

  • Today, most web browsers have private-browsing modes, in which they temporarily desist from recording the user’s browsing history.
  • But data accessed during private browsing sessions can still end up tucked away in a computer’s memory, where a sufficiently motivated attacker could retrieve it.
  • With existing private-browsing sessions, Wang explains, a browser will retrieve data much as it always does and load it into memory. When the session is over, it attempts to erase whatever it retrieved.
  • But in today’s computers, memory management is a complex process, with data continuously moving around between different cores (processing units) and caches (local, high-speed memory banks).
  • When memory banks fill up, the operating system might transfer data to the computer’s hard drive, where it could remain for days, even after it’s no longer being used.
  • Generally, a browser won’t know where the data it downloaded has ended up. Even if it did, it wouldn’t necessarily have authorization from the operating system to delete it.
  • A special server which the researchers call a blinding server transmits a version of the requested page that’s been translated into the Veil format.
  • This looks like an ordinary webpage,Any browser can load it. But embedded in the page is a bit of code much like the embedded code that would, say, run a video or display a list of recent headlines in an ordinary page that executes a decryption algorithm.
  • The data associated with the page is unintelligible until it passes through that algorithm.
  • Once the data is decrypted, it will need to be loaded in memory for as long as it’s displayed on-screen.
  • That type of temporarily stored data is less likely to be traceable after the browser session is over. But to further confound would-be attackers, Veil includes a few other security features.
  • One is that the blinding servers randomly add a bunch of meaningless code to every page they serve. That code doesn’t affect the way a page looks to the user, but it drastically changes the appearance of the underlying source file. No two transmissions of a page served by a blinding sever look alike, and an adversary who managed to recover a few stray snippets of decrypted code after a Veil session probably wouldn’t be able to determine what page the user had visited.
  • If the combination of run-time decryption and code obfuscation doesn’t give the user an adequate sense of security, Veil offers an even harder-to-hack option.
  • With this option, the blinding server opens the requested page itself and takes a picture of it.
  • Only the picture is sent to the Veil user, so no executable code ever ends up in the user’s computer. If the user clicks on some part of the image, the browser records the location of the click and sends it to the blinding server, which processes it and returns an image of the updated page.

 

Leave a Reply

PAYMENT METHOD