tags:

views:

362

answers:

4
+11  Q: 

Detecting if a browser is using Private Browsing mode

I'm building an extranet for a company paranoid about security. They want to make sure that (among other things) their users are browsing the site with the Private Browsing mode switched on in their web browser so that no cookies or history is kept.

I found only this http://jeremiahgrossman.blogspot.com/2009/03/detecting-private-browsing-mode.html and http://serverfault.com/questions/18966/force-safari-to-operate-in-private-mode-and-detect-that-state-from-a-webserver

The ideal solution would use no or minimal javascript. Would attempting to set a unique cookie work for all browsers and platforms? Anyone done this before?

thanks!

update

http://crypto.stanford.edu/~collinj/research/incognito/ uses the CSS visited technique of the browser fingerprinters mentioned by other posters- thanks for the hints.

I like it because it is small and elegant, but still want to be able to do it without javascript if possible.

+5  A: 

There's no way for your web page to know, absolutely for sure, that the user is in private browsing mode.

If the company is that paranoid about security, I'd suggest rolling your own local Firefox distribution with locked down privacy settings, and only allowing that client to connect to the extranet.

Matt S  2010-05-18 20:38:23
What supporting evidence? The "fingerprint" that doesn't tell you if private browsing is on? The company is "paranoid about security", so relying on so-called fingerprints isn't sufficient.
Matt S  2010-05-18 23:18:35
hmmm... my own cross platform FF distribution? Thats a bit much effort... Are you aware of an 80% solution? (eg 80% of the time we can guess if the user is in private browsing mode). I'm looking to combine a number of security recommendations to the visitor: using private browsing is one of them. As others have suggested, not all visitors will be willing to do that, and maybe 1/4 of them will be in "safe" locations and will not need to.
Steve  2010-05-19 21:25:26
A: 

Well, you wouldn't really distinguish private mode from "block all cookies" in that way, but apart from that rare situation I guess it should work.

The big problem IMO, is that this is a very very bad site design, not better than the good ol' "you need browser xxx to see this website" that was common in the '90s. Not all browser have a Private Browsing mode (as much as I despise IE, your cutting out IE7 users for instance) and those users won't be able to access your site at all.

Also, when I'm on the Internet I often have several tabs open with multiple website. It would be really annoying for me to have to switch to private mode just to see that website and not being able to access the other sites at the same time.

One thing you could do would be designing the site using sessions instead of cookies, so they won't be stored (as you don't use them...). And as for the history... really, what's the problem with that?

nico  2010-05-18 20:39:50
Or put the whole site behind a password protected, encrypted connection with caching aggressively disabled.
Marcel Korpel  2010-05-18 22:30:52
You must be stuck in a box writing boring code.
Rook  2010-05-19 11:09:40
@The Rook: nah: its pretty interesting. There are some bizarre technical challenges like requiring all users to go via https but knowing that some countries block ssl connections, or knowing that 10% of my users will be logging in via very flaky 24k dial up lines and only have electricity for a couple of hours a day if they are lucky...
Steve  2010-05-19 21:21:37
@Marcel: yep, done all that. need to go further
Steve  2010-05-19 21:29:15
A: 

Web browsers behave differently when privacy mode is activated.

On many browsers the caching of resources is limited. It is possible to detect where a browser has been based on their CSS cache. Its possible to conduct this this attack without JavaScript.

The EFF is working on a project to fingerprint browsers. Parts of the browsers fingerprint will be different when privacy mode is activated. Go ahead, try it.

Rook  2010-05-19 11:21:02
Thanks for the interesting links. I had a go but all it does is change the fingerprint. If I've done my job right I'll not be able to tell if a visitor has come before with a different fingerprint and therefore be able to detect private browsing?
Steve  2010-05-19 21:36:15
@Steve Although I haven't done much digging, I suspect that there is a part of the fingerprint that is always abnormal when private browsing is enabled. But this is highly browser specific.
Rook  2010-05-19 21:41:56
A: 

http://crypto.stanford.edu/~collinj/research/incognito/ uses the CSS visited technique of the browser fingerprinters mentioned by other posters.

seems to be the best answer so far

Steve  2010-05-25 21:32:13

related questions

Autosizing Textarea
Regular expression for parsing links from a webpage?
What are good tools for creating compiled HTML help files (.chm)?
Looking for WYSIWYG HTML editor
Any reason not to start using the HTML 5 doctype?
HTML comments break down
HTML Comments Markup
Setting a div's height in HTML with CSS
Wrapping lists into columns
Is a "Confirm Email" input good practice when user changes email address?
<XMP> Tag
HTML version choice
Options for HTML scraping?
How do you disable browser Autocomplete on web form field / input tag?
How do I make a checkbox toggle from clicking on the text label as well?
Html CSS Editor
Wordpress theme development offline tools
How do I give my web sites an icon for iPhone?
In HTML, how to word-break on a dash?
Detecting font in JavaScript
How do you test layout design across multiple browsers/OSs?
How do I print an HTML document from a web service?
Multiple submit buttons on a HTML form
How can I determine a web user's time zone?
Why doesn't the percentage width child in absolutely positioned parent work in IE7?