ky331 • 3 Apprentice • 15.6K Posts • May 20th, 2010 07:00
I have not had time to read the entire article (a 19-page .pdf file, if you pursue through several links to get to it), and so I don't know how to react yet. But there's one thing I'd like to comment on now:
IE8's InPrivate Browsing feature "allows you to browse the web without recording a history in the browser [on the PC you're using]... This helps prevent anyone else who might be using your computer from seeing where you visited and what you looked at on the web." In other words, if you're at a public, shared, or work machine, and want to [try to] prevent people who later access that same machine [such as your work colleagues or boss(es), or even your family on a home PC] from finding a [local] record of what/where you've been surfing. But that would have no impact on information that was transferred over the web, if it's been recorded elsewhere.
ky331 • 3 Apprentice • 15.6K Posts • May 20th, 2010 11:00
Having now had the time to read the entire .pdf paper, I'm still not sure what to make of all this.
It would seem to say there's a high likelihood that any browser I'm using on a given machine has a "fingerprint"... so that, with the proper detection algorithm, someone can match my fingerprint at site B as having come from the same browser/PC combination that previously had visited site A.
To me, however, the more sensitive/important question is just how much information about ME can be revealed/obtained in this manner? I mean, it's one thing to say that browser fingerprinting can reveal which particular fonts I have installed on my PC... I believe such information is completely harmless, and so I am not at all worried about it. What I WOULD be concerned about... which I don't believe the article explicitly addressed... would be if browser fingerprinting could reveal things like my real name, address, and/or phone number, my credit card or banking information, my online purchases, or anything that I've entered/transacted at a secure website. I am hoping that such information is NOT accessible via browser fingerprinting.
The question of "guilt by association" is more tenuous. If I logged-in to site B, revealing some personal information there, then someone at site B, if they use fingerprinting, could then trace ME back to site A via the fingerprint. However, if site B is secure (and its employees honest), hopefully that would prevent my personal information there from getting out to anyone else... meaning no one else could associate me personally to site A.
The bottom line still being, I'm very unsure what to make of all this... what are they REALLY talking about? And how much of a real/practical concern should it be to me?
---------------------------------------
I think we also need to clarify precisely what we (or they) mean by browser "privacy".
As I noted above, IE8's InPrivate Browsing was intended to keep other users on the same physical PC from "finding" whatever you had surfed/visited on it previously. I don't see that as in any way implying it would protect your "identity" or any information you transfer OUT of your browser into the realm of cyberspace.
Joe mentioned sandboxing. Let me preface this comment by saying I know next to nothing about sandboxing. What I THOUGHT it did was provide a protective "virtual" environment so that, if one accidentally downloaded a virus [or any type of malware] there, it would be "trapped" within the confines of the sandbox, meaning the sandbox could protect your "real" machine from getting infected. A secondary usage, perhaps comparable to IE8's InPrivate Browsing, would be to purge the sandbox's contents when you were done "playing" in it... "destroying" any local record of what you had done there. But again, anything you transmitted over the internet, even from a sandbox, would nonetheless be "floating" in cyberspace.
So if, as I think Joe was trying to get to, you are concerned about what's available in cyberspace, then something like "AnonyMouse" [which I don't believe I've ever used, nor am I familiar with it] would certainly seem to be a preferable "tool"/vehicle through which to [try to] obtain such anonymity.
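Added example, not part of the thread or of the paper it discusses: a sketch of the matching described in the post above, where two sites that share no cookie link visits through the same browser attributes. The visit records, attribute names and population shares are constructed for illustration, and FNV-1a is a stand-in for whatever hash a real collector would use.

```javascript
// Constructed records: what two unrelated sites could log for one visit each.
// Neither holds a cookie, a name, or anything typed into a form.
const visitA = { site: "site-a.example", cookie: null, attrs: {
  userAgent: "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)",
  timezone: "UTC-05:00",
  screen: "1280x1024x32",
  fonts: ["Arial", "Calibri", "Gill Sans MT", "Lucida Console"] } };

// Same browser later, at another site, after history and cookies were cleared.
// Key order and font order differ, as they might between two collectors.
const visitB = { site: "site-b.example", cookie: null, attrs: {
  fonts: ["Lucida Console", "Arial", "Gill Sans MT", "Calibri"],
  screen: "1280x1024x32",
  timezone: "UTC-05:00",
  userAgent: "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)" } };

// A different machine: identical except for one extra installed font.
const visitC = { site: "site-b.example", cookie: null, attrs: {
  ...visitA.attrs, fonts: [...visitA.attrs.fonts, "Wingdings 3"] } };

// Constructed shares of browsers reporting each value (not measured data).
const share = { userAgent: 1 / 1024, timezone: 1 / 8, screen: 1 / 16, fonts: 1 / 8192 };

// Order-independent serialisation, so the same configuration always
// produces the same string.
function canonical(attrs) {
  return JSON.stringify(Object.keys(attrs).sort().map((k) =>
    [k, Array.isArray(attrs[k]) ? [...attrs[k]].sort() : attrs[k]]));
}

// 32-bit FNV-1a, a small non-cryptographic hash used here as a stand-in.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

function fingerprint(attrs) { return fnv1a(canonical(attrs)); }

// Two visits are linked when their fingerprints match; no cookie is consulted.
function sameBrowser(v1, v2) { return fingerprint(v1.attrs) === fingerprint(v2.attrs); }

// Bits of identifying information: sum of -log2(share) per attribute,
// assuming the attributes are independent (a simplification).
function identifyingBits(attrs, shares) {
  return Object.keys(attrs).reduce((bits, k) => bits - Math.log2(shares[k]), 0);
}

console.log(sameBrowser(visitA, visitB), sameBrowser(visitA, visitC),
  identifyingBits(visitA.attrs, share));
```

The matched record holds configuration values only. With the constructed shares the four attributes add up to about 30 bits, roughly one browser in 2^30 under the independence assumption.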
ky331 • 3 Apprentice • 15.6K Posts • May 20th, 2010 11:00
Dale wrote: "I decided to stick with IE7 on this computer with Vista...didn't see any improvement on my other one with IE8".
Many of IE8's new/improved features might not be obvious... but they are certainly there.
IE7 has a Phishing Filter. IE8 extends this to a SmartScreen Filter, which (in addition to blocking some phishing) also blocks some malware/bad sites and downloads.
IE8 also offers Domain HighLighting, Data Execution Prevention, Automatic Crash Recovery, InPrivate Browsing, a Cross-Site Scripting Filter, and Click-Jacking prevention... for details on these (and more), see http://www.microsoft.com/windows/internet-explorer/features/safer.aspx
or for even more detail, you could open (or save) the "white paper" http://download.microsoft.com/download/A/6/7/A67974CC-84E7-4F62-B09E-5C575E1E7A3C/A%20Safer%20Online%20Experience%20FINAL.PDF
By virtue of all these security improvements, I see no reason why anyone should be sticking to IE7 at this point!
(Anyone still using Win98 or WinME is unfortunately "stuck" with IE6.)
dalem29 • 2 Intern • 2.2K Posts • May 20th, 2010 11:00
The test shows a lot of configurations of all types, but don't remember seeing my IP address or the routing to it. I decided to stick with IE7 on this computer with Vista...didn't see any improvement on my other one with IE8. At any rate, the browser timed out and had to be "restarted" after about 30 seconds. Tried this three times with the same result. It also does when I awaken the computer from sleep, not sure why this happens.
But I never would expect privacy while computing on the Internet any more than I would expect it outside my home, what with all kinds of cameras being everywhere in this day and age.
joe53 • 2 Intern • 5.8K Posts • May 20th, 2010 21:00
ky:
I too don't know the implications of that paper (and I'm impressed you read it- I found most of it incomprehensible). I don't obsess or worry much about tracking cookies, but all things being equal I'm just as glad to find ways to defeat them.
So I was surprised to hear about Browser Fingerprinting, which as far as I can tell is just another way for 3rd parties to track your surfing. I'm not losing any sleep over it, and posted just as an FYI for those that worry over such things. (Who knows- they might be right?)
I agree with Dale - there is no expectation to privacy on the internet. I consider everything I post, email, IM or PM as a postcard for all to read, and govern what I transmit accordingly.
I dabbled with Anonymouse a while back, and found it interfered with website content a bit too much for my taste, considering I generally visit only trusted websites. Your take on Sandboxing seems correct, and I seldom use it for the same reason (except for searches).
And of course I agree with your opinion of IE8.
ky331 • 3 Apprentice • 15.6K Posts • May 21st, 2010 06:00
"that paper (and I'm impressed you read it- I found most of it incomprehensible)".
I said I "read" through it... but never claimed I actually understood it ;-)
I simply glanced over the formulas there, without even attempting to understand the mathematics... I was just trying to get the gist of what they were implying by the term "browser fingerprinting".
joe53 • 2 Intern • 5.8K Posts • May 21st, 2010 20:00
More interesting info of relevance to the topic:
Most browsers silently expose intimate viewing habits
Zip codes, news articles, free for the taking
By Dan Goodin in San Francisco
20th May 2010 23:26 GMT
"The vast majority of people browsing the web are vulnerable to attacks that expose detailed information about their viewing habits, including news articles they've read and the Zip Codes they've entered into online forms.
According to results collected from more than 271,000 visits to a site called What the internet knows about you, 76 percent of users exposed their browser histories, with the proportion of those using Apple's Safari and Google Chrome browsers even higher."
Full read: http://www.theregister.co.uk/2010/05/20/browser_history_attack/
Read this brief article, then go to this website it links to: http://whattheinternetknowsaboutyou.com/
Test for yourself among the various categories listed in the left-hand column, to see how much of your browsing history is detected.
My tests there, using IE8, only found one site that I had recently visited: Sunbelt's blog (not surprising, as I had just used a link from there to find this article and test site, in the same browser session). This despite the fact that I have 9 sites listed in my browsing history in the last 24 hours, including popular news sites. I do not delete my browser history on exit, but do limit it to a 24 hour period.
I must be doing something right ...
ky331 • 3 Apprentice • 15.6K Posts • May 21st, 2010 22:00
I tried the site/test Joe suggested...
Let me preface these comments by saying that I do NOT generally clear my browser history --- unless I'm on a shared PC, which is rare.
In terms of sites I've visited recently, it found several innocent-enough things such as Yahoo!, FaceBook, Microsoft, SpeedTest, PC PitStop, Gizmo's Freeware, and Defensio. It also listed a site from which someone might have been able to conjecture about my approximate "regional" location... but then again, it could equally have represented a location I was contemplating visiting as a tourist. It did NOT find anything "damaging" (e.g., pornography), but I can certainly understand how embarrassing that could be for some people.
It did NOT find any zipcode references.
As for more sensitive sites, it DID find two of my credit card companies and one of my insurance companies. For two of these three, links were simply to their homepages --- meaning that it was unclear whether I was actually a client of these, or simply "checking out" these companies. However for the third, there were links showing a logon/logoff there, from which one might conclude that I was actually a client of that company [but so far as I could tell, no information to reveal specific details of my relationship/account with that firm].
Perhaps a little more than I was aware was available... but again [so far], none of the specifics I cited above that could personally identify me, "like my real name, address, and/or phone number, [specifics about] my credit card or banking information, my online purchases, or anything that I've entered/transacted at a secure website".