"Private Browsing" in web browsers

[S&WForty]

If someone uses IE or Firefox's private browsing option for all online banking/bill-pay website sites, can a computer savvy thief still hack into those sites somehow, or does the private browsing really leave no trail on the PC? I just reloaded my O/S on my old laptop. I wondered if it would be worthwhile to surf those type of sites with that feature enabled.

[Oh Shoot]

No expert here, but my take is that private browsing ain't all that. It's mainly helpful to hide porn activity from one's somewhat 'puter savvy parents or spouse.

Though it's implemented a bit differently in different browsers, the main thing it does is negate cache on your own puter, and disallows storage of many cookies, but not necessarily all. Like most things in 'putering, it's a constant battle between browser developers and online programming.

It does NOT hide your IP, however. It also has zero added security for online transactions.

IP anonymizers will, but also have zero affect on transaction security.

Your best and simplest hack security is still a hardware firewall (router), assuming you activate security protection/encryption on it, change default username/password and etc.

- OS

Edited December 4, 2012 by Oh Shoot

[monkeylizard]

What OS said.

It varies by browser, but Private Browsing (aka Porn Mode) usually means that the history of that browsing session is not stored in the browser's history files, passwords are not stored, and most cookies are not retained. The router used to connect to the internet will still have a site history, but probably wouldn't have anything like IDs or passwords.

If you mean could a hacker obtain your login information from your PC if you used Private Browsing, that depends on a few things. It certainly makes it harder. Your browser may be setup to store your passwords for you. If so, those are in the browser's files and are often used even when in Private Browsing so that it can help you login faster.

Communications between your browser and a website are generally unencrypted. Anyone able to intercept or listen in on that communication would be able to see what's being passed back and forth, including an ID and password. That's where HTTPS comes in. Instead of a URL beginnnig with http:\\ it will begin with https:\\ . The "S" mmeans "Secure". Most browsers also have a padlock icon that will appear somewhere, like at the end of the address bar or down in the bottom right corner of the browser if https: is in use. Some also color-code the address bar to green.

Using http: vs https: can vary across a site as you move from page to page. A main landing page for a site may be unencrypted http: but when you click the "Login" button you are taken to an https: encrypted page. What you don't see is that the main page may very well have an https: option, it just isn't the default option.

There are plugins for most browsers (IE, Chrome, Firefox) that will automatically attempt to make all connections using https: and then default back to http: if the page doesn't support https:

[Sam1]

Truncated version of what they said:

Yes

[Chucktshoes]

[quote name='Oh Shoot' timestamp='1354650842' post='854855']It's mainly helpful to hide porn activity from one's somewhat 'puter savvy parents or spouse.

- OS[/quote]
True story.

[S&WForty]

Thanks for the replies. My only concern is if a thief got my laptop, what identity-theft type stuff could they pull from the browsers.

[BryanP]

Get a PortableApps install. I run one from a USB key, but there's no reason it can't be run from the hard drive directly. Encrypt the entire PortableApps folder with TrueCrypt. Run Firefox or Chrome from PortableApps. Unless someone gets your TrueCrypt password they will not be able to access that browser at all.

For the truly paranoid, or those who can't keep a PC from getting infected due to carelessness, idiocy, or the actions of family who have access to the PC, I recommend picking up a cheap PC (desktop or laptop as preferred) and doing all online banking and similar activities from a read-only Linux LiveDVD session. You can skip the extra PC if you don't mind booting your existing PC from the LiveDVD. Edited December 5, 2012 by BryanP

[S&WForty]

That's cool! My dad could use that LiveDVD option as nasty as his PC gets from my step mother and sister's surfing. I have to reload the O/S about once a year for him. They clog it up with crap that bad.

[Oh Shoot]

[quote name='S&WForty' timestamp='1354675511' post='855064']
Thanks for the replies. My only concern is if a thief got my laptop, what identity-theft type stuff could they pull from the browsers.
[/quote]

Well, if you're only worried about the browser parts, you can run without caching or clear cache and cookies after each session. Or can use any number of freebie programs to make a macro that will do those things with one click and even shut down puter afterwards it you want.

Of course running without cache and cookies don't make for the most pleasurable or convenient web experience, depending on what all you normally do.

Motherboard password is pretty easily hacked by anyone sophisticated enough to know how to search for hidden stuff in the first place, but should stop your average thief from snooping who only wants to resell the puter itself for some toot or whatever.

There are encryption programs that will let you run everything encrypted, but haven't kept up with that branch of the industry. Haven't even kept up with the various encryption methods allowed by some operating systems.


- OS Edited December 5, 2012 by Oh Shoot

[Guest Grubbah]

[quote name='S&WForty' timestamp='1354675511' post='855064']
Thanks for the replies. My only concern is if a thief got my laptop, what identity-theft type stuff could they pull from the browsers.
[/quote]

If you're worried about theft of your laptop ( and rightfully so ) what I suggest is to use something like truecrypt to encrypt the hard drive. That will make it virtually impossible for anybody to get the data off your drive. You'll be prompted for a password at bootup and without that password you cant get into anything.

[S&WForty]

[quote name='Grubbah' timestamp='1354716740' post='855213']

If you're worried about theft of your laptop ( and rightfully so ) what I suggest is to use something like truecrypt to encrypt the hard drive. That will make it virtually impossible for anybody to get the data off your drive. You'll be prompted for a password at bootup and without that password you cant get into anything.[/quote]

Does that software slow a machine down very much? Can you pick and choose what file types are encrypted? Or by file location?

[Jonnin]

Encryption is, in general, too much trouble to break. Its not going to slow you down much for daily type tasks, but it will give you a big performance hit on any "real" (not solitaire, but 3-d serious stuff) games. We have a cartoon up at work that compares "what you hear" vs "what happens" and it basically in frame 1 says you think they will spend 1billion on a supercomputer to break in, and frame 2 they buy a $10 wrench and beat the password out of you.

Private browsing just blocks some of the most basic aggravations --- cookies and tracking that is legit, well known, and used to profile you for advertising. It does not block anythiing serious.

Secure websites such as banks do not keep your login data on the PC and the browser also will not retain it. Its pretty much gone after you close the browser session.

Most PC crooks are looking for the billions of computer illiterate folks that have no clue how to protect their info. These people are easy targets and cybercrooks are smart enough to skip the few that put up even modest defenses in favor of racking up money from the defenseless. Keyloggers are one of the top ways to get taken --- its a lot easier to read it as you type it than try to decrypt it. And that is not stopped by an encrypted drive or anything either, its sent on back to the crook within a day or so of you having typed it.

[Guest Wildogre]

In my opinion if you keep your OS, updated, use a good anti virus program, and strong passwords you should be fine. I could be wrong but I think most of the problems with identity theft are not from someone breaking in to your machine but from someone breaking in to the company that you are doing business with.

Look at the cost benefit ratio. The time it takes for one person to break in and get one persons information verses the time it takes to get 1.5 million peoples information. Where are you likely to get more money for your time?

Now if you are a famous or rich person that could all change.

The phrase “Hang with stupid people, go stupid places, do stupid things, win stupid prizes” works with computers too.

If you do not go to the “bad part” of town, do most of your shopping during daylight, and have good situational awareness then the odds of being a victim are low.

So if you stay away from peer to peer sites in Russia, do not answer emails from bankers in Nigeria, and type in the URL for your bank rather than clicking on a link you should be ok.

I also use paypal for my online shopping (whenever possible) it just adds another layer of security.

[Guest Grubbah]

[quote name='S&WForty' timestamp='1354718523' post='855220']
Does that software slow a machine down very much? Can you pick and choose what file types are encrypted? Or by file location?
[/quote]

The way we use truecrypt is to do whole drive encryption. Everything is encrypted, so even if someone stole your laptop and pulled the drive out, they couldnt retrieve any information without breaking your encryption password first. We have used several different apps for drive encryption for our laptops, and some have had big performance hits. We have not experienced any notable performance hits with Truecrypt however.

[Steelharp]

If you use Avast antivirus, it has a "sandbox" option that you can open your browser in. It literally keeps everything in that "sandbox," and when you close the browser, everything is gone. Never goes to your drive.

[Guest Lester Weevils]

Have for quite awhile been in the habit net browsing in "paranoia mode" with just about every modern convenience feature disabled. Type in passwords every time. Browser asks for permission to run javascript, etc. Also full-disk virus scans daily, all real-time protections turned on, etc. And then one day was just cruising typical old right-wing-nutcase news sites on the Win 7 PC, and a nasty virus just waltzed right in from the internet and took up shop, easy-peasy. Spent days working to purge whatever the drive-by virus had done in a couple of minutes. With such as keyloggers, you never know for dam sure if all traces are gone, because they are so easy to hide and can lurk so well. You don't know fer sure you ever had one, so you don't know fer sure you got rid of a keylogger that may or may not have got installed. The man who wasn't there, living under the stair.

Had been in the habit for years, all financial data and work is restricted to one laptop mac. That dedicated machine is turned off most of the time, and the only browsing it does is to banking sites and automatic system updates. WIFI turned off. I only connect the ethernet cable if I want to do online financial, and after the task I unplug the ethernet cable. The strategy is to keep a very low profile that would have low probability of getting "pounced on" by an online hacker.

But that virus-takeover of the PC earlier this year-- It is a programming puter, and it is labor-intensive to install the programming tools house-of-cards "just right" from scratch. So it was a mistake to recreational browse on that machine because it would be such a PITA in case it had to be reinstalled from scratch.

So I only recreational browse any more on an android pad and my Mac Pro. If a hacker gets to the android pad it will be easy to reset to factory condition. I swore off programming mac and so if a hacker takes over that one it won't be painful to wipe it and reinstall from backup. And reinstall from backup is less painful on Mac.

One "weakness" that was in my Win 7 dev puter-- With Vista and Win 7, I despise user account control. It makes many operations slow and annoying, and occasionally breaks operations so you have to turn off UAC, do the operation, then turn it back on. So I routinely run with UAC disabled. Had all the virus scanning and such enabled, practiced safe browsing with primitive feature set, etc. The only "hole" was disabled UAC. I knew all along that UAC is a security feature, but didn't fully appreciate that. Apparently UAC is a PITA for malware as well. I'm not "for dam sure certain" that I've wiped every shred of that virus that got me, but with UAC enabled I can't detect any symptoms of any lurking shreds that might remain. So until I get a new puter sometime and have to reinstall from scratch because there's no other choice, have to run the thing with UAC turned on.

So if I'd just avoided doing recreational online work on the mission-critical machine, things would have been fine with UAC disabled. Swore off browsing on a programming puter.

[analog_kidd]

I use VMware Player to run a virtual Windows 7 machine on my computer. I installed the O/S and all updates and an antivirus on the VM. Other than that, it is a plain install. Then I set the virtual disk to be non-persistent. What this does is when I power off the VM, any changes that happened on the drive are completely forgotten and erased. It rolls back to just like the day I first set it up.

I use this VM to browse websites, especially ones I don't trust. Also use it to test out freeware that I may download from the net. Then if anything gets onto the VM, I just power it down and restart it and it's like it never happened.

[S&WForty]

I appreciate all of the replies this thread got. It's been good reading and learning.

[Jesse]

I dont have to hide my porn fron my wife. She is cool with it. Sometimes watches it with me.