Browser privacy modes aren’t really guaranteed to be private.
Unavoidably, browsers must temporarily store data from main memory in secondary processor caches, swap files squirrelled away in corners of the hard drives, and OS-managed DNS caches.
That’s a lot for a humble browser to keep track of, let alone delete with certainty at the end of the session, which means that forensic tools will often find traces if they know where to look.
To close this weakness, researchers at MIT and Harvard University have proposed that a completely new type of server – called Veil – takes over the privacy job instead.
One of the Veil team, Frank Wang, explained the current issue:
The fundamental problem is that [the browser] collects this information, and then the browser does its best effort to fix it.
But at the end of the day, no matter what the browser’s best effort is, it still collects it. We might as well not collect that information in the first place.
It’s a tall order but what they came up with is as inventive as it is unfamiliar.
The basic idea is that the browser accesses a web page through a special “blinding” server that re-compiles its content into an encrypted form that is decrypted using a symmetric AES key known only to the user.
From the user’s point of view, everything looks as it would on any other website even as behind the scenes the URLs, HTML, CSS, and JavaScript have been turned into abstract references cryptographically unlinkable to the pages from which they come.
No two versions of any page passed through Veil’s blinding will ever look the same, aided by content mutation (dynamically altering HTML, CSS and JavaScript), and heap walking (marking sensitive page content so that it is never swapped out to disk). Cached content that remains at the browser end becomes unreadable.
Where even higher privacy is desired, Veil offers a mode which turns the browser into a sort of “dumb terminal” through which all content is transmitted as simple bitmaps that are constantly overwritten.
Apart from superior privacy, the advantage of this setup is really that the user doesn’t need a special browser or plug-in to make it work – the only change is that they access sites through a blinding server address instead of a web URL.
The downside is that because developers must hook their websites to work with Veil, it can’t be used to browse any site, nor is it ever likely to be as fast or responsive as conventional web access.
Currently, Veil exists only in a prototype form, albeit one that its makers appear to have tested thoroughly to ensure the concept holds water.
Who would use something like Veil?
Its developers suggest whistleblowing websites, which have a strong need to preserve their visitor’s privacy. It can also be combined with anonymity networks like Tor.
If the idea of blinding servers catches on with publishers, the user base could in theory be as big as the user base for browser privacy modes – in other words, everyone at some point.
In 2009, Google’s then CEO Eric Schmidt was infamously quoted as saying:
If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.
But in today’s internet, where privacy can often appear to be crumbling under pressure from different forms of surveillance, this sentiment might find fewer supporters.
This gives Veil a chance of getting off the MIT drawing board and into real life.
Leave a Reply