Detecting Private Browsing mode: 2019 edition - browser

It used to be the case, as described in this answer from five years ago, that web sites could not reliably tell whether a client's browser was in Incognito Mode. However, in the past few months, I've started encountering sites which are able to throw up a banner that says, "hey, you're in Private Browsing mode, so we won't show you any content."
I have two questions, which are opposite sides of the same coin:
As a web developer in 2019, how would I construct a reliable check for a user's Private Browsing status?
As a privacy-conscious web user in 2019, who might like to keep the meta-information of his privacy-consciousness private as well, how could I reliably generate a first-time-visitor experience from a site that is desperate to track me?
In pre-Incognito days I would have accomplished #2 by using a "clean profile" to visit a site that I didn't want to follow me around. User profiles are apparently still in Firefox, though I suspect they probably don't protect against browser fingerprinting. But I'm not sure whether that is a good summary of my threat model --- my interest is mostly in opting out of the advertisement-driven data-mining ecosystem, without being treated differently for doing so.
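The banners described in the question were built on storage probes. The following is an added example, not code from the question or from any of the answers: it reproduces the 2019-style heuristic (probe storage APIs that private modes historically disabled or capped, then vote) with the decision logic separated from the probes so it can be tested without a browser. The browser behaviours named in the comments are assumptions about 2019-era builds; the 120 MB quota threshold is likewise an assumption taken from what sites commonly used, not a documented limit.

```javascript
// Added example: heuristic private-mode detection of the kind sites deployed
// in 2019. Not code from the original question or answers. Browser behaviours
// in the comments describe historical versions (an assumption about 2019-era
// builds); later releases closed most of these gaps, which is why such checks
// are unreliable.

// Each probe resolves to:  true  -> storage behaves like a normal profile
//                          false -> storage fails the way private modes did
//                          null  -> API absent here, so no signal either way
function probeFileSystem() {
  return new Promise((resolve) => {
    const w = typeof window !== 'undefined' ? window : null;
    if (!w || typeof w.webkitRequestFileSystem !== 'function') return resolve(null);
    // Chrome before 76 refused to create a temporary filesystem in incognito.
    w.webkitRequestFileSystem(w.TEMPORARY, 100, () => resolve(true), () => resolve(false));
  });
}

function probeIndexedDB() {
  return new Promise((resolve) => {
    if (typeof indexedDB === 'undefined') return resolve(null);
    // Firefox private windows rejected indexedDB.open() for years.
    const req = indexedDB.open('pm-probe');
    req.onsuccess = () => { req.result.close(); resolve(true); };
    req.onerror = () => resolve(false);
  });
}

function probeLocalStorage() {
  let store = null;
  try { store = typeof localStorage === 'undefined' ? null : localStorage; } catch (e) { store = null; }
  if (!store) return Promise.resolve(null);
  try {
    // Old Safari threw QuotaExceededError on any write in private mode.
    store.setItem('pm-probe', '1');
    store.removeItem('pm-probe');
    return Promise.resolve(true);
  } catch (e) {
    return Promise.resolve(false);
  }
}

async function probeQuota() {
  const nav = typeof navigator !== 'undefined' ? navigator : null;
  if (!nav || !nav.storage || typeof nav.storage.estimate !== 'function') return null;
  // Chrome 76+ incognito reported a much smaller quota than a normal profile.
  // The 120 MB cut-off is an assumption (the value sites commonly used).
  const { quota } = await nav.storage.estimate();
  return quota >= 120 * 1024 * 1024;
}

const DEFAULT_PROBES = {
  filesystem: probeFileSystem,
  indexeddb: probeIndexedDB,
  localstorage: probeLocalStorage,
  quota: probeQuota,
};

// Pure decision logic, kept apart from the probes so it can be unit tested:
// any probe that fails the way private modes fail counts as a positive.
function classify(results) {
  let signals = 0;
  let privateVotes = 0;
  for (const value of Object.values(results)) {
    if (value === null || value === undefined) continue;
    signals += 1;
    if (value === false) privateVotes += 1;
  }
  if (signals === 0) return 'unknown';
  return privateVotes > 0 ? 'private' : 'normal';
}

async function detectPrivateMode(probes = DEFAULT_PROBES) {
  const entries = await Promise.all(
    Object.entries(probes).map(async ([name, probe]) => {
      try {
        return [name, await probe()];
      } catch (e) {
        return [name, null]; // a throwing probe gives no signal
      }
    })
  );
  return classify(Object.fromEntries(entries));
}
```

Outside a browser every probe returns null and `detectPrivateMode()` resolves to `'unknown'`; in a browser the verdict flips on a single failing probe, which is why a normal profile with storage disabled, or a hardened configuration, gets misclassified as private. From the user's side that is the useful lesson: the signal these sites read is "storage behaves oddly", so a clean profile with ordinary storage looks like a first-time visitor where a private window does not.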

I'll leave the main question to others who know how each browser's Private mode may differ from default. I do use Private modes extensively, but when I encounter a page that won't work, I simply use a clean non-private window, then clear all cookies and other stored state again afterwards.
You also mention fingerprinting, which is more insidious. Often it's based on collection by a client-side script, which is detectable but only somewhat defendable in practice. But server-detectable characteristics can also provide a good enough correlation for cross-site, even cross-device correlation.
Fingerprinting is very difficult to thwart, but I recommend using Tor for as much casual browsing as practical, using multiple browsers with your activity partitioned across them in a disciplined way, using a common browser with the best fingerprinting protections or at least using the most common browser config for your platform(s), keeping your browsers updated and never installing Java or Flash, changing your IP address(es) often, changing your window size often, and clearing all cookies and other stored state often. Use a common platform (machine + display size + OS) if possible. Loading your browser up with privacy extensions is quite likely to make you look more unique. There are also a few resources out there that list fingerprinting servers / domains, and you can block those in your machine, DNS, router, or wherever practical.
Keep in mind that Panopticlick and sites like it suffer from selection bias, and also combine all platforms, obscuring how unique your browser is compared to other browsers on the same platform (it's hard to change your platform, but at least you can try to make your browser look more like others used on your platform).

Related

Why do browsers still spoof user agents?

I know that browsers originally spoofed user agents in order to allow for feature detection. But I am wondering why they still do so. I don't think user agent spoofing has a place in the modern era of standards compliance; what is basically a browser nirvana for web developers compared to the situation during the infancy of the web.
Someone will probably say that it's for backwards compatibility for all the old code out there. Is that the only reason? After all this time I think browser vendors would be looking beyond those sites with old code. Is this being worked on, or are these user agents just forgotten relics from tougher times for browsers?
Additionally, most feature detection these days seems to be done with JavaScript, which makes part of the feature detection use case for a user agent irrelevant.
Because nowadays we have multiple possible user agents like iPhone 5s, Galaxy S III, iPad 2 and so on. Because of that it is sometimes necessary to handle the site's features in different ways according to specific rules, for example.
Think of a scenario where the user requirements look like this:
The site should be able to chat with the customer only on tablets.
On mobile it should not be able to, because it is smaller.
Thus, because we have multiple devices, we sometimes have to handle them in different ways to give the user a great experience.
I'm not aware that they do. Some smaller browsers' user agents might not be recognized by a server, so they announce themselves as one of the major ones so they don't get ignored or treated as malicious, but otherwise you are right; there is no need to do so and the major ones don't.

How Big a Security Risk are Browser Extensions?

One of the more powerful features of modern day browsers is the ability for software developers to write browser extensions to enhance, modify and tweak the pages visited by the user. As more of our lives migrate onto the browser, aren't we potentially exposing ourselves to massive privacy and security holes created by the installation of a browser extension that is malicious in nature?
I realize the source code of these extensions is extractable and readable if the author has not made attempts to obfuscate the behavior. But the effectiveness of this type of review is compromised by the browser encouraging users to keep their extensions up to date. While version 1.0 of an extension may be innocuous, a user's browser may suggest an upgrade to version 1.1 which could contain malicious code which could be used to scrape information from the screen of the compromised browser.
As both a user and developer of browser extensions, is the developer's reputation the only thing in place to provide assurances to their users that their browsing activity will be secure? Are there any mechanisms in place to help protect users from a compromised browser extension?
Are there any best-practices to develop extensions in a manner that provides users with the assurance that the code they install and update is benign in nature?
Browser extensions can do almost anything user can do. They can send your bank passwords, read files on local disk, execute commands etc. Security of a browser depends not only on browser itself, but also on all installed extensions.
I've written a few extensions for Chrome recently, and I had no idea how much harm extensions could really do before that.
Extensions ask for permissions, but these are very broad. Any non-trivial extension would most likely end up asking for "Full Permission", and most users would just bang the "YES" button. Even a tech savvy user may shrug this off as legitimate, I know I have.
Most extensions are free. It costs time and money to code them up, so how are developers getting their investment back? Some do it for fun, but the Chrome Web Store specifically asks if you are planning to inject ads - I can only deduce that this is a common practice for extension developers. Extensions could also act as tracking cookies, and sell usage stats to whomever.
It's near trivial to write an extension that would glob up your passwords and send them on to a third party. Even if these passwords are 'saved'. One of my extensions had a legitimate use case to modify all input fields on all pages, and I found out that chrome would just happily paste-in stored passwords in plain text. Same goes for CC information.
Many extensions include analytics packages, to help developers identify who their users are, which parts of the app is used and so forth. I think that this is a legitimate use case, but you may not necessarily agree.
If you are a developer, be advised that Chrome extensions could significantly impact page load times. My own extension, which I tirelessly optimized to be as lightweight as possible, caused all pages to have an additional 50-200ms load time.
So after I've seen what's possible, I've disabled all extensions in Chrome except for my own. I really only miss AdBlock.
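The "Full Permission" problem in the answer above is visible in the manifest before the extension is ever installed. The following is an added example, not code from the answer or from any real extension: a small audit over a Chrome extension manifest (MV2 and MV3 keys) that flags host patterns covering every site and the API permissions that allow what the answer describes (reading tabs, cookies, traffic, clipboard). The two sample manifests and the risk table are constructed for this example; the grouping of what counts as high risk is this example's own judgement, not a Chrome classification.

```javascript
// Added example: manifest permission audit. Not code from the original answer
// or from any real extension. Sample manifests below are constructed.

// API permissions that let an extension read or alter arbitrary page content,
// traffic or sessions. This grouping is the example's own judgement.
const HIGH_RISK_PERMISSIONS = new Map([
  ['webRequest', 'can observe every request the browser makes'],
  ['webRequestBlocking', 'can modify or block every request (MV2)'],
  ['cookies', 'can read session cookies for granted hosts'],
  ['tabs', 'can read the URL and title of every open tab'],
  ['history', 'can read the full browsing history'],
  ['nativeMessaging', 'can talk to a native helper process outside the sandbox'],
  ['debugger', 'can attach the DevTools protocol to any page'],
  ['clipboardRead', 'can read the clipboard'],
  ['scripting', 'can inject scripts into granted hosts'],
]);

// A host pattern is "every site" if it is <all_urls> or its host part is a
// bare '*' (e.g. *://*/*, http://*/*). *://*.example.com/* is not broad.
function isBroadHostPattern(pattern) {
  if (pattern === '<all_urls>') return true;
  return /^(\*|https?|file|ftp):\/\/\*\//.test(pattern);
}

// MV2 mixes host patterns into "permissions"; MV3 moves them to
// "host_permissions"; content scripts carry their own "matches".
function collectHostPatterns(manifest) {
  const patterns = [];
  for (const p of manifest.permissions || []) {
    if (p === '<all_urls>' || p.includes('://')) patterns.push(p);
  }
  patterns.push(...(manifest.host_permissions || []));
  for (const cs of manifest.content_scripts || []) {
    patterns.push(...(cs.matches || []));
  }
  return patterns;
}

// Returns one finding per risky API permission and per distinct broad host
// pattern, so the length of the result is a rough "blast radius" score.
function auditManifest(manifest) {
  const findings = [];
  for (const perm of manifest.permissions || []) {
    if (HIGH_RISK_PERMISSIONS.has(perm)) {
      findings.push({ kind: 'permission', value: perm, why: HIGH_RISK_PERMISSIONS.get(perm) });
    }
  }
  const seen = new Set();
  for (const pattern of collectHostPatterns(manifest)) {
    if (seen.has(pattern)) continue;
    seen.add(pattern);
    if (isBroadHostPattern(pattern)) {
      findings.push({ kind: 'host', value: pattern, why: 'runs on every site the user visits' });
    }
  }
  return findings;
}

// Constructed sample: a notes extension that asks for far more than it needs.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'Sample Notes (constructed)',
  permissions: ['storage', 'tabs', 'cookies', 'scripting'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['content.js'] }],
};

// Least-privilege counterpart: same feature, scoped to one (assumed) origin
// and without any session-level permissions.
const SCOPED_MANIFEST = {
  manifest_version: 3,
  name: 'Sample Notes (constructed)',
  permissions: ['storage'],
  host_permissions: ['https://notes.example/*'],
  content_scripts: [{ matches: ['https://notes.example/*'], js: ['content.js'] }],
};
```

Run against `SAMPLE_MANIFEST` the audit returns five findings (three API permissions, two all-sites host patterns); against `SCOPED_MANIFEST` it returns none. The point for the update problem raised in the question is that host scope and permissions are declared, so a diff of the manifest between version 1.0 and 1.1 is cheap to review even when the script bodies are obfuscated.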
Internet Explorer Browser Helper Objects are extremely unsafe. They basically allow the browser to run native code, which could be anything. I'm not sure if they're still as pervasive now as they were in years past, but they're one of the reasons why Internet Explorer is so much less secure than Firefox and other browsers.
Mozilla style plug-ins using XUL and Microsoft's Silverlight plug-ins are sandboxed to try and prevent malicious behavior. Ultimately it rests on the developer's reputation for any kind of software to be deemed trustworthy by its users, however. Even in cases where the developer is not trying to write malware, bugs in the program may expose security exploits.
Which is why you have multiple machines, and if you can't afford a new one, use a virtual machine to run most of the stuff and monitor its behavior. It's what I do at least before I do anything.

How To Distract Clients From Using IE6

How can we distract our clients from using IE6? We know IE6 is not a good standards-compliant browser; it has many issues. How do we satisfy clients so that they do not use IE6?
Thanks...
I'm currently in the process of building a new site for my company and I've been looking at http://code.google.com/p/ie6-upgrade-warning/.
Essentially it's a little JavaScript lib that checks to see if the user is running IE6 and if so it displays a nice little overlay on top of your site. The only problem I've got with it is that it completely blocks the user from using your site. I'd like to allow them to use it anyway but I'd like them to know that their experience may not be as good as it could be. I'm sure it can be adapted though; you should never exclude people from using your site based on their user agent. That being said I think it's a good tradeoff that you try to get your users to upgrade and if they don't want to they can still use your site but they probably won't see all of the fancy-pants browser tricks that you can do with modern browsers.
It sure looks nice anyway
Other resources include http://ie6update.com/ (not a fan though, you shouldn't trick users)
Update: Seems like someone made a bit more customizable version of this written in jQuery. See jreject.turnwheel.com
One of the reasons this problem exists is as follows.
Many IE6 users have no choice. They sit behind corporate firewalls with locked down machines and while on their home machines they will have the latest technology, they are constrained by the workplace rules and policies.
So why do the corporates not upgrade from IE6 to 7 or 8? Well here is one reason. Workload.
As a sysop you need to upgrade 500 machines to the new browser.
In many cases these browsers run mission critical add-ins as ActiveX controls etc., so to do the upgrade you have to do all the testing and verification and then do a planned roll out upgrade, which will have problems, hiccups and glitches, a lot of work and late nights and unpaid overtime and a lot of flak from the users as you do this.
And what is the payback for this upgrade? Well the internal systems work on IE8 exactly as they worked on IE6, (well not always and you may need to rewrite that as well) but the users can now access the latest startup site that plugs into Facebook (but will be gone in 6 months) perfectly but it is not work related.
So unless there is a tangible business benefit many shops simply cannot see a reason, or justify the cost, of a browser upgrade.
These locations will convert, when they go to Windows 7 perhaps or because the "application" they use internally is upgraded and needs the newer browser version. But at this point there is a justification for doing it.
N.B. I have recently worked in two jobs where IE6 compatibility was a must for this reason, large client bases, behind firewalls with lockdown, and I am not stating the above as a reason/excuse not to do it. The sooner the better.
Provided they have the proper permissions to install software on their machines, use Chrome Frame. The speed boost, if nothing else, should be incentive alone.
"The customer is always right."
You can advise them otherwise, but if they want IE6 for whatever reason then it's up to them.
The best way is by educating them, make them aware of why you are blocking IE6. Do a comparison, case study, etc to convince them, try and put it in terms they may understand, try to convince them that using IE6 is a bad idea (whatever your reasons).
It's simple to implement a script to prevent IE browsers from connecting to your site, however doing that may result in users being turned away. If this is a public site take into consideration the market share Internet Explorer has; unless your site is really incredible it is unlikely you will get a user to install a new browser.
To get around this in the past I used a simple splash page that informs them of the reasons not to use IE6. Example:
You are currently using Internet Explorer. While you may continue to browse this site using IE, please be aware that some functionality may not be available due to compliance standards within Internet Explorer, and due to this we do not support issues that arise when using Internet Explorer. We recommend using Google Chrome (Download here) or Mozilla Firefox (Download here).
If this is within a corporate environment you can always work with the IT department to ensure that alternate browsers are distributed. I recommend Google Chrome, simply because of the ability to create "Application Windows" that eliminate problem-causing elements of the browser GUI (Back button etc...)
Having a site that elegantly degrades when the user's browser is IE6 is the best option. IE6 users should still be able to use your web site - if a particular feature requires a modern browser a user will be more likely to switch if they already find your site useful.
Another point: modern JavaScript libraries like jQuery make it easier to code sites that are compatible with IE6. There's no need to turn away potential customers because of their web browser choice. If you're a web designer it's your job to make sure they have a good experience.
A lot of this comes down to the reasons you want them to stop using IE6. IE6/7 are a pain in the bum if you let them be. We're now taking a more aggressive approach to browser adoption when it comes to what you can/can't do.
For instance, when you visit our new sites in most browsers you'll get rounded corners, transparency, gradients etc. When you visit in IE6 you get a square, opaque, monotone website. Wherever you have PNGs you'll get a simple GIF (even if it looks pants).
Unfortunately IE6 is tied to many businesses for internal reasons (using apps etc) and you can't force them to upgrade but you can give them a subtle message.
Make them understand that IE is not bad, it's IE 6 that's bad. If they wish to use IE they can surely use it, but could use IE 7 or even IE 8. Make them see how IE 7 and 8 provide some great features which are not there in IE 6.
Also IE 8 is the only browser that follows strict CSS 2.1 methodology.
Plus there are many websites which previously were running in IE 6 (with no problem) that now run under a warning message that some content may not be supported by IE 6, e.g. www.yahoo.com, so why use it?
Thanks
We had the same issue in one of our projects. I made a simple conditional check and displayed an additional div with links to download firefox, Chrome and IE-8.
Try facebook.com on IE-6. This was my inspiration for the additional div.
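The "simple conditional check" in the answer above, written out as an added example (not the answer's own code): a User-Agent test for IE6 plus a once-per-session guard so the download-links div does not appear on every page load. The Opera exclusion is there because Opera 8 shipped with a User-Agent that claimed to be MSIE 6.0, which is the kind of spoofing the user-agent question on this page discusses. The element id and cookie name are assumptions made for this example.

```javascript
// Added example: IE6 check with a once-per-session notice. Not code from the
// original answer. Element id 'ie6-notice' and cookie name 'ie6_notice_shown'
// are assumptions for this example.

function isIE6(userAgent) {
  // Classic IE UA: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)".
  const m = /MSIE (\d+)\.(\d+)/.exec(userAgent || '');
  if (!m) return false;
  // Opera 8 identified itself as MSIE 6.0 by default; it renders nothing like IE6.
  if (/Opera/.test(userAgent)) return false;
  return parseInt(m[1], 10) === 6;
}

// Pure decision: show the notice only for IE6 and only if this session has not
// seen it yet. The flag store is passed in (anything with get/set) so the logic
// can run without a browser.
function shouldShowNotice(userAgent, sessionFlags) {
  if (!isIE6(userAgent)) return false;
  if (sessionFlags.get('ie6_notice_shown') === '1') return false;
  sessionFlags.set('ie6_notice_shown', '1');
  return true;
}

// Session-cookie backed flag store for real IE6, which has no sessionStorage.
function cookieFlags(doc) {
  return {
    get(name) {
      const m = new RegExp('(?:^|; )' + name + '=([^;]*)').exec(doc.cookie || '');
      return m ? decodeURIComponent(m[1]) : null;
    },
    set(name, value) {
      // No expiry attribute, so the cookie lives for the browser session only.
      doc.cookie = name + '=' + encodeURIComponent(value) + '; path=/';
    },
  };
}

// Browser entry point: unhide the div that carries the Firefox/Chrome/IE8
// download links. Returns whether it showed anything.
function showUpgradeNoticeOnce() {
  if (typeof document === 'undefined' || typeof navigator === 'undefined') return false;
  if (!shouldShowNotice(navigator.userAgent, cookieFlags(document))) return false;
  const el = document.getElementById('ie6-notice');
  if (!el) return false;
  el.style.display = 'block';
  return true;
}
```

Because the decision is keyed on the User-Agent string, anyone can defeat or trigger it by editing that header; that is fine for a courtesy banner and exactly why it must never gate access or security behaviour.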
In line with Markus' post, it's simple enough to display a popup when the site loads with a warning. Ideally you won't show this every time they load a page of course, that will get old fast.
You have a good opportunity when working on a spec with your client, to tell them "it will cost $X more if we have to support older browsers including IE6 (don't just say IE6), and it will mean we can't easily add more advanced functionality... supporting older browsers will detract from the overall quality and increase time & cost."
A while ago there was a collective effort in Norway to get users away from IE6. Several of the largest sites in Norway participated, and the user got a kind warning on top of the site that recommended that he upgrade or switch browser for an improved browsing experience - if using IE6.
Check out what Wired said about it!
Make a whitepaper.
Two things:
Charge extra -- double or treble rates or more -- to support IE6. (even IE7 these days).
Point out that IE6 (and WinXP too) will be losing the last vestiges of support in the near future. If you think they're insecure now, just wait till that happens -- no more security fixes. If you're still developing for IE6 now, then you're clearly not going to be ready for the upgrade in time, so you will be hacked, and hacked badly. If your client is willing to accept that, then that's his problem, but you need to help him understand the gravity of the problem. He needs to be putting his upgrade plans in now, not getting more dev work done for the old systems.

What advice are you giving your Web user community about the IE security issue?

Perhaps not directly programming related, but definitely product / commercially related. And I can't find a dupe, so I thought I would ask.
I have had a bit of trouble trying to figure out what best to say to people who have called and asked for advice. The Microsoft message is a bit worrying - basically, be worried, lock up everything and hold on tight. Some of the people I have directed towards that route have objected because of what it does to their browsing experience.
The "go get Firefox" message seems to be going down a bit better. What is the real story and what is the best advice to give?
How much actual risk does it pose between now and when MS patches it?
Edit: here are the links that my community seem to be reading...
WSJ
NP
BBC
Switch to another browser, already.
Chrome and Firefox would be my first two choices. Firefox would probably be best for now, just because it has a longer history.
The only way to prevent this on IE is to follow Microsoft's workaround procedures, which will cause a huge headache for users.
Use Firefox
Use NoScript (if you want proper defence in depth). I can simply say 95+% of all client-side exploits require JavaScript and 90% of the time these are loaded from a 3rd party website. Therefore switching to FF and using NoScript is a really good solution.
How much actual risk does it pose between now and when MS patches it?
If you look at 0days in IE there are a bunch of them, and IE has the worst security track record. Also it's one of the most targeted applications for attackers because there is clear profit in it. Therefore using IE is generally not a good idea.
If you have to use IE,
Use protected mode
Use the latest stable version
Keep your windows updated
Run it as a least privileged user
Use a process control and personal firewall application such as Comodo Firewall (process control applications, if you can use them right, can solve many of these problems, but they put a massive overhead on the user)
Details of previous IE issues, there are lots of them!
http://secunia.com/advisories/product/11/?task=advisories (IE 6)
http://secunia.com/advisories/product/12366/?task=advisories (IE 7)
You can tell them to patch by following some workarounds, but as you noticed it's not going to save them in the long run.
Apart from switch browser, pay attention to the emergency patch - get it installed.

When is a browser considered "dead"? [closed]

Keep in mind that I'm not looking for a list of current browsers to support, I'm looking for logical ways to make that list, backed by some kind of hard statistics.
Since it's been a while since my last web job, I decided to do this latest site up from scratch. Now I have to decide again what to support in terms of browsers. Certainly I have a list of what I'd like to support, but the decisions that went into that list seem to be a little arbitrary to me. Where can I go to get a reliable picture of browser usage and what seems to be a good point at which to cut off an old version of a browser from support?
Browsers don't die out completely for about a decade. The first thing you must realise is that you will have some visitors that are using a browser you don't support. The question is not which browsers are not dead, but which browsers are worth supporting (the benefit) relative to the work it takes to do so (the cost).
I've never seen browser statistics I'm comfortable recommending, they all seem to be snake oil. A rule of thumb I feel is appropriate is that a browser isn't worth supporting if somebody using that browser is going to regularly run into problems on other websites as well. In other words "stick with what everybody else is supporting". To that end, Yahoo's graded browser support is useful.
Ultimately, the best choice depends on your individual circumstances and will change over time. For instance, 37signals have recently dropped support for Internet Explorer 6 and Facebook are slowly heading in the same direction. This isn't a decision that most organisations can make yet, but give it a year or two and you'll see a lot more organisations follow suit. Right now, it's a bold step that you probably can't justify, but give it time.
Don't fall into the trap of thinking that supporting as many browsers as possible is automatically the best choice - it may be that you are doing your visitors a disservice by wasting time working on compatibility with a browser used by five people when you could be improving the experience for the other million users you have.
Also, it's worth considering that you can "officially" not support a browser. For example, one thing I've done in the past is use JavaScript served only to Internet Explorer 5.5 and below (via a conditional comment), to automatically remove stylesheets, JavaScript and replace images with their alt text. Without those measures, the site would be unreadable due to Internet Explorer's many layout bugs, but with it, the site at least works, even if it's too much work to "support" it.
The easiest way to do it is sign up for Google Analytics and add their tracking code to your site (there are a number of similar services, but Google's one is the best I've found). It gives you detailed statistics as to what browsers people who visit your site use.
Once you have a couple of months data, you can start making decisions as to which browsers you will support. I work for a mainstream web company who want to make our site work for as many users as possible, so we consider any browser with above 0.5% market share to be within our testing matrix. However, other sites may choose to only support and test on major browsers such as IE and Firefox.
As a rough guide, the major browsers you'll see are IE 6 and 7, and Firefox 2 and 3. This should cover well over 90% of your audience so is a good starting point for the first couple of months. Then use your analytics data and make a business decision as to whether the potential revenue (or whatever you're trying to achieve) is worth the additional effort it will take to support other browsers.
Added 2008-09-18:
Admittedly one issue with this method is that if your support for some browser types is so bad that your site is unusable with them then it will potentially skew the statistics as those people will stop coming back, and thus those browsers will appear to have a lower percentage of users.
To determine whether this is happening, you can use Google Analytics' detailed breakdown of behaviour for each browser type and version. This gives you the bounce rate, average time on site, pages per visit, and percent of new visits. If the figures for a given browser type and version are significantly worse than others (i.e. the bounce rate is higher, time on site is lower, pages per visit is lower, or percent of new visits is higher) then it's possible that your site isn't supporting that browser sufficiently well and that you might get more users with it if you had better support.
At this point the figures will still give you a reasonable feeling for how important the browser is (i.e. if it you don't support Google Chrome and it is being shown as 2% of your traffic, then it wouldn't jump to 20% just because you added support) so you can use that browser to see how bad your site is, and make a judgment call as to whether you add support; sometimes this may involve fixing only the worst issues and leaving the site imperfect but usable until the browser gets to a higher percentage of users, or out of beta status.
You could take a look at the way Yahoo! supports browsers at Graded browser support.
The browser is dead when (a) a very small percentage of people use it and (b) you don't care about (selling to? educating? whatever your business is) such a small percentage of people.
Unfortunately, you won't find a good answer to this; even if you found some hard statistics on browser versions for visitors to your website, that almost certainly doesn't tell you what you need to know.
What you need to know isn't "what percent of my visitors use Browser X", it's "what percent of my revenue comes from visitors who use Browser X". That one guy visiting your site using an ancient copy of IE might be the managing director of a big company wanting to buy a site license; the 10k visitors you had last month using Firefox 3 might be college students wanting to plagiarize your documentation for an essay.
Really, you need to know your market - not just the raw browser statistics. If you pay the bills by selling stuff to graphic designers, then rock solid Safari support matters a lot more than if you're in the job of selling Visual Studio plugins. Not helpful, I know!
There are 2 main groups to target. (There are plenty of others though)
Group #1 is browsers that use Webkit (Safari for example), Presto (Opera for example), KHTML (Konqueror for example) or Gecko (Firefox for example). These browsers should all get the same markup, CSS and Javascript code (as they're all in the same group of standard-compliant browsers). Only work around bugs in one of these if you absolutely have to and have the resources to do so. Instead, test in the latest stable versions of each (as you're developing so they can keep each other in check as to what the expected behavior is) and (after checking in the nightlies for the bugs) file bug reports. Again, avoid workarounds for a specific browser if you can. Instead, plan a cross-browser compatible solution from the beginning.
With Group #1, you don't have to worry about older versions much, if at all.
Group #2 is browsers that use Trident (IE for example). Target IE versions you care about and still only workaround the most severe bugs.
Also, don't deny browsers you don't officially support. Let them fend for themselves instead of blocking them (either intentionally or through crappy browser detection).
Also, remember that when looking at market share percentages, try to figure out the numbers they represent so you can see how many millions of potential visitors with that browser there are. 1% or 5% might not seem like a lot, but that could still mean millions.
Most of all, listen to the visitors. If you're getting multiple complaints about a certain browser, look into it if you can. Even if it's for a browser with low market share, if it's a trivial fix, you should just do it.
Ones that are definitely not dead are: IE6 (starting to push it), IE7, IE8, latest Opera 9.x, latest FF 3.x, latest Safari 3.x and others that have about the same capabilities. FF 2.x isn't dead either and is needed for Win9X users (if they don't want to use Opera)
See also this topic
You should use a good UI framework that solves most of the compatibility issues among browsers, like YUI!, jQuery, and so on...
Personally, I recommend YUI!
Try to answer this locally, consider your audience. For example when I was developing my own Blog Engine, my appeal was mostly to .NET developers. I hope it stands to reason what browser I primarily develop for. From that point I consider the market share and try to ensure a "reasonable" support level for all other browsers. For example even .NET developers occasionally use Firefox, maybe even Opera. Safari and Chrome are possibilities too now. So my current level of support ranks in this order:
It MUST run perfectly in Internet Explorer 7. All features I intended to build are there
It MUST run reasonably in Internet Explorer 6, Firefox 3.0, Opera 9+ and Safari for Windows, not everything has to be flawless, but it can't look downright ugly either
Everything else I don't care about. I just don't have the time and willing effort to support everything.
How do I determine whether or not I want to even consider supporting another browser or continuing supporting one of the above browsers any more? Simply I look at the market share and the statistics of who is hitting my page. If someone is dying, or I just haven't seen them in awhile, then I consider support dropped.
So in short, I would simply make a statement to yourself about the browsers that must run your code perfectly then reasonably and update periodically as the browser world changes. For the first run of your website, just think about your audience, for subsequent updates, your statistics should tell you enough.
My (very poor) solution was to get stats from w3schools and base my decisions on that. While those numbers aren't really terrible, they are skewed because viewers of that site are more likely to be upgrade-conscious. Also, it doesn't give a breakdown of any browser versions except FF.
If you purely build to standards, some browser won't render correctly since no browser supports all standards. You have to pick a few browsers and test your site in those.
Don't try to be too bleeding edge. If you must use some cutting edge CSS, then you have to expect it not to work 100% of the time.
What are you really going to do with the list? Are you planning to block browsers you don't support? What if the user hacks the User-Agent response?
Like others, I would strongly suggest going with something like Yahoo's "Graded Browsers" and, if possible, leveraging YUI or other libraries so you don't have to do it yourself.
<1% market share isn't a criterion - esp. if the browser is new.
For me, < IE6 is dead, and the HTML monkeys I work with WISH it was dead. < FF2 is dead. Opera is a nice to have. < Safari 2 is dead, though most are designing for Saf 3 now.
So it's:
IE6,7,8
FF 2,3
Saf 3,4
Chrome (which is basically Saf4)
But depending on your app, and how many people you think you are going to get with old machines, you COULD drop IE6, which would make your life so much easier.
I would say IE6 and below are dead... but many are still stuck using it.
This site has a nice live listing of each browser and its actual age.
http://webbugtrack.blogspot.com/2008/08/browser-life-statuses.html
I'd go with the http://browser-update.org/ defaults, which currently say the following are dead:
IE <= 6
FF <= 2.0
Op <= 10.01
Sf <= 2.0
My opinion (has always been) build it to the standards and leave it to the browsers to render it correctly.
Start with the browser with the highest market share and work your way down from there.
If you have existing metrics on browsers that visit your site, use those instead of the general market share.
Whichever has < 1% market share.
I agree with Unkwntech.
You should try to make the website compatible to both IE and Firefox
It's simple - most users keep using the browser that came with the PC when they bought it (think of your mom). The browser is dead when the machines it was pre-installed on are no longer used for Internet access... which is probably around 5 years. As prices of new PCs drop and they become more of a consumer electronics item, this period will drop as people will more easily buy a new PC.