Researchers from the Massachusetts Institute of Technology’s Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) and Harvard University proposed a new system that enforces privacy protections for users — without any help from their web browsers.

The system, known as Veil, allows developers to set up private browsing measures for their pages. According to the researchers’ paper, the system requires no assistance from the user’s web browser, yet can still reduce the likelihood of information leakages resulting from a browser’s privacy mode.

A Unique Approach to Private Browsing

After developers feed their HTML and CSS files through Veil’s compiler, the system searches for cleartext URLs in the data. It then applies the user’s secret key to the URLs it locates and coverts them to blinded references — encrypted URLs that are cryptographically unlinkable — so that attackers can’t trace them back to their original forms.

Blinding servers then receive items uploaded by the compiler and collaborate with the page’s JavaScript to create the blinded URLs. The program also changes the syntax of a page’s content, which alters the clientside representation of the page for each user.

Where Web Browser Protections Fail

The use of blinding servers differentiates Veil from existing private browsing modes, which commonly use the file system or SQLite database to store a session’s data. However, these tools don’t completely delete that information when the session ends.

Curious individuals can also learn about a private browsing mode session by obtaining a webpage state using random access memory (RAM) reflections after the session’s termination. Such weaknesses make it difficult to fully protect users’ privacy when they’re using a private browsing mode.

In the paper, the researchers noted that the way browsers work also contributes to security gaps. “Web browsers are complicated platforms that are continually adding new features (and thus new ways for private information to leak),” they wrote. “As a result, it is difficult to implement even seemingly straightforward approaches for strengthening a browser’s implementation of incognito modes.”

Hope for the Future

The researchers asserted that Veil can have numerous practical applications for helping developers protect users’ digital privacy when browsing the web. For example, they envision developers of a whistleblowing service using the system to prevent employers from tracking visits to the site on employees’ workstations.

Veil can’t protect users’ privacy in every scenario, however. It only works against local attackers who access a user’s computer after terminating a private browsing session. In addition, the system is currently powerless against situations in which a bad actor compromises the computer during a protected session and uses keylogging to exfiltrate sensitive information. These risks highlight the importance of users and organizations taking appropriate steps to protect themselves against phishing attacks and other digital threats.

More from

Security Awareness Training 101: Which Employees Need It?

4 min read - To understand why you need cybersecurity awareness training, you must first understand employees' outsized roles in security breaches. “People remain — by far — the weakest link in an organization’s cybersecurity defenses,” noted Verizon on the release of their 2022 Data Breach Investigations Report (DBIR). They elaborate that 25% of all breaches covered in the report were the result of social engineering attacks, and when you add human errors and misuse of privilege, the human element accounts for 82% of…

4 min read

Beyond Requirements: Tapping the Business Potential of Data Governance and Security

3 min read - Doom and gloom. Fear, uncertainty and doubt. The "stick" versus the "carrot". What do these concepts have in common? They have often provided the primary motivation for organizations’ data governance and security strategies. For the enterprise, this mindset has perpetuated the idea that data governance, data security and data privacy are reactive cost centers existing due to externally imposed requirements or mandates. Yet, what if data governance and security practices could upend the prevailing paradigm and demonstrate direct business value?…

3 min read

Protecting Against Remote Monitoring and Management Phishing

3 min read - You use remote monitoring and management (RMM) software to closely monitor your cyber environment and keep your organization safe. But now cyber criminals are specifically targeting these tools, causing legitimate software to become a vulnerability. This is the latest type of attack in an increase in a recent trend of disruptive software supply chain attacks. The Cybersecurity and Infrastructure Security Agency (CISA) recently released an alert about the malicious use of legitimate remote monitoring and management (RMM) software. Last fall,…

3 min read

Secure-by-Design: Which Comes First, Code or Security?

4 min read - For years, developers and IT security teams have been at loggerheads. While developers feel security slows progress, security teams assert that developers sacrifice security priorities in their quest to accelerate production. This disconnect results in flawed software that is vulnerable to attack. While advocates for speed and security clash, consumers must often pay the price when threat actors strike. 48% of developers admitted they were still shipping code with vulnerabilities in 2022. It’s clearly time for a change. Many believe…

4 min read