Private browsing (incognito mode) is useful for more than just porn. It can protect you against websites that are storing your sensitive data on your hard drive when they shouldn’t be.
When you visit a site that uses the HTTPS or SSL encryption protocol to protect sensitive data, you might expect that sensitive information to be cleared once you close the browser. You know, things like your customer account number, account balances, statements and credit reports.
Unfortunately, this isn’t the case, according to a recent study by security firm Independent Security Evaluators. It found that 21 of the 30 sites evaluated (70 per cent) are saving sensitive data to users’ disk caches.
That means if you ever share your computer with someone else, or if your laptop is stolen, that data is at risk. According to ISE:
The fact that the unencrypted, disk cached data is only stored on the user’s personal machine should not be discounted. The possibilities for this information to be exposed are numerous: malware infections, theft of laptops and mobile devices, theft of physical backup media or compromise of “cloud” backup services, shared machines and user accounts, and of course, shared computers in libraries, hotels, and Internet cafes.
The sensitive information is stored on your computer and easily retrievable (even if you didn’t know it’s saved to disk).
The problem stems from the way browsers and web servers communicate about caching content to disk. Web servers — especially the financial ones we’re talking about — are supposed to send a standard “Browsers Control: no store” header to tell browsers not to cache the content. ISE found that some don’t send any caching instructions. Others do send a “no cache” header, but they are using antiquated, non-standard instructions that only work with Internet Explorer, and not Chrome or Firefox. All three browsers enable disk caching by default even for HTTPS sites, rather than letting you opt-in. So, in short, there’s plenty of blame to go around between the browsers and the websites themselves.
There are two things you can do to prevent your sensitive information from being saved to disk: the easiest is to just use private browsing mode for your financial and similar sensitive accounts or restrict disk caching for encrypted sites.
Alternatively, ISE offers these recommendations:
To End-Users. Users should make the following configuration changes, depending on each browser:
Internet Explorer. Internet explorer already abides by most web application attempts to prevent disk caching. To further restrict what can be cached, a user can open Internet Options, choose the Advanced tab, and under Security, check “Do not save encrypted pages to disk”. This option may have unwanted side effects, such as interfering with file downloads from HTTPS sites. Alternatively, use InPrivate Browsing mode.
Firefox. Install our “HTTPS Caching Controller” Firefox add-on, which adds a toolbar button allowing disk caching of SSL content to be disabled or enabled at any time. This add-on works only on the desktop version of Firefox. Manually, or on the mobile version, navigate to “about:config,” enter the preference “browser.cache.disk_cache_ssl,” and double-click to switch the value from “true” to “false.” Alternatively, use Private Browsing mode.
Chrome. ISE could not locate any settings in Chrome to easily limit disk caching of HTTPS requests. Instead, use Incognito mode.
Safari. Safari users (both desktop and mobile) need not take any action, since, as of this writing, Safari does not cache any content transferred over HTTPS.
In addition to taking these precautions, never log into account-related or other security-sensitive sites from a computer or other device you do not own and control.
You could also clear your browser’s cache whenever you close it or on a schedule. For example, you could run CCleaner after browsing or create a cleanup script to run after your browsing session. Firefox users can set their browser to automatically clear the cache when the browser closes, and Chrome users can use the Click & Clean extension to do this. Here are instructions on WikiHow for clearing the cache manually for all browsers. This, however, wipes out everything cached by your browser, including stuff from regular HTTP sites.
Until browsers and web servers get their act together, it’s better to be safe than sorry and keep your sensitive info safe from being saved to your computer unencrypted.