Although web browsers come equipped with private-browsing modes, where they temporarily halt recording the user’s browsing history, it remains that any data accessed during such private browsing sessions can still become tucked away in a computer’s memory. This means that a knowledgeable cyber-attacker could still find a way to retrieve it. To overcome this, a new security system has been proposed.
The new system, from the Massachusetts Institute of Technology, makes use of JavaScript decryption algorithms, embedded in web pages and code obfuscation, in order to patch security holes left open by web browsers’ private-browsing functions. The new system is called Veil.
Veil is intended to make private browsing more private. Here Veil provides added protections to any person who uses a shared computer, such as in an office or hotel. The system can be used in conjunction with existing private-browsing systems or alongside other anonymity networks like Tor (a method designed to protect the identity of web users living in countries with comparatively less Internet freedom use).
According to lead researcher Frank Wang, the developers began by posing reflective questions: “We asked, ‘What is the fundamental problem?’ And the fundamental problem is that [the browser] collects this information, and then the browser does its best effort to fix it. But at the end of the day, no matter what the browser’s best effort is, it still collects it. We might as well not collect that information in the first place.”
Veil ensures that any data the browser loads into its memory remains encrypted until it is actually displayed on-screen. A user, instead of keying in a URL into the browser’s address bar, goes to the Veil website and enters the URL address here. Then a special server (a blinding server) transmits a version of the requested page that has been translated into the Veil format.
The new system was demonstrated at the Network and Distributed Systems Security Symposium, which took place in February 2018 in San Diego. The conference is designed to foster information exchange among researchers and practitioners of network and distributed system security.
