Open
What steps will reproduce the problem?
1. Set KB SSL Enforcer to run in Incognito Mode
2. Clear the Enforced and Ignored Site Lists
3. Open a tab in Incognito Mode
4. Go to www.google.com
5. Check the Enforced & Ignored List
What is the expected output? What do you see instead?
The expected output is an empty enforced and ignored list.
This is because I expect that sites visited in Incognito tabs will not be added
to these lists, as documented at
https://code.google.com/p/kbsslenforcer/wiki/FAQ
"The extension has been made to not save any information in incognito."
Instead, I see google.com and www.google.com (and regional variations) added to
the Enforced list. This is persistent information about sites visited, an
obvious security hole.
What version of the product are you using? On what operating system?
KB SSL Enforcer 2.0.3
Google Chrome 31.0.1650.63
OS X 10.9 (13A603)
Please provide any additional information below.
If I were paranoid about someone on my machine discovering which sites I'd
visited, I'd use Incognito mode.
If I were paranoid about someone on the network discovering what I retrieved
from sites I'd visited, I'd use KB SSL Enforcer to secure the content I
received from those sites. (The site itself could be discovered from the IP
address on the packets, and/or my DNS requests.)
However, using Incognito & KB SSL Enforcer together violates the "do not record
history" guarantee of Incognito mode, by recording sites (not URLs) in KB SSL
Enforcer's Enforced and Ignored lists. This is counter to user expectations of
Incognito mode, and KB SSL Enforcer's own documentation.
However, disabling the caching of site detection in KB SSL Enforcer could
dramatically slow down browsing, so it should probably be available as an
option which is *on* by default (as most users won't change the option, and KB
SSL Enforcer should be secure before being fast).
Original issue reported on code.google.com by timothy....@gmail.com on 11 Dec 2013 at 12:39
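The mitigation the report proposes, an option that is on by default and keeps incognito detections out of the persisted lists, is illustrated below as an added example. This is not KB SSL Enforcer's code: the in-memory `storage` object standing in for `chrome.storage.local`, the option name `skipIncognitoPersistence`, and all function names are assumptions. The one real API referenced is the tab's `incognito` flag (`chrome.tabs.Tab.incognito`), which is what a background script would consult before writing a host to either list.

```javascript
// Added example (not KB SSL Enforcer's code): a site-detection cache for an
// HTTPS-enforcing extension that refuses to persist hosts seen in incognito
// tabs. `storage` stands in for chrome.storage.local; the option name
// `skipIncognitoPersistence` and every function name here are assumptions.

function hostOf(url) {
  // The lists are keyed by site (host), not full URL, as the report describes.
  return new URL(url).hostname.toLowerCase();
}

function createSiteCache(storage = { enforced: {}, ignored: {} },
                         options = { skipIncognitoPersistence: true }) {
  return {
    storage,   // survives restarts and is what the options page displays
    options,
    // Memory only: keeps the speed-up inside an incognito session, discarded on exit.
    session: { enforced: new Set(), ignored: new Set() },
  };
}

// `result` is 'enforced' (site answered over HTTPS) or 'ignored' (HTTPS unavailable);
// `tabIncognito` is the tab's incognito flag (chrome.tabs.Tab.incognito in a real extension).
// Returns true when the host was written to persistent storage, false otherwise.
function recordDetection(cache, url, result, tabIncognito) {
  if (result !== 'enforced' && result !== 'ignored') {
    throw new Error(`unknown detection result: ${result}`);
  }
  const host = hostOf(url);
  if (tabIncognito && cache.options.skipIncognitoPersistence) {
    cache.session[result].add(host);
    return false;
  }
  cache.storage[result][host] = Date.now(); // constructed timestamp value
  return true;
}

// Returns 'enforced', 'ignored', or null. Incognito tabs may read the persisted
// lists (reading leaks nothing), but normal tabs never see incognito-only results.
function lookup(cache, host, tabIncognito) {
  for (const list of ['enforced', 'ignored']) {
    if (Object.prototype.hasOwnProperty.call(cache.storage[list], host)) return list;
    if (tabIncognito && cache.session[list].has(host)) return list;
  }
  return null;
}

// Call when the last incognito window closes (chrome.windows.onRemoved in a real extension).
function clearIncognitoSession(cache) {
  cache.session.enforced.clear();
  cache.session.ignored.clear();
}

function persistedHosts(cache) {
  return {
    enforced: Object.keys(cache.storage.enforced).sort(),
    ignored: Object.keys(cache.storage.ignored).sort(),
  };
}

// Replays the report's reproduction steps with the option on (fixed) and off (the reported behaviour).
function demo() {
  const fixed = createSiteCache();
  recordDetection(fixed, 'https://www.google.com/', 'enforced', true);
  recordDetection(fixed, 'https://google.com/', 'enforced', true);

  const buggy = createSiteCache({ enforced: {}, ignored: {} },
                                { skipIncognitoPersistence: false });
  recordDetection(buggy, 'https://www.google.com/', 'enforced', true);

  return { fixed: persistedHosts(fixed), buggy: persistedHosts(buggy) };
}
```

`demo()` returns empty persisted lists for the fixed cache and `['www.google.com']` under `enforced` for the cache with the option turned off, which is exactly the difference between the documented behaviour and what the report observed. The session set is what preserves the caching speed-up the report worries about; it only disappears when the incognito session does.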