Loss of Privacy

The new Safari 4 beta has been released and it boasts many new features, including what is now being called a security nightmare for the browser.  The data trail within the browser reveals hidden files of a user’s history and XML files that can, quite literally, add up to gigabytes of personal information left on the computer.  Much of this information is kept in obscure locations, making it difficult for the average user to find and clean out.

Let’s start with the easy stuff. In ~/Library/Caches/Metadata/Safari reside two folders: Bookmarks and History. Inside the history folder is a file for every webpage you’ve visited, regardless of when you’ve set Safari to delete history items in your preferences. I suspect Safari does some cleanup here as the files become slightly more sparse as one travels farther back in time (the past week – the time I’ve set Safari to delete history items after – usually comprise about half of the items, and I’m pretty sure my browsing habits aren’t increasing logarithmically), but I cannot figure out what gets kept and what doesn’t. Each item can be anywhere from 4-200k, but those add up when you get thousands of them. Deleting everything past a week old saved me over 100Mb.

This particular dump has been around at least since a version of Safari 3, but Safari 4 is even more egregiously unhygenic. You know the fancy new Top Sites feature, and how it tells you with a little blue star peeled away from the page preview if it’s been updated since you last checked? Safari makes a little file for every site, every time it checks on them, which if RefreshInterval is in seconds as I suspect it is, means it creates a nice XML file for every one of your top sites every 30 minutes (1800 seconds). These are located in ~/Library/PubSub/Feeds/ and given arcane hexadecimal names, and contain whatever turned out to be new on the webpage. As the Wikipedia homepage is one of mine and changes just about constantly, the vast majority of my XMLs were filled with Wikipedia content. I had over 24000, and deleting everything more than a week old (again, about half of the items) saved me about 93Mb.

But even this isn’t the worst of it. The most outrageous thing I found, and it took drinking from Spotlight’s firehose of filesystem changes with FSEventer to find it, was that Safari does not delete the webpage previews it generates for Quicklook. Ever. 2.03 GB of webpage previews (2 per website – a full resolution and a thumbnail), all generated since downloading the Safari 4 beta, residing – not in the user library, not even in the root library – in /private/var/folders/et/etuAKaR1GTeV9DVeRGfst++++TI/-Caches-/com.apple.Safari/Webpage Previews/, a hidden folder far away from the mouseclicks of all but the most relentless tinkerers.

This is a huge problem considering how fast the folder grew in such a short amount of time.  It is also a problem for the myriad users that don’t know these files even exist.  The privacy nightmare emerges when one realizes just how much information is being kept and that most of it needs to be removed manually.

There are some tips you can follow that may help you with the new beta at Mac OS X Tips.  Remember, this is still in beta, so if you are using it, you are presumably wanting to help fix problems such as these.  Private browsing will also eliminate these worries, but you have to know about it first in order to actually use it.

iSec Partners recently tested Mozilla’s Firefox, Google’s Chrome, Microsoft’s Internet Explorer, and Apple’s Safari privacy and security.  In particular, researcher Kate McKinley tested each browsers handling of cookies.

In their published paper [pdf], Ms. McKinley discovered several problems.

Ms. McKinley found particular problems with Safari and concluded that none of the four major browsers extends its privacy protections to Adobe’s immensely popular Flash plug-in, which is used to display Web animations and video.

Apple’s Safari fared the worst of the browsers in Ms. McKinley’s tests. When used in “private browsing mode” on a Macintosh running OS X, Safari was “quirky,” Ms. McKinley wrote, accessing some of the cookies previously stored on her computer, but not others. When used on a machine running Windows XP, Safari’s private browsing mode was not private at all -– it accessed previously set cookies and did not delete any new ones.

Sites such as MySpace, Hulu.com, CrateandBarrel.com and Amazon.com all use Flash cookies to record some kind of information about their users.

Ms. McKinley found that this information cannot be deleted by average users in the browser privacy settings, should they wish to do so. “Flash elevates the interest of developers over the interest of the end user,” she said.

You can delete flash cookies, however, the document [PC]  [MAC] that explains it is difficult for the average user to understand, if they even know of it at all.  A user could also try CCleaner, which works effectively at erasing flash cookies, while Flashblock (for Firefox) prevents any flash from loading.

And remember, always clear your private data when closing your browser.

Firefox
You can tell Firefox which bits to clear automatically each time you close your browser.  Go to Tools > Options and then click on the Privacy Tab.  Look at the settings listed under Private Data.  You can then choose Always clear my private data when I close Firefox or Ask me before clearing private data.

Opera
Use this tutorial.

Google Chrome
You can use Chrome in incognito mode or Load Chrome and choose “Clear Browsing History” from the Tools menu. This will clear all your private data.

Internet Explorer
Click the Tools button in the Internet Explorer toolbar. Select Delete Browsing History… from the menu. Click Delete All…. (As an alternative, you can choose to delete Temporary Internet Files (the browser cache), Cookies, Form Data or Passwords selectively using their respective buttons.). Click Yes. Close all Internet Explorer windows.

Safari
Click on “Reset Safari” and a window will pop up.  Then click on the items you wish to remove and click reset/ok.