IE8: InPrivate browsing and plug-ins threat

Send to friend

Users alerted to an easily overlooked consequence of using the new InPrivate browsing mode.

Users will use the InPrivate browsing mode when they wish to leave no trail of their browsing on the machine. By default, IE8 disables all add-ons whilst in this mode. This is not surprising - the browser has no control over what third-party plug-ins may do with browsing data (history, page contents, form data etc) and so they have to be disabled in order for private browsing to be possible.

However, the side-effect of this is that security related plug-ins, such as the Sophos web content scanner, are also disabled by default in this browsing mode! Do not be deceived by the status shown in the Manage Add-Ons dialog. Whilst browsing in InPrivate mode with all add-ons disabled, opening the dialog suggests something different.

There is some irony in this situation

The types of site users may want to cover their browsing tracks on correlate quite closely to those commonly used by the bad guys to distribute malware (sex sells, humans are weak).

Users can choose to enable plug-ins via the Tools - Options - Privacy tab, but there does not appear to be a way of configuring individual plug-ins separately (within InPrivate mode specifically, not globally). Well, at least users do have the option of getting their security plug-ins enabled.

Remember though, with plug-ins comes the loss in privacy (why Microsoft had to make this choice in the first place).

Consider a security plug-in detecting malicious content on a site - the URL (and perhaps page content) will most likely be stored locally, or reported centrally (product quarantine, report logs etc).

Similarly content management or viewing plug-ins - these will typically manage their own content cache separately to the browser.

So make your choice, privacy or security.

Comments (0)

Add a Comment

This thread has been closed from taking new comments.