Shantanu tells us about Firefox’s Incognito mode and asks us to stop drooling over Google Chrome’s privacy mode labeled Incognito. Does Firefox have an Incognito mode? – Yes. Is it better than Google Chrome’s Incognito mode? – Hell no.
When it comes to the masses, security is 80% usability and just 20% technology.
Picture the following 2 scenarios involving an imaginary but very plausible conversation with my very real and reasonably tech-savvy Dad (2 email accounts, has an Orkut profile, uses Linux once in a while, online banking, composes videos of family photos with narration etc… is he cool or what!)
Scenario 1 (Google Chrome)
[ Varun ]
- Dad open up Google Chrome.
- Click on the page icon at the end of the address bar.
- Select “New Incognito Window” from the menu options.
Whenever you do serious stuff such as online banking use this mode, OK?
[ Dad ] - Sure son! That’s easy. You are the bestest son ever!
Scenario 2 (Mozilla Firefox)
[ Varun ]
- Dad open up the Windows Run dialog.
- Type firefox -ProfileManager.
- Click on “Create profile”.
- Enter “Incognito” as the profile name.
- Hit Finish.
- Select “Incognito” from the list of profiles.
- Click on “Start Firefox”.
- Go to Edit >> Preferences >> Privacy.
- Select “Always clear my private data when I close Firefox”.
- Unselect “Ask me before clearing private data” and you are done.
[ Dad ] - My dear Varun, let me tell you about something called Google Chrome and something called the Incognito mode… Step 1 – Open Google Chrome….
Browsing is an everyday affair for a large chunk of the computer user population. Privacy mode should be an equally “everyday” affair and should not involve them having to change settings, create new profiles, shortcuts etc.
Another reason why I prefer Google Chrome over Mozilla Firefox is the safer process model. Even if one were to use the Firefox Incognito mode, the individual tabs are not protected from each other, and bad stuff like CSRF (cross-site request forgery) and XSS (cross-site scripting) can still happen. In Chrome, by design, individual applications/websites are cordoned off from each other. I am sure it is not fool-proof, but it is way better than all current browsers.
Lastly, the Google Chrome Incognito mode is a read-only mode. It does not write anything to disk. No cache, no cookies, nothing. Its default behaviour is secure and there is nothing you can do to change it. The Incognito mode will remain what it is on every Google Chrome browser, whether it is my home PC or work PC.
The Firefox Incognito mode outlined in Shantanu’s post still writes to the hard disk. The cleaning up is post-event and not by design. Also, if you do exactly what is mentioned in that post, you are still NOT cleaning up persistent cookies, offline website data (created by extensions) and saved passwords. You have to check a few more boxes to clean these up. If a hardcore geek like Shantanu (the dude writes well, hacks stuff and has a bunch of interesting-looking downloads on his blog!) can overlook these options, imagine what it means for people who want their browser to just work.
Am I drooling over Chrome’s Incognito feature? – Not exactly, but I _am_ impressed. When designing software, especially end-user software, think secure by design, think secure out of the box, think usability and think of my Dad-equivalent, whoever it might be in your case.
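The leftover-data gap in the Firefox setup described above can be checked mechanically. The following is an added example, not code from the original post or from Shantanu's: it audits the text of a profile's prefs.js for private data that survives exit. The pref names and their defaults are assumptions based on Firefox 3-era builds, and both sample profiles are constructed.

```python
import re

# Assumed Firefox 3-era pref names (not given in the post) -> assumed default.
SANITIZE_ITEMS = {
    "privacy.item.history": True,
    "privacy.item.downloads": True,
    "privacy.item.formdata": True,
    "privacy.item.cache": True,
    "privacy.item.sessions": True,
    "privacy.item.cookies": False,
    "privacy.item.passwords": False,
    "privacy.item.offlineApps": False,
}
ON_SHUTDOWN = "privacy.sanitize.sanitizeOnShutdown"  # assumed default: false
PROMPT = "privacy.sanitize.promptOnSanitize"         # assumed default: true

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Parse user_pref("name", value); lines, keeping boolean values only."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(2) in ("true", "false"):
            prefs[m.group(1)] = m.group(2) == "true"
    return prefs

def audit(text):
    """Return findings for one profile; an empty list means nothing is left."""
    prefs = parse_prefs(text)
    findings = []
    if not prefs.get(ON_SHUTDOWN, False):
        findings.append("nothing is cleared on exit")
    if prefs.get(PROMPT, True):
        findings.append("user is prompted before clearing")
    for name, default in SANITIZE_ITEMS.items():
        if not prefs.get(name, default):
            findings.append("not cleared: " + name.rsplit(".", 1)[1])
    return findings

# Constructed sample: the profile after following only the steps in the post.
AS_POSTED = ('user_pref("privacy.sanitize.sanitizeOnShutdown", true);\n'
             'user_pref("privacy.sanitize.promptOnSanitize", false);\n')
# Constructed sample: the same profile with the three extra boxes checked.
HARDENED = AS_POSTED + ('user_pref("privacy.item.cookies", true);\n'
                        'user_pref("privacy.item.passwords", true);\n'
                        'user_pref("privacy.item.offlineApps", true);\n')

print(audit(AS_POSTED))
```
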
P.S. – Dad if you are reading this do you agree with me?
EDITS – 2008-09-12 Chrome not resilient to XSS, just CSRF (Thanks Shantanu!)
Yes, you are right about the usability part. Actually that should be fixable easily. I had earlier thought of doing all the above steps in a script that someone could just download and double click and be “incognito” before being able to say “voila!”
Maybe subconsciously assumed that people would know about that, but yes, that counts as an oversight and you are right again that usability takes a step back when there is an “extra” step involved.
Or maybe the Firefox guys should make it more prominent. Moreover, once the “setup” is done, there are no extra efforts after that.
Well, about the extra options, I did check the boxes for my use but forgot to write about them.
About the writing to disk part, Google says that the cookies are cleared only after you close the windows, and I read at some places while googling that it is not, in fact, clearing everything up. So, cookies definitely go to hard disk. Not sure about the rest of the things going to HDD or not. Any links?
About the rest of the stuff, XSS prevention etc., I completely agree it's better in Chrome (though I use the NoScript extension to protect myself in Firefox, but it's obviously better if it's not needed at all).
One more thing, I’m not too well-versed with web technologies, but do you know if/what would be “legal/positive” use cases for XSS?
BTW just thought of a way to do the “not saving to disk” method for Firefox as well. Completely hypothetical (and might work only in Linux), but maybe I can do it. Wait till the weekend, will try and let you know.
Thanks for pointing this out, gives me something better to ponder about and do a real hack than just clicking around making a new profile and checking a few boxes…
Firefox Incognito / Private Browsing Mode - Part II | Shantanu's Technophilic Musings // Sep 12, 2008 at 12:46 am
[...] A few people (e.g. Varun) told me my previous post differed from the way how google chrome / Microsoft IE8 handle Incognito [...]
Hi. I’m the mom in the scenario and I want to know where my 12 year old is surfing. Can I disable the incognito feature of Chrome? (It took me a few weeks to figure out how he was surfing without leaving a trace.) Thanks
@Rachel – The incognito mode in Chrome cannot be disabled or locked. And uninstalling the browser also does not help because the recent versions of IE and Firefox both have private browsing capability.
To monitor the surfing activity that takes place on your computer you can do 1 of 2 things (you can even do both):
1. Use the logging capability of your wireless router. All computers in your household that access the Internet through your wireless router can be tracked via this mechanism. Most modern routers can even email you this log at regular intervals instead of you having to check the log manually.
2. Use a service like OpenDNS (http://www.opendns.com/solutions/overview/). Each computer that you want to monitor has to be configured to use the OpenDNS servers. OpenDNS can either block unwanted content or merely log all DNS requests that you can review later.