Evaluating private modes in desktop and mobile browsers and their resistance to fingerprinting.

Modern browsers implement private mode to protect user privacy. However, they do not agree on what protection private mode should provide. We performed the first study on comparing private modes in popular desktop and mobile browsers and found many inconsistencies between different browsers and between the desktop and mobile versions of the same browser. We show that some inconsistencies result from the tradeoff between security and privacy. However, even if private mode leaks no information about the user, the attacker could still track the user by fingerprinting the browser. Recent work suggested that a browser could report randomized configurations, such as font sizes and installed plugins, to defeat fingerprinting. To show that randomizing configuration reports is insecure, we propose an attack that estimates the true configuration based on statistical methods. We demonstrated that this attack was easy and effective.