After reports and studies revealed that browsers’ private modes aren’t that secure, MIT graduate student Frank Wang decided to take things into his own hands. He and his team from MIT CSAIL and Harvard have created a tool called Veil, which you could use on a public computer — or on a private one on top of using incognito mode and Tor if you have big secrets to keep or if you’ve just become paranoid after years of hearing about hacks and cyberattacks.
Wang said in a statement:
“Veil was motivated by all this research that was done previously in the security community that said, ‘Private-browsing modes are leaky — Here are 10 different ways that they leak. We asked, ‘What is the fundamental problem?’ And the fundamental problem is that [the browser] collects this information, and then the browser does its best effort to fix it. But at the end of the day, no matter what the browser’s best effort is, it still collects it. We might as well not collect that information in the first place.”
MIT explained that data tends to move between different cores in multicore chips and caches, which attackers could access by exploiting flaws. Once those memory banks are full, computers could transfer data to their hard drive, and browsers can’t always delete them. Veil works by encrypting a website before showing it on your screen. You’ll have to type out a URL on Veil’s website instead of your address bar, but it will work whatever browser you use. The encrypted Veil-version of a website will look like its ordinary counterpart, except it has a decryption algorithm embedded in the page. Without that algorithm, the website will be unintelligible — with it, the website’s data will only be loaded so long as it’s displayed on screen.
If that isn’t enough, Veil was designed to be able to offer even more security features. Its “blinding” server can add a bunch of nonsense code to every page, and no two pages with meaningless codes will be the same. Further, it can take a picture of the website you want to visit and serve you that photo. The image won’t have any executable code, but when you click on parts you want to see, Veil will send you an updated image.
It’s unclear whether you’ll have to endure a considerable lag to load encrypted websites or their photos. Developers will have to create Veil versions of their websites first, so we can test it out. Wang and his team created a compiler that can automatically do that, but that means you can only use Veil with websites that actively want to support it.
Source: MIT