Web browsers are usually quite chatty. Among other things, they tell the owners of websites their names and which site their users last visited; web apps leave cookies and use JavaScript to retrieve more information about the system, making the surfer transparent. In this article, I focus on putting the anonymization functions of the Chrome [1], Epiphany [2], Firefox [3], and Konqueror [4] browsers to the test. Opera [5] was left out because it was in a transitional phase at the time of testing (see the box "Opera and Opera Next").

In my tests, I wanted the candidates to indicate whether they delete cookies or just return them to the pages from which they originated. Web storage, "an API for persistent data storage of key-value pair data in Web clients" [9] introduced in the context of HTML5, is also becoming more and more fashionable: Secure browsers must be able to delete this stored data. Other features browsers should offer to disable are JavaScript, web fonts, access to the geolocation API [10] for querying locations, Java, and Flash.

Browsers should send do-not-track information, even though most sites ignore it. Another useful addition is a built-in ad banner and pop-up blocker. The ability to disable sending the referrer and browser ID and to delete all data collected while surfing (cookies, history, and so on) when you exit the program are also important considerations.

Our lab computer ran openSUSE 12.3 (64 bit), Debian 7 (64 bit), and Linux Mint 15 (32 bit). Test settings and functions were restricted to those accessible via the menu.

Chrome

The web browser by Google has been available since September 2008. Although the company has released a large part of the BSD-licensed Google Chrome [1] source code as an open source project under the name Chromium [11], the Chrome binary itself may not be copied or modified.

The candidate in our test was Google Chrome 27.0.1453.93; it prompts the user to log in with a Google account directly after launching. In this way, using the Google servers, the browser synchronizes the history, bookmarks, and other features with other Chrome installations.

Chrome is talkative in other respects, too: If you commit a typo in the web address, the program sends the URL to the Google server, which then returns alternative proposals. Also, the terms entered in the address bar migrate to Google, and the search engine suggests suitable sites (Figure 1).

Figure 1: The Chrome instant search retrieves search results while the user is still typing.

Once the browser has loaded a page, it automatically determines the IP addresses of the links to accelerate loading newly requested pages. Chrome also tries to load pages in advance. Consequently, the pre-rendering method retrieves web content without authorization. Users can disable it in the settings, where it is somewhat misleadingly titled Predict network actions to improve page load performance.

The built-in phishing and malware protection accesses a locally stored blacklist. If the URL is listed in it, Chrome sends it to Google for further review. This function is enabled by default. In the History view, a button lets you delete the history, all form data, the cache, and the data for all extensions and applications that the user has downloaded via the Chrome Web Store. This includes the local memory used by Gmail.

Chrome not only removes cookies but also the information in web storage and the data stored by extensions via the NPAPI ClearSiteData API [12]. Unfortunately, it is impossible to keep data for individual areas.

Debit and Credit

Google Chrome only sends usage statistics and crash reports if the user has allows this. You also need to enable the Do Not Track request and spell checker explicitly. The latter sends the text to be corrected to a Google web service. Alternatively, you can rely on a local dictionary for spell checking.

By default, Chrome stores passwords and form data and puts this data into Google's cloud as well for later synchronization. Users are not allowed to turn off synchronization. Once you sign up, all your data ends up in your own Google account.

Chrome accepts all cookies. In the settings, users can instruct the browser to block third-party cookies or refuse them outright. On request, the program deletes the cookies on exit and defines exceptions for individual sites. Cookie management displays the information stored, and it can remove some cookies directly or all cookies at once (Figure 2).

Figure 2: Cookie management in Chrome is limited to the bare minimum and either removes individual cookies or all cookies.

Chrome only blocks pop-ups and JavaScript on request. In both cases, the user can define exceptions for specific sites. The browser shows the location, allows access to the microphone and webcam, and shows incoming notifications on the desktop. Google Calendar users rely on the latter feature. By default, users always need to confirm all of this explicitly, but it can also be disabled completely in the settings. When you Show advanced settings, Chrome lets you define exception rules for cookies and images in the Privacy section under Content settings.

To browse in private, open a New Incognito Window from the Chrome drop-down menu. Incognito mode does not create a history, and it deletes cookies and data in web storage after closing the last incognito window.

However, before setting incognita mode, Chrome accepts cookies and makes them available in all incognito windows. The browser continues to send data to Google in this mode as well, which is not everyone's understanding of being incognito.

Extensions run in a sandbox with limited privileges. If an add-on tries to break out or prompts the user for personal data, the browser asks whether you agree. In the settings, the user can suppress this behavior or define special rules for individual sites. Users also can switch to a click-to-play version, wherein the browser asks for permission whenever it needs an extension.

The Chrome Web Store [13] has numerous add-ons that promise anonymous surfing. For example, Adblock Plus disables ads, NotScript switches off active content in a "NoScript"-like way, DoNotTrackMe blocks cookies and other tracking elements.

Epiphany

Epiphany version 3.8 [2] is now available. Because most current distributions use Gnome 3.6, the testers looked at this more widespread release. The default browser on the Gnome desktop always creates a history, and this is not automatically cleaned when you exit. The history management window also only offers to remove the complete history; targeted deletion of entries is not possible.

The Gnome browser accepts cookies always, only returns them to the requested page, or rejects them across the board. Exceptions for individual pages are not possible. Epiphany provides rudimentary cookie management in which users can view and remove cookies individually. In the Privacy settings, you will also initially find a Clear button that not only removes all the cookies, but also your saved passwords, the complete history, and all temporary files. The remaining configuration is also easy to understand. Users can disable all extensions, suppress pop-ups, completely disable JavaScript, and disable tracking (Figure 3). On the test system, no extensions were enabled. To turn them on or off, users need to access the rather spartan Extension Manager, made available by installing epiphany-extensions when you install the Epiphany web browser.

Figure 3: The Gnome browser Epiphany adheres to the adage "less is more."

Users search in vain for a function that lets them uninstall, add on, or add new extensions, but at least Epiphany includes an advertising filter that blocks all URLs on a blacklist. By default, this is the blacklist maintained by Mozilla; however, users can add other directories. If Epiphany wants to access the geolocation API, the program asks for permission; users cannot turn off the geolocation feature permanently. (However, in our lab, geolocation failed reproducibly.) After starting, the Gnome browser always displays the most recently accessed websites. Again, the user cannot disable this behavior.

This is the full extent of Epiphany's functionality. Users cannot define exceptions for JavaScript, influence web storage, or start in privacy mode.