IE8: InPrivate browsing and plug-ins

As a quick follow up to my previous IE8 post, I would like to alert users to an easily overlooked consequence of using the new InPrivate browsing mode.

Users will use the InPrivate browsing mode when they wish to leave no trail of their browsing on the machine. Whilst playing around with the RC1, I noticed that by default, IE8 disables all add-ons whilst in this mode. This is not surprising – the browser has no control over what third-party plug-ins may do with browsing data (history, page contents, form data, etc.), so they have to be disabled in order for “private” browsing to be possible.

However, the side effect of this is that security-related plug-ins, such as the Sophos web content scanner, are also disabled by default in this browsing mode! Do not be deceived by the status shown in the ‘Manage Add-Ons’ dialog. Whilst browsing in InPrivate mode with all add-ons disabled, opening the dialog suggests something different:

There is some irony in this situation.

The types of site on which users may want to cover their browsing tracks correlate quite closely with those commonly used by the bad guys to distribute malware (sex sells, humans are weak) [1,2].

Users can choose to enable plug-ins via the Tools – Options – Privacy tab, but there does not appear to be a way of configuring individual plug-ins separately (within InPrivate mode specifically, not globally). Well, at least users do have the option of getting their security plug-ins enabled.

Remember, though, that with plug-ins comes a loss of privacy (which is why Microsoft had to make this choice in the first place).

Consider a security plug-in detecting malicious content on a site – the URL (and perhaps page content) will most likely be stored locally, or reported centrally (product quarantine, report logs, etc.).

Similarly, content management or viewing plug-ins will typically manage their own content cache separately from the browser.

So make your choice, privacy or security. I know which side of the fence I sit on.