‘Incognito mode’ doesn’t hide your browsing history. Here’s why

Updated on: 15 November 2023

Cybernews Team

We’ve all been there: when using a foreign device, we don’t want to leave traces on or journeying into darker parts of the net. Whatever the reason, ‘private browsing’ is there to keep us safe. Or is it? Our research shows that your browsing history is as safe from attackers as the websites you visit make it to be.

If you’re like 90% of humanity, you likely use one of the five most popular web browsers. All equipped with the infamous ‘private’ or ‘incognito’ modes. To escort the elephant out of the room, we’re not trying to debunk a myth on perceived privacy various browsers claim to guarantee.

By now, it’s common knowledge that neither of the private modes browser vendors offer is meant to guarantee privacy from internet service providers (ISPs) or website tracking. Whether ‘private mode’ is on or not, it’s still possible to identify users via IP addresses and user accounts.

That said, ‘incognito’ should, in theory, allow history-free browsing. Meaning that whatever you’re doing in an internet café or a device you don’t own, there should be no traces of where you were going. At least in theory.

To find out whether any of that is true, we decided to skip past the browsers and look where it actually matters – websites.

Time to live

As it usually is with privacy and the web, we did uncover that no matter what browser or privacy mode a person uses, at least for a short time browsing history is saved on the local machine.

Our team found out that browsing history is saved onto the device for a period ranging from 1 second to 24 hours, depending on the website. That’s terrible news if there’s someone keen on learning what browsing habits a user wants to hide.

Whichever browser a person employed is entirely irrelevant. The history is saved in the DNS cache format, and the domain owner controls the time for which the record is kept through the time-to-live (TTL) property of a DNS entry.

TTL is a vital tool used to reduce workload for authoritative name servers. Meaning that the TTL value cannot be set at zero since that might be a heavy burden for an authoritative name server.

However, if the domain owner of a website you don’t want to admit using is old-fashioned, your browsing history might stay on the computer for hours, laying there, waiting for someone to exploit it.

Seconds matter

While it was a lot more common for the TTL setting to stand at 24 hours in the past, our research shows that more and more websites change ‘hours’ to ‘seconds,’ meaning your browsing history is gone faster than it takes Jared Leto to go to Mars.

However, threat actors can still use local DNS cache as a stream of data to aggregate an extensive list of websites a user is visiting.

If the computer is compromised with malware built to ask for DNS cache every 10 seconds, a threat actor can interpret it as a data stream and export it elsewhere. This stream can be stored for each compromised computer separately in a device-specific text file for an indefinite period of time.

An attacker, for example, could track a victim's browsing history without an active keylogger even if a victim is surfing the web in ‘private’ mode.

That means that someone willing to eavesdrop can have a way to determine what sites a target has been visiting and to what IP addresses the domains resolve to. With a bit of technical know-how, a threat actor could determine even specific visit times.

If you’re using a computer you do not own, be it in a library, internet café, or an educational institution, ‘private’ or ‘incognito’ modes do not guarantee that you leave no traces of websites you’ve visited.

What to do

First and foremost, domain-owners should be aware of the risks that their reliance on TTL creates. To minimize these risks, the TTL setting should be as low as possible.

Browsing experience, of course, is essential, but security risks should always be kept to a minimum, especially if that’s as easy to guarantee as with changing a single setting.

Second, it is possible to reduce the online footprint left on the device. Computers running on Windows OS allow you to check local DNS cache with a PowerShell command ‘Get-DNSClientCache.’ The history can be cleared manually with a PowerShell command’ Clear-DnsClientCache.’

Another way to buff your online security is by considering using a VPN service. You might want to try NordVPN or Surfshark. If you are considering ‘vaccinating’ your computer, we have recommendations for the best antivirus protection.