[barbegal]

>Probably the easiest, yet most powerful one is to only use the browser in incognito mode while surfing on insecure networks. This way, no information (like passwords or cookies) can leak out and no evil cache entries can sneak in.

Is only partially true. If you sign in using incognito mode your passwords and cookies will leak. And you have to remember to open the incognito window after connecting to an insecure network and close it before you connect to a secure network because the cache and cookies are maintained until you close the window.

[bonyt]

Here is an interesting dilemma: should HSTS persist in incognito mode?

If not, then this becomes bad advice, because all the attacker has to do to disable HTTPS is not redirect http sites to https ones (sslstrip).

If so, then the list of sites for which your browser attempts HTTPS connections without being told to is the list of sites you’ve accessed in the past. This information could become a supercookie allowing sites to identify and track you even in incognito mode.

https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-bro...

[varenc]

This is possible! HSTS does apply to incognito to my knowledge

Here’s a project that uses this fact to look up browser history: https://github.com/diracdeltas/sniffly

[crunchatized]

At least it only works on chromium-based browsers. Firefox fixed the supercookie problem when opening up a private browsing session back in Firefox 34.0.5 after it was discovered.

Which then makes the HSTS preload list and HTTPS Everywhere extension all the more valuable to defend against active attacks.

[Klathmon]

Unless the website makes use of HSTS preload

[crunchatized]

Yeah the only true part there was 'no evil cache entries.' Chrome's incognito mode even explicitly warns that it does not defend against your ISP/employer/school (aka any man-in-the-middle). All incognito does is keep any data from the session from being saved to disk.