Slashdot Mirror


Google Fixing Chrome API To Prevent Incognito Mode Detection (bleepingcomputer.com)

AmiMoJo writes: When browsing the web with Google Chrome, some sites are using a method to determine if a visitor is in a regular browsing session or in incognito mode. As this can be considered a breach of privacy, Google will be changing how a particular API works so that web sites can no longer utilize this technique.

Chrome supports the FileSystem API, which allows sites to create a virtual file system that lives within the sandbox of the browser. This allows sites that utilize large assets, such as online games, to download these assets to a virtual file system so that they do not have to download them each time they are needed. Currently the FileSystem API is not available in incognito sessions, because it leaves files behind and could be considered a privacy risk. Currently the API doesn't work in incognito mode, offering sites a way to check for it. In a Chrome Gerrit post started this week and updated earlier this morning, Google has stated that they are changing the FileSystem API so that it can be used in incognito mode, without the risks to privacy.

42 comments

  1. Does not compute by AmiMoJo · · Score: 0, Flamebait

    This story makes no sense. Slashdot assures me that Google is evil and hates privacy, yet here they are doing something to improve privacy.

    It makes about as much sense as that time they tried to ban ad-blocking by introducing a new high performance ad-blocking API built right into the browser, and then listened to feedback and decided to keep the old one around for good measure, even though they hate ad-blockers and live for ads.

    Can someone explain this latest move, preferably with an outlandish conspiracy theory about how Google is secretly taking over the entire internet and all this privacy/ad-blocking stuff is just to drive all rivals out of business so they can get to the anti-trust break-up stage as quickly as possible.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re: Does not compute by Anonymous Coward · · Score: 0

      I would have put this in the who cares department

    2. Re:Does not compute by Anonymous Coward · · Score: 0

      " Slashdot assures me that Google is evil and hates privacy " - Really? So you've never found a single example of that for yourself, are spoon fed all your opinions, and also think this one counter example is the ultimate proof otherwise?

      Sure, slashdot is the one making up all the privacy concerns with Google. You assertively imply that, so of course it's accurately describing reality.

    3. Re:Does not compute by AHuxley · · Score: 1

      Allowing more ads does not improve privacy.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re: Does not compute by Anonymous Coward · · Score: 0

      Unless you aren't using chrome and chrome keeps hijacking your computer, then ads are none of Google's concern

    5. Re: Does not compute by Anonymous Coward · · Score: 0

      Easy to explain: Google already knows who you are incognito or not, they want to keep this data profitable, and private for Google. Also if obvious data breaches become public people will switch to non Google browsers, both bad for Google.

    6. Re: Does not compute by Anonymous Coward · · Score: 0

      If you think you have privacy with google then go visit https://myactivity.google.com and then come back here and tell us all about your youtube history.

    7. Re:Does not compute by Anonymous Coward · · Score: 0

      https://www.youtube.com/watch?v=TBEXGL1Brw4 Trump's taxes are about to end his Presidency for real, followed by prison. Privacy that, bitch.

    8. Re:Does not compute by Anonymous Coward · · Score: 0

      So you've never found a single example of that for yourself, are spoon fed all your opinions, and also think this one counter example is the ultimate proof otherwise?

      Yes, how should I feel about this?

    9. Re: Does not compute by Anonymous Coward · · Score: 0

      Wow! Like an alcoholic Santa Claus in a schnapps factory!

    10. Re:Does not compute by Anonymous Coward · · Score: 2

      Google's mistake with its incognito mode was actually having it behave differently rather than having it behave the same and just sandboxing -everything-

      There's another thing that incognito mode destroys your privacy with, and that is the browser history if you've visited the site before without incognito. try it, go to google.com and then open an incognito window and start typing google.com, it will auto-fill it. If you open the browser history, it will then toss you back to the non-incognito mode.

      That's not very private is it?

    11. Re: Does not compute by DontBeAMoran · · Score: 1

      Oh, come on now. We're all adults here. We know this is just stories we tell children. Schnapps doesn't really exist.

      --
      #DeleteFacebook
    12. Re: Does not compute by AmiMoJo · · Score: 2

      "Here's a tool that lets you review all the data we have, which you explicitly opted in to allowing us to collect and which is used to provide the services you enjoy. Here is a button to disable collecting it, and here is a button to delete it."

      "OMG mah privacy!!1"

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re:Does not compute by AmiMoJo · · Score: 2

      Maybe why Google is also starting to block the worst ads by default anyway. Chrome has a built-in ad blocker now.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re:Does not compute by petermgreen · · Score: 1

      Companies are neither inherently good or inherently evil, they just do what they think will help their bottom line and/or strategic goals, and yes keeping up a good PR face can be part of that.

      This fix probably hurts google's competitors more than it hurts google. Google can probably make a pretty damn good guess whether someone is in incognito mode without resorting to tricks (if a browser shows up with no google cookies it's a pretty good bet it's in incognito mode). Smaller sites will find it harder to guess.

      Similarly with ad-blocking if google sets up the defaults such that they let google's ads through while blocking the more obviously obnoxious ads from competitors they reduce the risk that people will seek-out a third party ad-blocking solution which may block more aggressively. The web giants' nightmare is that the more obnoxious end of the internet ad-market drives the majority of Internet users to install an aggressive ad-blocker.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    15. Re: Does not compute by Anonymous Coward · · Score: 0

      They only offered that after the GDPR went into effect. And who says they delete the info? What guarantees do I have?

      Why are you blindly taking google for their word? They have lied before and will lie again.

    16. Re: Does not compute by Anonymous Coward · · Score: 0

      Exactly. This tool has been available since Google existed. You are in complete control of what data Google collect and what they do with it.

    17. Re: Does not compute by Anonymous Coward · · Score: 0

      You wish... FAKE NEWS. Keep on dreaming
      bra..

  2. Written by? by hcs_$reboot · · Score: 1

    TFA "Since the data is kept in memory in the browser process, a malicious website could try to exhaust the memory of the browser process and make it more likely to crash"

    Google is the best at algorithms, how could they miss checking such an obvious trait and ensure the FS does not go over x MB?

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:Written by? by GuB-42 · · Score: 2

      TFA "Since the data is kept in memory in the browser process, a malicious website could try to exhaust the memory of the browser process and make it more likely to crash"
      Google is the best at algorithms, how could they miss checking such an obvious trait and ensure the FS does not go over x MB?

      They didn't miss it, quite the opposite, it is a potential problem they identified for a solution that isn't out yet.
      As for limiting to x MB, it is exactly what they intend to do, but while it is an obvious solution, finding the value of x isn't.

    2. Re:Written by? by bluefoxlucid · · Score: 1

      Alternatively, they could generate an encryption key and keep it in the incognito browser's memory. Use operating system APIs to pin that page to memory (standard for encryption keys) so it doesn't go to swap. Encrypt and encode filenames, and stream the files to disk encrypted. Mark the whole thing as temporary.

      It leaves evidence that you used incognito mode, but only gibberish about what actually happened in incognito mode.

    3. Re:Written by? by Anonymous Coward · · Score: 0

      Brrrrrilliant!

  3. Other methods to check by guruevi · · Score: 4, Informative

    This has been known for several years (https://stackoverflow.com/questions/2909367/can-you-determine-if-chrome-is-in-incognito-mode-via-a-script)

    There are plenty of other methods to check whether or not you're in incognito mode (http://www.collinjackson.com/research/private-browsing.pdf)

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:Other methods to check by Anonymous Coward · · Score: 0

      We probably won't ever have online sites like magazines, so there is only one site to download from, though it would be nice. I tend to think some rules could be established to reduce the chaos and the countless trackers from countless sources. Perhaps we need some kind of amendment establishing a cyber bill of rights.

    2. Re:Other methods to check by AmiMoJo · · Score: 2

      You will note that after this fix none of the methods outlined in either of your links work any more. The CSS visited link hack was fixed years ago, for example. The paper suggests testing things like SMB links, which are only supported in Internet Explorer anyway.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re: Other methods to check by Anonymous Coward · · Score: 1

      I browse in "private mode" on my iPhone exclusively, and I see a lot of ads for Ashley Madison. I had always assumed this was because they knew I was in private mode. And no, I have never visited that site!

  4. News Sites by crow · · Score: 2

    Many news sites let you have a few free articles every month. The number gets reset if you clear your cookies, but if you read in incognito mode, you start fresh every time. Taking this into account, I've hit one news site that simply blocks incognito mode. I'll be happy if this breaks their block.

    Of course, with the vast number of APIs available now, fingerprinting is just about as good as cookies. Browsers reveal far too much information.

    1. Re:News Sites by cshay · · Score: 1

      There are cookie related add-ins that will delete cookies after a certain amount of time away from the site. On Chrome I use Vanilla Cookie Manager and on Firefox I use Self-Destructing Cookie (pre-extension apocalypse)

      If websites focus their efforts on incognito mode, I would just use one of those extensions.

  5. If any Chrome devs reading this by Billly+Gates · · Score: 1

    Can you please put the option to put the tabs and blinding white off back to where it was at version 70?

    I still use that version as I get migraines easily and it's hard to differentiate tabs with my multiple monitors

    1. Re:If any Chrome devs reading this by Anonymous Coward · · Score: 0

      Just change a skin. Was it that hard?

  6. comment subject by Anonymous Coward · · Score: 0

    If "incognito mode" is your idea of privacy, this won't change your status from Sucker

  7. There is no such thing as "anonymous" by Tony+Isaac · · Score: 1

    If you want to browse the web anonymously, forget it. No matter what tricks you use, you can be tracked. Sure, some methods of going incognito are better than others, but when it comes down to it, don't ever, ever trust that what you are doing on the Web can't be found out.

    1. Re:There is no such thing as "anonymous" by Anonymous Coward · · Score: 0

      Could get it back if privacy laws would let me sue any site that violated my privacy. Disregard my "Do not track" flag. Jackpot!

    2. Re:There is no such thing as "anonymous" by Anonymous Coward · · Score: 0

      Not really. If internet was truly anonymous... websites wouldn't know which computer wanted to see its content. If you can see a website, /. say, then the server knows who made the request and it is therefore non-anonymous.

      Plus, when you connect to the internet you really connect to your ISP, which then gives you access to the net. Unless you use a burner phone, they know who is making the requests for what. And, this time, `who' is not an IP address but a full name and (physical, non-hexadecimal) address.

    3. Re:There is no such thing as "anonymous" by Anonymous Coward · · Score: 0

      Qubes OS + and or Whonix

      VM for secure, VM for shitbrowsing

      There.

      A shame it's tricky to implement, I hope it'll be more readily installable within a VM for testing, and multi-monitor support.

      Who knows, maybe one day we can get a gamer PC instance in such a setup, too, if a non-enterprise video card company can have the 'courage' to support SRIOV.

      Probably not novidia, they like their telemetry.

  8. A Potentially Dumb But An All Seriousness Inquiry by osswmi · · Score: 1

    If Chrome has plans to remove the FileSystem API if it sees no legitimate use outside of the aforementioned discovery technique, would this have any impact on the FileReader API in any way shape or form? I only ask this as the FileReader API is a key component of a major web project of mine.

  9. Re:A Potentially Dumb But An All Seriousness Inqui by Anonymous Coward · · Score: 0

    They're not removing the API, quite the opposite. They're making it available in private mode, where it isn't currently.

  10. MIT Technology Review's tracking blocker blocker by tepples · · Score: 1

    Many news sites let you have a few free articles every month. The number gets reset if you clear your cookies, but if you read in incognito mode, you start fresh every time. Taking this into account, I've hit one news site that simply blocks incognito mode.

    Was it MIT Technology Review? If so, I think it was testing for existence of third-party analytics/advertising ID cookies, not any file system API. I don't use incognito per se, but I have encountered that message while using Firefox built-in tracking protection, which blocks URLs known to be involved in cross-site interest gathering. (It uses the same list as the Disconnect extension.)

    I'll be happy if this breaks their block.

    If a paywalled site doesn't detect a third-party analytics/advertising ID cookie, it may require the user to log in through Facebook, Google, Twitter, GitHub, or the like so that such a cookie can be dropped.

  11. Re:A Potentially Dumb But An All Seriousness Inqui by osswmi · · Score: 1

    Subsequently I saw this article that seems to indicate there was a stance to potentially remove the API altogether if Chrome sees fit. https://www.theverge.com/2019/...