Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Chrome Google Privacy

Google Fixing Chrome API To Prevent Incognito Mode Detection (bleepingcomputer.com) 42

AmiMoJo writes: When browsing the web with Google Chrome, some sites are using a method to determine if a visitor is in a regular browsing session or in incognito mode. As this can be considered a breach of privacy, Google will be changing how a particular API works so that web sites can no longer utilize this technique.

Chrome supports the FileSystem API, which allows sites to create a virtual file system that lives within the sandbox of the browser. This allows sites that utilize large assets, such as online games, to download these assets to a virtual file system so that they do not have to download them each time they are needed. Currently the FileSystem API is not available in incognito sessions, because it leaves files behind and could be considered a privacy risk. Currently the API doesn't work in incognito mode, offering sites a way to check for it. In a Chrome Gerrit post started this week and updated earlier this morning, Google has stated that they are changing the FileSystem API so that it can be used in incognito mode, without the risks to privacy.

This discussion has been archived. No new comments can be posted.

Google Fixing Chrome API To Prevent Incognito Mode Detection

Comments Filter:
  • TFA "Since the data is kept in memory in the browser process, a malicious website could try to exhaust the memory of the browser process and make it more likely to crash"

    Google is the best at algorithms, how could they miss checking such an obvious trait and ensure the FS does not go over x MB?
    • by GuB-42 ( 2483988 )

      TFA "Since the data is kept in memory in the browser process, a malicious website could try to exhaust the memory of the browser process and make it more likely to crash"
      Google is the best at algorithms, how could they miss checking such an obvious trait and ensure the FS does not go over x MB?

      They didn't miss it, quite the opposite, it is a potential problem they identified for a solution that isn't out yet.
      As for limiting to x MB, it is exactly what they intend to do, but while it is an obvious solution, finding the value of x isn't.

      • Alternatively, they could generate an encryption key and keep it in the incognito browser's memory. Use operating system APIs to pin that page to memory (standard for encryption keys) so it doesn't go to swap. Encrypt and encode filenames, and stream the files to disk encrypted. Mark the whole thing as temporary.

        It leaves evidence that you used incognito mode, but only gibberish about what actually happened in incognito mode.

  • by guruevi ( 827432 ) on Sunday February 17, 2019 @06:58PM (#58137128)

    This has been known for several years (https://stackoverflow.com/questions/2909367/can-you-determine-if-chrome-is-in-incognito-mode-via-a-script)

    There are plenty of other methods to check whether or not you're in incognito mode (http://www.collinjackson.com/research/private-browsing.pdf)

    • by AmiMoJo ( 196126 )

      You will note that after this fix none of the methods outlined in either of your links work any more. The CSS visited link hack was fixed years ago, for example. The paper suggests testing things like SMB links, which are only supported in Internet Explorer anyway.

    • by Anonymous Coward

      I browse in âoeprivate modeâ on my iPhone exclusively, and I see a lot of ads for Ashley Madison. I had always assumed this was because they knew I was in private mode. And no, I have never visited that site!

  • by crow ( 16139 ) on Sunday February 17, 2019 @07:07PM (#58137158) Homepage Journal

    Many news sites let you have a few free articles every month. The number gets reset if you clear your cookies, but if you read in incognito mode, you start fresh every time. Taking this into account, I've hit one news site that simply blocks incognito mode. I'll be happy if this breaks their block.

    Of course, with the vast number of APIs available now, fingerprinting is just about as good as cookies. Browsers reveal far too much information.

    • by cshay ( 79326 )

      There are cookie related add-ins that will delete cookies after a certain amount of time away from the site. On Chrome I use Vanilla Cookie Manager and on Firefox I use Self-Destructing Cookie (pre-extension apocalypse)

      If websites focus their efforts on incognito mode, I would just use one of those extensions.

    • Many news sites let you have a few free articles every month. The number gets reset if you clear your cookies, but if you read in incognito mode, you start fresh every time. Taking this into account, I've hit one news site that simply blocks incognito mode.

      Was it MIT Technology Review? If so, I think it was testing for existence of third-party analytics/advertising ID cookies, not any file system API. I don't use incognito per se, but I have encountered that message while using Firefox built-in tracking protection, which blocks URLs known to be involved in cross-site interest gathering. (It uses the same list as the Disconnect extension.)

      I'll be happy if this breaks their block.

      If a paywalled site doesn't detect a third-party analytics/advertising ID cookie, it may require the user to log in through

  • Can you please put the option to put the tabs and blinding white off back to where it was at version 70?

    I still use that version as I get migraines easily and it's hard to differentiate tabs with my multiple monitors

  • If you want to browse the web anonymously, forget it. No matter what tricks you use, you can be tracked. Sure, some methods of going incognito are better than others, but when it comes down to it, don't ever, ever trust that what you are doing on the Web can't be found out.

  • If Chrome has plans to remove the FileSystem API if it sees no legitimate use outside of the aforementioned discovery technique, would this have any impact on the FileReader API in any way shape or form? I only ask this as the FileReader API is key component of a major web project of mine.

The best things in life go on sale sooner or later.

Working...