Chrome Deploys Deep-Linking Tech in Latest Browser Build Despite Privacy Concerns (theregister.co.uk)
Google has implemented a browser capability in Chrome called ScrollToTextFragment that enables deep links to web documents, but it has done so despite unresolved privacy concerns and lack of support from other browser makers. From a report: Via Twitter on Tuesday, Peter Snyder, privacy researcher at privacy-focused browser maker Brave Software, observed that ScrollToTextFragment shipped earlier this month in Chrome 80 unflagged, meaning it's active, despite privacy issues that have been raised. "Imposing privacy and security leaks to existing sites (many of which will never be updated) REALLY should be a 'don't break the web,' never-cross redline," he wrote. "This spec does that." The debate over the feature percolated last year on mailing lists and in GitHub issues posts and picked up in October when the team working on Chrome's Blink engine declared their intent to implement the specification. The feature rollout serves to illustrate that the consensus-based web standards process doesn't do much to constrain the technology Google deploys.
Privacy Concerns (Score:4, Insightful)
Re: (Score:2)
Chrome is just 1 big Privacy Concern. How is adding this change anything.
That's why I avoid Chrome, or even Chromium-based browsers at all costs.
Yes, I know Chromium is the 'basic' browser without all Privacy Rapists 2.0's [slashdot.org] crap, but I consider it "tainted" - for example, Brave knows about this new deep linking and can remove it, but would other Chromium-based browsers (MS Edge, etc.) notice/know to remove it too?
Re: (Score:3)
Open chrome://flags/ and search for "Enable Text Fragment Anchor." then disable it.
Re: (Score:2)
Open chrome://flags/ and search for "Enable Text Fragment Anchor." then disable it.
Don't need to - I don't have Privacy Rapists 2.0's [abc.xyz] privacy raping crap on my system :).
more info, pls (Score:5, Interesting)
it's a way to specify in a URL/link which part of the text in a site you'd like to locate; this is different than the site author putting in an anchor tag with the '#' parameter
how is locating text that is already being sent to the browser a privacy thing? if it shouldn't be read, don't send/include it on the site
legit question, what am I missing?
Re: (Score:2)
I still don't get it. This sounds like security by obscurity, which isn't security at all.
Re:more info, pls (Score:4, Informative)
Imagine I run a website that serves ads. I know the ad company is shady and knows everything about my visitors. I also know the ad company will serve Trump ads to Republican visitors and Bloomberg ads to Democratic visitors.
Now I can give visitors a URL that scrolls to "Trump" in one of my pages. I can also detect whether that scrolling happened via javascript (e.g. timers) or other ways (e.g. delayed-loading images or iframes). That means now I can tell whether my visitor is a Republican or a Democrat.
Maybe this exact example wouldn't work this way, but it's the general idea.
Re: (Score:1)
What? That makes zero sense. You can make a website "scroll" to whatever you want using an anchor tag.
Re: (Score:2)
What? That makes zero sense. You can make a website "scroll" to whatever you want using an anchor tag.
This "feature" allows scrolling (technically, direct navigation) to any arbitrary word/phrase regardless of whether there's an anchor at that location. So, navigation based on content, not markup.
I'm still uncertain about the privacy effects of using this, but I believe it can be disabled in Chrome using the flag
Enable Text Fragment Anchor.
Enables scrolling to text specified in URL's fragment. – Mac, Windows, Linux, Chrome OS, Android
#enable-text-fragment-anchor
Re: (Score:3)
Clarification: Imagine I run a news website that embeds ads from a shady third-party ad company.
The result is that I, as the news-site-owner, get information about my visitors that otherwise only the ad-company has.
Re: (Score:3)
How is this different from you simply adding partyAffiliation=Democrat to the url?
Re: (Score:3)
Before this "feature" you could just have a Trump id/anchor, and give out links to #Trump. Wouldn't that be the same thing?
Re: (Score:1)
So, you just robbed the ad company of their hard-earned data about your visitors. I fail to see the privacy concern here. At worst, you profited from a privacy breach someone else has already exploited.
Re:more info, pls (Score:5, Informative)
The goal of the feature is basically similar to "go to this page, then Ctrl+F for this text". One of the Google docs linked in the article suggests that for Chrome, that might even be the literal implementation. The privacy concern is that the linked website would be able to detect the act of this automated scrolling, then infer roughly what text snippet was linked.
(The Google doc mentions timing-based detection as a possibility, as well as scroll-event-based detection.)
This sort of search is only worth doing if the snippet being searched for is relatively unique on the page, and thus has high information content. Because the user clicked on such a link rather than looking at a page from a web search, or even a link to the site at a high-level, the text is presumably very relevant to the link-follower. For example, you won't create a link with the text "from the" because it will misfire more often than not, but you might for something like "from the office of the Surgeon General".
This also assumes that the attack is conducted by the linked site. That means this is a website you want to go to, but which you don't necessarily trust. That's actually a pretty safe assumption for any site in the age when everything is used to fingerprint the user for advertising purposes, and that information is then sold off. But the example of someone who you want to control the flow of information towards -- an insurance company, a customer, an employer, a competitor, a lawyer -- is also a solid one.
An alternative attack is to use the linked page to infer something about the reader. An example is: if the page contains a string like "User Type: Admin", then the person who followed the link is a system admin that can be targeted for attack.
An alternative attack is a cross-site search attack. The success/failure in finding the linked text leaks information. This can give you a yes/no on some questions like "did they receive an email from 'hiring@snap.com'?" (The trick is searching for link text "No messages matched your search" to indicate they did NOT receive such a message.)
So far, they've figured out a few cases that demonstrate this can leak 1 bit (yes or no) of information, which is a privacy concern but not a security concern. More information could be leaked if a user action were not required to follow the link, which is not the case so far (but sounds like something easy to forget about over time).
Re: (Score:3)
not to discount humanity's innovations of new ways to exploit/advance something nefarious, but those 'data leaks' seem fairly minor compared to many other issues of real privacy concern
white hat uses seem fine for me, helpful even, for this; accepting a bit of risk or downside is usually how (my) life works; also, if it does become a concern, it would be trivial for a plugin or the like to strip such things from the URLs/sites your browser visits
there's a part of me that thin
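The URL stripping mentioned in the comment above, sketched as an added example (not code from the thread, from Chrome, or from any existing plugin): it parses the ":~:text=" fragment directive syntax the feature uses and returns the link with the directive removed and any ordinary #anchor kept. Function names and sample URLs are constructed for illustration.

```javascript
// Added example: inspect and strip text-fragment directives from a link.
const DELIM = ':~:'; // separates the ordinary fragment from the directive

// Percent-decode, tolerating malformed escapes in untrusted links.
function decode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// "#anchor:~:text=a&text=b" -> { fragment: "anchor", directive: "text=a&text=b" }
function splitFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  const i = raw.indexOf(DELIM);
  return i === -1
    ? { fragment: raw, directive: null }
    : { fragment: raw.slice(0, i), directive: raw.slice(i + DELIM.length) };
}

// One text= value has the shape: [prefix-,]start[,end][,-suffix]
function parseTextDirective(value) {
  const parts = value.split(',');
  const out = { prefix: null, start: null, end: null, suffix: null };
  if (parts.length > 1 && parts[0].endsWith('-')) {
    out.prefix = decode(parts.shift().slice(0, -1));
  }
  if (parts.length > 1 && parts[parts.length - 1].startsWith('-')) {
    out.suffix = decode(parts.pop().slice(1));
  }
  out.start = decode(parts[0]);
  if (parts.length > 1) out.end = decode(parts[1]);
  return out;
}

// Returns the text snippets a link targets plus the same URL without them.
function inspectLink(href) {
  const url = new URL(href);
  const { fragment, directive } = splitFragment(url.hash);
  const texts = [];
  if (directive !== null) {
    for (const item of directive.split('&')) {
      if (item.startsWith('text=')) texts.push(parseTextDirective(item.slice(5)));
    }
  }
  url.hash = fragment; // empty string removes the fragment entirely
  return { texts, cleanUrl: url.toString() };
}

// Constructed sample link, using the phrase quoted earlier in the thread.
const sample = 'https://news.example/article#:~:text=from%20the%20office%20of%20the%20Surgeon%20General';
console.log(inspectLink(sample));
```
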
Re:more info, pls (Score:4, Insightful)
This also assumes that the attack is conducted by the linked site.
In which case the linked site could also have conducted the "attack" by providing an anchor to link to. Maybe I'm missing something here, but I'm really not seeing how this leaks even a single bit that couldn't be "leaked" in other ways with existing tech.
Google's hedonic calculus (Score:2)
This will cost you some privacy. On the other hand this will make us a little money.
When you put it that way, it's clear what each party in this would prefer, but only one party gets to make the decision.
Let's fork the web? (Score:3, Interesting)
In addition, they are controlled by for-profit monopolist amoral companies who direct their development not towards maximizing the freedom of the users of the web, but rather in the direction of increasing their own profits and ensuring that their position of power remains unchallengeable.
In the 90s Linux proved to the world that software developed for passion can smash the prospects of domination of even the most entrenched monopolist. Protocols are meant for achieving interoperability, not to limit citizenship. People don't need the same web that Google and Microsoft want, so why don't we just design our own? The IP protocol still gives us that freedom.
(My first proposal is to restore the <BLINK> tag.)
Re: (Score:1)
https://www.ietf.org/id/draft-... [ietf.org]
https://www.rfc-editor.org/inf... [rfc-editor.org]
https://www.rfc-editor.org/rfc... [rfc-editor.org]
https://www.rfc-editor.org/inf... [rfc-editor.org]
https://www.rfc-editor.org/inf... [rfc-editor.org]
https://www.rfc-editor.org/inf... [rfc-editor.org]
These cover just the bare minimum for your recipients to be able to receive your page. We're not even talking about displaying it.
How is ScrollToTextFragment a security leak? (Score:3)
How is "ScrollToTextFragment" more of a security leak than <a href="https://site.tld/page">(do a find on "target text fragment")</a>?
So it does it automagically for you, rather than requiring you to cut, paste, and hit return. So what? Anybody can point you to the text at the "deep spot" and show you how to get there using the built-in text searching tools of existing browsers.
When someone publishes a page he publishes the whole page, including its source code. There's nothing "secret" about a string buried in a tl;dr wall of text. So there's no "security leak" when someone linking to it points out the particular snippet he's linking to.
Re: How is ScrollToTextFragment a security leak? (Score:2)
The contrived example given is someone who can snoop on your DNS queries can infer where in the page you just clicked to from a search engine with these deep links containing your search query by the order of the DNS queries your browser makes, assuming it loads 3rd party content in the scrolled to viewport first.
Assuming they control your DNS server
Assuming they know the exact content of the page you're loading
Assuming your computer hasn't already cached the DNS queries
Assuming you're not blocking the 3rd