Incognito Mode Detection Still Works in Chrome Despite Promise To Fix (zdnet.com)
Websites are still capable of detecting when a visitor is using Chrome's incognito (private browsing) mode, despite Google's efforts last year to disrupt the practice. From a report: It is still possible to detect incognito mode in Chrome, and all the other Chromium-based browsers, such as Edge, Opera, Vivaldi, and Brave, all of which share the core of Chrome's codebase. Furthermore, developers have taken the scripts shared last year and have expanded support to non-Chrome browsers, such as Firefox and Safari, allowing sites to block users in incognito mode across the board. Currently, there is no deadline for a new Chrome update to block incognito mode detections; however, today, Google might be interested more than ever in fixing this issue.
That's going to be pretty hard to fix (Score:5, Insightful)
It would be a fair assumption that if a website isn't receiving telemetry from the browser at all, it's in incognito mode.
Re: (Score:2)
You're right. Web sites worldwide can assume "it's either incognito mode, or Joe."
Re:That's going to be pretty hard to fix (Score:4, Informative)
uBlock with the "Annoyances" filters on at least blocks the "you're browsing in private mode so fuck you" preventers everywhere I've run into them.
SRSLY "turn off private mode or create an account with us?" Go fuck yourself.
Re:That's going to be pretty hard to fix (Score:5, Informative)
Re: (Score:3)
Re: (Score:2)
Okay, but then what stops me from using the browser in normal, non-incognito mode, and running manually a script that cleans the history, cookies etc. after closing it? Isn't this equivalent to incognito mode?
Re:That's going to be pretty hard to fix (Score:5, Informative)
Re: (Score:2)
It's also to stop the website identifying you, which means it has to be indistinguishable from normal browsing mode on the server end. Otherwise they can just track the incognito browser from a particular IP address.
What does the FileSystem API do? (Score:3)
From the article
"Before Chrome 76, the FileSystem API was simply not available in incognito mode, and website operators only had to query this API to find out if a user was using incognito mode. With Chrome 76, Google activated the FileSystem API for incognito mode windows making previous detection scripts useless. However, this update wasn't foolproof. Google didn't fully activate the FileSystem API, but merely set up a hard limit to the amount of storage space that incognito mode windows could access, at 120 MB."
So what does the FileSystem API actually do? What would a website legitimately use it for?
Re:What does the FileSystem API do? (Score:4, Interesting)
It's mostly for web-based apps. Self-managed caching for resources (like game assets or emails or documents for offline editing) being one example. It's Google - they make their browser cater to their own web projects regardless of whether it's in the public interest.
Re: (Score:2)
"So what does the FileSystem API actually do? What would a website legitimately use it for?"
Trackers and cookies but those aren't stored to any file in incognito mode.
I also don't get it, 'incognito' means just that daddy won't see that you used his computer, the websites still strip you naked.
Re: (Score:2)
I use Incognito near daily to log into the same web site twice with different logins without having to use multiple browsers. Or just using any login of a client of mine where I don't want my tracking cookies mixed with theirs. If I used a shared computer at home, I might hide holiday gift shopping.
Anyone thinking Incognito protects their private information is insane.
Re: (Score:1)
It's not just that it doesn't save data to the client's disk permanently. It doesn't load anything from the disk either. When you start incognito mode it's like a brand new PC with a brand new browser with no cookies, no saved data, and nothing to identify a user. Closing incognito mode and re-opening resets all that and you're starting from scratch again.
If you want to be logged into a web site under 2 different accounts at once but want to use Chrome for both instances, you can do this just by opening an
Re: (Score:3)
Basically it's large storage support. One use would be caching - a web email client can download a list of headers and display them quickly, and it can pre-cache unread emails so you can read them and it wouldn't have to cross the network.
Alternatively, games could use them to store assets and save files. Think of the internet archive letting you play MS-DOS games in DosBox in the browser - the WebAssembly version
Re: (Score:2)
Legit uses: Office 365, Google Docs, and any other "Web App" which you prefer worked with data on your machine rather than the cloud. The API basically punches through the isolation that is your browser to allow you to access your disk. Ever wonder why Java Applet's save dialogue looked so different to Windows's back in the day? Same reason.
If a site won't let me access because of settings (Score:5, Informative)
I probably didn't need to access that particular site, there's probably another one or ten just like it.
The same is true of sites that block you because you are running an ad-blocker, or tracker blocker.
Re: (Score:2)
The cold war between privacy and ad revenue is becoming very hot. It is difficult to stop autoplay, and difficult to close the floating windows. Tracking is becoming more subtle even as browsers claim to stop it.
And it seems to just be a philosophical battle at this point. I mean if you pay $5 or $10 a month, it see
Consequences of browser monoculture (Score:3, Insightful)
Re: (Score:2)
As the summary says, Web sites are also able to tell if you are in incognito mode on non-Chromium browsers like Firefox and Safari.
While I agree with your basic point, in this specific instance it doesn't matter if you are part of the monoculture or not.
Re: (Score:2)
Firefox and Safari don't belong to a company that relies on user tracking as a core business model.
If sites can detect incognito mode on those browsers it's because they still need a bit of work.
Re: (Score:2)
How does that fact support the argument that this vulnerability is a consequence of the Chromium monoculture?
The fact that Web sites can detect incognito mode in any browser, even those that don't depend on tracking as a business model, is an indication of just how hard it is to hide the fact that you are in incognito mode. The basic fact is, incognito mode must by definition behave differently than "normal" mode, in some way. And if there is a difference in the way the browser behaves, then clever develo
I'm torn on this (Score:2)
A government provided service should only collect the minimum amount of information about a visitor.
The kick in the nuts is the tracking service that Google provides to websites. That i
Re: (Score:2)
Complaining about Google's privacy violating services is no different than complaining about having to pay money at a restaurant for food.
Yes it is.
(And I justified my statement as much as you did yours.)
Re: I'm torn on this (Score:3)
When you go to a restaurant, they give you a menu (at some restaurants it is posted outside before you go in) with the prices. You make the decision whether you are willing to pay the listed price.
The privacy-invading, ad-based model that the majority have willingly agreed to is horrendous. There is little evidence that i
Re: (Score:1)
about the same difference putting "crap" on my computer.
Private Internet Access, Win10 host and linux guest with no interactions] + adguard and srpitblock.
Re: I'm torn on this (Score:2)
Don't visit the site--you are just encouraging the business model. They are still selling ads and you are helping to keep them in business. In my ideal world, ad-supported websites would run their own ad-sales and there would be no privacy-invading network. Ad bureaus would buy ads from the content providers. Google and Faceb
Re: (Score:2)
How is it different?
Would you go to a restaurant that required you to pay for the food before they even let you see the menu?
Re: I'm torn on this (Score:2)
Likewise, if I go to a restaurant and order food without looking at the menu, then I have obligated myself to pay.
Going to a new website using incognito mode and an adblocker is a good idea. It allows you to evaluate how they operate the website.
Re: (Score:2)
I've done this. It was a Chinese buffet. Sometimes it works out, sometimes it doesn't.
Purpose (Score:1)
Re:Purpose (Score:4, Informative)
Incognito mode does not stop ads. It doesn't stop anything at all really. It just erases history, cookies, and session/local storage once the window gets closed. That's all it does.
They care because what it stops is their ability to easily recognize and track your individual habits. Every time you return you look like a brand new user they have never seen before, and if they are in the business of monetizing their ability to track and target you it wastes their time and resources because they can't determine how best to exploit your habits over time.
i.e. It does not stop ads, it just makes it so the advertising networks can't use your browsing habits to figure out WHAT you will click on.
Re: (Score:1)
Re: (Score:1)
Firefox has had this issue for at least 8 years (Score:1)
https://bugzilla.mozilla.org/show_bug.cgi?id=781982 - it sounds like a variation on the Chrome issue.
Surprised... (Score:2)
It's time to limit Javascript's power (Score:3)
Javascript inside the browser is waaaaay too powerful. It's time to separate it into e.g. an "App-Mode" (for sophisticated Web-Apps) and a "Browser-Mode" where it is really only allowed to do a very narrow set of things, good enough for rendering content that doesn't require much interaction. Then let the user consciously enable "App-Mode" for each site. If they discover that 90% of the web still works fine (not the case if you run NoScript now), they'll ignore the other 10% and these sites need to adapt.