Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Chrome IT

Incognito Mode Detection Still Works in Chrome Despite Promise To Fix (zdnet.com) 40

Websites are still capable of detecting when a visitor is using Chrome's incognito (private browsing) mode, despite Google's efforts last year to disrupt the practice. From a report: It is still possible to detect incognito mode in Chrome, and all the other Chromium-based browsers, such as Edge, Opera, Vivaldi, and Brave, all of which share the core of Chrome's codebase. Furthermore, developers have taken the scripts shared last year and have expanded support to non-Chrome browsers, such as Firefox and Safari, allowing sites to block users in incognito mode across the board. Currently, there is no deadline for a new Chrome update to block incognito mode detections, however, today, Google might be interested more than ever in fixing this issue.
This discussion has been archived. No new comments can be posted.

Incognito Mode Detection Still Works in Chrome Despite Promise To Fix

Comments Filter:
  • by kwelch007 ( 197081 ) on Thursday June 04, 2020 @04:30PM (#60146318) Homepage

    It would be a fair assumption that if a website isn't receiving telemetry from the browser at all, it's in incognito mode.

    • by samwichse ( 1056268 ) on Thursday June 04, 2020 @05:25PM (#60146536)

      uBlock with the "Annoyances" filters on at least blocks the "you're browsing in private mode so fuck you" preventers everywhere I've run into them.

      SRSLY "turn off private mode or create an account with us?" Go fuck yourself.

    • by galvanash ( 631838 ) on Thursday June 04, 2020 @05:36PM (#60146576)
      That isn't the issue really. Cognito mode does not stop telemetry from working, it doesn't stop anything from working really. All it does is make ookies/localstorage/sessionstorage/etc disappear when you close the browser. That's it. While your interacting with a website you should look exactly the same to them whether cognito is on or off. The problem is that right now their are various side channel leaks that can detect that you have it turned on. Many have been fixed, but not all of them yet apparently. tldr; if it is working right there would be no way to detect that it was turned on.
      • by Revek ( 133289 )
        I never have mod points when I need them. The statement above needs to be modded up.
      • by vbdasc ( 146051 )

        Okay, but then what stops me from using the browser in normal, non-incognito mode, and running manually a script that cleans the history, cookies etc. after closing it? Isn't this equivalent to incognito mode?

    • by bloodhawk ( 813939 ) on Thursday June 04, 2020 @05:46PM (#60146608)
      incognito mode doesn't stop telemetry etc. It is about not leaving a trace of your history, cookies etc on the machine after you close the browser window and not sharing details with other non incognito windows.
      • by AmiMoJo ( 196126 )

        It's also to stop the website identifying you, which means it has to be indistinguishable from normal browsing mode on the server end. Otherwise they can just track the incognito browser from a particular IP address.

  • by ardmhacha ( 192482 ) on Thursday June 04, 2020 @04:36PM (#60146346)

    From the article

    "Before Chrome 76, the FileSystem API was simply not available in incognito mode, and website operators only had to query this API to find out if a user was using incognito mode. With Chrome 76, Google activated the FileSystem API for incognito mode windows making previous detection scripts useless. However, this update wasn't foolproof. Google didn't fully activate the FileSystem API, but merely set up a hard limit to the amount of storage space that incognito mode windows could access, at 120 MB."

    So what does the the FileSystem API actually do? What would a website legitimately use it for?

    • by omnichad ( 1198475 ) on Thursday June 04, 2020 @04:42PM (#60146384) Homepage

      It's mostly for web-based apps. Self-managed caching for resources (like game assets or emails or documents for offline editing) being one example. It's Google - they make their browser cater to their own web projects regardless of whether it's in the public interest.

    • "So what does the the FileSystem API actually do? What would a website legitimately use it for?"

      Trackers and cookies but those aren't stored to any file in incognito mode.

      I also don't get it, 'incognito' means just that daddy won't see that you used his computer, the websites still strip you naked.

      • I use Incognito near daily to log into the same web site twice with different logins without having to use multiple browsers. Or just using any login of a client of mine where I don't want my tracking cookies mixed with theirs. If I used a shared computer at home, I might hide holiday gift shopping.

        Anyone thinking Incognito protects their private information is insane.

      • It's not just that it doesn't save data to the client's disk permanently. It doesn't load anything from the disk either. When you start incognito mode it's like a brand new PC with a brand new browser with no cookies, no saved data, and nothing to identify a user. Closing incognito mode and re-opening resets all that and you're starting from scratch again.

        If you want to be logged into a web site under 2 different accounts at once but want to use Chrome for both instances, you can do this just by opening an

    • by tlhIngan ( 30335 )

      So what does the the FileSystem API actually do? What would a website legitimately use it for?

      Basically it's large storage support. One use would be caching - a web email client can download a list of headers and display them quickly, and it can pre-cache unread emails so you can read them and it wouldn't have to cross the network.

      Alternatively, games could use them to store assets and save files. Think of the internet archive letting you play MS-DOS games in DosBox in the browser - the WebAssembly version

    • Legit uses: Office 365, Google Docs, and any other "Web App" which you prefer worked with data on your machine rather than the cloud. The API basically punches through the isolation that is your browser to allow you to access your disk. Ever wonder why Java Applet's save dialogue looked so different to Windows's back in the day? Same reason.

  • by bobstreo ( 1320787 ) on Thursday June 04, 2020 @04:53PM (#60146426)

    I probably didn't need to access that particular site, there's probably another one or ten just like it.

    The same is true of sites that block you because you are running an ad-blocker, or tracker blocker.

    • by fermion ( 181285 )
      Many sites are becoming much more aggressive about blocking users that don't allow fully tracking and data mining access. I noticed that I locked down Safari, many sites failed to function.

      The cold war between privacy and ad revenue is become very hot. It is difficult to stop autoplay, and difficult to close the floating windows. Tracking is becoming more subtle even as browsers claim to stop it.

      And it seems to just be a philosophical battle at this point. I mean if you pay $5 or $10 a month, it see

  • by xack ( 5304745 ) on Thursday June 04, 2020 @05:02PM (#60146472)
    You were warned not to touch the chromium fruit, now you have to deal with cross browser exploits. If you had an independent engine the attack surface would be smaller.
    • As the summary says, Web sites are also able to tell if you are in incognito mode on non-Chromium browsers like Firefox and Safari.

      While I agree with your basic point, in this specific instance it doesn't matter if you are part of the monoculture or not.

      • Firefox and Safari don't belong to a company that relies on user tracking as a core business model.

        If sites can detect incognito mode on those browsers it's because they still need a bit of work.

        • How does that fact support the argument that this vulnerability is a consequence of the Chromium monoculture?

          The fact that Web sites can detect incognito mode in any browser, even those that don't depend on tracking as a business model, it's an indication of just how hard it is to hide the fact that you are in incognito mode. The basic fact is, incognito mode must by definition behave differently than "normal" mode, in some way. And if there is a difference in the way the browser behaves, then clever develo

  • I do believe that a non-governmental website should have the ability to restrict access to the service they provide. If you don't like the privacy stealing deal, don't use the service. Complaining about Google's privacy violating services is no different than complaining about having to pay money at a restaurant for food.

    A government provided service should only collect the minimum amount of information about a visitor.

    The kick in the nuts is the tracking service that Google provides to websites. That i

    • by starless ( 60879 )

      Complaining about Google's privacy violating services is no different than complaining about having to pay money at a restaurant for food.

      Yes it is.

      (And I justified my statement as much as you did yours.)

      • How is it different? The web site has stated upfront the price of receiving the service from them. You as a consumer have the decision whether that is a reasonable price you want to pay.

        When you go to a restaurant, they give you a menu (at some restaurants it is posted outside before you go in) with the prices. You make the decision whether you are willing to pay the listed price.

        The privacy-invading, ad-based model that the majority have willingly agreed to is horrendous. There is little evidence that i

        • Just because I accept their price does not mean I would accept their "salmonella salad" even though it was included in the price as that just cost me more.
          about the same difference putting "crap" on my computer.
          Private Internet Access, Win10 host and linux guest with no interactions] + adguard and srpitblock.
          • If they advertised a "salmonella salad" and you chose to buy it, that's on you. We all know that any website blocking incognito mode visitors is the equivalent of a salmonella salad.

            Don't visit the site--you are just encouraging the business model. They are still selling ads and you are helping to keep them in business. In my ideal world, ad-supported websites would run their own ad-sales and there would be no privacy-invading network. Ad bureaus would buy ads from the content providers. Google and Faceb

        • How is it different?

          Would you go to a restaurant that required you to pay for the food before they even let you see the menu?

          • If I go to a website in incognito mode and it prompts me to turn it off, then I know the price of admission.

            Likewise, if I go to a restaurant and order food without looking at the menu, then I have obligated myself to pay.

            Going to a new website using incognito mode and an adblocker is a good idea. It allows you evaluate how they operate the website.

          • I've done this. It was a Chinese buffet. Sometimes it works out sometimes it doesn't.

  • Why would a website care if I am using incognito mode? I suppose it stops them from creating a user profile for advertising purposes? But blocking browsers that are in incognito mode also means that they will not be displaying any ads. I must be missing something.
    • Re:Purpose (Score:4, Informative)

      by galvanash ( 631838 ) on Thursday June 04, 2020 @06:24PM (#60146748)

      Incognito mode does not stop ads. It doesn't stop anything at all really. It just erases history, cookies, and session/local storage once the window gets closed. That's all it does.

      They care because what it stops is their ability to easily recognize and track your individual habits. Every time you return you look like a brand new user they have never seen before, and if they are in the business of monetizing their ability to track and target you it wastes their time and resources because they can't determine how best to exploit your habits over time.

      i.e. It does not stop ads, it just makes it so they advertising networks can't use your browsing habits to figure out WHAT you will click on.

      • Thanks for the reply. I know that incognito does not stop ads. As I said, it stops them from creating a 'profile' on you. I can see why ad networks would not like that. But for a website which displays ads then not displaying an ad (if they block the user) would not make sense. ie. Even without a profile an ad can be displayed. I suppose that the revenue would be lower (advertisers pay more for a targeted audience), but I don't see this being a major factor (what percentage of users use incognito? Ad-blocke
    • by Tom239 ( 705010 )
      Paywalled media sites that let you read a limited number of articles a month for free have an interest in detecting incognito mode. Before they plugged the loophole, incognito used to let you read as much as you wanted for free.
  • https://bugzilla.mozilla.org/show_bug.cgi?id=781982 - it sounds like a variation on the Chrome issue.

  • Surprised that seemingly so many of the Slashdot community aren't running DNS ad blackholers.
  • by andi75 ( 84413 ) on Friday June 05, 2020 @06:36AM (#60148368) Homepage

    Javascript inside the browser is waaaaay too powerful. It's time to separate it into e.g. and "App-Mode" (for sophisticated Web-Apps) and a "Browser-Mode" where it is really only allowed to do a very narrow set of things, good enough for a rendering content that doesn't require much interaction. Then let the user consciously enable "App-Mode" for each site. If they discover that 90% of the web still works fine (not the case if you run NoScript now), they'll ignore the other 10% and these sites need to adapt.

Put your Nose to the Grindstone! -- Amalgamated Plastic Surgeons and Toolmakers, Ltd.

Working...