Most of the browser privacy features that I see being implemented across browsers (Firefox, Chrome, Brave, Safari) are little more than privacy theatre with unclear end goals. If they want to hide that Incognito is being used, they should state that and publish a design document.
Conversation
A nice example is Safari hiding WEBGL_debug_renderer_info to supposedly mitigate hardware fingerprinting distinguishing between Apple devices. I don't see how that's actually supposed to work. This applies to a huge portion of the privacy mitigations in browsers and extensions.
1
3
Instead of aiming to provide fundamental privacy improvements, browsers are primarily shipping mitigations for specific code being used in the wild. They target the lowest common denominator of tracking. Safari at least has some actual substance with Chromium starting to copy it.
1
2
Mitigations should not simply be aiming to make adversaries rewrite their code and cope with minor annoyances and barriers. They should have clear threat models / goals, aiming to provide some fundamental improvement that can actually be quantified and explained in documentation.
2
6
12
Hm, I'm clearly not an expert in computer security, but as far as I can see that model needs to incorporate a lot of stochastic aspects, in which case all but very few mitigations (e.g. air-gapping) are mostly barriers, just with varying likelihood of getting surmounted.
1
If the benefits of a mitigation cannot be quantified, that doesn't sound useful. Privacy and security features need to be designed with a clear threat model and goals from the start. If they simply break existing malicious code the burden being created is really on the defenders.
1
Chromium added substantial complexity to try to remove one of the widely used methods to detect Incognito mode. It doesn't work and the goals are unclear. The only thing that has been accomplished is forcing the adversaries to update their library for detecting Incognito mode.
1
If they commit to making this a property of Incognito mode and actually come up with a plan, that would be a different story. It wouldn't look like this. It doesn't make sense to take action without having a threat model and a plan to address it. It's harmful rather than helpful.
2
I'd argue that "we've got this specific exploit, and it's being used to harm users" is a clear threat model.
Building a workaround for that single threat is a goal-oriented solution to that, no?
1/2
1
Not following on the harmfulness part: sure, it's work, but in reality not every solution generalizes, so at times (and even usually):
particular problems require particular solutions, no matter how much we wish we could solve "the bigger picture". Engineering :( ! 2/2
1
Chromium now has more attack surface and maintenance burden than before. It doesn't have improved privacy or security. It has weaker security due to this change. The defenders have more code to defend and more complexity to wrap their heads around. It had an opportunity cost too.
let me get opportunity cost out of the way: exploit is found, mitigation known. Vendor doesn't fix it, says "waiting for the big solution". Good situation?
re: weaker security: could you elaborate on that? That sounds like the usual "attack surface is proportional to code" 1/2
2
(or at least somewhere strictly monotonous with code amount), and I don't see that being the case with mitigations, because you literally reduced the amount of attacks by a number >= 1, and didn't introduce any *known* vulnerabilities, so you net gained measurable security. 2/2
1
Show replies
The adversaries are temporarily inconvenienced by the fact that they need to update their Incognito mode detection library. The defenders have taken on the burden of maintaining this additional complexity providing no ongoing benefits. It has zero benefit right now. It's useless.
1
"zero benefits": That's simply not true.
Remove it, and tadah, you gain vulnerabilities that are known to be exploited.
If you're in favor of metrics, then that's the one:
cost(this mitigation)=++maintenance
cost(not this mitigation)=exploited vulnerability
Clear, isn't it?