let me get opportunity cost out of the way: exploit is found, mitigation known. Vendor doesn't fix it, says "waiting for the big solution". Good situation?
re: weaker security: could you elaborate on that? That sounds like the usual "attack surface is proportional to code" 1/2
Conversation
Chromium didn't prevent detecting Incognito mode, and it still doesn't do that. They didn't fix anything, and they haven't committed to changing this. There is no increase to privacy or security. There is more attack surface, and users are less informed about Incognito provides.
1
how can you first state that it required abusers to rewrite their attacks (so, it was effective against the attack that was actively deployed), and then state it has no effect? That's a contradiction.
2
That's a complete misrepresentation of what I've been saying. I never said that it has no effect. I said Chromium privacy and security is no better than before, and it now has additional complexity and maintenance burden. You don't seem to disagree, and need a strawman instead.
1
hey, sorry if I came across like that.
It's just that I feel you're proposing better metrics, and I feel that metrically, that mitigation seems like the thing to do (one problem down, only a potential problem appears).
Could you explain your metric? How's not doing that better?
1
I'm stating the obvious, which is that if a feature does not provide quantifiable privacy or security benefits it isn't actually a real privacy or security improvement. Breaking very specific legacy code is a much different thing than fundamentally improving privacy or security.
1
hey, don't call it obvious if the village idiot (that's me!) doesn't understand it ;)
And I still don't see how "it breaks a class of malicious sites" isn't quantifiable. That's simply a false statement, if you ask me.
1
It was trivial to detect Incognito mode, and it's at least as trivial to do it as it was before. The browser project has more attack surface and maintenance burden along with the opportunity cost from taking this approach rather than making real improvements with those resources.
2
Ok, I really need to stop getting sidetracked here, and ask the central questions more directly:
· What's the metric that says this mitigation has negative effect, aside from the Daniel-says-so metric?
1
More code, more complexity, time spent by developers and users further misled about what Incognito provides and is intended to provide. It's no harder for someone to detect Incognito compared to before so as software the browser doesn't provide any additional privacy than before.
1
There isn't an unlimited budget for privacy and security features. Substantial resources were dedicated to do something that doesn't work, and resources will continue to be allocated to it since it's part of the software project. It reduces the time spent on actual improvements.
Seriously, metric. How is time better spent on fixing potential issues than fixing one that is acute, now.
1
The metric is that Incognito is no harder to detect than before. No issue was fixed. No problem was addressed. The code is larger, more complex and harder to maintain. This change was not part of a path to addressing the problem. It has no place in a solution. It's not progress.
1
Show replies