It was trivial to detect Incognito mode, and it's at least as trivial to do it as it was before. The browser project has more attack surface and maintenance burden along with the opportunity cost from taking this approach rather than making real improvements with those resources.
As software, Chromium is not more private or more secure. It's slightly more complex and harder to maintain. It's not better positioned than it was before to address this, if they deem it to be something worth properly addressing in a meaningful way.
It doesn't break a class of malicious sites. That's a misrepresentation of it. The only thing that it accomplished is a one-time adjustment by the adversaries. It only addressed one way this was being detected, and they had the time they needed to adjust. Code is still there.
Metric that breaking things for one evil agent for a limited amount of time is worse than letting that actor do what it's doing, including the cost of implementing that mitigation, please.
You're beating around the bush.
Incognito is no harder to detect than before. There is no way to present the software as having improved privacy. The adversaries weren't prevented from doing it for any period of time. They weren't even inconvenienced in any substantial way but rather had to update a library.
Yes, so they had to update a library, and that means the attack didn't work for a period of time. That's quantifiable, and you're acting like it isn't.
You're a proponent of setting goals and measuring success in metrics of goal achievement, but if your declared goal was privacy
There was never a point in time where it was prevented. You can't even claim what you're trying to claim because the feature wasn't developed in secret and then launched as a surprise way to temporarily disrupt privacy-invasive code. That would be quite silly, and didn't happen.
Then I might have fundamentally misunderstood the point of the mitigation. I thought it was addressing an approach done by a set of websites in the wild, which then couldn't use that approach for a limited duration of time, and hence didn't work. Not "generally", not "forever". 1/2
So, if you said that there were 0 malicious sites that were non-functional for any time (not even "like only for a week", not any time), then I was wrong to argue. 2/2
That's not relevant to whether the privacy or security of the software has been improved. As I keep mentioning, Safe Browsing already exists and code doesn't need to be added to the browser to disrupt malicious sites by blacklisting them as malicious or otherwise harmful.
Safe Browsing already provides support for the enumerating badness approach, and in a low latency way. This change was developed and went through the usual release cycle. It wasn't released as a surprise. It wasn't disruptive. It even had tons of media coverage before shipping...
... but regardless, anything not providing any fundamental privacy or security improvements is not a real privacy or security feature. Safe Browsing already exists and no code needs to be added to blacklist a site as malicious with low latency (unlike 18+ week release cycles).

