
Chromium calls home even in incognito mode with safe browsing turned off - calpaterson
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=792580
======
andor
Chrome can log SSL keys if you want. There's need to speculate about "unknown"
data.

[https://www.imperialviolet.org/2012/06/25/wireshark.html](https://www.imperialviolet.org/2012/06/25/wireshark.html)

~~~
paulirish
I'll add that I can't find a report of this issue upstream on the Chromium
issue tracker. :/

If we remember the hotword detection issue from a few months ago, once the
issue was filed, Chrome engineers responded rather quickly. (As of today,
hotword detection is 100% removed not just from Chromium but Chrome as well).

If anyone can reproduce this issue, I'd like to help getting it filed so we
can determine what's going on.

Edit: We've found the upstream issue:
[http://crbug.com/498272](http://crbug.com/498272) In it, we've isolated two
separate pings in this scenario. One is to grab an experiment status; we're
looking into if this is necessary. The other ping is for the component
updater, to evaluate if your Chrome extensions should be updated. Neither of
these pings report what sites you are visiting to Google.

~~~
rattray
Great response IMO. Thanks Paul!

------
awqrre
I don't think that chromium should call home at all but incognito mode is not
about this... it is about not leaving traces of your browsing history on the
local computer.

~~~
pavement
There's an implicit corollary that, if you're trying to avoid leaving behind
traces of activity on your own computer, you probably would also like to
minimize traces of activity left behind on other computers as well.

This might carry the expectation that unintentional interactions with other
systems should be eliminated, since, the fewer systems touched, means the
fewer traces of said activity there are in the entire world, no?

~~~
brbsix
That is a common misconception, but bears no resemblance to reality. As the
other commenter noted, incognito mode (for any browser) only concerns itself with the
local machine.

What you mentioned, "minimize traces of activity left behind on other
computers as well", is a difficult task. Attempting to do so requires more
advanced techniques that entail tough compromises. Consider using Tor, you are
anonymous to the endpoint (e.g. the website you visit does not have your IP),
but confidential data is not safe from prying eyes in the process.
Alternatively you can use some sort of crypt to sign and encrypt your
connection... your data is safe from prying eyes (potentially verified as
well) but you are no longer anonymous. This can all be mitigated to some
extent, but it is well outside the scope of a browser.

~~~
pavement
Certainly is an echo chamber in this whole thread.

Count the motivations to resist alterations that would doubtless improve
Chromium's respect for privacy.

~~~
sangnoir
> Count the motivations to resist alterations that would doubtless improve
> Chromium's respect for privacy.

That's a very indirect way of explaining motivations. I am certain that there
are conflicting requirements that have tradeoffs and are not as black-and-white
as you make it seem.

Firefox is a great contrast to Chromium since they are likely to have greater
respect for privacy. Is there a privacy aspect that Chromium lags
significantly behind Firefox? If not, then your hypothesis (on motivation) is
wrong (proof by contradiction: Mozilla doesn't have the same motivations)

------
srtjstjsj
Chromium is an open source branch of chrome, offered as a convenience. It is
not a standalone product with its own goals. Shouldn't there be a "Chromium-
Privacy" project that branches Chromium and reviews code changes, to keep it
aligned with such goals?

~~~
slasaus
> Shouldn't there be a "Chromium-Privacy" project that branches Chromium and
> reviews code changes, to keep it aligned with such goals?

Maybe Iridium is what you're looking for. From their fp:

> Iridium is a free, open, and libre browser modification of the Chromium code
> base, with privacy being enhanced in several key areas. Automatic
> transmission of partial queries, keywords, metrics to central services
> inhibited and only occurs with consent. In addition, all our builds are
> reproducible, and modifications are auditable, setting the project ahead of
> other secure browser providers.

[https://iridiumbrowser.de/](https://iridiumbrowser.de/)

~~~
kentonv
Unfortunately these forks -- of which there are many -- often fall behind
Chromium's security updates and even introduce serious bugs of their own. E.g.
"WhiteHat Aviator", another "security-oriented" fork, had this fiasco:

[https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z](https://plus.google.com/+JustinSchuh/posts/69qw9wZVH8z)

Maybe Iridium has a better record but with so few eyes on them it's hard to
have much confidence.

Probably the best thing to do if you're worried about Chromium spying on you
is to use Firefox.

~~~
tptacek
More went wrong with Aviator than that: they munged up the code rebranding it
and made it much harder to track upstream. It also didn't start out open
source!

------
rdancer
Yep, that AS is Google:

    
    
        $ whois 2a00:1450:4009:80c::200d
        [snip]
        inet6num:       2a00:1450::/29
        netname:        IE-GOOGLE-20091005
        descr:          Google Ireland Limited
        country:        IE
        org:            ORG-GIL4-RIPE

------
jryan49
If you're using incognito mode for anything more than not recording local
browser history, I think you're using it wrong.

~~~
daveloyall
I use incognito mode to get Chrome (or Firefox) to pretend to have an empty
cookie jar. So that I can log into some site again with a different account,
for example.

~~~
jryan49
I stand corrected. No local history + cookies then.

~~~
anpk
And making sure there is nothing cached

------
drdaeman
What's this about?

The link doesn't contain any useful information besides that Chromium was
somehow opened "in incognito mode" (there's no such thing, incognito mode
applies to windows, not browser itself) and there are some connections
spotted. No information whether Chromium had sync enabled, whether it has
Google account associated, whether it has any extensions installed, etc.

Say, I see a C2DM connection to get push notifications about updates. Whether
it's legit or not depends on the context. If browser's core has logged in user
and a bunch of extensions installed, I'd say it's a bug if said connection is
not present, even if no non-incognito windows are open at the moment.

------
kragen
Maybe it's updating its list of sites that are known to be infected with
malicious code? Firefox does this, and it seems like a good idea to me. (I
wish it didn't.) How is Chromium's malicious site filtering implemented?

It's good to be transparent about this, but maybe this is something legitimate
and safe that's already documented, and the Debian user and maintainer just
haven't found the documentation yet.

~~~
scintill76
That's what "safe browsing turned off" (or "malware protection" in the report
text) is ruling out.

~~~
kragen
Oh, thanks! I didn't understand that part.

------
kbenson
Is this the hotword component[1][2] again?

1:
[https://news.ycombinator.com/item?id=9758759](https://news.ycombinator.com/item?id=9758759)

2:
[https://news.ycombinator.com/item?id=9771212](https://news.ycombinator.com/item?id=9771212)

~~~
abraham
No, the hotword component has been removed.

[https://productforums.google.com/forum/#!topic/chrome/6wIqlx...](https://productforums.google.com/forum/#!topic/chrome/6wIqlxPZq4o)

------
blub
Using a web browser from a company basing most of its income on web
advertising does come with such unpleasantness.

I was hoping mozilla would have their users' back, but a default install of
Firefox also makes multiple connections to mozilla, google and other domains
when started. Some extensions (notably NoScript and Ghostery) ping the
mothership.

Safari connects to configuration.apple.com and the google website blacklist.
uBlock for Safari tries to update itself even if no one asked it to.

Later edit: I have been told that I am perhaps being unfair to Mozilla. Let's
see - I started reading
[https://support.mozilla.org/en-US/kb/how-stop-firefox-making...](https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections),
to see how I can stop Firefox from connecting to servers without being
requested to. While it's nice that they provide this page, this article's
breadth only serves to prove that this browser is out of control when it comes
to making connections to servers by itself.

I have the following settings:

* disabled Firefox health report

* disabled crash reporting

* never check for updates

* do not check for addon updates

* block reported attack sites

* block reported forgeries

After reading the page, it turns out that I also have to disable the following
from about:config:

* the addons blocklist

* link prefetching

* DNS prefetching

* speculative pre-connections

* Firefox Hello

* tiles, even if they were already disabled from the UI

* the default search engine geo-location

* the what's new page

* add-on metadata updating

* the heartbeat

For reference, here are the connections that Firefox tries to establish
immediately after startup:

Outgoing to self-repair.mozilla.org (54.230.200.16), Port https (443),
Protocol TCP (6), 0 B sent, 0 B received

Outgoing to shavar.prod.mozaws.net (52.26.89.67), Port https (443), Protocol
TCP (6), 0 B sent, 0 B received

Outgoing to safebrowsing.google.com (2a00:1450:4001:809::1005), Port https
(443), Protocol TCP (6), 0 B sent, 0 B received

Outgoing to tiles.r53-2.services.mozilla.com (52.25.98.110), Port https (443),
Protocol TCP (6), 0 B sent, 0 B received

Outgoing to cmp-cdn.ghostery.com (54.152.180.212), Port https (443), Protocol
TCP (6), 0 B sent, 0 B received

Outgoing to search.services.mozilla.com (54.69.18.27), Port https (443),
Protocol TCP (6), 0 B sent, 0 B received
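
The connection list above can be grouped by destination site and checked against the Google netblock from the whois output quoted earlier in the thread. The Python below is an added example, not part of the comment; the function names and the last-two-labels grouping in `site_of` are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# The six connections quoted in the comment above, hard-wrapped as they appear there.
FIREWALL_LOG = """\
Outgoing to self-repair.mozilla.org (54.230.200.16), Port https (443),
Protocol TCP (6), 0 B sent, 0 B received
Outgoing to shavar.prod.mozaws.net (52.26.89.67), Port https (443), Protocol
TCP (6), 0 B sent, 0 B received
Outgoing to safebrowsing.google.com (2a00:1450:4001:809::1005), Port https
(443), Protocol TCP (6), 0 B sent, 0 B received
Outgoing to tiles.r53-2.services.mozilla.com (52.25.98.110), Port https (443),
Protocol TCP (6), 0 B sent, 0 B received
Outgoing to cmp-cdn.ghostery.com (54.152.180.212), Port https (443), Protocol
TCP (6), 0 B sent, 0 B received
Outgoing to search.services.mozilla.com (54.69.18.27), Port https (443),
Protocol TCP (6), 0 B sent, 0 B received
"""

# Netblock and description taken from the whois output quoted earlier in the thread.
KNOWN_NETBLOCKS = {"Google Ireland Limited": ipaddress.ip_network("2a00:1450::/29")}

ENTRY_RE = re.compile(
    r"Outgoing to (?P<host>\S+) \((?P<ip>[0-9A-Fa-f:.]+)\), "
    r"Port \S+ \((?P<port>\d+)\), "
    r"Protocol \S+ \(\d+\), "
    r"(?P<sent>\d+) B sent, \d+ B received"
)


def parse_connections(text):
    """Return one dict per log entry; entries may be hard-wrapped across lines."""
    flat = " ".join(text.split())  # undo the wrapping before matching
    return [
        {"host": m["host"].lower(), "ip": ipaddress.ip_address(m["ip"]),
         "port": int(m["port"]), "sent": int(m["sent"])}
        for m in ENTRY_RE.finditer(flat)
    ]


def netblock_owner(ip):
    """Name the known netblock that contains ip, or None if it is not listed."""
    for owner, net in KNOWN_NETBLOCKS.items():
        if ip.version == net.version and ip in net:
            return owner
    return None


def site_of(host):
    """Naive grouping key: last two DNS labels (assumption, no public suffix list)."""
    return ".".join(host.split(".")[-2:])


def summarise(text):
    """Group contacted hosts by site, pairing each with its netblock owner if known."""
    groups = defaultdict(list)
    for conn in parse_connections(text):
        groups[site_of(conn["host"])].append((conn["host"], netblock_owner(conn["ip"])))
    return dict(groups)


if __name__ == "__main__":
    for site, hosts in sorted(summarise(FIREWALL_LOG).items()):
        for host, owner in hosts:
            print(f"{site:14} {host:34} {owner or 'netblock not listed'}")
```
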

~~~
ljk
> _Some extensions (notably NoScript and Ghostery) ping the mothership._

Could you explain what this means? Been using uBlockOrigin+NoScript+Ghostery
combo for quite some time now and never realized how NoScript might be
unsafe

~~~
blub
NoScript is unfortunately quite sketchy, I don't use it any more.

It has a whitelist supposedly to not break "top websites", but this list
contained IMO some questionable choices last I checked it. It also tries to
connect to the dev's website for no reason at all (addons are updated directly
from Firefox) and after updates, "to show the release notes".

Last but not least, this is the same dev which got involved in a scandal for
trying to underhandedly whitelist the said website into an ad-blocking addon.

~~~
okasaki
What list is that? I'm looking at it and I'm pretty sure I personally
whitelisted all of those domains. The only ones that seem to have come from
NoScript are the about:... ones

~~~
blub
I reinstalled it to check again and it seems you are correct, there's nothing
except about:* links. I remember it had some big portal websites I hadn't
visited and would not enable JS for, however I am willing to accept I was
wrong. Unfortunately, I can't edit my initial comment any more.

Thanks for checking and sorry for my confusing initial post...

------
Justsignedup
Could be it is pinging home for synchronization and not actual browsing data.

~~~
sigjuice
What do you mean by synchronization?

~~~
mod
Chromium & chrome sync all of your bookmarks, settings, etc across browsers.
If I fav something in my mobile, it shows up in my desktop.

~~~
azakai
That should only happen when logged in, and given the context here, I assume
the user was _not_ logged in (since when you're logged in, all privacy is
definitely completely lost).

------
calpaterson
The maintainer's reply is a sad statement on how hard it is just to package
and distribute a modern web browser.

~~~
api
Packaging and distributing _anything_ for endpoint devices is a profound
exercise in pain and suffering. If your target is anything other than a Mac or
a phone, multiply it even further.

It's a major driver of Internet centralization: things must be centralized to
escape the deployment nightmare. It's exponentially easier to manage
deployment on a handful of servers than it is to actually ship an app to
users.

With our app, we test our Windows build on Windows Vista, 2008 Server, 7, 2012
Server, 8, 8.1, and 10, on both x86 and x86_64. It always passes before we
ship. Then inevitably we get bug reports: the UI won't open, device drivers
won't install, the app mysteriously crashes, etc. Investigation always reveals
some weird little variation or clashing piece of software on the customer's
machine. Every Windows machine is a special snowflake, and as Windows machines
run they accumulate 'OS rot' and gradually become less reliable (due to the
mutability of the OS and dependencies). To fully test deployment you'd have to
test hundreds of thousands of VMs with different software install histories,
etc. In the end we have to tell people 'sorry, we tested with clean Windows
installs on eight different versions, you're on your own.'

Mac is the only tolerable deployment target and that's because it's a fascist
dictatorship compared to Windows: uniform hardware, strict restrictions on OS
modification, and enforced software conformity. Phones aren't too bad either
but that's because they're also fascist dictatorships with locked-down OSes.

Basically the modern OS is broken. Things are mutable that shouldn't be,
process isolation is a joke, etc. Server OSes are broken too but at least if
you own all the servers you can make sure they're all broken in the same way.
Even there the trend is toward statically linked binaries (Go) and packaging
apps as entire containers with their own OS (Docker) to basically deprecate
the OS and achieve predictable deployment.

~~~
skrebbel
Insightful! I didn't know it was that bad. Did your team ever consider using
something like Turbo Studio (called Spoon Studio until recently), which is a
bit like Docker, but different, and for Windows?

Their promise is that they basically solve most of the problems you mention,
so I'm curious how well it stands up in practice or why you choose not to use
it.

[https://turbo.net/studio](https://turbo.net/studio)

EDIT: I'm a bit confused: I just got two downvotes for asking a question. So
just to be absolutely clear: I don't have any relationship with Turbo or
whatsoever.

~~~
given
You shouldn't be confused. It's all just numbers and ideas. There isn't really
such a thing as a "vote" or "clear" or even "Hacker News" apart from the idea
you have of it in your mind.

------
necessity
Anyone monitoring their connections has already noticed this long ago, I know
I have. It is not a bug. If privacy is a concern you wouldn't (or at least
shouldn't) be using chromium in the first place.

~~~
copsarebastards
> If privacy is a concern you wouldn't (or at least shouldn't) be using
> chromium in the first place.

Privacy is a concern for everyone, whether they understand that or not.

~~~
bduerst
So is oxygen, but I'm not going to carry a scuba tank with me everywhere. Just
when I'm diving or doing something where it is equally important.

Same reason you don't use TOR on a virtual machine over a drone mesh network
to starbucks for the majority of your internet browsing.

~~~
copsarebastards
You can say anything with faulty analogies.

The fault in your analogy is that you seem to think that oxygen is somehow
less important in situations where it's easily available. You say, "Just when
I'm diving or doing something where it is equally important." But oxygen is
_always_ equally important. It's just that in most situations it's easily
available to you: all you have to do is inhale.

Your analogy isn't even internally correct, but even if it were, it still
doesn't prove anything about privacy, because privacy _isn't_ easily
available, at least not over technological channels. Privacy isn't oxygen, so
accurate claims about oxygen don't imply anything about privacy at all.

Analogies are for explanation, not evidence. If you can't make an argument
without an analogy, you may want to consider that you're wrong.

~~~
bduerst
Analogies are inexact by semantic definition, and that doesn't make them
"faulty".

Privacy is readily available through https, two factor OAuth, etc. just like
oxygen generally is. What's your point?

~~~
copsarebastards
> Analogies are inexact by semantic definition, and that doesn't make them
> "faulty".

Well, it makes them useless as evidence. An argument by analogy simply isn't a
valid argument. Don't you remember the "You wouldn't steal a car" ads?

> Privacy is readily available through https, two factor OAuth, etc.

HTTPS is broken by privileged man-in-the-middle attacks (attacks where the
attacker has key signing power) and downgrade attacks. And that is when it's
even available (it isn't always). And even against attackers with less power,
it only provides privacy for _what_ you send over the wire, not _who_ you send
it to. And finally, this all assumes that you're sending your data to an
entity which won't simply sell it to whoever is willing to pay a few bucks (an
uneducated user might think, for example, that data sent through GMail is
private).

I'm not even gonna touch "two factor OAuth"; I'm not sure what kind of privacy
you even think that provides.

In short, you clearly have no knowledge about what does and does not provide
privacy. It would behoove you to not make claims on topics you are ignorant
of.

~~~
bduerst
Analogies aren't evidence, they're a tool for explanation, again by semantic
definition.

It's committing a no-true-scotsman to say that "privacy isn't as easily
available as oxygen" when you change it to "true privacy is really
_perfect_ privacy" when faced with HTTPs and OAuth.

All privacy & security tools are imperfect, but most of us find the right
level, rather than live in a faraday cage in our mother's basements (that's
the point). Unless of course, copsarebastards, you need that level of privacy
- then I'm not going to judge.

~~~
copsarebastards
> Analogies aren't evidence, they're a tool for explanation, again by semantic
> definition.

Agreed, that's what I've been saying all along.

So then why did you use an analogy? Did you really think the sentences
"Privacy is easily available" or "People only have to use privacy tools when
they are doing something that they want to keep private" needed explanation?
Perhaps I assumed you were using it as evidence when you weren't, but you have
to admit that's a reasonable assumption given that the analogy is completely
pointless otherwise.

> It's committing a no-true-scotsman to say that "privacy isn't as easily
> available as oxygen" when you change it to "true privacy is really
> perfect privacy" when faced with HTTPs and OAuth.

Imperfect privacy _isn't privacy_. Either people are able to look at your
data or they aren't. If people are able to look at your data, you don't have
privacy. This isn't a complicated idea or a "no true scotsman" fallacy, it's
the meaning of the word "privacy".

We have plenty of evidence showing that the NSA surveils data which is
"protected" by HTTPS, ergo, HTTPS does not provide privacy. And the NSA isn't
the only actor with this capability.

And OAuth doesn't provide privacy. It's not even the problem that OAuth
_tries_ to solve. OAuth provides authentication, which is an element of
privacy, but it takes more than simply showing that a person is who they claim
to be to provide privacy.

> All privacy & security tools are imperfect, but most of us find the
> right level, rather than live in a faraday cage in our mother's basements
> (that's the point).

That's exactly not what happens. The average user simply is not informed
enough to make an educated choice about what level of privacy they want and
make choices to get that level of privacy. As a result, people _don't_ find
the right level of privacy. Closeted gay people get outed by their Facebook
friend graph, pregnant teenagers have their pregnancies publicized by their
targeted ads, celebrities have their nude photos leaked to the public,
adultery website users and corporate employees have their information leaked,
women are found by their jealous law enforcement exes misusing surveillance
technologies. Only a fraction of these people actually knew what risk they
were taking when they friended someone on Facebook, searched for goods on
Amazon, texted a nude photo to a lover, put their credit card into a website,
gave their info to their employers, or made a phone call.

Obviously living in a faraday cage in your mother's basement isn't the answer:
that's a straw man argument.

The answer, in my opinion, is both social and technical. Socially, we need to
get people to prioritize privacy and use privacy by default, we need people in
power to respect and protect the right to privacy rather than actively taking
it away from people. From the technical side, we need privacy tools that are
faster, more secure, and easier to use, and we need decentralization so that
violating people's privacy is no longer an option.

------
drstrangevibes
but isn't chromium open source?

~~~
brudgers
Sure. But the theory that open source prevents problems of this sort is a
theory, not a universal law. The solution is social and based on trust.

[https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thomp...](https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf)

~~~
4ad
You mean hypothesis, not theory.

~~~
Karunamon
Working theory: This is not a useful distinction in colloquial usage of
English.

~~~
4ad
Yes it is. Words have meaning, we would all benefit if we used them correctly.

~~~
Karunamon
And language evolves, c.f. "literally".

------
wonkaWonka
I'm not puzzled, at all. In fact, I'm puzzled that _you're_ puzzled.

What's hard to understand about maintaining radio silence?

Does no one understand that keeping your mouth shut, and not accidentally
blabbing packets across the network is ALSO a security posture?

Anyone between you and The Mother Ship now has a shiny new target to MITM
payloads at.

Why do you hate freedom?

~~~
coldtea
> _What's hard to understand about maintaining radio silence?_

What's hard to understand about the fact that "radio silence" is a desirable
trait in war (and that in certain circumstances only) -- not in desktop
software, and even less so in one whose PRIMARY PURPOSE is connecting to
thousands of addresses everyday?

And that, being up-to-date with the latest security patches, including for
users who otherwise wouldn't bother to install, is better for everyone
involved?

~~~
jellicle
The point of incognito mode is to send out less information. The web browser
can update itself perfectly well a) through the normal OS software update
process b) when started in regular browsing mode.

~~~
finnn
Incorrect. The point of incognito mode is to record less information locally,
not send less information. It doesn't store cookies (beyond the duration of
the session), doesn't record history (beyond the duration of the session),
etc. On the Chrome incognito start page, it clearly says:

> Going incognito doesn’t hide your browsing from your employer, your internet
> service provider, or the websites you visit.

------
BuckRogers
These codebases are too large to vet easily, and I've always been suspicious
of someone hiding something like this in plain sight. I'm a FF user since
before 1.0 and I never switched to Chrome, for obvious reasons. I did keep
Chromium as a media browser on Linux, now I'm done with Chromium too.

