
Bypassing anti-incognito detection in Google Chrome - Cub3
http://mishravikas.com/articles/2019-07/bypassing-anti-incognito-detection-google-chrome.html
======
hedora
Am I the only one that wants their browser to be 100% stateless? I always run
in incognito mode, and I have an external password manager. I have no problems
with this setup except sites that detect and block incognito mode.

Other than caching, there is no legitimate benefit to allow pages to store
local state beyond a session, and I can forgo caching at this point in the
game. (I don’t care about offline web apps, to be clear)

Maintaining a whitelist of sites that can have session state would be trivial
(the sites in my password manager are a great first cut). I don’t want to
restart my browser periodically to clear everything else’s session state.

How hard would it be to build something like this?

~~~
ShakataGaNai
On HackerNews? You're probably not the only one.

In the world of real users? You're probably the extreme minority.

Most people want convenience, and will trade almost anything for it.
Especially if they don't realize they are trading something like "privacy" or
"trackability" for convenience.

~~~
nsajko
Why do you try to imply that a Web browser experience not built around making
the user trackable most effectively, like it is by default with the big
browsers, has to be inconvenient?

The way I use Chromium [0] is very convenient to me. The downsides are almost
nonexistent, and the upsides are not just in privacy: it is convenient (albeit
perhaps of questionable morality?) to not have to worry about newspaper
article quotas; likewise with having more control over cookies and other
browser data in the "simultaneous multiple sessions" model. For example having
more than one user logged in to some Web site does not take any extra effort
compared to just one user being logged in.

On the other hand there is a difference between "real users" and those willing
to exploit the Unix programming environment/interface to its full potential,
and that is required knowledge, or the willingness to get it. For example to
use my script _tb_ effectively one has to understand that "being logged in
with a Web site" means temporarily storing appropriate data chunks gotten from
the Web site (cookies) so that they are accessible to the browser and it could
send them back to the server to authenticate.

[0]
[https://news.ycombinator.com/item?id=20484845](https://news.ycombinator.com/item?id=20484845)

~~~
elefanten
You answered your own question. The vast majority of users are not "willing to
exploit the Unix programming environment."

For the vast majority of people who do not already have Unix skills (or
whatever), it is convenient not to have to learn them.

------
nsajko
I run Chromium with _--user-data-dir_, the _current directory_, and the
environment variables _HOME_ and _XDG_CACHE_HOME_ all set to directories
within a tmpfs (/tmp).

It is better than "Incognito mode".

[https://bbs.archlinux.org/viewtopic.php?pid=1733332](https://bbs.archlinux.org/viewtopic.php?pid=1733332)
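The setup described in this comment, written out as an added POSIX shell example (this is not nsajko's script nor anything from the linked Arch thread): every location Chromium writes to, its profile (`--user-data-dir`), its cache (`XDG_CACHE_HOME`), its `HOME` and its working directory, is pointed at a fresh directory under /tmp, and the whole tree is removed when the browser exits. It assumes the browser binary is named `chromium`, that /tmp is a tmpfs on the machine (it checks and warns if not), and that GNU `stat` is available for that check; the directory-name prefix `chromium-ephemeral` is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not nsajko's own script. Launch Chromium with all of its
# writable locations under one throwaway directory in /tmp (assumed tmpfs)
# and remove that directory when the browser exits.
# Assumptions: binary is "chromium"; /tmp is tmpfs; GNU coreutils "stat".

# Create the throwaway root with separate profile/cache/home subdirectories
# so the three locations never collide. Prints the root path on stdout.
make_ephemeral_root() {
    root=$(mktemp -d /tmp/chromium-ephemeral.XXXXXX) || return 1
    mkdir -p "$root/profile" "$root/cache" "$root/home" || return 1
    printf '%s\n' "$root"
}

# Print the filesystem type backing a path ("tmpfs" when RAM-backed).
# Empty output means the check itself is unavailable (non-GNU stat).
fs_type_of() {
    stat -f -c %T "$1" 2>/dev/null
}

# Render the launch command line as text, kept separate from the launch
# itself so the environment and flags can be inspected or tested.
build_launch_cmd() {
    root=$1
    printf 'HOME=%s XDG_CACHE_HOME=%s chromium --user-data-dir=%s\n' \
        "$root/home" "$root/cache" "$root/profile"
}

launch_ephemeral_chromium() {
    root=$(make_ephemeral_root) || exit 1
    # Warn but continue if the root is not actually RAM-backed: in that
    # case the session data can reach the disk, which defeats the purpose.
    if [ "$(fs_type_of "$root")" != "tmpfs" ]; then
        echo "warning: $root is not on tmpfs; session data may reach disk" >&2
    fi
    # Remove the whole tree on any exit, including Ctrl-C.
    trap 'rm -rf "$root"' EXIT INT TERM
    cd "$root" || exit 1
    HOME="$root/home" XDG_CACHE_HOME="$root/cache" \
        chromium --user-data-dir="$root/profile" "$@"
}

# Launch only when invoked with --run; extra arguments go to Chromium.
# Without --run the file just defines the functions above.
if [ "${1:-}" = "--run" ]; then
    shift
    launch_ephemeral_chromium "$@"
fi
```

Run it as `sh ephemeral-chromium.sh --run https://example.org`; the cleanup trap fires whether Chromium exits normally or the script is interrupted. Note that anything downloaded into the ephemeral `HOME` disappears with it, and that a tmpfs can still be swapped out unless swap is disabled or encrypted, which is the residual place such session data could land.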

~~~
haunter
Wonder if it's possible to make something like that on Windows

~~~
Zarel
Chrome does have guest profiles: Click your user icon, and there'll be an
"Open Guest Window" button.

> "You’re browsing as a Guest"

> "Pages you view in this window won’t appear in the browser history and they
> won’t leave other traces, like cookies, on the computer after you close all
> open Guest windows. Any files you download will be preserved, however."

It's kind of like Incognito, except none of your preferences or extensions are
there, either, it's just an entirely new profile that self-destructs when you
close it.

The OP's detector considers a guest profile not to be Incognito mode.

------
em-bee
there is only one way to get around this. incognito mode needs to emulate all
system resources without actually making them available.

even without that consideration, for things like disk storage, there is no
reason[1] why incognito mode should have less access than normal mode. all
websites should function as normal. the only difference is that in incognito
mode everything is wiped once it is closed, and nothing is written to disk.

[1] ok, so the reason for the limitation is that the disk has to be emulated
in memory because incognito mode must not write to the disk which could leave
artifacts behind.

this makes me wonder if it is possible to detect a difference in timing for
example when writing lots of data with an emulated disk vs a real one.

~~~
13of40
I think there are two use cases for incognito mode:

1. I don't want others who have access to my client machine to be able to see
a history of what I did online.

2. I don't want servers to be able to know anything about me except maybe my
IP address.

It feels like tying these two together under one setting makes them both
fragile. E.g. for scenario 2, I don't care whether a web page can use local
storage as long as they don't have access to the data between sessions.

I'd much rather have two options - hide from the server and hide from your
boss (or whoever). And maybe some UI to help me always hide from specific
servers or delete all the artifacts from a specific session after the fact.

~~~
14of40
I want #1 for all machines, almost 100% of the time. Maybe 99%.

I try to wipe my drives and repartition every 30 to 60 days, with a full OS
reinstall. The Virtual Machines I run with VirtualBox are even _less_
persistent than the bare metal, often stateful for mere hours. I do not retain
browser history, and I have only about 5 bookmarks, and trash my cookies and
cache at least every day, multiple times usually.

But I want #2 for like 75% of the time. The other 25% of the time, that state
almost never lasts 48 hours. When I go to bed, the current browser state dies
forever. I usually have a hard time staying awake for 48 hours straight.

This means #2 will become 100% every 48 hours, with 48 hours being an extreme
_maximum_ lifetime for session data, and the true norm being 8 hours (9 to 5,
each work day).

Considering that #1 & #2 are sure to intersect every 48 hours, dividing
attention between them seems burdensome.

~~~
13of40
I'm going to go out on a limb and say you're not the typical user. Besides, in
your case it would be a matter of selecting "hide from everyone" in the drop-
down.

------
puzzledobserver
Why is incognito mode so difficult for browsers to implement? If the browser
already comes with support for profiles, then isn't switching to incognito
mode the same as running from the empty profile?

In particular, why do particular APIs need to be shimmed or disabled? In my
empty-profile based proto-proposal, even if a website writes to disk, wouldn't
closing the session cause any data written to be rolled back?

~~~
dredmorbius
Not accidentally unintentionally saving state is in fact hard.

------
lgats
See the result in your browser: [https://luke.lol/check-fs-quota.php](https://luke.lol/check-fs-quota.php)

~~~
em-bee
nice. can't see any difference in firefox. however, it is still possible to
detect incognito mode in firefox as i have just been to a site that did so.
(they didn't detect reader-mode however, so i was able to read the article
after all)

~~~
shakna
For Firefox it's simple enough - can you open indexedDB? That goes the same
for IE 10+. If instead it's Safari, can you successfully modify localStorage?

Unfortunately, every browser seems to change its behaviour as soon as you try
not to store your history.

Some browsers do try and stop these detection methods... And by the time
they've patched them out new methods have emerged.

~~~
em-bee
wait what? safari blocks access to localStorage in incognito mode? that ought
to break some sites' functionality.

~~~
realusername
yes that does break a lot of websites, the Safari team hasn't made the best
choices on this one.

------
btown
Why not let incognito mode write to disk, but entirely encrypted and randomly
padded (to avoid size memorization attacks), with keys only stored in memory?
That way you can use practically the entire storage space and avoid quota
mismatches, as well as service attempts to fill the storage for detection. And
in the event of a crash or power outage, no data is recoverable.

~~~
xg15
I wonder if encryption is even necessary.

Isn't the purpose of Incognito mode to protect against tracking _inside the
browser_? At least I haven't heard so far that it's also supposed to shield
data from access outside the browser.

So, wouldn't it be enough to simply delete the space after closing the tab? (Or
use a new, empty storage location for each newly opened tab)

~~~
AbacusAvenger
Deletion doesn't mean the data is actually _gone_ from disk though, so it
would basically leave unencrypted evidence of incognito browsing history.
There are multiple use cases for incognito, and tracking inside the browser is
only one of them.

------
jalk
How is an additional chrome user profile that removes all history/cookies/
local storage on close different tracing-wise from an incognito session?

~~~
em-bee
a profile that removes all history still writes to disk, and potentially
leaves traces behind. (a backup could be running while the session is open, or
data could be left behind on a disk block because the files are deleted but
not wiped)

incognito mode is useful for two situations:

A: you want to hide the fact that you visited a site.

B: you want to hide from the site that you have visited before.

the incognito-detection is largely against the second case (B), so your
suggested workaround would work. what would also work is firefox tab groups.
since each tab-group starts off empty.

the problem is that both ways are cumbersome. you have to open a new browser
with that profile or you have to create a new tab-group and remove it after
each use.

in firefox the problem could be solved by adding a "wipe, but don't delete tab
group" feature. for the profile method you'd need a feature to "open link in
new profile" to make that convenient.

~~~
pbhjpbhj
A lot of people will be trackable still under B by IP address (yes, I know
it's not identifying in general).

I get arbitrary IP addresses from my ISP but if my router isn't reset then it
can be the same for weeks; Brave solves this with incognito+tor.

~~~
em-bee
tracking by ip address is for the lazy, and it doesn't work with dynamic IPs.
at least not if the goal is to e.g. limit your access to how many articles you
read per month. you'd not be happy if you go to a site for the first time but
are blocked because you got a new IP that has already been to that site 5
times this month.

i'd use full browser/device fingerprinting to achieve the same effect. much
more reliable.

------
reaktivo
This could also be solved by having any FileSystem API be unaccessible until a
User Permission request is accepted. Both in incognito and normal mode.

~~~
remus
You might solve the incognito detection problem but you open up the
opportunity for notification-fatigue if users end up getting lots of these
permission requests.

~~~
chrisan
Plus it wouldn't get around the root problem, which I assume to be

"you have reached your monthly limit of articles, please pay"

opens private tab to read article

"we see you are in a private window, please load our site in a normal window"

browser perfectly mimics regular mode but now you need to grant permission

"we see you haven't granted permission, please allow access to read our
article"

------
kijin
Is there any legitimate reason to allow arbitrary web apps to use gigabytes of
space on my precious SSD, especially on mobile devices?

I'm becoming increasingly wary of web apps having all sorts of access to
things outside of the browser, sometimes without explicit permission. Browsers
should limit every app to the same amount, perhaps 100MB, or maybe even 10MB.
Apps that need more should ask for permission.

~~~
TomAnthony
I believe the “Quota Management API” [1] the author is using is an
experimental API for the browser to request more space, beyond the default
maximum of 5MB.

[1]
[https://developer.chrome.com/apps/offline_storage](https://developer.chrome.com/apps/offline_storage)

~~~
geekroutine
On the contrary, it's in active development. The one you are referring to,
"Quota Management API" [1], is not what's being used in the article. It's the
"Storage" API's Estimate method [2], which is in active development.

[1] [https://w3c.github.io/quota-api/](https://w3c.github.io/quota-api/)

[2] [https://storage.spec.whatwg.org](https://storage.spec.whatwg.org)

------
ericlaw
Tracked by [https://crbug.com/959839](https://crbug.com/959839)

------
Cub3
Reddit discussion:
[https://www.reddit.com/r/javascript/comments/cetrkq/private_...](https://www.reddit.com/r/javascript/comments/cetrkq/private_browsing_still_detectable_in_chrome_76/)

------
benj111
From the title I was expecting the opposite.

Surely websites are using anti incognito tactics, and users would want to
bypass those detection schemes.

~~~
narshaven
That's exactly what I felt! Many websites are using anti-incognito tactics

------
tinus_hn
I have to say I have been avoiding the Oath family of sites (on mobile)
because of their cookie wall that doesn’t allow declining, and really I don’t
feel like I’ve been missing out.

------
swinglock
What sites worry about incognito mode and why?

~~~
vermontdevil
Buying airplane tickets.

~~~
inlined
For those who don’t understand this one, airlines will sometimes artificially
inflate tickets faster for people who visit their site multiple times to
create a sense of urgency. I always shop for airline tickets in incognito and
only log in at checkout.

------
dreamcompiler
The easy solution for sites that need revenue is to abandon this stupid arms
race and do two things:

1. Force their ad networks to police ads for malware, movies, tracking code,
and slow-loading crap.

2. Stop sharing private user data with others.

I would turn off my ad blocker and incognito mode tomorrow if e.g. the
Washington Post would take these steps.

~~~
MiddleEndian
Regarding 2: Probably impossible. Regarding 1: hold websites and ad networks
legally culpable for delivering malware from ads. Probably also not possible.

Keep blocking ads.

~~~
glloydell
I agree with you on 2 most likely not being possible (or reasonable) given
that the revenue model is based in sharing user data, but I'm not so sure that
1 is completely out of the question.

I don't necessarily think that it's reasonable to have a zero tolerance policy
for ad networks or the sites serving them regarding malware (cuz perfect
security doesn't exist), but what about requiring some basic standard of due
diligence for the ad networks themselves?

~~~
MiddleEndian
Zero tolerance, maybe maybe not. But if I ran a restaurant and kept ordering
from a supplier that kept giving me deliberately poisoned meat, I should be
held responsible.

And there's a reason ads are slow, easily blocked, client-side JavaScript.
Site operators know they serve malware and don't want it on their own servers.

------
emptyparadise
Great, now we're going to discriminate on the web because people don't have a
lot of hard drive space free.

