Hacker News new | past | comments | ask | show | jobs | submit login
Bypassing anti-incognito detection in Google Chrome (mishravikas.com)
245 points by Cub3 on July 20, 2019 | hide | past | favorite | 109 comments



Am I the only one that wants their browser to be 100% stateless? I always run in incognito mode, and I have an external password manager. I have no problems with this setup except sites that detect and block incognito mode.

Other than caching, there is no legitimate benefit to allow pages to store local state beyond a session, and I can forgo caching at this point in the game. (I don’t care about offline web apps, to be clear)

Maintaining a whitelist of sites that can have session state would be trivial (the sites in my password manager are a great first cut). I don’t want to restart my browser periodically to clear everything else’s session state.

How hard would it be to build something like this?


On HackerNews? You're probably not the only one.

In the world of real users? You're probably the extreme minority.

Most people want convenience, and will trade almost anything for it. Especially if they don't realize they are trading something like "privacy" or "trackability" for convenience.


Why do you try to imply that a Web browser experience not built around making the user trackable most effectively, like it is by default with the big browsers, has to be inconvenient?

The way I use Chromium [0], is very convenient to me. The downsides are almost nonexistent, and the upsides are not just in privacy: it is convenient (albeit perhaps of questionable morality?) to not have to worry about newspaper article quotas; likewise with having more control over cookies and other browser data in the "simultaneous multiple sessions" model. For example having more than one user logged in to some Web site does not take any extra effort compared to just one user being logged in.

On the other hand there is a difference between "real users" and those willing to exploit the Unix programming environment/interface to its full potential, and that is required knowledge, or the willingness to get it. For example to use my script tb effectively one has to understand that "being logged in with a Web site" means temporarily storing appropriate data chunks gotten from the Web site (cookies) so that they are accessible to the browser and it could send them back to the server to authenticate.

[0] https://news.ycombinator.com/item?id=20484845


You answered your own question. The vast majority of users are not "willing to exploit the Unix programming environment."

For the vast majority of people who do not already have Unix skills (or whatever), it is convenient not to have to learn them.


When framed correctly, a stateless browser is totally acceptable for general users. General users have no concept of cookies, so if you describe browsers as just a dumb window to let you load websites, it totally makes sense that you would have to log back in when you close the window.

For example, I set my Mom up with a Firefox configuration that doesn't remember anything when you close the window (basically incognito by default). She has used that configuration for years and never complained. In fact, she always compliments me for how safe and reliable I've made her browser. When she sees other people on other computers just load their logged-in websites without having to log in, she thinks they're totally unsafe and exposed.

She associates closing the window == back to safety, so whenever she ends up on a scary website or sees a scary popup, she just closes firefox and opens it back up again. It's wonderful. I didn't have to teach her about cookies or sessions or anything. All I had to teach her was that if she ever got into a situation where she didn't know what to do, just close the window and you're safe again.

Anyway, I feel pretty strongly that if browsers were incognito by default and you had to opt-in to persist sessions (e.g. whitelist cookies), general users would get used to it pretty quickly and end up thinking the time back before was a very unsafe place (like the free love era before the AIDS epidemic).


> Most people want convenience, and will trade almost anything for it.

No, this is what indoctrinated "UX" people think.

I hear it every day from ordinary office workers how sick they are from dysfunctional, progressively dumbed down UIs.

Ask just how many people keep MS Office 2003 just because they can't use the "ribbon" UI.


You're conflating bad UI design with user-friendly, intuitive, comfortable UX.

Also, design is simplified because that strategy works. People want simple UIs, while business doesn't want to invest in design, costs of which rise exponentially unless you have talent both in development as well as management at work, or deal with too many unique support requests.


Doesn't using Chromium in the first place kinda defeat the purpose? I mean, you'll thwart others' tracking with your methods (though you made no mention of blocking tracking scripts/images which is a huge piece) but you're still handing data directly to Google.


You can turn that off in the settings.


There's a setting, but it doesn't really prevent anything. You're still tracked.


This reminds me of firefox's telemetry for people who turn off telemetry [1]. None of the big three browsers respect your privacy enough to not track you in any way. Not a single one.

Here's to hoping that a browser that truly respects its users appears soon.

[1] https://www.ghacks.net/2018/09/21/mozilla-wants-to-estimate-...


You could use ungoogled-chromium to circumvent the Google-parts.


Better to use brave maybe? Or Firefox?


I, too, almost always use Chromium so it is basically stateless (except when I want bookmarks). My way is better than Incognito mode because you can have multiple sessions (example: one for Google's services that require a login, one for Stack Exchange, one for browsing); and of course because it can not be detected, unlike Incognito mode.

Take a look at my comment here: https://news.ycombinator.com/item?id=20484845


> it can not be detected, unlike Incognito mode

This may be true today, but that's because Chrome has a bug. (At least, I can't see why we wouldn't view it as a bug.)

Incognito Mode shouldn't be detectable. Hopefully they'll fix that.


It is true that Google will supposedly start making an effort to make Incognito mode non-detectable [0], but Incognito mode is still crippled compared to the way I use Chromium (through a simple shell script), mostly because of the option to use multiple "sessions" simultaneously and whitelisting of browser data that gets copied/used.

[0] https://www.blog.google/outreach-initiatives/google-news-ini...


What do you do for sites that complain each session you're using an "unrecognized browser" and require additional forms of authentication? Just deal with it every single session?


I assume by additional forms of authentication you mean codes sent over either email or SMS? Email is not a bother to deal with, because one can just copy the code over from the email; while phone SMS is not an issue because I did not confirm my phone number to any Web services. (For example, I think Paypal asks me to "confirm" my phone number every time I log in, even though Paypal knows the number is mine it is probably bound by regulation or law not to force multi-factor-authentication on me. So, just say no when asked about confirming your phone number.)

Do you have an example of a site that requires "additional forms of authentication"? I remember something like that happening to me before, but I can not remember which site it happened on.


I made a Microsoft account to use Skype. Twitter too recently. Both sent me messages immediately saying I had either broken the terms of service, or had been potentially compromised, and needed sms second factor to log in.

Since I had never used either account before this happened, it’s just a thinly veiled requirement that they can connect my account to an identifiable human.

Perhaps twitters bot problem is some justification, but when they warned me about violating their rules I just deleted my almost-unused account. It was insulting


Many sites ask for your phone just to simplify the "forgot my credentials, help me" customer support calls. Some, especially money-related, want to know your phone as a separate confirmation of your state-controlled identity, in countries where buying a SIM card required legal identification (which likely can be retrieved by a court order if need be).

Yes, SMS can easily be diverted so it's not great for 2FA purposes; a voice call is often an option, and is harder to spoof.

Sites that actually care about your security would go for things like TOTP, or SSH key, or a certificate. These forms do not map easily to your legal identity, but are more reliable proofs of knowing a secret.


For most services I cancel the account and explain why.


That's what I do.


Do you use Firefox multi-account containers?

https://addons.mozilla.org/en-US/firefox/addon/multi-account...

It's the biggest reason I use Firefox. Intuitive, straightforward session partitioning. Every browser should have it.


I'd like every single tab to be stateless which I believe Firefox has an end goal of with containers


If you assume (big ask) that your browser is trustworthy and your computer won’t be compromised, it’s nice to have bookmarks, history, and a password manager built in.


That definitely exists on mobile. I use FF Focus, which just clears the entire session as soon as you close the window.

Also, on iOS Safari and Firefox can be defaulted to private browsing.

On desktop, Firefox can be configured to clear all cookies and site data whenever it is closed.


If lots of people did this, websites would start saying "sorry, you can only enter this website if you have cookies that are at least a month old"


What’s your motivation for doing this?

Btw, I store my passwords in Firefox Sync. What would the benefit be of storing them in a third-party password manager, from a security and privacy perspective?


> What’s your motivation for doing this?

Maybe he, like me, just thinks there is no reason for history, form data, cookies and all that stuff to be saved after starting a new browser instance, except in rare circumstances.

> What would the benefit be of storing them in a third-party password manager

Decoupling, less dependance on a specific browser. "Unix philosphy".


A concrete example of why a 3rd party pw manager is useful- git(hub/lab) credentials. On both sites, I can easily want to enter account credentials in a terminal as well as the browser. Not every password will exclusively be used in the browser, and 3rd party managers are handier outside the browser.


To make the browser stateless and, thus, harder to track.


Do you use any form of tracking protection (either as a built-in browser feature or via browser extensions)?


>Am I the only one that wants their browser to be 100% stateless?

I achieved it by using Disposable Virtual Machines in Qubes OS. Works flawlessly.


Do you use two-factor authentication? Staying logged in with the same trusted browser/device is a big benefit for security. It makes it a lot easier for companies to spot suspicious login attempts.


Not the only one - there are probably dozens of us :)

I use Firefox for this purpose, not in private mode - I just let FF delete everything whenever I close it. It's not "100% stateless", as I still allow cookies and such while my browser is open (I use uBlock and Privacy-Badger to block out the worst), but whenever I close the browser I still have a "clean slate" whenever I reopen it.

There are definitely a few downsides (as much as I love the GDPR, the compliance banners are annoying), but together with a password manager, it's definitely a setup that works for me.


I guess what benefits do you get out of that, and at what cost? I just don't see the amount of privacy I give up worth losing the convenience of the features.


I run Chromium with --user-data-dir, the current directory, and the environment variables HOME and XDG_CACHE_HOME all set to directories within a tmpfs (/tmp).

It is better than "Incognito mode".

https://bbs.archlinux.org/viewtopic.php?pid=1733332


Wonder if it's possible to make something like that on Windows


Chrome does have guest profiles: Click your user icon, and there'll be an "Open Guest Window" button.

> "You’re browsing as a Guest"

> "Pages you view in this window won’t appear in the browser history and they won’t leave other traces, like cookies, on the computer after you close all open Guest windows. Any files you download will be preserved, however."

It's kind of like Incognito, except none of your preferences or extensions are there, either, it's just an entirely new profile that self-destructs when you close it.

The OP's detector considers a guest profile not to be Incognito mode.


please do realize that using chrome, even in incognito mode, everything you do is sent to google.

Re your question: I use Firefox with 1st party cookies only (and the other associated privacy options) and it works pretty good. Some WebApps break, but very rarely.


there is only one way to get around this. incognito mode needs to emulate all system resources without actually making them available.

even without that consideration, for things like disk storage, there is no reason[1] why incognito mode should have less access than normal mode. all websites should function as normal. the only difference is that in incognito mode everything is wiped once it is closed, and nothing is written to disk.

[1] ok, so the reason for the limitation is that the disk has to be emulated in memory because incognito mode must not write to the disk which could leave artifacts behind.

this makes me wonder if it is possible to detect a difference in timing for example when writing lots of data with an emulated disk vs a real one.


I think there are two use cases for incognito mode:

1. I don't want others who have access to my client machine to be able to see a history of what I did online.

2. I don't want servers to be able to know anything about me except maybe my IP address.

It feels like tying these two together under one setting makes them both fragile. E.g. for scenario 2, I don't care whether a web page can use local storage as long as they don't have access to the data between sessions.

I'd much rather have two options - hide from the server and hide from your boss (or whoever). And maybe some UI to help me always hide from specific servers or delete all the artifacts from a specific session after the fact.


I want #1 for all machines, almost 100% of the time. Maybe 99%.

I try to wipe my drives and repartition every 30 to 60 days, with a full OS reinstall. The Virtual Machines I run with VirtualBox are even less persistent than the bare metal, often stateful for mere hours. I do not retain browser history, and I have only about 5 bookmarks, and trash my cookies and cache at least every day, multiple times usually.

But I want #2 for like 75% of the time. The other 25% of the time, that state almost never lasts 48 hours. When I go to bed, the current browser state dies forever. I usually have a hard time staying awake for 48 hours straight.

This means #2 will become 100% every 48 hours, with 48 hours being an extreme maximum lifetime for session data, and the true norm being 8 hours (9 to 5, each work day).

Considering that #1 & #2 are sure to intersect every 48 hours, dividing attention between them seems burdensome.


I'm going to go out on a limb and say you're not the typical user. Besides, in your case it would be a matter of selecting "hide from everyone" in the drop-down.


Yes! I think this is exactly the way to think about it. Especially the part about giving the user control over just what sites they hide in this manner.


What if you want both?


Indeed – I have a hard time believing that the vast majority of people who want one of these things wouldn't also want the other.


Hypothetical examples:

I don't want the New York Times to ID me, but I don't care if my wife knows I read it.

I don't want red tube to forget about my all access pass, but I don't want it in my browser history.


right, and i do want the times in my history so i know if i have seen it already. but as is suggested elsewhere, private mode does not prevent ID.

the times could switch to genuine browser/device fingerprinting and store that information server side. if they are careful enough so that false possibles are not possible (rather let a few slip through) then they could effectively control how much free access everyone gets.


If Chrome encrypted the data it wrote to disk, it can throw away the encryption key and delete the file when you close the incognito window, thus giving you access to the disk securely.


Any sort of file system imprint would at least leave a trace that incognito had been used. I’m not sure how much of a problem at is, and how much of a trace it currently leaves.


What about swap space used on the disk by the OS, transparent to the application? Is that also a concern for “file system imprint”? What’s the threat model here? The application would have to use RAM that’s never swapped for storing this sort of information. That would make it quite heavy.


I think chrome devs want to limit the "file system imprint" as much as possible to enforce "no-history in incognito". There's been some discussions on finding a way around crash reporting in incognito session which stores the dump in the disk, and to my knowledge this is the only violation of this policy. [1]https://bugs.chromium.org/p/chromium/issues/detail?id=876270...


there are many mundane reasons to use incognito mode. and the system would work in a way that the user will not even know the decryption key since it can be generated on the fly for each session.

the browser could even encrypt all their data by default. (but for non-incognito mode with a known key) it could then write the normal and incognito data in such a way that you can't even see that there is incognito data in there if you don't have the incognito key


Initialising a fixed storage image with random data offers plausible deniability.


> thus giving you access to the disk securely

The amount of encrypted data could be a side channel


We need the same thing on mobile apps too. If the Facebook app wants access to my entire storage or else it refuses to take a picture, then why not show it a facade filesystem instead?


indeed, i come across that several times. for some apps that i don't trust i'd like them to get access to a private storage. or a fake location. some apps insist that they need my real location in order to serve me properly. sure, that would make things convenient, but i am perfectly fine with using the app with out that convenience.


Incognito mode was conceived to not leave traces in your local system, hence its shortcomings to bypass paywalls. Making websites unaware of incognito mode was not part of the original design.


Why is incognito mode so difficult for browsers to implement? If the browser already comes with support for profiles, then isn't switching to incognito mode the same as running from the empty profile?

In particular, why do particular APIs need to be shimmed or disabled? In my empty-profile based proto-proposal, even if a website writes to disk, wouldn't closing the session cause any data written to be rolled back?


Not accidently unintentionally saving state is in fact hard.


See the result your browser https://luke.lol/check-fs-quota.php


Nice. On my Android it worked out Private Tab for Brave, however Firefox Focus did not get detected as such.

Not even using Chrome, except have to have it installed because lots of apps depend on it. :P


nice. can't see any difference in firefox. however, it is still possible to detect incognite mode in firefox as i have just been to a site that did so. (they didn't detect reader-mode however, so i was able to read the article after all)


For Firefox it's simple enough - can you open indexedDB? That goes the same for IE 10+. If instead it's Safari, can you successfully modify localStorage?

Unfortunately, every browser seems to change it's behaviour as soon as you try not to store your history.

Some browsers do try and stop these detection methods... And by the time they've patched them out new methods have emerged.


wait what? safari blocks access to localStorage in incognito mode? that ought to break some sites functionality.


yes that does break a lot of websites, the Safari team hasn't made the best choices on this one.


Why not let incognito mode write to disk, but entirely encrypted and randomly padded (to avoid size memorization attacks), with keys only stored in memory? That way you can use practically the entire storage space and avoid quota mismatches, as well as service attempts to fill the storage for detection. And in the event of a crash or power outage, no data is recoverable.


Random padding can be detected and the existence of encrypted files would be a giveaway that users use incognito often (which may not be wanted)

Iirc on *nix there’s a difference between inodes and vnodes that you might be able to take advantage of as well. The supervisor would create, open, and delete the directory before filling it. Holding the directory open gives it a vnode count of one and deleting it gives an inode count of zero thus making the current process the last thing to ever be able to reach the directory. You’d have to make sense of a full disk binary scan to guess what used to there if the disk wasn’t zeroed out, so encryption could help there too.


I wonder if encryption is even necessary.

Isn't the purpose of Incognito mode to protect against tracking inside the browser? At least I haven't heard so far that its also supposed to shield data from access outside the browser.

So, wouldn't be enough to simply delete the space after closing the tab? (Or use a new, empty storage location for each newly opened tab)


Deletion doesn't mean the data is actually gone from disk though, so it would basically leave unencrypted evidence of incognito browsing history. There are multiple use cases for incognito, and tracking inside the browser is only one of them.


I've wondered why many things don't do this. Is it because it's difficult to guarantee that writing to memory doesn't eventually get swapped to disk by the OS?


In some OS’s you can specify that certain pages of memory should never be swapped.


How is an additional chrome user profile that removes all history/cookies/ local storage on close different tracing-wise from an incognito session?


a profile that removes all history still writes to disk, and potentially leaves traces behind. (a backup could be running while the session is open, or a data could be left behind on a disk block because the files are deleted but not wiped)

incognite mode is useful for two situations:

A: you want to hide the fact that you visited a site.

B: you want to hide from the site that you have visited before.

the incognito-detection is largely against the second case (B), so your suggested workaround would work. what would also work is firefox tab groups. since each tab-group starts off empty.

the problem is that both ways are cumbersome. you have to open a new browser with that profile or you have to create a new tab-group and remove it after each use.

in firefox the problem could be solved by adding a "wipe, but don't delete tab group" feature. for the profile method you'd need a feature to "open link in new profile" to make that convenient.


A lot of people will be trackable still under B by IP address (yes, I know it's not identifying in general).

I get arbitrary IP addresses from my ISP but if my router isn't reset then it can be the same for weeks; Brave solves this with incognito+tor.


tracking by ip address is for the lazy, and it doesn't work with dynamic IPs. at least not if the goal is to eg limit your access to how many articles you read per month. you'd not be happy if you go to a site for the first time but are blocked because you got a new IP that has already been to that site 5 times this month.

i'd use full browser/device fingerprinting to achieve the same effect. much more reliable.


It does not have to be cumbersome if you do it like I do:

https://news.ycombinator.com/item?id=20484845


that doesn't help. having a profile that cleans itself isn't the problem. switching between a normal and a cleaning profile is.

for most of my stuff i want to keep the history and whatever else around. i also never restart my browser or my machine if i can't avoid it. (restarts happen when i don't want them, and that's when i don't want to loose my current state). so i am still stuck with specific sites that i need a second, cleanable mode for. it's the mode switching that is the issue. switching into incognito mode or to a new browser group is easy enough. so fixing either is the way to go.


I do not quite understand what do you mean by "switching".

In my workflow, when I want "Incognito", I just start a new Chromium session on tmpfs. No switching needed.


i am reading stuff, like HN, and a topic comes along that is considered controversial where i live. i do not want it to show up in my browser history.

so i right-click, open link in private mode, or in a tabgroup.

i am done reading, i close the private window or wipe the group.

with your method i'd have to first start a new browser with that second profile, then copy the link to the new browser to read. that's a lot more work than just selecting an entry from the right-click menu.


> with your method i'd have to first start a new browser with that second profile, then copy the link to the new browser to read.

But that is just about a second of work: my wrapper executable for chromium is named tb, and I use Dmenu with DWM for X window management, thus in four key presses and one mouse middle click the new browser instance is started and the URI copied: "ALT-P" "t" "b" "Mouse button 2".


Is there an extension available to add an option to open a link in a new profile? (Genuinely curious)


If the computer or Chrome crashes during an incognito session a nanny thread would leave the incognito history on disk forever. It’s better to use lower level tools.


This could also be solved by having any FileSystem API be unaccessible until a User Permission request is accepted. Both in incognito and normal mode.


You might solve the incognito detection problem but you open up the opportunity for notification-fatigue if users end up getting lots of these permission requests.


Plus it wouldnt get around the root problem, which I assume to believe is

"you have reached your monthly limit of articles, please pay"

opens private tab to read article

"we see you are in a private window, please load our site in a normal window"

browser perfectly mimics regular mode but now you need to grant permission

"we see you havent granted permission, please allow access to read our article"


Is there any legitimate reason to allow arbitrary web apps to use gigabytes of space on my precious SSD, especially on mobile devices?

I'm becoming increasingly wary of web apps having all sorts of access to things outside of the browser, sometimes without explicit permission. Browsers should limit every app to the same amount, perhaps 100MB, or maybe even 10MB. Apps that need more should ask for permission.


I believe the “Quota Management API” [1] the author is using is an experimental API for the browser to request more space, beyond the default maximum of 5MB.

[1] https://developer.chrome.com/apps/offline_storage


On the contrary its on active development, The one you are referring to "Quota Management API" [1] is not what's being used in the article. It's the "Storage" API's Estimate method [2] which is in active development. [1]https://w3c.github.io/quota-api/ [2]https://storage.spec.whatwg.org


In a distributed environment like the web, how do you define an 'app'? If the restriction is e.g. 10MB per domain, what stops an entity registering a hundred domains?


One possibility is to require the user to explicitly set up an "app", to allow the user to specify the limits independentlyf or each one, to allow the user to put multiple domains into an app if they wish, and to allow the user to define multiple apps for a single domain in case they want to have separate sets of data to send in different cases.




From the title I was expecting the opposite.

Surely websites are using anti incognito tactics, and users would want to bypass those detection schemes.


That's exactly what I felt! Many websites are using anti-incognito tactics


I have to say I have been avoiding the Oath family of sites (on mobile) because of their cookie wall that doesn’t allow declining, and really I don’t feel like I’ve been missing out.


What sites worry about incognito mode and why?


To give one legitimate use:

One of the clients I work with is a university. Staff are forced to set-up 2FA.

We received numerous support calls, particularly from users of Safari, who would find themselves accidentally in incognito/private browsing mode - and then complain that the "remember my device" functionality (which relies on a cookie) didn't work.

We solved this with a visible warning to users who are in incognito mode to remind them that they will need to provide a new code each time they login.


News websites want to limit the amount of articles one can read.


Buying airplane tickets.


For those who don’t understand this one, airlines will sometimes artificially inflate tickets faster for people who visit their site multiple times to create a sense of urgency. I always shop for airline tickets in incognito and only log in at checkout.


The easy solution for sites that need revenue is to abandon this stupid arms race and do two things:

1. Force their ad networks to police ads for malware, movies, tracking code, and slow-loading crap.

2. Stop sharing private user data with others.

I would turn off my ad blocker and incognito mode tomorrow if e.g. the Washington Post would take these steps.


Regarding 2: Probably impossible. Regarding 1: hold websites and ad networks legally culpable for delivering malware from ads. Probably also not possible.

Keep blocking ads.


I agree with you on 2 most likely not being possible (or reasonable) given that the revenue model is based in sharing user data, but I'm not so sure that 1 is completely out of the question.

I don't necessarily think that it's reasonable to have a zero tolerance policy for ad networks or the sites serving them regarding malware (cuz perfect security doesn't exist), but what about requiring some basic standard of due diligence for the ad networks themselves?


Zero tolerance, maybe maybe not. But if I ran a restaurant and kept ordering from a supplier that kept giving me deliberately poisoned meat, I should be held responsible.

And there's a reason ads are slow, easily blocked, client-side javascript. Site operators know they serve malware and don't want it on their own servers.


If you have your ad blocker on and the WaPo did this, how would you know to turn it off?


First, word of mouth. Second (better solution) a non-profit certification authority something like Underwriters Laboratories that monitors ad networks for malware, and gives its seal of approval for good ones. WaPo could then advertise that seal on their website.

Then of course when an ad network screws up you have a certificate revocation problem, but that's another story.


Great, now we're going to discriminate on the web because people don't have a lot of hard drive space free.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: