The latest version of Google’s browser will plug a hole in Incognito Mode that allowed publishers to track private browsing sessions
Google today (July 30) is set to launch Chrome 76 and close a well-known loophole in the browser that was allowing publishers to track private web surfing sessions.
Chrome 76, which has been in beta since June 13, will bring a variety of new features – including API tweaks to prevent the detection of Incognito browsing sessions.
The fix is related to the implementation of Chrome’s FileSystem API.
Previous versions of Chrome have the FileSystem API disabled in Incognito Mode to avoid leaving any traces of a browsing session.
However, websites have been able to check whether or not the API is available and use the result to infer whether Incognito Mode is enabled, thereby defeating the point of ‘private’ browsing.
The latest Chrome update will not impact publishers who implement ‘hard’ subscription-only paywalls, but rather those that allow visitors to read a handful of free articles before blocking access to content.
Incognito Mode is not as secure as the Tor network, but is still considered more private than standard sessions, as it does not save browsing history or cookies.
Google has vowed to adhere to private browsing principles in future updates.
“Chrome will likewise work to remedy any other current or future means of Incognito Mode detection,” Google says.
The changes will make publishers and advertisers rethink metered access strategies.
Google has suggested that the changes to the FileSystem API should be “monitored” when considering their next steps, as “any impact on user behavior may be different than expected and any change in meter strategy will impact all users, not just those using Incognito Mode.”
Chrome 74, released in April, included an Incognito detection blocking feature that served the same purpose, but users had to enable it themselves; it was not default browser behavior.
“When it comes to private browsing features, it will continue to be a cat and mouse game between websites and browsers to detect things like Incognito mode, since these features can affect a site’s ability to monetize users,” Paul Griswold, director of IBM X-Force Threat Intelligence, told The Daily Swig.
“Users that are very serious about privacy will use a ‘defense in depth’ approach – such as using both a VPN and a privacy-focused DNS (like Quad9) in conjunction with a browser’s Incognito mode.”
Chrome 76 will also block Adobe Flash by default, allow websites to automatically display dark mode based on user preferences, and include improvements to its payments API.
It will now be less of a challenge for developers to use the payments API with self-signed certificates.
Developers may also find the streamlined installation of Progressive Web Apps via new omnibox buttons useful. Starting in Chrome 76, Chrome will be checking WebAPK manifests every 24 hours, rather than every three days.
Earlier this month, Google announced the deprecation of XSS Auditor for Chrome.
XSS Auditor was subject to bypass exploits and information leaks and was also known to produce false positives in past versions of the browser, leading Chrome developers to retire the feature.