Stories
Slash Boxes
Comments

SoylentNews is people

Privacy Concerns Flare Over Latest Chrome Browser’s ‘Forced Login’

posted by mrpg on Tuesday September 25 2018, @09:54AM   Printer-friendly
from the do-evil dept.

chromas (from IRC) writes:

Privacy concerns flare over latest Chrome browser's 'forced login'

When Google LLC launched its updated version of Chrome browser, Chrome 69, earlier this month, users were told a lot of small changes would happen all aimed at boosting productivity.

But some users now are not happy about something Google wasn't exactly selling prior to the release of the browser. That is, if you’re logged into a Google website, you will automatically be signed into the browser.

What that means is that if you're using Gmail or YouTube, for instance, because it's a Google site you will be signed into Chrome 69. Users have the option to keep signed-in of course, but they also have the option to use Chrome in Basic Mode.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Privacy Concerns Flare Over Latest Chrome Browser’s ‘Forced Login’ | Log In/Create an Account | Top | 25 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Tuesday September 25 2018, @01:45PM (3 children)

    by Anonymous Coward on Tuesday September 25 2018, @01:45PM (#739663)

    Correction,

    If you use the WWW at all, you're their bitch, since their analytics collectors are plugged into probably a more than a million popular websites. But that is actually less intrusive than the DNS mining and switch level surveillance that some of the carriers do.

    Maybe anti-trust could have helped decades ago. The government has been petitioned repeatedly for the past decade. It refused to answer for it. A new generation has been born into digital slavery. They don't know the value of what they never had. But as this whole thing gets worse and worse, they are going to figure it out.

    The economic cycle here is self evident. Somebody creates a technology that is generally good. Somebody else decides that this new technology is somehow different when it comes to civil rights. Then they extend the technology to commoditize civil rights. Some people protest. Then there is violence, and the status quo is returned. It has happened hundreds of times throughout history. Where we are now, is between the part where people have protested, and people start to do violence.

    It would be nice if the government was able to intercede. But it has so capitalized on the the liquidation of civil rights, that it's own capital investments are making decisions for it. It will not relent until those capital investments are reallocated. One way to do that is through litigatigation. Of course Cody Wilsons case (almost assuredly a a case of parallel construction) suggests that the lack of a 4th amendment, mitigates most of the utility in the 1st amendment right to petition.

    The state is operating under a mass hysteria that is creating precisely the illness it expects to find.

    Cheers!

  • (Score: 2) by bob_super on Tuesday September 25 2018, @04:39PM (1 child)

    by bob_super (1357) on Tuesday September 25 2018, @04:39PM (#739745)

    > you're their bitch, since their analytics collectors are plugged into probably a more than a million popular websites

    True question: Is blacklisting the analytics in NoScript still sufficient, or did they add more roundabout ways to spy on you?

    > more than a million popular websites

    But not SN ! Safety through obscurity !
    Muahahahaha !

    • (Score: 2, Informative) by Anonymous Coward on Tuesday September 25 2018, @06:13PM

      by Anonymous Coward on Tuesday September 25 2018, @06:13PM (#739794)

      "add more roundabout ways to spy on you?

      Yes.

      Server side session tracking is common. I haven't looked that hard at Google, but I do know that providing css via cgi is often used for this. Many sites link third party (often provided by Google) css instead of copying the files to local directories. Soylent doesn't doesn't do this, (thank you) though slash which it is based on does provide css from a cgi script, so it is able to do session tracking this way, it just doesn't appear to be configured to.

      So this is probably one of the ways they do global session tracking without client side consent. And if Google isn't doing session tracking this way, you can be sure some of the more popular CMS's and social media sites are doing it that way.

      But you don't need any particular file type. You can do it with cgi as a straight html file GET if you control the httpd server configuration file. You see this sometimes in the format of:

      http://example.com/index.html?foo=bar;baz=bam [example.com]
      http://example.com/foo.css?scooby=doo [example.com]

      In this case index.html and foo.css are actually server side executables, and the argument pairs will typically have some signature based session tracking that is being maintained in a SQL database on the server side.

      What is scary stupid, is that you see a lot of sites on TOR that use external clearnet CSS and js calls. Probably because most of them are run by the fed at this point. So while the site is TOR-ified, the session tracking is passing over the clearnet after exiting a relay node. This means that regardless of exit node, the sessions can be reassembled after the fact. None of the TORified browsers I've seen do anything about this.

      Really all browsers should have fixed this long ago. There should be NO mixed content, PERIOD. though all browsers do it. No SSL/clearnet and no onion/clearnet sites should ever load correctly. It should default to the most secure protocol, and just not load the less secure content. Browsers should also ALWAYS truncate cgi arguments from all mime types except for maybe a handful of file extensions. But that would give the appearance of breakage, and we all know that the APPEARANCE of working correctly, is more important to browser developers than actually working correctly.

      Sufficed to say that there is still a market for a secure browser. Because all the ones I've seen to date, clearly aren't, and that has been quite a few over the years. I've considered writing a localhost proxy with more granular controls to fix this. Fuck the browser manufacturers.

      And btw, that is all that is before we get into session tagging and overlay networks, where the real fun begins. Most digital communications made today are interferred with in ways that could be reasonably argued as criminal. Civil rights preclude convenience. Which is to say, that millions upon millions of felony acts of wiretapping acts are perpetrated every day. They are just being shrugged off, because there aren't a lot of people who know the technology who are willing to characterize the concepts in a legally interpretable way.

      While Google may be one player in this game, they are hardly the biggest or most offensive.

      The thing is, I really don't know all of this that well. What is most amazing is that there are tech solutions being worked on, but they are completely redundant. The problem is people are being fucked, not that we need a chastity belt. And that is a legal problem, not a technical one.

  • (Score: 2) by The Shire on Tuesday September 25 2018, @11:39PM

    by The Shire (5824) on Tuesday September 25 2018, @11:39PM (#739938)

    The google analytics and tag managers are all blockable. It's possible, though more and more technically challenging, to evade googles prying eyes.