Oh geez now even Favicons are the enemy!
Browser ‘Favicons’ Can Be Used as Undeletable ‘Supercookies’ to Track You Online
Favicons can break through incognito mode, VPNs, and Pi-holes to track your movement online
The scariest part of the favicon vulnerability is how easily it bypasses traditional methods people use to keep themselves private online. According to Strehle, the supercookie bypasses the “private” mode of Chrome, Safari, Edge, and Firefox. Clearing your cache, surfing behind a VPN, or using an ad-blocker won’t stop a malicious favicon from tracking you.
The researchers at the University of Illinois came to similar conclusions. “We find that combining our favicon-based tracking technique with immutable browser-fingerprinting attributes that do not change over time allows a website to reconstruct a 32-bit tracking identifier in 2 seconds,” they said. “Due to the severity of our attack we propose changes to browsers’ favicon caching behavior that can prevent this form of tracking, and have disclosed our findings to browser vendors who are currently exploring appropriate mitigation strategies.”
Oh nooooo!! Just not Favicons!!
@Stardust Why are people so mean?
@guigirl Yep! I loved Favicons
@guigirl Yet another reason to "CLOSE TABS"
@TbGbe Somehow it suddenly feels like i'm being reprimanded. What evil deed have i done now, unawares?
@guigirl I wasn't referring to your habits
@TbGbe Thanks! Dunno how, but i seem to have entirely missed that thread til now after you've told me. Doh!
@potmeklecbohdan I've now fully embraced & deployed your policy..
Posted from my air-gapped abacus, via ungoogled-carrier-pigeon.
& delete all bookmarks
That's what search engines are for! 😛
& clear all history
& remove all web-panels
& have no RSS feeds
Again search engines
& actually, not browse at all…
That works too.
So just a minor issue really
@TbGbe Hmmmm, now what does that ethos remind me of?
None shall pass!
It's only a flesh wound.
Oh. Oh, I see. Running away, eh? You yellow bastards! Come back here and take what's coming to ya! I'll bite your legs off!
@Stardust If you do my uBO procedure, but not also @Streptococcus' procedure, all the favicons simply get loaded again. Given these can't now be coming from "the web", i presume they're being fetched from the Favicons file.
I honestly do not understand these Dark Arts enough to grasp if that then leaves the user just as vulnerable to the original favicon "supercookie" tracking as if she'd never made any changes, or not. That's why yesterday, after i'd finished developing my uBO filters in Stable [in which btw i had already deployed "the @Streptococcus trick"], when i then returned to Snapshot [ie, my daily default browser], i decided to apply my uBO filters initially without doing "the @Streptococcus trick" [but i did delete the cache], as an experiment. The result was that all the favicons still loaded [tabs & web-panels]. So then i did also apply "t@St"... leading to my current browsing experience of having no tab/wp/bm favicons anywhere.
Now, i have to mention this. So far, i simply HATE browsing like this. I'd never before really paused to think about just how much i implicitly relied on these favicons to ease & accelerate my moment by moment browsing experience. Before, i never needed to waste clicks on the wrong WP or Tab, or otherwise pause the pointer on hover to await the tooltip to pop up. Now, i do, & it's super annoying + inefficient.
Either i'm gonna eventually adjust to this unpleasant new browsing friction, or else i'm gonna have to abandon this de-favicon'd approach & revert to standard, hang the tracking consequences. Tbh, i suspect it'll be the latter...
Snapshot [ie, my daily default browser]
Now, i have to mention this. So far, i simply HATE browsing like this.
Yep! And what about the Vivaldi android version? There is no uBO support yet.
I think that the real solution lies on the browser (engine) side.
We need our Favicons back!
@guigirl Well, surely it can't be that difficult for their devs to put a Goggle favicon on every site/bookmark etc?
I have used Mozilla-derived browsers for years, and always blocked favicons. I have gotten used to that, and have no problems. Of course, the handy all-tabs button helps on rare occasions where the tab bar gets really crowded.
One possible solution to this is to use a heuristic. If I visit the same site over and over, then I have enough trust in that site, so it's fine to store a favicon; sites I repeatedly visit have plenty of other, much easier, ways of tracking me.
What I really want to avoid is a "drive by" tracking attempt.
But the more I think about it the less likely it becomes that any given site will actually perform an attack themselves. The concept is very non-trivial. If anyone is going to implement it, it will likely be through some kind of external library or service. And from that perspective, existing blocking tools would be enough to hamper any attempts.
Until there is evidence of this being actively exploited in the wild I am not concerned.
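The heuristic suggested in the post above (keep a favicon only for sites you visit over and over), sketched as an added example that is not part of the original thread and not any browser's code. The class name, the three-distinct-days threshold and the `.example` hosts are assumptions.

```javascript
// Added example: hypothetical favicon cache admission policy, not browser code.
const DAY_MS = 24 * 60 * 60 * 1000;

class FaviconCachePolicy {
  constructor({ minDistinctDays = 3 } = {}) {
    this.minDistinctDays = minDistinctDays; // assumed trust threshold
    this.visitDays = new Map();  // site -> Set of day numbers it was visited on
    this.persistent = new Map(); // favicon URL -> bytes, kept across sessions
    this.session = new Map();    // favicon URL -> bytes, dropped on close
  }

  // Keyed by exact hostname, so a new subdomain has to earn trust on its own.
  // A real implementation might group by registrable domain instead.
  static siteOf(url) { return new URL(url).hostname; }

  recordVisit(pageUrl, nowMs) {
    const site = FaviconCachePolicy.siteOf(pageUrl);
    if (!this.visitDays.has(site)) this.visitDays.set(site, new Set());
    this.visitDays.get(site).add(Math.floor(nowMs / DAY_MS));
  }

  // Repeated reloads on one day do not count: only distinct days build trust.
  isTrusted(pageUrl) {
    const days = this.visitDays.get(FaviconCachePolicy.siteOf(pageUrl));
    return days !== undefined && days.size >= this.minDistinctDays;
  }

  // Untrusted sites still get an icon in the tab, but only for this session.
  storeFavicon(pageUrl, faviconUrl, bytes) {
    const trusted = this.isTrusted(pageUrl);
    (trusted ? this.persistent : this.session).set(faviconUrl, bytes);
    return trusted ? "persistent" : "session";
  }

  endSession() { this.session.clear(); }
}

// Constructed scenario: a one-off "drive by" page versus a regularly visited site.
function demo() {
  const policy = new FaviconCachePolicy();
  const t0 = Date.UTC(2021, 1, 10);
  policy.recordVisit("https://driveby.example/", t0);
  for (let i = 0; i < 32; i++) {
    policy.storeFavicon("https://driveby.example/", `https://driveby.example/i${i}.ico`, "x");
  }
  for (let d = 0; d < 3; d++) policy.recordVisit("https://forum.example/", t0 + d * DAY_MS);
  const where = policy.storeFavicon("https://forum.example/", "https://forum.example/favicon.ico", "y");
  policy.endSession();
  return { where, persisted: [...policy.persistent.keys()] };
}
```

After the session ends, only the repeatedly visited site's icon survives, so nothing written during a single drive-by visit remains to be read back later.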