Chrome's private browsing is broken
This defeats the purpose of Incognito. If any website is able to tell you're browsing in private mode, then the browser is leaking data that shows it's not private
@cypnk I wonder *how* they notice it. Also, does it work in Firefox?
@rysiek It seems to work in FF. I have no-script installed and settings to forget all cookies on exit. Which I guess is a roundabout way to get "Incognito"
@cypnk there's a private browsing mode in FF too. What I wonder is if this site detects FF private mode too.
@rysiek Yup. It does. It only happens when I enable JavaScript so Firefox is leaking incognito mode info as well
@cypnk right, so they're using JavaScript to detect this? Interesting.
@cypnk @rysiek it actually seems like that specific attack vector has been taken care of:
https://stackoverflow.com/questions/7290959/how-can-i-detect-visited-and-unvisited-links-on-a-page#7291538
@grainloom @rysiek Once again, JS proves to be the weak point
@grainloom @cypnk yeah, it's an old one. I remember this being a think some decade ago or so.
@rysiek @cypnk they have other ways though, at least for detecting if something has been loaded (this probly won't detect private browsing): measuring loading times.
If stg has been cached, it will load faster.
This, afaik, does not have a mitigation.
(but it still doesn't answer how private browsing is detected)
@rysiek Yeah. Something either failing in adblocking (I have uBlock Origin) or there's a secondary route that's causing the browser itself to leak the status