Privacy

49039 readers

1506 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
Don't promote proprietary software
Try to keep things on topic
If you have a question, please try searching for previous discussions, maybe it has already been answered
Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 6 years ago

MODERATORS

122

Researchers have just unveiled a technique called FROST that lets a website work out which other websites and apps you have open, without you clicking a single thing (protonprivacy.substack.com)

submitted 1 day ago by Innerworld@lemmy.world to c/privacy@lemmy.ml

23 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] Jesus_666@lemmy.world 18 points 1 day ago* (last edited 1 day ago) (1 children)

I read about this a while ago and people then concluded that FROST is harder to exploit in real-world scenarios than in the lab. Still worth addressing and a fix shouldn't be too difficult, e.g. by adding small amounts of random latency to OPFS accesses. Firefox already does this with other APIs to make fingerprinting harder. Chromium doesn't because they love fingerprinting.

Honestly, I'm not thrilled with the OPFS model in general. Each page can randomly occupy part of your storage with you having no control over the process. You don't get asked. You can't even inspect the data. Even if it turns out to be useless for fingerprinting, the ability to use your storage invisibly with zero effort is not a power I want to hand out like candy in an environment that supposedly is assumed to be adversarial by default.

The only upside is that browsers do have a quota which is apparently shared between all instances of IndexedDB and OPFS. So the threat model of "use OPFS to fill up the user's entire storage" isn't plausible per se even if you have multiple tabs to attack with. Filling up the storage to evict other sites' stored data might actually work, though, and while it sounds like more of an annoyance, it might also become a step in some other attack.

Besides, quota size is entirely up to the browser; while Firefox uses 10% of total storage or 10 GB, whichever is lower, Chromium can in principle take up to 60% of total storage. When I tried, both a Firefox-based browser and a Chromium-based one had quotas of exactly 10 GB; I suspect that my distro's packagers configured the latter when the built the browser package.

[–] historicaldocuments@lemmy.world 2 points 1 day ago (1 children)

people then concluded that FROST is harder to exploit in real-world scenarios than in the lab

What happens if there's an extra 4GB of stuff laying around?

https://arstechnica.com/google/2026/05/no-google-hasnt-changed-chromes-local-ai-features-its-just-as-confusing-as-ever/

[–] Jesus_666@lemmy.world 2 points 1 day ago (1 children)

From what I remember, the measurements taken by the researchers were under rather controlled conditions with little other storage access to muddy the waters.

As for the 4 GB LLM Chrome now ships with: If those 4 GB create significant storage issues on your system you probably have other issues to worry about already. I'm not a huge fan of LLMs being crammed into everything but it shouldn't make much of a difference in this case.

[–] historicaldocuments@lemmy.world 1 points 23 hours ago

Hm. Had been thinking of it in terms of controlling the local file system.

Thanks.