These Icons Can Track You! New Vulnerability Discovered!

  • Published: 8 Sep 2024

Comments • 900

  • @shubhodipsaha4494 3 years ago +2150

    Now Firefox can say "Its not a bug, its a feature"

  • @Chlorate299 3 years ago +422

    Dear Firefox, please don't fix that bug.

    • @Seytonic 3 years ago +150

      It's not a bug, it's a 'feature'

    • @ocsanik502 3 years ago +6

      Shh

    • @romoney 3 years ago +1

      @Seytonic you said it's a bug

    • @Androidy 3 years ago +14

      @romoney r/wooosh

    • @hadrionics2755 3 years ago +12

      Dear firefox, please don't fix the bug that literally does nothing.

  • @benvoisey3942 3 years ago +483

    This is probably the most I have ever heard "favicon" in one video.

    • @Seytonic 3 years ago +99

      After you've said favicon 100 times you start questioning if that's even a real word.

    • @Aura_Mancer 3 years ago +24

      @Seytonic That's a documented phenomenon! It's called semantic satiation

    • @bruhmomenthdr7575 3 years ago +1

      @Aura_Mancer also colloquially referred to as “jamais vu” which roughly translates to “never seen”

    • @tanned_cosines_ 3 years ago

      @Seytonic 🤣🤣🤣🤣🤣🤣🤣🤣

    • @miwiki6 3 years ago +2

      i have never heard someone say favicon before

  • @Barzz 3 years ago +966

    2021: what could go wrong?
    Also 2021: getting tracked using favicons.

    • @florinbaciu2325 3 years ago +19

      Also 2021: this video is sponsored by xyz vpn

    • @WarframeCrunch 3 years ago +2

      @florinbaciu2325 Everything is now advertised as a hack or tool to track your IP address what you do what you download, BUT HEY THERE IS A VPN, THIS VIDEO IS ALSO SPONSORED BY VPN! :D
      SO what they want to know? What kind of porn I like? Seriously?
      Videos full of crap bulls**t to make people use VPN.

    • @safeforwork8546 3 years ago +3

      @WarframeCrunch I don't think you know how sponsors work

    • @WarframeCrunch 3 years ago +4

      @safeforwork8546 money :D

    • @dimanarinull9122 3 years ago +1

      @ruakij6452 doesn't protect from that... MISSING favicons are requested regardless, it basically tracks your computer's hard-drive. completely bypassing everything based on simple http requests that happen in the background whenever you enter a site.
      the command in question is
      GET /favicon.ico HTTP/1.1
      Host: localhost:27015
      Connection: keep-alive
      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36 OPR/73.0.3856.415
      Accept: image/avif,image/webp,image/apng,image/*,*/*;q=0.8
      Sec-Fetch-Site: same-origin
      Sec-Fetch-Mode: no-cors
      Sec-Fetch-Dest: image
      Referer: localhost:27015/
      Accept-Encoding: gzip, deflate, br
      Accept-Language: en-US,en;q=0.9
      this is from my simple web server
      the response can be either an "HTTP/1.0 200 OK" or "HTTP/1.0 404 Not Found" or whatever other code it might try and use.
      there is even the apache meme code "HTTP/1.1 218 This is fine"

  • @dionyzus2909 3 years ago +307

    Psychiatrist: Evil mosquito hacker is not real, don't worry about him!
    Evil mosquito hacker: 0:17

  • @DevPieter 3 years ago +206

    Of course, there is a vulnerability with those little icons.
    Why shouldn't it be... *disappointed noise*

    • @percyblakeney3743 3 years ago +1

      Or even a slide whistle sound would work. Haha.

    • @rodricbr 3 years ago +2

      I thought this was already a thing

    • @ChrisJones-rd4wb 3 years ago

      me only using text based browser with no javascript: huh

    • @onlyeyeno 3 years ago +4

      @ChrisJones-rd4wb LOL ;) "Sure You are..."
      That explains why You are here, on a JAVASCRIPT driven comment section of a Video !!!
      I'm sure You must be "quite the hacker" accomplishing that little feat ;)

    • @IkeVoodoo 3 years ago

      @onlyeyeno r/murderedbywords
      Good job sir, you gottem

  • @k-sansenpai7774 3 years ago +126

    Golden rule of IT:
    Someone's bug is someone's feature

  • @saltyscrimp 3 years ago +144

    Can't wait for every sketchy website in the world to suddenly start taking a REALLY long time to load.

    • @madghostek3026 3 years ago +6

      From time to time I get redirected to this fake yt advert that holds you in redirects loop until you close the tab hmmm, does anybody know what I'm talking about?

    • @ARosas 3 years ago +2

      @madghostek3026 I've had those

    • @SmokeyTube 3 years ago +1

      Yeah lol

  • @MsHojat 3 years ago +27

    "only 2 seconds to page load time" That is huge! (and I'm not surprised) Plus I could see 32 redirects taking a lot longer than that for certain people's internet connections that are higher latency.

    • @ThePC007 3 years ago +5

      Yeah, no kidding. 2 seconds will easily rank you down on Google and would affect your traffic even if it didn't. People usually click off a site and go to the next one when it doesn't load quickly.

    • @realjameskii 3 years ago +6

      I am a grade a idiot but would a fake cloudflare like page conceal most things

    • @l0k048 3 years ago +1

      how do i know if this happened to me? pages take around 10 seconds to load :

  • @meghraitudu 3 years ago +17

    It is very sneaky how you said "not from this" while marketing the VPN.

  • @NithinJune 3 years ago +196

    "which browsers are affected? ...
    Chrome"
    so basically all of them lol

    • @Why72833 3 years ago +11

      I'm immortal my compute is so crummy it cant run chrome

    • @shelby255 3 years ago +23

      Except brave

    • @Giovanni-rh1pw 3 years ago +11

      @Mitex imagine not using edge on windows

    • @alouisschafer7212 3 years ago +28

      fucky situation since every single Chromium based Browser has that vulnerability except Brave

    • @TimeTravelingFetus 3 years ago +11

      @Giovanni-rh1pw imagine using windows

  • @ashuborhade4170 3 years ago +38

    Firefox: task failed successful

  • @vidal9747 3 years ago +124

    Well, since I use firefox, nothing to be worried about.

  • @vishwas5371 3 years ago +202

    Me who uses firefox: *signature look of superiority*

    • @onlyeyeno 3 years ago +22

      Yea... "FireFox" the browser that keeps You secure by its incompetence ;)

    • @boblewis5558 3 years ago +21

      Me, who has used Brave since its release and Duck Duck Go ... Even smugger look than usual! 🥰🥰

    • @IkeVoodoo 3 years ago +3

      Me, with JavaFX browser:
      Or just AWT

    • @aleksandraleksandrov4740 3 years ago +7

      @onlyeyeno Explain.

    • @hpsmash77 3 years ago +2

      naah brave beats you all

  • @themannyzaur 3 years ago +11

    At this point I won't be surprised if the fookin scrollbar is used to track us!

  • @window.location 3 years ago +141

    tor users: ooff, that was close

    • @emmanuelsinger1513 3 years ago +39

      Tor: laughs in Firefox browser engine

    • @kelu5439 3 years ago +2

      @emmanuelsinger1513 tor dont have the firefox browser engine bro

    • @generallyunimportant 3 years ago +4

      @kelu5439 it literally uses firefox as its base

    • @aleksd286 3 years ago +2

      @kelu5439 it’s literally mentioned on their website, and Wikipedia that Tor uses Firefox browser engine as its base. The hell you talking about?

  • @jimitsoni18 3 years ago +41

    Tails: Oh no, anyways

  • @Tuulos 3 years ago +42

    Time to boot up Tails it seems. And probably reboot it between different web pages just to be sure.

    • @Giovanni-rh1pw 3 years ago +3

      Next level tinfoil hat

    • @alouisschafer7212 3 years ago +2

      @Giovanni-rh1pw at this point why use the Internet at all?
      Tails is for people who are being hunted or tracked 24/7.

    • @catgoesgaming 3 years ago

      @alouisschafer7212 Ironic seeing as you are using the internet right now.

    • @zacknattack 3 years ago

      @catgoesgaming ...no? They're not the one using Tails.

  • @techplayz06 3 years ago +5

    An unpatched bug turned out to be a feature!
    Now firefox developers can say "It's not a bug! It's a security feature"

  • @haithem8906 3 years ago +17

    what if they use randomness to the equation
    ex: sometimes it loads sometimes it doesn't
    or 1 for each 4 websites it download the favicon even if its in the database

  • @broswitch4308 3 years ago +6

    From supercookie: In the article a possible threat model is explained that allows to assign a unique identifier to each browser in order to draw conclusions about the user and to be able to identify this user even in case of applied anti-fingerprint measures, such as the use of a VPN, deletion of cookies, deletion of the browser cache or manipulation of the client header information.
    So the ad at the end isn’t true to what you said in the video

  • @cripplingdepression8889 3 years ago +25

    Here's a few solutions to that:
    Eat favicons: Have your browser always download favicons whenever it goes on a website, no matter if the browser already has it cached.
    Block multiple redirects: This is already a security in many browsers, you may sometimes see an error called ERR_TOO_MANY_REDIRECTS, we just need to set a threshold of redirects per tab and per second to prevent anything over 10 redirects.

    • @jadsdoeslights 3 years ago +2

      10 redirects still allows 2^10 unique favicon combos, I would've thought a much lower value would make sense

    • @MatheusPratta 3 years ago +6

      Honestly anything beyond 2-3 redirects is already too much and should at least trigger a warning to the user... Also, this should be in the space of like 5 seconds or so, because there's A TON of annoying websites who chain redirect you either via HTTP or JS so that you can't click the back button.

    • @monkemode8128 3 years ago +2

      @jadsdoeslights combine both. after x number of redirects make the browser redownload favicons. You'll then get the performance benefits of caching in most cases, and if some website is using a lot of redirects to function (it's dumb, but some do) it will minimally affect them.

    • @jonasstrehle 3 years ago +6

      Please note that the redirects [on supercookie.me] are performed on the client side via JavaScript. There’s no limit and no TO_MANY_REDIRECTS-error.

    • @godlyish7978 3 years ago +1

      Why would it ever benefit you to do 10 redirects? Why not just disable redirects simpliciter

  • @pumpkinjutsu1249 3 years ago +12

    Tip: You can set browser.chrome.site_icons to false in Firefox about:config. Since Firefox downloads Favicons each time, this way, I think, it won't.

  • @pythonmafia 3 years ago +39

    These attacks have been in the wild for a while now. There are other related issues the publisher is either missing or intentionally not releasing.

  • @trueriver1950 3 years ago +3

    What we really need is a browser that spams any favicons used in a redirect.
    Even better, the urls could be shared by peer to peer so that every redirect favicon is background downloaded at random times from a few hundred randomly selected users none of whom are the original user.
    Generate enough clutter and the tracking won't work.

  • @kave_dev 3 years ago +2

    2016: Websites track you
    2021: Icons track you

  • @zdjhjsbfhushx 3 years ago +4

    How would a VPN even help you at all against this? In the supercookie.me example, your unique tracking ID won’t be affected by your IP address and can be tracked back to you no matter what your IP is.

    • @Seytonic 3 years ago

      I made clear a VPN will not help right before the ad :)

    • @zdjhjsbfhushx 3 years ago +1

      @Seytonic Yeah, I must’ve missed the “not from this” part. It’s still a bit misleading since you go from talking about how to prevent the supercookies to immediately advertising a VPN, mentioning “how to protect yourself” in both the video and video segment labels.

  • @Zodliness 3 years ago +2

    Most websites use nefarious techniques to acquire browser and user data, often including personally identifiable tracking information and that's just at the very surface of their activities.

  • @HeyLittleBitty 3 years ago +17

    I like Brave browser, removes ads almost anywhere

    • @stop8576 3 years ago +4

      Le shill lion

    • @tato1271 3 years ago +6

      It's the best privacy focused browser for the average joe IMO

    • @PastyMancer 3 years ago +1

      @tato1271 And brave rewards, which you can use to donate to Wikipedia.

    • @wigue2619 3 years ago

      lol no i see tons of ads

    • @steezykane4738 3 years ago

      Opera is the best browser removes every and any ad

  • @BinaryStar10 3 years ago +2

    How exactly would VPN help against supercookies? AFAIK they don't delete favicon caches on your PC. They just fake the IP address you're connected from which in this case is useless in preventing tracking.

    • @Seytonic 3 years ago

      They don’t help, I made sure to mention this before the ad

    • @BinaryStar10 3 years ago

      @Seytonic It's cool then. It was so brief that I missed it on first watch

  • @user-md3is4dq2d 3 years ago +8

    Why can't there just be a program made that automatically clears your favicon database on page load. I'd imagine it would be pretty simple.

    • @cbtube1191 3 years ago

      Basically it's like cookies if you clear all cookies the website will load for long time each time you open it

  • @coldblackice 3 years ago +4

    _'Good thing advertisers can't influence me'_
    2:32
    *Starts looking for pants so I can go find a store that sells snickerdoodles*

  • @hetsmiecht1029 3 years ago +10

    4:28 your sponsor message is a bit misleading. It sounds like you are implying that a vpn will protect you from these supercookies, even though that is not something VPNs can do.

    • @carlosnava1471 3 years ago +1

      > To protect yourself, not from this but other things
      Something doesn't add up

  • @GlitchyPSI 3 years ago +1

    Reminds me of the time a friend's website got some PHP infection and the favicons were turned into small PHP snippets which executed its payload

  • @rachitjasoria001 3 years ago +7

    What happened to the portable bathtub???😂😂😂🤣

    • @Seytonic 3 years ago +1

      Oh dear 😅😅

  • @jlamothe2 3 years ago +1

    You know, it's amazing how often these attacks show up that are so obvious when you understand them, but so genius at the same time.

  • @mediaicon8774 3 years ago +3

    One wonders if this vulnerability would exist in other programs using favicons (ie KeePass with the favicon downloader plugin installed)
    As always great job. Happy to see you have a sponsor for this. Hoping that means you are planning on keeping up the quality good work.
    Thank you seytonic.

  • @natebait 3 years ago +2

    "a picture worth a thousand words" taken to a whole 'nother level

  • @eperou6299 3 years ago +26

    Me, using firefox: i am above consequences

  • @tuna3977 3 years ago +2

    Actually, you can delete the Favicon-Cache easily, and they are not permanent (they have Time-To-Live). Different browsers may have different paths for the Favicon-Cache directory/file. For example on Chrome, they are stored in an SQLite file called "Favicons".
    There are also different techniques for forcing favicon refreshes, but I think the easiest one is deleting the Favicon-Cache file/directory. You can even make a script to automate it.

  • @DamianAI9 3 years ago +10

    Brave browser is the Future it's so good, and when you are into Crypto it's even better :D

    • @IStMl 3 years ago

      also scummy

  • @ipad6gaming659 3 years ago +1

    2020:Old logos
    🆚
    2021:Ultimate nice new logos

  • @odisclemons9700 3 years ago +5

    Holy shit that is fascinating and frightening at the same time. Im just in awe at some peoples ingenuity.

  • @muchacho2525 3 years ago +2

    Hey, it's me. That one guy still using edge. Thanks for mentioning me in your video

  • @davidbazon 3 years ago +7

    "...for the one person using Edge."
    Me: Watching this on Edge
    I AM THE CHOSEN ONE

    • @milos. 3 years ago +1

      SAME LMAOOOO

  • @4.0.4 3 years ago +2

    When I clicked on this I really thought it was something like reading the favicon pixels in a canvas or something. A chain of redirects sounds like it'd be slow...

    • @cbtube1191 3 years ago

      Same here but after thinking about it if it's like steganography encryption it wouldn't be on every site now it's like your favicon for the website is saved to another database you can't really get rid of it

  • @coolvideoish 3 years ago +17

    Mates, what is this stock footage today

    • @dafoex 3 years ago +7

      I don't know about you, but now I want that beanie-sunglasses combo hat

    • @ryann7741 3 years ago

      @dafoex yesss

  • @SirNickyT 3 years ago +1

    Brave still has a variety of issues here and there but I've found that for the most part it offers more benefits than it does problems. I like Firefox too but Chrome and Safari can eat me.

  • @Emerald29 3 years ago +3

    "not even incognito will help you"
    wellll shit

  • @abdelhak3670 3 years ago

    Condensed but not boring, concise but feels exhaustive

  • @SierraAngel1 3 years ago +27

    Do you want to bs people? Talking bout that and then say "You need VPN" which would not help AT ALL on this topic...

    • @Seytonic 3 years ago +9

      I made clear a VPN will not help right before the ad :)

    • @moth5799 3 years ago +3

      @Seytonic VPNs aren't even helpful since they're run by private companies. Tor is much better as a proxy.

    • @kartonrad 3 years ago +2

      @moth5799 ye but video streaming over tor for instance is not feasible

  • @efaz384 3 years ago

    This explains why sometimes websites redirects me to google favicon link

  • @Aras14 3 years ago +5

    Wouldn't favicon tracking have to be opt-in in Europe

    • @TKzTechnology 3 years ago +2

      lol gtfo xD

    • @trueriver1950 3 years ago

      Like yeah. That would work
      They could solve ransomware too by making that opt-in, too...

    • @Aras14 3 years ago +1

      @trueriver1950 unlike people who make ransomware, the companies that make websites are known by the government.

  • @MCLooyverse 3 years ago

    It seems like the easy solution is to just download the favicon every time. 32^2 = 2^10 = 1024, 1024 * 3B = 3kiB. 3kiB plus a few bytes of overhead is *nothing* nowadays, I'm pretty sure, and surely the tiny bit of time save isn't worth the space and headache (and now, tracking risk) it takes to implement.

  • @florinbaciu2325 3 years ago +4

    As I said on Instagram, you will have a vpn sponsor soon 🤣

  • @Doctor_Ks 3 years ago +1

    maybe thats why opera's incognito doesnt have favicons

  • @umarhasnain7369 3 years ago +3

    I just found it cringy that this video is also sponsored by ExpressVPN. Clever most marketing tactics.
    I think you will be the most profitable person from this video. People will rush out to download it.

  • @TheYoutubeVideoFactory 3 years ago +1

    "My vpn of choice" is really "the vpn who paid me the most money"

    • @Seytonic 3 years ago +1

      NordVPN pays more

    • @Scaramouche122 3 years ago +1

      @Seytonic but how about creating your vpn yourself. On a vds?

  • @TheFuturistPodcast 3 years ago +6

    I am that guy that's still using Edge.. And I absolutely LOVE IT!

    • @onlyeyeno 3 years ago +1

      Most people being "snarky" about Edge fail to realise that it basically is "the same browser" as they are using. Except maybe for the "look and feel" and some differences in the "feature set"... What I'm getting at is the fact that Edge nowadays is based on Chromium, Just like ALL other browsers out there with two exceptions* ... So most people being "snide" about "Edge" are simply ignorantly presuming that it "the same as I.E."...
      *The only two browser engines existing (not counting "hobby projects") are Firefox and Safari... Every other browser is based on "chromium" i.e. Chrome...
      Best regards.

  • @imstealing 3 years ago

    Yes image files have been vulnerable for over a decade now from anything to masking executables to hiding Java drive-bys. I don't know why people decided that fave icon image files were somehow excluded from that issue lol

  • @shevrd9978 3 years ago +6

    I just realized that im probably that one guy still using Edge 😥

    • @Syed-wj4pj 3 years ago +3

      nope, the new one is pretty good

    • @sensei3265 3 years ago +2

      U r not alone. I use it 80% more than chrome

    • @thenasadude6878 3 years ago

      Firefox as main, Edge as backup and for Microsoft stuff (Azure, Exchange ECP etc.)
      Firefox 45 portable for legacy stuff
      Firefox 12 portable for legacy legacy stuff
      I never understood why people choose Chrome

    • @rexevan6714 3 years ago

      No you are not. I use firefox as main, and Edge as backup and microsoft stuff

  • @Victor_Marius 1 year ago

    Not loading favicons from cache is only a bug if it piles up in the memory for the same favicon otherwise it's not. Maybe Firefox load them from cache when you're out of network/offline, if not they shouldn't even bother saving them... 2kb are nothing compared to several MB of ads of all kinds. And I remember how annoying it was when trying to change a favicon for a website, there were different sizes and formats for different browsers and it didn't seem to change even after cache deletion.

  • @leoniresquim541 3 years ago +3

    me, who uses brave for 3 years:
    *laughs in adblock*

  • @raymondsabee 3 years ago +1

    I have been following you for not too long but i love the way you tell the story. For someone who hates podcasts because of my short attention span, it is a pleasure to listen to you. Anyway, when my NordVPN subscription ends next month, i will switch to ExpressVPN (bookmarked it with your ref code ;-)). what was i saying again? Oh right, short attention span and all.... Have a good one!

    • @Seytonic 3 years ago +1

      Cheers my dude :) really glad you enjoyed the video!

    • @raymondsabee 3 years ago

      @Seytonic Thanks! I hit you up on your maltronics e-mail about an order i want to place, awesome.

    • @Seytonic 3 years ago +1

      Sure thing, I respond to emails every morning. I’ll get back to you shortly.

    • @raymondsabee 3 years ago

      @Seytonic Thanks, no rush!

  • @peppidesu 3 years ago +9

    makes a video about internet security, but the sponsor is a vpn. biggest disappointment in my entire life.

  • @tematrixmayhem 3 years ago

    I have noticed something weird with favicons in chrome android incognito mode. New random websites have favicons of other websites in tab list view( or whatever its called). Now all websites even Google has linkedin's favicon.

  • @rolandchristensen5889 3 years ago +4

    Still been repping Firefox, glad to be safe from fuckin favicons

  • @namesurname4666 3 years ago +1

    I remember since a lot of years getting redirected to favicon from a streaming website and searching what it was and it was just an icon

  • @gspapp 3 years ago +14

    they tracked down my hentai

  • @lennontheguy 3 years ago +1

    Seytonic: Not even incognito mode wont stop them from tracking you.
    Me: *chuckles* im in danger

  • @Paco1337 3 years ago +8

    Getting tracked by favicon.ico 🤨 Good thing is that I'm using Brave for a year now and couldn't be more happy with it. Also I'm sad that person like you advertise VPN as safe, but I get it you got to get that bread

    • @Seytonic 3 years ago +5

      I made sure to explicitly state that using a VPN does not protect you from this.

  • @waynemwandi6522 3 years ago

    That was a smooth segue into the ad 🤣🤣🤣
    Respect

  • @iMonZ00 3 years ago +6

    You can do something: finally switching to Firefox!
    Why are you waiting?

  • @Sant268 3 years ago

    I think that Firefox had a problem with storing favicons because only Firefox allows Favicons to be in GIF format

  • @madrocker5031 3 years ago +3

    Brave ftw

  • @TheWorthyWubba 3 years ago

    All I just know is that a site sees you as your IP. When you visit a site, it will store your IP, Browser you use and the device you use (PC or Mobile). Even if you use Incognito, it will still store those things and if it's the same as when you visited that site. It will show you the most relevant thing that you search on that site. I still don't know what's the big deal about this cookies ( because I still don't know other use of it other than as a token for someone that visits a site ) because I think you can't use a cookie from a site to the other site.

  • @SantoLucasST 3 years ago +1

    Wait, what if I've never downloaded any of those favicons, and some other guy also never downloaded them, our signatures would be the same, right?

    • @leandroebner1405 3 years ago

      Yeah, more like non-existing or empty, for example 16bit = 0000000000000000d

  • @mycelia_ow 3 years ago

    Private internet access is still cheaper and faster than express. I get virtually no bandwidth loss, but I did when I used Express like you usually would with others. Albeit it was an older version of express, but still, PIA is king.

  • @Syed-wj4pj 3 years ago +1

    Microsoft Edge (Chromium) i.e. the new one, came out last year) is actually better performing and privacy than chrome, I encourage you to look into it

  • @kilgarragh 3 years ago +1

    TELL ME THIS! How does a vpn stop a fav icon from loading from cache or downloading?

  • @KuroHebi 3 years ago

    Firefox : has a bug that actually increases security.
    Also Firefox: "It's not a bug, it's a feature.".

  • @tr7zw 3 years ago

    Actually kinda prefer the way Firefox handles that. Not loading the fav.ico on page load with a chrome browser = you are a new person that never has been there. On the other hand, someone in Chrome using incognito mode so no cookies will not load it, so the page can basically directly tell that you are hiding something.

  • @codertommy6883 3 years ago +1

    VPNs show a big problem with the internet today: We can't trust the big corporations that we pay for our internet, so we buy another service to prevent them from doing so.

    • @Blastbrean 3 years ago

      and then those services also, cannot be trusted.

    • @codertommy6883 3 years ago

      @Blastbrean yep

  • @avashurov 3 years ago

    After 3rd redirect I navigate out of that page and never visit it again. Pages that redirect like that tend to be scam in 99% of cases

  • @percyblakeney3743 3 years ago +2

    Fonts are also overlooked. :) So much can be done with just one pixel.

  • @marinepeye8118 3 years ago

    Firefox: search for favicons.sqlite. Use a sqlite tool to empty all tables and then change the file to "read-only". You may be amazed how many records there are. The clear browser data feature in Firefox does not delete the data in these tables.

  • @geografiaeducativa2727 3 years ago

    If the cache is constantly deleted, could the damage be mitigated?
    could be:
    on Mac: delete the following file
    ${user.home}/Library/Application Support/Google/Chrome/Default/Favicons
    on Windows: delete Favicons-journal and Favicons files from the following location
    C:\Users\nomeutente\AppData\Local\Google\Chrome\User Data\Default
    and browser restart is suggested. sorry my bad english
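
Added example (not part of any comment and not browser-vendor code): the "empty all tables" clean-up that the comments describe for Chrome's `Favicons` file and Firefox's `favicons.sqlite`, written with Python's `sqlite3`. The table names and URLs in the sample database are constructed for the demo; the function works on whatever path it is given and refuses to run while another process still holds the file.

```python
import os
import sqlite3
import tempfile


def _quote(name):
    # Quote an identifier read from sqlite_master before using it in SQL.
    return '"' + name.replace('"', '""') + '"'


def table_counts(conn):
    """Row count for every non-internal table in the database."""
    names = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    return {n: conn.execute(f"SELECT COUNT(*) FROM {_quote(n)}").fetchone()[0]
            for n in names}


def empty_favicon_db(path):
    """Delete all rows from a favicon database; return the counts found.

    Raises FileNotFoundError for a wrong path (sqlite3 would otherwise create
    an empty file) and RuntimeError if another process has the file locked.
    """
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    conn = sqlite3.connect(path, timeout=1, isolation_level=None)
    try:
        try:
            conn.execute("BEGIN IMMEDIATE")   # take the write lock up front
        except sqlite3.OperationalError as exc:
            raise RuntimeError(f"{path} is in use, close the browser first") from exc
        before = table_counts(conn)
        for name in before:
            conn.execute(f"DELETE FROM {_quote(name)}")
        conn.execute("COMMIT")
        conn.execute("VACUUM")                # drop the freed pages from the file
        return before
    finally:
        conn.close()


def build_sample(path):
    """Constructed stand-in for a favicon database (table names are made up)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE icons (id INTEGER PRIMARY KEY, icon_url TEXT, data BLOB)")
    conn.execute("CREATE TABLE page_to_icon (page_url TEXT, icon_id INTEGER)")
    for i in range(3):
        conn.execute("INSERT INTO icons VALUES (?, ?, ?)",
                     (i, f"https://site.example/{i}/favicon.ico", b"\x00" * 64))
        conn.execute("INSERT INTO page_to_icon VALUES (?, ?)",
                     (f"https://site.example/{i}", i))
    conn.commit()
    conn.close()


def demo():
    """Run against a temporary sample file, first locked, then released."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Favicons")
        build_sample(path)
        holder = sqlite3.connect(path, isolation_level=None)
        holder.execute("BEGIN EXCLUSIVE")     # stands in for a running browser
        try:
            empty_favicon_db(path)
            refused = False
        except RuntimeError:
            refused = True
        holder.execute("ROLLBACK")
        holder.close()
        before = empty_favicon_db(path)
        check = sqlite3.connect(path)
        after = table_counts(check)
        check.close()
        return refused, before, after


if __name__ == "__main__":
    print(demo())
```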

  • @NikolaTomic 3 years ago

    Btw those icons are now part of html bookmarks, spreading so easy everywhere (dropbox clouds, Gdrive) and are pgp-like part of code, invented to compress pngs more and put in bookmarks itself!

  • @Viralvlogvideos 3 years ago +1

    This video is the living proof of "Its not a bug, its a feature"

  • @jbcentral1545 3 years ago

    Uninstall your browser, reinstall your OS, use a new account for syncing browsing preferences and information and if you're THAT concerned, use a VPN. A VPN will provide the fresh installation of the browser with an IP that isn't your own, plus the browser won't be able to tell that the IP isn't actually yours. Software isn't alive or sentient, thank goodness, internet applications generally assume that the requesting IP address is the actual location and ID of the client (there are exceptions to this rule - but they are few and far between)
    Edit: I wrote this comment before watching till the end 😅 but I'm an IT student anyway, so naturally our clan all know of the benefits of VPN use...

  • @AnilArya51 3 years ago +1

    does this bug in Firefox only exist in specific OS or all

  • @baguetteboy5466 3 years ago

    Short, to the point, and chopped up into a bunch of little sections for easy access. Very good work on the video!
    Also, I started using Brave recently and am pleased to hear that it blocks this.

  • @alimosaad6107 3 years ago

    Thank you very much, great explanation 👍👍👍

  • @gypsypath1 3 years ago +1

    Great to know that Brave already fixed it! 👍

  • @Chuck8541 3 years ago

    Is there a way to disable favicon storage in the OS, or is it only an option dependent on a browser?

  • @planefan082 3 years ago

    So that's why ad fly's system has been less annoying nowadays. I knew there was something up with the whole being-redirected-a-billion-times-before-downloading thing.

  • @hpsmash77 3 years ago +1

    feeling proud for using brave

  • @dafoex 3 years ago

    Honestly, why do you need a favicon cache? They are, as you said, 32x32 pictures, sometimes 16x16, and rarely bigger than 128x128 in my experience, and to my mind they are negligible enough amount of data to just download each time.

    • @jonasstrehle 3 years ago

      Guess that’s because favicons are displayed in offline mode in your bookmark section

  • @stephenwaldron2748 3 years ago

    I do have one question though... (multiple parts)
    How does this introduce a data security risk? Can webpages retrieve information directly or indirectly from the favicon database allowing them to read these favicon stamps? How would a stamp differ in terms of function from your device's IP address when communicating with servers?
    I could think of one way to access stamps, which is through essentially re-stamping, running the user through the redirect list again and checking if a request is made by that device for the favicon. I suppose the server doesn't have to actually send the favicon if it's checking, so the checking method can be used repeatedly.
    If multiple sites share specific checks then, they can share information about the user between them. You can use the stamp as an id, then store the information about their activities server-side. The checking site can then read the stamp as a binary string and send requests to a central service for any of the information on the user. ah, I see...
    How would it be different from an ip address though? Could it circumvent VPNs perhaps.
    I need more information on this 😩
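
Added example (not part of any comment and not the supercookie project's code): an in-memory model of the re-check described in the comment above, used to compare the mitigations proposed earlier in the thread (re-download favicons every time, clear the cache, limit redirects). There is no network code; the path names, the 10-bit width and the `redirect_cap` setting are assumptions made for the model.

```python
"""In-memory model of the favicon-cache identifier discussed in this thread.
It only compares how browser policies affect what a site can read back."""
from dataclasses import dataclass, field
from typing import Optional

N_BITS = 10                                   # constructed: one path per bit
PATHS = [f"/p{i}" for i in range(N_BITS)]     # constructed redirect paths


@dataclass
class Browser:
    always_refetch: bool = False              # request icons even when cached
    redirect_cap: Optional[int] = None        # hypothetical limit on redirects followed
    cache: set = field(default_factory=set)

    def visit(self, path, server_has_icon):
        """Return True if this page load sends a favicon request."""
        if path in self.cache and not self.always_refetch:
            return False                      # answered from the favicon cache
        if server_has_icon:
            self.cache.add(path)              # only real icons get cached
        return True


def write_pass(browser, ident):
    """First visit: the site serves an icon only on paths whose bit is 1."""
    for i, path in enumerate(PATHS[:browser.redirect_cap]):
        browser.visit(path, server_has_icon=bool((ident >> i) & 1))


def read_pass(browser):
    """Later visit: no icons are served; a path with no request was cached."""
    ident = 0
    for i, path in enumerate(PATHS[:browser.redirect_cap]):
        if not browser.visit(path, server_has_icon=False):
            ident |= 1 << i
    return ident


def compare_policies(ident=0b1011001101):
    """Value a site reads back under each browser policy (0 = nothing stored)."""
    results = {}

    caching = Browser()                       # caches icons, no mitigation
    write_pass(caching, ident)
    results["caching"] = read_pass(caching)
    results["caching_second_read"] = read_pass(caching)   # reading is repeatable
    caching.cache.clear()                     # user wipes the favicon cache
    results["after_clear"] = read_pass(caching)

    refetch = Browser(always_refetch=True)    # always re-downloads favicons
    write_pass(refetch, ident)
    results["always_refetch"] = read_pass(refetch)

    capped = Browser(redirect_cap=3)          # follows at most 3 redirects
    write_pass(capped, ident)
    results["capped"] = read_pass(capped)
    results["capped_id_space"] = 2 ** capped.redirect_cap
    return results


if __name__ == "__main__":
    for policy, value in compare_policies().items():
        print(f"{policy:20} {value}")
```

A cap only shrinks the identifier to the low bits that fit within it, while always re-requesting the icon or clearing the favicon cache leaves nothing to read.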

  • @ChipterLP 3 years ago

    While you could get 16 unique IDs using 4 redirects, what about randomly generating each favicon during every redirect into a kind of QR code looking image. If each favicon is 32x32 then that gives us 1024 pixels we can use, each can be any of the 16 million colors
    It would be possible to assign a unique favicon ID to a user upon a single redirect/page visit as the odds of 2 identical favicons getting randomly generated are near zero

    • @Seytonic 3 years ago +1

      How are you going to retrieve the favicon from the user's computer?

    • @ChipterLP 3 years ago

      @Seytonic Well simple, my original idea was proposed without me actually using my brain lol
      Yeah didn't think that last part through...Maybe I'll come up with something but for now that kinda stops my idea :D, thanks for pointing it out