Hacker News | awesome_dude's comments

This is probably a naive question, but...

Doesn't the idea of swapping extension specific IDs to your browser specific extension IDs mean that instead of your browser being identifiable, you become identifiable?

I mean, it goes from "Oh they have X, Y, and Z installed" to "Oh, it's jim bob, only he has that unique set of IDs for extensions"


It's not a naive question. This comment says it's not possible to do that: https://news.ycombinator.com/item?id=46905213

Oh, it's (re)randomised upon each restart, whew, thanks for the heads up

edit: er, I think that that also suggests that I need to restart firefox more often...


The webpage would have to scan the entire UUID space to create this fingerprint, which seems unlikely.

Just have a database of UUIDs. Seems pretty trivial to generate and sort as it's only 16 bytes each.

That's actually a bright idea! Have you ever thought about applying for VC funds?

Once you deliver that, you can also think about a database of natural numbers!


But that has no moat. Anyone can generate a database of natural numbers using SOTA models.


The write-up for it is surprisingly interesting! https://eieio.games/blog/writing-down-every-uuid/#toc:entrop...

Woosh

someone took your joke and made it real

16 bytes is a lot. 4 bytes are within reach, we can scan all of them quickly, but even 8 bytes are already too much.

Kolmogorov said that computers do not help with naturally hard tasks; they raise a limit compared to what we can do manually, but above that limit the task stays as hard as it was.



"Just" have a database, and then what? I can set up a database of all UUIDs very easily, but I don't think it's helpful.

Where are you storing them, a black hole?

All you need is basic compression, like storing the start and stop points of each block of UUIDs in the database.

Wait, you already linked to everyuuid. Do you think the server it's on uses black hole storage?


Fast writes, very slow reads.

I would store them as offsets within the digits of pi.


lol

Let's go a step further and just iterate through them on the client. I plan on having this phone well past the heat death of the universe, so this is guaranteed to finish on my hardware.

  function* uuidIterator() {
    const bytes = new Uint8Array(16);
    while (true) {
      yield formatUUID(bytes);

      // Increment the 128-bit big-endian counter, propagating the carry.
      let carry = 1;
      for (let i = 15; i >= 0 && carry; i--) {
        const sum = bytes[i] + carry;
        bytes[i] = sum & 0xff;
        carry = sum > 0xff ? 1 : 0;
      }

      // A carry out of the top byte means every value has been yielded.
      if (carry) return;
    }
  }

  // Render 16 bytes in the usual 8-4-4-4-12 hex layout.
  function formatUUID(b) {
    const hex = [...b].map(x => x.toString(16).padStart(2, "0"));
    return (
      hex.slice(0, 4).join("") + "-" +
      hex.slice(4, 6).join("") + "-" +
      hex.slice(6, 8).join("") + "-" +
      hex.slice(8, 10).join("") + "-" +
      hex.slice(10, 16).join("")
    );
  }

This is free. Feel free to use it in production.

What license is this? Company policy says we can't use Apache licensed stuff.

Free space heater

I don't think that's the case. I have the Earth View extension installed which shows a random google earth image.

I have this set as my homepage in Firefox as moz-extension://<extension-id>/index.html, and this has not changed since installing the extension. The page still works.


Doing it on restart makes the mitigation de facto useless. How often do you have 10, 20, 30d (or even longer) desktop uptime these days? And no one is regularly restarting their core applications when their desktop is still up.

Enjoy the fingerprinting.


I restart my browser basically every day.

yeah I close out everything as a mental block against anything I'm working on.

I think there's a subset of people that offload memory to their browsers and that's kinda scary given how these fingerprint things work.


You just need to open so many instances and tabs in each instance that it crashes every couple days

Umm, I restart my PC about once a week for security and driver updates.

If you don't, you have a lot more to worry about beyond fingerprinting...

Oh and I'm on LINUX (CachyOS) mind you.


There isn't enough energy in the solar system to count to 2^128. Now a uuid v4 number "only" has 2^122 bits of entropy. Regardless, you cannot realistically scan the uuid domain. It's not even a matter of Moore's law, it is a limitation of physics that will stand until computers are no longer made of matter.

Why does the browser even allow a website to query for installed extensions? I really don't see what the point of that would be.

The website should never be able to tell what's running in my browser, or on my computer in general. The browser renders the page, maybe runs a little Javascript, but there's no reason why it should be able to query anything about my environment.

I wonder how much stuff would break if the Chrome sandboxing was extended to preventing access to chrome-extension:// from Javascript loaded off random websites.


Maybe, but how long are the extension ids? And if they are random, how long to scan a trillion random alphanumeric ids, to find matches?

I presume the extension knows when it wants to access resources of its own. But random javascript, doesn't.


The extension IDs are UUIDs/GUIDs, so 128 bits of entropy. No site is going to be able to successfully scan that full range.

And just in case the magnitude of that isn't obvious to people, that means there are 340,282,366,920,938,463,463,374,607,431,768,211,456 total possible UUIDs. Good luck.
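
To put numbers on the scanning argument in the comments above (4 bytes within reach, 8 bytes too much, a full UUID out of the question), here is an added example that is not part of the thread. The rate of one million probes per second and all function names are assumptions; a version-4 UUID carries 122 random bits.

```javascript
// Added illustration, not from the thread: cost of guessing a random ID.
const SECONDS_PER_YEAR = 31_557_600n; // Julian year (365.25 days)

// Expected guesses to hit one specific ID among 2^bits candidates,
// trying each candidate at most once: half the space.
function expectedProbes(bits) {
  return 2n ** BigInt(bits) / 2n;
}

// Expected duration of that search in whole seconds.
// probesPerSecond is an assumed rate, not a measured one.
function expectedSeconds(bits, probesPerSecond) {
  return expectedProbes(bits) / BigInt(probesPerSecond);
}

function humanize(seconds) {
  if (seconds < 3600n) return `${seconds / 60n} minutes`;
  if (seconds < SECONDS_PER_YEAR) return `${seconds / 3600n} hours`;
  return `${seconds / SECONDS_PER_YEAR} years`;
}

// log2 of the chance that `probes` guesses hit any of `installed` random IDs
// (union bound: probes * installed / 2^bits, capped at probability 1).
function log2HitProbability(bits, installed, probes) {
  return Math.min(0, Math.log2(probes) + Math.log2(installed) - bits);
}

function report(probesPerSecond = 1_000_000) {
  const spaces = [
    ["4 bytes", 32],
    ["8 bytes", 64],
    ["UUIDv4, 122 random bits", 122],
    ["16 bytes", 128],
  ];
  return spaces.map(([label, bits]) => ({
    label,
    expectedProbes: expectedProbes(bits).toString(),
    duration: humanize(expectedSeconds(bits, probesPerSecond)),
  }));
}

console.table(report());
```

With 30 installed extensions and a budget of a billion probes, `log2HitProbability(122, 30, 1e9)` comes out at roughly -87, that is, a hit chance of about 2^-87.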

ChatGPT told me it can be done though.

It won't disclose how, as it says it has had several users report it. And that it expects 50% of the bounty, and will use it for GPU upgrades.


Yes, that's how browser fingerprinting works and it is impossible to defeat because there are just too many variations in monitors (relevant for fonts), simple things like user agent, etc.

And browsers trying to mitigate fingerprinting are miserable to use (fixed window size with only Arial available, etc) and probably fingerprintable anyway.

If nothing else this puts the spotlight on alternatives to Teams/Slack, which will increase adoption, and should increase pressure to improve (as far as that goes...)

I've not liked Slack for FOSS projects (it's not IRC, it has problems with moderation enforcement), and NOBODY likes Teams.


And that, my friends, is why I bought a Pontiac...

So, how many kids?

This was always going to happen as soon as the USA decided to be overtly all about itself.

Tact and diplomacy meant that previously the USA was seen as, yes being all about itself, but not threateningly so when it came to its allies/friends. As soon as that veneer was removed the reaction was always going to be, "we'll look after ourselves then" - using the same tools China has (see: China having its own Linux distribution)


MariaDB has supported columnar tables for a bit https://mariadb.com/resources/blog/see-columnar-storage-for-...

I don't think MariaDB ColumnStore has any kind of advantage. It is just an append-only storage format with some columnar concepts.

https://vettabase.com/mariadb-columnstore-sql-limitations/#I...


That would be fine, if countries like the USA weren't actively turning their backs on logic and facts, and returning to a period that history refers to as the "dark ages"

PiCArD?

- Piloted Intelligent Circumnavigation Airship for Research and Development

- Prototype Integrated Control Autonomous Route Drone

- Programmable Intelligent Circumnavigation Aeronautical Remote Device

- Piloted Intelligent Craft: Autonomous Route, Data-driven

- Primary Intelligence Control And Route Determination

- Precision Integrated Circumnavigation And Remote Deployment


I'm loving "Project for Intelligent Circumnavigation Airship Research Drone" myself.

SpaceX is slated to go public some time this year - June IIRC

The biggest selling point /was/ that Musk was being managed there, he wasn't tinkering with SpaceX like Twitter or Tesla, and his foolhardy direction was kept out of the company.

BUT, like Tesla, Musk cannot help himself and is making SpaceX look like a very bad investment - tying his other interests with SpaceX, allegedly using SpaceX money as a "war chest" in his battles.

There is also a danger that investors will see xAI as politically dangerous, which will really hurt SpaceX IPO


They want to go public, but have to sell the hell out of it in the meantime.

I'll bet SpaceX financials aren't as great as some people think. Remember, Elon was the guy who tried to take Tesla private, and talked a lot of smack about how silly it is to be a public company. All of a sudden he wants SpaceX to go public?


Musk has a pattern here - he used Tesla the same way, diverting resources to xAI and treating it as a funding vehicle for other ventures. Once he started doing that, Tesla's financials got murky and harder to trust. Now he's doing it with SpaceX right before the IPO. For investors, that's not 'too big to fail' protection - it's a red flag that the company finances are entangled with his personal empire instead of focused on the core business.

> The biggest selling point /was/ that Musk was being managed there, he wasn't tinkering with SpaceX like Twitter or Tesla, and his foolhardy direction was kept out of the company

The biggest selling point to who? Definitely not Wall Street


I think Musk is just that obsessed with his mission of reversing social progress and controlling the direction of the world, using the anti-woke combination of xAI and Twitter. He knows that tying them to SpaceX will hurt its IPO, but now they're part of an entity that's too essential to fail.

They're also probably rushing out the IPO to beat the bubble pop. I think everyone earlier expected to keep the bubble going a few more years, that's why they made all those circular deals. But then Trump spooked Europe into possibly scaling back US investments and decoupling from US tech. So now you have an unsure Nvidia walking back their OpenAI deal, etc.


AWS meant that (a lot of) "developers" were needing "Ops" skills

AI hasn't "forced" domain knowledge to be required at all, it's been there as a requirement for a long time (I had several medical projects turn myself and many other good developers away because we didn't have domain knowledge, which was fair because we needed to have some idea of the subtext in the field)


It's good English, it has actual meaning (your thinking of "at this time" is only one interpretation, it more likely means "We're not entertaining changes of that kind/nature" )

Ah, so any changes they did entertain, would be changes, but they disclaim making changes such as these for this purpose?

> so any changes they did entertain

I guess, as long as people remember that zero is a possible number in 'any'

> but they disclaim making changes such as these for this purpose?

That's my read

