Update List of Interesting Experimental Flags for Google Chrome

Moonhorse

Level 30
Verified
Content Creator
May 29, 2018
1,957
@Moonhorse

When you use uBloc0 you can simply keep using the block WebRTC.

I like to use what is there. In Firefox and Edge it is possible to hide private IP adres (the one your router gives you on your internal network) using browser settings. In Chrome it was also possible in the past, but they removed that option some time. Extensions like WebRTC block and uBlock0 filled in the gap and offered an easy way to disable this 'leak'.

There are so many ways you can be traced. While most of this data does not mark you as an individual, combining several fields makes it possible to track you, no matter how many blocklists people keep adding in there adBlocker.

I consider Privacy a lost war. I use AdGuard beta (with stealth mode including a limited lifetime of first-party cookies of 150 minutes) and Privacy Possum to make it a little harder for advertising networks to track me.

Most used tracking methods:
- using UTM codes in URL: What Are UTM Codes and How Do You Use Them?
- misusing the browser cache (etag headers)
- long life time of (first-party) cookies (most people don't delete history or know the settings to limit it to browser is closed)
- referrer imfo passes at cross origin requests)
For sure its lost war indeed, just was curious should i enable the webRTC to leak my local ip, and does it matters at all if i do

Myself i kinda find trace+ decentraleyes+ ublock origin to do everything on privacy side, but then again im thinking im fine without :rolleyes:
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
Mar 13, 2016
1,303
@Moonhorse

Yes local IP is usually the same because most routers use DHCP reservation, so with external IP, browser data and some fingerprinting they know it is you, so have a look at browserleaks.com and panopticlick.eff.org.

Easylist and Adguard have included Content Delivery Networks in their blocklists which makes decentral eyes sort of redundant.Also Trace+ does not do well in above mentioned tests of websites last time I checked them, but it might have improved, better check it out.

Regards Kees
 

Moonhorse

Level 30
Verified
Content Creator
May 29, 2018
1,957
@Moonhorse

Yes local IP is usually the same because most routers use DHCP reservation, so with external IP, browser data and some fingerprinting they know it is you, so have a look at browserleaks.com and panopticlick.eff.org.

Easylist and Adguard have included Content Delivery Networks in their blocklists which makes decentral eyes sort of redundant.Also Trace+ does not do well in above mentioned tests of websites last time I checked them, but it might have improved, better check it out.

Regards Kees
Since i enabled that flag my fingerprint went to > 100% (0 of 358283 user agents have the same signature)
So it hides your public ip on browserleaks and aswell the fingerprint is more unique?
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
Mar 13, 2016
1,303
@Moonhorse: that is because it is a blank value :) now.

My advice would be replace two useless extensions (decentral eyes and trace) with privacy possum and canvasdefender

See for some background info HTML5 APIs Fingerprint Users - How to Prevent - Blog | add0n.com

Take the test results with a grain of salt. Notice the NEARLY-unique* in the results below :), also the red X-mark in the 'Unblock 3rd-party cookies which PROMISE to honor do not track', is a positive result IMO

1549111954988.png


* P.S.
Based on your public IP, it is relatively easy to track your location on zip-code level. I have my OS, Office and Chrome in US-English, because it is much easier to troubleshoot something when using the English version. I had Dutch version for some time, but it was hard to find the corresponding Dutch settings in Windows/Office/Chrome/etc.

The NEAR uniqueness is caused (when allowing website to track your location) because there are probably very few people in my ZIP code using US English version of browser and OS. So when they know my location, I am nearly-unique and very easy to track. Even when I raised the threshold by using Adguard to remove UTM identifiers, Privacy Possum blocking etag-headers misuse in cache, Canvas fingerprint to generate a new unique fingerprint-ID.

As explained earlier when I am looking for a good deal for a flight, holiday destination or hotel accomodation, I will be reviewing the same bookable/purchasable objects with a time frame of say 15 minutes. When a US-UK visitor with my Zip-code looks at 70% of the same bookable/purchasable objects the next day, it is probably me again. So after two-three returning visits without actual purchase, don't be surprised to see prices rising or availability reducing.

We are the GAFAM. Lower your shields and surrender your privacy. We will add your biological and technological distinctiveness to our own telemetry. Your buying behavior will adapt to our ad--services. Resistance is futile.
 
Last edited:

Spawn

Administrator
Verified
Staff member
Jan 8, 2011
21,053
New tab button position
Controls placement of the new tab button within the tabstrip. – Mac, Windows, Linux, Chrome OS.
  • Default
1549479407022.png

  • Opposite caption buttons (looks same as below)
  • Leading
1549479467845.png

  • After tabs
1549479492023.png

  • Trailing
1549479550879.png

chrome://flags/#new-tab-button-position
 

LDogg

Level 33
Verified
May 4, 2018
2,193
On topic with flags, what are the best flag to enable for security & privacy which are stable?

~LDogg
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
Mar 13, 2016
1,303
Privacy
Anonymize local IPs exposed by WebRTC (enable)
Reduce default 'referer' header granularity. (enable)
Hyperlink auditing (disable)

Security
Enable AppContainer Lockdown (enabled - by default, but as long as it is in flags I enable it)
Enable GPU AppContainer Lockdown (enable)
PDF isolation enabled
Block unsafe downloads over insecure connections (enabled)
Mark non-secure origins as non-secure (mark actively as dangereous)
TLS 1.3 downgrade hardening (enabled)


Question
Any proven performance flags welcome, so please post
(I have parallel downloading enabled, but quite frankly can't measure difference)
 
Last edited:

Windows_Security

Level 23
Verified
Trusted
Content Creator
Mar 13, 2016
1,303
Trick to get a blank new tab with chrome :cool:

1. Make startpage/duck duck go your default search engine (for startpage enter manually)
- search engine: Startpage
- keyword: startpage.com
- query URL: hxxps://startpage.com/search?q=%s
(change hxxps in https)

2. Type NTP in about://flags
Disable minimum for server-side tile suggestions on NTP (disable)
Enable using the Google local NTP (enable)
Enable doodles on the local NTP (disable)
Enable search suggestions on the local NTP (disable)
Enable promos on the local NTP (disable)
New Tab Page Background Selection (disable)
New Tab Page Custom Links (enable)
Top Sites from Site Engagement (disable)

3. Install an extension to auto wipe history like: Auto History Wipe (make sure too enable all options)

4. Click away (X) what is left on NTP

That is it
 
Last edited:

Moonhorse

Level 30
Verified
Content Creator
May 29, 2018
1,957
Privacy
Anonymize local IPs exposed by WebRTC (enable)
Reduce default 'referer' header granularity. (enable)
Hyperlink auditing (disable)

Security
Enable AppContainer Lockdown (enabled - by default, but as long as it is in flags I enable it)
Enable GPU AppContainer Lockdown (enable)
PDF isolation enabled
Block unsafe downloads over insecure connections (enabled)
Mark non-secure origins as non-secure (mark actively as dangereous)
TLS 1.3 downgrade hardening (enabled)


Question
Any proven performance flags welcome, so please post
(I have parallel downloading enabled, but quite frankly can't measure difference)
Currently using these, thanks for tips. + Privacy possum. Can you post your opinions on updated trace somewhere in mt?
 

bribon77

Level 34
Verified
Jul 6, 2017
2,383
Trick to get a blank new tab with chrome :cool:

1. Make startpage/duck duck go your default search engine (for startpage enter manually)
- search engine: Startpage
- keyword: startpage.com
- query URL: hxxps://startpage.com/search?q=%s
(change hxxps in https)

2. Type NTP in about://flags
Disable minimum for server-side tile suggestions on NTP (disable)
Enable using the Google local NTP (enable)
Enable doodles on the local NTP (disable)
Enable search suggestions on the local NTP (disable)
Enable promos on the local NTP (disable)
New Tab Page Background Selection (disable)
New Tab Page Custom Links (enable)

3. Install an extension to auto wipe history like: Auto History Wipe (make sure too enable all options)

4. Click away (X) what is left on NTP

That is it
Fact. In SlimjetThank you(y)
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
Mar 13, 2016
1,303
I thought Hyperlink auditing flag #disable-hyperlink-auditing should be set to (enable) for privacy.
When enable flag #disable-hyperlink-auditing isn't it disables hyperlink auditing?

I thought the same, but then why would this switch be enabled by default when disabling hyperlink auditing would increase privacy. Somehow enabled by default increasing privacy just did not sound like standard Google practices to me.

Maybe more knowledgeable members can join in with insiders information
 
Last edited:

Windows_Security

Level 23
Verified
Trusted
Content Creator
Mar 13, 2016
1,303
My updated flags

Privacy
Anonymize local IPs exposed by WebRTC (enable)
Reduce default 'referer' header granularity. (enable)
Hyperlink auditing (disable)
New history entries require a user gesture (enable)
History Manipulation Intervention (enabled)
Unified Consent (enabled)
Disable minimum for server-side tile suggestions on NTP (disable)
Top Sites from Site Engagement (disable)
Enable search suggestions on the local NTP (disable)

Security
Enable GPU AppContainer Lockdown (enable)
PDF isolation enabled
Block unsafe downloads over insecure connections (enabled)
Mark non-secure origins as non-secure (mark actively as dangereous)
TLS 1.3 downgrade hardening (enabled)
Extension Content Verification (enforce strict - hard fail ...)
User consent for extension scripts (enabled)
Framebusting requires same-origin or a user gesture (enabled)

Performance
GPU rasterization (enabled)
Enable lazy image loading (enabled)
Enable lazy frame loading (enabled)
Parallel downloading (enabled)
Enable doodles on the local NTP (disable)

Advertising
App Banners (disabled)
Autoplay policy (document user activation required)
Enable promos on the local NTP (disabled)
User Activation V2 (disabled)

Blank NTP trick
* change default engine toStartpage , remove others also Chrome
Enable using the Google local NTP (enable)
[ Enable doodles on the local NTP (disable) ] also performance
[ Enable search suggestions on the local NTP (disable) ] also privacy
[ Top Sites from Site Engagement (disable) ] also privacy
[ Disable minimum for server-side tile suggestions on NTP (disable) ] also privacy
[ Enable promos on the local NTP (disabled) ] also advertising
 
Last edited:

Spawn

Administrator
Verified
Staff member
Jan 8, 2011
21,053
GOOGLE CHROME FOR ANDROID: Site Isolation For Password Sites
  • Security mode that enables site isolation for sites based on password-orientated heuristics, such as a user typing in a password.
#enable-site-isolation-for-password-sites
version 74.0.3729.112
 

Sunshine-boy

Level 27
Verified
Apr 1, 2017
1,690
My updated flags
Hello! very nice:emoji_clap: thanks for sharing. I added some of those to my flags.if you want a better list check here:
this guy has some interesting and unique registry tweaks for windows too:
 

DeepWeb

Level 25
Verified
Jul 1, 2017
1,418
Chrome 74 has brought so many new flags. Geez! They need to start removing flags that are already implemented. Either way. Here are some newer ones that I recently enabled related to security:

Anonymize local IPs exposed by WebRTC.
Site settings
Newblue
User consent for extension scripts
TLS 1.3 downgrade hardening
Web Authentication API BLE support (for U2F keys e.g Yubikey)
Web Authentication caBLE support (for U2F keys)
Enable Account Manager
Request Advanced Protection verdicts when inspecting downloads
 

Windows_Security

Level 23
Verified
Trusted
Content Creator
Mar 13, 2016
1,303
Request Advanced Protection verdicts when inspecting downloads

Thanks that is an interesting find (y)

Did some Googling, you need to have Safe Browsing enabled and it seems to create a set of (additional control) strings for the download surfaces to provide extra protection against malicious downloads.

Some veteran members might remember BCclean which did something simular for new processes starting on your PC. knowing Google it will probably be implemented in a modern way. Artificial Intelligence systems look at file attributes to determine (pre-execution) whether something is malware. This new protection maybe adds a variable set of attributes by looking for 'string' patterns and combines this with big-data about the source of the download. When (a big conditional when) my guess is right, this could be the start of the next-level safe browsing feature.
 
Last edited:
Top