HarborFront

Level 54
Verified
Content Creator
Experimental QUIC Protocol - Disabled

Please read the comment inside the below article to disable it


Quote from comment

The ‘QUIC’ protocol (Google originated BTW) appears to be insecure against webtracking by commercial as well as govt. trackers & surveillance. A user/browser may be (passively) uniquely tracked across a browsing session (and possibly across multiple sessions in some instances), without the need for cookies, other trackers, or fingerprinting, according to a recent University of Hamburg paper:

https://content.sciendo.com/downloadpdf/journals/popets/2019/3/article-p255.pdf

Thus, probably best not to enable this in your browser if you are privacy-minded, until this hole is patched … (I haven’t been able to find any mention that browser vendors have even addressed this to-date)

QUIC has already been enabled in Chrome for quite some time, surprise, surprise (Google builds in yet another hidden, powerful privacy-shredding tracker into its next-generation web technology as well as its 60%-market-share-browser?? There’s a shocker for ya…)
You can disable this in most Chromium-based browsers, tho’, and/or otherwise at your OS firewall:

How to disable QUIC protocol in Google Chrome

Unquote
 

CyberTech

Level 32
Verified
Web browsers use a lot of battery when they are run on mobile devices such as laptops. While it helps to use content blockers and other extensions to remove or block elements that may draw additional power, it is still problematic from a user perspective.

Google has run experiments in the past couple of months in its Chrome web browser to find out if the throttling of JavaScript in background tabs has an effect on the battery usage of the web browser.

Chromium engineers decided to analyze "the work done by popular sites in the background" and determined that "a lot of work was done from JavaScript timers" that were not "valuable to the user" often.

The idea was born to reduce the number of wake ups from JavaScript timers in background tabs in the web browser to find out if that would improve battery life.
Currently, JavaScript wake ups are limited to 1 wake up per second in stable versions of the Chrome web browser.
A new Chrome experimental flag is available to enable the feature in development versions of the Chrome web browser (Canary).
  • Name: Throttle Javascript timers in background.
  • Description: When enabled, wake ups from DOM Timers are limited to 1 per minute in a page that has been hidden for 5 minutes.
Here is how to enable the experiment:
  1. Load chrome://flags in the web browser's address bar.
  2. Search for Throttle Javascript timers in background.
  3. Set the flag to Enabled.
  4. Restart the browser.

 

SpiderWeb

Level 2
I have been using the post-quantum key exchange flag for 2 months now with no issues. What you will see in the Security tab is "CECPQ2" (screenshot) as you navigate Google and Cloudflare websites. It's a combination of X25519 + an updated structured-lattice scheme (NTRU-HRSS). The links below go into way better detail. For me it appears to only trigger PQ encryption on Google domains but it's still worth turning on:

chrome://flags/#post-quantum-cecpq2

Information on CECPQ2:
NIST Research Presentation (PDF)

Observations:
-I have not noticed a discernible difference in performance compared to TLS 1.3 with just X25519
-It is slower than QUIC X25519 and Google Chrome will prefer QUIC over TLS 1.3 CECPQ2
-There are reports that it does break a few sites (ERR_CONNECTION_RESET): Source
 


HarborFront

Level 54
Verified
Content Creator
Please enable the following flags in Chrome 85 if you have them

Framebusting requires same-origin or a user gesture
Top document isolation
Strict site isolation

I'm basing this on my latest Kiwi browser version
 

HarborFront

Level 54
Verified
Content Creator
Enable flag 'Insecure origins treated as secure'

In my case I added the below HTTP sites (separated by a comma). By doing so the word 'Not secure' will no longer appear before the http://xxxxxxxxx in the address bar. Since some of the HTTP sites also cannot be upgraded to HTTPS sites, in this case the Smart HTTP extension is of no use.

httx://budgetlightforum.com/, httx://eng.chinamil.com.cn/, httx://forum.notebookreview.com/, httx://www.candlepowerforums.com/, httx://www.globaltimes.cn/index.html, httx://www.ecns.cn/

Replace the 'x' by 'p'
 