this post was submitted on 27 May 2026
81 points (97.6% liked)

Privacy

5701 readers
205 users here now

Welcome! This is a community for all those who are interested in protecting their privacy.

Rules

PS: Don't be a smartass and try to game the system, we'll know if you're breaking the rules when we see it!

  1. Be civil and no prejudice
  2. Don't promote big-tech software
  3. No apathy and defeatism for privacy (i.e. "They already have my data, why bother?")
  4. No reposting of news that was already posted
  5. No crypto, blockchain, NFTs
  6. No Xitter links (if absolutely necessary, use xcancel)

Related communities:

Some of these are only vaguely related, but great communities.

founded 2 years ago
MODERATORS
otter@lemmy.ca
shaytan@lemmy.dbzer0.com
81
Websites have a new way to spy on visitors: analyzing their SSD activity (arstechnica.com)
submitted 1 day ago by schnurrito@discuss.tchncs.de to c/privacy@lemmy.dbzer0.com
33 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[โ€“] alapakala@quokk.au 1 points 11 hours ago* (last edited 11 hours ago) (1 children)

bruv, have you ever designed a fighter jet from a raft?

Because that is the equivalence of comparing OPFS is to a secured PostgreSQL query.

You cannot attain security from a raft, when fighter jets only need to drop bomps like a carpet to write on cities, and traverse microseconds of distances compared to whatever the wind is.

OPFS is insecure by design.

[โ€“] 9point6@lemmy.world 1 points 9 hours ago* (last edited 9 hours ago)

A postgres query is not a filesystem and also not intended at all for large binary blob storage and arbitrary range access? That's an entirely different tool for completely different use cases.

The existing filesystem API (that the OPFS API appears to build on) is entirely reasonable for its intended use case, and is actually even more entrenched than OPFS given it exists for non-sandboxed uses, and has done for quite a long time. Remember, browser vendors will not break web APIs unless there's no other option, for good reason.

I also feel like you keep shooting past the fact this is a side channel attack. It's fairly reasonable to conclude any storage operation that hits the SSD could be used for this kind of thing. So basically any equivalent approach would require the same mitigations.

You've still not made any valid case for your claim that it's insecure by design.

Just so we can draw this to a close: please explain, specifically and succinctly, which fixes you would make and why specifically the existing OPFS is fundamentally incompatible with your suggestions.

So far there has been nothing like that in this thread, just hand waving and it's insecure by design, just trust me bro