Websites have a new way to spy on visitors: analyzing their SSD activity
Telltale SSD activity can be measured in the browser using simple JavaScript.
https://arstechnica.com/security/2026/05/websites-have-a-new-way-to-spy-on-visitors-analyzing-their-ssd-activity/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social
verissimum
@paul_ipv6 @SteveBellovin @arstechnica I studied in the actual Carthage (few miles from Tunis).
This hits different
@ocktoboy14 @KellicTiger @SteveBellovin @arstechnica
There is an extension called „NoScript“ that lets you configure what individual domains are allowed to run JS on a per-tab basis. Been using that for a while now, it is pretty neat.
That obviously won‘t do much on pages where you have to get past, for example, a Google captcha, because you either allow all or no JS from that domain for that tab.
@DavidNielsen @arstechnica "In the beginning the Universe was created.
This has made many people very angry and has been widely regarded as a bad move."
- Douglas Adams
I have to wonder if the required read/write mechanisms for this particular mode of attack would have the added 'benefit' of shortening SSD lifespans.
Fuck data merchants.
Blocking JavaScript is ugly but JavaScript is a huge problem of malware, viruses, surveillance and bullshit.
Can a subset of JavaScript be used, so the page displays, but JavaScript isn't analysing my drives?
It doesn't.
Remember who owns the JavaScript trademark, Oracle.
Oracle is owned by Larry Ellison.
https://www.theregister.com/software/2025/02/05/oracle-lays-mines-in-javascript-trademark-battle/303348
https://www.infoworld.com/article/3818005/oracle-maintains-hold-on-javascript-trademark.html
https://lakin-mohapatra.medium.com/oracle-owns-javascript-cf8eeb90fa9b
Larry Ellison is a Jan 6 coup plotter & owner of a one-party media monopoly, funded by fossil fuel despots.
https://puck.news/inside-paramount-bros-49-billion-debt-blockbuster/
https://newrepublic.com/post/210208/larry-ellison-promised-fire-cnn-anchors-donald-trump-takeover
https://www.washingtonpost.com/politics/2022/05/20/larry-ellison-oracle-trump-election-challenges/
https://www.status.news/p/larry-ellison-2020-election-cbs-news-january-6
https://popular.info/p/kushner-and-saudis-back-hostile-takeover
https://www.theguardian.com/commentisfree/2025/dec/11/jared-kushner-paramount-warner-bros-deal
@Npars01 @Tristan @arstechnica
We need a replacement for JavaScript.
@arstechnica how it works: It's all based on timing how long it takes for JavaScript statements to access the local storage for the (malicious) website. If other websites or local apps are also accessing the same SSD at the same time, those accesses will take longer because of contention for the SSD. Different websites and apps have different usage patterns of the local storage. You can take all that timing data and feed it into a pretrained convolutional neural network to detect which websites and apps are running.
It requires at least 1G of storage, so savvy users can detect unusual storage usage, and for everyone else browser makers can reduce storage limits per website below that.
@arstechnica Techniques like this are why I run JShelter ( https://jshelter.org )
Unfortunately Cloudflare requires fingerprinting to be allowed 🤮
New attack fingerprints you by SSD timing. My threat model is just being too cheap to upgrade.
TagHunt
Ars Technica
Steve Bellovin
Paul_IPv6
Syntax
Kellic Tiger 
marcu
Bit
Angela Scholder
Hans van Zijst
Sir David Nielsen
Steen Eiler Jørgensen
Jennifer Kayla | Theogrin 🦊
Epic Null
Paul
Bob K Mertz 
Kevin Russell
Dr. Dek 👨🚀🐧🚀 )
B05H
FossThought
Andreas, DJ3EI, he/him
Tristan
Nicole Parsons
Francis Mangion (M)
James M.
Max L.
GrumpyDad 🇺🇦🇵🇸
Justin O'Leary
ĞÖKÜ👻👻™
Bruno Nicoletti