posted by Fnord666 on Saturday November 18 2017, @10:18PM
from the monkey-see-monkey-do dept.

The Freedom to Tinker blog has a post on how "session replay" scripts use Javascript to exfiltrate personal data from the pages you visit.

You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use "session replay" scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages. However, the extent of data collected by these services far exceeds user expectations [1]; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user. This data can't reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user's real identity.

Though the post refers to scripts that the web server adds intentionally, the same exfiltration does not require the site's cooperation: if a third party, such as an ISP, a competing company, or a government agency, controls a certificate that the target's browser already trusts, whether it was installed overtly or covertly, a man-in-the-middle attack against the SSL/TLS connection is trivial and exfiltration scripts can be injected as the payload. If you want to see the latency burden that even ostensibly well-behaved scripts cause, press Ctrl-Shift-I in the browser, select the "Network" tab, and then reload the page.


  • (Score: 3, Informative) by Anonymous Coward on Saturday November 18 2017, @10:37PM (11 children)

    by Anonymous Coward on Saturday November 18 2017, @10:37PM (#598771)

    Not if you disallow scripts.
    If a page|site is completely useless without scripts, it's junk.

    If it appears to have useful content, you might try to run it through archive.is.
    That site will run the scripts on its boxes and show you the results.

    .
    ...and the word JavaScript, properly written, uses CamelCase.

    -- OriginalOwner_ [soylentnews.org]

    • (Score: 3, Interesting) by Snotnose on Saturday November 18 2017, @10:41PM (3 children)

      by Snotnose (1623) on Saturday November 18 2017, @10:41PM (#598775)

      I'd never heard of archive.is. Bookmarked, and Thank You!

      I'm guessing about half the sites that won't work without javascript I just exit, and about half those I was really interested in the info on that site. Now I have a way to see what's there without subjecting myself to javascript BS.

      --
      When the dust settled America realized it was saved by a porn star.
      • (Score: 2) by takyon on Saturday November 18 2017, @10:59PM (1 child)

        by takyon (881) <takyonNO@SPAMsoylentnews.org> on Saturday November 18 2017, @10:59PM (#598778) Journal

        Whenever I use a link to Washington Post and some other sites, I add an (archive) link next to it (WaPost paywall can be easily beaten, but whatever). They are also known by the domain archive.fo.

        --
        [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
        • (Score: 3, Informative) by Anonymous Coward on Saturday November 18 2017, @11:28PM

          by Anonymous Coward on Saturday November 18 2017, @11:28PM (#598787)

          Yup. (Faroe Islands.)

          The original site is in Iceland (.is).
          They also have servers in Liechtenstein (.li) and the European Union (.eu).

          .
          Additionally, archive.org respects changes to robots.txt by malicious actors and will disallow access.
          archive.is, archive.li, archive.fo, and archive.eu couldn't care less about robots.txt.
          Once they have a copy of the content, it won't be blocked by them.

          You can also use it as a proxy.
          Packets will carry the metadata of -their- stuff.
          (I've seen a notice on a page that they rendered which said that [browser name (not my browser; their browser)] is not fully supported.)

          -- OriginalOwner_ [soylentnews.org]

      • (Score: 0) by Anonymous Coward on Saturday November 18 2017, @11:11PM

        by Anonymous Coward on Saturday November 18 2017, @11:11PM (#598781)

        The replacement for btdigg.com whose source code is up on github.com

        It works pretty well depending on what you are searching for in a torrent and if that torrent is on trackers, not just a limited distribution magnet.

    • (Score: 3, Informative) by beernutz on Sunday November 19 2017, @01:56AM (3 children)

      by beernutz (4365) on Sunday November 19 2017, @01:56AM (#598813)
      [pedant_mode] That's not camelCase, that's PascalCase. [/pedant_mode]
      • (Score: 0) by Anonymous Coward on Sunday November 19 2017, @03:51AM

        by Anonymous Coward on Sunday November 19 2017, @03:51AM (#598830)

        Hmmm. Ya learn something new every day.

        -- OriginalOwner_ [soylentnews.org]

      • (Score: 0) by Anonymous Coward on Sunday November 19 2017, @07:06AM (1 child)

        by Anonymous Coward on Sunday November 19 2017, @07:06AM (#598868)

        Pascal doesn't care about case.

        Old-style programmers stick to UPPERCASENAMES. Decent modern programmers use lowercasenames, or even lower_case_names if the compiler allows it.

        Realistically, you can expect to find inconsistent case within a program: myVariableName MyVariableName MYVARIABLENAME myvariablename Myvariablename

        • (Score: 0) by Anonymous Coward on Sunday November 19 2017, @07:02PM

          by Anonymous Coward on Sunday November 19 2017, @07:02PM (#599007)

          You call it inconsistent, I call it coding style. UPPERCASE for #defines, camelCase for variables, and PascalCase for class names.

    • (Score: 2) by Arik on Sunday November 19 2017, @04:13AM

      by Arik (4543) on Sunday November 19 2017, @04:13AM (#598836) Journal
      Actually, written properly it would be ECMAScript.

      There's nothing java about it and never was.
      --
      If laughter is the best medicine, who are the best doctors?
    • (Score: 2) by Pino P on Sunday November 19 2017, @11:32PM (1 child)

      by Pino P (4721) on Sunday November 19 2017, @11:32PM (#599062) Journal

      If a page|site is completely useless without scripts, it's junk.

      Would you prefer a site that is functional with scripts but shows only a "Download our native app" notice without them?

      • (Score: 1, Insightful) by Anonymous Coward on Monday November 20 2017, @12:54AM

        by Anonymous Coward on Monday November 20 2017, @12:54AM (#599080)

        I thought that I had already made it clear that I want an HTML page that will work in any browser.

        Download our native app

        That doesn't require a script.
        A plain old hyperlink will do.
        ...which is the whole point.

        Oh, wait. I remember you.
        You're one of those nitwits who think that an "intellectual property" owner is never wrong.

        -- OriginalOwner_ [soylentnews.org]

  • (Score: 4, Informative) by Snotnose on Saturday November 18 2017, @10:38PM (5 children)

    by Snotnose (1623) on Saturday November 18 2017, @10:38PM (#598772)

    why I don't want to automagically block cookies, nor block javascript. Cuz seems to me the hazards of allowing both far outweigh any benefits I may get allowing them.

    --
    When the dust settled America realized it was saved by a porn star.
    • (Score: 2) by Arik on Sunday November 19 2017, @04:11AM (4 children)

      by Arik (4543) on Sunday November 19 2017, @04:11AM (#598835) Journal
      Javascript shouldn't need to be blocked, the browser should discard it along with anything else that's not valid HTML.

      But cookies? What's your problem with cookies?
      --
      If laughter is the best medicine, who are the best doctors?
      • (Score: 2) by Snotnose on Sunday November 19 2017, @10:15AM (3 children)

        by Snotnose (1623) on Sunday November 19 2017, @10:15AM (#598894)

        Cookies let them track you across various web sites. I whitelist sites like soylent, but by default no cookies are allowed.

        --
        When the dust settled America realized it was saved by a porn star.
        • (Score: 2) by Arik on Sunday November 19 2017, @10:47AM (2 children)

          by Arik (4543) on Sunday November 19 2017, @10:47AM (#598898) Journal
          "Cookies let them track you across various web sites."

          Not exactly. Not just cookies by themselves, at least.

          Of course companies that run multiple websites (Google obviously, but any hosting provider could qualify to some extent) could do this. But they don't need cookies to do that. Your IP address works just fine.

          And, of course, there are *third party* cookies which are used in this way, I was assuming everyone here blocks those of course.

          Blocking regular cookies doesn't really do much other than keep you from using the 'stay logged in' feature on websites in general.

          --
          If laughter is the best medicine, who are the best doctors?
          • (Score: 3, Informative) by maxwell demon on Sunday November 19 2017, @11:55AM

            by maxwell demon (1608) on Sunday November 19 2017, @11:55AM (#598904) Journal

            For sites where you log in, that may be true (your login already identifies you). But for sites where you don't log in, persistent cookies can provide an identity across sessions, which you may not want.

            --
            The Tao of math: The numbers you can count are not the real numbers.
          • (Score: 2) by Snotnose on Sunday November 19 2017, @01:02PM

            by Snotnose (1623) on Sunday November 19 2017, @01:02PM (#598908)

            As I said before, sites I visit often are whitelisted. But most of those sites are aggregators (soylent, /., fark, etc), when you click on a link to the story you're going god knows where. I probably visit a couple hundred web sites a day, only 3-4 of those sites are allowed to set a cookie.

            --
            When the dust settled America realized it was saved by a porn star.
  • (Score: 0) by Anonymous Coward on Saturday November 18 2017, @10:40PM (3 children)

    by Anonymous Coward on Saturday November 18 2017, @10:40PM (#598773)

    ctrl-shift-i

    nothing happens. saved by a crappy firefox fork (palemoon)!

    • (Score: 1, Informative) by Anonymous Coward on Sunday November 19 2017, @02:04AM

      by Anonymous Coward on Sunday November 19 2017, @02:04AM (#598815)

      Lol, nope not saved, just means you don't have an inspector. The js still pwns u.

    • (Score: 2) by tibman on Sunday November 19 2017, @03:00AM (1 child)

      by tibman (134) Subscriber Badge on Sunday November 19 2017, @03:00AM (#598827)

      F12 also usually works in every browser. I prefer it.

      --
      SN won't survive on lurkers alone. Write comments.
      • (Score: 1, Informative) by Anonymous Coward on Sunday November 19 2017, @04:51AM

        by Anonymous Coward on Sunday November 19 2017, @04:51AM (#598844)

        F12 works in pale moon. It can be customized, accessed via menu, etc.

  • (Score: 0) by Anonymous Coward on Sunday November 19 2017, @01:49AM (1 child)

    by Anonymous Coward on Sunday November 19 2017, @01:49AM (#598811)

    But I'd like to make sure people know, reddit 100% does this and should be boycotted. Hard for many of us, but still

    • (Score: 0) by Anonymous Coward on Sunday November 19 2017, @10:48PM

      by Anonymous Coward on Sunday November 19 2017, @10:48PM (#599055)

      hard?

      This whole place came about because of people giving up on something they loved that had been ruined by profit motive.

      I just don't think Reddit users are, on the whole, savvy enough to understand there is a problem and to collectively do something about it. Even if it's stopping going there on an individual level. If enough people did that, it'd foster change.

  • (Score: 2) by DrkShadow on Sunday November 19 2017, @02:17AM (2 children)

    by DrkShadow (1404) on Sunday November 19 2017, @02:17AM (#598817)

    Other than NoScript (currently using), are there any scripts to detect/block this?

    I've been wondering this as well about bitcoin mining javascript (what a horribly inefficient method..). Are there any browser extensions that will detect and block these scripts? does Adblock/uOrigin do it (with known scripts)?

    Seems like it would be somewhat easy -- any domain that has a click handler AND a keyboard handler AND a mouse-move handler should be looked into.. and if third party, blocked completely. (There was something using an onMessage handler on the HTML element..)
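    The heuristic in the comment above (a third-party origin that registers a click handler, a keyboard handler and a mouse-move handler on the same page) can be turned into a small audit. What follows is an added example written for this discussion; it is not code from the thread, from the Freedom to Tinker post, or from any existing extension. The script hosts and the registration list are constructed, and attributing a listener to the script that registered it through `document.currentScript` or the stack trace is a best-effort assumption (listeners added from callbacks or timers are often misattributed). The classification logic is kept free of DOM calls so it runs in Node as well as in a page.

```javascript
// Added example: flag third-party script origins that register click,
// keyboard and mouse-move handlers on one page (the heuristic from the
// comment). Not code from the thread, the post, or any extension.

// Event types per group. The exact lists are a choice made here.
const EVENT_GROUPS = {
  click: new Set(['click', 'mousedown', 'mouseup', 'pointerdown', 'pointerup']),
  keyboard: new Set(['keydown', 'keyup', 'keypress', 'input']),
  mousemove: new Set(['mousemove', 'pointermove']),
};

// Map an event type to its group name, or null if it is not one we track.
function groupOf(eventType) {
  for (const [group, types] of Object.entries(EVENT_GROUPS)) {
    if (types.has(eventType)) return group;
  }
  return null;
}

// Reduce a script URL to its origin. Inline scripts (no URL) count as the
// page itself; an unparsable URL is kept distinct so it still shows up.
function originOf(scriptUrl, pageOrigin) {
  if (!scriptUrl) return pageOrigin;
  try {
    return new URL(scriptUrl, pageOrigin).origin;
  } catch (e) {
    return 'unparsable:' + scriptUrl;
  }
}

// registrations: array of { scriptUrl, eventType }. Returns the sorted list
// of third-party origins that registered a handler in every group. The page's
// own origin is never flagged: first-party code legitimately handles all three.
function flagSuspiciousOrigins(registrations, pageOrigin) {
  const groupsByOrigin = new Map();
  for (const { scriptUrl, eventType } of registrations) {
    const group = groupOf(eventType);
    if (group === null) continue;
    const origin = originOf(scriptUrl, pageOrigin);
    if (!groupsByOrigin.has(origin)) groupsByOrigin.set(origin, new Set());
    groupsByOrigin.get(origin).add(group);
  }
  const needed = Object.keys(EVENT_GROUPS).length;
  const flagged = [];
  for (const [origin, groups] of groupsByOrigin) {
    if (origin !== pageOrigin && groups.size === needed) flagged.push(origin);
  }
  return flagged.sort();
}

// Browser-only: wrap EventTarget.prototype.addEventListener so each registration
// is appended to `log` with a best-effort guess at the registering script.
// document.currentScript covers synchronous top-level code; otherwise we take the
// outermost URL in the stack trace (an assumption about stack formatting).
// Returns false when there is no DOM (e.g. under Node) so the file still runs.
function installListenerAudit(log) {
  if (typeof window === 'undefined' || typeof EventTarget === 'undefined') return false;
  const original = EventTarget.prototype.addEventListener;
  EventTarget.prototype.addEventListener = function (type, listener, options) {
    let scriptUrl = document.currentScript && document.currentScript.src
      ? document.currentScript.src : null;
    if (!scriptUrl) {
      const urls = (new Error().stack || '').match(/https?:\/\/[^\s):]+/g);
      if (urls) scriptUrl = urls[urls.length - 1];
    }
    log.push({ scriptUrl, eventType: type });
    return original.call(this, type, listener, options);
  };
  return true;
}

// Constructed sample of what the audit would collect on a page at
// https://example.test with one first-party script, a chat widget and a
// replay script. None of these hosts are real.
const SAMPLE_REGISTRATIONS = [
  { scriptUrl: null, eventType: 'click' },                                        // inline, first-party
  { scriptUrl: 'https://example.test/app.js', eventType: 'keydown' },
  { scriptUrl: 'https://example.test/app.js', eventType: 'mousemove' },          // first-party: all three, not flagged
  { scriptUrl: 'https://widgets.chat-example.test/chat.js', eventType: 'click' },
  { scriptUrl: 'https://widgets.chat-example.test/chat.js', eventType: 'keydown' },
  { scriptUrl: 'https://widgets.chat-example.test/chat.js', eventType: 'scroll' }, // no mouse-move group
  { scriptUrl: 'https://cdn.replay-example.test/replay.js', eventType: 'click' },
  { scriptUrl: 'https://cdn.replay-example.test/replay.js', eventType: 'keydown' },
  { scriptUrl: 'https://cdn.replay-example.test/replay.js', eventType: 'mousemove' },
];

function demo() {
  return flagSuspiciousOrigins(SAMPLE_REGISTRATIONS, 'https://example.test');
}

// In a page: install the hook as early as possible (first script tag or a
// content script), let the page settle, then call
// flagSuspiciousOrigins(auditLog, location.origin). Under Node the hook is
// skipped and only the constructed sample is evaluated.
const auditLog = [];
installListenerAudit(auditLog);
console.log(demo()); // [ 'https://cdn.replay-example.test' ]
```

    This is a triage aid, not a blocker: a script can also attach handlers through `on*` properties, through capture-phase listeners on `window`, or by observing DOM mutations, none of which pass through the wrapped method, and the origin of a listener added from a callback is only a guess. Treat a flagged origin as something to inspect in the Network tab (as the summary suggests) and then block with a content blocker, rather than as proof of session replay.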

    • (Score: 0) by Anonymous Coward on Sunday November 19 2017, @02:56AM

      by Anonymous Coward on Sunday November 19 2017, @02:56AM (#598825)

      Inefficient? Haha, I get what you mean as far as language and hardware for mining however being able to skim cycles off of millions of computers beats the pants off any farm I'm sure.

    • (Score: 0) by Anonymous Coward on Sunday November 19 2017, @04:42AM

      by Anonymous Coward on Sunday November 19 2017, @04:42AM (#598841)

      How about Privacy Badger from EFF https://www.eff.org/privacybadger [eff.org]
      Claims "blocks spying ads and invisible trackers" but I'm not sure if it catches session replay scripts or not??

      I've been running it for awhile now and it's interesting to see some sites with a couple of dozen trackers blocked. Sometimes the number starts out high, and then drops off as various trackers give up(?)

      As expected, SN always shows a nice green 0 (zero).

      It blocked a video that I wanted to play (posted by a friend). Since it has individual controls it was easy, for example, to allow Vimeo to run, and none of the other trackers.

  • (Score: 4, Insightful) by Arik on Sunday November 19 2017, @04:08AM

    by Arik (4543) on Sunday November 19 2017, @04:08AM (#598834) Journal
    A browser that allows this is clearly defective by design.

    And unfortunately that's all the commonly used ones.

    How to turn mankind's greatest achievement into a steaming pile of shit in just a few years. Just start with javascript and money and all the rest follows.
    --
    If laughter is the best medicine, who are the best doctors?
  • (Score: 0) by Anonymous Coward on Sunday November 19 2017, @09:57AM

    by Anonymous Coward on Sunday November 19 2017, @09:57AM (#598892)

    Purportedly this is for "discovering broken or confusing pages".

    It seems the intention on most websites is to make them more confusing, not less.

  • (Score: 2) by canopic jug on Thursday November 23 2017, @04:27AM

    by canopic jug (3949) Subscriber Badge on Thursday November 23 2017, @04:27AM (#600517) Journal
    --
    Money is not free speech. Elections should not be auctions.