Submitted via IRC for AnonymousLuser
Blocking Hyperlink Auditing Tracking Pings with Extensions
For those who are not familiar with hyperlink auditing, or Pings, it is an HTML feature that allows sites to track when a link is clicked. Creating hyperlink auditing URLs is very easy, as you can simply create a normal hyperlink HTML tag, but also include a ping="[url]" variable as shown below.
<a href="https://www.google.com/" ping="https://www.bleepingcomputer.com/pong.php">Ping Me</a>
[...] With most popular browsers now enabling this feature by default, with Firefox doing so in the future, the only way to disable hyperlink auditing is through the use of browser addons and extensions. For those who want to retain control over whether this feature can be used, below are three extensions that allow you to disable hyperlink auditing pings in Chrome and Firefox.
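What a ping looks like on the wire and how a blocker can neutralise it, as an added example that is not part of the original story or of any extension it mentions. The function names `isAuditPing` and `stripPings` and the sample request are constructed for illustration; the request shape is taken from the HTML standard's hyperlink auditing rules, not from the page.

```javascript
// Added example. Per the HTML standard a hyperlink-auditing ping is a POST with
// body "PING", Content-Type text/ping and a Ping-To header (a Ping-From header
// is added in some cases, but not for a cross-origin ping from an HTTPS page).

// Constructed sample: the request sent to the ping URL when the link above,
// placed on an HTTPS page of another site, is clicked.
const SAMPLE_PING = {
  method: 'POST',
  headers: {
    'Content-Type': 'text/ping',
    'Ping-To': 'https://www.google.com/',
  },
  body: 'PING',
};

// True if a request looks like a hyperlink-auditing ping. Usable in a
// filtering proxy or any hook that sees the method and headers.
function isAuditPing(method, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const type = (h['content-type'] || '').split(';')[0].trim().toLowerCase();
  return method.toUpperCase() === 'POST' && (type === 'text/ping' || 'ping-to' in h);
}

// Remove ping attributes from every <a>/<area> under root and return the
// endpoints that would have been notified. root is anything exposing
// querySelectorAll (document in a browser).
function stripPings(root) {
  const removed = [];
  for (const el of root.querySelectorAll('a[ping], area[ping]')) {
    // The attribute value is a space-separated list of URLs.
    removed.push(...(el.getAttribute('ping') || '').split(/\s+/).filter(Boolean));
    el.removeAttribute('ping');
  }
  return removed;
}

// In a browser (userscript or content script): strip now, then again whenever
// nodes are added or a ping attribute is set later by script.
if (typeof document !== 'undefined') {
  stripPings(document);
  new MutationObserver(() => stripPings(document)).observe(
    document.documentElement,
    { childList: true, subtree: true, attributes: true, attributeFilter: ['ping'] },
  );
}
```

Stripping attributes in the page is best-effort; blocking the request itself, as a browser preference or an extension's request filter does, does not depend on the script running before the click.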
(Score: 2, Informative) by Anonymous Coward on Tuesday May 14 2019, @04:27AM (4 children)
Assuming Firefox doesn't remove the about:config option, but just changes the defaults, add to your user.js (so Firefox's new default is overruled):
user_pref("browser.send_pings", false);
No extension needed.
(Score: 0) by Anonymous Coward on Tuesday May 14 2019, @04:42AM
Cool, thanks for the suggestion. Just looked at my FF 60.6.1esr and it is already set:
browser.send_pings;false
On the other hand, these look related--maybe they need to be changed to make sure?
browser.send_pings.max_per_link;1
browser.send_pings.require_same_host;false
And several others that include that ominous word, "telemetry"...
Since EFF Privacy Badger attempts to stop tracking, I wonder if they will add this to a future version of their extension?
(Score: 3, Informative) by Anonymous Coward on Tuesday May 14 2019, @11:48AM (2 children)
https://www.bleepingcomputer.com/news/software/mozilla-firefox-to-enable-hyperlink-ping-tracking-by-default/ [bleepingcomputer.com]
Isn't it nice to see the weaselspeak? It's for your own good, else they'll do it without the lube the next time.
This is what happens when politickers masquerading as programmers take over a FOSS project. Not just the other devs get screwed; users too.
(Score: 3, Informative) by The Shire on Tuesday May 14 2019, @02:20PM
They said the only reason it hasn't been enabled is because they haven't finished the implementation. I have to wonder if they're working out ways to prevent extensions from blocking the functionality.
That would piss me off something fierce.
(Score: 0) by Anonymous Coward on Tuesday May 14 2019, @06:28PM
Besides, even if it is enabled, there isn't anything stopping them from using hyperlink auditing and the other mechanisms they were already using.
(Score: 5, Interesting) by deimtee on Tuesday May 14 2019, @04:49AM (5 children)
How about a browser extension that remembers every ping link it comes across and sends all of them random data continuously.
If you cough while drinking cheap red wine it really cleans out your sinuses.
(Score: 1, Interesting) by Anonymous Coward on Tuesday May 14 2019, @05:24AM (2 children)
Awesomely evil. I was going to make a tampermonkey userscript to strip these out. Now I'll add an option to ping every single one before I remove it :)
(Score: 2, Interesting) by Anonymous Coward on Tuesday May 14 2019, @07:35AM (1 child)
I have a RaspPi running 24/7 which I use for tasks such as this (e.g. poisoning data that I haven't agreed to share). This seems like an excellent job for that computer. It can switch proxies regularly or can access the web via TOR, making it a little harder to block it based on originating IP. Sending pings to a different link every minute or so, or even more frequently, is a negligible workload. I can't find any details of the ping data. Is it simply accessing a specific URL or might there be some other data attached to it? Anyone got any ideas?
(Score: 2) by corey on Tuesday May 14 2019, @11:01AM
Lol. This is what I love about this community.
Make sure to share the code/procedure.
I just wish I had time to do this stuff now I've got kids.
(Score: 0) by Anonymous Coward on Tuesday May 14 2019, @03:28PM (1 child)
New opportunities for DDOS and amplification.
(Score: 0) by Anonymous Coward on Saturday May 18 2019, @03:18AM
So, that's the point. Treat us with some respect or we'll burn the fucking house down.
(Score: 5, Insightful) by Rosco P. Coltrane on Tuesday May 14 2019, @04:52AM (5 children)
as with many others, is that no users ever asked for it. It's just sneakily imposed on them without their consent.
Welcome to the marvelous world of Big Data...
(Score: -1, Flamebait) by Anonymous Coward on Tuesday May 14 2019, @05:19AM
Nah, it's the marvellous world of people who want others to write them free web browsers, while not lifting a finger to assert any control.
(Score: 5, Insightful) by canopic jug on Tuesday May 14 2019, @05:30AM (1 child)
You'll also note that M$ has had quite a few of their people on the HTML5 committee [w3.org], with more at lower levels, screwing things up. That fact and the standard subsequently getting fscked up are no coincidence. The W3C has been out of the hands of developers and academics for years now. Those that run it now have no qualms about killing off the web [defectivebydesign.org] and, indeed, are moving that direction. pings in anchor elements are just extra nails in the coffin.
Money is not free speech. Elections should not be auctions.
(Score: 0) by Anonymous Coward on Tuesday May 14 2019, @09:36AM
And Tim Berners-Lee works for Microsoft to screw stuff up? The last I checked he was allegedly the inventor of the World Wide Web.
See also: https://lists.w3.org/Archives/Public/www-tag/2008Jan/0040.html [w3.org]
He also seems kinda dumb to suggest UDP. It should be obvious that if the browser is going to do a ping it should use whatever protocol is specified in the URL if the browser supports it.
(Score: 4, Interesting) by digitalaudiorock on Tuesday May 14 2019, @12:20PM (1 child)
Exactly. It's bad enough they jam "tracking without JavaScript" into the standard. But if browsers like Firefox implement this as anything other than an opt-in feature, that tells you just how far down at the bottom the end user falls in this picture. Disgusting frankly. I wonder how/if Palemoon will deal with this one.
(Score: 1, Insightful) by Anonymous Coward on Wednesday May 15 2019, @12:41PM
Opt-in is so last century. Now you are expected to say “no, I don't want to be dataraped” every few days and sometimes in different places, sometimes hidden away where the sun doesn't shine.
(Score: 0) by Anonymous Coward on Tuesday May 14 2019, @06:05AM (3 children)
The web is a piece of shit controlled by advertising.
This just makes it obvious.
Shitty, resource hogging, lockup prone SPYWARE, nothing more.
(Score: 3, Insightful) by corey on Tuesday May 14 2019, @11:05AM
The alternative is to install the App.
Which is also:
Shitty, resource hogging, lockup prone SPYWARE, nothing more.
But worse.
(Score: 0) by Anonymous Coward on Tuesday May 14 2019, @09:55PM
not my stuff. guess how many people care to search and find applications/sites that treat them with respect? like zero. that's how many.
(Score: 2) by radu on Thursday May 16 2019, @04:58AM
It's not the "web"'s fault. It's the users'.
"Would you like *free* email?"
"Yes, thank you, google (yahoo, ms, etc)! Really? Free? Just for me? And my family? Thank you! I'm sure you just care for us and our well-being. Even though you're not a religion or something, I believe you are some magical gift-making organization or stuff... whatever... give me, I promise I won't use my brain"
"Would you like *free* videos in this *boring* webpage, which is *just* showing text and pictures? How about *free* *videos*? How about *free* Coca Cola (TM)? For your family? Ice cold? With *and* without lube!"
"Yes, thank you! I really appreciate entertainment! Please, give me *everything* you think will be pleasing for me and my family!"
(Score: 0) by Anonymous Coward on Tuesday May 14 2019, @07:36AM
*skip a few months*
Mozilla enables a feature which by default will spy on users.
SSDD
Drink the koolaid kiddies cause the folks at Mozilla are drowning in it.
(Score: 4, Interesting) by RamiK on Tuesday May 14 2019, @09:48AM
Overall, the feature's existence is a net gain:
1. It lets site operators monetize linking to affiliates without incurring the performance loss the minifiers' redirect involved.
2. When disabled, users can avoid some 3rd party tracking. That is, you're still being tracked by the source and target domain, but there isn't a minify service logging you coming and going in-between.
compiling...
(Score: 3, Informative) by KritonK on Tuesday May 14 2019, @09:53AM (7 children)
From TFA:
(The option is called "Disable hyperlink auditing", if for some reason you need to disable it.)
(Score: 0) by Anonymous Coward on Tuesday May 14 2019, @01:13PM (6 children)
uBlock is for babies, grownups use uMatrix (by the same developer)
The author himself stated "uBlock Origin's main goal is to help users neutralize such privacy-invading apparatus — in a way that welcomes those users who don't wish to use more technical, involved means (such as uMatrix)." -- https://github.com/gorhill/uBlock [github.com]
So upgrade today to https://github.com/gorhill/uMatrix [github.com]
(Score: 2) by The Shire on Tuesday May 14 2019, @02:17PM (4 children)
The assumption there is that privacy can only be obtained if you have absolute granular control over the network stream, but that's not the case. And you have to consider the audience. The vast majority of end users want their privacy but they want it in an uncomplicated way. uBlock Origin fills that niche.
The ultra paranoid or the geeks who want to see what's going on in the background and selectively block it can use uMatrix, or even a combination of other addons that accomplish the same function. But for most folks the cost/benefit of uMatrix isn't worth it. People who are that paranoid should use Tor.
(Score: 0) by Anonymous Coward on Tuesday May 14 2019, @04:25PM (2 children)
Lazy baby want all now but with zero effort! A blacklist is the naive approach here, only a whitelist makes sense. But then it does require a little bit of work...
Fortunately we're given this choice. I think people should value their privacy for the sake of democracy.
(Score: 2) by RamiK on Tuesday May 14 2019, @07:56PM (1 child)
uMatrix has built-in blacklists in the Settings under Assets which are applied to the global scope.
Also, it comes pre-configured for casual users to only block third-party scripts and such. Personally I've manually edited the defaults to block everything except images and css from anywhere:
* * * block
* * css allow
* * frame allow
* * image allow
compiling...
(Score: 0) by Anonymous Coward on Tuesday May 14 2019, @08:14PM
i.e. whitelist
(Score: 0) by Anonymous Coward on Tuesday May 14 2019, @08:24PM
Private mode cookies don't get scrubbed without a new identity and with 10-15 minute tunnel intervals, they can track you across enough circuits to deanonymize you. I use uBlock+uMatrix+Tor. Ensures cookies never get set to begin with, and ad links aren't used.
Personally I think you are probably better off with a normal web browser with those features, plus all TBB patches EXCEPT starting into private mode. If private mode is off then plugins like uMatrix and others can do periodic scrubbing, scanning, or filtering of cookies, html5 data, etc. Something that is disallowed inside of Private Windows/Incognito Mode sessions, meaning that you can't keep track of what data needs scrubbing, or if your plugins are scrubbing it adequately for your purposes.
If you use TBB, be sure to warn others so they understand the ramifications. This issue with the Private Window sessions has been reported to both Mozilla and the Tor Project since 2012 and 2015(?) and both have said it is not a bug. Personally I consider it a dangerously misleading feature.
(Score: 0) by Anonymous Coward on Tuesday May 14 2019, @03:25PM
ISTR from the end days of HTTP switchboard that uBlock and uMatrix were complementary add-ons, in fact, on checking
https://github.com/gorhill/httpswitchboard/blob/master/README.md [github.com]
'..Important: No longer developed. Project has been split into two distinct, more advanced extensions: uBlock Origin and uMatrix.'
Bold added, my reading of this is that if you're only using uMatrix, then you're missing out on functionality that uBlock provides that it doesn't..
(Score: 3, Informative) by The Shire on Tuesday May 14 2019, @01:24PM
Most folks using FF also use some type of adblocker. One of the more popular ones is uBlock Origin and it blocks this by default. You can find it in the addon's settings under "Privacy: Disable hyperlink auditing".
A good refutation of Mozilla's stance on prohibiting the user from disabling this "feature" can be found here [wilderssecurity.com]
(Score: 0) by Anonymous Coward on Tuesday May 14 2019, @05:29PM
If sites really want to do this, couldn't they just munge the hyperlink into their own URL that hits a tiny script that logs the click and then sends you to the hyperlink?
ie, something like <a href="https://www.bleepingcomputer.com/tracker.php?url=google.com">Innocent URL, Trust us.</a>
Of course you'd see their URL when hovering the link, but most people aren't that careful.