
Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

BleepingComputer reports that browser developers are removing the ability to disable "ping=" click tracking. "Google Chrome also enables this tracking feature by default, but in the current Chrome 73 version it includes a 'Hyperlink auditing' flag that can be used to disable it from the chrome://flags URL. In the Chrome 74 Beta and Chrome 75 Canary builds, though, this flag has been removed and there is no way to disable hyperlink auditing." Firefox still allows this "feature" to be disabled (and disables it by default).


Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 8, 2019 17:34 UTC (Mon) by hkario (subscriber, #94864) [Link]

good thing that everybody now is using the botnet advertising company "engine" to render pages /s

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 8, 2019 19:28 UTC (Mon) by rc (subscriber, #108304) [Link] (15 responses)

I had a really hard time parsing the title and the summary. Basically, "ping" is an HTML attribute you can use for an <a> tag. When you click a link that has a ping attribute, the browser will POST information to the URL specified in ping= and you will get directed to the URL specified in href=. Some browsers had options to disable the "ping" (or never had it at all) but are removing those options. TL;DR is to use Firefox (or Brave) and make sure that browser.send_pings is set to false.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 8, 2019 19:31 UTC (Mon) by remicardona (guest, #99141) [Link]

Thank you, I couldn't make sense of the blurb either.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 8, 2019 20:25 UTC (Mon) by MarcB (guest, #101804) [Link] (12 responses)

TL;DR actually is: Hopefully Firefox will also make disabling this hard so that anyone who feels the need to do this kind of tracking can rely on ping.

Otherwise they will just continue to do tracking via redirects (and then, optionally, hide the redirects again via Javascript) and get *exactly* the same information.

As a demonstration of this, visit google.com and search for "lwn".

Then admire the nice, first link seemingly pointing to https://lwn.net.

Then use the "copy link to clipboard" function and paste it in the address bar.

Then realize that the link actually is https://www.google.com/url?sa=t&rct=j&q=&esrc... (will likely vary).

Then ask yourself what "ping" would make worse (I can tell you what it would improve: Copying links would work again).

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 8, 2019 20:42 UTC (Mon) by mathstuf (subscriber, #69389) [Link] (9 responses)

There are extensions that remove that crap. Works on Reddit and many other sites which inject such things. Link following shortcut extensions also usually evade this problem.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 8, 2019 20:53 UTC (Mon) by MarcB (guest, #101804) [Link] (5 responses)

Yes, that is often possible, but it is site-specific, could break at any time and could be made impossible if the site really wanted to (just use an ID that needs to be resolved server-side instead of the actual target in the redirect URL).

Any such extension could also be written for the ping attribute and would be completely site-agnostic, simpler and more robust.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 9, 2019 8:06 UTC (Tue) by alonz (subscriber, #815) [Link] (4 responses)

As someone who has actually implemented a click-tracking solution — it is relatively common practice to encrypt the real target URL, so the link you get from the original site only includes an opaque blob, and only the click-tracking redirector can decode and decrypt it.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 9, 2019 16:56 UTC (Tue) by leromarinvit (subscriber, #56850) [Link] (3 responses)

As someone who has to deal with such shite as a user, this is the reason the web sucks.

No offense meant against you personally, but the fact that people/companies feel the need to do such shady things is an indicator of a very sorry state of affairs.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 10, 2019 0:13 UTC (Wed) by codewiz (subscriber, #63050) [Link] (2 responses)

Often, click-tracking has nothing to do with "tracking users". Knowing the frequency of clicks is an essential signal for search result ranking, among other things. For sponsored links, clicks are used for billing customers, so you'd go a long way to avoid miscounting.

I'm a privacy advocate, but I don't see anything wrong with encrypting the url in response to user agents not honoring the ping attribute and stripping redirects.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 20, 2019 17:52 UTC (Sat) by Tomasu (guest, #39889) [Link] (1 responses)

And I don't see anything wrong with stripping the tracking. I'd even go so far as to strip it in a proxy if I have to. Making it non-optional is shady af. Encrypting it is worse. I just don't even. I'll be paying more attention to sites now to see if they are doing anything like that and reconsider my use of such sites. Google's crazy links were obnoxious enough but I've been too lazy to bother with them... Anything that hopes further may just get me to act.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 21, 2019 4:37 UTC (Sun) by codewiz (subscriber, #63050) [Link]

This is clearly an arms race, where each action and countermeasure makes the web a little slower, a little more complex, and a little more fragile for both sides.

As other comments have already pointed out, we'd be better off with user agents honoring a privacy-respecting form of ping=, so web developers don't feel compelled to escalate it to JavaScript, encrypted urls and other opaque techniques that achieve the exact same result.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 10, 2019 7:23 UTC (Wed) by LtWorf (subscriber, #124958) [Link] (2 responses)

Can you link one such extension? It has always annoyed me but I could not really solve it in any way.

But IMO it is a grave security issue from browsers, because the preview of the link shows a URL, but then copying it or clicking it actually takes me to a completely different URL.

Back in the days they were always recommending to check the preview of the link to know if it was safe to click or not, and now browser vendors have made that unsafe to trust.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 10, 2019 8:11 UTC (Wed) by roc (subscriber, #30627) [Link] (1 responses)

What's your threat model here?

Since JS was invented, scripts have been able to navigate the current page to some arbitrary URL with or without any user action.

> Back in the days they were always recommending to check the preview of the link to know if it was safe to click or not

That advice makes sense if you trust the page containing the link (e.g. results from a search engine you trust).

If you don't trust the page containing the link, there's no point in checking the link preview because the page can send you wherever it wants at any time, and that's been true for 20 years.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 10, 2019 8:13 UTC (Wed) by roc (subscriber, #30627) [Link]

Ah, I understand now. Sorry. You're talking about situations where you do trust the page but you want to check the destination before you click on a link.

This is a good argument in favour of <a ping> actually; it allows sites to stop obfuscating outbound links.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 11, 2019 14:56 UTC (Thu) by benoar (guest, #52466) [Link] (1 responses)

FYI, Google only clobbers links *if your browser supports redirects*. I browse with accessibility.blockautorefresh=true by default (blocks meta refresh) and Google's first response is a page containing direct links; it adds a meta refresh redirecting to a page with the tracking redirects results.

This is clever, as it allows (very) “dumb” UAs to still work, and tracks only those who can follow redirects; but it has the good side-effect of offering a tracking-free experience.

Of course, this is all with Javascript disabled (NoScript). Not quite a standard user setup, I admit.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 16, 2019 7:31 UTC (Tue) by anton (subscriber, #25547) [Link]

Thanks for the tip. Unfortunately, it does not work in my setup (Debian 8 Iceweasel with disabled JavaScript). I guess there is something additional in your setup to achieve that result.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 15, 2019 4:17 UTC (Mon) by marcH (subscriber, #57642) [Link]

> I had a really hard time parsing the title and the summary.

I guess the double negation didn't help:

> developers are removing the ability to disable ...

Now unlike the various and silly "disable_foo" in /sys/, I don't see how to simplify this one.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 8, 2019 19:51 UTC (Mon) by roc (subscriber, #30627) [Link] (23 responses)

"ping" is actually a good feature and Firefox should enable it by default.

In practice, having it disabled does not improve anyone's privacy. Web sites still track link clicks; they just change the link to point to a URL on their own server which redirects to the actual destination. This is slower and more user-unfriendly than "ping" (e.g. it breaks "copy link URL to clipboard"). We rightly decry "security theatre"; disabling ping is privacy theatre.

In fact, enabling "ping" by default (but some browsers still allowing users to disable it) would probably be a net increase in privacy. If all major browsers enable ping by default, then some sites would stop implementing the redirect workaround, and the small set of users who manually disable the feature would get increased privacy.

This is a classic case of the Web being a complex ecosystem and users being unable or unwilling to understand the second-order effects of browser decisions. Unfortunately there are enough vocal critics of "ping" pressuring Firefox to do the wrong thing that Mozilla probably can't afford to do the right thing here.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 8, 2019 20:06 UTC (Mon) by nilsmeyer (guest, #122604) [Link]

I currently use a plugin that extracts the original URL from those redirect links (if possible). This could be made a lot simpler if it could simply strip the "ping" attribute.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 8, 2019 20:10 UTC (Mon) by brunowolff (guest, #71160) [Link] (15 responses)

I disagree that enabling "ping" by default is a good feature. It makes it less obvious that link tracking is going on. Forcing redirects on the service makes them pay more for tracking (to handle more requests or to proxy requests) which discourages tracking. It also makes it more obvious to the user if they have redirects blocked or needing approval.

Mozilla doesn't do the right things because they get a lot of money from a company that wants tracking to be easier.

Arguably ping shouldn't have been implemented at all, because almost all sites that want that information don't want to let people opt out of it, so need to do it server side instead of client side anyway, leaving very few users of the feature.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 8, 2019 20:32 UTC (Mon) by roc (subscriber, #30627) [Link] (8 responses)

> It makes it less obvious that link tracking is going on.

It's actually the opposite situation. It's impossible for users to distinguish tracking redirects from other kinds of redirects, if they notice the redirect at all. On the other hand, with "ping" a single line of user CSS (e.g. delivered by a browser extension) will show you which links are tracked --- before you click on them:

a[ping]::before { content: "(tracked) "; }

> Forcing redirects on the service, makes them pay more for tracking (to handle more requests or to proxy requests) which discourages tracking.

Using redirects or "ping", the site has to handle the same number of requests. There is almost no difference in server work required. There is no evidence disabling "ping" discourages tracking in practice.

> It also makes it more obvious to the user if they have redirects blocked or needing approval.

Essentially nobody blocks redirects. Redirects are used for many things, many of which are essential to the function of sites (e.g. OAuth), so blocking them breaks the Web. "ping" on the other hand is a much narrower feature which makes far more sense to block.

> Mozilla doesn't do the right things because they get a lot of money from a company that wants tracking to be easier.

As someone who worked there for a long time but doesn't now: this is just not true. You don't have any evidence for such a connection, and you are just making stuff up.

> Arguably ping shouldn't have been implemented at all, because almost all sites that want that information don't want to let people opt out of it, so need to do it server side instead of client side anyway, leaving very few users of the feature.

That may have been true up to now, but now that Safari and Chrome prevent disabling "ping" I expect sites to use UA-sniffing to use "ping" instead of redirects for those browsers ... leaving Firefox users with a worse user experience for no privacy benefit.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 8, 2019 21:23 UTC (Mon) by brunowolff (guest, #71160) [Link] (2 responses)

I'll give you most people won't notice. I did notice when Google started doing it. I notice when DuckDuckGo does it. (The latter is affected by the link used to do the search.)

Lots of sites work with redirects blocked. Whether it's too annoying to have on by default depends on the mix of sites one typically visits.

Google gives Mozilla money. Google is very interested in being able to track what people do on the web. Mozilla does some things with the design of Firefox that do not maximize privacy. There may be other reasons they do that, but it is reasonable to conclude that it is likely Google's money influences those decisions.

I usually don't send a UA (it's officially an optional header), but pretending to be using a browser that doesn't allow disabling ping while actually disabling ping might be an easy way to avoid most link tracking. But that assumes the web site cares more about how the user perceives performance than being able to track people, since the clients can't be trusted to honor ping, no matter what browser they claim to be.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 8, 2019 21:56 UTC (Mon) by roc (subscriber, #30627) [Link] (1 responses)

> Whether it's too annoying to have on by default depends on the mix of sites one typically visits.

It is arrogant to demand that Mozilla set Firefox default preferences to suit the needs of the incredibly rare user who blocks redirects.

> Mozilla does some things with the design of Firefox that do not maximalize privacy. There may be other reasons they do that, but it is reasonable to conclude that it is likely Google's money influences those decisions.

That's not reasonable at all, given that there are many things Google would like (or would have liked) Mozilla to do that Mozilla doesn't do (e.g. adopt Chromium, abandon Tracking Protection, support PNaCl). You have no evidence that something nefarious is going on and apparently expect Mozilla to somehow prove the complete absence of such influence. If you want Mozilla to turn down Google money on principle and go broke "for the good of the Web", then you are misguided because that wouldn't be good for the Web at all.

Honestly I don't think your position is rational at all. If Firefox shipped ping by default you'd disable it, sites would use it, you could easily see which sites and links are trying to use it, and you'd deal with less Web breakage because you would have to do less blocking of redirects. What's not to like?

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 22, 2019 9:41 UTC (Mon) by oldtomas (guest, #72579) [Link]

> It is arrogant to demand that Mozilla set Firefox default preferences to suit the needs of the incredibly rare user who blocks redirects.

Hm. In my eyes, it is arrogant that Mozilla reduces their users to the lowest common denominator. Arrogance, it seems, is in the eye of the beholder.

(A proposal towards a compromise: enable ping by default, but highlight those links especially (perhaps by adding a little ⚠ next to it) with a short explanation in the hover text -- but I have the hunch that this won't fly with Mozillians, for... reasons).

> > Mozilla does some things with the design of Firefox that do not maximalize privacy [...]

I concur with that.

> That's not reasonable at all, given that there are many things Google would like (or would have liked) Mozilla to do that Mozilla doesn't do [...]

"Some things" != "all things". Let me apply Hanlon's razor here and assume you didn't notice your fallacy.

I don't think anybody's saying here that Mozilla is thoroughly evil. I consider it worth arguing with Mozillians, while I won't waste my time arguing with Chromians -- just hoping my life (or Chrome's) is short enough I won't have to.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 10, 2019 14:07 UTC (Wed) by mathstuf (subscriber, #69389) [Link] (4 responses)

> It's impossible for users to distinguish tracking redirects from other kinds of redirects, if they notice the redirect at all.

Actually, I have uMatrix set up to block cross-domain redirects by default. It is only really a problem for shopping carts and OAuth stuff which bounce the browser around, but this is a known situation and I can reasonably predict when such stuff is actually going on to know when to relax the behavior.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 10, 2019 19:58 UTC (Wed) by roc (subscriber, #30627) [Link] (3 responses)

OK, but understand that this places you far outside the range of regular users and should have no bearing on Firefox's *default* settings.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 10, 2019 20:33 UTC (Wed) by mathstuf (subscriber, #69389) [Link]

I'm well aware, but this news item is about Chrome *removing* the setting, not changing the default. In any case, blocking `<a ping>` seems like something that would be hard to actually enforce since anything from DNS on up could make the `POST` request just disappear into the aether anyways.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 15, 2019 10:39 UTC (Mon) by ballombe (subscriber, #9523) [Link] (1 responses)

Because there are powerful interests in keeping 'regular users' as ignoraminii?

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 15, 2019 11:06 UTC (Mon) by farnz (subscriber, #17727) [Link]

Yes - specifically that this is an arms race between trackers (who understand that they won't ever get to track the 1% of people who will accept functionality degradation as a consequence of getting privacy) and privacy advocates (who want it to be easier to opt-out of unwanted tracking, and easier to see what tracking is happening).

Ensuring that a tracker can hit the 99% by using things like ping attributes that are both easy to identify and easy to filter makes privacy easier to fix; firstly because the 1% can turn off ping (easy) instead of having to deal with layer upon layer of JavaScript based obfuscation of the real link destination designed to help trackers, and secondly because it becomes easier to change browser UIs to identify tracking and inform "regular users" - e.g. by changing the hover behaviour for tracked links to include "(and notify tracker.example.com)" for links with pings.
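As an added example (not code from this thread, from Mozilla or from any browser), a user-script style helper that combines the one-line user CSS quoted earlier in the thread with the "(and notify tracker.example.com)" hover text proposed in this comment; the search site, tracker hostnames and sample links are constructed, and the DOM part only runs when a document exists:

```javascript
// Added example, not code from the thread: annotate <a ping> links with the
// hosts that will be notified on click, in the spirit of the user CSS quoted
// earlier and the "(and notify tracker.example.com)" hover text proposed here.
// Pure helpers are separated from the DOM code so they also run under Node.

// Per the HTML spec, ping= holds space-separated URLs, each resolved against
// the document's base URL. Returns the distinct http(s) hostnames it names.
function pingHosts(pingValue, baseUrl) {
  const hosts = new Set();
  for (const token of String(pingValue || "").split(/\s+/)) {
    if (!token) continue;
    try {
      const u = new URL(token, baseUrl);
      // Browsers only send pings over http(s); ignore any other scheme.
      if (u.protocol === "http:" || u.protocol === "https:") {
        hosts.add(u.hostname);
      }
    } catch (_) {
      // Unparseable token: a browser would drop it too.
    }
  }
  return [...hosts];
}

// Hover text a privacy-aware UI could show instead of the bare destination.
function trackedTitle(href, hosts) {
  return hosts.length === 0 ? href : `${href} (and notify ${hosts.join(", ")})`;
}

// Summarises a list of {href, ping} records (plain objects standing in for
// anchor elements) for the given page URL.
function describeLinks(links, baseUrl) {
  return links.map(({ href, ping }) => {
    const hosts = pingHosts(ping, baseUrl);
    return { href, tracked: hosts.length > 0, title: trackedTitle(href, hosts) };
  });
}

// Constructed sample: a results page on a hypothetical search site with a
// relative ping (same host) plus a third-party ping, an untracked link, and
// a ping that names only non-http schemes.
const SAMPLE_BASE = "https://search.example/results?q=lwn";
const SAMPLE_LINKS = [
  { href: "https://lwn.net/", ping: "/click?r=1 https://tracker.example.com/p" },
  { href: "https://example.org/", ping: "" },
  { href: "https://example.net/", ping: "mailto:a@b.example ftp://files.example/" },
];

function demo() {
  return describeLinks(SAMPLE_LINKS, SAMPLE_BASE);
}

// Browser-only part, e.g. from a user script or extension content script.
// stripPings=true is the "just strip the ping attribute" behaviour some
// commenters ask for; false keeps the feature but makes the tracking visible.
function annotateDocument(doc, stripPings) {
  for (const a of doc.querySelectorAll("a[ping], area[ping]")) {
    const hosts = pingHosts(a.getAttribute("ping"), doc.baseURI);
    if (hosts.length === 0) continue;
    a.title = trackedTitle(a.href, hosts);
    a.dataset.tracked = "1"; // lets user CSS select a[data-tracked]
    if (stripPings) a.removeAttribute("ping");
  }
}

if (typeof document !== "undefined") {
  annotateDocument(document, false);
}
```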

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 8, 2019 20:47 UTC (Mon) by MarcB (guest, #101804) [Link] (5 responses)

Modern tracking via redirects is not easily visible (see google.com), unless you disable Javascript. But users doing that might simply use the semi-hidden feature to disable ping.

The cost to the site operator is actually identical for redirects and ping. However, for the user, pings are cheaper, because the ping and the request to the link target can be done simultaneously while for redirects the client needs to wait for the first response to know the real target. Add to that the cost of the Javascript. Add to that the issue of broken link copying.

I doubt disabling redirects in general is actually feasible. Redirects are a core concept of HTTP and disabling them would break countless legitimate use cases (asking for permission would be quite annoying).

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 8, 2019 21:07 UTC (Mon) by brunowolff (guest, #71160) [Link] (4 responses)

I actually noticed when Google started doing that. On the few occasions I use them, I usually copy and paste the real links and edit them to keep google from getting a log of which links I used.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 9, 2019 15:41 UTC (Tue) by nivedita76 (subscriber, #121790) [Link] (3 responses)

Doesn't Google also use this to improve search results, by determining which result was the one you actually wanted? Removing that information from them seems sub-optimal if you want good search results.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 9, 2019 16:13 UTC (Tue) by micka (subscriber, #38720) [Link] (2 responses)

You don't really need a "filter bubble" to have good search results. I'd even say you probably have better results overall without one.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 11, 2019 9:56 UTC (Thu) by mp (subscriber, #5615) [Link] (1 responses)

Maybe?
Sadly what happens for me now is: I search for 'foo' using DDG, then in more than half of the cases I add !g to the search and usually immediately get what I was unsuccessfully looking for. This may be related to the general relevance algorithms used by both engines, not to a "filter bubble" per se, but click tracking is probably relevant either way.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 11, 2019 20:31 UTC (Thu) by mathstuf (subscriber, #69389) [Link]

I use DuckDuckGo as well, but fewer than 2% (certainly less than 5% at least) of my searches end up going to Google. A coworker said the same thing: DDG isn't as useful. Maybe I search for things that DDG is better at or make better search terms by default?

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 9, 2019 9:21 UTC (Tue) by NAR (subscriber, #1313) [Link] (1 responses)

> some sites would stop implementing the redirect workaround,

I'm not sure how significant this would be. There's probably a huge inertia here, either in the "this is how it's usually done" form or in actual web frameworks. The frameworks need to be updated, the actual instances need to be upgraded, etc. before we see any of this.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 9, 2019 19:43 UTC (Tue) by roc (subscriber, #30627) [Link]

There is huge inertia, but code gets rewritten over time for various reasons, new sites or new versions of sites are deployed, etc.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 13, 2019 10:46 UTC (Sat) by oldtomas (guest, #72579) [Link] (3 responses)

Yeah. Very compelling. Basically "Just swallow this nasty little tracker or else."

Oy vey. Mozilla. I wanna love you -- I gotta hate you. It seems that this "ad industry" way of thinking just oozes into the community members' brains without them really noticing.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 15, 2019 15:07 UTC (Mon) by mathstuf (subscriber, #69389) [Link] (2 responses)

So I've been convinced to some extent. The ping attribute is *much* easier to block. The problem is that sites go and see "oh, you're Firefox, let's go and do our JS redirect crap". So if Firefox starts doing ping stuff by default, then security conscious users actually get what they want much more easily: don't send the ping.

> Oh veh. Mozilla. I wanna love you -- I gotta hate you.

So, uh, how is lynx these days? Less snarkily, what is the alternative you've chosen?

Remember, the real culprit here is Google for disabling the ability to not send the ping. Though I suppose an extension could do it as well if it really wanted to, it's just not an in-browser setting anymore.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 21, 2019 15:51 UTC (Sun) by oldtomas (guest, #72579) [Link] (1 responses)

> Less snarkily, what is the alternative you've chosen?

Firefox. My main profile has javascript disabled (don't ask). For good measure, my /etc/hosts contains "things" (yes, I'll go berserk again when browsers start doing "DNS requests" via HTTP).

Sure, the measure is extreme, and perhaps Ghostery might fare better, perhaps not.

Many sites which I'm interested in still work (LWN is one of them). When something doesn't work... I consider whether it's worth it to me to use some more permissive profile: most of the time it just isn't.

My beef with Mozilla is that it makes those choices more and more difficult -- e.g. making this easy choice ("turn off Javascript") disappear from the UI precludes more timid users from even experimenting with it... with the (umm...) justification that those users are Just Too Stupid to switch it on again (just an example).

> Remember, the real culprit here is Google [...]

Don't get me wrong: Google, for me, is in quite another category. I said I want to love Mozilla. I definitely don't want to love Google.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 22, 2019 15:52 UTC (Mon) by foom (subscriber, #14868) [Link]

> For good measure, my /etc/hosts contains "things" (yes, I'll go berserk again when browsers start doing "DNS requests" via HTTP).

You could look into "proxy autoconfig" (PAC) files. This mechanism allows you to write a simple JavaScript function to tell the browser how to access a given hostname (e.g. directly to the host, through an http proxy of your choice, etc). You can configure the browser to read it off a file on your machine, or via http. Every browser supports this, as it's commonly used in corporate situations.
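A minimal PAC file of the kind described above, as an added example rather than anything from the thread (the tracker hostnames and the choice of a local discard port are assumptions):

```javascript
// Added example (not from the thread): a minimal proxy auto-config (PAC)
// file. The browser calls FindProxyForURL for every request; returning
// "DIRECT" means connect normally, while returning a proxy that nothing
// listens on makes the request fail, which is how this replaces a
// blackhole entry in /etc/hosts. Domain names are constructed placeholders.

// Constructed list of hosts to cut off; a suffix also covers its subdomains.
var BLOCKED_SUFFIXES = ["tracker.example.com", "pings.example.net"];

// Assumes nothing is listening on localhost port 9 (the discard port), so
// the connection is refused and the tracked request never leaves the box.
var BLACKHOLE = "PROXY 127.0.0.1:9";

function isBlockedHost(host) {
  var h = String(host).toLowerCase();
  for (var i = 0; i < BLOCKED_SUFFIXES.length; i++) {
    var s = BLOCKED_SUFFIXES[i];
    if (h === s) return true;
    // Require a ".s" suffix so "nottracker.example.com" does not match.
    if (h.length > s.length && h.slice(-(s.length + 1)) === "." + s) return true;
  }
  return false;
}

// Entry point required by the PAC format. Only classic (ES5) syntax is used,
// since PAC engines in browsers may not accept newer language features.
function FindProxyForURL(url, host) {
  return isBlockedHost(host) ? BLACKHOLE : "DIRECT";
}
```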

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 8, 2019 21:02 UTC (Mon) by bokr (guest, #58369) [Link] (3 responses)

I am wondering what gui email readers do with ping= -- e.g. Thunderbird, which being from Mozilla presumably is careful about html rendering in preview formats etc.

lynx presumably doesn't do js or images unless specifically extended and configured to do so, and likewise mutt and emacs M-x eww, but who is keeping an eye out so it doesn't get snuck in somehow?

If it did get snuck in, how much damage could happen before it became a CVE and got corrected?

The question is what can <your idea of bad guys> do if they can insert involuntary action triggers like ping= into email streams or html streams passing through their computers.

Ransom notes that you can't help acknowledging that your browser or gui email reader has seen? Nice ;-/

To get bad stuff to your html renderer, maybe more simply than owning the computers, buying an ad slot and preparing html ad material for automatic insertion -- I have seen lots of ads injected locally by isps even as I browse a foreign web site, and guess the local isp is getting paid by the advertiser to insert their stuff. (idk how all that is arranged, and who sanitizes what, and who determines the final html my browser sees).

BTW, what would LWN do if I posted this post in HTML mode and included a ping= ? Could I do my own analytics on the reading of my post? ;-)

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 8, 2019 21:56 UTC (Mon) by MarcB (guest, #101804) [Link] (2 responses)

Ping is in no way automatic. The link needs to be clicked. Javascript in mails is virtually never enabled.

So what would change with ping in mails or forums is precisely...nothing.

Redirects in mails have been a "best practice" for quite some time, for various reasons. Professional ESPs add them, because interaction with those links is a valuable indicator of whether the sending customer is clean (low interactions indicate that the mails are unwanted). Additionally it is a marketing analytics tool they can sell.

Phishing uses redirects as well, because the indirection can delay take-downs or slow down recognition by spam filters if multiple domains are used.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 11, 2019 10:55 UTC (Thu) by bokr (guest, #58369) [Link] (1 responses)

> Ping is in no way automatic. The link needs to be clicked. Javascript in mails is virtually never enabled.

I was afraid someone could mistakenly enable ping= in other tags like <img ... >, not just <a ...>, so that it might have effect even where alt text is being rendered by a text-only presenter of html -- depending of course on where the presenter's html parser comes from and what the implementers of that parser decided to do with ping= if seen in <any ...>.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 11, 2019 12:14 UTC (Thu) by excors (subscriber, #95769) [Link]

The HTML spec is pretty clear that it only applies to <a> and <area> elements, when "the user follows the hyperlink" (https://html.spec.whatwg.org/multipage/links.html#hyperli...). Since this feature was added after the time when browser developers started taking standards seriously, and since binding behaviour to content attributes is (as far as I'm aware) nearly always done explicitly with an element-specific IDL interface, it's very unlikely that they'll have implemented it completely wrong.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 9, 2019 1:38 UTC (Tue) by flussence (guest, #85566) [Link] (2 responses)

Chrome's falling in line behind Firefox for a change.

Unfortunately, the change is to make privacy worse for everyone in the same way Microsoft sending DNT by default did.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 9, 2019 2:17 UTC (Tue) by roc (subscriber, #30627) [Link] (1 responses)

What are you talking about? Firefox currently disables <a ping> by default.

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)

Posted Apr 9, 2019 19:40 UTC (Tue) by flussence (guest, #85566) [Link]

My bad. I misread it as Google doing the worst imaginable thing (turning it *off*, so everyone continues to use JS tracking), but my imagination's clearly lacking.

They still ping google searches in Firefox

Posted Apr 9, 2019 15:22 UTC (Tue) by scientes (guest, #83068) [Link]

For Firefox user-agents, these still use javascript to re-write urls when you click on them to go to https://www.google.com/url first, which then 403s you. If you use a user-agent that google doesn't think supports javascript, then the urls are this way by default (they only do the javascript trick so that the tooltip works).

If you spoof a chrome user-agent though, then they don't send you the evil google redirect, which means you can copy urls no problem.

However, with a chrome user-agent youtube won't work anymore, because it will use chrome-specific extensions:

https://fossbytes.com/google-accused-of-sabotaging-micros...


Copyright © 2019, Eklektix, Inc.