LWN: Comments on "Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)" https://lwn.net/Articles/785185/ This is a special feed containing comments posted to the individual LWN article titled "Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer)". en-us Mon, 20 Oct 2025 03:29:19 +0000 Mon, 20 Oct 2025 03:29:19 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/786464/ https://lwn.net/Articles/786464/ foom <div class="FormattedComment"> <font class="QuotedText">&gt; For good measure, my /etc/hosts contains "things" (yes, I'll go berserk again when browsers start doing "DNS requests" via HTTP).</font><br> <p> You could look into "proxy autoconfig" (PAC) files. This mechanism allows you to write a simple JavaScript function to tell the browser how to access a given hostname (e.g. directly to the host, through an http proxy of your choice, etc). You can configure the browser to read it off a file on your machine, or via http. Every browser supports this, as it's commonly used in corporate situations.<br> <p> </div> Mon, 22 Apr 2019 15:52:00 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/786411/ https://lwn.net/Articles/786411/ oldtomas <div class="FormattedComment"> <font class="QuotedText">&gt; It is arrogant to demand that Mozilla set Firefox default preferences to suit the needs of the incredibly rare user who blocks redirects.</font><br> <p> Hm. In my eyes, it is arrogant that Mozilla reduces their users to the lowest common denominator. 
Arrogance, it seems, is in the eye of the beholder.<br> <p> (A proposal towards a compromise: enable ping by default, but highlight those links especially (perhaps by adding a little ⚠ next to it) with a short explanation in the hover text -- but I have the hunch that this won't fly with Mozillians, for... reasons).<br> <p> <font class="QuotedText">&gt; &gt; Mozilla does some things with the design of Firefox that do not maximalize privacy [...]</font><br> <p> I concur with that.<br> <p> <font class="QuotedText">&gt; That's not reasonable at all, given that there are many things Google would like (or would have liked) Mozilla to do that Mozilla doesn't do [...]</font><br> <p> "Some things" != "all things". Let me apply Hanlon's razor here and assume you didn't notice your fallacy.<br> <p> I don't think anybody's saying here that Mozilla is thoroughly evil. I consider it worth arguing with Mozillians, while I won't waste my time arguing with Chromians -- just hoping my life (or Chrome's) is short enough I won't have to.<br> </div> Mon, 22 Apr 2019 09:41:53 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/786389/ https://lwn.net/Articles/786389/ oldtomas <div class="FormattedComment"> <font class="QuotedText">&gt; Less snarkily, what is the alternative you've chosen?</font><br> <p> Firefox. My main profile has javascript disabled (don't ask). For good measure, my /etc/hosts contains "things" (yes, I'll go berserk again when browsers start doing "DNS requests" via HTTP).<br> <p> Sure, the measure is extreme, and perhaps Ghostery might fare better, perhaps not.<br> <p> Many sites which I'm interested in still work (LWN is one of them). When something doesn't work... I consider whether it's worth to me to use some more permissive profile: most of the time it just isn't.<br> <p> My beef with Mozilla is that it makes those choices more and more difficult -- e.g. 
making disappear this easy choice ("turn off Javascript") in the UI precludes more timid users from even experimenting with it... with the (umm...) justification that those users are Just Too Stupid to switch it on again (just an example).<br> <p> <font class="QuotedText">&gt; Remember, the real culprit here is Google [...]</font><br> <p> Don't get me wrong: Google, for me, is in quite another category. I said I want to love Mozilla. I definitely don't want to love Google.<br> </div> Sun, 21 Apr 2019 15:51:58 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/786383/ https://lwn.net/Articles/786383/ codewiz <div class="FormattedComment"> This is clearly an arms race, where each action and countermeasure makes the web a little slower, a little more complex, and a little more fragile for both sides.<br> <p> As other comments have already pointed out, we'd be better off with user agents honoring a privacy-respecting form of ping=, so web developers don't feel compelled to escalate it to JavaScript, encrypted urls and other opaque techniques that achieve the exact same result.<br> </div> Sun, 21 Apr 2019 04:37:06 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/786370/ https://lwn.net/Articles/786370/ Tomasu <div class="FormattedComment"> And I don't see anything wrong with stripping the tracking. I'd even go so far as to strip it in a proxy if I have to. Making it non optional is shady af. Encrypting it is worse. I just don't even. I'll be paying more attention to sites now to see if they are doing anything like that and reconsider my use of such sites. Google's crazy links were obnoxious enough but I've been too lazy to bother with them... 
Anything that hopes further may just get me to act.<br> </div> Sat, 20 Apr 2019 17:52:12 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/786074/ https://lwn.net/Articles/786074/ anton Thanks for the tip. Unfortunately, it does not work in my setup (Debian 8 Iceweasel with disabled JavaScript). I guess there is something additional in your setup to achieve that result. Tue, 16 Apr 2019 07:31:43 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/786032/ https://lwn.net/Articles/786032/ mathstuf <div class="FormattedComment"> So I've been convinced to some extent. The ping attribute is *much* easier to block. The problem is that sites go and see "oh, you're Firefox, let's go and do our JS redirect crap". So if Firefox starts doing ping stuff by default, then security conscious users actually get what they want much more easily: don't send the ping.<br> <p> <font class="QuotedText">&gt; Oh veh. Mozilla. I wanna love you -- I gotta hate you.</font><br> <p> So, uh, how is lynx these days? Less snarkily, what is the alternative you've chosen?<br> <p> Remember, the real culprit here is Google for disabling the ability to not send the ping. Though I suppose an extension could do it as well if it really wanted to, it's just not an in-browser setting anymore.<br> </div> Mon, 15 Apr 2019 15:07:05 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785987/ https://lwn.net/Articles/785987/ farnz <p>Yes - specifically that this is an arms race between trackers (who understand that they won't ever get to track the 1% of people who will accept functionality degradation as a consequence of getting privacy) and privacy advocates (who want it to be easier to opt-out of unwanted tracking, and easier to see what tracking is happening). 
<p>Ensuring that a tracker can hit the 99% by using things like ping attributes that are both easy to identify and easy to filter makes privacy easier to fix; firstly because the 1% can turn off ping (easy) instead of having to deal with layer upon layer of JavaScript based obfuscation of the real link destination designed to help trackers, and secondly because it becomes easier to change browser UIs to identify tracking and inform "regular users" - e.g. by changing the hover behaviour for tracked links to include "(and notify tracker.example.com)" for links with pings. Mon, 15 Apr 2019 11:06:27 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785986/ https://lwn.net/Articles/785986/ ballombe <div class="FormattedComment"> Because there are powerful interests to keep 'regular users' as ignoraminii ?<br> <p> </div> Mon, 15 Apr 2019 10:39:03 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785968/ https://lwn.net/Articles/785968/ marcH <div class="FormattedComment"> <font class="QuotedText">&gt; I had a really hard time parsing the title and the summary.</font><br> <p> I guess the double negation didn't help:<br> <p> <font class="QuotedText">&gt; developers are removing the ability to disable ...</font><br> <p> Now unlike the various and silly "disable_foo" in /sys/, I don't see how to simplify this one.<br> </div> Mon, 15 Apr 2019 04:17:05 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785915/ https://lwn.net/Articles/785915/ oldtomas <div class="FormattedComment"> Yeah. Very compelling. Basically "Just swallow this nasty little tracker or else."<br> <p> Oh veh. Mozilla. I wanna love you -- I gotta hate you. 
It seems that this "ad industry" way of thinking just oozes into the community members' brains without them really noticing.<br> </div> Sat, 13 Apr 2019 10:46:24 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785727/ https://lwn.net/Articles/785727/ mathstuf <div class="FormattedComment"> I use DuckDuckGo as well, but fewer than 2% (certainly less than 5% at least) of my searches end up going to Google. A coworker said the same thing: DDG isn't as useful. Maybe I search for things that DDG is better at or make better search terms by default?<br> </div> Thu, 11 Apr 2019 20:31:02 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785639/ https://lwn.net/Articles/785639/ benoar <div class="FormattedComment"> FYI, Google does only clobber links *if your browser supports redirects*. I browse with accessibility.blockautorefresh=true by default (blocks meta refresh) and Google's first response is a page containing direct links; it adds a meta refresh redirecting to a page with the tracking redirects results.<br> <p> This is clever, as it allows (very) “dumb” UA to still work, and tracks only those who can follow redirect; but has the good side-effect of offering a tracking-free experience.<br> <p> Of course, this is all with Javascript disabled (NoScript). Not quite a standard user setup, I admit.<br> </div> Thu, 11 Apr 2019 14:56:40 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785620/ https://lwn.net/Articles/785620/ excors <div class="FormattedComment"> The HTML spec is pretty clear that it only applies to &lt;a&gt; and &lt;area&gt; elements, when "the user follows the hyperlink" (<a href="https://html.spec.whatwg.org/multipage/links.html#hyperlink-auditing">https://html.spec.whatwg.org/multipage/links.html#hyperli...</a>). 
Since this feature was added after the time when browser developers started taking standards seriously, and since binding behaviour to content attributes is (as far as I'm aware) nearly always done explicitly with an element-specific IDL interface, it's very unlikely that they'll have implemented it completely wrong.<br> </div> Thu, 11 Apr 2019 12:14:03 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785615/ https://lwn.net/Articles/785615/ bokr <div class="FormattedComment"> Ping is in no way automatic. The link needs to be clicked. Javascript in mails is virtually never enabled.<br> <p> I was afraid someone could mistakenly enable ping= in other tags like &lt;img ... &gt;, not just &lt;a ...&gt;, so that it might have effect<br> even where alt text is being rendered by a text-only presenter of html -- depending of course on where the presenter's html parser<br> comes from and what the implementers of that parser decided to do with ping= if seen in &lt;any ...&gt;. <br> </div> Thu, 11 Apr 2019 10:55:39 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785614/ https://lwn.net/Articles/785614/ mp <div class="FormattedComment"> Maybe?<br> Sadly what happens for me now is: I search for 'foo' using DDG, then in more than half of the cases I add !g to the search and usually immediately get what I was unsuccessfully looking for. This may be related to the general relevance algorithms used by both engines, not to a "filter bubble" per se, but click tracking is probably relevant either way.<br> </div> Thu, 11 Apr 2019 09:56:20 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785530/ https://lwn.net/Articles/785530/ mathstuf <div class="FormattedComment"> I'm well aware, but this news item is about Chrome *removing* the setting, not changing the default. 
In any case, blocking `&lt;a ping&gt;` seems like something that would be hard to actually enforce since anything from DNS on up could make the `POST` request just disappear into the aether anyways.<br> </div> Wed, 10 Apr 2019 20:33:29 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785522/ https://lwn.net/Articles/785522/ roc <div class="FormattedComment"> OK, but understand that this places you far outside the range of regular users and should have no bearing on Firefox's *default* settings.<br> </div> Wed, 10 Apr 2019 19:58:59 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785451/ https://lwn.net/Articles/785451/ mathstuf <div class="FormattedComment"> <font class="QuotedText">&gt; It's impossible for users to distinguish tracking redirects from other kinds of redirects, if they notice the redirect at all.</font><br> <p> Actually, I have uMatrix set up to block cross-domain redirects by default. It is only really a problem for shopping carts and OAuth stuff which bounce the browser around, but this is a known situation and I can reasonably predict when such stuff is actually going on to know when to relax the behavior.<br> </div> Wed, 10 Apr 2019 14:07:46 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785423/ https://lwn.net/Articles/785423/ roc <div class="FormattedComment"> Ah, I understand now. Sorry. 
You're talking about situations where you do trust the page but you want to check the destination before you click on a link.<br> <p> This is a good argument in favour of &lt;a ping&gt; actually; it allows sites to stop obfuscating outbound links.<br> </div> Wed, 10 Apr 2019 08:13:14 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785422/ https://lwn.net/Articles/785422/ roc <div class="FormattedComment"> What's your threat model here?<br> <p> Since JS was invented, scripts have been able to navigate the current page to some arbitrary URL with or without any user action.<br> <p> <font class="QuotedText">&gt; Back in the days they were always recommending to check the preview of the link to know if it was safe to click or not</font><br> <p> That advice makes sense if you trust the page containing the link (e.g. results from a search engine you trust).<br> <p> If you don't trust the page containing the link, there's no point in checking the link preview because the page can send you wherever it wants at any time, and that's been true for 20 years.<br> </div> Wed, 10 Apr 2019 08:11:09 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785418/ https://lwn.net/Articles/785418/ LtWorf <div class="FormattedComment"> Can you link one such extension? 
It has always annoyed me but I could not really solve it in any way.<br> <p> But IMO it is a grave security issue from browsers, because the preview of the link shows an URL, but then copying it or clicking it actually takes me to a completely different URL.<br> <p> Back in the days they were always recommending to check the preview of the link to know if it was safe to click or not, and now browser vendors have made that unsafe to trust.<br> </div> Wed, 10 Apr 2019 07:23:42 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785407/ https://lwn.net/Articles/785407/ codewiz <div class="FormattedComment"> Often, click-tracking has nothing to do with "tracking users". Knowing the frequency of clicks is an essential signal for search result ranking, among other things. For sponsored links, clicks are used for billing customers, so you'd go a long way to avoid miscounting.<br> <p> I'm a privacy advocate, but I don't see anything wrong with encrypting the url in response to user agents not honoring the ping attribute and stripping redirects.<br> </div> Wed, 10 Apr 2019 00:13:01 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785392/ https://lwn.net/Articles/785392/ roc <div class="FormattedComment"> There is huge inertia, but code gets rewritten over time for various reasons, new sites or new versions of sites are deployed, etc.<br> </div> Tue, 09 Apr 2019 19:43:40 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785391/ https://lwn.net/Articles/785391/ flussence <div class="FormattedComment"> My bad. 
I misread it as Google doing the worst imaginable thing (turning it *off*, so everyone continues to use JS tracking), but my imagination's clearly lacking.<br> </div> Tue, 09 Apr 2019 19:40:10 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785384/ https://lwn.net/Articles/785384/ leromarinvit <div class="FormattedComment"> As someone who has to deal with such shite as a user, this is the reason the web sucks.<br> <p> No offense meant against you personally, but the fact that people/companies feel the need to do such shady things is an indicator of a very sorry state of affairs.<br> </div> Tue, 09 Apr 2019 16:56:50 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785382/ https://lwn.net/Articles/785382/ micka <div class="FormattedComment"> You don't really need a "filter bubble" to have good search result. I'd even say you probably have better results overall without one. <br> </div> Tue, 09 Apr 2019 16:13:03 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785380/ https://lwn.net/Articles/785380/ nivedita76 <div class="FormattedComment"> Doesn't Google also use this to improve search results, by determining which result was the one you actually wanted? Removing that information from them seems sub-optimal if you want good search results.<br> </div> Tue, 09 Apr 2019 15:41:32 +0000 They still ping google searches in Firefox https://lwn.net/Articles/785265/ https://lwn.net/Articles/785265/ scientes <div class="FormattedComment"> For Firefox user-agents, these still use javascript to re-write urls when you click on them to go to <a rel="nofollow" href="https://www.google.com/url">https://www.google.com/url</a> first, which then 403s you. 
If you use a user-agent that google doesn't think supports javascript, then the urls are this way by default (they only do the javascript trick so that the tooltip works).<br> <p> If you spoof a chrome user-agent though, then they don't send you the evil google redirect, which means you can copy urls no problem.<br> <p> However, with a chrome user-agent youtube won't work anymore, because it will use chrome-specific extensions:<br> <p> <a rel="nofollow" href="https://fossbytes.com/google-accused-of-sabotaging-microsofts-edge-browser-by-ex-engineer/">https://fossbytes.com/google-accused-of-sabotaging-micros...</a><br> </div> Tue, 09 Apr 2019 15:22:41 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785327/ https://lwn.net/Articles/785327/ NAR <I>some sites would stop implementing the redirect workaround,</I> <P> I'm not sure how significant this would be. There's probably a huge inertia here, either in the "this is how it's usually done" form or in actual web frameworks. The frameworks need to be updated, the actual instances need to be upgraded, etc. before we see any of this. Tue, 09 Apr 2019 09:21:55 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785324/ https://lwn.net/Articles/785324/ alonz As someone who has actually implemented a click-tracking solution &mdash; it is relatively common practice to encrypt the real target URL, so the link you get from the original site only includes an opaque blob, and only the click-tracking redirector can decode and decrypt it. Tue, 09 Apr 2019 08:06:55 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785310/ https://lwn.net/Articles/785310/ roc <div class="FormattedComment"> What are you talking about? 
Firefox currently disables &lt;a ping&gt; by default.<br> </div> Tue, 09 Apr 2019 02:17:57 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785308/ https://lwn.net/Articles/785308/ flussence <div class="FormattedComment"> Chrome's falling in line behind Firefox for a change.<br> <p> Unfortunately, the change is to make privacy worse for everyone in the same way Microsoft sending DNT by default did.<br> </div> Tue, 09 Apr 2019 01:38:55 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785291/ https://lwn.net/Articles/785291/ roc <div class="FormattedComment"> <font class="QuotedText">&gt; Whether it's too annoying to have on by default depends on the mix of sites one typically visits.</font><br> <p> It is arrogant to demand that Mozilla set Firefox default preferences to suit the needs of the incredibly rare user who blocks redirects.<br> <p> <font class="QuotedText">&gt; Mozilla does some things with the design of Firefox that do not maximalize privacy. There may be other reasons they do that, but it is reasonable to conclude that it is likely Google's money influences those decisions.</font><br> <p> That's not reasonable at all, given that there are many things Google would like (or would have liked) Mozilla to do that Mozilla doesn't do (e.g. adopt Chromium, abandon Tracking Protection, support PNaCl). You have no evidence that something nefarious is going on and apparently expect Mozilla to somehow prove the complete absence of such influence. If you want Mozilla to turn down Google money on principle and go broke "for the good of the Web", then you are misguided because that wouldn't be good for the Web at all.<br> <p> Honestly I don't think your position is rational at all. 
If Firefox shipped ping by default you'd disable it, sites would use it, you could easily see which sites and links are trying to use it, and you'd deal with less Web breakage because you would have to do less blocking of redirects. What's not to like?<br> </div> Mon, 08 Apr 2019 21:56:31 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785293/ https://lwn.net/Articles/785293/ MarcB <div class="FormattedComment"> Ping is in no way automatic. The link needs to be clicked. Javascript in mails is virtually never enabled.<br> <p> So what would change with ping in mails or forums is precisely...nothing.<br> <p> Redirects in mails are a "best-practice" for quite some time, for various reasons. Professional ESPs add them, because interaction with those links is a valuable indicator if the sending customer is clean (low interactions indicate that the mails are unwanted). Additionally it is a marketing analytics tool they can sell.<br> <p> Phishing uses redirects as well, because the indirection can delay take-downs or slow down recognition by spam filters if multiple domains are used.<br> <p> <p> </div> Mon, 08 Apr 2019 21:56:02 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785286/ https://lwn.net/Articles/785286/ brunowolff <div class="FormattedComment"> I'll give you most people won't notice. I did notice when Google started doing it. I notice when duck duck go does it. (The latter is affected by the link used to do the search.)<br> <p> Lots of sites work with redirects blocked. Whether it's too annoying to have on by default depends on the mix of sites one typically visits.<br> <p> Google gives Mozilla money. Google is very interested in being able to track what people do on the web. Mozilla does some things with the design of Firefox that do not maximalize privacy. 
There may be other reasons they do that, but it is reasonable to conclude that it is likely Google's money influences those decisions.<br> <p> I usually don't send a UA (it's officially an optional header), but pretending to be using a browser that doesn't allow disabling ping while actually disabling ping might be an easy way to avoid most link tracking. But that assumes the web site cares more about how the user perceives performance than being able to track people, since the clients can't be trusted to honor ping, no matter what browser they claim to be.<br> </div> Mon, 08 Apr 2019 21:23:20 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785285/ https://lwn.net/Articles/785285/ brunowolff <div class="FormattedComment"> I actually noticed when Google started doing that. On the few occasions I use them, I usually copy and paste the real links and edit them to keep google from getting a log of which links I used.<br> <p> </div> Mon, 08 Apr 2019 21:07:16 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785275/ https://lwn.net/Articles/785275/ bokr <div class="FormattedComment"> I am wondering what gui email readers do with ping= -- e.g. 
Thunderbird, which being<br> from Mozilla presumably is careful about html rendering in preview formats etc.<br> <p> lynx presumably doesn't do js or images unless specifically extended and configured to do so,<br> and likewise mutt and emacs M-x eww, but who is keeping an eye out so it doesn't get snuck in somehow?<br> <p> If it did get snuck in, how much damage could happen before it became a CVE and got corrected?<br> <p> The question is what can &lt;your idea of bad guys&gt; do if they can insert involuntary action triggers <br> like ping= into email streams or html streams passing through their computers.<br> <p> Ransom notes that you can't help acknowledging that your browser or gui email reader has seen? Nice ;-/<br> <p> To get bad stuff to your html renderer, maybe more simply than owning the computers, buying an ad slot<br> and preparing html ad material for automatic insertion -- I have seen lots of ads injected locally by isps even<br> as I browse a foreign web site, and guess the local isp is getting paid by the advertiser to insert their stuff.<br> (idk how all that is arranged, and who sanitizes what, and who determines the final html my browser sees).<br> <p> BTW, what would LWN do if I posted this post in HTML mode and included a ping= ? Could I do my own analytics<br> on the reading of my post? 
;-)<br> </div> Mon, 08 Apr 2019 21:02:19 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785282/ https://lwn.net/Articles/785282/ MarcB <div class="FormattedComment"> Yes, that is often possible, but it is site-specific, could break at any time and could be made impossible if the site really wanted to (just use an ID that needs to be resolved server-side instead of the actual target in the redirect URL).<br> <p> Any such extension could also be written for the ping attribute and would be completely site-agnostic, simpler and robuster.<br> </div> Mon, 08 Apr 2019 20:53:08 +0000 Major Browsers to Prevent Disabling of Click Tracking Privacy Risk (BleepingComputer) https://lwn.net/Articles/785280/ https://lwn.net/Articles/785280/ MarcB <div class="FormattedComment"> Modern tracking via redirects is not easily visible (see google.com), unless you disable Javascript. But users doing that might simply use the semi-hidden feature to disable ping.<br> <p> The cost to the site operator is actually identical for redirects and ping. However, for the user, pings are cheaper, because the ping and the request to the link target can be done simultaneously while for redirects the client needs to wait for the first response to know the real target. Add to that the cost of the Javascript. Add to that the issue of broken link copying.<br> <p> I doubt disabling redirects in general is actually feasible. Redirects are a core concept of HTTP and disabling them would break countless legitimate use cases (asking for permission would be quite annoying).<br> </div> Mon, 08 Apr 2019 20:47:21 +0000