[HN Gopher] Firefox 85 cracks down on supercookies
___________________________________________________________________
Firefox 85 cracks down on supercookies
Author : todsacerdoti
Score : 972 points
Date : 2021-01-26 15:06 UTC (7 hours ago)
(HTM) web link (blog.mozilla.org)
(TXT) w3m dump (blog.mozilla.org)
| abcd_f wrote:
| Per-site caching negates the principal selling point of
| centrally-hosted JS and resources, including fonts. The
| convenience remains, but all speed-related perks (due to the
| resources being reused from earlier visits to unrelated sites)
| are no more... which is actually great, because it reduces the
| value that unscrupulous free CDN providers can derive from their
| "properties".
|
| It also means that I can remove fonts.google.com from the uBlock
| blacklist. Yay.
| dathinab wrote:
| > Per-site caching negates the principal selling point of
| centrally-hosted JS and resources
|
| It doesn't or more correctly the benefit wasn't really a thing
| in most cases.
|
| I will not start the discussion here again but on previous
| hacker news articles about this topic you will find very
| extensive discussions about how in practice the caches often
| didn't work out well for all kinds of reasons and how you still
| have a per-domain cache so it anyway mainly matters the first
| time you visit a domain but not later times and how the JS
| ecosystem is super fragmented even if it's about the same
| library etc. etc.
|
| > cause it reduces the value that unscrupulous free CDN
| providers can derive from their "properties".
|
| Not really, the value of a CDN is to serve content to the user
| from a "close by" node in a reliable way allowing you to focus
| on the non static parts of your site (wrt. to traffic balancing
| and similar).
|
| Shared caches technically never did matter that much wrt. CDN's
| (but people used it IMHO wrongly as selling point).
| kristofferR wrote:
| LocalCDN is an extension I would recommend, both for privacy
| and performance reasons.
|
| https://www.localcdn.org/
| milofeynman wrote:
| Decentraleyes is what I use. I assume they're similar
| https://addons.mozilla.org/en-US/firefox/addon/decentraleyes...
| [deleted]
| kristofferR wrote:
| LocalCDN is an updated fork of Decentraleyes.
|
| Decentraleyes hasn't been updated in ages, has few assets
| and its assets are massively out of date.
|
| https://git.synz.io/Synzvato/decentraleyes/-/tree/master/res...
|
| vs
|
| https://codeberg.org/nobody/LocalCDN/src/branch/main/resourc...
| takeda wrote:
| My Decentraleyes was updated on November 5th, that's not
| that long ago.
| zamadatix wrote:
| I wouldn't say all speed related perks, CDNs for resources like
| that are still probably wider (and therefore closer) and faster
| than whatever is hosting your stuff for most sites. Overall it
| is a pretty big cut out of the performance selling point
| though.
| ogre_codes wrote:
| > It also means that I can remove fonts.google.com from the
| uBlock blacklist. Yay.
|
| If you are downloading fonts from Google, Google harvests your
| IP and likely the referring site from the request. Even if your
| browser doesn't send the referrer, many sites have a unique
| enough font-fingerprint that Google can figure out where you
| are.
| cactus2093 wrote:
| It doesn't seem like centrally-hosted resources ever
| centralized enough to be all that useful. Even for sites that
| are trying to play ball, there are multiple CDNs so everyone
| has to agree which one is the standard. Plus everyone has to be
| using the same version of each resource, but in practice most
| js tools release so often that there will always be many
| different versions out in the wild.
|
| On top of that a lot of the modern frontend tools and best
| practices are pushing in the other direction. Out of the box,
| tools like webpack will bundle up all your dependencies with
| your app code. The lack of JS namespacing and desire to avoid
| globals (which is pretty well-intentioned, and generally good
| advice) means that your linter complains when you just drop in
| a script tag to pull a library from a cdn instead of using an
| es6 import and letting your bundler handle it. Typescript won't
| work out of the box I don't think. Your integration tests will
| fail if the cdn is down or you have a network hiccup, as
| opposed to serving files locally in your test suite. And on and
| on. This is just anecdotal, but I haven't seen most teams I've
| worked with value the idea of centrally-hosted JS enough to
| work around all these obstacles.
| jahewson wrote:
| Per-site caching is the new norm. Shared caches are vulnerable
| to timing attacks that infer your web history. It's a shame but
| that's just the reality of caching. Shared caches were never as
| useful as claimed due to the large numbers of versions of most
| resources.
| PaulHoule wrote:
| That idea of having JS files hosted elsewhere always struck me
| as a Girardian scam (e.g. "everybody else does it") and always
| getting voted down when I showed people the reality factor.
|
| Nobody seemed to think it was hard to host a file before this
| came along, just as nobody thought it was hard to have a blog
| before Medium.
|
| Of course this creates the apocalyptic possibility that one of
| these servers could get hacked (later addressed with some
| signing) but it's also not easy to say you're really improving
| the performance of something if there is any possibility you'll
| need to do an additional DNS lookup -- one of the greatest
| "long tails" in performance. You might improve median
| performance, but people don't 'experience' median performance
| in most cases (it goes by too fast for them to actually
| experience it), they 'experience' the 5% of requests that are
| the 95% worst, and if they make 100 requests to do a task, 5 of
| them will go bad.
|
| People are miseducated to think caching is always a slam dunk
| and sometimes it is but often it is more nuanced, something you
| see in CPU design where you might "build the best system you
| can that doesn't cache" (and doesn't have the complexity, power
| and transistor count from the cache -- like Atmel AVR8) to
| quite a bit of tradeoff when it comes to 'computing power' vs
| 'electrical power' and also multiple cores that see a
| consistent or not view of memory.
| conradfr wrote:
| Wasn't that also because before http2 browsers were limiting
| the number of concurrent requests to a domain?
| gamacodre wrote:
| This. If you are loading some scripts that are actually
| required for your app or page to work right, why would you
| get them from someone else's infrastructure? Terminal
| laziness? Or is the assumption that XYZ corp has more
| incentive than you do to keep your page working? This never
| made much sense to me except for developer toys & tutorials.
| sanxiyn wrote:
| It's not about being hard, it's about being convenient.
| Convenience is important. Even trivial convenience.
| mdavidn wrote:
| Browsers can check "subresource integrity" to guard against
| hacks of third-party services.
|
| https://developer.mozilla.org/en-US/docs/Web/Security/Subres...
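The subresource integrity check mentioned in the comment above, as an added Python example that is not part of the thread: it builds the `integrity` value for a script and mirrors the browser-side decision (only the strongest listed hash algorithm counts). The CDN URL and the script bodies are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re

# Hash algorithms SRI accepts, ranked weakest to strongest.
ALG_RANK = {"sha256": 0, "sha384": 1, "sha512": 2}
TOKEN_RE = re.compile(r"(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?\S*)?")

# Constructed sample: the library as published, and a modified copy.
SAMPLE_BODY = b"window.lib = function () { return 1; };\n"
TAMPERED_BODY = SAMPLE_BODY + b"/* injected */\n"


def make_integrity(body: bytes, alg: str = "sha384") -> str:
    """Return the integrity attribute value for a resource body."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url: str, body: bytes) -> str:
    """Emit a script tag pinned to the given body.

    crossorigin is required for cross-origin resources: without a CORS
    response the browser cannot verify the body and refuses to run it.
    """
    return (f'<script src="{url}" integrity="{make_integrity(body)}" '
            f'crossorigin="anonymous"></script>')


def parse_integrity(attr: str):
    """Split integrity metadata into (alg, digest) pairs, dropping unknown tokens."""
    pairs = []
    for token in attr.split():
        match = TOKEN_RE.fullmatch(token)
        if match:
            pairs.append((match.group(1), match.group(2)))
    return pairs


def sri_allows(body: bytes, attr: str) -> bool:
    """Decide whether a fetched body may be used under the given metadata."""
    pairs = parse_integrity(attr)
    if not pairs:
        # No usable metadata means no integrity requirement at all, so a
        # typo in the attribute silently removes the protection.
        return True
    strongest = max(pairs, key=lambda p: ALG_RANK[p[0]])[0]
    for alg, expected in pairs:
        if alg != strongest:
            continue  # weaker hashes are ignored once a stronger one is listed
        actual = base64.b64encode(hashlib.new(alg, body).digest()).decode("ascii")
        if hmac.compare_digest(actual, expected):
            return True
    return False


if __name__ == "__main__":
    pinned = make_integrity(SAMPLE_BODY)
    print(script_tag("https://cdn.example/lib.js", SAMPLE_BODY))
    print("published copy allowed:", sri_allows(SAMPLE_BODY, pinned))
    print("modified copy allowed: ", sri_allows(TAMPERED_BODY, pinned))
```

The empty-metadata branch is the case worth testing in a build pipeline: an `integrity` value that fails to parse does not block anything.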
| jimbob45 wrote:
| By Supercookie they mean Evercookie, right? That seems to be what
| they're describing.
| baliex wrote:
| Is either a formal enough term to argue that one is more
| correct than the other?
| kristofferR wrote:
| Evercookie is a Javascript project that produces respawning
| super cookies:
|
| https://github.com/samyk/evercookie
|
| It's quite dead now, stopped working around 2017:
| https://github.com/samyk/evercookie/issues/125
| hereisdx wrote:
| Can you please detect I'm using Firefox, and not show the
| "Download Firefox" banner on top? I'll be able to save a few
| pixels of vertical space.
| tangoalpha wrote:
| Firefox takes privacy so seriously that they fail to detect you
| are on Firefox, if you are using Firefox!
| Nextgrid wrote:
| But not seriously enough to remove Google Analytics from
| their website.
| fsflover wrote:
| Google currently pays for Firefox development. Are you
| ready to be the money source instead?
| floatingatoll wrote:
| I looked because I was curious, and on both desktop and mobile,
| in all browsers, the site's topnav includes their Mozilla logo,
| a Download Firefox button, and links to a couple of other
| Mozilla sites about Internet Health and Donate.
|
| I imagine they could still choose to hide the blue button when
| you're on Firefox, but that wouldn't save you any vertical
| space, since the topnav menu of links and logo would remain.
| noja wrote:
| It's there always in the same place so you can download Firefox
| for someone else, or for another device.
| Shivetya wrote:
| So eventually we will have private browsing for every site so
| that there is no possible cross pollination? How far can that be
| taken?
|
| Or am I off in the weed here about how this will play out?
| jypepin wrote:
| Tracking has become so bad that it seems like users have to spend
| money (more bandwidth) to protect themselves from it.
|
| Crazy and sad to see where we've come :\
| wejick wrote:
| Which one is more annoying for you between today's tracker and
| early 2000ish popup on top IE?
|
| Or remember adware on windows XP and how many antivirus tools
| advertised to eradicate that.
|
| * they're hilarious comparison but I found it amusing.
| foepys wrote:
| Nobody would accept interconnected face scanners in every
| building they walk into but online it's somehow okay.
| vaduz wrote:
| Maybe not yet, but neither did we arrive at the current state
| where e.g. London has an estimated 691k _registered_ CCTV
| cameras [0] (and many hundreds of thousands more
| unregistered, as you don't need to register ones that point
| only at your own property) in a day. Note that a lot of those
| are already interconnected and linked to recognition systems:
| TfL and various borough council cameras in particular as part
| of anti-"serious crime" initiative are an example [1].
|
| Private exercise of the same technology is merely deterred,
| but not stopped by GDPR (especially now that UK is "happily
| gone" from "EU overregulation"...).
|
| And of course that ignores China which has cities that have
| both more total (Beijing, Shanghai) and more per-kilopop
| (Taiyuan, Wuxi) cameras than London.
|
| [0] https://www.cctv.co.uk/how-many-cctv-cameras-are-there-in-lo...
| [1] https://www.nytimes.com/2020/01/24/business/london-police-fa...
| ogre_codes wrote:
| > Nobody would accept interconnected face scanners in every
| building they walk into but online it's somehow okay.
|
| There are cars with license plate scanners that wardrive the
| world. They scan plates in shopping centers, businesses, and
| even apartment buildings so on the off chance law
| enforcement, repo businesses, or anyone who wants to know
| where your car is parked can track you.
|
| People accept that. Or rather, most are blissfully unaware
| that it happens.
|
| If your grocery store added face tracking to their existing
| security cameras, would you even know it? Would you know if
| they sold that data?
| upofadown wrote:
| People accept that in the USA. Privacy laws in most
| countries make the free interchange of such information
| illegal
| ogre_codes wrote:
| Fair point.
|
| The Wild West mentality in the US kind of sucks when
| technology allows even small businesses the ability to
| screw over large numbers of people.
| novaRom wrote:
| Even worse: foreign powers get that ability to screw
| whole country.
| saagarjha wrote:
| > Or rather, most are blissfully unaware that it happens.
|
| That is the problem.
| shaan7 wrote:
| You know what is surprising? A lot of people will easily
| accept those face scanners too :/
| ogre_codes wrote:
| A lot of people accept that which is beyond their control.
| That doesn't mean they are Ok with it, just that they don't
| know how to do anything about it or often that it's even
| happening.
| franga2000 wrote:
| Wasn't there an article about paying with your face
| around here just a bit ago? People clearly don't just
| tolerate this, but embrace it.
|
| Only people from places where it's too late to go back
| (like China) are aware of the dangers of these systems,
| but they can hardly warn the rest of us and when they do,
| we generally don't listen as "something like that surely
| wouldn't happen in my free country".
|
| It would seem that people only get slightly spooked when
| a government does something that could impact their
| privacy (even when it actually doesn't - see the recent
| covid tracking app backlash in basically every country)
| but when private companies do it, they eat it up happily.
| ogre_codes wrote:
| > People clearly don't just tolerate this, but embrace
| it.
|
| If there were an opt-in way of doing this, it wouldn't
| bother me. Similarly with online tracking, if it were opt
| in only, it wouldn't bother me.
|
| What is frustrating is the lack of transparency or
| ability to control who and where my data is collected.
| notyourwork wrote:
| Amazon Go disagrees with you. We're moving that direction and
| I think the pace will accelerate.
| adolph wrote:
| _Unfortunately, some trackers have found ways to abuse these
| shared resources to follow users around the web. In the case of
| Firefox's image cache, a tracker can create a supercookie by
| "encoding" an identifier for the user in a cached image on one
| website, and then "retrieving" that identifier on a different
| website by embedding the same image. To prevent this possibility,
| Firefox 85 uses a different image cache for every website a user
| visits. That means we still load cached images when a user
| revisits the same site, but we don't share those caches across
| sites._
|
| Wait, so one form of "supercookie" is basically the same as the
| transparent gif in an email?
|
| https://help.campaignmonitor.com/email-open-rates#accuracy
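The cache keying change quoted from the article above, modelled as an added Python example that is not part of the thread or of Firefox's code. The host names are constructed, and "site" is approximated as scheme plus the last two host labels (an assumption; a real browser consults the Public Suffix List).

```python
from urllib.parse import urlsplit


def site_of(url: str) -> str:
    """Approximate the top-level site: scheme plus the last two host labels."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return f"{parts.scheme}://{'.'.join(host.split('.')[-2:])}"


class ResourceCache:
    """Image/HTTP cache model that can be keyed with or without the top-level site."""

    def __init__(self, partitioned: bool):
        self.partitioned = partitioned
        self._store = {}

    def _key(self, top_level_url: str, resource_url: str):
        if self.partitioned:
            # Partitioned: the same resource URL gets one entry per visiting site.
            return (site_of(top_level_url), resource_url)
        # Shared: one entry for everyone who embeds the resource.
        return (resource_url,)

    def load(self, top_level_url: str, resource_url: str, fetch):
        """Return (body, served_from_cache)."""
        key = self._key(top_level_url, resource_url)
        if key in self._store:
            return self._store[key], True
        body = fetch(resource_url)
        self._store[key] = body
        return body, False


class CountingServer:
    """Stand-in origin that returns a distinct body on every network fetch."""

    def __init__(self):
        self.fetches = 0

    def fetch(self, url: str) -> str:
        self.fetches += 1
        return f"image-bytes-{self.fetches}"


# Constructed browsing session: (page visited, resource it embeds).
IMAGE = "https://cdn.example/pixel.png"
VISITS = [
    ("https://news.example/", IMAGE),
    ("https://shop.example/", IMAGE),          # different site, same image
    ("https://news.example/", IMAGE),          # revisit of the first site
    ("https://www.news.example/page", IMAGE),  # subdomain of the first site
]


def replay(partitioned: bool):
    """Run the session; return per-visit (site, body, from_cache) and fetch count."""
    cache = ResourceCache(partitioned)
    server = CountingServer()
    seen = []
    for page, resource in VISITS:
        body, hit = cache.load(page, resource, server.fetch)
        seen.append((site_of(page), body, hit))
    return seen, server.fetches


if __name__ == "__main__":
    for mode in (False, True):
        seen, fetches = replay(mode)
        print("partitioned" if mode else "shared", "network fetches:", fetches)
        for row in seen:
            print("  ", row)
```

With the shared key, the second site is handed the bytes stored during the visit to the first; with the partitioned key it triggers its own fetch, while revisits within one site still hit the cache.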
| suvelx wrote:
| Are there any plans for complete partitioning?
|
| I'd like to see a point where browsing on two different websites
| are treated as a completely different user. Embeds, cookies,
| cookies in embeds, etc.
| Santosh83 wrote:
| I believe the 'First-party isolation' feature does this, but
| you need to enable it from about:config, and even then, I'm not
| sure if it is complete or bug-free.
| cassianoleal wrote:
| Have you tried Temporary Containers[0]?
|
| I use it to automatically open every new tab in its own
| temporary container.
|
| [0] https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
| cmeacham98 wrote:
| privacy.firstparty.isolate :)
| andrewaylett wrote:
| I've had first party isolation turned on for possibly a couple
| of years now (certainly since before the pandemic) and it does
| break a small number of sites but nothing I particularly care
| about. Except that one internal tool that I've taken to loading
| in Chrome :P.
|
| I don't recall the last time I had to temporarily disable it to
| allow something to work.
| ajvs wrote:
| This is called First-Party Isolation, a key principle of the
| Tor Browser and an optional preference in Firefox.
| jrmann100 wrote:
| That's probably Firefox's own Firefox Multi-Account
| Containers[0]. Groups caches/cookies into designated categories
| for each tab (personal, work, shopping, etc.), with smart
| recognition for assigned sites.
|
| [0] https://addons.mozilla.org/en-US/firefox/addon/multi-account...
| nixpulvis wrote:
| Someone should do a study on the performance impacts of using
| something like this on all sites for various kinds of
| "typical" web browsing profiles. I'm honestly guessing a lot
| of the losses would be in the noise for me personally.
| greggyb wrote:
| There is an additional Firefox extension that integrates
| with multi-account containers, Temporary Containers. This
| is highly configurable - I have it create a new container
| for every domain I visit, with a couple of exceptions that
| are tied to permanent containers.
|
| I run that on my personal devices.
|
| At work, there is so much in terms of SSO the amount of
| redirects that happen mean that temp-container-per-domain
| breaks all sorts of workflows, so I go without on the work
| machine.
|
| I notice no major difference between these two
| configurations, although I'm sure that there would be
| things that are measurable, though imperceptible.
| jniedrauer wrote:
| I'd like to see something like the firefox container extension
| automatically open a new container for every unique domain
| name. It could get tricky for eg. federated logins, so I'm not
| 100% sure what the implementation would look like. But it'd be
| nice to have the option.
| SAI_Peregrinus wrote:
| The Temporary Containers addon[1] does this. Combined with
| the usual Multi-Account Containers "always open this site
| in..." mechanism you can have some sites always open in a
| single container, but all other sites open in temporary
| containers that get deleted shortly after you close their
| tab.
|
| [1] https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
| jniedrauer wrote:
| I don't want the containers to be transient. I want to be
| able to persist session cookies and local settings.
| cmeacham98 wrote:
| I commented on the main post, but First Party Isolation
| is exactly what you want, and breaks relatively few
| websites (and there's an extension to turn it on/off if
| you do use a website it breaks).
| adkadskhj wrote:
| For clarity - the workflow is basically that all sites
| would be temporary containers, _except_ sites you
| explicitly set to be managed by Multi-Account Containers?
|
| _edit_: I'm trying this out, seems to work nicely - but
| assigning all the sites that i want permanent state on to
| different account containers is a bit of a chore. Feel like
| i'm doing something wrong there.
|
| But the temporary containers are working great
| noctua wrote:
| A few days ago there was a paper posted here about favicon cache
| being used for tracking [1]. I wonder if cache partitioning also
| prevents that?
|
| [1] https://news.ycombinator.com/item?id=25868742
| floatboth wrote:
| Favicons are mentioned in the article as one of the caches that
| get partitioned now.
| eslaught wrote:
| Is this the same as the old privacy.firstparty.isolate setting in
| about:config? If not what's different?
| Caligatio wrote:
| There still appears to be some confusion but, from what I read,
| FPI is a superset of this partitioning stuff:
| https://github.com/arkenfox/user.js/issues/930
| hassanahmad wrote:
| Hopefully it will speed up my Mozilla a bit.
| w0mbat wrote:
| Ironically, the Hush extension for Safari (which aims to limit
| cookie tracking, amongst other goals) blocks that page.
|
| I mean this one, not the Chrome extension of the same name.
| https://oblador.github.io/hush/
| amenod wrote:
| Good job Mozilla! Do what Google never will - put users' privacy
| front and center.
|
| On a sidenote, I might now re-enable cache that I kept disabled
| (well - cleared on exit) because of supercookies. I don't care
| that much if a single page tracks me, but I _really_ don't want
| Google to track me across sites. If Firefox protected me against
| that.. they would have one very grateful user. :)
|
| EDIT: this also highlights why Google is so invested in Chrome -
| they can make sure that privacy doesn't interfere with their
| money-making machine. They really are brilliant. Brilliantly
| evil.
| sanxiyn wrote:
| Eh, Google was first to implement this:
| https://developers.google.com/web/updates/2020/10/http-cache....
| [deleted]
| amenod wrote:
| So? Mozilla should still catch up (if/where needed) and
| surpass Google on all privacy fronts. The goal should be that
| Google can't track Firefox users in default configuration -
| rest assured, this will never happen with
| Chrome/Chromium/Edge, and probably not with any other
| Chrome-based browser either.
| livvelupp wrote:
| Thank you, now i am resting assured.
| ahupp wrote:
| From the article: "These impacts are similar to those reported
| by the Chrome team for similar"
| huron wrote:
| From a purely web browsing experience the first iPad 'should be'
| powerful enough to browse ANYTHING out there these days. But it
| can't. The last few models will increasingly have the same issues
| as the sheer volume of muck and cruft that's included with the
| advertising gack just continues to explode.
|
| I'm definitely of the opinion that our web browsing devices are
| marketing tools that we are allowed to use for media consumption.
| Synaesthesia wrote:
| The first iPad sucked a whole bunch. Only 256mb RAM especially
| hurt. But I hear what you're saying.
| 725686 wrote:
| I beg to differ. Of course if you compare it with today's
| spec it sucks... it's been more than 10 years since launch! I
| can still use my iPad 1 to watch Netflix and play some old
| games I like (i.e. Carcassonne). The battery still works
| pretty good. I would say that the iPad 1 rocked, and should
| be able to browse today's web ... except it can't because of
| the amount of cruft that is pushed our thoughts nowadays.
| woof wrote:
| I loved mine at least a year and was quite happy for another
| year. Some sites worked awesome, others sucked hard due to
| crazy pay loads.
|
| I blame shitty sites more than Apple's architecture :(
| bawolff wrote:
| Wait does that mean hsts cache is per origin?
|
| That seems like it would make tls stripping attacks a lot easier.
| kag0 wrote:
| Maybe. But a more clever approach might be to limit the size of
| the HSTS cache per second-level-domain per origin. Or to randomly
| respect the cache. Or to simply make every request to both the
| TLS and non-TLS port but do so in parallel and discard the
| non-TLS response if the domain was in the HSTS cache.
|
| I'm not saying any of those approaches is bulletproof, just
| that maybe they have a more complex strategy in mind to
| mitigate risk.
| bawolff wrote:
| Those would be much worse strategies than even just not
| supporting hsts at all.
|
| > Or to randomly respect the cache
|
| If the goal is to manipulate a single request to insert
| malicious js that gets cached, you only need a single non tls
| request. If you're an on path attacker, you can probably get
| the user to request things multiple times (e.g. randomly
| break and unbreak internet connectivity) until you get
| lucky with an unencrypted connection. If you're trying to
| make a super cookie you can just repeat and average out the
| random failures (random perturbation almost never prevents a
| side channel leak, at most it makes it more expensive)
|
| >Or to simply make every request to both the TLS and non-TLS
| port but do so in parallel and discard the non-TLS response
| if the domain was in the HSTS cache.
|
| Fails at confidentiality 100% of the time
| gennarro wrote:
| If only DNT had been enforced and respected, so much effort could
| have been avoided. I appreciate these protections, but it's
| unfortunate this whole cat and mouse game is necessary.
| nerdponx wrote:
| Who would enforce it?
| seumars wrote:
| Maybe they should crack down on how awful the UI has become.
| f430 wrote:
| is it just me or more people switching to Firefox these days?
| ff4lyfer99 wrote:
| I switched in late 2017 when they released quantum or neutrino
| or whatever they called it, a huge performance release.
|
| As a backend dev and security focused eng I have little reason
| to test drive changes in all browsers.
|
| FF has been smooth and stable for me across desktop OSs. Having
| no reason to alternate between that and Chrome, I've been
| confused by people saying it's slow.
|
| It's been, to my memory, a flawless experience for 3+ years.
|
| On the flip side, Chrome is a spy app, and a cognitive
| perception of web devs it's faster does little to move me to
| use it.
| kriops wrote:
| Just interact with the Facebook chat in Chrome and FF, and
| you'll see that FF is significantly slower.
|
| That being said I use 90% FF, 9% safari and 0.999...% Chrome,
| because FF handling of tabs/containers/add-ons offers
| superior UX _despite_ the performance annoyances. IMO,
| obviously.
| ff4lyfer99 wrote:
| Ah well I nuked my FB account in 2010, as the spyware
| nature of it was obvious to me then
| vorticalbox wrote:
| I think is down to the fact that most websites target
| chrome first as it has the biggest market share.
|
| I've noticed reddit is rather slow in ff but other than
| that not really noticed anything massively slow or broken.
| mynameisash wrote:
| I've had a similar experience. My only gripe is that the
| Facebook Container extension / Multi-Account Containers[0]
| stopped working for some reason, and I haven't been able to
| get them working again. I _love_ that I was able to sequester
| all of Google's real estate from all of Amazon from all of
| my work tabs, and so on.
|
| [0] https://support.mozilla.org/en-US/kb/containers
| wejick wrote:
| The FB container is working Ok on my side. It's not helpful
| tho
|
| May be try on new profile to isolate the issue.
| mlok wrote:
| FB Container never stopped working fine for me. You should
| be able to use them again, as we do.
| billiam wrote:
| Evergreen comment.
| devenblake wrote:
| Not sure. People on-line are switching but I haven't been able
| to convince many off-line - Chrome is necessary for a lot of
| poorly coded sites.
| eitland wrote:
| > Chrome is necessary for a lot of poorly coded sites.
|
| Just like IE was.
|
| And just like in the IE days some of us are cheering
| enthusiastically for every better alternative while others
| are defending the incumbent alternative :-)
|
| It will take time but if we all do something sooner or lesser
| the old "best viewed in IE6/Chrome" websites become an
| embarrassment to management and then it will get fixed ;-)
|
| Edit: Same will probably (IMO) happen with WhatsApp now and
| possible (again IMO) even Facebook and Google if they don't
| catch the drift soon. I can sense a massive discontent with
| them everywhere and for at least 3 different reasons:
| spying, ux and functionality regressions and also because of
| their stance on politics (ironically I think large groups on
| all sides of politics want to bludgeon those companies over
| various issues and few except investors really love them).
| gilrain wrote:
| Not according to their own metrics. Monthly Active Users and
| New Profile Rate are the relevant metrics, and both are in
| decline.
|
| https://data.firefox.com/dashboard/user-activity
| dang wrote:
| We detached this subthread from
| https://news.ycombinator.com/item?id=25917559.
| kristofferR wrote:
| That's my impression too. Not surprising though - Firefox has
| just recently started to get good again (trackpad support, GPU
| rendering, privacy protections etc), while Chrome gets
| progressively worse.
| StLCylone wrote:
| On the desktop there has been minor movement as percentage of
| the whole market, but up 9% on their own share.
|
| https://gs.statcounter.com/browser-market-share/desktop/worl...
| hinkley wrote:
| Chrome is losing market share since October? What changed?
| aquova wrote:
| I downloaded and looked at the raw data. The biggest reason
| seems to be the new Edge browser gaining popularity. It
| went from 5.8% to 7.4% market share since October. I'm not
| sure why this chart displays both IE and the old Edge, when
| together they're a third of the market share of new Edge.
|
| Safari and Firefox also are up since October, but I'm not
| sure why that is. For Safari I suspect new Apple devices
| being purchased around the holidays, but that's just a
| guess.
| supernova87a wrote:
| Whenever a change to an ecosystem / business model comes along
| and some entrenched interest complains, I think:
|
| "I have no doubt that someone will succeed under these new rules
| to come. You're just upset that it isn't you any more."
| beervirus wrote:
| Firefox is so good.
|
| It's a continual source of amazement for me that a majority of
| HNers are using a browser made by the largest data gobbler in the
| world, instead of one that actually tries to prevent spying on
| users.
| mschuster91 wrote:
| Speed, especially with a large number of tabs opened, and the
| Dev tools. Chrome's are the most polished _by far_, and it's
| trivial to do remote debugging on Android devices.
| dang wrote:
| > _a majority of HNers are using a browser made by_
|
| How do you know what browser the majority of HNers are using?
| saagarjha wrote:
| I'm curious: what _is_ the browser that the majority of
| Hacker News users are using?
| tannhaeuser wrote:
| How do you know user-agent strings of HNers? My guess would be
| that FF has above-average usage here, with FF topics getting
| upvotes regularly.
|
| Hmm, come to think of it, does anybody know an easy
| Chrome-blocking trick for displaying "this page is best viewed using
| FF"? Might be an effective deterrent for non-"hackers" and the
| start of forking the web for good.
| goalieca wrote:
| I used chrome from 2008 to about 2013. At the time Chrome was
| fast and their macOS experience was amazing. But you could tell
| that Google was focusing more and more on integrations and
| services and less on the browsing experience.
| mschuetz wrote:
| I've been switching to Firefox for private use a year ago, but
| overall I find it not good. Weird bugs, usability issues, dev
| tools not that great, etc. And privacy-wise, the defaults don't
| seem great either. There was something about containers that
| are supposed to prevent tracking between different domains, but
| if you actively have to create containers rather than them
| being automatically applied on each domain, then that's not
| much use since it makes things cumbersome to use.
| jedberg wrote:
| You need the temporary containers plug-in to manage it for
| you.
|
| https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
| mschuetz wrote:
| This is not something that should require a plugin. Each
| plugin is an additional source I need to trust.
| jedberg wrote:
| The reason it is a plugin is because it's really
| complicated and confusing. Even as someone who has a deep
| understanding of web protocols I get tripped up by
| temporary containers sometimes when things don't work
| quite right.
|
| Firefox built the core container technology, which drives
| their built in Facebook container (isolating Facebook
| from everything else). But isolating everything has a lot
| of weird edge cases, and I can't blame them for not
| supporting it out of the box.
| paulpauper wrote:
| I have not noticed Firefox to be faster
| ceejayoz wrote:
| I haven't noticed it to be _slower_, but I'd accept slower
| for the privacy benefits.
| paulpauper wrote:
| It depends. For work related stuff I will always choose
| speed and responsiveness.
| rational_indian wrote:
| I have noticed it to be slower, and with more broken
| websites. I still prefer it over chrome.
| BasicObject wrote:
| I don't know about others but when I click youtube links
| on reddit the back button is disabled. Not sure if it's a
| bug or by design but I don't remember it always being
| that way.
| iscrewyou wrote:
| Google websites work better on chrome. Not sure if it's because
| google is doing something nefarious or if Firefox is just not
| keeping up with google website technologies.
|
| So, I've trained my brain to use chrome as an app only for
| google websites. When I need to check gmail or YouTube or
| google calendar, I use chrome. Otherwise I'm on Firefox or
| safari.
|
| It's worked pretty well. I found I was only really unhappy with
| Firefox when using google websites. No longer a problem.
| LittlePeter wrote:
| What is exactly better? I am using FF and browse Google
| websites, but never noticed anything.
| iscrewyou wrote:
| I replied to one of the other replies above.
| derefr wrote:
| It's the latter, but I would describe it less as Firefox not
| "keeping up", and more as Google deploying _pre-standard_
| protocols (like SPDY) into Chrome _first_, _before_ ever
| documenting the protocol; let alone trying to get it turned
| into a standard (like HTTP/2.)
|
| Chrome had SPDY support not just before any other web browser
| did, but before any open _web server_ did--because Chrome had
| SPDY support before Google ever documented that there was
| such a thing as "SPDY." It was, at first, just turned on as
| a special Chrome-to-Google.com accelerator, spoken only
| between that browser and that server, because only they knew
| it.
|
| I don't fault Google for this: they're doing "internal" R&D
| with protocols, and then RFCing them if-and-when they turn
| out to have been a good design for at least their use-case
| with plenty of experimental data to confirm that. Which is
| exactly how the RFC process is intended to be used: spreading
| things that are known to work.
|
| It's just kind of surprising that "internal" R&D, in their
| case, means "billions of devices running their software are
| all auto-updated to speak the protocol, and start speaking it
| --at least to Google's own servers--making it immediately
| become a non-negligible percentage of Internet packet
| throughput." (Which is a troubling thing to have happen, if
| you're a network equipment mfgr, and you expected to have
| some time while new protocols are still "nascent" to tune
| your switches for them.)
| kevin_thibedeau wrote:
| HTTP 1.1 is faster when you're not downloading megabytes of
| JS. I rarely browse AMP sites but when I do I'm amazed at
| how user hostile they are compared to a strictly filtered
| browsing experience.
| kgwxd wrote:
| I use Gmail, YouTube, Calendar and Sheets through Firefox and
| never noticed a difference. What's not as good?
| iscrewyou wrote:
| I've replied to one of the other replies above.
| alangibson wrote:
| What problems do you have? I use Firefox exclusively and I'm
| a heavy Google app user too (laziness...), but I can't
| remember ever having a significant issue
| MegaDeKay wrote:
| I've had weird little breakages. Right now in Firefox, I am
| unable to search within a given Youtube channel. Works fine
| in Chrome.
|
| Edit: I am a diehard Firefox user and fall back to Chrome
| only when I have to because of some weird breakage. One of
| those is editing within Atlassian's Confluence: find within
| a Confluence page doesn't work right in FF, and I've often
| had @name references messed up too upon saving. Chrome
| works fine.
| iscrewyou wrote:
| I'm on a MacBook Pro with a discrete graphics card. YouTube
| never performs well for me on Firefox. It takes time to
| buffer the video when I skip ahead or back. And that's with
| me being on Fiber internet. Same goes for Gmail. It takes
| longer to load emails. It's minor annoyances that add up.
| For some reason, Chrome always works better whenever I
| switch the applications.
|
| There's a good chance my MacBook is not supported properly
| for Firefox as I've run into some internet threads about.
| But at this point, I've settled on this solution. It also
| makes me spend less time on YouTube once chrome is closed
| down and I'm solely on Firefox.
| Hnaomyiph wrote:
| For some reason Firefox absolutely cannot play 720p+ 60fps
| videos on YouTube for me, whereas opening the same video on
| Edge I can play 4K 60fps videos without a single problem.
| SubiculumCode wrote:
| Google refuses to let Firefox have their voice typing
| feature.
| SubiculumCode wrote:
| For those down-voting, I should have added this:
| https://bugzilla.mozilla.org/show_bug.cgi?id=1456885
| shakna wrote:
| > Google websites work better on chrome. Not sure if it's
| because google is doing something nefarious or if Firefox is
| just not keeping up with google website technologies.
|
| For a number of sites like YouTube and GMail, it's because of
| Google. If you change your useragent to look like Chrome, you
| get served a JS payload that Firefox is fine with, and it is
| faster.
|
| If your useragent isn't Chrome, they'll serve you a less
| optimised payload, but which tends to have wider support.
|
| They seem to have made a tradeoff - one that generally isn't
| necessary under Firefox.
| literallyWTF wrote:
| Lot of 'Do as I say, not as I do'.
| sanxiyn wrote:
| Eh, I agree in general, but in this case, Chrome implemented
| network partitioning in Chrome 86, which became stable in
| October 2020, earlier than Firefox.
| zests wrote:
| Firefox sends everything you type in the address bar to google
| by default.
|
| Would you be able to tell the difference between stock firefox
| and stock chrome if all you saw was the fiddler session? I
| don't know, I haven't tried. I did look at a firefox session in
| fiddler and I was not impressed.
|
| Pick your poison. If you configure all the settings in firefox
| properly it might be acceptable. But can you just do the same
| in chrome? If not, you can use the privacy friendly chromium
| browser of your choice. Most firefox users wont take the time
| to configure it properly and the data will still reach the data
| gobbler.
|
| Edit: an interesting comment from the other firefox thread
| https://news.ycombinator.com/reply?id=25916762
| splatcollision wrote:
| Even if you've changed the search engine?
| mrweasel wrote:
| Nope, I believe it also stops if you disable search hints.
| They send keystrokes to the search engines because that's
| how you get the search suggestion when typing in the URL
| bar.
| zests wrote:
| What if you change the search engine in Chrome and disable
| all telemetry? This is the comparison we should be making.
| unethical_ban wrote:
| You're stretching really hard to make them equivalent. There
| are a number of reasons to use FF besides telemetry.
| zests wrote:
| This is whataboutism. You can talk about other reasons for
| using firefox if you'd like (although you'd have to mention
| what those reasons are.) We're talking about privacy right
| now and firefox does not fit the bill.
| spijdar wrote:
| It's probably one of the most obscure reasons, but I keep
| Chromium around because it's the only web browser with a JIT-
| backed javascript engine on ppc64le. Firefox has to run
| everything interpreted, which is actually fine for most sites,
| but bogs down on JS heavy web app type things.
|
| On a much less niche side of things, a lot of web apps like
| Teams, Zoom, and probably many others are only fully functional
| on Chromium, thanks to WebRTC specifics and some video encoding
| stuff that's only on Chromium. Don't know the details, but
| things like video and desktop streaming are limited to
| Chromium.
|
| That could very well be an artificially enforced restriction,
| but I don't think it is. I _think_ firefox is moving towards
| feature parity with Chrome on this one, I hope so anyway.
| saagarjha wrote:
| It's kind of sad that WebKit doesn't support it...
| sanxiyn wrote:
| Somewhat ironically, Google Meet works very well for video
| streaming and desktop sharing on Firefox. So I think Firefox
| isn't missing anything.
| MegaDeKay wrote:
| Slack calling doesn't work on FF as well. This + Teams + Zoom
| is a big gap, especially in these COVID times.
| arendtio wrote:
| Is there any reason to keep the Same Origin Policy after this
| change? I mean, shouldn't this change defeat CSRF attacks?
| ogre_codes wrote:
| These advertising networks are destroying web performance. Most
| of these "Supercookies" are optimizations to improve performance.
| By abusing them, advertisers have turned what should be a great
| performance tool into a liability. I know FF suggests this won't
| significantly affect most websites performance, but web
| advertising and trackers are already responsible for a huge chunk
| of performance issues already.
|
| Of course we'll have the inevitable guy pop in here and talk up
| how awesome web tracking is because it helps sites monetize
| better, but that's all bullshit. At this point, all the
| advertising profits are sucked out of the web by Facebook and
| Google. The rest of the industry, including publishers are just
| struggling to get by while two trillion dollar behemoths throw
| them scraps.
| ngold wrote:
| With data caps you are paying to be advertised to.
| DrBazza wrote:
| In many parts of the world, data still costs, and it annoys me
| that if you pay for 10Gb a month, the sites you surf to are a
| few kb, and then up pop the ads which are Mbs and steal your
| data allowance. You're actually paying for ads you don't want.
| the_jeremy wrote:
| Browsers need to own tracking, and it's clear that Firefox and
| Safari agree.
|
| I don't object to (silent, low resource, banner) ads, even
| targeted ones, as long as the targeted ads aren't building a
| comprehensive profile of me.
|
| I think my ideal would be telling my browser a list of a couple
| interest areas (prosumer tech, sci-fi, dog peripherals) that
| the website could target on to serve ads. They'd get targeted
| ads, I'd get privacy, and I'd get ads that actually match
| things I care about.
| kristofferR wrote:
| A much more significant performance issue with web tracking is
| usually the absurd amount of JS loaded.
|
| It's almost impressive how they manage to load so much crap.
| Just visit a site like mediaite.com, the list of trackers is
| damn long.
| ogre_codes wrote:
| Yup.
|
| The _really_ frustrating thing about this bit is that because
| it disables optimizations, it potentially impacts sites where
| they don't actually use tracking.
| sanxiyn wrote:
| Note that this particular change does not apply to non-
| third-party resources. That's why performance impact is
| minimal.
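
The point made in the reply above, as an added illustration (not code from the thread or from Firefox): a cache keyed by (top-level site, resource URL) still serves a site's own repeat loads, and only the reuse of a third-party resource across different sites is lost. The URLs are constructed samples and `site_of` is a simplifying assumption; real browsers use the Public Suffix List.

```python
from urllib.parse import urlsplit


def site_of(url):
    """Return scheme + registrable domain of a URL.

    Assumption for this sketch: the registrable domain is the last two host
    labels. Browsers derive it from the Public Suffix List instead.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return f"{parts.scheme}://" + ".".join(host.split(".")[-2:])


class HttpCache:
    """Toy HTTP cache that can run shared or partitioned by top-level site."""

    def __init__(self, partitioned):
        self.partitioned = partitioned
        self._entries = set()

    def _key(self, top_level_url, resource_url):
        if self.partitioned:
            # Partitioned: the same resource URL is a different cache entry
            # under each top-level site.
            return (site_of(top_level_url), resource_url)
        # Shared: one entry per resource URL, visible from every site.
        return resource_url

    def fetch(self, top_level_url, resource_url):
        """Return "hit" or "miss"; a miss stores the resource."""
        key = self._key(top_level_url, resource_url)
        if key in self._entries:
            return "hit"
        self._entries.add(key)
        return "miss"


# Constructed browsing session: (page in the address bar, resource it loads).
VISITS = [
    ("https://news.example/", "https://news.example/app.js"),         # first-party
    ("https://news.example/article", "https://news.example/app.js"),  # first-party repeat
    ("https://news.example/", "https://cdn.example/lib.js"),          # third-party
    ("https://shop.example/", "https://cdn.example/lib.js"),          # same file, other site
    ("https://shop.example/cart", "https://cdn.example/lib.js"),      # repeat on that site
]


def replay(cache, visits):
    """Run the session through a cache and return the hit/miss sequence."""
    return [cache.fetch(top, res) for top, res in visits]


def lost_hits(visits):
    """Indexes of loads that hit in a shared cache but miss when partitioned."""
    shared = replay(HttpCache(partitioned=False), visits)
    split = replay(HttpCache(partitioned=True), visits)
    return [i for i, (a, b) in enumerate(zip(shared, split)) if a != b]


if __name__ == "__main__":
    print("shared     :", replay(HttpCache(partitioned=False), VISITS))
    print("partitioned:", replay(HttpCache(partitioned=True), VISITS))
    print("hits lost at visit indexes:", lost_hits(VISITS))
```

The single lost hit is also the signal a cache-based supercookie relies on: whether something stored while on one site is observable from another.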
| hinkley wrote:
| I worked a contract where we slaved to get our load time down
| to some respectable number, and then they launched the site
| and load time was _multiplied_ by just the analytics software
| (it was a company website, they weren't running 3rd party
| ads).
|
| How demotivating. It was time to start thinking about moving
| on anyway, but I basically stopped trying to pursue contract
| renewal at that point. All that work (and uncomfortable
| meetings) so Google could triple our load time.
| Jestar342 wrote:
| For more than a decade I've been campaigning (to any of my
| employers that utilise adverts on their platform) to drop
| adverts with the primary factor being that of performance for
| page load. The last time I looked, adverts were adding an
| additional ~35% load time to the page. Anywhere from 5% to
| _60%_ (!!) of visitors were navigating away before page load
| completed (Varied depending on company/product of course) and
| a staggering 80+% of those visitors would have had a full page
| load if the adverts were not there.
| yummypaint wrote:
| I often wonder incredulously whether developers responsible
| for particular sites really comprehend how bad performance
| has gotten. Browsing threads like this on HN makes it clear
| that they are probably well aware, but have no choice in
| the matter. In a way that's even more depressing because
| only a tiny minority of people are happy with the
| arrangement.
| hinkley wrote:
| I walked away from one project. 3rd party scripts were
| not the only problem but were the last straw.
|
| I have a community site I want to build. If it stays
| small I can probably run it for $20 a month all in and
| not pester anyone. But I'm still keeping my eye on some
| of the saner ad networks that use subject matter instead
| of user tracking to target ads. That might be an option.
|
| Linus tech tips has a video where he gives us a peek into
| their finances. Among other things the merchandizing arm
| makes them about a third of their revenue, and no one
| advertiser is allowed to pay more than that, so they can
| maintain a degree of objectivity. I think a lot of us
| don't want to approach sponsors so we feel sort of stuck
| with ad networks.
|
| And I'm not much of a materialist but I'm a tool nerd
| (you possibly don't need it, but if you're gonna buy it,
| get a really good one) so I'm not sure how I'd do
| merchandizing, since I'm more likely to recommend a brand
| than have something made for us. That leaves what?
| Amazon's "influencer" BS, which is more money for Amazon?
| Discount codes, which are untargeted consumerism?
| executesorder66 wrote:
| What was their rationale for not doing as you suggested?
| WrtCdEvrydy wrote:
| It's the chain of analytics.
|
| You load one ad and they want their own analytics or they try
| to stuff multiple ads into the same slot so you get multiple
| analytics.
|
| We clocked one ad at 800Mb loaded once.
| nudpiedo wrote:
| Blocking ads and installing some sort of cookie auto-
| accepter/deleter[1] is the best and most optimization saver
| which you can have without disabling javascript.
|
| [1] https://www.i-dont-care-about-cookies.eu/
| aembleton wrote:
| Or just add the filter list [1] to uBlock Origin
|
| 1. https://www.i-dont-care-about-cookies.eu/abp/
| stiray wrote:
| Due to cache abuse I have all caching disabled on firefox and
| this is a nice move (even if I will continue to use it without
| cache).
|
| Anyway one more thing that I can observe on Ubuntu 20.04.
| Firefox has become noticeably faster. I don't know if this is
| due to the fact that is not from ubuntu repositories or some
| serious optimizations were made.
|
| "On Linux, the WebRender compositing engine is enabled by
| default for the GNOME desktop environment session with Wayland.
| In the previous release, WebRender support was activated for
| GNOME in the X11 environment. The use of WebRender on Linux is
| still limited to AMD and Intel graphics cards, as there are
| unresolved problems when working on systems with the
| proprietary NVIDIA driver and the free Nouveau driver."
|
| (Fax machine enthusiasts, please stop abusing the thread and
| move to Ask HN or something)
| warent wrote:
| I run a network ad-block dns (pihole) and consistently 25-33%
| of all my network traffic is blocked as ads. It's much more
| than I ever imagined. Now I'm used to a different internet,
| when I'm using internet off the network it's like WTF is this?
| pradn wrote:
| Question about pihole: is it possible to turn off blocking
| for a website? Do you have to log into the pihole web
| interface to do that? I often go to websites where some
| crucial functionality is blocked by my adblocker (ublock
| origin), where I have to turn it off for that site.
| guilhermetk wrote:
| Yes, you can do that via whitelist/blacklist:
| https://docs.pi-hole.net/guides/misc/whitelist-blacklist/
| secondcoming wrote:
| allowlist/denylist
| daotoad wrote:
| Why are people being so negative about this?
|
| If the terms whitelist/blacklist are hurtful to some
| people because of all the racial baggage we've applied to
| the words white and black, why not switch to allow/deny
| instead?
|
| Using allow/deny is more explicit and doesn't rely on the
| benign cultural associations with the colors black and
| white. The choice of colors used here is arbitrary. For
| example, one could just as easily use green/red in
| reference to traffic signal colors. Ask yourself, would
| it bother you if we used blue and pink for allow and
| deny? What if we used blue or white as synonymous with
| deny?
|
| Two good reasons exist to change our habits, basic
| manners and clarity.
|
| I'm sure I'll use the terms blacklist and whitelist from
| time to time out of accumulated habit. But there's no
| reason for me to cling to those terms. Being gently
| reminded to use objectively clearer terminology shouldn't
| engender hostility on my part. I try not to be an
| unpleasant person, part of that is when someone tells me
| my behavior has a negative impact on them, I try to
| listen to what they say and modify my behavior--while
| actually effecting change can be hard, the underlying
| concept is pretty simple.
| shakna wrote:
| Whitelist/blacklist have their origins in terms from the
| 1400s and nothing to do with race (they have to do with
| criminality). Twisting their etymology to fit some kind
| of racial bias is sort of weird.
|
| And throwing aside 600 years of clarity for "basic
| manners" also seems rather weird. Sort of like banning
| the word "engender" because a small minority might find
| that to be offensive. It isn't clearer to use a different
| word than has been used for over half a millennium.
| 8note wrote:
| Blacklist/whitelist are not used consistently, so the
| clarity is not there. You can't see whitelist and
| consistently know whether it's going to be an allow list
| or a deny list
| sib wrote:
| For a while, people were getting in trouble for using the
| word, "niggardly," even though it had nothing to do with
| the offensive term that it sounds like.
|
| https://en.wikipedia.org/wiki/Controversies_about_the_word_n...
| ogre_codes wrote:
| I suspect it is the perception that it's a bit pedantic
| to correct an otherwise correct answer. I agree with you,
| but also don't really think it needs to be corrected
| every single time someone posts whitelist/blacklist.
|
| EDIT: apparently setting allowlist/denylist won't work so
| it's not just being pedantic, it's wrong.
| rgossiaux wrote:
| >objectively clearer terminology
|
| Sorry but I find this claim (which I've heard from others
| too) ridiculous. "Blacklist" is an actual common English
| word in the dictionary. "Denylist" is an incredibly
| awkward-sounding neologism without any context or history
| behind it. There is no way that "denylist" is the
| "objectively clearer" one here.
| Macha wrote:
| There is a real cost to changing APIs/documentation/UIs.
| My experience talking to black (one African, one
| European) coworkers is their reaction is "That's the
| problem you're going to fix?". When the company does a
| companywide initative to remove "problematic" terms from
| APIs/documentation, but doesn't stop funding of
| politicians who support voter suppression that
| predominantly affect black people in real practical ways,
| that bemusement can even turn to offense as they feel
| placated.
|
| Of course, my coworkers don't represent all black people,
| and especially wouldn't claim to represent African
| Americans, but if even black people can hold this
| opinion, are you surprised others don't see this as worth
| the effort to change?
| ogre_codes wrote:
| > There is a real cost to changing
| APIs/documentation/UIs.
|
| This is an OSS project. If someone cares enough about it,
| they should submit a (non-breaking) patch along with a
| patch for the documentation. There are no costs to people
| who don't find it a valuable change.
|
| > My experience talking to black (one African, one
| European) coworkers is their reaction is "That's the
| problem you're going to fix?".
|
| Obviously this isn't fixing any of the fundamental
| issues, but it does bother some people. My preference is
| to respect the people who have problems with it. An easy
| policy is to simply avoid creating new software which
| uses that terminology and to accept any patches which fix
| it. That way the people who feel the change is important
| bear the burden of the cost (which is likely small for
| something like this).
| ARandomerDude wrote:
| Man I can't wait until I get special treatment because I
| drive a vehicle of color.
| trewnews wrote:
| Really? Is this not Doublespeak?
| kayodelycaon wrote:
| Not quite. A number of applications use allow/deny for
| access control. I've seen allowlist and denylist more
| than ten years ago.
| tsujp wrote:
| You and everyone else who exhibit this are reading into
| things that don't exist. Language has context, words are
| part of language and so therefore words have context too.
| JKCalhoun wrote:
| A black celebrity (forget who) said that he came to the
| realization growing up that the only positive connotation
| he could find for black was "in the black" with regards
| to finances.
|
| So, I kind of see the point.
| cgriswald wrote:
| The downside of that is being 'in the red', which is also
| potentially problematic.
|
| To fix the problem, we either have to stop referring to
| any metaphor/symbol involving color with negative
| connotations; or we have to stop using color to identify
| and refer to people. I think the former is good for
| precision (allowlist/denylist are great identifiers in
| that regard), but won't really solve our other problems;
| while the latter is probably better for human dignity,
| mutual respect, and combating our propensity for
| tribalism/racism. (Or, why not, we could do both.)
| pkulak wrote:
| Exactly. And using white/black as synonyms for good/bad
| may be creating context (connotations, really) that we
| don't want. It would be fine if we hadn't already
| overloaded those words to refer to people... but, here we
| are. In the context we've created. ¯\_(ツ)_/¯
| cgriswald wrote:
| The original poster used the terms used by the
| technology. The best choices for changing this
| terminology would be to write a treatise for HN
| consumption (to reach the community at large) or to
| contact the authors of the technology that use this
| terminology (to fix the origin in this case). Sniping a
| 'random internet poster' is just lazy trolling.
| vaduz wrote:
| > allowlist/denylist
|
| As of now, it is called whitelist/blacklist in PiHole
| [0]. Maybe it will change, maybe it will not, but there
| is already a place to fight that battle [1] and it is not
| HN.
|
| [0] https://docs.pi-hole.net/guides/misc/whitelist-blacklist/
|
| [1] https://github.com/pi-hole/AdminLTE/issues/1448
| cj wrote:
| My solution to this is using Cloudflare Warp (Cloudflare's
| consumer-facing VPN).
|
| When I need to access ads.google.com or
| analytics.google.com for my company, I turn on Cloudflare,
| and pihole is bypassed.
| corobo wrote:
| You can whitelist yes, or there's an option to disable the
| entire thing temporarily for x minutes.
|
| Yes you have to log in to the interface unless you engineer
| a way around it
| vdqtp3 wrote:
| Yes, you have to login to disable but you could easily use
| the API. For instance, pihole.disable(60) with
| https://pypi.org/project/PiHole-api/
| biryani_chicken wrote:
| I just stop using sites that gimp themselves when I use an
| adblocker. There's tons of alternatives for most things.
| pradn wrote:
| There aren't always alternatives - think shopping for
| certain items, government forms.
| tux1968 wrote:
| Why would a site that hopes you'll send them money in
| exchange for product, refuse your traffic if you have an
| ad blocker enabled? That just costs them money. Same for
| government forms, why would they refuse your traffic if
| you're blocking ads?
| pradn wrote:
| I wonder, too. Yet I still see these issues.
| vaduz wrote:
| It might not be intentional to break the site experience
| for adblock users - but there is a number of sites that
| has implemented link tracking in a way that overrides the
| normal click (though sometimes not keypress) events, to
| let the tracking code do its thing. If the tracking code
| is blocked or fails to load, that means a lot of actions
| break.
|
| Best part? Trying to convince the operators of such sites
| that users they cannot see in their "analytics solution"
| are worth fixing their site for is not exactly a
| straightforward job - from their narrow view, these users
| simply do not exist, because the tracking does not show
| them!
| contravariant wrote:
| You have ads on your government forms?
| pradn wrote:
| Ad blockers have false positives.
| GuB-42 wrote:
| It is not what GP asked.
|
| And no, there isn't "tons of alternatives". In theory
| there is. But in practice, they can really make your life
| harder. Some may say that Signal is an alternative for
| WhatsApp, but if people you communicate with don't want
| to use anything but WhatsApp, then Signal is useless. I
| hate Facebook but when I want to plan an event, I found
| nothing better, simply because that's the platform that
| reaches the most people. Network effects... But also,
| your favorite show may not be on "alternative" streaming
| platforms, sometimes your job, or worse, the government
| may require a specific website.
|
| There are extremists who are ready to find alternative
| friends, shows or jobs just to avoid using some website.
| It is a good thing these people exist, that's how
| progress is made. But for most people you have to make
| compromises.
| JKCalhoun wrote:
| > I hate Facebook but when I want to plan an event...
|
| Ah! That's why I haven't missed Facebook. I am old enough
| that I don't plan events any longer.
|
| (Or maybe I have no social life. Actually, that's right,
| I don't. ;-))
| ogre_codes wrote:
| How do you use the web when you can't click on links?
|
| I can't effectively keep a mental black list of all the
| sites which I don't want to click on.
| biryani_chicken wrote:
| I don't. I mean, if it's a news site just search for the
| title in a search engine and you'll find other articles.
| If it's a web application I search for an alternative and
| bookmark that. If you really want to avoid even loading
| it, you can just block the whole site with your adblocker
| but I don't go that far.
| ogre_codes wrote:
| That is what I currently do. It turns casual browsing
| into a frustrating scavenger hunt. The whole point of the
| web was to make links effortless so you could browse
| sites. This breaks that whole model.
| monadic3 wrote:
| > I can't effectively keep a mental black list of all the
| sites which I don't want to click on.
|
| It gets easier over time.
| oivey wrote:
| Very few sites are broken with ad blocking. If you click
| on one, you just press the back button. No need for a
| mental blacklist.
| spacedgrey wrote:
| I map the command below to a keyboard shortcut to disable
| all pihole blocking for 60 seconds via the pihole disable
| API call.
|
| wget --quiet "http://PIHOLE_IP/admin/api.php?disable=60&auth=YOUR_API_TOKE..."
|
| You can find the token in the pihole Web GUI at, Settings >
| API/Web Interface > Show API token
| xeonoex wrote:
| Pi-Hole/NextDNS also blocks ads in most apps. I used NextDNS
| (which has a limit on the free tier), and recently switched
| to pihole running on my home server. I also use ZeroTier to
| connect to my server directly even when I am not on my local
| network to still use it as the DNS server. Works great.
| rndomsrmn wrote:
| You can get even better coverage with the NoTracking lists
| (dnsmasq/unbound or dnscrypt-proxy)
| https://github.com/notracking/hosts-blocklists
|
| They focus not only on tracking but also malware
| prevention, where possible via dns filtering.
|
| Pi-Hole still does not properly support wildcard filtering,
| only via regex but that is not really efficient (requires
| tons of resources).
| StavrosK wrote:
| I paid them, $20/yr is quite good and I can add my parents'
| house, my in-laws' house, etc on the same plan and manage
| them all centrally.
| rodgerd wrote:
| Mine was that high, until I ditched all the family Android
| devices. It's now around 2-3%. It's quite an extraordinary
| difference.
| mstade wrote:
| I use NextDNS for this, it's brilliant. (I'm not affiliated
| with them in any way, just a happy customer.)
| jeanofthedead wrote:
| Same. I got tired of Pihole breaking for one reason or
| another (although I certainly adore the project). NextDNS
| works extremely well, provides a native app for every
| device, runs on my router, and is dead simple to maintain.
| mstade wrote:
| Hear hear. The only problem I've had was when I set it up
| on my router and my IKEA smart lights stopped responding
| after some 30 min or so. Turns out the gateway phones
| home and those calls were blocked, so for some reason or
| another the gateway just stopped responding to commands.
| Restarting it or resetting the network made it fly again,
| but only for the set time before it phoned home again. I
| was very disappointed by that, after having read some
| article here on HN arguing that IKEA had actually done
| IoT sort of right. Oh well.
|
| Obviously not a NextDNS specific issue, it'd happen with
| anything that blocks the call, but just putting it out
| there for the next sucker that tries to google why their
| IKEA gateway suddenly stops responding.
| karakanb wrote:
| Would you mind sharing the blocklists you use? I have gotten
| to a ratio like that, but I have noticed that it was causing
| more issues with regular websites for my guests, so I removed
| many of the custom ones. I'd like to try some others if you
| have suggestions.
| ycombinete wrote:
| Would Pihole affect latency in online games?
| wejick wrote:
| My issue with pihole or any other DNS adblocker is I can't
| whitelist some website that I love. As evil as ad network,
| but I still want my favorite site to get some revenue.
| McDyver wrote:
| Maybe your favourite site would welcome a direct
| contribution, instead of an ad click
| [deleted]
| ogre_codes wrote:
| I just have a decent set of ad blockers and the experience is
| similar. Unfortunately, it often results in weird experiences
| or I get sites which don't work at all if you have ad
| blocking.
| Average_ wrote:
| Well that's interesting. For me 99.5% of websites work
| perfectly using ublock origin. The only .5% remaining are
| websites that actively refuse to serve any kind of adblock
| users, not because it breaks functionality on their site. I
| don't think I can recall having visited a single website
| that would have features break unintentionally because of
| ublock in the past few years.
| ogre_codes wrote:
| I don't think my experience is vastly different from
| yours. I do get some sites where pop-overs or cookie
| notifications are blocked but it's not clear and you just
| can't scroll. I could turn off those blocker settings,
| but the notifications are annoying enough it's worth it.
| vianneychevalie wrote:
| Can't agree with you, Dynamics 365 is one of them (it's
| shit but I've implemented it at work). EDF (French main
| electricity provider) also breaks for me. That's one
| example from a big company, and one example with a big
| user base.
| ev1 wrote:
| It depends on how many privacy lists you have added,
| probably.
|
| Normal display ads all being blocked is generally fine
| 99% of the time, but if you care about not being
| permanently tracked across the internet then there are a
| couple more domains you have to add - except some sites
| make it mandatory that those invasive fingerprinting
| scripts and port scanners run and report back a session,
| otherwise you're refused login or banned.
| letitbeirie wrote:
| The Denver Post just lost my business over this. They
| have one of those things that scrambles all the words for
| any user with the audacity to not want to see video+audio
| ads while reading their newspaper.
|
| Is it their content to do what they want with? Sure.
|
| Does the same logic apply to the $9 I used to give them
| each month? You're damn right.
| ogre_codes wrote:
| Hard agree. If I'm paying for content, I'd accept a small
| number of discrete advertising. Video advertising on a
| text/ photo site pisses me off in general and if I was
| paying for it? No chance I'd let that fly.
| pkulak wrote:
| I run Pi-Hole on my network as well; it's wonderful. I'm
| terrified that it will stop working soon though, as companies
| start to use their own DNS servers, which I've heard is
| happening.
| rodgerd wrote:
| This is pretty much why Google are a huge proponent of DoH.
| JKCalhoun wrote:
| Interesting. I would think though that the move to their
| own DNS servers could extend to their own ads as well --
| that is, cutting out the middle man that is Google/etc.
|
| I'm all for news sites, for example, hoisting ads if I knew
| they were getting the money from those ads, knew the ads
| were actually coming from their site.
| pkulak wrote:
| Sorry, I didn't mean their _own_ servers, I just meant
| hard-coding 8.8.8.8 into the DNS settings, for example.
|
| I wonder if you could hijack those requests at your
| router and send them back to your Pi-Hole? But then they
| just switch to DNS over TLS...
| varenc wrote:
| I just have my network block outgoing DNS queries that
| aren't from the gateway. But you're so right that DoH is
| going to throw a wrench in this.
| [deleted]
| letitbeirie wrote:
| If an ad can use DoH to sidestep a firewall, so can an
| employee. If Google and Facebook were cunning (and
| nefarious, but that much is presumed), they would be
| aggressively developing a product that solves this
| problem for corporate networks, but at an enormous cost.
| Otherwise, when corporate networks solve this (and they
| will), home users who hate ads will just follow whatever
| pattern they settle on.
| dheera wrote:
| I added this to my /etc/hosts
|
| https://github.com/StevenBlack/hosts
|
| What is the advantage of having DNS on a separate device
| other than that it provides ad blocking for multiple devices?
| varenc wrote:
| That's the main benefit.
|
| But also you can have more flexible block patterns. I run
| DNSCrypt-Proxy and my block lists can have wildcards. With
| /etc/hosts you have to enumerate each origin. It can also
| do things like IP blocking where if any domain resolves to
| a known ad network IP, then that request is blocked.
|
| But mainly, DNSCrypt-proxy encrypts all my outgoing queries
| and round robins them across resolvers. (Also hi dheera!)
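
The difference varenc describes between an enumerated hosts file, wildcard rules and resolved-IP blocking, as an added example that is not part of the thread and not DNSCrypt-Proxy's or Pi-hole's own code. The shell-style glob rule syntax, the `DnsFilter` class and every sample name and address (reserved example domains, documentation IP ranges) are assumptions constructed for illustration.

```python
import fnmatch
import ipaddress

# Constructed sample data: reserved example domains and documentation IP ranges.
HOSTS_FILE = """\
# hosts-format list: every blocked origin must be enumerated
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net
127.0.0.1 localhost
"""
WILDCARD_RULES = ["*.ads.example.com", "telemetry-*.example.org"]  # assumed glob syntax
BLOCKED_NETWORKS = ["203.0.113.0/24"]  # stands in for a known ad-network range


def parse_hosts(text):
    """Return the names a hosts-format blocklist sinks to 0.0.0.0."""
    names = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        # Only 0.0.0.0 entries are block rules; "127.0.0.1 localhost" is not.
        if len(fields) >= 2 and fields[0] == "0.0.0.0":
            names.update(f.lower().rstrip(".") for f in fields[1:])
    return names


class DnsFilter:
    """Hypothetical resolver-side filter: exact names, wildcards, answer IPs."""

    def __init__(self, hosts_text, wildcard_rules, blocked_networks):
        self.exact = parse_hosts(hosts_text)
        self.patterns = [rule.lower() for rule in wildcard_rules]
        self.networks = [ipaddress.ip_network(n) for n in blocked_networks]

    def check(self, qname, resolved_ips=()):
        """Return (blocked, reason) for a query name and its resolved addresses."""
        name = qname.lower().rstrip(".")  # DNS names are case-insensitive
        if name in self.exact:
            return True, "exact"
        for pattern in self.patterns:
            if fnmatch.fnmatchcase(name, pattern):
                return True, "wildcard:" + pattern
        # IP blocking: the name is unknown, but its answer points into a
        # blocked range, so a freshly registered hostname is still caught.
        for ip in resolved_ips:
            addr = ipaddress.ip_address(ip)
            for net in self.networks:
                if addr in net:
                    return True, "ip:" + str(net)
        return False, "allowed"


if __name__ == "__main__":
    hosts_only = DnsFilter(HOSTS_FILE, [], [])
    full = DnsFilter(HOSTS_FILE, WILDCARD_RULES, BLOCKED_NETWORKS)
    queries = [
        ("ads.example.com", ["192.0.2.10"]),
        ("cdn7.ads.example.com", ["192.0.2.11"]),
        ("static.example.org", ["203.0.113.9"]),
        ("static.example.org", ["198.51.100.4"]),
    ]
    for qname, ips in queries:
        print(qname, ips, "hosts-only:", hosts_only.check(qname, ips),
              "full:", full.check(qname, ips))
```
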
| JKCalhoun wrote:
| 25-33% of requests? Or is this a percentage of bytes?
|
| Because I wonder what percentage of bandwidth (in terms of
| bytes) trackers/banners/ads account for.
|
| Need to set up a pi-hole ... just too many other projects....
| 6gvONxR4sf7o wrote:
| I set it up recently. It's about as much effort as buying
| and setting up a new laptop with ubuntu if you get a kit.
| I'd imagined it as a project beforehand, but in reality
| it's super easy and trivial (assuming you're comfortable
| using linux and ssh at a noob level).
| warent wrote:
| Yep same. I'm a mere web developer that mostly works on
| Mac. Getting Pihole setup only took me like an afternoon
| after having an RPi sitting around doing nothing for
| months. They make it really easy, just follow the
| instructions. Also I'm lucky enough that my router has a
| friendly interface where it's easy to set the router DNS
| to pihole.
| mstade wrote:
| How would you measure bytes if the requests are blocked?
| emayljames wrote:
| Run the same requests through different end points. Each
| through pihole & unfiltered, while monitoring the traffic
| on both.
| mstade wrote:
| Doesn't that defeat the point of pihole? Though I suppose
| if what you want to do is measure things it makes sense.
| dylan604 wrote:
| Some people are good at thinking a process through to the
| end. Others are not and ask questions at the first
| unknown. It's a large part of why I'm not a teacher.
| cptskippy wrote:
| Pi-Hole is a DNS solution so it's just blocking DNS
| lookups. Mine is currently blocking 43.9% of all DNS
| requests.
| Fiahil wrote:
| It's a percent of DNS requests. It might be quite difficult
| to see what percentage of bytes it translates to, since HTTP
| requests aren't actually sent.
|
| My pihole is showing 18.7%-23% of requests blocked :)
| andreasha wrote:
| Noticed that some apps on iOS spammed the DNS server if they
| couldn't connect to their ad networks which should affect
| battery negatively.
| mixmastamyk wrote:
| I use the noscript extension that uses a scripting whitelist.
| Bit of a pain at first, but pretty soon your browser will be
| flying. No extra hardware needed.
|
| Kid's computer has dnsmasq as a similar solution.
| monopoledance wrote:
| Advertising destroys everything. If something is based on ad
| revenue, it goes to shit ultimately.
|
| The latest casualty was podcasts. It's revolting.
|
| Ad-based businesses need to be boycotted until this disease is
| in lasting remission.
| ogre_codes wrote:
| > The latest casualty was podcasts. It's revolting.
|
| Hmm?
|
| Yes, there are adverts on all the podcasts I listen to. Many
| of my favorites offer members only ad-free versions. Usually
| I suffer through the ad supported versions because the
| adverts are easy enough to skip.
|
| Some podcasts have too many adverts or annoyingly inserted
| advertising. Those are pretty 1 and done. No point listening
| to them.
|
| IMO the (current) podcast market is a good example of how we
| can enjoy content and know the producers are compensated
| without having to deal with obtrusive marketing crap.
|
| It is getting clear some podcasting is getting sucked into
| things like Spotify, but there is still enough good content I
| don't think it's a problem.
| monopoledance wrote:
| I absolutely don't respect having my weird podcast-
| friendship relationship with the host exploited by fully
| integrated ad pieces whispered to me in a trusted voice.
| That. Is. Sick.
| ericholscher wrote:
| We're trying to build an ad network that doesn't track users:
| https://www.ethicalads.io/
|
| We talked a little bit about how these ads still work, even
| without tracking you. You might be losing 10-15% of revenue,
| but if you never had that revenue to start with, you don't miss
| it: https://www.ethicalads.io/blog/2018/04/ethical-advertising-w...
|
| I think the real secret is just to not become dependent on the
| additive revenue. All businesses forgo additional revenue based
| on ethics and regulation, and I don't understand why that's
| such an odd thing to do with advertising.
| tgsovlerkhgsel wrote:
| I think the big problem in adtech isn't just targeting, it's
| also fighting ad fraud. Do you have a good plan for when you
| become big enough to become a target for ad fraud?
| wpietri wrote:
| I appreciate that you're trying what you're trying, but I
| wanted to address this:
|
| > All businesses forgo additional revenue based on ethics and
| regulation, and I don't understand why that's such an odd
| thing to do with advertising.
|
| The great bulk of advertising is built upon a conflict of
| interest and is essentially manipulative. Consider, for
| example, an article. Both the writer and the reader want the
| reader's maximum attention on the article for as long as the
| reader cares to give it. The goal of advertising is to
| distract from that in hopes of extracting money from the
| reader. Generally, ads are constructed without much regard to
| whether the reader was intending to buy or would really
| benefit from the product. The goal is to make a sale. (If you
| doubt me, look at how many people who create or show ads,
| say, test a product before putting the ad in front of people.
| Or just look at tobacco advertising, a product that has
| killed hundreds of millions.)
|
| So I think there's an inherent lack of ethics to ads as an
| industry. It could be that you'll find enough people who are
| worried about privacy but not about the other stuff to build
| a business. But I wouldn't bet on it. It's no accident that
| this security hole is being closed not because of random
| miscreants but because of industrial-scale exploitation.
| msl wrote:
| These are some of the only ads I see online these days (on
| Read the Docs, mostly). I don't use ad blockers, but I do use
| tracker blockers, and those block pretty much all ads, for
| obvious reasons. Not these ones, though. And that's how it's
| supposed to go.
| HappySweeney wrote:
| Can you elaborate on your setup?
| morvita wrote:
| I'm not OP, but I have my browser setup to block trackers
| only, nothing that's billed as an ad-blocker.
|
| I use Firefox with Strict Enhanced Tracking Protection
| [0] and Privacy Badger [1] as an extra layer of
| protection. Some sites, mostly news orgs, complain that
| I'm blocking ads, but inevitably these are the sites
| Privacy Badger reports 20+ trackers blocked. I'm happy to
| see ads online, I'm just not willing to sacrifice my
| privacy for them.
|
| [0] https://support.mozilla.org/en-US/kb/enhanced-tracking-prote...
| [1] https://privacybadger.org/
| TedDoesntTalk wrote:
| Why not just block ads, too? Do you really think
| advertising is ethical at any level? Because I do not. If
| I want to buy something, I seek it out. Anything else is
| like junk snail mail: a waste of my time and your money.
| morvita wrote:
| The short answer: I am not anti-advertising, so I don't
| block ads that respect me.
|
| I don't love advertising in many of its forms, but taken
| from the viewpoint of those who make money from ads (i.e.
| content creators), it is one of the best ways out there
| for them to make a living. Platforms like Patreon are
| great for some folks, but not everyone can make a living
| off of sponsorship from their viewers. But, I am not
| willing to sacrifice my own privacy to allow someone else
| to make money, especially given that we have tonnes of
| examples of non-privacy-invading advertising that works.
|
| I listen to 8-10 hours of podcasts a week and I generally
| find the ads on them, usually where the host does an ad
| read and includes a discount code, to be far more useful
| and relevant to me than the hyper-targeted ads backed by
| 20 tracking scripts I see on news sites. Another example,
| many of the indie tech news sites I read (e.g. Daring
| Fireball or Six Colors) will have a weekly sponsor that
| will have an advertising post or two interspersed with
| their regular content. I'm happy to take 2-3 minutes out
| of a 30 minute podcast episode to listen to a couple ad
| reads or see a brief write-up of a sponsor's product as
| I'm scrolling through the week's tech news. What I'm not
| happy to do is have my web browser load a dozen tracking
| scripts in the background when I open a news article and
| have flashing pictures deliberately trying to distract me
| from what I'm reading.
| s_tec wrote:
| Which ones? I think I would like to try your setup, since
| it sounds like a good compromise between having my data
| harvested and being kicked off of sites for blocking their
| ads.
| Nextgrid wrote:
| This is great. How are the ads paid for though - is it billed
| per click or per impression, or is it billed per an
| approximate amount of time the ad will be displayed for?
|
| The problem with charging per click or impression is that
| you're vulnerable to fraud which means you either lose
| money/trust or you have to do invasive tracking to detect &
| prevent fraud (which you'll be unlikely to achieve as well as
| the big players - Google & Facebook - do). Charging per
| amount of time (regardless of actual impressions or clicks)
| doesn't have that problem.
| ericholscher wrote:
| We are doing CPC & CPM pricing. I don't believe anyone has
| asked us for "time seen" pricing. I don't even really know
| how that would work, and why it wouldn't be open to fraud
| in a similar fashion.
|
| Do you have a good example of how this is priced, and how
| it would work in practice?
| [deleted]
| Nextgrid wrote:
| By time seen I don't literally mean time displayed on
| screen but more like TV/radio ads, as in this ad will be
| part of our rotation of X ads for an entire month across
| X publishers. I think The Deck used to do this.
|
| Determining the price will be a bit tricky (and I would
| expect that you'd have to lowball yourself until your
| platform builds credibility in terms of good ROI) but in
| the long run it should mean your advertisers pay a flat
| price to be included per week/month regardless of actual
| impressions or clicks (thus there's no fraud potential as
| only the raw profit from the ads will matter - the only
| "fraud" potential would be to literally buy the
| advertised product _en masse_ ).
| ericholscher wrote:
| Gotcha, that definitely makes sense. We are looking at
| doing that for some of our larger sites, similar to
| Daring Fireball:
| https://daringfireball.net/feeds/sponsors/ -- which I
| believe is based off the old Deck model :)
|
| Thanks for following up.
| hhjj wrote:
| It would be nicer if no tracking meant no data sent to
| ethicalads unless the user engages with the ad, because we know
| what happens when we trust advertising companies. So a step in
| the right direction, but I would still block impressions when
| hosted on another domain. Also, ads should not distort users'
| perception in order to sell, but that's another debate.
| ericholscher wrote:
| We support a backend API, but it's much more complicated to
| implement, and the client gets more complex as well. We
| started out with a vision of all backend integrations, but
| it was impossible to sell to most publishers.
| AndrewUnmuted wrote:
| There is no such thing as an ethical ad.
|
| Advertising is a cynical deployment of our knowledge of crowd
| wisdom, media manipulation, and statistics to make people
| part with their money for things they wouldn't think they
| needed. Our economy can't handle this kind of reckless
| consumerism anymore.
|
| Worse yet, we don't need advertising to bolster our media.
| Unfortunately, the media execs don't realize this yet.
|
| All your metrics are fuzzy, your standards ridiculous. We
| have far better practices we can deploy than the ones the
| advertisers use.
|
| Please, stop advertising to us. If that's all you plan to do
| with this new company, can you please kindly go away?
| sbarre wrote:
| I am really confused by this position.
|
| How do you propose that companies should promote their
| products and services, if not through advertising?
|
| Are you somehow suggesting that they should just sit there
| and hope that people who have never heard of their product
| independently decide they happen to want or need that
| product and seek it out, unprompted?
|
| You say "people part with their money for things they
| wouldn't think they needed, Our economy can't handle this
| kind of reckless consumerism anymore": Surely you don't
| think you speak for everyone?
|
| You certainly don't speak for me.
|
| I am not some blind sheep who is suckered into buying
| things I don't need. I am a grown adult who can make
| informed decisions with my money, including sometimes
| buying frivolous or unnecessary things.
|
| I hate these arguments that assume everyone is stupid
| except for the person making the argument. It feels like
| there's some weird savior complex at work.
|
| People have free will and are allowed to spend their money
| as they wish, and I think YOU are the cynical one if you
| think otherwise..
| TedDoesntTalk wrote:
| > Are you somehow suggesting that they should just sit
| there and hope that people who have never heard of their
| product independently decide they happen to want or need
| that product and seek it out, unprompted?
|
| Yeah, it's even got a name: shopping.
| jamiequint wrote:
| It must be hard to be this naive ^^
| sbarre wrote:
| And how do you know about the existence of a product to
| go shop for in the first place, if not through
| advertising and promotion?
|
| Or do you have infinite time to go browse every single
| store in your city on the odd chance that you'll see
| something you want?
| com2kid wrote:
| > Yeah, it's even got a name: shopping.
|
| So, for direct to consumer companies who only ship
| online, SEO?
|
| Here's the thing: ads can be useful.
|
| Awhile back I got a, highly targeted, ad for high protein
| sugar free cereal. That's awesome! I am 100% the target
| audience for that product, and until I saw that ad I had
| no clue it existed! To find a product like that I'd have
| to search for it, but I would never search for an entire
| new category of product that I didn't know about.
|
| Same thing for the fitness app I am using (BodBot, it is
| amazing!). I am quite literally healthier right now
| because of a targeted advertisement.
|
| Was I aware of fitness apps before then? Sure. But the ad
| for BodBot was informative about what features
| differentiated it from the literally hundreds, if not
| thousands, of other competing apps.
|
| Do most ads suck? Sure. Should ads be highly invasive?
| Nope. But interest tracking and basic targeting actually
| help me find products and services that I want to buy!
|
| Facebook in particular, for all the things wrong with it
| (long list!) has some amazingly relevant ads that inform
| me of products that I never knew about.
| TedDoesntTalk wrote:
| hey man, that's great and i'm happy you're healthier
| because of advertising. My experience has been the
| opposite (yes, advertising making me and my family
| UNhealthier -- mentally and emotionally). I don't want
| targeted ads, but I can understand that you do.
|
| Perhaps there is a way we can both enjoy the internet in
| our preferred ways. Perhaps not, I don't know.
| zentiggr wrote:
| So let's designate .biz as the place where advertisements
| live, and turn it into the online yellow pages (plus all
| the other scum to be expected) and ban anything
| resembling advertising from every other TLD.
|
| Those who want to shop know where to go. Those who don't,
| know where to avoid.
| AngryData wrote:
| I like what that guy is doing, but I still have to agree
| with you. To me ads are just money focused propaganda,
| abusing human psychology to make people spend money on
| crap they don't need.
| scotu wrote:
| there is no such thing as an ethical comment.
|
| Comments are a cynical deployment of our knowledge of crowd
| wisdom, media manipulation, and statistics to make people
| part with their opinions for others they wouldn't think
| they agree with.
|
| --
|
| Sorry, there is such a thing as "more" ethical ads. If you
| want to be pedantic and argue they should use "more", suit
| yourself. But things are not black and white, your comment
| is in itself "manipulating" the reader trying to convince
| them that ads are all the same and that they cannot be put
| on an ethical spectrum, which is not true: tracking ads vs
| billboard, I'd much rather a billboard (which I hate in and
| of itself as they are usually just making the place they
| are in uglier).
| TedDoesntTalk wrote:
| I'm not trying to manipulate anyone. I'm voicing my
| opinion. I don't buy anything from advertisements.
| Period. When I need something, I shop for it. And if you
| think I'm alone, you're kidding yourself.
| scotu wrote:
| that's totally fine. I prefer a world without
| advertisement, ideally. I disagree with you that there is
| no spectrum of ad ethics.
|
| And while you are not "trying" to manipulate anyone
| (maybe), I also disagree that you are not effectively
| influencing your reader thoughts to some degree.
|
| The analogy I made is: even an internet comment does, on
| a smaller scale, less maliciously, use persuasion
| techniques: should we get rid of discussion forums too? I
| don't think so, and while an ad-less world seems like a
| nice experiment, sounds pretty unrealistic, regulating
| (outlawing would be nice) tracking in ads? More realistic
| and fixing 80% of what's wrong with 20% of the effort if
| you ask me
| TedDoesntTalk wrote:
| You're right that an ad-less world is impossible.
| Advertisements existed before you and I were both alive
| and they will exist when we're gone.
|
| But that does not mean I have to partake in them, watch
| them, or allow them to consume my attention and time. I
| also don't need to spend my limited time on this planet
| trying to "fix advertising". I can simply block them and
| ignore the ones that slip through, and get on with my
| life. If this is an issue that is dear to your heart,
| that sentiment undoubtedly feels dismissive. I'm sorry
| about that.
| bennyelv wrote:
| That may be the case but you can't discount the
| possibility that when you are shopping for something,
| your choices are influenced by advertising that you have
| previously been exposed to whether you are aware of it or
| not. Your decision to go shopping for something in the
| first place may be influenced by it too.
| ericholscher wrote:
| If you'd like to suggest another way to make OSS
| sustainable, I'd be all ears.
|
| A bit more color here:
| https://www.ericholscher.com/blog/2016/aug/31/funding-oss-ma...
| smichel17 wrote:
| I'm working on https://snowdrift.coop for that.
|
| We could use help, particularly from anyone who's good
| with css.
| TedDoesntTalk wrote:
| You've obviously thought this out extensively and decided
| to advertise. Who am I to offer a better solution? You
| know your business domain, revenue needs, etc better than
| me or anyone else.
|
| However, that does not mean I have to agree to
| advertising -- whether it is labeled ethical, green,
| sustainable, cage-free or whatever. If you're lucky, you
| won't have a lot of extremists like myself visiting your
| site; i.e. the advertising will be successful.
| myWindoonn wrote:
| Rather than open source, let us return to Free Software.
| The point of our labor is not to ensure that we are paid;
| it is to tear down the systems which create inequality
| and scarcity in the first place.
| TedDoesntTalk wrote:
| To me, there is no such thing as an "ethical ad". You are
| trying to steal my attention, my time. You don't get to do
| that. My time on Earth is limited and you don't get a
| millisecond of it if I can help it.
|
| If I want to buy something, I seek it out. Anything else is a
| waste of my time and a waste of the advertiser's money.
|
| I long ago decided to throw out every piece of physical ad
| mail I receive without even glancing at it more than long
| enough to recognize it as an advertisement.
|
| I don't know why you expect me to treat your digital ads any
| differently?
|
| You can call my perspective extremist, but is it any more
| extreme than the methods used by advertising networks to
| steal my attention?
| ogre_codes wrote:
| I'm pretty frustrated by advertising too, and some of it is
| particularly egregious, but at the moment, there is really
| no other way for many publishers to get paid.
|
| I'm curious, how many services do you subscribe to and pay
| for content? I pay for a few ad free resources, but
| certainly a lot of the sites I enjoy don't get my $$.
| monopoledance wrote:
| Because publishers are producing print content for a past
| era digitally, or, worse, already feed its bastard
| adapted to advertisement.
|
| I get netflix for about 10EUR/month, but a weekly print
| newspaper (still filled with ads...) wants 30EUR/month (4
| issues...) here, where a lesser digital only costs still
| 10EUR/month... They just don't serve the information I
| would pay for, but that doesn't mean the clickbaity
| "free" online "content" is a legit business model.
|
| I want sober, on point, timely information on matters of
| shared/common interest, filtered by journalistic
| overview, contextualization and reliable sourcing. With
| the option to subscribe to niche content additions, e.g.
| art, culture, but of course news shouldn't be a comfort
| zone only, either. I don't want to co-pay for the clear
| special interests like the sports/soccer or housing
| section, at all. And I won't ever pay for opinionated
| outrage and intellectual masturbation, because nothing
| else happened or feels like anything at the moment. I
| don't want some mind-numbing four page zeitgeist piece on
| cancel culture which starts by making associative yak
| shaving a storytelling virtue. I want to be briefed in
| the morning, by my personal intelligence service, like
| madame president.
|
| Publishers are not struggling, they are throwing a fit
| over a changing information access reality, for 15 years
| or something. If they cry just a bit longer now, their
| economic niche is gonna be completely absorbed by
| technological answers to the question of "What's going
| on?".
| Griffinsauce wrote:
| Just as an example: I read some dev newsletters, they
| include a block of paid-for job postings. Highly relevant
| with the content. Together with the occasional sponsored
| post link (also still relevant content) this appears to
| fund them just fine.
|
| This isn't "ad free" but it's close enough in my opinion.
| There's a huge gulf between contextually relevant content
| curated by the creators and the kind of shite that ad
| networks push.
| silentsea90 wrote:
| Great morally charged argument, but I am not sure how you
| expect content creators to monetize.
| beefield wrote:
| Well, to be blunt, in my humble opinion more than 90% of
| "content creators" trying to monetize their content with
| ads currently produce content of so low quality, that
| world would be a better place without their content. So
| if my ad blocker helps any of those to change their
| career, I am happy.
| silentsea90 wrote:
| Even with ad monetization, if their content is of no use,
| they will disappear if they survive on said ad
| monetization. Content creation on the web is hard enough
| to suffer from removing the major monetization avenue
| without a suitable alternative.
| JoshTriplett wrote:
| Charge money, either directly for the content, or
| indirectly in the form of patronage or a service or other
| business you run.
| silentsea90 wrote:
| Yep, these exist as alternatives as of now, but require
| an explicit payment step which might cause more friction
| than ads.
|
| I think a service that allows for website usage based
| payments, a Spotify/Apple News for websites would be
| interesting. I can see a decentralized crypto application
| evolving around this usecase
| JoshTriplett wrote:
| > Yep, these exist as alternatives as of now, but require
| an explicit payment step which might cause more friction
| than ads.
|
| Payment from one user produces more revenue than showing
| ads to hundreds of users. That should be multiplied in to
| any analysis of friction.
|
| > I think a service that allows for website usage based
| payments, a Spotify/Apple News for websites would be
| interesting.
|
| There have been _many_ attempts to do that, none of which
| have succeeded. One major problem: they tend to track all
| your web activity, and the kinds of people interested in
| services like this are very much the kinds of people who
| don't want to be tracked. Another problem: it's easier
| to convince people to pay for a specific source of
| content than to amorphously pay for "various content".
| TedDoesntTalk wrote:
| That's not really my problem, is it? It is the content
| creator's problem.
| ogre_codes wrote:
| Presumably if your adverts don't do tracking, they don't need
| to slow page loads down the way current advertising does
| either which should be a big plus.
|
| Fundamentally serving an advert should be a _light_ process
| adding only a tiny amount of overhead to the site.
| ericholscher wrote:
| Yea, we are planning to do a blog post on it, but the total
| overhead is in the 10's of KB. Just a single JS file, and
| an image. All open source:
| https://github.com/readthedocs/ethical-ad-client
| franklampard wrote:
| I totally read it as ethical lads.
| tilolebo wrote:
| And I read your comment as "ethical ads" and was wondering
| what I got wrong from the GP comment, ahah.
| baby wrote:
| Security in general is a performance and usability killer. If
| "attackers" were not a thing your internet would be much much
| faster, hell your smartphone wouldn't need to encrypt itself or
| paying in a shop wouldn't need a chip & pin.
|
| What I'm saying is that a lot of applications have many
| attackers in their threat models, but advertisers have so far
| been out of scope.
| makecheck wrote:
| Modern ad networks are essentially the "fax machine flyers" of
| old: someone you don't know using _your_ resources and _your_
| time, denying you use of your own resources temporarily, to
| send you something you don't want. Except now it's like every
| "normal" fax page includes 15,000 flyers.
| sunnytimes wrote:
| i started working at a place that would get stacks of flyers
| across the fax machine every day , they would just toss them
| in the recycling bin all the while wasting tons of paper and
| ink .. i started calling all the removal numbers and got it
| down to zero .. they thought the fax machine was broken haha.
| adrr wrote:
| If people didn't want ads it wouldn't be a multi billion
| business. Also your analogy is wrong. Your browser won't
| execute code unless it requests it. With fax machine spam you
| don't have to do anything except have it connected to a live
| telephone connection.
|
| It's more like complaining that the sole of your shoes is
| being worn out more because grocery stores put the milk in
| the back forcing you to walk past items you don't intend to
| buy. You can always go to a different store, just like no
| one is forcing you to browse websites that are ad supported.
| ssss11 wrote:
| Often something is a multi billion dollar industry that
| people don't want!
|
| Perhaps you're invested in the ad industry. No one else
| wants ads buddy.
| adrr wrote:
| Not in ads but I know they are quite effective. Most
| startups can attribute their growth to the effectiveness
| of digital advertising. Robinhood was driving app
| installs for $10 each while E*TRADE and Ameritrade were
| paying $1000 per customer.
|
| Most of that VC cash startups raise is spent on
| marketing. I don't understand why people have such
| negative perception of ads especially on a VC run news
| site. All the ycomb companies drop tens of millions on
| digital advertising.
| mola wrote:
| People don't want ads. How do you infer that people want
| ads because the ad industry is profitable?
|
| It's profitable because a few people want to influence and
| spy on a lot of people.
|
| Most people don't want ads they just tolerate them for
| getting actual services. Most these people don't even know
| how much tracking is involved and how nefarious this
| industry really is.
| adrr wrote:
| Why do they work? Why can I go start a business and scale
| it to millions of paying customers by using ads?
| zentiggr wrote:
| Because there are businesses and politicians willing to
| pay through the nose to get their message in front of
| those that they want to influence, and you are then the
| middleman that gets our irritation and ad blockers and
| pushback for contributing to the proliferation of the
| most invasive, unscrupulous segment of our entire
| society.
| layoutIfNeeded wrote:
| Because you're infecting people with mind-viruses to
| force them to buy your crap. Advertising is about
| exploiting human psychology, taking advantage of people
| with weak impulse control, and outright lying.
| notsureaboutpg wrote:
| There's a huge difference though, people didn't use fax
| machines to access loads of quality content for free.
|
| Things aren't free, but the Internet makes us feel like those
| things are, and then when the creators of the content we
| consume for free attempt to receive their pay, we call ad
| networks shady and shifty and cheating. There are huge
| problems with ad networks, but they are feeding and providing
| for lots and lots of content creators in a way we, as the
| general public, aren't willing to do.
|
| Complex situation with complex answers...
| andai wrote:
| Some pages don't let you "Reject All" cookies, you have to
| uncheck them one by one, and there's literally hundreds of ad
| networks listed.
|
| It's spooky, I tell ya!
| jkochis wrote:
| I seem to always have this handy snippet in my dev tools
| history:
|
| document.querySelectorAll('input[type=checkbox]')
|   .forEach(el => el.removeAttribute('checked'))
| anko wrote:
| https://github.com/oblador/hush if you use safari :)
| Basically the regulations say that if a user doesn't
| respond to this popup, by default all the cookies are
| rejected except the ones the site needs.
|
| This app hides the popup :)
| tomjen3 wrote:
| Sites can set as many cookies as they want. I have
| installed temporary containers (that is a Firefox only
| feature sadly), 15 minutes after I close the last tab in
| that group all those cookies are automatically deleted.
|
| Each tab group then has its own cookie container, so I can
| have multiple groups open and they don't share anything - I
| can login to different google (or any other service)
| accounts in different containers and it works like I want it
| to.
|
| For the sites that I want to use logged in, I either create
| a special container for that site only, or I just use a
| password manager to log me in each time I need to visit it.
|
| The added privacy is great, the peace of mind in just
| clicking I agree is great.
| novaRom wrote:
| How do you circumvent browser fingerprinting? If every
| container has the same user agent, canvas, screen
| resolution, JS benchmark test results, etc. then no
| matter what but you are uniquely identified, bingo!
|
| I really feel today having different devices with
| different browsers, connected to different providers is
| only working solution.
| grishka wrote:
| Use your browser settings to block third-party cookies
| altogether. And, better yet, install uBlock Origin and
| never see an ad again.
| Justsignedup wrote:
| this. this is the way i solve this. They can use all the
| cookies they want, ublock tends to just eliminate all of
| it.
|
| Overall FF has been incredibly user friendly making all
| sort of plugins that focus on privacy possible, while
| Chrome has been as hostile to it as possible.
| at-fates-hands wrote:
| Unless you get the pop-up from the site that says, "We
| see you're using an ad blocker. You need to turn it off
| in order to access our site."
|
| Along with some marketing drivel about how it's important
| advertisers get their ad revenue.
| grishka wrote:
| This is when you revoke that website's privilege to run
| arbitrary Turing-complete code in your browser because it
| didn't use it wisely.
| michaelmior wrote:
| > never see an ad again
|
| I wish that were true. Although uBlock Origin does a good
| job, some ads definitely still make it through. There are
| also some sites that detect ad blockers and refuse to let
| you in unless you disable it. There are workarounds for
| some of these, but it's still a bit of a mess.
| grishka wrote:
| > There are also some sites that detect ad blockers and
| refuse to let you in unless you disable it.
|
| That, and when there's an email subscription popup, is
| when the one-click JS toggle extension comes out. Can't
| detect anything if it can't run any code in your browser.
| michaelmior wrote:
| It can "detect" if JS is disabled (by loading content via
| JS) so this doesn't always work.
| emayljames wrote:
| I agree, although to add, uBlock Origin has an
| 'annoyances' list that does a pretty good job of stopping
| detectors.
| michaelmior wrote:
| Thanks for the reminder that I hadn't enabled this in my
| current browser :)
| sbarre wrote:
| If a website doesn't let me in because I use an ad
| blocker, I respect their decision and I leave the site
| and find what I need elsewhere.
|
| I have yet to come across a site that offered something
| so unique or compelling that I decided to turn off my ad
| blocker to use it.
| [deleted]
| [deleted]
| boogies wrote:
| Doesn't Google grant itself first-party status by
| redirecting you through an advertisement domain? uBlock
| definitely is the king of ad blocking extensions -- only
| the fork AdNauseam (https://adnauseam.io/) can compete,
| and that's by both blocking ads and fighting back with
| obfuscating click simulation.
| CameronNemo wrote:
| Hmm. I think it would be better if the extension clicked
| _randomly_ rather than clicked on all ads. That would
| cause the numbers to be much harder to interpret, and ad
| agencies or departments would have a much harder time
| measuring their efficacy or justifying their existence.
| boogies wrote:
| Me too, and it provides a slider for the percentage to
| click that I kept below 100 when I used it (now I use
| Palemoon, which doesn't support WebExtensions, and I use
| /etc/hosts).
| valvar wrote:
| You can change the click frequency in the settings. I
| guess it would be better to make that setting a part of
| the splash page that shows up on installation, though, as
| otherwise many will miss it.
| iso1631 wrote:
| > ad agencies or departments would have a much harder
| time measuring their efficacy or justifying their
| existence.
|
| 50% of adverts are a waste of money, the problem for
| people wanting to advertise is nobody knows which 50%
| beders wrote:
| Please don't. Unless you are willing to pay for the
| services you are using for free now, ads is what keeps
| them "free".
|
| You can object to being targeted based on your browsing
| habits, but don't stop ads altogether.
| gpvos wrote:
| Too late. They had their chance and blew it.
| grishka wrote:
| It's my device and it's my choice what it's allowed to
| load and display to me. It's not my responsibility to
| make sure someone who provides their service for free
| earns money from shitting into my brain. Implied
| contracts aren't a thing for me. If you want to make sure
| you get paid for your service, put up a paywall.
| AnIdiotOnTheNet wrote:
| Eh, I get where you're coming from, but no. The ad
| industry is insidious and has exploited every means
| possible to hijack the user's attention: pop-ups,
| flashing banners, auto-playing videos with sound, inline
| ads that reflow what you're reading after they take way
| too long to load, extensions that insert ads, paying ISPs
| to insert ads, talking to Alexa through your TV...
|
| There is no level these people will not stoop to, and
| we're sick of their shit. They brought this on
| themselves.
| ihsw wrote:
| Ad networks had their chance, it's done now.
| mstade wrote:
| I wonder how many people reading this comment are thinking,
| "what's a fax machine?" :o)
|
| I like the analogy, but I wonder how effective it is on
| anyone under the age of what, 35?
| at-fates-hands wrote:
| A small business owner I used to work for got sued for fax
| blasting people when the marketing company he hired was
| sending out some 2K faxes per day to unsuspecting business
| owners.
|
| I still laugh about how he got several cease and desist
| letters and still continued sending the same businesses
| stuff.
|
| Ahhhhhhh yeah, the good old days.
| culopatin wrote:
| I'm in the age group you mention and although I've only
| used a fax twice, I can totally understand the analogy.
| neltnerb wrote:
| Easy enough to just use "text messages" since it was not
| very long ago that you had to pay to receive them but had
| no ability to block them without disabling them entirely.
|
| At least for those of us that were late adopters of text
| messages.
| bialpio wrote:
| This also depends on where you're from - I had a cell
| phone for the past ~20 years and only learned that you pay
| for receiving texts in the US when I first visited, ~9
| years ago.
| jdhzzz wrote:
| I'm old enough to remember (like New Coke) ZapMail by FedEx
| where you would send documents by FedEx and FedEx would Fax
| it on their equipment to a location near the recipient for
| physical delivery. Obligatory Wikipedia article:
| https://en.wikipedia.org/wiki/Zapmail. Hey, most businesses
| didn't have one of those newfangled FAX machines.
| gumby wrote:
| Newfangled? It will enter its third century in a decade
| or so.
| tomcam wrote:
| So just fangled
| gumby wrote:
| I think it's sufficiently geriatric to be considered
| oldfangled.
| zxexz wrote:
| You might be surprised how many of us under-35s still have
| to use Fax machines on a regular basis ;)
| megablast wrote:
| > You might be surprised
|
| This is such a meaningless statement.
| jsilence wrote:
| This below 35 yr old discovered a fax machine. You won't
| believe what happened next!
|
| Better?
| castwide wrote:
| Especially anyone who works in law, government, banking,
| or healthcare.
| TheRealDunkirk wrote:
| I love that some of the most-sensitive information users
| are the ones hanging on to a completely-unsecured
| transmission method. Sure, tell me again about all those
| HIPAA and SOX requirements when we still have fax
| machines.
| PeterStuer wrote:
| or Microsoft
| yakubin wrote:
| Counts as government.
| gumby wrote:
| Especially in Japan.
| pants-no-pants wrote:
| My bank still accepts fax documents. All I would have to do
| is find a fax machine ...
| madamelic wrote:
| Unsurprisingly Equifax requires you communicate with them
| through snail mail, fax or a telephone call.
|
| Every other credit agency had no problem with my SSN +
| address then Equifax throws a flag, locks my account and
| says I have to validate my identity by faxing them
| identity documents.
|
| Fat chance, idiots.
| coliveira wrote:
| In the Apple store you can find apps that send fax to a
| physical location. That's what I used the last time I had
| to send one.
| slivanes wrote:
| Try this online fax service:
| https://www.faxrocket.com/#!/start
|
| I have bookmarked them from long ago.
| yyyk wrote:
| There are quite a few multifunction printers with fax.
| darrylb42 wrote:
| That assumes a land line to plug the fax machine into.
| mjcohen wrote:
| We have two.
| wtetzner wrote:
| There are online services that let you upload a PDF, and
| they'll fax it for you.
| mixmastamyk wrote:
| Even in the 90s a lot of folks didn't send a "physical"
| fax, you could print it thru your modem. Or something
| similar, memory fuzzy, only did it once I think.
| dylan604 wrote:
| Or going to a shop like Kinkos or a local print/copy
| shop. They offered sending/receiving faxes or FaaS before
| _aaS was a term of "endearment".
| gaius_baltar wrote:
| > My bank still accepts fax documents. All I would have
| to do is find a fax machine ...
|
| On linux you can use
| [efax](https://linux.die.net/man/1/efax) and a modem
| and... ooops, good luck finding a modem.
|
| I did this for real ~10 years ago when a stupid company
| didn't accept a scanned PDF by email and required a fax
| of the actual document "because security". The difference
| is that I had a modem in an old laptop at that time, so I
| just sent them the same scanned PDF.
|
| Now I'm wondering if there is a provision for sending
| faxes somewhere in the GSM/3G/4G rabbit hole of
| standards.
| unilynx wrote:
| I'm not sure if it required anything from the network,
| but my Siemens C35 could send faxes
| freeone3000 wrote:
| GSM yes, but once phones went digital that capability was
| lost.
| ciceryadam wrote:
| One of my previous employees had a Kofax server with 6
| ISDN lines for faxing. D in ISDN stands for Digital.
| gumby wrote:
| GSM phones _are_ digital and include a special FAX mode.
| dialamac wrote:
| Pharmacy, nursing, and medical students will find out soon
| enough.
| dyingkneepad wrote:
| I had to use a Fax machine in 2018. In the United States.
| As the _only acceptable way_ to submit certain documents.
|
| I should also point to non-Unitedstatians that checks (that
| physical paper worth as much money as you write and sign on
| it) are still in use in the USA.
| 14 wrote:
| Checks still in use in Canada as well. I had a person
| today tell me they had 3 checks stolen and cashed and my
| response was "people still use checks?".
| ghostpepper wrote:
| In Canada it's spelled cheque, I have no idea why.
| </pedantry>
| jeromegv wrote:
| Still in use but much less than the US. Interac bank
| transfer has cut on a lot of that usage.
| ryandrake wrote:
| The demise of checks is greatly exaggerated. I've written
| about 70 or so checks in the last 5 years. Mostly:
| Property taxes, home improvement contractors, dues for
| various clubs and social groups, kids activities, and
| some mail-in retailers who simply don't take credit card.
|
| That's leaving out the "automatic bill pay" function of
| my bank's web site, which, for most payees, at the end of
| the day results in physical paper checks being printed
| and sent in envelopes.
| wastholm wrote:
| > The demise of checks is greatly exaggerated.
|
| That varies a lot by jurisdiction. I'm 50 and I haven't
| written a single check in my entire life. (Sweden.)
| wdb wrote:
| Yeah, only cashed in checks from US and U.K. Each time I
| need to find out how to do it! Think three checks in
| 40 years ain't bad
| tomjen3 wrote:
| I have only ever paid once with a check here in Denmark.
| I won't ever do it again, because no bank that I know of
| will issue a paper check.
| scruple wrote:
| I maintain a legacy service at work (I originally wrote
| it back in 2014) that is responsible for sending eFaxes
| from our various other services and platforms. It's one
| of the most internally trafficked services we have. We're
| in the healthcare space. Almost every document created on
| our different platforms results in a fax being sent.
| dvfjsdhgfv wrote:
| For the SS-4 form, to get the Employer Identification
| Number, you have to either make a phone call (fairly
| long, half an hour in my case), send a fax (and get the
| EIN in 4 days) or apply by email and... wait 4-5 _weeks_!
| [0]
|
| [0] https://www.irs.gov/instructions/iss4
| bityard wrote:
| I still use checks because in the US there are certain
| things you can't use a credit card for, e.g. loan
| payments.
|
| I pay contractors with checks because almost none accept
| credit cards and cash gets cumbersome once you start
| getting into 4 and 5 digits.
|
| My local utilities all charge a "convenience fee" of a
| few dollars when paying online or with a credit card.
| Sending a check in the mail costs me only $0.50. (Even
| though it costs them some employee's wages to handle my
| envelope and cash the check. Go figure.)
|
| Checks are also convenient for transferring small amounts
| of money to friends and family. Yes, there is Paypal and
| the like and some of them don't even charge fees but I
| trust my bank way more than I trust a random company with
| direct access to my bank account. (Paypal in particular
| have proven over and over again to be untrustworthy in
| this regard, which is why not only do I have two Paypal
| accounts--one for buying and one for selling--but I also
| have a special "firewall" account between PayPal and my
| main checking account. This is so that the most they can
| grab is a couple hundred dollars on average, rather than
| some arbitrary fraction of my life's savings.)
|
| Checks are sometimes the easiest (or only) way to move
| large amounts of money between my own accounts. There was
| a time where most online bank accounts would let you make
| ACH ("electronic checks") transfers to any other account,
| but they seem to be moving away from this, I presume due
| to its high use in fraud.
| robocat wrote:
| New Zealand is phasing out cheques.
|
| Many shops don't accept them, some banks have already
| stopped using them altogether, and the rest of the major
| banks are phasing them out this year.
|
| A cheque is a rare thing to see (I haven't handled one
| for a decade or so?)
| ACow_Adonis wrote:
| what on earth is banking doing over there in the US? I
| wouldn't know how to write a cheque these days if I
| wanted to, and the only cheque I've seen in the last 10
| years or so is from my (now deceased) grandmother in-law
| sending birthday money to my wife.
|
| I'm guessing this is why several US payment companies and
| start-ups just don't make any sense to me: "make payments
| easier!"
|
| but it's hard for me to understand how to make it easier
| than just typing in someone's phone number or email and
| sending them money, or purchasing via tap and go with
| your card/ phone. Don't you at least have electronic
| transfers if not those other newfangled technologies? are
| you (seriously) suggesting you can't transfer money
| between your accounts?
| toast0 wrote:
| Banking in the US has first mover disadvantage.
|
| Because of how and when it got computerized, it's hard to
| move it forward again. There's no desire for sweeping
| changes, everything has to move slowly now.
|
| There are several personal transfer services (PayPal is
| ancient and fits the mold), but none have a lot of
| penetration. I think Zelle? is deployed through bank
| integration, and may end up with a lot of users as a
| result; possibly critical mass.
|
| There was a lot of backlash on rf payments the first go
| round, a few issuers gave me cards with it, but then they
| removed it. Then they started issuing cards with chips,
| and now most of them are putting rf payments back in. A
| lot of payment terminals have the hardware for it, but a
| lot of them also have signs that say don't tap to pay.
|
| I can easily do electronic (ACH) between _my_ accounts,
| as long as I've gone through setup, which takes days for
| test deposits to show up. But to transfer to a friend or
| a relative is tricky.
| spiralx wrote:
| The first digital computers were used by banks within
| years of each other - 1955 for BoA in the USA, 1958 for
| BNP in France and 1959 for Barclays in the UK. And those
| machines merely took over from existing calculating
| systems that had been in place for a good couple of
| decades.
|
| US banks suck for a lot of reasons but part of it is that
| culturally and regulatorily the entire
| financial/banking/commercial environment in the US is
| very conservative. And there's not much in the way of
| pressure to make changes either - whether internally from
| competition and regulation or externally from the need to
| interact with other countries. Like broadband, consumer
| banking is basically an oligopoly that will quite happily
| plod along providing the same service as long as it can.
| elzbardico wrote:
| Can't you use a wire-transfer or an ACH transfer? All
| those use cases are easily solved with electronic
| transactions in most of Europe, Asia and even in Latin
| American countries like Brazil. They are usually
| inexpensive or free and instantaneous.
| daxelrod wrote:
| In the US, wire transfers can incur fees for both sender
| and recipient. ACH is more often used by medium to large
| businesses transferring money from or to consumers, but
| the ergonomics are pretty bad for one-off person to
| person transfers, to the point that if you hire a plumber
| who owns their own business, they'll probably accept
| check, and sometimes accept credit cards.
|
| The US does have some electronic networks for instant,
| no-cost p2p payments. https://www.zellepay.com/ has a
| large number of participating major banks with some major
| exceptions. A lot of people use https://venmo.com/ or
| https://cash.app/ which are not directly integrated with
| banks but then offer electronic transfer of funds to bank
| accounts.
| com2kid wrote:
| Wire transfers from my bank in the US require me to call
| up and make a request.
|
| Writing a check is the fastest way for me to transfer
| between two accounts. :(
| josephg wrote:
| Australia too. Electronic transfers here are free and
| instant. When I used to rent I just set up a recurring
| payment through my bank's website (free and easy, with
| any bank to any bank). Now my mortgage gets taken out
| each month automatically via a direct deposit
| authorisation. (ACH equivalent).
| toast0 wrote:
| ACH in the US is not simple to use. Companies that accept
| ACH payments are using a payment processor that comes
| with a fee (usually less than credit card fees);
| contractors aren't going to set that up. Consumer to
| consumer transfers built on ACH have increased in the
| last couple of years, but with low limits, inappropriate
| for contractors, and generally with terms of service
| prohibiting business use. It's easy to move money
| between my accounts with tools based on ACH, though.
| There's nowhere at my bank where I can say send $x to a
| routing number and account number, it takes a bunch of
| setup work.
|
| Wire transfers are expensive here; my credit union which
| doesn't generally have high fees, charges $29 to send a
| wire (they don't charge for incoming wires, but some
| banks do). I've had some brokerages with free wires, but
| usually that's tied to a balance requirement or in
| connection with a company sponsored account (for stock
| based compensation or retirement accounts).
| jamiequint wrote:
| This is a terrible analogy. Nobody forced you to go to the
| website that voluntarily decided to include the trackers.
| tehjoker wrote:
| I can't tell if this argument is meant seriously but it is
| incredibly specious. If every single website operates in
| this fashion and modern life is nearly impossible without
| them, then consumers are presented with no option and it
| amounts to coercion.
| passivate wrote:
| It is still not a nice thing to do. Can we at-least agree
| on that?
| spiralx wrote:
| If that website doesn't ask me if I want to allow those
| trackers then it's forcing them upon me without my consent.
| How am I supposed to know if a website has a tracker before
| I visit it?
| nixpulvis wrote:
| This is akin to the whole class of CPU vulnerabilities we've
| seen (Spectre/Meltdown/CacheOut/...) where performance
| optimizations are at odds with security.
| ogre_codes wrote:
| It is remarkably similar. If it weren't for the assholes
| trying to steal from us, our whole computing experience would
| be faster.
| kmeisthax wrote:
| I'm going to be inevitable in the opposite direction: I don't
| think cross-domain requests were actually saving that much
| bandwidth. The common use case I could think of that would be
| JavaScript CDNs. The problem with that is that JS libraries
| update frequently - even something really common like jQuery
| has hundreds of releases, all of which get their own
| separately-cached URL. So the chance of two sites using the
| same jQuery version is low. Keep in mind that public JS CDN
| URLs are rarely refreshed, too - it's more of an indicator of
| when the site was developed rather than the latest version the
| site was tested with. So you could hit hundreds of sites and
| not get a cross-domain cache hit.
|
| Even if you did share a URL with another site, the benefit is
| low compared to what you can do with same-domain requests. Most
| sites should be served with HTTP 2 already, which means even
| unoptimized sites should still load decently fast as requests
| aren't as expensive as they used to be. You can get almost all of
| the same bandwidth benefits from a cross-domain cache by just
| making sure your own resources are being cached for a long
| time.
| ogre_codes wrote:
| Mozilla ran the numbers and it's not a huge penalty.
|
| It's just frustrating that it's one more optimization that is
| getting turned off. And makes the internet just a tiny bit
| worse as a result. It's like death by a thousand cuts.
| na85 wrote:
| >but web advertising and trackers are already responsible for a
| huge chunk of performance issues already.
|
| Indeed. The brave move would be for firefox to include built-in
| adblock, but I don't think Mozilla has the cojones.
|
| >Of course we'll have the inevitable guy pop in here and talk
| up how awesome web tracking is because it helps sites monetize
| better, but that's all bullshit.
|
| I think if adblocker usage became widespread we _would_ in fact
| see the death of a lot of websites, but to be perfectly honest
| I kinda want that to happen because advertising is cancer.
| jrmann100 wrote:
| Does this make Firefox's Multi-Account Containers obsolete? I
| just finished setting the smart cookie-grouping extension up, but
| it seems like this serves a functionally similar purpose.
| WorldMaker wrote:
| Multi-Account Containers remains important for managing "real"
| cookies used as intended (signed in account information, for
| instance). These "supercookies" are parts of the web experience
| abused for tracking and at least partly orthogonal to what
| Multi-Account Containers helps manage.
| cyberpro007 wrote:
| Doesn't NoScript do the same job?
| jefftk wrote:
| No. You can track users across sites with the HTTP cache
| without running any JS.
| neatze wrote:
| I use both ublock and noscript, it was pain for a few weeks
| to get used to noscript, now I don't see going back using
| browser without noscript.
| NelsonMinar wrote:
| Perhaps you are trolling? NoScript is a giant hammer that
| smashes 90% of the functioning parts of most modern web pages.
| This new feature in Firefox partitions caching in a way that
| mostly won't affect how a site works but will block one
| nefarious tracking technique.
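
The trade-off debated in this thread (what partitioning costs in cache hits versus what it removes as a cross-site signal) can be seen in a small model. This is an added example, not code from Firefox or from the thread; the site names, the browsing trace and the "last two labels" site rule are assumptions made for the illustration.

```javascript
// Added illustration: an in-memory model of cache keying, not browser code.
// All site and resource names are constructed.

// Assumption: a "site" is the scheme plus the last two host labels. Real
// browsers use the Public Suffix List to find the registrable domain.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname.split('.').slice(-2).join('.')}`;
}

class ModelCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.keys = new Set();
  }
  // Returns true on a hit. A miss stores the entry under the computed key.
  load(pageUrl, resourceUrl) {
    const key = this.partitioned
      ? `${siteOf(pageUrl)} ${resourceUrl}` // keyed by (top-level site, URL)
      : resourceUrl;                        // keyed by URL alone
    const hit = this.keys.has(key);
    this.keys.add(key);
    return hit;
  }
}

// Constructed browsing trace: [page visited, subresource the page embeds].
const TRACE = [
  ['https://news.example/', 'https://cdn.example/jquery-3.5.1.js'],
  ['https://news.example/', 'https://t.tracker.example/px.gif'],
  ['https://shop.example/', 'https://cdn.example/jquery-3.5.1.js'],
  ['https://shop.example/', 'https://t.tracker.example/px.gif'],
  ['https://www.news.example/story', 'https://cdn.example/jquery-3.5.1.js'],
  ['https://blog.example/', 'https://cdn.example/jquery-3.4.0.js'],
];

// Replays the trace and counts hits. A "cross-site hit" is a hit on a
// resource the current site never loaded itself: cache state written while
// on one site and observable from another, which is what a tracker reads.
function replay(partitioned, trace = TRACE) {
  const cache = new ModelCache(partitioned);
  const loadedBy = new Set(); // "site resource" pairs seen so far
  let hits = 0;
  let crossSiteHits = 0;
  for (const [page, resource] of trace) {
    const mine = `${siteOf(page)} ${resource}`;
    if (cache.load(page, resource)) {
      hits++;
      if (!loadedBy.has(mine)) crossSiteHits++;
    }
    loadedBy.add(mine);
  }
  return { hits, misses: trace.length - hits, crossSiteHits };
}

console.log('shared cache:     ', replay(false));
console.log('partitioned cache:', replay(true));
```

In this trace the partitioned cache gives up two hits, both of them the cross-site ones, while the same-site reuse on the `www.news.example` subdomain still hits; the different jQuery version misses either way.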
| Pet_Ant wrote:
| It takes time to tune, but I find after a month of usage I
| rarely need to tweak things. The tweaking itself is eye
| opening as it really makes you more aware of what is going
| on.
| neatze wrote:
| It is just one or two clicks away to load website, it also
| safer to browse internet this way, in my non-expert opinion.
| nixpulvis wrote:
| I'm still trying to imagine the way one exploits a lack of
| partitioning in the DNS cache...
|
| 1. It seems like client web pages cannot directly view the DNS
| information for a given domain name. So I would think embedding
| identifying information in something like a CNAME or TXT record
| directly wouldn't work.
|
| 2. I suppose a tracker could try to create unique records for a
| given domain name and then use request/responses to/from that
| domain to get identifying information. But this seems highly
| dependent on being able to control the DNS propagation. Short of
| my ISP trying this trick on me, I'm not really sure who else could
| manage.
|
| I'm sure I am missing things in this brief analysis. I'd love to
| hear what others think about this cache.
| tyingq wrote:
| _" I'm still trying to imagine the way one exploits a lack of
| partitioning in the DNS cache."_
|
| There's a PDF here: https://www.ndss-symposium.org/wp-
| content/uploads/2019/02/nd...
|
| Basically timing based. See
| https://www.audero.it/demo/resource-timing-api-demo.html for a
| demo of what's available in the browser's navigation and
| resource timing API. For example, I get this on a cached
| reload:
|
| domainLookupStart: 52.090000128373504
|
| domainLookupEnd: 52.090000128373504
|
| The PDF explains some enhancements that make it more reliable,
| like publishing multiple A records and watching order, etc.
| Also, the demo link isn't really showing what you would
| do...the resource being downloaded would be marked as non-
| cacheable so that you would be measuring "DNS lookup was cached
| or not" instead of "Entire Asset was cached, therefore no DNS
| lookup happened".
| nixpulvis wrote:
| It's always timing isn't it... Thanks for those links.
| labawi wrote:
| DNS could respond with unique IPv6 addresses and echo back on
| HTTP request.
|
| But it's more likely they just use a large set of (sub)domains
| and measure timing.
| somerandomboi wrote:
| I'm on Firefox right now. Does anyone Internet browse on Emacs?
| paulpauper wrote:
| Twitter uses these type of cookies. They even use cookies that do
| not contain any reference to the twitter domain. It is how they
| track people who have been suspended on the platform
| xorcist wrote:
| Browse twitter through nitter and all these problems go away,
| and it's actually a usable interface on top.
| kreddor wrote:
| Nitter looks pretty cool. Didn't know about that one. Does
| something like that exist for Facebook as well?
| jjgreen wrote:
| ... and if you use the FF extension "Privacy Redirect", then
| all twitter links are redirected to nitter, which is sweet.
| brokensegue wrote:
| citation?
| smcl wrote:
| Seconded - I'm not normally the [Citation Needed] guy but
| this claim deserves either an explanation or a link to an
| article that gives one. If it's true it'll have a ready
| audience willing to amplify it, if it's false it should
| disappear
| SahAssar wrote:
| That's not how cookies work. See mdn which says about the
| domain flag: "If omitted, defaults to the host of the current
| document URL, not including subdomains.":
| https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Se...
| sholladay wrote:
| I haven't looked into Twitter's cookies specifically, but if I
| understood you correctly, I think you're misinformed about what
| the domain of a cookie does. It's normal to not specify the
| domain because that's the only way to exclude subdomains, which
| is important for security.
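
The `Domain` behaviour the two comments above refer to, written out as an added example (not code from MDN, a browser, or the thread). It follows the storage and domain-matching rules of RFC 6265; the host names are constructed and public-suffix checks are left out.

```javascript
// Added illustration of RFC 6265 cookie scoping; not browser code.
// Host names are constructed. Public-suffix rejection is out of scope.

// RFC 6265 section 5.1.3: does `host` domain-match `domain`?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^[\d.]+$/.test(host) || host.includes(':');
  return !isIp && host.endsWith('.' + domain);
}

// Sections 5.2.3 and 5.3: derive the stored cookie's domain and host-only
// flag from a Set-Cookie header value received from `requestHost`.
// Returns null when the cookie must be ignored.
function storeCookie(requestHost, setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 0) return null;
  const name = pair.slice(0, eq).trim();

  let domainAttr = '';
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const value = i < 0 ? '' : attr.slice(i + 1).trim();
    // An empty Domain value is ignored; a leading dot is dropped; the last
    // Domain attribute wins.
    if (key === 'domain' && value !== '') {
      domainAttr = value.replace(/^\./, '').toLowerCase();
    }
  }

  const host = requestHost.toLowerCase();
  if (domainAttr === '') {
    // No Domain attribute: host-only cookie, subdomains excluded.
    return { name, domain: host, hostOnly: true };
  }
  // A server may only name its own host or a parent of it.
  if (!domainMatch(host, domainAttr)) return null;
  return { name, domain: domainAttr, hostOnly: false };
}

// Section 5.4: is the stored cookie attached to a request for `host`?
function sentTo(cookie, host) {
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatch(host, cookie.domain);
}

const hostOnly = storeCookie('example.com', 'sid=abc; Path=/; Secure');
const wide = storeCookie('example.com', 'sid=abc; Domain=example.com');
console.log(sentTo(hostOnly, 'api.example.com')); // false
console.log(sentTo(wide, 'api.example.com'));     // true
console.log(storeCookie('example.com', 'sid=abc; Domain=other.test')); // null
```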
| eznzt wrote:
| I think he means that they use another domain (third-party
| cookies), not that they have no domain at all
| yannoninator wrote:
| Will switch to firefox because of this, absolutely disgusting.
| jefftk wrote:
| Safari, Chrome, and Edge already partitioned the HTTP Cache
| by site; Firefox was the last major browser not to. It's
| great that Firefox is doing this, but it's not a
| differentiator.
| viseztrance wrote:
| The way they phrased it in the post implies otherwise?
|
| > These impacts are similar to those reported by the Chrome
| team for similar cache protections they are planning to
| roll out.
| jefftk wrote:
| See
| https://developers.google.com/web/updates/2020/10/http-
| cache...
|
| "The feature is being rolled out through late 2020. To
| check whether your Chrome instance already supports it:
| ..."
| [deleted]
| crtasm wrote:
| What other domain(s) are they setting cookies on? I'm not
| seeing any (but I am not logged in).
| paddlesteamer wrote:
| I wish there could be a way to see which root site set those
| cookies. For example I wish we could see twtracker.com
| supercookies are set in some iframe in twitter.com.
| danbruc wrote:
| How much money is a user actually worth per year on average? And
| why can I not pay that amount of money and be left alone, not
| seeing any ads, not being tracked, not being sold?
| LeifCarrotson wrote:
| Annual average revenue per (active) user (from North America)
| is about $180 for Google, $150 for Facebook, and $80 for
| Twitter. As you might expect, Amazon has far higher revenue per
| user ($700), and Apple is about $140, but they're both more
| like $30 when you only count their advertising revenue instead
| of much lower-margin retail and hardware manufacturing
| businesses.
|
| Searching for "ARPU" news will give articles with new takes
| every time anyone publishes new quarterly numbers, but those
| are roughly accurate. Obviously, they can be distorted to tell
| whatever story you want by messing with market segmentation,
| time period, and what kind of
| revenue/profit/margin/expenses/capital you want to invoke, but
| those are rough numbers.
|
| To be clear, those are first-party advertising companies, this
| isn't the value of a page view to a random blog with side-roll
| ads from some third-party advertisers/trackers. I have no idea
| what Taboola/Outbrain chumboxes generate other than that they
| both have $1B revenue and there are about 5B Internet users
| worldwide, which means the average user is worth $0.20 per year
| to them. And it's reasonable to assume the majority of their
| revenue comes from wealthy English speaking adults, so maybe
| your demographic is worth $5 or something like that.
| DevKoala wrote:
| I wonder if Google will follow suit.
| sanxiyn wrote:
| Google implemented this first.
| antman wrote:
| And I am stuck in an old Firefox version before they cracked down
| extensions.
| [deleted]
| jzer0cool wrote:
| Is there any movement in tech centered on security/privacy
| allowing web viewing without relying on cookies and local browser
| storage?
| dikaio wrote:
| Mozilla.
| newscracker wrote:
| Use uBlock Origin, Multi Account Containers, Privacy Badger,
| Decentraleyes and CookieAutoDelete with Firefox. Make sure you
| aggressively clear cache, cookies, etc., periodically (with
| CookieAutoDelete). You'll probably load the web servers more and
| also add more traffic on your network, but it will help protect
| your privacy since most websites don't care about that. When
| websites are user hostile, you have to take protective measures
| yourself.
| SamuelAdams wrote:
| Or enable private browsing all the time. You'll have to log
| into your accounts every time you open your browser, but that's
| not really a big deal with a decent password manager.
|
| [1]: https://support.mozilla.org/en-US/kb/how-clear-firefox-cache...
| skeletonjelly wrote:
| Can you be tracked within the private browsing mode though?
| For instance in Chrome private tabs I know if you log in to
| something then open a new tab, that tab retains the cookies
| from the private session until you close all private tabs. Is
| this the same with Firefox? I'm hesitant to install yet
| another extension but I'm wondering if this one mentioned
| elsewhere in this thread will fix it, if it is the case with
| Firefox.
|
| https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
| driverdan wrote:
| You forgot NoScript.
|
| uBlock Origin with privacy lists negates the need for Privacy
| Badger.
|
| Decentraleyes is neat but I've found multiple sites it breaks.
| llacb47 wrote:
| Why NoScript? uBlock Origin in medium or hard mode can be
| used instead.
| m463 wrote:
| I use umatrix... as long as it lasts.
| vxNsr wrote:
| umatrix is built into ublock origin now, just enable advanced
| mode in ublock.
| m463 wrote:
| thank you, that is great news!
| floatingatoll wrote:
| Doing this will make it trivially easy to fingerprint and track
| you on the web, as the set of people who use non-defaults like
| this list is 0.000001% of the total possible user space for
| their area, and your IP address probably only changes rarely or
| never.
|
| A better way to protect yourself is to use a browser with
| tracking protections on by default, and leave the settings
| alone. You may see a few more ads but you'll be a lot less
| tracked as a result.
|
| If personal convenience is the priority, then of course Adblock
| and so on to your heart's content, but if not being tracked is
| the priority, reset your browser settings to default and remove
| weird addons that your neighbors don't use.
| danShumway wrote:
| I don't see how using containers in Firefox or auto-deleting
| cookies would have any negative effect here.
|
| None of the cache deletion/isolation addons should inject any
| Javascript into the page or alter headers in any way, so they
| shouldn't be detectable to sites you visit. So in terms of
| unique behavior, all that site isolation means is that you're
| going to hit caches more often and be missing cookies.
|
| I mean, sure, a website can recognize that you don't have any
| unique cross-site cookies to send them and make some
| inferences based on that, but the alternative is... having a
| unique cross-site cookie. So it's not like you're doing any
| better in that scenario.
|
| I can see an argument against a few of these like
| DecentralEyes, since they change which resources you fetch at
| a more micro-level. But uBlock Origin and Multi Account
| Containers seem like strict privacy/security improvements to
| me.
|
| UBlock Origin especially -- if you care about privacy, you
| should have that installed, because outside of very specific
| scenarios your biggest threat model should be 3rd-party ad-
| networks, not serverside 1st-party timing
| attacks/fingerprinting. No one should be running Chrome or
| Firefox without Ublock Origin installed.
| floatingatoll wrote:
| Auto-deleting cookies or other content in a way that
| doesn't resemble Safari ITP would indicate that a device at
| your IP address is constantly losing tracking cookies in an
| uncommon manner, theoretically increasing your
| trackability.
|
| Websites can only make inferences based on the absence of
| unique cross-site cookies _if_ you are configuring your
| browser in non-default ways. If all Firefox 85+ users are
| partitioning, then any inferences drawn from that behavior
| do not increase your trackability -- and it could well
| decrease it, as those Firefox 85+ users will be joining the
| swarm of Safari users whose browser has already done the
| same sort of partitioning for a couple years.
|
| Multi Account Containers are an oddity, and alone they
| would not be particularly distinguishable from a multi-user
| computer (which, at a home residence, could be unusual;
| many people don't have User Accounts on a shared device).
| However, when combined with cross-container tracking
| infection (such as URL parameter tags designed to survive a
| transition to another container, e.g. fbclid or utm_*),
| it's possible to identify that a user is using containers,
| which is a very rare thing and not available by default,
| thus increasing risk of being tracked.
|
| UBlock Origin allows far too much customization for me to
| prepare any clear reply there. I imagine it is possible to
| run UBO with a ruleset that only interferes with requests
| to third-party adservers, without letting the first-party
| know that this is occurring. I doubt, however, that a
| majority of UBO users are running in such a circumspect
| mode. Adblocking often requires interfering with JavaScript
| in ways that are easily visible to the first-party (who has
| a vested interest in preventing ad fraud).
|
| Fingerprinting is a known defense against fraudulent
| clicks, so there's a lot to puzzle over there. But I
| definitely don't like to take active steps to make myself
| stand out from others. I'm annoyed that I'm tracked a
| little on the web, but I'm indistinguishable from the
| general pool of "users with default browser settings"
| today. That's a type of protection that addons can't
| provide. I'm not wholly certain what I think yet, but
| happily the browsers continue advancing the front of
| protection forward, so maybe by the time I decide it won't
| matter anymore. YMMV.
|
| ps. I'm glad to see your much more nuanced consideration of
| this balance, and I wish that more took your careful
| approach here when recommending "privacy" setups to others.
| alfalfasprout wrote:
| If you live in the Bay Area chances are plenty of others do
| the same thing.
| rmdashrfstar wrote:
| And for the rest of the globe?
| surround wrote:
| Every browser already has a unique fingerprint. uBlock origin
| does a ton to improve privacy, it's foolish not to use it
| just to avoid fingerprinting.
| buzzy_hacker wrote:
| Agree, but substituting multi-account containers with temporary
| containers https://addons.mozilla.org/en-US/firefox/addon/temporary-con...
| infogulch wrote:
| Oh nice! I've been wanting a container extension that just
| works on every site by default.
| mistahchris wrote:
| This looks excellent. I've wanted something like this before
| but wasn't aware of this extension. Thanks for sharing :)
| commotionfever wrote:
| Temporary Containers is really nice, but how can you replace
| MAC with it? I tried before but couldn't assign some domains to
| "permanent" containers.
|
| E.g. I'd like to use temp containers all the time, except for
| some sites like YouTube where I'd like it to always open in a
| YouTube container.
| floatboth wrote:
| Temporary Containers > any kind of auto-delete hacks
| WC3w6pXxgGd wrote:
| Why not use Brave? It has all of this, with Fingerprint
| protection turned on by default.
| notriddle wrote:
| Because cryptocurrency is a scam.
| ldiracdelta wrote:
| Then don't use the cryptocurrency part.. it isn't all-or-
| nothing.
| mastazi wrote:
| Brave doesn't have the features offered by those extensions,
| it doesn't have anything equivalent to multi account
| containers, it doesn't have DNS emulation (unless you install
| Decentraleyes) and it doesn't auto delete cookies (you still
| need to install Cookie Autodelete). The built in ad blocker
| is not as advanced as uBlock Origin and that's why I
| installed the latter as an extension (I turned off the built
| in one). Anyway IMHO the biggest limitation currently is the
| lack of containers, because it needs to be built into the
| browser, there is no 3rd party extension that can give you
| that.
| cpeterso wrote:
| Firefox's Tracking Protection blocklist blocks many known
| fingerprinting scripts by default.
|
| Firefox also has an active fingerprinting protection mode
| that spoofs the unique values returned from some JavaScript
| APIs (such as locale, time zone, screen dimensions, WebGL),
| but this feature flag is currently buried in about:config
| because it can break websites. How to enable fingerprinting
| protection anyway:
|
| https://support.mozilla.org/kb/firefox-protection-against-fi...
| bradly wrote:
| With Brave you will still see personalized ads on some sites
| which I do not want to see.
| dazbradbury wrote:
| Worth pointing out that Chrome has been partitioning cache by
| domain since Chrome 86 (released Oct 6th 2020).
|
| https://developers.google.com/web/updates/2020/10/http-cache...
|
| Does anyone know if these protections go further or differ
| significantly?
| masa331 wrote:
| Thank you Firefox team
| EastSmith wrote:
| I have an android phone, using Brave on a Samsung flagship from 2
| years ago.
|
| The test at amiunique.org tells me my _User Agent_ string is
| unique.
|
| So, can we now fix the _User Agent_ strings, please?
| chrsw wrote:
| I'm slowly weaning myself onto private browsing through a VPN and
| the NoScript extension.
| brandnamehq wrote:
| Any opinions on the likelihood of upcoming changes to first party
| cookies?
|
| Ex: www.example.com and api.example.com may both access cookies
| for example.com.
| waynesonfire wrote:
| Fantastic work, thank you.
| falsaberN1 wrote:
| The partitioning thing is terrible for people with slow/unstable
| connections, despite the security gains.
|
| Is there a way to disable it? Or should I better think about
| installing a caching proxy to avoid the redundant traffic?
| mikl wrote:
| I think you're overestimating the impact of this. Most web site
| content these days is served from the web site owner's own
| domain.
|
| It's only if a.com and b.com have (for example) the exact same
| image URL (c.com/img123.jpg) embedded, and you visit both
| sites, that this cache partitioning will make a difference.
|
| In essence, there's very little legitimate Internet traffic
| that would be affected by this change, but lots and lots of
| creepy spyware behaviour will be prevented.
| philote wrote:
| What about JS libraries or CSS hosted by a CDN? I'm thinking
| jQuery, Bootstrap, etc etc. I learned that using a common CDN
| was the way to go because the content would likely already be
| in the user's cache and often not need to be loaded.
| IshKebab wrote:
| This was discussed when Chrome made this change. It makes
| almost no difference because to get any saving you have to
| have lots of websites that use the same CDN _and_ the same
| version of jQuery etc. Unlikely enough to not matter.
| mikl wrote:
| Indeed, and the savings are fairly small even in the best
| case, jQuery is 28kB gzipped, a drop in the ocean of the
| multi-megabyte payload of most big sites these days.
| tyingq wrote:
| I see what you're saying. But, for example, all of the new
| DNS queries for things like jQuery and Google Analytics
| surely add up to something noticeable.
| mikl wrote:
| Statistically significant: maybe. Noticeable to humans:
| almost certainly not.
| falsaberN1 wrote:
| On a proper internet connection, you are right, but when
| that connection is unstable or capped, it's extremely
| noticeable.
| mminer237 wrote:
| I fully agree.
|
| I _think_ turning `privacy.partition.network_state` off in
| about:config should allow reverting the change at least.
| floatingatoll wrote:
| You'd be better off installing a caching proxy, so that all
| connections from all of your devices share one cache, rather
| than only altering settings in one browser.
|
| If you're a Mac user with more than one of any kind of Apple
| device on your network (like, two Macs), you can install their
| Server app on any macOS and enable software update caching as
| well.
| jb1991 wrote:
| Can anyone explain the fingerprinting issue, unrelated to
| cookies? Visit any one of these many sites that show you what
| your browser knows about you, it doesn't matter if using Firefox
| with fingerprinting blocking enabled, the site reveals a tremendous
| amount of information in your fingerprint. Firefox doesn't stop
| any of that, despite its settings that purport to do so. It's
| always the same information, not scrambled or randomized, from
| site to site.
| marvinblum wrote:
| Which actually makes sense. If you have a "zero-fingerprint"
| browser it will become useless, because you cannot use any
| advanced features other than displaying HTML.
| gilrain wrote:
| Brave's method of slightly randomizing the metrics gets
| around that. They call it farbling.
| jb1991 wrote:
| What I mean is, the fingerprint that is sent to any of these
| sites accurately describes my machine, and FF never attempts
| to hide or scramble that information despite its anti-
| fingerprint setting.
| chromaton wrote:
| Is this really important given that browser fingerprinting can
| almost always identify a web browser?
| jb1991 wrote:
| I agree. Visit any one of these many sites that show you what
| your browser knows about you, it doesn't matter if using
| Firefox, the site reveals a tremendous amount of information in
| your fingerprint. Firefox doesn't stop any of that, despite a
| setting that supposedly protects you from fingerprinting.
| [deleted]
| Closi wrote:
| Absolutely it's important - Just because one hole is still open
| doesn't mean another shouldn't be closed.
|
| And FF and Safari should continue their work to close any
| fingerprinting opportunities. Fingerprinting is becoming less
| effective over time - for example fingerprinting on iOS is
| pretty unsuccessful.
| chromaton wrote:
| Yes, I agree.
|
| Do you have more information about how iOS is blocking
| fingerprinting?
| zinekeller wrote:
| While it has some native anti-fingerprinting protection
| (including automatically deleting third-party cookies every
| week), the main deterrent is homogeneity: you can be sure
| that the browser/device is Safari on iPhone 12 Pro Max...
| and that's it. In other words, unlike other devices where
| you can get what GPU is in the system (WebGL and Canvas),
| the resolution of the screen, the list of fonts installed
| by the user (indirectly, by testing them), list of webcams
| and sound cards on the system (WebRTC), how many (logical)
| CPU cores are there (WASM), whether the device has a
| battery (Battery API), and the laundry abuse of APIs that
| exists means that it is possible to individually identify
| desktop users and (to a certain extent) Android users.
| chromaton wrote:
| I found this:
|
| https://9to5mac.com/2020/09/04/ad-industry-tracking/
|
| "my iPhone 11 Pro was also unique among the more than 2.5
| million devices they have tested."
|
| Time zone is one possible fingerprint data point.
| zinekeller wrote:
| > Time zone is one possible fingerprint data point.
|
| Totally forgot that. Oops.
|
| Now for the meat of your comment ...and how many have
| tested their protections so that their testing site
| recognizes that your device is not unique?
|
| A very good counterclaim was posted in the comments:
|
| _I strongly disagree with your findings, Ben. Namely,
| you list fingerprinting techniques available to browsers,
| and fail to mention how Safari (and Firefox to some
| extent) make those methods less precise. Instead, you say
|
| Note that this isn't a comprehensive list, it's just
| examples. When a website analyses all of the data
| available to it, things get very specific, very fast.
|
| So let me point out where you were wrong about Safari in
| particular:
|
| * Fonts installed. Safari reports a very limited subset of
| fonts, which does not vary. It is the same for every
| Safari user.
|
| * Plugins installed. Unsurprisingly, Safari lists just
| one: PDF reader. Native plugins are not reported.
|
| * Codecs supported for video. The uniqueness checking
| site reported just H.264 and FLAC. Audio formats are not
| reported at all. There's no mention of H.265 and VP9
| which work in my Safari beta version, and no mention of
| the whole plethora of audio formats which are supported.
|
| * Screen resolution is not the real screen resolution.
| I'm on 27'' 5K iMac and the screen is reported as 2048 x
| 1152.
|
| * Media devices attached reported as "audioinput" and
| "videoinput". It has nothing to do with the actual
| available media devices.
|
| And incorrect reporting goes on.
|
| As you can see, fingerprinting through browser leaves
| Safari users very poorly segregated. As long as you are
| running the latest OS with the latest version of Safari, you are
| a part of a very broad chunk. You can't be identified
| through browser fingerprinting alone._
|
| This means that the only unique data that you can get
| are: a) Language settings. There is no way to work around
| this (unless you consistently lie that you solely use
| English). b) Time zone. There is no way to work around
| this (unless you consistently lie that you solely use
| UTC).
|
| These things can be predicted anyway with IP address, so
| it is not perceptibly meaningful in any way. In other
| words, advertisers can literally give up on detecting
| when Safari is the browser and rely instead on IP
| addresses (which can tie into a family or, in some IPv6
| cases, a device).
| chromaton wrote:
| Thanks for the response. It looks like just because the
| fingerprint is _unique_ doesn't mean that it's
| _accurate_ or _stable_.
| kedikedi wrote:
| I've got a question; if it is ok to lie in these reports,
| why do they even exist? I thought these reports were
| there as a way to introduce client capabilities so that
| the server can serve the right content.
|
| Disclaimer: This is a genuine question. I'm a hardware
| guy and I don't know how web works nowadays.
| chromaton wrote:
| You're correct as to why they exist, but then it turns
| out that this is a privacy leak. Software is hard.
| danShumway wrote:
| In a parallel reality:
|
| "Firefox 85 Cracks Down on Fingerprinting"
|
| "Is this really important given that supercookies can almost
| always persist between sessions and across domains?"
|
| ----
|
| If you want to fix a problem, there are going to be points
| during that process where the problem is partially fixed. This
| only becomes an issue if we're headed in the wrong direction,
| or focusing on a sub-problem that would be better addressed in
| a different way, or if we have no plans to fix the other attack
| vectors.
|
| But the steps we'll take to attack fingerprinting are very
| similar to the steps we'll take to attack supercookies, so
| there's no harm in grabbing the low-hanging fruit first.
|
| Supercookies clearly have some value to advertisers and other
| bad actors or else they wouldn't be used. There's value in
| closing off that specific tracking method while we continue to
| try and figure out the harder problem of how to standardize
| headers, resource loading, etc...
| chromaton wrote:
| You're right, of course. But let's not forget that
| fingerprinting exists and is going to be tough to eliminate.
| rrix2 wrote:
| let's also not forget that firefox has spent the last few
| years aggressively investing in anti-fingerprinting tech
| danShumway wrote:
| People shouldn't think that this change on its own means
| they can't be tracked any more, but also this change is
| worth celebrating -- not all sites use fingerprinting
| (yet).
|
| But yeah, we still have a ways to go. Small steps.
| floatboth wrote:
| about:config - privacy.resistFingerprinting
| Jonnax wrote:
| "In the case of Firefox's image cache, a tracker can create a
| supercookie by "encoding" an identifier for the user in a cached
| image on one website, and then "retrieving" that identifier on a
| different website by embedding the same image."
|
| Clever. And so frustrating that optimisations need to be turned
| off due to bad actors.
| legym wrote:
| In Javascript how are they able to retrieve something from the
| cache? Local, session, and cookies are domain locked.
| Gare wrote:
| They load the image URL and observe the loading time. If it's
| fetched quickly, they know it was from cache. The server
| (controlled by the advertisers) can intentionally add delay
| to those image requests that makes detection reliable.
| floatboth wrote:
| With some forms of caching it's much simpler: the browser
| sends an ETag or If-Modified-Since and the server is
| supposed to return 304 Not Modified to optimize the load if
| the cached resource is still valid.
| kortilla wrote:
| But from JavaScript I don't think you can see that. You
| just get the end result of the image being served to you.
| You have to infer it from timing.
| avolpe wrote:
| I think that they put the user information in the image using
| something like this[1].
|
| [1]. https://github.com/subc/steganography
| eshaan7 wrote:
| As a fellow engineer, clever! As a user, damn you!
| simias wrote:
| Note that the root of all evil here is Javascript being opt-out
| instead of opt-in (and effectively mandatory for a big chunk of
| the internet these days).
|
| Letting any website and their friends (and the friends of their
| friends) run turing complete code on the client PC probably
| sounded reasonable when the web was created but it seems
| incredibly naive in hindsight. It's not as bad as ActiveX and
| other plugins, but it's pretty close.
| masa331 wrote:
| No no no. The problem isn't JavaScript or web capabilities
| here. It's the companies and people who use them in evil
| ways. I would rather handle that even if it's much much
| harder.
| xg15 wrote:
| And how would you address this problem?
| CogitoCogito wrote:
| Regulation seems appropriate.
| kortilla wrote:
| Regulation as a solution for problems on the Internet is
| pretty stupid because jurisdictions are so diverse.
| Daho0n wrote:
| So different website features per country? Or do you mean
| regulation decides how a browser implements it? Either
| way I don't see how that would ever work.
| DavideNL wrote:
| Yea... You need either a law/sanctions, or a technical
| restriction that can't be circumvented.
|
| Hopefully both, someday :)
| alentist wrote:
| Yes yes yes. Luckily for us, these problems are
| _technically_ solvable, no handling (?) "evil ways" (?)
| needed. The latter proposal is both ill-defined and a waste
| of time and resources. Better to spend those resources on
| _designing more secure systems_.
| fimbulvetr wrote:
| Somewhat off topic but have you seen all of the recent (2
| years) malware using webassembly? It's difficult to disable
| in chrome, somewhat difficult to disable in firefox, and no
| extensions seem to help. I'd love to make it as easy to disable
| as JS.
| ghayes wrote:
| I'm curious how bad disabling this caching feature would be.
| Specifically, how often do you load the same image on two
| different domains?
| callmeal wrote:
| Instead of thinking "same image on different domains", think
| "hidden uniquely-named single pixel image".
| kortilla wrote:
| That's the same thing. In order for that tracking method to
| work, this uniquely named pixel has to be loaded while
| visiting multiple sites. So it ends up being multiple
| domains referencing the same image from some tracker
| resource.
| SwiftyBug wrote:
| Good question. I'd guess that the chance of that happening is
| very small. But if that optimization exists maybe it's not
| that uncommon?
| greycol wrote:
| The most common example I could think of (other than
| trackers) would be aggregator sites. If the aggregator shows
| an image that was originally from a destination article or if
| comments link to a source for some content.
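
Added example, not part of the thread and not Mozilla's code: a toy JavaScript model of the cache keying discussed above, comparing a cache keyed by URL alone with one keyed by (top-level site, URL), using the a.com / b.com / c.com/img123.jpg names from mikl's comment. The class names, the per-request response bodies and the visit list are constructed for illustration, and the bare hostname stands in for the top-level site.

```javascript
// Toy model only: real browsers key on scheme + registrable domain and
// also partition connections, DNS, HSTS and other network state.
const IMG = 'https://c.com/img123.jpg';

class HttpCache {
  constructor(partitioned) {
    this.partitioned = partitioned;
    this.store = new Map();
  }
  // Pre-partitioning: key is the resource URL alone.
  // Partitioned: key also includes the site shown in the address bar.
  key(topLevelSite, url) {
    return this.partitioned ? `${topLevelSite} ${url}` : url;
  }
  get(topLevelSite, url) {
    return this.store.get(this.key(topLevelSite, url));
  }
  put(topLevelSite, url, body) {
    this.store.set(this.key(topLevelSite, url), body);
  }
}

// Constructed third-party server: every network fetch gets a different
// body, standing in for a response that varies per request.
class ThirdPartyServer {
  constructor() {
    this.requests = 0;
  }
  serve(url) {
    this.requests += 1;
    return `${url}#variant-${this.requests}`;
  }
}

class Browser {
  constructor(partitioned, server) {
    this.cache = new HttpCache(partitioned);
    this.server = server;
  }
  // Load a resource embedded in a page whose top-level site is given.
  loadEmbedded(topLevelSite, url) {
    const cached = this.cache.get(topLevelSite, url);
    if (cached !== undefined) return { body: cached, fromCache: true };
    const body = this.server.serve(url);
    this.cache.put(topLevelSite, url, body);
    return { body, fromCache: false };
  }
}

// Visit a.com, then b.com, then a.com again, each embedding the same image.
function compare(partitioned) {
  const server = new ThirdPartyServer();
  const browser = new Browser(partitioned, server);
  const onA = browser.loadEmbedded('a.com', IMG);
  const onB = browser.loadEmbedded('b.com', IMG);
  const onAAgain = browser.loadEmbedded('a.com', IMG);
  return {
    // Same bytes on both sites means the two visits can be linked.
    sameBytesOnBothSites: onA.body === onB.body,
    serverRequests: server.requests,
    // Per-site caching still works on a return visit in both modes.
    repeatVisitCached: onAAgain.fromCache,
  };
}

// Network fetches for a constructed browsing session, to show the cost
// side of the trade-off raised in the thread.
const VISITS = [
  ['a.com', IMG],
  ['b.com', IMG],
  ['a.com', IMG],
  ['a.com', 'https://a.com/logo.png'],
  ['b.com', 'https://b.com/app.js'],
  ['b.com', IMG],
];

function countFetches(visits, partitioned) {
  const server = new ThirdPartyServer();
  const browser = new Browser(partitioned, server);
  for (const [site, url] of visits) browser.loadEmbedded(site, url);
  return server.requests;
}

console.log('shared     ', compare(false), countFetches(VISITS, false));
console.log('partitioned', compare(true), countFetches(VISITS, true));
```

In this session the partitioned cache costs exactly one extra fetch, the first load of the shared image on the second site, while first-party resources and repeat visits are served from cache as before.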
| avodonosov wrote:
| We need to acknowledge also that recognising the user as he moves
| across pages and domains is sometimes needed to provide valuable
| services to the user.
|
| Therefore, I believe, browsers have to provide a volunteer
| "tracking" functionality - when a web page requests 3rd party
| cookies, a popup is shown to the user with the cookie values,
| description (as set by the owning domain), the list of domains
| already permitted to access the cookies and their privacy policy
| links, and options Allow Once, Allow, Deny Once, Deny.
|
| So instead of fighting each other, service and the user had a
| chance to cooperate. Service only needs to describe the need
| clear enough.
| bryanmgreen wrote:
| Does this mean I don't need to permanently browse with Incognito
| now?
|
| Using uBlock, Privacy Badger, Decentraleyes currently.
| option_greek wrote:
| Not if you plan on using Google search. They discourage such
| 'behaviour' by throwing captchas at you after a set amount of
| time.
| peterpost2 wrote:
| How is that even legal
| dang wrote:
| We detached this subthread from
| https://news.ycombinator.com/item?id=25917326.
| minikites wrote:
| Because enough people think making laws restricting companies
| in any way prevents "innovation". Corporations should be able
| to do whatever they want because if they were truly bad, they
| would just go out of business, right? It's the worldview of a
| third grader.
| fcantournet wrote:
| I don't know why you're getting downvoted, this is clearly the
| dominating ideology of Silicon Valley.
| [deleted]
| awefasdfasdf wrote:
| Read 'The age of surveillance capitalism'. Engineers should
| understand the business models they create.
| minikites wrote:
| Engineers don't respect any subject outside of STEM,
| education like this would fall on deaf ears.
| tolbish wrote:
| That's not true; they respect the sciences. But only
| sufficiently "hard" ones like chemistry and biology.
| yakubin wrote:
| You seem to think that the meaning of "STEM" includes
| anything that anyone applied the word "science" to. But
| no, the "science" part is precisely the "hard" sciences.
| E.g. psychology, economics and theology aren't included
| in STEM.
| tolbish wrote:
| I thought it was STEM instead of HSTEM. Silly me.
|
| Sarcasm aside, not all natural sciences are treated
| equally. There are differing attitudes towards astronomy,
| oceanography, and climatology, for example.
| yannoninator wrote:
| science is STEM no?
| tolbish wrote:
| But not all sciences are respected.
| eulers_secret wrote:
| I understand this knee-jerk reaction, but please don't
| judge engineers by what they post on HN. This place is...
| odd. (as I'm sure you know!)
|
| If I formed my opinion only from HN, I'd think most
| engineers love: big-tech, advertising, electric cars,
| Apple, tech-enabled tracking (autos, web, cell-phone,
| watches, exercise machines, music players - it's ok if
| business profits!), and tend toward self-righteousness,
| narcissism, and virtue-signalling.
|
| Of course, most of us are just living our lives and trying
| to get by. I don't know where this self-important
| insufferable attitude comes from, but I suspect it's a few
| folks who are very noisy. Most 'normal' people don't spend
| much time posting to sites like these, so there is a
| selection bias. Sadly, I also suspect that this attitude is
| an advantage in today's environment. It is a mirage of
| self-confidence, and telling the two apart can be very hard
| (especially for a potential employer).
| etiam wrote:
| There are plenty of categories of human for which this
| community would not stand for an overly broad, coarse
| generalization like that.
|
| Personally I'm not even convinced your claim is effective
| as a prejudice. What I'll concede is many engineers I've
| met seem to be harsher than average on pseudoscience and
| some varieties of manipulative lies, but that's to be
| expected as they have distinguishing knowledge for such
| things to clash with.
| awefasdfasdf wrote:
| They seem to respect their inflated salaries.
| shrimp_emoji wrote:
| In America, what else is there? :3
| [deleted]
| call_me_dana wrote:
| Hi! Systems engineer for two decades now. I have a deep
| respect for philosophy, natural medicine, photography and
| the environment. I suspect many other engineers would have
| interests outside of their profession.
| Teever wrote:
| I know, right?
|
| Like if I were to be caught doing this to a random woman it
| would be appropriately labelled 'stalking' yet when a company
| does it they potentially have a patentable marketing technique
| on their hands or something.
| minikites wrote:
| It's good when a company does it because they create value in
| the economy. It's only bad when a person does it because no
| value is created.
| agnosticmantis wrote:
| I wonder how many downvoted you because they understood the
| sarcasm but they agreed with the non-sarcastic
| interpretation of it.
| Tarsul wrote:
| don't know if you're sarcastic. However, just because a
| company makes money, doesn't mean value is created. Like
| when you win in poker against someone, you're making money
| but not creating value.
| _-david-_ wrote:
| I am not who you were responding to, but I think playing
| poker would create entertainment (even for the loser)
| which could be considered something of value.
| howlin wrote:
| I mostly agree with your point, but it has to be said
| that poker players are creating entertainment value for
| each other. Even if the cash portion of the game is zero
| or even negative sum.
| ghostDancer wrote:
| You forgot the /s. This is HN here you find people that can
| take that seriously and agree.
| numpad0 wrote:
| IMO the /s requirement applies anywhere. Sarcasm is dead,
| literal expressions are literally interpreted literally
| since 2018 and on.
| afiori wrote:
| Sarcasm only works if it can successfully communicate that
| it is sarcasm; be it body language, face expression,
| absurdity, or memeing. On the internet you are a random
| faceless stranger to me, so how can I distinguish sarcasm
| other than guessing?
|
| If the priors were the other way then people would
| complain that nobody takes anyone seriously.
| hinkley wrote:
| Poe's Law was named in 2005. Which was interesting news
| to all of us on Usenet for whom this phenomenon was
| already known before Eternal September or Green Cards
| stole the show.
|
| Sarcasm was already dead before "spam" meant ads instead
| of scrolling a forum or chat window by repeating yourself
| (exactly like the Monty Python sketch it alluded to).
| [deleted]
| zwirbl wrote:
| In values we trust. Shareholder value that is
| numpad0 wrote:
| nothing is illegal if no one understands a thing
| notriddle wrote:
| > It is how they track people who have been suspended on the
| platform
|
| That sounds like a legitimate interest to me.
| mirekrusin wrote:
| Really? Chrome wants to protect against tracking? Isn't that
| their business model?
| EGreg wrote:
| Serious question:
| https://stackoverflow.com/questions/65904903/will-third-part...
|
| EDIT: why the downvotes?
| fsflover wrote:
| You can already do it in the preferences of Firefox. It can
| break some websites though.
| [deleted]
___________________________________________________________________
(page generated 2021-01-26 23:00 UTC)