Visiting a site that uses Disqus when not logged in sends URL to Facebook

As a user I use uBlock Origin to block all 3rd party JS by default. This protects me from loading ads, social widgets(trackers), and trackers. A lot of the web is completely broken when you don't run 3rd party JS so each site requires a bit of whitelisting before it will function correctly.

As a website owner I try to lead by example by not including any 3rd party JS(or any JS at all for that matter). Specifically avoiding trackers from Google or Facebook.

Agreed. I use PrivacyBadger[1] to block the download of assets from third-party domains. That way I can selectively enable anything that I want from the blocked domains.

[1]: https://www.eff.org/privacybadger

Heise now uses a new tool they developed called Shariff. Looks better imho and is easy to use. It also shows a like counter if you proxy requests to FB's Graph API through your server.

https://github.com/heiseonline/shariff

Would recommend this over their old two click social share. Your link is a fork of the old Heise tool. It looks dated on mobile.

Bruce Schneier's security blog implements something like this, providing an on/off switch for each social network's "Like", "+1", etc.

https://www.schneier.com/

that looks great! I like how the buttons are originally grey, which is a clear visual indicator that they are not enabled.

Use ScriptSafe, Ublock, Privacy Badger, Ghostery or any number of script blockers to block 3rd party scripts.

somebody in the other thread mentioned https://www.discourse.org/ as an open-source alternative to disqus, although there were some people that downvoted it, so I don't know how good it is.

Just code your site to do something sane with 3rd-party content blocked. E.g. handle load errors with fallbacks.

That way people with µMatrix or similar blockers can use the control tools they have instead of needing to do something site-specific.

Also, such decisions can't be remembered if cookies/localstorage are disabled. So prompting over and over again could also be annoying.

> 1. May we retrieve common libraries from third party CDNs? Doing so helps support this site by saving on our bandwidth costs, but may expose information about you to those third parties.

In an ideal world browsers would never send a cache-refresh request for resources tagged with SRI[0] because the hashes would guarantee that the content is 100% stable. Alas, it has non-trivial privacy implications, so they don't do that.

Maybe it could be implemented as a privacy addon with a whitelist for CDN domains, but then sites would still have to adopt SRI for that addon to do its work. Or maybe an addon that injects cache-control: immutable[1] to CDN could work too, but that's limited to https.

[0] https://developer.mozilla.org/en-US/docs/Web/Security/Subres... [1] https://bitsup.blogspot.de/2016/05/cache-control-immutable.h...

My two cents:

1. All local. Unless you don't want and a 100-200kb JS file is too much of a strain on your server bandwidth. Or are you serving 15Mb of JS files?

2. Screw Disqus. Screw Facebook Comments. Start thinking about your visitors, as someone said on another related thread, you are responsible for the tracking of your visitors by 3rd-party sites. Local comments or turn them off if you don't care about what others are saying. Don't save any information about the commenters except what they enter in the boxes. One-way hash the IPs if you need to compare for spam reasons.

3. If you need your ego stroked when you see you had xx visitors on your site, go ahead, use Google Analytics and screw us all. We're gonna block it anyway.

[1] This is a privacy policy I use and respect very much when interacting with the visitors/commenters on my personal blog.

1. https://vox.space/pages/106/privacy-policy

1. If you're only interested in saving bandwidth and don't care about cache hits from overlapping with other sites, maybe you can host static content somewhere free (GitHub Pages?) or even just set a long cache header (ensure version numbers in filenames, cache for > 1 month) since presumably you're going to serve them the first time before the user has answered anyway?

2. I'm thinking of putting a "Click to load comments" box in place of Disqus on my blog so nothing gets loaded unless the user clicks. Seems better than bothering the user up-front.

3. I use Google Analytics - I figure it's common enough that if people don't like that, they'll already have it blocked, so there isn't really any additional tracking they won't want (unless the twitter timeline widget is tracking; which it might be, but I suspect I'll remove it soon anyway).

Just tried it out, very cool man.

My suggestion would be to make the design more appealing, it looks a little bland now.

And also promote the privacy oriented mission of the service a lot more. Currently there is no mention of privacy/tracking, you only mentioned no ads.

And https is a must in 2017.

Just a few question:

* When do you plan to launch?

* What is the backend built with?

Good luck man.

For me, the problem is that the smaller a service is, the less reputation they have to lose by screwing everyone over. I don't know who you are or that you won't inject ads or affiliate links into my site in a few months (or sell your domain to someone for a few quid that will). (This doesn't mean I think your intentions are bad; I just think it's a bad idea to trust people you don't know on the internet!).

I don't mind included scripts on my page from huge orgs that have a lot to lose by doing bad things but there aren't that many companies that fall into this (Disqus did, but possible shouldn't ;))

Sure, I just posted a link to make it easy to find their comment. I'm giving them the benefit of the doubt that this is an accident and they're working on it, but I'll believe they care when the fix is live and I can see it with my own eyes :-)

Thanks for calling my honest reply a lie and me a liar, really appreciate it.

I'm @madbyk on Twitter and you can also Google my full name to catch my other lies and bad acting on some of my recorded talks.

TLDR: it was because Disqus added the Facebook SDK in the last week or so, for some new feature they're testing. They're looking into this.

^ That sounds legit to me... I believe this was the primary reason why Facebook made an SDK and Like button in the first place...for data mining. Pretty clever.

This is the consequence of building on a platform like FB, you exchange your visitors browsing habit data for access and FB expands their graphs of IP<>websites to improve their ad targeting. And with Disqus is won't be as obvious because the publisher might not be aware that it leads to an FB connection.

So regardless if it was unintentional this is a relevant story for the trade offs of using platforms.

How did you use reddit as a commenting system? It's something I've thought about before but didn't know someone has already built it

Do ad networks allow doing this?

I believe ghostery is one of those kind of adblockers that checks if the ads and trackers target the right people, no?

Sort of a meta-tracker. But maybe I'm too paranoid.

I think this is unlikely, it seems like a silly accident to me.

Someone claiming to be from Disqus has said they are investigating the issue, as it's not their intent.