top | item 43865719

freeamz | 10 months ago

Feels like this whole cookies thing is just whitewash: if you enable JS, they can track you whether or not you have cookies!

Nothing is private: https://nothingprivate.gkr.pw

More effort ought to be put into making the web spec such that users can NOT be tracked even if JS is turned on.

Browser vendors like Brave and Firefox, which are supposed to be privacy browsers, are NOT doing anything about it.

At this point, do we need to use a JS-disabled browser to really get privacy on the web?

idle_zealot|10 months ago

> At this point, do we need to use a JS-disabled browser to really get privacy on the web?

My thoughts are that we need a distinction between web pages (no JS) which are minimally interactive documents that are safe to view, and web apps (sites as they exist now) which require considerable trust to allow on your device. Of course, looking at the average person's installed app list indicates that we have a long way to go culturally with regards to establishing a good sense of digital hygiene, even for native software.

wtallis|10 months ago

It doesn't help that web browsers aren't even trying to help users make the distinction. They have an ever-growing list of features and permissions that sites can take advantage of, with no attempt to coalesce anything into a manageable user interface. Instead, it takes a hundred clicks to fully trust or distrust a site/app.

iggldiggl|10 months ago

The problem is that there is a lot of grey area between pure document-style pages and full-on apps (take online shops for example) and even for the former category of pages a lot of UI niceties are only possible with scripting.

littlecranky67|10 months ago

Any other tracking methods are way more obvious, and way harder to implement for the advertising industry. We shouldn't think in black/white here - the more difficult it is to track a user, the less likely it is to be implemented. It is okay if 30% of tracking sites disappear as the cost/value ratio doesn't work for them. We don't have to sit in silence and do nothing, just because we can't have 100% privacy.

matthewdgreen|10 months ago

I do think there is a point here: any technical means to block tracking is going to be overrun by technical means to overcome the anti-tracking tech. There are simply too many dollars at stake for anything else to happen. If anti-tracking stops some players, that just means the industry will consolidate into a few large and well-resourced players.

While I am all in favor of continuing the technical battle against tracking, it’s time to recognize that the war will only be won with legislation.

GCUMstlyHarmls|10 months ago

https://nothingprivate.gkr.pw seems to (not) work fine in Firefox... I am running ublock-origin though, no other special things.

Diti|10 months ago

Same here, it’s not just you. Judging by the other comments, it only seems to “work” on Blink-based browsers.

Kovah|10 months ago

Also not working on Brave, without UBlock or similar extensions. Brave says it blocked one request, probably the one for fingerprinting.

brookst|10 months ago

It’s an interesting question: is it possible for JavaScript to be Turing complete, able to read/write the DOM, and somehow prevent fingerprinting / tracking?

My gut says no, not possible.

Maybe we need a much lighter way to express logic for UI interactions. Declarative is nice, so maybe CSS grows?

But I don’t see how executing server-controlled JS could ever protect privacy.

Enginerrrd|10 months ago

I've always thought there should be a way to use the browser like a condom. It should obfuscate all the things that make a user uniquely identifiable. Mouse movement/clicks/typing cadence should be randomized and sanitized a bit. And no website should have any authority whatsoever to identify your extensions or other tabs, or even whether or not your tab is open. And it certainly shouldn't allow a website to overrule your right click functionality, or zoom, or other accessibility features.

6510|10 months ago

I don't know what it is called but if you try to open a window from a timeOut it won't work. The user has to click on something, then the click event grants the permission.

You could make something similar where fingerprint-worthy information can't be posted or used to build a URL. For example, you read the screen size then add it to an array. The array is "poisoned" and can't be posted anymore. If you use the screen size for anything, those things and everything affected may stay readable but are poisoned too. New fingerprinting methods can be added as they are found. Complex calculations and downloads might make time temporarily into a sensitive value too.
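A toy model of the "poisoned value" idea in the comment above, as an added example that is not code from the thread or from any browser. The names `Tainted`, `readScreenWidth`, `derive` and `post` are hypothetical, and the screen width is a constructed value.

```javascript
// Added example: taint propagation from a fingerprint-worthy source to a
// network sink. All names here are hypothetical, not a browser API.
class Tainted {
  constructor(value, sources) { this.value = value; this.sources = sources; }
}

// Constructed stand-in for a fingerprint-worthy read such as screen.width.
function readScreenWidth() { return new Tainted(1920, new Set(['screen.width'])); }

// Collect taint labels from a value, looking inside arrays and plain objects.
function taintOf(x, found = new Set()) {
  if (x instanceof Tainted) x.sources.forEach((s) => found.add(s));
  else if (x && typeof x === 'object') Object.values(x).forEach((v) => taintOf(v, found));
  return found;
}

function unwrap(x) {
  if (x instanceof Tainted) return x.value;
  if (Array.isArray(x)) return x.map(unwrap);
  return x;
}

// Any computation over tainted inputs yields a tainted result.
function derive(fn, ...args) {
  const sources = taintOf(args);
  const result = fn(...args.map(unwrap));
  return sources.size ? new Tainted(result, sources) : result;
}

// Network sink: refuses a URL or payload that carries taint at any depth.
function post(url, payload) {
  const sources = taintOf([url, payload]);
  if (sources.size) throw new Error('blocked: derived from ' + [...sources].join(', '));
  return { sent: true, url, payload };
}

// The value stays usable for layout, but it and the array holding it are poisoned.
const layout = derive((w) => (w > 1200 ? 'wide' : 'narrow'), readScreenWidth());
const list = ['en-US', layout];
```

In this model script can still branch on `.value` outside `derive`, so real enforcement would have to sit inside the engine rather than in page code.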

febusravenga|10 months ago

Yes, it is.

Just create a _strict_ content security profile, which doesn't allow any external requests (fetch) and only allows loading of resources (CSS, images, whatever) from a predefined manifest.

The app cannot exfiltrate any data in that case.

You may add permission mechanisms of course (local disk, some cloud user controls, etc).

That's a big challenge in standards, and I'm not sure if anyone is working on such a strongly restricted profile for web/JS.

chongli|10 months ago

> It’s an interesting question: is it possible for JavaScript to be Turing complete, able to read/write the DOM, and somehow prevent fingerprinting / tracking?

Yes, of course: restrict its network access. If JS can't phone home, it can't track you. This obviously lets you continue to write apps that play in a DOM sandbox (such as games) without network access.

You could also have an API whereby users can allow the JS application to connect to a server of the user's choosing. If that API works similarly to an open/save dialog (controlled entirely by the browser) then the app developer has no control over which servers the user connects to, thus cannot track the user unless they deliberately choose to connect to the developer's server.

This is of course how desktop apps worked back in the day. An FTP client couldn't track you. You could connect to whatever FTP server you wanted to. Only the server you chose to connect to has any ability to log your activity.
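The two comments above (a strict content security profile, and cutting off network access) can be approximated today with a Content-Security-Policy header. This is an added example, not code from the thread: it lists which request channels a given policy still leaves open to page script, and the two sample policies are constructed.

```javascript
// Added example: audit a Content-Security-Policy string for open request channels.
// Fallback chains consulted before default-src (CSP Level 3).
const FALLBACK = { 'frame-src': ['child-src'], 'worker-src': ['child-src', 'script-src'] };
const FETCH = ['connect-src', 'img-src', 'script-src', 'style-src', 'font-src',
  'media-src', 'object-src', 'manifest-src', 'frame-src', 'worker-src'];
// Source expressions that do not cause a network request.
const LOCAL = /^('none'|'unsafe-inline'|'unsafe-eval'|'nonce-.+'|'sha(256|384|512)-.+'|data:|blob:)$/i;

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources); // duplicates: first one wins
  }
  return policy;
}

function reach(sources) {
  if (sources === null) return 'unrestricted'; // no directive applies at all
  const remote = sources.filter((s) => !LOCAL.test(s));
  if (remote.length === 0) return 'local';     // includes the empty source list
  return remote.every((s) => s.toLowerCase() === "'self'") ? 'same-origin' : 'external';
}

function openChannels(header) {
  const policy = parseCsp(header);
  const lookup = (chain) => {
    const hit = chain.find((name) => policy.has(name));
    return hit ? policy.get(hit) : null;
  };
  const findings = {};
  for (const d of FETCH) {
    const r = reach(lookup([d, ...(FALLBACK[d] || []), 'default-src']));
    if (r !== 'local') findings[d] = r;
  }
  // form-action does not fall back to default-src, so it is checked on its own.
  const form = reach(lookup(['form-action']));
  if (form !== 'local') findings['form-action'] = form;
  return findings;
}

// Constructed sample policies.
const LOOSE = "default-src 'self'; img-src *; script-src 'self' 'unsafe-inline'";
const STRICT = "default-src 'none'; script-src 'sha256-AAAA'; style-src 'unsafe-inline'; " +
  "img-src data:; form-action 'none'";
console.log(openChannels(LOOSE), openChannels(STRICT));
```

A `same-origin` result still means script can send data to the site's own server, and the audit covers only the directives listed, not navigation by link or `location`.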

deadbolt|10 months ago

Just tried this with Brave and it didn't seem to work, assuming the site working means that it can remember me in an incognito browser. I gave the site a name, and then opened it in incognito (still using Brave), and it acts as if I visited the site for the first time.

What am I supposed to witness?

cptskippy|10 months ago

It didn't work on Firefox mobile either... Why are all these browser companies breaking the web!

gkbrk|10 months ago

Doesn't work on Brave. It says to check it on private mode, but when I switch to private mode it just asks for my name again.

IMTDb|10 months ago

For me it had the opposite effect of what was intended:

I opened the website in a non-anonymous Safari session: it asked my name. Then I opened another new non-anonymous window in the same browser: it showed my name as expected. I then opened the same browser in incognito mode: it asked my name again. I then opened Chrome (non-anonymous) and again it asked my name.

Exactly what I expected to see; everything seems to be working as intended. Anonymization online seems to be working perfectly fine.

FridgeSeal|10 months ago

Also doesn’t work on iOS (for me).

matheusmoreira|10 months ago

They can track you just fine via CSS and countless other ways. They'll even fingerprint the subtle intricacies of your network stack.

What we need to do is turn the hoarding of personal information into a literal crime. They should be scrambling to forget all about us the second our business with them is concluded, not compiling dossiers on us as though they were clandestine intelligence agencies.

emsign|10 months ago

Web Browsers Must Be Removed

They run arbitrary code from sketchy servers called "websites" on people's hardware with way too many privileges. While free and open source standalone web applications exist that only use minimal JS code to access the same web resources with a much better user experience. Without trackers, without ads and third parties.

Kiro|10 months ago

I want a browser to be able to run arbitrary code. That's the whole point. I want to play a game or use a complex application in the browser without having to install anything.

afavour|10 months ago

It won’t happen because people don’t care enough.

I don’t mean to sound glib. But people derive a ton of utility from the web as it stands today. If they were asked if they supported the removal of web browsers they would absolutely say no. The privacy costs are worth the gains. If you want change you have to tackle that perception.

hi_hi|10 months ago

I think this is a bit overblown. Brave and Safari were both private when I just tested. Chrome not so much, but that's expected.

hobs|10 months ago

I by default block JS on the web and only allow it for domains I accept. It's a tiny bit of work for a whole lot of safety.

switch007|10 months ago

I've tried this recently and I found it very difficult. Cloudflare bot protection is everywhere, other anti-scrape protections, many 'document' sites using JS to render with no fallback, basic forms requiring JS, authentication requiring JS, payments requiring JS, etc.

Not intending to sound snarky but do you just not use the web much? Or if you're adding allows all the time, what's the net gain?

antihipocrat|10 months ago

Unmodified server request headers contain enough information for tracking even if JS is disabled. If you're keen to modify HTTP headers while browsing, then you could also modify any JS run on your system that snoops system information (or strip the info from any request sent to the server) and continue with JS enabled.

myHNAccount123|10 months ago

Works as advertised on Edge but not on Safari.

kstrauser|10 months ago

I can't get that site to work on Safari on my Mac, with JS enabled.

sensanaty|10 months ago

The more egregious and frankly disgusting one is https://fingerprint.com

IMO this service should straight up be made illegal. I love the tagline they have of supposedly "stopping fraud" or "bots", when it's obvious it's just privacy invasive BS that straight up shouldn't exist, least of all as an actual company with customers.

alkonaut|10 months ago

I have almost no hope that this is a matter that has a technical solution. The GDPR shows that law - even if not global, and even if not widely enforced - is pretty good at getting people to act. And most importantly, it will make the largest players the most afraid as they have the most to lose. And if just a handful of the largest players online are looking after people's privacy then that is a huge win for privacy.

Doing what this demo shows is clearly a violation of the GDPR if it works the way I assume it does (via fingerprints stored server side).

xiaomai|10 months ago

Hmm, this didn't recognize me in a private window in either Firefox or Brave.