Mozilla plans to enable Hyperlink Ping Tracking by Default in Firefox
A new Bleeping Computer report by Lawrence Abrams suggests that Mozilla plans to enable Hyperlink Ping Tracking by default in the Firefox browser.
Firefox is one of the few browsers that has the feature disabled by default, another is Brave. Most Chromium-based browsers, Google Chrome and Opera, as well as Microsoft Edge and Safari have the feature turned on by default.
The browsers that have the feature enabled already won't allow users to disable the feature anymore in coming versions. Chrome users, for example, can disable Hyperlink auditing in the browser currently on chrome://flags if they run the Stable version. Chrome users who run Beta or other development versions won't find the feature listed anymore as Google removed it from the list of available flags.
What is Ping Hyperlink Auditing?
Links, or hyperlinks, are a fundamental HTML feature that loads another resource when a user activates it.
Ping is a new attribute that can be added to links to send information to another resource. Here is an example: <a href="https://www.ghacks.net/ ping="https://www.example.com/">This</a>
When a user clicks on the Ghacks Link, Example.com is notified that the click happened. It is possible to notify one or multiple resources about the link click.
What is bad about it?
Ping is used to track link clicks. The nature of how that is done is not transparent to users who click on links, as the ping attribute is not shown and links with pings are not highlighted when a user hovers over the link in the browser.
While it is possible to check the source, it is not comfortable and unlikely that many users will do so.
Apart from privacy, at least one case has been recorded where pings were used for denial of service attacks.
Mozilla told Bleeping Computer that the Ping has not been enabled by default in Firefox already is because the feature is still being implemented.
Asked about the privacy implications, Mozilla told Bleeping Computer that it agreed with Apple's stance on the issue. Apple stated that turning off Ping would not "solve the privacy implications of link click analytics" and that disabling it would result in companies using techniques that would "hurt the user experience".
Sites would often check for supported tracking features and would simply switch to another if Ping was not available.
Firefox supports a preference currently that determines whether pings are enabled or not. The preference is set to False currently which means that it is not used.
Firefox users can check browser.
Chrome users may install Ping Blocker to block pings in the browser. The popular content blocker uBlock Origin blocks pings by default as well, and it is available for Firefox, Chrome, and other browsers.
Brave is one of the few browsers that has the Ping attribute disabled.
Mozilla – respecting your privacy as always.
The funniest part in all of this are the fanboys who claim that Mozilla inherently cares about privacy in spite of them being funded by Google. When will they learn?
Yeah agreed. The option of signing into a Microsoft account was a red flag for me. I checked about:config and this pinging feature is disabled for me so far.
Presumably, like most corporations, they care about money most of all. And if, oh I don’t know, Google were to approach them and say “implement this or else our partnership is over”, I’m pretty sure they’d get right on it.
Honestly I’ve always been a Firefox fanboy. I really enjoyed their privacy features that they built in…. Then there’s this… I have absolutely zero faith that this won’t end up being use maliciously by some websites. I just can’t get behind it and because of that I’m officially switching browsers. :/
When you read the fine print you’ll find there are no other major browsers that “respect your privacy*”.
Only current options are Waterfox or Coldfox, both forks of Firefox which so far have managed to circumvent Mozilla’s descent into silicon-valley-spyware. Time will tell how well they can keep it up.
I’ve been using Brave as a result of this. I really can’t trust Firefox to not protect me against some of the more malicious trackers. If they’ve capitulated in this instance… what’s to stop them from capitulating in every other instance?
Maybe they added it to maintain compatibility with Google-Microsoft Chrome browser standards? Don’t blame Mozilla, blame the Five Eyes, Russia and China. We need legislation against corporate-government collusion.
Just curious: what do you recommend?
Pale Moon, Basilisk, Waterfox, Ungoogled Chromium, Brave, Iridium
From those I have yet to try Basilisk. I tried Iridium very briefly but immediately decided it was not my cup of tea (just personal preference, maybe it has changed). I prefer Waterfox over Pale Moon although I don’t use a lot of extensions overall, and Ungoogled Chromium over Brave but I don’t really like either of these two.
To that list I would add Bromite for Android, which takes a mix-up of Ungoogled Chromium, Iridium and others to make an excellent browser with ad-blocking capabilities.
My main browser is indeed Firefox, it’s “easy enough” to customize (but you can complicate this as much as you want) and supports pretty much all add-ons that I use (which admittedly is not an extensive list). I use Waterfox ‘on the side’ but almost as much as Firefox, just for different purposes and add-ons. My Chromium-based favorite is actually Vivaldi. Unfortunately I don’t get to use this one as often as I’d like due to the privacy implications, and when I do it’s within a very restrictive setup.
what do you recommend?
Best Secure Browsers that Protect Your Privacy
Best Secure Browsers that Protect Your Privacy
The recommended browser is clearly stated as â€œafter all, it is Firefox and its fork specifications (Waterfox, PaleMoon).â€
@owl, interesting article, interesting site that I discover, restoreprivacy.com, that I’ll keep as a reference along with privacytools.io
The article you mention, ‘Best Secure Browsers that Protect Your Privacy’ is indeed worth being read. It reminds us as well that Firefox is the leader when it comes to users’ privacy. And maybe because of this leading position many users express frustration when not hatred when what they consider as an offense to privacy (and which may be occasionally true) is encountered on a browser who’s credo is privacy, as if Chrome brought modifications slowing it down).
My point is just to emphasize on this : a compromise doesn’t mean as such a compromise of principles, a dishonorable behavior. Life is a compromise, society is a compromise.
When Mozilla builds and modifies Firefox what is the company’s guidelines?
A radical attitude such as Tor’s will interest and involve a small minority of users;
An open-bar attitude such as Google’s Chrome will interest and involve a majority of users because a majority expects speed rather than privacy but also because many basic users want an install and forget application and feel concerned by privacy, if ever, within that limit.
My opinion is that the very philosophy of Mozilla is to conciliate privacy with a sexy browser that remains attractive for a broad majority : the balance is a tough challenge because if you focus exaggeratedly on top-notch features and stay up-to-date with latest gadgets you may lose privacy-concerned users, and when focusing on privacy you may loose amateurs of easiness and feature-rich combined to speed browsers.
So Mozilla’s position, IMO, is definitely a quest of balance. Of course mistakes are made, inevitably (or at least what I, we consider as mistakes) but I am strongly convinced that if we understand this company’s position we’ll be less likely to spit as some of us do on the slightest modification we consider as a betrayal of privacy : the odyssey is to carry on a browser without making it a techie’s only delight but simultaneously without abandoning what is at heart of the company (and I believe it is) : respect of the user.
I totally agree with you
Mozilla wants to be a major browser so it can’t do something that makes developers angry.
But in the heart most of it can be customized for privacy in oposite of chrome
So in my opinion there isn’t so much bad in enabling this by default as long as they keep its option to disable in about:config
Also some notes to some other friends
Please Don’t use small browsers that claim to be secure or private
choose between browsers that have big teams because:
1. a small browser can spy on its users withput anyone noticing
(open source don’t work here because you should read all source for every release and complie the browser from source yourself to be certain and binaries that they offer can have malicius codes that isn’t in their public source code!
2. A small browser can steal its users passwords, credit cards info, browsing history and …
3. A small browser can be vulnerable because keeping up with zero day exploits is hard for small teams.
I suggest to read these articles:
“Mozilla wants to be a major browser so it canâ€™t do something that makes developers angry.”
And they did *not* do that when they introduced WebExtensions? Not to mention users!
Yes, you are correct but what i wanted to say was about web developers.
I mean mozilla can’t do something that will increase the probability of it be banned by web developers and site owners may block it if it be strict about adblocking and strict tracking protection and …
Because it should don’t keep bias about good tracking and ads because they are legit.
That’s all paranoid bullshit that just serves to sheepdog people back to the silicon valley megacorporation cartel.
Everything based on chromium has the same problem: Chromium was designed by google.
Whatever their flaws, Mozilla based browsers are the ONLY option for anyone who values privacy.
Exactly. I’ll never get why people just can’t accept that already. Anything Chromium based should never be trusted no matter how good it might sound. Google/Yahoo/MS/AOL/Skype/FB/Twitter, etc, along with all of the shitty mainline browsers are all on board and working with governments globally to pull off whatever insidious shit that benefits them and ONLY them. Have people heard of the Snowden Leaks, ffs? Or what Julian Assange said about all of this nearly 10 years before it ever came about? Lol…these big tech companies don’t give one rat’s ass about anyone or their privacy. Forget last on their list, its not even on their damn list.
About this restoreprivacy.com page : it says Chrome is a “Browser to avoid” and lists why it is a botnet on this picture :
Then it lists Firefox in the “Best secure browsers” section, but fails to say that Firefox does exactly the same as what Chrome does according to this picture (except asking to login to a Google account) :
– sends the name of the file you’re downloading to Google
– every URL you even begin to type in the address bar is sent to Google
– connects to Google every 30 minutes
– connects to websites in the background before you are even finished typing them in
I wouldn’t trust a site that’s so misinformed.
@Anonymous,You should read the topic carefully.
the Firefox privacy guide.
recent reports suggesting that Mozilla
also audited by a third party
Firefox Extended Support Release (ESR),
The misleading page I’m talking about is https://restoreprivacy.com/secure-browser/ .
The problem with this page is something we’re seeing too often : people getting angry at Google when they learn about the spyware features and praising Firefox for not doing the same, but when soon exactly the same features are integrated in Firefox, they suddenly change their mind and decide that the benefits were worth the privacy cost. This is exactly what happened with ping tracking, by the way. This tells much about the role of Mozilla in making people accept the continual privacy erosion.
The difference is all the things you mention in Firefox are just optional defaults which you can change. Chrome doesn’t give the user any choice in the matter.
It is completely unfair to equivocate those situations.
Literally everything you mention is unclicking three checkboxes in about:preferences
Once you have changed those settings any updates to Firefox will respect them, so its like a minute of your time to change those things if you want.
…in other words, we as a society nor the individual have absolutely no say nor do we have any rights on all this issues. It is clear that a few mighty players dictate what and where our steps go and who else shall know about it…
Good luck with a privately regulated internet and everything else that has and will come along with it. I do not like this at all no matter in which form it comes along. Liberalised private regulation is the antagonist of every democratic society…
Benjamin Morgentau: “we as a society nor the individual have absolutely no say nor do we have any rights on all this issues.”
I honestly don’t agree with this characterization. We certainly have the right to control what happens on our own machines. However, we are engaged in a battle of sorts with those who wish to infringe on that.
So, this is the sort of “right” that nobody but ourselves can enforce, and that takes effort and vigilance.
Quoting the article, “Apple stated that turning off Ping would not “solve the privacy implications of link click analytics” and that disabling it would result in companies using techniques that would “hurt the user experience”.
I’d like elaborating this assertion. Meanwhile here on Firefox browser.send_pings is set to false as well as browser.send_pings.require_same_host is set to true (the latter obsolete of course when the former is false).
But because behind-the-scene events have always preoccupied me, and not being sure Firefox’s dedicated ‘browser.send_pings’ is truly ping-proof, I’ve installed as well a dedicated extension:
‘API-Killer-Beacon’ at https://addons.mozilla.org/en-US/firefox/addon/api-killer-beacon/
The developer has several interesting extensions among which a few other API-killers.
I use as well his ‘API-Killer-IndexedDB’ which allows me to visit a site without that site lay its data in my indexedDB folder ( PROFILE\storage\default\) when cookies are not blocked : no side-effects/issues up to now.
Checked out the addon you mentioned. The project on Github doesn’t have the actual source accessible. Instead, there is a password-protected archive, which alarmed me, but the actual code looks safe. It essentially uses browser.webRequest.onBeforeRequest to block type connections and attempt to overwrite the JS API per page. I added the same functionality to one of my private extensions back at the transition to Quantum/57.
My method of preventing idb is surefire but hacky. Without modifying preferences/API, I directly changed the write permissions of the storage folders in my FF profile. I do the same to prevent crashlogs, widevine drm, etc. from accumulating or downloading. The drawback is that I need to do it once for every profile.
@Anonymous, I remember having read a user mentioning the same workaround as you concerning blocking access to the IDB storage folder by modifying those folders’ permission. But the problem now (since, what, Firefox 64 was it?) is that Firefox’s Webextensions use the very same IDB storage folder as Websites (which is, IMO, rude) : [PROFILE]\storage\default\ … so I don’t understand how your tweak can make it from there on. The Webextension I mention above is less troublesome IMO even if as you maybe I prefer, I even love to use hacky solutions, often better suited.
Included with the setup process, I set each extension’s storage subfolder to not inherit the permissions so they still get full read/write access within their space. I rarely add new extensions and they are often able to fall back to local storage which go into the browser-extension-data folder of the profile instead. The only extension that I allow IDB is uBlock Origin where storing its compiled snapshots with IDB makes sense.
So yes, it is more cumbersome than installing an extension but it still works as I try to keep external code to a minimum — especially when they can update to be entirely different without notice.
Thank you for this tip about the API Killer Bacon. This guy seems to live right inside his code… absolutely very interesting.
@Tom Hawack: â€œApple stated that turning off Ping would not â€œsolve the privacy implications of link click analyticsâ€ and that disabling it would result in companies using techniques that would â€œhurt the user experienceâ€.
I can really only interpret this one way — they seem to be saying that eliminating the pings is just another step in an ongoing “arms race” that can never be won, so the best thing to do is to surrender now.
@John Fenderson, defeatism is not usually a component of companies’ arguments, especially the big ones, as if the understatement was “Hey, don’t go breaking your heads trying to find workarounds to counter our fellow companies, they’ll beat you anyhow” :=) But you may be right considering that in an increasing competitive world wolves start being aggressive to their very owns (I’m not Marxist but Marx’s prophecy on capital clash is known and admitted by all).
Back to Champagne, bread & butter : what I was and am still wondering about is what techniques Apple was referring to, independently of what such a statement may implicitly be analyzed as (I remain prosaic here!).
@Tom Hawack: “what I was and am still wondering about is what techniques Apple was referring to”
Yes Tom, I agree with you. When reading that quote from Mozilla I thought, “Wow, Apple and Mozilla need a lesson in free markets”. They are creating a self-fulfilling prophecy by rejecting the dynamics of a free market.
If they allow me to disable pings, the worst case scenario is not that my user experience will be “harmed”. The worst case scenario is that people will boycott an annoying website and it will lose millions. Here’s a likely chain of events:
1. I disable pings.
3. The aggressive alternative annoys me.
4. I boycott the website for annoying me.
5. The website administrator realizes that a lot of users are doing the same thing as me, so he decides to soften his tactics.
6. I return to the website.
No need for my browser to act as my nanny and automatically lead me to an unwanted result.
@Jason, “They are creating a self-fulfilling prophecy by rejecting the dynamics of a free market.” : that’s what I had in mind indeed. No free markets when users aren’t free. I admit that the tone of the quote really surprised me, perceived first as defeatism (as i wrote above) then, thinking about it, as some sort of threat.
The chain you mention corresponds already to the way many of us deal with aggressively coded websites but the problem is that a minority’s rebellion never changed the world, even if there was always a minority’s rebellion before things changed. Hence I hope we will be sufficiently numerous to imagine reasonably an impact on dictatorial approaches of implicit (or explicit as our quote above seams to be) limits imposed to users of the Web. I hope but I’m skeptical to be frank. As i see it tomorow’s Web will be at the image of tomorrow’s society, an increased clash between those who know and behave consequently, those who ignore and those who don’t give a damn. People care less and less about their privacy. remember Google’s CEO stating that privacy would one day disappear? I still don’t know if our cherished privacy is cultural or native. But what I do know is that, should it be cultural, not defending it leads to far more than being naked on Tmes Square because there is no freedom of thoughts without privacy, bacause lack of privacy is an open door to manipulation and namely mass manipulation.
Let us stay aware, aware not paranoid. There are also many beautiful things, on the Web as elsewhere.
EDIT, correcting my poor English:
I wrote above “As i see it tomorowâ€™s Web will be at the image of tomorrowâ€™s society, an increased clash [….]” : increasing gap, not clash. The clash is between companies striving to monopolize, not between users :=)
You didn’t mention tracking via CSS. That method is not only impossible to stop short of knowing and blocking access to the tracking server through a firewall of Pihole, but you won’t even notice that it’s happening unless you’re sniffing you network traffic.
@John Fenderson, you and others here and elsewhere mention CSS tracking : can we elaborate on the specifics of this method? Is it what is called by some ‘CSS Exfil’, is it that only, is it more than that?
There’s a dedicated Firefox extension called ‘CSS Exfil Protection’ and the developer’s homepage includes a test page on which the method is described as,
“The CSS Exfil vulnerability […] is a method attackers can use to steal data from web pages using Cascading Style Sheets (CSS).” (https://www.mike-gualtieri.com/css-exfil-vulnerability-tester)
Wild Wild Web.
CSS Exfil Protection aims so defuse offensive CSS. Its maintainer should update as new attack methods are discovered.
I’ll try to explain how one of such techniques work. Notice how websites make links/buttons change color, animate, or whatnot when you hover your mouse or click on it. CSS allows the browser to be aware of these conditions and apply different visual effects. Therefore, by CSS alone, a website can change the background of something when you hover over or click it. If the background is set to change to an image, the browser will request that image from wherever it is on the web. The record of requests for this image will show all the details of who and when a person clicked on the link. CSS techniques can go as far as determine how long you kept your mouse over everything before you finally click on something.
While CSS tracking is not as powerful as JS-based methods such as Clicktale, which is basically a screen-recording of your entire time on a website, it is still difficult to detect unless you keep an eye on your network traffic.
@Anonymous, thanks for this introduction to CSS Tracking : I start to conceptualize the methodology, which was my main handicap (I always thought CSS was 100% harmless).
The technique you describe (one of several others as you mention), and which I understand, if it allows to follow the user’s movements on a page is nevertheless not as serious as stealing the user’s data, an issue handled by the â€˜CSS Exfil Protectionâ€™ I mentioned in my former comment, even if “stealing” should whatever tracking be considered as stealing (and I subscribe to that).
So it is.
CSS Exfil Protection’s author explains the data-stealing exploits in much greater detail:
In essence, it’s unlikely that site owners will use these methods because they can already do whatever they want on their site. Most problems come from depending on 3rd-party libraries, extensions, and services that they don’t control. If those get compromised or otherwise become malicious, they trickle down to all the websites that use them..
@thebrowser, @Anonymous, @John Fenderson, thanks for your comments regarding CSS Tracking. Most appreciated.
From now on (because I’ve discovered this vulnerability right here, even if I had installed the â€˜CSS Exfil Protectionâ€™ Firefox extension previously on the ground it seemed pertinent but without really understanding the context in fact (a behavior I usually avoid). What I really discover here is that CSS Tracking is multi-form.
@Tom Hawack, that’s not an unreasonable approach when it comes to privacy/security. In fact there are so many aspects of our daily lives where we all trust someone else’s judgement at some point, simply because we cannot keep up with all the things around us.
I haven’t installed the CSS Exfil Protection at all because the very nature of the vulnerability requires you, the user, to voluntarily enter information (most likely on a web form) that would be sent elsewhere. You should be already familiar anyway with common best practices when entering sensitive data: is the website you are on trustworthy, are you giving away more information that is actually needed for a given transaction, etc…
There is of course the matter that a website you trust has been compromised, but in that case is very likely that you have bigger problems to worry about.
By the way if you are ever curious just right click > inspect element on the button of a form and you will see right away if there’s something shady. For instance here on ghacks the “post comment” button has 2 hidden fields used for storing the comment id (not malicious) but if Martin was trying to steal my information, he would change them for something more shady which anyone could see easily. Also, it wouldn’t matter since this comment is public anyway.
Just so you have a better understanding on how it works and hopefully give you a little peace of mind :)
@thebrowser, I appreciate the tone of your comment (when I dislike I usually say so, so why not saying when we like?), calm and friendly. The little history describes Nietzche crying when he saw a man beating a dog; he cried not only for the suffering of the animal but also because it was relevant of humanity at its worst and because when you refuse to counter hatred and violence by hatred and violence you face either madness either a terrible sadness. Why I relate this story? In our context, privacy and security on the Web, more you advance, more you dig, more you know, more you discover the inner battle between vice and virtue, because virtue there is, just as in life, and as in life you may halt, breath, think and wonder : why? Why has the WWW become what it is? I do have peace of mind but of course I happen to be troubled with an increasing lack of ethics, and the tone of my comments (should the very content not be concerned) reflects that. You’ve perceived it and your comment friendly took into consideration my state of mind. As I said, I appreciate that, not only for myself but because nowadays sympathy seems to be a too feminine behavior to accompany what many men consider as a required in a man’s man’s world : virility free of compassion.
Sorry for this digression. I understand your explanation of the ‘CSS Exfil Protection’ extension, hence why you don’t use it yourself. You mention inspecting the element with the dedicated right-click menu item. Point is, once I’m in the Tools I barely understand half of the provided info. I know and agree : it’s up to each and everyone of us to get into the battle rather than cry. Not crying here but rather hitting my head with my fist each time I notice a sort of laziness :=)
As always, more you know more your action (or reaction) is properly tailored; concerning code, computers, digital life we often use tools which bring more than we specifically need (and the more may include less good side-effects) because we lack a wide view of the situation : context knowledge allows a tactic but a strategy requires a wider map.
I’ll think about using this element inspector you mention and find my way in the Tools area which for the time being reminds me of a cockpit, with little lights/switches everywhere (I love to end a speech with a little smile and/or laugh!).
Knowledge participates to freedom, so I’d better get up and dance, I mean embrace, I mean the codes, what else?!
Your explanation is far more complete and correct than the one I was going to offer: CSS tracking is basically the same as tracking pixels, but implemented in CSS rather than in the HTML document itself.
How would you block all hyperlink ping using uMatrix?
@Tom Hawack, CSS tracking refers to using the built-in capabilities of CSS to track users throughout the web. These capabilities are pretty obvious but powerful: modify the html document, listening for events (click button or link) and of course make external requests.
For instance to post a comment here in ghacks you have to click “Post Comment”, which may very well do just that but in addition to it sends a request somewhere else. Whoever gets that requests can collect data from your machine and where the request was originated.
Is very similar to CSS Exfil in that it takes advantage of CSS and that it has to be explicitly setup by the owner of the site. However Exil takes advantage of input fields used in forms, whereas links and buttons are pretty much everywhere, and are more prompt for user interaction. Also, CSS Exfil is malicious as in “I expect to steal data from you” whereas tracking is just that and can be used for many things.
i suggest you to use WebAPI Manager
It is great and you can disable many more apis without installing several addons but the con of WebAPI Manager is that it is unmaintained but it works great and i use it daily.
Also another of its cons is it won’t work with first party isolation enabled.
@Alidl, sure that ‘WebAPI Manager’ is (or was) an interesting Firefox extension, I had it running at one time but got to find it cumbersome because fine tuning (per-site included) wasn’t sufficiently elaborated. Also, as you mention it, that extension doesn’t support First Party Isolation…
There is as well another Firefox extension which may come in handy for advanced users : ‘WebAPI Blocker’, which I remembered when discovering the above mentioned extension ‘API-Killer IndexedDB’ … but finding the right API for non-techies as myself is sometimes tough : searching within that extension for APIs related to IndexedDB I had found 5 or 6 … I’m just unable to know the one(s) to choose in order to get what I get with ‘API-Killer IndexedDB’.
But thanks for mentioning, this might very well interest some of us.
@Tom Hawack – Thanks for the tip about this Developer. His extension UnLazy – https://addons.mozilla.org/en-US/firefox/addon/unlazy/ – makes Amazon and other sites so Much Faster and Usable.
Mozilla simply aren’t the company old. They’ve shown that they don’t deserve to be blindly trusted on multiple occasions. So the only browser that is showing it cares about this is Brave (will have to see if that lasts but hope so). I wasn’t sure about Vivaldi but checked and it’s turned on in it too.
Pale Moon / Basilisk, Waterfox, Ungoogled Chromium are also trustworthy IMHO.
Is it possible to turn it off in Vivaldi?
Don’t forget to mention Epic Privacy Browser
To make things worse, it seems that they are going to remove the pref that allows to disable ping tracking:
“We donâ€™t believe that offering an option to disable this feature alone will have any meaningful improvement in the user privacy”
That’s a very worrying statement, right there. I keep hoping that the modern Firefox will get better — at least enough for me to be OK using it — but I keep seeing signs (like this) that it will not.
and NoScript or AdBlockPlus are good to block pings in the browser?
I don’t know for certain, but I think that NoScript won’t address this.
They’re not even hiding the corporate gang bang down in california. Wouldn’t put my hopes on Brave.
Speaking of Brave, Gab.com forked Brave (Insert evil laugh here)
“”The popular content blocker uBlock Origin blocks pings by default as well, and it is available for Firefox, Chrome, and other browsers.””
Good. Two stones killed with one bird.
Martin, thanks very much for this article. It clearly shows that Mozilla is no longer to be trusted (and of course, hasn’t been such for a very long time.) Their clumsily obvious spin-doctoring remark about agreeing with Apple’s stance on the issue is an insult to even the most incompetent end user.
Both Apple and Mozilla are saying the same stupid thing. They’re saying if these pings are disabled then baddies could use another method to track you. So instead of blocking it they’re basically inviting them to use it. That’s some really twisted logic for so called privacy respecting companies.
More likely it’s that apple has its own ad network and mozilla are funded by the biggest ad network and they both use pings to track you.
Apple doesn’t have their own ad network.
They used to have iAd’s where they exercised strict control over the type of ads that could be displayed through their service, to prevent things like full-screen ads from taking over or things like that but they shut it down years ago and it only lasted a couple years.
Yes they do. Just one of the many, many recent links
I recommend you all to look up Librefox https://github.com/intika/Librefox
This project is not actively developed right now as Mozilla was complaining about “copyright”
More proof that Mozilla is anti-free-speech and anti-alternatives-providing – They ruined already Cyberfox – with making this developer unable to provide features and choice – they are on the best way to ruin Seamonkey with making their life harder and harder, and Waterfox is also forced to give up a big degree of their features and customization soon!
And why? Because Mozilla has NO mercy for other developers using their base-code.
Do you have sources about that copyright story ? Is that Google sock puppet Mozilla that’s drowning in dirty money now starting to threaten legally the small ressources forks that remove its malware like Librefox and Waterfox based on technicalities like their name or icon ?
Regarding Librefox’s status:
Awful. This is so low, even from them. Fuck Mozilla.
i don’t think mozilla can do anything with them as long as they don’t use icon and name of firefox
firefox is publishing with “mozilla public license 2” and its only copyright is someone can’t build binaries with the name or icon of firefox but there is no other limit as long as i know.
@Alidl: “i donâ€™t think mozilla can do anything with them as long as they donâ€™t use icon and name of firefox”
This is correct. Mozilla has always been clear that they will protect and enforce their trademarks (such as the icon and the “Firefox” name), but they have no interest in preventing forks and such. You just can’t call them Firefox or anything confusingly similar.
This is why Iceweasel had to change its name to Iceweasel.
@Lord-Lestat said on April 20, 2019 at 10:52 pm
Is your view “Alternative facts”?
But not the truth!
Both Cyberfox (Toady Smith / AU) and Waterfox (Alex Kontos / UK) are the ones created, maintained and managed by only one individual. After all, what an individual can do is limited. Keeping pace with Firefox development is a challenge, and it can be left behind.
Cyberfox the practical use of the Firefox 64bit is in focus, the purpose has been achieved. But after that, it was difficult to continue to follow Firefox’s development speed, and it was until he decided to end that development.
However, PaleMoon and Waterfox are doing well.
Seamonkey is a community driven Suite app (https://www.seamonkey-project.org/), but mozilla officially supports it.
Alternative facts (that in fact, fake news, Demagogie), let’s stop!
Everyone who says that Mozilla is still the same company like they have been years in the past are either deceiving people on purpose or are just over-the-top enthusiasts who can not admit that Mozilla has lost their way.
Let’s make a small list:
– Censoring Conservatives
– Ignoring/Censoring people with a Conservative opinion
– Censoring Conservative resources
– Censoring free-speech resources
– Abandoning their origin user-base for simple/Chrome users
– Becoming equal worse like Google/even worse than Google
– Unwilling to admit they made mistakes and go on no matter what
– Ignoring their users on purpose – as Mozilla “knows what users want”
Also they like to complain that they get “sabotaged” by other parties – while in reality it is Mozilla’s own inability to have been able to protect their company from outsiders who have been able to influence/control Mozilla’s decision making process!
Old Mozilla would never have been that ignorant and dishonorable on purpose.
I think you are referring to them banning the “Dissenter” extension, right? I heard about this on the Firefox subreddit.
This was a legally valid removal, 100%. Mozilla doesn’t have to host the extension, AMO is their property, and by removing Dissenter they were exercising their property rights. They don’t have to host any extension if they don’t want to. And if they don’t want to, why force them to?
Dissenter is being used by the Alt-Right, not really monitoring the comments for hate speech (i.e. discriminatory, insulting comments). I wouldn’t want to host such an extension, either. Discussion is fine, but it should happen in a matter of fact way respecting basic human dignity.
Again, Mozilla is a private organization / company, AMO is their property, they decide which extension they host and which they don’t. If the state itself had forbidden the extension, then you could start crying “suppression of freedom of speech!!!”. Again, private organization -> property rights regarding AMO.
And just so that you know, you are free to agree or disagree with the removal (you obviously disagree), but it was 100% perfectly legal to remove it.
Every time you call the far-right “alt-right”, you’re helping them a little, implying that they’re more an alternative than extremists. It’s sad that this marketing trick had success even among their enemies.
And if Mozilla removed Dissenter from AMO, I can also remove Firefox from my computer and watch their ever shrinking market share go into oblivion.
Good job Mozilla. Your decisions will lead to your downfall. I am on Brave now because of their move.
Also, Dissenter is not Alt-Right, because it’s not an echo chamber. Have you ever bothered to go to https://dissenter.com/ to check the comments? I think you’ve been fed the same propaganda by the legacy media (you might call it “mainstream”, although it’s losing relevance so fast, it will be gone before long).
Brave is very good for future of chromium forks but they are not that much innocent company that you think:
although they fixed this now.
Everyone has to eat, drink, find shelter, maintain health etc. Common sense says people don’t work full time on a project and not receive payment of some sort. Only a fool would think they are getting something for nothing. Somehow, whatever program you are using is finding a way to monetize. Cash up front or sneakily is your choice. However, there is no guarantee cash up front will not also include sneaky tactics to raise more cash.
That was looking at the corporate level. Down at individual level inside organisations individuals suffer varying degrees of greed. A small percentage may be bad enough to inject a little code that serves their greed and does not comply with stated terms and conditions.
Its a greedy, corrupt world.
I think you’ll need to actually provide evidence regarding your claims of political censorship. I don’t see where such a thing has happened.
John Fenderson said: â€œI think youâ€™ll need to actually provide evidence regarding your claims of political censorship. I donâ€™t see where such a thing has happened.â€
He may be referring to, among other things, the lynch mob campaign against Mozilla founder and CEO Brendan Eich when it was discovered in 2014 that six years earlier he had donated $1000 in support of Californiaâ€™s Proposition 8 which defined marriage as between a man and a woman. For his sin and thoughtcrime of privately expressing his political rights, he was pilloried to such an extent that he very soon resigned and left Mozilla entirely.
@Anonymous: “He may be referring to, among other things, the lynch mob campaign against Mozilla founder and CEO Brendan Eich”
But that really doesn’t look like political censorship to me. Nobody told him that he couldn’t speak out, and nobody try to suppress what he was saying.
Right or wrong, what happened to him was a whole lot of other people speaking up in response, and Mozilla making a business decision about how to react to that.
“Freedom of speech” does not mean “freedom from people reacting to speech”.
@John Fenderson: Iâ€™ve always found your comments to be reasonable but this time Iâ€™m surprised. If someone being forced out of their job because of a political donation (which is Constitutionally-protected free speech) made with their own money in their private life, if that doesnâ€™t look like political censorship then I donâ€™t know what does. Weâ€™ll just have to agree to disagree on this one.
â€œNobody told him that he couldnâ€™t speak out, and nobody try to suppress what he was saying.â€ Really? I canâ€™t believe you say this. John have you ever voted? Or made a donation of any kind to a candidate, cause, church, or charity? Letâ€™s say that you have, and then several years later someone finds out which way you once voted, or who or what you once donated to, and such a furor is whipped up over it that your employer leaves you with no choice other than to resign or be removed. The issue it not whether you were told that you couldnâ€™t speak out or were suppressed from doing so, but that AFTER the free exercise of your rights you were penalized for doing so by being forced out of your job by your employer.
â€œRight or wrong…â€ In a democratic country such as the one where this regrettable episode took place, where freedom of political and religious expression is guaranteed and protected under law, such retribution for exercising those rights is clearly wrong.
â€œwhat happened to him was a whole lot of other people speaking up in response, and Mozilla making a business decision about how to react to that.â€ Yes, a â€œwhole lot of other peopleâ€ spoke up in response, both supporters and detractors, but this is beside the point. Whether lots of people spoke in response, or only a few, or none, it has no bearing whatsoever on any citizen exercising their Constitutionally-guaranteed rights and being free from subsequent harassment, abuse, termination at work, etc., as a result of exercising said rights. An employer is not entitled to violate these rights, even if they or you call it a â€œbusiness decision.â€
“Freedom of speech” does not mean “freedom from people reacting to speech”. Uh, okay, but again, this is irrelevant and does not justify retribution against someone in the form of them ending up being forced out of their job because of how they exercised their protected rights to political and religious expression. Weâ€™ll just have to agree to disagree on this one John.
I’m sorry that I didn’t notice your comment until now. I’m not sure that you’ll see my response, but here goes…
I am not saying that being fired because of past behavior that your employer has serious problems with is a good thing. I think it reflects poorly on the employer, and I think a strong case can be made that it shouldn’t be legal.
I just don’t think the underlying issue is a freedom of speech issue.
As long as there’s an option to disable it in Firefox, people will still laud them as The One True Browserâ„¢.
They seem to want to make it impossible to disable.
â€œWe donâ€™t believe that offering an option to disable this feature alone will have any meaningful improvement in the user privacyâ€
But that won’t stop the fanboys’ veneration either, I think that they’re ready to swallow anything.
Whilst allowing this *miiiight* lead to a reduction in the plethora of trackers that sites pump down our pipes at increasingly unfeasible levels, it is also something that browsers must give users the simple option to disable.
What we need to know is how this is going to interact with Do Not Track and or per-site permissions.
It’s possible this will be another per-site permission users can tweak. But users must still have the option to disable this across the board (globally).
Otherwise, it really is inconceivable that Mozilla can still claim to put user privacy first and support this.
For a long time, I’ve right-clicked on links and copy/pasted them, to remove such items of crappiness. Yeah, it’s a small inconvenience, but it prevents more… er… crappiness!
This is the best advise anyone can give on security/privacy online. Takes 2 seconds and saves you from spam and possibly malware, plus of course tracking by who knows how many 3rd parties.
I also recommend using different profiles while browsing, each restricted to specific activities/identities online and with different settings, themes and add-ons.
Just enter ping in about:config search: there’s a whole lot of the ping thing going on.
Notifying a completely different domain that we clicked on a link is just wrong and a huge invasion of privacy.
Mozilla needs to rethink their twisted logic, and at the very least, keep the pref to turn off pinging.
BTW, with such a small marketshare, would a majority of advertisers really create a completely different tracking scheme just for Firefox users? Something to think about.
It won’t have an effect on current tracking methods. It might give analytic companies less incentive to innovate new methods to track. Supporters of enabling pings by default probably think that tricks like sneaky CSS-based click tracking may not have been invented if pings did the job.
@Anonymous: “Supporters of enabling pings by default probably think that tricks like sneaky CSS-based click tracking may not have been invented if pings did the job.”
That’s what it sounds like, but that argument is unsupportable. If more than a tiny percentage of users disable pings, then the spies will just use the alternate methods anyway. If it is not possible to disable pings, then privacy-conscious users will have lost anyway.
great said, agree.
Make your opinions known to Mozilla: https://qsurvey.mozilla.com/s3/FirefoxInput/
They have proved enough during the last years that they do not care at all about users opinion, it’s Google deciding and them obeying to keep the money flowing. They exist only to give a “we’re the good guys” color to evil Google’s decisions for idiots who haven’t yet understood.
So simply hovering over a link in a phishing/spam email can ping the spammer?! how is this a good feature?!
No, hovering over the link does not trigger the ping. You have to click on it.
You can do link tracking with any decent analytics script. Google analytics for example. So enabling this by default doesn’t hurt anyone. I agree with FF’s stance on this.
Analytics scripts are disabled when you use uBlock Origin, wanker.
Dear friend seems that you didn’t read martin’s article carefully, pings also will disable when you install ublock origin!
“pings also will disable when you install ublock origin!”
Thankfully ublock origin is here to defend users against some of Mozilla’s tracking defaults. Until Mozilla decides that extensions can’t directly disable pings either. We’ll see. The arms race against tracking is no longer between Mozilla and trackers, it’s between users and Mozilla.
Anonymous said: â€œThe arms race against tracking is no longer between Mozilla and trackers, itâ€™s between users and Mozilla.â€
Amen. Man, if that isnâ€™t the truth… Extremely well-observed and well-put. Sad days, indeed. This â€œtracking every link clicked on,â€ by default and with no way to disable it, is ABSOLUTELY UNACCEPTABLE. It doesnâ€™t matter that more knowledgeable advanced users may be able, this time anyway, to stop it by installing a certain extensionâ€“the vast overwhelming majority of FF users will never even know they are being tracked this way. This is completely indefensible and unacceptable, and Mozillaâ€™s and Appleâ€™s specious â€œjustificationâ€ for it is just doubletalk-BS that insults oneâ€™s intelligence.
Well, you said it: script. Those people disabling scripts will now be tracked too.
Do you know the magic 1×1 images that are loaded in many sites?
They are used for tracking, as you load them, they send a ping to some tracking server or open a beacon for google telemetry. All is used for better search results on google and focused ads in your browsing.
Now M0zilla seems to agree with all of that.
Luckily I have uBo, NoScript and a local proxy that strips out most of these dangerous pings and soclet connections.
M0zilla, I dare you.
Just curious, what’s the implementation of the local proxy? I’ve been looking for something lightweight for traffic analysis/interception. My makeshift python server that I use for testing isn’t exactly pretty so I’m open to better solutions.
SOS about firefox being no longer trustworthy. If you can’t do config mods, it never was trustworthy but it’s getting junkier for sure.
Chromium is not modifiable to the extent the trustworthiness proponents seem to think. Google owns Chromium and parts of it are locked down; they license the parts that can be changed. Don’t know how google can call chromium open source when their licensing method doesn’t require the source code to be published. They do publish something…
Chrome is malware, google blatantly calls it a browser based user ad data collector. MS’s chromedgium can’t possibly have seen the light except maybe an enlightened way of grabbing even more user data.
Firefox ESR is a nice browser; not at all like the release channel version. If mozilla decides to give up on business users and dumps ESR, I hope someone who knows firefox’s innards continues it.
One can use any browser desired, not worth even arguing over the subject; don’t jump out of the frying pan into the fire though.
Taking the word of any of the tech/social media companies at face value is foolish. They intercept your information and waffle about how it’s not important information. Then why do they take it? If that’s the game, fight back with blockers, VPN’s, whatever you need. Screw them!
I fail to understand the Mozilla bashing in comments. Enabled by default in nightly (68) and I see no reason why it would change in the future.
nano blocker has a forefront option to block this as well. Default=ON too.
A lot of comments so far are counter productive and meaningless. Have GH readers been swapped for ADD afflicted kids ?
Mozilla plans to remove the about:config option to disable it, disrespecting user choice. Also, enabling it in the first place is questionable at best.
ping, no ping, who cares.
kindergarten to actual privacy – violations and opportunities. the argument is logical, but there is no logical need to remove “the user – choice” (again). s. hentschel, what do you have to say about this? wait, i know it. because i remember.
ultimately not a single browser is usable.
brave would be usable but with an ethically/politically very “questionable” context (+ former but longtime “leaks” to facebook, twitter & co.). disgusting. but i have to use this ethical – mess.
iridium would be usable if there would be more effort. a new version every 6 months = a security risk. furthermore, debian-based systems are discriminated and a senseless suse – retweet shows what “the team is made of”. suse.. . and what’s their account on _facebook_ for? shame on https://osb-alliance.de/ & co – partners. . event after event (similar to suse/opensuse) & paper after paper, lot of words and “good” intentions are useless in these days. invent in this browser. do something. or clear the field & s.u. . same @eff. self-praise stinks.
unggogled chromium = questionable addon that can’t even be removed. non-transparent & a new version every x months like iridium = a security risk.
gnome or kde specific browsers : all negligible, ugly, pointless. falkon with adblock – plus (or was it adblock or a fork of whatever – it doesn’t matter, because it’s not ublock origin). no thx.
moon-water-whatever: outdated. not my community. i’ll never use it, though it’s probably the smallest nasty thing of all.
vivaldi, opera : non-ungoogled = senseless. & opera .. ist not opera anymore, it’s a threat. & vivaldi -> time cannot be turned back, mr. tetzchner (ok, it’s “possible” on the basis of the “time-idea”:
.. but not for you).
edge : .
programmers all over the world: you hurt & manipulate the normal end-user. for decades (wouldn’t that be the case, the web & co. would look different today). not only in a browser – context, in any IT – context.
not politicians and managers penetrate into the privacy & co. of the end-user (they are too stupid for that), but you programmers do it. for your “company”, for your “goverment”, for $, for selfish – reasons. but not _for the end – user_ (there are exceptions, but these can be counted with one hand).
non – metaphor:
(mr. lunduke, when he wasn’t a contradiction in itself. sry. but all the best)
most (not all) of you don’t have a spark of ethics in you. no wonder – you’re too concerned with algortihmic – processes and identify yourself with them. but goedel and turing point out your limits. and this is where it can start.
cheerful simulating for : [ …… ]
When you started off by suggesting that pings are insignificant, I didn’t expect the rest to be of such a strong opinion. While not to the same extent, I mostly agree with the sentiment on each topic.
As FF becomes increasingly tedious to configure for security and privacy, I’m exploring my options and ungoogled-chromium looks the most promising. It’s not an addon as you describe; it’s just a collection of patches which gouge out chunks of Google integration in chromium. In the process, it breaks quite a few things such as installing addons from the webstore. There are no official releases — just ones created by users who share their own builds — thus the conception of being out-of-date and opaque.
Firefox is actually the only one technically alternative – thats the only reason to choose Firefox. We use Firefox not for their political conception but to keep the diversity. One browser in the market is awful for the customer – Vivaldi Opera and Brave they re actually chromium based. The same engine.
so… If this PING sends a PING-FROM header or text field, with my wan ip address, and I am using a vpn for my privacy, does this destroy my use of the vpn fro privacy ?
thx4 your response, yep, after some research a few weeks ago i got a similar result concerning u-chr. & this addon, whose name i forgot. but i also read somewhere else that this addon can’ t be trusted for reason xy (forgotten). but what i remember: the nitrux os – developer(s) replaced the u-chr. – appimage with the waterfox – appimage. therefore, it’s all too nebulous for me. too “fuzzy”. otherwise u-chr. would be an anchor in distress. but the mentioned security – risk remains. similar to a part of the iridium-argument.
actually i am personally (still) too shocked by the archive.org (“robot/human”) – attack. this was (the attempt) of modern “book burning”. and i’m also shocked by twitter, reddit, protonmail, ibm/redhat/fedora/suse/opensuse/endless os/firefox .. .. .. . a never ending list.
however, let’s take a look to the night sky, not only the web.
While reading the article, I’m asking myself, if Mozilla has still all the pickets on its fence.
“We use Firefox not for their political conception but to keep the diversity”:
Mozilla don’t know the meaning of the word.
A quick look at the top 22 MozCo majordomos (leadership)…. not one black face.
Can you say bloody hypocrites?
Arman said: â€œFirefox is actually the only one technically alternative â€“ thats the only reason to choose Firefox. We use Firefox not for their political conception but to keep the diversity. One browser in the market is awful for the customer â€“ Vivaldi Opera and Brave they re actually chromium based. The same engine.â€
@Stan: You misunderstood and/or conflated the â€œdiversityâ€ to which Arman was referring in his original postâ€“easy to do, I know, since other â€œPCâ€-types co-opted the word 30 years ago and caused this confusion. Armanâ€™s point was that the engine which Firefox uses is really the only alternative to the chromium engine which many other browsers use: Google Chrome, Vivaldi, Opera, Brave, and now Microsoft Edge. At least we have an alternative to using Googleâ€™s Chromium engine for browsing…
No, I didn’t misunderstand, Mozilla and Diversity should not be mentioned in the same breath/sentence. ;)
Want privacy enhanced, no compromise making browser?
Cyber Dragon is a nice inspecting browser, thank you Mr. Froberg.
My pleasure. :-)
I try to get the 1.9.0 for public download out ASAP, and keep adding features and GUI controls
as I go toward version 2.0.
1/ Locate these entries in about:config in the next Firefox update.
2/ If found disable them. They are as follows:
browser.send_pings – set to false
browser.send_pings.max_per_link – set to 0
browser.send_pings.require_same_host – set to false
3/ If not found, install Ublock Origin, and ensure that hyperlink auditing is set to disabled in the settings of the addon, this will achieve the same result, whether or not the entries in about:config in the Firefox update are present or not.
I do not like prying dictatorships, do you ?
Thank you for your attention.
Glad I don’t have to worry about this garbage – my last install of Firefox was replaced by Waterfox 6 months ago after FF 52 ESR expired :)
@Tom Hawack, I completely agree with you there. We should take the time here and there to help with what we can, be it in person or online, even with the smallest of gestures (something as simple as saying ‘thank you’ or a smile when greeting people really does make a difference). This is specially true, at least in my experience, in the field of computer science, programming, etc, where very capable people often talk down to others for asking questions, which is how we all learn anything at some point.
I think it’s important to make people aware about the privacy implications about today’s technologies, something to incredibly overlooked but that actually impacts our lives every day, increasingly so since the past few years (and will continue to increase). Therefore I don’t mind taking the time to research something new that I don’t know, or dropping a few lines to explain something for people that are interested. Even when it comes to ‘newbie’ questions or something that has been answered already, it is still worth it. This is not to say that you asked something repetitive or ‘newbie’, as this is definitely not something you would know unless someone told you or read it about it somewhere.
In any case, the important thing to do is to stay curious and learn not only by asking but also by explaining things to others, debating, being wrong. These things take time, but it is time well spent :)
You can fix many things with uMatrix
but I’m not sure how to go about blocking hyperlink pings.
@Anonymous said on April 28, 2019 at 1:05 am
You can fix many things with uMatrix
but Iâ€™m not sure how to go about blocking hyperlink pings.
How to block ping (Packet Internet Groper) with the extension “uMatrix”:
Enable the following items.
Optionï¼žSettingsï¼žPrivacyï¼žBlock all hyperlink auditing attempts
Hyperlink auditing is a mechanism which allow a party, any party, to be informed about which link a user clicked on a particular web page. It is essentially a tracking feature: it allows a web site, or any third-party to that web site, to be informed about which link you clicked on which one of its web pages. The sole purpose is to track your browsing activity.
About how to use “uMatrix”
Randomly assembled documentation: https://github.com/gorhill/uMatrix/wiki
Thank you. So far my uMatrix experience is error and trial ðŸ™‚ However, I am beginning to understand it. Documentation and example should help enormously.
An explicit ping attribute makes it easier for content blockers; with a redirect there’s nothing you can do but with a declarative attribute it’s clear what to block.
But still we need a DuckDuckGo browser for desktop. Restoreprivacy guides are paid shill. Check his backlinks, full of donation networks.
result in companies using techniques that would “hurt the user experience”.
That’s why besides family, I don’t recommend to anyone adblocker. If all start using it, companies will find something that ultimately will do even more harm.
Also, Edge Chromium Dev which uses Chromium 76 the flag gone for good.