Mozilla plans to enable Hyperlink Ping Tracking by Default in Firefox - gHacks Tech News

Mozilla plans to enable Hyperlink Ping Tracking by Default in Firefox

A new Bleeping Computer report by Lawrence Abrams suggests that Mozilla plans to enable Hyperlink Ping Tracking by default in the Firefox browser.

Firefox is one of the few browsers that has the feature disabled by default, another is Brave. Most Chromium-based browsers, Google Chrome and Opera, as well as Microsoft Edge and Safari have the feature turned on by default.

The browsers that have the feature enabled already won't allow users to disable the feature anymore in coming versions. Chrome users, for example, can disable Hyperlink auditing in the browser currently on chrome://flags if they run the Stable version. Chrome users who run Beta or other development versions won't find the feature listed anymore as Google removed it from the list of available flags.

chrome hyperlink auditing
Chrome 73.0 Stable
chrome no ping auditing
Chrome 75.0 Canary

What is Ping Hyperlink Auditing?

Links, or hyperlinks, are a fundamental HTML feature that loads another resource when a user activates it.

Ping is a new attribute that can be added to links to send information to another resource. Here is an example: <a href="https://www.ghacks.net/ ping="https://www.example.com/">This</a>

When a user clicks on the Ghacks Link, Example.com is notified that the click happened. It is possible to notify one or multiple resources about the link click.

What is bad about it?

Ping is used to track link clicks. The nature of how that is done is not transparent to users who click on links, as the ping attribute is not shown and links with pings are not highlighted when a user hovers over the link in the browser.

While it is possible to check the source, it is not comfortable and unlikely that many users will do so.

Apart from privacy, at least one case has been recorded where pings were used for denial of service attacks.

And Firefox?

firefox pings tracking

Mozilla told Bleeping Computer that the Ping has not been enabled by default in Firefox already is because the feature is still being implemented.

Asked about the privacy implications, Mozilla told Bleeping Computer that it agreed with Apple's stance on the issue. Apple stated that turning off Ping would not "solve the privacy implications of link click analytics" and that disabling it would result in companies using techniques that would "hurt the user experience".

Sites would often check for supported tracking features and would simply switch to another if Ping was not available.

Firefox supports a preference currently that determines whether pings are enabled or not. The preference is set to False currently which means that it is not used.

Firefox users can check browser.send_pings on about:config to configure it. Whether that preference will remain in Firefox once Mozilla enables Ping functionality remains to be seen.

Solutions

Chrome users may install Ping Blocker to block pings in the browser. The popular content blocker uBlock Origin blocks pings by default as well, and it is available for Firefox, Chrome, and other browsers.

Brave is one of the few browsers that has the Ping attribute disabled.

Summary
Mozilla plans to enable Hyperlink Ping Tracking by Default in Firefox
Article Name
Mozilla plans to enable Hyperlink Ping Tracking by Default in Firefox
Description
A new Bleeping Computer report by Lawrence Abrams suggests that Mozilla plans to enable Hyperlink Ping Tracking by default in the Firefox browser.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:


Previous Post: «
Next Post: »

Comments

  1. Iron Heart said on April 20, 2019 at 8:42 am
    Reply

    Mozilla – respecting your privacy as always.

    The funniest part in all of this are the fanboys who claim that Mozilla inherently cares about privacy in spite of them being funded by Google. When will they learn?

    1. Robert said on April 20, 2019 at 4:00 pm
      Reply

      Yeah agreed. The option of signing into a Microsoft account was a red flag for me. I checked about:config and this pinging feature is disabled for me so far.

    2. Kevin said on April 20, 2019 at 7:13 pm
      Reply

      Presumably, like most corporations, they care about money most of all. And if, oh I don’t know, Google were to approach them and say “implement this or else our partnership is over”, I’m pretty sure they’d get right on it.

    3. Shadow_Death said on April 20, 2019 at 8:50 pm
      Reply

      Honestly I’ve always been a Firefox fanboy. I really enjoyed their privacy features that they built in…. Then there’s this… I have absolutely zero faith that this won’t end up being use maliciously by some websites. I just can’t get behind it and because of that I’m officially switching browsers. :/

      1. Just As Angry As You said on April 25, 2019 at 1:40 pm
        Reply

        When you read the fine print you’ll find there are no other major browsers that “respect your privacy*”.

        Only current options are Waterfox or Coldfox, both forks of Firefox which so far have managed to circumvent Mozilla’s descent into silicon-valley-spyware. Time will tell how well they can keep it up.

      2. Jacob Siegel said on April 25, 2019 at 9:19 pm
        Reply

        I’ve been using Brave as a result of this. I really can’t trust Firefox to not protect me against some of the more malicious trackers. If they’ve capitulated in this instance… what’s to stop them from capitulating in every other instance?

    4. Anonymous said on April 21, 2019 at 3:23 am
      Reply

      Maybe they added it to maintain compatibility with Google-Microsoft Chrome browser standards? Don’t blame Mozilla, blame the Five Eyes, Russia and China. We need legislation against corporate-government collusion.

    5. thebrowser said on April 21, 2019 at 8:27 am
      Reply

      Just curious: what do you recommend?

      1. Iron Heart said on April 21, 2019 at 9:11 am
        Reply

        @thebrowser

        Pale Moon, Basilisk, Waterfox, Ungoogled Chromium, Brave, Iridium

      2. thebrowser said on April 22, 2019 at 6:28 am
        Reply

        From those I have yet to try Basilisk. I tried Iridium very briefly but immediately decided it was not my cup of tea (just personal preference, maybe it has changed). I prefer Waterfox over Pale Moon although I don’t use a lot of extensions overall, and Ungoogled Chromium over Brave but I don’t really like either of these two.

        To that list I would add Bromite for Android, which takes a mix-up of Ungoogled Chromium, Iridium and others to make an excellent browser with ad-blocking capabilities.

        My main browser is indeed Firefox, it’s “easy enough” to customize (but you can complicate this as much as you want) and supports pretty much all add-ons that I use (which admittedly is not an extensive list). I use Waterfox ‘on the side’ but almost as much as Firefox, just for different purposes and add-ons. My Chromium-based favorite is actually Vivaldi. Unfortunately I don’t get to use this one as often as I’d like due to the privacy implications, and when I do it’s within a very restrictive setup.

      3. owl said on April 22, 2019 at 10:09 am
        Reply

        what do you recommend?

        Best Secure Browsers that Protect Your Privacy
        https://restoreprivacy.com/secure-browser/

      4. owl said on April 22, 2019 at 10:53 am
        Reply

        Postscript:
        Best Secure Browsers that Protect Your Privacy
        https://restoreprivacy.com/secure-browser/
        The recommended browser is clearly stated as “after all, it is Firefox and its fork specifications (Waterfox, PaleMoon).”

      5. Tom Hawack said on April 22, 2019 at 11:46 am
        Reply

        @owl, interesting article, interesting site that I discover, restoreprivacy.com, that I’ll keep as a reference along with privacytools.io

        The article you mention, ‘Best Secure Browsers that Protect Your Privacy’ is indeed worth being read. It reminds us as well that Firefox is the leader when it comes to users’ privacy. And maybe because of this leading position many users express frustration when not hatred when what they consider as an offense to privacy (and which may be occasionally true) is encountered on a browser who’s credo is privacy, as if Chrome brought modifications slowing it down).

        My point is just to emphasize on this : a compromise doesn’t mean as such a compromise of principles, a dishonorable behavior. Life is a compromise, society is a compromise.

        When Mozilla builds and modifies Firefox what is the company’s guidelines?
        A radical attitude such as Tor’s will interest and involve a small minority of users;
        An open-bar attitude such as Google’s Chrome will interest and involve a majority of users because a majority expects speed rather than privacy but also because many basic users want an install and forget application and feel concerned by privacy, if ever, within that limit.

        My opinion is that the very philosophy of Mozilla is to conciliate privacy with a sexy browser that remains attractive for a broad majority : the balance is a tough challenge because if you focus exaggeratedly on top-notch features and stay up-to-date with latest gadgets you may lose privacy-concerned users, and when focusing on privacy you may loose amateurs of easiness and feature-rich combined to speed browsers.

        So Mozilla’s position, IMO, is definitely a quest of balance. Of course mistakes are made, inevitably (or at least what I, we consider as mistakes) but I am strongly convinced that if we understand this company’s position we’ll be less likely to spit as some of us do on the slightest modification we consider as a betrayal of privacy : the odyssey is to carry on a browser without making it a techie’s only delight but simultaneously without abandoning what is at heart of the company (and I believe it is) : respect of the user.

      6. Alidl said on April 22, 2019 at 7:40 pm
        Reply

        @Tom Hawack

        I totally agree with you
        Mozilla wants to be a major browser so it can’t do something that makes developers angry.
        But in the heart most of it can be customized for privacy in oposite of chrome
        So in my opinion there isn’t so much bad in enabling this by default as long as they keep its option to disable in about:config

        =============================================

        Also some notes to some other friends
        Please Don’t use small browsers that claim to be secure or private
        choose between browsers that have big teams because:

        1. a small browser can spy on its users withput anyone noticing
        (open source don’t work here because you should read all source for every release and complie the browser from source yourself to be certain and binaries that they offer can have malicius codes that isn’t in their public source code!

        2. A small browser can steal its users passwords, credit cards info, browsing history and …

        3. A small browser can be vulnerable because keeping up with zero day exploits is hard for small teams.

        I suggest to read these articles:

        https://www.howtogeek.com/108384/6-alternative-browsers-based-on-google-chrome/
        https://www.howtogeek.com/100361/how-to-optimize-google-chrome-for-maximum-privacy/
        https://www.engadget.com/2016/07/18/opera-browser-sold-to-a-chinese-consortium-for-600-million/

      7. OzMerry said on April 25, 2019 at 9:44 am
        Reply

        @Alidl

        “Mozilla wants to be a major browser so it can’t do something that makes developers angry.”

        And they did *not* do that when they introduced WebExtensions? Not to mention users!

      8. Alidl said on April 25, 2019 at 3:27 pm
        Reply

        Yes, you are correct but what i wanted to say was about web developers.

        I mean mozilla can’t do something that will increase the probability of it be banned by web developers and site owners may block it if it be strict about adblocking and strict tracking protection and …

        Because it should don’t keep bias about good tracking and ads because they are legit.

      9. GetSomeFacts said on April 25, 2019 at 1:28 pm
        Reply

        That’s all paranoid bullshit that just serves to sheepdog people back to the silicon valley megacorporation cartel.

        Everything based on chromium has the same problem: Chromium was designed by google.

        Whatever their flaws, Mozilla based browsers are the ONLY option for anyone who values privacy.

      10. Anonymous said on May 6, 2019 at 3:33 am
        Reply

        Exactly. I’ll never get why people just can’t accept that already. Anything Chromium based should never be trusted no matter how good it might sound. Google/Yahoo/MS/AOL/Skype/FB/Twitter, etc, along with all of the shitty mainline browsers are all on board and working with governments globally to pull off whatever insidious shit that benefits them and ONLY them. Have people heard of the Snowden Leaks, ffs? Or what Julian Assange said about all of this nearly 10 years before it ever came about? Lol…these big tech companies don’t give one rat’s ass about anyone or their privacy. Forget last on their list, its not even on their damn list.

      11. K B Tidwell said on April 23, 2019 at 3:07 pm
        Reply

        Excellent comment.

      12. Anonymous said on April 22, 2019 at 2:34 pm
        Reply

        @owl

        About this restoreprivacy.com page : it says Chrome is a “Browser to avoid” and lists why it is a botnet on this picture :

        https://cdn-resprivacy.pressidium.com/wp-content/uploads/2018/05/google-chrome-tracking-.jpg

        Then it lists Firefox in the “Best secure browsers” section, but fails to say that Firefox does exactly the same as what Chrome does according to this picture (except asking to login to a Google account) :

        – sends the name of the file you’re downloading to Google
        – every URL you even begin to type in the address bar is sent to Google
        – connects to Google every 30 minutes
        – connects to websites in the background before you are even finished typing them in

        I wouldn’t trust a site that’s so misinformed.

      13. Anonymous said on April 22, 2019 at 6:44 pm
        Reply

        @owl
        The misleading page I’m talking about is https://restoreprivacy.com/secure-browser/ .

        The problem with this page is something we’re seeing too often : people getting angry at Google when they learn about the spyware features and praising Firefox for not doing the same, but when soon exactly the same features are integrated in Firefox, they suddenly change their mind and decide that the benefits were worth the privacy cost. This is exactly what happened with ping tracking, by the way. This tells much about the role of Mozilla in making people accept the continual privacy erosion.

      14. Some anon said on April 25, 2019 at 3:38 pm
        Reply

        The difference is all the things you mention in Firefox are just optional defaults which you can change. Chrome doesn’t give the user any choice in the matter.

        It is completely unfair to equivocate those situations.

        Literally everything you mention is unclicking three checkboxes in about:preferences

        Once you have changed those settings any updates to Firefox will respect them, so its like a minute of your time to change those things if you want.

  2. Benjamin Morgentau said on April 20, 2019 at 9:23 am
    Reply

    …in other words, we as a society nor the individual have absolutely no say nor do we have any rights on all this issues. It is clear that a few mighty players dictate what and where our steps go and who else shall know about it…

    Good luck with a privately regulated internet and everything else that has and will come along with it. I do not like this at all no matter in which form it comes along. Liberalised private regulation is the antagonist of every democratic society…

    1. John Fenderson said on April 23, 2019 at 8:53 pm
      Reply

      Benjamin Morgentau: “we as a society nor the individual have absolutely no say nor do we have any rights on all this issues.”

      I honestly don’t agree with this characterization. We certainly have the right to control what happens on our own machines. However, we are engaged in a battle of sorts with those who wish to infringe on that.

      So, this is the sort of “right” that nobody but ourselves can enforce, and that takes effort and vigilance.

  3. Tom Hawack said on April 20, 2019 at 11:04 am
    Reply

    Quoting the article, “Apple stated that turning off Ping would not “solve the privacy implications of link click analytics” and that disabling it would result in companies using techniques that would “hurt the user experience”.

    I’d like elaborating this assertion. Meanwhile here on Firefox browser.send_pings is set to false as well as browser.send_pings.require_same_host is set to true (the latter obsolete of course when the former is false).

    But because behind-the-scene events have always preoccupied me, and not being sure Firefox’s dedicated ‘browser.send_pings’ is truly ping-proof, I’ve installed as well a dedicated extension:

    ‘API-Killer-Beacon’ at https://addons.mozilla.org/en-US/firefox/addon/api-killer-beacon/

    The developer has several interesting extensions among which a few other API-killers.
    I use as well his ‘API-Killer-IndexedDB’ which allows me to visit a site without that site lay its data in my indexedDB folder ( PROFILE\storage\default\) when cookies are not blocked : no side-effects/issues up to now.

    1. Anonymous said on April 20, 2019 at 4:47 pm
      Reply

      Checked out the addon you mentioned. The project on Github doesn’t have the actual source accessible. Instead, there is a password-protected archive, which alarmed me, but the actual code looks safe. It essentially uses browser.webRequest.onBeforeRequest to block type connections and attempt to overwrite the JS API per page. I added the same functionality to one of my private extensions back at the transition to Quantum/57.

      My method of preventing idb is surefire but hacky. Without modifying preferences/API, I directly changed the write permissions of the storage folders in my FF profile. I do the same to prevent crashlogs, widevine drm, etc. from accumulating or downloading. The drawback is that I need to do it once for every profile.

      1. Tom Hawack said on April 20, 2019 at 7:32 pm
        Reply

        @Anonymous, I remember having read a user mentioning the same workaround as you concerning blocking access to the IDB storage folder by modifying those folders’ permission. But the problem now (since, what, Firefox 64 was it?) is that Firefox’s Webextensions use the very same IDB storage folder as Websites (which is, IMO, rude) : [PROFILE]\storage\default\ … so I don’t understand how your tweak can make it from there on. The Webextension I mention above is less troublesome IMO even if as you maybe I prefer, I even love to use hacky solutions, often better suited.

      2. Anonymous said on April 21, 2019 at 7:16 am
        Reply

        @Tom Hawack
        Included with the setup process, I set each extension’s storage subfolder to not inherit the permissions so they still get full read/write access within their space. I rarely add new extensions and they are often able to fall back to local storage which go into the browser-extension-data folder of the profile instead. The only extension that I allow IDB is uBlock Origin where storing its compiled snapshots with IDB makes sense.

        So yes, it is more cumbersome than installing an extension but it still works as I try to keep external code to a minimum — especially when they can update to be entirely different without notice.

    2. Benjamin said on April 20, 2019 at 4:58 pm
      Reply

      Thank you for this tip about the API Killer Bacon. This guy seems to live right inside his code… absolutely very interesting.

    3. John Fenderson said on April 21, 2019 at 5:28 pm
      Reply

      @Tom Hawack: “Apple stated that turning off Ping would not “solve the privacy implications of link click analytics” and that disabling it would result in companies using techniques that would “hurt the user experience”.

      I can really only interpret this one way — they seem to be saying that eliminating the pings is just another step in an ongoing “arms race” that can never be won, so the best thing to do is to surrender now.

      1. Tom Hawack said on April 21, 2019 at 6:14 pm
        Reply

        @John Fenderson, defeatism is not usually a component of companies’ arguments, especially the big ones, as if the understatement was “Hey, don’t go breaking your heads trying to find workarounds to counter our fellow companies, they’ll beat you anyhow” :=) But you may be right considering that in an increasing competitive world wolves start being aggressive to their very owns (I’m not Marxist but Marx’s prophecy on capital clash is known and admitted by all).

        Back to Champagne, bread & butter : what I was and am still wondering about is what techniques Apple was referring to, independently of what such a statement may implicitly be analyzed as (I remain prosaic here!).

      2. John Fenderson said on April 22, 2019 at 6:44 am
        Reply

        @Tom Hawack: “what I was and am still wondering about is what techniques Apple was referring to”

        I assume they mean the primary techniques currently used (Javascript-based tracking mostly, but also redirection). The rationale for including the ping attribute in the HTML5 standard was to encourage sites to stop using JS and such to gain that result. Getting them to use the ping attribute instead allows the browser to regain some sort of control over these things.

      3. Jason said on April 22, 2019 at 9:20 pm
        Reply

        Yes Tom, I agree with you. When reading that quote from Mozilla I thought, “Wow, Apple and Mozilla need a lesson in free markets”. They are creating a self-fulfilling prophecy by rejecting the dynamics of a free market.

        If they allow me to disable pings, the worst case scenario is not that my user experience will be “harmed”. The worst case scenario is that people will boycott an annoying website and it will lose millions. Here’s a likely chain of events:

        1. I disable pings.
        2. A certain website detects that I’ve disabled pings and implements some aggressive javascript alternative to pings.
        3. The aggressive alternative annoys me.
        4. I boycott the website for annoying me.
        5. The website administrator realizes that a lot of users are doing the same thing as me, so he decides to soften his tactics.
        6. I return to the website.

        No need for my browser to act as my nanny and automatically lead me to an unwanted result.

      4. Tom Hawack said on April 22, 2019 at 10:21 pm
        Reply

        @Jason, “They are creating a self-fulfilling prophecy by rejecting the dynamics of a free market.” : that’s what I had in mind indeed. No free markets when users aren’t free. I admit that the tone of the quote really surprised me, perceived first as defeatism (as i wrote above) then, thinking about it, as some sort of threat.

        The chain you mention corresponds already to the way many of us deal with aggressively coded websites but the problem is that a minority’s rebellion never changed the world, even if there was always a minority’s rebellion before things changed. Hence I hope we will be sufficiently numerous to imagine reasonably an impact on dictatorial approaches of implicit (or explicit as our quote above seams to be) limits imposed to users of the Web. I hope but I’m skeptical to be frank. As i see it tomorow’s Web will be at the image of tomorrow’s society, an increased clash between those who know and behave consequently, those who ignore and those who don’t give a damn. People care less and less about their privacy. remember Google’s CEO stating that privacy would one day disappear? I still don’t know if our cherished privacy is cultural or native. But what I do know is that, should it be cultural, not defending it leads to far more than being naked on Tmes Square because there is no freedom of thoughts without privacy, bacause lack of privacy is an open door to manipulation and namely mass manipulation.

        Let us stay aware, aware not paranoid. There are also many beautiful things, on the Web as elsewhere.

      5. Tom Hawack said on April 22, 2019 at 10:31 pm
        Reply

        EDIT, correcting my poor English:

        I wrote above “As i see it tomorow’s Web will be at the image of tomorrow’s society, an increased clash [….]” : increasing gap, not clash. The clash is between companies striving to monopolize, not between users :=)

      6. John Fenderson said on April 23, 2019 at 1:20 am
        Reply

        @Jason:

        You didn’t mention tracking via CSS. That method is not only impossible to stop short of knowing and blocking access to the tracking server through a firewall of Pihole, but you won’t even notice that it’s happening unless you’re sniffing you network traffic.

      7. Tom Hawack said on April 23, 2019 at 10:24 am
        Reply

        @John Fenderson, you and others here and elsewhere mention CSS tracking : can we elaborate on the specifics of this method? Is it what is called by some ‘CSS Exfil’, is it that only, is it more than that?

        There’s a dedicated Firefox extension called ‘CSS Exfil Protection’ and the developer’s homepage includes a test page on which the method is described as,

        “The CSS Exfil vulnerability […] is a method attackers can use to steal data from web pages using Cascading Style Sheets (CSS).” (https://www.mike-gualtieri.com/css-exfil-vulnerability-tester)

        I remember Java, disabled by many users, then Javascript which is increasingly considered worth being disabled by default)… and now CSS. What next?!

        There is a bookmarklet which breaks a page’s stylesheets, problem is the bookmarklet requires javascript (Sweet Lord) …

        javascript:(function(){var%20i,x;for(i=0;x=document.styleSheets[i];++i)x.disabled=true;})();

        Now, visit a page with javascript enabled, use the bookmarklet to disable its stylesheets, then disable javascript for that page … what’s left? Soup :=)

        Wild Wild Web.

      8. Anonymous said on April 23, 2019 at 3:38 pm
        Reply

        @Tom Hawack
        CSS Exfil Protection aims so defuse offensive CSS. Its maintainer should update as new attack methods are discovered.

        I’ll try to explain how one of such techniques work. Notice how websites make links/buttons change color, animate, or whatnot when you hover your mouse or click on it. CSS allows the browser to be aware of these conditions and apply different visual effects. Therefore, by CSS alone, a website can change the background of something when you hover over or click it. If the background is set to change to an image, the browser will request that image from wherever it is on the web. The record of requests for this image will show all the details of who and when a person clicked on the link. CSS techniques can go as far as determine how long you kept your mouse over everything before you finally click on something.

        While CSS tracking is not as powerful as JS-based methods such as Clicktale, which is basically a screen-recording of your entire time on a website, it is still difficult to detect unless you keep an eye on your network traffic.

        Also, when you need to enable JavaScript on a site in order to load a bookmarklet, the site will have already loaded its JS during that window. For a better experience while blocking some sites’ JS and CSS, you’ll need to do it with an extension. uMatrix (by the same developer or uBlock Origin) does the job if you’re looking for this level of control.

      9. Tom Hawack said on April 23, 2019 at 4:27 pm
        Reply

        @Anonymous, thanks for this introduction to CSS Tracking : I start to conceptualize the methodology, which was my main handicap (I always thought CSS was 100% harmless).

        The technique you describe (one of several others as you mention), and which I understand, if it allows to follow the user’s movements on a page is nevertheless not as serious as stealing the user’s data, an issue handled by the ‘CSS Exfil Protection’ I mentioned in my former comment, even if “stealing” should whatever tracking be considered as stealing (and I subscribe to that).

        What I’ll keep in mind from your comment is that CSS tracking is a method with many possible ramifications. Correct me if I’m wrong but seems to me mastering CSS intrusion won’t be as “easy” as controlling javascript. Also, obviously, any and all code intended to the user’s comfort seems to be systematically used to achieve the user’s tracking, tricking and ultimately Web life.

        So it is.

      10. Anonymous said on April 23, 2019 at 6:43 pm
        Reply

        @Tom Hawack
        CSS Exfil Protection’s author explains the data-stealing exploits in much greater detail:
        https://www.mike-gualtieri.com/posts/stealing-data-with-css-attack-and-defense

        In essence, it’s unlikely that site owners will use these methods because they can already do whatever they want on their site. Most problems come from depending on 3rd-party libraries, extensions, and services that they don’t control. If those get compromised or otherwise become malicious, they trickle down to all the websites that use them..

      11. Tom Hawack said on April 23, 2019 at 11:28 pm
        Reply

        @thebrowser, @Anonymous, @John Fenderson, thanks for your comments regarding CSS Tracking. Most appreciated.

        From now on (because I’ve discovered this vulnerability right here, even if I had installed the ‘CSS Exfil Protection’ Firefox extension previously on the ground it seemed pertinent but without really understanding the context in fact (a behavior I usually avoid). What I really discover here is that CSS Tracking is multi-form.

      12. thebrowser said on April 24, 2019 at 9:42 am
        Reply

        @Tom Hawack, that’s not an unreasonable approach when it comes to privacy/security. In fact there are so many aspects of our daily lives where we all trust someone else’s judgement at some point, simply because we cannot keep up with all the things around us.

        I haven’t installed the CSS Exfil Protection at all because the very nature of the vulnerability requires you, the user, to voluntarily enter information (most likely on a web form) that would be sent elsewhere. You should be already familiar anyway with common best practices when entering sensitive data: is the website you are on trustworthy, are you giving away more information that is actually needed for a given transaction, etc…
        There is of course the matter that a website you trust has been compromised, but in that case is very likely that you have bigger problems to worry about.

        By the way if you are ever curious just right click > inspect element on the button of a form and you will see right away if there’s something shady. For instance here on ghacks the “post comment” button has 2 hidden fields used for storing the comment id (not malicious) but if Martin was trying to steal my information, he would change them for something more shady which anyone could see easily. Also, it wouldn’t matter since this comment is public anyway.

        Just so you have a better understanding on how it works and hopefully give you a little peace of mind :)

      13. Tom Hawack said on April 24, 2019 at 3:49 pm
        Reply

        @thebrowser, I appreciate the tone of your comment (when I dislike I usually say so, so why not saying when we like?), calm and friendly. The little history describes Nietzche crying when he saw a man beating a dog; he cried not only for the suffering of the animal but also because it was relevant of humanity at its worst and because when you refuse to counter hatred and violence by hatred and violence you face either madness either a terrible sadness. Why I relate this story? In our context, privacy and security on the Web, more you advance, more you dig, more you know, more you discover the inner battle between vice and virtue, because virtue there is, just as in life, and as in life you may halt, breath, think and wonder : why? Why has the WWW become what it is? I do have peace of mind but of course I happen to be troubled with an increasing lack of ethics, and the tone of my comments (should the very content not be concerned) reflects that. You’ve perceived it and your comment friendly took into consideration my state of mind. As I said, I appreciate that, not only for myself but because nowadays sympathy seems to be a too feminine behavior to accompany what many men consider as a required in a man’s man’s world : virility free of compassion.

        Sorry for this digression. I understand your explanation of the ‘CSS Exfil Protection’ extension, hence why you don’t use it yourself. You mention inspecting the element with the dedicated right-click menu item. Point is, once I’m in the Tools I barely understand half of the provided info. I know and agree : it’s up to each and everyone of us to get into the battle rather than cry. Not crying here but rather hitting my head with my fist each time I notice a sort of laziness :=)

        As always, more you know more your action (or reaction) is properly tailored; concerning code, computers, digital life we often use tools which bring more than we specifically need (and the more may include less good side-effects) because we lack a wide view of the situation : context knowledge allows a tactic but a strategy requires a wider map.

        I’ll think about using this element inspector you mention and find my way in the Tools area which for the time being reminds me of a cockpit, with little lights/switches everywhere (I love to end a speech with a little smile and/or laugh!).

        Knowledge participates to freedom, so I’d better get up and dance, I mean embrace, I mean the codes, what else?!

      14. John Fenderson said on April 23, 2019 at 8:47 pm
        Reply

        @Anonymous

        Your explanation is far more complete and correct than the one I was going to offer: CSS tracking is basically the same as tracking pixels, but implemented in CSS rather than in the HTML document itself.

      15. Anonymous said on April 28, 2019 at 1:08 am
        Reply

        How would you block all hyperlink ping using uMatrix?

      16. thebrowser said on April 23, 2019 at 4:44 pm
        Reply

        @Tom Hawack, CSS tracking refers to using the built-in capabilities of CSS to track users throughout the web. These capabilities are pretty obvious but powerful: modify the html document, listening for events (click button or link) and of course make external requests.

        For instance to post a comment here in ghacks you have to click “Post Comment”, which may very well do just that but in addition to it sends a request somewhere else. Whoever gets that requests can collect data from your machine and where the request was originated.

        Is very similar to CSS Exfil in that it takes advantage of CSS and that it has to be explicitly setup by the owner of the site. However Exil takes advantage of input fields used in forms, whereas links and buttons are pretty much everywhere, and are more prompt for user interaction. Also, CSS Exfil is malicious as in “I expect to steal data from you” whereas tracking is just that and can be used for many things.

    4. Alidl said on April 22, 2019 at 7:44 pm
      Reply

      i suggest you to use WebAPI Manager
      It is great and you can disable many more apis without installing several addons but the con of WebAPI Manager is that it is unmaintained but it works great and i use it daily.
      Also another of its cons is it won’t work with first party isolation enabled.

      1. Tom Hawack said on April 22, 2019 at 9:14 pm
        Reply

        @Alidl, sure that ‘WebAPI Manager’ is (or was) an interesting Firefox extension, I had it running at one time but got to find it cumbersome because fine tuning (per-site included) wasn’t sufficiently elaborated. Also, as you mention it, that extension doesn’t support First Party Isolation…

        There is as well another Firefox extension which may come in handy for advanced users : ‘WebAPI Blocker’, which I remembered when discovering the above mentioned extension ‘API-Killer IndexedDB’ … but finding the right API for non-techies as myself is sometimes tough : searching within that extension for APIs related to IndexedDB I had found 5 or 6 … I’m just unable to know the one(s) to choose in order to get what I get with ‘API-Killer IndexedDB’.

        But thanks for mentioning, this might very well interest some of us.

    5. Rick A. said on April 24, 2019 at 10:36 pm
      Reply

      @Tom Hawack – Thanks for the tip about this Developer. His extension UnLazy – https://addons.mozilla.org/en-US/firefox/addon/unlazy/ – makes Amazon and other sites so Much Faster and Usable.

  4. crambie said on April 20, 2019 at 11:28 am
    Reply

    Mozilla simply aren’t the company old. They’ve shown that they don’t deserve to be blindly trusted on multiple occasions. So the only browser that is showing it cares about this is Brave (will have to see if that lasts but hope so). I wasn’t sure about Vivaldi but checked and it’s turned on in it too.

    1. Iron Heart said on April 20, 2019 at 2:05 pm
      Reply

      Pale Moon / Basilisk, Waterfox, Ungoogled Chromium are also trustworthy IMHO.

    2. Anonymous said on April 20, 2019 at 7:22 pm
      Reply

      Is it possible to turn it off in Vivaldi?

    3. Valrobex said on April 20, 2019 at 7:47 pm
      Reply

      Don’t forget to mention Epic Privacy Browser

  5. Anonymous said on April 20, 2019 at 12:24 pm
    Reply

    To make things worse, it seems that they are going to remove the pref that allows to disable ping tracking:

    “We don’t believe that offering an option to disable this feature alone will have any meaningful improvement in the user privacy”

    1. John Fenderson said on April 22, 2019 at 7:05 pm
      Reply

      That’s a very worrying statement, right there. I keep hoping that the modern Firefox will get better — at least enough for me to be OK using it — but I keep seeing signs (like this) that it will not.

  6. anna said on April 20, 2019 at 12:42 pm
    Reply

    and NoScript or AdBlockPlus are good to block pings in the browser?

    1. John Fenderson said on April 22, 2019 at 10:24 pm
      Reply

      @anna:

      I don’t know for certain, but I think that NoScript won’t address this.

  7. Sundar said on April 20, 2019 at 12:49 pm
    Reply

    They’re not even hiding the corporate gang bang down in california. Wouldn’t put my hopes on Brave.

  8. Plebian said on April 20, 2019 at 1:34 pm
    Reply

    Speaking of Brave, Gab.com forked Brave (Insert evil laugh here)

    https://twitter.com/getongab/status/1118211585544204293

  9. Sound Judgment said on April 20, 2019 at 2:38 pm
    Reply

    “”The popular content blocker uBlock Origin blocks pings by default as well, and it is available for Firefox, Chrome, and other browsers.””

    Good. Two stones killed with one bird.

  10. John C. said on April 20, 2019 at 2:38 pm
    Reply

    Martin, thanks very much for this article. It clearly shows that Mozilla is no longer to be trusted (and of course, hasn’t been such for a very long time.) Their clumsily obvious spin-doctoring remark about agreeing with Apple’s stance on the issue is an insult to even the most incompetent end user.

    1. crambie said on April 20, 2019 at 2:58 pm
      Reply

      Both Apple and Mozilla are saying the same stupid thing. They’re saying if these pings are disabled then baddies could use another method to track you. So instead of blocking it they’re basically inviting them to use it. That’s some really twisted logic for so called privacy respecting companies.

      More likely it’s that apple has its own ad network and mozilla are funded by the biggest ad network and they both use pings to track you.

      1. Anonee said on April 21, 2019 at 1:11 am
        Reply

        Apple doesn’t have their own ad network.
        They used to have iAd’s where they exercised strict control over the type of ads that could be displayed through their service, to prevent things like full-screen ads from taking over or things like that but they shut it down years ago and it only lasted a couple years.

      2. crambie said on April 21, 2019 at 4:26 pm
        Reply

        Yes they do. Just one of the many, many recent links
        https://www.macrumors.com/2018/06/01/apple-advertising-third-party-apps/

  11. Malte said on April 20, 2019 at 3:19 pm
    Reply

    I recommend you all to look up Librefox https://github.com/intika/Librefox

    1. Lord-Lestat said on April 20, 2019 at 10:52 pm
      Reply

      This project is not actively developed right now as Mozilla was complaining about “copyright”

      More proof that Mozilla is anti-free-speech and anti-alternatives-providing – They ruined already Cyberfox – with making this developer unable to provide features and choice – they are on the best way to ruin Seamonkey with making their life harder and harder, and Waterfox is also forced to give up a big degree of their features and customization soon!

      And why? Because Mozilla has NO mercy for other developers using their base-code.

      1. Anonymous said on April 21, 2019 at 10:16 am
        Reply

        Do you have sources about that copyright story ? Is that Google sock puppet Mozilla that’s drowning in dirty money now starting to threaten legally the small ressources forks that remove its malware like Librefox and Waterfox based on technicalities like their name or icon ?

        https://old.reddit.com/r/waterfox/comments/bee5a3/waterfox_new_icon/el59mic/

      2. Anonymous said on April 21, 2019 at 3:59 pm
        Reply
      3. Anonymous said on April 21, 2019 at 8:15 pm
        Reply

        Awful. This is so low, even from them. Fuck Mozilla.

      4. Alidl said on April 22, 2019 at 7:54 pm
        Reply

        i don’t think mozilla can do anything with them as long as they don’t use icon and name of firefox

        firefox is publishing with “mozilla public license 2” and its only copyright is someone can’t build binaries with the name or icon of firefox but there is no other limit as long as i know.

      5. John Fenderson said on April 22, 2019 at 8:07 pm
        Reply

        @Alidl: “i don’t think mozilla can do anything with them as long as they don’t use icon and name of firefox”

        This is correct. Mozilla has always been clear that they will protect and enforce their trademarks (such as the icon and the “Firefox” name), but they have no interest in preventing forks and such. You just can’t call them Firefox or anything confusingly similar.

        This is why Iceweasel had to change its name to Iceweasel.

      6. owl said on April 23, 2019 at 2:21 am
        Reply

        @Lord-Lestat said on April 20, 2019 at 10:52 pm

        Is your view “Alternative facts”?
        But not the truth!

        Both Cyberfox (Toady Smith / AU) and Waterfox (Alex Kontos / UK) are the ones created, maintained and managed by only one individual. After all, what an individual can do is limited. Keeping pace with Firefox development is a challenge, and it can be left behind.

        Cyberfox the practical use of the Firefox 64bit is in focus, the purpose has been achieved. But after that, it was difficult to continue to follow Firefox’s development speed, and it was until he decided to end that development.
        However, PaleMoon and Waterfox are doing well.
        Seamonkey is a community driven Suite app (https://www.seamonkey-project.org/), but mozilla officially supports it.

        Alternative facts (that in fact, fake news, Demagogie), let’s stop!

  12. Lord-Lestat said on April 20, 2019 at 3:48 pm
    Reply

    Everyone who says that Mozilla is still the same company like they have been years in the past are either deceiving people on purpose or are just over-the-top enthusiasts who can not admit that Mozilla has lost their way.

    Let’s make a small list:
    ——————————-
    – Censoring Conservatives
    – Ignoring/Censoring people with a Conservative opinion
    – Censoring Conservative resources
    – Censoring free-speech resources
    – Abandoning their origin user-base for simple/Chrome users
    – Becoming equal worse like Google/even worse than Google
    – Unwilling to admit they made mistakes and go on no matter what
    – Ignoring their users on purpose – as Mozilla “knows what users want”

    Also they like to complain that they get “sabotaged” by other parties – while in reality it is Mozilla’s own inability to have been able to protect their company from outsiders who have been able to influence/control Mozilla’s decision making process!

    Old Mozilla would never have been that ignorant and dishonorable on purpose.

    1. Iron Heart said on April 20, 2019 at 7:40 pm
      Reply

      I think you are referring to them banning the “Dissenter” extension, right? I heard about this on the Firefox subreddit.

      This was a legally valid removal, 100%. Mozilla doesn’t have to host the extension, AMO is their property, and by removing Dissenter they were exercising their property rights. They don’t have to host any extension if they don’t want to. And if they don’t want to, why force them to?

      Dissenter is being used by the Alt-Right, not really monitoring the comments for hate speech (i.e. discriminatory, insulting comments). I wouldn’t want to host such an extension, either. Discussion is fine, but it should happen in a matter of fact way respecting basic human dignity.

      Again, Mozilla is a private organization / company, AMO is their property, they decide which extension they host and which they don’t. If the state itself had forbidden the extension, then you could start crying “suppression of freedom of speech!!!”. Again, private organization -> property rights regarding AMO.

      And just so that you know, you are free to agree or disagree with the removal (you obviously disagree), but it was 100% perfectly legal to remove it.

      1. Anonymous said on April 21, 2019 at 10:38 am
        Reply

        Every time you call the far-right “alt-right”, you’re helping them a little, implying that they’re more an alternative than extremists. It’s sad that this marketing trick had success even among their enemies.

      2. Anonymous said on April 21, 2019 at 1:46 pm
        Reply

        And if Mozilla removed Dissenter from AMO, I can also remove Firefox from my computer and watch their ever shrinking market share go into oblivion.

        Good job Mozilla. Your decisions will lead to your downfall. I am on Brave now because of their move.

        Also, Dissenter is not Alt-Right, because it’s not an echo chamber. Have you ever bothered to go to https://dissenter.com/ to check the comments? I think you’ve been fed the same propaganda by the legacy media (you might call it “mainstream”, although it’s losing relevance so fast, it will be gone before long).

      3. Alidl said on April 22, 2019 at 8:03 pm
        Reply

        Brave is very good for future of chromium forks but they are not that much innocent company that you think:

        https://www.theblockcrypto.com/2018/12/24/brave-browser-is-collecting-donations-on-your-behalf-did-you-know/

        although they fixed this now.

      4. Anonymous said on April 26, 2019 at 11:41 pm
        Reply

        Everyone has to eat, drink, find shelter, maintain health etc. Common sense says people don’t work full time on a project and not receive payment of some sort. Only a fool would think they are getting something for nothing. Somehow, whatever program you are using is finding a way to monetize. Cash up front or sneakily is your choice. However, there is no guarantee cash up front will not also include sneaky tactics to raise more cash.

        That was looking at the corporate level. Down at individual level inside organisations individuals suffer varying degrees of greed. A small percentage may be bad enough to inject a little code that serves their greed and does not comply with stated terms and conditions.

        Its a greedy, corrupt world.

    2. John Fenderson said on April 22, 2019 at 6:23 pm
      Reply

      @Lord-Lestat:

      I think you’ll need to actually provide evidence regarding your claims of political censorship. I don’t see where such a thing has happened.

      1. Anonymous said on April 23, 2019 at 6:17 am
        Reply

        John Fenderson said: “I think you’ll need to actually provide evidence regarding your claims of political censorship. I don’t see where such a thing has happened.”

        He may be referring to, among other things, the lynch mob campaign against Mozilla founder and CEO Brendan Eich when it was discovered in 2014 that six years earlier he had donated $1000 in support of California’s Proposition 8 which defined marriage as between a man and a woman. For his sin and thoughtcrime of privately expressing his political rights, he was pilloried to such an extent that he very soon resigned and left Mozilla entirely.

      2. John Fenderson said on April 23, 2019 at 9:00 pm
        Reply

        @Anonymous: “He may be referring to, among other things, the lynch mob campaign against Mozilla founder and CEO Brendan Eich”

        But that really doesn’t look like political censorship to me. Nobody told him that he couldn’t speak out, and nobody try to suppress what he was saying.

        Right or wrong, what happened to him was a whole lot of other people speaking up in response, and Mozilla making a business decision about how to react to that.

        “Freedom of speech” does not mean “freedom from people reacting to speech”.

      3. Anonymous said on April 23, 2019 at 10:52 pm
        Reply

        @John Fenderson: I’ve always found your comments to be reasonable but this time I’m surprised. If someone being forced out of their job because of a political donation (which is Constitutionally-protected free speech) made with their own money in their private life, if that doesn’t look like political censorship then I don’t know what does. We’ll just have to agree to disagree on this one.

        “Nobody told him that he couldn’t speak out, and nobody try to suppress what he was saying.” Really? I can’t believe you say this. John have you ever voted? Or made a donation of any kind to a candidate, cause, church, or charity? Let’s say that you have, and then several years later someone finds out which way you once voted, or who or what you once donated to, and such a furor is whipped up over it that your employer leaves you with no choice other than to resign or be removed. The issue it not whether you were told that you couldn’t speak out or were suppressed from doing so, but that AFTER the free exercise of your rights you were penalized for doing so by being forced out of your job by your employer.

        “Right or wrong…” In a democratic country such as the one where this regrettable episode took place, where freedom of political and religious expression is guaranteed and protected under law, such retribution for exercising those rights is clearly wrong.

        “what happened to him was a whole lot of other people speaking up in response, and Mozilla making a business decision about how to react to that.” Yes, a “whole lot of other people” spoke up in response, both supporters and detractors, but this is beside the point. Whether lots of people spoke in response, or only a few, or none, it has no bearing whatsoever on any citizen exercising their Constitutionally-guaranteed rights and being free from subsequent harassment, abuse, termination at work, etc., as a result of exercising said rights. An employer is not entitled to violate these rights, even if they or you call it a “business decision.”

        “Freedom of speech” does not mean “freedom from people reacting to speech”. Uh, okay, but again, this is irrelevant and does not justify retribution against someone in the form of them ending up being forced out of their job because of how they exercised their protected rights to political and religious expression. We’ll just have to agree to disagree on this one John.

      4. John Fenderson said on April 27, 2019 at 6:22 pm
        Reply

        @Anonymous:

        I’m sorry that I didn’t notice your comment until now. I’m not sure that you’ll see my response, but here goes…

        I am not saying that being fired because of past behavior that your employer has serious problems with is a good thing. I think it reflects poorly on the employer, and I think a strong case can be made that it shouldn’t be legal.

        I just don’t think the underlying issue is a freedom of speech issue.

  13. Ascrod said on April 20, 2019 at 3:57 pm
    Reply

    As long as there’s an option to disable it in Firefox, people will still laud them as The One True Browser™.

    1. Anonymous said on April 20, 2019 at 8:49 pm
      Reply

      They seem to want to make it impossible to disable.

      “We don’t believe that offering an option to disable this feature alone will have any meaningful improvement in the user privacy”

      But that won’t stop the fanboys’ veneration either, I think that they’re ready to swallow anything.

  14. pd said on April 20, 2019 at 5:27 pm
    Reply

    Whilst allowing this *miiiight* lead to a reduction in the plethora of trackers that sites pump down our pipes at increasingly unfeasible levels, it is also something that browsers must give users the simple option to disable.

    What we need to know is how this is going to interact with Do Not Track and or per-site permissions.

    It’s possible this will be another per-site permission users can tweak. But users must still have the option to disable this across the board (globally).

    Otherwise, it really is inconceivable that Mozilla can still claim to put user privacy first and support this.

  15. K@ said on April 20, 2019 at 5:44 pm
    Reply

    For a long time, I’ve right-clicked on links and copy/pasted them, to remove such items of crappiness. Yeah, it’s a small inconvenience, but it prevents more… er… crappiness!

    1. thebrowser said on April 21, 2019 at 8:26 am
      Reply

      This is the best advise anyone can give on security/privacy online. Takes 2 seconds and saves you from spam and possibly malware, plus of course tracking by who knows how many 3rd parties.

      I also recommend using different profiles while browsing, each restricted to specific activities/identities online and with different settings, themes and add-ons.

    2. Anonymous said on April 23, 2019 at 7:54 pm
      Reply

      Manually copying links doesn’t always help unless you’re typing it all out. If JavaScript is enabled on the site, they can just listen the the event of copying something to clipboard and read its contents.

      https://www.w3schools.com/jsref/event_oncopy.asp

  16. Haakon said on April 20, 2019 at 8:15 pm
    Reply

    Just enter ping in about:config search: there’s a whole lot of the ping thing going on.

  17. Tony said on April 20, 2019 at 8:18 pm
    Reply

    Notifying a completely different domain that we clicked on a link is just wrong and a huge invasion of privacy.

    Mozilla needs to rethink their twisted logic, and at the very least, keep the pref to turn off pinging.

    BTW, with such a small marketshare, would a majority of advertisers really create a completely different tracking scheme just for Firefox users? Something to think about.

    1. Anonymous said on April 21, 2019 at 4:52 pm
      Reply

      It won’t have an effect on current tracking methods. It might give analytic companies less incentive to innovate new methods to track. Supporters of enabling pings by default probably think that tricks like sneaky CSS-based click tracking may not have been invented if pings did the job.

      1. John Fenderson said on April 22, 2019 at 8:04 pm
        Reply

        @Anonymous: “Supporters of enabling pings by default probably think that tricks like sneaky CSS-based click tracking may not have been invented if pings did the job.”

        That’s what it sounds like, but that argument is unsupportable. If more than a tiny percentage of users disable pings, then the spies will just use the alternate methods anyway. If it is not possible to disable pings, then privacy-conscious users will have lost anyway.

      2. Alidl said on April 22, 2019 at 8:06 pm
        Reply

        @Anonymous

        great said, agree.

  18. Chris said on April 20, 2019 at 8:21 pm
    Reply

    Make your opinions known to Mozilla: https://qsurvey.mozilla.com/s3/FirefoxInput/

    1. Anonymous said on April 21, 2019 at 10:22 am
      Reply

      They have proved enough during the last years that they do not care at all about users opinion, it’s Google deciding and them obeying to keep the money flowing. They exist only to give a “we’re the good guys” color to evil Google’s decisions for idiots who haven’t yet understood.

  19. asd said on April 20, 2019 at 10:24 pm
    Reply

    So simply hovering over a link in a phishing/spam email can ping the spammer?! how is this a good feature?!

    1. John Fenderson said on April 22, 2019 at 7:09 pm
      Reply

      @asd:

      No, hovering over the link does not trigger the ping. You have to click on it.

  20. wanker said on April 21, 2019 at 1:30 am
    Reply

    You can do link tracking with any decent analytics script. Google analytics for example. So enabling this by default doesn’t hurt anyone. I agree with FF’s stance on this.

    1. Anonymous said on April 21, 2019 at 10:24 am
      Reply

      Analytics scripts are disabled when you use uBlock Origin, wanker.

      1. Alidl said on April 22, 2019 at 8:09 pm
        Reply

        Dear friend seems that you didn’t read martin’s article carefully, pings also will disable when you install ublock origin!

      2. Anonymous said on April 22, 2019 at 11:00 pm
        Reply

        “pings also will disable when you install ublock origin!”

        Beside ublock origin, there are many solutions to block current mechanisms of click tracking , that won’t also disable ping. For example people assume they’re safer without javascript. This new tracking mechanism will betray many people’s expectation of privacy in that area.

        Thankfully ublock origin is here to defend users against some of Mozilla’s tracking defaults. Until Mozilla decides that extensions can’t directly disable pings either. We’ll see. The arms race against tracking is no longer between Mozilla and trackers, it’s between users and Mozilla.

      3. Anon y mous said on April 23, 2019 at 6:36 am
        Reply

        Anonymous said: “The arms race against tracking is no longer between Mozilla and trackers, it’s between users and Mozilla.”

        Amen. Man, if that isn’t the truth… Extremely well-observed and well-put. Sad days, indeed. This “tracking every link clicked on,” by default and with no way to disable it, is ABSOLUTELY UNACCEPTABLE. It doesn’t matter that more knowledgeable advanced users may be able, this time anyway, to stop it by installing a certain extension–the vast overwhelming majority of FF users will never even know they are being tracked this way. This is completely indefensible and unacceptable, and Mozilla’s and Apple’s specious “justification” for it is just doubletalk-BS that insults one’s intelligence.

    2. Anonymous said on April 21, 2019 at 12:05 pm
      Reply

      Well, you said it: script. Those people disabling scripts will now be tracked too.

  21. Daring Surfer said on April 21, 2019 at 1:41 am
    Reply

    Do you know the magic 1×1 images that are loaded in many sites?
    They are used for tracking, as you load them, they send a ping to some tracking server or open a beacon for google telemetry. All is used for better search results on google and focused ads in your browsing.

    Now M0zilla seems to agree with all of that.

    Luckily I have uBo, NoScript and a local proxy that strips out most of these dangerous pings and soclet connections.

    M0zilla, I dare you.

    1. Anonymous said on April 21, 2019 at 4:42 pm
      Reply

      Just curious, what’s the implementation of the local proxy? I’ve been looking for something lightweight for traffic analysis/interception. My makeshift python server that I use for testing isn’t exactly pretty so I’m open to better solutions.

      1. ghacksuser privacytools said on April 21, 2019 at 10:57 pm
        Reply

        Privoxy.

  22. ULBoom said on April 21, 2019 at 2:11 am
    Reply

    SOS about firefox being no longer trustworthy. If you can’t do config mods, it never was trustworthy but it’s getting junkier for sure.

    Chromium is not modifiable to the extent the trustworthiness proponents seem to think. Google owns Chromium and parts of it are locked down; they license the parts that can be changed. Don’t know how google can call chromium open source when their licensing method doesn’t require the source code to be published. They do publish something…

    Chrome is malware, google blatantly calls it a browser based user ad data collector. MS’s chromedgium can’t possibly have seen the light except maybe an enlightened way of grabbing even more user data.

    Firefox ESR is a nice browser; not at all like the release channel version. If mozilla decides to give up on business users and dumps ESR, I hope someone who knows firefox’s innards continues it.

    One can use any browser desired, not worth even arguing over the subject; don’t jump out of the frying pan into the fire though.

    Taking the word of any of the tech/social media companies at face value is foolish. They intercept your information and waffle about how it’s not important information. Then why do they take it? If that’s the game, fight back with blockers, VPN’s, whatever you need. Screw them!

  23. archie said on April 21, 2019 at 9:22 am
    Reply

    I fail to understand the Mozilla bashing in comments. Enabled by default in nightly (68) and I see no reason why it would change in the future.
    nano blocker has a forefront option to block this as well. Default=ON too.

    A lot of comments so far are counter productive and meaningless. Have GH readers been swapped for ADD afflicted kids ?

    1. Iron Heart said on April 21, 2019 at 12:00 pm
      Reply

      Mozilla plans to remove the about:config option to disable it, disrespecting user choice. Also, enabling it in the first place is questionable at best.

  24. noemata said on April 21, 2019 at 11:47 am
    Reply

    ping, no ping, who cares.

    kindergarten to actual privacy – violations and opportunities. the argument is logical, but there is no logical need to remove “the user – choice” (again). s. hentschel, what do you have to say about this? wait, i know it. because i remember.

    ultimately not a single browser is usable.

    brave would be usable but with an ethically/politically very “questionable” context (+ former but longtime “leaks” to facebook, twitter & co.). disgusting. but i have to use this ethical – mess.

    iridium would be usable if there would be more effort. a new version every 6 months = a security risk. furthermore, debian-based systems are discriminated and a senseless suse – retweet shows what “the team is made of”. suse.. . and what’s their account on _facebook_ for? shame on https://osb-alliance.de/ & co – partners. . event after event (similar to suse/opensuse) & paper after paper, lot of words and “good” intentions are useless in these days. invent in this browser. do something. or clear the field & s.u. . same @eff. self-praise stinks.

    unggogled chromium = questionable addon that can’t even be removed. non-transparent & a new version every x months like iridium = a security risk.

    gnome or kde specific browsers : all negligible, ugly, pointless. falkon with adblock – plus (or was it adblock or a fork of whatever – it doesn’t matter, because it’s not ublock origin). no thx.

    moon-water-whatever: outdated. not my community. i’ll never use it, though it’s probably the smallest nasty thing of all.

    vivaldi, opera : non-ungoogled = senseless. & opera .. ist not opera anymore, it’s a threat. & vivaldi -> time cannot be turned back, mr. tetzchner (ok, it’s “possible” on the basis of the “time-idea”:

    https://www.nature.com/articles/s41598-019-40765-6?error=cookies_not_supported&code=5589faf7-4404-4da6-a985-fa4cac95d123

    .. but not for you).

    edge : .

    programmers all over the world: you hurt & manipulate the normal end-user. for decades (wouldn’t that be the case, the web & co. would look different today). not only in a browser – context, in any IT – context.

    not politicians and managers penetrate into the privacy & co. of the end-user (they are too stupid for that), but you programmers do it. for your “company”, for your “goverment”, for $, for selfish – reasons. but not _for the end – user_ (there are exceptions, but these can be counted with one hand).

    metaphor:

    https://archive.org/details/MilgramExperimentObedience

    non – metaphor:

    https://invidio.us/watch?v=_e6BKJPnb5o

    (mr. lunduke, when he wasn’t a contradiction in itself. sry. but all the best)

    most (not all) of you don’t have a spark of ethics in you. no wonder – you’re too concerned with algortihmic – processes and identify yourself with them. but goedel and turing point out your limits. and this is where it can start.

    ps: https://qiskit.org/

    cheerful simulating for : [ …… ]

    1. Anonymous said on April 21, 2019 at 4:38 pm
      Reply

      When you started off by suggesting that pings are insignificant, I didn’t expect the rest to be of such a strong opinion. While not to the same extent, I mostly agree with the sentiment on each topic.

      As FF becomes increasingly tedious to configure for security and privacy, I’m exploring my options and ungoogled-chromium looks the most promising. It’s not an addon as you describe; it’s just a collection of patches which gouge out chunks of Google integration in chromium. In the process, it breaks quite a few things such as installing addons from the webstore. There are no official releases — just ones created by users who share their own builds — thus the conception of being out-of-date and opaque.

  25. Arman said on April 21, 2019 at 1:49 pm
    Reply

    Firefox is actually the only one technically alternative – thats the only reason to choose Firefox. We use Firefox not for their political conception but to keep the diversity. One browser in the market is awful for the customer – Vivaldi Opera and Brave they re actually chromium based. The same engine.

    1. Anonymous said on April 22, 2019 at 8:14 pm
      Reply

      well said

  26. greanfrog said on April 21, 2019 at 4:15 pm
    Reply

    so… If this PING sends a PING-FROM header or text field, with my wan ip address, and I am using a vpn for my privacy, does this destroy my use of the vpn fro privacy ?

  27. worldknote said on April 21, 2019 at 7:58 pm
    Reply

    @anonymous

    thx4 your response, yep, after some research a few weeks ago i got a similar result concerning u-chr. & this addon, whose name i forgot. but i also read somewhere else that this addon can’ t be trusted for reason xy (forgotten). but what i remember: the nitrux os – developer(s) replaced the u-chr. – appimage with the waterfox – appimage. therefore, it’s all too nebulous for me. too “fuzzy”. otherwise u-chr. would be an anchor in distress. but the mentioned security – risk remains. similar to a part of the iridium-argument.

    actually i am personally (still) too shocked by the archive.org (“robot/human”) – attack. this was (the attempt) of modern “book burning”. and i’m also shocked by twitter, reddit, protonmail, ibm/redhat/fedora/suse/opensuse/endless os/firefox .. .. .. . a never ending list.

    however, let’s take a look to the night sky, not only the web.

  28. Thorky said on April 22, 2019 at 10:36 am
    Reply

    While reading the article, I’m asking myself, if Mozilla has still all the pickets on its fence.

  29. Stan said on April 22, 2019 at 4:35 pm
    Reply

    “We use Firefox not for their political conception but to keep the diversity”:

    Diversity!!!!?
    Mozilla don’t know the meaning of the word.
    A quick look at the top 22 MozCo majordomos (leadership)…. not one black face.
    Can you say bloody hypocrites?

    1. Anonymous said on April 22, 2019 at 6:15 pm
      Reply

      Arman said: “Firefox is actually the only one technically alternative – thats the only reason to choose Firefox. We use Firefox not for their political conception but to keep the diversity. One browser in the market is awful for the customer – Vivaldi Opera and Brave they re actually chromium based. The same engine.”

      @Stan: You misunderstood and/or conflated the “diversity” to which Arman was referring in his original post–easy to do, I know, since other “PC”-types co-opted the word 30 years ago and caused this confusion. Arman’s point was that the engine which Firefox uses is really the only alternative to the chromium engine which many other browsers use: Google Chrome, Vivaldi, Opera, Brave, and now Microsoft Edge. At least we have an alternative to using Google’s Chromium engine for browsing…

  30. Stan said on April 22, 2019 at 6:36 pm
    Reply

    No, I didn’t misunderstand, Mozilla and Diversity should not be mentioned in the same breath/sentence. ;)

  31. Stefan Fröberg said on April 23, 2019 at 1:19 am
    Reply

    Want privacy enhanced, no compromise making browser?
    Support CyberDragon!

    https://www.orwell1984.today/CyberDragon2.html

  32. random noise said on April 23, 2019 at 3:25 pm
    Reply

    Cyber Dragon is a nice inspecting browser, thank you Mr. Froberg.

    1. Stefan Fröberg said on April 23, 2019 at 6:48 pm
      Reply

      My pleasure. :-)

      I try to get the 1.9.0 for public download out ASAP, and keep adding features and GUI controls
      as I go toward version 2.0.

  33. Peter Newton said on April 25, 2019 at 12:29 am
    Reply

    1/ Locate these entries in about:config in the next Firefox update.

    2/ If found disable them. They are as follows:

    browser.send_pings – set to false
    browser.send_pings.max_per_link – set to 0
    browser.send_pings.require_same_host – set to false

    3/ If not found, install Ublock Origin, and ensure that hyperlink auditing is set to disabled in the settings of the addon, this will achieve the same result, whether or not the entries in about:config in the Firefox update are present or not.

    I do not like prying dictatorships, do you ?

    Thank you for your attention.

  34. Anonymous said on April 26, 2019 at 12:58 am
    Reply

    Glad I don’t have to worry about this garbage – my last install of Firefox was replaced by Waterfox 6 months ago after FF 52 ESR expired :)

  35. thebrowser said on April 26, 2019 at 12:23 pm
    Reply

    @Tom Hawack, I completely agree with you there. We should take the time here and there to help with what we can, be it in person or online, even with the smallest of gestures (something as simple as saying ‘thank you’ or a smile when greeting people really does make a difference). This is specially true, at least in my experience, in the field of computer science, programming, etc, where very capable people often talk down to others for asking questions, which is how we all learn anything at some point.

    I think it’s important to make people aware about the privacy implications about today’s technologies, something to incredibly overlooked but that actually impacts our lives every day, increasingly so since the past few years (and will continue to increase). Therefore I don’t mind taking the time to research something new that I don’t know, or dropping a few lines to explain something for people that are interested. Even when it comes to ‘newbie’ questions or something that has been answered already, it is still worth it. This is not to say that you asked something repetitive or ‘newbie’, as this is definitely not something you would know unless someone told you or read it about it somewhere.

    In any case, the important thing to do is to stay curious and learn not only by asking but also by explaining things to others, debating, being wrong. These things take time, but it is time well spent :)

  36. Anonymous said on April 28, 2019 at 1:05 am
    Reply

    You can fix many things with uMatrix
    https://www.ghacks.net/2017/11/28/a-umatrix-guide-for-firefox/
    but I’m not sure how to go about blocking hyperlink pings.

    1. owl said on April 28, 2019 at 9:39 am
      Reply

      @Anonymous said on April 28, 2019 at 1:05 am
      You can fix many things with uMatrix
      but I’m not sure how to go about blocking hyperlink pings.

      How to block ping (Packet Internet Groper) with the extension “uMatrix”:
      Enable the following items.
      Option>Settings>Privacy>Block all hyperlink auditing attempts
      Its Information:
      Hyperlink auditing is a mechanism which allow a party, any party, to be informed about which link a user clicked on a particular web page. It is essentially a tracking feature: it allows a web site, or any third-party to that web site, to be informed about which link you clicked on which one of its web pages. The sole purpose is to track your browsing activity.

      About how to use “uMatrix”
      Randomly assembled documentation: https://github.com/gorhill/uMatrix/wiki

      1. Anonymous said on April 29, 2019 at 4:57 am
        Reply

        Thank you. So far my uMatrix experience is error and trial 🙂 However, I am beginning to understand it. Documentation and example should help enormously.

  37. Willie aames said on May 2, 2019 at 2:01 pm
    Reply

    The ping attribute replaces redirects and JavaScript that already allow (and are very widely used for) less performant ways of doing exactly the same tracking.

    An explicit ping attribute makes it easier for content blockers; with a redirect there’s nothing you can do but with a declarative attribute it’s clear what to block.

    But still we need a DuckDuckGo browser for desktop. Restoreprivacy guides are paid shill. Check his backlinks, full of donation networks.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.

Be polite: we do not allow comments that threaten or harass, or are personal attacks. Please leave politics and religion out of discussions!