Domain: requestpolicy.com
Stories and comments across the archive that link to requestpolicy.com.
Comments · 42
-
How will anyone avoid paying the tax ?
Given that most web pages these days contain links to SM (Facebook, Twitter, ...) often a link to the SM logo or a bit of javascript. So the person might not knowingly have anything to do with SM but I suspect that their browser downloading these small components will be seen as access to SM and so trigger the day's tax. Now that HTTPS is pervasive it is not possible to determine *what* is being accessed within a web site. The only way that people are going to be able to avoid this is by installing browser plugins like request policy - which, in itself, is no bad thing.
-
https://www.requestpolicy.com/
https://www.requestpolicy.com/
Stops external requests. Like that facebook script the parent talks about.
-
Re:DON'T PUT PICTURES OF YOUR COCK ONLINE!
For the technically apt nerd, the solution is RequestPolicy which is a granular domain-based request control plugin for Firefox. You can set it to block all cross domain requests by default and then selectively enable those that are part of the site's functionality. Unfortunately, with the advent of CDNs and whatnot, most websites (such as Slashdot) will be entirely broken and making them work will require a fair bit of knowledge of how the web operates under the hood in some cases.
-
Re:Already using palemoon
Actually, since RequestPolicy stopped working in my Iceweasel, I installed Policeman. It provides a neat UI for selecting precisely which sites can load what from where, including options like loading styles but not scripts. I believe NoScript is necessary to block firsthand scripts, however.
-
Duh?
The only thing newsworthy about this is that google wasn't already recording all this information in the first place.
I don't think I'm excessively paranoid, but I've always assumed that google tracks everything you send them and keeps the data forever. And that they regularly run retrograde analyses on it to try to associate any 'anonymous' data with any newly collected data to 'unmask' all of your old searches with any new profiling data they have been able to acquire since.
Frankly I am stunned that google was not doing all that for embedded maps before. In the past I've deliberately abandoned websites rather than enable the gmaps cross-site reference in RequestPolicy because I didn't think the trade-off of handing that particular map search data to google was worth it.
-
Re:obligatory privacy tools and recommendations
You left out RequestPolicy, it is a must have, it works even better than AdBlock because by default it blocks anything on the page that isn't on the same domain you're visiting.
You can then select exactly which extra domains can be allowed to load more on page elements.
-
Re:How does one prevent this ?
-
Re:Seems to need an ad blocker.
I'll see your Adblock and raise you a NoScript and block all cookies. Still imperfect, but it seems to work very well.
Go all in with RequestPolicy.
It is like NoScript for all cross-site requests, not just javascript.
Install the beta of 1.0 direct from the website. It is stable and the GUI is better, I've been running it for months, just make sure you change the default from black-listing to white-listing.
-
Re:Metastatic snooping
Except Request Policy is funded by the ad networks themselves. Giving the benefit of the doubt, there might be noble intentions behind it...lol, nevermind, I didn't just say that.
Do you have any evidence for that? It seems like RequestPolicy is just some guy and searching doesn't find any clear documentation of nefarious funding.
Are you thinking of Ghostery, by chance? (Even Ghostery claim that their tracking is opt-in and sold anonymized, though I understand some skepticism there.)
-
Re:Metastatic snooping
For Firefox users, Stanford research discovered recently that using a script-blocking extension actually isn't as effective at privacy protection as using privacy & ad-blocking lists with an ad-blocking extension (I use AdBlock Plus). I double-checked the domains you listed, and all of them appeared in at least one of the blocklists, either blocking everything from their sites or blocking things from being executed from another domain.
If you're in Firefox (and have a *lot* of patience/time), you might like another whitelisting-based extension they labeled extremely effective, though:
"Request Policy, a Firefox extension, takes the opposite approach: all requests to third-party domains are blocked, save those the user explicitly allows. While Request Policy offers nearly comprehensive protection from third-party tracking, properly configuring it requires substantially greater patience and expertise than the average user can reasonably be expected to possess."
-
Another Job for RequestPolicy
The RequestPolicy add-on should handle this too. RequestPolicy blocks cross-site references by default and lets you whitelist individual cases. If you don't even talk to the tracker websites then they can't track you.
If the main website you access tracks you via etags the risk is limited to tracking your actions on that website which you'd have problems avoiding anyway since they can track you via ip address or if you have an account on that website.
-
Re:Only the stupid
I use multiple: AdBlock Plus and Ghostery in my browser, a hosts file
Try RequestPolicy it is better than a hosts file because it is on a per-website basis. You can let "slashdot.org" pull content from "fsdn.net" while blocking all other websites from pulling content from "fsdn.net"
And it is a whitelist system rather than a black-list like the hosts file, adblock and ghostery, so nobody sneaks through just because you haven't updated it. The downside is that if those approaches are like driving an automatic transmission, using RequestPolicy is like driving a stick-shift.
-
Re:Mozilla should integrate AdBlock plus or simila
NoScript is an awesome plugin, especially from a security viewpoint, but there is still a lot of information a web site can relay to advertisers without using scripts.
If you like NoScript - check out RequestPolicy - think of it as an inverse hosts file - instead of blocking individual trackers you whitelist sites instead. Not only that, but the whitelisting is on a per web-server basis, e.g. you can let ESPN's include stuff from doubleclick without letting any other sites include stuff from doubleclick.
It makes the interweb soo much faster and protects against fingerprinting because your browser never even connects to the fingerprinter much less hands over any identifying information.
-
Re:Yep, that.
What can Ghostery do that RequestPolicy can not ?
https://www.requestpolicy.com/
Is Ghostery just targeted at abusers of 1x1 img pixel and tracking cookies ? As RequestPolicy seems to be a generic solution from any information not coming from the target website you are visiting.
-
Still on Firefox 8...
Since Firefox has started their crazy version numbering, I've given up on upgrading. I use 27 different addons and perfectly configured to make my web browser do what I want. It is near impossible to do an upgrade without spending hours reconfiguring the addons, some of which need to be manually downloaded and have their "MaxVersion" incremented so they will install. Maybe in 6 more months when we reach Firefox 50 I'll give it a try, but until then. Firefox 8 all the way!
Application: Firefox 8.0 (20111104165243)
Total number of items: 27
- Active Stop Button 1.4.10
https://addons.mozilla.org/firefox/addon/active-stop-button/
- Adblock Plus 1.3.10
http://adblockplus.org/en/
- BetterPrivacy 1.68
http://nc.ddns.us/extensions.html
- ColorfulTabs 7.1
http://www.binaryturf.com/free-software/colorfultabs-for-firefox/
- Cookie Monster 1.1.0
https://addons.mozilla.org/en-US/firefox/addon/cookie-monster/?src=api
- Copy Link Name 1.3.2
http://www.captaincaveman.nl/
- Download Statusbar 0.9.10
http://downloadstatusbarapp.com/
- DownloadHelper 4.9.14
http://www.downloadhelper.net/
- DownThemAll! 2.0.8
http://downthemall.net/
- Export Cookies 1.2
https://addons.mozilla.org/en-US/firefox/addon/export-cookies/?src=api
- Find Toolbar Tweaks 3.0.0
http://homepage3.nifty.com/georgei/extension/ftt_en.html
- Firebug 1.8.4
http://www.getfirebug.com/
- Greasemonkey 0.9.13
http://www.greasespot.net/
- HeaderControlRevived 1.1
https://addons.mozilla.org/en-US/firefox/addon/headercontrolrevived/?src=api
- Hide Caption Titlebar Plus 2.4.1
https://addons.mozilla.org/firefox/addon/13505/
- Menu Editor 1.2.7
http://menueditor.mozdev.org/
- Movable Firefox Button 1.4
https://addons.mozilla.org/en-US/firefox/addon/movable-firefox-button/
- NoScript 2.1.7
http://noscript.net/
- OptimizeGoogle 0.78.2
http://www.optimizegoogle.com/
- RequestPolicy 0.5.27
http://www.requestpolicy.com/
- Screen Capture Elite 2.0.0.23
http://www.grizzlyape.com/
- Searchbastard 1.5.5
http://searchbastard.rosell.dk/
- SkipScreen 0.6.1.2
-
Re:Ads
Correction: version 1.0 beta does support wildcards in domain names.
-
Requestpolicy
This firefox addon blocks anything from 3rd party domains on any site you visit, but with a configurable whitelist for any sites you actually care about.
-
Re:Disclose Your IPs
Enter RequestPolicy, an add-on for firefox that does essentially this.
-
Re:Give Us A List
I use RequestPolicy on one of my computers, but not all of them, partially because the UI is a pain to use. But I just checked the website and the next version will fix that (although it doesn't look like the code has been touched in 6 months, so I'm not sure what's going on there). For my usage, wildcards and blacklists would make it much more useful. Subscription whitelists/blacklists would make me much more willing to recommend it to other people.
-
Only Opt out of Being Reminded
And even if they all comply with your opt-out request, it doesn't mean that they'll stop collecting data on you, only that they'll stop serving you targeted ads."
That line is the most important part of the story. The phrase "opt out" has been redefined by the marketers. You can not opt out of being tracked, you can only opt out of being reminded that you are being tracked. That is more than useless because it defuses the people most likely to be unhappy about these trackers with a false sense of safety.
Your only way to avoid being tracked is not to ever talk to the trackers in the first place. For the less technically inclined, the Ghostery plugin for firefox is pretty much set it and forget it. If you can handle looking underneath the hood of the internet, check out Request Policy which gives you extremely fine grained control over what stuff a webpage can pull in from other webservers. I default block all cross-site includes from other domains and white-list them on an individual basis and it really isn't too inconvenient. Besides the privacy benefits, it makes web pages load super fast when they don't have to pull in crap from 15 other servers.
-
Re:Ways around some of it
Ghostery is a good start.
And Request Policy is the technical user's upgrade. It is kind of like a noscript for trackers, but also for ads and scripts and basically any remotely linked inline content.
-
Re:Cookies and referers
One Word:
requestpolicy
-
Re:Ads aren't really the problem any longer
Try the RequestPolicy add on for firefox. It gives you fine grained control over cross-site content embedding and it doesn't replace the blocked content with an ugly error message - just a small icon of a flag in the case of a blocked image, if you tell it to.
-
Re:Debugging Is the Next Frontier in Faster Browsi
-
Re:One Man's Feature is Another Man's Bloat
The only feature that I want that is long overdue is a setting wherein the browser will make HTTP GETs only to the original domain. So, if I go to slashdot.org, I want my browser to only fetch things from slashdot.org. Not scorecardresearch, not doubleclick, not gstatic, not google, not facebook, etc etc etc.
You want RequestPolicy - it does exactly what you want and lets you whitelist on a per-site basis. So, for example, you could let google pages also pull in stuff from gstatic.com but no other websites could pull in stuff from gstatic.com.
RequestPolicy is more powerful than adblock/noscript/ghostery because of the per-site control - all of those others don't care about what site the request is coming from, only the one it is going to. At best they let you whitelist the requests from an entire site, RequestPolicy is much more fine-grained. Those other add-ons are important too, they just have different strengths.
-
Re:Facebook
You'd be shocked at how many cookies come from facebook across multiple sites. I use an extension called Ghostery (https://addons.mozilla.org/en-US/firefox/addon/ghostery/) to block most of them.
I use Ghostery plus RequestPolicy which gives you control over every single external request that a web page makes. It is like a noscript for cross-site references of any kind.
-
Re:Privacy is key, but doesn't seem respected here
> If the ad is served from a host controlled by the advertiser, then they have my IP address [etc].
Use the RequestPolicy addon, solves most issues that ABP and NoScript should have done. No unnecessary ads, no unnecessary scripts and for free no cross-site request forgery.
https://www.requestpolicy.com/
Cheers, M
-
Re:It can't possibly be that hard to avoid...
BTW, is there a chrome and FF extension that basically prevents EVERYTHING on a webpage that is not from the same domain than said webpage?
Request:Policy for Firefox. Don't know if there's something similar for Chrome.
-
A shout out to RequestPolicy
NoScript is a great product, but it is also worth mentioning RequestPolicy which is a great complement to NoScript.
From the RequestPolicy FAQ:
Is RequestPolicy an alternative or competitor to NoScript?
No! :)
NoScript is a tool that gives you a default deny policy for JavaScript, Java, Flash and other plugins. NoScript allows you to whitelist scripts and objects from domains you trust.
RequestPolicy is a tool that gives you a default deny policy for cross-site requests. RequestPolicy allows you to whitelist cross-site requests you trust.
-
Re:The only problem with NoScript et. al.
Use RequestPolicy instead. It allows control of cross-site requests with domain-level granularity. So only sites you trust are able to gain access to domains like amazonaws.com, akamai.net etc. It basically has the same features as Noscript's ABE, but is much easier to use.
https://www.requestpolicy.com/
-
RequestPolicy
Google and Facebook are more likely to be able to track you despite you trying to avoid it. Their stuff is "everywhere". If you use their services and go somewhere else but somehow still load stuff (images/scripts) from their servers (or servers they can get info from) they know who you are and what IP you are currently using.
That's what RequestPolicy is for. You can control what images/scripts/content from other domains gets loaded on a site-by-site basis in a way similar to Noscript. It's great in addition to Noscript (not as a replacement).
For example, when you load Slashdot with RequestPolicy turned on, you don't get any of the static content like images/css because that all seems to be stored on fsdn.com. You can easily select the RequestPolicy icon and tell it to allow requests from slashdot.org to fsdn.com. In a similar manner, you can let google.com load scripts and content from google.com while preventing other domains from doing so.
It's really the only way to prevent client-side tracking services that haven't yet hit the blacklists. It's more than the average user would be willing to do, but if you really want to stop tracking or you're just interested in seeing which CDNs and how many off-domain resources sites use, it's worth checking out.
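
The per-site allow rules described in the comment above (slashdot.org may load from fsdn.com, other sites may not), as an added example that is not part of the comment and not RequestPolicy's own code: a default-deny decision function with origin-only, destination-only and origin-to-destination rules. The rule format, function names and sample URLs are assumptions, and the site comparison is a two-label simplification rather than a Public Suffix List lookup.

```javascript
// Added illustration: default-deny policy for cross-site requests with
// per-origin allow rules. Rule format and names are hypothetical; this is
// not RequestPolicy's implementation.

// Simplification (assumption): a "site" is the last two DNS labels.
// A real tool needs the Public Suffix List (e.g. for example.co.uk).
function baseDomain(url) {
  const host = new URL(url).hostname.toLowerCase();
  return host.split(".").slice(-2).join(".");
}

// A rule may pin the origin site, the destination site, or both:
//   { origin: "slashdot.org", dest: "fsdn.com" }  origin-to-destination
//   { origin: "example.org" }                      anything that origin requests
//   { dest: "example.net" }                        that destination from anywhere
function ruleMatches(rule, origin, dest) {
  // A rule with neither field would allow everything; treat it as invalid.
  if (rule.origin === undefined && rule.dest === undefined) return false;
  const originOk = rule.origin === undefined || rule.origin === origin;
  const destOk = rule.dest === undefined || rule.dest === dest;
  return originOk && destOk;
}

// Decide one request made by the page at pageUrl for the resource at requestUrl.
function decide(rules, pageUrl, requestUrl) {
  const origin = baseDomain(pageUrl);
  const dest = baseDomain(requestUrl);
  if (origin === dest) return { allow: true, reason: "same-site" };
  const hit = rules.some((r) => ruleMatches(r, origin, dest));
  return hit
    ? { allow: true, reason: "allow-rule" }
    : { allow: false, reason: "default-deny" };
}

// Constructed sample rules, mirroring the pairs named in the comments.
const sampleRules = [
  { origin: "slashdot.org", dest: "fsdn.com" },
  { origin: "google.com", dest: "gstatic.com" },
];

// Constructed sample requests: [page URL, requested resource URL].
const sampleRequests = [
  ["https://slashdot.org/story", "https://a.fsdn.com/sd/style.css"],
  ["https://news.example/post", "https://a.fsdn.com/sd/pixel.gif"],
  ["https://slashdot.org/story", "https://tracker.example.net/t.js"],
  ["https://www.google.com/maps", "https://www.gstatic.com/lib.js"],
  ["https://slashdot.org/story", "https://images.slashdot.org/logo.png"],
];

for (const [page, req] of sampleRequests) {
  const d = decide(sampleRules, page, req);
  console.log(`${d.allow ? "ALLOW" : "BLOCK"} (${d.reason}) ${page} -> ${req}`);
}
```

The second request shows the difference from a hosts file or a destination-only whitelist: fsdn.com is reachable from slashdot.org but stays blocked when any other site embeds it.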
-
Re:Why I don't use NoScript
I haven't found anything else that comes close to how flexible and easy to use it is.
Have you checked out Request Policy?
I don't suggest it out of NoScript hate[0] -- I still run noscript on some machines -- but because it's fantastically easy to use to do things you need to mess with ABE to do on NoScript (if even then. I haven't had the time to mess much with ABE). My favorite is being able to block everything google, and then only allow it, if needed, permanently and only on the sites that need it (mostly on sites using recaptcha)
It's pretty nice and one of the four extensions that keeps me shackled to Firefox, much to my continued misery (The other four being ABP, PasswordMaker, and Lazarus)
[0]Though its insistence on opening up the homepage twice a week lately on minor updates is becoming a pet peeve.
-
Re:Hosts file
LOL That must have been a shitload of work to get that blacklist together, let alone maintain it. What about white-listing instead?
There is a very promising Firefox addon, that does exactly that.
https://www.requestpolicy.com/
No third party will ever track you again, unless you explicitly allow their domain name.
-
The typo is also their property
(I just noticed that their licence notice doesn't make any sense. I presume they meant to write "with*out* written permission")
I just went looking for free alternatives but NoScript is all I found!
* https://addons.mozilla.org/en-US/firefox/addon/noscript/
TrackerBlock, BetterPrivacy, and Ghostery all seem to be proprietary software. What a disappointment.
FSF maintain a list of free mozilla-compatible plugins:
http://www.gnu.org/software/gnuzilla/addons.html
I see one free plugin that I haven't tinkered with: https://www.requestpolicy.com/
-
a couple add ons that help
I surf with requestpolicy and noscript up. It is utterly amazing the number of websites that can't render a page without firing scripts or loading content from 6, 8, 10 or more different domains.
If you haven't tried these, do it and be amazed at how many sites load without stylesheets, pictures etc. It's amazing how badly shit is implemented - zero thought about graceful degradation.
no script
requestpolicy
-
Re:site-specific permissioning
RequestPolicy works great in conjunction with NoScript. Don't know if it works with Firefox mobile (doubt it), but it's great for site specific permissions on the desktop.
-
Re:Trust model
You want RequestPolicy
I have to warn you that many sites have REALLY obscure dependencies.
-
Re:Not hard to beat at first glance.
"Allow javascript from the site you're on to run while blocking 3rd party scripts." - much harder to mis-understand.
This is exactly what RequestPolicy does. Much nicer to use than NoScript. Too bad I'm on Chrome now.
-
Re:Not hard to beat at first glance.
NoScript is great... but it can't catch everything. An excellent addition to NoScript is https://www.requestpolicy.com/faq
How does RequestPolicy help you where NoScript does not? RequestPolicy will protect you from various attacks that NoScript will not (such as CSRF attacks, though there are some special cases that NoScript protects against) and will give you greater privacy while browsing. Also, RequestPolicy will give you finer-grained control over JavaScript and plugins when you use it with NoScript. For example, if you whitelist a domain with NoScript to allow it to run JavaScript, then that domain will also be allowed to run JavaScript when you are on any other site that you have whitelisted with NoScript. RequestPolicy makes sure that when it is JavaScript from a third-party site, it will still be restricted unless you have allowed those cross-site requests.
-
RequestPolicy
RequestPolicy is an extension for Mozilla browsers that improves the privacy and security of your browsing by giving you control over when cross-site requests are allowed by webpages you visit. It is the first comprehensive client-side protection against CSRF attacks and the first tool to enable the use of modern browsers without cross-site information leakage.
not just displays, as the original post was suggesting, but also allows you to block (or unblock) cross site requests.
-
Does NoScript fix this?
I installed NoScript recently along with Request Policy. One protects from any request to a foreign domain and one blocks scripts until I allow them.
Have I reduced my exposure enough?
What I want to see is a community mediated system whereby the whitelists and blacklists are distributed amongst the community. A bit like ThreatNet, SpyNet, PrevX and all the other proprietary security systems. How the decision of whether or not to allow or disallow a request will be made but it needs to be made by a massive community. I generally experiment whitelisting a website until it works. If this information was made subscribable, people could browse with a bare minimum of exposure?
Sam
-
Re:Alternative extension
[Note: I'm the RequestPolicy author.]
Thanks for letting people know about RequestPolicy. I would like to stress, however, that RequestPolicy is not a replacement for NoScript. I actually keep a FAQ entry about the high-level differences between the two extensions as this is a not uncommon misunderstanding: