Firefox's Ping Attribute: Useful or Spyware?
An anonymous reader writes "The Mozilla Team has quietly enabled a new feature in Firefox that parses 'ping' attributes to anchor tags in HTML. Now links can have a 'ping' attribute that contains a list of servers to notify when you click on a link. Although link tracking has been done using redirects and Javascript, this new "feature" allows notification of an unlimited and uncontrollable number of servers for every click, and it is not noticeable without examining the source code for a link before clicking it."
This isn't a question, it's obviously a little of both. Sacrifice some information about the sites you visit to allow those who run the servers (anyone, really) some feedback and statistics.
It's simply the user's choice as to whether or not the pros outweigh the cons. And I'm sure the massive response that ensues on Slashdot will reveal that everyone values these pros and cons differently.
Doesn't seem to be much argument other than I think they should have a very simple way to disable this if the user so chooses. As with the iTunes fiasco, I would recommend Firefox be distributed with this option disabled.
My work here is dung.
I think the first thing any browser developer should consider when adding a new tag or tag attribute to the DOM is "How can this be abused?" and explore that question to its fullest. Because all of you know that it will be abused and that users will implement it wrong or find new uses for it that the developers didn't intend. Some of them may be good, some bad.
One ping-disabling Firefox extension.
How is this different from the web server logging every page and image you load?
Is the concern that the 'ping' comes from your browser and not any proxy server you may be using? In most cases your proxy server is also your NAT server so the 'ping' isn't going to give much of anything about your IP....
Of course this should be disabled by default, I just don't see this as a huge privacy issue.
v2sw7CUPhw5ln6pr5Pck4ma7u7LFw0m6g/l7Di5e6t5Ab6TH.
Websites can do all that stuff with a redirect script on the server side and the user has no control or knowledge of who is being notified. If site developers start using the ping tag instead we can selectively disable it with an extension. It gives the user control where before there was none.
compared to before? It's not as if this functionality isn't already employed through other ways (javascript or redirects on the serverside). Now, it's just a little bit easier.
Of course you can disable javascript, but most people don't. People who do so can also turn off this ping functionality. I'm sure an extension will allow doing this the easy way (NoScript notably).
the pun is mightier than the sword
A lot of websites use redirect pages to get this exact same information, and off the top of my head I imagine it is pretty simple to notify multiple urls of where you are going using some tricky javascript and even cookies and referrers can be used across sites to track visitors. This is just making a very common, and needlessly complex, mechanism infinitely simpler for the web developer.
The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
So, I don't mean to go all "Sensationalist Title" on your ass, but the post links to a Mozilla blog explaining how they've added this feature to the TRUNK. Announcing a new feature in a blog is not quite a press release, but it's a hell of a lot more forthcoming than what "quietly added" implies. Also, it's been added to the Trunk, so it's not likely to actually show up in any Mozilla build for a while, much longer, if ever, in a release. This is really the way to add something like this. Put it in to see where and how it will be used and whether that's good or bad.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
One badly formed loop and a page request with pings could mean one hell of a DoS attack.
.. but this is one of the cases where the Open Source model works well. Any truly paranoid geek out there can pull down the source tree and watch all of the changes to any of the crap the FF developers decide to throw in. They can then apply their own patches-of-paranoia and remove untrusted suspect code, build it and run it behind however many firewalls and proxies they have set up.
1. Javascript does it already
... if Microsoft said that /. would be up in arms)
2. Now you alienate any user using another browser
3. Mozilla team is pulling an IE (implementing their own extensions... read the blog... "w3c doesn't have to make all the rules")
My first thought was "How can you track clicks with a ping?". After RTFA, it's not literally a ping to some server, it's a request to a URI, most probably an HTTP request that will contain request parameters indicating what link was clicked.
Second of all, this is not any more of a privacy intrusion than previously existed. It was always possible to track clicks within a single website via cookies, and clicks on external links (i.e. banner ads) by using a redirect first. If the author of the website wants to track what you're doing, he's already got the means, and he's had them for years.
There are 2 kinds of people in this world. Those that can keep their train of thought,
One, this is in the trunk builds - NOT the released versions.
From a technical POV it's actually nicely thought out, as it separates logically the intended action and the "log."
I'm sure that Google, Yahoo, and others are BEGGING for this. I've worked in Design and Dev at two of the biggest travel sites - it's a huge problem tracking clicks. If we could remove our tracking javascript then users would get a MUCH snappier web site.
But we can't because our advertisers specify that we must have third party click/view audits that "verify" our intended audience numbers.
On the one hand, I know (having designed and built some of the auditing and log analysis systems) that we're tracking every click on our sites. We do use cookies. And the tag would bring it all out in the open instead of buried 3 layers deep in javascript.
But from an individual POV, it's like acknowledging that they really ARE watching me. And I am now consenting to that.
Solution: In my mind, the big (and little) sites could offer users the "option" of using the ping tag for a nicer user experience. It would be disabled by default, and a web site would have to specifically request and get permission from the user before the browser would "unlock"
Just my $0.02
I said no... but I missed and it came out yes.
Come on. Who asked for this 'feature'? I don't see the purpose of it. The article states that it is for "enable link tracking mechanisms commonly employed on the web". That sounds to me that a marketing lobbying firm has leveraged its influence somehow.
It will be abused really soon in my opinion. Right now the site you're browsing can track you. Tomorrow, your clicks will be broadcasted (clickcasted) to all ads firms live. Gr8t!
Assuming that IE implements the same feature, will sites use this? If clients can turn it off, I suspect that web sites won't trust it. This is something that is most accurately done on the server, and I think that's where it will stay.
The most rabid believers in American Exceptionalism are the exact same people whose policies are destroying it.
Disable the feature. Easy.
This kind of misses the point. If Firefox is to become a mainstream internet browser, it needs to be anti-spyware and usable from a clean install onwards. Making it the ideal browser for the tweakers, where it's at its most usable after multiple options have been changed and several extensions installed, is not going to make it the browser of choice for the general public.
As far as grabbing market share goes, it's the default settings that make the difference.
Can we please, please, keep politics out of this? I would rather discuss the FF issue, than listen to a flame war about politics.
Extensions should add features, not remove them.
No, it's not really that simple. This is much like the difference between first-party cookies and third-party cookies. In fact, I'd be happy if they decided to limit them at that level of granularity. I honestly wouldn't mind first-party pings. This provides--as you correctly note--nothing more than they can already collect now. It does, however, significantly enhance the developers' ability to directly collect stateful click-through information.
On the other hand, I'd say third-party pings are no less (and no more) evil than third-party cookies in terms of privacy. It seems to be a fairly common practice to disable third-party cookies while leaving first-party cookies enabled. I would certainly like the option to specify my preferences at that level.
Ever heard of cross-site scripting? "ping" needs at the least to be implemented in such a fashion that only the originating site can get a ping. Any pings to non-originating site should either be blocked wholesale or at least present the user a dialog (Site A is attempting to convey information about your browsing to Site B).
It's 10 PM. Do you know if you're un-American?
Acid2 only measures the particular edgecasitis that the Acid2 authors managed to think of - web developers seem capable of introducing many more. What's needed isn't more acid tests but a W3-approved regression suite.
My question is where did this idea come from? Is it in an HTML standard somewhere? If not, they shouldn't have bothered putting it in IMHO. How can I tell my friends that Firefox aims to be more standards compliant if the Mozilla team is putting in proprietary HTML features?
Arguing about vi versus Emacs is like arguing whether it's better to make fire by rubbing sticks or banging rocks.
Do not confuse this feature with spyware. Tracking cookies have always been used by advertising companies, yet they can be disabled. But I'd rather stick with tracking cookies than having to navigate through sites with embedded flash because the sponsors require them to. This "cookies = spyware" is just paranoia to me.
Anyway, if a website gives you a "ping" attribute, what prevents the same site from obfuscating the link and doing some redirections? It's EXACTLY THE SAME! If there can be any abuse, it's because the attribute is provided BY THE WEBSITE'S CONTENT. And who controls the website content?
One major abuse I could see are phishing sites, but if you already entered a phishing site it's your own fault, and I *REALLY* doubt a bank site would add ping attributes to their website.
In comparison, SPYWARE steals resources, bandwidth, CPU and Memory, and makes your system unstable, stealing also YOUR VALUABLE TIME.
So, no, the ping attribute is NOT SPYWARE. I think the article submitter was too sensationalist by putting this in the headline.
> You would think so. Starting with cookies, though, there's
> always been a major component of web design and development
> which hinges on deliberately obfuscating important events
> from the user.
Still using cookies as an example, progress has been towards better "cookie privacy". Items like blocking 3rd party cookies by default, a clear "clear all information" button, limits which override cookie expiries, etc. all give the user more control over his/her privacy.
To add this "ping" feature w/o also providing control over its use to users is rather surprising since, otherwise, Firefox has been moving in the right direction.
This is not just surprising, but incredibly disappointing.
And we should compromise our security (arguably) and our knowledge of what the system is doing (certainly) for their profit margin why?
fast as fast can be. you'll never catch me.
Saying that you'd stop using Firefox if this is deployed is like saying you'd stop going to Wal-Mart if they have cameras watching you ... but wait ... they do. Face it. You're on the web. You're being tracked. OMG! Slashdot is tracking me now!!1!!1
... as a tool to improve user experience, this is a GREAT idea. decouple the link tracking from the target page loading. however, until it's adopted in a standard way by all browsers, it's useless. this can already be done in numerous ways thru javascript, proxy pages, inventive link creation, mod-rewrite ... there are as many ways to track user clicks as there are competent developers.
but seriously
sure, make it disableable. additionally, make it configurable to set the maximum number of PINGs per click. and lastly, limit the URLs to the originating site only.
"Glory is fleeting, but obscurity is forever." - Napoleon Bonaparte
I just want to ask: What functionality does this give to me, as a user, that couldn't be entirely implemented on the server side without requiring anything to happen behind my back?
I use the web to view content. Ceding the argument of complex layouts (graphics, frames, fonts, etc.) there is no content that I've viewed in the last 8 years which requires any functionality on my browser's part beyond what I could get from lynx. What does this ping bring to me, as a user, and why should I care to have it at all?
AJAX doesn't impress me either. Webapps, while nice for jobs and web-coders (everyone needs to make a living somehow), should die. There's a better and more secure way to do everything which any web-app does.
fast as fast can be. you'll never catch me.
Not everyone views the web as "read-only", so to speak.
I use quite a few sites as tools that give me access to data or features provided by someone that I wouldn't normally have access to. Examples include bank sites and stock brokerage firm sites.
One additional response to your comment: how about providing insight as to the "more secure" alternatives to AJAX that provide the same functionality and fill the same niche rather than simply saying it "should die".
"I have no special gift, I am only passionately curious." - Albert Einstein
Couldn't a crafty webmaster load up a javascript on an adwords page to add all the adwords links as ping fields to all the links on the page via the DOM? Then all the links on the page would generate adwords clicks right?
Does this protocol check for duplicate links in the ping? What happens if I put like 10 or 100 of the same link in the ping? With a popular enough website I could inundate other websites with garbage ping requests.
---k--
</stupid>
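The controls several commenters above ask for (pings limited to the originating site, a cap on pings per click, duplicate entries ignored) can be expressed as a small filter over the attribute's value. This is an added example, not part of the original thread or Mozilla's code; `filterPings`, `MAX_PINGS` and the sample URLs are hypothetical, and "first-party" is assumed to mean same origin as the page.

```javascript
// Added example: a ping-filtering policy of the kind requested in the thread.
// All names and sample values are hypothetical and constructed for illustration.

const MAX_PINGS = 2; // assumed per-click cap

// Constructed sample input: a page URL and the raw value of a ping attribute.
const SAMPLE_PAGE = "https://news.example/story/1";
const SAMPLE_PING =
  "/log?l=1 https://ads.example/c /log?l=1 " +
  "https://news.example/a https://news.example/b javascript:void(0)";

// The ping attribute is a whitespace-separated list of URLs. Resolve each
// against the page URL, keep only http(s), and drop exact duplicates.
function parsePingAttribute(value, pageUrl) {
  const seen = new Set();
  const urls = [];
  for (const token of (value || "").trim().split(/\s+/)) {
    if (!token) continue;
    let u;
    try {
      u = new URL(token, pageUrl);
    } catch {
      continue; // unparsable entry: never send anything for it
    }
    if (u.protocol !== "http:" && u.protocol !== "https:") continue;
    u.hash = ""; // the fragment is never sent, so ignore it when deduplicating
    if (seen.has(u.href)) continue;
    seen.add(u.href);
    urls.push(u);
  }
  return urls;
}

// Decide which ping targets a click may notify and record why others are dropped.
function filterPings(value, pageUrl, opts = {}) {
  const { allowThirdParty = false, maxPings = MAX_PINGS } = opts;
  const pageOrigin = new URL(pageUrl).origin;
  const allowed = [];
  const blocked = [];
  for (const u of parsePingAttribute(value, pageUrl)) {
    const firstParty = u.origin === pageOrigin;
    if (!firstParty && !allowThirdParty) {
      blocked.push({ url: u.href, reason: "third-party" });
    } else if (allowed.length >= maxPings) {
      blocked.push({ url: u.href, reason: "over-cap" });
    } else {
      allowed.push(u.href);
    }
  }
  return { allowed, blocked };
}
```

The `blocked` list is what a user-facing control could display, so the targets a click would have notified become visible without reading the page source.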
There are a couple things wrong with your statement here:
First, the purpose of web standards is not to hand the power to bless things to one organization, but rather to ensure that new technologies and features are implemented and used in a clear, interoperable fashion by browser developers and web designers. So if the people on both ends of the web (the companies and groups which build the browsers, and the designers and developers who build web sites) can get together and agree on a standard way to implement and use a new feature, why not let them do it instead of complaining that it hasn't been blessed by some grand high muck-a-muck at the W3C?
Second, the W3C's authority exists only through consensus. If they lose the consensus of the big players in the web industry, they lose their authority. This is what's already partially begun to happen; the W3C is currently working on XHTML 2.0, which has some major issues:
Because of this, the W3C is in serious danger of losing its consensus and its relevance, which means it's also in serious danger of losing its authority. The WHATWG was founded, basically, with the idea of ending the stagnation of web technology (the last standardized version of an HTML language was published six years ago, and the last standardized version of CSS was published eight years ago) and implementing features that will make web design and development easier all around (think things like expanded form controls, additional useful DOM properties and methods, etc.), and so far it's not doing too bad a job of that.
Think of the distinction like this:
The big advantage of web apps is that they don't require installation.
Sure, you can come up with a zero-install app with roaming profiles running on a distributed, remotely-accessible platform using something other than HTTP and a web browser -- but you'd need to set up the infrastructure and get the platform installed on as many PCs as possible. That's the next-gen "right" solution, and I recall Microsoft talking about this type of thing with .Net and Hailstorm a few years back (funny how people didn't like it much). Web apps are the "right now" solution which can get this type of app running and in use today.
Bypassed? That may demand definition, for example,
Where does http://tinyurl.com/161 go?
How about http://freshmeat.net/redir/cexec/57387/url_homepa
How do you know without making a URL connection?
Oh sure, you can ignore links that look like that, and even block them. Nobody's suggesting that you cannot block PING-requested URLs.
But bypassed? What exactly could you mean by this?
> Acid2 only measures the particular edgecasitis that the Acid2 authors managed to think of - web developers seem capable of introducing many more. What's needed isn't more acid tests but a W3-approved regression suite.
Too rigid. I developed a fairly complex layout for a website that was IE, Firefox, Opera and W3C-compliant (hardest of all after IE compatibility, you'd be surprised how forgiving browsers really are). Strangely enough it had a small rendering bug on Safari and I presume Konqueror as well. Anyway, Firefox and Opera were almost to the pixel identical. When they all pass ACID2 I think you have to really go out of your way to make it render differently on W3C-compliant pages. If your page isn't valid (X)HTML/CSS, then expect things to behave odd. What is needed is better tools to create compliant pages - I've seen so many broken tools that should have been put to death long ago.
Kjella
Live today, because you never know what tomorrow brings
I would agree if you could demonstrate the usefulness of AJAX outside of a web browser. AJAX may, in itself, be a fantastic design. The question still remains, though, "What are we really trying to accomplish and should we be doing this with a web browser at all?"
Lately the following has become increasingly obvious: We're adding new features to keep and track users on the web to generate databases and clicks for (artificial) revenue to show numbers to the investors so that we can get more capital to add new features to keep and track users on the web to generate databases and clicks for (artificial) revenue to show numbers to the investors so that we can get more capital to add new features...
Can you see why I, as a user, am no longer impressed with port 80? I'm not really fond of pyramid schemes.
fast as fast can be. you'll never catch me.