Slashdot Mirror


Several Major Browsers to Prevent Disabling of Click-Tracking 'Hyperlink Auditing' (bleepingcomputer.com)

x_t0ken_407 quotes BleepingComputer: An HTML standard called hyperlink auditing that allows sites to track link clicks is enabled by default on Safari, Chrome, Opera, and Microsoft Edge, but will soon have no way to disable it. As it is considered a privacy risk, browsers previously allowed you to disable this feature. Now they are going in the opposite direction.

Hyperlink auditing is an HTML standard that allows the creation of special links that ping back to a specified URL when they are clicked on. These pings are done in the form of a POST request to the specified web page that can then examine the request headers to see what page the link was clicked on.

The article concludes that "Firefox and Brave win the award" for people who want this click-tracking capability disabled -- since "only Brave and Firefox currently disable it by default, and do not appear to have any plans on enabling it in the future."

32 of 142 comments

  1. Turned off by default in firefox by Anonymous Coward · · Score: 5, Informative

    Went looking for how to turn it off, article was kind enough to provide the necessary about:config setting, it's "browser.send_pings".

    Firefox already has it off by default. Nice! for once.

    1. Re:Turned off by default in firefox by AmiMoJo · · Score: 5, Informative

      For Chrome install uBlock Origin and it's an option under "Privacy".

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Turned off by default in firefox by omfglearntoplay · · Score: 2

      So what happens with Chrome when it's not an option to turn off anymore? A little worrying.

    3. Re:Turned off by default in firefox by GuB-42 · · Score: 2

      *Not* nice.

      tl;dr : It means a worse user experience and less privacy for Firefox users.

      Try to think about why that "evil" standard exists in the first place. People don't need hyperlink auditing to track you.
      What they do instead is that they wrap links into redirect URLs. They use JS to hide it in the tooltip. Just make a Google search in Firefox, right click on one of the search results and "copy link location". What you'll get is a Google URL with a redirect target. Google is far from being the only one to do that.

      The problem with that is that it makes "copy link location" almost useless. It also has an impact on performance. "Hyperlink auditing" is the answer to that problem. Now, look at the Google search results in Google Chrome. The link targets are correct, no more of that redirect bullshit. That's because it uses the "ping" attribute to achieve the same thing.

      So when it comes to Google search, both Firefox and Google Chrome users are tracked. The difference is that Firefox users can't properly copy links and are slower. Furthermore, if you have uBlock Origin installed, you will only get tracked if you are using Firefox...

    4. Re:Turned off by default in firefox by Pieroxy · · Score: 2

      What people that want to track clicks do today is bring you to their website and issue a 302 to redirect you to the destination website. What this feature allowed was to remove the necessary hop, and thus would make the web faster.

      But since Firefox did not activate it by default, everyone is still redirected through domains every time they click a link.

      Not sure it's an actual win. Firefox does not remove a feature by disabling this, they forbid an optimization.

  2. Can't this just be done with Javascript? by phantomfive · · Score: 2

    Can't you just encase the link in Javascript and get the clicked link that way? Or do webpages not do that very often?

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Can't this just be done with Javascript? by MrL0G1C · · Score: 5, Insightful

      I loathe links made in that manner because when you right-click them they aren't treated as links so you can't open them in a new tab with a right-click or copy the link etc. That is a mistake IMO, if it's a link when you left-click it then it should also be treated as a link when you right-click it.

      --
      Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
    2. Re:Can't this just be done with Javascript? by Anonymous Coward · · Score: 2

      Don't even need that - they could be far more honest and simply rewrite it http://clicktrackers.com/logclick&desturl=http://blah.... ; and clicktrackers simply sends a redirect to the real site name.

      The point of this is to hide the fact your clicks are being tracked so you don't see it.

    3. Re:Can't this just be done with Javascript? by viperidaenz · · Score: 3

      The point is to also speed the request up. The ping can be done in parallel, you don't need to wait for your click-tracker to redirect you.
      ad-blockers can also easily block the ping request.

    4. Re:Can't this just be done with Javascript? by DontBeAMoran · · Score: 3

      They also break "command+click" which is supposed to open the link in a new tab.

      --
      #DeleteFacebook
    5. Re:Can't this just be done with Javascript? by The+MAZZTer · · Score: 4, Informative

      You can make the links work properly when right clicked, the problem is whoever coded it didn't care enough to make that happen.

      The proper way to do it is to make it a normal link, but then hook up some JavaScript that stops the default link behavior and/or does something extra in the background.

    6. Re:Can't this just be done with Javascript? by Waccoon · · Score: 2

      Even better, UX people are trying to bring the "swipe" paradigm to the desktop. Now, just trying to select and copy a block of text doesn't work, because clicking anywhere in the text treats it like a drag-able layer.

      Modern UX is all about breaking everything that made the web work. If browsers even try to stop this BS, designers will hack their way around the fixes.

  3. Chromium Issue 935978 by Anonymous Coward · · Score: 5, Informative

    Chrome devs have removed the hidden setting while they debate promoting it into the regular settings UI. If you want this, star the bug (but don't flood the comments too much):
    Issue 935978

  4. Pale Moon - OFF by default by Anonymous Coward · · Score: 3, Informative

    Turned off by default in Pale Moon too.

    (I checked...)

    AC

  5. Re:"One of these things is not like the others" by ChoGGi · · Score: 3, Informative

    There's always tampermonkey

    let links = document.getElementsByTagName("a");
    for (let i = 0; i < links.length; i++) {
        let link = links[i];
        if (link.hasAttribute("ping")) {
            link.removeAttribute("ping");
        }
    }

    Assuming it works... anyone got a site with these ping links?
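
An added example, not part of ChoGGi's post: a userscript variant that also covers `<area>` elements, links inserted after page load, and `ping` attributes set later by page scripts. The function names `stripPings` and `handleMutations` are chosen here for illustration.

```javascript
// Added example (not ChoGGi's code): strip hyperlink-auditing pings,
// including ones that appear after the initial page load.
// The "ping" attribute is defined for both <a> and <area>.
const PING_SELECTOR = "a[ping], area[ping]";

// Remove ping from `node` and its descendants; returns how many were stripped.
function stripPings(node) {
  if (!node || typeof node.querySelectorAll !== "function") return 0; // text nodes etc.
  const targets = Array.from(node.querySelectorAll(PING_SELECTOR));
  if (typeof node.matches === "function" && node.matches(PING_SELECTOR)) targets.push(node);
  for (const el of targets) el.removeAttribute("ping");
  return targets.length;
}

// Process one batch of MutationObserver records.
function handleMutations(records) {
  let stripped = 0;
  for (const rec of records) {
    if (rec.type === "attributes") {
      // A page script (re)set ping on an existing element.
      if (rec.target.hasAttribute("ping")) {
        rec.target.removeAttribute("ping");
        stripped++;
      }
    } else {
      for (const added of rec.addedNodes) stripped += stripPings(added);
    }
  }
  return stripped;
}

// Runs only where a DOM exists (browser / userscript manager).
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  stripPings(document); // links present at load, as in the loop above
  new MutationObserver(handleMutations).observe(document.documentElement, {
    childList: true,
    subtree: true,
    attributes: true,
    attributeFilter: ["ping"],
  });
}
```

Removing the attribute triggers one more `attributes` record, which is a no-op because `hasAttribute("ping")` is then false.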

  6. Yet another reason to use Firefox by Tough+Love · · Score: 4, Insightful

    Look folks, as long as Google has control of the browser engine source code, Google has you by the short hairs. Worse, control of the binaries as in Android. Open source or not. Not only is Firefox just an all round nicer browser to use (my opinion, if you disagree then please direct your fan mail to Larry Page) it is the only browser that gives a toss about your privacy.

    --
    When all you have is a hammer, every problem starts to look like a thumb.
    1. Re:Yet another reason to use Firefox by Tough+Love · · Score: 3, Informative

      Right, ask selfless Eric Schmidt, he'll tell you.

      --
      When all you have is a hammer, every problem starts to look like a thumb.
    2. Re:Yet another reason to use Firefox by dargaud · · Score: 2

      ...posted as an anonymous coward... how fitting !

      --
      Non-Linux Penguins ?
  7. Re:Tim Berners-Lee, the hypocrite by diamondmagic · · Score: 5, Informative

    No, "ping" isn't in the official HTML specification. What /. linked to is Google's unofficial fork of HTML.

  8. For WHAT? by Anonymous Coward · · Score: 4, Insightful

    You deranged idiots are incredible. You clearly want a police state where any person can be locked up on a whim if the "right people" disagree with them, and you think of yourselves as the "right people".

    History is littered with the corpses of the victims of tyranny who themselves enabled that tyranny in the dreams of using it to oppress their political opponents.

    At least the Trumpsters chanting "Lock her up!" had a list of actual violations of actual laws for which they wanted her locked up. The FBI even admitted to that list when James Comey infamously stated that "no reasonable" prosecutor would prosecute her for her crimes, and then moments later announced that if anybody else did the same thing, that person WOULD be prosecuted. You people who've been snorting some sort of drug from Rachel Maddow or Chris Hayes or Chris Cuomo, or Don Lemon, etc have no flipping idea of what laws you imagine Trump has violated.

    Morons.

  9. Re:"Safari, Chrome, Opera, and Microsoft Edge"? by anegg · · Score: 3, Funny

    More like Practically Chrome, Chrome, Chrome, and Chrome

    Can I get spam with that?

  10. Re:"Safari, Chrome, Opera, and Microsoft Edge"? by Cmdln+Daco · · Score: 2

    Chrome and Safari are based on Konqueror, which is a KDE project. Apple always copies somebody else's code, but retains many lawyers to keep others from copying theirs.

  11. Re:Tim Berners-Lee, the hypocrite by Dracos · · Score: 2

    Drafts of HTML5 included a ping attribute on the a element for doing exactly this. Anyone with a brain could see it would be an order of magnitude more exploitable and abusable than cookies. At some point it was removed from HTML5 officially, but the W3C has gotten into a habit of modularizing things.

  12. ping is better than redirect by kiviQr · · Score: 2

    At least you can see where you are going. Plus you can block ping with browser extensions. Redirects not so much.

  13. Firefox is Doomed by jaa101 · · Score: 4, Interesting

    This is why Firefox is doomed if it remains a hold-out. Money from the internet comes from advertising so the major platforms are going to find a way to sideline companies the size of Mozilla that spoil the party. The surprise here is that Safari has recently disabled this feature since Apple is much less beholden to advertising interests. There's a chance that the Safari change was inadvertent, or at least wasn't considered very high up the corporate ladder. With luck Apple will put the feature back.

    1. Re:Firefox is Doomed by AmiMoJo · · Score: 4, Insightful

      Apple probably did it for the same reason everyone else did - it actually enhances privacy.

      There are two ways you can audit clicks on links. You can use the proper HTML hyperlink auditing system, or you can write some horrible Javascript. The HTML hyperlink auditing system can be optimized by the browser for performance, and blocked by extensions, and means you get a real link instead of some Javascript that can't be copy/pasted or opened in a new tab.

      By encouraging everyone to use HTML hyperlink auditing it actually improves privacy by making it easier to block and making links work like they are supposed to.

      The next step will be to disable the Javascript option. Don't allow OnClick() to rewrite the page URL.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  14. Re:"One of these things is not like the others" by grep+-v+'.*'+* · · Score: 4, Informative

    I read about this yesterday, and immediately thought about tampermonkey. Thanks for the script.

    On page link they talk about this, with

    To create a hyperlink auditing URL, you can simply create a normal hyperlink HTML tag, but also include a ping="[url]" variable.

    <a href="https://www.google.com/"
    ping="https://www.bleepingcomputer.com/pong.php"> Ping Me</a>


    To wit: Ping Me

    This will render on the page as a normal link to google.com and if you hover over it, will only show you the destination URL. It does not show you the ping back URL, so users will not even realize this is happening unless they examine the site's source code. Scripts that receive the ping POST request can then parse the headers in order to see what page the ping came from and where the hyperlink audited link was going to.

    The headers associated with the information sent in the ping request are shown below.

    [HTTP_PING_FROM] => https://www.bleepingcomputer.com/ping.html
    [HTTP_PING_TO] => https://www.google.com/
    [CONTENT_TYPE] => text/ping

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
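
An added example, not part of the post above or the BleepingComputer article: picking hyperlink-auditing pings out of captured requests (a proxy log or HAR export) using the headers quoted above. `classifyPing`, `summarizePings` and the `tracker.example` / `example.org` entries are constructed for illustration; the handling of a missing `Ping-From` follows the WHATWG HTML text, which omits that header in some cross-origin cases.

```javascript
// Added example: recognise hyperlink-auditing pings among captured requests.

// HTTP header names are case-insensitive, so normalise before lookup.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Returns { endpoint, from, to } for a ping, or null for any other request.
function classifyPing(req) {
  const h = normalizeHeaders(req.headers || {});
  const mediaType = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (String(req.method).toUpperCase() !== "POST" || mediaType !== "text/ping") return null;
  if (!h["ping-to"]) return null; // Ping-To carries the clicked link's href
  return { endpoint: req.url, from: h["ping-from"] || null, to: h["ping-to"] };
}

// Tally which hosts receive pings and which link targets each one learns about.
function summarizePings(requests) {
  const byHost = {};
  for (const req of requests) {
    const ping = classifyPing(req);
    if (!ping) continue;
    const host = new URL(ping.endpoint).host;
    (byHost[host] = byHost[host] || []).push(ping.to);
  }
  return byHost;
}

// Constructed sample capture; the first entry mirrors the headers quoted above.
const SAMPLE = [
  { method: "POST", url: "https://www.bleepingcomputer.com/pong.php",
    headers: { "Ping-From": "https://www.bleepingcomputer.com/ping.html",
               "Ping-To": "https://www.google.com/", "Content-Type": "text/ping" } },
  { method: "POST", url: "https://tracker.example/p", // no Ping-From, parameterised type
    headers: { "ping-to": "https://example.org/a", "content-type": "text/ping; charset=utf-8" } },
  { method: "POST", url: "https://example.org/login", // ordinary form post
    headers: { "Content-Type": "application/x-www-form-urlencoded" } },
  { method: "GET", url: "https://example.org/", headers: {} },
];
```

The same predicate is what a blocking rule keys on: a `POST` whose media type is `text/ping`.
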
  15. Re:"One of these things is not like the others" by Z00L00K · · Score: 4, Insightful

    Or go around the other way - use this to generate faked pingbacks in large volume rendering the data collected useless.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  16. Re:Why? by AHuxley · · Score: 2

    AC, ads, always the ads.

    --
    Domestic spying is now "Benign Information Gathering"
  17. Re:Tim Berners-Lee, the hypocrite by shadow_slicer · · Score: 2

    How is the w3c version "official" if no one is following it anymore? After the XHTML debacle the WHATWG created HTML5. The w3c tries to remain relevant by taking occasional snapshots of the WHATWG standard, but they have no real authority anymore. Calling it "Google's" unofficial fork is incorrect - it was created and is maintained by a consortium of browser developers and is the authoritative reference for HTML5.

  18. Re:Tim Berners-Lee, the hypocrite by diamondmagic · · Score: 2

    Every website and their mother was moving to XHTML, the XHTML debacle is that Internet Explorer wouldn't support the application/xhtml+xml media type. That's it. It's perfectly fine to use XHTML now that IE6 is no longer a thing.

    And no, their fork is not authoritative, it's only defined for Web browsers, it lacks features required for Internet media types in general, the IETF assigned authority for HTML to the W3C in RFC2854, and the IANA still registers text/html as maintained by the W3C. https://www.iana.org/assignmen...

  19. Recommendations by d3bruts1d · · Score: 2

    w3c publishes recommendations not specifications.

    "And thirdly, it is more what you'd call guidelines than actual rules." — Captain Hector Barbossa