Jump to content



Photo

  • Please log in to reply
11 replies to this topic

#1 em_te

em_te

    Awan Afuqya

  • 1,738 posts
  • Joined: 16-June 03

Posted 23 July 2014 - 08:17

Sharing a link to a social media website using a plugin? Prepare to lose privacy. But this time it's not the NSA tracking you. Instead you're being tracked by the plugin vendors. Vendors like AddThis, ShareThis and AddToAny are keeping track of what links you are sharing, not only on the current website, but on any other websites that use those plugins.

But they don't really know who you are, right? You've never given them your Facebook ID or Twitter ID. Well think again. These social sharing plugins are using by millions of websites out there. Even if you don't click on them, they are still being loaded by your browser whenever you visit a page that uses social sharing plugins, allowing them to track you by your IP. And by constructing a huge database of websites that you've visited, they can generate a pretty clear picture of your personal interests and browsing habits. Information that advertisers and insurance companies are interested in.

Not only can they track you, they can also track the people who visit the links that you've shared. Some plugins will modify the link that you share to include a tracker ID or will substitute another link that redirects the user through another server first. This way they can build a database of people who share things and find out who clicks on those links and who subsequently re-shares them.

And think they can't track you because you're using Incognito mode or InPrivate mode in your browser? Well AddThis is experimenting with a new tracking tool called Canvas Fingerprinting which is virtually impossible to block. It works by picking a bunch of metrics off your computer, including things like what fonts are installed, and then generates a unique fingerprint of you on this particular computer. Even if you clear your cookies or block them, they can still track you.

How about "opting out" of being tracked on the social sharing plugins website? Many social sharing plugins feel obliged to offer you the ability to opt-out by setting an "opt-out" cookie in your browser. This is the real world equivalent to sticking a "No Spam" sticker on your mailbox at home. But lets face it, how much do you trust them to comply with those cookies? They didn't ask you for permission to take part in the Canvas Fingerprint experiment in the first place.

Can't I block these social sharing plugins at the firewall? Only if you don't mind slowing your browser to a halt. Social sharing plugins use a technology called JavaScript to include themselves in the websites that we visit. When your browser visits a website and sees a link to a JavaScript file located on the social sharing plugin's server, it will try and download it. But if your firewall blocks it, your browser will keep waiting up to 20 seconds for it to load and during this time the website will be blocked from rendering. Imagine having to wait 20 seconds for each website because a server is inaccessible.

Well what can we do?

For starters you can send an email to your favorite websites politely asking them to stop using social media plugins that track users.

You can also write to your senator asking them to support laws that protect your privacy.

If you own a website, you can use Open Source social sharing plugins that don't track users or use plugins that can be whole hosted on your own server and that doesn't call out to external servers.

If you use Internet Explorer, Chrome, Safari or Opera, you can disable JavaScript in your browsers settings before going into Incognito mode.

http://www.propublic...ssible-to-block


#2 TPreston

TPreston

    Neowinian Senior

  • 2,709 posts
  • Joined: 18-July 12
  • Location: Ireland
  • OS: Windows 8.1 Enterprise & Server 2012R2/08R2 Datacenter
  • Phone: Nokia Lumia 1520

Posted 23 July 2014 - 11:40

......Firewalls don't do http content filtering. Its entirely possible to block these things without slowing down browsing you can use a hosts file, Cisco isr/equivlant or a secure gateway without slowing down internet access I've been doing it for years with tmg.

Advertising is a slimy buisness and there's little to no regulation to keep these scumbags in line.

#3 OP em_te

em_te

    Awan Afuqya

  • 1,738 posts
  • Joined: 16-June 03

Posted 25 July 2014 - 04:12

......Firewalls don't do http content filtering.

You can block access to their IP or their domain.

Its entirely possible to block these things without slowing down browsing you can use a hosts file,

With hosts file even if you set their domain to resolve to 127.0.0.1, unless you're running a local server that will connect and then reject the request, your browser will still try and connect to 127.0.0.1 and wait for the timeout. At least that's what happens on Windows.

#4 Torolol

Torolol

  • 3,175 posts
  • Joined: 24-November 12

Posted 25 July 2014 - 04:19

i use local-proxy to re-direct any javascripts request to any known social media/trackers, so the website will get my version of javascript which contain nothing but stubs of empty functions.



#5 OP em_te

em_te

    Awan Afuqya

  • 1,738 posts
  • Joined: 16-June 03

Posted 25 July 2014 - 05:22

i use local-proxy to re-direct any javascripts request to any known social media/trackers, so the website will get my version of javascript which contain nothing but stubs of empty functions.


Why not just an empty file or do your empty functions screw around with the website a little?

Someone should write a little application whose only job is to listen on the local computer for requests and issue "404 Not Found" replies to all of them. So we can use hosts file to redirect all domains to home. Or to be more sneaky it should be a "401 Unauthorized" reply. :)

#6 Torolol

Torolol

  • 3,175 posts
  • Joined: 24-November 12

Posted 25 July 2014 - 05:32



Why not just an empty file or do your empty functions screw around with the website a little?

 

certain website did checks for certain functions from tracker's javascripts, if those functions are not available those sites designed to not behave properly.

but for most cases, an empty files to replace the tracker javascripts would usually works just fine.



#7 +LimeMaster

LimeMaster

    LippyZillaD Council ( ͡° ͜ʖ ͡°)

  • 11,085 posts
  • Joined: 28-August 10
  • OS: Windows 8
  • Phone: Nokia Lumia 920

Posted 25 July 2014 - 09:36

Adblock Plus actually has a feature which prevents those social media plugins from loading, so if you are concerned, then I'd recommend installing it: :)

https://adblockplus....res#socialmedia

 

Also, it's a separate filter from the ad filter, so if you don't want to block ads, you can simply remove the filter and only use the social media one.   



#8 OP em_te

em_te

    Awan Afuqya

  • 1,738 posts
  • Joined: 16-June 03

Posted 30 July 2014 - 07:44

 

certain website did checks for certain functions from tracker's javascripts, if those functions are not available those sites designed to not behave properly.

but for most cases, an empty files to replace the tracker javascripts would usually works just fine.

Off topic, but how do you deal with HTTPS requests? You don't have the certs.



#9 Steven P.

Steven P.

    aka Neobond

  • 31,384 posts
  • Joined: 09-July 01
  • Location: Neowin HQ

Posted 30 July 2014 - 07:49

Erm this is to be expected if a third party service is being used to share via social media. On Neowin we use the api for the social media service (same goes for the forums). Click bait.... (technically the api for sharing via a website is also a plugin, but not third party).



#10 Torolol

Torolol

  • 3,175 posts
  • Joined: 24-November 12

Posted 30 July 2014 - 09:02

Off topic, but how do you deal with HTTPS requests? You don't have the certs.

theres several ways:

using hosts files, or

adding the site's certificates into Untrusted certificate List, or

using the BudMan's way only if the sites behaves erroneously when they can't get their 3rd party https-javascripts.

 

current local proxy program that I use doesn't support ssl-bump on windows,

but i've test what BudMan have shown and its works on Unix/Linux environment.

I must thanks BudMan for showing me the light. :D



#11 Jack 0Neill

Jack 0Neill

    Neowinian

  • 642 posts
  • Joined: 23-October 05

Posted 30 July 2014 - 23:06

......Firewalls don't do http content filtering.


Wrong. Many firewalls do this.
 

Its entirely possible to block these things without slowing down browsing you can use a hosts file, Cisco isr/equivlant or a secure gateway without slowing down internet access I've been doing it for years with tmg.

Misuse of the hosts file. Hosts is not meant to block ads and that will slow down your browsing because it has to parse every single line you block.


The Lunarsoft Wiki has a great read about properly blocking things like that.



#12 Praetor

Praetor

    ASCii / ANSi Designer

  • 3,530 posts
  • Joined: 05-June 02
  • Location: Lisbon
  • OS: Windows Eight dot One dot One 1!one

Posted 30 July 2014 - 23:17

Misuse of the hosts file. Hosts is not meant to block ads and that will slow down your browsing because it has to parse every single line you block.

 

very true; i've seen computers back in the 2000 with hundreds of blocked sites in hosts, making web navigation horrible slow (thank you spybot seek and destroy for that crap!).

 

Also: TMG was so great  :cry:  (Y)