
Decentraleyes: A Firefox addon to prevent tracking via free CDN providers - throwaway2048
https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/
======
rgbrenner
I read over a bit of the source. It uses a hard coded list of CDNs and files.
So it does nothing unless the CDN and file are on this list:
[https://github.com/Synzvato/decentraleyes/blob/master/lib/ma...](https://github.com/Synzvato/decentraleyes/blob/master/lib/mappings.js)

Edit: someone asked how this works..

1) it looks up the resource in the mapping (linked above) (matching the cdn
and file path).

2) if found, it replaces it with the copy it includes:
[https://github.com/Synzvato/decentraleyes/tree/master/data/r...](https://github.com/Synzvato/decentraleyes/tree/master/data/resources)

So for those files, requests are never made to the CDN.

If the website uses a different CDN, a library that isn't recognized, or a
version that isn't recognized, then the request is still made.
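A minimal sketch of that lookup in plain JavaScript (the mapping entries and resource paths below are hypothetical stand-ins, not the addon's actual data structures):

```javascript
// Hypothetical, heavily simplified version of the CDN-to-local-file mapping.
// The real addon's mapping lives in lib/mappings.js and is far larger.
const mappings = {
  "ajax.googleapis.com": {
    "/ajax/libs/jquery/": "resources/jquery"
  },
  "cdnjs.cloudflare.com": {
    "/ajax/libs/backbone.js/": "resources/backbone"
  }
};

// Given a requested URL, return the bundled local resource path,
// or null if the CDN/path is not in the hard-coded list.
function findLocalResource(url) {
  const { hostname, pathname } = new URL(url);
  const host = mappings[hostname];
  if (!host) return null;               // unknown CDN: request goes out as usual
  for (const prefix of Object.keys(host)) {
    if (pathname.startsWith(prefix)) {
      return host[prefix];              // known file: serve the bundled copy
    }
  }
  return null;                          // known CDN, unknown file: request goes out
}
```

On a match the request is answered locally and the CDN is never contacted; without one, the request proceeds normally.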

~~~
vbezhenar
I thought that a CDN should send proper caching headers, so the browser would
save a cached version after the first request and never hit the CDN again.

~~~
perlpimp
The browser still needs to check whether the file has changed, hence the 304 HTTP status code.

~~~
mike-cardwell
If the server sends an "Expires" header in the response, then the client
doesn't even need to do that check. With an expires header, the server has
effectively told the client that the data won't change until at least a
particular date, and so the client honours that information.

Last-Modified/If-Modified-Since is an optimisation trick which exists for the
situation where the person running the website hasn't bothered to explicitly
define expiry periods for content.
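Concretely (illustrative headers, not from a real capture): an Expires header settles freshness for the whole window, whereas Last-Modified only enables cheaper revalidation:

```http
HTTP/1.1 200 OK
Content-Type: application/javascript
Expires: Thu, 31 Dec 2015 23:59:59 GMT
(client makes no further requests for this resource until that date)

HTTP/1.1 200 OK
Content-Type: application/javascript
Last-Modified: Mon, 12 Oct 2015 08:00:00 GMT
(client revalidates: GET with If-Modified-Since, server answers 304 Not Modified)
```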

------
lucb1e
This is brilliant, not only for privacy but for speed. Seeing this makes me
wonder why I haven't built it myself. I've often thought that JavaScript
loading tags could include a hash of the desired resource, so your browser
fetches it only once across a thousand page loads on a thousand websites. This
is not that, but it is extra local caching, and on top of that it stops most
tracking by CDNs. I guess I always thought of it as something my browser
should have instead of an addon.

~~~
edraferi
IPFS does this by design. Everything is content-addressed so you immediately
know if you've seen the resource before. This also enables chunk-level
deduplication.

Of course the P2P nature of the project means other people can find out
exactly which of those resources you're looking at...

~~~
chc4
Only your direct peers can, and they can't tell if you got the content to
increase your fitness score or because you wanted the asset for yourself.
Peers are incentivized to pull as many assets as they can (which prevents
torrent death) in order to build reputation.

~~~
theptip
I think this is overly optimistic; as soon as you pull down a rare asset you
have leaked information, since a peer that's farming would presumably work
down the list of assets ranked by some measure of popularity, and would be
unlikely to bother collecting obscure content.

This sort of system helps against some sorts of snooping, but certainly not
nation-state adversaries.

------
elktea
Looks good. I've added it to my ever-growing list of privacy extensions:

  * Privacy Badger
  * Disconnect
  * CanvasBlocker

Can anyone recommend any more?

~~~
sheepdestroyer
I personally use this triple combo :

HTTPS Everywhere: [https://www.eff.org/https-everywhere](https://www.eff.org/https-everywhere)

uBlock Origin :
[https://github.com/gorhill/uBlock](https://github.com/gorhill/uBlock)

uMatrix :
[https://github.com/gorhill/uMatrix](https://github.com/gorhill/uMatrix)

I have used NoScript, AdBlock Plus and Ghostery before but found them lacking
in functionality, flexibility and performance. I used Privacy Badger too but,
if I remember correctly, it is based on the same engine as ABP and suffers
from the same performance problems.

~~~
vidyesh
Ditto except _uMatrix_

What exactly does it do?

~~~
artificial
uMatrix provides a tabular view, sorted by host, with toggleable category
columns (e.g. allow/disallow iframes, scripts, etc.). It's granular
client-side resource whitelisting.

~~~
edraferi
uBlock Origin does that too, just need to turn on Advanced Mode via options.

~~~
ymse
uMatrix offers more granularity. You can choose exactly what each third-party
site can do in terms of cookies, CSS, images, plugins, javascript, XHR(!),
frames and media (audio, video, pdf, etc).

After years of using uMatrix (formerly HTTP Switchboard), many sites "just
work" with YouTube, Vimeo and the like, even without first-party javascript
enabled.

I've considered sharing parts of my global ruleset so others can just copy-
paste the sections/sites they want to whitelist without having to discover
what's required themselves.
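For reference, uMatrix rules are one-per-line `source destination type action` entries, so a shareable whitelist fragment might look like this (the hostnames are just examples, not my actual ruleset):

```
* 1st-party * allow
* * css allow
* * image allow
example.com ajax.googleapis.com script allow
example.com youtube.com frame allow
example.com ytimg.com * allow
```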

------
mysterypie
Could someone please explain, in a clear step-by-step way, what this does?

Here, I'll explain what I _think_ it does so you can at least correct what I'm
missing:

(1) User visits web site example.com and needs to get file foo.jpg from
example.com.

(2) foo.jpg is available at some content delivery network, let's say Akamai.

(3) User's browser gets foo.jpg from Akamai.

(4) Akamai now knows the user's IP address, the Referer (example.com), and the
user agent info (browser version, OS version, etc.)

So what does the Decentraleyes add-on do? I _think_ it does the following:

First, this add-on apparently cuts out the Referer when the browser asks for
foo.jpg, but Akamai would still get the IP address (and the user agent info
unless the user is disguising that). With the IP address you've been tracked,
so does this really help?

Second, this add-on apparently gives you a local copy of foo.jpg if it exists
(i.e., a copy of foo.jpg already cached on your own computer). Well, the first
copy of foo.jpg had to have come from somewhere (either example.com or
Akamai), so you've already been tracked.

NOTE: I'm not criticizing the add-on at all! I'm just trying to understand it.

~~~
takeda
It's simpler than you think.

The extension ships with copies of common files (jQuery etc.) and a list of
CDN URLs that return those files. Every time the browser makes a request to
one of those URLs, the extension serves the local file instead.

How does that help? It speeds up browsing, since you have a local copy of the
requested file. It also increases privacy. Many sites are lazy and use, say,
the Google CDN for jQuery. When you visit such a site, Google can still track
you, because your browser makes a request to them.

The only weakness of this approach is that it only works for URLs known to
the author. A request to an unknown CDN, or to a known CDN but for a new
file, will still be made. (AFAIR there is an option to block unknown files on
known CDNs, but that will often break websites.)

~~~
marcosscriven
I thought one of the benefits of using something like Google CDN to serve
jQuery was _meant_ to be that a person's browser was much more likely to have
that in their cache than mylittlewebsite.com?

~~~
newscracker
That's true, but you don't really have to let Google know which sites you
visit in order to pull the jQuery library. This extension provides the files
from a local cache so that you avoid the requests to a great extent and thus
minimize any tracking. If mylittlewebsite.com and yourlittlewebsite.com both
use Google CDN for jQuery, Google would know that you visited these two sites.
With this extension, there's less chance of Google or another CDN seeing all
instances of the jQuery download requests (unless each site is using a
different, newer version of jQuery that's not locally cached yet).

------
abcd_f
I'd add Google Fonts to the list. It's a massive privacy leak as well.

~~~
SahAssar
The method this extension uses would require one to download the ~1GB font
archive upon installation for that to work, since it installs all the blocked
libraries in the extension itself. Perhaps it could block the 100 or so most
commonly used google fonts and serve those...

------
cantagi
The problem this solves is even worse than it sounds: there's no reason why
the NSA couldn't force a CDN to silently concatenate their own analytics onto
a site's jQuery. Is there a good way of signing your assets?

~~~
cuonic
There is, and it's called Sub-resource integrity:
[http://www.w3.org/TR/SRI/](http://www.w3.org/TR/SRI/)

MaxCDN's Bootstrap CDN implements it, for example:

    <link rel="stylesheet"
          href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"
          integrity="sha256-7s5uDGW3AHqw6xtJmNNtr+OBRJUlgkNJEo78P4b0yRw= sha512-nNo+yCHEyn0smMxSswnf/OnX6/KwJuZTlNZBjauKhTK0c+zT+q5JOCx0UFhXQ6rJR9jg6Es8gPuD2uZcYDLqSw=="
          crossorigin="anonymous">

------
ojiikun
Can someone experienced with the code speak to how this is a 5MB addon? That smells
like an order of magnitude more code than would be needed to block a fairly
simple behaviour on fewer than 200 predefined URLs.

------
axx
Cool plugin, but it's quite ironic that their test utility uses (and needs)
jQuery hosted by Google to work.

Check out the source here:
[https://decentraleyes.org/test/](https://decentraleyes.org/test/)

It would be much better to serve jQuery from the decentraleyes.org domain and
run the test with that.

tl;dr: It needs jQuery from Google to test if jQuery from Google can be loaded
via $.ajax.

------
cm3
A version of Firefox with the modifications in the tor firefox bundle minus
the tor network would be splendid. They fix privacy and solve fingerprinting
as well. On top of that you don't have to deal with a website's decision to
use certain fonts anymore. Is this available somewhere as a patchset/branch
for mozilla-release.hg?

------
prajjwal
Does this work on localhost? Apart from the increased privacy, it sounds like
this would also improve offline web development. I could be offline, and still
have all the CDNJS libraries on the page load correctly.

------
navlelo
Does Privacy Badger cover these CDNs as well?

------
bhrgunatha
So does this cache files on your local machine that are often served via CDN?

Doesn't the browser do that automatically for you?

~~~
throwaway2048
Headers (Referer etc.) are still sent every time the resource is loaded, to
check for freshness.
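That is, even a cache hit can still produce a conditional request like this (illustrative), which hands the CDN your IP address, the Referer, and your user agent:

```http
GET /ajax/libs/jquery/2.1.4/jquery.min.js HTTP/1.1
Host: ajax.googleapis.com
Referer: https://example.com/some-page
User-Agent: Mozilla/5.0 ...
If-Modified-Since: Mon, 12 Oct 2015 08:00:00 GMT

HTTP/1.1 304 Not Modified
```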

------
kawera
Is there something similar but for Chrome?

~~~
nmy
Do you have Chrome and still care about privacy? Or maybe you are asking for
the speed enhancement.

------
eklavya
Isn't it ironic that this page itself has a google.com dependency as shown by
uBlock :D

~~~
teknologist
well it's the mozilla addons site - they couldn't really control that

~~~
eklavya
I know, it was much more ironic when a page by mozilla which was talking about
online tracking and privacy had a google tracker :D

------
swinglock
Why not just strip the referer header when getting static resources from the
CDNs?

~~~
rmc
You'd have to block IP address, and er...

------
zkhalique
How does it know where the local files would be?

------
shikhil587
Looks interesting. Will try and post reviews.

------
cyphar
Just use Tor. Anything that doesn't function like Tor (or can't guarantee the
same security properties) isn't worth your time.

~~~
smt88
How does Tor prevent cookie-based tracking?

~~~
cyphar
The Tor Browser bundle clears cookies on exit. There are some plugins you can
add to clear them on tab close too. As for something like CDN cookies, I'm
actually not sure. But if you have cookies that are set by the CDN for their
domain, then it's not trivial to link the loading page (assuming Referrer
headers are stripped) to the resource being loaded because TBB uses different
Tor circuits for different websites.

~~~
developer2
I think running _any_ addons or plugins within Tor Browser is a bad idea. Even
if it's from a "respected" source, the risk of it somehow becoming compromised
is not worth it. IIRC the bundle even advises you that addons may be risky.
Considering that the purpose of Tor is to remain anonymous, one should keep in
mind that _any_ addon could de-anonymize you.

~~~
r3bl
> IIRC the bundle even advises you that addons may be risky.

The reason for this is that by installing various non-default addons, you're
actually making your browser more unique. As a consequence, you're making it
easier to link all of your Tor activity back to a single person.

------
davidpelayo
Great, I've added it. I wonder whether a fully free service is trustworthy or not.

Question: where do you get your info from? I'm trying to gather twitter lists
into this repo to know the best sources of info. Please collaborate:
[https://github.com/davidpelayo/twitter-tech-lists](https://github.com/davidpelayo/twitter-tech-lists)

