
Show HN: How privacy-friendly is your site? - octosphere
https://webbkoll.dataskydd.net/en/
======
andersju
Hey, I'm the main author of this. Happy to see that people like it!

As I wrote elsewhere in the comments we're planning to redesign the results
page and rewrite all the text later this year. The current page hasn't changed
much since mid-2016. Need to refresh/expand technical advice, be more clear
about the limitations of the service, etc. I'll note down all suggestions
here.

I'd also like to recommend a similar project that was inspired by Webbkoll:
[https://privacyscore.org/](https://privacyscore.org/) -- it's slower, but
also integrates things like testssl.sh, and most importantly lets you make
lists of URLs to check. It uses OpenWPM [0] which has been used for many
interesting studies,[1] such as "Online Tracking: A 1-million-site Measurement
and Analysis".[2] (Webbkoll uses Phoenix+Puppeteer)

[0] [https://github.com/citp/OpenWPM](https://github.com/citp/OpenWPM)

[1]
[https://webtransparency.cs.princeton.edu/webcensus/index.htm...](https://webtransparency.cs.princeton.edu/webcensus/index.html#Users)

[2]
[http://senglehardt.com/papers/ccs16_online_tracking.pdf](http://senglehardt.com/papers/ccs16_online_tracking.pdf)

~~~
auslander
Great tool. But if you had a list of the top 10 checked sites at the top, say
by the sum of all three counters, it could actually bring some action; no one
would like to be on this shame list.

------
mtmail
Really nice! Positive and negative results are marked green and red.
Colorblind users will need additional visual clues (e.g. checkmark vs cross)
to differentiate between the sections.

~~~
andersju
Noted, thanks! I'm planning to redesign the whole thing in a couple of months.
I'll definitely keep that in mind. /author

------
auslander
newyorker.com

155 Cookies, 319 Third-party requests, 125 Third-parties contacted

Beat it if you can :)

~~~
dublinben
salon.com

136 cookies, 846 third-party requests, 159 third-parties contacted

~~~
flukus
I was about to joke that they were loading each word from a CDN, but the word
count would only account for 609 requests.

------
mirimir
Very nice! Tells me to add "<meta name="referrer" content="no-referrer">"
which I didn't think of, because I don't link to external resources.

~~~
tananaev
I have added a `Referrer-Policy` header to my nginx configuration instead. What
is better, meta tag or header, and why?

~~~
chrismorgan
<meta name=referrer> is the older of the two, and has IE/Edge support if you
use one of the values never, always, origin and default, while the
Referrer-Policy header is still in development for Edge.

Using the header form will be more efficient on HTTP/2 due to HPACK reducing
it to roughly one byte.

Using the meta tag is typically easier to deploy.

------
geuis
Ran this against my service [https://jsonip.com](https://jsonip.com).

[https://webbkoll.dataskydd.net/en/results?url=http%3A%2F%2Fj...](https://webbkoll.dataskydd.net/en/results?url=http%3A%2F%2Fjsonip.com%2F)

Pretty happy with the results. I have to have access to referrer headers for
it to work.

Beyond that, there are some things I can tighten up in regards to some other
XSS headers so I'll take care of those.

Also, I don’t keep traffic logs. Sometimes (maybe a couple times a year) I
will do a small log capture for a few minutes if I need data to test an
upgrade or feature experiment but that’s it.

------
subcosmos
Well done. Caught some things on one of my projects that
[https://securityheaders.com/](https://securityheaders.com/) missed

------
ttoinou
Didn't know about no-referrer, thanks !

------
chrismorgan
> _While still a work in progress, Referrer Policy is now supported by all
> major browsers (except Internet Explorer, although it is supported by Edge,
> the new browser in Windows 10)._

This information is at odds with Microsoft’s own status on the feature
([https://developer.microsoft.com/en-us/microsoft-edge/platfor...](https://developer.microsoft.com/en-us/microsoft-edge/platform/status/metareferrer))
which indicates that Edge does not yet
support it (“in development”), and the cited source
[http://caniuse.com/referrer-policy](http://caniuse.com/referrer-policy) which
also says IE and Edge don’t support it, but that they do support an older,
more restricted version of the spec.

~~~
andersju
Yeah, I have to update that part. This works in Edge (as well as FF, Chrome,
Safari) to kill referrers completely:

    <meta name="referrer" content="never">

Should also note that it's possible to have fallback values
([https://www.w3.org/TR/referrer-policy/#unknown-policy-values](https://www.w3.org/TR/referrer-policy/#unknown-policy-values)).
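
As an added example (not from the thread, and not Webbkoll's code), here is the Referrer Policy decision logic in Python. It parses a Referrer-Policy header value the way the spec's unknown-policy-values section describes (unrecognised tokens are skipped and the last recognised token wins, so `no-referrer-when-downgrade, strict-origin-when-cross-origin` degrades gracefully on a browser that only knows the first token), maps the legacy `<meta name="referrer">` keywords such as `never` onto the modern ones, and computes the Referer a browser would send from a page to a destination under each policy, e.g. what a script CDN learns about the page you are reading. The page and CDN URLs are constructed, and the `default` parameter is an assumption: the empty policy means "browser default", which was no-referrer-when-downgrade when this thread was written and is strict-origin-when-cross-origin in current browsers. The downgrade test is simplified to "https page, non-https destination"; the spec's "potentially trustworthy" rules also cover localhost and similar cases.

```python
from urllib.parse import urlsplit, urlunsplit

# The eight policy tokens defined by the W3C Referrer Policy spec.
POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

# Legacy <meta name="referrer"> keywords (the ones older IE/Edge understood)
# and the modern token the spec treats each one as.
LEGACY_META = {
    "never": "no-referrer",
    "default": "no-referrer-when-downgrade",
    "always": "unsafe-url",
    "origin-when-crossorigin": "origin-when-cross-origin",
}


def parse_header(value):
    """Parse a Referrer-Policy header value such as "a, b, c".
    Unknown tokens are ignored and the LAST recognised token wins, so list
    the widely supported policy first and the strictest one last.
    Returns "" (browser default) if nothing is recognised."""
    policy = ""
    for token in value.split(","):
        token = token.strip()
        if token in POLICIES:
            policy = token
    return policy


def parse_meta(content):
    """Parse the content attribute of <meta name="referrer">: one token,
    with legacy keywords mapped onto the modern ones."""
    token = LEGACY_META.get(content.strip(), content.strip())
    return token if token in POLICIES else ""


def _host_port(p):
    # Drop the default port, as a browser does when serialising an origin.
    default = {"http": 80, "https": 443}.get(p.scheme)
    host = p.hostname or ""
    if p.port is not None and p.port != default:
        host = f"{host}:{p.port}"
    return host


def _full(url):
    # Referrer URL with credentials and fragment stripped, per the spec.
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host_port(p), p.path or "/", p.query, ""))


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{_host_port(p)}"


def referer_for(policy, source, destination,
                default="no-referrer-when-downgrade"):
    """Referer value sent from `source` to `destination` under `policy`,
    or None for no header. `default` (assumed) is what the empty policy
    means: no-referrer-when-downgrade in 2018, strict-origin-when-cross-origin
    in current browsers."""
    policy = policy or default
    same_origin = _origin(source) == _origin(destination)
    # Simplified downgrade test: TLS page referring to a non-TLS destination.
    downgrade = (urlsplit(source).scheme == "https"
                 and urlsplit(destination).scheme != "https")
    full, origin = _full(source), _origin(source) + "/"

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin":
        return origin
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown referrer policy {policy!r}")


def leak_table(source, destination, default="no-referrer-when-downgrade"):
    """What `destination` (say, a script CDN) learns about the page the
    visitor is on, under every policy."""
    return {p: referer_for(p, source, destination, default)
            for p in sorted(POLICIES)}


if __name__ == "__main__":
    page = "https://user:pw@news.example/article/123?ref=home#top"  # constructed
    for policy, ref in leak_table(page, "https://cdn.example/lib.js").items():
        print(f"{policy:32} -> {ref}")
```

Run it and the table shows the point behind the "self-host the files" advice: under the old default the CDN receives the full article URL of every page that embeds its script, while `origin`, `strict-origin-when-cross-origin` or `no-referrer` reduce that to the site name or nothing.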

------
ChrisGranger
Wouldn't it be fair to say that third-party requests aren't automatically a
problem? For example, mozilla.org sends third-party requests to their CDN at
mozilla.net, but it's the same parent company, so not _really_ a third-party
in the privacy sense.

~~~
andersju
For sure, it's just hard to tell them apart from a technical point of view.
Tracking Preference Expression (DNT) [0] _does_ make it possible with a
Tracking Status Resource's same-party property [1], but it seems like almost
nobody uses (or talks about) this. Medium.com is the only major site where
I've seen it implemented: [https://medium.com/.well-known/dnt/](https://medium.com/.well-known/dnt/)

[0] [https://www.w3.org/TR/tracking-dnt/](https://www.w3.org/TR/tracking-dnt/)

[1] [https://www.w3.org/TR/tracking-dnt/#rep.same-party](https://www.w3.org/TR/tracking-dnt/#rep.same-party)
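
Added example (not from the thread, Webbkoll or Medium): a Python classifier that reads a Tracking Status Resource, the JSON a site serves at /.well-known/dnt/, and uses its same-party array to separate requests to a site's own CDN from genuinely third-party requests, which is what the mozilla.org/mozilla.net case above would need. The TSR document and all hostnames are constructed; the registrable-domain helper is a two-label approximation (real code should use the Public Suffix List). Note that same-party is the site's own declaration, so a checker can only report it as the site's claim, not as verified fact.

```python
import json
from urllib.parse import urlsplit


def site_of(host):
    """Registrable domain, approximated as the last two labels.
    Simplification: real code should consult the Public Suffix List so
    that a.co.uk and b.co.uk are not treated as one site."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def same_party_domains(tsr_json):
    """Domains a Tracking Status Resource declares as same-party.
    The property is optional; anything that is not a list of non-empty
    strings is ignored rather than trusted."""
    declared = json.loads(tsr_json).get("same-party", [])
    if not isinstance(declared, list):
        return set()
    return {d.lower().rstrip(".") for d in declared if isinstance(d, str) and d}


def classify_requests(page_url, request_urls, tsr_json):
    """Map each contacted host to first-party, same-party or third-party."""
    page_site = site_of(urlsplit(page_url).hostname or "")
    same_party = same_party_domains(tsr_json)
    classes = {}
    for url in request_urls:
        host = (urlsplit(url).hostname or "").lower()
        if site_of(host) == page_site:
            classes[host] = "first-party"
        elif any(host == d or host.endswith("." + d) for d in same_party):
            classes[host] = "same-party"  # the site's claim, not verified
        else:
            classes[host] = "third-party"
    return classes


def summarize(classes):
    counts = {"first-party": 0, "same-party": 0, "third-party": 0}
    for kind in classes.values():
        counts[kind] += 1
    return counts


# Constructed TSR for a hypothetical publisher whose static assets live on
# a separately named domain it also controls.
SAMPLE_TSR = json.dumps({
    "tracking": "N",
    "same-party": ["publisher-static.example", "publisher.example"],
})

SAMPLE_PAGE = "https://www.publisher.example/story/42"
SAMPLE_REQUESTS = [
    "https://www.publisher.example/css/site.css",
    "https://cdn.publisher-static.example/js/app.js",
    "https://img.publisher-static.example/hero.jpg",
    "https://tracker.adnet.example/pixel.gif",
    "https://cdn.jslib.example/lib.js",
]

if __name__ == "__main__":
    classes = classify_requests(SAMPLE_PAGE, SAMPLE_REQUESTS, SAMPLE_TSR)
    for host, kind in classes.items():
        print(f"{host:40} {kind}")
    print(summarize(classes))
```

A checker could then report "third parties contacted" both with and without the site's same-party claim applied, which keeps the raw count honest while letting a site that bothers to publish a TSR explain its own CDN.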

------
woodruffw
Nice tool! I just added some of the recommended headers on my personal
(static, single origin) sites.

It's minor, but you could add Apache and/or Nginx and/or Lighttpd examples for
many of the recommendations.

~~~
andersju
Definitely. Planning to redesign and rewrite the whole results page later this
year.

------
pkz
This is a great tool! I have used it to check government websites. Government
websites typically have a monopoly on the service they provide. As a citizen
you can not easily choose to take your business elsewhere.

For a government website you could argue that there should be no third parties
using the information about the visitor's interaction with the government. But
a lot of government websites still use 3rd party scripts that specifically use
information about you for ad targeting.

------
kaushalmodi
@andersju Thanks for making this web site. I have used this site in the past,
and it helped me make my Hugo generated static site more secure.

Your site is very informative, and easy even for a non-webdev like me to
grasp.

[https://webbkoll.dataskydd.net/en/results?url=http%3A%2F%2Fs...](https://webbkoll.dataskydd.net/en/results?url=http%3A%2F%2Fscripter.co%2F)

------
simplydt
Thank you kindly. I used this + one more resource to get my startups site all
green (I thought HTTPS redirect was enough) - hopefully it doesn't cause any
bugs/issues this busy week but it's now done :) Cheers

------
ealhad
Nice! It seems there are some things I overlooked on the websites I manage —
HTTP headers for XSS, HSTS and such, which are going to be easy enough to add.

Kudos to the authors, thank you for helping making the web a better place.

------
stockkid
Thanks for making this. It says the following but did not provide more info
about why:

> The site is loading libraries from one or more CDN:s. Self-host the files.

Is it on the grounds that browsing patterns can be leaked via the HTTP referrer?

------
JanisL
Would like to thank the people that made this, I found a few things that I can
improve for my company site. It's also really good to get a resource that can
be shared with other people via a link!

------
rightbyte
Really nice tool actually. Need to fix some things on my site though ...

------
mo3gut
> Your browser then sends Referer: ...

While I don't doubt dataskydd's good intentions, their advice about referrers
is a sign that we live in Clown World.

Yes, your browser's tendency to provide a referrer might well give away
information you would prefer it didn't. Unfortunately for you, the browser
vendors have chosen to provide browsers that do that.

In a parallel universe it would be obvious that this is a problem (among many)
for the browser vendors to address. In Clown World, you are supposed to rely
on each and every site providing a special response header.

~~~
andersju
Just a historical note that I found interesting - it was in fact obvious (to
some) already 22 years ago. From RFC 1945 (HTTP/1.0), May 1996, 10.13 Referer
[sic]:

"Note: Because the source of a link may be private information or may reveal
an otherwise private information source, it is strongly recommended that the
user be able to select whether or not the Referer field is sent. For example,
a browser client could have a toggle switch for browsing openly/anonymously,
which would respectively enable/disable the sending of Referer and From
information."

([https://tools.ietf.org/html/rfc1945#section-10.13](https://tools.ietf.org/html/rfc1945#section-10.13))

This recommendation was not followed in any meaningful way, but Referrer
Policy ([https://www.w3.org/TR/referrer-policy/](https://www.w3.org/TR/referrer-policy/)),
which supports a whole bunch of different policies and is very easy to
implement (and now widely supported), at least makes things slightly better.

------
jen729w
If you enter a URL in the suggested format – with http:// – you get an error.

> Invalid domain: http://http//www.coruscade.com

Either change the placeholder or, preferably, detect whether the user’s input
contains http:// and adjust accordingly.

~~~
reaperducer
If I enter https:// for a site I manage, the tool automatically changes it to
http://, claims that's what I entered, and then tells me the connection is not
secure.

Needs work.

~~~
ly
I think this means that the tool is not automatically being redirected to
https:// when visiting your website at http://, so it's marked as insecure (see
point 2 on the website).

~~~
andersju
Indeed. I'll change "Input URL" to "Checked URL" or something like that.
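
Added example, not Webbkoll's code: how a checker can handle the two input problems raised in this subthread, in Python. `normalize_input` keeps the scheme the user typed for the report but always probes the plain http:// URL, and only prepends a scheme when the input has none, so "http://www.coruscade.com" is not turned into "http://http//www.coruscade.com". `check_https_redirect` then walks the redirect chain from that URL and reports whether the site upgrades to HTTPS, stays on HTTP, downgrades back to HTTP, or loops. The responses are a constructed dict standing in for real fetches, and the hostnames other than the one quoted in the thread are invented.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


def normalize_input(user_input, probe_scheme="http"):
    """Return (entered_url, checked_url) for whatever the user typed.
    The scheme is prepended only when the input has none; the check
    starts from http:// because the question is whether the site
    upgrades it, and the entered URL is kept so the report can show both."""
    text = user_input.strip()
    if "://" not in text:
        text = "http://" + text
    p = urlsplit(text)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"Invalid URL: {user_input!r}")
    entered = urlunsplit((p.scheme, p.netloc, p.path or "/", p.query, ""))
    checked = urlunsplit((probe_scheme, p.netloc, p.path or "/", p.query, ""))
    return entered, checked


def check_https_redirect(user_input, responses):
    """Follow redirects from the checked URL and say what happened to HTTPS.
    `responses` maps a URL to (status, Location) and stands in for real
    fetches; a URL not in it is treated as a plain 200."""
    entered, checked = normalize_input(user_input)
    chain, err = [checked], None
    while True:
        status, location = responses.get(chain[-1], (200, None))
        if status not in REDIRECT_STATUSES or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:
            chain.append(nxt)
            err = "redirect loop"
            break
        if len(chain) >= MAX_HOPS:
            err = "too many redirects"
            break
        chain.append(nxt)

    schemes = [urlsplit(u).scheme for u in chain]
    if any(a == "https" and b == "http" for a, b in zip(schemes, schemes[1:])):
        verdict = "downgrade"  # worse than never redirecting at all
    elif err:
        verdict = err
    elif schemes[-1] == "https":
        verdict = "upgraded"
    else:
        verdict = "no https redirect"
    return {"entered": entered, "checked": checked,
            "final": chain[-1], "chain": chain, "verdict": verdict}


# Constructed responses for invented hosts.
SAMPLE_RESPONSES = {
    "http://good.example.test/": (301, "https://good.example.test/"),
    "https://good.example.test/": (200, None),
    "http://plain.example.test/": (200, None),
    "http://down.example.test/": (301, "https://down.example.test/"),
    "https://down.example.test/": (302, "http://down.example.test/"),
    "http://rel.example.test/": (302, "/login"),
}

if __name__ == "__main__":
    for typed in ("https://good.example.test", "plain.example.test",
                  "http://down.example.test", "rel.example.test"):
        r = check_https_redirect(typed, SAMPLE_RESPONSES)
        print(f"entered {r['entered']}  checked {r['checked']}  -> {r['verdict']}")
```

Reporting `entered` and `checked` side by side is exactly the "Input URL" versus "Checked URL" distinction andersju agrees to add above: the https:// the user typed was not ignored, it was deliberately downgraded to find out whether the site sends plain-HTTP visitors to HTTPS.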

