
A more privacy-friendly blog - vbernat
https://vincent.bernat.im/en/blog/2018-more-privacy-blog
======
cagrimmett
Awesome! I dumped Disqus and Google Analytics earlier this year, too. I hadn't
thought about Google Fonts, so I'll dump that soon, too.

Since you are using CloudFront, I highly recommend
[http://s3stat.com](http://s3stat.com) for analytics. It grabs CloudFront's
(or S3's) server access logs and visualizes them.

For search, I like this method Mat Hayward uses for Jekyll:
[https://github.com/mathaywarduk/jekyll-search](https://github.com/mathaywarduk/jekyll-search)
Dump the site contents out into a JSON file with the titles and links
accessible, crawl through the JSON file with JavaScript whenever someone runs
a search, then display the results. I know you use Hyde instead of Jekyll, but
you can port over the general idea.

~~~
CobrastanJorji
There's one small downside to using your own font. The Google Font is very
likely already cached in the browser and won't need to load from anywhere
remote.

An even better solution might be to just not specify a specific font unless
you really, really need one.

~~~
LeoNatan25
Use a system font stack. Both macOS and Windows come with good font choices,
and Linux … is Linux, more often than not, users are not even aware of
typography or why it matters.

~~~
przmk
That's pretty dismissive of Linux users. Just because someone uses Linux,
doesn't mean that person doesn't care about design.

~~~
LeoNatan25
Of course. It’s just my subjective experience that most don’t. It’s to the
point most don’t know what ligatures and stylistic sets are. Most Linux
software lacks basic OpenType features support.

~~~
detaro
> It’s to the point most don’t know what ligatures and stylistic sets are.

As if the majority of Windows and Mac OS users would know that.

~~~
eftychis
Since at least a noticeable portion of Mac OS users have some artistic vein,
one would argue for Mac OS users. For Windows my personal opinion is the
average user has no idea. I think for Linux/BSD etc there is a part of users
that know or have some idea but don't care enough personally. I comment from
experience -- not aware of any study that looks for correlation :D

------
theandrewbailey
> As it is unlikely that more than three people will use the search engine in
> a year, this seems a good idea to not spend too much time on this
> non-essential feature.

I disagree. When I want to remember something, I blog about it. When I
implemented a search feature on my site, it was a godsend, and wondered why I
had overlooked it for so long. Finding something I had blogged about years ago
wasn't a pain anymore, since a box is right there.

~~~
coldtea
> _I disagree. When I want to remember something, I blog about it. When I
> implemented a search feature on my site, it was a godsend, and wondered why
> I had overlooked it for so long. Finding something I had blogged about years
> ago wasn't a pain anymore, since a box is right there._

You can use Google or whatever to search your blog, or search local files with
your posts or whatever.

In any case, and especially since you're not adding the search feature on your
blog for the blog's visitors, but for you, it sounds totally redundant.

~~~
yborg
> You can use Google

<whoosh>

~~~
coldtea
Whoosh what? This subthread is not about "more privacy" anymore, it's about
searching your own blog -- and since you put it out there, I'd assume you
already have it indexed by Google (unless your visitors are handpicked and
sent the URL).

------
gkya
For analytics you can try log analyzers like Webalizer and Goaccess. I use the
former and I kinda dislike it, but I at least don't not like it as much as
Goaccess. All I look at is just the list of referrers most of the time
anyways, to see if there are any backlinks.

WRT comments and fonts, you can just get rid of both for good. Not imposing
your fonts on the reader is almost always good, and you save on the bandwidth.
And when it comes to comments, I prefer to host my content only on my website.
People do e-mail, and asking them to email if they want to discuss with me is
an incredibly effective spam filter.

WRT big media like videos and sound files, and bigger images, I think it's
better to just link to them. Software like mpv, mplayer, VLC, &c are capable
of streaming, so it becomes a matter of copying the link and "curl <link> |
mpv -" or adding a mailcap entry.

Another thing I can add is to use shared hosting. It's easier to maintain and
safer if you trust your host (I use NearlyFreeSpeech.NET, and if this mention
counts as an ad, let that be; I really like them). I just generate my static
blog and rsync it over ssh. rsync the logs and run webalizer on them every now
and then. As simple as it gets.

------
craftyguy
If you are already self-hosting services, why not self-host your search too?
Searx is a very good service that aggregates results from any number of search
engines, which it collects by stripping out any/all identifiable info from the
requests it submits. You (not DDG, etc) can explicitly disable logging and be
confident that your system is not preserving logs, instead of trusting Yet
Another 3rd Party to do the right thing.

~~~
vbernat
One reason I prefer to use DDG is also to promote them. I started using DDG
when I saw other people using it. The other reason is I also try to limit the
number of services that I have to maintain.

------
mattbierner
Very helpful. I've hosted a few videos using cloudfront but there were lots of
little gotchas with setting up both the hosting and the player. I wish I had
found the linked to guide earlier:
[https://vincent.bernat.im/en/blog/2018-self-hosted-videos](https://vincent.bernat.im/en/blog/2018-self-hosted-videos)

~~~
NetOpWibby
I’ve wanted something like this for so long but never knew where to start.
Thanks!

------
misterbowfinger
There has to be a simpler, privacy focused way to figure out pageviews, right?
As long as I don't know _who_ looked at my site, I should be able to find out
_how many_.

Similar thing goes for "how many people clicked this button"

Or am I way off here....

~~~
newscracker
You can self-host a free analytics solution like Matomo (formerly called
Piwik) [1] and choose whether you're fine analyzing web server logs alone or
want to track finer details by injecting JavaScript (provided in the solution)
on your pages.

[1]: [https://matomo.org/](https://matomo.org/)

------
KajMagnus
Is there any open source browser session recording tool? With recording
features like the one in Fullstory or Hotjar.

So one can record what people do at one's website, and see what UX problems
they run into, and if something makes them feel bored and leave. Without
sending their browser session to a 3rd party. (Fortunately the one I'm using
right now is able to exclude parts of the recording, client side. E.g. `input`
fields. But still would feel better to not send anything to a 3rd party)

------
z3t4
If you have RSS on your site you can use the search script I made for my
static web site/blog:
[https://www.webtigerteam.com/websearch/](https://www.webtigerteam.com/websearch/)
Earlier discussion:
[https://news.ycombinator.com/item?id=14717182](https://news.ycombinator.com/item?id=14717182)

------
tomc1985
Way back when we all installed software that analyzed Apache (et al) logs,
before Google came in and killed it with their GA package. Why not a return to
this classic style?

I remember messing with a module in webmin (I think?) that did this, and
watching traffic come in and have it show up in the reporting tool. Was pretty
cool considering the whole thing was self-contained

edit: I'm thinking of AWStats

~~~
sleavey
Urchin [1] was a popular one. It was bought and killed by Google.

[1]: [https://en.wikipedia.org/wiki/Urchin_(software)](https://en.wikipedia.org/wiki/Urchin_\(software\))

~~~
tomc1985
I think we are thinking of something different. AWStats?

------
kaushalmodi
Thanks to your post, I learnt about Content-Security-Policy in HTTP headers. I
thought, that's awesome, let me add a tight CSP to my site
([https://scripter.co](https://scripter.co)) as I don't load any content from
outside and the only thing going out are Webmentions sending requests... and
then I realize that I use #mathjax on some pages..

MathJax requires me to add 'unsafe-inline' and 'unsafe-eval' to script-src,
and 'unsafe-inline' style-src. So my overall CSP becomes quite weak :(

Would anyone have an idea how to implement CSP without those, _and_ use
MathJax?

Thanks.

~~~
kaushalmodi
I fixed this finally, thanks to GitHub user dpvc and his suggested way of
writing MathJax config:
[https://github.com/mathjax/MathJax/issues/1988#issuecomment-...](https://github.com/mathjax/MathJax/issues/1988#issuecomment-384978927).
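
An added example, not part of the comments above and not MathJax's or the article's own code: a small auditor that parses a `Content-Security-Policy` value and reports the `'unsafe-inline'` / `'unsafe-eval'` weakening described in this sub-thread, including the `default-src` fallback. The two sample policies are constructed for illustration; only the weak keywords come from the thread.

```python
# Added example: audit a CSP value for the weak keywords discussed above.
WEAK = {"'unsafe-inline'", "'unsafe-eval'"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # A repeated directive is ignored by browsers: the first one wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective_sources(policy, directive):
    """script-src and style-src fall back to default-src when absent."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")  # None: nothing restricts this type

def audit(header):
    """Return (directive, finding) pairs for script-src and style-src."""
    policy = parse_csp(header)
    findings = []
    for directive in ("script-src", "style-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append((directive, "unrestricted"))
            continue
        lowered = [s.lower() for s in sources]
        pinned = any(s.startswith(NONCE_OR_HASH) for s in lowered)
        for keyword in sorted(WEAK & set(lowered)):
            # Browsers ignore 'unsafe-inline' once a nonce or hash is listed.
            if keyword == "'unsafe-inline'" and pinned:
                continue
            findings.append((directive, keyword))
    return findings

# Constructed policies: the first mirrors the keywords named in the thread.
WEAK_POLICY = ("default-src 'self'; script-src 'self' 'unsafe-inline' "
               "'unsafe-eval'; style-src 'self' 'unsafe-inline'")
TIGHT_POLICY = "default-src 'self'; script-src 'self' 'nonce-R4nd0m' 'unsafe-inline'"

if __name__ == "__main__":
    for name, header in (("weak", WEAK_POLICY), ("tight", TIGHT_POLICY)):
        print(name, audit(header))
```

Running the same check against the header a site actually serves shows at a glance whether a library requirement has reopened inline or eval'd script.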

------
lern_too_spel
While Google Fonts may be covered by the generic Google Privacy Policy
(haven't verified this myself), it is technically unable to track users very
well due to caching for a day at a time and serving from a cookieless domain.
If a user visited any other site using the same font that day, visiting your
site won't result in a request to Google.
[https://developers.google.com/fonts/faq#what_does_using_the_...](https://developers.google.com/fonts/faq#what_does_using_the_google_fonts_api_mean_for_the_privacy_of_my_users)

------
misterbowfinger
_I opted for a simpler solution: no analytics. It also enables me to think
that my blog attracts thousands of visitors every day._

I lol'd

~~~
curiouscats
But now they don't get to see the huge amount of traffic sent from Hacker News
:-(

~~~
loup-vaillant
You can still `grep | line` the logs. There are also tools that do more
precise analysis.
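
An added example, not part of any comment here or of the linked article: one way to get the "how many, not who" counts asked about earlier in the thread straight from server access logs. It assumes the Combined Log Format; the sample lines, the host `blog.example.org` and the bot pattern are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined Log Format (assumed). The client address is matched, never captured.
LINE = re.compile(
    r'^\S+ \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?')
ASSETS = (".css", ".js", ".png", ".jpg", ".svg", ".ico", ".woff2", ".xml")
BOTS = re.compile(r"bot|crawl|spider", re.I)  # crude, illustrative filter

def summarize(lines, own_host):
    """Count page views per (day, path) and external referrer hosts."""
    views, referrers = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        path = urlsplit(m["path"]).path       # drop query strings
        if path.lower().endswith(ASSETS) or BOTS.search(m["agent"] or ""):
            continue
        views[(m["day"], path)] += 1
        ref_host = urlsplit(m["referer"] or "").hostname
        if ref_host and ref_host != own_host:
            referrers[ref_host] += 1          # keep the host, not the full URL
    return views, referrers

def _line(ip, path, status, ref, agent="Mozilla/5.0"):
    """Build one constructed Combined Log Format line."""
    return (f'{ip} - - [12/May/2018:10:01:02 +0000] "GET {path} HTTP/1.1" '
            f'{status} 5120 "{ref}" "{agent}"')

POST = "/en/blog/2018-more-privacy-blog"
SAMPLE = [  # constructed; addresses are from documentation ranges
    _line("192.0.2.10", POST, 200, "https://news.ycombinator.com/"),
    _line("192.0.2.11", POST + "?utm=x", 200, "https://news.ycombinator.com/"),
    _line("192.0.2.10", "/css/site.css", 200, "https://blog.example.org" + POST),
    _line("198.51.100.7", POST, 200, "-", "ExampleBot/1.0"),
    _line("192.0.2.12", "/missing", 404, "-"),
    _line("192.0.2.13", "/en/", 200, "https://blog.example.org" + POST),
]

if __name__ == "__main__":
    views, referrers = summarize(SAMPLE, "blog.example.org")
    print(views.most_common(), referrers.most_common())
```

The aggregate holds only days, paths and referrer hosts, so the raw logs can be rotated out on a short schedule once it has been computed.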

------
mobitar
I work on Listed as part of Standard Notes, which is a privacy focused
blogging platform focused on authors, and allows authors to receive tips, sell
content, and use custom CSS.

More here:
[https://listed.standardnotes.org](https://listed.standardnotes.org)

------
sachleen
This is neat. I use disqus on my blog and had never heard of Isso. I'll have
to check it out.

~~~
KajMagnus
There's also Talkyard, which is like Disqus, and open-source, no ads, no
tracking. Serverless hosting. Google, Facebook etc login.

[https://www.talkyard.io/blog-comments](https://www.talkyard.io/blog-comments)
(I'm developing it)

~~~
jazoom
Your pricing being cheaper for people in developing countries is interesting.
I quite like the idea behind that. A few Euros is practically nothing for me
but for some people it's a week's worth of food.

~~~
KajMagnus
Ok :- ) It's related to the vision & goals: helping people to find ideas &
solutions to problems in society. And then it needs to be affordable for
people in developing countries too (because maybe that's where there're most
problems to solve?).

------
smoyer
I would have book-marked your page to reread it later (I've been working on a
new blog design). Unfortunately, something on your page is blocking
pinboard.in.

~~~
vbernat
I believe this is the CSP. You can confirm that in the JavaScript console.
Extensions should be able to work around that. Bookmarklets are bound by the
CSP and the major browsers don't want to fix that
([https://bugzilla.mozilla.org/show_bug.cgi?id=866522](https://bugzilla.mozilla.org/show_bug.cgi?id=866522),
[https://bugs.chromium.org/p/chromium/issues/detail?id=233903](https://bugs.chromium.org/p/chromium/issues/detail?id=233903)).

------
hostcord
I built a hosted comment service powered by Isso -
[https://comment.sh](https://comment.sh) :)

~~~
KajMagnus
What are your goals & plans with `comment.sh`? Right now the website says "Free
Signup" — I'm thinking either the plan is to start charging money later, or,
if it stays free, then there is some altruistic / ideological reason you're
doing this project & will continue long term?

(There's no About page so I couldn't find out :- ))

------
antjanus
Thanks for posting this, I've been meaning to make similar transitions with my
site.

