
Mozilla Firefox to Enable Hyperlink Ping Tracking by Default - Jerry2
https://www.bleepingcomputer.com/news/software/mozilla-firefox-to-enable-hyperlink-ping-tracking-by-default/
======
jefftk
The ping attribute replaces redirects and JavaScript that already allow (and
are very widely used for) less performant ways of doing exactly the same
tracking.

An explicit ping attribute makes it easier for content blockers; with a
redirect there's nothing you can do but with a declarative attribute it's
clear what to block.

This seems very clearly better to me.

~~~
Eridrus
Does anyone want the ping attribute?

It seems like JS-based trackers using sendBeacon are the better option for
analytics.

~~~
geocar
Yes.

I implement these kinds of trackers, and right now, my choices look like this:

1. Use a redirect:

        <a href="trackingurl?redirect=target">link</a>

However this is difficult to implement securely, so most people don't. It's
also ugly: The user sees tracking urls in the URL bar and each need to load in
turn, redirecting to the final target.

2. Use JavaScript:

        <a onclick="navigator.sendBeacon('trackingurl')" href="target">link</a>

This seems to be your suggestion. This requires JavaScript and the JavaScript
could be doing other things, like a global mousedown handler which could
interfere with it. Many tracking "solutions" have to be carefully written to
avoid this kind of interference, which makes development hard to implement as
well. The risk is that people's websites break.

3. Use CSS:

        <style>
        a:active{background-image:url(trackingurl) !important;}
        </style>

This "works" but it's sneaky, and it's even more likely that multiple tracking
"solutions" will interfere with each other using this method. It might also
break the publisher's site if they intended the selector for another purpose.

4. Use ping:

        <a ping="trackingurl" href="target">link</a>

Now looking at all four options, I'd _definitely_ much rather use ping=
because (a) it's likely to be implemented correctly, (b) it's unlikely to
break other scripts/styles on the page, and (c) it's not sneaky; the effects
and implementation are transparent.

However I appreciate to some people "anyone" might not include the people who
write the content you're reading -- after all, if you don't care about them,
then _surely_ there isn't "anyone" who wants this, but this is immature. These
are most certainly people, and these are the people that want this: People who
know about other methods and have thought about the risk/reward of using them.

~~~
chrismeller
I absolutely think the ping attribute is preferable, but several of your
solutions are to avoid conflicting with other tracking solutions that are in
place already. How would you address that with ping attributes?

~~~
geocar
The ping attribute stores a space-separated list of urls.

------
newscracker
_> "We don’t believe that offering an option to disable this feature alone
will have any meaningful improvement in the user privacy, since website can
(and often already do) detect the various supported mechanisms for hyperlink
auditing in each browser and disabling the more user friendly mechanisms will
cause them to fall back to the less user friendly ones, without actually
disabling the hyperlink auditing functionality itself."_

Sites that wanted to track have always been tracking clicks on links on their
pages using JavaScript or redirection pages that first record the click and
then send the browser to the destination that the user wanted to go to. Ping
is just a better way for sites to implement tracking, and if more sites move
to this, the easier it’ll be to block (like uBlock Origin has already done).
In conjunction with other Firefox extensions that thwart “traditional” click
tracking, we can cover everything.

I find Mozilla’s (and Apple’s) position on enabling this by default tenable,
because we certainly don’t want sites to block Firefox for this reason or tell
users to use another browser (with euphemisms like) “for a better experience”.
On this point, I think Brave has cornered itself as a niche browser that sites
may start revolting against when it grows.

What is not acceptable from any browser vendor, especially a vendor like
Mozilla or Apple that wears privacy on its sleeves, is not having a way to
disable this using preferences (visible or something like about:config or
defaults). Not everyone may want to trust and install several extensions for
things like this. On this, Mozilla has failed (and so has Apple, though I
didn’t check that in this context).

~~~
stephenr
The solution to this is eg a content blocker in safari.

The browser still reports “ping” as usable so no blocking of the user or
expensive (resource wise) js alternatives, but when you click the link the URL
is evaluated as being blocked and safari does nothing relating to the ping.

This isn’t theory, I’ve tested it and it works.

I don’t know enough about blocking capabilities in Firefox to theorise how it
would work there.

~~~
bangonkeyboard
_> This isn’t theory, I’ve tested it and it works._

That only works when the destination URL of the ping is specified as a content
blocker rule. Content blockers are too limited to block the ping mechanism
itself, so you would need to statically add every single arbitrary tracker URL
pattern to the ruleset and hope they don't match a site or resource you want.

~~~
stephenr
That is literally my point.

You don’t need to “block” the ping functionality (which itself would become a
fingerprinting data point) any more than you need to block xhr/fetch or
following 301 redirects (which are also used for the same purposes the ping
attribute may be used for)

There are literally dozens of content blockers available for both macOS and
iOS and all have extensive block lists of trackers, ad networks, etc. Some
also allow you to add custom rules.

That same content blocker will _also_ block XHR/fetch based link tracking that
many will just fallback to if ping support is not detected.

------
hagreet
This is clearly wrong. If usability suffers due to tracking implementing this
removes a disadvantage of tracking; so it supports tracking. If usability
doesn't suffer it still provides a cleaner and simpler way to implement the
tracking and also supports tracking.

The only legitimate reason to add this is that if some browsers have it and
some don't usability will be better on some browsers than on others.

This is a prisoner's dilemma. Or was.

------
roca
As explained in the article, the same data is already being collected without
the use of 'ping', so refusing to support ping is nothing but privacy theater
(a la "security theater") --- at the cost of user experience. I'm disappointed
to see Brave playing that game.

~~~
nanaya
Not supporting it means sites without tracking have better user experience.
Now tracking is natively supported, everyone can just start doing tracking
without any of the disadvantages.

~~~
roca
That argument would carry weight if you could point to sites that deliberately
avoid outbound link tracking because of the impact on the user experience.
I've never heard of any.

~~~
klez
That's not what GP was saying. They were saying that given two websites, one
that doesn't track and one that does, the one that doesn't would have a better
user experience as a side effect, which would give it a competitive advantage
in this "department" over the one that does track. So, all things being equal,
users would choose the one that doesn't track for the simple virtue of it
giving them a better experience.

~~~
jgowdy
This argument appears multiple times in this thread. However, realistically
I've never seen a mainstream website that was drastically disadvantaged by
their tracking mechanisms. I'm concerned that a lot of the tech savvy people
who are making this claim may be working on severely outdated machines for
which this makes a difference. With even the cheapest Dell computer sold
today, it doesn't really matter, which is why everyone is tracking everywhere.
I'm not a huge fan of ping, but the idea that websites are going to choose not
to track with JavaScript based on the bad UX on a years old Core 2 Duo is just
absurd. The economic incentive you are imagining does not exist, thus ping
isn't truly eliminating a critical UX difference between tracked and untracked
websites.

TL;DR ITT: "Link auditing / ping will eliminate the disadvantages of
tracking!" - Ad Industry and sites that serve tracking: "What disadvantages?"

------
zzo38computer
As long as I can turn it off in about:config (and it won't try to
automatically change the setting for me without my permission) I don't care if
it is on or off by default.

~~~
gkoberger
In fact, having it on by default is better for people who are privacy
conscious. If everyone has it off by default, then no site will implement it.
If it's opt-out, the average site is more likely to use it rather than using
JS tracking.

It's kind of like Do Not Track. Once IE enabled it by default, every single ad
network stopped honoring it.

~~~
xaqfox
How are ad networks not in violation of the CFAA (computer fraud and abuse
act) by not honoring DNT? Surely if I can get in trouble for abusing what a
server allows but does not intend then the same should hold true for
interactions with a client web browser.

~~~
javagram
DNT arguably ceased to be a reliable symbol of user intention the moment
Microsoft turned it on by default.

I doubt Microsoft didn’t realize what they were doing would kill DNT
acceptance, but they did it anyway to add a bullet point to their feature
list.

~~~
deogeo
Much like malware protection ceased to be a reliable symbol of user intention
the moment Microsoft turned it on by default.

~~~
javagram
Malware protection isn’t a signal though, it’s an active process of deleting
and blocking. No need or even possibility to interpret it.

The analogy in the tracking space would be something like Safari ITP, not DNT.

------
X-Istence
Maybe now we can get rid of the god-forsaken javascript hell that does link
tracking or the multiple bounces between servers before a redirect.

~~~
HocusLocus
(Me, landing on an 'empty' page with NoScript)

 _" Bye!"_

Life is simpler these days. Others should envy me.

------
klez
From the mdn page on the `a` element, the section on the `ping` attribute
says:

> Contains a space-separated list of URLs to which, when the hyperlink is
> followed, POST requests with the body PING will be sent by the browser (in
> the background). Typically used for tracking.

Does this mean that if I put a proxy between the browser and the internet I
can block this kind of requests? (of course at the expense of requests that
contain that same body for other reasons, in which case I wonder why they
didn't add a specific http request header to clearly mark those requests as
pings)
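
On the proxy question above: the HTML specification's hyperlink auditing section has browsers send these pings with `Content-Type: text/ping` and a `Ping-To` header, so a filter does not have to match on the body. An added example (not from the thread or from any project), using constructed sample requests and hypothetical host names:

```python
# Added example; the sample requests and host names are constructed.

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body


def classify_ping(raw: bytes) -> str:
    """Return 'ping', 'ambiguous' or 'other' for one request.

    ping      -- POST with Content-Type text/ping and a Ping-To header
    ambiguous -- POST whose body is PING but without those markers
    other     -- everything else
    """
    method, headers, body = parse_request(raw)
    if method != "POST":
        return "other"
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type == "text/ping" and "ping-to" in headers:
        return "ping"
    if body.strip() == b"PING":
        return "ambiguous"
    return "other"


BROWSER_PING = (
    b"POST /collect HTTP/1.1\r\n"
    b"Host: tracker.example\r\n"
    b"Content-Type: text/ping\r\n"
    b"Ping-From: https://site.example/article\r\n"
    b"Ping-To: https://target.example/\r\n"
    b"Content-Length: 4\r\n\r\nPING"
)
APP_POST = (
    b"POST /api/health HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 4\r\n\r\nPING"
)
PAGE_GET = b"GET /article HTTP/1.1\r\nHost: site.example\r\n\r\n"
```

A proxy sees these headers only for plain HTTP or where it terminates TLS; matching on the body alone would also catch the second, unrelated request.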

------
HNKingpin
Just wanted to say that uMatrix can disable this. Browsers have been anti-user
control for so long, we can't rely on them anymore to provide basic
configuration even.

------
spystath
I was never aware of the ping attribute but now it makes me wonder what was
the rationale behind standardising it. Is there any particular legitimate (ie.
non-tracking) use for such a feature? It would make sense, of sorts, if there
was a policy regarding the target of the attribute but as far as I can see the
browser can ping literally anything.

~~~
beagle3
The rationale is that everyone interested has been doing this with redirects
(for years) in non standardised and often opaque ways.

So it’s better to standardize and make it transparent.

E.g. google search results get rewritten to redirects as soon as you hover
over them or press them (and are redirects in the first place with JS off).
Have been for at least 8 years now.

------
RandomGuyDTB
That's a shame. Now I have to either wait for someone to make an extension to
disable hyperpings (so it can sync between all my Firefoxes rather than me
having to manually change it every time) or learn to make one myself.

~~~
ChrisGranger
uBlock Origin already blocks this feature.

[https://github.com/gorhill/uBlock/wiki/Dashboard:-Settings#d...](https://github.com/gorhill/uBlock/wiki/Dashboard:-Settings#disable-hyperlink-auditing)

~~~
RandomGuyDTB
That was a short wait.

~~~
jefftk
This isn't a new feature; it was added in Chrome 15 and Safari 6.
[https://caniuse.com/#feat=ping](https://caniuse.com/#feat=ping)

------
im3w1l
> Google Chrome, Opera, Microsoft Edge, and Safari enabled hyperlink auditing
> pings by default... will no longer allow users to [disable it] in the
> future.

------
Mortiffer
This is amazing news b/c it will unfuck the link graph. So many shitty content
sites link to the outside through an intermediary url which counts
clickthroughs and then passes you on with JS. Would love to see that stop

------
RenRav
Yeah, that's 100% getting disabled for me. What a shame.

------
swiley
As much as I hate tracking this is definitely cleaner. I'm sure noscript will
block it too.

------
andremr
Is this an official statement from Mozilla? If understood right, it says that
because every tracking site already does, we will put it inside the browser.

It seems like one day Nike will say, we need to send the location of every
step you take, where you're heading and the speed so we can make better shoes.
And people just, yes, seems fair to me.

~~~
geocar
It's a little different.

It's more like Nike are fitting their stores with a special floor that track
people walking around in the store to figure out where people go and what they
find interesting.

There are many vendors of these special floors, and they offer different kinds
of reporting to Nike.

At the moment, Nike can't use multiple vendors without careful testing because
the floors can potentially interfere with each other. Sometimes the
interactions only occur in extreme cases, such as massively overweight or
underweight individuals. Nike may not be floor experts and not know how to do
this. It also makes the floor "thicker" with multiple vendors special floors
layered on top of each other, which might feel weird walking on.

These vendors don't just sell to Nike, they sell to lots of stores. Obviously
they don't share Nike's "data" with ASIC but _each of them_ have to deal with
the fact that even if they solve the problem for Nike's chosen set of vendors,
they'll have to do it again for ASIC as well.

So, the floor vendors got together and proposed a mechanism whereby they can
all work together.

No new privacy leak, no new information is being generated, or even being
transmitted to anyone who didn't already have the ability to collect it, but
the implementation is simpler, and user experience is better.

~~~
klez
Or, you can make this "floor tracking" so difficult and circumventable that
people start to question it and decide that new pair of shiny shoes doesn't
deserve the added hassle of walking in them.

There's that producer of floors that stands against these forms of tracking
and says "go to the stores that buy from us, they won't track you!" So this
benefits the stores that buy from them, the floor maker and the store's
patrons.

But this analogy broke down pretty soon this way, didn't it?

------
rasz
Does anyone have a handy hyperlink auditing test website to check your current
browser?

------
HocusLocus
Firefox v52.9.0esr with NoScript, uBlock Origin and whitelist-based security
just got a big industry boost.

Good going, Mozilla!

------
bayareanative
This is asinine. What is the point of a symphony of holistic privacy
initiatives like the GDPR cookie policies on websites and a so-called "privacy
browser" if the browser people inconsistently move away from opt-in to opt-out
and sell-out their users?

------
rolph
This feature allows a trivial DDOS attack to be constructed

[https://securityaffairs.co/wordpress/83890/hacking/ddos-html...](https://securityaffairs.co/wordpress/83890/hacking/ddos-html-hyperlink-audit-ping.html)

[https://www.nsaneforums.com/topic/341522-hyperlink-auditing-...](https://www.nsaneforums.com/topic/341522-hyperlink-auditing-pings-being-used-to-perform-ddos-attacks/)

you can always downgrade your FF version and turn off auto updates, or go to a
custom palemoon, then have a chat with mozilla about why you did so.

~~~
roca
I (former Firefox developer) do not see how using ping for this sort of attack
has any advantage over any of the other myriad ways Javascript running in a
browser can generate traffic to a site.

If it does have an advantage, it's probably just something incidental like
particular HTTP proxies being configured to let pings through, or something
like that.

~~~
A1kmm
Probably more that certain sites are using serverside XSS filters that allow
third party content a elements with ping attributes, but not to inject
arbitrary JavaScript.
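
For a site that accepts third-party HTML, as in the comment above, one check is to list the ping endpoints that submitted `a`/`area` elements would contact and flag those outside the site's own origin. An added example, not from the thread; the function names, sample markup and hosts are constructed, and the origin comparison is simplified to scheme plus host:port.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ASCII_WS = re.compile(r"[ \t\n\f\r]+")  # ping is a whitespace-separated URL list


class PingAudit(HTMLParser):
    """Collect <a>/<area> elements that carry a ping attribute."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        attr = {}
        for name, value in attrs:      # browsers keep the first duplicate
            attr.setdefault(name, value)
        raw = attr.get("ping")
        if not raw:
            return
        urls = [urljoin(self.base_url, u)
                for u in ASCII_WS.split(raw.strip()) if u]
        self.findings.append({"href": attr.get("href"), "ping": urls})


def off_origin_pings(html_text, base_url):
    """Return the ping URLs whose origin differs from the page's."""
    audit = PingAudit(base_url)
    audit.feed(html_text)
    audit.close()
    page = urlsplit(base_url)
    page_origin = (page.scheme, page.netloc.lower())
    flagged = []
    for finding in audit.findings:
        for url in finding["ping"]:
            parts = urlsplit(url)
            if (parts.scheme, parts.netloc.lower()) != page_origin:
                flagged.append(url)
    return flagged


# Constructed sample: one same-origin and two off-origin ping endpoints.
PAGE_URL = "https://forum.example/thread/1"
SAMPLE = ('<p><a href="https://news.example/story" '
          'ping="/audit https://stats.example/p\thttps://other.example/hit">'
          'story</a></p><a href="/about">about</a>')
```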

