Hacker News new | past | comments | ask | show | jobs | submit login
Mozilla Firefox to Enable Hyperlink Ping Tracking by Default (bleepingcomputer.com)
95 points by Jerry2 on April 20, 2019 | hide | past | favorite | 52 comments

The ping attribute replaces redirects and JavaScript that already allow (and are very widely used for) less performant ways of doing exactly the same tracking.

An explicit ping attribute makes it easier for content blockers; with a redirect there's nothing you can do but with a declarative attribute it's clear what to block.

This seems very clearly better to me.

Does anyone want the ping attribute?

It seems like JS-based trackers using sendBeacon are the better option for analytics.


I implement these kinds of trackers, and right now, my choices look like this:

1. Use a redirect:

    <a href="trackingurl?redirect=target">link</a>
However this is difficult to implement securely, so most people don't. It's also ugly: The user sees tracking urls in the URL bar and each need to load in turn, redirecting to the final target.

2. Use JavaScript:

    <a onclick="navigator.sendBeacon('trackingurl')" href="target">link</a>
This seems to be your suggestion. This requires JavaScript and the JavaScript could be doing other things, like a global mousedown handler which could interfere with it. Many tracking "solutions" have to be carefully written to avoid this kind of interference, which makes development hard to implement as well. The risk is that people's websites' break.

3. Use CSS:

    a:active{background-image:url(trackingurl) !important;};
This "works" but it's sneaky, and it's even more likely that multiple tracking "solutions" will interfere with each other using this method. It might also break the publisher's site if they intended the selector for another purpose.

4. Use ping:

    <a ping="trackingurl" href="target">link</a>
Now looking at all four options, I'd definitely much rather use ping= because (a) it's likely to be implemented correctly, (b) it's unlikely to break other scripts/styles on the page, and (c) it's not sneaky; the effects are implementation are transparent.

However I appreciate to some people "anyone" might not include the people who write the content you're reading -- after all, if you don't care about them, then surely there isn't "anyone" who wants this, but this is immature. These are most certainly people, and these are the people that want this: People who know about other methods and have thought about the risk/reward of using them.

I absolutely think the ping attribute is preferable, but several of your solutions are to avoid conflicting with other tracking solutions that are in place already. How would you address that with ping attributes?

The ping attribute stores a space-separated list of urls.

FWIW, I asked this since I've built client-side ads/analytics code before and I very much prefer JS-based solutions, since you can sort out the difficulties of dealing with interfering scripts once, put it in a library and still have control of what is going on.

But I guess it does provide a simple mechanism for folks who would otherwise use a redirect and don't want to deal with the complication, so thanks for the insight.

> "We don’t believe that offering an option to disable this feature alone will have any meaningful improvement in the user privacy, since website can (and often already do) detect the various supported mechanisms for hyperlink auditing in each browser and disabling the more user friendly mechanisms will cause them to fall back to the less user friendly ones, without actually disabling the hyperlink auditing functionality itself."

Sites that wanted to track have always been tracking clicks on links on their pages using JavaScript or redirection pages that first record the click and then send the browser to the destination that the user wanted to go to. Ping is just a better way for sites to implement tracking, and if more sites move to this, the easier it’ll be to block (like uBlock Origin has already done). In conjunction with other Firefox extensions that thwart “traditional” click tracking, we can cover everything.

I find Mozilla’s (and Apple’s) position on enabling this by default tenable, because we certainly don’t want sites to block Firefox for this reason or tell users to use another browser (with euphemisms like) “for a better experience”. On this point, I think Brave has cornered itself as a niche browser that sites may start revolting against when it grows.

What is not acceptable from any browser vendor, especially a vendor like Mozilla or Apple that wears privacy on its sleeves, is not having a way to disable this using preferences (visible or something like about:config or defaults). Not everyone may want to trust and install several extensions for things like this. On this, Mozilla has failed (and so has Apple, though I didn’t check that in this context).

The solution to this is eg a content blocker in safari.

The browser still reports “ping” as usable so no blocking of the user or expensive (resource wise) js alternatives, but when you click the link the URL is evaluated as being blocked and safari does nothing relating to the ping.

This isn’t theory, I’ve tested it and it works.

I don’t know enough about blocking capabilities in Firefox to theorise how it would work there.

> This isn’t theory, I’ve tested it and it works.

That only works when the destination URL of the ping is specified as a content blocker rule. Content blockers are too limited to block the ping mechanism itself, so you would need to statically add every single arbitrary tracker URL pattern to the ruleset and hope they don't match a site or resource you want.

That is literally my point.

You don’t need to “block” the ping functionality (which itself would be come a fingerprinting data point) any more than you need to block xhr/fetch or following 301 redirects (which are also used for the same purposes the ping attribute may be used for)

There are literally dozens of content blockers available for both macOS and iOS and all have extensive block lists of trackers, ad networks, etc. Some also allow you to add custom rules.

That same content blocker will also block XHR/fetch based link tracking that many will just fallback to if ping support is not detected.

What if it was a compile-time option?

If those capable were compiling and sharing versions of Firefox without some of these "features", perhaps some users might be interested.

Bias/ignorance: I like to use smaller software for doing TCP connections and HTTP requests that require more modest resources and shorter time to compile; often these projects provide many compile-time options. There are many, many examples of such software. First example that comes to mind for some reason is socat, if one needs an example of what I mean.

By making it possible to disable it, you are adding fingerprintable bits of entropy to your browser.

Concerns about this were also the reason why toggling the sending of the DNT header was removed for example.

DNT support was removed from Firefox? When did this happen?

Probably good for the reasons you mention considering DNT is dead anyway.

This is clearly wrong. If usability suffers due to tracking implementing this removes a disadvantage of tracking; so it supports tracking. If usability doesn't suffer it still provides a cleaner and simpler way to implement the tracking and also supports tracking.

The only legitimate reason to add this is that if some browsers have it and some don't usability will be better on some browsers than on others.

This is a prisoner's dilemma. Or was.

As explained in the article, the same data is already being collected without the use of 'ping', so refusing to support ping is nothing but privacy theater (a la "security theater") --- at the cost of user experience. I'm disappointed to see Brave playing that game.

Not supporting it means sites without tracking have better user experience. Now tracking is natively supported, everyone can just start doing tracking without any of the disadvantages.

That argument would carry weight if you could point to sites that deliberately avoid outbound link tracking because of the impact on the user experience. I've never heard of any.

That's not what GP was saying. They were saying that given two websites, one that doesn't track and one that does, the one that doesn't would have a better user experience as a side effect, which would give it a competitive advantage in this "department" over the one that does track. So, all things being equal, users would choose the one that doesn't track for the simple virtue of it giving them a better experience.

This argument appears multiple times in this thread. However, realistically I've never seen a mainstream website that was drastically disadvantaged by their tracking mechanisms. I'm concerned that a lot of the tech savvy people who are making this claim may be working on severely outdated machines for which this makes a difference. With even the cheapest Dell computer sold today, it doesn't really matter, which is why everyone is tracking everywhere. I'm not a huge fan of ping, but the idea that websites are going to choose not to track with JavaScript based on the bad UX on a years old Core 2 Duo is just absurd. The economic incentive you are imagining does not exist, thus ping isn't truly eliminating a critical UX difference between tracked and untracked websites.

TL;DR ITT: "Link auditing / ping will eliminate the disadvantages of tracking!" - Ad Industry and sites that serve tracking: "What disadvantages?"

As long as I can turn it off in about:config (and it won't try to automatically change the setting for me without my permission) I don't care if it is on or off by default.

In fact, having it on by default is better for people who are privacy conscious. If everyone has it off by default, then no site will implement it. If it's opt-out, the average site is more likely to use it rather than using JS tracking.

It's kind of like Do Not Track. Once IE enabled it by default, every single ad network stopped honoring it.

How are ad networks not in violation of the CFAA (computer fraud and abuse act) by not honoring DNT? Surely if I can get in trouble for abusing what a server allows but does not intend then the same should hold true for interactions with a client web browser.

DNT arguably ceased to be a reliable symbol of user intention the moment Microsoft turned it on by default.

I doubt Microsoft didn’t realize what they were doing would kill DNT acceptance, but they did it anyway to add a bullet point to their feature list.

Much like malware protection ceased to be a reliable symbol of user intention the moment Microsoft turned it on by default.

Malware protection isn’t a signal though, it’s an active process of deleting and blocking. No need or even possibility to interpret it.

The analogy in the tracking space would be something like Safari ITP, not DNT.

Maybe now we can get rid of the god-forsaken javascript hell that does link tracking or the multiple bounces between servers before a redirect.

(Me, landing on an 'empty' page with NoScipt)


Life is simpler these days. Others should envy me.

From the mdn page on the `a` element, the section on the `ping` attribute says:

> Contains a space-separated list of URLs to which, when the hyperlink is followed, POST requests with the body PING will be sent by the browser (in the background). Typically used for tracking.

Does this mean that if I put a proxy between the browser and the internet I can block this kind of requests? (of course at the expense of requests that contain that same body for other reasons, in which case I wonder why they didn't add a specific http request header to clearly mark those requests as pings)

Just wanted to say that uMatrix can disable this. Browsers have been anti-user control for so long, we can't rely on them anymore to provide basic configuration even.

I was never aware of the ping attribute but now it makes me wonder what was the rationale behind standardising it. Is there any particular legitimate (ie. non-tracking) use for such a feature? It would makes sense, of sorts, if there was a policy regarding the target of the attribute but as far as I can see the browser can ping literally anything.

The rationale is that everyone interested has been doing this with redirects (for years) in non standardised and often opaque ways.

So it’s better to standardize and make it transparent.

E.g. google search results get rewritten to redirects as soon as you hover over them or press them (and are redirects in the first place with JS off). Have been for at least 8 years now.

That's a shame. Now I have to either wait for someone to make an extension to disable hyperpings (so it can sync between all my Firefoxes rather than me having to manually change it every time) or learn to make one myself.

uBlock Origin already blocks this feature.


That was a short wait.

This isn't a new feature; it was added in Chrome 15 and Safari 6. https://caniuse.com/#feat=ping

> Google Chrome, Opera, Microsoft Edge, and Safari enabled hyperlink auditing pings by default... will no longer allow users to [disable it] in the future.

This is amazing news b/c it will unfuck the link graph. So many shitty content sites link to the outside through an intermediary url which counts clickthroughs and then passes you on with JS. Would love to see that stop

Yeah, that's 100% getting disabled for me. What a shame.

As much as I hate tracking this is definitely cleaner. I'm sure noscript will block it too.

Is this an official statement from Mozilla? If understood right, it says that because every tracking site already does, we will put it inside the browser.

It seems like one day Nike will say, we need to send the location of every step you take, where you're heading and the speed so we can make better shoes. And people just, yes, seems fair to me.

The problem is sites don't need ping to do their tracking. In the past, search engines would just force a redirect to gather all the metrics they want for which link you go to. Most browsers put ping in as default because it improves responsiveness by not forcing the redirect. Firefox simply hasn't changed that yet. It hardly changes their privacy position, IMO.

Check out the latest episode of Security Now, which talks about this. https://www.grc.com/securitynow.htm

It's a little different.

It's more like Nike are fitting their stores with a special floor that track people walking around in the store to figure out where people go and what they find interesting.

There are many vendors of these special floors, and they offer different kinds of reporting to Nike.

At the moment, Nike can't use multiple vendors without careful testing because the floors can potentially interfere with eachother. Sometimes the interactions only occur in extreme cases, such as massively overweight or underweight individuals. Nike may not be floor experts and not know how to to this. It also makes the floor "thicker" with multiple vendors special floors layered on top of each other, which might feel weird walking on.

These vendors don't just sell to Nike, they sell to lots of stores. Obviously they don't share Nike's "data" with ASIC but each of them have to deal with the fact that even if they solve the problem for Nike's chosen set of vendors, they'll have to do it again for ASIC as well.

So, the floor vendors got together and proposed a mechanism whereby they can all work together.

No new privacy leak, no new information is being generated, or even being transmitted to anyone who didn't already have the ability to collect it, but the implementation is simpler, and user experience is better.

Or, you can make this "floor tracking" so difficult and circumventable that people start to question it and decide that new pair of shiny shoes doesn't deserve the added hassle of walking in them.

There's that producer of floors that stands against these forms of tracking and says "go to the stores that buy from us, they won't track you!" So this benefits the stores that but from them, the floor maker and the store's patrons.

But this analogy broke down pretty soon this way, didn't it?

Does anyone have a handy hyperlink auditing test website to check your current browser?

Firefox v52.9.0esr with NoScript, uBlock Origin and whitelist-based security just got a big industry boost.

Good going, Mozilla!

This is asinine. What is the point of a symphony of holistic privacy initiatives like the GDPR cookie policies on websites and a so-called "privacy browser" if the browser people inconsistently move away from opt-in to opt-out and sell-out their users?

This feature allows a trivial DDOS attack to be constructed



you can always downgrade your FF version and turn off auto updates, or go to a custom palemoon, then have a chat with mozilla about why you did so.

Installing ublock origin is far preferable to an old version of Firefox or an old version of Firefox with branding.

when as mozilla is apparently stating, pinging is turned on by default, and cant be disabled, that is the point when you use a different version. there are a lot of people who block JS regardless of how it "breaks a page" I for one can live without pages that require JS for anything more than a blank page

I (former Firefox developer) do not see how using ping for this sort of attack has any advantage over any of the other myriad ways Javascript running in a browser can generate traffic to a site.

If it does have an advantage, it's probably just something incidental like particular HTTP proxies being configured to let pings through, or something like that.

Probably more that certain sites are using serverside XSS filters that allow third party content a elements with ping attributes, but not to inject arbitrary JavaScript.

no it involves multiple links being pointed at one webserver. read the article and you will see. you dont need JS or any skill other than knowing how to use an HTML5 tag and malform a ping for every link. you just need a good piece of clickbait is all.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact