
Another sinister way of doing this is having users solve captchas in order to comment and keeping a badness score of the troublemakers. Then pretend they failed the captchas at a rate proportional to their score.





If that's going on then what on earth have I done to offend Google?

You use a VPN and have anti-tracking features enabled in a browser. Actually, it's sometimes impossible to win the puzzle; they just keep serving you new ones to keep you busy. Maybe it's effective against 3rd world click farms.

Just having anti-tracking features without a VPN is enough. I suffer from it all the time.

Yup - it’s a great way to lose real customers - but I suspect it’s a trade-off they’re OK with.

Not using Chrome?

Is it just me or has the web's compatibility with Firefox taken a nosedive recently? It used to just be my employer's HR software that was Chrome-only, but in the last year my power utility website, apartment complex website, and even major websites like https://www.deviantart.com/ (which I was trying to visit just 10 minutes ago) have broken in Firefox but not Chrome. Badly, too. These aren't "the layout is different in FF and nobody noticed" bugs, they're "site infinitely redirects" bugs or "login button doesn't submit" bugs.

Debug steps: turn off Bitwarden, my only extension. Never helps. Ctrl+Shift+Del cookies. Never helps. Sigh, open Chrome. Works first time.

Is it just me or did the web up and dump firefox just when it started to get good?

:(


I've noticed some of this lately - in a significant fraction of cases, it comes from Firefox honoring X-Frame-Options while Chrome ignores them, so e.g. payments work on Chrome on sites that don't work on FF.

At my current employer, the web apps are only ever tested on Chrome. If it works on Chrome, it ships. I think I’m the only one using Firefox and making sure it works there before Chrome.

Thanks for fighting the good fight.

We recently had some "FE devs" make a spiffy new SPA for some internal product. When I got to testing it on Firefox cause that's my main browser, I got a blank white page.

I asked them and they're like "yeah, it only works on chrome-based browsers". Or something to that effect. It's not like some CSS was wonky, or a bug somewhere... No, the default process of them building the SPA somehow yielded a completely non-functioning app for Firefox.


Services with absent engineers should be breaking left and right this month due to changes to SameSite attributes on cookies that hit browsers in early Feb. The intention of the change is to provide some long overdue changes to defaults on cookies with better privacy.

This is a change that’s been underway for years but came as a surprise when it actually shipped. I coordinated updates to ~40 packages owned by 5 different teams at my company, and had to put aside a good amount of other critical product work for about a week to ensure we didn’t encounter any customer issues.

The crux of the issue for maintainers is that Auth flows that require cookies to be sent around different origins (e.g. OAuth with form_post) will no longer work unless they update the cookies to explicitly be SameSite=none and Secure=true. Chrome led the pack on shipping the changes to browsers, but also implemented a special timeout rule that temporarily allows cookies that don’t meet the new spec to be set anyway to try to ensure auth flows don’t break. Eventually they will lift this timeout. Firefox has shipped support but has not implemented such a timeout.
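
Added example, not part of the comment above: a small model of how a browser with the new defaults treats a cookie on a cross-site top-level POST such as an OAuth form_post callback. The cookie name, sample headers, function names and the 120-second grace value are assumptions of this example.

```javascript
// Added example: models the SameSite decision for a cross-site top-level POST.
// Parse one Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: eq === -1 ? "" : pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// graceSeconds > 0 models a temporary allowance for young cookies that carry
// no SameSite attribute (assumed value passed by the caller); 0 models a
// browser that ships the new default without any such allowance.
function crossSitePostVerdict(header, ageSeconds, graceSeconds = 0) {
  const { attrs } = parseSetCookie(header);
  const sameSite =
    typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : null;
  const secure = attrs.secure === true;

  if (sameSite === "none") {
    return secure ? "sent" : "rejected: SameSite=None requires Secure";
  }
  if (sameSite === "strict" || sameSite === "lax") {
    return "withheld: SameSite=" + sameSite;
  }
  // Missing or unrecognised SameSite value: treated as Lax by default.
  if (ageSeconds < graceSeconds) return "sent: inside grace window";
  return "withheld: defaulted to Lax";
}

// Constructed sample headers; name and value are placeholders.
const SAMPLES = {
  legacy: "oauth_state=abc123; Path=/; HttpOnly",
  noneInsecure: "oauth_state=abc123; Path=/; HttpOnly; SameSite=None",
  fixed: "oauth_state=abc123; Path=/; HttpOnly; Secure; SameSite=None",
};

// Verdict for each sample when the cookie is 300 seconds old.
function report(graceSeconds) {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([k, h]) => [k, crossSitePostVerdict(h, 300, graceSeconds)])
  );
}

console.log(report(0), report(120));
```

Running the same check over an application's real Set-Cookie headers shows which auth cookies depend on the grace window and will be withheld once it is gone.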


At one place I was at, people were completely aware but Firefox issues were always deprioritized because the analytics showed a low percentage of users affected. I wouldn't be surprised if a higher proportion of users with Firefox also have adblock, which further skews these usage stats.

I've unexpectedly had precisely the opposite experience; as of recent changes to cookie handling and 3rd party content in Chrome, several sites / webapps have either stopped working at all in Chrome, or have serious issues -- while rendering and performing just fine in FF.

Some tech demo sites are Chrome only but I’ve yet to encounter a broken site on Firefox. The only issues I have are mostly due to adblock or my Pi Hole. I haven’t used Chrome in years.

Have you tried turning off ublock/etc. first?

For me it's usually extensions.


Consider submitting a bug ticket. You are the customer after all.

> Not using Chrome?

A truly deplorable act...

I also added about 30 seconds of latency to every page I visit, but for completely different reasons than OP. Switching to Brave and blocking all cookies and JS by default made me have to manually enable it for nearly every site that I actually wanted to use.

About a week later, Chrome was reinstalled. Maybe I'll try it again once I level up my willpower.


I'm using nextdns.io and no-script with Firefox; it works quite smoothly once you accumulate the settings. You can export/import the no-script settings and merge with meld to keep the settings in sync between your PCs and laptops.

Also "Privacy Badger", which smartly blocks scripts by checking cross-site cookies, a preset whitelist and a custom whitelist/blocklist.

I have 15 whitelisted sites. I think it took negligible effort to add them, you whitelist a site once and it stays there from there on.

I find blacklisting sites that abuse JS works better for me than the whitelist approach.

Are you blocking their tracking and fingerprinting? Do you sit behind a massive CG-NAT?


You haven't opted in. For the modern web, using it without JavaScript and the requisite accounts isn't a supported option.

Adblock? I ended up switching mine off just to make the internet usable.

> pretend they failed the captchas

That explains a lot... I frequently have to solve 10+ captchas when I'm using Firefox, many of them rate-limited. It feels like a punishment for resisting surveillance. These things should be illegal due to the accessibility problems they cause if not the fact they're a nuisance.


It's more of an automatic thing (it's usually due to a VPN) since many people connect from the same IP at near the same time. It's even worse with Tor.

Why should people be punished for using VPNs, Tor, an ISP with CGNAT? All of these should be supported regardless of how much abuse originates from them.

"Oh, you dare to oppose our surveillance? You want to block tracking scripts, fingerprinting and use VPN? You're a baaaad consuumer, we're going to correct your behavior by making your browsing experience miserable or submit to our rules and switch to Chrome"

I'm sorry if that's unnecessarily dystopian


There's also the double standards involved. It's totally fine when they run their abusive javascript on my computer but if I even so much as scrape their website suddenly it's abuse just because they don't like it.

Everything is okay and justified when rich corporations do it. "Normal" people just have to accept it without fighting back in any way. Company directly and openly transmits malware to people's browsers, collects all personal information and creates detailed profiles of people in order to sell to interested parties? If I did that, I'd no doubt get charged with some sort of crime. They just make it part of their terms of service which nobody ever reads much less agrees to and somehow everything is justified. Suddenly it's not malware but "surveillance capitalism", a totally legitimate activity. And if we try to resist in any way, they use the lack of tracking to say we're indistinguishable from the networks of bots spamming them or DDoSing them or whatever. Since it's part of their terms of service, any attempt on our part to circumvent their fingerprinting is abuse.

> we're going to correct your behavior by making your browsing experience miserable

Hopefully the only thing they'll achieve is the death of their own online community. Imagine if HN forced people to solve a captcha before every single post.


It's almost as if every dystopian/cyberpunk scenario is coming to life (or will some time in the future)

Should be, but unfortunately we're still trying to invent a better abuse-resistance system than a captcha. Invent a better one and the world will throw money at you. Telemarketing calls are an example where better abuse-resistant systems would be awesome.

> we're still trying to invent a better abuse-resistance system than a captcha.

> Invent a better one and the world will throw money at you.

It already exists.

The abuse stems from the fact that servers connected to the wider internet are designed to respond to anyone who tries to talk to them. That's the fundamental problem with internet security today: computers talk to strangers they don't know, much less trust.

What if computers dropped all packets by default and networked only with authorized users? The risk of exploitation and abuse becomes negligible because to unauthorized users it's like the computer is not even there to begin with.

This can be done with single packet authorization. The internet would lose its mass market appeal but it's much better than normalized widespread surveillance.
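
Added example, not part of the comment above: the server-side check behind single packet authorization, where a listener that otherwise drops everything validates one signed, fresh, never-before-seen packet before it opens a port for the sender. The packet layout, the 30-second window, the key and all names are assumptions of this example, not any particular tool's format.

```javascript
// Added example: server-side check for a single-packet-authorization request.
// Packet layout (assumed here): "clientId|unixTime|nonceHex|hmacHex".
const nodeCrypto = require("node:crypto");

const MAX_SKEW_SECONDS = 30; // assumed freshness window
const seenNonces = new Map(); // nonce -> timestamp, to refuse replays

function mac(key, body) {
  return nodeCrypto.createHmac("sha256", key).update(body).digest();
}

// Client side: sign "who, when, nonce" with the pre-shared key.
function buildPacket(clientId, key, now, nonce) {
  const body = `${clientId}|${now}|${nonce}`;
  return `${body}|${mac(key, body).toString("hex")}`;
}

// Server side: the reason is for local logs only; a real listener stays
// silent on failure and only opens the firewall for the sender on success.
function verifyPacket(packet, keys, now) {
  const parts = packet.split("|");
  if (parts.length !== 4) return { ok: false, reason: "malformed" };
  const [clientId, ts, nonce, macHex] = parts;
  const key = keys.get(clientId);
  if (!key) return { ok: false, reason: "unknown client" };

  const expected = mac(key, `${clientId}|${ts}|${nonce}`);
  const given = Buffer.from(macHex, "hex");
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad mac" };
  }
  if (!/^\d+$/.test(ts) || Math.abs(now - Number(ts)) > MAX_SKEW_SECONDS) {
    return { ok: false, reason: "stale" };
  }
  for (const [n, t] of seenNonces) {
    if (now - t > MAX_SKEW_SECONDS) seenNonces.delete(n); // expired, safe to forget
  }
  if (seenNonces.has(nonce)) return { ok: false, reason: "replay" };
  seenNonces.set(nonce, Number(ts));
  return { ok: true, clientId };
}

// Constructed demo values: key, client name and nonce are placeholders.
const DEMO_KEYS = new Map([["laptop", Buffer.from("constructed-demo-key")]]);
const demoPacket = buildPacket("laptop", DEMO_KEYS.get("laptop"), 1000, "00".repeat(16));
console.log(verifyPacket(demoPacket, DEMO_KEYS, 1005), verifyPacket(demoPacket, DEMO_KEYS, 1010));
```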


For about six months, the Fidelity mobile site gave false indications of incorrect username/password on purpose. No idea why they did this.

I can see that it could be effective against brute force attacks. A real user would assume they fat-fingered their password and try it again; a brute force attack would miss the password and carry on forever.


