HTML5 ping tracking – Firefox :firefox: will enable it by default:

– HTML5 ping attributes can be used to track people if they click a link (<a href=… ping=…>) by sending POST requests to an arbitrary amount of hosts
– tracking is possible without any JavaScript, or Cookies
– Steve Gibson talked about it in Security Now 709:
– ping is enabled in Chrome, Opera, Edge, Safari by default

@infosechandbook Now I understand why Waterfox exists. What the hell is wrong with Mozilla? :blobastonished:

@infosechandbook Their reasoning is apparently that if they don't add this "feature", people will just emulate it using something else.

Which is bulls**t, because that "something else" is JavaScript, which can be blocked. But this cannot.

@Sturmflut @infosechandbook Maybe it can be disabled through the user.js config file, but I don't know.

People doesn't know/care about that config file, and it shoudn't worry the rest of us, because Firefox is supossed to be the non-tracking web browser...

@Sturmflut @captainepoch @infosechandbook Link tracking has been around since forever and works even on your NoScript setup with pure html and http with nothing you can do about it. The new standard is client side and trivial to bypass, Firefox has support for that in about:config.

@captainepoch @infosechandbook

There is a difference between the host the link points to being part of the tracking network, and my browser talking to a third-party website on its own.

It can still be disabled in about:config, but this should never be enabled to begin with, and I don't trust Mozilla with keeping it configurable in the future.

@Sturmflut @captainepoch @infosechandbook Another alternative is HTTP redirect. HTTP-redirect-based tracking is very common, and can't be blocked.

@kornel @Sturmflut @infosechandbook We shouldn't be even thinking about that, especially with Mozilla (which is supposedly the company which worries about our privacy online)

@captainepoch @Sturmflut @infosechandbook I like that Mozilla actually cares about privacy, not merely about *looking* like they care. Blocking of ping looks good, but is bad for actual privacy. Mozilla here is brave enough to take the heat from people who don't understand how link tracking works already, to make an actual improvement.

@captainepoch @infosechandbook actually, that may not be that bad, because otherwise websites fall back to tracking links via JS. This way, you can at least block it…


@captainepoch @infosechandbook I'm not sure that Waterfox is that trustworthy though...

I also lost faith in Firefox but that's a different story. Wish there would be a bit more behind Seamonkey, which browser is still going strong.

@artixx @infosechandbook Interesting, I didn't know this page. I'll take a closer look later!

Thank you 😊

@infosechandbook @megfault Can these pings be identified on the Network level somehow? Or do we collectively need Yet another Blocklist?

@infosechandbook @megfault

The requests are standardised and could probably be blocked by a proxy, as long as it can also look into HTTPS connections.

But ad blockers will probably have to be extended anyways, since even if this "feature" is off, people already emulate it in JavaScript.

@wonko @infosechandbook @megfault Well… they are HTTPS POST requests, so encrypted.

But ublock origin blcoks them.


> HTML5 ping tracking – Firefox :firefox: will enable it by default:

I started out *very* skeptical of this move but, after reading the link you provided, have to admit that their logic makes sense: given that the overwhelming majority of sites that want this info currently track it in JS, letting them track the same data with an HTML attribute would reduce page bloat without changing privacy.

That said, I hope that they keep a way to turn it off for people who disable JS

Firefox has a setting. For other browsers it would be rather easy to write extensions, that just remove the ping= attribute when loading the page. @infosechandbook

@allo @codesections @infosechandbook actually uBlock Origin also already blocks it.

And yes, it may actually not be that bad,m given you now have a safe way to block this requests…

@allo "The popular content blocker uBlock Origin blocks pings by default as well, and it is available for Firefox, Chrome, and other browsers."

@codesections @infosechandbook

@codesections @infosechandbook I've seen a few people say ublock origin alrerdy blocks by default (or has the option) so that's something I guess


That's the problem though... You can block JS. Now all of the security measures people have developed to stop this tracking will not work anymore. (uBlock, noscript, etc.)


@dvn @codesections @infosechandbook I would think these requests could be blocked just as if it was sent by JavaScript, there's no justification for the alternative.

@codesections @infosechandbook

The problem is not on the technology but the use of it. It's on the webmaster side. Why they don't care about their customer's privacy? Why customers don't care about it too and still accept Google terms of service.

We should emphasize good websites and discard the others.

@infosechandbook This is a very good news! Neutral for privacy, increase in transparency, and win for performance.

@infosechandbook I know you're all guilty of reading books unauditably! You should have written your name and date on each page at the bottom so the authorities can properly ensure our safety.

can a vpn counter this ?

Should the common man start using counter-espionnage tactics to maintain dignity and privacy ?


The purpose of VPNs isn't privacy in the first place. So, no, it is very unlikely that a VPN provider changes anything in this scenario (except your IP address).

You can try to block it by using addons, however, as always companies will come up with another tracking technique.

@infosechandbook luckily this is already blocked by uBlock, so most of us don't have to really worry about this. Those who do have to are already being tracked through JavaScript, in worse ways than the pings would allow (not saying this is OK, but I can understand their reasoning and it will have no significant impact as far as I can tell)

Sign in to participate in the conversation
Mastodon is a microblogging site that federates with most instances on the Fediverse. Note: This instance will shut down on February 29th, 2020.