Firefox 's Ping Attribute: Useful or Spyware? 575
An anonymous reader writes "The Mozilla Team has quietly enabled a new feature in Firefox that parses 'ping' attributes to anchor tags in HTML. Now links can have a 'ping' attribute that contains a list of servers to notify when you click on a link. Although link tracking has been done using redirects and Javascript, this new "feature" allows notification of an unlimited and uncontrollable number of servers for every click, and it is not noticeable without examining the source code for a link before clicking it."
Firefox's Ping Attribute: Useful AND Spyware (Score:5, Insightful)
It's simply the user's choice as to whether or not the pros outweigh the cons. And I'm sure the massive response that ensues on Slashdot will reveal that everyone values these pros and cons differently.
Doesn't seem to be much argument other than I think they should have a very simple way to disable this if the user so chooses. As with the iTunes fiasco [slashdot.org], I would recommend Firefox be distributed with this option disabled.
Consider what may happen (Score:5, Insightful)
Coming soon to a browser near you: (Score:5, Insightful)
How is this different from (Score:2, Insightful)
Is the concern that the 'ping' comes from your browser and not any proxy server you may be using? In most cases your proxy server is also your NAT server so the 'ping' isn't going to give much of anything about your IP....
Of course this should be disabled by default, I just don't see this as a huge privacy issue.
It's great! (Score:3, Insightful)
Re:Firefox's Ping Attribute: Useful AND Spyware (Score:5, Insightful)
Re:Consider what may happen (Score:3, Insightful)
What's the difference ... (Score:2, Insightful)
Of course you can disable javascript, but most people don't. People who do so, can also turn off this ping functionality. I'm sure an extension will allow to do this the easy way (NoScript notably).
How is this an issue? (Score:5, Insightful)
It's a C-O-N-spiracy (Score:5, Insightful)
Bad Javascript Coding DoS Attack (Score:1, Insightful)
Re:Firefox's Ping Attribute: Useful AND Spyware (Score:5, Insightful)
Because of this, and it being mozilla-specific for now, websites that currently use tracking URL's will see no value in switching over.
As for privacy concerns, it's already quite easy to track people on the web. Those who avoid it now are more in the know and would probably just add this to the list of things to disable.
I hate to say it... (Score:2, Insightful)
Not very useful (Score:3, Insightful)
2. Now you alienate any user using another browser
3. Mozilla team is pulling an IE (implementing their own extensions... read the blog... "w3c doesn't have to make all the rules"
Not literally a ping... (Score:3, Insightful)
My first thought was "How can you track clicks with a ping?". After RTFA, it's not literally a ping to some server, it's a request to a URI, most probably an HTTP request that will contain request parameters indicating what link was clicked.
Second of all, this is not any more of a privacy intrusion than previously existed. It was always possible to track clicks within a single website via cookies, and clicks on external links (i.e. banner ads) by using a redirect first. If the author of the website wants to track what you're doing, he's already got the means, and he's had them for years.
Facts of the matter (Score:5, Insightful)
From a technical POV it's actually nicely thought out, as it separates logically the intended action and the "log."
I'm sure that Google, Yahoo, and others are BEGGING for this. I've worked in Design and Dev at two of the biggest travel sites - it's a huge problem tracking clicks. If we could remove our tracking javascript then users would get a MUCH snappier web site.
But we can't because our advertisers specify that we must have third party click/view audits that "verify" our intended audience numbers.
On the one hand, I know (having designed and built some of the auditing and log analysis systems) that we're tracking every click on our sites. We do use cookies. And the tag would bring it all out in the open instead of buried 3 layers deep in javascript.
But from an individual POV, it's like acknowledging that they really ARE watching me. And I am now consenting to that.
Solution: In my mind, the big(and little) sites could offer users the "option" of using the ping tag for a nicer user experience. It would be disabled by default, and a web site would have to specifically request and get permission from the user before the browser would "unlock"
Just me $0.02
Who asked for this? (Score:1, Insightful)
It will be abused really soon in my opinion. Right now the site you're browsing can track you. Tomorrow, your clicks will be broadcasted (clickcasted) to all ads firms live. Gr8t!
Will sites really use this? (Score:5, Insightful)
Re:Firefox's Ping Attribute: Useful AND Spyware (Score:5, Insightful)
Today, ad or other link tracking is generally handled like this: The link target specifies a tracking page and passes in a magic word or number that specifies the campaign or other info (e.g., "go.php?id=123" or "click.asp?campaign=A1254S"). That page logs the click in some database and issues a redirect to the actual destination page. Sometimes the web server log acts as the "database" and the click stats are processed from the logs.
With this new scheme, idea is supposed to be that the href target would be the actual destination and there would be no need for the time-consuming redirect. The separate ping attribute would take care of notifying the server similar to what happens today. But now the target page is out in the open for the client to see, and it is not essential to use the ping URL at all! Once users start blocking ping URLs, as they inevitably will, this transparency means that click stats will be very unreliable.
Since a lot of revenue depends on click numbers, this outcome is bad for commercial web sites. Therefore, very few money links will ever use this scheme and will instead stay with the tried-and-true redirect pages.
Re:With or without your consent? (Score:4, Insightful)
This kind of misses the point. If Firefox is to become a mainstream internet browser, it needs to be anti-spyware and usable from a clean install onwards. Making it the ideal browser for the tweakers, where it's at its most usable after multiple options have been changed and several extensions installed, is not going to make it the browser of choice for the general public.
As far as grabbing market share goes, it's the default settings that make the difference.
Re:This stinks (Score:2, Insightful)
Re:It's great! (Score:2, Insightful)
Why should site developers use the ping attribute to track users, if there are solutions already that the user can't disable. The ping attribute will simply never catch on and there's not a bit of control users will gain.
Re:Firefox's Ping Attribute: Useful AND Spyware (Score:4, Insightful)
Re:Extension (Score:2, Insightful)
Not that simple (Score:3, Insightful)
No, it's not really that simple. This is much like the difference between first-party cookies and third-party cookies. In fact, I'd be happy if they decided to limit them at that level of granularity. I honestly wouldn't mind first-party pings. This provides--as you correctly note--nothing more than they can already collect now. It does, however, significantly enhance the developers' ability to directly collect stateful click-through information.
On the other hand, I'd say third-party pings are no less (and no more) evil than third-party cookies in terms of privacy. It seems to be a fairly common practice to disable third-party cookies while leaving first-party cookies enabled. I would certainly like the option to specify my preferences at that level.
Re:You can already do this with Javascript (Score:5, Insightful)
Comment removed (Score:2, Insightful)
Re:Not very useful (Score:3, Insightful)
Perhaps we should call this one 'pulling a google'? I mean, who is the biggest sponsor for the Mozilla Foundation? And who has a huge interest in 'features' like this?
Re:Don't like Firefox spyware? Use Konqueror (Score:5, Insightful)
Acid2 only measures the particular edgecasitis that the Acid2 authors managed to think of - web developers seem capable of introducing many more. What's needed isn't more acid tests but a W3-approved regression suite.
Standards? (Score:3, Insightful)
Tracking? YES! Spyware? NO! (Score:3, Insightful)
Anyway, if a website gives you a "ping" attribute, what prevents the same site from obfuscating the link and doing some redirections? It's EXACTLY THE SAME! If there can be any abuse, it's because the attribute is provided BY THE WEBSITE'S CONTENT. And who controls the website content?
One major abuse I could see are phishing sites, but if you already entered a phishing site it's your own fault, and I *REALLY* doubt a bank site would add ping attributes to their website.
In comparison, SPYWARE steals resources, bandwith, CPU and Memory, and makes your system unstable, stealing also YOUR VALUABLE TIME.
So, no, the ping attribute is NOT SPYWARE. I think the article submitter was too sensationalist by putting this in the headline.
Re:Not very useful (Score:3, Insightful)
The difference here is that the ping tag does not affect loading or rendering of the page. It can be safely ignored, and does not create any compatibility problems for the user.
Also, you must remember that Microsoft shoves its browser down people's throats, in the form of OS integration and prebundling, whereas this piece of software is not only optional, but open source, and a simple extension will disable this functionality, if one doesn't want to alter the source themselves.
A disappointing reduction of user privacy (Score:2, Insightful)
> always been a major component of web design and development
> which hinges on deliberately obfuscating important events
> from the user.
Still using cookies as an example, progress has been towards better "cookie privacy". Items like blocking 3rd party cookies by default, a clear "clear all information" button, limits which override cookie expiries, etc. all give the user more control over his/her privacy.
To add this "ping" feature w/o also providing control over its use to users is rather surprising since, otherwise, Firefox has been moving in the right direction.
This is not just surprising, but incredibly disappointing.
Re:it's all about Google adwords (Score:3, Insightful)
The Obvious Answer (Score:3, Insightful)
but seriously
sure, make it disableable. additionally, make it configurable to set the maximum number of PINGs per click. and lastly, limit the URLs to the originating site only.
Re:Don't like Firefox spyware? Use Konqueror (Score:3, Insightful)
I use the web to view content. Ceding the argument of complex layouts (graphics, frames, fonts, etc.) there is no content that I've viewed in the last 8 years which requires any functionality on my browser's part beyond what I could get from lynx. What does this ping bring to me, as a user, and why should I care to have it at all?
AJAX doesn't impress me either. Webapps, while nice for jobs and web-coders (everyone needs to make a living somehow), should die. There's a better and more secure way to do everything which any web-app does.
Re:Don't like Firefox spyware? Use Konqueror (Score:3, Insightful)
I use quite a few sites as tools that give me access to data or features provided by someone that I wouldn't normally have access to. Examples include bank sites and stock brokerage firm sites.
One additional response to your comment: how about providing insight as to the "more secure" alternatives to AJAX that provide the same functionality and fill the same niche rather than simply saying it "should die".
adwords cheating? ddos linking? (Score:2, Insightful)
Does this protocol check for duplicate links in the ping? What happens if I put like 10 or 100 of the same link in the ping. With a popular enough website I could innundate other websites with garbage ping requests.
Re:Firefox's Ping Attribute: Useful AND Spyware (Score:4, Insightful)
Re:Deeper problem (Score:3, Insightful)
There are a couple things wrong with your statement here:
First, the purpose of web standards is not to hand the power to bless things to one organization, but rather to ensure that new technologies and features are implemented and used in a clear, interoperable fashion by browser developers and web designers. So if the people on both ends of the web (the companies and groups which build the browsers, and the designers and developers who build web sites) can get together and agree on a standard way to implement and use a new feature, why not let them do it instead of complaining that it hasn't been blessed by some grand high muck-a-muck at the W3C?
Second, the W3C's authority exists only through consensus. If they lose the consensus of the big players in the web industry, they lose their authority. This is what's already partially begun to happen; the W3C is currently working on XHTML 2.0, which has some major issues:
Because of this, the W3C is in serious danger of losing its consensus and its relevance, which means it's also in serious danger of losing its authority. The WHATWG was founded, basically, with the idea of ending the stagnation of web technology (the last standardized version of an HTML language was published six years ago, and the last standardized version of CSS was published eight years ago) and implementing features that will make web design and development easier all around (think things like expanded form controls, additional useful DOM properties and methods, etc.), and so far it's not doing too bad a job of that.
Think of the distinction like this:
Re:Don't like Firefox spyware? Use Konqueror (Score:3, Insightful)
Sure, you can come up with a zero-install app with roaming profiles running on a distributed, remotely-accessible platform using something other than HTTP and a web browser -- but you'd need to set up the infrastructure and get the platform installed on as many PCs as possible. That's the next-gen "right" solution, and I recall Microsoft talking about this type of thing with
Re:You can already do this with Javascript (Score:5, Insightful)
Bypassed? That may demand definition, for example,
Where does http://tinyurl.com/161 [tinyurl.com] go?
How about http://freshmeat.net/redir/cexec/57387/url_homepa
How do you know without making a URL connection?
Oh sure, you can ignore links that look like that, and even block them. Nobody's suggesting that you cannot block PING-requested URLs.
But bypassed? What exactly could you mean by this?
Re:Don't like Firefox spyware? Use Konqueror (Score:3, Insightful)
Too rigid. I developed a fairly complex layout for a website that was IE, Firefox, Opera and W3C-compliant (hardest of all after IE compatibility, you'd be surprised how forgiving browsers really are). Strangely enough it had a small rendering bug on Safari and I presume Konqueror as well. Anyway, Firefox and Opera were almost to the pixel identical. When they all pass ACID2 I think you have to really go out of your way to make it render differently on W3C-compliant pages. If your page isn't valid (X)HTML/CSS, then expect things to behave odd. What is needed is better tools to create compliant pages - I've seen so many broken tools that should have been put to death long ago.
Kjella
Re:Don't like Firefox spyware? Use Konqueror (Score:3, Insightful)
Lately the following has become increasingly obvious: We're adding new features to keep and track users on the web to generate databases and clicks for (artificial) revenue to show numbers to the investors so that we can get more capital to add new features to keep and track users on the web to generate databases and clicks for (artificial) revenue to show numbers to the investors so that we can get more capital to add new features...
Can you see why I, as a user, am no longer impressed with port 80? I'm not really fond of pyramid schemes.