Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Firefox 's Ping Attribute: Useful or Spyware?

CmdrTaco posted more than 8 years ago | from the wear-your-foil-hats dept.

Mozilla 575

An anonymous reader writes "The Mozilla Team has quietly enabled a new feature in Firefox that parses 'ping' attributes to anchor tags in HTML. Now links can have a 'ping' attribute that contains a list of servers to notify when you click on a link. Although link tracking has been done using redirects and Javascript, this new "feature" allows notification of an unlimited and uncontrollable number of servers for every click, and it is not noticeable without examining the source code for a link before clicking it."

cancel ×

575 comments

Sorry! There are no comments related to the filter you selected.

Firefox's Ping Attribute: Useful AND Spyware (5, Insightful)

eldavojohn (898314) | more than 8 years ago | (#14499401)

This isn't a question, it's obviously a little of both. Sacrifice some information about the sites you visit to allow those who run the servers (anyone, really) some feedback and statistics.

It's simply the user's choice as to whether or not the pros outweigh the cons. And I'm sure the massive response that ensues on Slashdot will reveal that everyone values these pros and cons differently.

Doesn't seem to be much argument other than I think they should have a very simple way to disable this if the user so chooses. As with the iTunes fiasco [slashdot.org] , I would recommend Firefox be distributed with this option disabled.

Re:Firefox's Ping Attribute: Useful AND Spyware (5, Funny)

Stevyn (691306) | more than 8 years ago | (#14499429)

Nooo! Here in the US, the media polarizes two options and have people in bow ties argue it. You're either in agreement with this idea or totally against it.

Don't like Firefox spyware? Use Konqueror (0, Offtopic)

billybob2 (755512) | more than 8 years ago | (#14499682)

If you don't like Firefox's attempt to give away your privacy, there is a perfectly good FOSS browser you can use:

Konqueror [konqueror.org]

In some instances, it may render web pages even better than Firefox, since Konqueror passed the Acid2 test [slashdot.org] .

Re:Firefox's Ping Attribute: Useful AND Spyware (5, Insightful)

timeOday (582209) | more than 8 years ago | (#14499470)

As with the iTunes fiasco, I would recommend Firefox be distributed with this option disabled.
I'm racking my brain to imagine why a user would ever want to enable it.

RTA (4, Informative)

Morosoph (693565) | more than 8 years ago | (#14499540)

I'm racking my brain to imagine why a user would ever want to enable it.
So as to avoid expensive and hidden redirects.

You can already do this with Javascript (5, Interesting)

dmoen (88623) | more than 8 years ago | (#14499481)

I would recommend Firefox be distributed with this option disabled.

Are you also recommending that Firefox be distributed with Javascript disabled? Because this ping functionality is easy enough to implement in javascript. If ping is disabled by default, then nobody will have it enabled, which means that web developers will continue to do it the old fashioned way, and the ability to disable ping will be worthless.

Doug Moen.

Re:You can already do this with Javascript (4, Informative)

grub (11606) | more than 8 years ago | (#14499526)


Use the Firefox NoScript extension and you can be selective about what javascript you run on a per-site basis.

Re:You can already do this with Javascript (1)

mrmeval (662166) | more than 8 years ago | (#14499579)

I use No Script. Yes it should be user controllable and disabled. Who got rich putting this M$ style crap in?

Re:You can already do this with Javascript (4, Interesting)

Hurga (265993) | more than 8 years ago | (#14499645)

Are you also recommending that Firefox be distributed with Javascript disabled?

I know that I HAVE JavaScript disabled (using the NoScript extension) for this and other reasons, and I don't want to have that functionality back whithout me noticing.

Hurga

Re:You can already do this with Javascript (4, Interesting)

TheSpoom (715771) | more than 8 years ago | (#14499676)

Why would a web developer use the ping attribute now? AFAIK only Firefox supports it.

Possible fix (5, Interesting)

spitzak (4019) | more than 8 years ago | (#14499683)

Why not limit the ping to the server that made the current page? This should prevent people from embedding pings into blogs, and still allow the replacement of redirects for tracking where you go. I would think unless this is done, too many people will disable it for any real sites to use it, and it will *only* be used for nefarious purposes.

Re:Firefox's Ping Attribute: Useful AND Spyware (5, Insightful)

heavy snowfall (847023) | more than 8 years ago | (#14499528)

As I see it this will only make it easier to avoid tracking. At the moment tracking links are often obfuscated like this one [slashdot.org] . With this new attribute and the ability to disable it you get a plain non-tracked destination URL.

Because of this, and it being mozilla-specific for now, websites that currently use tracking URL's will see no value in switching over.

As for privacy concerns, it's already quite easy to track people on the web. Those who avoid it now are more in the know and would probably just add this to the list of things to disable.

I ONCE took a SURVEY, and it SAID... (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#14499543)

Plllllllease, SIR. Eat my, the ball. THE BALLS!!!! Hewh i am so durnk now

Re:Firefox's Ping Attribute: Useful AND Spyware (4, Informative)

oneiros27 (46144) | more than 8 years ago | (#14499568)

I would recommend Firefox be distributed with this option disabled
Which would give web developers no reason to ever bother using it, and they'll continue doing the same little tricks they've been using for years to keep you from seeing that they're tracking the links.

Take a look at the HTML source on Fark -- you'll see javascript to overwrite the status line so it doesn't show it's tracking you ... and there are hundreds, if not thousands or millions of other sites that do the same.

Re:Firefox's Ping Attribute: Useful AND Spyware (1)

nodrogluap (165820) | more than 8 years ago | (#14499583)

I'd take a compromise. By default I'd allow pings to the domain the HTML page came from, but would require specific user enabling to allow other sites to be pinged.

Re:Firefox's Ping Attribute: Useful AND Spyware (5, Insightful)

kawika (87069) | more than 8 years ago | (#14499634)

The blog is right that from a user perspective this is good because it makes the target page load faster and makes the tracking transparent. However, this gives the marketer or website even less control than they have now.

Today, ad or other link tracking is generally handled like this: The link target specifies a tracking page and passes in a magic word or number that specifies the campaign or other info (e.g., "go.php?id=123" or "click.asp?campaign=A1254S"). That page logs the click in some database and issues a redirect to the actual destination page. Sometimes the web server log acts as the "database" and the click stats are processed from the logs.

With this new scheme, idea is supposed to be that the href target would be the actual destination and there would be no need for the time-consuming redirect. The separate ping attribute would take care of notifying the server similar to what happens today. But now the target page is out in the open for the client to see, and it is not essential to use the ping URL at all! Once users start blocking ping URLs, as they inevitably will, this transparency means that click stats will be very unreliable.

Since a lot of revenue depends on click numbers, this outcome is bad for commercial web sites. Therefore, very few money links will ever use this scheme and will instead stay with the tried-and-true redirect pages.

Re:Firefox's Ping Attribute: Useful AND Spyware (1)

mwvdlee (775178) | more than 8 years ago | (#14499647)

Given the simple fact that the owner of the server can already do all the "useful" bits without this attribute, why would any user ever want to enable this feature? It has absolutely no use to them whatsoever.

Consider what may happen (5, Insightful)

suso (153703) | more than 8 years ago | (#14499411)

I think the first thing any browser developer should consider when adding a new tag or tag attribute to the DOM is "How can this be abused?" and explore that question to its fullest. Because all of you know that it will be abused and that users will implement it wrong or find new uses for it that the developers didn't intend. Some of them may be good, some bad.

Re:Consider what may happen (2, Insightful)

Libor Vanek (248963) | more than 8 years ago | (#14499471)

Heh - with this philosophy we won't have anything and be in stone-age (hey - stones can be (ab)used for head-smashing!). _ANYTHING_ CAN & WILL BE ABUSED!

Re:Consider what may happen (1)

chrismcdirty (677039) | more than 8 years ago | (#14499507)

Of course. Any tool can potentially be used as a weapon.

Re:Consider what may happen (2, Interesting)

suso (153703) | more than 8 years ago | (#14499517)

What I'm saying is that just because you thought of something neat, you shouldn't just implement it (and I know that this isn't how it happens of course). Cookies and javascript weren't just implemented. A lot of thought went into how they could be used, abused, what the gotchas are and how to solve them. Test models were done and analyzed. This seems like the kind of feature that is comparable to that level of change in the way browsers work. I wonder if the WhatWG people really tested the concept and implementation that much.

Re:Consider what may happen (1)

timeOday (582209) | more than 8 years ago | (#14499505)

"How can this be abused?"
I don't particularly like the feature, but I also don't think a user reveals any extra information by turning it on. Following a link already reveals precisely the same information, and sites no less than google.com already use redirects so they know every link followed from their site. They could already implement this same feature on the server side by notifying whomever they choose.

Re:Consider what may happen (1)

'nother poster (700681) | more than 8 years ago | (#14499686)

Well, that's sort of my thought. If the information is so valuable to them, they should use their CPU cycles and bandwith to notify the people paying them, not me. yes I know I use resources following the redirects, and I don't like them either.

Re:Consider what may happen (0)

Anonymous Coward | more than 8 years ago | (#14499702)

<img> can be used to display goatse.
<a> can be used to link to goatse.
<pre> can be used to show ASCII-art goatse.
HTML can be used to write about goatse.
Computers can be used &c &c &c.

Required! (4, Funny)

Shadow Wrought (586631) | more than 8 years ago | (#14499417)

At least for childbirth. Bring in the machine that goes, PING!

Coming soon to a browser near you: (5, Insightful)

Whiteout (828544) | more than 8 years ago | (#14499418)

One ping-disabling Firefox extension.

Re:Coming soon to a browser near you: (0)

Anonymous Coward | more than 8 years ago | (#14499468)

Was just thinking that... ..or at least one that made them obvious to the user... like highlighting them a different colour or something...

Re:Coming soon to a browser near you: (1)

jasen666 (88727) | more than 8 years ago | (#14499536)

highlight it and display a list of the servers that will be notifified when you click. Maybe in a contextual menu or something.
*hint, hint* extension devs...

Re:Coming soon to a browser near you: (1)

biglig2 (89374) | more than 8 years ago | (#14499477)

Which would imply that the ping tag is a good thing, since it makes it easy to write an extension that blocks tracking links.

Re:Coming soon to a browser near you: (0)

Anonymous Coward | more than 8 years ago | (#14499521)

The other way to address this is to have an extension aggregate all the pings tags on the page and pretend you are pressing every link any time you press one of them, that will mess up enough stats to prevent them abusing this.

Re:Coming soon to a browser near you: (1)

wondafucka (621502) | more than 8 years ago | (#14499588)

Tool-tips that show the link destination AND the pinged server list.

Whitelisted servers that you allow to receive your browser information.

Out of control (2, Interesting)

RuiFerreira (791654) | more than 8 years ago | (#14499427)

kind of abusive, no? I'm just imagining slashdotting more than one server... hum? another issue is the pre fetch directive on firefox... i'm starting to think my bandwidth is out of my control..

Re:Out of control (2, Interesting)

peragrin (659227) | more than 8 years ago | (#14499559)

Actually I kind of like it. With this tool Slashdot could finally Slashdot all the advertisers in one shot. Talk about a major DDOS.

Create a link with an image to a story site. Embed that link with this. You could slashdot The big sites with this. Go Open Source innovation.

This stinks (-1, Offtopic)

a_nonamiss (743253) | more than 8 years ago | (#14499441)

This definitely strikes me as something that could be used for much evil. Makes me wonder about the FF developers. I know that there are many legitimate reasons for wanting to include such a feature, but there are many legitimate reasons for the NSA to listen in to phone calls without a warrant. We all know they would never allow somthing like that to happen...

Re:This stinks (2, Insightful)

sthibault (607867) | more than 8 years ago | (#14499672)

Can we please, please, keep politics out of this? I would rather discuss the FF issue, than listen to a flame war about politics.

Re:This stinks, Why? (2, Interesting)

LWATCDR (28044) | more than 8 years ago | (#14499728)

I find this so odd. What is wrong if I want to see how many people click a link on my website? I can think of a lot of none evil uses for it. Think of it like P2P why should you eliminate a perfectly useful technology just because it can be abused?

Very useful (5, Interesting)

dada21 (163177) | more than 8 years ago | (#14499447)

This feature is extremely useful for any website that wants to give their users better content by parsing what they're going through. It also lets you figure out who is clicking advertisements (which are usually off site) and even gives you the ability to run a multitude of websites but aggregate all the statistics on one of your machines.

Sure it can be abused -- I don't see why more of these abusive features can't be set up in a whitelist fashion. I'm already shocked that web browsers make it so difficult to white lists sites you feel are safe (or don't mind giving up some information to make your experience better).

That comes to the point of this post -- how about a standard "setup" logo/button committee that helps create a "setup" web profile that sites can use to give the users options on how they want to be configured? We've got some standard buttons already (RSS feed, etc), why not one that users could be familiar with so that they can white list or opt-in to certain additional "anti-privacy" features?

I know many websites (including a few of mine) could use more user information, and I don't see why we can't work to just setting a standard for how to do it.

Not very useful (3, Insightful)

everphilski (877346) | more than 8 years ago | (#14499574)

1. Javascript does it already

2. Now you alienate any user using another browser

3. Mozilla team is pulling an IE (implementing their own extensions... read the blog... "w3c doesn't have to make all the rules" ... if Microsoft said that /. would be up in arms)

Re:Very useful (1)

swilver (617741) | more than 8 years ago | (#14499626)

This feature is extremely useful for any website that wants to give their users better content by parsing what they're going through. It also lets you figure out who is clicking advertisements (which are usually off site) and even gives you the ability to run a multitude of websites but aggregate all the statistics on one of your machines.
The first is trivial, the second is also easy to do without a ping attribute, the third may be a bit trickier, but if all the websites are yours anyway, you can do that easy enough as well.

The trick is to use redirect. For exampe, you click on some random add of which the link points to my server (like this: http://www.myserver.com/adclick.jsp?realurl=www.am azon.com [myserver.com] ). The server will register the click and then tell your browser to redirect to www.amazon.com. The user will not even notice it, and in fact, tons of sites already do it that way.

Re:Very useful (1)

TheRaven64 (641858) | more than 8 years ago | (#14499711)

Even more useful would be if search engines included this. If every link on a Google results page included this then they would know exactly which links people were clicking on when they searched for a particular term. They would also know if people clicked on a link and then went back to the (locally cached) search page and tried something else. This would give them a lot of information for refining searches.

With or without your consent? (1)

digitaldc (879047) | more than 8 years ago | (#14499448)

Does this feature track and retain your surfing habits without your consent? Can you not opt-out of it?

If the answers are yes, I would say it is Spyware.

Re:With or without your consent? (4, Interesting)

ivan256 (17499) | more than 8 years ago | (#14499486)

Does this feature track and retain your surfing habits without your consent?

No.

Can you not opt-out of it?

Disable the feature. Easy.

It's not spyware by your definition. It has the added benefit of giving the user some control instead of being secretly tracked by the server side.

Re:With or without your consent? (4, Insightful)

spectrumCoder (944322) | more than 8 years ago | (#14499636)

Disable the feature. Easy.

This kind of misses the point. If Firefox is to become a mainstream internet browser, it needs to be anti-spyware and usable from a clean install onwards. Making it the ideal browser for the tweakers, where it's at its most usable after multiple options have been changed and several extensions installed, is not going to make it the browser of choice for the general public.

As far as grabbing market share goes, it's the default settings that make the difference.

Extension (4, Interesting)

nes11 (767888) | more than 8 years ago | (#14499449)

This is firefox we're talking about. There will be an extension available within the first day to strip out those attributes. Or even more likely a built-in option to not acknowledge them.

Privacy VS. Usability (0, Offtopic)

PlayfullyC1ever (944117) | more than 8 years ago | (#14499450)

Honestly, this comes down to an almost Richard Stallman definition of Freedom. We can not have useful utilities such as this, without ignoring the privacy rights issues involved. And now before you question me, remember Stallman is mainly concerned with Freedom, not privacy. The two do happen to overlap, of course, but there's no reason to insult the man for caring, and for being aware of the issues. That's why most of us are here talking about it. Also, what Stallman seems "paranoid" about generally turns out to be the reality of the situation just a few years down the line. The man is a visionary, not a quack. The success of the Free Software movement, Open Source, and Linux, and the attempted corporate dominance of Internet Explorer, Microsoft, and others are all here as evidence of Stallman's deep understanding. Probably best not to deride the guy who's kept your online world sane, huh? ;) Setting that aside and addressing the article itself, I would point out that privacy is always a trade-off with ease of use. Regardless of what the ideal level of privacy is, we do need good privacy, which few of us have achieved. Real security and privacy is hard, and you're far more likely to run into usability issues before you run into overkill issues. So, I think it basically boils down to this: privacy vs. usability

Re:Privacy VS. Usability (1)

PlayfullyC1ever (944117) | more than 8 years ago | (#14499553)

How is such a statement offtopic? This is what it boils down to! Privacy, people that flip out about such "features" and what not. Usability, such features HELP the web, better statistics, more options, everything It is having to give some to get some. You either like it or you don't. Go download lynx and you will have NO spyware, but you will have NO features either. Make your pick slashdotters, Features or Privacy!

How is this different from (2, Insightful)

astyanax (8365) | more than 8 years ago | (#14499458)

How is this different from the web server logging every page and image you load?

Is the concern that the 'ping' comes from your browser and not any proxy server you may be using? In most cases your proxy server is also your NAT server so the 'ping' isn't going to give much of anything about your IP....

Of course this should be disabled by default, I just don't see this as a huge privacy issue.

Re:How is this different from (1)

'nother poster (700681) | more than 8 years ago | (#14499611)

Well, I'm not sure I have my head around exactly how this will work, but if the ping is coming from my machine, it's using my cycles and bandwidth. Now imagine if rather than redirecting through some stats gatherers proxy and finally getting where you wanted to go in the first place with the stat gatherer backending the data out to a couple of hundred advertising clients, now they have your box simply "ping" all of them. Not how it's designed to be used, probably not how it will be used, but I'm sure some computer illiterate entrepreneur will come up with some equally stupid way of misusing the "feature".

Re:How is this different from (1)

Andrewkov (140579) | more than 8 years ago | (#14499757)

The 'ping' will actually be an HTTP request from your browser, not an ICMP packet.

Re:How is this different from (1)

ArsenneLupin (766289) | more than 8 years ago | (#14499680)

How is this different from the web server logging every page and image you load?

Third party logging. Just imagine the privacy implications if half of the links on the web would ping ad.doubleclick.net.

Sure, this could still happen without ping (ad.doubleclick might contractually oblige its partners to share webserver logs), but it would be much more difficult, a higher burden on the webmaster, and thus much less likely to be implemented successfully. Whereas the ping is trivial to implement, even by a webmaster who doesn't know what it does. Pings will surface in all kind of copy-paste code snippets to put on your web site.

Re:How is this different from (1, Interesting)

Anonymous Coward | more than 8 years ago | (#14499716)

We aren't talking about a low-level ping here - the "ping" locations are URLs to which a request will be issued. There's no reason for them to go via any route other than your normal HTTP proxy, if you use one.

From the WHATWG spec [whatwg.org] :

For URIs that are HTTP URIs, the requests must be performed using the POST method (with an empty entity body in the request). User agents must ignore any entity bodies returned in the responses, but must honour the HTTP headers -- in particular, HTTP cookie headers.


It's a literal replacement for the current habit of links passing through a traffic stats site before redirecting you to where you actually wanted to go. It won't waste any more bandwidth, since browsers - according to the spec - MUST ignore any entity that is returned. The only productive thing you can do is log the fact that the ping URL was visited, and drop a cookie on the client - just as with an HTTP redirect.

Re:How is this different from (4, Interesting)

Bogtha (906264) | more than 8 years ago | (#14499731)

How is this different from the web server logging every page and image you load?

It's different because web server logs only record what you ask that server for. Web server logs don't record what you ask other servers for.

This is essentially what the Referer header does, except in reverse. Instead of telling a new server where you have come from, it tells the old server where you are going.

This is already possible with Javascript, and it was possible with CSS too - I'm not sure if it still is, but the technique was basically to suggest a local background image to style :active links - so when the link becomes :active (when it gets clicked on), the browser downloads the background image and you know the link was clicked.

It's great! (3, Insightful)

ivan256 (17499) | more than 8 years ago | (#14499460)

Websites can do all that stuff with a redirect script on the server side and the user has no control or knowledge of who is being notified. If site developers start using the ping tag instead we can selectively disable it with an extension. It gives the user control where before there was none.

Re:It's great! (0)

Anonymous Coward | more than 8 years ago | (#14499690)

It's not a tag, it's an attribute. They are two totally different things. A tag is the syntax marker that indicates the start of an element. An attribute is a value associated with an element.

I wouldn't say that it gives the user control where there was none before; the user has always been free to disable Javascript and check the status bar for redirects. I'd say that it gives the user more fine-grained control.

Re:It's great! (2, Insightful)

kill-1 (36256) | more than 8 years ago | (#14499733)

Huh? How could this be rated +5 Insightful?

Why should site developers use the ping attribute to track users, if there are solutions already that the user can't disable. The ping attribute will simply never catch on and there's not a bit of control users will gain.

Submitter is a melodramatic idiot (5, Informative)

grahams (5366) | more than 8 years ago | (#14499463)

  1. You are talking about a feature just added to a development tree, not something in a released version of Firefox.
  2. This feature can already be disabled (if you happen to be running a development version) using the 'browser.send_pings' preference.
  3. They didn't "quietly enable" a feature, they did it in front of everyone interested. There are plenty of bugs in bugzilla talking about the implementation of this feature. If you are running a development version of Firefox and can't be bothered to keep up with what is going on in the development community, that's your problem.

Check out: https://bugzilla.mozilla.org/show_bug.cgi?id=31936 8 [mozilla.org]

// check prefs to see if pings are enabled
nsCOMPtr<nsIPrefBranch> prefs = do_GetService(NS_PREFSERVICE_CONTRACTID);
if (prefs) {
PRBool allow = PR_TRUE;
prefs->GetBoolPref("browser.send_pings", &allow);
if (!allow)
return;
}

I bet this is a product of cooperation (0, Flamebait)

cwtrex (912286) | more than 8 years ago | (#14499472)

Remember when it was first announced that Google and the Mozilla Foundation would be working together? I bet this "feature" has come from that joint work effort. What a great way to increase advertising data!

Re:I bet this is a product of cooperation (1)

bunratty (545641) | more than 8 years ago | (#14499523)

No, this feature came from the WHATWG, which is largely a joint work effort between Mozilla and Opera.

userContent.css to the rescue (5, Informative)

Matt Perry (793115) | more than 8 years ago | (#14499475)

Add this to your userContent.css file to make links with the ping attribute have a green border when hovered:
a:hover[ping]
{
-moz-outline: 1px solid green;
}

Re:userContent.css to the rescue (1)

stecoop (759508) | more than 8 years ago | (#14499653)

Rather then modifying the userContent.css, I recommend using Greasmonkey and create a new function mouseover(event).

Re:userContent.css to the rescue (0)

Anonymous Coward | more than 8 years ago | (#14499692)

... nice!, there goes my 176 hours of design /P

That's one way to resolve it. (1)

doublem (118724) | more than 8 years ago | (#14499701)

Just add that code to the default and I'd consider the issue resolved.

Unless the web designer can override the setting...

they're watching.... (3, Funny)

to_kallon (778547) | more than 8 years ago | (#14499476)

as i read the summary i became overcome with fear when the updates are available dialogue popped up at the bottom of my screen. coincidence....?

Give me aping. One ping only, please (5, Funny)

hkgroove (791170) | more than 8 years ago | (#14499478)

This will make it easier for Ramius to declare his intention is to defect.

Re:Give me aping. One ping only, please (1)

One Blue Ninja (801126) | more than 8 years ago | (#14499546)

Haha - I just watched The Hunt For Red October this weekend :-)

Re:Give me aping. One ping only, please (1)

LifesABeach (234436) | more than 8 years ago | (#14499760)

Given that this PING would interrupt all servers listening thus causing these same servers to do something; would it be resonable think this as, "One Ping To Rule Them All?"

Be fair...it's easy (-1, Troll)

Anonymous Coward | more than 8 years ago | (#14499480)

If this were an IE "feature" everyone on /. would be going crazy about all sorts of Ballmer or Gates conspiracies. You know it's true!

Amen (1)

greenmars (685118) | more than 8 years ago | (#14499565)

Good grief, that's the first thing I thought of when I read this article. I guess I've been reading Slashdot for too long.

Redirects (1)

Billosaur (927319) | more than 8 years ago | (#14499496)

I've used redirects a lot and if properly set up, the transfer time between the redirect and the page the user wants is minimal. If you want a redirect to a lot of complicated things or collect a lot of data, of course it's going to be slow. The idea is to keep it simple. As long as this is something I'm not forced to use, I'm fine with it, though I can see the bitching down the road when someone finds a novel way to abuse it.

What's the difference ... (1, Insightful)

Basje (26968) | more than 8 years ago | (#14499497)

compared to before? It's not as if this functionality isn't already employed through other ways (javascript or redirects on the serverside). Now, it's just a little bit easier.

Of course you can disable javascript, but most people don't. People who do so, can also turn off this ping functionality. I'm sure an extension will allow to do this the easy way (NoScript notably).

Don't force things down my throat (1)

JochenBedersdorfer (945289) | more than 8 years ago | (#14499498)

At least if I'm not telling you to do so ;)

The default for this option must be OFF in any case. Is the firefox team really prepared to be associated with the same business practices Microsoft and -the new kid on the bloack- Apple is showing?`

Re:Don't force things down my throat (1)

Lehk228 (705449) | more than 8 years ago | (#14499687)

i don't think you understand, this new tool allows any large web community to weaponize their firefox users at the drop of a hat. if, for example microsoft succeeded in getting linux banned slashdot could retaliate by adding a ping list so every link someone clicks on slashdot would ping every known microsoft server.

How is this an issue? (4, Insightful)

Idimmu Xul (204345) | more than 8 years ago | (#14499499)

A lot of websites use redirect pages to get this exact same information, and off the top of my head I imagine it is pretty simple to notify multiple urls of where you are going using some tricky javascript and even cookies and referrers can be used across sites to track visitors. This is just making a very common, and needlessly complex, mechanism infinitely simpler for the web developer.

This can't be a good idea... (1)

IvanGirderboot (925273) | more than 8 years ago | (#14499500)

I doubt it's usefulness outweighs the huge downside to basicly allow any 6-yr old to track your every move. Just my .02 // And you people say IE has security problems... /// Waits for flame to start

Re:This can't be a good idea... (1)

Lussarn (105276) | more than 8 years ago | (#14499589)

If it's so easy to track my every move. Can you show me a log of what sites I've been to today? I make it easy for you, you can start the trace now and give me the log tommorow.

Or are you just talking out of your ass?

It's a C-O-N-spiracy (4, Insightful)

blazerw11 (68928) | more than 8 years ago | (#14499511)

So, I don't mean to go all "Senstionalist Title" on your ass, but the post links to a mozilla blog explaining how they've added this feature to the TRUNK. Announcing a new feature in a blog is not quite a press release, but it's a hell of lot more forthcoming that what "quietly added" implies. Also, it's been added to the Trunk, so it's not likely to actually show up in any Mozilla build for a while, much longer, if ever, in a release. This is really the way to add something like this. Put it in to see where and how it will be used and whether that's good or bad.

Re:It's a C-O-N-spiracy (0)

Andrewkov (140579) | more than 8 years ago | (#14499729)

Yeah, but your description is boring, I wouldn't have read the article if that's what the Slashdot summary had said! ;-) Fear mongering works well for Television news too.

Easily dealt with... (1)

jginspace (678908) | more than 8 years ago | (#14499515)

1) Don't use firefox
2) Write an extension. Similar to the one that lets you know if the target is a PDF file or opens a new window or whatever...

Bad Javascript Coding DoS Attack (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14499525)

One badly formed loop and a page request with pings could mean one hell of a DoS attack.

Sounds like Microsoft all over (1, Redundant)

Dikeman (620856) | more than 8 years ago | (#14499541)

Isn't this just like Microsoft back in the days. Making their browser compliant to their own 'standard' HTML specification in stead of the W3C specification?

It's smelly if you ask me. If you have this marvelous new innovation for HTML, why not propose a new specification at W3C?

I hate to say it... (2, Insightful)

HellYeahAutomaton (815542) | more than 8 years ago | (#14499570)

.. but this is one of the cases where the Open Source model works well. Any truly paranoid geek out there can pull down the source tree and watch all of the changes to any of the crap the FF developers decide to throw in. They can then apply their own patches-of-paranoia and remove untrusted suspect code, build it and run it behind however many firewalls and proxies they have set up.

And the upside... (1)

jginspace (678908) | more than 8 years ago | (#14499577)

I'm going to implement this on some pages. It would be dead interesting just to see who's got this enabled...

Not literally a ping... (2, Insightful)

nganju (821034) | more than 8 years ago | (#14499587)


My first thought was "How can you track clicks with a ping?". After RTFA, it's not literally a ping to some server, it's a request to a URI, most probably an HTTP request that will contain request parameters indicating what link was clicked.

Second of all, this is not any more of a privacy intrusion than previously existed. It was always possible to track clicks within a single website via cookies, and clicks on external links (i.e. banner ads) by using a redirect first. If the author of the website wants to track what you're doing, he's already got the means, and he's had them for years.

can't you just take it out? (1)

edmicman (830206) | more than 8 years ago | (#14499590)

ummmmm, since it's open source, can't you just take that part out and recompile it? granted you have the expertise, anyway....

Don't worry yet (5, Interesting)

courtarro (786894) | more than 8 years ago | (#14499595)

"Quietly" refers to Mozilla's inclusion of this feature in the nightly trunk versions, not the official version available for download. That's hardly cause for concern. I'll bet most of the features added to nightlies are "quiet", so that's just a bit of fear mongering. It's a development version! I personally don't like the idea of pings that much, but I'm willing to bet it will have a UI to allow disabling when it's released to the masses. According to the bug request to implement it [mozilla.org] :

We should try and do an experimental implementation of , to see if there are any unexpected real-world problems.

That's what nightlies are for! We now see that it's a controversial tag (and they're probably already well-aware), so they're giving it a shot. Would you rather them just say "no, we don't like that potential standard [whatwg.org] , so we're not going to try implementing it"?

No (0)

Anonymous Coward | more than 8 years ago | (#14499597)

Firefox? Spyware? If it'd be true, it'd show that even open source can be pleagued with spyware and privacy concern.

I hope this is not a true story.

Mmm, okay, is this bad? (2, Interesting)

SmallFurryCreature (593017) | more than 8 years ago | (#14499598)

I click a link in a slashdot article to an external site and slashdot is notified about this. Mmm, okay. I can see that it might be considered usefull for deteriming how people use their website.

It could enable a user comments vs people who actuall RTFA statistic. Knowing slashdot it would crash on a divide by zero error offcourse.

But wait a minute, a infinite number of pings? So the story submitter himself can also add his pings? Knowing the quality of slashdot editors (HA!) any story submitter would know who read what links in his article. Do I want him to know?

Imagine that someone puts a goatse.cx link on a forum. You don't of course admit that you been tricked but the next post is a record of all the pings the link submitter received proving that all of slashdot wanks to the goatse man.

The abuse of this feature is clear and the benefits? If slashdot really cared to know wich external links are followed or not then that is their business isn't it?

Do I really want websites to know wich external links I follow? I think this is a solution looking for a problem and in the few cases where a website needs to know the users need for privacy is superior.

Bad mozilla. This is something I would have expected of MS or the old Netscape. Now go sit in a corner and don't come out until you stop adding crap features that tattle on me without informing me.

If it can't be disabled then I'm off (3, Informative)

BestNicksRTaken (582194) | more than 8 years ago | (#14499599)

If this can't be disabled (in preferences, about:config, or easily in the source, or via some extension/Greasemonkey script) then I'm sticking with the current 1.5 build, or possibly off to Opera or Epiphany.

Jesus if this was put into MSIE then people would be writing to their MP/senator by now!

I cannot think of any good use for this.

People who run servers do not need that specific kind of stats, their server logs should be good enough. Only marketing (aka spyware) types would want this kind of info.

As I understand it... (1, Funny)

Oy Vey (859593) | more than 8 years ago | (#14499604)

This single attribute will notify "a list of servers to notify when you click on a link".

Is this the one rule to ping them all?

Facts of the matter (5, Insightful)

Panaflex (13191) | more than 8 years ago | (#14499612)

One, this is in the trunk builds - NOT the released versions.

From a technical POV it's actually nicely thought out, as it separates logically the intended action and the "log."

I'm sure that Google, Yahoo, and others are BEGGING for this. I've worked in Design and Dev at two of the biggest travel sites - it's a huge problem tracking clicks. If we could remove our tracking javascript then users would get a MUCH snappier web site.

But we can't because our advertisers specify that we must have third party click/view audits that "verify" our intended audience numbers.

On the one hand, I know (having designed and built some of the auditing and log analysis systems) that we're tracking every click on our sites. We do use cookies. And the tag would bring it all out in the open instead of buried 3 layers deep in javascript.

But from an individual POV, it's like acknowledging that they really ARE watching me. And I am now consenting to that.

Solution: In my mind, the big(and little) sites could offer users the "option" of using the ping tag for a nicer user experience. It would be disabled by default, and a web site would have to specifically request and get permission from the user before the browser would "unlock"

Just me $0.02

Imagine if Microsoft had Done This (0)

Anonymous Coward | more than 8 years ago | (#14499614)

This article will probably illuminate some of the hypocrisy we see daily on Slashdot (and of course this will get suppressed by the censors).

When Microsoft adds a "feature" it is termed "proprietary", "violating".
When those features are privacy or security risks, the abuse is not fit to display where young eyes may see it.

When a favored non-Microsoft projecr adds a "feature" it is praised as
"innovation".
When those features are privacy or security risks, we see "you can always change it yourself, it's open source".

Who asked for this? (1, Insightful)

Anonymous Coward | more than 8 years ago | (#14499618)

Come on. Who asked for this 'feature'? I don't see the purpose of it. THe article states that is is for "enable link tracking mechanisms commonly employed on the web". That sounds to me that a marketing lobbying firm has leverage its influence somewho.

It will be abused really soon in my opinion. Right now the site you're browsing can track you. Tomorrow, your clicks will be broadcasted (clickcasted) to all ads firms live. Gr8t!

Will sites really use this? (4, Insightful)

Shimmer (3036) | more than 8 years ago | (#14499628)

Assuming that IE implements the same feature, will sites use this? If clients can turn it off, I suspect that web sites won't trust it. This is something that is most accurately done on the server, and I think that's where it will stay.

tips? (1)

lseltzer (311306) | more than 8 years ago | (#14499654)

The whatwg page says that "When the ping attribute is present, user agents should clearly indicate to the user that following the hyperlink will also cause secondary requests to be sent in the background, possibly including listing the actual target URIs."

To me this means that the status bar or some other indicator should show the fact of the ping when you hover over the link. Does Forefox do this? I'm not running a "trunk" build.

Use Firefox as a workaround (2, Informative)

joel2600 (540251) | more than 8 years ago | (#14499673)

It would be just as easy to defeat this technology (if you did not want it), by using it against itself.

Any developer with a small amount of time on their hands can easily develop a firefox extension or greasemonkey script that will take all of the ping tags out of the page that is rendered to the user.

"Problem" solved.

FUD (1, Informative)

Anonymous Coward | more than 8 years ago | (#14499700)

When you contact a server, it can do whatever it wants with the details of the transaction, including sending information about it to any number of 3rd party servers. All this ping tag does is offload some of that to the client. I could see how this could be used to set up a DDOS, but implying that it's a privacy risk sounds like BS/FUD to me. Kind of like cookies: They don't track anything that the server couldn't track server side if it wanted to, in which case you wouldn't be able to erase the records, which puts cookies one up imo.

So how long.... (0, Redundant)

Iphtashu Fitz (263795) | more than 8 years ago | (#14499705)

Until somebody writes a plugin to Mozilla to disable this "feature"?

Heh (1)

Schraegstrichpunkt (931443) | more than 8 years ago | (#14499715)

We are the Pages Who Say... 'Ping!'.

No! Not the Pages Who Say 'Ping!'

The same!

...

Ping! Ping! Ping! Ping! Ping!

Ow! Ow! Ow! Oww!

We shall say 'ping' again to you if you do not appease us.

Well, what is it you want?

We want... a shrubbery!

HTTP REFERER considered harmful (0)

Anonymous Coward | more than 8 years ago | (#14499726)

Get a grip, people; are you going to loby to have HTTP REFERER [sic] removed from the HTTP spec?

Shit-Storm A-Coming? (1)

Saeed al-Sahaf (665390) | more than 8 years ago | (#14499755)

There will probably be a shit-storm over this. It sounds usful, though. Too bad it will be abused.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?