Jump to content

Major Browsers to Prevent Disabling of Click Tracking Privacy Risk


Recommended Posts

Newer versions of Chrome, Safari, and Opera will no longer allow you to disable hyperlink auditing, which is a concern for those seeking maximum privacy. While some of these browsers previously allowed you to disable this feature, newer versions are going in the opposite direction.

 

a 9 ea

 

Hyperlink auditing is an HTML standard that can be used to track clicks on web site links. This is done by creating special links that ping back to a specified URL when they are clicked on. These pings are done in the form of a POST request to the specified web page, which can then examine the request headers to see what page the click came from.

 

To create a hyperlink auditing URL, you can simply create a normal hyperlink HTML tag, but also include a ping="" variable as shown below.

 

html example

 

 

ping

Example Ping POST Request

 

 

Ping HTML Link

This will render on the page as a normal link to google.com and if you hover over it, will only show you the destination URL. It does not show you the ping back URL of https://www.bleepingcomputer.com/pong.php, so users will not even realize this is happening unless they examine the sites source code.

 When a user clicks on the above link, the browser will first send a POST request back to the ping URL https://www.bleepingcomputer.com/pong.php as shown below. It will then open the www.google.com page.  This means that every time a user clicks on a hyperlink audited link, the browser will make two requests instead of one.

 

 Scripts that receive the ping POST request, can then parse the headers in order to see what page the ping came from and where the hyperlink audited link was going to. The headers associated with the information sent in the ping request are shown below.

 

  [HTTP_PING_FROM] => https://www.bleepingcomputer.com/ping.html
    [HTTP_PING_TO] => https://www.google.com/
    [CONTENT_TYPE] => text/ping

 

 As you can see, using Hyperlink Auditing developers can track link clicks from any web property that they have access to.

Most browsers wont let you disable in the future

With privacy and online tracking being such a large problem and major concern for many users, you would think that browser developers would give you the option to disable anything that could affect your privacy.

Unfortunately, this seems to be going in the reverse direction when it comes to hyperlink auditing.

 

According to developer Jeff Johnson, Safari enabled hyperlink auditing by default, but allowed you to disable it by using the following hidden preference.

 

 

defaults write com.apple.Safari com.apple.Safari.ContentPageGroupIdentifier.WebKit2HyperlinkAuditingEnabled -bool false

 Johnson has stated that this flag no longer works with Safari 12.1.


"Unfortunately, this no longer works in Safari 12.1. I actually discovered the issue in Safari Technology Preview 72, and I filed a Radar on January 2, 2019 as rdar://problem/47000341," Johnson stated in a blog post. "Despite several months notice from me, Apple shipped Safari 12.1 last week to the public with no way to disable hyperlink auditing. I hope to raise awareness about this issue, with the ultimate goal of getting hyperlink auditing disabled by default in Safari. Apple claims that Safari is supposed to protect your privacy and prevent cross-site tracking, but hyperlink auditing is a wide open door to cross-site tracking that still exists. To end this article, I'll quote the full text of the Radar that I filed:"
 

 

chrome flags

 

 

 

Chrome 73 Hyperlink Auditing Flag


Google Chrome also enables this tracking feature by default, but in the current Chrome 73 version it includes a "Hyperlink auditing" flag that can be used to disable it from the chrome://flags URL.

In the Chrome 74 Beta and Chrome 75 Canary builds, though, this flag has been removed and there is no way to disable hyperlink auditing.

 

chrome 74 beta flag gone

 

Firefox and Brave win the award

Of all the browsers I tested, only Brave and Firefox currently disable it by default and do not appear to have any plans on enabling it in the future.

Firefox 66, Firefox Beta 67, and Firefox Nightly 68 disable Hyperlink auditing by default and allow users to enable it using the browser.send_pings about:config setting.

 

 

 

firefox about config

 

The privacy focused Brave Browser also disables it by default and does not allow you to enable it at all. It does have a display bug in the brave://flags that show that Hyperlink auditing is enabled, but this is a carryover from Chrome and is not displayed correctly.

 Going forward, if privacy is important to you and you want to reduce the risk of being tracked online, then you will need to use Firefox or Brave.

 

Source

 

Edited by steven36
Link to post
Share on other sites
  • Replies 4
  • Created
  • Last Reply

Top Posters In This Topic

  • steven36

    2

  • Karlston

    1

  • mp68terr

    1

  • Ha91

    1

Top Posters In This Topic

Popular Posts

Newer versions of Chrome, Safari, and Opera will no longer allow you to disable hyperlink auditing, which is a concern for those seeking maximum privacy. While some of these browsers previously allowe

It's even worse than they thought  not only   do some websites use it to track you online  some hackers are using to do ddos attacks as well  so that back door is a security problem as well.  

@Ha91   Please use the reputation button to leave 'Thanks'. From the forum Guidelines ...    

1 hour ago, Ha91 said:

I still don't understand as to how a simple ping can affect privacy? @steven36 @straycat19 @DonyMach1

It's even worse than they thought  not only   do some websites use it to track you online  some hackers are using to do ddos attacks as well  so that back door is a security problem as well.

 

 

https://www.nsaneforums.com/topic/341522-hyperlink-auditing-pings-being-used-to-perform-ddos-attacks/

 

 

Edited by steven36
  • Like 2
Link to post
Share on other sites

@Ha91   Please use the reputation button to leave 'Thanks'. From the forum Guidelines ...

 

Quote

Like on most online forums the use of the 'Like / Thanks' button is preferred over simply posting 'Thanks' or something similar.

 

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...