[HN Gopher] Prevent Google from mangling search result links whe...
___________________________________________________________________
Prevent Google from mangling search result links when click/copying
on Firefox
Author : calmingsolitude
Score : 346 points
Date : 2021-09-27 16:19 UTC (6 hours ago)
(HTM) web link (gist.github.com)
(TXT) w3m dump (gist.github.com)
| noxer wrote:
| Bookmarklet version
|
| javascript:(function(){window.addEventListener("mousedown",(event)=>{event.stopImmediatePropagation();},true);})()
| carom wrote:
| It is really worth it to switch to DuckDuckGo. You can throw a g!
| at the end of your search if you don't like the results DDG gave
| and it will redirect you to Google. That was the feature that
| gave me the confidence to switch over, it's painless to get
| different results, even on a mobile keyboard.
| DavideNL wrote:
| Or use startpage.com which has Google search results.
| kekebo wrote:
| ( !s via ddg)
| jefftk wrote:
| DuckDuckGo also tracks what links you click on. Try it: when
| you click on a link you'll see an immediate ping to
| https://improving.duckduckgo.com/t/...
|
| (Disclosure: I work for Google, speaking only for myself)
| carom wrote:
| Thanks, I didn't know about this. It's blocked by my ad
| blocker but I just whitelisted it.
|
| I stopped using Hangouts a long time ago because every link
| that was sent was wrapped in a redirect through Google.
| Sometimes that tracking service would be slow and I'd have to
| copy the links manually. Really infuriating.
|
| Anyways, there is a big difference here. If I copy a link
| from Google I get [1] and if I copy a link from DDG I get
| [2].
|
| 1. https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web
| &c...
|
| 2. https://github.com/
| GordonS wrote:
| I don't think most folks would have a problem with Google
| doing it the same way - it makes sense that you'd want to
| know what search results were clicked on.
|
| The problem is Google has implemented the tracking in such a
| way that it's hostile to users, preventing them from copying
| the target link. There are various ways that Google could
| allow copying the link whole also enabling tracking _if it's
| explicitly clicked_, but Google chose an anti-user option
| because it almost guarantees people click the link.
| jefftk wrote:
| _> There are various ways that Google could allow copying
| the link whole also enabling tracking if it's explicitly
| clicked, but Google chose an anti-user option because it
| almost guarantees people click the link._
|
| On browsers that support it (all modern browsers except
| Firefox) it uses <a href=... ping=...> which is exactly
| what you're looking for.
| Trollmann wrote:
| Firefox supports it fine but disables the setting by
| default.
| vorpalhex wrote:
| They are only posting the domain in my tests.
| seanw444 wrote:
| As well as other bangs too. I frequently use !gh to search for
| software repos on GitHub, and !a to search for a product on
| Amazon.
|
| Also, DuckDuckGo has taken keyboard-centric users into account,
| whereas Google has not. I rarely have to touch my mouse when
| searching on DDG. Up and down arrows to select the results,
| enter to go, / to return to the search bar, left and right
| arrows to go between images and maps and whatnot.
|
| I almost use DDG solely for the UX. The added privacy is just a
| very nice bonus.
|
| (Tip: you can also type "figlet ______" and it will give you
| ASCII art for the text you typed. That's neat.)
| cheeze wrote:
| My biggest hangup is that Google is pretty good at making
| suggestions based on my past history. You end up losing that
| doing ddg proxy
| Andrew_nenakhov wrote:
| That might actually be a good thing, to break free from an
| information bubble created to you by Google.
| soraminazuki wrote:
| I find the Safari search bar to be good at this sort of
| thing.
| blahyawnblah wrote:
| Isn't it "!g" or do both work?
| carom wrote:
| Both work! Which is really nice on a mobile keyboard since it
| will do an auto space after the !.
| soraminazuki wrote:
| DDG user here, I'm not even sure most people would need g!
| anymore. I recently came across a Google search results page,
| and was surprised how unrecognizable it has become. Instead of
| giving me a page full of search results, it was presenting me
| with a page full of Google-curated content. At this point,
| Google is basically unusable for me as a search engine.
| JohnFen wrote:
| I think it's been two years since I've used the g!
| avnigo wrote:
| I'm a full time DDG user, but I still use !g sometimes. For
| some reason DDG is not great with discussion boards like any
| forum, stackoverflow, reddit etc., especially if the posts
| are too recent.
| mrweasel wrote:
| Mostly if DDG can't find something, chances are that neither
| can Google. We've also reached a point where the Google
| result pages are now ads the first half page. Fair enough
| that they want/need to make money, but it seems a little
| excessive.
| HelloMcFly wrote:
| I have noticed this, but I have never understood what is
| happening. Still don't, but nice to see a fix.
| ainar-g wrote:
| Tracking is happening. It's the goog after all. As for
| Chromium-based ones, perhaps the goog thinks that it already
| knows enough about them?
| hraedon wrote:
| Chromium browsers support and enable by default the "ping"
| attribute. This helpfully makes link tracking a standard bit
| of functionality, rather than needing ugly workarounds to
| accomplish the same thing.
| dandanua wrote:
| I wrote a simple addon that avoids just that
| https://github.com/dandanua/copy-true-link
|
| The code doesn't prevent event propagation, instead it copies the
| link before propagation happens. I guess this way is more
| reliable. It works on other sites too, like FB.
| beltsazar wrote:
| I have no mangling issue--thanks to uBlock annoyances filter:
| https://github.com/uBlockOrigin/uAssets/blob/02d16a221c276fe...
| cyberpsybin wrote:
| Google is cancer to the web that has metastasized and become
| malignant.
| kvark wrote:
| I wonder about the detail at which W3C specifies the behavior of
| copying a link. Is it outside of the web spec, and thus could be
| non-portable?
| akkartik wrote:
| I find link mangling to be a great test for when a service
| becomes too powerful relative to its users, able to add friction
| to its product that serves no purpose for its users[1]. Google
| started doing this around 2004[2]. Facebook didn't do it until a
| few years ago. Slack and Discord don't do it. Yet.
|
| [1] Example: a search result that's a pdf. How do I share this
| link? If I click on it it downloads to my disk. If I rightclick
| on it I can copy a crappy URL.
|
| [2] http://akkartik.name/firefox.html
| TechBro8615 wrote:
| It's worse with Google, because they add the friction but then
| hide it in their own browser. There's no issue copy/pasting
| links from Chrome.
|
| This is a pattern of behavior. For example, when reading an AMP
| article hosted by google.com, an iPhone will correctly show
| `google.com` in its URL bar. Whereas an Android will
| conveniently rewrite `google.com` to show the URL of the
| article source, falsely implying the browser connected to a
| hostname that it did not.
|
| In any other context, it would be called phishing.
| lgats wrote:
| This works via AMP Signed Exchange
| https://amp.dev/documentation/guides-and-tutorials/optimize-...
| noobgrammer wrote:
| This works via Google blackmailing publishers with the
| threat of SEO downranking without Amp
| einpoklum wrote:
| Hear, hear.
|
| My alma mater switched its mail accounts to Outlook365. Now all
| links in email messages - including text emails - are mangled
| to go through Microsoft's servers. And they're humongous-long
| too!
| mikeiz404 wrote:
| > _...serves no purpose for its users_
|
| It might be that one of the reasons they track link clicking is
| to determine "bounce rate" [0] to infer how useful the result
| is. That is something I would want to know if I were building a
| search engine and wanted to verify ranking accuracy. Though I
| would have thought there would be better ways of tracking this
| than url redirection if JS is enabled.
|
| 0: #5 on https://www.spyfu.com/blog/improve-google-rankings/ (I
| tried to find a more authoritative source but didn't have much
| luck. If someone can find a better one, please share.)
| akkartik wrote:
| Their search results used to be great before they started
| doing this. In fact, they've started to suck more in the past
| 10 years, though probably for unrelated reasons. As the
| Conchords say, "what are your overheads?"
| quotemstr wrote:
| > Their search results used to be great before they started
| doing this
|
| Google is in an arms race with SEO --- one Google is
| gradually losing. Removing relevance signals will make
| search results worse. That Google was able to deliver
| excellent results ten years ago is irrelevant today: the
| environment is different and if they went back to what they
| were doing then, results would be far worse now.
| TeMPOraL wrote:
| > _able to add friction to its product that serves no purpose
| for its users_
|
| A good moment to remind everyone: the goal of the attention
| economy is to make things as _inefficient_ as possible, because
| money is made on the friction.
| munchler wrote:
| How's that? Reducing friction for many sites means that users
| will spend more time browsing on the site. E.g. video auto-
| play on YouTube.
|
| In this case, though, Google doesn't mind frustrating users
| because there is no competitive alternative search engine.
| sciolizer wrote:
| Answer to #1:
|
| In the google search results, click the three vertical dots
| above the link and to the right of the domain. If using mobile,
| you'll need to switch to desktop mode to see the three dots.
| After clicking, an "About this result" pane will pop up to the
| right, probably[1]. In that pane you'll see the true link, and
| you can Right Click > Copy Link.
|
| [1]: On my computer, the "About this result" pane says "BETA",
| so not sure if everyone can use it. It works for me in a
| private window, though.
| BunsanSpace wrote:
| There's already an add-on which does this, and more.
| https://addons.mozilla.org/en-CA/firefox/addon/clearurls/
| mrintegrity wrote:
| Sadly it seems to be unmaintained, or at least
| undermaintained. I was going to open an issue for missing Firefox
| mobile support but issues seem to be going unanswered
| armada651 wrote:
| I actually prefer short userscripts like this over addons,
| because I can immediately see it's not doing anything nefarious
| and I only need to trust the addon that I install the user
| script with.
| 5faulker wrote:
| Same here.
| matheusmoreira wrote:
| > I only need to trust the addon that I install the user
| script with
|
| I wonder why this is even necessary. User scripting should be
| a standard feature of browsers. We should have direct access
| to a complete Javascript environment every time we launch a
| browser. Just like Emacs gives users a Lisp environment.
| rasz wrote:
| it was, in Opera up to 12.xx. You just dropped .js files in
| designated directory and it _always_ ran before executing
| website js.
| sfink wrote:
| You do, it's just in the devtools menu. The missing piece
| is triggering javascript based on the loaded page.
| matheusmoreira wrote:
| Browser devtools are amazing and do have a Javascript
| REPL. Do people use it for scripting though? It's always
| been more of a debugger than a Javascript environment.
| People install node.js for local scripting even though
| it's the same Javascript engine.
|
| It's also not available on mobile.
| smallpipe wrote:
| It's great if you're on an unfamiliar machine and need a
| calculator with loops. It's also great to press all the
| buttons on a website.
| yosamino wrote:
| I recently noticed addons.mozilla.org also tracks links using
| this method. If you scroll down to "Add-on Links" the links to
| "Homepage" and "Support site" go to
| https://outgoing.prod.mozaws.net/v1/8a4c4de845953bc85d10c6465c5c0f11210b5ca1c195b70d7ddfcf8b74592477/https%3A//clearurls.xyz/
|
| and
| https://outgoing.prod.mozaws.net/v1/8a4c4de845953bc85d10c6465c5c0f11210b5ca1c195b70d7ddfcf8b74592477/https%3A//wiki.clearurls.xyz/
|
| respectively, instead of going to the page directly.
|
| Why Mozilla? Why are _you_ tracking us? Of all the pages...
| varenc wrote:
| Google does this so they have click tracking data. But they don't
| need to mangle URLs in Chrome because it supports the `ping`
| attribute on <a> tags [0].
|
| The ping attribute basically adds click tracking as a native
| browser feature so you don't need to do URL redirects. It also
| makes these analytics much easier for the site and mysterious to
| the user. Looks like most vendors besides Firefox support it.
| (They were pretty opposed I recall)
|
| If you're a Chrome user, there's some extensions that disable
| ping requests/link auditing [1]. (EDIT: a commenter noted that
| uBlock Origin already blocks these! So I recommend that over this
| obscure extension)
|
| [0] https://caniuse.com/ping
|
| [1] https://chrome.google.com/webstore/detail/ping-blocker/jkpoc...
| zo1 wrote:
| Not to be facetious but Wow - I'm not sure how we let that
| "feature" slide past the "privacy" folk.
| rodgerd wrote:
| The Google monopoly doesn't give a fuck.
| Santosh83 wrote:
| It didn't slide past. I recall a lot of discussions but those
| discussing and outraging are not the ones implementing and
| pushing forward with sheer momentum of technological
| dominance and money. It's the same for every privacy issue.
| IncRnd wrote:
| This is actually well-known and gets blocked by ublock origin
| and others.
| eps wrote:
| I see no cases when I, as a user, would want my browser to
| support "ping" attribute. It's basically shady as fuck.
| dudus wrote:
| It would allow Google or other companies to track which
| result the user clicked without resorting to more complex
| JavaScript tracking or redirects.
|
| I bet anyone would prefer the ping method rather than the
| redirects we see on Firefox that mangle copied urls.
|
| You seem to be of the opinion that no tracking would be
| better. And that's fine and a popular opinion around here.
| But that's not an option as Google relies heavily on the
| clicks as an input for ranking.
|
| So in a context where you consider tracking HAS to happen
| ping does offer advantages for the user.
| amelius wrote:
| Is this turned on by default in Chromium too?
| NelsonMinar wrote:
| Note the caniuse link says "While still in the WHATWG
| specification, this feature was removed from the W3C HTML5
| specification in 2010." Another reason I prefer Firefox. Why
| implement a rejected non-standard feature whose primary purpose
| is to enable surveillance?
| judge2020 wrote:
| > whose primary purpose is to enable surveillance
|
| Google search is good because it tracks what links people
| click and knows when they come back to go to a different url
| on the page. if 99% of people visit the top result for a
| query, return, then hit the second one, chances are that the
| top result never answers what the search query asks.
| noisem4ker wrote:
| People here may not like to read "Google" and "good"
| together, but yours is a description of how things actually
| work.
|
| Of all the tracking Google does, this is by far the most
| justified, and least concerning to me. I'd rather log out
| and search anonymously, if my concern was being put in a
| bubble, rather than block this kind of feedback for search
| result quality. Then, again, I primarily use DuckDuckGo and
| I wonder if they do anything similar.
| inetknght wrote:
| > _Google search is good because_
|
| Google search might have been good over a decade ago but
| today it's trash.
| dragonwriter wrote:
| > Google search might have been good over a decade ago
| but today it's trash.
|
| IME, it's still consistently far and away better than the
| alternatives. Part of the difference in perception of
| quality may be that over time it has come to use more
| personal signals to zero in on relevant results, and the
| people that complain about how bad it is overlap
| considerably with those who actively seek to deny those
| signals to Google.
| spinningslate wrote:
| good point, that seems plausible. It's an unenviable
| choice though: good results from incessant surveillance
| (and nasty link re-writing per topic), or poor results if
| you use it infrequently.
|
| [I wouldn't know. I've been using DDG for so long now, I
| can't remember the last time I used Google search. Maybe
| I've forgotten how much better G is. Truth is, though,
| DDG does what I need of it. Rarely come away without the
| answer I want. So no temptation to use Google. At. All.]
| marcosdumay wrote:
| I still have the habit of adding !g into my queries when
| the results are bad.
|
| It has been years since the last time I remember
| Google actually giving me better results than DDG (except
| when I only want product sellers, in this case it has
| been around a year).
|
| Yes, maybe if I let Google see even more of my life, they
| would be able to get me better results. But they have
| access to much more than I'm comfortable with already,
| and the results aren't there.
| ShroudedNight wrote:
| > over time it has come to use more personal signals to
| zero in on relevant results
|
| I am specifically disinterested in existing within an
| echo chamber.
|
| When I search for a topic, I am looking for information
| that is most faithful to objective reality. A detailed
| explanation of the limits of our current understanding,
| or why my understanding / model is inadequate is orders
| of magnitude more valuable to me than something that will
| affirm that I am a smart, special person. Google used to
| be exceptionally capable of delivering those kinds of
| results, even if it took some work refining search terms.
| Over the preceding decade, their effectiveness in this
| regard has significantly diminished.
| Ajedi32 wrote:
| Seems like it's not meant to _enable_ tracking so much as to
| improve its performance and UX, as the article demonstrates.
| (Google tracks clicks from Firefox users just fine without
| ping, it just does it in a more annoying way.)
|
| Also probably worth noting that the W3C doesn't maintain an
| HTML standard anymore[1]; the WHATWG standard is the
| definitive one.
|
| [1]: https://www.w3.org/html/
| dragonwriter wrote:
| > Why implement a rejected non-standard feature whose primary
| purpose is to enable surveillance?
|
| Something that's in the spec that matters (WHATWG) but not
| the one that desperately pretends to still have relevance for
| HTML though it hasn't since it tried to push XHTML 2 (W3C)
| isn't "rejected" or "nonstandard" in any meaningful sense.
| userbinator wrote:
| WHATWG, also known as We Have Aligned Totally With
| Google...
|
| The company that has an effectively complete control over
| the "standard" and churns it frequently to discourage
| competition...
| munk-a wrote:
| How that came to be is an interesting study in company
| PR. MSFT arguably should've had a much more prominent
| advisory position in WHATWG than Google but WHATWG ended
| up solidifying in a large part to counter act all the
| non-standard behavior folks experienced trying to develop
| cross browser pages in the days when mentioning ie6 would
| cause a terrified silence to fall on any web dev
| department.
| tailspin2019 wrote:
| Wow, I had no idea about this.
|
| At least with the mangled link approach it's easier to tell
| that tracking is going on, but that ping attribute seems
| extraordinarily sneaky to me. I get that it enables "clean"
| links but the opaque tracking is way worse in my eyes.
|
| Sigh.
|
| Edit: when I think about it, I guess it's not that dissimilar
| to what you can do with JS based tracking anyway, so perhaps
| it's not really any worse than what already exists. But it
| still feels wrong for some reason.
| hvdijk wrote:
| Firefox has a browser.send_pings setting to control this, not
| sending any pings when it is set to false. This is explicitly a
| valid browser implementation of the ping attribute:
|
| https://html.spec.whatwg.org/multipage/links.html#hyperlink-...
|
| > 2. Optionally, return. (For example, the user agent might
| wish to ignore any or all ping URLs in accordance with the
| user's expressed preferences.)
|
| The problem isn't that Firefox doesn't support the ping
| attribute, the problem is that Google fails to respect user
| requests not to track.
| metalliqaz wrote:
| Exactly. That's why I solved this problem by using DDG.
|
| Although I admit some searches I have to send to Google to
| get the result I'm looking for.
| zuhsetaqi wrote:
| Same for me, but all google searches are done by DDG bangs
| like 'g!'
| metalliqaz wrote:
| Yeah, me too. Love the bang system. Don't forget to put
| the exclamation point in front! "!g"
| greenyoda wrote:
| > Don't forget to put the exclamation point in front!
| "!g"
|
| At least some of the bang keywords work with the "!" on
| either side. I tried "g!" and "w!" and they work OK.
| Dah00n wrote:
| Seems to me the old Emacs (or vi) saying has changed. Today
| it is "How do you know someone uses DDG? He'll tell you!"
| Ajedi32 wrote:
| Seems like it's set to false by default. So it's not really a
| "user request" not to track so much as a "browser request"
| not to. Reminds me of the situation with the "Do Not Track"
| header where browsers sending it by default caused the signal
| to lose all meaning.
| edoceo wrote:
| No tracking by default means it's Opt-In - as it should be.
| mcherm wrote:
| Arguably, the user requested it by intentionally choosing
| to use a browser with that default behavior.
| JohnFen wrote:
| That wasn't what caused DNT to fail. What caused it to fail
| was that websites could decide whether or not to honor it,
| and honoring it would have meant a reduced ability to spy
| on people, impacting their income.
| Ajedi32 wrote:
| That was part of it. Obviously if sites had no choice in
| the matter then it wouldn't have mattered whether
| browsers enabled it by default or not.
|
| Since it _was_ a voluntary thing though, browsers sending
| it by default pretty much destroyed what chance there was
| of mainstream sites deciding to implement support for it.
| It's one thing to give up on tracking a small portion of
| users who explicitly opt-out, and another thing entirely
| to give up on tracking _everyone_ except for a tiny
| minority who choose to opt-in.
| metalliqaz wrote:
| It's reasonable to assume that users choose a more privacy
| focused browser intentionally, meaning that "default"
| setting is intended by the user and not a decision that's
| made for them without their knowledge.
| themacguffinman wrote:
| No, I don't think it's reasonable to assume that when the
| browser that broke DNT was INTERNET EXPLORER. Internet
| Explorer is perhaps the most notoriously unchosen browser
| to ever exist.
| 8note wrote:
| If browsers weren't sending it by default, it wouldn't
| have any support because nobody saw enough traffic with
| it to implement it.
|
| The design is the problem since websites who don't feel
| like it don't have to honor it. Whether it's because
| it'll bankrupt them by everyone setting it, or not
| bothering with supporting their unprofitable users.
| superjan wrote:
| Well, in the relation between user and browser vendor it is
| quite a reasonable default. I can always change my mind if
| I want to give up my privacy.
| varenc wrote:
| I noticed this part of the spec too:
|
| > When the `ping` attribute is present, user agents should
| clearly indicate to the user that following the hyperlink
| will also cause secondary requests to be sent in the
| background, possibly including listing the actual target
| URLs.
|
| > For example, a visual user agent could include the
| hostnames of the target ping URLs along with the hyperlink's
| actual URL in a status bar or tooltip.
|
| Does any browser supporting pings actually do that??
|
| Also the "Note" in that section provides a decent argument
| for supporting `ping`. Basically, users will have their
| clicks tracked anyway, but the `ping` attribute provides more
| transparency and a better user experience. Though the
| transparency part is debatable given browser implementations.
| kevin_thibedeau wrote:
| Third party links won't be "tracked anyway" if you're
| blocking JS. That's the only reason to have this feature
| since a site can track activity from its own links via
| logs.
| matheusmoreira wrote:
| The ping attribute is blocked by uBlock Origin. It's called
| hyperlink auditing in the dashboard.
| hosteur wrote:
| I don't want my clicks to be tracked!
| dimitrios1 wrote:
| Then call your ISP! They are tracking them, too!
| input_sh wrote:
| Okay? Does that mean my search engine should do that too?
| Two wrongs don't make a right.
| dimitrios1 wrote:
| Sorry, my wording insinuates it's an either or. I meant
| to point out this is a war that needs to be fought on
| multiple fronts, and arguably your ISP has the better
| data (with the worse IT security, to boot)
| vikingerik wrote:
| Even through HTTPS? They'll have the domain and IP address
| and transfer size, but not the URL or contents of the
| traffic. (Unless they managed to MITM a trusted certificate
| somehow.)
| dimitrios1 wrote:
| HTTPS encrypts the host? Thought you had to know where to
| go to open that secure transmission. It's enough for your
| ISP to know you went to "pornhub.com" for example.
| kevin_thibedeau wrote:
| They won't know when you use an alt DNS or DoH.
| greenyoda wrote:
| Your ISP needs to know the IP address of the site to
| route your TCP packets there, and they can easily do a
| reverse DNS lookup[1] on it. So hiding your DNS query
| from them won't prevent them from knowing what site you
| visited.
|
| [1] https://en.wikipedia.org/wiki/Reverse_DNS_lookup
| pritambaral wrote:
| You'll also need ECH, to avoid leaking your TLS
| handshake's SNI.
| sk5t wrote:
| Yeah, despite ESNI and DNS-over-HTTPS it's likely an ISP
| could still effectively track usage of certain large-ish
| sites by IP address alone. Compare against the anonymity
| inherent in accessing s3.amazonaws.com/some-bucket/some-path.
| JohnFen wrote:
| Support for the ping attribute is one of the several reasons
| why I don't use Chrome/Chromium.
| nextos wrote:
| For Firefox, there's a relatively popular extension called
| ClearURLs that sanitizes most URLs to remove tracking,
| including Google's and Amazon's.
| johnmaguire wrote:
| I did notice a bug with this... I had a magic link for
| authentication in Gmail that used a `+` symbol in a URL, e.g.
| `http://example.com/token/abcd123+3cf==` and ClearURLs ended
| up converting the `+` to a `%20` which caused the server to
| fail to find the token.
|
| Otherwise I love ClearURLs.
| aembleton wrote:
| Or you can add
| https://raw.githubusercontent.com/DandelionSprout/adfilt/mas...
| to your uBlock Origin filters
| woodruffw wrote:
| It's also a notable DDoS amplification vector[1].
|
| [1]: https://securityaffairs.co/wordpress/83890/hacking/ddos-
| html...
| Ajedi32 wrote:
| I'm confused as to why ping was used in that situation at
| all, rather than, for example, just a normal POST request.
| judge2020 wrote:
| Doesn't require running javascript, so presumably the
| devices could be more efficient in sending them versus
| XHR/fetch.
| Ajedi32 wrote:
| The article specifically says the offending pages used
| JavaScript to add the ping attribute to the <a> tags, so
| the attack wouldn't have worked against users with JS
| disabled anyway.
| woodruffw wrote:
| My understanding of the actual amplification vector is
| that the JS is just obfuscation on top: they could have
| just as easily deployed static HTML with those
| attributes.
| aembleton wrote:
| It doesn't use Ping on Chrome browsers. For example, this
| is how the a tag looks like on Chromium:
|
| <a href="https://news.ycombinator.com/"
| data-ved="2ahUKEwiIxrz0jKDzAhUWHcAKHQnnArkQFnoECAcQAx"
| ping="/url?sa=t&source=web&rct=j&url=https://news.ycombinator.com/&ved=2ahUKEwiIxrz0jKDzAhUWH...">
|
| and this is how it looks like in Firefox:
|
| <a href="https://news.ycombinator.com/"
| data-ved="2ahUKEwj9i67MjKDzAhXUfMAKHWJcCYsQFnoECA0QAx"
| onmousedown="return rwt(this,'','','','','AOvVaw3F-2xUE22tTvOxNDwVufx-','','2ahUKEwj9i67MjKDzAhXUfMAKHWJcCYsQFnoECA0QAx','','',event)">
|
| You can see that Chromium based browsers call a ping
| endpoint whereas Firefox browsers use a mousedown event.
| This device detection uses the user agent; changing it on
| Firefox to look like Chrome results in a ping attribute
| instead of mousedown.
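
Added example, not part of any comment in this thread and not Google's, Mozilla's or ClearURLs' code: JavaScript that classifies the two anchor forms quoted above and recovers the real destination from the wrapped links mentioned earlier in the thread. It assumes the Google redirect lives at `/url` on `www.google.com` with the target in `url` (as in the quoted `ping` value) or `q`, and that the Mozilla wrapper is `/v1/<64 hex chars>/<encoded target>`; all function names and sample values are constructed. The raw-query decoding shows one way a literal `+` can be lost when unwrapping, which is an illustration and not a diagnosis of the ClearURLs report above.

```javascript
// Added example. All sample links and attribute values are constructed.
const GOOGLE_HOSTS = new Set(["www.google.com", "google.com"]); // assumption
const MOZ_OUTGOING = "outgoing.prod.mozaws.net"; // host quoted in the thread

// Split a query string without form-decoding, so a literal "+" inside the
// wrapped target stays "+" (URLSearchParams would turn it into a space).
function rawQueryParams(search) {
  const params = new Map();
  for (const pair of search.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    if (!params.has(key)) params.set(key, value); // first occurrence wins
  }
  return params;
}

// Percent-decode, falling back to the raw text on malformed escapes.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Only http(s) targets are accepted; javascript:, data: etc. are rejected.
function isHttpUrl(s) {
  try {
    const u = new URL(s);
    return u.protocol === "http:" || u.protocol === "https:";
  } catch { return false; }
}

// Return the real destination of a wrapped link, or the link unchanged.
function unwrapRedirect(link, base = "https://www.google.com/") {
  let u;
  try { u = new URL(link, base); } catch { return link; }
  let target = null;
  if (GOOGLE_HOSTS.has(u.hostname) && u.pathname === "/url") {
    const q = rawQueryParams(u.search);
    target = safeDecode(q.get("url") || q.get("q") || "");
  } else if (u.hostname === MOZ_OUTGOING) {
    const m = u.pathname.match(/^\/v1\/[0-9a-f]{64}\/(.+)$/);
    if (m) target = safeDecode(m[1]);
  }
  return target && isHttpUrl(target) ? target : link;
}

// Form-style decoding, for contrast only: "+" in the target becomes " ".
function formDecodedTarget(link) {
  return new URL(link).searchParams.get("url");
}

// Classify how an anchor reports clicks, from its attributes alone.
function classifyAnchor(attrs, base = "https://www.google.com/") {
  const href = attrs.href || "";
  const target = unwrapRedirect(href, base);
  if (attrs.ping) {
    // ping holds a space-separated list of URLs that are POSTed on click.
    const pingOrigins = attrs.ping.trim().split(/\s+/).flatMap((p) => {
      try { return [new URL(p, base).origin]; } catch { return []; }
    });
    return { mechanism: "ping", target, pingOrigins };
  }
  if (/\brwt\s*\(/.test(attrs.onmousedown || "")) {
    // The handler swaps href for a redirect when the mouse button goes down.
    return { mechanism: "mousedown-rewrite", target, pingOrigins: [] };
  }
  const mechanism = target !== href ? "redirect-href" : "none";
  return { mechanism, target, pingOrigins: [] };
}

// Constructed samples modelled on the two anchors quoted above.
const CHROMIUM_STYLE = {
  href: "https://news.ycombinator.com/",
  ping: "/url?sa=t&source=web&rct=j&url=https://news.ycombinator.com/&ved=CONSTRUCTED",
};
const FIREFOX_STYLE = {
  href: "https://news.ycombinator.com/",
  onmousedown: "return rwt(this,'','','','','CONSTRUCTED','','CONSTRUCTED','','',event)",
};
const MOZ_SAMPLE =
  "https://" + MOZ_OUTGOING + "/v1/" + "0".repeat(64) + "/https%3A//clearurls.xyz/";
const PLUS_SAMPLE =
  "https://www.google.com/url?sa=t&url=http%3A%2F%2Fexample.com%2Ftoken%2Fabcd123+3cf%3D%3D";

console.log(classifyAnchor(CHROMIUM_STYLE));
console.log(classifyAnchor(FIREFOX_STYLE));
console.log(unwrapRedirect(MOZ_SAMPLE));
console.log(unwrapRedirect(PLUS_SAMPLE), "vs", formDecodedTarget(PLUS_SAMPLE));
```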
| johnchristopher wrote:
| So that's what is going on
| https://news.ycombinator.com/item?id=21427341
|
| I thought I was the only one.
| hagbard_c wrote:
| While this might solve the problem for the Google search engine
| it is but a patch to a bigger problem. Instead of applying this
| patch on each and every device you happen to use it is much more
| effective to refrain from using these search engines directly by
| using a meta-search engine like Searx [1]. This not only solves
| these obnoxious attempts at leaching a bit more data from you, it
| has an even bigger advantage: it shows search results from
| multiple engines, ranked in the way those engines present the
| results to an anonymous user. This often reveals interesting
| patterns by showing just how those who run these search engines
| either promote or demote relevant results for a given search.
| Google clearly prefers to show results from corporate media and
| established actors (e.g. Wikipedia) above those from non-
| affiliated sites, DuckDuckGo gives far more 'organic' results.
|
| [1] https://searx.me
| TechBro8615 wrote:
| Searx is very cool. It would be nice if I could configure my
| browser to rotate through different searx instances rather than
| configuring one as the default search engine.
|
| Btw the list of public nodes is here: https://searx.space/
|
| What is the difference between SearXNG [0] ("next generation,"
| i.e. the one you just linked) vs. SearX [1]? NG claims to be a
| fork, but it's not clear why? The main SearX has recent
| development activity.
|
| [0] https://github.com/searx/searx
|
| [1] https://github.com/searxng/searxng
| hagbard_c wrote:
| > It would be nice if I could configure my browser to rotate
| through different searx instances rather than configuring one
| as the default search engine.
|
| That can be achieved using the Privacy Redirect [1]
| extension, set it to redirect search engine calls and it will
| use a random engine. The list contains more than just
| instances of Searx and can by default not be edited by users
| so you might have to get the source [2] and build a version
| with only those search engines you want to use. It can
| redirect many other corporate entities like Youtube, Twitter,
| Instagram (which does not really seem to work but since I
| never go there anyway I don't really know), Reddit, Maps
| (Google etc) and others. I have it redirect to private
| instances of Invidious (for Youtube), Nitter (for Twitter)
| and LibReddit. I do not use search engine redirect since I
| run a custom Searx instance which doubles as an intranet
| search engine and as such offers more than any public
| instance.
|
| [1] https://addons.mozilla.org/en-US/firefox/addon/privacy-redir...
|
| [2] https://github.com/SimonBrazell/privacy-redirect
| Lammy wrote:
| I used to use "Google/Yandex Search Link Fix" but it died along
| with XUL https://github.com/palant/searchlinkfix
| 5e92cb50239222b wrote:
| Works fine in practice. I've had it installed for years and
| didn't even know it's not being maintained anymore until I saw
| your comment.
| CanisDirus wrote:
| There's also "Don't Track Me Google":
| https://github.com/Rob--W/dont-track-me-google which seems to work
| pretty well, including on Firefox for Android.
| jlpom wrote:
| Twitter also uses a redirect (t.co) and it's very annoying
| tohe wrote:
| Is there any known way to bypass those?
| einpoklum wrote:
| Can't you just prevent most scripts on google.com from running,
| for this mangling not to happen?
| hospadar wrote:
| To add a little color and for clarity:
|
| Some google links (notably shopping links for products) don't
| just point at a google-owned redirect (presumably for ad
| tracking/payment calculation?), they also change the link target
| on click (?!?evil!?!). There are redirect-removal addons which
| re-write the original URL correctly, but the on-click handlers
| mangle the target of the link if the event is not blocked.
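
The redirect-removal step described in the comment above, as an added example (not part of the thread and not the code of any add-on named in it). It assumes the redirect has the form `<host>/url` with the target in a `url` or `q` query parameter; the host list and function names are hypothetical.

```javascript
// Added example: unwrap a search-result redirect link back to its target.
// Assumption: the redirect is <host>/url with the target in "url" or "q".
const REDIRECT_HOSTS = new Set(["www.google.com", "google.com"]); // assumed list

function unwrapRedirect(href) {
  let u;
  try {
    u = new URL(href);
  } catch {
    return href; // relative or malformed: leave untouched
  }
  if (!REDIRECT_HOSTS.has(u.hostname) || u.pathname !== "/url") return href;

  const target = u.searchParams.get("url") || u.searchParams.get("q");
  if (!target) return href;

  // Accept only absolute http(s) targets, so a crafted redirect cannot
  // turn the link into a javascript: or data: URL.
  let t;
  try {
    t = new URL(target);
  } catch {
    return href;
  }
  return t.protocol === "https:" || t.protocol === "http:" ? t.href : href;
}

// Rewrite anything with an href property (DOM anchors in a browser,
// plain objects here). Returns how many links were changed.
function cleanLinks(anchors) {
  let changed = 0;
  for (const a of anchors) {
    const clean = unwrapRedirect(a.href);
    if (clean !== a.href) {
      a.href = clean;
      changed++;
    }
  }
  return changed;
}

// In a page context: clean once, then stop the page's own mousedown
// handlers from re-mangling the href (the same capture-phase listener
// as the bookmarklet posted earlier in the thread).
if (typeof document !== "undefined") {
  cleanLinks(document.querySelectorAll("a[href]"));
  window.addEventListener("mousedown", (e) => e.stopImmediatePropagation(), true);
}
```

Rewriting the `href` alone is not enough when a click handler changes it again, which is why the listener is registered as well.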
| phkahler wrote:
| >> There are redirect-removal addons which re-write the
| original URL correctly, but the on-click handlers mangle the
| target of the link if the event is not blocked.
|
| On-click event handlers should never have been allowed.
| Hijacking the browser UI is never in the user's interest.
| aembleton wrote:
| I was going to upvote you, but unfortunately it required an
| on-click event handler.
| zootboy wrote:
| Except that's not true at all. HN works with javascript
| entirely disabled, and the upvote buttons become actual
| links.
| toss1 wrote:
| Easier way:
|
| Use DDG (or some other search engine)
| fastssd wrote:
| Thank you for this. I thought something was wrong when I tried to
| hover over links, or I was going crazy. This explains a lot.
| a-dub wrote:
| they've been doing this for a very long time. didn't know about
| this ping attribute for anchors though.
|
| i always just assumed it was for improving the index. the more a
| result gets clicked, the more relevant it must be.
|
| it's kind of a zeroth order optimization.
| rasz wrote:
| >the more a result gets clicked, the more relevant it must be
|
| how? the more clickbaity, yes, but how do you judge quality by
| action of the uninformed (clicking before viewing content)?
| a-dub wrote:
| google was originally based on pagerank, which was based on
| the idea that if you analyze the link structure of the web,
| you can assign quality scores to pages based on number of
| inbound links, and then use that quality score to propagate a
| high quality score to other pages that are linked to by pages
| with high quality scores. in other words: find the pages with
| reputations you trust, use their opinions to boost the
| reputations of other pages in the graph.
|
| you could do the same for people. first off, a user looking
| at a search results page isn't uninformed, there's lots of
| signal in the results page for a search query: domain name,
| familiarity/recognition of domain name, abstract text quality
| (grammar/spelling), abstract text, spamminess, etc. for the
| trained eye, that's a good amount of signal, but who has a
| trained eye?
|
| you could, say, have some ground truth rated webpages that
| you have human raters rate in house, and then you could use
| this to score actual users on the website in terms of who
| frequently picks the known best result. now you have a cohort
| of users who you trust in terms of clicking on quality search
| results.
|
| now you just pay attention to what this cohort pays attention
| to and let their clicks materially boost the ranking of
| results.
|
| this is just one oversimplified way, i'm sure they do tons
| of stuff like this (with tons of other stuff to avoid
| abuse/seo/etc).
| senkora wrote:
| Could this also solve the problem on Facebook Messenger? It does
| similar mangling.
| anoncow wrote:
| That would be awesome. It currently filters everything which
| blocks websites sometimes for no good reason! (My websites are
| blocked and FB pays no heed to my requests to unblock them).
| Ironlink wrote:
| I use https://startpage.com/ instead
|
| Good search results, with privacy
| miduil wrote:
| If only startpage hadn't an ad tracking company as an investor
| ShroudedNight wrote:
| I have encountered a number of occasions when the Startpage
| results are frustratingly shallow, but the direct Google
| results are not. It was as though Startpage was not being
| provided a complete set of results.
___________________________________________________________________
(page generated 2021-09-27 23:00 UTC)