[HN Gopher] Ain't no party like a third party
___________________________________________________________________
Ain't no party like a third party
Author : pmlnr
Score : 90 points
Date : 2021-12-13 12:26 UTC (10 hours ago)
(HTM) web link (adactio.com)
(TXT) w3m dump (adactio.com)
| blackbear_ wrote:
| Wouldn't this make ad blocking much harder for end users?
| david_draco wrote:
| To get this through what you have to do is
|
| a) create a Chrome clone that rejects third-party scripts and has
| other security enhancements by default (do browsers really still
| need http support?). Then, you can say "Your site doesn't work
| with SuperChrome!" and shame until they fix it, to reach also the
| SuperChrome users (hopefully growing in number). SuperChrome
| cannot be a loose set of extensions, it has to be a well-defined
| thing.
|
| b) have other services treat sites preferentially: higher
| throughput, better caching, higher ranking in search results,
| better user retention. I think this can easily be achieved,
| because the load-time will be shorter on such sites, therefore
| users will stay longer, and faster sites are already preferred by
| Google. This is the "AMP route" btw.
| Ntrails wrote:
| > do browsers really still need http support?
|
| There are some legitimate resources I use that are http only
| (eg the Dungeon Crawl Stone Soup wiki). I turned Firefox over
| to auto-error/alert on http, and it bugs me every time I go
| there
| jtbayly wrote:
| Yes. Browsers really should maintain HTTP support. There's no
| reason to require every static site in the world to be
| encrypted in transit. And in particular, there's no reason to
| block off all the _actual_ good websites that are old static
| sites still serving their purpose.
| sneak wrote:
| > _There's no reason to require every static site in the
| world to be encrypted in transit._
|
| Yes, there is. Encryption doesn't just provide privacy, it
| also provides authentication. Being able to tamper with
| downloadable code (i.e. javascript) in transit is a
| nonstarter. Everything needs to be authenticated, and the way
| we authenticate data from a webserver in 2021 is by using
| TLS.
|
| Ban port 80.
| phil294 wrote:
| Here [1] is an interesting article that advocates for not
| blindly enforcing SSL everywhere as it makes deliberate
| mitm caching impossible. Also discussed in 2018 [2]
|
| [1] https://meyerweb.com/eric/thoughts/2018/08/07/securing-
| sites... [2] https://news.ycombinator.com/item?id=17707187
| wayoutthere wrote:
| Stick an SSL proxy in front of them and be done with it. This
| was a solved problem 15 years ago.
| [deleted]
| h2odragon wrote:
| People who have been saying things like this all along don't get
| to say "I told you so," tho, because we gave up on this issue
| years ago, and are currently involved in incessant bitching about
| the _next_ society wide stupidity currently being perpetrated
| that will take decades to fix when the error id finally
| recognized.
| xwolfi wrote:
| Oh crypto you mean ? I resist the call of the incessant
| exchanges and crypto startups stealing all my colleagues, I
| must resist even if they pay double arrrgl
| fevangelou wrote:
| For personal sites? Sure, why not.
|
| For anything commercial though, especially in media publishing,
| this is just insane.
|
| I'm beginning to think the old generation of "celebrity" web devs
| (the ones that became famous in the 2000s - now around in their
| 50s) has really lost touch with the modern web for some time now.
| And this comes from someone who's actually bought all of Jeremy's
| books.
|
| The fact that Google is switching away from third party cookies
| is surely not a matter of "resisting the tide" as Jeremy writes.
| It's actually about more control. Whoever controls the web
| platform (=the browser) can now control the ad landscape [1]. See
| how Google used AMP to promote a supposedly "faster" web (and
| it's now being sued for for preferencial ad placement) [2].
|
| [1] https://www.reuters.com/technology/googles-browser-
| cookies-p...
|
| [2]
| https://www.theregister.com/2021/10/26/google_deliberately_t...
| the__alchemist wrote:
| Your reaction is in line with this speculation about reactions
| from the article: _" On today's modern web it sounds like
| advice from a tinfoil-hat wearing conspiracy nut."_
|
| Your post doesn't address any details from the article; it
| reads like a gut reaction.
| Puts wrote:
| I don't know what industries you've been working in but in any
| sensitive business third-party javascripts are under the same
| tight controls as any other code, and changes in javascripts
| are going through the same change management controls as any
| other code before entering production.
|
| Even Google have had issues with malware being distributed via
| adsense: https://www.businessinsider.com/google-has-shut-down-
| a-malic...
|
| Not to speak of the Megacart hacks:
| https://www.riskiq.com/blog/external-threat-management/magec...
| dec0dedab0de wrote:
| You can't put third party javascript through change
| management. Unless you download and host it yourself, in
| which case it's not really third party.
| Puts wrote:
| Well we can absolutely talk semantics. Code written by a
| third-party is third-party code however it is hosted. Your
| conclusion is right however. If you are serious with your
| security and change management you host all scripts
| yourself. Or use sub-source integrity:
|
| https://developer.mozilla.org/en-
| US/docs/Web/Security/Subres...
| bee_rider wrote:
| He seems to have addressed your point already (I think. "just
| insane" is a little vague, so it is hard to tell what your
| objection is).
|
| > Easier said than done, right? Especially if you're working on
| a site that currently relies on third-party tracking for its
| business model. But that exploitative business model won't
| change unless people like us are willing to engage in a
| campaign of passive resistance.
|
| > I know, I know. If you refuse to add that third-party script,
| your boss will probably say, "Fine, I'll get someone else to do
| it. Also, you're fired."
|
| > This tactic will only work if everyone agrees to do what's
| right. We need to have one another's backs. We need to support
| one another. The way people support one another in the
| workplace is through a union.
| actually_a_dog wrote:
| True though this may be, I don't see unions gaining any real
| mindshare among developers. Whenever the subject comes up,
| you get the standard straw man arguments against unions, and
| that either ends the discussion, or turns it into some
| extended shit show that ultimately goes nowhere.
|
| While you might be able to easily "vote with your feet" in
| this industry, not everybody can afford to stand up for a
| principle like this on penalty of getting fired.
|
| I don't know what the real solution here is. I'd like to see
| unions make gains among software engineers, but there's a lot
| of animosity from people who think they'll be "held back" if
| they have to join a union. I don't see that kind of attitude
| going away anytime soon.
| bee_rider wrote:
| The IEEE code of ethics and the ACM code of ethics both
| have language in them about privacy, so I think those
| software engineers are not living up to the standards of
| their professional societies.
| horsawlarway wrote:
| I spent a good chunk of my career working in software security.
|
| I'm fairly damn well convinced at this point that a _WHOLE LOT_
| of modern security practices are actually technical run-arounds
| on missing legislation.
|
| Modern security practices intentionally silo users into a
| single domain - Usually a large tech firm (Facebook, Google,
| Apple, etc) and then try as DAMN HARD as they can to lock users
| there - all in the name of security, of course.
|
| We can't let the user LEAVE our site! How can we know for sure
| they'll do what we want if they go somewhere else (oh, and also
| - that thing they do that we don't approve of? It might be
| _DANGEROUS_! - think of the children!)
|
| It turns out small sites can make a pretty compelling web
| experience when they can coordinate and work together (links to
| each other, shared preferences, decentralized identity) and
| it's absolutely NOT a mistake that many large orgs are now
| using every technical lever than can to prevent that sort of
| organization.
|
| I see "Security" as filling the same space as union busting
| right now - make it impossible for those smaller than you to
| become threatening by banding together. When you keep them
| divided you can eat them at your leisure.
| actually_a_dog wrote:
| > Modern security practices intentionally silo users into a
| single domain - Usually a large tech firm (Facebook, Google,
| Apple, etc) and then try as DAMN HARD as they can to lock
| users there - all in the name of security, of course.
|
| > We can't let the user LEAVE our site! How can we know for
| sure they'll do what we want if they go somewhere else (oh,
| and also - that thing they do that we don't approve of? It
| might be DANGEROUS! - think of the children!)
|
| I don't think I've ever seen a walled garden justified in the
| name of security. Generally, it seems to be more about
| keeping the user within your ecosystem, so you can capture
| the value of their attention ( _i.e._ show them ads).
| juanani wrote:
| >I don't think I've ever seen a walled garden justified in
| the name of security.
|
| Hmm, have you ever heard of Apple?
| kijin wrote:
| Apple requires all apps to be installed through the App
| Store. Google requires all in-app payments to go through
| Google Play. The obvious reason for these requirements is
| that it's profitable for them. But how do they justify it
| to their users? More convenience? A unified experience? No,
| their most prominent argument is that it's safer that way.
| actually_a_dog wrote:
| Those examples are not applicable. The context of the
| article, and the comment I was quoting from, clearly
| indicate a web environment.
| teddyh wrote:
| Well, you wrote "a walled garden", which could reasonably
| be interpreted as any walled garden in software
| generally.
|
| But if we are charitable and limit ourselves to web site
| "walled gardens", how do YouTube and Facebook, etc.
| justify their "oops, you clicked on an _external link_!
| If might lead _anywhere_! Are you _really, really_ sure
| you want to continue?", if security is not their
| argument?
| actually_a_dog wrote:
| Ads. They want to introduce friction into the process of
| leaving their site so they can keep showing you ads.
| JasonFruit wrote:
| > This tactic will only work if everyone agrees to do what's
| right.
|
| I do not know who said it first, but: "If your solution to some
| problem relies on "If everyone would just..." then you do not
| have a solution. Everyone is not going to just. At no time in the
| history of the universe has everyone just, and they're not going
| to start now."
| ColinHayhurst wrote:
| More companies need to take a stand and not use any third-party
| scripts or third-party cookies. We do that with our search
| engine and it works without Javascript.
| velcrovan wrote:
| I'm not sure whether it's silly or genius for this post to lead
| with "don't load 3rd party scripts" and end with "by the way we
| all need to unionize for this to work kthxbye".
| webmaven wrote:
| Not sure I'd go so far as to call it "genius", but it is
| certainly clever (and possibly effective).
| narag wrote:
| _Browsers are now beginning to block third-party cookies._
|
| I assume that means by default? I remember having that option
| like twenty years ago or something like that.
|
| Edit: Navigator had the option to block 3rd party images.
| Blocking 3rd party cookies might be more recent, but not "now
| beginning" by any means.
| mikestew wrote:
| Without searching for a timeline of Safari development, I
| recall that Safari has had the option to block 3rd-party
| cookies for a number of years. Last year Safari started
| blocking those cookies by default:
|
| https://www.pcmag.com/news/safari-now-blocks-all-third-party...
|
| And now that I look, there is no longer an option in Safari
| Preferences that mentions anything about 3rd-party cookies.
| It's either "all cookies", or "no cookies".
| MarkusWandel wrote:
| I tried the request mapper link, with two URLs.
|
| http://news.ycombinator.com
|
| http://cnn.com
|
| Warning, the second one takes a while. I remember hand-coding
| HTML and "bloat" was a page that took annoyingly long to load on
| dialup. Has it really been worth it?
|
| Coincidentally, last time I used dialup, Hacker News worked just
| fine.
| celestialcheese wrote:
| Google isn't dragging their feet and pushing the timeline for
| their "Privacy Sandbox" update because their ad business will be
| hurt - likely these changes will help them.
|
| It's because EU/UK regulators are blocking this move as anti-
| competitive, and the FLoC/FLEDGE/Whatever cohort targeting gives
| Google essentially a monopoly on targeted ads since they have the
| best look with 1st party data of almost any company (except maybe
| FB).
|
| My prediction - it'll get pushed back another 2 years to 2025
| since the industry can't figure out what to do. There's hundreds
| of billions at stake and Google wins no matter what.
| jakub_g wrote:
| The reason people add third-parties is the same why big companies
| outsource cleaning to a cleaning company: pay someone else to own
| a subproblem of yours. Even the analogy is similar: evil cleaner
| can steal secret documents and wreak havoc in your office.
|
| In media, there are a handful of third-parties that you de facto
| must load, because this is the only way to compare various
| metrics between different websites (number of views etc.); you
| can't rely on companies to self-report the numbers; even if they
| acted in good faith, the small details of how they collect the
| data would lead to discrepancies.
|
| I hate third-parties like everyone else (and especially since I
| used to be a perf engineer and had my hands tied with bloated
| unremovable 3p libs), but they're just not going away.
| Puts wrote:
| Well if you are a somewhat serious company you probably have a
| clean-desk policy, workstations that lock themselves after a
| couple of minutes inactivity and encrypted hard-drives. Also
| there are probably areas where you don't let the cleaner go,
| like that closet with all the switches. And the cleaner has in
| some form been vetted. You see that person a couple of days
| every week and start building a relationship. You can see if
| he/she suddenly shows up drunk every day.
|
| With security and risk it works like this. You can accept some
| risk if you at the same time find solutions to mitigate any
| dire consequences. With third-party javascripts you are giving
| away all control. Now if you are in an nonsensitive business
| maybe it's okay to use some third-party javascripts here and
| there, but is it reasonable to have those on an e-commerce
| checkout for example? Also Subresource Integrity has been
| mentioned a couple of times already here to mitigate the risks
| of third-party javascripts.
| bsder wrote:
| > And the cleaner has in some form been vetted.
|
| Oh, you sweet summer child, I admire your optimistic view of
| life. Please never lose it.
|
| I have this facepalm discussion with people who want to
| "upgrade" our security by moving something into the office.
| "So, you want to trust our cleaning staff who regularly _fail
| to lock_ our front door more than having it in a _locked
| colocation cage with monitoring_? "
|
| Even if the cleaning staff were "vetted" (which they are
| not), humans gonna human.
| breckenedge wrote:
| _> On today's modern web it sounds like advice from a tinfoil-hat
| wearing conspiracy nut._
|
| Has this become common? I've been developing "modern web" SPAs
| for years now and still never load scripts from 3rd parties.
| Maybe I don't understand the meaning of "modern web" in this
| context?
| michaelt wrote:
| A few years ago, it was widespread advice that you _shouldn 't_
| host a copy of jquery on your own server, and instead you
| should include it from cdnjs or jsdelivr in the hopes users
| would have it cached, having needed it on another website.
|
| This advice is now obsolete, because it was realised sharing
| caches between sites was a privacy problem. Evil.com can
| request example.com/logo.png and if it loads instantly, know
| that you've visited example.com before.
| moffkalast wrote:
| Yeah at best that'll break your site when the library has the
| next update, changing random things that nobody asks for. And
| you'll get a swapped malicious file at worst.
| michaelt wrote:
| Well, back when that was common you'd import a numbered
| version, like
| "https://cdn.example.com/js/library-v1.2.3.js" which,
| unless the CDN was evil, would be immutable.
|
| Someone even came up with a standard for "subresource
| integrity" [1] where you could specify a checksum of the
| thing you were importing from a CDN, so it couldn't be
| replaced by an evil CDN. I don't believe it ever achieved
| widespread use.
|
| [1] https://developer.mozilla.org/en-
| US/docs/Web/Security/Subres...
| dexterdog wrote:
| It doesn't need widespread use since you get the benefit
| of using by just using it on your own site.
| hannob wrote:
| 3rd party JS is pretty much unavoidable if your main source of
| income is ads. It's particularly true for almost all media
| pages.
|
| That's of course not the whole web, but it's a huge chunk. If
| you do anything that does not require ad funding, you have a
| much easier time to do without 3rd party JS.
| Supermancho wrote:
| If a site is small enough, it's going to use 3rd party
| sources for convenience. If a site is large enough to have
| it's own cdn, etc it's going to have 3rd party sources for
| ads.
|
| https://almanac.httparchive.org/en/2019/third-parties
|
| It's over 90%
| commandlinefan wrote:
| > still never load scripts from 3rd parties
|
| Hm, maybe you and I are reading this differently, but I read it
| as not using React or Angular or Ember or Vue or jQuery or
| whatever is fashionable until next Tuesday. You don't eschew
| all of those as well do you?
| AndyJames wrote:
| If you want to sell your product/look for investors you need
| analytics. The easiest way is to just slap Google snippet in
| there. If you decide not to do it you're off to self hosted
| analytics solutions which are just not comparable to google.
| Building small sites, blogs, informational sites is pretty easy
| without 3rd party scripts but when you're going into mid size
| ecommerce (by mid size I mean company that have decent
| advertisement and sales research budget) it's getting way
| harder to stay away from 3rd party analytic and marketing
| tools.
| dsign wrote:
| Hmm, I checked some local e-commerces. They have more
| trackers than people actually fulfilling orders, that I don't
| understand.
| AndyJames wrote:
| That's actually skew in another direction. If marketing is
| not generating sales they're generating job for them self
| instead.
| kevincox wrote:
| > If you want to sell your product/look for investors you
| need analytics.
|
| Most meaningful analytics don't need these trackers. They can
| be done server-side with info you already have such as
| orders, logins, active users. If an investor bases their
| decision primarily based on how many users Google Analytics
| reports the probably aren't the most critical.
| scrose wrote:
| > I know, I know. If you refuse to add that third-party script,
| your boss will probably say, "Fine, I'll get someone else to do
| it. Also, you're fired."
|
| I've been on two ends of this during my brief time in media. I
| once worked on a team that had nothing to do with ads, but the
| manager who replaced my original one basically told me I'd be
| overlooked for any promotions because I would not pivot to work
| on adtech. I left pretty soon after.
|
| At a separate company, I made it clear from the start that I
| would not work on ads or tracking of any kind and I had some
| proposals to reduce invasive tracking that were actually heard
| and implemented. Unfortunately, in media, it's a losing battle if
| you approach it from an engineer / IC level. Many partners expect
| you to have all types of scripts to measure engagement, bot
| detection/fraud, etc... and the voice that's heard is the one
| giving the company the most money.
| stickfigure wrote:
| > I left pretty soon after.
|
| This seems pretty win/win? I don't think you and I would be
| compatible either; you sound a bit too moralistic for my
| tastes. That's fine, you are entitled to your opinions and I'm
| entitled to mine.
| Cthulhu_ wrote:
| > I left pretty soon after.
|
| That's it, we work in a pretty privileged market where we can
| more easily vote with our feet, generally speaking.
|
| Of course, we also work in one where wages can end up being
| pretty exorbitant, and where there's plenty of people who are
| morally flexible depending on their own conscience,
| compensation, or whether the ad tech is wrapped in hype-driven
| development.
___________________________________________________________________
(page generated 2021-12-13 23:01 UTC)