Privacy Badger blocks this site


#1

"Privacy Badger detected 1 potential trackers on this page.

cdn-business.discourse.org"

Causing there to be just a blank page. I changed the Privacy Badger setting from “block” to “just block cookies” and it started to work. After the site loaded and I logged in, I see that it is also blocking avatars.discourse.org. Browsing to the root of those domains provides zero info. Googling discourse.org tracking shows someone else had the same issue, but nothing else. This should be fixed. Let’s Encrypt should not have a 3rd party company tracking people or using techniques which could track and EFF recommends blocking.

I’m using Debian Firefox 46.0.1-1+b1. I don’t know what version of Privacy Badger, but the addons page says last updated 4/21/2016, and no updates were found when I check.


#2

cdn-business.discourse.org has the correct DNT policy that Privacy Badger looks for on domains that should never be blocked. In addition, the entire forum is hosted by Discourse, so they can see everything anyway.


#3

should never be blocked

But it is, and I doubt it’s a bug in privacy badger. Googling discourse.org tracker shows at least 1 other person hit the same issue for another site with cdn-business.discourse.org.

In addition the entire forum is hosted by Discourse so they can see everything anyway.

Sounds like people who say “I’m not serving sensitive content, so why enable https?” This site deserves better than that.


#4

Not in any way. Discourse hosts this support forum. It’s not hosted by Let’s Encrypt. Let’s Encrypt has set up a CNAME record to discourse.org:

$ dig @8.8.8.8 community.letsencrypt.org

; <<>> DiG 9.9.5-11ubuntu1.3-Ubuntu <<>> @8.8.8.8 community.letsencrypt.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57058
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;community.letsencrypt.org.	IN	A

;; ANSWER SECTION:
community.letsencrypt.org. 6534	IN	CNAME	hosted-vh2.discourse.org.
hosted-vh2.discourse.org. 119	IN	A	64.71.168.201

;; Query time: 36 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jul 16 22:31:39 CEST 2016
;; MSG SIZE  rcvd: 105

#5

Not in any way. Discourse hosts this support forum. It’s not hosted by Let’s Encrypt.

My browser says: community.letsencrypt.org. It has the Let’s Encrypt logo, people get here from letsencrypt.org. Let’s Encrypt may have outsourced some technical responsibilities of the site, but they are still responsible for it. If discourse.org got hacked and the page was filled with malicious content, Let’s Encrypt would fix it quickly, be it by changing the DNS record or some other means. Just as I said before: this site deserves better, and these are lame excuses.


#6

They can do that either way. Whether that content is moved onto a letsencrypt.org subdomain or not doesn’t change anything. If Discourse gets hacked and DNS records would be changed, the forum would be unavailable either way.


#7

@kulenik, I don’t even know what your last message is getting at, but it definitely seems irrelevant.


#8

I’m sure you’ve got the best intentions, but your attitude might not be very constructive for a good discussion…


#9

Discourse is a forum software that keeps a user logged in from one website to another, which is not really ‘tracking’, but will show up as tracking to some paranoid apps.

I’m not familiar with privacy badger, but if it outright blocks a webpage from loading for something like the above, then that is not an app I’d ever use. There are ways to protect your privacy without nanny-bot software interfering with your legitimate activities.


#10

This issue has already been brought up on the Discourse Meta forum. The problem seems to be that CloudFlare is sending out tracking cookies on its CDN which are, “necessary for security”.


#11

How would that work if I only have cookies for “community.letsencrypt.org” which don’t get sent to other domains?


#12

I’m not an expert on cookie tracking, but my point was you might get better mileage from something like ‘Disconnect’ which is a tracker-blocking addon that doesn’t interfere with your ability to load pages.


#13

That’s rather interesting, because I use Privacy Badger myself (on Debian Chromium), with no special settings for discourse.org-related domains, and it’s not throwing up any warnings for me.

After the last time PB called shenanigans on avatars.discourse.org (legitimately), we (Discourse) fixed it, and switched CDNs because of it (for shame, Cloudflare… for shaaaaaame).

It would help to diagnose what’s going on if you could give me the names (just the names, don’t need contents) of all cookies that are being sent by cdn-business.discourse.org and avatars.discourse.org. That’ll help me to know where the cookies are coming from. If you can include one or more URLs you’re requesting that are giving the cookies, I can more accurately reproduce the problem. For reference, neither the URL for my letter avatar

https://avatars.discourse.org/v2/letter/m/a8b319/64.png

nor the first CDN URL on this page

https://cdn.discourse.org/letsencrypt/uploads/default/original/1X/8529b324ee54a8f85c38260975250e39582cfefe.png

give back any cookies.

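The diagnosis mpalmer asks for above (cookie names only, per CDN host), together with the CNAME hop shown in post #4 and the cookie-scoping question in post #11, can be worked through offline. The script below is an added example and is not code from Privacy Badger, Discourse or Let’s Encrypt; the zone data mirrors the dig output in this thread, but the response headers and cookie names are constructed for illustration. The registrable-domain rule is a simplification (last two labels; the real extension uses the Public Suffix List).

```python
"""Offline triage of a Privacy Badger "potential tracker" report.

Added example, not code from Privacy Badger, Discourse or Let's Encrypt.
Given the first-party page host plus the response headers of the
sub-resource requests the page made, it reports per host:
  * whether the host is third-party to the page (different registrable
    domain), the first thing a tracker blocker looks at;
  * the *names* of any cookies the host tries to set (contents dropped,
    which is what was asked for in the thread);
  * whether a given cookie would even be sent to that host under the
    RFC 6265 domain-match rule.
Feed it real headers from `curl -sI <url>` or the browser network panel.
"""
from typing import Dict, List, Tuple


def registrable_domain(host: str) -> str:
    """Simplification: last two DNS labels. Real tools use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_host: str, resource_host: str) -> bool:
    return registrable_domain(page_host) != registrable_domain(resource_host)


def follow_cname(name: str, zone: Dict[str, Tuple[str, str]], limit: int = 8) -> List[str]:
    """Follow CNAME records in `zone` ({name: (rtype, target)}); return the chain."""
    chain = [name]
    for _ in range(limit):
        rtype, target = zone.get(chain[-1], ("", ""))
        if rtype != "CNAME":
            return chain
        chain.append(target)
    raise ValueError("CNAME chain too long")


def cookie_names(headers: List[Tuple[str, str]]) -> List[str]:
    """Cookie names from every Set-Cookie header; values are discarded."""
    names = []
    for field, value in headers:
        if field.lower() == "set-cookie":
            name = value.split(";", 1)[0].split("=", 1)[0].strip()
            if name:
                names.append(name)
    return names


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: the request host equals the cookie domain or is a subdomain of it."""
    h = request_host.lower().rstrip(".")
    d = cookie_domain.lower().lstrip(".").rstrip(".")
    return h == d or h.endswith("." + d)


def triage(page_host: str, responses: Dict[str, List[Tuple[str, str]]]) -> Dict[str, dict]:
    """Per host: third-party status, cookie names, and whether it looks like tracking."""
    report = {}
    for host, headers in responses.items():
        names = cookie_names(headers)
        third = is_third_party(page_host, host)
        report[host] = {
            "third_party": third,
            "cookie_names": names,
            # Only a third-party host that sets cookies counts; first-party
            # session cookies are what a forum needs to log you in.
            "looks_like_tracking": third and bool(names),
        }
    return report


PAGE_HOST = "community.letsencrypt.org"

# Constructed zone data mirroring the dig answer quoted earlier in the thread.
ZONE = {
    "community.letsencrypt.org.": ("CNAME", "hosted-vh2.discourse.org."),
    "hosted-vh2.discourse.org.": ("A", "64.71.168.201"),
}

# Constructed response headers; cookie names are illustrative, not captured.
RESPONSES = {
    "community.letsencrypt.org": [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "auth_token=def456; Path=/; Secure; HttpOnly"),
    ],
    "cdn-business.discourse.org": [
        ("Content-Type", "application/javascript"),
        ("Set-Cookie", "cdn_id=789; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Path=/"),
    ],
    "avatars.discourse.org": [("Content-Type", "image/png")],
}

if __name__ == "__main__":
    print("CNAME chain:", " -> ".join(follow_cname("community.letsencrypt.org.", ZONE)))
    for host, result in triage(PAGE_HOST, RESPONSES).items():
        print(host, result)
    # A cookie scoped to the forum host is never sent to the CDN host:
    print(domain_matches("cdn-business.discourse.org", "community.letsencrypt.org"))
```

With the constructed data, only cdn-business.discourse.org is flagged: it is third-party to the page and sets a cookie, while avatars.discourse.org sets none and the forum host’s cookies are first-party. The last line answers post #11 directly: a cookie whose domain is community.letsencrypt.org does not domain-match cdn-business.discourse.org, so the browser never sends it there.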

#14

Well, most people are on some kind of hosting service, and obviously the hoster does have theoretical access to the data.

Who knows whether the LE HQ has an internet connection nice enough to run a large forum.


#15

Privacy Badger is not perfect (it generates lots of false positives). You already have the ability to delete Firefox cookies - with all due respect, use it. It’s nigh impossible to provide even a self-hosted forum(1) that actually works without using cookies. The traffic this forum attracts requires the use of a CDN, and CloudFlare needs to use cookies.

What you should be concerned about are carrying cookies from one site to another, “super-cookies”, canvas fingerprinting, and other techniques to uniquely identify a browser (like detecting extensions) - this forum uses none of those.

tl;dr. Lodge a bug report with Privacy Badger; set Firefox to announce “do not track”, clear all cookies (2) after visiting a site - you can only be tracked by cookies if you retain them.

Apropos of little (and off the subject) - I can conceive of no rational reason why anyone would be concerned about anyone knowing they visited this forum (note my previous comment about keeping necessary cookies for the session only). Especially when your ISP knows exactly where you visit (as does any monitoring equipment they have no control over/knowledge of) and given that the two cookies served expire at the end of the session.

(1) I’m guessing you’re not prepared to donate the money for self-hosting this forum. :slight_smile:
(2) Tools -> Preferences -> Privacy -> Remove cookies… -> Remove selected OR Remove all


#16

The two things are mutually exclusive. HTTPS encrypts content - it doesn’t have anything to do with site navigation or allowing secure CDN to work. Neither a single-page or cgi driven website, cookie-free, or https extends the reasonable expectation of privacy beyond the domicile (billing difficulties notwithstanding).


#17

Thank you, SFITCS, that was very informative.


#18

Thank you - for expressing your original concern, your consideration of my response/s, and for your reply.

After some thought about your concerns - the only way it’s truly possible to visit and view web(-like) content in privacy is through freenet (for reasons too lengthy and tangential to the purpose of this forum Tor is not an option).

Kind regards


#19

@mpalmer not using Privacy Badger but I don’t see any cookies sent from the CDN. It looks similar to https://github.com/EFForg/privacybadgerfirefox/issues/490

@iankelling can you check if you get any cookies from the CDN requests?


#20

Nice catch, @saper, finding that bug. I agree it sounds very similar, and I’ve added a detailed comment on that issue, so we’ll see if there is a bug that can be found.