Causing there to be just a blank page. I changed the privacy badger setting from "block" to "just block cookies" and it started to work. After the site loaded and I logged in, I see that it is also blocking avatars.discourse.org. Browsing to the root of those domains
provides zero info. Googling discourse.org tracking shows
someone else had the same issue, but nothing else. This should
be fixed. Let's Encrypt should not have a 3rd party company
tracking people or using techniques which could track and EFF
recommends blocking.
I'm using debian firefox 46.0.1-1+b1. I don't know what
version of privacy badger, but the addons page says
last updated 4/21/2016, and no updates were found when I check.
cdn-business.discourse.org has the correct DNT policy that Privacy Badger looks for on domains that should never be blocked. In addition, the entire forum is hosted by Discourse so they can see everything anyway.
But it is, and I doubt it's a bug in privacy badger. Googling discourse.org tracker shows at least 1 other person hit the same issue for another site with cdn-business.discourse.org.
In addition the entire forum is hosted by Discourse so they can see everything anyway.
Sounds like people who say "I'm not serving sensitive content, so why enable https?" This site deserves better than that.
Not in any way. Discourse hosts this support forum. It's not hosted by Let's Encrypt.
My browser says: community.letsencrypt.org. It has the Let's Encrypt logo, people get here from letsencrypt.org. Let's Encrypt may have outsourced some technical responsibilities of the site, but they are still responsible for it. If discourse.org got hacked and the page was filled with malicious content, Let's Encrypt would fix it quickly, be it by changing the dns record or some other means. Just as I said before: this site deserves better, and these are lame excuses.
They can do that either way. Whether that content is moved onto a letsencrypt.org subdomain or not doesn't change anything. If Discourse gets hacked and DNS records would be changed, the forum would be unavailable either way.
Discourse is a forum software that keeps a user logged in from one website to another, which is not really "tracking", but will show up as tracking to some paranoid apps.
I'm not familiar with privacy badger, but if it outright blocks a webpage from loading for something like the above, then that is not an app I'd ever use. There are ways to protect your privacy without nanny-bot software interfering with your legitimate activities.
This issue has already been brought up on the Discourse Meta forum. The problem seems to be that CloudFlare is sending out tracking cookies on its CDN which are, "necessary for security".
I'm not an expert on cookie tracking, but my point was you might get better mileage from something like "Disconnect" which is a tracker-blocking addon that doesn't interfere with your ability to load pages.
That's rather interesting, because I use Privacy Badger myself (on Debian Chromium), with no special settings for discourse.org-related domains, and it's not throwing up any warnings for me.
After the last time PB called shenanigans on avatars.discourse.org (legitimately), we (Discourse) fixed it, and switched CDNs because of it (for shame, Cloudflare... for shaaaaaame).
It would help to diagnose what's going on if you could give me the names (just the names, don't need contents) of all cookies that are being sent by cdn-business.discourse.org and avatars.discourse.org. That'll help me to know where the cookies are coming from. If you can include one or more URLs you're requesting that are giving the cookies, I can more accurately reproduce the problem. For reference, neither the URL for my letter avatar
Privacy Badger is not perfect (it generates lots of false positives). You already have the ability to delete Firefox cookies - with all due respect, use it. It's nigh impossible to provide even a self-hosted forum(1) that actually works without using cookies. The traffic this forum attracts requires the use of a CDN, and CloudFlare needs to use cookies.
What you should be concerned about are, carrying cookies from one site to another, "super-cookies", canvas fingerprinting, and other techniques to uniquely identify a browser (like detecting extensions) - this forum uses none of those.
tl;dr. Lodge a bug report with Privacy Badger; set Firefox to announce "do not track", clear all cookies (2) after visiting a site - you can only be tracked by cookies if you retain them.
Apropos of little (and off the subject) - I can conceive of no rational reason why anyone would be concerned about anyone knowing they visited this forum (note my previous comment about keeping necessary cookies for the session only). Especially when your ISP knows exactly where you visit (as does any monitoring equipment they have no control over/knowledge of) and given that the two cookies served expire at the end of the session.
(1) I'm guessing you're not prepared to donate the money for self-hosting this forum.
(2) Tools -> Preferences -> Privacy -> Remove cookies.. -> Remove selected OR Remove all
The two things are mutually exclusive. HTTPS encrypts content - it doesn't have anything to do with site navigation or allowing secure CDN to work. Neither a single-page or cgi driven website, cookie-free, or https extends the reasonable expectation of privacy beyond the domicile (billing difficulties notwithstanding).
Thank you - for expressing your original concern, your consideration of my response/s, and for your reply.
After some thought about your concerns - the only way it's truly possible to visit and view web(-like) content in privacy is through freenet (for reasons too lengthy and tangential to the purpose of this forum Tor is not an option).
Nice catch, @saper, finding that bug. I agree it sounds very similar, and I've added a detailed comment on that issue, so we'll see if there is a bug that can be found.