DNT header ignore Firefox config

[satanist]

Hi

I have seen that NS enables the DNT Header by default and ignore the config of Fx. There is also only the option in the about:config and no one in the graphical-config. I was suppriesed by this behaviour. Maby you can add this to the FAQ and add an graphical-option to configure this feature.

Satanist
Ps: Realy, you need JS to post in this forum?

[Thrawn]

I have seen that NS enables the DNT Header by default and ignore the config of Fx.

https://hackademix.net/2010/12/28/x-do- ... -noscript/

There is also only the option in the about:config and no one in the graphical-config. I was suppriesed by this behaviour. Maby you can add this to the FAQ and add an graphical-option to configure this feature.

It's somewhere on Giorgio's to-do list. But do you really need it? Most people haven't heard of the header, most of those who have would not want to disable it, and those who really want to disable it can do so. Why clutter the graphical interface?

Ps: Realy, you need JS to post in this forum?

No. You only need it to use the buttons that insert formatting and smileys. If you don't use those - or you're willing to type them out manually instead - then you can block JS.

[satanist]

I have seen that NS enables the DNT Header by default and ignore the config of Fx.

https://hackademix.net/2010/12/28/x-do- ... -noscript/

Do I know the whole Internet?

There is also only the option in the about:config and no one in the graphical-config. I was suppriesed by this behaviour. Maby you can add this to the FAQ and add an graphical-option to configure this feature.

It's somewhere on Giorgio's to-do list. But do you really need it? Most people haven't heard of the header, most of those who have would not want to disable it, and those who really want to disable it can do so. Why clutter the graphical interface?

Because adding a DHT header to HTTP is a not realy something I expect from a tool witch blocks unlinked HTML-Content for me. I have only looked in the graphical-config so i didn't see this option
for some years. If you don't know about an feature you can't turn it of. A feature you can't turn of is always a bug. So most users didn't look in the about:config, so for most users this is a Bug.

Satanist

Ps: Realy, you need JS to post in this forum?

No. You only need it to use the buttons that insert formatting and smileys. If you don't use those - or you're willing to type them out manually instead - then you can block JS.

Maybe if you are registered, but if not you need JS from "forums.informaction.com" and from "www.google.com", for the preview or the submit

[barbaz]

Just to note,

It also implements the DoNotTrack tracking opt-out proposal by default, see https://hackademix.net/2010/12/28/x-do- ... -noscript/.

So it's obvious to anyone installing from AMO that you opt in to installing NoScript, you opt in to DNT unless you say otherwise.

But yeah I also think it's worth having the entire description from AMO somewhere on the homepage or features page on noscript.net, for those who don't find NoScript through AMO.

Do I know the whole Internet?

Poor satanist, I feel sorry for you having all those advertisements and cat videos in your head

A feature you can't turn of is always a bug.

Well, not "always", but I know what you mean, so +1

So most users didn't look in the about:config, so for most users this is a Bug.

But "most users" wouldn't want to turn that feature off...

[Thrawn]

Well, as long as you didn't know about it, you couldn't turn it off, so maybe it was a bug then. But now you know, and can turn it off, so it's not a bug any more. Right?

Seriously, most people who would use NoScript don't want or need to know about this feature. IMO it's not important enough to be added to an already-busy interface.

[satanist]

But "most users" wouldn't want to turn that feature off...

Seriously, most people who would use NoScript don't want or need to know about this feature. IMO it's not important enough to be added to an already-busy interface.

First of all how do you know what "most users" want?

But that's not the point. The point is that you have a feature with has nothing to do with the rest of the software and it's hidden from the user. IMO this feature is in the wrong software and the best way to fix this is remove this feature. If your config interface is "already-busy", maybe you have to much features?

Maybe you can write an other plugin with add some privacy to the HTTP-header and add this feature.

satanist

[barbaz]

First of all how do you know what "most users" want?

I started helping people with NoScript on this forum in late 2013 and have been frequenting this forum quite a lot the whole time since. I'd think that would give me a decent sense of the NoScript community.
You, on the other hand, are clearly way above the level of "most users". Your User-Agent says FreeBSD. I would consider myself a crazy power user, and out of curiosity I tried to set up FreeBSD in a VM for myself - and just could not get it going at all, not even after finding a pre-installed VM to start with. (Off to OpenBSD and NetBSD, both of which I was able to get going - starting from official install iso - without too much effort.)
What makes you think you have a better idea of what "most users" want than us?

The point is that you have a feature with has nothing to do with the rest of the software and it's hidden from the user.

If you actually read that link to Giorgio's blog you would see he is already planning to expose the entire DNT functionality of NoScript in the GUI. I suspect the main reason he hasn't done it yet is just lack of time.

IMO this feature is in the wrong software and the best way to fix this is remove this feature. If your config interface is "already-busy", maybe you have to much features?

I really doubt Giorgio would add a feature to NoScript if he didn't believe it to be really worthwhile somehow, because I would think 1) he wouldn't want NoScript to have a reputation for being bloatware and 2) having such a long TODO list as he does, he wouldn't want to maintain more than absolutely necessary.

Maybe you can write an other plugin with add some privacy to the HTTP-header and add this feature.

If Giorgio is already too busy to do everything he wants to do with NoScript where is he going to find the time to write and maintain yet another addon?

[satanist]

What makes you think you have a better idea of what "most users" want than us?

I don't know what most users want, also I have never said that. For my argumentation this is not impotent. I argue with the behaviour of a user, not with what they want or need to know (Is this an Agency).

If you actually read that link to Giorgio's blog you would see he is already planning to expose the entire DNT functionality of NoScript in the GUI. I suspect the main reason he hasn't done it yet is just lack of time.

Is Giorgio the only developer of NS?

IMO this feature is in the wrong software and the best way to fix this is remove this feature. If your config interface is "already-busy", maybe you have to much features?

I really doubt Giorgio would add a feature to NoScript if he didn't believe it to be really worthwhile somehow, because I would think 1) he wouldn't want NoScript to have a reputation for being bloatware and 2) having such a long TODO list as he does, he wouldn't want to maintain more than absolutely necessary.

I don't say DNT is a bad feature, still I say it's a good feature, this is not my problem and can be discussed somewhere else. My point is that when you have a feature you should document it and add config options to default config interface. If Giorgio has not enough time maybe he can ask for help. I would have post a patch, if I could write JS.

Maybe you can write an other plugin with add some privacy to the HTTP-header and add this feature.

If Giorgio is already too busy to do everything he wants to do with NoScript where is he going to find the time to write and maintain yet another addon?

Is Giorgio the only one who can write a Firefox extensions?

satanist

[barbaz]

Is Giorgio the only developer of NS?

Yes

I don't say DNT is a bad feature, still I say it's a good feature, this is not my problem and can be discussed somewhere else. My point is that when you have a feature you should document it

Again, I'm not sure why the description from AMO isn't also somewhere on noscript.net...
Giorgio, could you please add it to https://noscript.net/features?

and add config options to default config interface. If Giorgio has not enough time maybe he can ask for help. I would have post a patch, if I could write JS.

With the way Giorgio has designed the Options dialog, not sure you need to know JS for something like that. I think it's possible you just set the right attributes in the XUL and his existing code will do the rest.
I think ideally this should go in a 'DNT' tab in Advanced. No idea if I'll be able to try make a patch or not (and even if I do, it will need to have localization/localizability added which I don't know anything about) but will see how things go, never know my luck.

Oh, and I decided to read the comments in that blog entry, and it sounds like NoScript 3 will come with presets you can select, which would presumably say whether NoScript will turn on its own DNT (if not, it should be selectable then but selected by default IMO, to make sure users are aware of it).

Again, I agree with you NoScript's DNT feature needs more obvious documentation outside of AMO.

Maybe you can write an other plugin with add some privacy to the HTTP-header and add this feature.

If Giorgio is already too busy to do everything he wants to do with NoScript where is he going to find the time to write and maintain yet another addon?

Is Giorgio the only one who can write a Firefox extensions?

Oh, sorry, didn't understand what you meant there. Anyway even if someone else wrote the addon, why install a separate extension just for DNT when the browser has that functionality?
(note: NoScript implemented DNT before Gecko did.)

[OldLurker]

This is a storm in a teacup.
The DNT feature doesn't interfere with full Web access via Fx with best security.
Without default DNT, there is a good case to be argued that NS is less secure.

There is already a toggle even if it's not in the GUI for those NS users who discover they want to be tracked. I haven't met anyone like that yet, except ad company employees who're NS users more to be able to keep track of their opposition than anything else.
There are heaps more non-GUI configurations that I'd really like to have in the GUI because I'm so forgetful and have been known to leave sub-optimal toggles off or on without a GUI to remind me. I'm waiting for NS 3 because I've been part of the NS community, and understand the workload of the dev. Even though I've donated, I still don't feel entitled to be this picky.

DNT has historical roots in being first proposed jointly by Maone and Palant - devs of NS and AdBlock. It is the dev's baby and doesn't need abuse from someone outside the tent.
At the time, there was clear opinion offered in the dev's own blog and comments about the default state.

At best, any configuration of the NS Gui for DNT should be taken up directly with the developer himself- - of course after first at least having the manners to research the developer on his own site and not by using a support thread to waste volunteer time with questions that could be answered with a few seconds reading.

I vote -1 for this picky RFE; the general NS user expects to have a default NS configuration that affords maximum security and not being tracked adds to security via blocking data collection.

@ satanist. Please stop abusing barbaz's generosity.

[Thrawn]

First of all how do you know what "most users" want?

Mostly because I've been on the NoScript support team for years, and helped out on an unofficial basis for years before that.

[Bane]

I'm a privacy conscious user before being security-minded. DNT is a privacy thing, not a security one, and NoScript often claims to be security-focused first and foremost. So I should be happy that NoScript enables DNT right ?

But DNT was used by about 11% of Firefox users last time I checked, so privacy wise it is bad in that it makes you stand out of the pack. Furthermore, websites seldom respect it and when they do, they just do it their own way, such as "track user but don't show targeted ads". DNT was meant to protect privacy but in adding entropy without providing any guarantee to not be tracked, it makes the situation worse.

So not providing the DNT header is probably the best solution for privacy-conscious users. But it is enabled by default with NoScript, so disabling it risks making the user stand out even more as a "NoScript user with DNT disabled" (i.e. it adds entropy to our fingerprint)

Considering all of this, I think NoScript should just leave DNT alone and let Firefox handle it. The feature is very accessible nowadays - it was not the case in 2010 when Giorgio wrote this article and implemented it in NoScript.

Can it please be considered to remove this functionality altogether ?



(Yes I did read Giorgio's article in 2010 when it was published, but since then I learned more about fingerprinting, watched adoption of this header both by servers and users, and concluded that DNT sucks for privacy)

[barbaz]

...??

I'm a privacy conscious user before being security-minded. DNT is a privacy thing, not a security one, and NoScript often claims to be security-focused first and foremost. So I should be happy that NoScript enables DNT right ?

Yes!

But DNT was used by about 11% of Firefox users last time I checked, so privacy wise it is bad in that it makes you stand out of the pack.

Right, because with a total of millions, about 1 in 10 being just like you in one specific way is "standing out of the pack"...

Furthermore, websites seldom respect it and when they do, they just do it their own way, such as "track user but don't show targeted ads".

So what?
Yes, some people/groups are willing to be jerks for the sake of business. That's not a problem with DNT, that's a problem with business being profitable.

DNT was meant to protect privacy but in adding entropy without providing any guarantee to not be tracked, it makes the situation worse.

One boolean *that everyone else has access to* doesn't make much difference to your browser fingerprint. And it matters even less considering that this particular property could, at some point, be backed by law somewhere (if it's not already?).

So not providing the DNT header is probably the best solution for privacy-conscious users.

Because silence is the answer when someone is bullying you and assuming you are OK with it?

But it is enabled by default with NoScript, so disabling it risks making the user stand out even more as a "NoScript user with DNT disabled" (i.e. it adds entropy to our fingerprint)

Have you really read anything about browser fingerprinting?
NoScript, DNT and all, actually makes it very difficult for sites to fingerprint your browser, because most fingerprinting can only be done by Javascript which NoScript blocks by default. NoScript isn't the only way to disable Javascript, so disabled Javascript + no DNT doesn't make you much more identifiable than disabled Javascript + DNT.
And if you allow Javascript... well, I've seen some scripts that can ferret out information that's a LOT more identifying than a tracking preference... just as one example, have you heard about AddThis' canvas fingerprinting?

In short, the DNT header really doesn't make a significant difference to your browser fingerprint or fingerprintability.

Please go to https://panopticlick.eff.org/browser-uniqueness.pdf and search for the word "NoScript", and read all the statements that comes up with.

Considering all of this, I think NoScript should just leave DNT alone and let Firefox handle it. The feature is very accessible nowadays - it was not the case in 2010 when Giorgio wrote this article and implemented it in NoScript.

Can it please be considered to remove this functionality altogether ?

Please no, NoScript's DNT feature is useful because those who do want DNT can use NoScript to opt not to send DNT to specified sites, which can't be done with just the browser builtin DNT. It's happened before that a site breaks with DNT but works fine without: viewtopic.php?f=7&t=18078
Also NoScript still supports Firefox 3.0.9 and later. DNT in Firefox wasn't added until Fx 4, so Fx 3 users would be left with no DNT (possibly with no warning).

Protip: next time you want significant functionality completely removed from some software, try to avoid using FUD and random out-of-context statistics as the primary basis for your reasoning.

(Yes I did read Giorgio's article in 2010 when it was published, but since then I learned more about fingerprinting, watched adoption of this header both by servers and users, and concluded that DNT sucks for privacy)

Sounds like you have been badly misinformed since then. Maybe you should read the entire document I linked above (in which notably, they don't even bother considering using DNT info for constructing a browser fingerprint)...

[Thrawn]

Please go to https://panopticlick.eff.org/browser-uniqueness.pdf and search for the word "NoScript", and read all the statements that comes up with.

And one from the conclusion (which doesn't actually use the word 'NoScript'):

We identified only three groups of browser with comparatively good resistance to fingerprinting: those that block JavaScript, those that use TorButton, and certain types of smartphone.

[Bane]

Right, because with a total of millions, about 1 in 10 being just like you in one specific way is "standing out of the pack"... (...)
One boolean *that everyone else has access to* doesn't make much difference to your browser fingerprint.

I forgot the math but I think it's around one bit of entropy. According to EFF's experiment which we've both heard of when it was started: "Overall, we were able to place a lower bound on the fingerprint distribution entropy of 18.1 bits, meaning that if we pick a browser at random, at best only one in 286,777 other browsers will share its fingerprint.".
Which, coupled with an IP address, should be enough to uniquely identify anyone but those living in the most densely populated areas. If 18 bits of entropy do that, then 1 bit does make a difference right ?

And it matters even less considering that this particular property could, at some point, be backed by law somewhere (if it's not already?).

How many countries would have to vote such a law for it to have any real impact ? And do you think they will all vote into law the exact definition of DNT, or do something completely useless like California ? Even if all major countries in the world voted it exactly like we want, which is not just unlikely but completely impossible in any decent time frame, how seriously do you think it is going to be enforced ? Quoting the link about California to illustrate:
"If you do not respond to DNT signals, it will suffice to indicate this fact in the privacy policy;
if you respond to DNT in some way, the privacy policy should disclose how you respond to this signal;
You need to act when: your (in any way commercial) website or mobile app is operated from California or your users may be consumers residing in California"

Because silence is the answer when someone is bullying you and assuming you are OK with it?

(Silence is the answer when you want to go unnoticed. Being incognito can only be a separate activity from fighting for the right to be incognito). Besides, DNT like a protest only has weight when people know they are participating in it. NoScript enables it by default regardless of Firefox preferences, so there is a grey area regarding the will of all of its 2.2 million users. Even if it makes sense that someone installing NoScript would want to enable DNT, it can be disputed, and it gives ground for jerks to claim that DNT doesn't have much weight and can therefore be ignored.

NoScript, DNT and all, actually makes it very difficult for sites to fingerprint your browser, because most fingerprinting can only be done by Javascript which NoScript blocks by default.

NoScript definitely reduces browser fingerprint *a lot*. DNT does not, it's yet another header so it is adding entropy.

disabled Javascript + no DNT doesn't make you much more identifiable than disabled Javascript + DNT.

NoScript users have massively had DNT enabled, so as a NoScript user, I have less entropy if I enable DNT as well. I am singled out as being a Firefox user with JS disabled (very likely from NoScript) with no DNT header (the vast majority of Firefox users with JS disabled have DNT ON)

Please no, NoScript's DNT feature is useful because those who do want DNT can use NoScript to opt not to send DNT to specified sites, which can't be done with just the browser builtin DNT. (...)
Fx 3 users would be left with no DNT

Right. So then, NoScript could just have DNT unset by default, like Firefox.


So I guess there are two arguments for a DNT header unset by default:
- Counter-productivity due to entropy
- Default enable is undermining the message. Do-Not-Track is a proactive move. (Currently jerks can shrug it off with the argument that NS users may or may not want DNT, we have no means to know, so that's 2 million DNT users we're going to ignore)

Maybe you should read the entire document I linked above (in which notably, they don't even bother considering using DNT info for constructing a browser fingerprint)...

DNT wasn't used in the wild at the time.