Propagation: defeating journal trackers and other web-bugs with FireFox

[denny]

Reposted from ciphergoth's journal:

This journal entry describes ways in which people you know may be monitoring the way you use LJ. How often you read their journal, what friends groups you define, and so on.

It's done with what are called "web bugs" - tiny images served from special servers that record this information. You can block the servers that serve the web bugs, but they can always create more servers, so it's a game of "whack-a-mole".

Today I found out about a setting in Firefox that blocks *all* such tracking, from all websites to all websites, permanently. No longer will people be able to monitor you in this way.

Go to the URL bar and type "about:config". Select the setting "network.http.sendRefererHeader". If it has the value "2", change it to "1". That's it.

Technical details

I'll be setting this on all my browsers ASAP.

I'm actually not particularly bothered by the LJ web-bugs - they strike me as slightly inane, but I don't mind if people know when I read their journal. I will be changing this setting though, to defeat any commercially-motivated web-bugs that might be hooked into web advertising and similar.

Comments

[http://users.livejournal.com/_nicolai_/]

That's going to break a bunch of image hosting sites, etc, but I'm assuming you're not bothered about that.

[dennyd.livejournal.com]

I was wondering what the collateral damage would be :) Why the image-hosting sites?

[davefish.livejournal.com]

Well if this became common practise I might change mine to refuse if they didn't know the referer (Okay, I might want to, I might not know how though.)

[dennyd.livejournal.com]

Why would you want to?

[davefish.livejournal.com]

If its a bundle of people on LJ that do it and thats it then I don't mind so much, but if it means that I really can't see whats going on in my weblogs then its another matter.

I've had bandwidth issues in the past with people posting to forums with my pictures, but using my hosting. I don't really want to give several gigs a week of bandwidth to other people who are posting my images around the place, so having some means to check what the website that requested the image was is what I am after.

[ulorin-vex.livejournal.com]

hmm. changed mine for now, will it affect anything else do you know?

[dennyd.livejournal.com]

If people are protecting their images by checking for a matching referrer, it will stop their images loading even when you're on their site... apparently Keenspace comics is one place that does so, I guess it's not unlikely for some fetish sites to do the same.

[azekeil.livejournal.com]

Check back on the comments on his post; some of this and other things are explained - I don't think this will fix it as well as blocking each site until more options are explored.

[lusercop.livejournal.com]

IMLE, real webbugs (the commercial kind - I don't know about the kind that LJ users are embedding) work with information embedded into the request in some kind of encoded or encrypted form (depending on the site and the bug), so you don't have to rely on the Referer: header in the HTTP request, and the browser behaving itself properly.

Changing this setting is a nice feelgood, but I can't say it's necessarily going to actually help you. As davefish has commented (sjmurdoch has suffered the same), people just link straight to your images on something popular, meaning you pay for the bandwidth without any credit.

I think at some point I'm going to write an HTTP proxy (or squid extension) that blocks images that have a size smaller than, say, 16x16, and possibly it's worth doing the same as a browser extension. I noticed that some of my testing code at work was doing all sorts of webbug stuff when I wrote a proxy to try and track the hits for profiling...

Thing is that I could easily include an image, even in this comment, and watch my server logs for that image. It's much better to make it clear that you get upset with such things, and to take reasonable action against people who do it to you. It's a (basically) social problem, and so requires a basically social solution.

[dennyd.livejournal.com]

The most popular of the LJ bug systems uses custom mood icon themes as the images it hangs off of, so it is actually desirable to see the images (to a limited extent) and just not return any information about who looked at them.

It would be nice to be able to set the don't-send-referrer thing on small images only.