frank published Why your WordPress blog needs DoNotTrack.
frank liked Radiohead – The King of Limbs [Full Album].
frank published 3 Apache mod_cache gotchas.
frank liked Black Dub performing "Last Time" on KCRW.
3 Apache mod_cache gotchas
If you want to avoid the learning curve of Squid and Varnish or the cost of a dedicated caching & proxying appliance, using Apache with mod_cache may seem like a good, simple and cheap solution. Rest assured, it can be (to some extent), but here are 3 gotchas I learned the hard way:
- mod_cache ignores Cache-Control if Expires is in the past (which it shouldn’t, according to RFC2616), so you might have to unset the Expires header.
- mod_cache by default caches cookies! Let me repeat: cookies are cached! That is a huge security disaster waiting to happen; session IDs (which provide access for logged-on users) are generally stored in cookies. If a logged-on user requests an uncached page, that user’s cookie will get cached and sent to other users that request the same page. Disable this by adding “CacheIgnoreHeaders Set-Cookie” to your config.
- mod_cache by default treats all browsers like the one that triggered the caching of the object. In the field that approach can cause problems with e.g. CSS files that are stored gzipped (because the first browser requested with the header “Accept-Encoding: gzip, deflate”). If a browser that does not support gzipped content requests the same file, the CSS will be unreadable and thus not applied. The solution: make sure the “backend webserver” sends the “Vary: Accept-Encoding” header in the response (esp. for CSS files). This tells mod_cache to take different Accept-Encoding values into account, storing and sending different versions of the same CSS file.
Why your WordPress blog needs DoNotTrack
So what’s with all that nagging about tracking and that DoNotTrack plugin, you might wonder? Well, it’s pretty simple actually.
- Some very popular WordPress plugins include 3rd party tracking, sometimes without properly disclosing it, and often without a way to disable this behaviour
- 3rd party tracking has privacy implications: all your visitors are tracked by the 3rd party, in general for behavioral marketing purposes (depending on what data is captured, tracking might even be illegal in some countries)
- 3rd party tracking has a performance impact: every visit to your blog will include between 2 and 5 extra requests for the 3rd party tracking to succeed, effectively delaying full page rendering
It is my conviction that blog owners should be able to install and use WordPress plugins without having to worry about undisclosed tracking and that plugins should provide a way to disable such 3rd party tracking if included.
Some details from the readme.txt:
- What works:
  - It sets a2a_config.no_3p to true so that AddToAny does not execute its 3rd party tracking
- What does not work (yet): tracking code added using innerHTML or appendChild/insertBefore is not yet intercepted (but I’m working on a solution for that)
- What else might be added:
  - a widget which explains tracking to your visitors, with a link to this bookmarklet to opt out of many tracking/advertising services at once
  - other known opt-out code to disable tracking for all visitors of your blog
  - support for the DNT header as seen in Firefox 4
- How you can help:
  - Provide me with links to plugins that include browser-based tracking, plus the domain where the tracking is done.
  - Tell plugin writers you’re not happy with 3rd party tracking!
  - Tell your visitors about tracking & privacy; link to e.g. http://www.privacychoice.org/
And remember: if you host your WordPress blog yourself, you and nobody else should be able to decide who tracks your users!
As found on the web (February 16th)
frank published Google Analytics for the privacy aware.
frank liked Thomas Dybdahl – How it Feels.
frank posted IE9 RC released.
frank posted Google Adds Extra Layer of Security to User Accounts.
frank posted Do Not Track Bill Introduced in Congress.
frank liked 2 videos.
frank posted HTC Announces The Desire S, Wildfire S, and Incredible S.
frank liked Gorillaz Featuring Daley – Doncamatic.
Google Analytics for the privacy aware
While the entire German blogosphere seems to have discovered the pretty unpleasant, secretive inclusion of Quantcast tracking in the “WordPress.com Stats” plugin, I found an article on the blog that broke the story in Germany which explains how you can somewhat limit the (valid) privacy concerns with Google Analytics.
You just have to push “_gat._anonymizeIp” as an option in the _gaq object, as shown on line 5 in this code snippet:
According to the relevant Google Analytics docs page, this:
“Tells Google Analytics to anonymize the information sent by the tracker objects by removing the last octet of the IP address prior to its storage. Note that this will slightly reduce the accuracy of geographic reporting.”
Call me naive (or overly idealistic), but shouldn’t your Google Analytics implementation have this option on as well?
As found on the web (February 9th)
frank Frank one Android (a nearly-new cheapo Acer e110) is not the other (a faithful but lost HTC Hero) ….
frank liked Ghostpoet – Cash and Carry Me Home official video.
frank posted Facebook.com is now the Internet.
frank published On the rebound with an Acer beTouch e110.
frank liked Hanne Hukkelberg – Do Not As I Do.
On the rebound with an Acer beTouch e110
On January 28th I was stupid enough to forget my trusty HTC Hero on the train. I filled out the NMBS’ online lost luggage forms and mourned the loss of my faithful personal digital assistant for a couple of days. As my employer is supposed to co-finance a new handset in July, I decided to look for a cheap temporary replacement for now. Main requirements: cheap, 3G+, tethering and optionally Android. The Acer beTouch e110 seemed to be a perfect match.
The e110 is a small and light touchscreen device, running Android 1.5 (Cupcake). It comes with 3G+ (HSDPA), Bluetooth, GPS and FM radio and it is one of the cheapest Android-based handsets available. And when I say cheap, I mean cheap as in “you can’t even find a decent 2nd hand device for that price”-cheap.
So what’s not to like? Well, the CPU is pretty slow, there’s no WiFi and the touchscreen needs some tough love. Android 1.5 Cupcake isn’t exactly the latest and greatest Android around either. Although Acer did issue new ROMs in 2010, those were all based on Android 1.5 and there are no plans for an Eclair or Froyo version. What’s more surprising (although some would consider this a plus) is that the e110 is not a Google-branded phone. This means, amongst other things, that there’s no Google Market and no Contacts synchronization. Add the lack of Exchange integration to the equation and you’ve got a very empty contacts list and calendar, which is pretty frustrating if you want to use your phone for work purposes.
No, Acer’s beTouch e110 certainly is no Hero, but I’ve got my HSDPA, tethering and even Android for a very low price. So I’ll cope until my Hero comes home. And if that doesn’t happen, the unboxing of the Desire Z in July will be all the more exciting.
Quantcast spyware puts selfhosted WordPress blogs in Automattic network
A quick update about the WordPress.com Stats plugin’s secretive inclusion of Quantcast tracking:
- Automattic’s CEO proudly blogged about the huge leap Quantcast sees in the usage of sites in the Automattic network from November onwards, and confirms that self-hosted WordPress blogs are now considered part of Automattic’s network:
the bump you see in November is when we started tracking Polldaddy, ID, Gravatar, and WordPress.com Stats users in addition to WordPress.com visitors
- A German law firm that seems to specialize in internet, law and privacy wrote about Automattic’s Quantcast tracking, claiming that using the Stats plugin might put you at risk of legal action. I’m not a lawyer, but privacy laws in Germany (and Europe as a whole) are a lot stricter, so self-hosted bloggers should be careful when installing plugins that include tracking.
- My little DoNotTrack plugin got downloaded quite a few times this last month. Maybe I should iron out the quirks, make it a bit more generic and see if I can get it listed on the wordpress.org plugins repository?
As found on the web (February 2nd)
frank liked Achin Heart – Pomplamoose.
frank published Why you shouldn’t rely on ajax’s same origin policy.
frank Frank feel stupid, stupider, stupidest; lost my smartphone today :-(..
frank liked Flying Lotus – Golden Axe (Maida Vale Session).
Why you shouldn’t rely on ajax’s same origin policy
XMLHttpRequest (or “ajax”) is generally considered to be safe because it is restricted by the “same origin” policy, but that isn’t entirely correct. Consider the following: an ajax call, like all HTTP communication, consists of a request and a response. For read operations the response is needed; for write operations … that ain’t necessarily so!
So how can a “hacker” send a request for such a write operation and have it executed (which actually amounts to “cross site request forgery”)? There are a number of possibilities:
- Execute a GET-request by including it in the attack-site html as the src of a script, css or img tag, for all of which the same origin-policy does not apply.
- Just do a normal XHR-request, the same-origin policy applies, but some top-notch browsers will execute the request and just ignore the response (is that a bug or a feature?)
Conclusion: if you want to do anything more than read-requests on the same domain, you really-really-really have to protect your resources against CSRF using one of the techniques that are described in this wonderful OWASP CSRF cheat-sheet.