
Comments (11)

ltguillaume avatar ltguillaume commented on June 3, 2024 3

Also, nothing you tell them would be news. The developers who built the site would already be aware of the issues (...)

Not necessarily 😏 Lissy93/awesome-privacy#65

from personal-security-checklist.

Lissy93 avatar Lissy93 commented on June 3, 2024 1

Also, nothing you tell them would be news. The developers who built the site would already be aware of the issues (...)

Not necessarily 😏 Lissy93/awesome-privacy#65

@ltguillaume You got me there 😂

from personal-security-checklist.

Lissy93 avatar Lissy93 commented on June 3, 2024

, that the web has become a ... a shit-hole, to put it bluntly

Couldn't have put it better 🤣

As a developer myself, JavaScript is Devil's Spawn. Almost all modern web "apps" run the majority of their logic client-side (on the user's browser). This has increased over time, due to client devices becoming more powerful, and the improved user experience you get from not having to re-render each page.

All this logic is written in JavaScript (or a subset which transpiles into JavaScript). Yet JS is not particularly secure by default - it's messy, bloated, not type safe, behaves differently on different engines / browsers, can be insecure, etc, etc.

There are a bunch of proposed solutions to the issue in the works, e.g. WASM, which is pretty cool.

That said, you can still build frontend apps, using modern frameworks that are not privacy-invasive. Here's the Privacy Docs for one of my apps, it doesn't make any external requests, unless you specifically enable a feature (like weather, uptime monitoring, etc), and everything that is stored is transparently documented to the user.

The privacy issues mostly come from either sloppy developers, or data-greedy companies, combined with a poorly configured user environment.

from personal-security-checklist.

Lissy93 avatar Lissy93 commented on June 3, 2024

In terms of your idea...

It doesn't need to be a browser extension (and probably shouldn't be), and obviously the mail sending component wouldn't be possible from an extension alone.
Instead, you could just have a serverless function, which accepts a URL, scans the site, generates a report, scrapes a contact address, then sends off the message. The function could then be initiated manually with a web address passed in, or you could use it to crawl top sites within certain categories.

As for the effectiveness, although a nice idea, I honestly don't think any companies would give a shit. To them, the data they are collecting is far more valuable than a few users threatening to boycott their service.

Furthermore, web administrators get A TON of mostly automated messages every day. They don't read any of them. Even developers of small sites, like myself get so many automated messages that it's not practical to even open them any more.

Also, nothing you tell them would be news. The developers who built the site would already be aware of the issues, and would have made those decisions based on things like cost, complexity, time-constraints, business requirements.

You could still try building it, not sure of your skill level, but this should be a very easy starter project. Most of the logic is already out there, so just a case of putting the parts together, maybe just a serverless function written in Go, and a simple UI to invoke it.

from personal-security-checklist.

atomGit avatar atomGit commented on June 3, 2024

Instead, you could just have a serverless function, which accepts a URL, scans the site, generates a report, scrapes a contact address, then sends off the message. The function could then be initiated manually with a web address passed in, or you could use it to crawl top sites within certain categories.

interesting idea for sure!

the problem is, all the mails would be coming from the same mailer, no? this wouldn't be as effective as mails originating from many individuals - any idea on how that could be overcome? i suspect passing a mail address as a param to the ... script(?) wouldn't really work (mails would still originate from a single server)

also, wouldn't a browser ext. act as a complement to this so users can feed the script the params without having to do anything? i'm thinking about keeping this as dirt simple as possible for users

what about a very simple ext. that interacts with the script? so the script then checks the site (url param sent to the script) against a db and opens a pre-filled mail for the user to manually send - this avoids ext. updates when the db is updated (db = a text file, not an actual db)

As for the effectiveness ... I honestly don't think any companies would give a shit. To them, the data they are collecting is far more valuable than a few users threatening to boycott their service.

i dunno - maybe it depends on who is contacted? - site owner vs. article author, the "contact" address, etc. - i think this might get some noticeable attention over time - the "few users" is a hurdle to overcome, but that's where a browser ext. might help and maybe some advertising

not sure of your skill level...

well, if we start the scale at 0, i'm about a 0.2 (some bash, html, css, very limited success hacking other people's JS/PHP) - given its assumed simplicity however, this is not necessarily beyond my ability but i'll probably need help, perhaps mostly with getting the ext. to talk to the script (assuming an ext. is in order)

from personal-security-checklist.

Lissy93 avatar Lissy93 commented on June 3, 2024

the problem is, all the mails would be coming from the same mailer, no? this wouldn't be as effective as mails originating from many individuals - any idea on how that could be overcome? i suspect passing a mail address as a param to the ... script(?) wouldn't really work (mails would still originate from a single server)

Ah yeah, I see what you mean, yeah you could have emails sent from the user's address by using an ordinary anchor element. The mailto part within the href attribute can accept the recipient, subject and body passed as GET params. So when you / the user open the link it'll open your default email client, and populate those fields, all you'll need to do is hit Send.

Then, like you say, each mail comes from a real sender, which will be much more effective. Although it would also mean sending the email from your real address. And it might be tedious to do each website one at a time.

That'd remove the need for any email sending capabilities. Setting up mail servers for sending, in a way that you can send out a lot of emails without them landing in spam, is surprisingly hard. That's one of the reasons why most apps with any mail sending functionality will outsource this to a third-party service, like mailchimp, sendgrid, mailgun...


i dunno - maybe it depends on who is contacted?

Ah yeah, very true. But also, any email address you can find online by a web scraper will have already been found by a web scraper, and be getting a lot of emails. But if you can manually deduce an author's email address yourself (e.g. trying [email protected]), then you'll probably have much better results.

from personal-security-checklist.

atomGit avatar atomGit commented on June 3, 2024

Although it would also mean sending the email from your real address. And it might be tedious to do each website one at a time.

users would be (strongly) encouraged to set up a dedicated account somewhere (riseup, gmail <-- yes, i said that out loud, protonmail, etc.)

frequency of mails based on different domain visits could be handled by a preference, or done in a very unobtrusive way, such as a toolbar icon changing color with an optional notification

so i gather you think an ext. + a script makes sense? i'm open to any and all suggestions

ps - for anyone interested, i'm looking at the ClearURLs ext. because it fetches a file from a git repo and processes it - see line 262 in clearurls.js

from personal-security-checklist.

unixdigest avatar unixdigest commented on June 3, 2024

As for the effectiveness, although a nice idea, I honestly don't think any companies would give a shit. To them, the data they are collecting is far more valuable than a few users threatening to boycott their service.

Furthermore, web administrators get A TON of mostly automated messages every day. They don't read any of them. Even developers of small sites, like myself, get so many automated messages that it's not practical to even open them any more.

Also, nothing you tell them would be news. The developers who built the site would already be aware of the issues, and would have made those decisions based on things like cost, complexity, time-constraints, business requirements.

I agree 100% with @Lissy93 on this and for the reasons she has mentioned above, I don't think this would have any impact whatsoever.

IMHO the entire industry is so hopelessly romanticized by hype that even when it is more costly in the long run, they still do the "wrong" thing just because that's what everyone else is doing.

from personal-security-checklist.

atomGit avatar atomGit commented on June 3, 2024

hiya @unixsheikh :)

i wouldn't necessarily disagree that effectiveness would be between 0 and near 0 if Big Tech were the target, but that's not really what i had in mind - i'm more interested in blogs, alternative social platforms, sites that focus on free software, personal site, wordpress sites, etc. - a lot of these kinds of sites aren't interested in monetizing data, but the admin, who could be a total novice, is just using whatever tools are popular (wordpress, shitty plugins, etc.) without being aware of the implications

i'd also mention again that i think the effort required to get something like this up and running as far as coding would be rather trivial - essentially a very simple browser ext. that grabs a remote file and prefills a ready-to-send mail

it could be an interesting experiment and, who knows, the result may be surprising

from personal-security-checklist.

unixdigest avatar unixdigest commented on June 3, 2024

i wouldn't necessarily disagree that effectiveness would be between 0 and near 0 if Big Tech were the target, but that's not really what i had in mind - i'm more interested in blogs, alternative social platforms, sites that focus on free software, personal site, wordpress sites, etc. - a lot of these kinds of sites aren't interested in monetizing data, but the admin, who could be a total novice, is just using whatever tools are popular (wordpress, shitty plugins, etc.) without being aware of the implications

Hi @atomGit :)

The problem with those, i.e. private blogs, Wordpress, etc., is that the people using these wouldn't know what to do about it. Even when/if you suggest replacements, migrating a website from product A to product B for a non-tech person is often a daunting/time-consuming task.

I personally know a lot of small businesses that just use Wordpress for blogging, and they know absolutely ZERO about any of this. They managed to get it installed and that's about it.

from personal-security-checklist.

atomGit avatar atomGit commented on June 3, 2024

I personally know a lot of small business that just use Wordpress for blogging, and they know absolutely ZERO about any of this.

that's where this part comes in...

if the user lands on a blacklisted site, they are non-intrusively prompted to send a pre-filled mail to the site owner/admin/contact/author/etc. which contains concerns with the site (privacy, security, etc.) and information as to possible solutions

i agree that a lot of these administrators are technically challenged (so am i) and i gave that a little bit of thought when i outlined all this - i think friendly, concise suggestions and a willingness to help could go a long way

from personal-security-checklist.
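The two mechanisms the thread sketches, a text-file "db" the extension checks the current site against and a mailto: link that pre-fills recipient, subject and body so the user's own mail client sends it, as one added example (not code from the thread or the personal-security-checklist project). The db format, the `SAMPLE_DB` entries and all function names are assumptions made for illustration.

```javascript
// Added example, not code from the thread: parse the plain-text blocklist "db",
// look the current host up in it, and build an RFC 6068 mailto: link so the user's
// own mail client sends the pre-filled message. Names and file format are assumptions.

// Constructed sample db: domain, optional contact address, '#' starts a comment.
const SAMPLE_DB = `
# domain           contact (optional)
example.com        webmaster@example.com
blog.example.org
`;

function parseDb(text) {
  const entries = new Map();
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*/, '').trim();
    if (!line) continue;
    const [domain, contact] = line.split(/\s+/);
    entries.set(domain.toLowerCase(), contact ? contact.toLowerCase() : null);
  }
  return entries;
}

// Match the host exactly or as a subdomain of a listed domain (www.example.com matches
// example.com); never match on the bare public suffix, hence labels.length - 1.
function lookupHost(entries, hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join('.');
    if (entries.has(candidate)) return { domain: candidate, contact: entries.get(candidate) };
  }
  return null;
}

// mailto: per RFC 6068: percent-encode header values (spaces as %20, not '+'),
// keep the '@' of the address literal, and use CRLF (%0D%0A) for body line breaks.
function buildMailto(to, subject, body) {
  const at = to.lastIndexOf('@');
  if (at <= 0 || at === to.length - 1 || /[\s<>,]/.test(to)) throw new Error('invalid recipient address');
  const addr = encodeURIComponent(to.slice(0, at)) + '@' + to.slice(at + 1);
  const crlfBody = body.replace(/\r?\n/g, '\r\n');
  return `mailto:${addr}?subject=${encodeURIComponent(subject)}&body=${encodeURIComponent(crlfBody)}`;
}

// What the extension would do on page load: null means "site not listed, stay quiet".
function prefilledMailFor(dbText, hostname, subject, body) {
  const hit = lookupHost(parseDb(dbText), hostname);
  if (!hit || !hit.contact) return null;
  return buildMailto(hit.contact, subject, body);
}
```

In an extension the returned URL would be set as the `href` of the prompt's anchor; nothing is sent until the user presses Send in their own client.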
