Decentraleyes

half-moon

Decentraleyes

Unread post by half-moon » 2015-11-24, 15:35

I just recently installed this extension, but I really can't tell if it works and if it is conflicting with other extensions or not. I posted a link to where Decentraleyes was mentioned.

http://www.ghacks.net/2015/11/23/decentraleyes-for-firefox-loads-cdn-resources-locally/

ketmar
Lunatic
Posts: 369
Joined: 2015-07-28, 11:10
Location: Earth

Re: Decentraleyes

Unread post by ketmar » 2015-11-24, 16:57

Off-topic:
8MB! oh, my... instead of simply downloading the required thing on the first query, cache it and serve that cached version, that addon carries 24MB of unpacked data with itself!
otherwise, it's sdk addon, and has no logging. it seems that the only way to check is to open developer console and watch if there are any queries to CDN there.

there seems to be an option to "Automatically prepend a notice to retrieved documents to signal local delivery.", but i don't know how it's named (sdk, yeah).

dark_moon

Re: Decentraleyes

Unread post by dark_moon » 2015-11-27, 09:38

I installed the addon too and it works. Here you have a test site: http://formble.nl/test-decentraleyes/

(use the web console). You of course need to allow scripts in NoScript and/or RequestPolicy, but even if you allow them, the addon blocks the CDN request and uses the local file.

LimboSlam
Board Warrior
Posts: 1029
Joined: 2014-06-09, 04:43
Location: USA

Re: Decentraleyes

Unread post by LimboSlam » 2015-11-28, 06:13

How effective is this, and should I add it to my security measures? Or a better question, is this beneficial to me, really?
With Pale Moon by my side, surfing the web is quite enjoyable and takes my headaches away! :)
God is not punishing you, He is preparing you. Trust His plan, not your pain. #TrentShelton #RehabTime

Re: Decentraleyes

Unread post by ketmar » 2015-11-28, 06:28

not much, actually. there are a lot of ways to track you, even if you turn off cookies and javascript and use tor/anonymisers. worrying about "CDN tracking" is not the thing that should be on top of your list. not even in the middle.

so the only thing that's left is somewhat faster loading of js-heavy sites. that may work, but if you ask me, i'll tell you: "don't bother".

dark_moon

Re: Decentraleyes

Unread post by dark_moon » 2015-11-28, 09:20

You have one more protection against tracking, so I disagree with ketmar.
Speed is the same; until now I didn't see any improvements, but maybe this is different for other users with slower internet/slower PC.

The best is if you test it yourself.

Re: Decentraleyes

Unread post by ketmar » 2015-11-28, 09:24

it's like wearing a helmet 'cause you may be hit by asteroid: sure, if you will be hit, it may save you. but...

Re: Decentraleyes

Unread post by LimboSlam » 2015-11-28, 10:14

Got it, will test it. Thanks. :)

Decentraleyes
Apollo supporter
Posts: 40
Joined: 2015-11-30, 16:46
Location: The Netherlands

Re: Decentraleyes

Unread post by Decentraleyes » 2015-11-30, 17:00

ketmar wrote:
> it's like wearing a helmet 'cause you may be hit by asteroid: sure, if you will be hit, it may save you. but...

I think that's a rather poor and confusing analogy. You're comparing an entirely ineffective defense method for something that is very unlikely to happen, to an effective way of defending yourself against something that is known (and objectively proven) to happen very regularly.

Let me clarify. According to W3Techs, 19.7% of all websites make you fetch resources from large, known, Content Delivery Networks. Google Hosted Libraries has an insanely large market share in the CDN market (85.3% to be exact). This means that a good portion of your browsing history is handed over to them in exchange for "free" content delivery. Now, I don't think I need to tell you that Google is a data mining company and that they're paying for the servers behind this massive network. For a reason.

Source: http://w3techs.com/technologies/overview/content_delivery/all

DISCLAIMER: I'm the author of Decentraleyes.

Lord_Brezel

Re: Decentraleyes

Unread post by Lord_Brezel » 2015-11-30, 18:36

Fedora develops a similar approach of shipping popular static web resources with their package manager. I wonder how they plan to integrate that in the browser without having to blast it through lots of extension woes.

Re: Decentraleyes

Unread post by ketmar » 2015-11-30, 22:02

Decentraleyes wrote:
> Let me clarify. According to W3Techs, 19.7% of all websites make you fetch resources from large, known, Content Delivery Networks. Google Hosted Libraries has an insanely large market share in the CDN market (85.3% to be exact). This means that a good portion of your browsing history is handed over to them in exchange for "free" content delivery.

how is that? very little number of sites adding unique ids to cdn links. and i never had referers turned on. i'm not allowing cookies to go to 3-rd party. so the only attack vector left is javascript code. which can be used regardless of library source site: xhr is always here. see? turn off referers and cookies — and there's no need in multimegabyte download.

still, i can't really understand what people are talking about with javascript turned on in their browsers. this alone makes all other "protection efforts" not better than tinfoil hat. and with js turned off one don't need cdn replacer at all.


p.s. just in case. sometimes i seem to be rude, sorry. it's not a personal attack, and i'm not telling that addon is useless. what i'm trying to tell with my unique style is that i, personally, don't see any reason to use the addon. and i tried to explain why. but, of course, i'm not forcing anyone to do what i'm doing. ;-)

Re: Decentraleyes

Unread post by Decentraleyes » 2015-11-30, 22:53

ketmar wrote:
> i'm not allowing cookies to go to 3-rd party. so the only attack vector left is javascript code regardless of library source site: xhr is always here.

Even if one would take all of the steps you take in protecting yourself, you indeed still trust a third party to inject non-malicious code into your environment. The difference with loading resources from individual websites, is that these third parties have full control over a wide range of websites, and can identify individual visitors by their browser fingerprints. This is the perfect set-up to inject code into the environment of a specific actor. Compromising individual websites is quite tricky.

ketmar wrote:
> no need in multimegabyte download

Decentraleyes is by no means heavy. I'm not sure how you're worried about an extension that easily fits on a 1986 Perpendicular floppy disk. That said, the current version contains a fair amount of libraries that are so rare, that they can (and will) be removed from future versions.

ketmar wrote:
> i can't really understand what people are talking about with javascript turned on in their browsers. this alone makes all other "protection efforts" not better than tinfoil hat. and with js turned off one don't need cdn replacer at all.

You're right about the fact that the current version of Decentraleyes only supports scripts, but future versions will come with support for web fonts, styles, and more. This means that, even with JavaScript disabled, you will be able to enjoy a visually pleasing browsing experience without having to rely on CDNs.

ketmar wrote:
> p.s. just in case. sometimes i seem to be rude, sorry. it's not a personal attack

No offense taken, and I'm not trying to attack you personally either. I think it's nice to have a healthy debate on this. I definitely get your stance on this matter, but mine does indeed differ from yours. Instead of trying to fight the symptoms of an unhealthy ecosystem, Decentraleyes aims to completely cut out the middle-man. It's built to work out of the box, not get in your way, and be performant. It was also made under the assumption that most people have a couple of megabytes to spare.

So, different opinions and views indeed, but I do respect yours.

Moonchild
Pale Moon guru
Posts: 35636
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Decentraleyes

Unread post by Moonchild » 2015-11-30, 23:06

I most definitely find it an interesting and logical concept to replace repeat calls to CDNs and downloads of known stable and unchanging libraries with a locally-loaded resource. In a way this is not all that much different than what the browser disk cache does already -- with the difference that a website or CDN can't force a request to a server (with the stated risk of tracking by way of lib loads/checks). The question will be, ultimately, how much of the common, static web you want to cache inside the extension.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Re: Decentraleyes

Unread post by ketmar » 2015-11-30, 23:26

Decentraleyes wrote:
> Even if one would take all of the steps you take in protecting yourself, you indeed still trust a third party to inject non-malicious code into your environment.

and the page itself, which can be hijacked almost as easily as cdn.

Decentraleyes wrote:
> The difference with loading resources from individual websites, is that these third parties have full control over a wide range of websites, and can identify individual visitors by their browser fingerprints. This is the perfect set-up to inject code into the environment of a specific actor. Compromising individual websites is quite tricky.

without cookies and referers there are only HTTP headers to inspect. those can be stripped to bare minimum, so good luck, google. yes, you know my ip. now try to find out what site is loading resource from your cdn (if there's no "?uniqueid" in query, of course). so, we can strip those unique ids (if there are any) and change http request headers. should be enough, i think.

Decentraleyes wrote:
> ketmar wrote:
> > no need in multimegabyte download
>
> Decentraleyes is by no means heavy.

that's not a main issue, of course. yet 8MB of packed data is still a lot. of course, caching data on first load from cdn is less secure, so i see a reason of all that data included. i don't see a reason in addon in the first place. ;-)

Decentraleyes wrote:
> You're right about the fact that the current version of Decentraleyes only supports scripts, but future versions will come with support for web fonts, styles, and more. This means that, even with JavaScript disabled, you will be able to enjoy a visually pleasing browsing experience without having to rely on CDNs.

with js turned off most "modern" sites look like shit anyway (and some aren't even working). and if js is not turned off, site can send any analytics it wants. so it's a question of trusting site makers then — and it's quite obvious that i don't trust 'em, or i won't be using things like Decentraleyes in the first place. it doesn't matter if site authors are spying on themselves or just don't care if someone else is spying using their site: zero trust level anyway. so, the only way is to turn js off — and get a broken site. even if the site is stripped of all cdn traffic, i still don't trust its scripts.

Decentraleyes wrote:
> Instead of trying to fight the symptoms of an unhealthy ecosystem, Decentraleyes aims to completely cut out the middle-man.

from my PoV it's exactly "curing the symptoms". modern web is foobared, and cutting out some attack vectors doesn't help much, i think.

Decentraleyes wrote:
> It's built to work out of the box, not get in your way, and be performant. It was also made under the assumption that most people have a couple of megabytes to spare.

yep, the addon itself can help speed up things, as i wrote earlier. i'm not objecting to this. ;-)

Decentraleyes wrote:
> So, different opinions and views indeed, but I do respect yours.

and i do respect yours. even a tinfoil hat has some uses, and your addon is surely way more useful than such hat. ;-) tbh, i simply used the opportunity to write more of my "anti-javascript" blah-blah. javascript is a disease of web, and no attempts to cure symptoms will really help. or, to be more precise, modern trend "web is an application platform" is a disease. web wasn't made for apps.

Antonius32
Add-ons Team
Posts: 695
Joined: 2014-05-25, 11:18
Location: Netherlands

Re: Decentraleyes

Unread post by Antonius32 » 2015-11-30, 23:39

Decentraleyes wrote:
> Instead of trying to fight the symptoms of an unhealthy ecosystem, Decentraleyes aims to completely cut out the middle-man.

I like the idea. Keep up the good work!

Re: Decentraleyes

Unread post by Decentraleyes » 2015-12-01, 00:30

Moonchild wrote:
> I most definitely find it an interesting and logical concept to replace repeat calls to CDNs and downloads of known stable and unchanging libraries with a locally-loaded resource. In a way this is not all that much different than what the browser disk cache does already -- with the difference that a website or CDN can't force a request to a server (with the stated risk of tracking by way of lib loads/checks).

I'm glad to hear you like the concept. Thanks!

Moonchild wrote:
> The question will be, ultimately, how much of the common, static web you want to cache inside the extension.

That's a very good question indeed. Now that there's a working foundation, it's definitely time to give this more thought. It's very likely that resource market share statistics will play a big role in what exactly the default resource bundle will contain. Quite a few specific versions of libraries, and even entire libraries (all versions combined), have a market share of less than a percent. To make sure Decentraleyes remains accessible, the default bundle will be balanced in that regard.

In order to give users the ability to take this a step further (at the expense of additional hard disk space), efforts are underway to implement support for custom resource bundles. This should enable users to create, share, and install additional resources. The concept is comparable to filter lists for content blockers.

Gary5

Re: Decentraleyes

Unread post by Gary5 » 2015-12-01, 00:32

Decentraleyes wrote:
> ketmar wrote:
> > Google Hosted Libraries has an insanely large market share in the CDN market (85.3% to be exact).

I see I can fail the Decentraleyes Testing Utility if I disable requests from ajax.googleapis.com with uMatrix. Is there a simple relationship between Decentraleyes CDNs like Google Hosted Libraries and uMatrix hostnames like ajax.googleapis.com?

Re: Decentraleyes

Unread post by Decentraleyes » 2015-12-01, 00:35

Antonius32 wrote:
> Decentraleyes wrote:
> > Instead of trying to fight the symptoms of an unhealthy ecosystem, Decentraleyes aims to completely cut out the middle-man.
>
> I like the idea. Keep up the good work!

Thank you Antonius! I'll definitely continue my efforts.

Re: Decentraleyes

Unread post by Decentraleyes » 2015-12-01, 00:42

Gary5 wrote:
> Decentraleyes wrote:
> > ketmar wrote:
> > > Google Hosted Libraries has an insanely large market share in the CDN market (85.3% to be exact).
>
> I see I can fail the Decentraleyes Testing Utility if I disable requests from ajax.googleapis.com with uMatrix. Is there a simple relationship between Decentraleyes CDNs like Google Hosted Libraries and uMatrix hostnames like ajax.googleapis.com?

Google Hosted Libraries serves its content from "ajax.googleapis.com", so there's definitely a relationship there. After a content blocker stops a request, there's nothing left for Decentraleyes to intercept and respond to. Also, it would not be nice of Decentraleyes to inject a resource your content blocker is actively blocking.

See: https://github.com/Synzvato/decentraleyes/wiki/Frequently-Asked-Questions#why-doesnt-it-deliver-resources-from-cdns-i-block-using-a-different-add-on

I hope this answers your question.
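
The request handling debated in this thread, sketched as an added example that is not part of any post and is not Decentraleyes' own code: a content blocker sees the request first, a bundled library is then answered locally, and anything else on a known CDN host goes out with the query string, Referer and Cookie removed, as suggested earlier in the thread. `BUNDLE`, `decide`, `stripIdentifyingHeaders`, the bundle paths and the sample requests are all hypothetical.

```javascript
'use strict';

// Constructed sample bundle: CDN host -> URL path -> bundled file (paths hypothetical).
const BUNDLE = new Map([
  ['ajax.googleapis.com', new Map([
    ['/ajax/libs/jquery/1.11.3/jquery.min.js',
      'resources/jquery/1.11.3/jquery.min.js'],
  ])],
]);

// Request headers that identify the visitor or the page being visited.
const IDENTIFYING = new Set(['referer', 'cookie']);

function stripIdentifyingHeaders(headers) {
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!IDENTIFYING.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// blockedHosts stands in for a content blocker that sees the request first.
function decide(requestUrl, headers, blockedHosts) {
  const url = new URL(requestUrl);

  // 1. Blocked upstream: nothing is left to intercept, and nothing is injected.
  if (blockedHosts.has(url.hostname)) return { action: 'blocked' };

  const paths = BUNDLE.get(url.hostname);
  if (!paths) return { action: 'passthrough' }; // not a known CDN host

  // 2. Bundled library: answer locally. The lookup uses the path only, so a
  //    "?uniqueid"-style query never leaves the machine.
  const file = paths.get(url.pathname);
  if (file) return { action: 'local', file };

  // 3. Known CDN, resource not bundled (assumed fallback): the request still
  //    goes out, minus query string, Referer and Cookie. The CDN sees the IP.
  url.search = '';
  return { action: 'network', url: url.href,
           headers: stripIdentifyingHeaders(headers) };
}

// Constructed requests exercising each branch.
const sampleHeaders = { Referer: 'https://shop.example/cart', Cookie: 'id=42', Accept: '*/*' };
const base = 'https://ajax.googleapis.com/ajax/libs/jquery/';
console.log(decide(base + '1.11.3/jquery.min.js?uid=abc123', sampleHeaders, new Set()));
console.log(decide(base + '1.11.3/jquery.min.js', sampleHeaders, new Set(['ajax.googleapis.com'])));
console.log(decide(base + '9.9.9/jquery.min.js?uid=abc123', sampleHeaders, new Set()));
```

The second call shows why blocking ajax.googleapis.com in uMatrix makes the testing utility fail: the request is stopped before the local-delivery step can answer it.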

Re: Decentraleyes

Unread post by LimboSlam » 2015-12-01, 00:52

Nice, it does seem to speed up Pale Moon a bit. But I've got one question: does it fully work with uBlock Origin? There's been some chatter on Ghacks and not a very solid answer to be proven. Here is where the conversation starts: http://www.ghacks.net/2015/11/23/decentraleyes-for-firefox-loads-cdn-resources-locally/#comment-3728310.