Decentraleyes Topic is solved
Decentraleyes
I just recently installed this extension, but I really can't tell if it works and if it is conflicting with other extensions or not. I posted a link to where Decentraleyes was mentioned.
http://www.ghacks.net/2015/11/23/decentraleyes-for-firefox-loads-cdn-resources-locally/
-
- Lunatic
- Posts: 369
- Joined: 2015-07-28, 11:10
- Location: Earth
Re: Decentraleyes
Off-topic:
8MB! oh, my... instead of simply downloading the required thing on the first query, cache it and serve that cached version, that addon carries 24MB of unpacked data with itself!
otherwise, it's sdk addon, and has no logging. it seems that the only way to check is to open developer console and watch if there are any queries to CDN there.
there seems to be an option to "Automatically prepend a notice to retrieved documents to signal local delivery.", but i don't know how it's named (sdk, yeah).
Re: Decentraleyes
I installed the addon too and it works. Here you have a test site: http://formble.nl/test-decentraleyes/
(use the web console). You need to allow of course scripts in NoScript and/or RequestPolicy but even if you allow, the addon blocks the CDN request and uses the local file.
-
- Board Warrior
- Posts: 1029
- Joined: 2014-06-09, 04:43
- Location: USA
Re: Decentraleyes
How effective is this and should I add it to my security measures? Or a better question, is this beneficial to me, really?
With Pale Moon by my side, surfing the web is quite enjoyable and takes my headaches away!
God is not punishing you, He is preparing you. Trust His plan, not your pain. #TrentShelton #RehabTime
-
- Lunatic
- Posts: 369
- Joined: 2015-07-28, 11:10
- Location: Earth
Re: Decentraleyes
not much, actually. there are a lot of ways to track you, even if you will turn off cookies, javascript and will use tor/anonymisers. worrying about "CDN tracking" is not the thing that should be on top of your list. not even in the middle.
so the only thing that left is somewhat faster loading of js-heavy sites. that may work, but if you will ask me, i'll say you: "don't bother".
Re: Decentraleyes
You have one more protection against tracking you, so i disagree with ketmar.
Speed is the same, until now i didn't see any improvements but maybe this is different for other users with slower internet/slower pc.
The best is if you test it yourself.
-
- Lunatic
- Posts: 369
- Joined: 2015-07-28, 11:10
- Location: Earth
Re: Decentraleyes
it's like wearing a helmet 'cause you may be hit by asteroid: sure, if you will be hit, it may save you. but...
-
- Board Warrior
- Posts: 1029
- Joined: 2014-06-09, 04:43
- Location: USA
Re: Decentraleyes
Got it, will test it. Thanks.
-
- Apollo supporter
- Posts: 40
- Joined: 2015-11-30, 16:46
- Location: The Netherlands
Re: Decentraleyes
ketmar wrote: it's like wearing a helmet 'cause you may be hit by asteroid: sure, if you will be hit, it may save you. but...
I think that's a rather poor and confusing analogy. You're comparing an entirely ineffective defense method for something that is very unlikely to happen, to an effective way of defending yourself against something that is known (and objectively proven) to happen very regularly.
Let me clarify. According to W3Techs, 19.7% of all websites make you fetch resources from large, known, Content Delivery Networks. Google Hosted Libraries has an insanely large market share in the CDN market (85.3% to be exact). This means that a good portion of your browsing history is handed over to them in exchange for "free" content delivery. Now, I don't think I need to tell you that Google is a data mining company and that they're paying for the servers behind this massive network. For a reason.
Source: http://w3techs.com/technologies/overview/content_delivery/all
DISCLAIMER: I'm the author of Decentraleyes.
Re: Decentraleyes
Fedora develops a similar approach of shipping popular static web resources with their package manager, I wonder how they plan to integrate that in the browser without having to blast it through lots of extension woes.
-
- Lunatic
- Posts: 369
- Joined: 2015-07-28, 11:10
- Location: Earth
Re: Decentraleyes
Decentraleyes wrote: Let me clarify. According to W3Techs, 19.7% of all websites make you fetch resources from large, known, Content Delivery Networks. Google Hosted Libraries has an insanely large market share in the CDN market (85.3% to be exact). This means that a good portion of your browsing history is handed over to them in exchange for "free" content delivery.
how is that? very little number of sites adding unique ids to cdn links. and i never had referers turned on. i'm not allowing cookies to go to 3-rd party. so the only attack vector left is javascript code. which can be used regardless of library source site: xhr is always here. see? turn off referers and cookies — and there's no need in multimegabyte download.
still, i can't really understand what people are talking about with javascript turned on in their browsers. this alone makes all other "protection efforts" not better than tinfoil hat. and with js turned off one don't need cdn replacer at all.
p.s. just in case. sometimes i seem to be rude, sorry. it's not a personal attack, and i'm not telling that addon is useless. what i'm trying to tell with my unique style is that i, personally, don't see any reason to use the addon. and i tried to explain why. but, of course, i'm not forcing anyone to do what i'm doing. ;-)
-
- Apollo supporter
- Posts: 40
- Joined: 2015-11-30, 16:46
- Location: The Netherlands
Re: Decentraleyes
ketmar wrote: i'm not allowing cookies to go to 3-rd party. so the only attack vector left is javascript code regardless of library source site: xhr is always here.
Even if one would take all of the steps you take in protecting yourself, you indeed still trust a third party to inject non-malicious code into your environment. The difference with loading resources from individual websites, is that these third parties have full control over a wide range of websites, and can identify individual visitors by their browser fingerprints. This is the perfect set-up to inject code into the environment of a specific actor. Compromising individual websites is quite tricky.
ketmar wrote: no need in multimegabyte download
Decentraleyes is by no means heavy. I'm not sure how you're worried about an extension that easily fits on a 1986 Perpendicular floppy disk. That said, the current version contains a fair amount of libraries that are so rare, that they can (and will) be removed from future versions.
ketmar wrote: i can't really understand what people are talking about with javascript turned on in their browsers. this alone makes all other "protection efforts" not better than tinfoil hat. and with js turned off one don't need cdn replacer at all.
You're right about the fact that the current version of Decentraleyes only supports scripts, but future versions will come with support for web fonts, styles, and more. This means that, even with JavaScript disabled, you will be able to enjoy a visually pleasing browsing experience without having to rely on CDNs.
ketmar wrote: p.s. just in case. sometimes i seem to be rude, sorry. it's not a personal attack
No offense taken, and I'm not trying to attack you personally either. I think it's nice to have a healthy debate on this. I definitely get your stance on this matter, but mine does indeed differ from yours. Instead of trying to fight the symptoms of an unhealthy ecosystem, Decentraleyes aims to completely cut out the middle-man. It's built to work out of the box, not get in your way, and be performant. It was also made under the assumption that most people have a couple of megabytes to spare.
So, different opinions and views indeed, but I do respect yours.
-
- Pale Moon guru
- Posts: 35647
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Decentraleyes
I most definitely find it an interesting and logical concept to replace repeat calls to CDNs and downloads of known stable and unchanging libraries with a locally-loaded resource. In a way this is not all that much different than what the browser disk cache does already -- with the difference that a website or CDN can't force a request to a server (with the stated risk of tracking by way of lib loads/checks). The question will be, ultimately, how much of the common, static web you want to cache inside the extension.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
- Lunatic
- Posts: 369
- Joined: 2015-07-28, 11:10
- Location: Earth
Re: Decentraleyes
Decentraleyes wrote: Even if one would take all of the steps you take in protecting yourself, you indeed still trust a third party to inject non-malicious code into your environment.
and the page itself, which can be hijacked almost as easily as cdn.
Decentraleyes wrote: The difference with loading resources from individual websites, is that these third parties have full control over a wide range of websites, and can identify individual visitors by their browser fingerprints. This is the perfect set-up to inject code into the environment of a specific actor. Compromising individual websites is quite tricky.
without cookies and referers there is only HTTP headers to inspect. those can be stripped to bare minimum, so good luck, google. yes, you know my ip. now try to find out what site is loading resource from your cdn (if there's no "?uniqueid" in query, of course). so, we can strip those unique ids (if there are any) and change http request headers. should be enough, i think.
ketmar wrote: no need in multimegabyte download
Decentraleyes wrote: Decentraleyes is by no means heavy.
that's not a main issue, of course. yet 8MB of packed data is still a lot. of course, caching data on first load from cdn is less secure, so i see a reason of all that data included. i don't see a reason in addon in the first place. ;-)
Decentraleyes wrote: You're right about the fact that the current version of Decentraleyes only supports scripts, but future versions will come with support for web fonts, styles, and more. This means that, even with JavaScript disabled, you will be able to enjoy a visually pleasing browsing experience without having to rely on CDNs.
with js turned off most "modern" sites looks like shit anyway (and some aren't even working). and if js is not turned off, site can send any analytics it want. so it's a question of trusting site makers then — and it's quite obviously that i don't trust 'em, or i won't be using things like Decentraleyes in the first place. it doesn't matter if site authors are spying on themselves or just don't care if someone else is spying using their site: zero trust level anyway. so, the only way is to turn js off — and get a broken site. even if the site is stripped of all cdn traffic, i still don't trust its scripts.
Decentraleyes wrote: Instead of trying to fight the symptoms of an unhealthy ecosystem, Decentraleyes aims to completely cut out the middle-man.
from my PoV it's exactly "curing the symptoms". modern web is foobared, and cutting out some attack vectors aren't help much, i think.
Decentraleyes wrote: It's built to work out of the box, not get in your way, and be performant. It was also made under the assumption that most people have a couple of megabytes to spare.
yep, the addon itself can help speedup things, as i wrote earlier. i'm not objecting to this. ;-)
Decentraleyes wrote: So, different opinions and views indeed, but I do respect yours.
and i do respect yours. even a tinfoil hat has some uses, and your addon is surely way more useful than such hat. ;-) tbh, i simply used the opportunity to write more of my "anti-javascript" blah-blah. javascript is a disease of web, and no attempts to cure symptoms will really help. or, to be more precise, modern trend "web is an application platform" is a disease. web wasn't made for apps.
-
- Add-ons Team
- Posts: 695
- Joined: 2014-05-25, 11:18
- Location: Netherlands
Re: Decentraleyes
Decentraleyes wrote: Instead of trying to fight the symptoms of an unhealthy ecosystem, Decentraleyes aims to completely cut out the middle-man.
I like the idea. Keep up the good work!
-
- Apollo supporter
- Posts: 40
- Joined: 2015-11-30, 16:46
- Location: The Netherlands
Re: Decentraleyes
Moonchild wrote: I most definitely find it an interesting and logical concept to replace repeat calls to CDNs and downloads of known stable and unchanging libraries with a locally-loaded resource. In a way this is not all that much different than what the browser disk cache does already -- with the difference that a website or CDN can't force a request to a server (with the stated risk of tracking by way of lib loads/checks).
I'm glad to hear you like the concept. Thanks!
Moonchild wrote: The question will be, ultimately, how much of the common, static web you want to cache inside the extension.
That's a very good question indeed. Now that there's a working foundation, it's definitely time to give this more thought. It's very likely that resource market share statistics will play a big role in what exactly the default resource bundle will contain. Quite a few specific versions of libraries, and even entire libraries (all versions combined), have a market share of less than a percent. To make sure Decentraleyes remains accessible, the default bundle will be balanced in that regard.
In order to give users the ability to take this a step further (at the expense of additional hard disk space), efforts are underway to implement support for custom resource bundles. This should enable users to create, share, and install additional resources. The concept is comparable to filter lists for content blockers.
Re: Decentraleyes
Decentraleyes wrote: ketmar wrote: Google Hosted Libraries has an insanely large market share in the CDN market (85.3% to be exact).
I see I can fail the Decentraleyes Testing Utility if I disable requests from ajax.googleapis.com with uMatrix. Is there a simple relationship between Decentraleyes CDNs like Google Hosted Libraries and uMatrix hostnames like ajax.googleapis.com?
-
- Apollo supporter
- Posts: 40
- Joined: 2015-11-30, 16:46
- Location: The Netherlands
Re: Decentraleyes
Decentraleyes wrote: Instead of trying to fight the symptoms of an unhealthy ecosystem, Decentraleyes aims to completely cut out the middle-man.
Antonius32 wrote: I like the idea. Keep up the good work!
Thank you Antonius! I'll definitely continue my efforts.
-
- Apollo supporter
- Posts: 40
- Joined: 2015-11-30, 16:46
- Location: The Netherlands
Re: Decentraleyes
Decentraleyes wrote: ketmar wrote: Google Hosted Libraries has an insanely large market share in the CDN market (85.3% to be exact).
Gary5 wrote: I see I can fail the Decentraleyes Testing Utility if I disable requests from ajax.googleapis.com with uMatrix. Is there a simple relationship between Decentraleyes CDNs like Google Hosted Libraries and uMatrix hostnames like ajax.googleapis.com?
Google Hosted Libraries serves its content from "ajax.googleapis.com", so there's definitely a relationship there. After a content blocker stops a request, there's nothing left for Decentraleyes to intercept and respond to. Also, it would not be nice of Decentraleyes to inject a resource your content blocker is actively blocking.
See: https://github.com/Synzvato/decentraleyes/wiki/Frequently-Asked-Questions#why-doesnt-it-deliver-resources-from-cdns-i-block-using-a-different-add-on
I hope this answers your question.
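Added example, not part of any post in this thread and not Decentraleyes code: the check suggested earlier (watching the web console for requests to the CDN) done over a list of request URLs, using the ajax.googleapis.com host and the "?uniqueid" query case mentioned above. The function name, the example.org URLs and the sample list are constructed for illustration.

```javascript
// Added example (not Decentraleyes code): flag request URLs that went to a CDN.
// The host below is the one named in the thread; extend the set as needed.
const CDN_HOSTS = new Set(["ajax.googleapis.com"]);

// Google Hosted Libraries paths have the form /ajax/libs/<library>/<version>/<file>.
const GHL_PATH = /^\/ajax\/libs\/([^/]+)\/([^/]+)\/(.+)$/;

// Returns one finding per URL whose host is in cdnHosts.
function auditRequests(urls, cdnHosts = CDN_HOSTS) {
  const findings = [];
  for (const raw of urls) {
    let url;
    try {
      url = new URL(raw.trim());
    } catch (err) {
      continue; // not an absolute URL (blank line, console noise)
    }
    if (!cdnHosts.has(url.hostname)) continue;
    const m = GHL_PATH.exec(url.pathname);
    findings.push({
      url: url.href,
      library: m ? m[1] : null,          // null when the path is not a library path
      version: m ? m[2] : null,
      hasQuery: url.search !== "",       // a query string can carry a per-site id
      plaintext: url.protocol === "http:",
    });
  }
  return findings;
}

// Constructed sample: URLs as they might be copied out of the web console.
const SAMPLE_URLS = [
  "https://example.org/index.html",
  "https://ajax.googleapis.com/ajax/libs/jquery/1.11.3/jquery.min.js",
  "https://example.org/js/site.js",
  "http://ajax.googleapis.com/ajax/libs/angularjs/1.4.8/angular.min.js?uniqueid=abc123",
  "(console noise, not a URL)",
];

for (const f of auditRequests(SAMPLE_URLS)) {
  console.log(`${f.library}@${f.version} query=${f.hasQuery} plaintext=${f.plaintext} ${f.url}`);
}
```

An empty result for a page that references these libraries means no request reached the CDN host in that capture.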
-
- Board Warrior
- Posts: 1029
- Joined: 2014-06-09, 04:43
- Location: USA
Re: Decentraleyes
Nice, it does seem to speed up Pale Moon a bit. But I got one question, does it fully work with Ublock Origin? There's been some chatter on Ghacks and not a very solid answer to be proven. Here is where the conversation starts: http://www.ghacks.net/2015/11/23/decentraleyes-for-firefox-loads-cdn-resources-locally/#comment-3728310.