I just noticed that the only way I can read forum postings here is to allow Google tracking. I have no such problem with other forums. What gives?
Could you elaborate on that? What do you mean by "allow Google tracking"? What do you see that leads you to believe that tracking is occurring? Which browser? Did this just start to happen? Have you installed a new addon recently? Does it happen when you access the site via HTTPS? Is fingerprint correct? https://www.wilderssecurity.com/thr...ate-being-installed-still-self-signed.374852/
None Google in my experience tracking this site. You could install something like uBlock Origin and run it in medium settings to confirm yourself. None https in wilderssecurity forum though by running with something like HTTPS Everywhere..
The only scripts on this forum are from the wilderssecurity.com domain. My script blocker is not finding any 3rd party content at all. The only thing I can think of is it being injected from elsewhere. There have been cases of ISPs doing this.
Huh? Google indexes Wilders very quickly, and it has high rank in search results. But that just reflects post quality I don't use UBlock Origin, but I do use NoScript (no scripts to block), AdBlock Plus (no third-party resources found) and Privacy Badger (no third-party resources found). Please provide evidence for you claims. Huh? Just accept the self-signed certificate, and use HTTPS. You can see the SHA-256 fingerprint here: https://www.dbshmc5frbchaum2.onion/Wilders_SHA-256_Fingerprint.html (but you need Tor for that). The pages on erehwon.dev.null are signed by this key: https://www.wilderssecurity.com/members/mirimir.121604/ You can also ask other Wilders users to confirm that SHA-256 fingerprint, via independent channels.
I use a program that will block sites if certain keywords, of my choosing, are used in the URL . This has always worked fine with Wilders; allowing me to interact. I have tried a couple of different browsers trying to sort this out and results are the same. As long as I keyword 'Google' I am blocked from Wilders and only Wilders.
What program and version? My first question is whether it could/would be detecting the string "google" in: Content-Security-Policy default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src 'self' https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'
There are two schools of thought about sharing ones security setup with the world. I belong to Paranoids Are Us, so please do not take offense. The program I use has worked fine for years and there have been no recent updates to it. The Google problem just started happening and of course is disconcerting. I will do a malware scan with a couple of antimalware programs. I'll report back. TheWind Bringeth, what and where is the string you mentioned?
@Rainwalker: I don't take offense to that at all. Please notice that I edited my post. I do see the string google in some response headers I'm getting from Wilders.
OK...and is this something new? Very new? I'll be signing out until tomorrow. One more thing. The word blocking report reads www.wilderssecurity.com/threads/googletracking.384408/
To mirimir. I am not the OP and as told I see no google scripts in wilderssecurity. We are not talking here about what Google search engine gathers from sites, understand? Yes, I noticed too, before my post above when trying to force HTTPS Everywhere to use https for this site, that it does have a self-signed certificate that the browser will complain. So I was not totally clear in my post above that none https is existing. None in a sense that HTTPS Everywhere knows in its database to force. Anyways I did not allow it. Your post is most misleading to help any of the OP.
I asked LowWaterMark about this in https://www.wilderssecurity.com/threads/content-security-policy-header.384415/
Which appears to be the top level link for a thread (this one)... and the response to those does contain said Content-Security-Policy policy header... and you wouldn't be able to read a thread if that response is blocked. Edit: However, that particular example also has "google" in the URL/request.
Well, I had no clue what OP was referring to. Because it's clear that Wilders is not calling any third-party resources! But now, I get that the issue is the Content-Security-Policy policy header. It seems that LWM has used a generic one that allows third-party resources that the site isn't using. If it were my site, I'd strip out irrelevant stuff. Maybe he will. I still don't know what "none https is existing" means. Of course HTTPS Everywhere won't force HTTPS on sites with self-signed certificates. But that, in my opinion, is a bug in HTTPS Everywhere, and not a problem caused by the site. So relying on HTTPS Everywhere is a little dangerous, no?
Edit: However, that particular example also has "google" in the URL/request.[/QUOTE] That Wilders would have google linked in there makes me a bit uncomfortable.
Well, don't be. I only meant that the word "google" appears in the URL. Here is that URL: https://www.wilderssecurity.com/threads/google-tracking.384408/ Do you see the word "google-tracking" in that URL? It appears there because the title of this thread (which you chose) is "Google Tracking". Some forum software simply puts words from the title into the URL. If you had given this thread the title "Elephant Tracking", the URL would have looked like this: https://www.wilderssecurity.com/threads/elephant-tracking.384408/ Basically, you can't just search for the word "Google" appearing somewhere in URLs, HTTP Requests, and/or HTTP Responses, and when they are found assume there is a Google related privacy issue. You you need to look for more specific things. Example: https://google.com/tracking?url=example.com https://example.com/i-hate-google.html In #1, the word google appears in the hostname portion of a URL, and in this example means that a Google server will be contacted. You'd be concerned about this. In #2, the word google appears in the path portion of the URL and isn't a problem. So these search rules you create, and the way the program works, must differentiate between the two. Another example: The URL/request containing https://ssl.google-analytics.com A Content-Security-Policy header containing https://ssl.google-analytics.com Assuming the matching is done correctly, #1 would reflect an attempt to visit a Google server. You'd be concerned about this. The #2 suggests a Google server *might* be contacted at times, but you wouldn't know for sure until you actually saw it happen. If it did happen, you should see a #1. So #2 is more of a warning sign... something that needs to be investigated.
You are welcome, and thank you for posting about it. You made me, and possibly others, aware of something that I, and possibly others, didn't know
Our domain name is registered with "Register.com" and has been since the name was created early in 2002. But, when you chose the option (and pay the extra fee) so that it doesn't list your personal name, address and phone number for all to see, they put that information in its place. It's a service that keeps the domain name owners information private.
AS LWM said. https://www.networksolutions.com/manage-it/private-registration-splash.jsp Must be the same as Registra.com
