Mozilla told BleepingComputer that it will enable the tracking feature called hyperlink auditing, or Pings, by default in Firefox. There is no timeline for the activation of this feature, but it will be done when their implementation is complete.
For those new to hyperlink auditing, this is an HTML feature that allows websites to track link clicks by adding the “ping =” attribute to HTML links. When these links are clicked, in addition to navigating to the linked page, the browser also connects to the page listed in the ping = attribute, which can then be used to record the click.
You can see an example of what an HTML audit hyperlink, or ping, link looks like below. This would link to www.google.com, but would cause your browser to connect to www.bleepingcomputer.com/pong.php so that the click could be logged.
When these links are displayed on the page, they will appear as a normal link and if a user clicks on them, there is no indication that a connection is made to another page as well.
Earlier this month, we discussed how Google Chrome, Opera, Microsoft Edge, and Safari enabled hyperlink auditing pings by default. Although some browsers currently allow you to disable this feature, all of the browsers mentioned will not allow users to do so in the future.
For some users, any method of tracking, including hyperlink auditing, is considered a privacy risk and they should always be able to turn it off if they wish.
Because of this, when Firefox and Brave were shown not to turn on this feature by default and appear to not do so in the future, people praised the browser’s decision.
Additionally, a recent report showed that hyperlink audit pings were used by attackers to perform DDoS attacks on websites.
Mozilla thinks it’s a performance improvement
While some users think this feature is a privacy risk, browser developers believe trackers will follow, so you might as well come up with a solution that offers better performance.
In an Apple article, the developers of WebKit explain that hyperlink audit pings improve performance because, unlike other tracking methods, they do not block or delay navigation to the requested site.
“Simply disabling the Ping attribute or the Beacon API does not resolve the privacy implications of link click analysis. Instead, it prompts websites to adopt tracking techniques that are detrimental to the user experience. Indeed, the choice between supporting Ping and it is not a question of confidentiality, it is rather a choice between a good and a bad user experience. “
After reading Apple’s post, I reached out to Mozilla to see if they agreed with the views expressed in the WebKit article.
Mozilla told BleepingComputer via email that they agreed with Apple’s take on hyperlink auditing. Additionally, they stated that the only reason it is not currently enabled by default in Firefox is because their implementation is not ready.
“We agree that enabling the commonly used hyperlink ping attribute for hyperlink auditing is not a matter of privacy but a matter of improving the user experience by providing websites with a better way to implement hyperlink auditing without the performance drawbacks of the other existing methods listed in the webkit.org blog post. In fact, we already support the sendBeacon API and the reason we don’t not yet enable the hyperlink ping attribute is that our implementation of this feature is not yet complete.
When asked if they thought users should at least be given the option to turn off the feature if they wanted, Mozilla said they didn’t think it would provide a “significant improvement” to their privacy. ‘an user.
“We don’t believe that providing an option to turn off this feature alone will have a significant improvement in user privacy, as the website can (and often already does) detect the various supported mechanisms for auditing. hyperlinks in every browser and disabling the most user-friendly mechanisms will cause them to fall back on the less friendly ones, without disabling the hyperlink auditing feature itself. “
Brave says it will continue to block this feature
After Mozilla’s response, we also reached out to Brave Software to ask if they plan to enable hyperlink auditing in their browser.
“Disabling hyperlink auditing is a critical privacy feature, and Brave has always disabled it by default,” Catherine Corre, communications manager at Brave Software, told BleepingComputer via email. “Courageous users expect this protection from our browser.”