11

7 comments

[–] pembo210 2 points (+2|-0) Edited

I really like this, but I have privacy concerns..

Do you plan on launching a full site anytime soon explaining everything that's going on? or your stance on ads or sponsored link positioning?

[–] x0x7 [OP] 1 points (+1|-0) Edited

Oh yeah. It was written sort of as a joke. It has exactly the relevant privacy concern as the gab chat addon, which are either zero or a significant one depending on your views.

So ultimately from a security standpoint it's the same application. An addon is placing content into a page based on data from a server based on data produced socially, which also has access to most of your history if it wants it. You know gab is going to be grabbing that right.

So to down play this a bit it's not at all different from what people put up with already. If a page has something as simple as a facebook like button on it the developer actually includes a script tag that downloads more javascript that also records your browser history, and is able to inject content into the page.

If you use google translate on a page it's really the same story. Third party content injector talking to a server that has access to the content of your page. Likely there is already google ad sense on that page before you decide to translate something, and there we have the same story again.

So I had actually had this idea for a while but I realized people would have privacy concerns but when Gab put out their comment system I thought to myself, well apparently people are cool with it so maybe people want this kind of thing.

So that really is the tie into gab, is they have similar security expectations. One difference is that the basis of the app reveals more transparently the security issue. It's the difference of sushi and seshimi. In one you can see the raw fish. How it's handled really matters the most.

Also if you think about it since it uses a similar algorithm to youtube, youtube also needs your history which they have.

So more specific to how I've done things I don't store any history on the server in a way that's specific to one person and I don't log ip addresses. I have no plans to make money out of it.

It uses a weighted bi-directed graph to relate urls together. It uses the prior places you went and where you are now to add weighs to the graph and it forgets the data. That's why the script stores the history on the client side rather than having some history tied to some session. Once its weights are updated it doesn't remember anything else and has to be reminded again the next time. One consequence to that is if someone wanted to game it they could. I'm hoping there is some way I can use an addon feature to make it so only data from the app comes in.

Grease monkey has an XMLHttpRequest that ignores CORS. I opened up the CORS on the server so that I could use jquery, but if I close that up and use the GM_XMLHttpReqest at least I could prevent people from posting to it from their browser console.

But yeah, it's an art piece. The security aspects are sort of the statement. It's interesting that we don't have tools like this because we like the aperance of security but we do have tools like ad sense because we don't actually care about security.

Of course the only people who are going to leverage poor security and polish it enough that it's not apparent to you are big corporations who will log everything and sell your data, and not people who waste their day making software art that intentionally makes the sketchiness of the situation obvious.

But part of me does want people to use it because it would be a useful tool, plus it's no more dangerous than visiting a page with cloudflare on it. Actually that's worse. They have your browsing history and your passwords.