This reminds me of those old forum signatures which looked like a signpost, and showed your IP address, browser, OS etc. They were pretty popular back then (when no one cared about their privacy), to the point that some folks even made parody versions of those signatures (like changing the IP to “127.0.0.1” or writing a funny message).
This is possible because Lemmy doesn’t proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.
Note, that the only thing that I willingly log is the “hit count” visible in the image, and I have no intention to misuse the data.
This is true for most link aggregators that attempt to render external content. Proxying images and videos would dramatically increase costs.
If you care that much about anonymity, use a VPN/Tor and a browser with advanced fingerprinting resistance — tor browser, mullvad browser, or firefox with resist fingerprinting = true.
It still adds up fast especially if you run an instance that stores to s3 with a cdn. My mastodon server racked up 1k in cdn usage one month before I switched to local storage no cdn.
That makes sense. But I guess there’s these questions: at what resolution? For how long? Maybe the status quo is such because it’s simpler code. The project is still relatively young. I wonder where/how we can discuss these things?
Hexbear.net stays winning, external embeds are domain whitelist-only until pictrs adds proxying support, and blurred by default.
Good PSA tho, I’d honestly encourage other instances to do the same but it requires dev effort that I know not everyone has, and upstream isn’t quite as paranoid about this stuff.
as far as I know upstream lemmy doesn’t want it and is waiting on pictrs proxying support. If I’m wrong though our code is public, I’m sure a dev would be happy to put together a PR,
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: [email protected]
This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.
Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.
Rules:
1: All Lemmy rules apply
2: Do not post low effort posts
3: NEVER post naziped*gore stuff
4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.
5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)
6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist
7: crypto related posts, unless essential, are disallowed
But I’m not on chrome mobile…
This reminds me of those old forum signatures which looked like a signpost, and showed your IP address, browser, OS etc. They were pretty popular back then (when no one cared about their privacy), to the point that some folks even made parody versions of those signatures (like changing the IP to “127.0.0.1” or writing a funny message).
My favorite Linux distro: Windows.
*brave
This is possible because Lemmy doesn’t proxy external images but instead loads them directly. While not all that bad, this could be used for Spy pixels by nefarious posters and commenters.
Note, that the only thing that I willingly log is the “hit count” visible in the image, and I have no intention to misuse the data.
This is true for most link aggregators that attempt to render external content. Proxying images and videos would dramatically increase costs.
If you care that much about anonymity, use a VPN/Tor and a browser with advanced fingerprinting resistance — tor browser, mullvad browser, or firefox with resist fingerprinting = true.
At the very least setting referer policy headers and such would be a good addition.
That’s great except those browsers often don’t work.
They normal don’t render then instantly, though. Caching at least a lower res version should barely be noticable compared to actual image posts.
It still adds up fast especially if you run an instance that stores to s3 with a cdn. My mastodon server racked up 1k in cdn usage one month before I switched to local storage no cdn.
That makes sense. But I guess there’s these questions: at what resolution? For how long? Maybe the status quo is such because it’s simpler code. The project is still relatively young. I wonder where/how we can discuss these things?
Probably the same as for other images? I mean, it’s not as if remote images are vastly different from uploaded ones ;)
I guess it knows that it’s unknown
It’s the same for me
I guess mobile clients screw with their fingerprinting method. Also doesn’t work on Slide.
It sees my phone fine (Chrome on Android)
Wait what, slideforreddit works for lemmy now?
looks like sync in the screenshot, i think thats what they meant
I guess Donald Rumsfeld was right.
Hexbear.net stays winning, external embeds are domain whitelist-only until pictrs adds proxying support, and blurred by default.
Good PSA tho, I’d honestly encourage other instances to do the same but it requires dev effort that I know not everyone has, and upstream isn’t quite as paranoid about this stuff.
For reference:
Cool, didn’t know some Lemmy instances did this
Is there a pull request for it though?
as far as I know upstream lemmy doesn’t want it and is waiting on pictrs proxying support. If I’m wrong though our code is public, I’m sure a dev would be happy to put together a PR,
Looks like your home instance hexbear.net is filtering external images.
This ain’t me!