Why does the TOR network show my location - browser

I've recently installed the TOR browser bundle and tried different settings (e.g. with/without bridges), but all the sites I visit invariably detect the country from where I'm making the connection, i.e. where my computer is located and connected to the internet. How can this be?

I would also be interested in an answer to this question. I've been reading many TOR-related questions lately and noticed that almost all questions going into a certain direction (e.g. touching on privacy questions, TOR nodes, the TOR browser bundle etc.) are getting shadow-banned on SE, i.e. not reaching more than maybe 5-6 view counts over a period of months. Is SE funded by the US government/US defense-related institutions? It feels as if "SE" stands for "Social Engineering" rather than "Stack Exchange".

Related

How could I protect the users from my webpage from being tracked?

This is maybe quite a broad question and I tried to look for other stack exchanges where addressing my question would suit better – but in the end I decided that it might be still a question of a technical nature, and so I am posting it here:
I recently started to think more about privacy and security and I realized that I as a web user can only do so much about staying untracked. VPN, (slow) Tor, privacy helpers, add-blockers, Firefox are just a few tools to name, but still I realize that the information that I normally share (like installed add-ons, browser size, IP location etc.) can still very well be fingerprinted.
Normally as a web-developer I am told that we should add analytics, that we should find out more about the users to «make a better service», but I think I would like to do the opposite.
So:
Are there steps I could take, when building a website, that help the visitors to stay untracked? And I don't mean «not installing google analytics», I mean things like somehow actively messing with the statistics, so that my hosters server is incapable of tracking things correctly or similar things...
Right now I can't really think of anything, but I somehow believe that I as a person who builds bricks of the internet could and should be able to influence these kind of things directly...
For now I see the obvious things:
- not using statistic services
- use https
- not using any third party tools that might include tracking or open doors for other trackers
But still this seems to just omit the bad things, but I can't actually do active stuff...
So I would be very glad to hear your thoughts about this. (Or guide me to a place, where this discussion fits a better..)
Cheers
merc
As a web developer, you can only control your website.
Assuming you aren't caching any data or using cookies, then users shouldn't be tracked while using your website by tools like 3rd party cookies.
Here is a good article about online tracking and how it works.
As far as I know, there isn't an effective way to actively mess with tracking statistics. Your best bet is to avoid installing libraries or tools that track your users.

Detecting Private Browsing mode: 2019 edition

It used to be the case, as described in this answer from five years ago, that web sites could not reliably tell whether a client's browser was in Incognito Mode. However, in the past few months, I've started encountering sites which are able to throw up a banner that says, "hey, you're in Private Browsing mode, so we won't show you any content."
I have two questions, which are opposite sides of the same coin:
As a web developer in 2019, how would I construct a reliable check for a user's Private Browsing status?
As a privacy-conscious web user in 2019, who might like to keep the meta-information of his privacy-consciousness private as well, how could I reliably generate a first-time-visitor experience from a site that is desperate to track me?
In pre-Incognito days I would have accomplished #2 by using a "clean profile" to visit a site that I didn't want to follow me around. User profiles are apparently still in Firefox, though I suspect they probably don't protect against browser fingerprinting. But I'm not sure whether that is a good summary of my threat model --- my interest is mostly in opting out of the advertisement-driven data-mining ecosystem, without being treated differently for doing so.
I'll leave the main question to others who know how each browser's Private mode may differ from default. I do use Private modes extensively, but when I encounter a page that won't work, I simply use a clean non-private window, then clear all cookies and other stored state again afterwards.
You also mention fingerprinting, which is more insidious. Often it's based on collection by a client-side script, which is detectable but only somewhat defendable in practice. But server-detectable characteristics can also provide a good enough correlation for cross-site, even cross-device correlation.
Fingerprinting is very difficult to thwart. but I recommend using Tor for as much casual browsing as practical, using multiple browsers with your activity partitioned across them in a disciplined way, using a common browser with the best fingerprinting protections or at least using the most common browser config for your platform(s), keep your browsers updated and never install Java or Flash, change your IP address(es) often, change your window size often, and clear all cookies and other stored state often. Use a common platform (machine + display size + os) if possible. Making your browser more unique by loading it up with privacy extensions is quite likely to make you look more unique. There are also a few resources out there that list fingerprinting servers / domains, and you can block those in your machine, DNS, router, or wherever practical.
Keep in mind that Panopticlick and sites like it suffer from selection bias, and also combine all platforms, obscuring how unique your browser is compared to other browsers on the same platform (it's hard to change your platform, but at least you can try to make your browser look more like others used on your platform).

How To Distract Clients From Using IE6

How can we distract our clients from using IE6. We know IE6 is not a good standard-compliant browsers; has many issues. How to satisfy clients so that they do not use IE6?
Thanks...
I'm currently in the process of building a new site for my company and I've been looking at http://code.google.com/p/ie6-upgrade-warning/.
Essentially it's a little javascript lib that checks to see if the user is running IE6 and if so it displays a nice little overlay on top of your site. The only problem I've got with it is that it completely blocks the user from using your site. I'd like to allow for them to use it anyways but I'd like them to know that their experience may not be as good as it could be. I'm sure it can be adapted though, you should never exclude people from using your site based on their user agent. That being said I think it's a good tradeoff that you try to get your users to upgrade and if they don't wan't to they can still use your site but they probably won't see all of the fancy pancy browser tricks that you can do with modern browsers.
(source: googlecode.com)
It sure looks nice anyway
Other resources include http://ie6update.com/ (not a fan though, you shouldn't trick users)
Update: Seems like someone made a bit more customizable version of this written in jQuery. See jreject.turnwheel.com
One of the reasons this problem exists is as follows.
Many IE6 user have no choice. They sit behind corporate firewalls with locked down machines and while on their home machines they will have the latest technology they are constrained by the workplace rules and policies.
So why do the corporates not upgrade from IE6 to 7 or 8? Well here is one reason. Workload.
As a sysop you need to upgrade 500 machines to the new browser.
In many cases these browsers run mission critical add-ins as ActiveX's etc so to do the upgrade you have to do all the testing and verification and then do a planned roll out upgrade, which will have problems, hiccups and glitches, a lot of work and late nights and unpaid overtime and a lot of flak from the users as you do this.
And what is the payback for this upgrade? Well the internal systems work on IE8 exactly as they worked on IE6, (well not always and you may need to rewrite that as well) but the users can now access the latest startup site that plugs into Facebook (but will be gone in 6 months) perfectly but it is not work related.
So unless there is a tangible business benefit many shops simply cannot se a reason, or justify the cost of a browser upgrade.
These locations will convert, when they go to Windows 7 perhaps or because the "application" they use internally is upgraded and needs the newer browser version. But at this point there is a justification for doing it.
N.B. I have recently worked in two jobs where IE6 compatibility was a must for this reason, large client bases, behind firewalls with lockdown, and i am not stating the above as a reason/excuse not to do it. The sooner the better.
Provided they have the proper permissions to do install software on their machines, use Chrome Frame. The speed boost, if nothing else, should be incentive alone.
"The customer is always right."
You can advise them otherwise, but if they want IE6 for whatever reason then it's up to them.
The best way is by educating them, make them aware of why you are blocking IE6. Do a comparison, case study, etc to convince them, try and put it in terms they may understand, try to convince them that using IE6 is a bad idea (whatever your reasons).
Its simple to implement a script to prevent IE Browsers from connecting to your site, however doing that may result in users being turned away. If this is a public site take into consideration the market share internet explorer has, unless your site is really incredible it is unlikely you will get a user to install a new browser.
To get around this in the past a simple splash page that informes them of the reasons not to use IE6, Example:
You are currently using internet explorer, while you may continue to browse this site using IE, please be aware that some functionality may not be available due to compliance standards within internet explorer, and due to this we do not support issues that arise when using Internet Explorer. We recommend using Google Chrome (Download here) or Mozilla Firefox (Download here).
If this is within a corprate environment you can always work with the IT department to ensure that alternate browsers are distributed. I recommend Google Chrome, simply beacuse of the ability to create "Application Windows" that eliminate problmem causing elements of the browser GUI (Back buttion etc...)
Having a site that elegantly degrades when the user's browser is IE6 is the best option. IE6 users should still be able to use your web site - if a particular feature requires a modern browser a user will be more likely to switch if they already find your site useful.
Another point: modern javascript libraries like jQuery makes it easier to code sites that are compatible with IE6. There's no need to turn away potential customers because of their web browser choice. If you're a web designer it's your job to make sure they have a good experience.
A lot of this comes down to the reasons you want them to stop using IE6. IE6/7 are a pain in the bum if you let them be. We're now taking a more aggressive approach to browser adoption when it comes to what you can/can't do.
For instance, when you visit our new sites in most browsers you'll get rounded corners, transparency, gradients etc. When you visit in IE6 you get a square, opaque, monotone website. Wherever you have PNGs you'll get a simple GIF (even if it looks pants).
Unfortunately IE6 is tied to many businesses for internal reasons (using apps etc) and you can't force them to upgrade but you can give them a subtle message.
make them understand that ie is not bad, its ie 6 thats bad .. if they wish to use ie they can surely use it but could use ie 7 ir even ie 8... make them see that how ie 7 and 8 provide some great features which are not there in ie 6..
also ie 8 is the only browser that follows strict css 2.1 methodology
plus there are many websites which previously were running in ie 6 (with no problem) are running under a warning message that some context may not be suported by ie 6 for eg. www.yahoo.com, so why to use it?
thanks
We had the same issue in one of our projects. I made a simple conditional check and displayed an additional div with links to download firefox, Chrome and IE-8.
Try facebook.com on IE-6. This was my inspiration for the additional div.
In line with Markus' post, it's simple enough to display a popup when the site loads with a warning. Ideally you won't show this every time they load a page of course, that will get old fast.
You have a good opportunity when working on a spec with your client, to tell them "it will cost $X more if we have to support older browsers including IE6 (don't just say IE6), and it will mean we can't easily add more advanced functionality... supporting older browsers will detract from the overall quality and increase time & cost.
A while ago there was a collective effort in Norway to get users away from IE6. Several of the largest sites in Norway participated, and the user got a kind warning on top of the site that recommended him to upgrade or switch browser for an improved browsing experience - if using IE6.
Check out what Wired said about it!
make a whitepaper
Two things:
Charge extra -- double or treble rates or more -- to support IE6. (even IE7 these days).
Point out that IE6 (and WinXP too) will be losing the last vestiges of support in the near future. If you think they're insecure now, just wait till that happens -- no more security fixes. If you're still developing for IE6 now, then you're clearly not going to be ready for the upgrade in time, so you will be hacked, and hacked badly. If your client is willing to accept that, then that's his problem, but you need to help him understand the gravity of the problem. He needs to be putting his upgrade plans in now, not getting more dev work done for the old systems.

what is the purpose of Offline mode in a web browser?

What is actually the purpose of offline mode. does it somehow manages the caching system of the browser. or it just skips the host resolution part, dont know for what.
what probably the designer had in mind, when he developed the offline mode feature.
It's something that most of us wouldn't use very often, but it was useful in the past when we used dial-up modems (and especially for those of us who had time limited plans). You could connect to the internet, go to a website, quickly browse through everything you thought could be useful, disconnect, go to offline mode and then browse through the site as though you were connected (for everything was cached).
I didn't realise browsers still had them (I can't remember the last time I went to the File menu in Firefox though).
I think it's something from the old days, where connections were mostly dial-up (read: slow, and not always connected), and browsers relied on caching material off-line, so if you're not connected, you'd see the cached version in an off-line mode.
I guess it still applies to countries that still don't have DSL everywhere.
You might use it to find out what happens to people who are using your web application if their internet connection is flaky or drops out. You can also use it if you're only interested in accessing local files, not websites.
It doesn't try to access the network, but instead fetches all content from the cache.
in developed countries (asia especially), internet are rare and expensive (there are quota or time based) so offline is very good feature to have for them.
Sometimes you are out and you need to check something on web .. you can use that offline cache.
I wonder if it will became more used in the west these days as people with net-books and other ultra portable devices travel round lots? While wi-fi hot spots and 3g data connections are popular they are still not universal.
I know when I designed my html/javascript open source chess clock, I deliberately designed it to work off-line very easily, so I could just download it onto my netbook and meet my chess friends in cafes without having to worry if the cafe had a good wifi signal or not.
Now, where's the "Blatant Plug" tag?
It helps you to may be browse through a site fast & with a large cache size set , U go to offline mode & read the pages with your Time based Internet connection switched off.
As has been stated by David Johnstone, I used to use the Offline Mode during dial-up days for reading articles/pages from cache when connection to the internet was disconnected.
As my experience, normally offline servers are using while online servers are down or accessibility problem with our web server via internet, meanwhile we are using our offline server to get the informations. Then once the web server is up then we can synchronic the datas from offline server to online server.

When is a browser considered "dead"? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
Keep in mind that I'm not looking for a list of current browsers to support, I'm looking for logical ways to make that list, backed by some kind of hard statistics.
Since it's been a while since my last web job, I decided to do this latest site up from scratch. Now I have to decide again what to support in terms of browsers. Certainly I have a list of what I'd like to support, but the decisions that went into that list seem to be a little arbitrary to me. Where can I go to get a reliable picture of browser usage and what seems to be a good point at which to cut off an old version of a browser from support?
Browsers don't die out completely for about a decade. The first thing you must realise is that you will have some visitors that are using a browser you don't support. The question is not which browsers are not dead, but which browsers are worth supporting (the benefit) relative to the work it takes to do so (the cost).
I've never seen browser statistics I'm comfortable recommending, they all seem to be snake oil. A rule of thumb I feel is appropriate is that a browser isn't worth supporting if somebody using that browser is going to regularly run into problems on other websites as well. In other words "stick with what everybody else is supporting". To that end, Yahoo's graded browser support is useful.
Ultimately, the best choice depends on your individual circumstances and will change over time. For instance, 37signals have recently dropped support for Internet Explorer 6 and Facebook are slowly heading in the same direction. This isn't a decision that most organisations can make yet, but give it a year or two and you'll see a lot more organisations follow suit. Right now, it's a bold step that you probably can't justify, but give it time.
Don't fall into the trap of thinking that supporting as many browsers as possible is automatically the best choice - it may be that you are doing your visitors a disservice by wasting time working on compatibility with a browser used by five people when you could be improving the experience for the other million users you have.
Also, it's worth considering that you can "officially" not support a browser. For example, one thing I've done in the past is use JavaScript served only to Internet Explorer 5.5 and below (via a conditional comment), to automatically remove stylesheets, JavaScript and replace images with their alt text. Without those measures, the site would be unreadable due to Internet Explorer's many layout bugs, but with it, the site at least works, even if it's too much work to "support" it.
The easiest way to do it is sign up for Google Analytics and add their tracking code to your site (there are a number of similar services, but Google's one is the best I've found). It gives you detailed statistics as to what browsers people who visit your site use.
Once you have a couple of months data, you can start making decisions as to which browsers you will support. I work for a mainstream web company who want to make our site work for as many users as possible, so we consider any browser with above 0.5% market share to be within our testing matrix. However, other sites may choose to only support and test on major browsers such as IE and Firefox.
As a rough guide, the major browsers you'll see are IE 6 and 7, and Firefox 2 and 3. This should cover well over 90% of your audience so is a good starting point for the first couple of months. Then use your analytics data and make a business decision as to whether the potential revenue (or whatever you're trying to achieve) is worth the additional effort it will take to support other browsers.
Added 2008-09-18:
Admittedly one issue with this method is that if your support for some browser types is so bad that your site is unusable with them then it will potentially skew the statistics as those people will stop coming back, and thus those browsers will appear to have a lower percentage of users.
To determine whether this is happening, you can use Google Analytics' detailed breakdown of behaviour for each browser type and version. This gives you the bounce rate, average time on site, pages per visit, and percent of new visits. If the figures for a given browser type and version are significantly worse than others (i.e. the bounce rate is higher, time on site is lower, pages per visit is lower, or percent of new visits is higher) then it's possible that your site isn't supporting that browser sufficiently well and that you might get more users with it if you had better support.
At this point the figures will still give you a reasonable feeling for how important the browser is (i.e. if it you don't support Google Chrome and it is being shown as 2% of your traffic, then it wouldn't jump to 20% just because you added support) so you can use that browser to see how bad your site is, and make a judgment call as to whether you add support; sometimes this may involve fixing only the worst issues and leaving the site imperfect but usable until the browser gets to a higher percentage of users, or out of beta status.
You could take a look at the way Yahoo! supports browsers at Graded browser support.
The browser is dead when (a) a very small percentage of people use it and (b) you don't care about (selling to? educating? whatever your business is) such a small percentage of people.
Unfortunately, you won't find a good answer to this; even if you found some hard statistics on browser versions for visitors to your website, that almost certainly doesn't tell you what you need to know.
What you need to know isn't "what percent of my visitors use Browser X", it's "what percent of my revenue comes from visitors who use Browser X". That one guy visiting your site using an ancient copy of IE might be the managing director of a big company wanting to buy a site license; the 10k visitors you had last month using Firefox 3 might be college students wanting to plagiarize your documentation for an essay.
Really, you need to know your market - not just the raw browser statistics. If you pay the bills by selling stuff to graphic designers, then rock solid Safari support matters a lot more than if you're in the job of selling Visual Studio plugins. Not helpful, I know!
There are 2 main groups to target. (There are plenty of others though)
Group #1 is browsers that use Webkit (Safari for example), Presto (Opera for example), KHTML (Konqueror for example) or Gecko (Firefox for example). These browsers should all get the same markup, CSS and Javascript code (as they're all in the same group of standard-compliant browsers). Only work around bugs in one of these if you absolutely have to and have the resources to do so. Instead, test in the latest stable versions of each (as you're developing so they can keep each other in check as to what the expected behavior is) and (after checking in the nightlies for the bugs) file bug reports. Again, avoid workarounds for a specific browser if you can. Instead, plan a cross-browser compatible solution from the beginning.
With Group #1, you don't have to worry about older versions much, if it all.
Group #2 is browsers that use Trident (IE for example). Target IE versions you care about and still only workaround the most severe bugs.
Also, don't deny browsers you don't officially support. Let them fend for themselves instead of blocking them (either intentionally or through crappy browser detection).
Also, remember that when looking at market share percentages, try to figure out the numbers they represent so you can see how many millions of potential visitors with that browser there are. 1% or 5% might not seem like a lot, but that could still mean millions.
Most of all, listen to the visitors. If you're getting multiple complaints about a certain browser, look into it if you can. Even if it's for a browser with low market share, if it's a trivial fix, you should just do it.
Ones that are definitely not dead are: IE6 (starting to push it), IE7, IE8, latest Opera 9.x, latest FF 3.x, latest Safari 3.x and others that have about the same capabilities. FF 2.x isn't dead either and is needed for Win9X users (if they don't want to use Opera)
See also this topic
You should use a good UI framework that solves most of the compatibility issues among browsers, like YUI!, jQuery, and so on...
Personaly, I recommend YUI!
Try to answer this locally, consider your audience. For example when I was developing my own Blog Engine, my appeal was mostly to .NET developers. I hope it stands to reason what browser I primarily develop for. From that point I consider the market share and try to ensure a "reasonable" support level for all other browsers. For example even .NET developers occasionally use Firefox, maybe even Opera. Safari and Chrome are possibilities too now. So my current level of support ranks in this order:
It MUST run perfectly in Internet Explorer 7. All features I intended to build are there
It MUST run reasonably in Internet Explorer 6, Firefox 3.0, Opera 9+ and Safari for Windows, not everything has to be flawless, but it can't look downright ugly either
Everything else I don't care about. I just don't have the time and willing effort to support everything.
How do I determine whether or not I want to even consider supporting another browser or continuing supporting one of the above browsers any more? Simply I look at the market share and the statistics of who is hitting my page. If someone is dying, or I just haven't seen them in awhile, then I consider support dropped.
So in short, I would simply make a statement to yourself about the browsers that must run your code perfectly then reasonably and update periodically as the browser world changes. For the first run of your website, just think about your audience, for subsequent updates, your statistics should tell you enough.
My (very poor) solution was to get stats from w3schools and base my decisions on that. While those numbers aren't really terrible, they are skewed because viewers of that site are more likely to be upgrade-conscious. Also, it doesn't give a breakdown of any browser versions except FF.
If you purely build to standards, some browser won't render correctly since no browser supports all standards. You have to pick a few browsers and test your site in those.
Don't try to be too bleeding edge. If you must use some cutting edge CSS, then you have to expect it not to work 100% of the time.
What are you really going to do with the list? Are you planning to block browsers you don't support? What if the user hacks the User-Agent response?
Like others, I would strongly suggest going with something like Yahoo's "Graded Browsers" and, if possible, leveraging YUI or other libraries so you don't have to do it yourself.
<1% market share isn't a criteria - esp if the browser is new.
For me, < IE6 is dead, and the HTML monkeys I work with WISH it was dead. < FF2 is dead. Opera is a nice to have. < Safari 2 is dead, tho most are designing for Saf 3 now.
So it's:
IE6,7,8
FF 2,3
Saf 3,4
Chrome (which is basicly Saf4)
But depending on your app, and how many people you think you are going to get wih hold machines, you COULD drop IE6, which would make your life so much easier.
I would say IE6 and below are dead... but many are still stuck using it.
This site has a nice live listing of each browser and its actual age.
http://webbugtrack.blogspot.com/2008/08/browser-life-statuses.html
I'd go with the http://browser-update.org/ defaults, which currently say the following are dead:
IE <= 6
FF <= 2.0
Op <= 10.01
Sf <= 2.0
My opinion (has always been) build it to the standards and leave it to the browsers to render it correctly.
Start with the browser with the highest market share and work your way down from there.
If you have existing metrics on browsers that visit your site, use those instead of the general market share.
Whichever has < 1% market share.
I agree with Unkwntech.
You should try to make the website compatible to both IE and Firefox
It's simple - most users keep using the browser that came with the PC when they bought it (think of your mom). The browser is dead when the machines that it pre-installed with are not longer used for Internet access... which is probably around 5 years. As prices of new PC's drops and they become more of a consumer electronics item then this period will drop as people will easily buy a new PC

Resources