> According to Qurium, TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling "push notifications," a cross-platform browser standard that allows websites to show pop-up messages which appear outside of the browser.
An elderly relative of mine was hit by this a couple years back: his computer's desktop was constantly being spammed with messages on startup, and there was no simple way to turn them all off. It turned out that they were all notifications from web workers that he'd inadvertently allowed at some point prior. (I set his browser to auto-deny notifications so it wouldn't happen again.)
mapt · 9h ago
The entire idea of push notifications on browsers was obviously toxic from the start, especially the privileged status "Do you want to enable notifications?" popups had.
I think the idea comes from the 2010's hype about Phone-Ifying The Desktop. Someone clearly thought they were recreating the Google Reader / RSS ecosystem (Mozilla had RSS in the browser in a flop)... but everyone else was just enthusiastic about dark patterns that were viable in mobile apps that didn't exist in a desktop browser.
jeroenhd · 5h ago
I use this feature all the time and I love it. Not having to install dozens of apps just to see the occasional notification is a dream come true.
The way it's trivial for browsers to fake OS notifications on some platforms is a clear design flaw, though. I get the need for it (PWAs and such) but unless the website sending a notification is a PWA, there's no need for a notification to be that ambiguous.
The current system, where Chrome (the only browser that matters) collects information about websites and only shows the permission popup on some websites has mostly killed useful notification support for a lot of websites.
ninkendo · 1h ago
I can think of exactly two use cases for web browser push notifications:
- Web-based email
- Web-based chat
That’s it. Every other use case seems to be solving a “them” problem (how do we increase engagement?) and not a “me” problem.
Even if I wanted to hear about updates from a website (and I never do), I could sign up for emails. And If I don’t trust a website with my email, I certainly don’t trust them with sending me push notifications.
In fact, let me take chat apps off that list, because if I don’t have the webapp open in a browser window, the chat app should have the option to just email me about someone trying to message me (and ideally, letting the other party know I’m unavailable and letting them choose whether to send me the email.) So no, really just email and that’s it.
I’m super curious what your use cases are if you use web-based push notifications “all the time”.
cyanydeez · 6m ago
Its a progressive webapp feature and would be a necessary tool tobescape Apple and Google stores and hardwarw lockin. Like all tech, hindsight is 20/20 with malicious actors.
johnmaguire · 6h ago
I think notifications came about as part of Progressive Web Apps (PWA).
hsbauauvhabzb · 6h ago
IMO random websites prompting to access your location data is far more problematic
mtillman · 1h ago
The biggest problem there is that several browsers don't want to remember your response of "No" for more than one day. They want you to be constantly tracked. I'd like to be able to tell all browsers, never track my location or send me a notification from any website but that's not what they want. Orion by Kagi is a breath of fresh air in this department.
riddlemethat · 4h ago
DocuSign tracks your location when you sign a document unless you disable it in the browser. Learned that a few years ago.
_Algernon_ · 11h ago
One of the first settings I change in any new browser is to forbid notification requests from all pages, and disable dom.beforeUnload (stops websites being able to prompt to confirm if I want to close the tab). Those functionalities are probably the most abused browser functionalities and definitely shouldn't be enabled by default (or if so only for a whitelist of sites).
privatelypublic · 10h ago
How do you do this? I'm looking to do it for the clipboard API. Browsers should be able to block copy and paste.
_Algernon_ · 9h ago
In firefox: about:config -> dom.disable_beforeunload=true
For copy-paste: dom.event.clipboardevents.enabled=false I would guess.
AugustoCAS · 10h ago
A quick google shows this for FF (taken from a thread in StackOverflow):
> In Firefox you can completely disable beforeunload events by setting dom.disable_beforeunload to true in about:config. Extensions may be needed for other browsers.
A word of caution: I'm not 100% sure, but I wonder if some web collaboration tools might use this to ensure data has been synced with a server.
LadyCailin · 8h ago
It surely has a lot of legitimate uses, even if it is primarily abused. I’ve used it before to do various cleanup tasks, to have a more timely “user disconnected” event, rather than waiting on some timeout to occur server side.
Having said that, it should never be the end of the world to disable, sites should never have data loss due to this event missing, because if so, they already have a data loss problem when for instance the power goes out.
dizhn · 7h ago
I am not sure if this is implemented using this functionality but when I am on a console session on proxmox and hit ctrl+w due to muscle memory, it's nice to have a warning telling me the tab will be closed. Same with all kinds of remote access tools. One legit use case I can think of.
QuantumGood · 3h ago
I have run into this. My notes: Google Chrome (Desktop & Android)
chrome://settings/content/notifications
Or Settings > Privacy and security > Site settings > Notifications Under "Default behavior," select: Don’t allow sites to send notifications.
------------------
Mozilla Firefox (Desktop)
Settings > Privacy & Security Scroll to the "Permissions" section, find "Notifications," and click "Settings…"
At the bottom, check: Block new requests asking to allow notifications.
------------------
Microsoft Edge
Settings > Cookies and site permissions > Notifications Set the default to block all notification requests.
------------------
Safari (macOS)
Safari > Settings (or Preferences) > Websites tab > Notifications Untick: Allow websites to ask for permission to send notifications
------------------
Samsung Internet (Android)
Settings > Notifications > Allow or block sites
PaulHoule · 2h ago
Advocacy for "progressive web apps" always fell flat to me. There are a few reasons, such as web workers being a Rube Goldberg machine when people just wanted the kind of facility to control caches and fetching that Netscape Netcaster had in 1997. It was predictable to me that the usage breakdown of push notification was going to be
50% spam
49% scams
1% other
and now people are just catching up to the obvious.
KevinGlass · 17h ago
I honestly think desktop notifications in their current form are one of the worst features of the modern web. Sure it's nice to get an email alert but on my experience there's probably a thousand confused old people getting spammed for each person that intentionally enabled it.
What's worse is they look like native OS alerts (on Windows) so when one says "SECURYIRT ALERT!! CALL NOW" it's that much more effective at getting people on the phone with scammers.
cortesoft · 16h ago
So many sites ask for permission to send notifications that have zero reason to do so. Why would I want push notifications from a shopping or news site?
jeroenhd · 5h ago
Same reason you subscribe to their newsletters. To get discounts.
I don't understand why people would want that, but neither do I understand the people who actually enter their email address in those "subscribe to my newsletter" popovers.
tim-- · 15h ago
Honestly, push notifications from a news site arguably is one of the few sites that I see having a reason to send push notifications.
Communication platforms; messaging apps (Slack, Discord etc); email sites (gmail and co.) also make sense. Financial platforms (banks, Stripe etc)
Once you start getting out of these two categories, then yeah, it gets silly. No way should an airline website even be allowed to ask to send push notifications.
If I trusted airlines to only send me notifications about gate changes, failed payments, delayed flights, maaaybe low prices on route-date combinations I previously expressed interest in, I'd give them notification permissions. I definitely don't trust them to do that, though.
CamperBob2 · 3h ago
See also: Uber and Uber Eats.
It seems that companies like this can't help but abuse the permissions I grant them, so the result is that they don't get any permissions at all.
Propelloni · 13h ago
See, that's just the point. You see a need for that. I'd never enable push notifications from a news site, I don't need to know NOW that some pupil shot 17 teachers and pupils in the elementary school around the corner. There is nothing I could do anyway. I'm extremely unlikely to enable notifications from async messaging because, you know, they are async. If it's urgent, come over to my desk or use your phone to call me.
Financial data or travel info is something I'm actively watching, when I travel, just like car traffic. Otherwise, why would I need to know? That's a good question to ask anyway anytime you come across an inbox. I have been in management really long now and designing your information flow strategically is crucial to being effective.
vanviegen · 14h ago
> No way should an airline website even be allowed to ask to send push notifications.
Your flight is delayed/now boarding/etc?
evilduck · 6h ago
The native apps for my phone aren't really reliable enough at letting me know about delays or gate changes, I don't expect a web push notification to be any better at something that's already untrustworthy, especially on a system that lacks a cellular modem to stay online all the time. Even if they did work perfectly and could be trusted to serve that purpose, no company would only send status updates about your flight in the long term, they're unable to restrain themselves and will view it as an advertising avenue just like they do with phone apps.
dmonitor · 14h ago
I'm rarely at a computer in the airport without my phone
graemep · 14h ago
I would prefer to know about a delayed flight before I get to the airport.
Your phone needs a web browser or an app. An app for every airline you ever use? You already have a web browser.
They could SMS but its more expensive to send, often even more so for customers on roaming to receive.
Nothing else is universal.
I think there are much better possible solutions. An open notification standard or reasonable pricing of bulk sending SMS would do it.
codingminds · 12h ago
We still have eMail in place. If they don't want to spend money on an SMS they can send an eMail.
If browser notification permissions would have a TTL, I'd might considering it. But until this happens I won't allow anyone to send me browser notifications. And even then I'd be very picky.
mr_mitm · 10h ago
Emails have essentially become notifications anyway. All my emails are things like "your booking has been confirmed", "your package has been shipped", "your invoice is ready for download", "a login from a new device happened", "your flight is delayed", etc.
PaulHoule · 2h ago
Emails have a mature ecosystem. We've been getting spam and scam emails since 1994, we have tools for dealing with it.
Sophira · 8h ago
> I would prefer to know about a delayed flight before I get to the airport.
Generally, the recommendation is that you get to the airport at least two hours before your flight departs. Ideally, you shouldn't be rushing to try to get your plane.
Granted, the world has changed since that was first a recommendation, but even in today's connected world, it's still a good idea to get there two hours before departure, in my experience.
graemep · 7h ago
> Generally, the recommendation is that you get to the airport at least two hours before your flight departs.
A lot of delays are known much earlier than that. For example if a flight gets seriously delayed taking off and the plane is going to turn round and return, then the return flight will be delayed.
In any case, once at the airport delays will be announced and shown on screens. Once you get there you do not need phone notifications.
zeta0134 · 8h ago
What do you mean nothing else is universal? I can't book a flight without a phone number and an email address, and they usually send emails. My phone is set to do notifications when I get one of those. Why is this solution bad? Any network situation that causes both SMS and email to fail certainly isn't going to magically deliver a push notification from a browser.
notpushkin · 12h ago
> An app for every airline you ever use? You already have a web browser.
And yet I’m sure airlines will push you towards the app every time!
account42 · 8h ago
Do you really need a reminder that the flight is boarding?
devilbunny · 4h ago
You do if your goal is to chill out in the lounge until that point.
ryukoposting · 9h ago
I wonder how many people's browsers get push notifications from Temu, or Amazon.
zamadatix · 3h ago
I feel like the web would be a better place if "allow notifications" popups were only allowed for PWAs the user already installed. I.e. they have to manually interact with the page and then click the prompt acknowledging they want to install the site as an application on their computer before the site can start popping up windows from the browser asking for notification permissions.
It's not that there are 0 use cases where it could possibly be convenient to get notifications from a plain site but, like you said with the email example, 95% of the legitimate use cases are probably better modeled as an app anyways.
PaulHoule · 2h ago
What's "progressive" about installing software?
It's always saddened me that people failed to understand the web platform, and never more so than today when that platform could be on the verge of extinction.
Young people don't remember this: in the 1990s if a big corporation wanted to make a 1-line change to an application deployed to a fleet of desktops they'd have to update every single machine and to do so they'd probably have to hire at least 1 FTE and probably more for installer engineering and other makework.
With the web it is often
git pull
on the server and you're done!
As it is I can find web sites with search, links from other sites, bookmarks and history. If you "install" applications you just clutter up your desktop with 300 icons for applications you don't really use which makes it hard to find the 2-3 that you really use.
codedokode · 11h ago
Instead of desktop notifications web apps should use pinned tabs and show a badge in the tab header.
layer8 · 5h ago
That’s more a browser implementation issue though. Browser could offer that as a choice for how to handle notifications, on a per-website basis.
creeble · 18h ago
Elderly neighbor for me. Quite insipid; it took me a few minutes to realize that they were browser-based when I first got to the computer.
psychoslave · 47m ago
>While TDSs are commonly used by legitimate advertising networks to manage traffic from disparate sources and to track who or what is behind each click, VexTrio’s TDS largely manages web traffic from victims of phishing, malware, and social engineering scams.
Legal sysops is still sysops. Certainly every actor out there putting in place individual level mass surveillance and influence consider themselves very legitimate.
preinheimer · 20h ago
I think the “prove you’re human by hitting the button” attack is pretty clever.
With the range of different ways captchas are presented today I can see it getting a good % of folks.
a2128 · 18h ago
It's our own fault for making the internet such a confusing Kafkaesque maze. Click this button, click that button, sign in to confirm you're not a bot, select the traffic signs, select the items that a rat would not eat, solve this maze to prove you're a human, type out the numbers hidden in these demonic noises, provide your phone number to prove you're real, compute proof-of-work, download this browser if you're having issues... The line between fraudster and modern tech company is honestly not clear anymore and especially not for people who don't care much about tech and just want to access something
pixl97 · 18h ago
Evolution is messy and guided by random occurrences.
Early in the internet days I had ran an open SMTP server for a few years before it was used as a spam relay. The web browser didn't have a security model. Online shopping was going up to a site, writing what you wanted on paper, then mailing off a money order.
Then both fraud and useful things like actual online shopping started happening while the size of the web exploded. Masses of people with no technical capability were getting online. And that's before we got to the age of social media and massive data collection.
Simply put we didn't make the 'web' part of the internet, some people tossed it out as a child and it's been a tooth and nail fight for survival ever since, patching itself up one vuln at a time.
permo-w · 2h ago
never mind the fact that half these captchas are just excuses for orgs to sneakily extract some reinforcement learning data from you. last time I tried to sign into my microsoft account it made me do 6 captchas. SIX. not six like I failed 1 captcha six times, six like each captcha was iteratively marked i/6
miki123211 · 12h ago
It's not just the captchas either, the "this GPS app needs access to your location" or "this photo taking app wants access to your camera" style pop-ups don't help either.
If you learn once that clicking "deny" in a notification pop-up means your phone doesn't ring when your grandson calls you on Whats App, you won't be clicking "Deny" in those pop ups any more.
I genuinely don't know how to solve that problem, and I definitely see non-technical family members struggle with it.
Sophira · 8h ago
The silly thing is, it was known before all these permission pop-ups were created that users will simply press "Yes", "OK", "Allow", "Agree", etc., on every dialogue they see simply in order to get rid of it. Many people -maybe even most people? - just see them as needlessly getting in the way of where they actually want to be.
So, given that we knew that, why the hell did we create more?
const_cast · 3h ago
Because there’s no good alternatives IMO.
Auto-deny leads to a lot of unexpected and broken behavior, and most users aren’t going to know where to go to enable that type of stuff.
But auto-enable is even worse: because malicious actors can get permissions they shouldn’t. In fact, even with mainstream applications, most of the permissions they ask for they don’t need to operate - they’re just used for tracking and data exfiltration.
So ask every time has been the solution and it works okay. iOS actually does a good job with this. For suspicious permissions, such as accurate location data all the time, it periodically re-prompts. It’s annoying, but it can catch a lot of suspect behavior. There’s shockingly little apps that need your exact location when the app isn’t open.
Mtinie · 18h ago
…but don’t click this button.
justusthane · 18h ago
> Doppelganger campaigns use specialized links that bounce the visitor’s browser through a long series of domains before the fake news content is served
What’s the purpose of being bounced across several different domains before arriving at the destination? I’ve noticed this behavior when accidentally clicking on sketchy ads, but never stopped to think about it.
byteknight · 17h ago
It bypasses a lot of the checks they do on the initial site when submitting to ad networks. It also allows custom redirections based on user agent, potential ip location, etc. Common in phishing.
out-of-ideas · 17h ago
reminds me of how okta and similar handle logging in. feels like 10thousand redirects later.. training users that behavior is okay
OkayPhysicist · 4h ago
I literally just implemented an Okta integration with an internal tool yesterday, so let me offer a little insight on why this happens. I have an existing tool. The guy in charge of it doesn't want me breaking anything, but we want to add an SSO flow to avoid having to login.
So I need a "SSO login page", which fetches some configuration data, stores it, generates some shared tokens, hands them to the browser, and then redirects the user to an Okta endpoint. Okta, for some reason, doesn't directly serve the login screen at that endpoint, so it captures the tokens I gave the browser, then redirects to its login page. The user logs in on the Okta page, which then redirects the user back to a page that I specified, which (since I don't want to touch the fragile 10,000 line php document that is the application's home page, is a separate page, which gets some information from the browser, makes a request to another Okta endpoint, at which point the user can be authenticated, logged in, and then sent to the home page of the app.
Basically, the most standalone way of handling the problem involves 4 redirects.
badmintonbaseba · 9h ago
Still better than the MS Teams website, which can get into a weird state and redirect in circles.
Xevion · 16h ago
I despise how my university's login system just redirects several times (sometimes getting stuck, reloading and redirecting multiples times, and then occasionally shitting me out on the logged out screen, wondering WTF happened).
I cannot fathom how their IT staff allows things to be that way. One redirect ideally. Two max. Three, and I'm assuming you don't know what you're doing, at all.
rrr_oh_man · 12h ago
> I cannot fathom how their IT staff allows things to be that way. One redirect ideally. Two max. Three, and I'm assuming you don't know what you're doing, at all.
Welcome to Microsoft/Live/Bing/Skype/Edge/...
immibis · 13h ago
One reason is to set session ID cookies on several different domains.
mschuster91 · 12h ago
The problem with university login systems - at least here in Germany/Europe - is this global federation system that's also backing EduRoam. Authentication flows there are insanely complex, not to mention dealing with known quirks of some university's implementation...
imp0cat · 15h ago
If only it were that simple. You can thank Apple, Google and their war on cookies for that.
weird-eye-issue · 16h ago
In addition to what the other comments said it also would allow for first-party cookies to be set for those domains
Not sure if that's the purpose but it could potentially be used for tracking, monetization, etc
Mtinie · 18h ago
Multiple impressions per interstitial domain, I imagine.
lionkor · 11h ago
A lot of microsoft services do this, too. Though, that's probably incompetence.
b0a04gl · 11h ago
> This is the new pop-up ad.
browser gave it a front row seat without asking. feels less like security and more of a prank someone forgot to turn off
thyristan · 10h ago
This is, at least for browser notifications, just yet another result of generally atrocious browser UI decisions.
There are tons of permissions a site may or may not request, all of them configured and requested in different ways. Sometimes it is a full page overlay, like when you get a certificate error. Sometimes it is a separate popup window, like when you allow using a client certificate. Sometimes it is a whole-width bar below the address bar, like when a page requests becoming your mailto:-scheme-handler. Sometimes it is a smaller popover dangling from the address bar or some icon there, like for camera or location. Sometimes I can allow/deny, sometimes I can allow or just close that tab. Sometimes I can remember the setting, sometimes it is auto-remembered.
As soon as the initial setting has been configured, removing or reconfiguring it happens in totally different and unobvious places again.
And then, If I allowed something and there is e.g. a notification from a website, the browser hides the fact that this is a browser-based notification, there are no embedded "STFU, never show again" buttons or anything.
There also is no simple place to just look at all the permissions some website might have. There also isn't a place for many permissions, where you can get a list of websites that have e.g. camera permissions.
It is all just very opaque, non-obvious, historically grown inconsistent spaghetti.
What needs to happen is a consistent permission request and change flow for everything a website wants to do. Not only with "allow forever/deny forever", but also with "allow/deny once", "allow/deny for session", "allow/deny for timeframe". And with an "allow to ask again after timeframe/never/..." selection. Not with popups or bars, but with a whole-page overlay like HTTPS does. Why whole-page? Because then clickjacking won't work, there is more space to put an explanation and options, and pages need to interrupt flow so this will hopefully be used sparingly.
tempodox · 16h ago
It never ceases to amaze me how creativity gets ramped up to 11 when it comes to graft, theft and scam.
BMaronge · 8h ago
The article is a bit vague on some points, for example: the links bounce the visitor through a series of domain names... why exactly? What do the scammers gain by redirecting the visitor multiple times instead of just once? It is not explained.
coldpie · 7h ago
KrebsOnSecurity is a really weird website. I feel like I should be the perfect audience for it, as a software engineer who is very interested in security and reverse engineering, but every time I try to read their articles it just comes across as paragraphs and paragraphs of overwrought fluff with zero actual content. I guess their audience is someone with less technical knowledge who is impressed by empty phrases like "startling discovery" and "online hucksters and website hackers" and "resilient and incestuous". And that's all just in the first paragraph here. Get to the point, man.
bn-l · 7h ago
Huh that’s weird I feel the exact same way and should also be the natural audience.
Every time I read an article though I feel like my eyes go cross eyed. It’s like you said, the words are there they should make sense, but I find my attention wandering.
It’s like they are written by a very very early LLM.
cpburns2009 · 6h ago
I stopped reading his website after he started spreading disinformation about Ubiquiti.
HocusLocus · 9h ago
I've followed Krebs for years and appreciate this specific warning. I changed my dad's default Windows colors so when he was presented with fake system dialogues floating on web pages he'd spot them as different right away. But the "click allow to prove you're a human" might have caught him. Captcha-annoyed people are slightly easier to fool sometimes. Push wasn't a big thing then or I would have disabled it.
Dad was one of those late computer adopters who had to be instructed carefully about things pretending to be other things and and nested windows. I remember when pages spawning new windows (then grabbing focus to hide them) was a thing. Then older folks about to go to bed closing their browsers and greeting the hidden windows like a continuation of their browsing experience.
Russia has evolved along with us on the Internet and I'd remind Mr. Krebs paraphrasing Freud, sometimes a Russian oligarch is just a Russian oligarch. It's possible that the Kremlin has hired these companies like everyone else, and a lot of shady people want to penetrate EU DNS defenses.
Fake camping sites with AI content whether its disinformation or deception or hallucination with no human proofreading, is a looming problem. Keep an eye on the prize, preventing old people from getting scammed.
People need more education in general to spot nefarious content, no matter who the state actor is. We don't want a repeat of the Alfa-Bank scam 'October Surprise' either. It relied on the gullibility of the Internet surfing public but DNS administrators should have seen through it and asked more questions.
tehwebguy · 9h ago
Once again grateful that at least one mobile platform doesn’t allow browser push notifications.
username223 · 18h ago
> TacoLoco is a traffic monetization network that uses deceptive tactics to trick Internet users into enabling “push notifications,”
Why is it even possible for hostile code (i.e. JavaScript) to send OS-level notifications? If clicking a link runs untrusted code with layers of legal insulation, that code should run in a very limited sandbox. It's crazy that we're turning the "Open Web" into an ever-expanding attack surface.
hakfoo · 18h ago
Because people turned browsers into an app platform and users wanted their webmail and chat services to have the same first-class features native clients had.
username223 · 16h ago
Who wanted their web browser to let hostile programs send notifications and access battery levels, unused fonts, etc.? Ad companies run the web standards bodies, so "people" (i.e. you and me) have to deal with this.
Xevion · 16h ago
In all fairness, some of these things you've mentioned could be useful. If your battery is low, reprioritize the webapp's functions, lower requests, disable anything not necessary in the moment.
Notifications are just another convenient thing that me and you use every day.
Perhaps these things should be disabled by default, or requested upon being needed, but that's not really your argument it would seem.
account42 · 8h ago
> In all fairness, some of these things you've mentioned could be useful. If your battery is low, reprioritize the webapp's functions, lower requests, disable anything not necessary in the moment.
This kind of automated perfomance tuning is almost always more annoying than useful.
> Notifications are just another convenient thing that me and you use every day.
Who is "me and you"?
username223 · 6h ago
"Requested upon being needed" might work if it weren't possible for sites to get around it by probing and popping up their own "yes / ask me again later" dialogs. Have the APIs ask on the first call, with a "yes/no + make answer permanent" dialog, and return fake data if the answer is "no." If people were sufficiently annoyed by constant requests for stuff a basic webpage wouldn't seem to need, the web might become a better place.
But yeah, web browsers basically run arbitrary code written by hostile companies, with layers of indirection to confuse accountability. In that environment, you have to weigh "nice to have" against "could be abused," and err on the side of caution.
jeroenhd · 5h ago
Because it's very useful.
You don't call any OS level API from a website. The browser makes and shapes the notification for you. If the notification cannot be traced back to your browser, blame your browser vendor for their bad design.
That said, no amount of good browser design can protect a computer from people who don't know what they're doing. I recall a recent malware campaign where a similar mechanism was used, but instead of "click this button, go to site settings, click notifications, click allow", it'd show "copy this, hit windows+r, hit ctrl+v, then press enter to confirm you're human".
As computers continue to be dumbed down, I don't expect computer literacy to rise to a safe level any time soon. It's a matter of time before executing downloads from the internet becomes impossible.
StuntPope · 5h ago
Lost me at "Kremlin disinformation".
Krebs need to ditch the TDS.
His "Red Herring DNS flaw" garbage was when I realized that 90% of what he spits out is Gell-Mann amnesia.
wwn_se · 13h ago
Great article but the fix is Adblock! Enable adblock everywhere for your family and friends at risk. Even if an ad sometimes slips through they since its out of the ordinary they are way less likely to click.
The problem with this is that many older people are reluctant to use web browsers that actually support true ad blocking. They are used to Chrome and don't want to use anything that is even remotely different. I have this argument with my mom on almost a daily basis. She is always messing up her phone or computer by clicking on something she shouldn't. I have installed firefox for her, but she refuses to use it.
lionkor · 11h ago
Okay, my family has iPads. What should they use? Brave? lol
const_cast · 3h ago
Orion has ad blocking built in and supports Firefox extensions.
I think the extension support is explicitly disallowed by Apple so shhh don’t tell anyone teehee!
jeroenhd · 5h ago
iPads don't support notifications unless your family figures out how to use PWAs (they won't, Apple made sure of that). Also, there are various content blockers for iOS.
Unfortunately, because real alternative browsers are only supported in the EU (and even then with big asterisks), you won't see a normal browser engine powerful content blocking any time soon. The content filters you can download from the app store help, but they're not as powerful as uBO and friends.
ikekkdcjkfke · 10h ago
UBOL is in testing now for iOS, but Apple has some bugs on their content blocking side.
Reminder that adblockers are recommended by the FBI
brettermeier · 11h ago
Tablets not from Apple. That's your fault if you use that shit and can't block ads or install whatever you want.
lionkor · 8h ago
They already have an iPhone, a Mac, a MacBook, which tablet would you recommend that integrates just as well? My point is that this is not a realistic option for a lot of people. Adblockers only work for people who have previously valued their freedom.
carlosjobim · 8h ago
It's easy for a non technological person to block ads and malicious domains on the system level on all Apple devices.
v5v3 · 10h ago
Nextdns/similar.
Vpn with ad blocking built in
Tijdreiziger · 9h ago
There are various ad blockers for Safari on the App Store.
coldpie · 7h ago
People always say this, but I wish they would suggest a specific one. There are so many out there, it's hard to know which ones are high quality, still maintained, etc.
qilo · 4h ago
Firefox Focus is available on App Store. You don't have to use it (I don't), but set it as a content blocker in Safari settings.
The only other extension I’ve started using recently, when the quantity/frequency of YouTube ads on Safari became unbearable, is 1Blocker. It includes a specific filter for blocking YouTube ads, and you can use one active filter for free without subscription.
I recommend 1Blocker, it’s actively maintained and pretty good. However, if you’re not a grandfathered user like me, it does come with a small price.
nake89 · 11h ago
Yes
palmfacehn · 14h ago
A clever social engineering approach, but Kreb's trite alarmism overshadows the novelty.
PaulHoule · 2h ago
Kinda wish the web had an ability to defend itself.
Put CAPTCHAs on your site: zero traffic.
EU adds those cookie banners to everything: EU should have been disconnected from the internet.
lcnPylGDnU4H9OF · 2h ago
> EU adds those cookie banners to everything
EU required website operators to disclose certain uses of cookies and many of them chose the most obnoxious way possible. Perhaps more agreeable: every website that uses those banners should be disconnected from the internet.
PaulHoule · 2h ago
They coulda said "Respect DNT or go to jail" but instead they broke the ultimate window.
For years I advocated, mostly successfully, to keep pop-ups, pop-unders, pop-ins and other abuse like that out of sites I worked on. Then the EU pulls this magic trick that transforms them into something required, and then "wholesome" so after that the dam breaks and it is common for a blog today to pop up three banners that want your email address, for pop-up ads to cover other pop-up ads, etc.
When your government is unresponsive like that the only choice is exit, no wonder the EU is overrun by populists that want out. If they don't want Frexit and Sprexit and Grexit they'd better think twice when they make another thoughtless law with terrible consequences.
Ylpertnodi · 55m ago
>They coulda said "Respect DNT or go to jail" but instead they broke the ultimate window.
You know EU law only applies in the EU? And blockers exist? I always howl with laughter when some bumhole USA newspaper presents me with a cookie banner that got through. Then i change vpn-server, read what i want, and get on with my tawdry existence.
An elderly relative of mine was hit by this a couple years back: his computer's desktop was constantly being spammed with messages on startup, and there was no simple way to turn them all off. It turned out that they were all notifications from web workers that he'd inadvertently allowed at some point prior. (I set his browser to auto-deny notifications so it wouldn't happen again.)
I think the idea comes from the 2010's hype about Phone-Ifying The Desktop. Someone clearly thought they were recreating the Google Reader / RSS ecosystem (Mozilla had RSS in the browser in a flop)... but everyone else was just enthusiastic about dark patterns that were viable in mobile apps that didn't exist in a desktop browser.
The way it's trivial for browsers to fake OS notifications on some platforms is a clear design flaw, though. I get the need for it (PWAs and such) but unless the website sending a notification is a PWA, there's no need for a notification to be that ambiguous.
The current system, where Chrome (the only browser that matters) collects information about websites and only shows the permission popup on some websites has mostly killed useful notification support for a lot of websites.
- Web-based email
- Web-based chat
That’s it. Every other use case seems to be solving a “them” problem (how do we increase engagement?) and not a “me” problem.
Even if I wanted to hear about updates from a website (and I never do), I could sign up for emails. And If I don’t trust a website with my email, I certainly don’t trust them with sending me push notifications.
In fact, let me take chat apps off that list, because if I don’t have the webapp open in a browser window, the chat app should have the option to just email me about someone trying to message me (and ideally, letting the other party know I’m unavailable and letting them choose whether to send me the email.) So no, really just email and that’s it.
I’m super curious what your use cases are if you use web-based push notifications “all the time”.
For copy-paste: dom.event.clipboardevents.enabled=false I would guess.
> In Firefox you can completely disable beforeunload events by setting dom.disable_beforeunload to true in about:config. Extensions may be needed for other browsers.
A word of caution: I'm not 100% sure, but I wonder if some web collaboration tools might use this to ensure data has been synced with a server.
Having said that, it should never be the end of the world to disable, sites should never have data loss due to this event missing, because if so, they already have a data loss problem when for instance the power goes out.
chrome://settings/content/notifications Or Settings > Privacy and security > Site settings > Notifications Under "Default behavior," select: Don’t allow sites to send notifications.
------------------
Mozilla Firefox (Desktop)
Settings > Privacy & Security Scroll to the "Permissions" section, find "Notifications," and click "Settings…"
At the bottom, check: Block new requests asking to allow notifications.
------------------
Microsoft Edge
Settings > Cookies and site permissions > Notifications Set the default to block all notification requests.
------------------
Safari (macOS)
Safari > Settings (or Preferences) > Websites tab > Notifications Untick: Allow websites to ask for permission to send notifications
------------------
Samsung Internet (Android)
Settings > Notifications > Allow or block sites
What's worse is they look like native OS alerts (on Windows) so when one says "SECURYIRT ALERT!! CALL NOW" it's that much more effective at getting people on the phone with scammers.
I don't understand why people would want that, but neither do I understand the people who actually enter their email address in those "subscribe to my newsletter" popovers.
Communication platforms; messaging apps (Slack, Discord etc); email sites (gmail and co.) also make sense. Financial platforms (banks, Stripe etc)
Once you start getting out of these two categories, then yeah, it gets silly. No way should an airline website even be allowed to ask to send push notifications.
Google does have a way for Chrome users to not show the notification window (https://yespo.io/blog/google-chrome-will-now-block-abusive-b...) by default (https://support.google.com/webtools/answer/9799829?hl=en) but I really wish that this was flipped, so that Google would first need to approve sites to use notifications, similar to the Public Suffix List.
It seems that companies like this can't help but abuse the permissions I grant them, so the result is that they don't get any permissions at all.
Financial data or travel info is something I'm actively watching, when I travel, just like car traffic. Otherwise, why would I need to know? That's a good question to ask anyway anytime you come across an inbox. I have been in management really long now and designing your information flow strategically is crucial to being effective.
Your flight is delayed/now boarding/etc?
Your phone needs a web browser or an app. An app for every airline you ever use? You already have a web browser.
They could SMS but its more expensive to send, often even more so for customers on roaming to receive.
Nothing else is universal.
I think there are much better possible solutions. An open notification standard or reasonable pricing of bulk sending SMS would do it.
If browser notification permissions would have a TTL, I'd might considering it. But until this happens I won't allow anyone to send me browser notifications. And even then I'd be very picky.
Generally, the recommendation is that you get to the airport at least two hours before your flight departs. Ideally, you shouldn't be rushing to try to get your plane.
Granted, the world has changed since that was first a recommendation, but even in today's connected world, it's still a good idea to get there two hours before departure, in my experience.
A lot of delays are known much earlier than that. For example if a flight gets seriously delayed taking off and the plane is going to turn round and return, then the return flight will be delayed.
In any case, once at the airport delays will be announced and shown on screens. Once you get there you do not need phone notifications.
And yet I’m sure airlines will push you towards the app every time!
It's not that there are 0 use cases where it could possibly be convenient to get notifications from a plain site but, like you said with the email example, 95% of the legitimate use cases are probably better modeled as an app anyways.
It's always saddened me that people failed to understand the web platform, and never more so than today when that platform could be on the verge of extinction.
Young people don't remember this: in the 1990s if a big corporation wanted to make a 1-line change to an application deployed to a fleet of desktops they'd have to update every single machine and to do so they'd probably have to hire at least 1 FTE and probably more for installer engineering and other makework.
With the web it is often
on the server and you're done!As it is I can find web sites with search, links from other sites, bookmarks and history. If you "install" applications you just clutter up your desktop with 300 icons for applications you don't really use which makes it hard to find the 2-3 that you really use.
Legal sysops is still sysops. Certainly every actor out there putting in place individual level mass surveillance and influence consider themselves very legitimate.
With the range of different ways captchas are presented today I can see it getting a good % of folks.
Early in the internet days I had ran an open SMTP server for a few years before it was used as a spam relay. The web browser didn't have a security model. Online shopping was going up to a site, writing what you wanted on paper, then mailing off a money order.
Then both fraud and useful things like actual online shopping started happening while the size of the web exploded. Masses of people with no technical capability were getting online. And that's before we got to the age of social media and massive data collection.
Simply put we didn't make the 'web' part of the internet, some people tossed it out as a child and it's been a tooth and nail fight for survival ever since, patching itself up one vuln at a time.
If you learn once that clicking "deny" in a notification pop-up means your phone doesn't ring when your grandson calls you on Whats App, you won't be clicking "Deny" in those pop ups any more.
I genuinely don't know how to solve that problem, and I definitely see non-technical family members struggle with it.
So, given that we knew that, why the hell did we create more?
Auto-deny leads to a lot of unexpected and broken behavior, and most users aren’t going to know where to go to enable that type of stuff.
But auto-enable is even worse: because malicious actors can get permissions they shouldn’t. In fact, even with mainstream applications, most of the permissions they ask for they don’t need to operate - they’re just used for tracking and data exfiltration.
So ask every time has been the solution and it works okay. iOS actually does a good job with this. For suspicious permissions, such as accurate location data all the time, it periodically re-prompts. It’s annoying, but it can catch a lot of suspect behavior. There’s shockingly little apps that need your exact location when the app isn’t open.
What’s the purpose of being bounced across several different domains before arriving at the destination? I’ve noticed this behavior when accidentally clicking on sketchy ads, but never stopped to think about it.
So I need a "SSO login page", which fetches some configuration data, stores it, generates some shared tokens, hands them to the browser, and then redirects the user to an Okta endpoint. Okta, for some reason, doesn't directly serve the login screen at that endpoint, so it captures the tokens I gave the browser, then redirects to its login page. The user logs in on the Okta page, which then redirects the user back to a page that I specified, which (since I don't want to touch the fragile 10,000 line php document that is the application's home page, is a separate page, which gets some information from the browser, makes a request to another Okta endpoint, at which point the user can be authenticated, logged in, and then sent to the home page of the app.
Basically, the most standalone way of handling the problem involves 4 redirects.
I cannot fathom how their IT staff allows things to be that way. One redirect ideally. Two max. Three, and I'm assuming you don't know what you're doing, at all.
Welcome to Microsoft/Live/Bing/Skype/Edge/...
Not sure if that's the purpose but it could potentially be used for tracking, monetization, etc
browser gave it a front row seat without asking. feels less like security and more of a prank someone forgot to turn off
There are tons of permissions a site may or may not request, all of them configured and requested in different ways. Sometimes it is a full page overlay, like when you get a certificate error. Sometimes it is a separate popup window, like when you allow using a client certificate. Sometimes it is a whole-width bar below the address bar, like when a page requests becoming your mailto:-scheme-handler. Sometimes it is a smaller popover dangling from the address bar or some icon there, like for camera or location. Sometimes I can allow/deny, sometimes I can allow or just close that tab. Sometimes I can remember the setting, sometimes it is auto-remembered.
As soon as the initial setting has been configured, removing or reconfiguring it happens in totally different and unobvious places again.
And then, If I allowed something and there is e.g. a notification from a website, the browser hides the fact that this is a browser-based notification, there are no embedded "STFU, never show again" buttons or anything.
There also is no simple place to just look at all the permissions some website might have. There also isn't a place for many permissions, where you can get a list of websites that have e.g. camera permissions.
It is all just very opaque, non-obvious, historically grown inconsistent spaghetti.
What needs to happen is a consistent permission request and change flow for everything a website wants to do. Not only with "allow forever/deny forever", but also with "allow/deny once", "allow/deny for session", "allow/deny for timeframe". And with an "allow to ask again after timeframe/never/..." selection. Not with popups or bars, but with a whole-page overlay like HTTPS does. Why whole-page? Because then clickjacking won't work, there is more space to put an explanation and options, and pages need to interrupt flow so this will hopefully be used sparingly.
Every time I read an article though I feel like my eyes go cross eyed. It’s like you said, the words are there they should make sense, but I find my attention wandering.
It’s like they are written by a very very early LLM.
Dad was one of those late computer adopters who had to be instructed carefully about things pretending to be other things and and nested windows. I remember when pages spawning new windows (then grabbing focus to hide them) was a thing. Then older folks about to go to bed closing their browsers and greeting the hidden windows like a continuation of their browsing experience.
Russia has evolved along with us on the Internet and I'd remind Mr. Krebs paraphrasing Freud, sometimes a Russian oligarch is just a Russian oligarch. It's possible that the Kremlin has hired these companies like everyone else, and a lot of shady people want to penetrate EU DNS defenses.
Fake camping sites with AI content whether its disinformation or deception or hallucination with no human proofreading, is a looming problem. Keep an eye on the prize, preventing old people from getting scammed.
People need more education in general to spot nefarious content, no matter who the state actor is. We don't want a repeat of the Alfa-Bank scam 'October Surprise' either. It relied on the gullibility of the Internet surfing public but DNS administrators should have seen through it and asked more questions.
Why is it even possible for hostile code (i.e. JavaScript) to send OS-level notifications? If clicking a link runs untrusted code with layers of legal insulation, that code should run in a very limited sandbox. It's crazy that we're turning the "Open Web" into an ever-expanding attack surface.
Notifications are just another convenient thing that me and you use every day.
Perhaps these things should be disabled by default, or requested upon being needed, but that's not really your argument it would seem.
This kind of automated perfomance tuning is almost always more annoying than useful.
> Notifications are just another convenient thing that me and you use every day.
Who is "me and you"?
But yeah, web browsers basically run arbitrary code written by hostile companies, with layers of indirection to confuse accountability. In that environment, you have to weigh "nice to have" against "could be abused," and err on the side of caution.
You don't call any OS level API from a website. The browser makes and shapes the notification for you. If the notification cannot be traced back to your browser, blame your browser vendor for their bad design.
That said, no amount of good browser design can protect a computer from people who don't know what they're doing. I recall a recent malware campaign where a similar mechanism was used, but instead of "click this button, go to site settings, click notifications, click allow", it'd show "copy this, hit windows+r, hit ctrl+v, then press enter to confirm you're human".
As computers continue to be dumbed down, I don't expect computer literacy to rise to a safe level any time soon. It's a matter of time before executing downloads from the internet becomes impossible.
Krebs need to ditch the TDS.
His "Red Herring DNS flaw" garbage was when I realized that 90% of what he spits out is Gell-Mann amnesia.
https://firstpartyornoparty.org/
I think the extension support is explicitly disallowed by Apple so shhh don’t tell anyone teehee!
Unfortunately, because real alternative browsers are only supported in the EU (and even then with big asterisks), you won't see a normal browser engine powerful content blocking any time soon. The content filters you can download from the app store help, but they're not as powerful as uBO and friends.
Vpn with ad blocking built in
https://support.mozilla.org/en-US/kb/safari-integration-fire...
The only other extension I’ve started using recently, when the quantity/frequency of YouTube ads on Safari became unbearable, is 1Blocker. It includes a specific filter for blocking YouTube ads, and you can use one active filter for free without subscription.
https://support.1blocker.com/en/articles/9313640-how-to-bloc...
Put CAPTCHAs on your site: zero traffic.
EU adds those cookie banners to everything: EU should have been disconnected from the internet.
EU required website operators to disclose certain uses of cookies and many of them chose the most obnoxious way possible. Perhaps more agreeable: every website that uses those banners should be disconnected from the internet.
For years I advocated, mostly successfully, to keep pop-ups, pop-unders, pop-ins and other abuse like that out of sites I worked on. Then the EU pulls this magic trick that transforms them into something required, and then "wholesome" so after that the dam breaks and it is common for a blog today to pop up three banners that want your email address, for pop-up ads to cover other pop-up ads, etc.
When your government is unresponsive like that the only choice is exit, no wonder the EU is overrun by populists that want out. If they don't want Frexit and Sprexit and Grexit they'd better think twice when they make another thoughtless law with terrible consequences.
You know EU law only applies in the EU? And blockers exist? I always howl with laughter when some bumhole USA newspaper presents me with a cookie banner that got through. Then i change vpn-server, read what i want, and get on with my tawdry existence.