Seems related, so I’ll share here. I wrote an “awesome” list of privacy-focused front-ends[1] for a variety of services. Haven’t been updated in a while, but I figured it’s still valid.
Overall it works but the problem lies in instances that tend to die-off pretty fast. There were homebrew "hubs" solely providing redirects out of pure kindness to many big sites and services but now it seems it's hard to find one that works without being blocked/rate limited. Big sites and services fight back, which isn't really surprising.
Privacy Redirect was prob the first extension that introduced this idea. It did the job as well but up until bad-actors figured out they can redirect people to their dangerous sites.
It's a little finnicky to set up, but I'm enjoying it so far. It goes beyond alternative frontend redirects. You can strip URL params, check domains against a blacklist, and choose native apps to open links that match a pattern.
romaaeterna · 1h ago
Nobody is setting up "privacy-friendly" frontends to track browsing data that they couldn't otherwise get without access to Google's/Twitter's/etc. logs? Because I think they are.
lucb1e · 23m ago
How could you ever prove that nobody is doing that? You can believe anything that way
One can't prove god doesn't exist either, but as someone who made some privacy-friendly front-ends, I tend to expect honest intentions. If you find one that suddenly asks for your login data or sets tracking cookie, sure, be wary, just as with any other site that asks for data they don't need (see: literally every cookie wall, because if they had good intentions, it would fall under one of the five other reasons to use personal data and they wouldn't need to fall back to asking for consent)
Funes- · 38m ago
Yeah, the possibility of any of them being a honeypot I'd say is real.
No comments yet
bmacho · 6h ago
A web extension is an unnecessary security risk. A userscript will do it just fine.
I actually have made it extensible, with closely coupled source of rules and domains; but then I lost it Edge forgot all my userscripts :(
londons_explore · 6h ago
User scripts have super wide permissions. For example a user script scoped to YouTube.com can make payments from any cards you have saved in Google pay.
And most user scripts are so long a typical user won't be able to spot a couple of malicious lines amongst 10k lines of minified webpacked libraries.
rvnx · 5h ago
You also have to weight the benefits versus the "risk".
For example, if you use FreeTube with SponsorBlock to improve your privacy and block ads, in fact you are sending to Cloudflare 100% of your YouTube watch history, and to SponsorBlock ("sponsor.ajay.io").
With Piped instances it's even worse, essentially escaping Google's tracking just to give our data to random strangers.
If you are worried, just run a second Chrome session with NordVPN and uBlock Origin in a loose jurisdiction and browse YouTube unlogged.
It's easy, simple, and you have the benefits of an audited platform and that reasonably legally confirm they don't store logs unless the court forced them: "we never log their activity unless ordered by a court never log their activity unless ordered by a court", but for that, the court has to find you as a user, which can be very complicated in practice.
So much better than random strangers.
lucb1e · 14m ago
> worse, essentially escaping Google's tracking just to give our data to random strangers
I'd much rather send random tidbits of information, that are nearly useless in isolation, to strangers than to the central tracking corporation
In the end, there is no way to reveal what information you're interested in when retrieving data, short of retrieving a ton of data and doing the filtering client-side, which is also an option with these third parties if you so desire
hashiyakshmi · 3h ago
>If you are worried, just run a second Chrome session with NordVPN and uBlock Origin in a loose jurisdiction and browse YouTube unlogged.
If you actually did this you would know that it works for all of a week or two before YouTube stops letting you watch videos until you login.
Devorlon · 1h ago
I found that hopping to different VPN servers is a mildly inconvenient workaround for that.
heavensteeth · 3h ago
SponsorBlock doesn't send video IDs to the server.
(*anymore, as of late 2020 from a quick look. The parent comment may not have been wrong about that, just outdated info)
lvass · 3h ago
Terrible advice. Not only youtube will precisely fingerprint you, nordvpn/tesonet/oxylab will also get data on you.
rvnx · 2h ago
Way better than the recommended "privacy" instances.
NordVPN only sees that you connect to YouTube, they do not see the pages or videos that you are looking at, and from the perspective of YouTube, they only see requests from a very popular VPN where are millions of users.
If you use the "privacy" instances, these "privacy" websites and Cloudflare knows precisely which videos you are watching.
lvass · 2h ago
Recommended by whom? I'm just saying your advice is terrible in general and takes no regard to how easy and powerful fingerprinting is nowadays, in google's perspective the only difference to using that VPN if you're "just" running chrome is that it also knows when you use a VPN, in other words, just giving one more data point. Also the average user is likely to install some nordvpn app if following your advice, which is a security nightmare, remember that company sells residential proxies.
Also IIRC for youtube, alternative frontends don't tend to rely on someone else's endpoints.
No comments yet
latexr · 5h ago
> If you are worried, just run a second Chrome session with NordVPN
I'm happy to give my watch history to some unknown in exchange for never ever seeing an ad.
bmacho · 5h ago
> And most user scripts are so long a typical user won't be able to spot a couple of malicious lines amongst 10k lines of minified webpacked libraries.
Exactly!
That's why you should use 3 lines for it instead, that are
- inspectable
- not updateable by the Chinese/Russians
- written by you anyway
danielspace23 · 2h ago
what's up with the random racism in this comment?
bmacho · 1h ago
I've chosen them as example elements of the larger group: people that would harm you. It's a type of synecdoche[0,1].
I was considering reformulating it, in $CURRENTYEAR there is always someone that claims that using Russian or Chinese as a synonym for 'enemy' is Russo- and Shinophobic. I've decided against it this time.
Critique and distrust of an (authoritarian) government is not racism.
eviks · 5h ago
The extension links to 50+ services, your script - to 1. Do you now suggest that every single user should figure out how to do it properly and replicate the extension in a script for no better alternative (you could instead spend part of that time reading the extension code and using your private copy)
bmacho · 4h ago
I don't think that not having all the services is a problem. On the contrary, I think it is an advantage for userscripts, that those only have the redirects a user explicitly adds.
Tho I probably should've demonstrated first that it is possible, before advocating for it. The script I linked indeed only works for one website. Multiple websites with multiple rules, each with a list of instances (that often go offline for a time, so it is worth keeping them around, and make switching easy) indeed complicates it a bit.
eviks · 4h ago
So what exactly is the advantage of having to code all the rules yourself for every service you want to use??
> complicates it a bit
a bit of an understatement
bmacho · 4h ago
> So what exactly is the advantage of having to code all the rules yourself for every service you want to use??
"having to code all the rules" is not that hard, in most cases you can just pass the whole URL, and the instance accepts it.
Advantages: you don't get unwanted redirects from services, and you don't get unwanted redirects to instances. (Even tho the information about the instances will likely be concentrated at libredirect github issues. Chances are that some random person on the internet who has paranoid activities as a hobby will look into the instances, so you don't have to.)
- - -
I don't use many redirects. Nowadays I use exactly 0. But if I needed a redirect for example to xcancel, I would use my user-script as I had done it in the past before I lost it. I definitely wouldn't install a browser extension for it.
eviks · 3h ago
> in most cases a slice(,) will do it since the relevant id is at a fixed position in the URL.
In all cases that also involves actually finding the URLs, then there are non-most cases where a slice wouldn't do it.
> Nowadays I use exactly 0
Exactly. If you ignore actual uses everything becomes trivial
Akronymus · 1h ago
I personally prefer to use redirector to do it. It has served me quite well so far.
I did, seemed to fall in the same category of sometimes working, sometimes not. I'v been trying various alternatives on/off for the past 5 years or so but unfortunately nothing really ever sticks.
az09mugen · 38m ago
Thanks for your feedback
b0a04gl · 1h ago
tis is great for what it solves i don't wanna see ads, i don't wanna load 10MB of js just to read a tweet or watch a 2-min clip. redirecting to piped or nitter makes total sense. but what i would appreciate more is either selfhost or at least rotate through known good instances. currently it just serves half the intent. i don't often check who's running what. if you're gonna use it seriously, current assumption is the routing target instances is always up, clean and fast. some are slow as hell, some die without notice and a few probably log everything. currently also many of the list is dead out
johnisgood · 3h ago
Proxigram? I doubt I could run that on Android.
lucb1e · 10m ago
...care to elaborate why you can't visit a website on Android and how this is relevant to anyone else?
I want the opposite, an extension that will redirect all crappy frontends to the canonical sources (which work better and I am logged-into, I can comment, etc).
lucb1e · 6m ago
So... press the 'clone' button on the repository and swap the mapping from twitter.com -> nitter.net to nitter.net -> twitter.com?
fmbb · 4h ago
Don’t almost all of them show a link to the source anyway?
hsbauauvhabzb · 4h ago
Do any of these YouTube extensions retrieve videos in a way which is unassociated with my IP? I’d really rather not get my google account banned, or my searches rate limited. These aren’t happening now, but I believe they will in the future to the point where I actively avoid using any tooling from my home connection, and vps’ seem to be blocked by YouTube already.
v5v3 · 3h ago
VPNs are not blocked by YouTube.
Neither is viewing YouTube using Tor Browser.
pimeys · 4h ago
If you have a dynamic IP at home, run it in your homelab and access it through Tailscale everywhere. I highly doubt YouTube will block the whole IP block for home users.
hsbauauvhabzb · 3h ago
That doesn’t solve the issue of my google search traffic and fingerprint from coming from the same source as yt-dlp.
swayvil · 2h ago
"privacy friendly". Now there's a modern euphemism.
Retr0id · 2h ago
What is implied?
anthk · 8h ago
X.com works bet with lightbrd.com instead of xcancel with captchas.
Which is a PoW CAPTCHA, but a CAPTCHA nonetheless.
CaptainFever · 3h ago
However, if your JS is disabled (or if you're running LibreJS), you do get redirected to a CAPTCHA which only works sometimes.
HelloUsername · 6h ago
lightbrd also needs cloudflare captcha
teddyh · 1h ago
Try nitter.tiekoetter.com.
Razengan · 4h ago
How long before browsers disable these kinds of in-user-favor workarounds?
Like Apple removing the "Disable JavaScript" menu option from Safari and moving it into Developer Tools, which can be detected by websites before you can disable JS >:(
reddalo · 4h ago
I think the real question is: should we keep using browsers that are developed by ad companies? And the answer is no, we should just use Mozilla Firefox.
This comment could've been phrased better, but Farside does have an important feature that LibRedirect lacks, which is automatic instance selection based on reachability. Instances routinely fail and new ones are added, so automating that aspect instead of requiring manual instance selection by the user is a powerful feature.
Anyway, thanks for mentioning it!
MallocVoidstar · 4h ago
Using Farside means the initial redirect goes through Farside, so they are capable of knowing what videos you're watching, what tweets you're looking at, etc. You have to trust them not to monitor this. Using a client-side extension means only the instance you use knows this.
imiric · 4h ago
It's a Go project that seems trivial to self-host. By your logic we shouldn't trust any of the instances of the alternative services either since anyone could be monitoring their use as well.
iLoveOncall · 5h ago
Maybe for the fact it as 4 times as many stars on GitHub if that's what you care about?
[1]: https://sr.ht/~jamesponddotco/awesome-privacy-front-ends/
[1] https://addons.mozilla.org/en-US/firefox/addon/redirector/
Privacy Redirect was prob the first extension that introduced this idea. It did the job as well but up until bad-actors figured out they can redirect people to their dangerous sites.
It's a little finnicky to set up, but I'm enjoying it so far. It goes beyond alternative frontend redirects. You can strip URL params, check domains against a blacklist, and choose native apps to open links that match a pattern.
One can't prove god doesn't exist either, but as someone who made some privacy-friendly front-ends, I tend to expect honest intentions. If you find one that suddenly asks for your login data or sets tracking cookie, sure, be wary, just as with any other site that asks for data they don't need (see: literally every cookie wall, because if they had good intentions, it would fall under one of the five other reasons to use personal data and they wouldn't need to fall back to asking for consent)
No comments yet
edit: one of my previous attempt: https://news.ycombinator.com/item?id=35229211
I actually have made it extensible, with closely coupled source of rules and domains; but then I lost it Edge forgot all my userscripts :(
And most user scripts are so long a typical user won't be able to spot a couple of malicious lines amongst 10k lines of minified webpacked libraries.
For example, if you use FreeTube with SponsorBlock to improve your privacy and block ads, in fact you are sending to Cloudflare 100% of your YouTube watch history, and to SponsorBlock ("sponsor.ajay.io").
With Piped instances it's even worse, essentially escaping Google's tracking just to give our data to random strangers.
If you are worried, just run a second Chrome session with NordVPN and uBlock Origin in a loose jurisdiction and browse YouTube unlogged.
It's easy, simple, and you have the benefits of an audited platform and that reasonably legally confirm they don't store logs unless the court forced them: "we never log their activity unless ordered by a court never log their activity unless ordered by a court", but for that, the court has to find you as a user, which can be very complicated in practice.
So much better than random strangers.
I'd much rather send random tidbits of information, that are nearly useless in isolation, to strangers than to the central tracking corporation
In the end, there is no way to reveal what information you're interested in when retrieving data, short of retrieving a ton of data and doing the filtering client-side, which is also an option with these third parties if you so desire
If you actually did this you would know that it works for all of a week or two before YouTube stops letting you watch videos until you login.
https://github.com/ajayyy/SponsorBlockServer/issues/25
NordVPN only sees that you connect to YouTube, they do not see the pages or videos that you are looking at, and from the perspective of YouTube, they only see requests from a very popular VPN where are millions of users.
If you use the "privacy" instances, these "privacy" websites and Cloudflare knows precisely which videos you are watching.
Also IIRC for youtube, alternative frontends don't tend to rely on someone else's endpoints.
No comments yet
I feel like I’m on YouTube already.
It’s not like they are free of criticism either.
https://en.wikipedia.org/wiki/NordVPN#Criticism
Exactly!
That's why you should use 3 lines for it instead, that are
I was considering reformulating it, in $CURRENTYEAR there is always someone that claims that using Russian or Chinese as a synonym for 'enemy' is Russo- and Shinophobic. I've decided against it this time.
[0] : https://en.wikipedia.org/wiki/Synecdoche#Part_referring_to_w...
[1] : https://en.wikipedia.org/wiki/Pars_pro_toto
Tho I probably should've demonstrated first that it is possible, before advocating for it. The script I linked indeed only works for one website. Multiple websites with multiple rules, each with a list of instances (that often go offline for a time, so it is worth keeping them around, and make switching easy) indeed complicates it a bit.
> complicates it a bit
a bit of an understatement
"having to code all the rules" is not that hard, in most cases you can just pass the whole URL, and the instance accepts it.
Advantages: you don't get unwanted redirects from services, and you don't get unwanted redirects to instances. (Even tho the information about the instances will likely be concentrated at libredirect github issues. Chances are that some random person on the internet who has paranoid activities as a hobby will look into the instances, so you don't have to.)
- - -
I don't use many redirects. Nowadays I use exactly 0. But if I needed a redirect for example to xcancel, I would use my user-script as I had done it in the past before I lost it. I definitely wouldn't install a browser extension for it.
In all cases that also involves actually finding the URLs, then there are non-most cases where a slice wouldn't do it.
> Nowadays I use exactly 0
Exactly. If you ignore actual uses everything becomes trivial
https://einaregilsson.com/redirector/
No comments yet
Neither is viewing YouTube using Tor Browser.
Like Apple removing the "Disable JavaScript" menu option from Safari and moving it into Developer Tools, which can be detected by websites before you can disable JS >:(
Download today people https://www.torproject.org/download/
Using venrable farside.link
https://sr.ht/~benbusby/farside/
https://farside.link/
Why use your offering?
Anyway, thanks for mentioning it!