More than 480 websites recording 'every keystroke'
[QUOTE=Chryseus;52916911]The full list has 96,718 sites, unsurprisingly quite a few porn sites are on there and a large percentage (around 1/3) are Russian websites.
Here is a [url=https://chryseus.co.uk/junk/hosts]hosts[/url] file if you want to block them, or a plain url [url=https://chryseus.co.uk/junk/urllist.txt]list[/url] you can use with ublock.[/QUOTE]
blocking all those sites seems impractical, and a lot of them might not even use session recording
[url]https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html[/url]
[quote=that link]In a recent study we analyzed seven “session replay” services and revealed how they exfiltrate sensitive user data. Here we release the data behind our study, specifically, [b]the list of websites from the Alexa top 1 million which embed scripts from analytics providers that offer session recording services. The appearance of a website on this list DOES NOT necessarily mean that session recordings occur,[/b] as website developers may choose not to enable session recording functionality.[/quote]
you should be blocking the session recording scripts instead
[editline]24th November 2017[/editline]
same goes for the link in the op, the sites don't necessarily use session recording
I've been typing random bullshit for years when bored into nothing on a webpage. I wonder how many times they got me typing the navy seals copypasta
[QUOTE=%%;52918846]blocking all those sites seems impractical, and a lot of them might not even use session recording
[url]https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html[/url]
you should be blocking the session recording scripts instead
[editline]24th November 2017[/editline]
same goes for the link in the op, the sites don't necessarily use session recording[/QUOTE]
You're quite right not all of them may be using the session recording feature but the presence still means they are likely using some features that could impact your privacy, as far as I'm concerned that is more than enough reason to block them, if there is something on there you use regularly well there is no point blocking it, still knowing is better than not knowing.
As for disabling the scripts that will not work in many cases, I could go into details but suffice to say there are multiple ways around things like noscript, unless you want to turn off javascript completely which will of course break most websites.
[QUOTE=thejjokerr;52919692]The only way I see this impacts your privacy is that your keystrokes get sent to services like hotjar, which IIRC doesn't even record keystrokes in password fields. Additionally these site owners are the only ones that are likely to view your session and you're already typing on their site so you're already giving consent to them getting what you're typing. Why else would you type on a website?
If someone sees some other security risk please let me know because I'd be interested in knowing.
We use hotjar for our sites as well to optimize readability and click through rates.[/QUOTE]
It's dependent on the website developer to implement it correctly so sensitive data is redacted, the automated redaction feature is not particularly reliable either as is explained in the [url=https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/]blog post[/url].
Hotjar for example doesn't automatically redact the credit card CVC field or expiry date, UserReplay sends the last 4 digits of your card number and Yandex apparently sends the lot, so you can see why this is potentially a huge security problem.
The main privacy concern is that your data is leaving the website you're using, often without any informed consent, this data can then potentially be aggregated with data from other sites to track you and your browsing habits among other things.
[QUOTE=thejjokerr;52919692]The only way I see this impacts your privacy is that your keystrokes get sent to services like hotjar, which IIRC doesn't even record keystrokes in password fields. Additionally these site owners are the only ones that are likely to view your session and you're already typing on their site so you're already giving consent to them getting what you're typing. Why else would you type on a website?[/QUOTE]
I guess it depends how invasive it is. Does it only record typing while you have that webpage open and selected, and stop when the page is deselected?
Hahaha, PagSeguro, the Brazilian method of payment for Steam is on the list
[B]FUCK[/B]
snip dumb question
bet they can't track all the strokes I make :wink:
[QUOTE=kisaraji;52919786]Hahaha, PagSeguro, the Brazilian method of payment for Steam is on the list
[B]FUCK[/B][/QUOTE]
It's not really a problem.
I mean, as long as the human element isn't awful and they put a strong password on the account for whatever service they're using.
(you won't be tracked by this stuff when getting redirected through auth pages for CC payments, it'd serve no purpose as those are automated. This would only track you if you went on their actual site)
that's a lot of damn websites no wonder people getting hacked left and right