-1

If there are Google-Fonts scripts running on some pages of a website (but not all of them), and a developer in customer service tells me that I am wrong, the website does NOT run any Google Fonts at all; but rather my plugin needs to be reinstalled...

...then I do that, and can still find scripts on different pages than before.

...PLUS I can detect them with a separate plugin (that I didn't mention to them), could they be mistaken? Does their explanation make sense, from a programming perspective?

Sorry, here's why I ask:

Essentially, I need to know if I can trust FlokiNet (https://flokinet.is/) as a webhost for developing a fully-privacy-respecting website that journalists can trust to keep their identities private.

I visited their website with NoScript and EFF’s Privacy Badger installed.

Both of these tools indicated that there were Google scripts running on their website on some pages. One gstatic (probably Google fonts?) and another Google maps script (only on one page).

I visited their blog, and the same thing. Gstatic scripts. On every page this time (Likely Fonts, I'd guess).

(I have extensive screenshots, if you want to see them.)

I reached out because technically, Google Fonts sends IP info to Google, according to Bryce Wray (link: https://brycewray.com/posts/2020/08/google-fonts-privacy/ ).

Here’s the thread:

THEM:

Hello,

the contact page contained an old maps link which was not removed from the source code and has been fixed now.

There is no Google Fonts usage on our page (we are well aware of the problems with using it), please check your privacy badger / browser as this must be an error.

ME:
Great! Glad to hear the Google Maps code was an error. That makes me feel much better.

I’ll reach out to EFF and see if I can understand why a Google Fonts script is being identified. I’m relieved to hear you are aware of the issues with those.

THEM:

There is no need to reach out to EFF, just reinstall the privacy badger it will solve it.

Here’s what I did after this exchange:

First off, he says he totally knows about Google Fonts being a problem.

I reinstalled Privacy Badger, as instructed. Then re-visited the Flokinet page in question.

It appeared to work. No Gstatic script. The Google Maps script was gone as promised, too.

Then I kept clicking around, just on a whim.

I found another set of scripts (screenshots available), and the blog still had tons of them.

NoScript (which I didn't mention) detected the gstatic scripts also, and did so consistently in tandem with Privacy Badger.

I was so confused and frustrated, I just dropped it.

I went back 2 days ago thinking it was an error, and it’s still there! (Screenshot available)

The blog is still full of them also.

Does this explanation of theirs make any programming-sense? Are my tools broken, or is it possible he is mistaken?

Bergi
Sean
  • Please edit your question and reduce it (considerably) to the most succinct phrasing you can. Remove all references that are not relevant and not likely to be understood by most (i.e. your X-Files sentence). Because your post is so long, it probably won't get too many people interested in reading it and providing you with an answer. We really don't want a blow by blow of the conversations you had. Can you just think about what question you are trying to get an answer to and just ask that? – Scott Marcus Dec 18 '20 at 20:34
  • Absolutely! Whatever works. – Sean Dec 18 '20 at 20:35
  • Um. How do I edit. Ug. Sorry. First time – Sean Dec 18 '20 at 20:35
  • Click the "edit" link just below your question. – Scott Marcus Dec 18 '20 at 20:36
  • Yes, their explanation makes sense. There's no googlefont on their start page. Try viewing the source. This is often caused by browser plugins on the client side adding such resources, that's why they told you to reinstall your plugins (though trying to disable them would be my first advice). Try a different browser also. – Bergi Dec 18 '20 at 21:01
  • Excellent! Thank you so much for the response. Helps immensely. Sorry for the late response. – Sean Dec 28 '20 at 22:44

1 Answer

0

There are two separate things getting confused here.

The site at https://flokinet.is does not have any Google-sourced content, fonts, scripts or anything else. They are missing a few simple things that I'm sure they could fix easily (like a CSP header), but 0 cookies, 0 trackers is a good start.

Quite separately, https://blog.flokinet.is is a WordPress blog on a separate IP (though only 1 address higher), and this does use Google fonts.

It's easy to gather reports on the site, and the blog to let you see the difference, and that they both have privacy and security deficiencies. I'd say the only unforgivable thing (given their "100% Secure" claim on their home page) is that they serve anything at all without TLS.

It's not all bad. They are clearly trying (which is rare in itself), they're just not quite there yet.

Synchro
  • Wow! Thanks a million! That helps a great deal, and yes that totally makes sense! Sorry about the late response. Caught up in the holidays. – Sean Dec 28 '20 at 22:44
  • (I'm a first-time user, by the way - apologies again for being out of touch.) – Sean Dec 28 '20 at 22:52
  • Glad that cleared it up for you. Please mark this as your chosen answer by clicking the check mark next to it. – Synchro Dec 29 '20 at 09:13
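
Added example (not part of the original thread or any participant's post): a way to run the "view the source" check from the comments and the answer over saved HTML, listing the third-party hosts a page's own markup references and marking the Google ones. The host names `site.example`, `blog.site.example` and `cdn.example.net` and both sample pages are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

GOOGLE = ("googleapis.com", "gstatic.com", "google.com")  # domains named in the thread
CSS_URL = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*['"]?([^'")\s;]+)""", re.I)

class ResourceCollector(HTMLParser):
    """Collect URLs the served HTML itself asks the browser to contact."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.urls, self.in_style = base_url, [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_style = tag == "style"
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.urls.append(urljoin(self.base_url, a["src"]))
        if tag == "link" and a.get("href"):  # any <link>: stylesheet, preconnect, preload
            self.urls.append(urljoin(self.base_url, a["href"]))
        self.add_css(a.get("style") or "")  # inline style="..." attributes

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # text inside <style>...</style>
            self.add_css(data)

    def add_css(self, css):
        self.urls += [urljoin(self.base_url, u) for u in CSS_URL.findall(css)]

def third_party_hosts(base_url, html):
    """Map each non-own host referenced by the page to True if it is a Google domain."""
    collector = ResourceCollector(base_url)
    collector.feed(html)
    own = urlparse(base_url).hostname
    hosts = {urlparse(u).hostname for u in collector.urls} - {own, None}
    return {h: any(h == d or h.endswith("." + d) for d in GOOGLE) for h in sorted(hosts)}

# Constructed sample pages (not copied from any real site).
MAIN_PAGE = '<link rel="stylesheet" href="/css/site.css"><script src="js/app.js"></script>'
BLOG_PAGE = """<link rel="preconnect" href="https://fonts.gstatic.com">
<style>@import url("https://fonts.googleapis.com/css?family=Roboto");
body { background: url(/img/bg.png) }</style>
<script src="https://cdn.example.net/lib.js"></script>"""

if __name__ == "__main__":
    print(third_party_hosts("https://site.example/", MAIN_PAGE))
    print(third_party_hosts("https://blog.site.example/", BLOG_PAGE))
```

This inspects only what the server sends, so requests added at runtime by scripts or by browser extensions will not appear; a host that shows up in the browser but not here points to the client side, and each subdomain has to be checked separately.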