
Author: Kev Quirk

Nextcloud Talk Is Crap!

Yes, that’s right, I said it, Nextcloud Talk is crap! We have been using Talk for quite some time as the main chat tool for the Fosstodon team, but today we decided to flip back to our previous tool, Keybase.

I want to get one thing straight here – Nextcloud is awesome. I use it at home on my private server, and it works extremely well. However, I only use Nextcloud for file syncing. In my experience, many of the official Nextcloud apps sit somewhere on a spectrum from mildly annoying to just plain useless.

I am focussing on the apps that are developed by the Nextcloud team here. I am not referring to any of the apps that are developed by third parties, as I have very little experience of them.

Performance Issues

The Fosstodon team had a Nextcloud instance hosted with OwnCube, but when hitting the send button on a message within Talk, it would take anywhere from 3 to 10 seconds to actually deliver the message to the chat group.

This would make having conversations within Talk almost impossible. To add to this, many members of the team had issues with notifications occasionally not showing on their devices.

Please remember, the Fosstodon team is very small at only 8 people including myself, so it’s not like the chat room had tens or even hundreds of members.

Not Many Features

One of the most annoying “features” of Nextcloud Talk is that if you want to attach an image to a chat, you can only do so from your Nextcloud files. If you want to attach a photo or screenshot from your device, forget about it. You will have to upload the file to Nextcloud Files first.

On a desktop or laptop, this isn’t a major issue, but on a mobile device this is an absolute nightmare.

Also, Nextcloud Talk doesn’t support emojis out of the box. For this, 4-byte (UTF-8) support needs to be enabled on the Nextcloud database. Unfortunately, our host, OwnCube, never got around to doing this in the 4 months we were using their service.

Suffice it to say, all of the above made Nextcloud Talk extremely frustrating and pretty much useless for us.

Same Across The Board?

Like I said earlier, this has been my experience on a number of Nextcloud apps within the ecosystem, namely:

  • Mail
  • Contacts
  • Calendar
  • News (RSS reader)

Personally, I feel like Nextcloud are spreading themselves too thin and are trying to do too much. File syncing is great and it works really well for the most part in my experience. So now that’s nailed, get another app working just as well, then the next, then the next etc.

I wish that the Nextcloud team would stop saturating their marketplace with apps that are sub-par, frustrating to use, or in some cases, just plain bad.

Am I being too harsh here? If so, please feel free to get in touch with me and tell me why.

Coming Full Circle – From Grav To WordPress

Woah, 2 posts in one day, aren’t you guys lucky! So I’ve just published a post on why I’m removing comments from this site. Now I want to talk about migrating from Grav to WordPress.

When I originally re-launched this blog, I went with Ghost. Then I moved to a static site that was running WordPress; after a little while I got bored of that and migrated over to Grav. Now I’ve come full circle and ended up back on WordPress!

Why the move?

There was nothing inherently wrong with Grav really, I enjoyed using it, especially the Markdown support. However, because it’s a small fledgling CMS, there were a number of niggles with the tool that frustrated me.

I found myself constantly trying to work around these niggles, rather than concentrating on writing posts. WordPress is huge and there are many reasons to use it. I also know it pretty well, so I’m not wasting time fiddling with these little annoyances.

The main niggles were the caching – it was never right and I was constantly having to CTRL+F5 to get the latest version of the site – so I assume my readers were having to too.

The RSS feeds were also a pain – they just never updated. I think this was linked to the caching issue, but I could never work it out. Even turning caching off completely wouldn’t get the feeds to update.

Then there was the lack of spellcheck in the browser window. For some reason, Grav wouldn’t spellcheck within the editor. I have no idea why, but I just couldn’t get it to work.

Finally, most of the functionality for Grav requires a plugin. To get the basic functionality I had on my Grav site required 15 (yes, fifteen!) plugins. These were for anything from SEO, to RSS feeds, to adding pagination on the home page for posts.

For context, I have 6 plugins installed on this WordPress site, which add things like 2FA, caching and SEO.

But what about Markdown?

Markdown was my main reason for moving to Grav. I love using it, as it allows me to write and format entire posts without my fingers leaving the keyboard. Luckily for me, WordPress’ new Gutenberg editor supports Markdown out of the box. 🙂

WordPress has a pretty nice writing experience now. Gutenberg seems to have gotten a bad rap since it was released, but the WordPress team continue to make it an excellent editing interface, in my opinion.

The new theme

I didn’t want the look of the WordPress version of the site to change significantly, and I really liked the speed of Grav, but speed is difficult to achieve on WordPress.

I decided to use the awesome (and only 7 KB in size) Susty theme (Github) as the basis for my new theme. However, the theme looks nothing like this site out of the box, so I had to do a lot of work to make it look how I wanted, while still keeping things lean where possible.

I think I’ve managed to get a site that looks good, but still performs well. Looking at a Google PageSpeed Insights report, this site gets 97% for mobile and 98% for desktop. That’ll do nicely, I think.

Considering my Grav site was lucky to scrape 75%, I’m very pleased with the results. I haven’t spent much time optimising WordPress yet, other than enabling caching and some Gzip compression with Nginx on my server. So there’s probably a little more performance I can still get out of the site, but this will do for now.

Conclusion

Overall, I’m really happy to be back on WordPress. The website looks amazing (in my opinion), it performs well, and WordPress just feels like being back home.

Hopefully this will be the last migration for a while, so I can concentrate on putting out content instead of messing with the site!

Removing Comments

So I’ve decided that I’m removing comments from this website. I’ve been thinking about doing so for a while, and while migrating back to WordPress from Grav, I decided to get rid of them.

But why am I removing comments?

My decision to remove the comments section came about for a number of reasons. Firstly, the droves of spam I received via comments were a pain to manage. I’m a busy guy, so I would rather spend my time writing posts instead of moderating spam comments.

Great post, I totally agree! Here’s a link to my blog…

I got this kind of comment a lot. So even when I wasn’t filtering comments that would like to advertise Viagra within the comments section, I was having to go through a tonne of comments that added absolutely nothing to the conversation.

Seth Godin sums up my feelings pretty well in his post, Why I don’t have comments. I loved getting useful comments that contribute to the discussion, but the fact of the matter is, that was a very small proportion of the actual comments I received.

Privacy

I’m a privacy advocate, and I always try to respect your privacy on this site. So I used the Commento commenting system, which did a great job of keeping commenters private. But there is still the issue of having to manage the data that goes along with storing comments, so I decided to just get rid of them instead.

Will I be removing comments forever?

I don’t know yet. For now, I’ve left a few links for getting in touch with me via social media and email instead of a comments box. My hope is that by removing comments I will stop the spam and useless comments, and let the interesting discourse prevail within my social media channels and inbox.

Time will tell. This may be a temporary thing, or it may be permanent; I’ll have to wait and see.

Do you think me removing comments was a bad idea? Or do you think it was the right move? Feel free to get in touch and tell me your thoughts using the links below.

What Is Self-Hosting?

There was a post on Fosstodon recently where one of our members shared their thoughts on what they think self-hosting is.

Following the post, a conversation started about what different people considered self-hosting to be. The different trains of thought were:

  1. It’s only self-hosting if you have physical access and complete control over the server.
  2. It counts as self-hosting if you’re responsible for the entire software stack, no matter where the server is physically located.

I’m on the fence…I think

I can see both sides of the argument. On the one hand, you don’t control the physical tin box that your software is running on, so the service provider could pull the rug from under you and close their service. You’re not in complete control.

Having said that, you are responsible for all of the software, including the OS on that server. If you break something, you’re on your own. One could argue that this is the definition of self-hosting something, as you’re solely responsible.

The problem I have with the rationale of “it’s only self-hosted if you have complete control” is that I think the argument is flawed. You may have complete control over the server, but you don’t have complete control over the network infrastructure.

If you’re self-hosting at home and your ISP decides to cut you off, or has connectivity issues, you have very little control over that. You can then make an even more tenuous link and say what if there’s a black-out? You don’t control the power grid.

Yes, it’s far-fetched, but the original argument is based on the premise that a self-hoster has to have complete control.

Then again

I host Nextcloud and Plex at home. I consider myself to be self-hosting those services. I also have a VPS that I have full root access to, which runs this website. Personally, I don’t see myself as self-hosting this website.

For me, it boils down to this – if someone asks me “who do you host your website with?” I would respond with “Ionos” as that’s who I rent the VPS off. However, if the same person asked me who I host my Nextcloud instance with, I’d probably reply with “I self-host it at home”.

But then again, I can certainly understand it when people are of the opinion that they self-host even though they’re on a VPS that’s hosted in a data centre somewhere.

Conclusion

As I said at the start, I can see both sides of this discussion. To me, what’s far more important than where your server is located, is that you use privacy respecting services. Self-hosted or not.

Are you a self-hoster? Feel free to share your opinions in the comments below.

Why You Shouldn’t Use Facebook

I was having a conversation with a friend of mine recently and they were asking me why I don’t use Facebook. Within my circle of friends, I’m the IT guy and most of them aren’t really into IT, let alone privacy or security. So this person thought Facebook was great. I disagree.

I get it, Facebook is useful for keeping in touch with people, planning events and generally wasting time. But it’s also extremely good at swallowing your privacy, chewing it up, and spitting it out to all of their advertising partners.

Back to my friend – I quickly rattled off a number of reasons as to why I don’t use Facebook, but thought I would write my reasons out in a longer form. This is for a number of reasons:

  1. It gives me a place to refer people to when I inevitably get asked this question again.
  2. People may actually learn something from this post and think twice about using the service themselves.

For many people from the privacy and security circles I’m involved in, this won’t be new information, but hopefully it will still be of use. I intend for this post to be an ever-evolving list of f**k ups that Zuckerberg & Co. have made when handling both our data and our privacy.

The Reasons

I intend to create a new item within this list every time I feel another reason not to use Facebook comes to light. Where possible, I will try to articulate technical information in a way that is easy to digest, so anyone can understand (hopefully).

These are in chronological order, starting with the earliest. So the whole thing should read like a nice, long privacy vortex timeline.

If you think I’ve missed something here, please contact me.

Reason 1: The Timeline

When: September 2006
What: Facebook introduced the timeline feature

Details

When Facebook first launched, you had to go into each person’s profile to see their status updates and what they had been up to. After just 2 years, Zuckerberg decided that creating a feed that automatically displayed everything your friends have posted was a good idea.

It may seem like a small thing, but this is the beginning of the end when it comes to privacy. No longer are your timeline and profile updates kept on your page only, they’re now plastered all over the timeline of every person you are friends with.


Reason 2: Beacon

When: December 2007
What: Here comes the tracking – AKA, Beacon

Details

Zucker & Co. thought it would be a really great idea if they implemented a way for companies to track purchases made by Facebook users, then notify their Facebook friends. Worse still, this was often without the Facebook user’s consent.

The Zuck later explained his rationale behind Beacon, and announced that users would be given an option to opt out of Beacon – how thoughtful of him.

Here’s an interesting read on The New York Times about the introduction of advertising and tracking into Facebook.


Reason 3:

When: November 2011
What: FTC privacy charges

Details

Zucker the sucker settled with the Federal Trade Commission over charges that he didn’t keep his privacy promise to users, by allowing private information to be made public without warning.

Regulators said that Facebook falsely claimed that 3rd party apps were only able to access the data they needed to operate. Well, the truth is they could access pretty much the entirety of the user’s profile. This included non-public profile data.

What’s more, the apps could even collect your private posts even if you weren’t using them. All it took was for one of your friends to be using one of these apps.

Facebook were also charged with sharing user information to advertisers, despite promising they wouldn’t. Shock horror!

Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users, Facebook’s innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not.
— Jon Leibowitz, then chairman of the FTC


Reason 4:

When: June 2013
What: Bug exposes private data

Details

A bug in Facebook’s software exposed the email addresses and phone numbers of 6 million users to anyone who had a connection to the person, or knew at least one piece of their contact information. Here’s a write-up on Mashable about the bug.


Reason 5:

When: July 2014
What: Mood manipulation experiment

Details

Yes, you read that right. Facebook carried out mood manipulation experiments on their users!

The experiment included more than half a million randomly selected users. Facebook altered their news feeds to show more positive or negative posts. The purpose was to see how emotions could spread on social media.

The results were published in the Proceedings of the National Academy of Sciences, which understandably kicked off a huge shit storm.

The Facebook data scientist who led the experiment eventually posted an apology on Facebook:

I can understand why some people have concerns about it, and my co-authors and I are very sorry for the way the paper described the research and any anxiety it caused.
— Adam Kramer, FB Data Scientist


Reason 6:

When: April 2015
What: Facebook stops giving apps all the data

Details

If Jane Smith downloads an app, that app should not be able to suck up all of Gary Jones’ data just because they’re friends. Am I right, or am I right?

Well, according to Facebook, I’m dead wrong and this behaviour is completely appropriate. You can read more about the whole debacle in this TechCrunch post.


Reason 7:

When: February 2018
What: Belgian court says stop tracking everyone!

Details

Did you know that Facebook can track you over multiple sites? Well, they can, and a Belgian court ordered Facebook to stop collecting private information about Belgian users on 3rd party sites. Facebook were also ordered to delete all data they have illegally collected on Belgian users, including those who aren’t Facebook users, or risk being fined up to 100 million euros.

GO BELGIUM!

Reason 8:

When: March 2018
What: Cambridge Analytica

Details

Oh yeah, here it is – the big dog; Cambridge Analytica. Zuck the crook strikes again.

You know earlier on (reason 6 to be specific) when I mentioned that Facebook stopped giving apps all the data? Wellllll, they didn’t! Truth is, all the data continued to be leaked between apps, and this culminated when the consulting company Cambridge Analytica used leaked Facebook app data to great effect during the 2016 Trump presidential campaign.

Here’s how the data collection went down:

  1. Around 32,000 US voters used a Facebook survey app and were paid a couple dollars to take a detailed personality/political test.
  2. The app also collected data such as likes and personal information from the test-taker’s Facebook account, as well as the same data from all their friends. This resulted in gathering the data of around 50 million Facebook users.
  3. The test results and skimmed Facebook data were combined to provide psychological patterns.
  4. Algorithms combined the data with other sources, such as voter records, to create a list of 2 million people in 11 key states, with hundreds of data points per person.
  5. These people were then targeted with highly personalised advertising to sway their vote.

Many feel that the analysis, data manipulation and ultimately the highly targeted advertising on Facebook had a direct impact on the result of the 2016 US election. Would Trump have won without this data? Who knows. But one thing is for sure, this data definitely helped.


Reason 9:

When: April 2019
What: Breach exposing 540 million users

Details

Yet more Facebook apps with more holes in them than a sieve. This time, the cyber security firm UpGuard reported that a Facebook app dataset was found to be publicly available online. The breach contained the comments, likes, reactions, account names and Facebook IDs of over 540 million users.

Furthermore, there was also an Amazon S3 bucket discovered for an app called At the Pool, which contained the user ID, friends list, likes, music, movies, books, photos, events, groups, check-ins, interests, password and more. Worse still, around 22,000 of those passwords were not encrypted. Winning!


Reason 10:

When: July 2019
What: Facebook fined 5 billion dollars over privacy breaches

Details

This was a settlement, once again at the hands of the Federal Trade Commission (FTC). This is a culmination of a lot of the privacy issues you have read about above. Although 5 billion dollars sounds like a huge amount of money, it’s only around one month’s worth of revenue for Zuck the shmuck.

You can read more about it in this CNN article.


Reason 11:

When: November 2019
What: Facebook admits to circumventing GDPR

Facebook has told a court in Vienna that: “We don’t need user’s consent to process data.” It went on to say that since May 25, 2018, it has been collecting and processing data without the user’s consent.

If you don’t know, the GDPR requires that all users consent to how their personal data is handled by a given website.

You can read a full write-up of the issue in this post from Enterprise Times.

How Browser Fingerprinting Works

I recently wrote a post called How Online Tracking Works. That post mainly focussed on cookies and how they can be used to track you, but even if a site isn’t using cookies, browser fingerprinting can still be used to track you.

What is browser fingerprinting?

Browser fingerprinting is the process of collecting information about a remote device for identification purposes. Client-side scripting languages, like JavaScript, can be used in such a way as to collect very detailed fingerprints.

These fingerprints can include data such as geographic location, the browser and operating system that is in use, screen resolution, system fonts, system architecture, browser plugins and system hardware.

Like all tracking technology, browser fingerprinting can be used both legitimately and maliciously.

Fingerprints can be used to prevent fraud or credential hijacking, by checking that a user who is attempting to login is likely legitimate. For example, if you have logged in to cool-website.com for the last 5 years from the UK and using Ubuntu, then someone attempts to login to your account from Germany on a Windows system, this can flag as potentially illegitimate.

But like most things online, browser fingerprints can also be used in more nefarious way, to track you across web sites and collect information about your habits and tastes without you even knowing it.

Browser fingerprinting can even be used in a downright malicious way; if an attacker knows which operating system, software, versions, plugins and hardware you’re using, they can potentially deliver exploits that are specifically crafted for your machine and therefore are more likely to be successful.

How are browser fingerprints collected?

Browser fingerprints do not require cookies or any kind of user interaction. The fingerprinting process simply runs when a website is loaded. This means that the act of fingerprinting your browser is completely invisible to you. Browser fingerprinting can be achieved in a number of ways:

  • Your public IP address can be used to geolocate you. This is usually accurate to the town/city you’re based in.
  • The User-Agent and Accept header fields are automatically sent to websites when you make a connection.
  • JavaScript is widely used across the Internet and it can be used to provide data on things like the plugins you have installed on your browser.
  • If the Flash plugin is installed, its API provides access to many system-specific attributes such as the exact version of the operating system, the list of fonts, screen resolution, timezone etc.
  • An HTML5 Canvas element can be used to collect small differences in the hardware or software. This is because every machine will render an image in a slightly different way. With canvas fingerprinting, the tiniest of details can be detected.

Can I prevent browser fingerprinting?

In short, no you can’t. There are some things you can do, such as disable JavaScript and image rendering, but this would have a huge impact on your online experience.

Also, very few people have JavaScript and image rendering disabled, so this also makes you unique and easier to fingerprint. So although a website may not know certain details about your system because JavaScript is disabled, the very fact of having JavaScript disabled makes you pretty unique, so you can’t win.

Conclusion

This post only scratches the surface of browser fingerprinting, but hopefully it will give you a better idea of how it works.

I will leave you with this final thought – I just tested my browser fingerprint using this tool from the EFF. My browser was found to be completely unique among the 228,000 browsers tested in the last 45 days.

Browser Fingerprint Results

That’s how powerful browser fingerprinting is!

So even if you have 3rd party cookies blocked, you can still be identified and tracked online. Worse still, there’s currently no easy way of preventing browser fingerprinting.

How Online Tracking Works

With the numerous Facebook snafus going around, as well as the feeling that new data breaches are being reported daily, privacy is currently top of mind in the tech world. For many, privacy equates to advertising, cookies and tracking, but it’s so much more than those three things alone. Having said that, they certainly don’t help things, so in this post I’m going to try and explain how online tracking works. I think I have a relatively good understanding of things, but it’s a complicated subject, so I’ll try and keep it as simple as possible.

If you can’t explain it simply, you don’t understand it well enough.
— Albert Einstein

Why do we need to know?

I think that if you understand what makes online tracking bad, you can better protect yourself against it. So by understanding how online tracking works, you may be able to stop your details being listed in the next breach that finds itself on Pastebin.

With that in mind, there’s a lot for us to get through, so let’s get started shall we?

What is a cookie?

Contrary to popular belief, cookies are not biscuits, and they are not necessarily malicious. A cookie in this context is a small text file that is stored on your machine. Cookies are created by your browser, and they contain a small amount of data that is specific to the website that you have visited, usually in the form of a session ID.

Most modern websites use cookies for two main purposes – to keep you logged in and to track your behaviour.

How cookies keep you logged in

When you log in to a website, let’s use Facebook as an example, your browser sends Facebook a message informing it you wish to log in. We call this an HTTP request. This message contains your username and password (that’s why HTTPS is important); if your credentials match what Facebook has on record, you’re allowed to log in.

Once you’re cleared to log in, Facebook generates a unique session ID and sends it to your browser. Your browser then creates a cookie containing your session ID. The cookie is stored on your machine and sent to Facebook along with every HTTP request your machine makes to Facebook. When you then navigate around Facebook, they know it’s you and don’t ask you to log in again.

Facebook Cookie Diagram

Without a session ID Facebook would ask you to login every single time you navigate to a different page. This would get pretty annoying, pretty quick. So this is a legitimate use for cookies where they are used in an innocuous manner.

How cookies can be used to track you

If a website, like Facebook, requires a login to be used, it’s extremely simple to track you while you use their service. This is because you already have a cookie with a session ID stored on your device. Since this cookie is used with every request you send to the site, the website owner knows exactly where you have been and what you have done during your session.

This data can then be used to create a profile of your usage habits, and the more you use a service, the more data they have on you. This profile can then be used to send you targeted advertising; the rationale being that if you’re shown an advert for something you’re interested in, you’re going to be more likely to click on it.

This is also how sites like YouTube can recommend other content that is based on your tastes – because they’re tracking you and know exactly what you have been doing while on their site.

For me, this is where cookies start to mutate from being a benign, useful tool, to a potentially nefarious tracking mechanism.

Facebook Tracking Cookie

Third party cookies – single site

If a website does not require a login, you’re still not safe unfortunately. Many sites use third party cookies for things like analytics, as knowing which pages are popular and how much traffic your site is getting can be useful information. There are ways to do this analysis without cookies; for example, using web server log analysis, or by still using an analytics platform, but not allowing them to create cookies on your visitor’s device. This means that the stats are a little less accurate, but still give a good idea of visitor counts. This is how I monitor the analytics for this website.

Ok, so how does a third party analytics platform, such as Google Analytics or Matomo, know when someone visits your site? Let’s use a news site as an example. When a person visits news-site.com, the news site doesn’t create a session ID itself, but instead has a little snippet of JavaScript code that in turn sends a request to the analytics platform, which then creates the session ID and places it on the visitor’s device.

Since the session ID is unique to that visitor, it is used to track that person’s activity throughout the site, as the session ID will be sent back to the analytics platform along with any requests to news-site.com.

Analytics platforms are popular and will likely be tracking multiple sites – that’s especially true when it comes to Google Analytics. However, analytical data is not shared between sites being tracked.

So if news-site.com and banking-site.net are both using Google Analytics to track their visitors, Google Analytics will not co-mingle the news and banking site’s data. Therefore the tracking cookie for news-site.com can only be used to track you on that particular site.

That’s not to say that Google isn’t finding other ways to interpret all this data in such a way to be of benefit to them, but I couldn’t possibly speculate. 😊

Single Site Tracking

Third party cookies – multi-site

This is where shit gets real and really starts to make me feel uneasy. Multi-site third party tracking works in a very similar way to single site tracking, however when the session ID is generated for that visitor on news-site.com, the same session ID is shared across all sites within that tracking platform.

This means that the third party tracking platform can now track you over any site they have subscribed to their platform. Worse still, that data is available to any website owners using that platform AND is often sold to fourth parties, such as advertisers.

Have you ever gone on to Amazon and searched for something, then seen adverts for that exact item on Facebook? That’s because of third party multi-site cookies. When you visit Amazon and search for hard drives, Facebook is also using the same multi-site tracking company, so you have the same session ID across both sites. This means that Facebook knows you just searched for hard drives on Amazon, so it shows you adverts for said hard drives in the hope that you click.

Multi-Site Tracking

Not just advertising

We’re not just talking about advertising here. The multi-site platform will have many sites over many niches signed up to their service. So you can potentially be tracked across social media, shopping sites, news sites, porn sites, or any other sites you can think of.

With this tracking, an extremely detailed profile can be built up on you. Imagine a profile that contains your likes and dislikes, where you like to visit and things like the type of porn you prefer. Then when it comes to Google, this profile could also contain your search history, location tracking from your Android device, your contacts, your calendars, your emails, your text messages, phone calls etc. etc. etc.

Pretty worrying, right?

How can I protect myself?

It isn’t all bad news, as there are tools out there that you can use to protect yourself. The major browsers have options available for blocking third party cookies; here are instructions for both Firefox and Chrome.

Firefox Content Filter

Having said that, I would still recommend installing a content filter add-on to your browser, I personally use uBlock Origin. It’s available for all major browsers, it’s free and is pretty much set it and forget it when it comes to blocking trackers.

Then there are VPN services. Many think a VPN is a magic pill for all things privacy on the Internet. Unfortunately, that isn’t the case. A VPN hides your real IP address from the sites you visit (you share the provider’s public addresses with many other users) and hides your traffic from your ISP, but your browser still sends the same tracking cookies over the tunnel, so the tracker recognises you just the same.

The best advice I can give over and above everything else is to use privacy respecting services online. Or, better yet, self-host those services. I personally de-Googled a lot of the services I use, and I do host some of them myself too. Here are some quick recommendations:

Conclusion

By replacing core services with privacy respecting ones, and taking a few steps to block trackers while you’re browsing the web, you can make your online experience much more private. Having such an in-depth profile that is easily tied to a single person really concerns me. Especially when that profile is then being sold on to advertisers and other potentially nefarious third parties for a profit. This is our personal data, they have no right to sell it on!

So there you have it, you now have a better idea of how online tracking works. This post doesn’t cover everything, far from it actually, but I hope it’s enough for you to start making informed decisions about where your personal data could potentially end up.

What steps do you take to maintain your privacy online? Please feel free to leave a comment below to tell me about it.

And remember, I respect your privacy!

Commento – The Privacy Respecting Commenting System

Regular readers of this blog will know that I recently migrated from WordPress to Grav. One of the things I was really concerned about when migrating was the comments, as the WordPress commenting system is really good.

I didn’t want to go back to Disqus because of a number of privacy and security concerns with their service. So I started hunting for an alternative.

My Requirements

When looking for an alternative to WordPress comments, I approached it in much the same way as I did when I de-Googled, in that the replacement service has to be as good as, if not better than, the service it replaces.

The requirements I had were as follows:

  • Be privacy respecting
  • Be easy to moderate comments
  • Allow anonymous commenting
  • Not add loads of JavaScript to my site
  • Fit in with my site’s theme

The Options

Grav has hundreds of plugins available, including two different commenting systems. However, neither of them fulfilled all of my requirements; they both seemed difficult to moderate and configure.

I was back at the drawing board and about to admit defeat, but just before I went back to WordPress with my cap in my hand, I took a punt and searched Google for “privacy respecting commenting systems”, as I wasn’t having much luck with DuckDuckGo.

That’s when I came across Commento:

Privacy Respecting

The Commento team make it abundantly clear that privacy is a first class citizen when it comes to their service.

We do not sell or rent data to any third party, including marketers, advertisers, and tracking agencies.
Commento privacy policy

They even go on to clarify their position when it comes to Government agencies contacting them for things like court orders:

We may, from time to time, contest court orders if there is a public interest in doing so. In such situations, the company will not comply with the court order until all legal or other remedies have been exhausted. Therefore, not all court orders may lead to data disclosure.

Commento is also free from third-party tracking and advertisers. This alone was a major selling point for me. Things only got better from here…

Easy To Moderate

Moderation is hugely important. I’m an extremely busy guy, so the comment moderation process needs to be as slick as possible.

Comment moderation with Commento is as simple as clicking on a link in an email. Personally, I have my site set to hold all comments for moderation then email me with a notification. When that notification pops into my inbox, it looks something like this:

I can then approve the comment, delete it, or link straight to the comment using the Context link in the email.

When logged in to Commento on my site, I can also manage comments directly from there. I can even add additional moderators if I want to. It’s such a simple way to moderate comments without having a heavy dashboard to log in to.

Commento also has spam protection built in – I believe they use the same anti-spam system as WordPress, Akismet.

Allow Anonymous Commenting

Allowing my visitors to quickly and easily add an anonymous comment is incredibly important to me because I respect your privacy. Adding an anonymous comment with Commento is as simple as clicking a checkbox, then adding your comment. You don’t have to add any personal information, not even a name.

If you want to receive an email notification if you get a reply, you can also sign in with your Google, Twitter, GitHub, GitLab or Commento accounts.

Not Add Loads Of JavaScript

The JavaScript for Commento is just 11KB in size. Even on a 56k dial-up connection that is under two seconds of transfer; on a modern broadband connection it’s a few milliseconds at most. (That 11KB is the loader; the comments themselves are fetched by it afterwards, which is why total page weight and request count, as measured below, are the fairer comparison.)

Victor Zhou did some Disqus vs Commento performance comparisons and found that adding Disqus comments to his site increased his page size by 10x and request count by 6x!

Graphs courtesy of Victor Zhou – https://victorzhou.com.

Adding Commento to my site was as simple as adding the following code where I wanted the comments to appear. Note that this loads a script from cdn.commento.io, so, as with any third-party embed, that host can run whatever it likes on the page; self-hosting Commento, which is also an option, removes that dependency:

<div id="commento"></div>
<script src="https://cdn.commento.io/js/commento.js"></script>

Look & Feel

When visiting a website, I find it really jarring if the comment section doesn’t fit in with the aesthetics of the rest of the site. By default, Commento looks pretty good, but I want it to look exactly like the rest of my site.

Luckily that’s easy to do too. Commento’s default CSS can be swapped for my own: I added around 25 lines of CSS to my stylesheet and pointed the embed code at it with the data-css-override attribute, like so:

<div id="commento"></div>
<script src="https://cdn.commento.io/js/commento.js" data-css-override="/path/to/my/stylesheet.css"></script>

The result is a commenting system that pulls in all of my theming perfectly and looks exactly how I want it to look.

Hacker News

A few days after finishing the re-design of my website, I published the article Please Add RSS Support to Your Site. This hit the front page of Hacker News for a day or so, which means lots of comments.

I managed to use Commento in anger straight away, and it was faultless. My site never slowed down, email notifications were delivered quickly and everything just worked as it should. This, to me at least, is a true testament to how good Commento is.

Conclusion

Commento isn’t a free product, but it works superbly well, is privacy respecting and has no third-party trackers or advertising. It is, however, pay what you want to a certain degree. The minimum the developers ask is $3/month. I pay $5/month as I think the price of a coffee per month is great value for money for such a good tool.

During the initial implementation of Commento, I had to contact the support team, which I think consists of one person – the main developer of Commento. I made a mistake when importing my comments, but he was able to fix the issue for me quickly and easily.

I also asked a couple of general questions about Commento, which he was happy to answer for me. Each time I emailed, I got a response within 24 hours.

I can’t recommend Commento highly enough. If you’re already using Disqus, Commento has an import tool so you can get going straight away. You can also try Commento for 15 days for free. I can’t see myself using another commenting system any time in the near future.

If you’re a website owner, I implore you to consider switching to this privacy respecting, open source commenting system – oh, did I mention you can self-host it too if you like!

Please Add RSS Support To Your Site

I recently discovered Jan-Lukas Else’s blog, which contains a tonne of great posts – I’d strongly recommend checking out his blog if you’re a techie.

While I was perusing Jan’s blog, I came across his blogroll, which includes links to other blogs he finds interesting. Again, that list is well worth checking out as it has some good blogs in there.

Side note – I was thrilled to see this blog listed on his list, thanks Jan!

I went through the list, hoping to find some new feeds to add to my RSS reader. But I was surprised to learn that many of the blogs that Jan had linked to didn’t support RSS.

Y U No RSS?

I was able to find some of these people on Mastodon, so I will be able to consume their new content. However, some people had no obvious way to subscribe, so I will be unlikely to see their new posts in future.

There aren’t many tech people that I know who don’t use RSS feeds to consume news and articles, so by not supporting RSS you could be losing readers. I know for most people (myself included) writing content isn’t about amassing a huge readership, but that doesn’t mean we shouldn’t take steps to ensure our content is easy to consume.

If you own a blog, please make sure it supports RSS.

Oh, that reminds me, if you want to add the feed for this site to your RSS reader, it’s https://kevq.uk/feed.
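Supporting RSS means more than having a feed file: readers find a site’s feed through autodiscovery, a link element in the page head that names the feed’s type and URL, so a feed that exists but is not advertised this way is only found by people who guess the URL. The following is an added example, not code from the original post, showing how that lookup works; the two sample pages and the blog.example URLs are constructed.

```python
# Added example (not from the post): how a feed reader finds a site's feed.
# Readers look for <link rel="alternate" type="application/rss+xml" ...>
# (or the Atom / JSON Feed equivalents) in the page's <head>. The sample
# pages below are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin

FEED_TYPES = {
    "application/rss+xml",
    "application/atom+xml",
    "application/feed+json",
}


class FeedLinkParser(HTMLParser):
    """Collect feed autodiscovery links, resolving relative hrefs against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.feeds = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = {name: (value or "") for name, value in attrs}
        # rel is a space-separated token list, e.g. rel="alternate nofollow"
        if "alternate" not in attr.get("rel", "").lower().split():
            return
        # rel=alternate is also used for translations and AMP pages (type
        # text/html), so the MIME type is what actually identifies a feed
        feed_type = attr.get("type", "").lower().strip()
        if feed_type not in FEED_TYPES or not attr.get("href"):
            return
        self.feeds.append({
            "type": feed_type,
            "title": attr.get("title", ""),
            "url": urljoin(self.page_url, attr["href"]),
        })


def discover_feeds(html, page_url):
    """Return the feeds a page advertises, in document order."""
    parser = FeedLinkParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.feeds


# Constructed samples: one blog advertising RSS and Atom, one advertising nothing.
PAGE_WITH_FEEDS = """<!doctype html>
<html><head>
  <title>Example blog</title>
  <link rel="alternate" type="application/rss+xml" title="RSS" href="/feed">
  <link rel="alternate" type="application/atom+xml" title="Atom" href="feed.atom">
  <link rel="alternate" hreflang="de" type="text/html" href="/de/">
  <link rel="stylesheet" href="/style.css">
</head><body><p>Hello</p></body></html>"""

PAGE_WITHOUT_FEEDS = """<html><head><title>No feed here</title>
<link rel="stylesheet" href="/style.css"></head><body></body></html>"""


if __name__ == "__main__":
    for name, page in (("with", PAGE_WITH_FEEDS), ("without", PAGE_WITHOUT_FEEDS)):
        print(name, discover_feeds(page, "https://blog.example/posts/hello/"))
```

Run against the first sample, discover_feeds returns the RSS feed at https://blog.example/feed (a root-relative href) and the Atom feed at https://blog.example/posts/hello/feed.atom (a relative href resolved against the page), and ignores the translated-page link that also carries rel=alternate; the second sample yields an empty list, which is what a reader sees on a blog that has not advertised its feed.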

Can you think of a good reason NOT to use RSS on a website? What am I missing here?

Migrating from WordPress to Grav

I’ve been running a blog for quite a few years now. I first started with Blogger, before moving on to WordPress, and ultimately selling my site so I could have a break. A few years later I got the bug again and decided to start a blog on Ghost. Server admin became a pain, so I started hosting a static version of a WordPress site, but have since migrated to dedicated WordPress hosting with EasyWP.

It’s fair to say that my website has been through quite the evolution, and for the most part I was very happy with WordPress and EasyWP. However, there were some things that I wanted to change:

  • Remove Google Fonts from my theme.
  • General lack of control with my theme (it was a purchased theme).
  • I disliked the new Gutenberg editor on WordPress.

I really liked Ghost’s Markdown support and the simplicity of their admin interface; however, hosting a Ghost website is either expensive or a lot of administrative work, as it needs a dedicated server because it runs on Node.js. So I went on the hunt to find something else…

Grav

I heard about Grav a while ago and actually use it for the Fosstodon Hub. However, the Hub was put together in a rush and I never really took the time to learn Grav in-depth. I basically took an existing theme and changed some of the CSS elements to make the colours fit Fosstodon’s theme.

I started playing around with Grav around a month ago. Mainly out of curiosity, but also with a view to improving Fosstodon Hub’s theme. After spending some time with Grav and becoming more familiar with it, I thought I could probably make it the platform for my personal blog too.

What is Grav?

Good question! The Grav team describe it as “A modern open source flat-file CMS”. That basically means that you have a happy medium between a static site generator, like Hugo or Jekyll, and a full-blown CMS, like WordPress. There is an admin interface you can install to edit the site and produce posts, or you can just edit the files directly, like a static site generator.

Grav also uses Markdown for its main content, so writing a post within the Grav admin interface is really simple. Or you can use Markdown editors like Ghostwriter to write locally, then upload your files to your web server.

Grav admin UI

Why Migrate?

There are a number of arguments to be made in favour of both WordPress and Grav, but overall Grav won out for me. There were three main factors that made me go with this option:

  1. Better performance
  2. Save money
  3. More control

Better Performance

As I said earlier, Grav uses flat files, and it also has caching functionality out of the box. There is no database to query on every request, and the rendered output is cached rather than rebuilt each time the site loads. This, along with the caching, means that I can host the Grav site on very cheap, shared hosting and my site actually loads quicker than when I was hosting with EasyWP.

Save Money

Being able to host my website on a shared hosting account that I already use for a couple of other sites, such as analytics and a personal wiki, has saved me money. EasyWP is priced well, costing approximately $4/month. That’s really cheap for dedicated WordPress hosting – and the performance is really good, for WordPress. Let’s be real though, a WordPress site is never going to compete with a flat-file website.

Unfortunately, EasyWP doesn’t support free SSL certificates, such as Let’s Encrypt, so I needed to buy an SSL certificate every year. Again, these aren’t expensive; I get mine from NameCheap and they cost around $7/year, but it’s another thing I have to manage and pay for.

So hosting with EasyWP cost me approximately $55/year. My shared hosting account, which supports free SSL certificates, costs me around $12/year. That’s a significant saving. We’re not talking huge numbers here, and neither of these options will break the bank, but if I can get better performance for less than a quarter of the price, then it’s a no-brainer.

More Control

This is probably the main reason I wanted to migrate from WordPress to Grav. The theme I was using on my WordPress site was gorgeous (well I thought so anyway), but it wasn’t mine. It was a theme I bought from Theme Forest. I didn’t write the theme, I’m not responsible for the theme, and I have little control over what I can do with it as I don’t know what license it has (Theme Forest don’t make that obvious).

Worse still, the theme uses Google Fonts for font rendering. Now, I could change that easily, but I didn’t know if I would be breaking whatever license the theme has. So I didn’t want to take that risk. For the Grav site, I took the default Quark theme (which has an MIT license) and made it my own. Self-hosted fonts, so no Google, and the reassurance of knowing I’m in full control of the theme and not breaking any licenses.

My WordPress site
My Grav site

Migrating from WordPress to Grav

The process of actually migrating from WordPress to Grav was a pain. Unfortunately there is no way that I could find of automating the process, so I had to basically copy and paste each post and page into Grav, then remove all the additional crap that WordPress adds to the text (the block-editor comments and inline HTML that come with every Gutenberg post).

Thankfully, Grav doesn’t add additional crap; it’s just plain Markdown, so if I decide to move away from Grav at some point, it should be relatively easy.
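One way the copy-and-paste step could be automated, as an added example that is not the post’s own tooling: WordPress can export every post as a WXR file (an RSS 2.0 document with wp: and content: extensions), and that XML can be turned into Grav page folders directly. The converter below assumes the Quark-style blog layout of user/pages/01.blog/<slug>/item.md, keeps the HTML body apart from stripping the Gutenberg block comments and <p> wrappers (Grav’s Markdown renderer passes inline HTML through), and quotes front-matter values and sanitises slugs because an export is untrusted input. The sample export is constructed.

```python
# Added example (not the post's own tooling; the author copied posts by hand):
# a converter from a WordPress WXR export (Tools > Export in wp-admin) to
# Grav page files. Assumptions: the Quark-style blog layout
# user/pages/01.blog/<slug>/item.md, published posts only, the HTML body
# kept as-is apart from Gutenberg block comments and <p> wrappers (Grav's
# Markdown renderer passes inline HTML through). The sample export is
# constructed.
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "content": "http://purl.org/rss/1.0/modules/content/",
    "wp": "http://wordpress.org/export/1.2/",
}
# Gutenberg wraps every block in comments: <!-- wp:paragraph --> ... <!-- /wp:paragraph -->
BLOCK_COMMENT = re.compile(r"<!--\s*/?wp:.*?-->\s*", re.S)


def yaml_str(value):
    """Single-quoted YAML scalar, so a title containing ': ' or '#' cannot
    break (or inject keys into) the front matter. The only escape is '' for '."""
    return "'" + value.replace("'", "''") + "'"


def safe_slug(name):
    """Reduce a post_name to [a-z0-9-]; an export is untrusted input and a
    post_name such as '../..' must never become a directory name."""
    slug = re.sub(r"[^a-z0-9-]+", "-", name.lower()).strip("-")
    if not slug:
        raise ValueError("post has no usable slug")
    return slug


def html_to_body(html):
    """Strip the editor markup WordPress adds; everything else is left for Grav."""
    html = BLOCK_COMMENT.sub("", html)
    html = re.sub(r"<p(\s[^>]*)?>", "", html)   # <p> and <p class=...>, not <pre>
    html = re.sub(r"</p>\s*", "\n\n", html)
    return html.strip() + "\n"


def wxr_to_grav(xml_text, blog_dir="user/pages/01.blog"):
    """Return {relative file path: file content} for every published post."""
    pages = {}
    for item in ET.fromstring(xml_text).iter("item"):
        if item.findtext("wp:post_type", namespaces=NS) != "post":
            continue
        if item.findtext("wp:status", namespaces=NS) != "publish":
            continue
        title = item.findtext("title", default="").strip()
        slug = safe_slug(item.findtext("wp:post_name", default="", namespaces=NS) or title)
        posted = datetime.strptime(
            item.findtext("wp:post_date", namespaces=NS), "%Y-%m-%d %H:%M:%S")
        categories = [c.text or "" for c in item.findall("category") if c.get("domain") == "category"]
        tags = [c.text or "" for c in item.findall("category") if c.get("domain") == "post_tag"]

        front = [
            "---",
            f"title: {yaml_str(title)}",
            f"date: '{posted:%Y-%m-%d %H:%M}'",   # ISO order is unambiguous to Grav
            "taxonomy:",
        ]
        for key, values in (("category", categories), ("tag", tags)):
            front.append(f"    {key}:" + ("" if values else " []"))
            front.extend(f"        - {yaml_str(v)}" for v in values)
        front.append("---")

        body = html_to_body(item.findtext("content:encoded", default="", namespaces=NS))
        pages[f"{blog_dir}/{slug}/item.md"] = "\n".join(front) + "\n\n" + body
    return pages


# Constructed two-item export: one published Gutenberg post, one draft.
SAMPLE_WXR = """<rss version="2.0"
    xmlns:content="http://purl.org/rss/1.0/modules/content/"
    xmlns:wp="http://wordpress.org/export/1.2/">
<channel>
<item>
  <title>Please Add RSS Support: Why It Matters</title>
  <category domain="category" nicename="blog"><![CDATA[Blog]]></category>
  <category domain="post_tag" nicename="rss"><![CDATA[RSS]]></category>
  <wp:post_name>please-add-rss-support</wp:post_name>
  <wp:post_type>post</wp:post_type>
  <wp:status>publish</wp:status>
  <wp:post_date>2019-06-20 09:30:00</wp:post_date>
  <content:encoded><![CDATA[<!-- wp:paragraph -->
<p>I went through the list, hoping to find new feeds.</p>
<!-- /wp:paragraph -->

<!-- wp:paragraph -->
<p>If you own a blog, <em>please</em> make sure it supports RSS.</p>
<!-- /wp:paragraph -->]]></content:encoded>
</item>
<item>
  <title>Unfinished</title>
  <wp:post_name>unfinished</wp:post_name>
  <wp:post_type>post</wp:post_type>
  <wp:status>draft</wp:status>
  <wp:post_date>2019-06-21 09:30:00</wp:post_date>
  <content:encoded><![CDATA[<p>not yet</p>]]></content:encoded>
</item>
</channel>
</rss>
"""

if __name__ == "__main__":
    for path, content in wxr_to_grav(SAMPLE_WXR).items():
        print(path)
        print(content)
```

For the sample export this yields a single file, user/pages/01.blog/please-add-rss-support/item.md, whose front matter carries the quoted title, the date, and the category and tag under taxonomy, followed by the two paragraphs with the block comments and <p> tags gone; the draft is skipped. Writing the returned dictionary to disk with os.makedirs and open is the only step left, and the safe_slug check is what makes that safe to do on an export you did not produce yourself.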

Comments

I had around 600 published comments on my WordPress site, which included a lot of good discussion – I didn’t want to lose that information. Problem is, Grav doesn’t support comments out of the box, so I needed a solution.

The obvious solution for a lot of people would have been Disqus, but there are a number of privacy and security concerns with their service. So I went on the hunt and found Commento.

Commento is a privacy respecting commenting service that works in a similar way to Disqus. I was able to import all of my comments automatically, but the downside is that the metadata didn’t come over with the comments, so they’re all listed as anonymous comments. That’s fine though, it’s the content that’s important.

Commento isn’t a free service, I currently pay $3/month, so I obviously need to factor that in to my cost savings over WordPress, but it still comes out cheaper and like I said earlier, it doesn’t break the bank anyway.

There is an option to self-host Commento, and I will probably look into that in the future, but for now, I’m happy and me paying for the service helps support development.

Conclusion

I’ve made a lot of changes to the Quark theme to make it my own (now called the Quirk theme), it has been a lot of work, but really worth it.

I now have a website with a design that I’m really happy with, that I’m in full control over and is running open source and privacy respecting software right through the stack.

I don’t know if I will ever move away from Grav to something else, but for the time being, I’m really happy with what I have managed to create here.

Are you a Grav user, or have you recently migrated to or from WordPress? Feel free to tell me your thoughts in the comments section below.