Dear followers of this thread,
Finding far too many insecurities during my scanning is really discouraging.
Normal IT staff is not up to it, and technical IT cannot make the difference somehow,
also pro-active hosting is too few and too far in between.
Here an example where 1600 attempts at canvas fingerprinting were blocked by my chrome extension, read the full story here:
https://forum.avast.com/index.php?topic=177229.0
Now theory on best practices and actual practice isn't often in balance.
Here I have a site author that discusses ways to block canvas fingerprinting,
but that very article site breaches your privacy with a so-called Facebook Likebutton
we find tracking us now from many, many a webpage (together with his AddThis friend and Google+ pal).
The Facebook Like-button was neatly replaced by my PrivacyBadger extension inside Google Chrome,
but one sees what experts are preaching and what they actually do online are two different things.
Here is the link to find that button (if you have an extension to set it out).
http://gizmodo.com/what-you-need-to-know-about-the-sneakiest-new-online-tr-1608455771
There is also a SPOF report for that site:
Possible Frontend SPOF from:
-kinja.com - Whitelist
(100%) - <script async type="text/javascript" src="//kinja.com/api/profile/assets/javascripts/sso.js">
-html5shiv.googlecode.com - Whitelist
(97%) - <script src="//html5shiv.googlecode.com/svn/trunk/html5.js">
-pagead2.googlesyndication.com - Whitelist
(44%) - <script type="text/javascript" src="-http://pagead2.googlesyndication.com/pagead/show_ads.js">
-www.googletagservices.com - Whitelist
(7%) - <script type="text/javascript" src="//-www.googletagservices.com/tag/js/gpt.js" async>
-c.amazon-adsystem.com - Whitelist
(7%) - <script type="text/javascript" src="//-c.amazon-adsystem.com/aax2/amzn_ads.js" async>
Not blocking these could also make that website load quite a bit slower.
Privacy is a non-existent animal today and that should be our conclusion. We could make it a bit more difficult for the trackers and profilers and those that dragnet us, but at the end we haven't enough defenses.
Script and request blocking are still our best bets, but you cannot win where others forget about the security of their online visitors - outdated (server) software, outdated CMS, use of left software, misconfigurations, bad hosting, incompetence and disinterest are hard devils to fight.
polonus (volunteer website security analyst and website error-hunter)
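A small check of the frontend SPOF idea in the report above, as an added example that is not polonus's code and not part of the original post: it scans HTML for third-party script tags and flags those loaded without async or defer, since the browser's HTML parser stalls on such a script until that host answers. The sample HTML reuses the tags quoted in the report (stray "-" marks removed); the first-party tag, the deferred tag on cdn.example.test and the page host gizmodo.com are constructed assumptions.

```javascript
// Added example, not code from the original post. The sample HTML is
// constructed from the tags quoted in the post's SPOF report plus two
// made-up tags (a first-party script and a deferred third-party one);
// the page host "gizmodo.com" is an assumption.
const SAMPLE_HTML = `
<script async type="text/javascript" src="//kinja.com/api/profile/assets/javascripts/sso.js"></script>
<script src="//html5shiv.googlecode.com/svn/trunk/html5.js"></script>
<script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
<script type="text/javascript" src="//www.googletagservices.com/tag/js/gpt.js" async></script>
<script type="text/javascript" src="//c.amazon-adsystem.com/aax2/amzn_ads.js" async></script>
<script src="/static/app.js"></script>
<script src="//cdn.example.test/async-lib.js" defer></script>
`;

// Matches each opening <script ...> tag and captures its attribute string.
const SCRIPT_TAG = /<script\b([^>]*)>/gi;

// Host of an absolute or protocol-relative URL; null for a same-origin path.
function hostOf(src) {
  const m = /^(?:https?:)?\/\/([^/:?#]+)/i.exec(src);
  return m ? m[1].toLowerCase() : null;
}

// One record per external third-party script: { host, src, blocking }.
// "blocking" means neither async nor defer is present, so parsing stops
// until the third-party host responds (or the request times out).
function findThirdPartyScripts(html, pageHost) {
  const findings = [];
  for (const [, attrs] of html.matchAll(SCRIPT_TAG)) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!srcMatch) continue;                      // inline script, nothing fetched
    const host = hostOf(srcMatch[1]);
    if (!host || host === pageHost || host.endsWith('.' + pageHost)) continue;
    // Blank out quoted attribute values so "async" inside a URL is not
    // mistaken for the boolean attribute.
    const bareAttrs = attrs.replace(/"[^"]*"|'[^']*'/g, '""');
    const blocking = !/\b(?:async|defer)\b/i.test(bareAttrs);
    findings.push({ host, src: srcMatch[1], blocking });
  }
  return findings;
}

// Hosts whose outage would stall rendering of the page: the ones to load
// async/defer or to whitelist deliberately, as the report suggests.
function spofHosts(html, pageHost) {
  return findThirdPartyScripts(html, pageHost)
    .filter((f) => f.blocking)
    .map((f) => f.host);
}

console.log(spofHosts(SAMPLE_HTML, 'gizmodo.com'));
```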