A way to stop having to read the same security comic every time we log in

Joined
Feb 16, 2023
Messages
18
Long time user resent poster but i have noticed that whenever i log into Mangadex it always makes me scroll to the bottom of the sites long security comic. We get it do not give your Pussy(@+$ special key to randos on the Inter-webs, so can we get the site to remember that we have read the security comic 500 times.
 
Upvote 2
Yuri Enjoyer
Staff
Developer
Joined
Feb 16, 2020
Messages
425
Sorry tristan if this has felt like an attack
It hasn't, don't worry :thumbsup:

I want someone to say third party cookies are bad
They are bad indeed, but we don't use them, so I didn't consider it super relevant to this discussion, mostly.

My suggestion was for Mangadex to store consents and heck why not setting while we are at it
The main problem with this is us then needing to store more data about users (which we'd rather not), and even per-device data (which we'd even less want to do).

these could be used to track your activity on other sites once on your browser which would give them access to your logins which could include social, state-fed ID bank login and recent purchases
Yeah so that is not a thing at all. Cookies are (and iirc all mainstream browsers do that by default these days, more details here https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#samesite_attribute ) limited to be read by the site who wrote them in in the first place. Another site cannot just read random cookies off your browser (your browser is the one that decides whether or not to send them to the website for requests it makes to it; so it is the ultimate authority on the matter, no matter what a shady site might try to pull).

So short of having malware installed on your computer (at which point it might as well be a keylogger and it's GG anyway) accessing the local files where your browser stores cookies, this type of thing is 15 years old information (in general, there are heaps of nuance here).

They insert additional tracking code that can record a user's online activity.
That's a separate concern, and not nearly as black-and-white as you think. For example we do track the number of users online ourselves; not because we care about what you are reading (the data is anonymized so we couldn't find out even if we wanted, but specifically we don't care) but because we need to understand if something like a site slowness is happening out of the blue or in reaction to a massive spike; or to see a sudden drop for a country and be able to help people understand that their ISP is likely blocking us, etc.

For those we use the least privacy-invasive option that we are aware of on the market (and we also selfhost it), see their detailed information here https://plausible.io/data-policy

Restrictions on third-party cookies introduced by web browsers are bypassed by some tracking companies using technique called CNAME cloaking,
Yes and no; many browsers (notably Safari for example) check for that. But yes, it's a technique some sites will use, not us though since we selfhost our stuff and thus have 0 need for it. It is also very much visible on the client's side when done, like so:

Just A records:
Code:
$ dig +short mangadex.org
45.129.229.1
45.129.229.2

api.mangadex.org is an alias (which is essentially what a CNAME record is) to mangadex.org and thus has the same IPs:
Code:
$ dig +short api.mangadex.org
mangadex.org.
45.129.229.2
45.129.229.1

uploads.mangadex.org is an alias to imlb.mangadex.org and has a slightly different IP set:
Code:
$ dig +short uploads.mangadex.org
imlb.mangadex.org.
45.129.229.5
45.129.229.2
45.129.229.6
45.129.229.1

The problem I see here is that you're conflating misuse of technologies with them being essentially bad. None of any of this was made for tracking, and all of this has genuine uses completely unrelated to tracking (or even security). Once again, they just happen to be incredibly useful tools in many regards.
 
Last edited:
Yuri Enjoyer
Staff
Developer
Joined
Feb 16, 2020
Messages
425
Supercookies or "evercookies" can not only be used to track users across the web, but they are also hard to detect and difficult to remove since
Oh yeah also that's a thing, but just as much as browser fingerprinting and other more advanced techniques that someone like Google would use. If you read the description though, it's not about cookies, but rather how to use every single possible browser data persistence option to make a cookie-like thing happen. In general just storing a unique id as a string somewhere, anywhere. So disabling cookies does nothing for that, since the whole idea is to not rely on actual cookies alone.

Session replay scripts allows the ability to replay a visitor's journey
Sure that exists too. But while it might be morally bad (no personal opinion on the matter, and MD doesn't make use of any of that), it's mainly to help designers find out what UI elements confuse users (buttons they don't click, or unclickable elements they do try to click, etc). afaik https://www.hotjar.com/product-designer/ (click the "See what users see" section of that page to see an example) is one of the most popular such products.

But again, this is not actually related to malfeasance (or cookies, for that matter) in any meaningful way.
 
VIP
Joined
Nov 12, 2019
Messages
49
Petition to ban OP for being retarded?

If you're willing to chill on the schizophrenia a bit, I can ELI5 you on cookies. Those text walls you've posted show that you're grossly misinformed on cookies (well, the web and the state of web security in general), and should probably have an adult handhold you through this.
 
Joined
Feb 16, 2023
Messages
18
Oh yeah also that's a thing, but just as much as browser fingerprinting and other more advanced techniques that someone like Google would use. If you read the description though, it's not about cookies, but rather how to use every single possible browser data persistence option to make a cookie-like thing happen. In general just storing a unique id as a string somewhere, anywhere. So disabling cookies does nothing for that, since the whole idea is to not rely on actual cookies alone.


Sure that exists too. But while it might be morally bad (no personal opinion on the matter, and MD doesn't make use of any of that), it's mainly to help designers find out what UI elements confuse users (buttons they don't click, or unclickable elements they do try to click, etc). afaik https://www.hotjar.com/product-designer/ (click the "See what users see" section of that page to see an example) is one of the most popular such products.

But again, this is not actually related to malfeasance (or cookies, for that matter) in any meaningful way.
This was intended as thread to talk about different methods of migrating user consents and settings to the Mangadex's cloud servers. So that every interaction with the site from a device or application that does not already have your settings stored in local storage would not cause you to have to re-select them all. This has now become the mad ravings of me my imaginary friend Mr Tinfoil Hat and what my gradual dissociation with reality is causing me to refer to as the Tristan Twins. I now fear that i have strayed so far from where i started that i can no longer tell where far i Ive come but i now know that whatever path i choose to now take it will me further from whence i came, So anyways here i go digging. I have not been making an argument against cookies or making a statement to the capability of every cookie. I have been making statements about the dangers that cookies can present when coupled with a compromised site and unprotected browser. The code that can pose as a third party cookie and hide its self potential as a first party cookie can acquire a non insignificant amount of personal data. I am not talking about Mangadex's security or a likely outcome from leaving open permissions to all cookies, the internet is vast and has the ability to make large numbers quickly become much more finite. This started with a mildly sarcastic response from to a blanket statement of just enable cookies. This then caused a series of responses from people suggesting that cookies where nothing to fear which i clearly disagreed with. Firearms experts treat every gun as loaded because they can be dangerous and to always treat them as such, security for ones property ends at the user. The buck stops at you think before you click is all that i have be trying to say. Just a reminder this dumpster fire started as a suggestion about connecting the security comic consent to the user profile, so lets keep it civil so we do not attract trolls to the fire. This has not been directed at anyone in particular.
 
Active member
Joined
Jan 8, 2023
Messages
19
Here goes my attempt at putting this thread out of its misery:

Regarding the original post, the functionality already exists. The reading status of announcements is saved in your browser's Local Storage. Items saved in Local Storage do not have an expiration date and should persist until you manually delete them.

If you are regularly clearing Local Storage and want the setting to be saved server-side, the answer will be the same as in other similar threads. Some settings will be moved to the server in the future. You likely won't get an ETA or confirmation that this is one of those settings.



Your posts on network security and cookies, I'm afraid, read like the ramblings of a luddite.

Your first reply conflates your requested convenience feature with matters of web security. Any website that provides a customized experience for its users needs to store information locally. For a website with a login this could be as small as a random session identifier. It doesn't really matter where this information is stored (Local Storage, Session Storage, Cookies) but if you delete this information the website will forget about you. It is also common to save some additional information locally for various reasons. As an example, MangaDex stores reader settings locally on purpose because people will have different settings depending on the device type. I do actually agree with you that it would be nice to store dismissals of announcements server-side. But that is a matter of convenience not security.

In your next reply you conflate the concepts of privacy and security. You link an article that talks about privacy concerns with cookies. Next you link to MangaDex's previous data breach which was caused by an RCE and had little to do with "cookie security". Having "to re agree" the use of cookies in any new browser you use is an inevitability of all websites with login and account functionality. Most people are happy with the "overuse" of cookies (Local Storage) because they do not sign into new devices very often and the announcement shows up only once at the beginning for any web browser in its default setup.

Your third reply already contains mostly incoherent ramblings about some cookie going rogue and stealing your banking information. This, again, confuses the privacy issues with cookies for security issues. Cookies are often used to "steal" marketing-relevant information about you. The companies behind these services are trying to gather as much information about you as they can so that they can place more relevant ads and get you to buy more unnecessary things. They are not trying to find out your mother's maiden name to social engineer your bank into transfering all your money to them. The specific purpose of tools like uBlock Origin is to block these types of cookies without disrupting site functionality. Which is why MangaDex works just fine with it enabled. Blocking all first-party cookies will break pretty much all websites with any type of login.

This reply encapsulates your tech illiteracy very well. You claim that telling the average user to enable cookies is "terrible advice", but all mainstream browsers (even more privacy-focused ones) enable at least some cookies by default. They do this because blocking all cookies breaks, within a margin of error, all websites on the internet. You then again continue with the whole "stealing bank logins and passwords" claim. Please provide a source for a single hack where banking logins where exfiltrated using cookies from an unrelated site.
unless you have a browser with profile you can log into form different computers that also saves your local storage online
What do you think "local" means? It's called Local Storage, because it is local to the specific web browser.



Generally, you are preventing the MangaDex website from using legitimate tools such as a persistent Local Storage and complaining about degraded functionality. Your initial request is actually quite reasonable after you explained it a little more clearly and I have upvoted it to show my support. As with any suggestion costing dev time, it's a "maybe" on if it will be implemented and a "someday" on when. It does not seem like the highest priority item.

The rest of this thread is, frankly, crazy. Cookies are not like a gun, loaded or otherwise. They are like kitchen knives. You can certainly stab someone with a kitchen knife, but they are an important tool that most people have in their home. You are the one advocating for keeping a single blunt kitchen knife in a lockbox in a cellar, wondering why it's a pain to use your kitchen to make a meal, and acting like we are all weird for just keeping our knives in the kitchen.
 
Joined
Feb 16, 2023
Messages
18
Here goes my attempt at putting this thread out of its misery:

Regarding the original post, the functionality already exists. The reading status of announcements is saved in your browser's Local Storage. Items saved in Local Storage do not have an expiration date and should persist until you manually delete them.

If you are regularly clearing Local Storage and want the setting to be saved server-side, the answer will be the same as in other similar threads. Some settings will be moved to the server in the future. You likely won't get an ETA or confirmation that this is one of those settings.



Your posts on network security and cookies, I'm afraid, read like the ramblings of a luddite.

Your first reply conflates your requested convenience feature with matters of web security. Any website that provides a customized experience for its users needs to store information locally. For a website with a login this could be as small as a random session identifier. It doesn't really matter where this information is stored (Local Storage, Session Storage, Cookies) but if you delete this information the website will forget about you. It is also common to save some additional information locally for various reasons. As an example, MangaDex stores reader settings locally on purpose because people will have different settings depending on the device type. I do actually agree with you that it would be nice to store dismissals of announcements server-side. But that is a matter of convenience not security.

In your next reply you conflate the concepts of privacy and security. You link an article that talks about privacy concerns with cookies. Next you link to MangaDex's previous data breach which was caused by an RCE and had little to do with "cookie security". Having "to re agree" the use of cookies in any new browser you use is an inevitability of all websites with login and account functionality. Most people are happy with the "overuse" of cookies (Local Storage) because they do not sign into new devices very often and the announcement shows up only once at the beginning for any web browser in its default setup.

Your third reply already contains mostly incoherent ramblings about some cookie going rogue and stealing your banking information. This, again, confuses the privacy issues with cookies for security issues. Cookies are often used to "steal" marketing-relevant information about you. The companies behind these services are trying to gather as much information about you as they can so that they can place more relevant ads and get you to buy more unnecessary things. They are not trying to find out your mother's maiden name to social engineer your bank into transfering all your money to them. The specific purpose of tools like uBlock Origin is to block these types of cookies without disrupting site functionality. Which is why MangaDex works just fine with it enabled. Blocking all first-party cookies will break pretty much all websites with any type of login.

This reply encapsulates your tech illiteracy very well. You claim that telling the average user to enable cookies is "terrible advice", but all mainstream browsers (even more privacy-focused ones) enable at least some cookies by default. They do this because blocking all cookies breaks, within a margin of error, all websites on the internet. You then again continue with the whole "stealing bank logins and passwords" claim. Please provide a source for a single hack where banking logins where exfiltrated using cookies from an unrelated site.

What do you think "local" means? It's called Local Storage, because it is local to the specific web browser.



Generally, you are preventing the MangaDex website from using legitimate tools such as a persistent Local Storage and complaining about degraded functionality. Your initial request is actually quite reasonable after you explained it a little more clearly and I have upvoted it to show my support. As with any suggestion costing dev time, it's a "maybe" on if it will be implemented and a "someday" on when. It does not seem like the highest priority item.

The rest of this thread is, frankly, crazy. Cookies are not like a gun, loaded or otherwise. They are like kitchen knives. You can certainly stab someone with a kitchen knife, but they are an important tool that most people have in their home. You are the one advocating for keeping a single blunt kitchen knife in a lockbox in a cellar, wondering why it's a pain to use your kitchen to make a meal, and acting like we are all weird for just keeping our knives in the kitchen.
Firefox allows profiles across devices which lets the user share data across devices, i do not know if that goes beyond bookmarks, passwords and permissions which are considered local. To respond to your comments regarding security i gave links for information on the type danger programs labeled as cookie can pose i then state that the risk where unlikely. Regarding my status as a Luddite which is not the most appropriate use of the word, i have said i understand the necessity of storing data to a users computers or browsers to improve performance. Every single person who has responded to my post so far has listed first party cookies, local storage, browser settings and various programs that that make cookies safe, guess what if you need a list of things you have to do to make using something safe then it is not safe the method of operation is what is safe. all that i have stated is that allowing all cookies access to your computer with no regard to security is not best practices, yet i keep getting bonked with the Luddite hammer. I posted the Mangadex link because it is literally right at the bottom of the page and i hoped would help illustrate my belief it is a bad practice to give complete access and trust to any site regardless of how good they are because all it takes is one hack to change there cookies along with anything else. Just to be clear i know that Mangadex does not use cookies, which is what makes the number of comments about cookies on this suggestion post so out of control.
 
Aggregator gang
Joined
May 8, 2019
Messages
124
Firefox allows profiles across devices which lets the user share data across devices, i do not know if that goes beyond bookmarks, passwords and permissions which are considered local. To respond to your comments regarding security i gave links for information on the type danger programs labeled as cookie can pose i then state that the risk where unlikely. Regarding my status as a Luddite which is not the most appropriate use of the word, i have said i understand the necessity of storing data to a users computers or browsers to improve performance. Every single person who has responded to my post so far has listed first party cookies, local storage, browser settings and various programs that that make cookies safe, guess what if you need a list of things you have to do to make using something safe then it is not safe the method of operation is what is safe. all that i have stated is that allowing all cookies access to your computer with no regard to security is not best practices, yet i keep getting bonked with the Luddite hammer. I posted the Mangadex link because it is literally right at the bottom of the page and i hoped would help illustrate my belief it is a bad practice to give complete access and trust to any site regardless of how good they are because all it takes is one hack to change there cookies along with anything else. Just to be clear i know that Mangadex does not use cookies, which is what makes the number of comments about cookies on this suggestion post so out of control.
How is this still going on? If you fear the cookies so much, just delete your account and never log into any website ever again. To change cookies, is to fundamentally change how the internet functions. It is a necessary evil.
And when it comes to Firefox, they upload all your information to the cloud, that is what helps them sync your settings, passwords and what not. Cookies remain on your device. Sounds like you are raging at the wrong subject.
 
VIP
Joined
Nov 12, 2019
Messages
49
How is this still going on? If you fear the cookies so much, just delete your account and never log into any website ever again. To change cookies, is to fundamentally change how the internet functions. It is a necessary evil.
And when it comes to Firefox, they upload all your information to the cloud, that is what helps them sync your settings, passwords and what not. Cookies remain on your device. Sounds like you are raging at the wrong subject.
Firefox allows profiles across devices which lets the user share data across devices, i do not know if that goes beyond bookmarks, passwords and permissions which are considered local. To respond to your comments regarding security i gave links for information on the type danger programs labeled as cookie can pose i then state that the risk where unlikely. Regarding my status as a Luddite which is not the most appropriate use of the word, i have said i understand the necessity of storing data to a users computers or browsers to improve performance. Every single person who has responded to my post so far has listed first party cookies, local storage, browser settings and various programs that that make cookies safe, guess what if you need a list of things you have to do to make using something safe then it is not safe the method of operation is what is safe. all that i have stated is that allowing all cookies access to your computer with no regard to security is not best practices, yet i keep getting bonked with the Luddite hammer. I posted the Mangadex link because it is literally right at the bottom of the page and i hoped would help illustrate my belief it is a bad practice to give complete access and trust to any site regardless of how good they are because all it takes is one hack to change there cookies along with anything else. Just to be clear i know that Mangadex does not use cookies, which is what makes the number of comments about cookies on this suggestion post so out of control.
be op
read one too many indian infosec threads on twitter
trusts browser profile sync over cookies
I don't know how many layers deep you have to go to get to OP's level of braincell deficiency, and I don't want to find out.

From a web security standpoint, cookies are literally just a key-value store, with everything else around it dictating how websites can use/modify data ON THE COOKIE. You have to explicitly go out of your way to write external mechanisms and make them unsafe (i.e. evaluating arbitrary code from cookies), because they are literally ONLY capable of storing strings of data. Websites are not able to gain any extra info from you through storing cookies on your device that they wouldn't already be able to obtain otherwise.

If you're allergic to local data storage on your device, I urge you to uninstall your web browser immediately, and stop bothering other people on the internet with your schizophrenic incoherent rambling. Reciting unrelated articles you find on the interwebz does not make you sound smart.
 
Dex-chan lover
Joined
Aug 24, 2018
Messages
899
Honestly, I wish MD would store my settings on the server.
Some of us use public or work computers which essentially give us a fresh browser every time.
I use the same settings on every device and I wish I wouldn't have to go reconfigure them every time I log in.
I don't care for per-device settings. I wish the site would load MY defaults for a new session, rather than the generic defaults.

The other thing that should be saved server-side is blacklists. I hate that hidden groups don't get blocked across all devices and will eventually reappear. I want to be able to hide shit-tier translators permanently.
 
Last edited:
Joined
Feb 16, 2023
Messages
18
Honestly, I wish MD would store my settings on the server.
Some of us use public or work computers which essentially give us a fresh browser every time.
I use the same settings on every device and I wish I wouldn't have to go reconfigure them every time I log in.
I don't care for per-device settings. I wish the site would load MY defaults for a new session, rather than the generic defaults.

The other thing that should be saved server-side is blacklists. I hate that hidden groups don't get blocked across all devices and will eventually reappear. I want to be able to hide shit-tier translators permanently.
Thanks for contributing to the topic. I would think with there being so little for settings options that Mangadex could assign each option a variable between 1-225 in basic binary which would let them store all of the users setting in a very short string of code. Though they would need to programs the site to read the assigned variables as your settings and then select them for you upon logging in. I do not know how much work something like that would be for them to implement. I think it would be fairly basic though my only experiences with programing is from programming basic HTML and custom commands for database systems way back. So i do not know how much of the current design and would have to be changed to do this or how much work it would really take to employment.
 
Dex-chan lover
Joined
Jan 18, 2023
Messages
2,054
Thanks for contributing to the topic. I would think with there being so little for settings options that Mangadex could assign each option a variable between 1-225 in basic binary which would let them store all of the users setting in a very short string of code. Though they would need to programs the site to read the assigned variables as your settings and then select them for you upon logging in. I do not know how much work something like that would be for them to implement. I think it would be fairly basic though my only experiences with programing is from programming basic HTML and custom commands for database systems way back. So i do not know how much of the current design and would have to be changed to do this or how much work it would really take to employment.
Of course they can do that, but I doubt it’s high priority as it doesn’t make much difference for most users with accounts. This also does nothing for guest users, so for them they still need a frontend only solution. There’s absolutely no issue doing what MD is doing now, unless your browser is crap, but that’s another issue. So in the end it feels like a waste of time which they can put somewhere else.
 
Joined
Feb 16, 2023
Messages
18
Of course they can do that, but I doubt it’s high priority as it doesn’t make much difference for most users with accounts. This also does nothing for guest users, so for them they still need a frontend only solution. There’s absolutely no issue doing what MD is doing now, unless your browser is crap, but that’s another issue. So in the end it feels like a waste of time which they can put somewhere else.
Saving the settings to the severs can help save you the trouble of having to sync your home browser to a browser profile to avoid it, plus a site like Mangadex's main selling points is curation of what you are reading, are planning to read and have read, so rembering your settings a plus. people also keep bringing up the your setting preferences could change based on device but you can just give local storage priority for that, which is mainly about screen size preference between phone tab and home screens.
 
Dex-chan lover
Joined
Jan 18, 2023
Messages
2,054
Eventually usually means never. Just kidding, even though it is common some planned stuff never happens because it’s so low priority compared to everything else.

Saving the settings to the severs can help save you the trouble of having to sync your home browser to a browser profile to avoid it, plus a site like Mangadex's main selling points is curation of what you are reading, are planning to read and have read, so rembering your settings a plus. people also keep bringing up the your setting preferences could change based on device but you can just give local storage priority for that, which is mainly about screen size preference between phone tab and home screens.
Yes I know what server side settings are good for, but for some things it’s not worth the time. I’m sure there’s better analytics available, but just checking the forum there’s 75% guests right now.
If it’s fine to save some settings in local storage, why isn’t the setting this thread started about fine to store there? It’s an annoyance for you, yes, but that’s all. Make an exception for MD if you want to avoid it and wait to see if/when they get time around to do any changes.
 
File Attacher
Staff
Super Moderator
Joined
Jan 20, 2018
Messages
255
Thanks funny thing is that same guy commented on my post and did not say annthing other than to enable cookies, though he updated it to local storage. looks like this thread is solved.
Because they're about different things, things like the original topic is about would essentially be just wasted space on the server so i don't see that moving from a cookie/localstorage or whatever it is in, the eventually i was talking about is pretty much the the stuff in https://mangadex.org/settings, maybe it would've been clearer if i used the reply on the specific latest posts about the server sided settings but that'd take up quite a bit of space (could've put it in a spoiler i guess)
 

Users who are viewing this thread

Top