A way to stop having to read the same security comic every time we log in

[mangadexprofile]

Long time user resent poster but i have noticed that whenever i log into Mangadex it always makes me scroll to the bottom of the sites long security comic. We get it do not give your Pussy(@+$ special key to randos on the Inter-webs, so can we get the site to remember that we have read the security comic 500 times.

 

[mangadexprofile]

Oh yeah also that's a thing, but just as much as browser fingerprinting and other more advanced techniques that someone like Google would use. If you read the description though, it's not about cookies, but rather how to use every single possible browser data persistence option to make a cookie-like thing happen. In general just storing a unique id as a string somewhere, anywhere. So disabling cookies does nothing for that, since the whole idea is to not rely on actual cookies alone.


Sure that exists too. But while it might be morally bad (no personal opinion on the matter, and MD doesn't make use of any of that), it's mainly to help designers find out what UI elements confuse users (buttons they don't click, or unclickable elements they do try to click, etc). afaik https://www.hotjar.com/product-designer/ (click the "See what users see" section of that page to see an example) is one of the most popular such products.

But again, this is not actually related to malfeasance (or cookies, for that matter) in any meaningful way.

This was intended as thread to talk about different methods of migrating user consents and settings to the Mangadex's cloud servers. So that every interaction with the site from a device or application that does not already have your settings stored in local storage would not cause you to have to re-select them all. This has now become the mad ravings of me my imaginary friend Mr Tinfoil Hat and what my gradual dissociation with reality is causing me to refer to as the Tristan Twins. I now fear that i have strayed so far from where i started that i can no longer tell where far i Ive come but i now know that whatever path i choose to now take it will me further from whence i came, So anyways here i go digging. I have not been making an argument against cookies or making a statement to the capability of every cookie. I have been making statements about the dangers that cookies can present when coupled with a compromised site and unprotected browser. The code that can pose as a third party cookie and hide its self potential as a first party cookie can acquire a non insignificant amount of personal data. I am not talking about Mangadex's security or a likely outcome from leaving open permissions to all cookies, the internet is vast and has the ability to make large numbers quickly become much more finite. This started with a mildly sarcastic response from to a blanket statement of just enable cookies. This then caused a series of responses from people suggesting that cookies where nothing to fear which i clearly disagreed with. Firearms experts treat every gun as loaded because they can be dangerous and to always treat them as such, security for ones property ends at the user. The buck stops at you think before you click is all that i have be trying to say. Just a reminder this dumpster fire started as a suggestion about connecting the security comic consent to the user profile, so lets keep it civil so we do not attract trolls to the fire. This has not been directed at anyone in particular.

 

[zloa2y04w]

Here goes my attempt at putting this thread out of its misery:

Regarding the original post, the functionality already exists. The reading status of announcements is saved in your browser's Local Storage. Items saved in Local Storage do not have an expiration date and should persist until you manually delete them.

If you are regularly clearing Local Storage and want the setting to be saved server-side, the answer will be the same as in other similar threads. Some settings will be moved to the server in the future. You likely won't get an ETA or confirmation that this is one of those settings.

---

Your posts on network security and cookies, I'm afraid, read like the ramblings of a luddite.

Your first reply conflates your requested convenience feature with matters of web security. Any website that provides a customized experience for its users needs to store information locally. For a website with a login this could be as small as a random session identifier. It doesn't really matter where this information is stored (Local Storage, Session Storage, Cookies) but if you delete this information the website will forget about you. It is also common to save some additional information locally for various reasons. As an example, MangaDex stores reader settings locally on purpose because people will have different settings depending on the device type. I do actually agree with you that it would be nice to store dismissals of announcements server-side. But that is a matter of convenience not security.

In your next reply you conflate the concepts of privacy and security. You link an article that talks about privacy concerns with cookies. Next you link to MangaDex's previous data breach which was caused by an RCE and had little to do with "cookie security". Having "to re agree" the use of cookies in any new browser you use is an inevitability of all websites with login and account functionality. Most people are happy with the "overuse" of cookies (Local Storage) because they do not sign into new devices very often and the announcement shows up only once at the beginning for any web browser in its default setup.

Your third reply already contains mostly incoherent ramblings about some cookie going rogue and stealing your banking information. This, again, confuses the privacy issues with cookies for security issues. Cookies are often used to "steal" marketing-relevant information about you. The companies behind these services are trying to gather as much information about you as they can so that they can place more relevant ads and get you to buy more unnecessary things. They are not trying to find out your mother's maiden name to social engineer your bank into transfering all your money to them. The specific purpose of tools like uBlock Origin is to block these types of cookies without disrupting site functionality. Which is why MangaDex works just fine with it enabled. Blocking all first-party cookies will break pretty much all websites with any type of login.

This reply encapsulates your tech illiteracy very well. You claim that telling the average user to enable cookies is "terrible advice", but all mainstream browsers (even more privacy-focused ones) enable at least some cookies by default. They do this because blocking all cookies breaks, within a margin of error, all websites on the internet. You then again continue with the whole "stealing bank logins and passwords" claim. Please provide a source for a single hack where banking logins where exfiltrated using cookies from an unrelated site.

unless you have a browser with profile you can log into form different computers that also saves your local storage online

What do you think "local" means? It's called Local Storage, because it is local to the specific web browser.

---

Generally, you are preventing the MangaDex website from using legitimate tools such as a persistent Local Storage and complaining about degraded functionality. Your initial request is actually quite reasonable after you explained it a little more clearly and I have upvoted it to show my support. As with any suggestion costing dev time, it's a "maybe" on if it will be implemented and a "someday" on when. It does not seem like the highest priority item.

The rest of this thread is, frankly, crazy. Cookies are not like a gun, loaded or otherwise. They are like kitchen knives. You can certainly stab someone with a kitchen knife, but they are an important tool that most people have in their home. You are the one advocating for keeping a single blunt kitchen knife in a lockbox in a cellar, wondering why it's a pain to use your kitchen to make a meal, and acting like we are all weird for just keeping our knives in the kitchen.

 

[mangadexprofile]

Here goes my attempt at putting this thread out of its misery:

Regarding the original post, the functionality already exists. The reading status of announcements is saved in your browser's Local Storage. Items saved in Local Storage do not have an expiration date and should persist until you manually delete them.

If you are regularly clearing Local Storage and want the setting to be saved server-side, the answer will be the same as in other similar threads. Some settings will be moved to the server in the future. You likely won't get an ETA or confirmation that this is one of those settings.

---

Your posts on network security and cookies, I'm afraid, read like the ramblings of a luddite.

Your first reply conflates your requested convenience feature with matters of web security. Any website that provides a customized experience for its users needs to store information locally. For a website with a login this could be as small as a random session identifier. It doesn't really matter where this information is stored (Local Storage, Session Storage, Cookies) but if you delete this information the website will forget about you. It is also common to save some additional information locally for various reasons. As an example, MangaDex stores reader settings locally on purpose because people will have different settings depending on the device type. I do actually agree with you that it would be nice to store dismissals of announcements server-side. But that is a matter of convenience not security.

In your next reply you conflate the concepts of privacy and security. You link an article that talks about privacy concerns with cookies. Next you link to MangaDex's previous data breach which was caused by an RCE and had little to do with "cookie security". Having "to re agree" the use of cookies in any new browser you use is an inevitability of all websites with login and account functionality. Most people are happy with the "overuse" of cookies (Local Storage) because they do not sign into new devices very often and the announcement shows up only once at the beginning for any web browser in its default setup.

Your third reply already contains mostly incoherent ramblings about some cookie going rogue and stealing your banking information. This, again, confuses the privacy issues with cookies for security issues. Cookies are often used to "steal" marketing-relevant information about you. The companies behind these services are trying to gather as much information about you as they can so that they can place more relevant ads and get you to buy more unnecessary things. They are not trying to find out your mother's maiden name to social engineer your bank into transfering all your money to them. The specific purpose of tools like uBlock Origin is to block these types of cookies without disrupting site functionality. Which is why MangaDex works just fine with it enabled. Blocking all first-party cookies will break pretty much all websites with any type of login.

This reply encapsulates your tech illiteracy very well. You claim that telling the average user to enable cookies is "terrible advice", but all mainstream browsers (even more privacy-focused ones) enable at least some cookies by default. They do this because blocking all cookies breaks, within a margin of error, all websites on the internet. You then again continue with the whole "stealing bank logins and passwords" claim. Please provide a source for a single hack where banking logins where exfiltrated using cookies from an unrelated site.

What do you think "local" means? It's called Local Storage, because it is local to the specific web browser.

---

Generally, you are preventing the MangaDex website from using legitimate tools such as a persistent Local Storage and complaining about degraded functionality. Your initial request is actually quite reasonable after you explained it a little more clearly and I have upvoted it to show my support. As with any suggestion costing dev time, it's a "maybe" on if it will be implemented and a "someday" on when. It does not seem like the highest priority item.

The rest of this thread is, frankly, crazy. Cookies are not like a gun, loaded or otherwise. They are like kitchen knives. You can certainly stab someone with a kitchen knife, but they are an important tool that most people have in their home. You are the one advocating for keeping a single blunt kitchen knife in a lockbox in a cellar, wondering why it's a pain to use your kitchen to make a meal, and acting like we are all weird for just keeping our knives in the kitchen.

Firefox allows profiles across devices which lets the user share data across devices, i do not know if that goes beyond bookmarks, passwords and permissions which are considered local. To respond to your comments regarding security i gave links for information on the type danger programs labeled as cookie can pose i then state that the risk where unlikely. Regarding my status as a Luddite which is not the most appropriate use of the word, i have said i understand the necessity of storing data to a users computers or browsers to improve performance. Every single person who has responded to my post so far has listed first party cookies, local storage, browser settings and various programs that that make cookies safe, guess what if you need a list of things you have to do to make using something safe then it is not safe the method of operation is what is safe. all that i have stated is that allowing all cookies access to your computer with no regard to security is not best practices, yet i keep getting bonked with the Luddite hammer. I posted the Mangadex link because it is literally right at the bottom of the page and i hoped would help illustrate my belief it is a bad practice to give complete access and trust to any site regardless of how good they are because all it takes is one hack to change there cookies along with anything else. Just to be clear i know that Mangadex does not use cookies, which is what makes the number of comments about cookies on this suggestion post so out of control.

 

[wcfdwfc]

Firefox allows profiles across devices which lets the user share data across devices, i do not know if that goes beyond bookmarks, passwords and permissions which are considered local. To respond to your comments regarding security i gave links for information on the type danger programs labeled as cookie can pose i then state that the risk where unlikely. Regarding my status as a Luddite which is not the most appropriate use of the word, i have said i understand the necessity of storing data to a users computers or browsers to improve performance. Every single person who has responded to my post so far has listed first party cookies, local storage, browser settings and various programs that that make cookies safe, guess what if you need a list of things you have to do to make using something safe then it is not safe the method of operation is what is safe. all that i have stated is that allowing all cookies access to your computer with no regard to security is not best practices, yet i keep getting bonked with the Luddite hammer. I posted the Mangadex link because it is literally right at the bottom of the page and i hoped would help illustrate my belief it is a bad practice to give complete access and trust to any site regardless of how good they are because all it takes is one hack to change there cookies along with anything else. Just to be clear i know that Mangadex does not use cookies, which is what makes the number of comments about cookies on this suggestion post so out of control.

How is this still going on? If you fear the cookies so much, just delete your account and never log into any website ever again. To change cookies, is to fundamentally change how the internet functions. It is a necessary evil.
And when it comes to Firefox, they upload all your information to the cloud, that is what helps them sync your settings, passwords and what not. Cookies remain on your device. Sounds like you are raging at the wrong subject.

 

[rikuwu]

How is this still going on? If you fear the cookies so much, just delete your account and never log into any website ever again. To change cookies, is to fundamentally change how the internet functions. It is a necessary evil.
And when it comes to Firefox, they upload all your information to the cloud, that is what helps them sync your settings, passwords and what not. Cookies remain on your device. Sounds like you are raging at the wrong subject.

Firefox allows profiles across devices which lets the user share data across devices, i do not know if that goes beyond bookmarks, passwords and permissions which are considered local. To respond to your comments regarding security i gave links for information on the type danger programs labeled as cookie can pose i then state that the risk where unlikely. Regarding my status as a Luddite which is not the most appropriate use of the word, i have said i understand the necessity of storing data to a users computers or browsers to improve performance. Every single person who has responded to my post so far has listed first party cookies, local storage, browser settings and various programs that that make cookies safe, guess what if you need a list of things you have to do to make using something safe then it is not safe the method of operation is what is safe. all that i have stated is that allowing all cookies access to your computer with no regard to security is not best practices, yet i keep getting bonked with the Luddite hammer. I posted the Mangadex link because it is literally right at the bottom of the page and i hoped would help illustrate my belief it is a bad practice to give complete access and trust to any site regardless of how good they are because all it takes is one hack to change there cookies along with anything else. Just to be clear i know that Mangadex does not use cookies, which is what makes the number of comments about cookies on this suggestion post so out of control.

be op
read one too many indian infosec threads on twitter
trusts browser profile sync over cookies

I don't know how many layers deep you have to go to get to OP's level of braincell deficiency, and I don't want to find out.

From a web security standpoint, cookies are literally just a key-value store, with everything else around it dictating how websites can use/modify data ON THE COOKIE. You have to explicitly go out of your way to write external mechanisms and make them unsafe (i.e. evaluating arbitrary code from cookies), because they are literally ONLY capable of storing strings of data. Websites are not able to gain any extra info from you through storing cookies on your device that they wouldn't already be able to obtain otherwise.

If you're allergic to local data storage on your device, I urge you to uninstall your web browser immediately, and stop bothering other people on the internet with your schizophrenic incoherent rambling. Reciting unrelated articles you find on the interwebz does not make you sound smart.

 

[Koneko_Nyaa]

Honestly, I wish MD would store my settings on the server.
Some of us use public or work computers which essentially give us a fresh browser every time.
I use the same settings on every device and I wish I wouldn't have to go reconfigure them every time I log in.
I don't care for per-device settings. I wish the site would load MY defaults for a new session, rather than the generic defaults.

The other thing that should be saved server-side is blacklists. I hate that hidden groups don't get blocked across all devices and will eventually reappear. I want to be able to hide shit-tier translators permanently.

 

[mangadexprofile]

Honestly, I wish MD would store my settings on the server.
Some of us use public or work computers which essentially give us a fresh browser every time.
I use the same settings on every device and I wish I wouldn't have to go reconfigure them every time I log in.
I don't care for per-device settings. I wish the site would load MY defaults for a new session, rather than the generic defaults.

The other thing that should be saved server-side is blacklists. I hate that hidden groups don't get blocked across all devices and will eventually reappear. I want to be able to hide shit-tier translators permanently.

Thanks for contributing to the topic. I would think with there being so little for settings options that Mangadex could assign each option a variable between 1-225 in basic binary which would let them store all of the users setting in a very short string of code. Though they would need to programs the site to read the assigned variables as your settings and then select them for you upon logging in. I do not know how much work something like that would be for them to implement. I think it would be fairly basic though my only experiences with programing is from programming basic HTML and custom commands for database systems way back. So i do not know how much of the current design and would have to be changed to do this or how much work it would really take to employment.

 

[Penthero]

Thanks for contributing to the topic. I would think with there being so little for settings options that Mangadex could assign each option a variable between 1-225 in basic binary which would let them store all of the users setting in a very short string of code. Though they would need to programs the site to read the assigned variables as your settings and then select them for you upon logging in. I do not know how much work something like that would be for them to implement. I think it would be fairly basic though my only experiences with programing is from programming basic HTML and custom commands for database systems way back. So i do not know how much of the current design and would have to be changed to do this or how much work it would really take to employment.

Of course they can do that, but I doubt it’s high priority as it doesn’t make much difference for most users with accounts. This also does nothing for guest users, so for them they still need a frontend only solution. There’s absolutely no issue doing what MD is doing now, unless your browser is crap, but that’s another issue. So in the end it feels like a waste of time which they can put somewhere else.

 

[mangadexprofile]

Of course they can do that, but I doubt it’s high priority as it doesn’t make much difference for most users with accounts. This also does nothing for guest users, so for them they still need a frontend only solution. There’s absolutely no issue doing what MD is doing now, unless your browser is crap, but that’s another issue. So in the end it feels like a waste of time which they can put somewhere else.

Saving the settings to the severs can help save you the trouble of having to sync your home browser to a browser profile to avoid it, plus a site like Mangadex's main selling points is curation of what you are reading, are planning to read and have read, so rembering your settings a plus. people also keep bringing up the your setting preferences could change based on device but you can just give local storage priority for that, which is mainly about screen size preference between phone tab and home screens.

 

[Ndtm]

@Koneko_Nyaa @mangadexprofile @Penthero
It's already planned for Eventually

 

[Penthero]

@Koneko_Nyaa @mangadexprofile @Penthero
It's already planned for Eventually

Eventually usually means never. Just kidding, even though it is common some planned stuff never happens because it’s so low priority compared to everything else.

Saving the settings to the severs can help save you the trouble of having to sync your home browser to a browser profile to avoid it, plus a site like Mangadex's main selling points is curation of what you are reading, are planning to read and have read, so rembering your settings a plus. people also keep bringing up the your setting preferences could change based on device but you can just give local storage priority for that, which is mainly about screen size preference between phone tab and home screens.

Yes I know what server side settings are good for, but for some things it’s not worth the time. I’m sure there’s better analytics available, but just checking the forum there’s 75% guests right now.
If it’s fine to save some settings in local storage, why isn’t the setting this thread started about fine to store there? It’s an annoyance for you, yes, but that’s all. Make an exception for MD if you want to avoid it and wait to see if/when they get time around to do any changes.

 

[mangadexprofile]

@Koneko_Nyaa @mangadexprofile @Penthero
It's already planned for Eventually

Thanks funny thing is that same guy commented on my post and did not say annthing other than to enable cookies, though he updated it to local storage. looks like this thread is solved.

 

[Ndtm]

Thanks funny thing is that same guy commented on my post and did not say annthing other than to enable cookies, though he updated it to local storage. looks like this thread is solved.

Because they're about different things, things like the original topic is about would essentially be just wasted space on the server so i don't see that moving from a cookie/localstorage or whatever it is in, the eventually i was talking about is pretty much the the stuff in https://mangadex.org/settings, maybe it would've been clearer if i used the reply on the specific latest posts about the server sided settings but that'd take up quite a bit of space (could've put it in a spoiler i guess)