When we built the new website for www.gimp.org we moved from a homegrown build system to using Pelican, a Python based Static Site Generator. That migration deserves its own post over on the GIMP website to talk about the process and the specific things we did to support the new site design, but we did use the migration as an opportunity to step up the security of the site substantially. (This was mostly due to the efforts and prodding of Michael Schumacher.)
Security matters to me as well, so when I migrated this to a new site I also implemented many of the same ideas. I’m not quite Content Security Policy (CSP) ready like the GIMP website is, but it’s in my plans!
Why It Matters
Unbeknownst to many folks, your web browsing habits can betray quite a lot of information about you to places you may never have realized. Assets on a page can be loaded from many different places across the web, and whoever serves those assets logs the requests. Depending on the asset, they may be collecting much more than what you originally asked for.
Perhaps you have a Facebook account. When you log onto Facebook in your browser the site will set a cookie that can uniquely identify you (for your convenience of course). This is not uncommon for many sites that need to persist data between browser sessions.
What makes this insidious is that Facebook ads are included all over the web (including the FB “pixel”), as are various interaction widgets such as FB comments or “Like” buttons that are loaded from Facebook servers. When those things are included, the request your browser makes for them carries that same cookie, so Facebook receives tracking information about you and your interactions on these other web pages. Now Facebook knows you like whatever weird thing it is that you’re browsing (no judgement, but eww).
It’s not just Facebook, either. Remember that any external asset being requested in a page is likely being logged. As such, I’ve tried to minimize how this might affect any readers here.
I used Google AdSense on the old site. This was awesome for a while because the little bit I earned from those ads helped me to pay for the server infrastructure for PIXLS.US in the beginning. I considered keeping the ads here but I figured people would have a better, and safer, experience if I didn’t.
I don’t like them, you don’t like them, so why bother? If you like what I’m doing and want to send a thanks, you can do it directly to me at paypal.me/patdavid. (If you’d like to support PIXLS.US directly, the community would appreciate it!)
Speaking of Google
Unfortunately, as I said above:
Any external asset being requested in a page is likely being logged (or worse).
In lieu of telling Google that you’re visiting my website by having your browser request a font from them when you visit here, I am hosting the font files myself. (If you’re curious, it’s all Libre Baskerville.)
If you’re not lazy, it turns out you can do most of the same thing by taking the time to program links properly during the static generation of the site. This is what it looks like on https://www.gimp.org, at the bottom of news items:
I haven’t created these links yet for this site, but it’s on my to-do list and will probably look just like the above.
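The check I would run over the generated output to see how far a site has actually got with this, as an added example that is not the GIMP site's or this blog's own code: a short Python script (Pelican's language) that lists the third-party hosts a page would contact on load, counting stylesheets, fonts declared in CSS, scripts and images but not plain share links. The site host, sample page and hostnames in it are constructed; run it over the real HTML to see what a Google-hosted font or an Analytics script adds.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# tag -> attributes the browser fetches while rendering (a plain <a href> is not fetched)
FETCH_ATTRS = {"script": ("src",), "img": ("src",), "iframe": ("src",), "video": ("src", "poster")}
# a <link> only fetches, or at least opens a connection, for these rel values
FETCHING_RELS = {"stylesheet", "icon", "preload", "prefetch", "preconnect", "dns-prefetch"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)")  # url(...) references inside CSS

class AssetCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        wanted = list(FETCH_ATTRS.get(tag, ()))
        if tag == "link" and FETCHING_RELS & set(attrs.get("rel", "").lower().split()):
            wanted.append("href")
        self.urls += [attrs[a].strip() for a in wanted if attrs.get(a)]
        self.urls += CSS_URL.findall(attrs.get("style", ""))  # inline style="...url(...)"
        self._in_style = self._in_style or tag == "style"

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:  # @font-face src and background images inside a <style> block
            self.urls += CSS_URL.findall(data)

def external_hosts(html, site_host):
    """Hosts other than site_host that a browser would contact to load this page."""
    collector = AssetCollector()
    collector.feed(html)
    # urlparse yields no hostname for relative paths or data: URIs, but does for "//cdn.example/..."
    hosts = {urlparse(u).hostname for u in collector.urls}
    return {h for h in hosts if h and h != site_host.lower()}

# Constructed sample page mixing self-hosted assets with third-party ones.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Libre+Baskerville">
<link rel="canonical" href="https://example.org/posts/site-update/">
<style>@font-face{font-family:LB;src:url("/theme/fonts/LibreBaskerville.woff2")}</style>
<script src="https://www.google-analytics.com/analytics.js"></script></head><body>
<img src="//cdn.example.net/photo.jpg"><img src="https://example.org/images/own.jpg">
<a href="https://social.example.com/share?url=https://example.org/">Share</a></body></html>"""

if __name__ == "__main__":
    print(sorted(external_hosts(SAMPLE_PAGE, "example.org")))
```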
I may still change this in the future and simply rely on analyzing the Apache server logs offline, or I may switch to using a self-hosted solution like Piwik. For the time being, please know that I am including a link to Google Analytics. If you don’t want to let me log your visits with Analytics, then the easiest method to avoid it is to use something like an ad blocker.
I personally use uBlock Origin.
Another good option is to use a project from the Electronic Frontier Foundation called Privacy Badger (I use this as well).
I’ve set the entire site to use HTTPS with a Let’s Encrypt certificate. I had already done this for PIXLS.US, so this was a no-brainer. We’re now keeping the connection between my server here and your browser private and secure! (Look for the little green lock icon in your browser address bar.)
Not all of the pages are fully HTTPS compliant yet. I hosted most of the images on my old blog with Google, so I still need to work through the old posts and download those images to serve from my own server.
David Revoy (of Pepper & Carrot fame) also recently fought against using CDN libraries on the Pepper & Carrot site. Of course, being a talented artist, his transition ended up with the creation of an awesome Cat Avatar Generator (to replace Gravatar) and his own font as well!