
Some of the people I've talked with over the years study things like nuclear weapons arms control or cyberwarfare. The most paranoid of the bunch have resorted to having Virtual Private Servers screenshot websites with headless browsers once they load and pipe them back to their research machine. I can't remember if it's a table of PNGs or just one big one, but either way it's sent back over an SSH tunnel and when you click the server knows what you're trying to click on and performs the action for you, and will randomly forward the click to a new VPS.

It's not perfect because the IP blocks make it obvious that it comes from DigitalOcean, AWS, etc, but it's sure better than loading untrusted PDFs or JS locally. Still vulnerable to a network attack, though.



Sounds like Stallman

>I generally do not connect to web sites from my own machine, aside from a few sites I have some special relationship with. I usually fetch web pages from other sites by sending mail to a program (see https://git.savannah.gnu.org/git/womb/hacks.git) that fetches them, much like wget, and then mails them back to me. Then I look at them using a web browser, unless it is easy to see the text in the HTML page directly. I usually try lynx first, then a graphical browser if the page needs it

https://stallman.org/stallman-computing.html


How does this stop something as simple as user-unique URLs for each link? A new VPS that fetches a unique URL is trivial to tie to the same user.
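
Added example (not part of the thread): a constructed Python model of the per-user link tokens raised in the comment above, showing that the site ties clicks together by token no matter which exit IP fetched them. The `TrackingSite` class, the `t` query parameter and `site.example` are assumptions for illustration; stripping the token breaks the chain here only because this model treats it as an optional query parameter.

```python
import secrets
from urllib.parse import urlsplit, parse_qs


class TrackingSite:
    """Constructed model of a site that puts a per-visitor token in every link."""

    def __init__(self):
        self.token_to_visitor = {}  # token -> visitor id
        self.seen_ips = {}          # visitor id -> exit IPs seen, in order
        self._next_id = 0

    def handle(self, url, client_ip):
        """Serve a page, identifying the visitor by URL token rather than by IP."""
        token = parse_qs(urlsplit(url).query).get("t", [None])[0]
        visitor = self.token_to_visitor.get(token)
        if visitor is None:  # missing or unknown token: treated as a new visitor
            visitor = self._next_id
            self._next_id += 1
        self.seen_ips.setdefault(visitor, []).append(client_ip)
        # Every outgoing link carries a fresh token bound to the same visitor.
        links = []
        for path in ("/a", "/b"):
            t = secrets.token_hex(8)
            self.token_to_visitor[t] = visitor
            links.append(f"https://site.example{path}?t={t}")
        return visitor, links


def browse(site, exit_ips, strip_token=False):
    """Follow the first link on each page, using a different exit IP per click."""
    url = "https://site.example/"
    visitors = []
    for ip in exit_ips:
        visitor, links = site.handle(url, ip)
        visitors.append(visitor)
        url = links[0]
        if strip_token:
            url = url.split("?", 1)[0]  # drop the query string before the next fetch
    return visitors


if __name__ == "__main__":
    ips = ["198.51.100.1", "203.0.113.7", "192.0.2.9"]  # constructed exit IPs
    print("rotating IPs only:  ", browse(TrackingSite(), ips))
    print("rotating + stripped:", browse(TrackingSite(), ips, strip_token=True))
```
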


Open multiple browser sessions for the user, and randomly choose one of them as the 'result' (but still click on all of them, even if the resultant page isn't viewed).

Or, just don't use the website if they do this.


I keep thinking someone will reboot Opera's mini web browser for this purpose. (Their intermediate server renders the target website to an image.)

I also anticipate someone will do smart diffing on target websites to better auto nuke ads, trackers, etc.


Isn't that worse, a big brother in the middle watching everything and even doing TLS termination? Unless it's running on a Tor-like distributed system?


Much belated response, sorry.

I just don't know. I've stopped using VPNs for this very reason.


This type of tracking seems to assume the user is not bothering to send a fake Referer, e.g. she can just use the URL she is requesting, or just omit the header. One could argue such users are "low-hanging fruit".

Very few websites will vary the response if there is no Referer. Sending it really offers little benefit to the user.

Setting up a "headless" browser also seems like overkill. Firefox 57 and later has a -screenshot command line option which saves a PNG. No need to launch X11 for this to work.


Payment flows often require a specific referrer.


Solution: Send a Referer when making payments, i.e., when using the web for commerce.

No need to send one when using the web for recreation.


So they're taking screenshots via the VM console? Why not just directly interact with the VM console, then?


If they’re forwarding each click to a different VM to avoid persistent tracking then that wouldn’t work.



Why don't they use isolated laptops with only 4G access or a dedicated external line?



