
And it makes perfect sense for my bank to be doing this to me, since I'm logged in and they already have all my money. They already have the complete Identity Theft Kit, how much more do they need to know?
(Also that dialog should win some kind of "Enter to Exit" award for inapprehensibility.)
Thanks for the link to that extension though. Looks good.
The UI is crufty as hell, but it does the job well. I wish there was an iOS version.
Presumably it's impossible to do what it does with the Content Blocking API, which is the only available option on iOS. The extension on macOS gets labelled with the "this will steal your stuff" warning, which happens when it's not using said API.
Shit, I'd settle for an RSS reader that just turned off JavaScript 100% of the time on the "view the original page" page.
If we're wishing for workarounds for idiots who broke the web, may I have a Twitter client that turns all AMP links into usable URLs so I never ever have to see one, inadvertently share one, or worse, decipher the URL scheme to canonicalize it myself?
AMP links are the worst. Apple News has its own link hell as does Flipboard. I just want the link to the _actual_ article without getting locked into your special brand of hell.
> AMP links are the worst
Yet they load in literally a second on my throttled 40kb/s mobile connection.
I realise it's just honey, but damn is it good.
Worse, Apple attempts to canonicalize AMP links in Safari on iOS 11, yet some other bit of Apple is off polluting the web with Apple News links.
Are there blockers for the surreptitious bitcoin miners yet? How do those work, anyway? The Web Workers API?
I'd bet that this is your bank's attempt to implement "multi-factor authentication" in accordance with FFIEC rules, which allow pretty much anything to be multi-factor auth, except, you know, using an app or a token or something as good as world of fucking warcraft does to protect your magic swords.
Except they also do SMS 2-factor.
Dude, they do it to sell your "anonymous" financial status to data brokers. Banks are one of the few people who can make a hard link between your browsing habits and finances.
Oops, meant to reply to Angry Security Guy.
I'm guessing they use it to avoid session fixation attacks. Yes they authenticate with SMS (which is broken since SMS is broken, but whatever) but then you get a session token that can be stolen. And since loads of people load their computers with malware, stealing that session token is a possible thing. Tying that session token to an IP address won't work with mobile computing and the fact that we keep using IPv4 + NAT.
So instead fingerprint the browser and lock the session token to that to try and stay ahead - make the attackers figure out how to capture and to fake canvas responses. It's firedoor security. From the bank's perspective, it won't stop attackers forever but it means you're making them do more work. Heck, you have some chances to catch them - though the legal system can't really do that well yet. But it definitely means you're a less desirable target and the attackers can go after banks that don't do that.
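The session-to-fingerprint binding described in the comment above, as an added example that is not code from the thread or from any bank. The signal names (`canvas_hash`, `user_agent`, `timezone`), `SERVER_KEY` and the function names are assumptions, and the sample signals are constructed.

```python
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server

def fingerprint_digest(signals: dict) -> bytes:
    """Hash the client signals in a canonical form so key order does not matter."""
    canon = json.dumps(signals, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).digest()

def _tag(session_id: str, signals: dict) -> str:
    # Fixed-length digest first, so the concatenation is unambiguous.
    msg = fingerprint_digest(signals) + session_id.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(signals: dict) -> str:
    """Called after login: mint a session id and bind it to this browser."""
    session_id = secrets.token_urlsafe(16)
    return f"{session_id}.{_tag(session_id, signals)}"

def verify_token(token: str, signals: dict) -> bool:
    """Called on every request with the signals the client presents now."""
    session_id, sep, tag = token.rpartition(".")
    if not sep or not session_id:
        return False
    expected = _tag(session_id, signals)
    # Constant-time comparison on bytes; tolerates non-ASCII garbage in the tag.
    return hmac.compare_digest(tag.encode(), expected.encode())

# Constructed sample signals: the browser that logged in, and a different one.
LEGIT = {"canvas_hash": "a3f1", "user_agent": "ExampleBrowser/1.0", "timezone": "UTC-8"}
OTHER = {"canvas_hash": "9c0e", "user_agent": "ExampleBrowser/1.0", "timezone": "UTC-8"}

if __name__ == "__main__":
    token = issue_token(LEGIT)
    print("same browser:     ", verify_token(token, LEGIT))
    print("token moved alone:", verify_token(token, OTHER))
    # Limit noted in the comment above: a client that also presents the
    # original signals passes, so this raises cost rather than preventing theft.
```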
The trouble with this thinking is that they break useful privacy tools for their own temporary convenience. If you can't tell the good guys from the bad, the good guys aren't good.