A missing blog post image

How did you come up with this awful thought ??

During past weeks, at work, we couldn’t figure out why several times a day “someone” was probing “/robots.txt” of one of the internal WEB applications.

After having blamed each one of our softwares (even Firefox, sorry Mozilla I won’t do it again) and persons, I thought about our browser extensions.

So I ended up doing a little search for “robots.txt” on Wappalyzer’s sources, and surprise :

A missing blog post image

Wait wait wait, what is Wappalyzer ??

I have to admit, Wappalyzer is a very powerful tool allowing you to find out which WEB technologies are being used on the websites you visit. But now we know that it mainly bases its results from cached-metadata it gathers FROM YOU daily…
… with the help of some lines of JavaScript dedicated to this at the bottom of the very same source file :

A missing blog post image

Okay, it’s an OpenSource project, and that’s a good point of course.
Sadly, the built-in “analytics” solution is enabled by default, and that’s an effing privacy mess.

Why is this so important ?

There is people on earth fighting for WEB decentralization focusing their work on some important privacy aspects, and in the meantime you got some browser extensions like that one.
The point is, there are dozens of external calls and script codes tracking you while you are visiting a website in 2018, but you are fortunately able to get rid of most of them (it’s in French).
The problem with Wappalyzer is that the “tracker” is not shipped in the pages you visit, but directly in your browser, so the other extensions you use for your privacy won’t be able to do A THING about that.

So, to sum the whole thing up, using Wappalyzer as a browser add-on by default turns your WEB browser into a[nother] tracker like many of your mobile applications, sending most of your browsing history to a third actor hosted on Amazon “for research purposes”, “anonymously”.

The author(s) hoped that using “anonymous” and “research” words would comfort the users. The point is, even if we assume the owners do not perform any statistical operations at “the application level”, simple HTTP GET or POST actions will leave some very important information at least within the WEB server logs like your public IP address, which actually does not anonymize you at all.
You’re sceptical about that ? You (really) wanna see what it looks like ? Here you are…

A missing blog post image

So your IP address (the 1st field) will identify (at the very least) your network, and your User-Agent (the latest field) may identify your device.
At the very last, by grouping on timestamps (2nd field), you are even able to identify a person among others sharing the same public IP and User-Agents (let’s say in a company with automatically deployed workstations for instance).

What are the consequences ? Am I concerned ??

You are concerned if you do use this service as a browser extension.
I guess you don’t want to appear on private lists containing visitors of some of the doubtful websites below…

A missing blog post image

So don’t use the Wappalyzer’s browser extension, or at least consider opting-out from the “anonymous […] research purposes” privacy-mess module option (see at the end of this post).

It’s without saying that the “project” does not present any business model, so remember the best sentence of our century : “If you’re not paying for the product, you are the product”.

Conclusion

Nevertheless, I wanted to “thank” the add-on authors for having let this option somewhat, as long as the “analytics” implementation in the sources.
They could have not, but they “fairly” (?) did.

But again, and as this guy was suggesting some days ago, that very option should be DISABLED by default…


Tell me how to opt-out from this privacy mess !!

If you really care about this browser extension, I’d advise you to uncheck the third option available within the module preferences, as below :

A missing blog post image


EDIT 2019-11-15 : As Konstantin Samuel pointed out (see comments below), technologies icons are served locally by the WEB extension itself and not served from Wappalyzer’s servers as I was claiming.
So I apologize to the Wappalyzer team for having wrote and published something wrong.