
The way I read it, the discussion is about third-party ads which are disguised as first-party ads by using CNAME DNS records, so that `totallyfirstpartyads.mywebsite.com` is actually just referring to `serveads.thirdpartyadcompany.com`.

More than that, random subdomains are used to subvert adblockers.

To me, it seems that the discussion is about third-party ads which are masquerading as first-party content. It's not about first-party ads or whether the content should be free, but about third-party advertisers pretending to be first-party.




There's no such thing as pretending to be first-party. All ads are going to be served through a service/software provider the same way sites run on WordPress or use a CDN.

The data relationship changes with first-party serving because it's now isolated to that site.


> The data relationship changes with first-party serving because it's now isolated to that site.

Except that when you decide to point to someone else's domain via a DNS CNAME on your own domain, you open the door to cookies, referrer information, and more being leaked to the third party.

Whether it's intentional or not, I think it's a bad thing to do.

Oh, and it opens the door for malicious cross-domain scripting if the CDN you're CNAME'ing gets compromised.
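
An added example, not part of the thread or written by any commenter: a check that follows a subdomain's CNAME chain and reports which site cookies a browser would attach to it, covering both the cloaking described at the top of the thread and the cookie exposure raised in the comment above. The DNS records and cookies are constructed sample data using the thread's illustrative hostnames, and the two-label `registrable()` helper is a simplifying assumption.

```python
# Constructed sample data: hostnames are the thread's illustrative names, not real hosts.
CNAMES = {
    "totallyfirstpartyads.mywebsite.com": "serveads.thirdpartyadcompany.com",
    "x7f3a9.mywebsite.com": "edge.thirdpartyadcompany.com",  # random-looking label
    "www.mywebsite.com": "origin.mywebsite.com",
}
COOKIES = [
    {"name": "session", "set_by": "www.mywebsite.com", "domain": "mywebsite.com"},
    {"name": "csrf", "set_by": "www.mywebsite.com", "domain": None},  # host-only
]


def registrable(host):
    """Assumption: last two labels. Production code needs the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def cname_chain(host, records, max_hops=8):
    """Follow CNAMEs from host, stopping on a loop or after max_hops."""
    chain = [host]
    while chain[-1] in records and len(chain) <= max_hops:
        target = records[chain[-1]]
        if target in chain:
            break
        chain.append(target)
    return chain


def cookie_sent_to(cookie, host):
    """RFC 6265 domain-match: host-only cookies go only to the host that set them."""
    if cookie["domain"] is None:
        return host == cookie["set_by"]
    domain = cookie["domain"].lstrip(".")
    return host == domain or host.endswith("." + domain)


def audit(host, records=CNAMES, cookies=COOKIES):
    """Flag a subdomain whose CNAME chain leaves the site's registrable domain,
    and list the site cookies a browser would attach to requests for it."""
    chain = cname_chain(host, records)
    outside = [h for h in chain[1:] if registrable(h) != registrable(host)]
    exposed = [c["name"] for c in cookies if outside and cookie_sent_to(c, host)]
    return {"host": host, "cloaked": bool(outside), "third_party": outside,
            "exposed_cookies": exposed}


if __name__ == "__main__":
    for name in CNAMES:
        print(audit(name))
```

The check works on resolution rather than on the subdomain's name, so a randomized label is flagged the same way as a descriptive one. Cookies set without a `Domain` attribute (or with the `__Host-` prefix) stay off the cloaked subdomain.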


That's the same as the ISP, CDN, CMS, and plenty of other software and vendors in the middle getting access to that information. There's a difference between a service provider and data ownership.


> That's the same as the ISP, CDN, CMS, and plenty of other software and vendors in the middle getting access to that information.

I don't think it's the same.

At least with HTTPS (or even the use of VPNs, DNS over HTTPS, and the upcoming/proposed encrypted SNI), the ISPs won't have any metadata except the IP headers, which I think is a good rebalancing.

There's no requirement for the CMS to be hosted by a third party. Joomla, Drupal, WordPress, etc. are all popular self-hosted solutions.

The CDN typically does not have all the information, either: a CDN's job is (often, but not always) to deliver media assets (images, videos, audio), large files (e.g. ISOs, executables), or to deliver things like fonts or JavaScript libraries. These things are (again, often, but not always) supplied from a different domain.

My browser, for example, doesn't send referer headers when dealing with these sites, and it definitely doesn't send any cookies which aren't set for the CDN's domain explicitly. Different amounts of information leak when you CNAME to a CDN on your own domain, or you load third party advertising scripts in a page.

To me, at least, there's a difference between a third party (such as a CDN or ISP) knowing what domain I was on, versus third-party advertising scripts getting their hands on my detailed browser information by (ab)using JavaScript APIs and extensive fingerprinting.

> There's a difference between a service provider and data ownership.

Can you elaborate? I don't think I understand this point. For example, under the GDPR where I live, I have rights to data which I produced, regardless of the service provider or the domain it's delivered on.


Those are all vendors that get access to cookies and traffic. The point is that data flows through plenty of companies at various levels and providing a CMS or CDN is no different than providing ad serving.

The real issue is whether your data is more protected, and with first-party serving (and all the other anti-tracking restrictions), it's isolated to each domain instead of the cross-site tracking we had before. It's basically a user-to-site connection only now, regardless of the backend tech they use.

Any serious privacy change would require regulation, as you noted; GDPR and CCPA in the US will provide the real protections soon enough.



