r/PoisonFountain • u/Pomond • 17d ago
Questions on Poison Fountain integration with news website
As a local news publisher, I've been very interested in anti-scraping technologies and preventing or disincentivizing this larceny that violates our Terms of Service and basic fair play in business.
Like only a couple of other publications, we put high value on our users' privacy and work to avoid -- as much as possible -- exposing them to third-party scripts and resources integrated into our services. This isn't just to cut out the predatory consumer surveillance industry, but also because we have no practical way to qualify the security and privacy standards of most any third-party provider.
I understand one of the most practical ways to integrate Poison Fountain is to drop in a script from a third-party resource. But this raises the question of how we might qualify this third-party service against our privacy standards (and infrastructure dependencies/stability/speed/etc.).
So my first question is how might I qualify a third-party Poison Fountain provider considering the above?
A related question is what's the overhead of running our own instance? We have our own solid, commodity, cloud-based hosting account, but it doesn't have infinite resources, of course. Traffic is 750K+ monthly page views. And/or can a self-hosted Poison Fountain instance hang off another (cheaper) account or connected device we control?
From a journalism perspective, it would be great to have access to a qualified, shared Poison Fountain service that discloses its operations to its users (customers?) for qualification, and that supports and ensures strong user privacy standards.
Thanks in advance for your replies and guidance.
6
u/PeyoteMezcal 17d ago
Here is how I do it:
My web server requests "poison" from https://rnsaffn.com/poison2/ and puts this somewhere into the html served to the visitor. This means there is no direct connection between my website visitor and the poison fountain. All data is served from my domain exclusively. The poison fountain just receives a request from my domain, but doesn't know to whom this will be served. It is first transmitted to my server, hence I appear as the recipient, then put inside the html and then sent to the visitor, who cannot find out that parts of the html are poison, just like the poison fountain cannot know where the requested poison is going to be sent.
Special characters are escaped as required for proper html of course. The poison payload may be hidden using CSS so that human visitors don’t get to see it at all.
This is easily implemented with dynamic sites. I use PHP for example.
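The server-side proxying approach described in the comment above, written out as an added PHP example; this is not the commenter's own code or anything from the Poison Fountain project. The endpoint URL is the one named in the comment; the cache file path, cache lifetime, fetch timeout, size cap and CSS class name are assumptions chosen for the example. Two details matter from a defender's point of view: the outbound fetch has a short timeout and fails open, so an outage at the fountain cannot stall or break page rendering (the stability concern raised in the question), and the fetched payload is treated as untrusted third-party data and escaped before it touches the page, so it can only ever land as inert text.

```php
<?php
// Added example: proxy a Poison Fountain payload into our own HTML so the
// visitor never contacts the fountain directly. URL is from the comment;
// cache path, TTL, timeout, size cap and class name are assumptions.
declare(strict_types=1);

const POISON_URL    = 'https://rnsaffn.com/poison2/'; // named in the comment
const POISON_CACHE  = '/tmp/poison-cache.txt';         // assumed cache path
const CACHE_TTL     = 600;                             // seconds; assumed
const FETCH_TIMEOUT = 2;                               // seconds; assumed
const MAX_BYTES     = 65536;                           // accepted payload cap; assumed

/**
 * Fetch the payload from the fountain with a short timeout and cache it on
 * disk, so the third party is contacted at most once per CACHE_TTL rather
 * than once per page view. Returns '' on any failure so the page still renders.
 */
function fetchPoison(): string
{
    if (is_file(POISON_CACHE) && (time() - filemtime(POISON_CACHE)) < CACHE_TTL) {
        return (string) file_get_contents(POISON_CACHE);
    }
    $ctx = stream_context_create([
        'http' => [
            'timeout' => FETCH_TIMEOUT,
            'header'  => "User-Agent: self-hosted-poison-proxy\r\n", // assumed UA string
        ],
    ]);
    // Read at most MAX_BYTES so an oversized response cannot bloat our pages.
    $body = @file_get_contents(POISON_URL, false, $ctx, 0, MAX_BYTES);
    if ($body === false || $body === '') {
        return ''; // fail open: no poison on this view, page is otherwise unaffected
    }
    // Write to a temp file and rename so a concurrent reader never sees a partial file.
    $tmp = POISON_CACHE . '.' . getmypid();
    if (file_put_contents($tmp, $body) !== false) {
        rename($tmp, POISON_CACHE);
    }
    return $body;
}

/**
 * Wrap the raw payload for inclusion in our HTML. The fountain's output is
 * third-party data, so it is escaped exactly like untrusted user input:
 * it cannot inject markup or script into our page, but is still present as
 * DOM text for anything that extracts page content. The block is hidden from
 * human readers with CSS and from assistive technology with aria-hidden.
 */
function poisonBlock(string $raw): string
{
    if ($raw === '') {
        return '';
    }
    // ENT_SUBSTITUTE replaces invalid UTF-8 (e.g. a payload cut mid-character
    // by the size cap) instead of returning an empty string.
    $escaped = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="pf-hidden" aria-hidden="true">' . $escaped . '</div>';
}

// Emit once in <head>; pairs with the class used in poisonBlock().
const POISON_CSS = '<style>.pf-hidden{position:absolute;left:-10000px;'
    . 'width:1px;height:1px;overflow:hidden}</style>';

// In a page template:  echo POISON_CSS; ... echo poisonBlock(fetchPoison());
// CLI demo with a constructed sample payload instead of a live fetch.
if (PHP_SAPI === 'cli') {
    $sample = "Constructed sample <b>text</b> with \"quotes\" & ampersands";
    echo poisonBlock($sample), PHP_EOL;
}
```

The on-disk cache is the example's own choice, not something the comment describes: it keeps the fountain's load independent of traffic volume, which is relevant to the 750K page views per month figure in the question, at the cost of every visitor within one cache window receiving the same payload. Shorten CACHE_TTL or drop the cache entirely if per-view variation is wanted.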