Taking link for the post should not add username to it

Taking link for the post should not add username to it.
Currently the link is like that: https://forum.qubes-os.org/t/something-something/topicid?u=USERNAME

Why do we have username attached? It not only not needed but also violates basic privacy. People will share this links in other places revealing their accounts on the forum for no reason.

Proposal: modify site to avoid adding username to the links.

2 Likes

https://www.startpage.com/do/search?q=why+discourse+add+user+name+when+linking+post
some links from this search:
https://meta.discourse.org/t/why-do-all-shared-links-include-the-username-u-username/60126
https://meta.discourse.org/t/share-a-link-for-a-post-should-not-leak-username/66489

TLDR.
It is used for badges (first share, nice share, great share).
You can still manually delete the username part of the link or just copy the url from the address bar.

I agreed with the proposal. It shouldn’t be default (too easy to not remember to manually delete the username).

still from above link, the site setting exist:

1 Like

Thank you for information and support of proposal. Now it is clear for me how it could be used at least somewhere. If I were making discource and wanted to have badges for sharing I would add some token, not username.

I am also happy that other people are also concerned about this issue. So concerned that they made PR/patches to upstream to allow turning it off.

Proposal update: change site settings to avoid adding username to the links.

@adw, @gonzalo-bulnes please tell who on the Forum should we contact to initiate possible considering of turning off this username leaks?

The setting has been changed.

5 Likes

I dont understand this.
The Forum is a public space.
If the link is followed then your account on the forum will be
“revealed”, whether the link contains the username or not.
How does this violate basic privacy?

1 Like

Thanks a lot for fast reaction! I checked it works.
Now let’s hope nobody will ask to turn it back :slight_smile: (joking, the chance is almost zero).

Well, links provided by @szz9pza above probably also have some cases, but I was talking about cases like that:

  • User wants to use Qubes OS and has hater/hacker that follows them on social networks and other places.
  • User shares some link to some forum post or comment (not even theirs post) in their twitter.
  • Everybody in the internet knows that User with that social media account (usually connected to real name) is owning username account on Qubes OS forum.

Now everybody can target real person based on forum posts and comments:

  • investigate what custom software they use, modify this software or use known vulnerabilities of this software,
  • maybe know about traveling plans,
  • and a lot of other stuff.

There can be a million ways to target person’s infrastructure if you have their posts on the related forum.

1 Like

If you share a link on another forum and you don’t have the same username,
you may not want these two separate usernames to be correlated.

Isn’t there a setting to enable this in the user preferences (disabled by default) ?
With this global setting, the related badges are useless and disabled.
(unless you do the other way and manually add the ?u=username :slight_smile: )

It’s ok with a global setting, it’s better than having the username in the shared link.

2 Likes

Not that I saw. You’d probably have to submit a feature request to the Discourse folks for that.

1 Like

Thanks Andrew.

It’s this step that I dont follow.
(I dont have any problem with removing the name from links at all. I’m
indifferent.)
But I dont follow how you get from Step 1 to Step 3.

It would be different if Step 1 was:
User posts to twitter - “Just commented on Qubes Forum” - which
obviously ties their twitter account to their Forum account.
But how does sharing a link with some user name attached reveal the link to the Social media account?
I feel I’m missing something important.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

Please forgive me, but I’m working blind here.
This suggests there’s some “Share” button on a post, that does something
(perhaps copies a link to that post) and ADDS YOUR USERNAME to that
post?
In email format, I’m used to seeing the username of the user who sent
the post, in quotes etc, and I dont have these “useful” features.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

Imagine that I have another anonymous account on Twitter. In that account, I want to share a link to this post of yours:
https://forum.qubes-os.org/t/taking-link-for-the-post-should-not-add-username-to-it/20530/9?u=fsflover

If I forget to remove my Qubes username, I reveal the connection between my two anonymous accounts, which harms my privacy. I see no reason to add my username to every link by default, forcing me to be careful every time.

1 Like

Thanks @fsflover, that was what I’d arrived at, (but didnt quite
believe.)
It is stupid and was rightly removed.
Sorry for noise

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.
2 Likes

Only there I understood your struggle, that you are explicit mail person :slight_smile:

Yes, on each post on forum there is a button share a link to this post, but link provided by default has username of the User clicking (not the author of the post, not the author of the topic). I had to remove this part of the link manually each time.

Yes, it was strange and kind of stupid for me, too.

1 Like

Not good default beahvior. I dislike many things in discourse. Their whole stance on collecting tons of metrics for gamification purposes. But it’s the best we have currently. This is just one more of their games, I guess.

:bulb: Tip
If you want to share a particular reply, just copy the link in the URL bar. It will be for the post you’re currently seeing.

2 Likes