Why we shouldn’t use Third-Party resources and CDN Services

Written By Beda Schmid on June 6, 2021 at 9:46 am

We have written previously about why we shouldn’t use Analytic Tools for our Websites. This article extends the topic by exploring in more depth the negative aspects of Third-Party Resources and Content Delivery Networks (CDN).

Almost every webmaster is concerned with two things:

  • Make a website as fast as possible
  • Make the website building process as quick as possible

There are certainly many valid reasons why a webmaster is concerned with the above two points, but often, while the goals are justified and reasonable, the ways to achieve them are unprofessional, unreasonable and only used because “it is easy, fast and everyone suggests it”.

This is a problem of the modern, profit-oriented society in general. People want things implemented quickly, at a low cost and with the highest “quality” possible. What most of us forget, though, is that the three things do not mix. We can’t expect high quality with a low budget and in no time.

Instead, quality is the result of how much time and effort we put into something.

Thus, if we want a high-quality Website that loads fast, we can’t expect it to be done in a short amount of time and at a low budget.

Unfortunately, several services and recommendations suggest precisely that. Most of the websites we see make use of several third parties, from Fonts to Images, and use third-party services that promise “faster websites”, all of which promise to be easy to implement, delivering fast and reliable results.

It might be accurate, but what suffers is the end product’s quality.

Let’s have a look at two primary services of this kind and why we should not use them.

Why we should not use Adobe Fonts and instead self-host our Fonts

Adobe Fonts is an excellent service that allows a webmaster to pull in (almost) any font, be it paid or free, to a website and use it without further ado. We only need to add a script to the website’s head, and the fonts are magically available in the project, ready to be used in our CSS.

So, why not use this excellent service?

Or – why not use the similar service provided by Google?

The main concerns here are performance and Privacy. Adding any additional third-party call to the website’s head means adding (even if tiny) extra loading time to our website.

The other concern is Privacy. While this might not be the case for some services, at least Adobe Fonts tracks your website visitors’ data (such as the OS and whether adblockers are enabled or not). Unless you read Adobe’s usage policies, it happens without your knowledge or your visitors’ agreement. And, even if you know, you cannot influence this tracking and cannot delete that data if a visitor ever requests such data removal.

Self-hosting your fonts might restrict you in the choice of fonts and require a bit more work; however, it will avoid both problems mentioned above.

Why we shouldn’t use Third-Party Resources (Vimeo, YouTube, etc.)

I won’t detail what data is tracked by which services; however, in short, most (if not all) third-party media services such as Vimeo and YouTube collect data about your visitors when they visit a page where external media is embedded. This again creates (sometimes huge) performance issues, and you have no control over the data collected.

In short, whenever such third-party data is embedded in a website, the website is not the only party that knows you (as the visitor) visited the website; Google (or any of the third-party owners) knows that as well.

Did you ever stop and wonder how Google and other big Internet giants know so much about “us”? 

Embedded YouTube videos, just like hosted Google fonts, Vimeo or others, are just another way for the Data Giants to harvest our personal data across the internet.

Here is an interesting article about the tracking practices of YouTube, in this case.

With promises like “see how your videos perform”, even more tracking is done by adding “analytics panels” for webmasters and web owners, where they can see how their content performs. What happens, though, is that data giants get insight for free, (most often) without the visitor’s knowledge, and if a webmaster or web owner complies with GDPR, all a visitor can do is “agree to the terms”.

No one gains anything from that insight except the data giants. And we get hit by performance problems on top.
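An added example (not part of the original article): a small Python audit that lists every third-party host a visitor's browser would contact when loading a page, covering the hosted fonts and embedded media discussed above. The sample HTML, the example.org site and the KITID/VIDEO_ID placeholders are constructed; treating subdomains of the site as first party is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes that make the browser fetch a resource on page load.
FETCH_ATTRS = {"script": ("src",), "img": ("src",), "iframe": ("src",),
               "video": ("src", "poster"), "audio": ("src",),
               "source": ("src",), "embed": ("src",), "link": ("href",)}
# <link rel> values that trigger a request (rel="canonical" does not).
FETCHING_RELS = {"stylesheet", "preload", "prefetch", "preconnect",
                 "dns-prefetch", "modulepreload", "icon"}

class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname
        self.findings = {}  # third-party host -> [(tag, absolute URL), ...]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHING_RELS:
            return
        for name in FETCH_ATTRS.get(tag, ()):
            # urljoin resolves relative and protocol-relative (//host/x) URLs.
            url = urljoin(self.page_url, attrs.get(name) or "")
            # data: URIs and empty attributes have no remote host.
            host = urlsplit(url).hostname or self.site_host
            # Assumption: subdomains of the site count as first party.
            if host != self.site_host and not host.endswith("." + self.site_host):
                self.findings.setdefault(host, []).append((tag, url))

def audit(page_url, html):
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; KITID and VIDEO_ID are placeholders.
SAMPLE_HTML = """
<link rel="canonical" href="https://other.example/page">
<link rel="stylesheet" href="https://use.typekit.net/KITID.css">
<link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Inter">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<video src="https://media.example.org/clip.mp4"></video>
"""

if __name__ == "__main__":
    print(sorted(audit("https://example.org/blog/", SAMPLE_HTML)))
```

The audit only sees requests declared in the static HTML. Fonts referenced from inside a stylesheet and requests made by scripts at runtime have to be checked in the browser's network view.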

Why we shouldn’t use CDN (Content Delivery Networks)

CDNs are a considerable problem, generally unknown or ignored (even by GDPR).

CDNs (Content Delivery Networks) promise faster sites by offloading the website to several servers around the globe and then delivering the content to the visitors from the server that is closest to their location. Great! We can have a server in Canada and serve an Asian visitor just as fast as if the visitor were in Canada.

However, CDNs will decrypt any secure communication from your visitor and then re-encrypt it on the way to your server and back.

If we were speaking about hacking, a “man-in-the-middle attack” looks exactly like that.

A visitor sends data; someone between the visitor and the server listens to it, unpacks it and acts on it, then sends it on to the server, and/or back from your server to the client.

Big CDNs like CloudFlare are perfectly aware of this issue and even make you as webmaster sign an agreement (Data Processing Addendum), so they are safe, and you agree to the practice.

This practice is, of course (hopefully 🙂 ), not done with bad intentions. It is the only way for CDNs to actually know what the request is, handle it appropriately, and apply other features (for example, additional security or, like CloudFlare, tracking and statistics) to each request.

However, it completely knocks out the principle of TLS. It removes any control over the data from your hands, so you are again left with the only choice to add a “consent” to your website.

The user is again not allowed to see the content if they disagree with the policy.

GDPR completely ignores this issue by simply stating that a CDN counts among the “necessary” measures for Website development and that it is “OK” in this case to share the data with third parties.

Don’t forget that many CDN services are located in the 5, 9 and 14 Eyes Countries, many of which have no respect for users’ privacy and can, upon a request by Courts, force data disclosure by VPNs and CDNs. That means your users’ data is entirely at the disposal of those countries’ governments. While you might not care, there are topics that – while being mere discussions – can get you into trouble in the wrong country. Those countries can read your visitors’ data almost freely, and that might put your visitors in danger or “just” infringe their Privacy.

The problem – in short – is that your connection to (as an example) Cloudflare is encrypted via TLS; however, once it reaches Cloudflare servers, it gets decrypted. It means Cloudflare, a US-based company, can read your passwords, private messages and everything else. The government can repeat what they did with Lavabit to extract this information. 

Last but not least, CDNs often do not improve your website’s speed; if you take the time and optimise your website the “proper way”, you will have better results than with a CDN.

Not using a CDN, and relying on self-hosted data such as fonts or images/videos, will often make any user agreement checkbox wholly obsolete. This means your visitors will be able to visit your website truly anonymously. You (or your website) won’t be contributing to the “two-class society” which the GDPR and other privacy agreements are building by excluding disagreeing users from even reading your content.

Not using any of these services indeed contributes to a free, decentralised and better web experience.

Conclusion

By not using Third-Party Resources like YouTube, Vimeo, Adobe or Google Fonts, and optimising our Websites instead of using CDNs like CloudFlare, we can grant our visitors Privacy without further concerns. We stay in control of what we share with whom, and as a nice side-effect, websites are faster and less energy consuming (thus, sustainable) than websites that load and/or offload resources from/to third parties.

It takes more time and money to build such websites, but the effort pays off.

TukuToi established the “Zero Tracking Policy” with a badge that Webmasters can use on their Websites to denote the clean development approaches and their commitment to respect the Users’ Privacy.
