"The http://mozilla.org tab discussing the importance of Privacy loads in the background, bringing along with it the Google Tag Manager and Google Analytics. Hello, Google."
It demonstrates that support for Google Analytics is not unanimous within Mozilla, and even if someone removes it from a product page that action is detected by others and reversed.
Privacy aware users should block this sort of thing at their router using a hosts file, or Pi-hole, which is far more effective than calling companies out on Twitter and hoping for the best.
Privacy aware users should take all reasonable steps to protect their own privacy, but it is also appropriate to call out Mozilla.
Mozilla (and advocates) promote Firefox as the privacy conscious browser while Mozilla repeatedly takes actions that would appear to go against that claim.
addons.mozilla.org also contains Google Analytics. And since addons are not allowed to act on addons.mozilla.org, you have no choice but to ping Google every time you load a page there.
Mozilla is either stupid or ill-intentioned. It's 2019 so they've lost the benefit of the doubt for me.
There is in fact a third option, which happens to be their stated position.
Part of their (written) agreement with Google is that none of the analytics data generated from Mozilla properties will contribute towards Google's tracking database.
"Mozilla has a legal contract with Google that prevents them from using our Google Analytics data for mining or from sharing it with third parties, among other privacy-protecting provisions."
"Mozilla went through a year long legal discussion with GA before we would ever implement it on our websites. GA had to provide how and what they stored and we would only sign a contract with them if they allowed Mozilla to opt-out of Google using the data for mining and 3rd parties."
https://bugzilla.mozilla.org/show_bug.cgi?id=697436#c14
Great if you trust Google, not so much if you don't. Too bad Mozilla made that choice for us, and imho, the wrong one. Google has proved itself time and time again that they cannot be trusted with privacy.
"Mozilla went through a year long legal discussion with GA."
I wonder why. Implementing some basic analytics on a few pages shouldn't be that hard.
"Great if you trust Google, not so much if you don't. Too bad Mozilla made that choice for us, and imho, the wrong one. Google has proved itself time and time again that they cannot be trusted with privacy."
I believe this to be a lazy and ignorant opinion, and I think you are hoping no one will call you out for this.
"Google has proved time and time again they cannot be trusted with privacy". This is a contract between two businesses, which carries legal weight (and in some countries, carries more legal weight than just contract law), so could you source for me perhaps 2-3 (you said "time and time again", so 2-3 should be quite easy!) of your most iconic times that Google openly violated contract terms with major organizations regarding privacy controls?
Remember when they were "unintentionally" scanning and saving wifi data?
Broke the law.
If Google has a culture of "grab all the data, and use it in whatever way you can figure out to make money,"—and they do—then the real question is if they even have the institutional capability to not accidentally use this data the same way they use all the other data they have.
>"Remember when they were "unintentionally" scanning and saving wifi data? Broke the law."
I don't want to be a broken record of "this opinion sounds lazy and under-researched and I'm calling you out" but.....
* Google was cleared of wrongdoing under the Wire Tap Act after an investigation by federal law enforcement
* The wifi data capture was a 20% time engineer project which rolled out unintentionally, was never commingled with other data, and was destroyed without being used
* The DoJ and Federal Court of Appeals disagree on the details and the Supreme Court of the United States refused a petition to clarify any parts, so any assertion that they "Broke the law" is either ignorant or malicious, IMO, because to summarize a situation where law enforcement said "No law breaking" and an Appeals court said "Maybe law breaking" as "Law Breaking" can't be considered a rational and intellectual attempt at understanding
While Google does collect a lot of data, the culture is to guard it rather zealously. Google has a lot of lawyers and all projects have to get a privacy review. The privacy folks take their jobs seriously. There is mandatory training about when you need a privacy review. There are a lot of internal rules and technologies built to guard security and privacy. There are researchers looking into ways to learn from data on mobile devices without actually collecting it. The security people are probably the best in the business. And so on.
Some of the procedures were put in place after the wifi scanning incident.
And that's not to say bad things can't still happen. One thing that sounded particularly bad about the now-cancelled Dragonfly project was that they were allegedly avoiding privacy review. This project was being kept secret from the rest of the company because it's not how things are usually done.
So, my guess as an ex-Googler is that they can guard it and probably will, at least under normal conditions.
We wouldn't know, since most of the incidents would never see the light. From the incidents that did come to light (e.g. Google spying on you through its assistant), we do know that they can and will bend the letter of the law to suit their purpose. So I think that it's your opinion that sounds hopelessly naive rather than OP's.
Most of the cases of Google "spying through home assistant" (along with the other assistants, Amazon, Apple included) while obviously invasions of privacy were generally (all?) legal.
At least in the US they weren't breaking any laws. I'm not saying they would never break any laws for financial gain, just that most of the breaches in privacy aren't technically illegal (thus the need for privacy laws)
It is pretty unlikely that a company (Google) would break a contract with another relatively large organisation (Mozilla). Yes, Google vacuum up all your data and do shady stuff with it, but only because all of it is legal.
Plus, the amount of data that they get from Mozilla must be tiny compared to the amount of data that they collect through their search engine: it's only data on mozilla.org, not data of everyone that uses the browser at all times. It is not wise to risk a lawsuit over it.
> I wonder why. Implementing some basic analytics on a few pages shouldn't be that hard.
Maybe defining a contract to prevent use of Mozilla data without loopholes is harder.
It’s not entirely one sided as you describe. Google is one of the few companies that has also fought legal requests from governments trying to spy on their citizens, when the other giants caved immediately.
One of the things Google gets right. They know that data breaches, where someone does get the valuable ad profiles or data of Google users (while usually advertisers just get to target based off the data), are one of the few things that will actually cause the masses to think about their privacy settings and why they're giving Google their life story at all.
Which requires the user to trust Google to a) honor that agreement (somewhat simple, though we don't know the actual terms, i.e. what's on the line for Google) and b) not have bugs in their systems that accidentally leak information (to their own profiling services or third parties), and if they trust them on this, why not trust them in general when it comes to "we won't use your information for anything nefarious". Anti-Ad/Tracking-Plugins being among the most popular suggests that a lot of Mozilla's users don't want to rely on trust.
My bank argues the same way and uses Google Analytics to track their visitors, including inside the online banking system. Fine, so they trust Google to honor agreements and not connect profiles, but I'd still prefer Google to simply not know when and how often I'm logging in to check my account balance.
It's good that Mozilla goes the extra mile to get a custom contract, but I believe that most people aren't expecting a self-proclaimed privacy champion to use an anti-privacy-service by one of the largest corporate enemies of privacy. Explicit opt-in would be the right thing to do here.
If you personally want to opt out then use a content blocker? There's also an official way to completely opt out of GA, but this basically does the same thing.
Privacy isn't a zero sum game, there can be improvements.
What's the point? Why does Mozilla exist? If Google is good enough mozilla.org should redirect to google.com/chrome.
If Google is not good enough, Mozilla shouldn't use Google for analytics on the add-ons page when there are plenty of other options and an opportunity to do something valuable by building a site-private analytics product as part of their core mission of protecting the web.
According to the issues trackers, various forms of "self-hosting would be more work for a lesser product".
I'm not sure that would still be the case if the decision were being made today, and would quietly hope not, but I guess we can charitably say that the reason now is "inertia".
Personally, I think they may have underestimated (or failed to fully predict) the anti-google, pro-privacy sentiment in the wings, and it's clear even from this thread and the issues on bugzilla that it's probably cost them enough privacy-capital at this stage to have justified the extra work required to self-host.
But hindsight is 20-20. There are sunk costs now which also must play into the decisions.
Definitely not, but I can see how it might be useful to know aggregates of the Firefox version and locale information for people visiting that particular page.
> Personally, I think they may have underestimated (or failed to fully predict) the anti-google, pro-privacy sentiment in the wings, and it's clear even from this thread and the issues on bugzilla that it's probably cost them enough privacy-capital at this stage to have justified the extra work required to self-host.
Or maybe the "anti-google, pro-privacy sentiment" isn't really all that big. Could be a relatively small but vocal set of people.
> "self-hosting would be more work for a lesser product".
The same argument applies to the whole of Firefox. It's more work and it's a lesser product. If Firefox can be a better product, then Mozilla Analytics could be too.
At this point it's clear that Mozilla is a business (with well paid management and staff) like Google that is using Privacy as a promo like Google used Don't Be Evil.
Mozilla might be better in practice today, but it's not on a principled foundation. It looks like a Google Lite - Firefox vs Chrome, Rust vs Go, etc.
We use this one, paid version. Sometimes it's a slower load, the UI is less good than GA, other little issues but we still get the core data, and can trap page-level-events.
No law can prevent a thing, no written agreement can prevent cheating. Law can only set out that such cheating might be illegal in the sense that it can be argued in court that penalties should apply.
I do see the point that you are making, and clearly prevents is not absolutely true, but the beauty of open companies like Mozilla is that this information is available at all. In an issue tracker no less.
We can be a little more charitable in not demanding legalese from someone who was casually paraphrasing somebody else, given the context (a bug report).
Sorry, ironically I didn't mean to imply openness in any legal sense (although the foundation itself is publicly accountable in terms of what they spend their money on).
Open companies was probably a bad term to use because it might imply something beyond most/all(?) of their products being developed in the open, but I think the point stands well enough regardless.
I won't edit now, but please read my original "open" as "open source".
>No law can prevent a thing, no written agreement can prevent cheating. Law can only set out that such cheating might be illegal in the sense that it can be argued in court that penalties should apply.
This is asinine stuff. Contract law is one of the oldest parts of the legal system and contracts are protected. Violating contract terms leads to a discussion of damages. It's not about illegal contracts, it's about liability and damages.
No one before you was talking about "illegal contracts". You misread what you replied to. Contracts don't prevent things. Contracts determine (sometimes indefinite, but not infinite) prices for actions.
If you trust Google to always uphold its contract, then by the same logic you should trust the government to never abuse your encryption keys.
But we don't, because insider access is (eventually) outsider access. Bits don't have color.
And I'm explicitly rejecting the theoretical discussion of "contracts not preventing things", a somewhat useful model of legal thinking for first year law students to understand one aspect, but an absolutely atrocious model for a layperson to understand general contract law.
This is like saying criminal law doesn't prevent crime, which again under some literalist and pointless definition sure a murderer isn't physically prevented from murder by a law, but the punishment of murderers does prevent many people from becoming murderers.
Similarly, contract law influences the behavior of people who agree to them by establishing damages and liabilities for various situations, and these incentives influence and control normal actors in predictable ways. A summary of the influences and controls on normal actors in contract negotiation could be "contracts prevent things".
My contract with my ISP prevents me from reselling my bandwidth to my neighbors. It doesn't physically prevent me, but it establishes a liability for me that I want to avoid.
My contract with my car insurance company prevents me from working for Uber. It doesn't physically prevent me from clicking Sign Up in the Uber app, but it establishes limits on my coverage such that I would be driving illegally if I were to continue, and I want to avoid that, so the contract prevents me from doing it.
Let's not be naive. The Big Brother agenda of Google didn't happen in a vacuum. They have government support and protection from some factions of our intelligence agencies to this day (although, perhaps not for much longer). The whole original concept of "Google" as a search engine (and tracking app) was originally a program of DARPA (same for Facebook - originally called "LifeLog"). Do you really think they cut all ties with the government when they went public? Neither Google nor Facebook are what they appear to be.
"Privacy" in the sense that it pertains to selling your info to advertisers is just a sideshow; i.e. not the real problem.
> Violating contract terms leads to a discussion of damages.
No, being found in a court of law to have done so does, but when the contract terms are easy to violate without the other party being aware it is especially inaccurate to portray this as the violation itself leading to this result.
Thank God that Google is such a trustworthy company on which we can depend with all our data and personal information. The company that would never deal with the likes of China. The company which would never expose data of Google+ customers. The company which is always transparent with its policies and usage of user provided data.
> The company that would never deal with the likes of China.
This is disingenuous. They basically locked themselves out of China voluntarily many years ago. They're really scary otherwise and I agree with you, but don't lessen your point by including exaggerations, in my opinion.
> Part of their (written) agreement with Google is that none of the analytics data generated from Mozilla properties will contribute towards Google's tracking database.
Thanks for investigating. For comparison, I'd suggest trying something older --- perhaps IE6, Firefox 3.x, and Opera 9.x? For something newer, Dillo and NetSurf might make good contrasts too; I believe they don't make any network requests and just sit there with a blank window and the cursor focused on the address bar, which is IMHO the way a browser should behave the first --- or any --- time you run it. No further adverts or other attempts to get "promotional" material in your face, just a program that waits for and goes to whatever URL you choose.
(I really hate the "first-run experience" of a lot of "modern" apps these days. I don't need to be told "thanks for using our product" or anything similar, I'm already using your product --- just shut up and let me use it!)
He's not going to do that because https://news.ycombinator.com/item?id=20806265, and it wouldn't fit his agenda. tl;dr: he works for Brave, has two personal Twitter accounts, both browser-related, yet posts these reviews from the account which magically has zero mentions of him being on Brave's payroll! The level of propaganda is simply unbelievable!
Yeah, supposedly some but not all of the calling-home is only added in Chrome, not in chromium. I would also be curious to see just how google vanilla Chromium is.
Of course there's ungoogled-chromium, but I had some issues building that recently.
Interesting how one of the main selling points of Brave, the slightly-shady crypto currency thing, is not initialized on first start (unless it's hidden deep inside some JSON or done using a different kind of network protocol).
I suppose this is because they put it behind another layer of privacy agreements and terms of service. This is an improvement from the last time I tried it. They also added confirmation that a website is actually open to receiving tokens now, that's nice as well.
If Brave wasn't Chrome-based, I would've tried it. Sadly, the world seems to be converging on Google's One True Browser Engine and I don't want to support that.
You shouldn't see communication with ledger services until you opt-in to Brave Rewards. I did this last night, and monitored network activity. We run a tight ship.
I could. Those bits are fairly simple though. Often a small payload is sent to a server containing the version of the browser (and often the OS). The server responds with a link to download the newer bits (if necessary). A couple of the threads I shared touch on this briefly. The only difference, if I recall correctly, was that some of the browsers would check for updates to the updater too.
The note at the top of surf's page about the lack of tabs is missing some context: surf is composable, so if you want tabs, it comes with a script to use tabbed. Each window (or tab) runs in its own process (skipping some details). It's also easy to enable/disable JS (per process) out of the box with its keybindings.
I tried to use suckless software at some point but stopped in the end. In theory the idea is good, but sadly the software is not up to par. For a lightweight WebKit browser with minimal UI and vim mode included I’d recommend QuteBrowser https://qutebrowser.org/
That, too, is hard without Apple hardware. KVM is probably the only virtual machine software that runs macOS with minimal fuss and patching outside of Apple hardware and it still requires a fair bit of work (though scripts exist to automate all of it.)
Many guides to creating Hackintosh setups hinge on having at least one existing Mac. The only saving grace for KVM is that people have developed tools to download macOS directly from the Mac App Store CDN and deal with the DMG image.
I run VMWare for cross-platform development and I can tell you I have no problems running Apple OS'es since Mountain Lion 10 years. I have around 20 VM's with different MacOS'es that I use/used for testing/development. No Apple hardware at all, only my good old custom PC that houses all of them
Ah, I also have used VMware Workstation to run macOS, although my Workstation 15 license has mostly collected dust thanks to KVM.
Since you’ve been doing this for a while, perhaps you’ve simply forgotten that running macOS natively on VMware outside macOS actually requires patching? Granted, there is a tool[1] for this that is pretty popular and easy to use. But it’s still required when running without hacks.
Finally, where are you getting your installation media? Apple only allows downloads of macOS installation media via the Mac App Store.
I suspect you may possibly be referring to using pre-configured Hackintosh VMs that use EFI emulation and FakeSMC instead of running natively. Frankly, I just don’t trust OS images from random sketchy third parties.
Actually I got an official Mountain Lion image from Apple way back 10 years ago, and ever since a new MacOS was out, I just copied my latest VM and run that one as a complete update. Couple hours later I was having their latest OS in new VM. So all my VM's have official Apple software, no 3rd party included. And yes, you are right, every time a new update for apps I use appear on store, I get hit with the message to update what I have. I simply just cancel and go on with my work. XCode is the most updated, I get hit with messages for it at least several times per week.
Oh, I see. Unfortunately I think it’s not as easy to bootstrap anymore. Having an existing Hackintosh VM obviously is a useful starting point, but getting one today is probably not super easy. So I can sympathize with folks who are having trouble.
The truth is, this service was acquired last year by a US company. They didn't mention it or share the news with their users and they keep marketing themselves as "indie developers", including on their patreon https://www.patreon.com/ThreadReaderApp. In addition to that the original creator left, he is not working on the product anymore.
I think that it's shady too. I don't know much about Brave and don't want to know. To me a huge red flag is that Brave tries to push its Basic Attention Token (BAT). BAT is a token of low quality because of the following reasons.
1. The developers try to make up a reason to create another coin for something, that doesn't need a coin;
2. The relationship between the browser and the coin is not cryptographically strong and will never be — it's impossible to prevent fraud when their system is just a program that checks for certain condition (an ad viewed) and communicates to its backend, instructing it to give some address a coin.
3. The developers created a billion of tokens out of thin air and now try to give it some value. And traders do believe that it has some value.
I personally don't tolerate shitcoins even the slightest. Thus, I see Brave as nothing, but a browser engine with a content filter and a shitcoin embedded.
However, to me Brave is the least-worse browser because at least it has a step inside the territory of blockchain-based browsing. It's the first browser that will add an integrated wallet by default (mainstream will never accept using the weird developer-centric MetaMask extension).
I hoped at one point Brave would follow more of a patreon-like model - block ads on pages and give the site my money in exchange. Unfortunately they've gone for showing me different ads.
Brave does follow this patreon style model. There's a section in the Brave Rewards panel that mentions "Auto-contribute" which does what you're describing.
You can also easily enable and disable Brave Ads while still contributing (though you'd need to fund your browser wallet).
It sounds like you have something against cryptocurrencies as a whole and not their tokenomics as to me it seems the reasons for creating your own token for this case is fairly clear.
For a while they would take BAT "donations" for any website, and would just keep them unless the site owner signed up to receive them. This stopped a few months ago.
The whole monetization model of replacing a site's ads with their own is questionable.
The whole BAT thing seems like a scam, they offer ways to buy them but no way to sell them.
Really anything that uses a cryptocurrency for funding has that "con stink".
"The whole monetization model of replacing a site's ads with their own is questionable."
Just to be more concise, they are not exactly "replacing" ads on the site. The built-in adblocker removes all ads irrelevant of the sites and if you enable Brave Ads (the coin thing, opt in), you get up to 5 per hour (configurable) OS native notifications. The notification contains a text ad with a link. Even if you don't click on the notification, you get the coin.
You can sell BAT via any crypto exchange or website. Coinbase, Uphold, Binance, etc. You can even choose to have BAT automatically convert to USD, Euro, etc.
Click "Options" or whatever. Almost everything seems turned off (I guess it is an attempted dark pattern where they want me to believe it is off by default.)
Click "Third parties". See a somewhat complete list of shady "mainstream" tracker companies - or so I hope - there are literally hundreds of companies on that list, I counted by copying and pasting into a spreadsheet :-]
So much for valuing my privacy. Then again I guess it can be read to mean they value taking our privacy away.
Did you know that every Opera install on windows and mac using the net-installer gets a uniquely modified exe or zip file with information about the download so that Opera can track where/why a browser was downloaded?
On windows they modify the PE header of the exe, and add extra information to a certificate table at the end of the file, without affecting the signature of the file. (Last 4 bytes of the file gives the size of the payload, giving you the offset to start reading a string that starts with OPR followed by a base64 encoded string, which contains a checksum and a json object. The json object contains country of origin, http_referrer of the download, a timestamp, UTM-parameters seen on the referrer, the user agent and a uuid assigned to the download. This uuid is kept for the life time of the browser install.)
On mac, the process is a bit different, but there they use appledouble (._-meta files) to modify the zip-file on the fly while downloading including the same type of data.
This was implemented way before Opera changed ownership, and as far as I can see from the outside, not much has changed in this code. The main difference I see, is that they have removed the source IP from the JSON.
So, if any, they are tracking less data in that data blob after they changed ownership.
(I worked on this feature at Opera back in the days)
Statistics. We wanted to know how different campaigns worked, how the user retention from different partners was, and also benchmark how well the autoupdate system worked. While I worked for Opera this was strictly for internal use, and a very limited set of people had access to logs and raw data.
The same ex-opera people were the masterminds behind the netinstaller tracking :) I was not implying that Opera is any more adware/malware than any other software.
What do you use for syncing bookmarks? That's one of the most infuriating things about browsers that are not FF, Chrome or Safari. I want my bookmarks no matter what device I'm on. I could care less about other types of syncing.
I worked on an app that did this, you digitally sign the exe and the signature includes the length of the signed data but not the length of the exe - you can then append whatever you want at the end and read it when you run the executable.
It is a great way to not have to resign every app but also allow for a “one click” install experience
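An added example (not code from the thread, from Opera, or from any app mentioned here) of how a defender could check a downloaded installer for the per-download data that the net-installer comment and the comment above describe: it parses the PE headers, walks to the Authenticode certificate table, and reports bytes that the DER signature blob does not account for, plus anything appended after the table. The sample file, its payload, and all function names are constructed for the illustration; only the first certificate entry is inspected, and the "OPR" prefix check relies on the description given in the comment.

```python
import base64
import struct

MARKER = b"OPR"  # prefix of the tracking string, per the comment in the thread


def der_total_length(buf: bytes) -> int:
    """Size in bytes (header + content) of the DER SEQUENCE starting buf."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("certificate blob does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def security_directory(pe: bytes):
    """Return (file_offset, size) of the certificate table (data directory 4)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = e_lfanew + 4 + 20                # optional header follows COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    dirs_off = {0x10B: 96, 0x20B: 112}.get(magic)   # PE32 / PE32+
    if dirs_off is None:
        raise ValueError("unknown optional header magic")
    (count,) = struct.unpack_from("<I", pe, opt + dirs_off - 4)
    if count < 5:
        return 0, 0                        # no security directory slot present
    # For this directory the first field is a file offset, not an RVA.
    return struct.unpack_from("<II", pe, opt + dirs_off + 4 * 8)


def audit_signature_slack(pe: bytes) -> dict:
    """Report data hidden in or after the Authenticode certificate table."""
    off, size = security_directory(pe)
    if off == 0 or size == 0:
        return {"signed": False, "slack": b"", "overlay": b"", "marker": False}
    if off + size > len(pe):
        raise ValueError("certificate table runs past end of file")
    dw_length, _revision, _cert_type = struct.unpack_from("<IHH", pe, off)
    if dw_length < 8 or dw_length > size:
        raise ValueError("bad WIN_CERTIFICATE length")
    blob = pe[off + 8:off + dw_length]     # bCertificate: the PKCS#7 DER blob
    used = der_total_length(blob)
    # Zero bytes up to the 8-byte boundary are normal padding; ignore them.
    slack = blob[used:].strip(b"\0")
    return {
        "signed": True,
        "slack": slack,                    # bytes the DER structure does not cover
        "overlay": pe[off + size:],        # bytes appended after the table
        "marker": slack.startswith(MARKER),
    }


def build_sample(extra: bytes) -> bytes:
    """Constructed minimal PE32 image with a fake 18-byte DER 'signature'."""
    body = b"\x30\x10" + b"\xAA" * 16 + extra
    body += b"\0" * (-(8 + len(body)) % 8)            # pad entry to 8 bytes
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    cert_off = 64 + 4 + 20 + len(opt)
    struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(cert))
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt) + cert


if __name__ == "__main__":
    # Constructed payload standing in for the per-download tracking string.
    tag = MARKER + base64.b64encode(b'{"uuid": "constructed"}')
    for name, image in (("clean", build_sample(b"")), ("tagged", build_sample(tag))):
        print(name, audit_signature_slack(image))
```

A non-empty `slack` or `overlay` on a vendor installer means two downloads of the "same" signed file can differ, which is also why their file hashes will not match a published checksum.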
A reality check to those who want to push apps and more workloads into the browser (via WASM, PWAs/excessive JavaScript, or whatever), with the browser becoming a gatekeeper. Not only is the browser a laughably complicated app runtime that isn't capable of doing anything with local files (so you need "services" to store your eg. photos), it's also blatantly power-inefficient and a privacy catastrophe. Where has the idea of personal computing shared by a whole generation gone?
No, what we need is a proper permissions model for desktop applications. The idea of permissions being per-user is almost useless in this day and age where most desktop machines have one user (or a small number of users sharing files) and where most applications are downloaded from untrusted sources.
We need proper automatic sandboxing of native apps, restricting file, network and resource access without prior permission from the user.
That is being worked on. On many fronts. Linux containers are getting better. iOS is sandboxing applications to some extent. Android too and is slowly adding finer and finer sandboxing settings. ChromeOS also does sandboxing. I don't know about Windows, but I guess something similar is happening over there.
My money is on the Browser. Because it has proven (via survival of the fittest) that it is the best platform for the modern age. It has what, 100% market share? Everybody I know can use websites.
Even if one of the desktop or mobile operating systems adds sufficient sandboxing in the future, I would not want to develop applications for it. Because it would restrict my creation to the people who use that one platform. And it would give the power to censor it or mingle with it to the platform operator.
> Because it would restrict my creation to the people who use that one platform. And it would give the power to censor it or mingle with it to the platform operator.
But that's exactly what's happening with browsers. Suddenly, Google wants to raze ad blocking, and everyone else follows. All the good points for browsers are restrictions and standardisations, which are fully present in exemplary containers. I don't see how you can get vendor locked-in via docker or kubernetes, I can see how webkit and DRM can.
There is no vendor lock-in if you use standard, battle tested web technologies with a few exceptions. If you use the browser as a UI platform, then OP is right.
That was what I was thinking about, but DRM is flawed anyways. I don't think there's anything on Netflix for example that isn't available on torrents or other file sharing methods.
I don't want to only use trusted sources from any software store. If UWP had provided sensible deployment options, it wouldn't be as dead as it is.
Hell, personal firewalls provide a better sandbox solution, at least for network access, even if that is not really their intended function.
Be that as it may, I think good privacy laws and holding software manufacturers accountable is part of a solution. That software more and more behaves like worms regarding to user data is a more recent development.
UWP is not dead, every Windows release adds more API space, React Native for Windows uses UWP, Windows 10 drivers now use UWP APIs as well (Universal drivers), WinUI uses UWP, XAML Islands use UWP, ...
WinUI is also the official replacement for MFC, which triggered the rewrite of some UWP components into C++/WinRT from .NET Native.
Windows store supports side loading since Windows 8.1, and MSIX packages have replaced APPX and MSI as the future of Windows package formats.
Maybe. I am not really happy with it to be honest. Win32 is old and I thought WPF would be a real alternative. It did many things better than classical APIs, but I was never really into XAML and it was dropped just after a few years. I took a quick look at UWP which uses XAML in a different way, but I wasn't really convinced by it.
I am not interested in side loading anything. I have just no interest to use an API that is abused to promote a proprietary store and an OS because I only see disadvantages in that. UWP may have changed by now, but for me it is too late. I have switched to other technologies and am pretty happy with them. If windows continues to be SaaS, I will not develop for it. Even if its legacy might continue for a few decades.
If the primary form of deployment is a store, I could as well use Apple. Although their store isn't really shining on Mac OS as well. I believe there are good reasons for that.
Windows as a platform had many advantages, but it seems to me that MS threw that away to emulate others. A futile strategy in my opinion.
That will result in a lot less software for mac OS. Since there are many applications that certainly will not spend anything on developer ids, e.g. most open source software there will simply be less builds for the platform.
ChromeOS supports android apps, but yes, I would state that iOS, chromeOS and android are really bad operating systems.
> Learn how Linux for Chromebooks (Crostini) gives you a secure sandbox for development. Through a variety of demos, this talk will explain the architecture underlying Linux for Chromebooks and the design decisions that keep it easy to use.
Great. Let me know when that fancy sandboxing tech works for applications I actually use though. Or when UWP catches up with the 1990s and supports portable applications.
macOS Catalina is actually much more aggressive about this. Even in unsigned unsandboxed apps, the OS will pause the app and ask the user for permission when the app tries to access any directory it doesn’t have permission for, and this behavior is replicated across many other parts of the system too (webcam, mic, etc).
It’s a bit annoying initially but it’s nice knowing that the system will put control back into my hands whenever apps try to do something shady.
False dichotomy. A cage restricting the rightful owner of a computer is not the same as a cage that the rightful owner can use to restrict untrusted software.
There is no reason why sandboxing needs to be evil. In fact this is already proven by the sandboxing efforts on linux where there is no mandatory repository and the user is always in control, it's the applications that are not.
How do you think Apple are allowed to exist in China? Who gave you the impression that they're the exception to the rule for independence from the government's "oversight"?
Funny, but I can trust most of my locally installed apps. I trust Photoshop not to share my photos with Adobe, and so far it hasn't. It also doesn't share telemetry or any of that.
Same actually goes for most programs I use.
It's the browsers that have the habit of sharing sensitive information with the outside world, not other apps.
I'm talking desktop software. Mobile seems to have a lot more privacy invading apps.
We have to differentiate between platform (OS/Browser) and application (native app/website).
The browser is the OS.
The website is the application.
Browser and os can both track your history.
An application / a website can not.
You might think websites can via tracking scripts connecting to third parties. But applications can connect to third parties even easier. As a user, you have even less power to prevent that.
That's why I want to be able to trust my OS privacy-wise.
A native app might be able to violate my privacy. But an OS that can do so is much more dangerous. The reason is the volume of data that can be collected by the gatekeeper.
The next step would be for some open source initiative to do the work and de-google Firefox completely. If that fork of Firefox gains traction, it might bring Mozilla on the right track so they drop their ties with Google to survive.
I am hoping that privacy and security concerns are about to push the local/remote pendulum back towards local again. An antidote to the Cloud madness is well overdue.
Of course, that does rely on having better security models and software installation and update systems in our desktop OSes, and particularly in the case of Windows, they are running at full speed in the opposite direction lately. :-(
> Not only is the browser a laughably complicated app runtime that isn't capable to do anything with local files (so you need "services" to store your eg. photos), it's also blatantly power-inefficient and a privacy catastrophe.
Yes, but there are no practical alternatives. No matter how inefficient it is, there is nothing to replace it. And the gatekeepers of the devices on which the browsers run won't let anything else replace it unless they are the ones controlling it.
> Where has the idea of personal computing shared by a whole generation gone?
I would say it was eaten by profit seeking corporations.
There are no practical alternatives for delivering applications, especially for small companies.
Let's say you are a small startup, whose core business is not IT related, and you want to distribute an app to your customers/partners. Are you gonna hire one person to write the app for each platform? And how many platforms are you going to support?
Bunk. This is entirely subjective and worthless to the argument. Compare: widget toolkits like Aqua, GTK3, Windows.Forms, etc. to the bedlam that is the web.
So let's say you use any of the toolkits you mention.
How would you go about distributing your app to Windows, macos, android and ios? I am even leaving out the question that from all the toolkits mentioned none will let you do that.
well, it's already there when you buy/reinstall the device.
Maybe not chrome but a web browser is preinstalled.
So then you only need to provide url to the users of your app, and they are ready to use it.
With distributing binaries it is much more complex story. And that's why projects using Electron get more and more popular, because they at least take part of this complexity away.
> And that's why projects using Electron get more and more popular, because they at least take part of this complexity away.
...no they don't. They're literally distributed the exact same way as native applications. They're developed differently, saving the developer time (theoretically), but they're distributed in the same old download-and-install (or just download and run) way that applications have been since forever.
I said "they at least take part of this complexity away."
They don't solve all of the problems, but they do solve two important ones.
1. The runtime is the same on all platforms
2. They build installable binary packages for you
So only 2 is about distribution, and it is not a trivial task. If you have to make Installer for windows, DMG for macos and let's say deb and rpm for Linux.
I have a small opensource tool that I make, and I would say that building the installer for all the platforms has taken probably 20% of all the development time, and if you count in also the desktop integration code (like Explorer context menu for Windows) it's way more.
Installers for MacOS and Windows are piss easy. Hell, you don't even actually need installers for either, as both OSs support portable applications. I never even bother to make windows installers because you can just unzip to a folder and be done. If I ever distributed anything for Linux, I'd use AppImage to the same effect.
These are great write ups! Just a shame they are in the format of a twitter “conversation”. The readability really sucks and don’t let me get started on the UX :/
I've noticed multiple people pinging twitter.com/threadreaderapp at the ends of these threads. It rolls up the tweets into a more traditional single-page, blog format.
Huh? Loads of links on HN are not to twitter. Most of them in fact. I don't see how twitter is a prerequisite for us having the opportunity to discuss something here.
The reason people post stuff to twitter is because they have an addiction to the gamification of social media like/share statistics.
Thanks. In that case I don't think it's worth carrying on more discussion, given that you are interpreting something entirely different from what I meant.
This conversation is about the medium, not the message, so we'd probably have been OK without this one. I agree that a Twitter thread is a pretty inefficient and painful way of reading a conversation.
I mean the entire conversation, not just this particular subthread.
Basically, what if doing something different would have impacted the reach of the discussion to the point where none of us would have heard about it. Is that better?
Disable JavaScript and Twitter magically becomes...almost useable. You can only view one image at a time. Other than that, proper conversations are readable. As someone who visits Twitter approximately every other month, it works for me.
Sure, all requests are now sent to one location, including (!!) extension (Tor, https everywhere, etc) downloads used by brave. What about the possibility of the brave folks modifying those extensions to suit their needs? If I am needing to trust Tor, I'm going to download Tor from the appropriate location, not from brave. Based on the language he used reviewing other browsers, I suspect if that behavior was seen on anything other than brave the prognosis would be different.
I don't hide the fact that I work for Brave; I mention it in numerous threads and responses. What do you feel I handled differently on account of my association with Brave? Will gladly correct any mistakes.
To your question, Brave couldn't get away with modifying extensions on the fly. This would cause integrity checks on the client to fail. Not to mention, the code to do this would have to land in our public repos on GitHub, where we would quickly be tarred and feathered.
If you're capable of running the Tor browser, we encourage you to do so. Brave isn't as good as the Tor browser if you're smart enough to use the later. That said, if you need a browser that can also make non-Tor connections, etc., then Brave is probably more ideal.
> What do you feel I handled differently on account of my association with Brave? Will gladly correct any mistakes.
Put it in your twitter bio. Just "working @brave". If I'm reading your opinion on software it's helpful to know I'm reading the opinion of someone employed by a competitor without needing to dig through other parts of your twitter account.
Obviously, if this original review were to come from Brave or a Brave-employee directly, it probably would have been taken differently than coming from a "grass-roots" individual, hence the intentional deception on his part.
Twitter explicitly allows one to have multiple accounts as long as you use them for different purposes; in this instance, it's very difficult to see what purpose this Brave-less account has (other than intentionally misleading the public by hiding the Brave affiliation whilst still talking about browsers).
There's no intentional deception here. My followers on Twitter know for whom I work, but that doesn't mean every tech-related Tweet is a work item. I didn't pump this post, I wrote it for the people who follow me on Twitter. Be kind.
Side question: I use Brave on Android and have noticed that scrolling through the comments here on HN can be a bit finicky.
The first swipe tends to sometimes scroll the contents of a comment (not the page) up or down by a couple of pixels, then the next swipe with finger starting in same comment will let me scroll the page.
Just thought I'd mention it as I love Brave and am hoping this can be improved. Haven't noticed it on other mobile browsers. Cheers!
As a reader of the threads, I first assumed you were an independent security/privacy researcher. Only when I saw a reply of yours "that's being worked on" did I begin to suspect you were affiliated with brave (but assumed as a fan).
I was not able to quickly confirm your affiliation (bio was first place I looked). Not disclosing this more prominently felt icky.
For some context, I released this on Twitter, to my followers, who know I work for Brave. I mean, in my profile picture I'm seen wearing a Brave shirt and presenting at a Brave booth.
The threads aren't hit pieces; they were the curious musing of a software engineer and browser builder. And it's worth noting that I spent time yesterday working with Mozilla on their telemetry bugs; so I'm not here to throw mud. Somebody else posted my thread here, and caused it to blow up. Don't lay that on me.
Sorry, I didn't mean to imply ill intent whatsoever. It didn't come across to me that you were trying to do anything shady, and it also didn't seem like you were trying to damage a competitor.
Given that this did end up reaching a broader audience than your twitter following (it is a public forum), my feedback would be that it was too hard to tell that you were directly affiliated with Brave, and that it would feel much classier to disclose this clearly in your bio (just "eng @brave" or something, or even a top-level reply to your primary thread if you don't want to modify your bio).
Perhaps I'm less eagle-eyed or adept than most twitter users, but I actively suspected you were affiliated, looked for clues that you were, and could not find them. Given that it wasn't your intent to hide anything, but can accidentally give an impression that you are, it might go over better to be more proactive in disclosure.
Again, the thread itself was successful in achieving the tone of "just the curious musings of a software engineer", was great content, and IMO still reads well with knowledge of your horse in the race.
FYI we didn't have an issue open on the topic of reproducible builds until now[0]. While it has been discussed internally, we haven't focused on it. We will have to assess the work involved but will put it on our backlog.
I think "reproducible builds" usually refers to being able to build Brave yourself, then creating a hash of the resulting artefact, and that hash being exactly the same as that of the built version Brave distributes itself.
In other words, being able to verify that the source code that is included in the build of Brave that Brave distributes, is the same as the source code we can view publicly.
Mozilla, however, is different, in that all builds are posted to ftp.mozilla.org, in a versioned manner, and kept there for a while, which, at least in theory, makes it easier to verify or analyse the builds.
What is the situation with Brave? Can I download a version released a few months ago? As it is, the browser is not only not really versioned (at least in the binary form), but there's not even a way to disable it from automatically updating itself. Self-modifying code, where the user has no control over the channel under which the modifications are pushed, is inherently insecure from the reproducibility's perspective.
You can get older (and many incremental) builds from https://github.com/brave/brave-browser/tags. Hope this helps! There is desire within the team for reproducible builds, and I'll see to it that these coals are stoked. Our intent is to be as open, transparent, and accountable as we can be. Brave's mentality is "Can't be evil", as opposed to "Don't be evil." Thank you for the feedback!
Those are Git tags; they have nothing to do with reproducible builds, because you're not providing the executable binaries that are the ones being distributed. It's a huge downgrade in terms of reproducibility of builds compared to Firefox. (It works for Google with Google Chrome because they have an entirely different business model where the whole thing is a walled-garden by design.)
Reproducible builds would mean that anyone could download the code for a specific release and build a binary that is identical to the one you provide - byte for byte. Is that possible?
> If you're capable of running the Tor browser, we encourage you to do so. Brave isn't as good as the Tor browser if you're smart enough to use the later.
May I ask what you mean by "if you're capable of running the Tor browser" and "if you're smart enough to use the later (sic)"? Is it about the person knowing that it even exists? I use Tor Browser sometimes, and it's no different from using any other browser (except for some differences in network speed and the fact that it isolates every tab). I don't see what specific capability or smartness is required to use it.
Sure, what I mean to say is that Tor is more of a super-user utility (IMHO). If you're looking for that degree of anonymity, you probably don't want to be in a browser that also supports traditional protocols (like HTTP, etc.). As such, Tor is more appropriate for a sub-set of users who are very interested in privacy/anonymity. For those who need it only occasionally, Brave is probably a better option.
> If you're capable of running the Tor browser, we encourage you to do so. Brave isn't as good as the Tor browser if you're smart enough to use the later. That said, if you need a browser that can also make non-Tor connections, etc., then Brave is probably more ideal.
I'm confused about this? Tor browser installation isn't any different from any other major browser, presumably including Brave. There's no skill required to operate it that you don't need for Chrome.
Your trust for privacy has to go somewhere - do you trust the megacorp with antitrust investigations and hundreds of perpetually pending lawsuits, or "Brave Software, Inc"? Security as well. Password sync is coming[1] - surely brave software, who controls that one domain "brave.com" and the entire process of install, update, and password sync, has security procedures that rival Google and Mozilla in preventing unauthorized or malicious code deploys.
> Password sync is coming[1] - surely brave software, who controls that one domain "brave.com" and the entire process of install, update, and password sync, has security procedures that rival Google and Mozilla in preventing unauthorized or malicious code deploys.
How would I know? Is that code on GitHub? If not, why not? That would certainly give your words a lot more weight.
Also, to my knowledge there has never been a leak of Chrome sync data since the feature was first introduced in 2012.
I say this sarcastically - I don't think anything about Brave's security ops is flawed or even misconfigured [now], but Google and Mozilla have a lot more resources than Brave does dedicated to security and auditing of things like CI servers and access controls.
And the password sync thing was related to the server that runs sync - it's E2EE, but Brave controls the update process and could very well deploy a malicious update that exfiltrates sync data or leaves it open to attacks.
That's why my point is about where you place your trust - if you're not up to the task of building your own browser (or at least auditing and building chromium yourself) and running your own sync software, you have to trust someone; oftentimes this means giving up privacy (Google) or giving up security (Again, choosing Brave isn't really giving up the security of your sync data, you're just now trusting a company that might not have the same security procedures and amount of resources dedicated to audits).
Point of clarification: Brave supports Sync today, but passwords are not yet included. You can read about how we implement end-to-end encrypted sync here: https://github.com/brave/sync/wiki/Design
We began developing Sync during our "Muon" days, when our browser was a fortified fork of the Electron project. We then moved over to "Core", which is a soft-fork/patch of the Chromium code-base. As such, this required us to back-track just a bit, and recover some ground. Efforts were then directed at shipping a MVP of Sync across Windows, macOS, Android, and iOS. We succeeded in doing that not too long ago, and are now working towards expanding support for more data types. Hope this helps!
Any possible chance of supporting third party sync? I'd love to have Brave (my primary mobile browser) sync natively with Firefox (my primary desktop browser).
You're already trusting their browser - if they were going to maliciously modify the Tor extension, they could do it inside the browser instead of in the extension download (e.g. not load the actual Tor extension but do their nasty thing internally)
My daily driver is Firefox (and I abandoned Google Chrome long ago), but if I have to choose, for whatever reason, between sending requests directly to Google and sending requests to Brave, I'd choose the latter. I do trust Brave more than I trust Google (yes, I'm also aware of the controversies with a rave about its founder and about its micropayments service). I wish Mozilla would actually proxy requests to Google, since I trust Mozilla a lot more.
What you're advocating is for Mozilla to become a walled-garden, just like Brave and Chrome are.
Since when is a walled-garden a good thing?
If you trust Mozilla more than you trust Google, I think it follows that you should also trust their decision that NOT proxying and going directly to Google.com for this data is acceptable.
Not only that, but he has another account, @BraveSampson, which links to this one, @jonathansampson, but not the other way around. They used to have nearly-identical pictures, and, IIRC, linked to each other, but not anymore.
Would I be the only one to find it fishy for someone to post such reviews for your competitors whilst pretending that you're an individual not on a payroll from Brave? Why should Mozilla proxy requests to Google through their own servers like Brave does? And the better question: Why IS Brave MITM proxying requests to Google and other services?
BTW, having multiple Twitter accounts is not against the rules if each account is for a separate purpose, but for someone working in the browser industry to be having two separate accounts where they write about browsers on each one, all whilst hiding their affiliation and pretending to be an unaffiliated individual on one of them?! Seriously?
---
Keep in mind that Brave and Chrome are the ultimate privacy violators, as it's not possible to disable autoupdates on either one; Brave developers repeatedly (see https://github.com/brave/browser-laptop/issues/1877) disregarded community's complaints about this issue (ironically, going against https://brendaneich.com/2014/01/trust-but-verify/); so, you're basically running a self-modifying binary, whether you like it or not. Any review anyone does is kinda meaningless, because there aren't any versions per se, and it can do whatever the hell it wants the next day, without any public record of what it did yesterday. With Mozilla, there's a public ftp directory with all the versions at `ftp.mozilla.org` — haven't seen anything like that for neither Brave nor Chrome.
In fact, many folks used various official guides from Google to disable Chrome from autoupdating itself, e.g., because the newer versions broke font support or other system-level features, only to find such officially-sanctioned settings completely ignored down the line.
How about doing a review of how much it costs in roaming fees to have Chrome/Brave download updates without your permission whilst you're travelling? Or how many hosts Brave does MITM to without any good reason?
"The tab discussing the importance of Privacy loads in the background, bringing along with it the Google Tag Manager and Google Analytics. Hello, Google."
Mozilla had a contract seven years ago. No idea what has happened since then -- and I note that not only is DNT not honored there, the suggestion to properly support it by conditionally loading GA if DNT is or is not enabled was ignored and the ticket was hastily closed "fixed by switching to GA."
This does nothing to affect my faith in Mozilla's privacy practices, especially since GA is baked into the extensions page and cannot be disabled, even by installing extensions.
Honestly, for the amount of flak they still get because of it, they really should've dropped GA by now and wrote their own analytics backend. If they're serious about valuing privacy and preventing tracking, that custom backend wouldn't need to be complicated.
Does it matter if they get flak for it if their contract does actually protect privacy? Or is privacy only for marketing and not an actual principle they care about?
Writing an analytics backend is not a trivial thing, and more stuff like that means less resources for Firefox development. It's far more sensible to do what they did, which was negotiate a contract with those who know what they're doing.
From the point of view of their principles, the contract with Google is fine as long as it protects privacy. Some people will always be quick to jump to conclusions, but there's a practical problem when such people form a good chunk of your market (and can amplify their outrage via media).
It's a practical problem. On the one hand, you have people turned off by the perception of Mozilla betraying its principles. On the other hand, you have resources to be directed to substitute the analytics backend. The right thing to do would be to pick an option that maximizes the amount of resources available for Firefox development/Mozilla's mission.
My impression is that building and maintaining an analytics backend consistent with their mission would not require that much of resources, so the balance would fall in favor of doing it. But maybe (probably?) I'm wrong about this, and it's better to stick with Google for now.
From the point of view of their principles, the contract with Google is fine as long as it is honored by Google. Hard to check that though, because you never know what Google really does with that data. Google also doesn't have a very good track record with privacy. So, yeah, the contract is fine, but there's also so much wrong with it. Who trusts it? Mozilla? They seem to. Their target demographic? The people who are smart enough to understand that you can switch your browser, and who don't choose Chrome but Firefox? Those people, not so much.
I was more thinking about the fact that the loading of the tracking code, regardless of backend, is quietly loaded by the tab with the page discussing privacy.
It was unexpected for me that Firefox is calling google. It surprises me and disappoints me that EdgeChrome is calling google too. I was hoping for a Google Free Experience with EdgeChrome. That EdgeChrome is calling Facebook leaves me speechless.
> They’d be in pretty hot water pretty fast if they didn’t honor it,
Only if they got caught, and only if the person who caught them saw fit to make waves about it and let other people know. And even then they could likely worm their way out of any real trouble by apologizing and pleading that it was accidental (because the sycophants would likely eat that shit up.)
Corporations break contracts every damn day. There is no way for me to even hope to verify that Google isn't breaking their contract in this case. You and others in this thread expect me to trust Google and trust that the threat of a contract breach lawsuit will keep them compliant, but there is no reason that I should. They don't deserve the benefit of my doubt. They lost that a long time ago.
I googled it and got a bunch of articles about data breaches of Opera services.
What I understood the GP post to be is that the owners of the browser do shady stuff, which I found no evidence for on Google (or DDG). So was Opera compromised by a third party or is Opera compromised by the first party (malicious owners?).
Heads up, Mozilla is on the way to be notorious Google services/Google Cloud user [0]. Recently, they started adoption of the Google Spanner in the Firefox-Sync related backend services, while in others they adopted the Google Pub Sub. The use of GA and GTM might seem like hypocrisy but my guess mozillians don't have enough workforce and/or assets to control infrastructure to roll their own analytics platform.
An auto-updating browser is essential to me. For nearly all other software I abhor automatic updates, but for something as vulnerable as a browser it's absolutely crucial.
I'm programming since the 1980s. This feels very, very strange to me. I wouldn't want to rely on so many moving parts even after the whole software got installed.
They have a totally different philosophy than us old folks.
I was thinking about this too. In fact, to do my review of Edge and Firefox, I had to dig into the file-system to grok where/how profiles are persisted. These are different than Chrome, Opera, Vivaldi, and Brave (which all share a common Chromium ancestry). I am also curious (as a Windows user) how the Registry is affected by each browser. That too is something I'd like to investigate.
The first thing I do with newly installed Chrome is to disable its auto updater. I do not wish one day to find the feature I relied upon missing and had to download and install another old version.
If you're running on Windows there's a group policy templates pack[1] for tweaking updates for Google products. Copy it then run gpedit.msc and disable auto-updates.
I wonder if the binary download with language information is a protobuf? If so, it should be easy to get a slightly better look at it with one of the various online protobuf decoders, such as this one:
There are quite a few protobuf responses. Unfortunately, I wasn't able to get Marc's service to work for me. I'd have to revisit it at a later time to peer further into the bits.
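For readers who want to peek at such a response body offline instead of pasting it into an online decoder, here is an added example (not part of the original thread) of a schema-less protobuf wire-format decoder, similar in spirit to `protoc --decode_raw`. The function names are hypothetical, the sample bytes are constructed by hand rather than captured from any browser, and preferring printable text over a nested message for length-delimited fields is a heuristic choice of this example.

```python
"""Schema-less protobuf wire-format decoder for inspecting captured bodies."""

WIRE_VARINT, WIRE_I64, WIRE_LEN, WIRE_I32 = 0, 1, 2, 5


class NotProtobuf(ValueError):
    """Raised when the bytes cannot be parsed as protobuf wire format."""


def read_varint(buf, pos):
    """Read a base-128 varint at pos; return (value, next_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise NotProtobuf("truncated varint")
        if shift >= 70:  # a 64-bit varint never needs more than 10 bytes
            raise NotProtobuf("varint longer than 10 bytes")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7


def interpret_bytes(chunk, depth, max_depth):
    """Length-delimited fields are ambiguous without a schema.

    Heuristic: printable UTF-8 first, then a nested message, else raw bytes.
    Text goes first because short strings such as "en-US" also happen to
    parse as a valid nested message.
    """
    try:
        text = chunk.decode("utf-8")
        if text.isprintable():
            return text
    except UnicodeDecodeError:
        pass
    if depth < max_depth:
        try:
            return decode_raw(chunk, depth + 1, max_depth)
        except NotProtobuf:
            pass
    return chunk


def decode_raw(buf, depth=0, max_depth=8):
    """Return a list of (field_number, wire_type, value) tuples."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 7
        if number == 0:
            raise NotProtobuf("field number 0 is invalid")
        if wire_type == WIRE_VARINT:
            value, pos = read_varint(buf, pos)
        elif wire_type in (WIRE_I64, WIRE_I32):
            size = 8 if wire_type == WIRE_I64 else 4
            if pos + size > len(buf):
                raise NotProtobuf("truncated fixed-width field")
            value = int.from_bytes(buf[pos:pos + size], "little")
            pos += size
        elif wire_type == WIRE_LEN:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise NotProtobuf("length prefix runs past end of buffer")
            value = interpret_bytes(bytes(buf[pos:pos + length]), depth, max_depth)
            pos += length
        else:  # deprecated group markers (3, 4) and reserved values (6, 7)
            raise NotProtobuf(f"unsupported wire type {wire_type}")
        fields.append((number, wire_type, value))
    return fields


def looks_like_protobuf(buf):
    """True if the whole buffer parses cleanly as wire format."""
    try:
        return bool(buf) and bool(decode_raw(buf))
    except NotProtobuf:
        return False


def render(fields, indent=0):
    """Format decoded fields as indented text lines for reading."""
    lines = []
    for number, _wire_type, value in fields:
        if isinstance(value, list):
            lines.append(" " * indent + f"{number} {{")
            lines.extend(render(value, indent + 2))
            lines.append(" " * indent + "}")
        else:
            lines.append(" " * indent + f"{number}: {value!r}")
    return lines


# Constructed sample (not real traffic): field 1 = 150, field 2 = "en-US",
# field 3 = nested {1: 3, 2: "hi"}, field 4 = fixed32 42.
SAMPLE = bytes.fromhex("089601 1205656e2d5553 1a06080312026869 252a000000")

if __name__ == "__main__":
    print("\n".join(render(decode_raw(SAMPLE))))
```

A clean parse only shows that the bytes are consistent with the wire format; field names and exact types still need the sender's `.proto` definition.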
Author doesn’t mention safe browsing data (a random projection of domains believed to be serving malware). Does that mean the chrome binary comes with the initial data in the package?
I do mention SafeBrowsing data in other reviews; if it didn't come up in the Chrome review, it may be the case that Chrome uses the Lookup API rather than the Update API. I would have to dig a bit more to confirm this.
I took another dip into Google last night. SafeBrowsing is hit, but it was hit much later than in other browsers from what I could tell. I believe I had to attempt navigation before it was called.
So how much of this is due to the default bad configuration?
I would like to see a variation of this test when you start with network turned off, configure the browser to not use Google services, not open an initial tab, remove all default extensions and turn off telemetry. Then turn network back on.
I would also like to install ublock right from the start but that is a bit harder without network.
The application IDs can likely be paired up with cookies later in your browsing journey.
Their safe browsing API is (or was, 3 years ago anyways) also downloaded by Firefox.
All it takes really is one unique piece of identifying information for a large proportions of your browsing to be known to Google and attributed to one entity (you)
I've shared this disclaimer elsewhere, but I work for Brave. That said, based on an objective evaluation, I think Brave is the best. This conclusion is drawn by the results themselves. Brave doesn't pass me around from third-party to third-party, allowing cookies to collect on my session like barnacles.
As for "very worst," I'm sure there are far, far worse browsers out there.
Do the same for OSs. I recently put win7 through ufw to see what it was doing....lots of interesting calls. I allowed one app to get out to a specific IP and when Windows saw it get a few return packets it went berserk trying to get out to Windows update etc.
I was doing a bit of this unintentionally, while monitoring network activity. It's intriguing to see which processes are calling out to which end points.
I tried opening Chromium on Linux yesterday (I use it sometimes for testing) and it prompted me to log in. I had to hit Cancel four or five times before being able to browse. Bizarre behaviour for a browser.
You also cannot log in on Google-owned websites, like YouTube, without signing in in the browser itself.
I haven't figured out a way to do so, at least. You can use guest tabs, but then you lose all of your customizations (extensions, bookmarks, etc.), so I don't consider that a viable option.
ungoogled-chromium removes this, but the current builds fail on my machine for some reason.
Brave wouldn't know if the cookies were collected during a Chrome first-run, or explicit user navigation. They could also be picked up by direct chains during normal browsing.
To my knowledge, this type of knowledge would require updates to the underlying cookie specification itself, where additional meta information records the type of action responsible for setting the cookie (automatic vs user-navigation). But then, I would assume, everybody storing cookies would do so as 'user-navigation' to avoid getting cleaned out.
Stopped using Firefox a while ago (recently). For a company so pro-privacy, they sure do have no problems with pushing 3rd party advertising content through their product.
I work on Brave (stated numerous times elsewhere). That said, Vivaldi was one of the better browsers I reviewed (as stated in that thread). I still think Brave is doing the most here, though. I did find a place last night where Brave failed to proxy a call, and reached out to my team this morning to work towards resolving. In my sincere opinion (based on objective criteria), Brave is the best browser to use.
Microsoft Edge (Chromium) Beta https://twitter.com/jonathansampson/status/11661386925090652...
Opera https://twitter.com/jonathansampson/status/11653532133081292...
Vivaldi (Same thread as Opera) https://twitter.com/jonathansampson/status/11653581559220592...
Dissenter https://twitter.com/jonathansampson/status/11653770639326371...
Brave https://twitter.com/jonathansampson/status/11653912119995187...
Mozilla Firefox https://twitter.com/jonathansampson/status/11658588961766604...
Cheers!