Why do I always get a bad feeling about the motivations behind stuff like this? I want to believe it's for better privacy and security, but it's being driven by a corporation or two, and that makes me 100% suspicious. Like, for example, suddenly Edge is no longer respecting local DNS options and my pihole protects one fewer device from the real dangers to privacy. I don't want to be cynical so often, but this really doesn't feel like a benevolent move. Yeah, it's conditional at the moment, but as with Chrome and manifest v3, among many other examples, I'm losing my faith that anything with the potential to increase ad revenue will remain turned off for long.
The reason you have a bad feeling is it gives the FBI/FEDS a single point to collect your data, with a man-in-the-middle attack that you will have no idea is there.
Using a browser that monetizes itself in any way seems like a slippery slope to me. I'd rather use Ungoogled Chromium/Bromite or even LibreWolf if it came down to it. Saying "that's it, I'm moving to Brave!" is basically declaring that you're moving your data from Microsoft(1) to Microsoft(2).
Exactly. Brave just takes Chromium (from Google) and adds weird crypto stuff to it. None of the Chromium forks are "different browsers" in my eyes. They all depend on upstream for everything important. They couldn't develop the browser on their own.
Just use Firefox. It works just as well as Chrome (*), but it's based on a completely different engine which was built from the ground up.
(*) On desktop at least (on Android I still use a Chromium fork for now)
> Brave just takes Chromium (from Google) and adds weird crypto stuff to it
That's a really unfair (and untrue) statement. Brave also removes some code they find privacy violating, built in a best in class adblocker, built a full cross-device sync system that works perfectly, some UI tweaks and enhancements, built Tor connectivity in, etc. Probably a lot more that I'm leaving out.
I am def not a fan of crypto or BATs or whatever they were pushing, but you can use it fine ignoring all of that.
To be fair, you can also disable Microsoft's built-in VPN. The problem is trusting people who don't have your best interests at heart, and using Brave products just kicks that can further down the road.
Normally this might just be a platitude of the sort, "Go check it for yourself." But in this case that's not what I'm saying. Brave is going to be used by large numbers of tech focused users with a privacy/security bent. And they are also competing against Google who will make sure even the slightest slip by Brave is promoted across the entirety of the web.
That code is scrutinized heavily. That the worst you can find about Brave is people making false statements about crypto stuff (it is entirely optional and opt-in with 0 coercion or dark patterns to push you there) speaks incredibly highly as to the current state of the Browser. Might that change in the future, as you seem to be suggesting? Yip! And when it does there will be a new Brave. But for now they continue to stay on an excellent path forward.
Many sites are broken on non-Google browsers though. But the advantage of being able to use adblockers in Firefox alone outweighs that - not even taking privacy into consideration.
The thing I like most about Brave is actually the crypto stuff, and I hate almost all crypto. This is actually a good use case for it - you have a distributed system (users browsing) across untrusted hosts (users).
People like to shit on advertising, but much of the internet exists today because of advertising. Do you think Youtube could exist at that scale without ads? I don't think so, personally. At least, not without another way to monetize.
Brave is the only player providing an alternative monetization strategy. Crypto or not, to me, that is by far the most interesting thing a browser has done in a long, long time.
Blink (Chrome) is a fork of WebKit which is a fork of KHTML (Konqueror), but that is a very much different situation. None of the Chromium/WebKit-based browsers are full forks but rather merge custom patches with upstream development. They don't have the development capacity to go against any Google changes except for a few things here and there. Meanwhile Google isn't relying on KDE to develop new features - in fact KDE isn't developing any new KHTML features but instead is switching (or has switched) to WebKit/Blink.
> (on Android I still use a Chromium fork for now)
What Chromium fork is on Android and actually better than Firefox for Android? I use Firefox for the best possible experience on Android and would like to be aware of another option.
From my (anecdotal) experience, Bromite is faster than Firefox on my phone, but your mileage may vary.
I was originally using Firefox due to its uBlock Origin support, but Bromite has ad-blocking built-in (unfortunately it's not quite up to par with uBO but it works well enough).
I would suggest that you try both and see which one you prefer.
I have at least three sites I use that I have to open in Edge since they don't work properly in Firefox. Local bank, credit card issuer, and employer's guest wifi login portal.
>Just use Firefox.
No.
Well, I'm not so rude, so "No, thank you".
>It works just as well as Chrome (*)
Not on *anything* I use, it doesn't, so "No....thank you".
Tbf, I do keep trying ff, but...clunky, jeepers!
'Fraid I'll hang on until my Brave jumps its particular shark and then maybe I'll hop over to something else, but for now, and as long as I can still use UblockO, Brave it is.
>not even Microsoft can afford to maintain their own browser engine
We don't know that. Maybe Microsoft could maintain their own browser engine if Google hadn't provided one on permissive open-source licensing terms that met their needs.
They gave up way too easily though. I don't think they ever had an interest in actually making a good browser engine. They've never managed one in their entire history. Microsoft love mediocrity, the "just good enough" mindset. Nobody takes their products on because they really excel at what they do. Just because they have a huge installed base, they're not so bad there's really a problem to use them and they integrate with everything else (e.g. Windows) nicely. For example Slack is so much better than that turd called Teams but nobody wants to pay the extra because Teams is free with O365 and user frustration doesn't cost anything on the bottom line.
This is why Apple really came out of the blue with Steve Jobs' razor focus on quality above all. Microsoft's goal is never to be 'best in class'. Because they don't need to be. People will buy it anyway.
So what's the solution? I hate this status quo as much as you do, and standing here in a Mexican Standoff is not viable forever. You're right. "The web" as a platform has been twisted and perverted beyond real usability at this point. There is no path forward where we undo Google's damage and preserve the qualities of the web we enjoy today. So, how do we fix this?
The solution (to me) is simple - fix native app distribution. Make platform targets operate the same as they used to, and give people control over their computer again. The only ones preventing us from a platform-agnostic utopia are Apple and Google, both of whom profit off the artificial difficulty of distributing applications.
So, here we are. Google is poisoning the web while Apple refuses to swallow their pride. Everyone is hurting, and nobody stands to gain anything but the shareholders. A hopeless situation, but let's not pretend like everything here is morally grey.
For starters, if a company makes a web browser with market share exceeding 50%, and also produces web sites and web apps, if those web sites and web apps do any sort of user agent testing or require non-standard features of the aforementioned browser, it should be treated as ipso facto monopoly abuse.
The solution is already impossible. When Mozilla had browser domination they had a chance to dictate something. The moment Chrome became popular, now another company, just as MS and IE did before, could just do the feature creep of "add feature, subtly break/slow down opposition, get more users that just want browser that works"
Can you please give a concrete example of what Apple should do, in your opinion, to expand their API targets? And how is that related to web standards complexity?
People complain about excess functionality being added to web browsers (HTML5, WebXR, WebRTC, etc) and many of these complaints are valid. Web browsers don't need these features, they should be relegated to native apps.
Except they can't be. Native apps don't offer the same freedoms that the web does. And so, we keep stacking technologies on top of web browsers to alleviate the problem. It's a bad situation, and both Google and Apple are gruesomely complicit in making this situation worse.
> Can you please give a concrete example of what Apple should do, in your opinion, to expand their API targets?
Stop browser lockdown. Allow sideloading. You know, the basics of computing that we had figured out since the mid-90s or when we sued Microsoft.
Yes but being able to use all of Chrome's extensions in Brave is a huge win to me. And most Chrome documentation, Q and A, tutorials are mostly relevant to Brave as well. I see Google and other behemoths contributing to an open source project as a good thing. The product may not be where it is today without their help, including paying people to work on a free product. Still, yeah don't trust them.
I must have a hundred things that I change on every install. At a bare minimum I'd be disabling pocket, prefetch, and search from the address bar for privacy reasons and then disabling service workers, webgl, and wasm for security reasons.
> Using a browser that monetizes itself in any way seems like a slippery slope to me.
Is that a practical sustainable long-term business practice though? Firefox was only able to be free because Google was paying Mozilla. Browsers are some complex software and software developers wanna get paid. I know that the ins and outs of the history of browser software have conditioned us to expect browsers for free but that doesn't reflect the reality of developing the software.
Firefox, with its full complement of full-time developers, could stay alive with a tiny fraction of what Mozilla earns in a year. Most of Mozilla's work is tangential to Firefox at best.
Surely there's space in the browser market for a model akin more to how Wikipedia operates.
That's the thing, it shouldn't be a business practice at all. Browsers are part of the Internet infrastructure and that should not be treated like any other business but be regulated enough to ensure anyone gets fair use of the infrastructure and should rely primarily on public funding.
The Internet being global makes this challenging, and almost all countries (including so-called democracies) wanting to drink as much authoritarian juice as they can get away with does mean that there is plenty of risk here as well. But letting one or a few giant megacorporations entirely dictate the primary infrastructure for information interchange is so much worse.
> Using a browser that monetizes itself in any way seems like a slippery slope to me. I'd rather use Ungoogled Chromium/Bromite or even LibreWolf if it came down to it.
The problem with this approach is that it’s impossible to get a safe binary that isn’t downloaded from “libfree.cxcc.gg” or whatever. The other option being to build from source, which is an absolute nightmare for Chromium.
All of those browsers have signatures available if you question the integrity of your binary. Otherwise this argument isn't any different for the likes of Brave or Chrome even.
> All of those browsers have signatures available if you question the integrity of your binary
Signatures available from whom?
The point being that a web browser is a very special case of software that has to be absolutely 100% trustworthy from a reputable commercial entity (that is, someone that can be sued). The only other thing with that level of trust is your operating system.
So my Linux kernel running the majority of the infrastructure of the company I work for is untrustworthy?
Do you not trust kernel.org? Or the GPG signatures of the commits?
What about Mozilla?
As for "someone that can be sued", have you read any of the EULAs of the commercial entities that you think are "reputable" and "100% trustworthy"? You can't sue them.
Similarly, do you trust all of the CAs that have certificates in your OS or browser trust store?
Gemini is on the other extreme (except for requiring the crypto complexity that comes with TLS). I would prefer something that still lets people express themselves creatively like the early web did. Personally, I think even newer CSS is fine even if more complex than it could be if re-designed - the problem is mostly JS and million different APIs that come with that as well as the expectation that the browser will be able to execute that JS insanely fast.
I would. I already use FF mainly under a locked-down profile for mere reading. (I use another profile for mandatory interactive sites like banking and stuff).
Others like me would. And resource-constrained devices. An eco-system of low-tech sites could emerge with a label signaling them as simple and virtuous.
The issue I have with Gemini is that it discards 25+ years of established domain knowledge and existing software for something which does not provide any additional functionality over what today's software already offers.
I don't think any way is unacceptable. I'd be totally happy to pay for the software for example. It's all the sneaky crypto / adware / tracking stuff that I have a problem with.
I'm very glad you mentioned the homepage spam. It's increasingly difficult (and valuable) to live without information overload these days; Edge's forced "news" spam has pushed me away as well.
What is shocking is the content is so low quality it's appalling it came from a big, respected company as Microsoft. A lot of the posts are often clickbaits, and there are ads carelessly interspersed between the posts all over the page.
I know it makes a lot of money for Microsoft but the fact they chose to keep the quality so low really looks bad.
Biz, gov and mil management relies on MSFT; executives, their attorneys and bankers, respect MSFT for doing what they do ($$). Similar to big retail and worse, gambling, the single user is last in line; used and abused individuals.. nobody expects a lot from the individuals involved, and their opinion matters less. Wolves among sheep, basically.
Blocking msn.com via hosts will give you a blank new tab page in Edge, only including an Edge background image, and a search bar leading to your chosen search engine.
You can disable all that from Edge itself, at least on the desktop. When on the new tab page, there's a "Page settings" icon in the top right. If you click on that, there's a bunch of options there regarding what should be present on the page; the bottom-most item is "Content", and if you set it to "Content off", it all goes away.
I'm all for pushing for more privacy/etc; but is Brave what we want to advocate for as an alternative? They did some pretty heinous link jacking relatively recently. I'm not sure FF/(/chromium) have been caught doing anything worse than that yet.
The only unremovable thing that bothers me is the stupid Bing points thing that I don't care about. It doesn't encourage me to use Bing, it just makes me question how they continue to manage to swipe my queries enough to increase that score.
And not even then. Most VPN providers in the top 10 are actually very shady and their organizational structure is quite opaque.. to say the least. I wouldn't be surprised if at least half of the top providers are actually FBI fronts, like the ANOM chat app.
The insane thing is that, because the VPN has a 1GB/month traffic limit, there is no way to enforce it unless they associate all traffic with a Microsoft controlled user identity. Cloudflare literally has to keep track of any sites you visit and associate them to your ID to make it work.
Though, I do believe that for connections from public WiFi it's somewhat of an improvement. It establishes a minimal security baseline of: "ok, we'll sell your data and let FBI snoop on you, but we won't inject trojans in your downloads and then hijack your webcam to create ransom-porn (though the FBI/??? might)".
It is so weird that they're 'VPN providers'. They're proxies. It's not really a VPN unless I'm in control, or they're providing servers in the VPN to connect to.
ISPs in Poland at least give you the ability to pay so they do not spy on you. It is very small (10%) but I have no doubt most people cheap out. Internet is relatively cheap here.
From my experience, non-tech people just leave browser defaults. I'd argue this is better than letting them use public wifi without VPN. If you really care about security you won't use it, of course.
Story time. Someone I know once got laid thanks to Facebook not encrypting their sessions.
My university was still using basic ass unencrypted WiFi with some kind of terrible dns-hijack sign in to “auth”. This of course meant that everyone put their shiny MacBooks on essentially public wifi and logged in to social media in the clear in class.
Some enterprising chaps made a browser extension that made it trivial to snoop any open sessions and impersonate that session in a new tab.
Someone I know would do this during lecture and post to people’s social media as them saying they should pay attention in lecture. Possibly some other scandalous things were said. The hilarity that led from that stranger doing so led to the beautiful nerdy girl sitting behind this person noticing and daring them to post more. That became hanging out, parties, and as far as I know they got married and have kids now.
Literal people exist that wouldn’t otherwise because Facebook didn’t have HTTPS.
>Some enterprising chaps made a browser extension that made it trivial to snoop any open sessions and impersonate that session in a new tab.
Firesheep was super big for a while, yeah. I used it to show a few coffee shops that yes, really, WiFi with a password of "password" was measurably better for their customers than no password: https://en.wikipedia.org/wiki/Firesheep
Plus, Firefox is soon implementing HTTPS-Only by default if I remember correctly. What was it, maybe 2016 there was a big push for SSL and the majority of the web, even login and payment pages, were HTTP? Now only a small percentage of the web isn't HTTPS. I have HTTPS-Only enabled in Firefox and rarely do I have to click the 'Continue Anyway' button to browse an HTTP page. For most general users that only use popular services, I'm sure it's even more rare.
I have a site from 1997, pure html, with drivers, install disks, documentation for computers from the 80s/90s.
It works. It's fine. No, it does not need ssl. What, someone is going to hack a floppy driver for a computer, which doesn't even have a built in network stack?!
No, I am not going to do work on it, any work, at all.
Depending on what the drivers are for, you may be a prime candidate for MitM. People already go to your site to download software they're going to run in the most privileged mode. This is a perfect candidate for a type of watering hole attack.
Considering you're providing those for 90s machines, you could be the last resort website for a few interesting industry computers with no security restrictions around them.
> Depending on what the drivers are for, you may be a prime candidate for MitM.
Doing that MitM is technically very easy, but in practice pretty hard. You'd have to have an adversary on your network path watching for connections to this particular esoteric low-volume site hosting drivers for machines from the 80s and 90s.
That is extremely unlikely.
I have a much easier way to target that content: Just put up a new site hosting the same content with malware attached. No need for MitM shenanigans.
Security isn't about absolutes, it is about risk management and being aware of the likelihood and consequence of the risks is important.
> No, I am not going to do work on it, any work, at all.
Without HTTPS, the content can be replaced entirely. Last time it was JavaScript that DDOS'd github. If you don't want to serve content over HTTPS, then you don't care what your users receive. Just delete the site and they all get 404's instead, since you already admit that you don't care either way.
If it makes you feel any better, HTTP without HTTPS was a mistake we all made together. It should never have happened.
Given that HTTP without TLS can provide backwards compatibility while anyone and their dog is advocating for deprecating TLS versions and them being too complex for most people to maintain on their own, I respectfully disagree that plain HTTP was a mistake.
You're at a coffee shop or library using their WiFi. Your computer sends a plaintext HTTP message. The attacker just needs to be able to see that message and get a response back to you before the real site does, and the real site is a lot further away than the guy sitting at the table next to you (or the hacked router, if he doesn't want to be there in person). Then they can feed your browser whatever they want.
A login form to phish you, perhaps?
They can even start replying, then go off and fetch from the actual site before finishing the response, if it helps to incorporate the real data.
That is fine. The site itself is safe. Accessing it over untrusted transits is not. What has changed since 97? Well, attacks became far more sophisticated, and the transits that people access stuff over became far less trustworthy.
There is nothing wrong with your website. However, you shouldn't be surprised when modern browsers stop working with it. Progress doesn't come free.
You are hosting executable data of some kind on a non-authenticated protocol. That's totally not dangerous at all. A MITM definitely couldn't cause any damage by altering executable data in transit on unsuspecting users. This has never happened to anyone.
>are safe
No, they are not.
>No, I am not going to do work on it, any work, at all.
If you are too lazy to do it securely maybe you just shouldn't do it at all.
HTTPS everywhere by default can't come fast enough. There is no excuse at all to not have HTTPS support today and browsers should deny access to these lazy and careless sites by default. Anyone who can't spend the 5m to set it up for their website can go kick rocks as far as I'm concerned.
It is all fun and games until one of the downloads from your site picks up malware in transit and the user goes "why did this web admin infect my computer? Sue!"
Not caring about whether some segment (possibly even a majority) of users can or are willing to jump through hoops to access your site is a valid choice, just like publishing through gopher is. You do you.
You could host hashes of the downloads on an https page. Should be quite simple. Malware can still work on a computer without a built-in network stack and if users are getting downloads onto that computer, then data can leave through the same means.
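The suggestion above (publish hashes of the downloads on an HTTPS page), as an added example that is not part of the original comment or of any site's own code. The file name FLOPPY.EXE, the sample bytes and the manifest are constructed; the manifest is assumed to have been fetched over HTTPS and the file itself over plain HTTP.

```python
import hashlib
import io
import re

# One sha256sum(1) line: 64 hex digits, a space, ' ' (text) or '*' (binary), file name.
_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_manifest(text):
    """Parse sha256sum-style lines into {file name: lowercase hex digest}."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and comments carry no digest
        m = _LINE.match(line)
        if m is None:
            # Refuse the whole manifest instead of skipping: a truncated or
            # mangled line must not silently leave a download unchecked.
            raise ValueError(f"manifest line {lineno} is not 'HASH  NAME'")
        digest, name = m.group(1).lower(), m.group(2)
        if entries.get(name, digest) != digest:
            raise ValueError(f"conflicting digests listed for {name!r}")
        entries[name] = digest
    return entries


def sha256_stream(fileobj, chunk_size=65536):
    """Hash a file-like object in chunks so large disk images fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify_download(name, fileobj, manifest):
    """Return 'ok', 'mismatch', or 'unlisted' for one downloaded file."""
    expected = manifest.get(name)
    if expected is None:
        return "unlisted"  # nothing authenticated to compare against
    return "ok" if sha256_stream(fileobj) == expected else "mismatch"


def check_bytes(name, data, manifest):
    """Convenience wrapper for data already held in memory."""
    return verify_download(name, io.BytesIO(data), manifest)


# Constructed sample data: the file as the site owner published it, and the
# same file with bytes appended somewhere on the unauthenticated HTTP path.
ORIGINAL = b"MZ constructed floppy driver image v1.0\n"
TAMPERED = ORIGINAL + b"bytes appended in transit"

# Constructed manifest, standing in for the text served from the HTTPS page.
MANIFEST_TEXT = (
    "# sha256 digests of the downloads\n"
    f"{hashlib.sha256(ORIGINAL).hexdigest()}  FLOPPY.EXE\n"
)


def demo():
    manifest = parse_manifest(MANIFEST_TEXT)
    return {
        "as published": check_bytes("FLOPPY.EXE", ORIGINAL, manifest),
        "altered in transit": check_bytes("FLOPPY.EXE", TAMPERED, manifest),
        "not in manifest": check_bytes("OTHER.SYS", ORIGINAL, manifest),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The check only helps if the manifest arrives over the authenticated channel and the user compares before running the file; a manifest fetched over the same plain HTTP connection can be rewritten along with the download.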
And update all links to not go back to the HTTP site...
And troubleshoot weird issues (TLS errors are generally not helpful)...
And maintain that setup for years...
Not an insurmountable effort for sure, but if you estimate 30 min for the total additional effort of adding HTTPS to a site then I have a bridge to sell you.
Recently I noticed that FF doesn't even let you accept invalid (meaning no longer recognized as valid by FF because they changed the rules to require SAN) certificates for HSTS-enabled sites. The bug report's response was that the HSTS standard specifies that. Fuck that, the users should always be the one in control of such decisions in the end.
You forget exactly how much the government felt they got out of just knowing who was talking to whom, not even bothering to collect the data of the conversation itself.
Microsoft was one of the first companies to sign up for PRISM [1], doing so in 2007. I think there's a subconscious feel among many that because the media stopped reporting on these things, that it stopped happening. PRISM never ended, and almost certainly has only expanded and grown even more invasive and brazen largely owing to society's apathy towards what Snowden revealed.
Literally to this day one can read things like the NSA manual for using their software that enables real-time absolute surveillance of Skype: "User's Guide For PRISM Skype Collection." [2] The idea of any degree of privacy from any tech company hosted in America is a lie. The main difference with China is that we lie about our surveillance state, and force companies to lie about it, while China openly advertises theirs.
You can learn a lot about a person based on the IPs they visit. HTTPS/SSL doesn't protect you from that.
In many cases you can even determine which protocols and general content they are consuming from that IP based on traffic shaping/fingerprinting. The burst of traffic your browser sends when loading a particular site is quite exploitable. There's plenty of software already available that makes use of this.
Public wifi and bluetooth detectors all over is what's scary, as most public wifi is used by phones, not machines, and who the hell is running Edge on their phone?
But this just reminded me of the failed FB phone and the failed Microsoft phone...
So deanonymizing bluetooth device IDs. I know the Canadian spies used airport Wifis to deanonymize Wifi MAC addresses then set up wifi stations all over Toronto to experiment in tracking people.
How would they do the same for bluetooth? Broadcasting "Dans iPhone" doesn't tell you much.
Correct, but it's a more insidious web on this level...
They have so many correlation engines for device location, that it will soon be impossible to be "off grid", if it's not already.
How the heck do you think there are fn leaks from over a decade ago of "text messages received by the government reveal that person X who is on the shit-list was quoted as saying [BULLSHIT] sources close to CNN have stated.."?
ASIDE: Famous story from ~20 years ago was talking about the CIA handlers at CNN... and the revolving door of in-q-tel emps from fb moving back and forth within the security team (one of which had to be walked out of the building for [things])
You don't need "dan's phone", they have had ECHELON for DECADES and were able to literally do 6-degrees ppl tracking since the 1990s...
WTH do you think they named it "starlink" instead of sky-net...
And when they built the first part, they were advertising the wonderful things the rural folks in Africa's greater continent will benefit, then after a few years they showed that the system will primarily service the dense populations of the coasts of places like the USA and AUS -- which is where a big portion of the five-eyes service.
IMEI and such is a bitch..
iOS is the biggest location tracking platform ever...
Remember when the founder of Android (from Danger) was let go from google with a ~200MM$ golden parachute at $90MM to gtfo?
Yeah, but I'm pretty sure 99% of the population just clicks past those SSL certificate warnings, in part because they don't understand what that means, and in part because there are way too many sites that let their certificates expire.
HTTPS is trivial to break with a man in the middle attack, yes you get a scary warning in your browser about an invalid certificate, but I'd bet that 90% of people will just click through it and ignore it.
Really? Most people? I cannot think of anyone from my family who would even think about it for a second - they would just get annoyed they can't get to their bank website or whatever and just click continue. Also what tech support? Me?
But now there is no button "continue", you have to click multiple buttons, which are not clearly labelled, in order to see the page. I'm sure 90% of people would not even be aware that you are able to continue.
Even more, for self-signed certificate on chrome, there is no button to continue for example. Check https://self-signed.badssl.com/
Yes, there is. I often have to use it to deal with some internal misconfigured site inside the corporate intranet (the cause is almost always that a certificate has expired, when it isn't it's because a host can be reached with two names and the cert matches only one of them, but that case can be fixed by using the proper URL). I have no trouble telling chrome desktop to bypass.
From my experience working as on-campus tech support in college, most people who aren't tech savvy will quickly give up or look to someone else for help. They will likely not think to click Advanced -> Continue Anyway (unless they have been taught to do that before).
Tech support comes in many forms. The owner of the website, a friend who knows about computers, someone else in the workplace, the vendor they purchased their laptop from.
Banks often have awful security systems. Kiwibank in NZ has a "two-factor security" system. All it is is a security questions thing where you click on screen to fill in 3 letters of the hidden answer. The on-screen keyboard makes it secure, you see? Against keyloggers.
I once wrote them a long email about what two-factor is actually supposed to be and why it exists, and got a reply basically saying "lol ok, our security is great ok?"
I've since switched away from them for a bank which does 'two-factor' by sending codes via SMS, but only when its algorithm decides that it needs to. That's not very often.
handelsbanken.se is on line 163144. (I was a little bit off on the length of the list before)
unicredit.it is not on the list, but unicredit.ba and unicredit.ro are. (Lines 7331 and 7332) It does send HSTS headers.
danskebank.se and sella.it are not in the file, nor are the base strings, but both sites do send HSTS headers.
fideuram.it is not on the list, and does not send HSTS headers, so they don't seem particularly interested in security. They also haven't set an A record for the root domain, so visiting `fideuram.it` returns NXDOMAIN. Only `www.fideuram.it` exists.
fideuram removed the physical tokens for 2fa and moved to SMS, saying that it was because of some European directive… I went to read the directive. It basically said to not use SMS and avoid apps in favour of dedicated 2fa devices for banking.
Also, what does "HSTS sites" mean? Does it mean (a) "official" HSTS via HTTP header alone, (b) "unofficial" HSTS via preload list (see RFC 6797 section 12.3), i.e., the list maintained by Google, hardcoded into a browser, or (c) both? The "unofficial" approach only seems feasible for a limited number of domain names and unworkable for every domain name in existence.
In tests I have done on Chrome (YMMV), executing "Clear site data" via Developer Tools, or including
Clear-Site-Data: *
in an HTTP response header, e.g., added via a user-deployed proxy, will clear an "official" HSTS block, allowing the "MITM" to proceed.
Besides being generally annoying, HSTS allows for setting "supercookies" that persist even in "Incognito" mode.
The RFC for HSTS even admits how it can be used for web tracking. Not too concerning for the advertising company sponsoring the RFC.
14.9. Creative Manipulation of HSTS Policy Store
Since an HSTS Host may select its own host name and subdomains thereof, and this information is cached in the HSTS Policy store of conforming UAs, it is possible for those who control one or more HSTS Hosts to encode information into domain names they control and cause such UAs to cache this information as a matter of course in the process of noting the HSTS Host. This information can be retrieved by other hosts through cleverly constructed and loaded web resources, causing the UA to send queries to (variations of) the encoded domain names. Such queries can reveal whether the UA had previously visited the original HSTS Host (and subdomains).
I use a loopback-bound forward proxy to enforce zero tolerance for HTTP across all programs, not just the web browser. Everything is sent via HTTPS. The proxy is configured to check certificates, and deny connections, according to rules I set. I use a text-only browser for noncommercial, recreational web use so I need a forward proxy, if for nothing other than to deal with the spread of TLS. But I also use it for a whole laundry list of tasks.
Maybe it is just me, but HSTS, like much of Google's rhetoric, comes across as unfriendly if not hostile to proxies, regardless of who is running them. Consider this line from the RFC
"The rationale behind this is that if there is a "man in the middle" (MITM) -- whether a legitimately deployed proxy or an illegitimate entity -- it could cause various mischief (see also Appendix A ("Design Decision Notes") item 3, as well as Section 14.6 ("Bootstrap MITM Vulnerability"));"
"Mischief." Does that include inspecting one's own HTTP traffic on one's own network? How about blocking certain methods of tracking, data collection and advertising? Apparently it includes disabling HSTS.
Let's be honest. Google is an undisputed king of "mischief". The stakes for Google mischief are much higher and there have been too many fines to count. Consider the latest. How many people deploying their own proxies get fined $4B? (Arguably, an issue of "control" was at the heart of that decision.)
If the proxy is "legitimately deployed" then why not stay out of the network operator's way? Let them have control. Give the option to cede control to Google instead of making it a default.
I use HSTS for commercial, nonrecreational web use, when I have to use a "modern" browser. That is a small fraction of total web use for me.
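The difference between header-based HSTS and the preload list raised in the comment above, as an added example that is not part of the thread: a sketch of how a client following RFC 6797 treats a `Strict-Transport-Security` header and whether the same policy would also qualify for preloading. The function names and sample headers are constructed for illustration, and the preload thresholds are assumed from the hstspreload.org submission requirements.

```python
"""Added example: treatment of Strict-Transport-Security under RFC 6797."""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: thresholds published by hstspreload.org (max-age of at least
# one year, includeSubDomains, and the non-RFC "preload" token).
PRELOAD_MIN_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload_token: bool  # not defined by RFC 6797; a browser ignores it


def parse_sts(value: str) -> Optional[HstsPolicy]:
    """Return the parsed policy, or None if a client must ignore the header."""
    seen = {}
    # Simplification: splits on every ';', so a quoted value containing ';'
    # inside an unknown directive is not handled.
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives are permitted by the grammar
        name, sep, raw = part.partition("=")
        name, raw = name.strip().lower(), raw.strip()  # names are case-insensitive
        if name in seen:
            return None  # each directive may appear only once
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]  # values may be quoted-strings
        seen[name] = raw if sep else None
    age = seen.get("max-age")
    if age is None or not (age.isascii() and age.isdigit()):
        return None  # max-age is required and must be delta-seconds
    if seen.get("includesubdomains") is not None:
        return None  # includeSubDomains takes no value
    return HstsPolicy(int(age), "includesubdomains" in seen, "preload" in seen)


def evaluate(scheme: str, sts_headers: List[str]) -> str:
    """Classify what a response's STS headers achieve for this host."""
    if scheme != "https":
        return "ignored: plain HTTP"  # STS over insecure transport is ignored
    if not sts_headers:
        return "no HSTS"
    policy = parse_sts(sts_headers[0])  # only the first STS field is processed
    if policy is None:
        return "ignored: malformed"
    if policy.max_age == 0:
        return "policy removed"  # max-age=0 deletes any cached policy
    if (policy.preload_token and policy.include_subdomains
            and policy.max_age >= PRELOAD_MIN_AGE):
        # Header alone protects only after the first HTTPS visit; preloading
        # (a separate submission step) is what covers the first visit.
        return "header HSTS, preload-eligible"
    return "header HSTS only"


if __name__ == "__main__":
    samples = [  # constructed responses
        ("https", ["max-age=63072000; includeSubDomains; preload"]),
        ("https", ['MAX-AGE="31536000" ; INCLUDESUBDOMAINS']),
        ("https", ["max-age=300"]),
        ("https", ["max-age=0"]),
        ("https", ["max-age=1; max-age=2"]),
        ("http", ["max-age=63072000; includeSubDomains; preload"]),
        ("https", []),
    ]
    for scheme, headers in samples:
        print(f"{scheme:5} {headers!r:60} -> {evaluate(scheme, headers)}")
```

A host that returns "no HSTS" here and is absent from the preload list, as described for `www.fideuram.it` earlier in the thread, gets no protocol-level protection against an HTTP downgrade on any visit.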
I'd argue the invalid certificate would only get the middle segment of semi-tech literate but security illiterate people. So maybe a lot of people on this site. The average user, based on my observations, tends to take these warnings very seriously.
Have you looked at what the UX is for invalid certificates in 2022? It's not like ten years ago where you just click enough times and "visit anyway".
Here, try this link in Chrome: https://untrusted-root.badssl.com/. When you click Advanced, it tells you "the website sent scrambled credentials that Chrome cannot process". And beyond that there's just no button to bypass it. You can't visit the site. (Sure, there's probably a chrome://flags or --disable-web-security way to bypass this, but that's well beyond the average user's comfort zone, as well it should be.)
I clicked that link - in Chrome on Android all I had to do was click "advanced" then "proceed anyway". I have never changed any flags or default settings in this browser.
I just tried to open the site in Safari, and there's no "Continue anyway" button, only "Go Back". I did not change any default settings, because I use Firefox as my daily driver (and Firefox does have an "Accept risk and continue" button, but I think the word "risk" on it is scary enough for many people to not click it).
EDIT: It turns out there is a "visit this website anyway" option in Safari, but it is not a button, it's a link which you only notice when you click "Show details" button and read the warning.
It's trivial to set it up for the attacker. If you have a Linux laptop you can set up a redirect for all the traffic on the network through your machine with two commands, then there's plenty of tools that will intercept any incoming HTTPS certificate, replace it with your own, then decrypt the traffic. It sounds like a lot but anyone can set this up in about 15 minutes - that's why I said it's trivial.
The user mistake is just clicking "advanced" then "proceed". I know all my family members would do that without questioning.
We had recently hired new programmers, 2 fresh grads and 1 junior. All of them use Edge on their personal laptops and I didn't notice an extension button anywhere.
While I agree with the sentiment that ultimately we have to have some level of trust somewhere on the stack, there are a few minor differences.
In theory anyway, I pick my ISP. If this was "support for using a VPN" instead of "we're injecting OUR VPN" I would feel a lot better.
I'm aware I'm using my ISP. Even someone who doesn't know much about computers knows their traffic is going somewhere. They might not know the repercussions of that, but if this is just transparently on in the background, effectively a keylogger, a user might never know this is happening.
I give my ISP money. Back to the choice option. Some ISPs are bad and are trying to nickel and dime you to maximize profits. Some ISPs are actually good (I'm not Swiss so I don't know for sure, but Init7 looks amazing https://www.init7.net/en/support/faq/privatsphaere/). I don't have to question with my ISP "how are they profiting off of me" because I give them money every month. They might be, but they don't intrinsically NEED to be scraping my data. I am not sure how Microsoft benefits from giving me a free VPN unless they are scraping my data.
I can use a VPN to bypass my ISP monitoring if they do monitor. I have no idea how Microsoft's stuff is set up here. If the end result is that it gets routed through their VPN after my VPN, or instead of my VPN, or even through their stuff at all, but with stamped metadata, then there's not necessarily a great way to get around it other than "don't use Edge"
In general, yes, your ISP isn't your friend. But an ISP is something I asked for, have a use for, and need. A Microsoft stealth VPN is none of those things.
This was also how I could justify being more trusting of Apple. They didn't need all my data because that was paid for up front. The ongoing services that needed to make money I used were also paid for. Obviously that's no longer quite true with Apple ramping up their ad business, but that attitude is still often the best you can do without a level of effort that I just am not willing to go through.
Maybe a dumb question, but isn't that already a given when using a browser? To me it always seemed a bit absurd to use VPN as it basically just gives another person all your info, but just assumed browsers and the big 5 just got most of the data anyway.
The only thing I can see working is pollution, pollution of our data. There are some current extensions that do some of that, but they are likely not enough and what we really need is a kind stream of data and requests that your own requests are simply merged into.
The thing is that it would need to be smart enough to prevent pattern recognition, e.g., it cannot just be random data because your specific searches and string of searches or actions will stand out quite obviously.
Yes, it would place a severe tax on the internet and a few things could be done to minimize that, but I currently do not see any other better option.
I could see it implemented where your activities online are merged with and threaded into those of related or similar communities, e.g., be it family and friends, the YC community, or a combination of different groups. The effect would come from the proximity to similar but not exact activities. To use a common example, if your legal free speech activities could make you a target, those online activities are muddled and polluted by being merged with other people's legal free speech activities, and your activities would be merged with those of others.
Consider it a kind of mutual compromise of society in order to provide protection/obfuscation in numbers ... the zebra in a herd, if you will. They can't arrest/target everyone if everyone has activity data that looks like they defy the ruling powers.
> The only thing I can see working is pollution, pollution of our data.
This is a terrible and dangerous idea. Nobody cares about the accuracy of the data they collect on you. Stuffing your dossier with random things won't cause anyone to throw it away just because there might be errors in it. Instead all of that data, random/accurate or not, will be used against you all the same.
Your clever browser extension might have been responsible for browsing to a bunch of fast food websites, but your health insurance provider won't care. They'll just see that in your internet history and quietly raise your health insurance premiums anyway.
If your legal free speech activities make you a target, adding more free speech activities to your permanent record just means you'll also now be targeted for those activities on top of your own.
You can't know what will prejudice someone else against you. You might not be gay, or Muslim, or a heavy drinker, or an Andrew Yang supporter, but your browser extension pulls in the wrong data that gets you flagged as being one and it could cost you your job, get you denied housing, etc.
You might not be looking into getting an abortion, but anti-abortion activists who buy up the data of anyone who appears to be trying to get one, or looking for support after getting one, will still see you listed and you will still get harassed by them or dragged into a Texas courtroom.
You might not be rich, but data brokers and consumer reputation services will see that you've been interested in expensive vacation spots and online stores will start charging you more than your neighbors for the same items on the assumption that you are.
If you want to try to hide in the crowd look into a VPN or TOR (although be aware device/browser fingerprinting can still get your traffic associated with you). Just please understand that giving others more ammo to use against you isn't helping yourself or anyone else. Adding more and more data to your internet history just increases your risks substantially because no matter if you deserve it or not your life will be impacted in countless ways by the data you surrender and none of that data, "pollution" or genuine, ever goes away.
Yep, a VPN baked into a browser like this is literally Microsoft stealing the network routes from your ISP, who is probably too embarrassed to complain that what’s happening is they are taking that sweet, sweet data with them. It’s like high-fructose corn syrup for targeted advertising imho. Who’s selling?
While it doesn’t resolve all the issues, the single point to monitor is your internet connection where they have jurisdiction, not some arbitrary VPN provider. Then if they can force the IKE a certain way they decrypt.
I think the other side of this is if you have FBI attention, do you really want to look more suspicious? Whatever fight you try with them you will not win.
It's also a way to front run ISPs in the data market. Then these vendors can sell the data on the data broker market and pocket the cash the ISPs are getting by selling whatever browsing history data they can infer (from DNS and traffic).
I suspect this is the corporate motivation. The increased state surveillance and control is a side effect.
I work for a very large corporation who has decided the default browser will be Edge. Getting another browser installed on your machine takes an act of congress and several upper level approvals.
Does this mean they will also have the ability to collect corporate data from the browser in companies like mine?
they already have this at several points in your network. from ISP to target site. meh.
the reason Microsoft is doing that is because Google is forcing their hand with FLoC implemented in the browser.
you won't be in ads next year unless you can slurp more traffic than the NSA. and only Google can do that today, thanks to Chrome + Android. Apple is a close second.
How do you think Google competitors will have access to all those users to form the cohorts without having the browser or Google Analytics code everywhere?
VPNs don’t help privacy at all. They allow you to substitute trust in your ISP for trust in a different entity. For some, that may be good, but for most others it’s a wash.
ISPs generally don't claim to protect your privacy at all [0]. So it would be foolish to trust them to do something they never claimed they would do. VPNs generally do claim they will protect your privacy so at least trusting them makes some amount of sense.
Going from "trusting" an entity that explicitly requires you to consent to spying when you sign up to trusting one which explicitly promises to protect your privacy when you sign up does seem like it would "help privacy" in most cases.
A major difference between your ISP and a VPN is that your ISP is generally an established company based in the same jurisdiction as you are. So, if they do something terrible, in theory at least, they can be brought to court. A non-trivial number of VPNs that claim to protect your privacy, however, are based all around the world with unclear corporate structures. If they do something terrible, you likely have no recourse at all. How much faith you want to put in a promise made by such a company is up to you - but I would push back on the idea that simply making a promise really provides much value by itself.
Why would I trust an entity that often has the legal backing to harvest my data and provide it to the government whenever they "deem" it necessary? The same government that has direct means of control over me? Whether it's the US, China, Germany, I think I'd rather put my chances with some private company that at least has financial and maybe ethical motivations (depending on the company) to protect my privacy. An ISP will only go as far as the law requires to protect it and who knows what backdoor deals are made with governments to subvert those same laws.
There is no realistic/helpful/useful legal process to sue over a breach of privacy. So my ISP being in my jurisdiction doesn't do me any good at all.
ISPs don't emphasize privacy in their marketing, but some large ISPs claim they protect it [0], although their claims are pretty dubious[0][1].
I think your logic holds up, but it's not quite as definitive as you say. VPNs are not the straightforward privacy upgrade that HTTPS is. (I don't think you were trying to imply otherwise.)
I think the picture improves if you choose more carefully. Choosing an established VPN that has a no-log policy and has been audited seems much better, because now multiple companies are putting their reputation on the line. On the other hand, I think a relatively unknown company that's reselling someone else's VPN and hoping to cash in on the "VPN = privacy" is only a slight upgrade over a major ISP.
1. You make DNS request about example.com. Your ISP sees this. Your ISP can see what websites you "might" visit.
2. You connect to 1.2.3.4. Your ISP sees this. Your ISP can see what websites you "did" visit.
3. You request some data and receive some data. Your ISP sees the size of the data. If it's not encrypted, it can also see the content. Your ISP can see (at least) the size of objects that you requested -- which is enough to fingerprint many specific contents.
Okay so not using a VPN gives effectively zero privacy. Let's look at a VPN:
1. You connect to a VPN (and let's assume your connection doesn't "leak" insomuch as now _all_ network traffic goes through the VPN). Your ISP can see this.
2. You make DNS request about example.com. Your VPN sees this and your ISP can see a network packet. Your VPN can see what websites you "might" visit, your ISP can't.
3. You connect to 1.2.3.4. Your VPN sees this. Your VPN can see what websites you "did" visit. Your ISP still sees traffic to the VPN.
4. You request some data and receive some data. Your VPN sees the size of the data, and your ISP only sees the aggregate-size of data across all of your sessions. If it's not encrypted, your VPN can also see the content but your ISP should still only see aggregate size. Your VPN can see (at least) the size of objects that you requested -- which is enough to fingerprint many specific contents. Your ISP will have a tough time fingerprinting content from specific websites.
5. Your ISP can note that you have a high amount of traffic, possibly note that the traffic is going to a known VPN destination, and that your "normal" traffic is now gone.
Now, your VPN can see all the stuff that your ISP used to see. In addition, your ISP can now determine that you might be doing something illegal, suspicious, or at the very least "enterprise grade" and demand more money.
Your ISP is legally resident in the country most likely to want to spy on you. There are also very few ISPs per country, so it's less work for the attacker to cover everyone they care about.
There are vast numbers of VPNs, so total coverage is impossible. They are also very likely to be in a different legal jurisdiction so it's non-trivial to do.
So, yes, you have, by making yourself a harder target despite having the same amount of centralisation on your part.
There's quite a few VPNs who have been asked to keep logs by the authorities but the VPN providers contest it in court, and since their jurisdiction laws don't need them to, the courts side with the VPN providers.
Mullvad, OVPN are a couple.
What are your opinions on those?
Not every country has laws like USA/India, which give the government free rein by citing certain Acts.
Adding that in general a country's law (data protection/privacy in this context) usually targets its own citizens; traffic related to foreign citizens (as in the case of VPNs) would for sure have a lower degree of protection.
IDK about simplyinfinity, but here in NZ, the last mile of internet infrastructure (the fibre from homes to the exchange) is owned by regulated companies which must lease access to them at set rates or lower, and mustn't act as ISPs.
As such, we have dozens of ISPs with their own backend infrastructure, all sharing the same last-mile, and most available nation-wide.
That said, they're all going to be buying transit from a big backbone ISP to get overseas connectivity.
VPN and ISP are similar in terms of middlemen, but there is an important difference downstream of said middlemen.
With your ISP, you appear on the internet as a residential IP that provides your approximate location and most likely doesn't change very often. The requests you make can be easily correlated by PRISM or any other middleman, or by any CDN running the websites you visit.
With a VPN, your exit IP is unrelated to your geographic location, changes very often, and hopefully it is shared among many more users.
Also you could use a double VPN config from different VPN providers in separate geo locations with OpenDNS thrown in one of them. Then it would be much harder to correlate your traffic out of the mix. It's not about perfect secrecy, it's about becoming a hard enough target.
GeoIP services are trash. My current IP on most GeoIP services gives a location >900 miles away. My last IP had a location in another country. I don't think I've ever had a GeoIP lookup resolve within 100 miles for any IP I've had.
GeoIP is only necessary when seeing a new IP. But once the IP starts to build a reputation, then the specific location can be determined. It's especially true if you buy something online.
My several datapoints are wildly inconsistent and have never been within several hundred miles.
My office: suburb of Chicago
My home: downtown Atlanta
My friend's house: just outside Phoenix
The McDonald's free WiFi: Chicago
A church's WiFi: Some random location in Arkansas.
I'm in North Texas.
Just a few examples I've remembered since making a point to test while I'm out.
Based on that analysis, I say clearly yes!
Privacy is about choosing who to share with, be it a specific group or no-one. Being able to share with a VPN of my choice (who, if reputable, shouldn't further disseminate my information) is likely a privacy gain compared to being forced to share with my ISP (many of whom would gladly sell my data).
Being able to choose to reveal data to Mullvad over Comcast or Verizon seems like a clear win to me.
Yea I really don't get these people. Frustratingly. Perfect is the enemy of good here. Yes, full privacy is the goal, but I know certain actors are spying on me. If I can bypass them, I can at least attempt to improve it.
At the very least I rob Comcast of my data. Which is my goal, after all. Not full privacy.
> Yes, full privacy is the goal, but I know certain actors are spying on me. If I can bypass them, I can at least attempt to improve it.
The problem is that it doesn’t actually change anything while giving a false sense of security.
Your VPN’s ‘improved’ privacy is just as worthless as the privacy you get with just your ISP. If something requires privacy, neither can be used, and if it doesn’t then why should it matter which one you use?
Privacy is an on/off thing. Either you have it or you don’t. There is no in-between.
My VPN provider (Mullvad) doesn't have my full name, address, and social security number. They could build a profile off my account number, sure, so I have to trust that they're not. If they actually aren't, fantastic, I win. If they actually are, I still win, because they have less data to build a profile on me from. I know for certain that my ISP is selling my data, so I'm certainly no worse off.
On top of that, I get the benefit of not being tracked everywhere on the web. Or if they are tracking me, they have bogus data. And I can set my exit server to a jurisdiction with more user-friendly privacy laws.
> Also, what better place to tap traffic than the connection of a VPN provider.
Well, per my previous post, my ISP is definitely a better place. Hell, you don't even need to tap them. They'll just sell you the data, along with other PII. (Setting aside Mullvad's multi-hop support, which would require taps in multiple jurisdictions).
I think the point you're trying to make is that this isn't resilient to the NSA monitoring my traffic. I had hoped it was clear from my message that there's another level of privacy I'm concerned with related to intrusive private entities. I'm not expecting the GDPR or similar privacy laws to stop the NSA either, but they serve a useful purpose.
I guess I'm banking on Meta and Google not tapping Mullvad. Or even the RIAA or MPAA, for that matter. Because my ISP will very willingly give those entities data. And as long as unencrypted SNI is the norm, my ISP knows more than I want it to know about my browsing behavior. Not to mention the stuff that isn't HTTPS. Sure, Verizon knows I've established a connection to an encrypted tunnel and how much bandwidth I routed through it, but that's a level of metadata I'm not concerned with.
So, yeah, Mullvad could be logging every packet through their tunnel. They could even assemble a profile based on my account and sell it to all the data brokers and advertising networks. They still don't have my SSN. Even if all of that happened, then I'm still no worse a situation than if I didn't use them because my ISP is doing those things. At worst, I'll be out 5€ for the month.
If you don’t trust your ISP, then why not simply switch to another one? I literally have dozens of ISPs to choose from at my address. Last time I checked there were 13 ISPs offering fiber service alone, if you’re willing to settle for DSL or cable there are a lot more options. And that is with me living in ‘socialist’ Europe. I can only dream of how many options people in ‘free market’ USA must have.
I have two viable options, ignoring 5G and satellite services. The one I'm on is the lesser of two evils. And I've largely neutralized the primary concern I have with the ISP I'm on.
No... It's a demonstration of adherence to the axiom "Don't let perfect be the enemy of good" being misapplied.
The "Good" (VPN) is exactly as imperfect as its complete absence. There has been no improvement whatsoever. Literally, as far as Privacy is concerned, nothing short of "No one actor has the capability to sit on a full stream of traffic", will suffice.
Either you're MITM'd or you aren't. Use malicious postmen if it makes it easier.
If you have the same guy come, and all of your mail goes through him, he can reconstruct all conversational state.
Now imagine you get a different malicious postman at random every day. He eavesdrops on every packet, but he's not privy to which of his fellows is scheduled to get the next packet. Therefore, it's not practicable to MITM in any practical way. This all goes out the window when someone controls the malicious postman scheduler, of course, because then they can figure out a map of who to go to to reconstruct your conversation.
The above is the concept behind Tor, and why the only effective counter to it is to run a hell of a lot of entry/exit nodes so you can conceivably time correlate given enough consecutive probe points are hit.
Russia has the ability to drop a nuke in the region you currently live in, so there's no such thing as safety and therefore why do you have locks on your doors?
I find this extremely doubtful. I see the point of your statement, but I'm willing to bet 99% of all the already built nuclear devices wouldn't work today. There's no way that they're all stored in such a way that the delicate mechanisms are protected from the environment and oxidization, moisture ingress, insects, heat and cold expansion and contraction.
That a nation could make a new device is arguable, that a nation could make a device that could be delivered without flying planes over another country is less arguable. Even nukes as they stand would only pose significant threats to certain parts of a country (there was a map floating around the web a few days back of areas of the US most susceptible to the - pardon the pun - fallout from a tactical strike.)
As others have mentioned you gained privacy from your government that has easy access to whatever information your ISP has but not towards a VPN provider.
But the information you leak towards your ISP or VPN isn't the only variable. With a VPN you leak less information to the services you interact with (e.g. your IP is hidden) which undoubtedly increases privacy.
> Now, your VPN can see all the stuff that your ISP used to see.
> Have you really gained more privacy?
Absolutely, 100%, unambiguously, yes; my ISP openly says that they monetize my data, my VPN says they don't. I'm very happy to gamble that the VPN is telling the truth when faced with the expectation that the ISP is telling the truth.
VPNs' entire business revolves around not giving up your data, that's why you pay them. ISP business revolves around protecting their monopoly which means making the government happy. Massively different incentives which means they will act differently. If a VPN leaks data and people find out they're done. If an ISP does, nothing changes for them.
The amount of loss of privacy you incur when some particular item of personal information about you is revealed to another party often depends on how much other information that party has about you.
If the ISP is legally protected from any inquiry or transparency into what they do with the data and is systematically incompetent about protecting it and the vpn exists in a country with good privacy laws, then yeah.
Of course they do? They are a tool that routes traffic through a third party. That can be anywhere from terrible to fantastic for privacy, with everything in between. There's nothing "of course" about it.
They just replace your ISP with a VPN company. Which of the two is more shady is something you have to figure out, keeping in mind that a subsection of the internet just stops working or turns the aggressiveness of their anti-bot protections up to the maximum on a VPN.
I would reverse that assertion under the one condition that you don't use a VPN provider from your own country. In Australia at least, ISPs are legally required to maintain logs of everything you access for several years. By choosing to trust a VPN provider outside of Australia, you de facto have better privacy than you otherwise would have.
https://www.ivpn.net/ see "Do you really need a VPN?" - not affiliated with them, but tell me any other VPN-service that is actually this upfront... most are marketing the hell out of their apparent magic effects...
Since we're on the topic: how is it still a thing that VPN services are actively pitching content-block/copyright circumvention? Seems weird to pitch something as shady this loud and publicly? Reminds me of how weird I find it that trackers and illegal hosting sites have Twitter accounts...
I'd say they're still a net win, generally. The ISP vs VPN service tracking who does cancel out (if you ignore privacy claims of VPN providers, vs ISPs generally not guaranteeing that at all), but for every other service I might consume, when I'm on VPN I'm no longer connecting from a unique IP that can have other identifying information tagged to it.
To add to that: in Sweden (which is generally pretty ok in regards to privacy and rights) ISPs are required to store traffic for 6 months, while VPN providers are not.
They also expose your data to the VPN operator. That's a negative on privacy. Whether it's a net negative or positive depends on the VPN operator and ISP involved.
In Germany (according to TTDSG) an ISP does not have to claim that. They need explicit permission to track you. It is pretty much as the post does not have to claim that they open your envelopes.
I think the only good reasons to use VPNs are for torrenting and accessing movies only available in other countries. For any privacy reasons it's best to use Tor.
I believe it is harder for my government to get my data from a foreign VPN service than from my local oligopoly ISP that is already effectively an arm of the government.
Modern TLS is enough to prevent others from eavesdropping everything except domain names when on public WiFi. Domain names are sent in clear text if your client supports SNI.
ESNI is not implemented yet on any website. And there is no software support except beta versions of Chrome/Edge and you have to manually toggle flags in dev mode.
All SNIs are passed as plain text to your ISP/VPN, even with DoH/TLS secure DNS enabled.
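What the comments above mean by SNI being sent in clear text, as an added example that is not part of the thread: a parser that reads the `server_name` extension out of a TLS ClientHello record, which is all a passive observer such as an ISP or VPN operator needs to learn the hostname. The ClientHello is a minimal one constructed inline (no real capture), and `Reader`, `build_client_hello` and `extract_sni` are hypothetical names.

```python
"""Added example: the hostname in a TLS ClientHello is readable on the wire."""
from typing import Optional


class Reader:
    """Bounds-checked cursor over TLS length-prefixed structures."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def remaining(self) -> int:
        return len(self.data) - self.pos

    def take(self, n: int) -> bytes:
        if n > self.remaining():
            raise ValueError("truncated TLS structure")
        out = self.data[self.pos:self.pos + n]
        self.pos += n
        return out

    def uint(self, size: int) -> int:
        return int.from_bytes(self.take(size), "big")

    def vec(self, size: int) -> bytes:
        """Read a vector whose length prefix is `size` bytes wide."""
        return self.take(self.uint(size))


def _vec(size: int, payload: bytes) -> bytes:
    return len(payload).to_bytes(size, "big") + payload


def build_client_hello(hostname: str, with_sni: bool = True) -> bytes:
    """Constructed sample: a minimal ClientHello record, not a real capture."""
    exts = b""
    if with_sni:
        entry = b"\x00" + _vec(2, hostname.encode("ascii"))  # name_type 0 = host_name
        exts += (0).to_bytes(2, "big") + _vec(2, _vec(2, entry))
    # supported_versions (type 43) offering TLS 1.3: SNI is still unencrypted there
    exts += (43).to_bytes(2, "big") + _vec(2, _vec(1, b"\x03\x04"))
    body = (b"\x03\x03" + bytes(32)          # legacy_version + random
            + _vec(1, b"")                    # session_id
            + _vec(2, b"\x13\x01")            # one cipher suite
            + _vec(1, b"\x00")                # null compression
            + _vec(2, exts))
    handshake = b"\x01" + _vec(3, body)       # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + _vec(2, handshake)  # record type 22 = handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, or None if absent."""
    rec = Reader(record)
    if rec.uint(1) != 0x16:
        return None                           # not a handshake record
    rec.take(2)                               # record-layer version
    hs = Reader(rec.vec(2))
    if hs.uint(1) != 0x01:
        return None                           # not a ClientHello
    body = Reader(hs.vec(3))
    body.take(2 + 32)                         # legacy_version + random
    body.vec(1)                               # session_id
    body.vec(2)                               # cipher_suites
    body.vec(1)                               # compression_methods
    if body.remaining() == 0:
        return None                           # no extensions block at all
    exts = Reader(body.vec(2))
    while exts.remaining():
        ext_type = exts.uint(2)
        ext_data = Reader(exts.vec(2))
        if ext_type == 0:                     # server_name
            names = Reader(ext_data.vec(2))
            while names.remaining():
                name_type = names.uint(1)
                name = names.vec(2)
                if name_type == 0:
                    return name.decode("ascii")
    return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print("observer sees:", extract_sni(hello))
```

The DNS lookup never appears in this record, which is why encrypting DNS alone does not hide the hostname from whoever carries the TLS connection.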
It might be cheaper but still not free. Cost of electricity + time to maintain + Raspberry Pi itself. Not to mention that you don't get the variety of servers (for geo-location or more diverse networks not tracked to you by websites themselves).
Well the Raspberry Pi is already on 24/7 running a few other services for my home network. But even then, the energy consumption per month costs pennies. I update the device once a quarter and it takes me 5 minutes. These costs are so negligible as to have no impact on my decision making process.
Why would you? Nobody can connect to it without your private key. Or is there something I am not aware of? Genuine question, as I am running wireguard in a few places and thought it was secure by default.
If it was good for you, Microsoft would be the one announcing it. Loudly and repeatedly. They would do it even if it was harmful, but there existed some artificial narrative where it sounds good.
You are hearing it from a third party exactly because they couldn't construct any explanation minimally realistic that sounded good.
They haven't announced it yet because it hasn't been released. Reading the article, it does sound pretty decent.
Partnership with Cloudflare, selectively enables when you are connected to untrusted networks like public wifi.
Pretty much the only downside is that they turn it on by default... which is always tricky when most of your target audience is not computer savvy in the least.
How to give people security features that they have to figure out themselves when they can barely open the browser .. a dilemma for the ages.
Windows is an appliance (an interface) for Amazon shopping and watching Netflix.
The MS telemetry has proven that 99.999% of consumers do not tweak default settings or dig under the hood.
The 1-2 million now former "windows power users" are just too small a population to be economically feasible to deal with.
For MS it does not matter to lose those few to other tweakable OSs.
Instead MS's product department is dreaming of scooping the remaining billions of cash-laden consumers. Presumably this is what the telemetry tells them.
Cash is good, consuming is good, keeps the economy running, making shareholders happy.
When trying to ascertain the intents of large organizations, I find it useful to examine previous actions. In the case of Microsoft, their willingness/intent to add ads and telemetry (including keylogging) into their OS seem to indicate they are doing this for serving ads better to their larger (paying) customers.
If you're not paying for the (specific) service, you are the product.
I mean, if you have an attitude that anything an organization does must be for an ulterior motive, you're always going to get what you are looking for. Heck, people too for that matter. Maybe my dog just pretends to love me to get food.
But in this case, Microsoft is looking for any competitive advantage against Google. They won't win on targeting, and they still make more money selling software than ads. So this does seem like an easy win for them.
> if you have an attitude that anything an organization does must be for an ulterior motive …
Well in the case where they are spending a lot of money to implement and operate a feature that nobody asked for and which has obvious privacy downsides, it does seem worthwhile to examine their motives. It’s not like we’re responding to the announcement for the next model of the Microsoft ergonomic keyboard with “hmmm, what are they up to?”
What is the obvious privacy downside of selectively enabling a Cloudflare VPN when browsing on public Wifi or unsecured sites (which is when it enables)? That Cloudflare can see what sites you visit?
On public Wifi and unsecured sites, anyone could potentially see and modify the data anyway.
The privacy issue is obvious. If my browser is funneling all of its traffic through a specific VPN instead of letting my system handle it, I have to wonder whether that choice was based on the VPN operator wanting to see my data or cooperating with someone who does.
This is like finding out Microsoft decided all internet traffic on windows should be proxied through their servers. Could there be a benefit? Yes. Does it raise serious questions? Most definitely.
> If my browser is funneling all of its traffic through a specific VPN instead of letting my system handle it
It's not. According to the article, it only funnels insecure traffic through the Cloudflare VPN (eg, to a site with an invalid certificate). And this doesn't prevent you from using your own VPN as well.
If you're connecting to a site over HTTP, and the packet takes 10 hops to get there, that's 10 machines that can see who you're connecting to and what data you're sending. Including, in all likelihood, a major CDN like Cloudflare. Also including anyone on the same public Wifi network. This data was never kept private to begin with.
If you're connecting over HTTPS with a valid certificate, the VPN isn't used. Even if it were though, they couldn't see your data. It's encrypted.
Check out the book “Hard Drive” about the early days of Microsoft, and you will never be able to see anything that corporate does without suspicion, and for a good reason.
Probably because Facebook already tried the free VPN and it was every bit the privacy nightmare you'd expect it to be. Given Microsoft's track record, there's no reason to expect that to be any different.
I am 100% with you in general, but this feels more like the Windows Defender launch than some fully cynical power grab. That is to say - Microsoft gets a lot of grief and work from windows installs getting taken over / viruses / etc. For users who don't pick up their own protection (and don't choose to turn off the default windows protection) this feels like a better default. I don't trust Microsoft, but you are already exposed to their manipulations when you are using their OS - and this will help protect you from other manipulations.
This is where Apple's implementation, where the info is split between them and a third party with neither of them able to read the traffic on their own is so smart. Especially since there are multiple counter-parties to Apple. It also negates the risk of an MITM attack. Yes of course they could collaborate with a counter-party to break the system, but it seems significantly less likely to happen, and if it was happening it would be significantly more likely to come to light.
I mean nobody is forcing you to use Edge or Chrome, there are better alternatives like Vivaldi or if you really want to take it to the extreme Ungoogled Chromium. But I agree with your sentiment, although it just means you should probably move to open source and obscure options.
Also:
> Brave, Mozilla, and Vivaldi have said they intend to continue supporting Manifest v2 extensions for an indeterminate amount of time.
The motivation is to keep up with Apple who themselves are trying to distinguish themselves from Google. Doesn’t need to be sinister. If your primary business model doesn’t depend on tracking people to sell ads, and you’re competing with someone else whose does, then leaning in to making the use of your software/hardware more private makes sense.
I noticed today I can't find the Chrome flag (v105) to enable its reader mode. It's like they just nuked it since it made articles actually readable. It's not a huge deal, but I liked not having to launch another service like Pocket.
Exactly.. I would take it from Firefox if they offered something like iCloud Private Relay.
But the thing they offer from Mullvad is no better than a traditional VPN (because it is a traditional VPN). And even more limited because it only works in the browser.
And indeed the circumvention of Pihole is a big problem.
If you have never worked at a large tech company like Microsoft, you'll probably have a bad feeling because there's a lot you don't know about the business process of shipping features like this. It's reasonable to be cynical and confused if you have never seen it from the other side.
For the most part, product features like this are shipped for boring and completely non-nefarious reasons. It's just hard to believe that if you've never worked on one.