1. 33

  2. 13

    I think it’s somewhat irresponsible for this article not to mention that the story with security updates for all the “real privacy respecting browsers” is very poor. Only the big leagues can afford to have full-time security teams on staff. In fact, Debian goes so far as to state in their release notes: (emphasis mine)

    > Debian 10 includes several browser engines which are affected by a steady stream of security vulnerabilities. The high rate of vulnerabilities and partial lack of upstream support in the form of long term branches make it very difficult to support these browsers and engines with backported security fixes. Additionally, library interdependencies make it extremely difficult to update to newer upstream releases. Therefore, browsers built upon e.g. the webkit and khtml engines[6] are included in buster, but not covered by security support. These browsers should not be used against untrusted websites. The webkit2gtk source package is covered by security support.

    https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#browser-security

    Of course, if you disable scripting in an obscure browser it greatly reduces the attack surface, but I don’t feel like this is a well-understood problem, and it’s very unfortunate that the article neglects to mention this very depressing fact.

    1. 3

      I agree with this. In the case of Firefox, they fix security issues in every release, and they had previously reported 0day attacks exploiting these issues. Due to the complexity of browsers, using an out-of-date browser can be very dangerous.

      Disabling JS on untrusted sites seems to mitigate most vulnerabilities. But there also exist ways to bypass this protection, so it isn’t enough if you want maximum security.

      1. 2

        I think security updates are a overrated. If you want security, use Qubes or run your browser in a VM. As your own link demonstrates, even the latest and greatest won’t protect you from newly discovered vulnerabilities which are immediately exploited.

        If you only browse trusted sites without third-party ads (and/or block tpa) there’s little opportunity for exploit code to find a way into your browser.

        If you browse with JS disabled by default, odds are even lower, as that’s where most of the attack surface is.

        If you are writing a browser based on a major engine, you can get the security updates rolled into your project pretty quickly.

        This is how I do web security today. It will probably not protect you from anyone with a budget over 100K, but neither will Chrome or Firefox. Embrace being owned by our 8enevolent 0wners.

        This is only for protection against random drive-by Web exploits. None of this will help you against privacy attacks, spearphishing, downloading and opening random shit, enabling javascript on porn sites, and so on.

        I’m afraid this means not clicking random links in search results. Whenever you’re searching for e.g. a how-to or advice on the best X to use for Y, make sure you gate your searches with site:reddit.com or site:stackoverflow.com.

        1. 1

          You make some decent arguments, but they have so many caveats attached.

          “If you always do X and never forget to do Y, it should be safe to use Z.” There is no reason to believe the average reader of the article would know to do X, so failing to call that out is a big mistake.

          1. 2

            The intended audience for this article seems to be techies, and that’s who my comment was for.

            I agree that this type of thinking shouldn’t be a requirement for the average user, but here we are, and there’s no easy solution for them.

      2. 7

        Some of the problems in Firefox can probably be alleviated by using one of the user.js projects on GitHub.

        1. 9

          Definitely, but I think one problem that the author is correct in pointing out is that Mozilla has made some very questionable decisions in order to find new sources of funding.

          IMO this is a problem that the open source community can’t and shouldn’t ignore, and I think we should all be very careful about not biting the hand that feeds us and attacking the only non-Google entity even attempting to provide a mass market web browser.

          So yeah it’s a tough situation.

        2. 4

          SecBrowser probably deserves a mention in this thread as well - Tor Browser patches without forcing Tor use. A possible step before having to compile and maintain your own damn Firefox fork.

          1. 3

            Worth noting that all of the objective criticisms of Brave were bugs that were reported by users and addressed by the developers. I’m not seeing any past bugs being brought up regarding other browsers?

            All things considered, I feel Brave is doing a good job having honest conversations with their users and writing code that aligns with the values of the users.

            (I have no affiliation with any browser, I am currently using Firefox/Chrome/Brave respectively on each of my 3 devices to get an accurate feel for the differences. I am considering switching the other two to Brave or Chrome.)

            1. 8

              re: Brave, I think there is probably a fundamental conflict between selling Attention Units and ensuring user privacy.

              Plus there was the scandal a while back where Brave was hijacking URLs to pocket referrals [1].

              There have just been too many Things That Make You Go Hmmmm with Brave for me to trust them. Fair or not, I dismiss the browser as a crypto scam parading as a privacy focused browser.

              1: https://decrypt.co/31522/crypto-brave-browser-redirect

                1. 1

                  > Plus there was the scandal a while back where Brave was hijacking URLs to pocket referrals [1].

                  Yea, that was one of the objective criticisms I reference: https://brave.com/referral-codes-in-suggested-sites/

                  I don’t agree that BAT is fundamentally conflicting with user privacy. We can debate that, but at minimum I think we can agree it’s a more subjective criticism.

              1. 3

                > Privacy on the Internet is important

                Oh, really? But when I use Tor, the website says:

                Error: IP in X-Forwarded-For header is blocked

                1. 3

                  Tor is a tricky thing.

                  I ran an exit node on Linode for ~6 months. The folks there were VERY reasonable about it. They forwarded complaints along to me, set a counter in motion and said “If we get more than X more complaints we’ll need to terminate your account according to our policies” which actually IS very reasonable.

                  I made the mistake of not blocking outgoing ports 80 or 443. 8 Gmail takeover complaints later, I had to take down the exit node.

                  I love Tor and love what it stands for but I can’t take issue with anyone restricting exit nodes to avoid being hacked/cracked/attacked into the ground.

                  1. 5

                    What’s not a tricky thing is allowing your website to be accessed via Tor.

                    1. 2

                      … Provided you want to open yourself up to a world of hurt as griefers and script kiddies slam your site with every bit of vile chaos energy they can muster.

                      Look, I’m glad Tor exists. I support it, and donate to Torservers and similar efforts on the regular. I even use it sometimes when I want an anonymous crumb trail minimized experience.

                      That doesn’t mean I can’t also be very aware of the fact that it’s a Pandora’s box of threat actors using it for ill, or that I can blame ANYONE for barring access from its exit nodes because they simply don’t want to deal.

                      This is another one of those pragmatist/idealist things where we’ll never agree so I’ll just say that I respect your opinion because there need to be those who zealously defend privacy tools.

                      1. 2

                        I don’t know where this perception comes from. I have never taken measures to block Tor exit nodes, and the level of attacks has never been a problem with an updated OS and web server. Is there data to suggest that a majority of attackers conduct their attacks through Tor?

                        1. 1

                          It sounds like you might be assuming a bunch.

                          If your blog is a static site with just a webserver fronting static content? Sure. No reason not to allow it.

                          Dynamic site running something with a complicated software stack you didn’t write and a database you’re trying to secure? Not such a slam dunk in my view.

                          And as to where this perception comes from please see my personal experience detailed at the start of this thread.

                          1. 3

                            > It sounds like you might be assuming a bunch.
                            >
                            > If your blog is a static site with just a webserver fronting static content? Sure. No reason not to allow it.

                            so as i said it’s not tricky in this context, where the static blog is blocking tor users.

                            > And as to where this perception comes from please see my personal experience detailed at the start of this thread.

                            if i understand correctly, your experience says nothing about what portion of attacks come from tor. it is simply that some attacks were traced back to your tor node, with no measure of how many didn’t come from tor.

                  2. 1

                    hahaha woaw Wowwowwow

                  3. 2

                    So wait a minute. The solution here is to use a KDE browser, which will pull in ~134MB of Qt libraries when I try to install it on my machine which runs i3 and has no need for any of those libraries besides. And this is to avoid Firefox “phoning home” to its CDN for add-ons?

                    I appreciate skepticism and privacy focus as much as the next person (which is why I use searx and firefox instead of google and chrome). But this is not a recommendation any practical person is ever going to follow unless they already happen to run KDE.

                    Edit: I just went and actually tried it, 134MB of Qt libraries. Yuk. Also, what about Qutebrowser?

                    1. 1

                      > Last, but not least, Cloudflare is an American company subject to American law, a law that pretty much undermines the foundation of any kind of privacy.

                      Uh. REALLY? I recognize that our intelligence community has the ability to subpoena information from online services, but this feels like a very extreme statement that I’d like to see more proof behind.

                      1. 14

                        Didn’t Snowden kinda prove that a few years ago?

                        1. 6

                          It’s also important to realize that if your concern is keeping your data truly “private”, in a binary sense, your data isn’t really safe anywhere.

                          1. 2

                            Oh yes a thousand times this!

                            The only way to truly secure your data in a computer is to keep that computer disconnected from the internet, with all its USB ports filed off, encased in a lead lined windowless room to avoid Van Eck phreaking.

                            How far down the rabbit hole are you willing to go? :)

                          2. 3

                            Snowden proved that the NSA was guilty of some sincere over-reach, but as with most things the reality is shades of gray and I’d just like us to be careful about making incredibly broad statements about this stuff.

                            There’s no doubt that EU policies around this are more privacy friendly, I’m just vying for a less bombastic and more correctly nuanced conversation.

                            1. 2

                              But what would be a “more correctly nuanced conversation” in your opinion here? Like, what should they have written in place of their sentence: “Cloudflare is an American company subject to American law, a law that pretty much undermines the foundation of any kind of privacy.”

                              Not necessarily disagreeing with you. I agree that it sounds extreme… but it also sounds kind of true… You can’t possibly assume your data is private when stored by a U.S. tech company, can you?

                              1. 1

                                Respectfully you contradict yourself.

                                I would direct you to this resource on privacy law in the US.

                                Data stored by a tech company in the US is less private than that stored in the EU because of its enhanced regulatory requirements. That is a statement I can agree with.

                                I don’t wish to rehash this to death.

                                1. 5

                                  Aren’t National Security Letters still in existence? The problem they present is not just that they’re an obvious privacy issue, but because of the gag order, we can’t intelligently reason about how widely used or misused they are. This results in threads like here, with a lot of speculation and opinions, because we can’t see the data. If we could see the data, we’d probably agree one way or the other. I’d argue that this is why things like NSLs are a threat to democracy - how can people intelligently hold government accountable if the information needed to do so is secret?

                                  Referring to the NSA and Snowden, IMO, misses the point. That activity was essentially hacking, and it was aimed at actors all over the globe. A legal country of domicile doesn’t mean anything to that type of activity.

                                  1. 2

                                    > Aren’t National Security Letters still in existence? The problem they present is not just that they’re an obvious privacy issue, but because of the gag order, we can’t intelligently reason about how widely used or misused they are. This results in threads like here, with a lot of speculation and opinions, because we can’t see the data. If we could see the data, we’d probably agree one way or the other. I’d argue that this is why things like NSLs are a threat to democracy - how can people intelligently hold government accountable if the information needed to do so is secret?

                                    Now THIS is an excellent point founded in fact that I’m happy to discuss.

                                    First I agree that NSLs are on very shaky constitutional ground to start with, and the changes the Patriot Act made that enables the FBI to send an NSL to anyone even vaguely connected to not just threat of subversion by a foreign power but anything related to any ongoing terrorism investigation.

                                    IMO this mechanism is ripe for abuse.

                                    I do think there needs to be a mechanism where the US government can compel tech companies to release customer information, but I think that mechanism needs to be:

                                    A) Under civilian (Judicial?) oversight and B) Very discretely limited in duration such that when the investigation ends (Or maybe even when some reasonable time-box expires to prevent foot dragging) the NSL and any information it obtained should be accessible to FOIA.

                                    Again, I am NOT arguing that the US is a privacy friendly nation where technology companies are concerned. You’re much better off, at least on the face of it, keeping your data in the EU with its excellent protections, I’m just suggesting that people get educated on the facts and avoid making incredibly broad sweeping statements that include words like “impossible”.

                                    1. 8

                                      I feel pretty educated on the facts, and since the mechanism in place at the moment is, as you say, rife for abuse, coupled with the fact that the “a” and “b” protections you mention are extremely not in place, and further since the mechanism has been verifiably abused on many occasions by multiple administrations (and will no doubt continue to be, so long as any portion of the Patriot Act remains in force), the “law that pretty much undermines the foundation of any kind of privacy” seems an entirely reasonable summation, and not a particularly overstated one.

                                      1. 3

                                        but the statement you took issue with didn’t say “impossible”

                          3. 1

                            Mildly related, the recommended Falkon is the browser Genode’s Sculpt got working on their recent release.