1. 20
  1. 22

    Firefox makes its next move in downloading Safe Browsing bits from Google APIs. This is common among browsers today (Exception: @brave proxies the call through http://brave.com, keeping users out of Google’s hands).

    Would be nice to begin this thread with a “I work for Brave” disclaimer… but that’s not even in his twitter bio.

    This proxying sounds like a waste of bandwidth. (And it would be a ton more bandwidth for Mozilla than for Brave!)

    Safe Browsing does not reveal pretty much anything about you. If you’re one of those paranoid privacy fundamentalists uncomfortable with the idea of a Google service potentially logging something like “update request from IP address X”, you’ve probably already null-routed all Google IP addresses on your home network. For everybody else, there’s nothing wrong with using Safe Browsing v4 directly.

    The http://mozilla.org tab discussing the importance of Privacy loads in the background, bringing along with it the Google Tag Manager and Google Analytics

    Keep in mind that Mozilla pushed Google to implement complete opt-out of data sharing in Analytics.

    The OpenH264 addon is requested over HTTP. I hope they do integrity checking!

    The hash is right there in the screenshot!
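The exchange above hinges on one thing: an add-on fetched over plain HTTP is only safe to install if its bytes are checked against a digest that arrived over an authenticated channel. The block below is an added example written for this thread, not Firefox's or Mozilla's code; the payload bytes, the size cap and the function names are constructed for illustration, and the pinned digest is computed inline only because the example has to run offline.

```python
import hashlib
import hmac
from typing import Iterable, List

# Constructed sample payload standing in for the downloaded add-on archive
# (hypothetical bytes; not the real OpenH264 package).
GOOD_PAYLOAD = b"constructed-openh264-archive-bytes-v1"

# In practice the pinned digest must come from an authenticated source (a
# signed or HTTPS-served manifest); it is computed inline here for the example.
PINNED_SHA256 = hashlib.sha256(GOOD_PAYLOAD).hexdigest()

MAX_ADDON_BYTES = 64 * 1024 * 1024  # hypothetical cap on the download size


class IntegrityError(Exception):
    """Raised when a downloaded payload must not be used."""


def sha256_of_stream(chunks: Iterable[bytes], max_bytes: int = MAX_ADDON_BYTES) -> str:
    """Hash a download incrementally, as a downloader would, and abort as soon
    as the body exceeds max_bytes instead of buffering an unbounded response."""
    h = hashlib.sha256()
    seen = 0
    for chunk in chunks:
        seen += len(chunk)
        if seen > max_bytes:
            raise IntegrityError(f"download exceeds {max_bytes} bytes")
        h.update(chunk)
    return h.hexdigest()


def digest_matches(actual_hex: str, expected_hex: str) -> bool:
    """Constant-time comparison of two hex digests. A malformed pinned value
    (wrong length or non-hex) counts as a mismatch, never as a pass."""
    expected_hex = expected_hex.strip().lower()
    if len(expected_hex) != 64:
        return False
    try:
        bytes.fromhex(expected_hex)
    except ValueError:
        return False
    return hmac.compare_digest(actual_hex.lower(), expected_hex)


def verify_download(chunks: Iterable[bytes], expected_hex: str) -> bytes:
    """Consume the download, verify it against the pinned digest, and only
    then return the bytes to the caller. Nothing is handed out on mismatch."""
    buffered: List[bytes] = []

    def tee():
        for c in chunks:
            buffered.append(c)
            yield c

    actual = sha256_of_stream(tee())
    if not digest_matches(actual, expected_hex):
        raise IntegrityError(f"digest mismatch: got {actual}, pinned {expected_hex}")
    return b"".join(buffered)


def chunked(data: bytes, size: int = 8) -> List[bytes]:
    """Split bytes into fixed-size chunks to simulate a streamed HTTP body."""
    return [data[i:i + size] for i in range(0, len(data), size)]


if __name__ == "__main__":
    ok = verify_download(chunked(GOOD_PAYLOAD), PINNED_SHA256)
    print("verified", len(ok), "bytes")
    try:
        # One appended byte, as a tampering on-path party could add, is rejected.
        verify_download(chunked(GOOD_PAYLOAD + b"\x00"), PINNED_SHA256)
    except IntegrityError as e:
        print("rejected:", e)
```

The design point is that the hash alone buys nothing unless the expected value is trusted: if both the archive and its digest travel over the same unauthenticated HTTP connection, whoever can alter one can alter both, so the pin has to be delivered or signed separately.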

    1. 14

      I think some disclosure is in order. This guy, @jonathansampson, works for Brave. He has another account, @BraveSampson, which links to this one, but not the other way around. They used to have nearly-identical pictures, and, IIRC, linked to each other, but not anymore.

      Would I be the only one to find it fishy for someone to post such reviews for your competitors whilst pretending that you’re an individual not on a payroll from Brave? Why should Mozilla proxy requests to Google through their own servers like Brave does? (Why is Brave (MITM?) proxying requests to Google?)

      Having multiple Twitter accounts is not against the rules if each account is for a separate purpose, but for someone working in the browser industry to be having two separate accounts where they write about browsers on each one, all whilst hiding their affiliation and pretending to be an unaffiliated individual on one of them?! Seriously?

      Keep in mind that Brave and Chrome are the ultimate privacy violators, as it’s not possible to disable autoupdates on either one; Brave developers repeatedly disregarded the community’s complaints about this issue (ironically, going against https://brendaneich.com/2014/01/trust-but-verify/); so, you’re basically running a self-modifying binary, whether you like it or not. Any review anyone does is kinda meaningless, because there aren’t any versions per se, and it can do whatever the hell it wants the next day, without any public record of what it did yesterday. With Mozilla, there’s a public ftp directory with all the versions at ftp.mozilla.org — haven’t seen anything like that for either Brave or Chrome.

      In fact, many folks used various official guides from Google to disable Chrome from autoupdating itself, e.g., because the newer versions broke font support or other system-level features, only to find such officially-sanctioned settings completely ignored down the line.

      How about doing a review of how much it costs in roaming fees to have Chrome/Brave download updates without your permission whilst you’re travelling?

      1. 5

        His ‘analysis’ of Brave on first start is a good example of how his interests are definitely in conflict with the message he is trying to project in his analysis of competing browsers: https://mobile.twitter.com/jonathansampson/status/1165391211999518720

        Everything is proxied through Brave (and that’s somehow a good thing?), including downloading of the Tor extension and HTTPS everywhere extensions. That seems like a terrible idea.

        1. 4

          Wow, that’s, like, indeed, even worse. As pointed out, we should use the proper terms for “proxying” here — Brave browser is performing a MITM attack on its own users, and somehow this “individual” that’s hiding his Brave affiliation promotes such as the absolute best practice. Absolutely unbelievable!

          1. 2

            I don’t see why it matters. Your browser vendor is a part of your TCB by necessity; if Brave wants to send you malware, tampering with Google Safe Browsing seems like a very roundabout way of doing so, compared to just, you know, shipping a malicious update. Your browser vendor is also inevitably involved in things like push notifications and extension updates.

            1. 2

              Which is why it’s best to disable autoupdates, and download updates directly from something like ftp.mozilla.org — not an option with Brave.

              1. 2

                You’re still running arbitrary code provided by your browser vendor. The only difference is that you’re delaying your browser updates, which is kind of irresponsible.

      2. 17

        This kind of content would be much better as a blog post.

        1. 11

          I was thinking exactly the same. The world has really come to this point, where a platform with poor presentation is the preferred medium of expression simply due to its popularity (easier to draw eyeballs).

            1. 1

              That is awesome! Thanks for telling us about it!

            2. 7

              I stopped looking at it because of it being on twitter. It’s not meant for articles, and it’s silly to use it that way IMO.

              1. 2

                I agree in general, but well-structured Tweet threads like this are acceptable.

                1. 12

                  For people not on Twitter “well-structured tweets” are actually rather uncomfortable.

                  Re the article itself: the amount of telemetry gathered by browsers is rather unsettling. Interesting read.

                  1. 3

                    I mean, I proposed a tag for “low-info” submissions like a single tweet - this was rejected. But I’ve seen a number of decent threads (like this one, and this one) so I’ve come to moderate my stance.

                    1. 3

                      Indeed, Tweet threading was one of the things that prevented me from adopting Twitter. I found it very hard to follow conversations.

                  2. 2

                    So if we say “The Medium is the Message,” what does that say about these silly long Twitter threads? Some of them contain a lot of depth, but the way they’re broken up changes the way we read and interpret the message.

                  3. 2

                    I have to say, requesting the detectportal and ocsp files more than once is a bit ridiculous.