1. 15

    I had the urge to check if it’s April Fool’s day yet. Web tech is becoming so overcomplicated so quickly it makes me feel burnt out. Besides, HTTP/2 isn’t even widely supported yet, and they expect us to implement HTTP/3 already? Over UDP, of all things?

    1. 4

      I looked it up and about 90% of browsers support HTTP2 (IE before Windows 10 was the only one that didn’t) and virtually every web server supports it.

      1. 3

        All three of them? I mean, it’s not like there is a whole lot of diversity in browser engine land.

        As a few random counter-examples, lynx doesn’t seem to support it (note: its underlying libwww library is by the W3C and doesn’t support it!), elinks doesn’t, Dillo doesn’t, Netsurf doesn’t. Even most language HTTP libraries don’t support it (even Python’s Requests library, which is quite active and has lots of contributors doesn’t).

        Note that curl only supports http/2 via an external library because it is such a complex protocol.

        1. 2

          Fun fact: I just discovered that wget doesn’t even support HTTP/1.1, let alone 2.0 :)

      2. 1

        Would the IETF care if this new protocol is not adopted? Would it consider its position already too strong to care/use this as a deciding factor?

        1. 2

          I do not think it matters much. As long as the big browsers and major servers implement it, that’s enough.

        2. 1

          That’s because HTTP/2 requires https:// protocol scheme, so, unless you’re willing to partake in the political activities, you’re out!

          It looks like HTTP/3 will have integrated encryption, distinct from TLS, but still based on public certificate support. It’s not clear whether or not it’ll require https:// address scheme in order to function — hopefully, not, and they’ll finally address BCP 188.

        1. -3

          cryptographyengineering.com?! That’s a valid and legitimate domain name, seriously?!

          1. 4

            Why wouldn’t it be?

            1. -1

              Why is your response shorter than the name in question?!

              1. 5

                I am sincerely asking what you thought was invalid or illegitimate about it.


                1. 4


                  Apparently there’s a 63 character limit, so you have to use a long gtld (like international) to get the actual longest domain possible.

            2. 3

              Yes, given his field of research. Quick links: http://spar.isi.jhu.edu/~mgreen/ and https://en.wikipedia.org/wiki/Matthew_D._Green

            1. 1

              Nice upgrades to 2TB SSDs.

              Personally find it funny how OpenGrok is so bloated that it still has to run on the spindles, hugging along next to the backups — even a 512GB SSD is no fit when you’re dealing with Enterprise-level software written in Java. :-)

              1. 1

                I wonder if they’ve examined Hound – https://github.com/etsy/hound – I’ve found it to be much more performant when compared to OpenGrok, while still providing excellent results.

              1. 2

                I find it a little ironic that after using the open-web browser that I am not able to inspect the sessionstore-backups/recovery.jsonlz4 file after a crash to recover some textfield data, as Mozilla Firefox is using a non-standard compression format, which cannot be examined with lzcat nor even with lz4cat from ports.

                The bug report about this lack of open formats has been filed 3 years ago, and suggests lz4 has actually been standardised long ago, yet this is still unfixed in Mozilla.

                Sad state of affairs, TBH. The whole choice of a non-standard format for user’s data is troubling; the lack of progress on this bug, after several years, no less, is even more so.

                1. 15

                  https://bugzilla.mozilla.org/show_bug.cgi?id=1209390#c10 states that when Mozilla adopted using LZ4 compression there wasn’t a standard to begin with. Yeah, no one has migrated the format to the standard variant, which sucks, but it isn’t like they went out of their way in order to hide things from the user.

                  It was probably unwise for Mozilla to shift to using that compression algorithm when it wasn’t fully baked, though I trust that the benefits outweighed the risks back then.

                  1. 14

                    This will sound disappointing to you, but your case is as edge-caseish as it gets.

                    It’s hard to prioritize those things over things that affect more users. Note that other browser makers have security teams larger than all of Mozilla’s staff. Mozilla has to make those hard decisions.

                    These jsonlz4 data structures are meant to be internal (but you’re still welcome to use the open source implementation within Firefox to mess with it).

                    1. 2

                      I got downvoted twice for “incorrect” though I tried my best to be neutral and objective. Please let me know, what I should change to make these statements more correct and why. I’m happy to have this conversation.

                      1. 0

                        Priorities can be criticized.

                        Mozilla obviously has more than enough money that they could pay devs to fix this — just sell Mozilla’s investment in the CliqZ GmbH and there would be enough to do so.

                        But no, Mozilla sets its priorities as limiting what users can do, adding more analytics and tracking, and more cross promotions.

                        Third party cookie isolation still isn’t fully done, while at the same time money is spent on adding more analytics to AMO, on CliqZ, on the Mr Robot addon, and even on Pocket. Which still isn’t open source.

                        Mozilla has betrayed every single value of its manifesto, and has set priorities opposite of what it once stood for.

                        That can be criticized.

                        1. 11

                          Wow, that escalated quickly :) It sounds to me that you’re already arguing in bad faith, but I think I’ll be able to respond to each of your points individually in a meaningful and polite way. Maybe we can uplift this conversation a tiny bit? However, I’ll do this with my Mozilla hat off, as this is purely based on public information and I don’t work on Cliqz or Pocket or any of those things you mention. Here we go:

                          • Cliqz: Mozilla wants a web with more than just a few centralized search engines. For those silos to end, decentralization and experimentation is required. Cliqz attempts to do that
                          • Telemetry respects your privacy
                          • You can isolate cookies easily. Either based on custom labels (“Multi Account Containers”) or based on the first party domain (i.e., the website in the URL bar). The former is in the settings, the latter is behind a pref (first party isolate). For your convenience, there’s also an add-on for first party isolation
                          • Cross Promotions: The web economy is based on horrible ads that are annoying and tracking users. To show that ads can be profitable without being tracking or annoying, Mozilla shows sponsored content (opt-out btw) by computing the recommendations locally on your own device
                          • Some of the pocket source code is already open source. It’s not a lot, that’s true. But we consider that a bug.
                          1. 2

                            As someone who also got into 1-3 arguments against firefox I guess you’ll always have to deal with criticism that is nit picking, because you’ve written “OSS, privacy respecting, open web” on your chest. Still it is obvious you won’t implement an lz4 file upgrade mechanism (oh boy is that funny when it’s only some tiny app and it’s sqlite tables). Because there are much more important things than two users not being able to use their default tools to inspect the internals of firefox.

                            1. 2

                              Sure, but it’s obvious that somehow Mozilla has enough money to buy shares in one of the largest Advertisement and Tracking companies’ subsidiaries (Burda, the company most known for shitty ads and its Tabloids, owns CliqZ), where Burda retains majority control.

                              And yet, there’s not enough left to actually fix the rest.

                              And no, I’m not talking about Telemetry — I’m talking about the fact that about:addons and addons.mozilla.org use proprietary analytics from Google, and send all page interactions to Google. If I wanted Google to know what I do, I’d use Chrome.

                              Yet somehow Mozilla also had enough money to convert all its tracking from the old, self-hosted Piwik instance to this.

                              None of your arguments fix the problem that Mozilla somehow sees it as higher priority to track its users and invest in tracking companies than to fix its bugs or promote open standards. None of your arguments even address that.

                              1. 3

                                about:addons code using Google analytics has been fixed and is now using telemetry APIs, adhering to the global control toggle. Will update with the link, when I’m not on a phone.

                                Either way, Google Analytics uses a mozilla-customized privacy policy that prevents Google from using the data.

                                If your tinfoil hat is still unimpressed, you’ll have to block those addresses via /etc/hosts (no offense.. I do too).

                            2. 3

                              I won’t comment on the rest of your comment, but this is really a pretty tiny issue. If you really want to read your sessionstore as a JSON file, it’s as easy as git clone https://github.com/Thrilleratplay/node-jsonlz4-decompress && cd node-jsonlz4-decompress && npm install && node index.js /path/to/your/sessionstore.jsonlz4. (that package isn’t in the NPM repos for some reason, even though the readme claims it is, but looking at the source code it seems pretty legit)

                              Sure, this isn’t perfect, but dude, it’s just an internal datastructure which uses a format which is slightly non-standard, but which still has open-source tools to easily read it - and looking at the source code, the format is only slightly different from regular lz4.
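
What reading such a file involves, as an added example that is not part of the thread and not Firefox's or the linked tool's code: a dependency-free decoder with the bounds checks a parser for untrusted compressed input needs. It assumes the mozLz4 layout of an 8-byte magic `mozLz40\0`, a 4-byte little-endian decompressed size and one raw LZ4 block; the sample bytes, the `MAX_OUTPUT` cap and all function names are constructed for illustration.

```python
import json
import struct

MAGIC = b"mozLz40\0"             # assumed container magic (8 bytes)
MAX_OUTPUT = 256 * 1024 * 1024   # illustrative cap on the declared size


def read_length(src, i, base):
    """Extend a 4-bit LZ4 length: 15 means add following bytes until one is < 255."""
    if base < 15:
        return base, i
    while True:
        if i >= len(src):
            raise ValueError("truncated length field")
        b = src[i]
        i += 1
        base += b
        if b != 255:
            return base, i


def lz4_block_decompress(src, expected_size):
    """Decode one raw LZ4 block, refusing to produce more than expected_size bytes."""
    out = bytearray()
    i = 0
    while i < len(src):
        token = src[i]
        i += 1
        # High nibble: number of literal bytes copied straight from the input.
        lit_len, i = read_length(src, i, token >> 4)
        if i + lit_len > len(src):
            raise ValueError("literal run past end of input")
        if len(out) + lit_len > expected_size:
            raise ValueError("output exceeds declared size")
        out += src[i:i + lit_len]
        i += lit_len
        if i == len(src):
            break  # the final sequence carries literals only
        if i + 2 > len(src):
            raise ValueError("truncated match offset")
        offset = src[i] | (src[i + 1] << 8)
        i += 2
        if offset == 0 or offset > len(out):
            raise ValueError("match offset outside decoded data")
        # Low nibble: match length minus the minimum match of 4.
        match_len, i = read_length(src, i, token & 0x0F)
        match_len += 4
        if len(out) + match_len > expected_size:
            raise ValueError("output exceeds declared size")
        start = len(out) - offset
        for k in range(match_len):   # byte-wise so overlapping matches work
            out.append(out[start + k])
    if len(out) != expected_size:
        raise ValueError("decoded size does not match header")
    return bytes(out)


def decode_mozlz4(data):
    """Validate the container header, then decompress the LZ4 block behind it."""
    if len(data) < 12 or data[:8] != MAGIC:
        raise ValueError("not a mozLz4 container")
    (size,) = struct.unpack_from("<I", data, 8)
    if size > MAX_OUTPUT:
        raise ValueError("declared size above cap")
    return lz4_block_decompress(data[12:], size)


def load_session(data):
    """Return the JSON document stored in a .jsonlz4 file's bytes."""
    return json.loads(decode_mozlz4(data))


# Constructed sample: 7 literals, an 11-byte match at offset 1, then 8 literals.
SAMPLE_BLOCK = b"\x77" + b'{"t":"a' + b"\x01\x00" + b"\x80" + b'","n":1}'
SAMPLE = MAGIC + struct.pack("<I", 26) + SAMPLE_BLOCK

if __name__ == "__main__":
    print(load_session(SAMPLE))
```
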

                        1. 1

                          tl;dr: no one really knows what’s going on, but, potentially, this means not only the ban for Qualcomm chips from being sold to ZTE, but also the licensing of Android’s Google Play from Google, which basically might mean kaput for any Android sales outside of China (and North Korea, I guess?). (ICYMI: many Android phones sold in China don’t have Google Play.)

                          What doesn’t kill you, makes you stronger. But this’ll be tough…

                          1. 3

                            A little under an hour ago OVH popped in to the VPS provider Slack server I’m on and said they were blocked. I haven’t seen any bounces or received any support requests for my network. Is anyone out there having connection trouble?

                            1. 5

                              I would imagine they’re going to block all the popular cloud services that no one in Russia uses for “legitimate” reasons, but which are quite popular outside of Russia. Russia has a pretty big hosting industry and a plethora of VPS providers (in fact, many virtualisation technologies (e.g., Virtuozzo/OpenVZ) and hosting tools (e.g., ISPmanager and ISPBSD fork of FreeBSD) come out of Russia), so, I’d wager that fewer home-run shops/startups are actually affected than most western folks realise.

                              1. 2

                                Well, those serving the external market are annoyed by the need to access their own deployments via tunnels, but this is a solvable problem so far. Those who deployed on Amazon but didn’t depend on the fancy stuff have probably redeployed to local providers at least as a backup for local connections. But quite a few are hit, and then there are branches of international companies…

                                At some point, though, someone (apparently anyone can deploy a Telegram proxy) might remote-order VMs in some Russian datacenters, and deploy proxies that use some spoofing to hide which remote connections are relevant.

                            1. 3

                              I just found this through Google when trying to finally configure my mutt for more productive use after years of casual use as a secondary MUA.

                              Mutt is indeed very flexible, but, TBH, I’m quite surprised how poor some of the defaults appear to be! I basically had to pick-and-choose several default-behaviour options exactly as what this blog author does as well.

                              There’s also a prior discussion from 5 years ago, with some useful setup hints from @jcs as well.

                              1. 10

                                I’ve been a member of SO since public beta, and have just under 30K rep.

                                My experience is considerably different. Looking through my deleted items, the ones that weren’t deleted by myself were deleted because the enclosing Q was deleted, and I agreed with every deletion I looked at.

                                1. 3

                                  Depends on how you use it, and whether you are lucky enough to always take the discussions that are too complex or novel for StackOverflow off the platform right away, or not make them there in the first place. (E.g., effectively, depends on how much trust you put into the platform.)

                                  As I mentioned on reddit, most of the stuff that got deleted for me are actually my own questions, quite disproportionately, where I’ve spent considerable time on doing the research, and where the answer is non-obvious.

                                  If your question doesn’t meet metrics, the StackOverflow company will automatically remove it without any human intervention whatsoever, and block your own access from it, until/unless you have 10k. Is that really fair, after you’ve spent several hours doing the research and formulating a clear-enough question, which is so clear no one has even bothered to provide an incomplete and misunderstood answer for it? There’s really no reason for this.

                                  The toxic part is that when you bring up these kinds of things on meta, they school you into not posting questions that “don’t belong” in the first place, and your meta questions themselves quickly gain -15 downvotes (not -15 rep, but -15 actual downvotes, within a day or two), and get automatically deleted promptly, so, the next person wouldn’t even have anything to refer to (and neither will you have the text in case you wanted to repost elsewhere).

                                  1. 1

                                    If your question doesn’t meet metrics, the StackOverflow company will automatically remove it without any human intervention whatsoever, and block your own access from it, until/unless you have 10k.

                                    I have no idea what you are talking about. Can you elaborate on this?

                                    1. 1

                                      Go to /help/privileges, then the 10k link on StackOverflow to /help/privileges/moderator-tools has the following text:

                                      SO: You also have a new search operator available to find your own deleted posts: deleted:1.

                                      The reddit discussion has a link to the criteria for automatic deletion; in my case, the following seems to have been triggered a number of times:

                                      SO: The system will automatically delete unlocked, unanswered questions on main (non-meta) sites with score of zero (or one, if the owner is deleted), fewer than 1.5 views per day on average, and fewer than two comments that are at least 365 days old. (RemoveAbandonedQuestions)

                                      Basically, when you make that comment that the question is useless, you’re making sure it wouldn’t actually be deleted, unlike a question that’s simply ahead of its time. Duh!

                                  2. 2

                                    I still don’t understand how I’m supposed to get ‘rep’ to upvote something, and I’ve never had the time to understand their internet points system to do so. I’ve been ‘using’ stackoverflow since it came out to beat expertsexchange and usenet, etc. But yea I probably have like 1 rep. I understand why they hold voting, but it always makes me sad when I want to upvote a good answer or downvote a terribly wrong one and I can’t. No idea what the route is from user to community member and no desire to read up on it… which maybe makes me not a community member. :)

                                    1. 8

                                      It’s as simple as just asking and answering questions. I think just asking a single question and accepting an answer gets you enough rep to vote.

                                      1. 6

                                        I also have had semi-decent (if small) success editing questions for clarity. It got me far enough to get upvote/downvote privileges.

                                        1. 3

                                          They require a minimum of 15 rep to upvote, and 125 to downvote, see /help/privileges on each of their sites.

                                          Getting 15 rep is, like, really easy — you get 5 rep when your question gets +1, and 10 rep when your answer gets +1. Basically, all it takes is a single question and answer that someone does a +1 for, and you can upvote. (And you can even ask and answer your own question.)

                                          1. 1

                                            Interesting about that last one, knowing that that might’ve added 10-100 questions to stack overflow, if I’d taken the time to do it. Good to know. I think I have a complex about asking questions online in asynchronous forums. Chances are if I don’t know the answer, I’d rather keep looking than take the time to write it down somewhere and then wait. I’ll usually jump on IRC (or slack or discord these days) if the question is so pressing. I’d have to be in really dire straits to post and wait, it would feel almost like praying for an answer. :) (even tho 9 times out of 10 once I’ve worded the question I’m closer to a solution anyway… like I said I have a complex)

                                            1. 3

                                              You assume that it takes time to get an answer on StackOverflow. IME, very often for the more popular topics, the answer often appears right away within a couple of minutes. Folks race each other to answer first. :-)

                                              (Of course, it highly depends on the tag.)

                                              1. 2

                                                the answer often appears right away within a couple of minutes.

                                                Only if your question is something every mildly experienced programmer would know. As soon as you start asking things a little harder than you are often left without an answer.

                                                1. 1

                                                  Yeah I think I was molded in the era of web 1.0 responsiveness (think perl monks) and it’s probably cost me a bit. Not to mention whatever the false bravado/fear of showing ignorance that leads me to not ask enough questions in general.

                                                  Duly noted though, thanks!

                                        1. 10

                                          I’m trying to make DragonFly work on GCE. It seems that GCE requires vioscsi / virtio_scsi, which is in DragonFly, and is nearly identical to the version in FreeBSD (which does officially work on GCE), and DFly’s vtscsi does work locally in KVM if using vtscsi as a secondary disc as per the NetBSD instructions for QEMU (which are, like, total magic), but appears to fail to attach the da child in GCE.

                                          I’ve been adding a bunch of printf’s this past week, partially because it appears that DragonFly doesn’t appear to support reading input from the GCE serial port, so, you cannot do any live debugging; and doing the same changes to FreeBSD to see how the things differ. This included removing some support from FreeBSD’s vtscsi to see if that’ll make it stop working when matched for some framework features that are missing from DragonFly, but it appears that the error is likely outside of virtio_scsi.c, as FreeBSD still seemed to work even when downgrading vtscsi. Already tried CAMDEBUG w/ all the CAM_DEBUG_FLAGS, but CAM itself is quite different between FreeBSD and DragonFly to see the issue in the clear.

                                          My plan now is to get outside of virtio_scsi.c, both upstream into cam(4) and downstream into da(4), to understand how the whole thing works in FreeBSD and DragonFly locally, and how it doesn’t work on DragonFly in GCE. I’ll start by adding a few print_backtrace(int) calls, which is what panic() calls to get the backtrace onto the terminal, to get a better understanding of the paths that get da to attach via vtscsi over cam.

                                          P.S. The fact that someone in FreeBSD decided to name the driver virtio_scsi, attach it as vtscsi and have the actual physical discs attached as da (without documenting any such thing whatsoever in virtio_scsi(4)) doesn’t help much, but I’m way past that misunderstanding; which is even worse in the case of virtio_blk(4), which shows up as vtblk in dmesg, yet attaches the discs as vbd — seriously?! Where’s any sort of mention of /dev/vbd%d in the man-page?!

                                          1. 32

                                            I don’t see why this progress bar should be obnoxiously put at the top of the page. It’s cool if you wanna do a donation drive but don’t push it in the face of everybody who comes here. Honestly at first I thought this was a bar for site expense. Then I realised it’s to ‘adopt’ an emoji.

                                            1. 7

                                              Lobsters isn’t a daily visit for most readers, probably even for most users. They can’t see it to join in if there isn’t anything visible for it, and it has an id for adblocking if you prefer not to see it.

                                              1. 22

                                                Personally I check this site quite regularly on my mobile device… which doesn’t have an ad-blocker.

                                                1. 13

                                                  That sounds awful. If you’re an android user, normal uBlock Origin works on Firefox for Android just like it does on desktop. :)

                                                  1. 3

                                                    Or use Block This!, which blocks ads in all apps.

                                                    1. 3

                                                      Oh, that’s a cool little tool. Using a local VPN to intercept DNS is a neat trick. Unfortunately doesn’t help in this case because it blocks requests to domains and not elements on a page via CSS selectors.

                                                      That does make me want to actually figure out my VPN to home for my phone and set up a pi-hole, though.

                                                    2. 2

                                                      Ohh! Good to know, thanks.

                                                    3. 2

                                                      Firefox 57+ has integrated adblocker nowadays, on both desktop and mobile; plus, there’s also Brave.

                                                    4. 27

                                                      That is still annoying that I need to set up my adblocker to fix lobste.rs. So much for all the rant articles about bad UX/UI in here.

                                                      1. 11

                                                        maybe one could just add a dismiss button or something like that? I don’t find it that annoying, but I guess it would be a pretty simple solution.

                                                        1. 1

                                                          I concur, either a client side cookie or session variable.

                                                          1. 1

                                                            Well, yeah… that’s how you could implement it, and I guess that would be the cleanest and simplest way?

                                                        2. 2

                                                          It’d be great to see data about that! Personally I visit daily or at least 3 times a week. Lack of clutter and noise is one of the biggest advantages of Lobsters. And specifically, I looked at the link, and I have no idea who this Unicode organization is, or their charitable performance, or even if they need the money. I’d imagine they are mostly funded by the rich tech megacorps?

                                                          1. 1

                                                            [citation needed] ;-)

                                                          2. 3

                                                            Adopting an emoji isn’t the end goal: the money goes to Unicode, which is a non-profit organization that’s very important to the Internet.

                                                            1. 5

                                                              If this bar actually significantly annoys you, I’m surprised you haven’t literally died from browsing the rest of the internet.

                                                            1. 10

                                                              I, too, first thought that this bar was for site expense. I think it wouldn’t hurt to make “Adopt Lobsters Emoji” text visible, at least on desktop, as right now it’s just a number within the progress bar.

                                                              As for making it hideable, I don’t really get the purpose of this proposal — the bar takes less space than a single story. In fact, this very thread takes more space on the front page than the element it proposes to collapse, and unlike the bar, this thread doesn’t even give the warm glow.

                                                              As much as I hate the obscure UI elements that obstruct and slow down my UX when browsing the different sites (especially as they may pop in and out), I have absolutely zero objection against this tiny bar on the front page here, which is implemented as static HTML/CSS in less than 400 characters. In fact, I do object to getting it bloated with all the logic that the hiding would require.

                                                              1. 8

                                                                It’s certainly not tiny, and while it’s not that large, it is by far the heaviest element on the front page.

                                                                I definitely support, in decreasing order of preference:

                                                                • Getting rid of it
                                                                • Making it hideable directly (rather than requiring users to block parts of the page)
                                                                • Making it smaller and less contrasty to reduce visual weight
                                                                1. 4

                                                                  That’s a good point about it being the visually heaviest element on the page - and for such a light, text-only site, it really stands out. (I made a similar point a while ago about a different feature.) I’ve taken most of the color out of the progress bar and reset it to the default font size so it fits in a little more smoothly.

                                                                  1. 1

                                                                    Thank you, it’s much better now.

                                                              1. 6

                                                                This is just gold:

                                                                Under the new patch, Linux listed all x86-compatible chips as vulnerable, including AMD processors. Since the patch tended to slow down the processor, AMD wasn’t thrilled about being included. The day after Christmas, AMD engineer Tom Lendacky sent an email to the public Linux kernel listserve explaining exactly why AMD chips didn’t need a patch.

                                                                “The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault,” Lendacky wrote.

                                                                A very interesting article. Would be more interesting to know the details behind the above gaffe — did the AMD engineer break his NDA, or did he come up with the root cause behind the patch independently?

                                                                TBH, regarding discussions on public listserve, it seems really weird that these kinds of things wouldn’t be done behind closed doors — just because the software is OSS, doesn’t mean that every single change has to be thoroughly explained on the public mailing lists, like Verge seems to suggest. In the BSD world, for example, internal developer-only (i.e., committer-only) mailing lists do exist, which, for better or worse, make it easy to not unnecessarily publicise such changes, whilst still getting the exposure and feedback from the developer community.

                                                                1. 16

                                                                  When you know a secret for too long, you forget what’s supposed to be secret and what’s not. Also, when too many people know, you forget who knows and doesn’t. You forget when it’s secret and when it’s public. When the secret topic is half secret and half public, you forget precisely what’s secret and what’s not. Etc., etc.

                                                                  Governments, with 100 years of practice, screw this up. Amateurs are doomed.

                                                                  1. 3

                                                                    I looked at the graph, and it’s actually above 2x CPU utilisation increase, unlike what the reddit title said; however, this is virtual machines we’re talking about; who is to say that the extra increase is not attributed to moving to a different host, CPU type or some other type of VM-based consolidation?!

                                                                    1. 10

                                                                      Matt Dillon hardly needs an introduction, however, I’d just like to point out that he’s one of the few people that I really do trust to have actual knowledge on these issues, as a few years ago it was him who found some obscure processor bug that resulted in an errata from the vendor — AMD in 2012.

                                                                      He was also involved in providing a public analysis of the Intel Core bugs back in 2007:

                                                                      1. 3

                                                                        This is just bloody ridiculous! Why would any org not have a purchasing requirement that prohibits purchasing anything that has a prohibition of doing performance testing? Especially in the government settings, where things are supposed to be up to the public disclosure through Freedom Of Information Act and the like.

                                                                        Can you imagine going to the restaurant where as a condition of being serviced you agreed not to write Yelp reviews?! How could Oracle not only survive, but thrive with such poor numbers, and an explicit acknowledgement from legal that they do know they probably suck against the competition?! Unbelievable!

                                                                        P.S. Which cloud provider has this clause?! Asking for a friend.

                                                                        1. 2

                                                                          Oracle probably had a better response time for the C-level exec to come to your office and grovel for forgiveness when the software breaks.

                                                                          1. 4

                                                                            So, Uber decided to pay bribes to the assailants, and hide the fact that they were hacked?! And it’s all under an NDA, I gather, so, no worries?!

                                                                            On the one hand, that’s an applaudable bug-bounty programme.

                                                                            But on the other, at this point, I don’t think any sort of mafia-like behaviours of Uber should come as any surprise to anyone.

                                                                            1. 4

                                                                              I think it’s an interesting article, but I disagree with the effort it takes to get the upper management on board with OSS.

                                                                              I once had an interview in San Diego with QCOM, and noticed that the upper level guy who was interviewing me for the position (I was going for a Sr. SE, so, he was probably VP level for the group), was playing with scissors as I was asking him how come they extensively use LLVM for their projects on this team, yet don’t feel like doing any contributions at all whatsoever (he was very clear on both points).

                                                                              Likewise, other occasions with many other companies, except for the playing with scissors part — was something to remember.

                                                                              1. -1

                                                                                TBH, once I got into Brave, I became very sceptical of these kinds of posts.

                                                                                Most of the CPU cycles of modern browsers are given to the parasite tracking code nowadays. I don’t really care about the whole DNT movement, but when all the sites have multisecond delays, freeze your scrolling, blow out your CPU and crash your apps on decent hardware, you know something’s gotta give.

                                                                                I easily get 10x the speed in Brave compared to Chrome. All those improvements in Firefox sound nice, but I don’t see a paradigm shift of killing off background JavaScript tracking here. Until that’s done, Brave would still be much faster IRL, even if its engine is slower.

                                                                                1. 12

                                                                                  Luckily ad blockers work in Firefox, I guess?

                                                                                  1. 7

                                                                                    You know Brave’s income model is ad-substitution. You’re not doing away with that tracking code, you’re just replacing it with another. You can opt out, but you can also install an ad-blocker on chrome or firefox (or safari, or edge).

                                                                                    1. 1

                                                                                      That’s the thing — I don’t care about ad substitution, or the privacy part of tracking all that much.

                                                                                      I highly doubt they’d make their own ads and tracking have anywhere close to the performance impact that all the third party tracking has nowadays.

                                                                                    2. 5

                                                                                      You mean something like the tracking protection Firefox has had built in for some time now? It’s enabled by default too.