Why do I always get a bad feeling about the motivations behind stuff like this? I want to believe it's for better privacy and security, but it's being driven by a corporation or two, and that makes me 100% suspicious. Like, for example, suddenly Edge is no longer respecting local DNS options and my pihole protects one fewer device from the real dangers to privacy. I don't want to be cynical so often, but this really doesn't feel like a benevolent move. Yeah, it's conditional at the moment, but as with Chrome and manifest v3, among many other examples, I'm losing my faith that anything with the potential to increase ad revenue will remain turned off for long.
The reason you have a bad feeling is it gives the FBI/FEDS a single point to collect your data, with a man-in-the-middle attack that you will have no idea is there.
Using a browser that monetizes itself in any way seems like a slippery slope to me. I'd rather use Ungoogled Chromium/Bromite or even LibreWolf if it came down to it. Saying "that's it, I'm moving to Brave!" is basically declaring that you're moving your data from Microsoft(1) to Microsoft(2).
Exactly. Brave just takes Chromium (from Google) and adds weird crypto stuff to it. None of the Chromium forks are "different browsers" in my eyes. They all depend on upstream for everything important. They couldn't develop the browser on their own.
Just use Firefox. It works just as well as Chrome (*), but it's based on a completely different engine which was built from the ground up.
(*) On desktop at least (on Android I still use a Chromium fork for now)
> Brave just takes Chromium (from Google) and adds weird crypto stuff to it
That's a really unfair(and untrue) statement. Brave also removes some code they find privacy violating, built in a best in class adblocker, built a full cross-device sync system that works perfectly, some UI tweaks and enhancements, built Tor connectivity in, etc. Probably a lot more that I'm leaving out.
I am def not a fan of crypto or BATs or whatever they were pushing, but you can use it fine ignoring all of that.
To be fair, you can also disable Microsoft's built-in VPN. The problem is trusting people who don't have your best interests at heart, and using Brave products just kicks that can further down the road.
Normally this might just be a platitude of the sort, "Go check it for yourself." But in this case that's not what I'm saying. Brave is going to be used by large numbers of tech focused users with a privacy/security bent. And they are also competing against Google who will make sure even the slightest slip by Brave is promoted across the entirety of the web.
That code is scrutinized heavily. That the worst you can find about Brave is people making false statements about crypto stuff (it is entirely optional and opt-in with 0 coercion or dark patterns to push you there) speaks incredibly highly as to the current state of the Browser. Might that change in the future, as you seem to be suggesting? Yip! And when it does there will be a new Brave. But for now they continue to stay on an excellent path forward.
Many sites are broken on non-Google browsers though. But the advantage of being able to use adblockers in Firefox alone outweight that - not even taking privacy into consideration.
The thing I like most about Brave is actually the crypto stuff, and I hate almost all crypto. This is actually a good use case for it - you have a distributed system (users browsing) across untrusted hosts (users).
People like to shit on advertising, but much of the internet exists today because of advertising. Do you think Youtube could exist at that scale without ads? I don't think so, personally. At least, not without another way to monetize.
Brave is the only player providing an alternative monetization strategy. Crypto or not, to me, that is by far the most interesting thing a browser has done in a long, long time.
Blink (Chrome) is a fork of WebKit which is a fork of KHTML (Konqueror), but that is a very much different situation. None of the Chromium/WebKit-based browsers are full forks but rather merge custom patches with upstream development. They don't have the development capacity to go against any Google changes except for a few things here and there. Meanwhile Google isn't relying on KDE to develop new features - in fact KDE isn't developing any new KHTML features but instead is switching (or has switched) to WebKit/Blink.
> (on Android I still use a Chromium fork for now)
What chromium fork is on android and actually better than Firefox for android? I use Firefox for the best possible experience on android and would like to be aware of another option.
From my (anecdotal) experience, Bromite is faster than Firefox on my phone, but your mileage may vary.
I was originally using Firefox due to its uBlock Origin support, but Bromite has ad-blocking built-in (unfortunately it's not quite up to par with uBO but it works well enough).
I would suggest that you try both and see which one you prefer.
I have at least three sites I use that i have to open in edge since they don't work properly in Firefox. Local bank, credit card issuer, and employer's guest wifi login portal.
>Just use Firefox.
No.
Well, I'm not so rude, so "No, thank you".
>It works just as well as Chrome ()
Not on anything* I use, it doesn't, so "No....thank you".
Tbf, I do keep trying ff, but...clunky, jeepers!
'Fraid I'll hang on until my Brave jumps it's particular shark and then maybe I'll hop over to something else, but for now, and as long as I can still use UblockO, Brave it is.
>not even Microsoft can afford to maintain their own browser engine
We don't know that. Maybe Microsoft could maintain their own browser engine if Google hadn't provided one on permissive open-source licensing terms that met their needs.
They gave up way too easily though. I don't think they ever had an interest in actually making a good browser engine. They've never managed one in their entire history. Microsoft love mediocrity, the "just good enough" mindset. Nobody takes their products on because they really excel at what they do. Just because they have a huge installed base, they're not so bad there's really a problem to use them and they integrate with everything else (e.g. Windows) nicely. For example Slack is so much better than that turd called Teams but nobody wants to pay the extra because Teams is free with O365 and user frustration doesn't cost anything on the bottom line.
This is why Apple really came out of the blue with Steve Jobs' razor focus on quality above all. Microsoft's goal is never to be 'best in class'. Because they don't need to be. People will buy it anyway.
So what's the solution? I hate this status quo as much as you do, and standing here in a Mexican Standoff is not viable forever. You're right. "The web" as a platform has been twisted and perverted beyond real usability at this point. There is no path forward where we undo Google's damage and preserve the qualities of the web we enjoy today. So, how do we fix this?
The solution (to me) is simple - fix native app distribution. Make platform targets operate the same as they used to, and give people control over their computer again. The only ones preventing us from a platform-agnostic utopia is Apple and Google, both of whom profit off the artificial difficulty of distributing applications.
So, here we are. Google is poisoning the web while Apple refuses to swallow their pride. Everyone is hurting, and nobody stands to gain anything but the shareholders. A hopeless situation, but let's not pretend like everything here is morally grey.
For starters, if a company makes a web browser with market share exceeding 50%, and also produces web sites and web apps, if those web sites and web apps to do any sort of user agent testing or require non-standard features of the aforementioned browser, it should be treated as ipso facto monopoly abuse.
The solution is already impossible. When Mozilla had browser domination they had a chance to dictate something. The moment Chrome became popular, now another company, just as MS and IE did before, could just do the feature creep of "add feature, subtly break/slow down opposition, get more users that just want browser that works"
Can you please give a concrete example of what Apple should do, in your opinion, to expand their API targets? And how is that related to web standards complexity?
People complain about excess functionality being added to web browsers (HTML5, WebXR, WebRTC, etc) and many of these complaints are valid. Web browsers don't need these features, they should be relegated to native apps.
Except they can't be. Native apps don't offer the same freedoms that the web does. And so, we keep stacking technologies on top of web browsers to alleviate the problem. It's a bad situation, and both Google and Apple are gruesomely complicit in making this situation worse.
> Can you please give a concrete example of what Apple should do, in your opinion, to expand their API targets?
Stop browser lockdown. Allow sideloading. You know, the basics of computing that we had figured out since the mid-90s or when we sued Microsoft.
Yes but being able to use all of Chrome's extensions in Brave is a huge win to me. And most Chrome documentation, Q and A, tutorials are mostly relevant to Brave as well. I see Google and other behemoths contributing to an open source project as a good thing. The product may not be where it is today without their help, including paying people to work on a free product. Still, yeah don't trust them.
I must have a hundred things that I change on every install. At a bare minimum I'd be disabling pocket, prefetch, and search from the address bar for privacy reasons and then disabling service workers, webgl, and wasm for security reasons.
> Using a browser that monetizes itself in any way seems like a slippery slope to me.
Is that a practical sustainable long-term business practice though? Firefox was only able to be free because Google was paying Mozilla. Browsers are some complex software and software developers wanna get paid. I know that the in's and outs of history of browser software has conditioned us to expecting browsers for free but that doesn't reflect the reality of developing the software.
Firefox, with its full complement of full-time developers, could stay alive with a tiny fraction of what Mozilla earns in a year. Most of Mozilla's work is tangential to Firefox at best.
Surely there's space in the browser market for a model akin more to how Wikipedia operates.
That's the thing, it shouldn't be a business practice at all. Browsers are part of the Internet infrastructure and that should not be treated like any other business but be regulated enough to ensure anyone gets fair use of the infrastucture and should rely primarily on public funding.
The Internet being global makes this challenging, and almost all countries (including so-called democracies) wanting to drink as much authoritarian juice as they can get away with does mean that there is plenty of risk here as well. But letting one or a few giant megacorporations entirely dicate the primary intrastructure for information interchange is so much worse.
> Using a browser that monetizes itself in any way seems like a slippery slope to me. I'd rather use Ungoogled Chromium/Bromite or even LibreWolf if it came down to it.
The problem with this approach is that it’s impossible to get a safe binary that isn’t downloaded from “libfree.cxcc.gg” or whatever. The other option being to build from source, which is an absolute nightmare for Chromium.
All of those browsers have signatures available if you question the integrity of your binary. Otherwise this argument isn't any different for the likes of Brave or Chrome even.
> All of those browsers have signatures available if you question the integrity of your binary
Signatures available from whom?
The point being that a web browser is a very special case of software that has to absolutely 100% trustworthy from a reputable commercial entity (that is, someone that can be sued). The only other thing with that level of trust is your operating system.
So my Linux kernel running the majority of the infrastructure of the company I work for is untrustworthy?
Do you not trust kernel.org? Or the GPG signatures of the commits?
What about Mozilla?
As for "someone that can be sued", have you read any of the EULAs of the commercial entities that you think are "reputable" and "100% trustworthy"? You can't sue them.
Similarly, do you trust all of the CAs that have certificates in your OS or browser trust store?
Gemini is on the other extreme (except for requiring the crypto complexity that comes with TLS). I would prefer something that still lets people express themselves creatively like the early web did. Personally, I think even newer CSS is fine even if more complex than it could be if re-designed - the problem is mostly JS and million different APIs that come with that as well as the expectation that that the browser will be able to execute that JS insanely fast.
I would. I already use FF mainly under a locked-down profile for mere reading. (I use another profile for madatory interactive sites like banking and stuff).
Others like me would. And resource-constrained devices. An eco-system of low-tech sites could emerge with a label signaling them as simple and virtuous.
The issue I have with Gemini is that it discards 25+ years of established domain knowledge and existing software for something which does not provide any additional functionality over what today's software already offers.
I don't think any way is unacceptable. I'd be totally happy to pay for the software for example. It's all the sneaky crypto / adware / tracking stuff that I have a problem with.
I'm very glad you mentioned the homepage spam. It's increasingly difficult (and valuable) to live without information overload these days; Edge's forced "news" spam has pushed me away as well.
What is shocking is the content is so low quality it's appalling it came from a big, respected company as Microsoft. A lot of the posts are often clickbaits, and there are ads carelessly interspersed between the posts all over the page.
I know it makes a lot of money for Microsoft but the fact they chose to keep the quality so low really looks bad.
Biz, gov and mil management relies on MSFT; executives, their attorneys and bankers, respect MSFT for doing what they do ($$). Similar to big retail and worse, gambling, the single user is last in line; used and abused individuals.. nobody expects a lot from the individuals involved, and their opinion matters less. Wolves among sheep, basically.
blocking msn.com via hosts will give you a blank new tab page in Edge, only including an Edge background image, and a search bar leading to your chosen search engine.
You can disable all that from Edge itself, at least on the desktop. When on the new tab page, there's a "Page settings" icon in the top right. If you click on that, there's a bunch of options there regarding what should be present on the page; the bottom-most item is "Content", and if you set it to "Content off", it all goes away.
I'm all for pushing for more privacy/etc; but is Brave what we want to advocate for as an alternative? They did some pretty heinous link jacking relatively recently. I'm not sure FF/(/chromium) have been caught doing anything worse than that yet.
the only unremovable thing that bothers me is the stupid bing points thing that i dont care about. It doesnt encourage me to use bing, it just makes me question how they continue to manage to swipe my queries enough to increase that score.
And not even then. Most VPN providers in the top 10 are actually very shady and their organizational structure is quite opaque.. to say the least. I wouldn't be surprised if at least half of the top providers are actually FBI fronts, like the ANOM chat app.
The insane thing is that, because the VPN has a 1GB/month traffic limit, there is no way to enforce it unless they associate all traffic with a Microsoft controlled user identity. Cloudflare literally has to keep track of any sites you visit and associate them to your ID to make it work.
Though, I do believe that for connections from public WiFi it's somewhat of an improvement. It establishes a minimal security baseline of: "ok, we'll sell your data and let FBI snoop on you, but we won't inject trojans in your downloads and then hijack your webcam to create ransom-porn (though the FBI/??? might)".
It is so weird that they're 'VPN providers'. They're proxies. It's not really a VPN unless I'm in control, or they're providing servers in the VPN to connect to.
ISPs in Poland at least give you the ability to pay so they do not spy on you. It is very small (10%)but I have no doubt most people cheap out. Internet is relatively cheap here.
From my experience, non-tech people just leave browser defaults. I'd argue this is better than letting them to use public wifi without VPN. If you really care about security you won't use it, of course
Story time. Someone I know once got laid thanks to Facebook not encrypting their sessions
My university was still using basic ass unencrypted WiFi with some kind of terrible dns-hijack sign in to “auth”. This of course meant that everyone put their shiny MacBooks on essentially public wifi and logged in to social media in the clear in class.
Some enterprising chaps made a browser extension that made it trivial to snoop any open sessions and impersonate that session in a new tab.
Someone I know would do this during lecture and post to people’s social media as them saying they should pay attention in lecture. Possibly some other scandalous things were said. The hilarity that led from that stranger doing so led to the beautiful nerdy girl sitting behind this person noticing and daring them to post more. That became hanging out, parties, and as far as I know they got married and have kids now.
Literal people exist that wouldn’t otherwise because Facebook didn’t have HTTPS
>Some enterprising chaps made a browser extension that made it trivial to snoop any open sessions and impersonate that session in a new tab.
Firesheep was super big for a while, yeah. I used it to show a few coffee shops that yes, really, WiFi with a password of "password" was measurably better for their customers than no password: https://en.wikipedia.org/wiki/Firesheep
Plus, Firefox is soon implementing HTTPS-Only by default if I remember correctly. What was it, maybe 2016 there was a big push for SSL and the majority of the web, even login and payment pages, were HTTP? Now only a small percentage of the web isn't HTTPS. I have HTTPS-Only enabled in Firefox and rarely do I have to click the 'Continue Anyway' button to browse an HTTP page. For most general users that only use popular services, I'm sure it's even more rare.
I have a site from 1997, pure html, with drivers, install disks, documentation for computers from the 80s/90s.
It works. It's fine. No, it does not need ssl. What, someone is going to hack a floppy driver for a computer, which doesn't even have a built in network stack?!
No, I am not going to do work on it, any work, at all.
Depending on what the drivers are for, you may be a prime candidate for MitM. People already go to your site to download software they're going to run in the most privileged mode. This is a perfect candidate for a type of watering hole attack.
Considering you're providing those for 90s machines, you could be the last resort website for a few interesting industry computers with no security restrictions around them.
> Depending on what the drivers are for, you may be a prime candidate for MitM.
Doing that MitM is technically very easy, but in practice pretty hard. You'd have to have an adversary on your network path watching for connections to this particular esoteric low-volume site hosting drivers for machines from the 80s and 90s.
That is extremely unlikely.
I have a much easier way to target that content: Just put up a new site hosting the same content with malware attached. No need for MitM shenanigans.
Security isn't about absolutes, it is about risk managment and being aware of the likelihood and consequence of the risks is important.
> No, I am not going to do work on it, any work, at all.
Without HTTPS, the content can be replaced entirely. Last time it was JavaScript that DDOS'd github. If you don't want to serve content over HTTPS, then you don't care what your users receive. Just delete the site and they all get 404's instead, since you already admit that you don't care either way.
If it makes you feel any better, HTTP without HTTPS was a mistake we all made together. It should never have happened.
Given that HTTP without TLS can provide backwards compatibility while anyone and their dog is advocating for deprecating TLS versions and them being too complex for most people to maintain on their own, I respectfully disagree that plain HTTP was a mistake.
You're at a coffee shop or library using their WiFi. Your computer sends a plaintext HTTP message. The attacker just needs to be able to see that message and get a response back to you before the real site does, and the real site is a lot further away than the guy sitting at the table next to you (or the hacked router, if he doesn't want to be there in person). Then they can feed your browser whatever they want.
A login form to phish you, perhaps?
They can even start replying, then go off and fetch from the actual site before finishing the response, if it helps to incorporate the real data.
That is fine. The site itself is safe. Accessing it over untrusted transits is not. What has changed since 97? Well, attacks became far more sophisticated, and the transits that people access stuff over became far less trustworthy.
There is nothing wrong with your website. However, you shouldn't be surprised when modern browsers stop working with it. Progress doesn't come free.
You are hosting executable data of some kind on a non-authenticated protocol. That's totally not dangerous at all. A MITM definitely couldn't cause any damage by altering executable data in transit on unsuspecting users. This has never happened to anyone.
>are safe
No, they are not.
>No, I am not going to do work on it, any work, at all.
If you are too lazy to do it securely maybe you just shouldn't do it at all.
HTTPS everywhere by default can't come fast enough. There is no excuse at all to not have HTTPS support today and browsers should deny access to these lazy and careless sites by default. Anyone who can't spend the 5m to set it up for their website can go kick rocks as far as I'm concerned.
It is all fun and games until one of the downloads from your site picks up malware in transit and the user goes "why did this web admin infect my computer? Sue!"
Not caring about whether some segment (possibly even a majority) of users can or are willing to jump through hoops to access your site is a valid choice, just like publishing through gopher is. You do you.
You could host hashes of the downloads on an https page. Should be quite simple. Malware can still work on a computer without a built-in network stack and if users are getting downloads onto that computer, then data can leave through the same means.
And update all links to not go back to the HTTP site...
And troubleshoot weird issues (TLS errors are generally not helpful)...
And maintain that setup for years...
Not an insurmountable effort for sure, but if you estimate 30 min for the total additional effort of adding HTTPS to a site then I have a bridge to sell you.
Recently I noticed that FF doesn't even let you accept invalid (meaning no longer recognized as valid by FF because they changed the rules to requrie SAN) certificates for HSTS-enabled sites. The bug report's response was that the HSTS standard specifies that. Fuck that, the users should always be the one in control of such decisions in the end.
You forget exactly how much the government felt they got out of just knowing whom was talking to whom, not even bothering to collect the data of the conversation itself.
Microsoft was one of the first companies to sign up for PRISM [1], doing so in 2007. I think there's a subconscious feel among many that because the media stopped reporting on these things, that it stopped happening. PRISM never ended, and almost certainly has only expanded and grown even more invasive and brazen largely owing society's apathy towards what Snowden revealed.
Literally to this day one can read things like the NSA manual for using their software that enables real-time absolute surveillance of Skype: "User's Guide For PRISM Skype Collection." [2] The idea of any degree of privacy from any tech company hosted in America is a lie. The main difference with China is that we lie about our surveillance state, and force companies to lie about it, while China openly advertises theirs.
You can learn a lot about a person based on the IPs they visit. HTTPS/SSL doesn't protect you from that.
In many cases you can even determine which protocols and general content they are consuming from that IP based on traffic shaping/fingerprinting. The burst of traffic your browser sends when loading a particular site is quite exploitable. There's plenty of software already available that makes use of this.
Public wifi and bluetooth detectors all over is whats scary, as most public wifi is used by phones, not machines and who the hell is running edge on their phone?
but this just reminded me of the failed FB phone and the failed microsoft phone...
So deanonymizing bluetooth device IDs. I know the Canadian spies used airport Wifis to deanonymize Wifi MAC addresses then set up wifi stations all over Toronto to experiment in tracking people.
How would they do the same for bluetooth? Broadcasting "Dans iPhone" doesn't tell you much.
Correct, but its a more insidious web on this level...
they have so many correlation engines for device location, that it will soon be impossible to be "off grid", if its not already.
how the heck do you think there are fn leaks from over a decade ago of "text messages received by the government reveal that person X who is on the shit-list was quoted as saying [BULLSHIT] sources close to CNN have stated.."]
ASIDE: Famous story from ~20 years ago was talking about the CIA handlers at CNN... and the revolving door of in-q-tel emps from fb moving back and forth within the security team (one of which had to be walked out of the building for [things])
you dont need "dan's phone" they have had eschelon for DECADES and were able to literally do 6-degrees ppl tracking since the 1990s...
WTH do you think they named it "starlink" instead of sky-net...
And when they built the first part, they were advertising the wonderful things the rural folks in africa's greater continent will benefit, then after a few years they showed that the system will primarily service the dense populations of the coasts of places like the USA and AUS -- which is where a big portion of the five-eyes service.
IMEI and such is a bitch..
iOS is the biggest location tracking platform ever...
Remember when the founder of Android (from Danger) was let go from google with a ~200MM$ golden parachute at $90MM to gtfo?
yeah but im pretty sure 99% of the population just clicks past those SSL certificate warnings, in part because they don't understand what that means, and in part because there are way too many sites that let their certificates expire.
HTTPS is trivial to break with a man in the middle attack, yes you get a scary warning in your browser about an invalid certificate, but I'd bet that 90% of people will just click through it and ignore it.
Really? Most people? I cannot think of anyone from my family who would even think about it for a second - they would just get annoyed they can't get to their bank website or whatever and just click continue. Also what tech support? Me?
But now there is no button "continue", you have to click multiple buttons, which are not clearly labelled, in order to see the page. I'm sure 90% of people would not even be aware that you are able to continue.
Even more, for self-signed certificate on chrome, there is no button to continue for example. Check https://self-signed.badssl.com/
Yes, there is. I often have to use it to deal with some internal misconfigured site inside the corporate intranet (the cause is almost always that a certificate has expired, when it isn't it's because a host can be reached with two names and the cert matches only one of them, but that case can be fixed by using the proper URL). I have no trouble telling chrome desktop to bypass.
From my experience working as on-campus tech support in college, most people who aren't tech savvy will quickly give up or look to someone else for help. They will likely not think to click Advanced -> Continue Anyway (unless they have been taught to do that before).
Tech support comes in many forms. The owner of the website, a friend who knows about computers, someone else in the workplace, the vendor they purchased their laptop from.
Banks often have awful security systems. Kiwibank in NZ has a "two-factor security" system. All it is is a security questions thing where you click on screen to fill in 3 letters of the hidden answer. The on-screen keyboard makes it secure, you see? Against keyloggers.
I once wrote them a long email about what two-factor is actually supposed to be and why it exists, and got a reply basically saying "lol ok, our security is great ok?"
I've since switched away from them for a bank which does 'two-factor' by sending codes via SMS, but only when its algorithm decides that it needs to. That's not very often.
handelsbanken.se is on line 163144. (I was a little bit off on the length of the list before)
unicredit.it is not on the list, but unicredit.ba and unicredit.ro are. (Lines 7331 and 7332) It does send HSTS headers.
danskebank.se and sella.it are not in the file, nor are the base strings, but both sites do send HSTS headers.
fideuram.it is not on the list, and does not send HSTS headers, so they don't seem particularly interested in security. They also haven't set an A record for the root domain, so visiting `fideuram.it` returns NXDOMAIN. Only `www.fideuram.it` exists.
fideuram removed the phisical tokens for 2fa and moved to SMS, saying that it was because of some european directive… I went to read the directive. It basically said to not use sms and avoid apps in favour of dedicated 2fa devices for banking.
Also, what does "HSTS sites" mean. Does it mean (a) "official" HSTS via HTTP header alone, (b) "unofficial" HSTS via preload list (see RFC 6797 section 12.3), i.e., the list maintained by Google, hardcoded into a browser, or (c) both. The "unofficial" approach only seems feasible for a limited number of domainnames and unworkable for every domainname in existence.
In tests I have done on Chrome (YMMV), executing "Clear site data" via Developer Tools, or including
Clear-Site-Data: *
in an HTTP response header, e.g., added via a user-deployed proxy, will clear an "official" HSTS block, allowing the "MITM" to proceed.
Besides being generally annoying, HSTS allows for setting "supercookies" that persist even in "Incognito" mode
The RFC for HSTS even admits how it can be used for web tracking. Not too concerning for the advertising company sponsoring the RFC.
14.9. Creative Manipulation of HSTS Policy Store
Since an HSTS Host may select its own host name and subdomains thereof, and this information is cached in the HSTS Policy store of conforming UAs, it is possible for those who control one or more HSTS Hosts to encode information into domain names they control and cause such UAs to cache this information as a matter of course in the process of noting the HSTS Host. This information can be retrieved by other hosts through cleverly constructed and loaded web resources, causing the UA to send queries to (variations of) the encoded domain names. Such queries can reveal whether the UA had previously visited the original HSTS Host (and subdomains).
I use a loopback-bound forward proxy to enforce zero tolerance for HTTP across all programs, not just the web browser. Everything is sent via HTTPS. The proxy is configured to to check certificates, and deny connections, according to rules I set. I use a text-only browser for noncommercial, recreational web use so I need a forward proxy, if for nothing other than to deal with the spread of TLS. But I also use it for a whole laundry list of tasks.
Maybe it is just me, but HSTS, like much of Google's rhetoric, comes across as unfriendly if not hostile to proxies, regardless of who is running them. Consider this line from the RFC
"The rationale behind this is that if there is a "man in the middle" (MITM) -- whether a legitimately deployed proxy or an illegitimate entity -- it could cause various mischief (see also Appendix A ("Design Decision Notes") item 3, as well as Section 14.6 ("Bootstrap MITM Vulnerability"));"
"Mischief." Does that include inspecting one's own HTTP traffic on one's own network. How about blocking certain methods of tracking, data collection and advertising. Apparently it includes disabling HSTS.
Let's be honest. Google is an undisputed king of "mischief". The stakes for Google mischief are much higher and there have been too many fines to count. Consider the latest. How many people deploying their own proxies get fined $4B. (Arguably, an issue of "control" was at the heart of that decision.)
If the proxy is "legitimately deployed" then why not stay out of the network operator's way. Let them have control. Give the option to cede control to Google instead of making it a default.
I use HSTS for commercial, nonrecreational web use, when I have to use a "modern" browser. That is a small fraction of total web use for me.
I'd argue the invalid certificate would only get the middle segment of semi-tech literate but security illiterate people. So maybe a lot of people on this site . The average user, based on my observations, tends to take these warnings very seriously.
Have you looked at what the UX is for invalid certificates in 2022? It's not like ten years ago where you just click enough times and "visit anyway".
Here, try this link in Chrome: https://untrusted-root.badssl.com/. When you click Advanced, it tells you "the website sent scrambled credentials that Chrome cannot process". And beyond that there's just no button to bypass it. You can't visit the site. (Sure, there's probably a chrome://flags or --disable-web-security way to bypass this, but that's well beyond the average user's comfort zone, as well it should be.)
I clicked that link - in Chrome on Android all I had to do was click "advanced" then "proceed anyway". I have never changed any flags or default settings in this browser.
I just tried to open the site in Safari, and there's no "Continue anyway" button, only "Go Back". I did not change any default settings, because I use Firefox as my daily driver ( and Firefox does have "Accept risk and continue" button, but I think the word "risk" on it is scary enough for many people to not click it).
EDIT: It turns out there is a "visit this website anyway" option in Safari, but it is not a button, it's a link which you only notice when you click "Show details" button and read the warning.
It's trivial to set it up for the attacker. If you have a Linux laptop you can set up a redirect for all the traffic on the network through your machine with two commands, then there's plenty of tools that will intercept any incoming HTTPS certificate, replace it with your own, the decrypt the traffic. It sounds like a lot but anyone can set this up in about 15 minutes - that's why I said it's trivial.
The user mistake is just clicking "advanced" then "proceed". I know all my family members would do that without questioning.
We had recently hired new programmers, 2 freshgrad and 1 junior. All of them use edge on their personal laptop and I didn't notice extension button anywhere.
While I agree with the sentiment that ultimately we have to have some level of trust somewhere on the stack, there are a few minor differences.
In theory anyway, I pick my ISP. If this was "support for using a VPN" instead of "we're injecting OUR VPN" I would feel a lot better.
I'm aware Im using my ISP. Even someone who doesn't know much about computers knows their traffic is going somewhere. They might not know the repercussions of that, but if this is just transparently on in the background, effectively a keylogger, a user might never know this is happening.
I give my ISP money. Back to the choice option. Some ISPs are bad and are trying to nickel and dime you to maximize profits. Some ISPs are actually good (I'm not swiss so I don't know for sure, but Init7 looks amazing https://www.init7.net/en/support/faq/privatsphaere/). I don't have to question with my ISP "how are they profiting off of me" because I give them money every month. They might be, but they don't intrinsically NEED to be scraping my data. I am not sure how Microsoft benefits from giving me a free VPN unless they are scraping my data.
I can use a VPN to bypass my ISP monitoring if they do monitor. I have no idea how Microsoft's stuff is set up here. If the end result is that it gets routed through their VPN after my VPN, or instead of my VPN, or even through their stuff at all, but with stamped metadata, then there's not necessarily a great way to get around it other than "don't use Edge"
In general, yes, your ISP isn't your friend. But an ISP is something I asked for, have a use for, and need. A Microsoft stealth VPN is none of those things.
This was also how I could justify being more trusting of Apple. They didn't need all my data because that was paid for up front. The ongoing services that needed to make money I used were also paid for. Obviously that's no long quite true with Apple ramping up their ad business, but that attitude is still often the best you can do without a level of effort that I just am not willing to go through.
Maybe a dumb question, but isn't that already a given when using a browser? To me it always seemed a bit absurd to use VPN as it basically just gives another person all your info, but just assumed browsers and the big 5 just got most of the data anyway.
The only thing I can see working is pollution, pollution of our data. There are some current extensions that do some of that, but they are likely not enough and what we really need is a kind stream of data and requests that your own requests are simply merged into.
The thing is that it would need to be smart enough to prevent pattern recognition, e.g., it cannot just be random data because your specific searches and string of searches or actions will stand out quite obviously.
Yes, it would place a severe tax on the internet and a few things could be done to minimize that, but I currently do not see any other better option.
I could see it implemented where your activities online are merged with and threaded into those of related or similar communities, e.g., be it family and friends, the YC community, or a combination of different groups. The effect would come from the proximity to similar but not exact activities. To use a common example, if your legal free speech activities could make you a target, those online activities are muddled and polluted by being merged with other people's legal free speech activities, and your activities would be merged with those of others.
Consider it a kind of mutual compromise of society in order to provide protection/obfuscation in numbers ... the zebra in a herd, if you will. They can't arrest/target everyone if everyone has activity data that looks like they defy the ruling powers.
> The only thing I can see working is pollution, pollution of our data.
this is a terrible and dangerous idea. Nobody cares about the accuracy of the data they collect on you. Stuffing your dossier with random things won't cause anyone to throw it away just because there might be errors in it. Instead all of that data, random/accurate or not, will be used against you all the same.
Your clever browser extension might have been responsible for browsing to a bunch of fast food websites, but your health insurance provider won't care. They'll just see that in your internet history and quietly raise your health insurance premiums anyway.
If your legal free speech activities make you a target, adding more free speech activities to your permanent record just means you'll also now be targeted for those activities on top of your own.
You can't know what will prejudice someone else against you. You might not be gay, or Muslim, or a heavy drinker, or an Andrew Yang supporter, but your browser extension pulls in the wrong data that gets you flagged as being one and it could cost you your job, get you denied housing, etc.
You might not be looking into getting an abortion, but anti-abortion activists who buy up the data of anyone who appears to be trying to get one, or looking for support after getting one, will still see you listed and you will still get harassed by them or dragged into a texas court room.
You might not be rich, but data brokers and consumer reputation services will see that you've been interested in expensive vacation spots and online stores will start charging you more than your neighbors for the same items on the assumption that you are.
If you want to try to hide in the crowd look into a VPN or TOR (although be aware device/browser fingerprinting can still get your traffic associated with you). Just please understand that giving others more ammo to use against you isn't helping yourself or anyone else. Adding more and more data to your internet history just increases your risks substantially because no matter if you deserve it or not your life will be impacted in countless ways by the data you surrender and none of that data, "pollution" or genuine, ever goes away.
Yep, a VPN baked into a browser like this is literally Microsoft stealing the network routes from your ISP, who is probably too embarrassed to complain that what’s happening is they are taking that sweet, sweet data with them. It’s like high-fructose corn syrup for targeted advertising imho. Who’s selling?
While it doesn’t resolve all the issues, the single point to monitor is your internet connection where they have jurisdiction, not some arbitrary VPN provider. Then if they can force the IKE a certain way they decrypt.
I think the other side of this is if you have FBI attention, do you really want to look more suspicious? Whatever fight you try with them you will not win.
It's also a way to front run ISPs in the data market. Then these vendors can sell the data on the data broker market and pocket the cash the ISPs are getting by selling whatever browsing history data they can infer (from DNS and traffic).
I suspect this is the corporate motivation. The increased state surveillance and control is a side effect.
I work for a very large corporation who has decided the default browser will be Edge. Getting another browser installed on your machine takes an act of congress and several upper level approvals.
Does this mean they will also have the ability to collect corporate data from the browser in companies like mine?
they already have this at several points in your network. from ISP to target site. meh.
the reason microsoft is doing that is because google is forcing their hand with Floc implemented in the browser.
you wont be in ads next year unless you can slurp more traffic than the NSA. and only google can do that today, thanks to chrome + android. apple is a close second.
How do you think google competitors will have access to all those user to form the cohorts without having the browser or google analytics code everywhere?
VPNs don’t help privacy at all. They allow you to substitute trust in your ISP for trust in a different entity. For some, that may be good, but for most others it’s a wash.
ISPs generally don't claim to protect your privacy at all [0]. So it would be foolish to trust them to do something they never claimed they would do. VPNs generally do claim they will protect your privacy so at least trusting them makes some amount of sense.
Going from "trusting" an entity that explicitly requires you to consent to spying when you sign up to trusting one which explicitly promises to protect your privacy when you sign up does seem like it would "help privacy" in most cases.
A major difference between your ISP and a VPN is that your ISP is generally an established company based in the same jurisdiction as you are. So, if they do something terrible, in theory at least, they can be brought to court. A non-trivial number of VPNs that claim to protect your privacy, however, are based all around the world with unclear corporate structures. If they do something terrible, you likely have no recourse at all. How much faith you want to put in a promise made by such a company is up to you - but I would push back on the idea that simply making a promise really provides much value by itself.
Why would I trust an entity that often has the legal backing to harvest my data and provide it to the government whenever they "deem" it necessary? The same government that has direct means of control over me? Whether it's the US, China, Germany, I think I'd rather put my chances with some private company that at least has financial and maybe ethical motivations (depending on the company) to protect my privacy. An ISP will only go as far as the law requires to protect it and who knows what backdoor deals are made with governments to subvert those same laws.
There is no realistic/helpful/useful legal process to sue over a breach of privacy. So my ISP being in my jurisdiction doesn't do me any good at all.
ISPs don't emphasize privacy in their marketing, but some large ISPs claim they protect it [0], although their claims are pretty dubious[0][1].
I think your logic holds up, but it's not quite as definitive as you say. VPNs are not the straightforward privacy upgrade that HTTPS is. (I don't think you were trying to imply otherwise.)
I think the picture improves if you choose more carefully. Choosing an established VPN that has a no-log policy and has been audited seems much better, because now multiple companies are putting their reputation on the line. On the other hand, I think a relatively unknown company that's reselling someone else's VPN and hoping to cash in on the "VPN = privacy" is only a slight upgrade over a major ISP.
1. You make DNS request about example.com. Your ISP sees this. Your ISP can see what websites you "might" visit.
2. You connect to 1.2.3.4. Your ISP sees this. Your ISP can see what websites you "did" visit.
3. You request some data and receive some data. Your ISP sees the size of the data. If it's not encrypted, it can also see the content. Your ISP can see (at least) the size of objects that you requested -- which is enough to fingerprint many specific contents.
Okay so not using a VPN gives effectively zero privacy. Let's look at a VPN:
1. You connect to a VPN (and let's assume your connection doesn't "leak" insomuch as now _all_ network traffic goes through the VPN). Your ISP can see this.
2. You make DNS request about example.com. Your VPN sees this and your ISP can see a network packet. Your VPN can see what websites you "might" visit, your ISP can't.
2. You connect to 1.2.3.4. Your VPN sees this. Your VPN can see what websites you "did" visit. Your ISP still sees traffic to the VPN.
3. You request some data and receive some data. Your VPN sees the size of the data, and your ISP only sees the aggregate-size of data across all of your sessions. If it's not encrypted, your VPN can also see the content but your ISP should still only see aggregate size. Your VPN can see (at least) the size of objects that you requested -- which is enough to fingerprint many specific contents. Your ISP will have a tough time fingerprinting content from specific websites.
4. Your ISP can note that you have a high amount of traffic, possibly note that the traffic is going to a known VPN destination, and that your "normal" traffic is now gone.
Now, your VPN can see all the stuff that your ISP used to see. In addition, your ISP can now determine that you might be doing something illegal, suspicious, or at the very least "enterprise grade" and demand more money.
Your isp is legally resident in the country most likely to want to spy on you. There are also very few isps per country, so it's less work for the attacker to cover everyone they care about.
There are vast numbers of vpns, so total coverage is impossible. They are also very likely to be in a different legal jurisdiction so it's non trivial to do.
So, yes, you have, by making yourself a harder target despite having the same amount of centralisation on your part
There's quite a few VPNs who have been asked to keep logs by the authorities but the VPN providers contest it in court, and since their jurisdiction laws don't need them to, the courts side with the VPN providers.
Mullad, OVPN are a couple.
What are your opinions on those?
Not every country has laws like USA/India, which give the government free reign by citing certain Acts.
Adding that in general a country's law (data protection/privacy in this context) usually targets its own citizens; traffic related to foreign citizens (as in the case of VPNs) would for sure have a lower degree of protection.
IDK about simplyinfinity, but here in NZ, the last mile of internet infrastructure (the fibre from homes to the exchange) is owned by regulated companies which must lease access to them at set rates or lower, and mustn't act as ISPs.
As such, we have dozens of ISPs with their own backend infrastructure, all sharing the same last-mile, and most available nation-wide.
That said, they're all going to be buying transit from a big backbone ISP to get overseas connectivity.
VPN and ISP are similar in term of middlemen, but there is an important difference downstream of said middlemen.
With your ISP, you appear on the internet as a residential IP that provides your approximate location and most likely doesn't change very often. The requests you make can be easily correlated by PRISM or any other middleman, or by any CDN running the websites you visit.
With a VPN, your exit IP is unrelated to your geographic location, changes very often, and hopefully it is shared among many more users.
Also you could use double VPN config from different VPN providers in separate geo locations with openDNS thrown in one of them. then it would be much harder to correlate your traffic out of the mix. its not about perfect secrecy its about becoming hard enough target.
GeoIP services are trash. My current IP on most GeoIP services gives a location >900 miles away. My last IP had a location in another country. I don't think I've ever had a GeoIP lookup resolve within 100 miles for any IP I've had.
GeoIP is only necessary when seeing a new IP. But once the IP starts to build a reputation, then the specific location can be determined. It's especially true if you buy something online.
My several datapoints is wildly inconsistent and has never been within several hundred miles.
My office: suburb of Chicago
My home: downtown Atlanta
My friend's house: just outside Phoenix
The McDonald's free WiFi: Chicago
A church's WiFi: Some random location in Arkansas.
I'm in North Texas.
Just a few examples I've remembered since making a point to test while I'm out.
Based on that analysis, I say clearly yes!
Privacy is about choosing who to share with, be it a specific group or no-one. Being able to share with a VPN of my choice (who, if reputable, shouldn't further disseminate my information) is likely a privacy gain compared to being forced to share with my ISP (many of whom would gladly sell my data).
Being able to choose to reveal data to Mullvad over Comcast or Verizon seems like a clear win to me.
Yea i really don't get these people. Frustratingly. Perfect is the enemy of good here. Yes, full privacy is the goal, but i know certain actors are spying on me. If i can bypass them, i can at least attempt to improve it.
At the very least i rob Comcast of my data. Which is my goal, after all. Not full privacy.
> Yes, full privacy is the goal, but i know certain actors are spying on me. If i can bypass them, i can at least attempt to improve it.
The problem is that it doesn’t actually change anything while giving a false sense of security.
Your VPN’s ‘improved’ privacy is just as worthless as the privacy you get with just your ISP. If something requires privacy, neither can be used, and if it doesn’t then why should it matter which one you use ?
Privacy is an on/off thing. Either you have it or you don’t. There is no in-between.
My VPN provider (Mullvad) doesn't have my full name, address, and social security number. They could build a profile off my account number, sure, so I have to trust that they're not. If they actually aren't, fantastic, I win. If they actually are, I still win, because they have less data to build a profile on me from. I know for certain that my ISP is selling my data, so I'm certainly no worse off.
On top of that, I get the benefit of not being tracked everywhere on the web. Or if they are tracking me, they have bogus data. And I can set my exit server to a jurisdiction with more user-friendly privacy laws.
> Also, what better place to tap traffic than the connection of a VPN provider.
Well, per my previous post, my ISP is definitely a better place. Hell, you don't even need to tap them. They'll just sell you the data, along with other PII. (Setting aside Mullvad' multi-hop support, which would require taps in multiple jurisdictions).
I think the point you're trying to make is that this isn't resilient to the NSA monitoring my traffic. I had hoped it was clear from my message that there's another level of privacy I'm concerned with related to intrusive private entities. I'm not expecting the GDPR or similar privacy laws to stop the NSA either, but they serve a useful purpose.
I guess I'm banking on Meta and Google not tapping Mullvad. Or even the RIAA or MPAA, for that matter. Because my ISP will very willingly give those entities data. And as long as unencrypted SNI is the norm, my ISP knows more than I want it to know about my browsing behavior. Not to mention the stuff that isn't HTTPS. Sure, Verizon knows I've established a connection an encrypted tunnel and how much bandwidth I routed through it, but that's a level of metadata I'm not concerned with.
So, yeah, Mullvad could be logging every packet through their tunnel. They could even assemble a profile based on my account and sell it to all the data brokers and advertising networks. They still don't have my SSN. Even if all of that happened, then I'm still no worse a situation than if I didn't use them because my ISP is doing those things. At worst, I'll be out 5€ for the month.
If you don’t trust your ISP, then why not simply switch to another one ? I literally have dozens of ISP’s to choose from at my address. Last time I checked there were 13 ISP’s offering fiber service alone, if you’re willing to settle for DSL or cable there a lot more options. And that is with me living in ‘socialist’ Europe. I can only dream of how many options people in ‘free market’ USA must have.
I have two viable options, ignoring 5G and satellite services. The one I'm on is the lesser of two evils. And I've largely neutralized the primary concern I have with the ISP I'm on.
No... It's a demonstration of adherence the axiom "Don't let perfect be the enemy of good" being misapplied.
The "Good" (VPN) is exactly as imperfect as it's complete abscence. There has been no improvement whatsoever. Literally, as far as Privacy is concerned, nothing short of "No one actor has the capability to sit on a full stream of traffic", will suffice.
Either you're MITM'd or you aren't. Use malicious postmen if it makes it easier.
If you have the same guy come, and all of your mail goes through him, he can reconstruct all conversational state.
Now imagine you get a different malicious postman at random every day. He eacesdrops on every packet, but he's not privy to which of his fellows is scheduled to get the next packet. Therefore, it's not practicable to MITM in any practical way. This all goes out the window when someone controls the malicious postman scheduler, of course, because then they can figure out a map of who to go to to reconstruct your conversation.
The above is the concept behind Tor, and why the only effective counter to it is to run a hell of a lot of entry/exit nodes so you can conceivably time correlate given enough consecutive probe points are hit.
Russia has the ability to drop a nuke in the region you currently live in, so there's no such thing as safety and therefore why do you have locks on your doors?
i find this extremely doubtful. I see the point of your statement, but i'm willing to bet 99% of all the already built nuclear devices wouldn't work today. There's no way that they're all stored in such a way that the delicate mechanisms are protected from the environment and oxidization, moisture ingress, insects, heat and cold expansion and contraction.
That a nation could make a new device is arguable, that a nation could make a device that could be delivered without flying planes over another country is less arguable. Even nukes as they stand would only pose significant threats to certain parts of a country (there was a map floating around the web a few days back of areas of the US most susceptible to the - pardon the pun - fallout from a tactical strike.)
As others have mentioned you gained privacy from your government that has easy access to whatever information your ISP has but not towards a VPN provider.
But the information you leak towards your ISP or VPN isn't the only variable. With a VPN you leak less information to the services you interact with (e.g. your IP is hidden) which undoubtedly increases privacy.
> Now, your VPN can see all the stuff that your ISP used to see.
> Have you really gained more privacy?
Absolutely, 100%, unambiguously, yes; my ISP openly says that they monetize my data, my VPN says they don't. I'm very happy to gamble that the VPN is telling the truth when faced with the expectation that the ISP is telling the truth.
VPNs entire business revolves around not giving up your data, that's why you pay them. ISP business revolves around protecting their monopoly which means making the government happy. Massively different incentives which means they will act differently. If VPN leaks data and people find out they're done. If ISP does nothing changes for them.
The amount of loss of privacy you incur when some particular item of personal information about you is revealed to another party often depends on how much other information that party has about you.
If the ISP is legally protected from any inquiry or transparency into what they do with the data and is systematically incompetent about protecting it and the vpn exists in a country with good privacy laws, then yeah.
Of course they do? They are a tool that routes traffic through a third party. That can be anywhere from terrible to fantastic for privacy, with everything in between. There's nothing "of course" about it.
They just replace your ISP with a VPN company. Which is the two is more shady is something you have to figure out, keeping in mind that a subsection of the internet just stops working or turns the aggressiveness of their anti-bot protections up to the maximum on a VPN.
I would reverse that assertion under the one condition that you don't use a VPN provider from your own country. In Australia at least, ISPs are legally required to maintain logs of everything you access for several years. By choosing to trust a VPN provider outside of Australia, you defacto have better privacy than you otherwise would have.
https://www.ivpn.net/ see "Do you really need a VPN?" - not affiliated with them, but tell me any other VPN-service that is actually this upfront... most are marketing the hell out of their apparent magic effects...
since we're on the topic: how is it still a thing that vpn services are actively pitching content-block/copyright circumvention? Seems weird to pitch something as shady this loud and publicly? Reminds me of how weird I find it that trackers and illegal hosting sites have twitter accounts...
I'd say they're still a net win, generally. The ISP vs VPN service tracking who does cancel out (if you ignore privacy claims of VPN providers, vs ISPs generally not guaranteeing that at all), but for every other service I might consume, when I'm on VPN I'm no longer connecting from a unique IP that can have other identifying information tagged to it.
To add to that: in Sweden (which is generally pretty ok in regards to privacy and rights) ISPs are required to store traffic for 6 months, while VPN providers are not.
They also expose your data to the VPN operator. That's a negative on privacy. Whether it's a net negative or positive depends on the VPN operator and ISP involved.
In Germany (according to TTDSG) an ISP does not have to claim that. They need explicit permission to track you. It is pretty much as the post does not have to claim that they open your envelopes.
I think the only good reasons to use VPNs are for torrenting and accessing movies only available in other countries. For any privacy reasons its best to use Tor.
I believe it is harder for my government to get my data from a foreign VPN service than from my local oligopoly ISP that is already effectively an arm of the government.
Modern TLS is enough to prevent others from eavesdropping everything except domain names when on public WiFi. Domain names are sent in clear text if your client supports SNI.
ESNI is not implemented yet on any website. And there is no software support except beta versions of Chrome/Edge and you have to manually toggle flags in dev mode.
All SNIs are passed as plain text to your ISP/VPN, even with DoH/TLS secure DNS enabled.
It might be cheaper but still not free. Cost of electricity + time to maintain + Raspberry Pi itself. Not to mention that you don't get the variety of servers (for geo-location or more diverse networks not tracked to you by websites themselves).
Well the Raspberry Pi is already on 24/7 running a few other services for my home network. But even then, the energy consumption per month costs pennies. I update the device once a quarter and it takes me 5 minutes. These costs are so negligible as to have no impact on my decision making process.
Why would you? Nobody can connect to it without your private key. Or is there something I am not aware of? Genuine question, as I am running wireguard in a few places and thought it was secure by default.
If it was good for you, Microsoft would the the one announcing it. Loudly and repeatedly. They would do it even if it was harmful, but there existed some artificial narrative where it sounds good.
You are hearing it from a third party exactly because they couldn't construct any explanation minimally realistic that sounded good.
They haven't announced it yet because it hasn't been released. Reading the article, it does sound pretty decent.
Partnership with cloudflare, selectively enables when you are connected to untrusted networks like public wifi.
Pretty much the only downside is that they turn it on by default... which is always tricky when most of your target audience is not computer savvy in the least.
How to give people security features that they have to figure out themselves when they can barely open the browser .. a dilemma for the ages.
Windows is an appliance (an interface) for amazon shopping and watching netflix.
The MS telemetry has proven that 99.999% of consumers do not tweak default settings or dig under the hood.
The 1-2 million now former "windows power users" are just too small population to be economically feasible to deal with.
For MS it does not matter to lose those few to other tweakable OSs.
Instead MS's product department is dreaming of scooping the remaining billions of cash-laden consumers. Presumably this is what the telemetry tells them.
Cash is good, consuming is good, keeps the economy running, making shareholders happy.
When trying to ascertain the intents of large organizations, I find it useful to examine previous actions. In the case of Microsoft, their willingness/intent to add ads and telemetry (including keylogging) into their OS seem to indicate they are doing this for serving ads better to their larger (paying) customers.
If you're not paying for the (specific) service, you are the product.
I mean, if you have an attitude that anything an organization does must be for an ulterior motive, you're always going to get what you are looking for. Heck, people too for that matter. Maybe my dog just pretends to love me to get food.
But in this case, Microsoft is looking for any competitive advantage against Google. They won't win on targeting, and they still make more money selling software than ads. So this does seem like an easy win for them.
> if you have an attitude that anything an organization does must be for an ulterior motive …
Well in the case where they are spending a lot of money to implement and operate a feature that nobody asked for and which has obvious privacy downsides, it does seem worthwhile to examine their motives. It’s not like we’re responding to the announcement for the next model of the Microsoft ergonomic keyboard with “hmmm, what are they up to?”
What is the obvious privacy downside of selectively enabling a Cloudflare VPN when browsing on public Wifi or unsecured sites (which is when it enables)? That Cloudflare can see what sites you visit?
On public Wifi and unsecured sites, anyone could potentially see and modify the data anyway.
The privacy issue is obvious. If my browser is funneling all of its traffic through a specific VPN instead of letting my system handle it, I have to wonder whether that choice was based on the VPN operator wanting to see my data or cooperating with someone who does.
This is like finding out Microsoft decided all internet traffic on windows should be proxied through their servers. Could there be a benefit? Yes. Does it raise serious questions? Most definitely.
> If my browser is funneling all of its traffic through a specific VPN instead of letting my system handle it
It's not. According to the article, it only funnels insecure traffic through the Cloudflare VPN (eg, to a site with an invalid certificate). And this doesn't prevent you from using your own VPN as well.
If you're connecting to a site over HTTP, and the packet takes 10 hops to get there, that's 10 machines that can see who you're connecting to and what data you're sending. Including, in all likelihood, a major CDN like Cloudflare. Also including anyone on the same public Wifi network. This data was never kept private to begin with.
If you're connecting over HTTPS with a valid certificate, the VPN isn't used. Even if it were though, they couldn't see your data. It's encrypted.
Check out the book “Hard Drive” about the early days of Microsoft, and you will never be able to see anything that corporate does without suspicion, and for a good reason.
Probably because Facebook already tried the free VPN and it was every bit the privacy nightmare you'd expect it to be. Given Microsoft's track record, there's no reason to expect that to be any different.
I am 100% with you in general, but this feels more like the Windows Defender launch than some fully cynical power grab. That is to say - Microsoft gets a lot of grief and work from windows installs getting taken over / viruses / etc. For users who don't pick up their own protection (and don't choose to turn off the default windows protection) this feels like a better default. I don't trust Microsoft, but you are already exposed to their manipulations when you are using their OS - and this will help protect you from other manipulations.
This is where Apple's implementation, where the info is split between them and a third party with neither of them able to read the traffic on their own is so smart. Especially since there are multiple counter-parties to Apple. It also negates the risk of an MITM attack. Yes of course they could collaborate with a counter-party to break the system, but it seems significantly less likely to happen, and if it was happening it would be significantly more likely to come to light.
I mean nobody is forcing you to use Edge or Chrome, there are better alternatives like Vivaldi or if you really want to take it to extreme Ungoogled Chromium. But I agree with your sentiment, although it just means you should probably move to open source and obscure options.
Also:
> Brave, Mozilla, and Vivadi have said they intend to continue supporting Manifest v2 extensions for an indeterminate amount of time.
The motivation is to keep up with Apple who themselves are trying to distinguish themselves from Google. Doesn’t need to be sinister. If your primary business model doesn’t depend on tracking people to sell ads, and you’re competing with someone else whose does, then leaning in to making the use of your software/hardware more private makes sense.
I noticed today I can't find the Chrome flag (v105) to enable its reader mode. It's like they just nuked it since it made articles actually readable. It's not a huge deal, but I liked not having to launch another service like Pocket.
Exactly.. I would take it from Firefox if they offered something like iCloud Private Relay.
But the thing they offer from Mullvad is no better than a traditional VPN (because it is a traditional VPN). And even more limited because it only works in the browser.
And indeed the circumvention of Pihole is a big problem.
If you have never worked at a large tech company like Microsoft, you'll probably have a bad feeling because there's a lot you don't know about the business process of shipping features like this. It's reasonable to be cynical and confused if you have never seen it from the other side.
For the most part, product features like this are shipped for boring and completely non-nefarious reasons. It's just hard to believe that if you've never worked on one.
> the VPN will automatically connect when you’re using public Wi-Fi or browsing unsecured networks and sites lacking a valid HTTP certificate.
OK, that's actually a pretty decent idea. It's not going to be always-on, but it's providing security specifically for things like coffeeshops/libraries and for sites that don't provide their own security. In other words, it's "backup security", not rerouting all of your "normal" secure traffic at work/home.
This mainly protects sites you visit from having JavaScript injected into them by networks when there aren't any other protections, and the VPN is run by Cloudflare so it will be performant, so I don't really see any problems here? Seems like a positive development actually.
Although you would commonly find a long list of AWS or similar IP addresses which wouldn't be very useful, unless you simultaneously crawl tens of thousands of possible sites (from the same source IP range) to map IPs to sites.
By this definition, any DNS server is basically a proxy (assuming you are not hitting an authoritative name server for the domain you are trying to access).
> This mainly protects sites you visit from having JavaScript injected into them by networks when there aren't any other protections, and the VPN is run by Cloudflare so it will be performant, so I don't really see any problems here? Seems like a positive development actually.
How does this protect from having JavaScript injected? Why couldn't the VPN do that?
It's a question of how many entities you have to trust. There are many thousands of public networks around the world and millions of people using ISPs which tamper with traffic (especially on mobile networks). With the VPN, you only have to trust the VPN provider; without it, you have to review each network you use and its ISP. That doesn't mean that the VPN is automatically trustworthy, of course, but it's a single entity.
Note that you still have to trust the server's ISP and any intermediate ISP routing traffic from the VPN exit node to the server, if you're accessing a server over an insecure protocol.
Of course, but almost all of the tampering has happened on the client end historically, especially since this VPN is backed by Cloudflare who have widely distributed nodes. It’s still much better to deploy TLS everywhere but this shuts down most of the non-NSA attacks.
The question is whether your basket is made of chains (one bad link), cables (many bundled wires), how many baskets there are, how many eggs in each, and how effective and trustworthy the guards are.
Simply shrieking "SPOF!!! SPOF!!!" lacks naunce after a while.
I've concerns with proposals such as this similar to what others are voicing on this thread. But if one considers the proposal in light of the present status quo for the typical person, then it's probably a net improvement.
I agree, and it's hard for me to trust the VPN more than my own ISP. Like yeah, someone else on this public coffee shop wifi network can waste a whole day finding a couple of random victims. Does that actually happen, idk. Have huge, reputable VPNs been hacked before, yes, and there's much greater incentive there. Either way I won't know, so it feels like they're selling snake oil.
"Microsoft" and "security" also don't go together in my head.
coffee shop hacking is usually done in an automated, at-scale fashion, often with a remote device that doesn't require an operator to be present or paying attention.
It uses lowest common denominator tactics. This VPN strategy is precisely for the lowest common denominator.
I don't understand how something can feel like snake oil when you haven't researched your own questions. I can sow doubt on anything; is it always justified?
It's reducing the number of parties you have to trust from 'every hop along the path from the public wifi operator to the host' to 'cloudflare', and many site operators already trust cloudflare not to MITM them.
How hard it would be silently push an update to redirect all google traffic through VPN. We have already seen them trying to get google search query and results. And why stop at Google basically they can do any website they want.
The only way they can do that is at the client level, not the network level. Whether it's running over a VPN or not, your traffic to Google is TLS, so you have an excellent guarantee that it's impossible to snoop on the contents of your HTTP requests at the network level.
However, you are using a Microsoft client and/or a Microsoft OS to do this - and of course, if they want to, Edge or even Windows itself can report on the input and output of any operation you make, regardless of any network security. Similarly, WhatsApp or Signal or iMessage or Android/iOS could send a copy of the plain text of any messages you send or receive to home base despite them being E2E encrypted on the wire. You always have to trust the device and client software you are using to access the internet.
So, if you personally don't trust Microsoft not to snoop on your traffic with Google, using Edge or Windows is completely wrong.
> your traffic to Google is TLS, so you have an excellent guarantee that it's impossible to snoop on the contents of your HTTP requests at the network level.
It’s definitely not impossible, MITM attacks work for TLS and this is exactly how cloudflare work (it MITMs TLS sites by terminating the tunnel and recreating.). TLS is only secure if you have pinned certs.
MITM for TLS only works if you have the cooperation of the server owner (like Cloudflare does, or illegally be stealing the server owner private keys) or a malicious CA, or if you ignore the security errors that the browser offers.
Otherwise, TLS is completely impervious to MITM attacks as a protocol.
Of course, various implementations of TLS may also have exploitable vulnerabilities.
I’m not sure even how to respond to this. If a protocol is weak due to a flaw, like being susceptible to MITM attacks, then yes it is a problem with the protocol.
This is exactly my point. People are desperate for there to be no flaws in TLS, so much so they ignore MITM attacks.
From the article, this is powered by a partnership with Cloudflare. It's worth noting that until August 6 of this year, Cloudflare's WARP VPN would leak your IP address - but only to sites using the Cloudflare network.
Microsoft's initial announcement for the feature touted that IP addresses would be masked, and one imagines that they did their diligence with Cloudflare and are enforcing the strong practices that WARP has now rolled out more broadly.
But it's worth noting that you're routing through a company to whom the words "still private" encompassed leaking client IP address information to Cloudflare's hosting customers as recently as two months ago.
Warp/1.1.1.1[0] is a product, not a VPN, despite the fact that it tunnels your traffic. Even after the IP address change, the current documentation and promotions for Warp do not call it a VPN. It was never meant to keep your IP hidden from the websites you visit.
"Technically, WARP is a VPN.... We built WARP because we’ve had those conversations with our loved ones too and they’ve not gone well. So we knew that we had to start with turning the weaknesses of other VPN solutions into strengths. Under the covers, WARP acts as a VPN. But now in the 1.1.1.1 App, if users decide to enable WARP, instead of just DNS queries being secured and optimized, all Internet traffic is secured and optimized. In other words, WARP is the VPN for people who don't know what V.P.N. stands for."
I don't think this holds much weight given the regular users of this product are likely referred to https://1.1.1.1 and are unlikely to read through all of this 3000 word blog post with tech jargon. However, indeed, many people might've heard about it from other blog posts saying it's a VPN or word-of-mouth from more technical users also calling it a VPN - but it's obvious Cloudflare made a concerted effort not to use that term.
I think it holds weight when I’m staring at a Cloudflare blog URL that explicitly says “Warp better VPN.” I don’t doubt that this has been scrubbed from current documentation, but this is fair evidence for the above comment’s claim that CF has advertised it as a VPN.
I don’t have a dog in this fight, but it was especially odd in this context to claim that this misconception was entirely driven from outside of Cloudflare when the URL is sitting right there.
I remember seeing this blog post and the updated docs suggest they no longer reveal your IP but enable WARP and visit https://www.whatismyip-address.com (uses Cloudflare) and you’ll see your actual IP.
As a generally happy Cloudflare customer, a Cloudflare VPN makes me deeply uneasy. (Yes, I know Warp has been around for a while.) Using it means Cloudflare owns a huge chunk of your Internet traffic end to end and decrypted, a uniquely powerful position to be in. And this is going to be default on in Edge according to TFA, even though it’s only applied to plain HTTP sites by default at the moment.
People are fools if think there isn't a Room 641A in Cloudflare, except it's a lot better since web service operators willingly handed over all their private keys and therefore user data.
While I agree that it is concerning, WARP doesn't decrypt your traffic unless you sign in to ZeroTrust, enable it in your dashboard and install their CA.
Not much you can do about them having decrypted traffic for sites that use them.
When you don’t use a VPN, at least your traffic to Cloudflare doesn’t carry a unique ID of yours. Effort is required to correlate your traffic, especially if you are CGNAT’ed and share an IP with others, or have a dynamic IP that changes frequently.
Https is among the most broken ideas in the history of CS. I remember the first time I really learned about it and I went like it can't be this stupid.
Most Internet traffic today between A and B is decrypted by C because of this.
Https is a wrapper around http. The result is that any service that needs any http information can decrypt all https traffic. So on the web, passwords, apikeys, personal information and so is in general decrypted by a third party, Fastly, Akamai, Cloudflare and so on.
That is entirely untrue. HTTPS is just HTTP encrypted with TLS. The only parties that can decrypt the traffic are the people with the session keys: you and the website you’re visiting.
Not sure how this is a problem with HTTPS, then. It’s like complaining that AES encryption is broken because you have away your keys to a bunch of people.
You’re glossing over that these third parties C are contracted trusted parties of entity B and thus for B’s purposes are considered part of B.
HTTPS and transport security isn’t a broken idea.
Standardized content security has been tried in many contexts and has typically been even less secure unless it’s for long lived opaque media, like S/MIME for emails. Structured data like XML security has been abysmal.
While I would never use a VPN service fronted by a data thieving company, I really hope that VPN usage goes more mainstream so that companies can't have "no access from VPN" as a security strategy.
Ally bank recently did this and many others have intermittent issues due to flagging, etc.
Security teams don't block certain VPN traffic for fun.When a certain IP block has been running credential stuffing attacks all month long, It's very reasonable to see any request from said block with a lot of suspicion. In many cases, 99.9% of login attempts from certain IP blocks are just fraudulent, and there might be more requests from one of said blocks than legitimate requests from the rest of the world combined.
Completely blocking a VPN is often too blunt an instrument, but even the best alternatives are unfriendly to legitimate traffic. The most user-friendly thing you can do is to rely on bonus security controls, like asking for two factor authentication for everything. No, you will not be able to log into anything from a new device, even, without the two factor. A very understandable tradeoff for a bank, but we'll end up seeing that for any account protecting anything of relatively low value.
If your second factor is tied to, say, a phone, it's not going to be fun to wait to replace it if it's lost. But in a world where most traffic is coming from a VPN, there aren't many good alternatives.
Is Cloudflare known as a data thieving company? I didn't have that association with them yet. They're not really in the data selling business, are they?
I said "a VPN service fronted by a data thieving company" and I misspoke - I should have said "backed" instead of "fronted."
AFAIK Cloudflare isn't a data thief (yet). If (when) they decide to be, they will have access to quite a lot at the rate they are going. At this point, how can we trust that any public company won't eventually monetize user data?
Oh stop, already. Cloudflare isn't in the "business of selling insights". They make their money from enterprise sales of their various network products.
They're in the business of competing with AWS and are pretty damn good at it, too.
When did the world start trusting any company with a VPN more than their ISP? I still find the privacy pitch to be flakey at best, where at least I can choose who’s aware of my traffic, but getting past geo-blocks really seems to be the most obvious consumer value, which this Cloudflare vpn lacks.
My ISP actively lobbied to be able to harvest (steal) my data. Who do I trust more: the guy who says that they aren't selling my data, or the guy who corrupted my government so that they can actively sell me out (not to mention their monopoly)?
Sure, the first guy could be a liar, but I know that the second guy is a thief.
I don't care about geo-blocking - my only threat model is to keep a scumbag ISP at bay.
Edit: I should add that keeping sites I browse from knowing my IP is also part of my threat model.
Seing how many webstes' TLS is terminated by Cloudflare, you shouldn't state that they don't have your credit card info with such conviction unless you never used it online.
ISP injecting content into your connection is a known story (google "ISP injecting ads" for many results).
For better or worse Microsoft (or other corps) have not done that in recent memory afaik. They might do equally dodgy stuff in other aspects, but they don't tamper with the integrity of your connection (they might sniff it a bit).
And often you're paying a nontrivial amount of money to the ISP for the "privilege" of getting injecting ads and tracking injected. This really rubs people the wrong way, justifiably so I think.
I know people that use VPNs 24/7 just for privacy. I would assume there's many more that use them for the reason you described though. Torrents are less useful than ever, piracy is down in general thanks to streaming services and products having moved to SaaS. From what I can tell, the number of people using VPNs merely for privacy alone is growing and a good sign that people feel that strongly about it.
Media piracy is less tempting than in 2006 (before streaming) but more tempting than in 2014 (before competition decreased overall and everyone started siloing content as part of their truce).
Server-side control has been making software piracy less and less viable, video games sorta included. And a lot of mainstream games have found ways to make money without charging to buy the game upfront.
It can go either way. Many ISPs are known to be nasty, but hardly anyone sees the effects of that, so it's hard to tell. I think VPNs market "more security," people mostly blindly buy it, and everyone is happy.
Yeah, to me, a VPN is only a way around geo restrictions.
Edge is a reskinned Chromium browser with Microsoft tracking and telemetry baked in. Just because they have a VPN now, it doesn't make it any more private/secure. Why do people use Edge? If you're any way privacy conscious you wouldn't use Microsoft products.
> Yes, I'm definitely going to audit some giant as hell CPP code base (diffs) every four weeks.
I've had this discussion with other people too, just because you don't want to doesn't mean you can't. So your point of suspecting something nefarious is moot for me until you can back it up.
If I do already use Windows, then I'm already relying on MS
Using Edge doesn't change much, meanwhile using ungoogled Chromium means that I have to trust additional actors
Additionally MS inserting e.g "backdoor" into Edge could cost them a lot of in PR damages meanwhile what if ungoogled chromium inserted some kind of "backdoor"?
I don't even know people who maintain it, so I wouldn't even be able to break their windows or throw eggs at them
> I don't even know people who maintain it, so I wouldn't even be able to break their windows or throw eggs at them
I hear your point on this, it's pretty hard to put your faith in a browser that updates regularly and not just for schema reasons. But you seem okay with Edge..
> Using Edge doesn't change much, meanwhile using ungoogled Chromium means that I have to trust additional actors
This is where I'm confused.
> Additionally MS inserting e.g "backdoor" into Edge could cost them a lot of in PR damages
I'm not an M$ hater, they've been incredible. dotNet core is a gift. GoPilot is a good use of whatever we're doing here. But why do you think if they could work a 'backdoor' (without leaks from employees) would actually matter. Their fine would be minimal.. See FB
I think we've come full circle. I'm defending your point that Edge might be just another 'Okay' browser.
> Using Edge doesn't change much, meanwhile using ungoogled Chromium means that I have to trust additional actors
Because I'm already on Windows, thus I already trust Microsoft
>I'm not an M$ hater, they've been incredible. dotNet core is a gift. GoPilot is a good use of whatever we're doing here. But why do you think if they could work a 'backdoor' (without leaks from employees) would actually matter. Their fine would be minimal.. See FB
On the other hand take a look at Intel - they had security issues and not even intentional and there was a lot of dmg to their brand due to all those CPU related vulns in last years
> also "ungoogled Chromium" - The process is Chrome is Googled Chromium.
You can download Chromium[0], but people tend to be referring to the project called "Ungoogled Chromium"[1] to remove any calls to Google domains, eg. safe browsing, which are still present in Chromium.
My primary browser is Firefox. I have Edge as my backup browser for sites that don’t work with Firefox, and sometimes for watching stuff. There is no reason for me to install Chrome. (And Microsoft isn’t that bad, even if Edge sometimes does weird things.)
In my case, it is the default browser at my current company. I don't know the reasoning behind it, but we are also forced into Teams. Corporate requirements is my reason.
But for a windows domain environment Edge makes sense.
- Comes builtin, no need to patch browsers separately and worry about outdated Google Chrome installs in a 1000+ computer fleet.
- Integrates with Office 365 that the company already use/pay for.
- Can be managed with policy over Office 365 or Intune
- Has IE Enterprise Mode for the old apps that need IE11
For Teams, the alternative is this:
- Pay for Zoom AND Slack AND Office 365 AND have IT personell manage all 3
- Pay for Gsuite and use... hangouts?
or
- Just pay for Office 365 and get email, fileshare, office suite and chat/fileshare/video tool all in one that works "fine" and can be managed all in admin.microsoft.com (that goes into 500 different portals that all change each month but I digress...)
Oh, and you can use whatever browser, even if its not the default. I use Firefox but Edge is the default one.
There is a good reason why Trident is alive and kicking, people just don't know about it. But it's the reason for more than 98% of exploits, because shitty software of Microsoft still uses Trident to render MSHTML based documents (office etc).
The same will be true for a traffic-observing webview2, for decades to come. And it will never be removed again, because of Microsoft's development philosophy.
It seems that both had alleged collaborations with PRISM. The main difference I see between the two wiki articles, is that people complain about Microsoft's telemetry but not Apple's (even though they do have a lot of telemetry [1]).
In general it feels like Apple has won the trust of the public, partially through good products, partially through good marketing.
Windows 10 is a privacy disaster compared to previous versions of Windows. They track every single app and website you open, what files you have on your PC, and much more.
I run a free browser game where you can start playing immediately, no registration required. The game has a big sandbox element where you can build and paint on the world map.
Naturally I've attracted trolls doing everything in their power to grief and ruin it for other players. This has lead me to reluctantly implement moderation tools such as IP bans and proxy detection.
I'm currently using a couple of services where I can supply an IP and get a risk score back but I'm worried about false positives. I'm afraid this initiative, while great for privacy, will make my defense measures futile.
What should I do? I just want to run a game with as few intrusive barriers as possible. I have no interest in collecting any private data from users whatsoever.
You have to have intrusive barriers. This is true in real life and it is true online.
The world is not a graffiti free-for-all because there are barriers: the government (police) is able to apprehend individuals, link that physical individual to an identity (which it issued at birth), and effectively implement consequences to that identity/individual.
If you want your site to not be a graffiti free-for-all, you will need a durable way to identify actual people. Twitter, for example, essentially requires a phone number to use their site. Phone numbers are fairly difficult to get anonymously. Therefore, Twitter has a useful link between their users and a physical individual. Other services use other things.
The government should implement cryptographic certificate based identities to citizens. Ideally there would be a way to "sign" something that says you are a real citizen without revealing which citizen you are, but is durably unique (subsequent signings identify you as the same citizen).
Facebook, Google, etc. are effectively filling this function right now but they leave much to be desired.
> Ideally there would be a way to "sign" something that says you are a real citizen without revealing which citizen you are, but is durably unique (subsequent signings identify you as the same citizen).
This is a truly interesting and groundbreaking idea that would solve all my problems. Do you know if there are any initiatives like that or is it science-fiction?
How to implement? Also not sure. I am not an expert in this field. "Anonymous credentials" seems like the closest thing maybe. Basically you need to somehow prove you have a valid signed certificate without disclosing the public key.
Since you seem open to putting up barriers...in the process of looking into this I discovered Idena and checked it out a little. You could required verified Idena something or other, just as an example. I'm sure there are scores of these types of things being built, most or all of which will fail to gain traction.
I don't know if a government would use it, but 4chan has tripcodes that can uniquely identify an anonymous user across multiple posts without the user ever needing to create a permanent identity.
You will just have a bunch of random false positives that get blocked and never come back. Even before VPN a lot of ISPs gave you dynamic IP that changed anywhere from every few weeks to daily, to each reconnect. Same with any public access point
Same with carrier grade NAT, IP stopped being good way to block things long time ago. About the only use is "this IP is DoSing me now, block it for few hours".
There are few other methods, all of them intrusive on privacy. Generating fingerprint of browser and blocking based on that might work for the clueless users but dedicated ones will go around it. Making using one of the popular SSO logins is one option (at least banning-wise) but that's a lot of work
Yeah, I thought I could pull that off but in the end I was naive thinking I could solve it with mechanics. The idea was that I would never need to ban anyone, ever. However, even with thousands of players playing the game as intended just one troll can wreck havoc by creating hundreds of accounts through proxies.
I have implemented measures where you can't chat until you've finished the tutorial, 5 minutes decay on stuff built/painted outside plots and upkeep on claimed plots but it's not enough. The trolls are extremely dedicated and devote their life to ruining my game.
Everybody is suspicious of Microsoft's motives but I think in this, you gotta consider how many windows systems are out there used by security novices.
Lots of people are computer savvy but want to use a computer to do something else not under the umbrella of hobbyist sysadmin work.
I don't see the downside here, again, considering the multi-millions average users Windows/Edge has. If you are savvy enough to roll your own VPN using algo from Trail of Bits, then do that. If you are able to weigh the pros and cons of VPNs from having one or not, or which one to use, you are ahead of 99.99% of the people this will help.
I don't like this. When I add a URL to the address bar I want TCP/IP traffic to be directed to only the remote address I requested, and not have traffic relayed through some third party.
Sorry I misspoke I know that routing traffic isn't a direct peer to peer connection but that's different from ALL traffic going through one company.
I'm not an expert on internet routing but it seems to me a bit disconcerting how much of web traffic is already routed through cloudflare servers. This centralization scares me.
Besides the point, 18 hops to get to HN via my colo server in London, UK; what is cogentco doing with the excessive routing?
1 24 ms 24 ms 25 ms 10.0.0.1
2 32 ms 25 ms 24 ms x.x.x.x
3 28 ms 28 ms 27 ms core-router-b-nlc.netwise.co.uk [185.17.175.246]
4 29 ms 25 ms 25 ms core-router-hex.netwise.co.uk [185.17.175.240]
5 29 ms 25 ms 26 ms te0-7-0-17.505.rcr21.b015534-1.lon01.atlas.cogentco.com [216.168.64.16]
6 27 ms 25 ms 25 ms be2186.ccr22.lon01.atlas.cogentco.com [154.54.61.70]
7 27 ms 25 ms 28 ms be2870.ccr41.lon13.atlas.cogentco.com [154.54.58.173]
8 94 ms 93 ms 94 ms be2317.ccr41.jfk02.atlas.cogentco.com [154.54.30.185]
9 103 ms 100 ms 100 ms be2806.ccr41.dca01.atlas.cogentco.com [154.54.40.106]
10 118 ms 117 ms 117 ms be2112.ccr41.atl01.atlas.cogentco.com [154.54.7.158]
11 130 ms 130 ms 134 ms be2687.ccr41.iah01.atlas.cogentco.com [154.54.28.70]
12 147 ms 146 ms 181 ms be2927.ccr21.elp01.atlas.cogentco.com [154.54.29.222]
13 155 ms 155 ms 156 ms be2930.ccr32.phx01.atlas.cogentco.com [154.54.42.77]
14 172 ms 348 ms 192 ms be2941.rcr52.san01.atlas.cogentco.com [154.54.41.33]
15 198 ms 202 ms 205 ms te0-0-2-0.rcr12.san03.atlas.cogentco.com [154.54.82.70]
16 209 ms 165 ms 165 ms te0-0-2-3.nr11.b006590-1.san03.atlas.cogentco.com [154.24.18.194]
17 166 ms 171 ms 203 ms 38.96.10.250
18 165 ms 162 ms 162 ms news.ycombinator.com [209.216.230.240]
Is that excessive? It looks like it's taking the most direct route it can. First goes west to NY, then goes south to DC, south again to Atlanta, and then makes a series of westward hops to Houston, El Paso, Phoenix, and San Diego. And I'm guessing the hops within London and San Diego would be something like a router for local traffic, a router for regional traffic, and a router for international/interstate traffic.
but hops from 9 to 30 are "blank" like this:
30 * * *
the last non-blank hop is this:
8 M5-HOSTING.bar1.SanDiego1.Level3.net (4.16.110.170) 69.921 ms GIGLINX-INC.bar1.SanDiego1.Level3.net (4.16.105.98) 60.600 ms M5-HOSTING.bar1.SanDiego1.Level3.net (4.16.110.170) 69.882 ms
Seriously, I can't grok why people here don't use it more often. Web is 100% usable, what doesn't work in it doesn't work in latest chrome neither. Web development is fine too, just different, not worse. But whatever, use chrome for dev work if you love it, and Firefox for everything else, especially Internet proper (plus you get another full testing browser, not just spoofing user-agent)
Its a great product, and ublock origin make it by far the best on the market for internet not only for me, across any devices ever made, period.
I don’t think Adguard, the Russian tech company registered in cyprus, but with mostly Russian employees living in Russia has our best interests at heart.
In India, it is illegal to operate an open unauthenticated wifi. All public Internet access requires a secure auth and you have to present a government ID to the operator to get access. (This applies to getting a mobile SIM card or landline Internet at home as well). This is to deter anonymous illicit activity being conducted from from public Internet locations (like cafes, bus/train/airport stations etc.) Also, same real identity requirement is now applied to VPN operators. Additionally, they have to collect and retain traffic logs, and cooperate with government cybercrime investigations.
Obviously there are potential loopholes – apparently a lot of VPN services are planning to continue operating services with Indian residents with servers not physically hosted in India without logs.
Apple with its Private Relay and now Microsoft with Edge Browser VPN – don't provide VPN with exit nodes hosted in foreign jurisdictions. I'm curious to know if they will cooperate with requirements to collect/retain logs as well.
Microsoft: "Sorry $site_owner, We (some unaccountable ML model) detected that you have violated some rule (we will not tell you which) and as a result, your website can no longer be accessed.
This decision is final and permanent."
There are other ways to protect user privacy without conveniently putting yourself in charge. They pulled the same move with UEFI and secure boot
I think this is the real reason for the "VPN in a browser" trend. It's about getting exclusive access to browsing data.
Imagine Facebook data collection, but without being able to ignore it. That's where we're headed. Watch for Google to release a "security" product that does something similar.
IMO Apple, Microsoft, and (eventually) Google are going to use their platform dominance to usurp Facebook's ad business. That's why Facebook is making a big bet on VR. It's not that they see VR as a naturally popular platform. It's simply one of the last platforms that could be popular (for the near future), isn't already dominated by a major player, and has network effects that make it a critical mass platform similar to how Facebook works. If they can buy their way in, they own the whole market.
This kind of thing should get these companies obliterated by regulators. It's shameless, blatant, anti-competitive behavior where they're using their dominance in one market to gain an extremely unfair advantage in another.
The goal is to move the entire ad market away from the open web and into closed platforms like OSes and browsers.
VPNs can destroy net neutrality. The internet can be reduced to a dumb pipe that gives everyone equal bandwidth, which is used to operate VPNs, inside of which entirely private rules apply that are inscrutable from the outside.
I think this is mainly an form of advertisement move to compel more users to use edge/not switch away from it. Reason: By now many non-technical people think a VPN is necessary (or at least recommendable) for "safety". Through how a VPN actually helps/works most non-technical people do not understand at all. For Microsoft providing a VPN which by default is only enabled on public WiFi and similar isn't too expensive.
They also need to compete with Apples Privacy Relay feature.
So putting bias aside it seems a good thing.
But there are some gotchas:
1. a VPN is not per-se privacy protecting, it is only that if the VPN provider legally binding agrees to not sell out the users data.
2. a major browser which tries to force itself on all windows users providing a VPN for free hurt the VPN market due to the unfair competitive advantage this VPN has.
3. It could normalize for many people that VPNs do not necessary have a feature to avoid geo-blocking => make it easier for legislation targeting such features to pass
4. also more centralization for cloudflair
Through if you ignore all this from a pure "common peoples security" perspective (i.e. not state actor attacks) this is an neat improvement. There are still to many things which allow attacks due to not using HTTPS and for non state-level attackers the best attack vector are public hotspots and similar where this VPN automatically is enabled. E.g. common security problem is HTTP(not s) redirect links in e.g. mails, which an attacker could trivially rewrite to point you to their site which automatically proxies the site you originally wanted to go to. Worst offender I saw was a FIN-tec site using emailing http(not s) redirect links containing the auth token for the initial account setup...
Some users might want this feature, which gets them more users. I think outside HN most users would appreciate a free VPN for when they're on public Wi-Fi.
Microsoft obviously benefits from the ability to collect more tracking signals. Even over HTTPS they will have many traffic signals to use for ads targeting.
Just be mindful of any feature and who it benefits. These companies aren't charities.
> "...it lacks one important feature users seek in a virtual private network: an ability to bypass geo-block. In the case of Edge’s VPN, you won’t be able to choose any server location..."
The trend towards 0-configuration VPNs though make it totally compelling to just port your traffic home. I'm not trying to be a fan-boi, but I want ALL my traffic off the network of snoop. I'm just going to go out there and say Ubuiti and Teleport with WifiMan on phone/tablets/computers and 0 config bar codes, I mean its ALMOST frictionless for my family to do this setup once its going.
I least try to do this while we travel and are out of network range. How do people feel about this?
Why don't we just call it what it is: "Microsoft redirects all browser traffic through their servers". At first it sounds great but in two years when the start selling the data or start injecting ads, what will the privacy advocates think then? How long until Microsoft decides they don't like your site, so they're going to block it? Yet another move towards centralization of the internet, NO THANKS.
Lol the traffic is Capped at 1gb. It’s also super obscure. Only in small rollouts to edge canary users. It’s opt in I believe and It can be turned off.
Even MSFT isn’t going to pay the network bill for everyone forever
Split decision if this is a true good faith thing for consumers. Time will tell. I can easily see where it’s a great thing on one hand but also a terrible one too. This is where a company’s integrity comes in.
I remember this being done back when Opera 7 was used. I think it had a feature for mobile OS, where it would route requests to Opera's servers and serve clients a minified, smaller version of the page, so people on 2G at the time could still use the web. I don't remember people being outraged at the time at the prospect of a browser having a baked-in VPN option though.
I remember this as well and thought it was a neat service. One that I would have liked to emulate using my own proxy in order to save bandwidth on my mobile data but never got around to actually doing.
These days with widespread HTTPS, the only way to do this is to bake it into the browser itself.
And of course, this was back when you could trust Opera to do what they said they were (or weren't) doing.
That was Opera Mini, and it's still around (and popular in areas where Internet speed is still measured in Kbps and/or you pay for data per megabyte).
It's not even that it served a minified version, too. It basically did all layout server-side, so the client got something more akin to a PDF of the webpage optimized for its screen size. It also compressed images.
At the time, spyware was not yet a mainstream business model so there was no outrage because respectable, established companies didn't yet become spyware operators. There was still mutual trust back in the day.
> Also, we must be aware of the risks associated with using the built-in VPN services of Microsoft, Apple, and the like. The tools they so generously offer might protect you from being tracked by your Internet Service Provider (ISP),
It seems using a VPN from your browser vendor does not increase your risk. I don’t think a VPN would have any information that your browser did not.
Not really: Your browser vendor might push out a malicious update or enable dormant functionality that sends them telemetry on your browsing, or even your entire web traffic, but a VPN definitively does receive all of you traffic (including, at least, the host name of almost all sites you visit).
I can observe who my browser/OS talk to (beyond the sites I already visit) – but what happens inside a VPN provider is impossible to tell.
People generally don’t tolerate browsers that phone home with any and all accessible information. But if you claim to also run a built-in VPN service...
I oftentimes see people using Chrome (not Chromium) while logged into a profile. Are you telling me that either those people are actually a minority, or that Chrome doesn't phone home?
A crazy thing happened to me on a recent trip to Mexico city. I thought my AT&T mobile plan covered Mexico, but after 2 days it stopped working. So I tried to log into my account online with AT&T. It would keep redirecting me to the Mexico AT&T website instead of the US website. The first time I realized I needed a VPN.
If this "VPN" is under the control of an entity collecting information about users wherever it can what's the sense of the service.
"VPN" (in fact the term should be "virtual internet access network") make sense only when it is independent of any entity controlling internet traffic...
I wouldn't care about this VPN if it weren't for the fact that I can't ignore it. There's an option to hide it from the toolbar, but every time I open an incognito window it pops back up again. It's incredibly annoying.
> "However, the VPN will not run while you’re streaming or watching videos — so that you can save up on traffic which is capped at a modest 1 GB per month."
OK? And what happens after that? After you go over your 1 GB cap? You're cut off from the internet?
Edge-VPN is primarily Cloudfare.
Now Cloudfare has potentially even "more" data about users. They don't have an ad platform, yet. What will stop Cloudfare from accumulating and then targeting the users through "Bing-Ads"?
Privacy from our government is becoming illegal. I believe that with widespread adoption of VPN services, at some point in the next few years the government will prohibit ISPs from sending traffic to foreign VPN services - for our protection.
Had to move off of Edge to Brave a few weeks back after sticking it out longer than I should have. I really liked Edge on both Windows and macOS but they keep adding stuff that I don't want to the browser.
The move benefits foreign companies, weakening the domestic industry.
Let’s see how fast EU can move and regulate the traffic access. For instance, demanding that the servers should be accessible only to the local governments.
Pretty cool to see Wireguard, a protocol that is only a few years old, making it so fast into the linux kernel and now into Edge. Literally shipping into billions of devices in such a small amount of time.
There will be times when more people are fed up with all the corporate BS. Duckduckgo, Lineageos, Firefox, Protonmail, ... is all working fine for me. I don't miss any corp tech.
I am not saying that they'd do it but what would prevent Microsoft from 'theoretically' collecting your information themselves and then selling it back to your ISP?
Can someone explain to me how this is different from apple’s privacy relay? Is it because it’s all traffic instead of just some traffic Apple designates as “trackers”?
It's already installed and it works well enough. Plus, if I'm using Windows, I'm already sending a bunch of telemetry to MS, so I don't see a reason to go out of my way to send some to goog, too. Also, I'm not a Netflix customer, but I understand that on PC you need Edge to get high-definition (>=1080p) video. Chrome doesn't work (neither does it work on Mac). So the question becomes: is there a legimate use case for Chrome when Edge is available (and is mostly the same thing)?
I, personally, am quite against using a Google browser (or derivative), but for my gaming PC where I only launch the browser once in a blue moon, I just can't be bothered to download anything else since Edge works. On my work PC I use Firefox, and am quite happy with it.
There are significant changes in Edge compared to Chrome stable and perf and efficiency improvements on Windows (not to mention deeper system integration).
Vivaldi has it, and it's a Chromium-based browser made by people who left Opera after it was sold to the Chinese. Opera had vertical tabs even a decade or so ago, back when it was still using its own Presto engine (they switched to Chromium and seems to have lost this feature).
Just wait. VPNs, under the guise of privacy, will be used to continue mass surveillance operations. Soon you won't be able to access certain sites unless you're using an "official" VPN.
I play video games. Things have actually changed a heck of a lot in the last couple of years and seem to be accelerating thanks to the Steam Deck. 90% of the games I care about now work fine in Linux, sometimes with a little massaging (there are also now many more tools and forum posts to help with this). Modding certain things is occasionally the biggest impediment but that too is getting easier thanks to stuff like https://github.com/frostworx/steamtinkerlaunch , which if you use the Flatpak Steam can be installed via the app installer right alongside it.
You're describing a worse user experience than gaming on Windows. Single player games on Steam is a best case scenario.. Blizzard games, or games with anti cheat are a total pain to run or won't run at all.
This is why people tolerate Windows in 2022.
I'm not saying I like it, I was just trying to answer your question :)
