Thank you :)

Why is fireox so low and chromium so hight ?

There is probably no corporation that has fooled its userbase more and for longer than Mozilla. Pretending to be your friend, it has for years ruined the customizability, privacy, and usability of its browser. The marketing team was, and still is, in full swing trying to spin every one of its shitty decisions positively.

...I'm sceptical. I want facts not his opinion ?

As far as I'm concerned, most browser are shitty, we should go minimalist. Like the dillo browser and such that doesn't really support JS.

I thought that chromium should be at the same lvl as firefox, or at least otter browser.

@Otyugh I think that article is summing up al the other articles published on the website. I did not read any of them. The one about Firefox is here. Maybe there is some meaningful fact in there.

Most interesting, thanks !

@Otyugh & @Astheroth 明日照: That is not Google Chromium but Ungoogled-Chromium. So that is a really bad choice of logo that I have simply taken from the site... :-( I have added mouse overs and linked to the icons to the articles about the browsers naively hope that people will look them.
Actually the articles are quite detailed listing very concrete issues and problems. For example, the article about Firefox also links this Spyware Mitigation Guide.
So it is worth looking the article about the browsers you use.

ahh thank you. @Gergely (∀E∃A)y

It seems to be hard to install it on Arch. Creator's AUR key has been deleted...

Thanks, i'm hearing about ungoogled chromium for the first time!

IceCat seems to get high praise, time to try it.

Qutebrowser - A keyboard-driven, vim-like browser based on PyQt5 and Qt.

Qutebrowser makes no unsolicited requests at all.

after a few minutes of using - freakin' awesome vim paradise and not spyware. Thanks for the find!

thnx. reminded. not all firefoxen are alike. installed icecat.

https://www.privacytools.io/ recommends hardened firefox ...

So, I just read through all of those, and I am on a Windows pc. Dare I ask, but, best choice of browser, and addons, for windows? I know Win is not ideal, but if one DID choose to go with it, was there a preferred addon list, web browser, anyone could suggest?

@Djinn I go with Firefox with a few tweaks. It is not all that bad. Read about it on the site in this post. Basically it does three bad things: telemetry (can be opted out), portal pings (can be be turned off and I don't find it that big deal in general unless you are into doing something really covert) and too much Google by default.

Also you have to make up your mind how do you feel about using their "smart start page" and sync feature.

I tried Waterfox which is supposed to be better but it is quite clunky on Windows.

Ah ok ty. I use FF with Ublockorigin, User-Agent-Switch, and Privacy Badger atm.I went through a list I found about "hardening FF", it was rather long and involved in the about:config, but I got through it alright. I am thinking about switching to a flavor of linux, but am unsure which. I recently took a liking to Lubuntu, as I don't like Ubuntu.

@Djinn I went with Debian with one of my home computers. Seems all right but not completely without quirks just as any Linux distro. The other one runs licensed Windows 10 and is about to retire soon. I will most likely put Linux on the new one when time comes.

I would recommend you to stick with major branch for a while and try to get it to your liking. Basically 99% of desktop experience comes to choosing right desktop environment (Gnome, KDE, etc) and tweaking it a little. You can set it up on any distro. Don't care about "cleanness" yet. When you get it right and get the hang of it you will probably want to choose distro that is closest to your liking from the box.

I think using Firefox with NoScript addon at least, that blocks by default all javascript, should keep you safe from a lot of security issue (yes javascript is a bad thing). Just enable some exception for some website that requires it.

Great, thanks everyone.

I prefer uMatrix over NoScript.

I am thinking about switching to a flavor of linux, but am unsure which. I recently took a liking to Lubuntu, as I don’t like Ubuntu.

@Djinn: I think it is worth trying several distros: https://distrowatch.com/. They say that with LinuxLive USB Creator you can create a persistent live USB, so you don't loose the settings after reboot. (I haven't tried it. I have ditched windows in the last century. Now, I only use it if I'm forced to...)

You can also install several distos directly to a pendrive. So you can also have a portable fully installed GNU/Linux. I for example use a Parabola GNU/Linux-libre pendrive at my workplace.

The user experience is mainly based on the desktop environment. I think Cinnamon is the best desktop environment, but you may have different taste. So I suggest you to try some desktop environment, most of the distros offer a great variety of choices for desktop environments.

Have fun trying out new distros and enjoy the freedom!

Look at this page on the same site. https://spyware.neocities.org/guides/palemoon.html

The author considers using a Pale Moon web page as your home page and checking for updates to be "spyware." Really?

That's just silly.

Also, the about:config settings recommended aren't nearly all the ones we should use.

I don't think this person knows more than I do.

Oh! Also, it looks to me that everything this person doesn't like about Waterfox can be cured with some changes to settings.

@David they seem to consider any unnecessary connects the user can't prevent from the start as spyware. A bit extreme but might make sense for some.

Many thanks, Gergely, this is a useful resource for my research. I too think Firefox can be safer if WebGL, Pocket, Canvas Fingerprinting and other default snoops are disabled in about:config. This is probably true of other browsers, the trouble is, the majority of users do not tweak their privacy settings. They either don't know how or are scared to open the 'advanced' section where browsers like Chrome tend to stash them.

@privacybill@socialhome.network as far as I know it is nearly impossible to disable browser fingerprinting. It is easier to just use anonymous browser then like Tor Browser - at the cost of functionality.

it is nearly impossible to disable browser fingerprinting. It is easier to just use anonymous browser then like Tor Browser

See https://diasp.eu/posts/272658e0bf7b0136d0104061862b8e7b

@David well, it is even worse then.

Thanks for the heads up.

@David: Have you reported that issue to the developers of Tor Browser? If yes, what did they say about it?

Hmm interesting writeup. Nearly and Impossible are quite drastic terms, but since this topic is home-field for you, as-it-were, take a look into the addons. They seem to me anyway, to provide for me protection, so long as I do not disable things when I want to view a cookie recipe.... Perfect is a term that should never be used anywhere near computers, and while it is not perfect, for me, it provides a blanket that I am comfortable with without having to resort to Tor immediately.

Still it is quite hard to defeat browser fingerprinting without taking functionality hit.

Test here, for example: https://panopticlick.eff.org

@Alexander

My Pale Moon, with all my enhancements, does quite well with Panopticlick.

One of the interesting built-in features of Pale Moon is to return a random canvas fingerprint every time a site attempt this type of fingerprinting. This makes me unique, and apparently different, every time I use Panopticlick. The about:config setting for this in Pale Moon is canvas.poisondata;true.

I like Pale Moon, but if you want to start using it, you might want to look at my recent post about it. https://diasp.eu/posts/99420400c3740136aca04061862b8e7b

@David Interesting. Does sending fake canvas values affect how actual pages render?

@Alexander
True, FF does have some fingerprinting issues, depending on which version or fork one uses.
One tweak to hardening it is to toggle privacy.resistFingerprinting to TRUE in about:config.

As most fingerprinting is done through JavaScript -- Youtube uses the googlevideo.com script to slip in a canvas request, for instance -- a blocker like NoScript, Ublock Origin or add-ons like Disconnect do the job.

Of course, the more tools and add-ons we employ in our browsers actually limits our anonymity. This is why most corporations are now starting to turn on to fingerprinting -- before all users used a simple setup and many signatures were similar -- now, with the cat out of the bag with Facebook's latest privacy scandals, canvas is a sneaky alternative to tracking scripts, which EVERYBODY is now trying to block. FB never used fingerprinting much before they 'came clean' about their privacy 'mistakes'. It is their new pickpocket.

I get more bits of identifying information when using User-Agent Switcher with any of the available choice of OS/browser. 10.23 bits otherwise with 6 recommended add-ons.

Interesting.

@privacybill@socialhome.network enabled this but don't see any difference on Panopticlick...

As for JS - true but the problem here is that many sites require JS. It is hard to granularly filter scripts every time you stumble upon random article.

Disconnect as I understand blocks known trackers only so it is also not ideal.

Thanks! Does anyone know of such a ranking for android web browsers? Actually, I'm kind of new to all this, is it possible to avoid Google spying on you when using a web browser on android?

@Hippolyte don't use built-in browser or Chrome, also disable in-app web views where possible, switch start pages and search away from Google and you should be okay.

But of course Android still uses some Google services but it isn't that big deal IMO.

@Alexander

Interesting, but as I've said, it depends on your setup.

Re Disconnect, it was developed by disgruntled ex-Google techs so the scripts it flags to block are worth considering. It has also registered scripts for me it has not named, occasionally. This is intriguing I think, as it could mean clicking the 'content' button could in theory block unknown scripts.

Lastly, I'd say that if a site doesn't work without temporarily allowing a script (and deleting its reference and tracking cookies when you leave) its developers are bread heads/NSA slaves or idiots. I also don't mind something taking a long time. Convenience is probably the scourge of the internet for me -- it should not trump safety and privacy. :)

@Hippolyte

Android is a sieve, but many of the browsers have an android version these days. Tor used to have Orbot or Orfox as their Android browser. It was slow of course but still frustrated Google, which made me chuckle. I understand they're developing something else now. Maybe others can elaborate on it. :)

Is anyone able to get less "bits of identifiable information" on panopticlick? If so, how?

46538465@diasporing.ch
Try using Tor and disabling JavaScript. You'd look pretty clean then. :)

I use a VPN and disable JS through the NoScript add-on. Tor is too slow for everyday browsing, I'll use tor if i want to make sure but not all the time.

Using Tor and unchecking everything that is allowed by default in NoScript (why?) gives me 9.75 bits compared to 10.23 with hardened firefox. Differences are "DNT Header Enabled?" True in Firefox False in Tor. "Are cookies enabled?" False in Firefox True in Tor. Would love to know if i have a setting i should change.

if a site doesn't work without temporarily allowing a script

Most sites will work that way but the problem here is unless you manually veto the code of each script before allowing it through, even just temporarily, there's still chance of tripping something. They can put tracking code in infinite scrolling, right?

@Alexander

Yes, you are right, more JS loads to add content to the infinite scroll down, but it's usually just doubling up the same covert tracking scripts, depending on what deals the web site has done with the Big G or whoever. It's possible a new client will want to load a tracker half way down, I guess. On this page, for instance there are 8 trackers loading as I scroll down, though I suspect they are just invisible gif trackers from the links provided by unwitting posters.

As you know, in NoScript (in 5+ at least) we can block all scripts and temporarily allow the ones that are essential for stuff to work. We get to know what to load on a site-by-site basis. Eventually it becomes obvious which scripts are dirty or problematic -- facebook dot net, googletagmanager, doubleclick, automattic, scorecard, amazon, microsoft, etc.It certainly takes time and Tor and Georgio NoScript didn't help matters by totally changing up their setups and undoing all that hard work users had done cataloguing their bad scripts as a new version like Tor 8 and NoScript 10 just overwrote everything. That really pissed off both sets of users as did the new versions themselves, which are unpopular with some.

Again, this depends on your setup. Tor 8 with NoScript 10 will react differently to say, Tor 7.54 and NoScript 5+ with auto update blocked. Okay, the latter setup is 'old' and potentially 'less safer' but is probably more private because it blocks everything by default and you have to allow it. By Tor 7.55 more scripts were allowed by default.

I don't really want to talk about Tor 8.

Sadly, it's quite hard to find a safe mirror to download old Tor versions but that's what I'm doing with most of my devices until Tor 8 sorts itself out.

Re cookies I tend to disallow ALL third party cookies as they are usually the bad guys. A minority of sites won't work. I always enable the DNT header but sites still totally ignore it. "Why do facebook ignore their users' DNT header" would've been a good question to ask Zuck in congress but no one did. :)

I always enable the DNT header but sites still totally ignore it.

It seems to be that it became just another piece of detectable identifying information and nothing more.

Absolutely, But the user also identifies who ignores it. :)

To be honest I think we fight a losing battle here.

Given the interactive nature of the modern Internet there are always certain client vulnerabilities. Just like with computers it all comes to trusting the code and these tracking bits and pieces are almost always put on the resource by the owner.

All these measures are almost like recommendations to avoid rape by putting on clothes that are harder to remove and also trying to run faster :)

So far most of the tracking is third-party but it is only a matter of time when it becomes integrated in the first-party code so there won't be any cross-site calls or separate scripts. Simple solutions like uMatrix won't work.

@Alexander Thanks! I just don't understand how switching start page helps. The data that is shown there is not collected if you have a different start page ?

@Hippolyte whatever your start page is it gets loaded every time you open your browser or another tab. So it gets a lot of hits and can potentially collect nice history of your sessions, identify your devices, etc - especially if it is something like Google. So it is better to have something neutral as your start page.

The percentage of users who are 'woken' to this hardcoded internet snoop fest has been about 5%-15% of internet users, people like us, and I'm sure others on this thread, were seen as nerdy conspiracy theorists who hated 'the man'. It was hard work.

Since Cambridge Analytica, the curtain got accidentally lifted and the populous suddenly noticed they had no underpants on. This has galvanized many on both sides. Corporations have begun to look at ways to make money without violating their users and the ranks of the privacy advocacy movement have swollen. Yes, it looks like a losing battle, but there are many battles more to come.

To be honest I think we fight a losing battle here.

The fight for privacy, as with the fight for all human rights, is not a war that can be won. It is a never-ending struggle.

Actually, we win quite a few battles. I agree with Doctorow that we've already passed peak indifference. We're advancing, and they're retreating. The danger is that we won't push as hard as we can while we have some advantage.

The EFF (disclosure: I've been a member for years) is fighting on 3 fronts: in the courts, in the legislatures, and by developing new software.

I don't see any point in trying to help those who won't give up on non-free software. If you can't see the source code, you have no idea what it's doing.

I also think we need to move more and more to Internet overlay networks that can scale: I2P and ZeroNet, in particular.

I've recently been looking into ZeroNet. Maybe we should get something going over there?

Perhaps I should have spoken more clearly. I understand and fully support the fight for privacy and by no means it should be given up.

However many people seem to concentrate on technical passive defense aspects only - and this is what I wanted to call fighting the losing battle.

And even when people question tracking practices itself the blame usually falls on tracking companies. Like Google is some kind of supervillain who forcefully took over half of the Internet. No one ever questions who in fact installs and funds tracking ads, analytics and such - and it resource owners that do it. Tracking companies only respond to the demand.

So by "tracking company" you mean analytics providers like Google Analytics? I think most people are unaware that "tracking companies" exist, but they do know that the web sites they look at attempt to gather information about them. People are blaming those they know exist, not "tracking companies" they never heard of.

Also, what is a "resource owner"?

Also...

Tracking companies only respond to the demand.

So they just do it for money. [sarcastically] Well that makes it much easier to forgive. "Sorry mate. Nothing personal. It's just business."

I don't think the point here is to forgive, but to remind that Google is not the only responsible for privacy issues. If smaller companies were not interested in swindling people's data, it would not be so lucrative to collect them. One shouldn't only try to avoid the gafam but also their clients.

I think most people are unaware that “tracking companies” exist, but they do know that the web sites they look at attempt to gather information about them.

Just my impressions. When you visit some random website or use an app and "personalized ad" pops up and it is obviously based on tracking your activity - who is more to blame? I mostly hear "Google" (or whatever source the ad came from).

However the reason you see this ad is because the website owner you are on put it there and they consider it good business practice. Also the company the said ad advertises considers it good business practice. In fact they payed extra for the targeting (i.e. tracking). Both of these actors are primary reasons the whole system exists and reaches you.

Yet most users seem to have no problem with neither and point the blame exclusively towards tracking providers.

Ideally if users notice some tracking on the resource they use their first intent should be not blocking the advertisement/tracking components but boycott entire resource as not trustworthy.

A few times I noticed some bad cases of tracking (borderline malware) or very unethical advertisements (scams and such) on some sites and apps I used and I got in touch with the owners asking them to do something about it. If they replied they usually took a victim stance: "we need to monetize to pay support costs and we are not affiliated with the ad content". Like it makes it okay somehow.

As I said if such attitude continues we end up with tracking and ads getting built-in right into the first party code.

@Gergely (∀E∃A)

@David: Have you reported that issue to the developers of Tor Browser? If yes, what did they say about it?

Sorry about the long delay in getting back to you. The Tor project seems to know about the problem.

https://trac.torproject.org/projects/tor/ticket/26146

Oh, by the way, this has to do with my post, https://diasp.eu/posts/272658e0bf7b0136d0104061862b8e7b, about being able to use JavaScript to find out what OS is in use by the Tor Browser.

@Alexander

@David Interesting. Does sending fake canvas values affect how actual pages render?

The answer is "No."

Sorry to take so long in getting back to you.

This is in reference to my comment

@Alexander\
\
My Pale Moon, with all my enhancements, does quite well with Panopticlick.\
\
One of the interesting built-in features of Pale Moon is to return a random canvas fingerprint every time a site attempt this type of fingerprinting. This makes me unique, and apparently different, every time I use Panopticlick. The about:config setting for this in Pale Moon is canvas.poisondata;true.\
\
I like Pale Moon, but if you want to start using it, you might want to look at my recent post about it. https://diasp.eu/posts/99420400c3740136aca04061862b8e7b

@Alexander

So you were saying that blame for tracking should go first to sites that use trackers and analytics, and second to the providers of tracking and analytics services. Hmm. I think I dislike them equally.

As a practical matter, I'm willing to read an article with ads and tracking blocked. Maybe there's an argument that I shouldn't be willing, that I should boycott such sites. Well, that's definitely going to make getting news a bigger challenge.

All the time I tell people that they don't have to put up with tracking and ads, but if none of us did, some sites would definitely be starved out of existence. So I guess the question is: Do we starve them out by boycotting the sites themselves, or by boycotting (with uBlock Origin, etc.) just the crap we don't like?

When you have some time on your hands some day, take a look at all the links on the left hand side of the BrowserSpy site, http://browserspy.dk/, with JavaScript off and on.

Also, don't forget that it's not just your browser than can be fingerprinted. Your hardware and other software can be fingerprinted too with audio context fingerprinting, WebGL fingerprinting, and tricks to find out what other writing systems (e.g., Hangul, Japanese kana, etc.) you might have installed. Fortunately, these also depend on JavaScript, and support for WebGL and audio context can be turned off. (In Firefox and its forks, media.webaudio.enabled;false and webgl.disabled;true.) See http://yinzhicao.org/TrackingFree/crossbrowsertracking_NDSS17.pdf A ZDNet article is headlined, "No hiding from this new web fingerprinting tech," but that's not true.

Every once in a while, someone comes up with some new way to fingerprint us, but most of the schemes work very badly. Remember Douglas Adams' famous aphorism, DON'T PANIC! We can keep up with this crap, and it really doesn't take that much work. I think we've been pretty good about sharing hacks for this sort of thing here on D*. We'll keep it up.

Your connection is not secure

The owner of browserspy.dk has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.

Thanks for interesting points, @David. I guess the general approach of tracking is taking just about any component browser uses and trying to fingerprint it.

Recently I read about tracking technique which supposedly allowed to guess information about other sites loaded in other tabs by monitoring cache responsiveness (basically creating a load and try to measure performance and detect patterns),

About ten years ago I knew someone who used his physical machine as pure hypervisor and all his work was done on several virtual machines. He had one for "the Internet", one for work, one was for the personal data, etc. All with different sets of online identities. It was quite streamlined. Seemed quite crazy back then for a guy who wasn't doing something really secretive but now it seems like he knew something

Anyone else using Firefox have a problem with browserspy.dk?

@David - not just Firefox. If you try https connection it turns out they have wrong certificate (wrong host name).

I just use it HTTP. It doesn't do the HSTS thing.

Oh! Also, it looks to me that everything this person doesn’t like about Waterfox can be cured with some changes to settings.

But why every human on planet must do this as mandatory? Why this "freedoms" they presenting and advertising is not present right "from the box" and always needs do some voodoo magic and hocus pocus with settings? i recognising this behaviour as #manipulation. if they leaking users data by default - they must go to hell and be history but not make history. period.

Why this “freedoms” they presenting and advertising is not present right “from the box”

Because it all hinders convenience. More freedom means more responsibility and more work, not everyone wants to do that. Most features that are considered in that article as privacy-invasive in fact are intended for convenience (captive portal, etc) and safety (automatic updates) but can be misused. I believe everyone decides the acceptable compromise for themselves.

bullsh^t. this exactly what corrupted gov (read "money mafia") told as as excuse to invide another countries and destroy them - "freedom is not free" - same bullsh^t and manipulation just for support them to keep stay in their #inhuman "business", nothing else.

What exactly is bullshit?

Just forget about. i lost my interest in that conversation. time to hit disable notifications button. good luck with supporting deepstate and bye.

I believe everyone decides the acceptable compromise for themselves.

To decide anything, one should know about it. I'm pretty confident that most "skilled people" (culturaly speaking) will chose the most paranoid stuff, while all the other will pick anything which is easy to use, mostly where publicity shines the most.

There is no freedom involved here. Unskilled people do what the first people tells them to ; in our society, it's mostly advertising.

"Give unprepared childrens knifes and pretends that it was their call if something goes horribly wrong."

Unskilled people do what the first people tells them to

Of course. It is pretty normal. You also do a lot of things how you are told to do them without knowing their nature. You can't know everything.

Let's take automatic software updates, for example. Here they are considered a vulnerability. And yes, if one makes privacy their top priority they would want to control updates themselves. Also they can be misused (for example, malware could be injected into update).

However do you really think it is better NOT to have them on by default for most users? 99% of users have no idea how software works. It is just a window they type stuff in and it displays things. They don't read security news. They don't care about their browser more than they care about their fridge. No automatic updates means they won't get any updates. Which will lead to disaster.

We need to trust trustworty people.

How do we do that ? Well. If you know someone trustworty, you tell the others around you. If you were betrayed, you spread the word. .

I do truste the debian community and a few developers out there, because I could meet and know about their work.
I do promote their use around me, to people who don’t get a damn about computing, because they trust me - they can meet and complain to me.

That's a trust chain. ~

The biggest problem out there is people don’t have trustworty people to begin with in a loooot of domain. And get screwed with all the people making living out of people that are alone and defensless.