[HN Gopher] Microsoft bakes a VPN into Edge and turns it on
___________________________________________________________________
Microsoft bakes a VPN into Edge and turns it on
Author : elashri
Score : 580 points
Date : 2022-09-30 16:44 UTC (1 days ago)
(HTM) web link (adguard-vpn.com)
(TXT) w3m dump (adguard-vpn.com)
| eatonphil wrote:
| I think Pixel phones (or maybe it's all Google Fi phones) also do
| this.
| andrewstuart2 wrote:
| Why do I always get a bad feeling about the motivations behind
| stuff like this? I want to believe it's for better privacy and
| security, but it's being driven by a corporation or two, and that
| makes me 100% suspicious. Like, for example, suddenly Edge is no
| longer respecting local DNS options and my pihole protects one
| fewer device from the real dangers to privacy. I don't want to be
| cynical so often, but this really doesn't feel like a benevolent
| move. Yeah, it's conditional at the moment, but as with Chrome
| and manifest v3, among many other examples, I'm losing my faith
| that anything with the potential to increase ad revenue will
| remain turned off for long.
| jahewson wrote:
| The motivation here is surely reducing ad tracking.
| legitster wrote:
| I mean, if you have an attitude that anything an organization
| does must be for an ulterior motive, you're always going to get
| what you are looking for. Heck, people too for that matter.
| Maybe my dog just pretends to love me to get food.
|
| But in this case, Microsoft is looking for any competitive
| advantage against Google. They won't win on targeting, and they
| still make more money selling software than ads. So this does
| seem like an easy win for them.
| hamburglar wrote:
| > if you have an attitude that anything an organization does
| must be for an ulterior motive ...
|
| Well in the case where they are spending a lot of money to
| implement and operate a feature that nobody asked for and
| which has obvious privacy downsides, it does seem worthwhile
| to examine their motives. It's not like we're responding to
| the announcement for the next model of the Microsoft
| ergonomic keyboard with "hmmm, what are they _up to_?"
| nearbuy wrote:
| > obvious privacy downsides
|
| What is the obvious privacy downside of selectively
| enabling a Cloudflare VPN when browsing on public Wifi or
| unsecured sites (which is when it enables)? That Cloudflare
| can see what sites you visit?
|
| On public Wifi and unsecured sites, anyone could
| potentially see and modify the data anyway.
| hamburglar wrote:
| The privacy issue is obvious. If my browser is funneling
| all of its traffic through a specific VPN instead of
| letting my system handle it, I have to wonder whether
| that choice was based on the VPN operator wanting to see
| my data or cooperating with someone who does.
|
| This is like finding out Microsoft decided all internet
| traffic on windows should be proxied through their
| servers. Could there be a benefit? Yes. Does it raise
| serious questions? Most definitely.
| marcosdumay wrote:
| If it was good for you, Microsoft would be the one announcing
| it. Loudly and repeatedly. They would do it even if it was
| harmful, but there existed some artificial narrative where it
| sounds good.
|
| You are hearing it from a third party exactly because they
| couldn't construct any explanation minimally realistic that
| sounded good.
| ratg13 wrote:
| They haven't announced it yet because it hasn't been
| released. Reading the article, it does sound pretty decent.
|
| Partnership with cloudflare, selectively enables when you are
| connected to untrusted networks like public wifi.
|
| Pretty much the only downside is that they turn it on by
| default... which is always tricky when most of your target
| audience is not computer savvy in the least.
|
| How to give people security features that they have to figure
| out themselves when they can barely open the browser .. a
| dilemma for the ages.
| idiocrat wrote:
| MS motivation is quite clear.
|
| Windows is an appliance (an interface) for amazon shopping and
| watching netflix.
|
| The MS telemetry has proven that 99.999% of consumers do not
| tweak default settings or dig under the hood.
|
| The 1-2 million now former "windows power users" are just too
| small a population to be economically feasible to deal with.
|
| For MS it does not matter to lose those few to other tweakable
| OSs.
|
| Instead MS's product department is dreaming of scooping the
| remaining billions of cash-laden consumers. Presumably this is
| what the telemetry tells them.
|
| Cash is good, consuming is good, keeps the economy running,
| making shareholders happy.
| stinos wrote:
| Ok, but how exactly is your story an explanation of the
| motivation for VPN in their browser?
| Markoff wrote:
| I mean nobody is forcing you to use Edge or Chrome, there are
| better alternatives like Vivaldi or if you really want to take
| it to extreme Ungoogled Chromium. But I agree with your
| sentiment, although it just means you should probably move to
| open source and obscure options.
|
| Also:
|
| > Brave, Mozilla, and Vivaldi have said they intend to continue
| supporting Manifest v2 extensions for an indeterminate amount
| of time.
| ekianjo wrote:
| just creating a honeypot for the 3 letters agency. Microsoft
| loves doing that. just don't use edge I guess?
| marcodiego wrote:
| > Why do I always get a bad feeling about the motivations
| behind stuff like this?
|
| Because of Microsoft history. Including recent history.
| uup wrote:
| VPNs don't help privacy at all. They allow you to substitute
| trust in your ISP for trust in a different entity. For some,
| that may be good, but for most others it's a wash.
| riedel wrote:
| In Germany (according to TTDSG) an ISP does not have to claim
| that. They need explicit permission to track you. It is
| pretty much as the post does not have to claim that they open
| your envelopes.
| yjftsjthsd-h wrote:
| > VPNs don't help privacy at all.
|
| > For some, that may be good, but for most others it's a
| wash.
|
| That sounds less like "VPNs don't help privacy at all" and
| more like "VPNs are helpful some of the time".
| nine_k wrote:
| VPNs help against geolocation and geofencing though.
| Nifty3929 wrote:
| I believe it is harder for my government to get my data from
| a foreign VPN service than from my local oligopoly ISP that
| is already effectively an arm of the government.
| jimmydorry wrote:
| I would reverse that assertion under the one condition that
| you don't use a VPN provider from your own country. In
| Australia at least, ISPs are legally required to maintain
| logs of everything you access for several years. By choosing
| to trust a VPN provider outside of Australia, you de facto
| have better privacy than you otherwise would have.
| AnimalMuppet wrote:
| Does the VPN company have a business presence in Australia?
| If so, then maybe you haven't gained as much as you
| think...
| andrewstuart2 wrote:
| I'd say they're still a net win, generally. The ISP vs VPN
| service tracking who does cancel out (if you ignore privacy
| claims of VPN providers, vs ISPs generally not guaranteeing
| that at all), but for every other service I might consume,
| when I'm on VPN I'm no longer connecting from a unique IP
| that can have other identifying information tagged to it.
| simon1573 wrote:
| To add to that: in Sweden (which is generally pretty ok in
| regards to privacy and rights) ISPs are required to store
| traffic for 6 months, while VPN providers are not.
| lokedhs wrote:
| Wasn't this struck down by the EU recently?
| Double_a_92 wrote:
| They help in public WiFi.
| jacobsenscott wrote:
| Public wifi, assuming you don't send any personal info to
| "sign in" to the public wifi is more anonymous than a vpn
| that has your name/address/etc.
| babypuncher wrote:
| So I can pay $10/mo for a VPN for use when I'm on public
| wifi, or I can run WireGuard on my Raspberry Pi at home and
| get one for free
| wbsss4412 wrote:
| Not sure what services you've looked at, but it
| definitely doesn't cost $10/month.
|
| Your personal solution seems pretty good though.
| wintermutestwin wrote:
| Unless you are a network security expert, aren't you
| greatly increasing your risk by running that WireGuard
| server?
| fjfbsufhdvfy wrote:
| Why would you? Nobody can connect to it without your
| private key. Or is there something I am not aware of?
| Genuine question, as I am running wireguard in a few
| places and thought it was secure by default.
| bilkow wrote:
| WireGuard is pretty minimalist and has great defaults,
| AFAIK if you manage to set it up you're good.
|
| Unless your credentials leak, of course, but a security
| expert would have that same risk.
| elashri wrote:
| It might be cheaper but still not free. Cost of
| electricity + time to maintain + Raspberry Pi itself. Not
| to mention that you don't get the variety of servers (for
| geo-location or more diverse networks not tracked to you
| by websites themselves).
| babypuncher wrote:
| Well the Raspberry Pi is already on 24/7 running a few
| other services for my home network. But even then, the
| energy consumption per month costs pennies. I update the
| device once a quarter and it takes me 5 minutes. These
| costs are so negligible as to have no impact on my
| decision making process.
| zekica wrote:
| Modern TLS is enough to prevent others from eavesdropping
| everything except domain names when on public WiFi. Domain
| names are sent in clear text if your client supports SNI.
| doubled112 wrote:
| A trail of DNS names is more than enough to know what
| somebody is up to.
| uup wrote:
| You could use DoH, which you should do anyway. No reason
| to leak DNS lookups to anyone.
| madars wrote:
| DoH alone is not enough due to
| https://en.wikipedia.org/wiki/Server_Name_Indication
| being sent in plain text. Some day ECH (formerly, eSNI)
| should help with that.
| erinnh wrote:
| I thought TLSv1.3 already encrypted the SNI?
| detaro wrote:
| No. ESNI is a later-created extension to TLS 1.3.
| uup wrote:
| It does
| [deleted]
| ranger_danger wrote:
| you'll always be leaking it to whoever you are sending
| your query to.
| Forge36 wrote:
| While traveling I've used my own VPN hosted at home to
| provide additional security.
|
| It allows me to trust only my ISP instead of every ISP in
| various coffee shops.
| 7952 wrote:
| It is not just about your ISP though. Your IP is getting sent
| to whatever website you are connecting to. People won't
| always trust that website.
| P5fRxh5kUvp2th wrote:
| > VPNs don't help privacy at all
|
| Of course they do, I'm so tired of seeing posts like this
| when really what you mean is that it's not perfect privacy
| and therefore you don't like it.
| shubb wrote:
| One of the main use cases today for VPNs is to pirate
| movies or access geo-blocked content. That and dodgy hotel
| wifi.
|
| The adversary is netflix or a IP rights enforcement
| company, and the user doesn't care what their ISP or a
| state could observe.
|
| For what they are used for, they are fine. If you are
| worried about state or megacorp spying, the solution is
| less technical and more political.
| sascha_sl wrote:
| No as a rule.
|
| They just replace your ISP with a VPN company. Which of the
| two is more shady is something you have to figure out,
| keeping in mind that a subsection of the internet just
| stops working or turns the aggressiveness of their anti-bot
| protections up to the maximum on a VPN.
| pkulak wrote:
| Of course they do? They are a tool that routes traffic
| through a third party. That can be anywhere from terrible
| to fantastic for privacy, with everything in between.
| There's nothing "of course" about it.
| inetknght wrote:
| > _Of course they do_
|
| Let me compare an ISP spying vs a VPN spying:
|
| 1. You make DNS request about example.com. Your ISP sees
| this. Your ISP can see what websites you "might" visit.
|
| 2. You connect to 1.2.3.4. Your ISP sees this. Your ISP can
| see what websites you "did" visit.
|
| 3. You request some data and receive some data. Your ISP
| sees the size of the data. If it's not encrypted, it can
| also see the content. Your ISP can see (at least) the size
| of objects that you requested -- which is enough to
| fingerprint many specific contents.
|
| Okay so not using a VPN gives effectively zero privacy.
| Let's look at a VPN:
|
| 1. You connect to a VPN (and let's assume your connection
| doesn't "leak" insomuch as now _all_ network traffic goes
| through the VPN). Your ISP can see this.
|
| 2. You make DNS request about example.com. Your VPN sees
| this and your ISP can see a network packet. Your VPN can
| see what websites you "might" visit, your ISP can't.
|
| 2. You connect to 1.2.3.4. Your VPN sees this. Your VPN can
| see what websites you "did" visit. Your ISP still sees
| traffic to the VPN.
|
| 3. You request some data and receive some data. Your VPN
| sees the size of the data, and your ISP only sees the
| aggregate-size of data across all of your sessions. If it's
| not encrypted, your VPN can also see the content but your
| ISP should still only see aggregate size. Your VPN can see
| (at least) the size of objects that you requested -- which
| is enough to fingerprint many specific contents. Your ISP
| will have a tough time fingerprinting content from specific
| websites.
|
| 4. Your ISP can note that you have a high amount of
| traffic, possibly note that the traffic is going to a known
| VPN destination, and that your "normal" traffic is now
| gone.
|
| Now, your VPN can see all the stuff that your ISP used to
| see. In addition, your ISP can now determine that you might
| be doing something illegal, suspicious, or at the very
| least "enterprise grade" and demand more money.
|
| Have you really gained more privacy?
| colinmhayes wrote:
| VPNs' entire business revolves around not giving up your
| data, that's why you pay them. ISP business revolves
| around protecting their monopoly which means making the
| government happy. Massively different incentives which
| means they will act differently. If VPN leaks data and
| people find out they're done. If ISP does nothing changes
| for them.
| ascar wrote:
| As others have mentioned you gained privacy from your
| government that has easy access to whatever information
| your ISP has but not towards a VPN provider.
|
| But the information you leak towards your ISP or VPN
| isn't the only variable. With a VPN you leak less
| information to the services you interact with (e.g. your
| IP is hidden) which undoubtedly increases privacy.
| miloignis wrote:
| Based on that analysis, I say clearly yes! Privacy is
| about choosing who to share with, be it a specific group
| or no-one. Being able to share with a VPN of my choice
| (who, if reputable, shouldn't further disseminate my
| information) is likely a privacy gain compared to being
| forced to share with my ISP (many of whom would gladly
| sell my data).
|
| Being able to choose to reveal data to Mullvad over
| Comcast or Verizon seems like a clear win to me.
| lijogdfljk wrote:
| Yea i really don't get these people. Frustratingly.
| Perfect is the enemy of good here. Yes, full privacy is
| the goal, but i _know_ certain actors are spying on me.
| If i can bypass them, i can at least attempt to improve
| it.
|
| At the very least i rob Comcast of my data. Which is my
| goal, after all. Not full privacy.
| Aaargh20318 wrote:
| > Yes, full privacy is the goal, but i know certain
| actors are spying on me. If i can bypass them, i can at
| least attempt to improve it.
|
| The problem is that it doesn't actually change anything
| while giving a false sense of security.
|
| Your VPN's 'improved' privacy is just as worthless as the
| privacy you get with just your ISP. If something requires
| privacy, neither can be used, and if it doesn't then why
| should it matter which one you use ?
|
| Privacy is an on/off thing. Either you have it or you
| don't. There is no in-between.
| nirvdrum wrote:
| My VPN provider (Mullvad) doesn't have my full name,
| address, and social security number. They could build a
| profile off my account number, sure, so I have to trust
| that they're not. If they actually aren't, fantastic, I
| win. If they actually are, I still win, because they have
| less data to build a profile on me from. I know for
| certain that my ISP is selling my data, so I'm certainly
| no worse off.
|
| On top of that, I get the benefit of not being tracked
| everywhere on the web. Or if they are tracking me, they
| have bogus data. And I can set my exit server to a
| jurisdiction with more user-friendly privacy laws.
| Aaargh20318 wrote:
| Mullvad is just the first link in the chain of untrusted
| systems between you and whatever server you're connecting
| to.
|
| Also, what better place to tap traffic than the
| connection of a VPN provider.
| nirvdrum wrote:
| > Also, what better place to tap traffic than the
| connection of a VPN provider.
|
| Well, per my previous post, my ISP is definitely a better
| place. Hell, you don't even need to tap them. They'll
| just sell you the data, along with other PII. (Setting
| aside Mullvad's multi-hop support, which would require
| taps in multiple jurisdictions).
|
| I think the point you're trying to make is that this
| isn't resilient to the NSA monitoring my traffic. I had
| hoped it was clear from my message that there's another
| level of privacy I'm concerned with related to intrusive
| private entities. I'm not expecting the GDPR or similar
| privacy laws to stop the NSA either, but they serve a
| useful purpose.
|
| I guess I'm banking on Meta and Google not tapping
| Mullvad. Or even the RIAA or MPAA, for that matter.
| Because my ISP will very willingly give those entities
| data. And as long as unencrypted SNI is the norm, my ISP
| knows more than I want it to know about my browsing
| behavior. Not to mention the stuff that isn't HTTPS.
| Sure, Verizon knows I've established a connection to an
| encrypted tunnel and how much bandwidth I routed through
| it, but that's a level of metadata I'm not concerned
| with.
|
| So, yeah, Mullvad could be logging every packet through
| their tunnel. They could even assemble a profile based on
| my account and sell it to all the data brokers and
| advertising networks. They still don't have my SSN. Even
| if all of that happened, then I'm still in no worse a
| situation than if I didn't use them because my ISP is
| doing those things. At worst, I'll be out 5EUR for the
| month.
| Aaargh20318 wrote:
| If you don't trust your ISP, then why not simply switch
| to another one? I literally have dozens of ISPs to
| choose from at my address. Last time I checked there were
| 13 ISPs offering fiber service alone, if you're willing
| to settle for DSL or cable there are a lot more options. And
| that is with me living in 'socialist' Europe. I can only
| dream of how many options people in 'free market' USA
| must have.
| ripdog wrote:
| > _And that is with me living in 'socialist' Europe. I
| can only dream of how many options people in 'free
| market' USA must have._
|
| I can feel the sarcasm dripping from this sentence.
| nirvdrum wrote:
| I have two viable options, ignoring 5G and satellite
| services. The one I'm on is the lesser of two evils. And
| I've largely neutralized the primary concern I have with
| the ISP I'm on.
|
| Where would you like to move the goal posts now?
| P5fRxh5kUvp2th wrote:
| One wonders if you consider your bedroom to be private
| despite the fact that a peeping tom can still look
| through the window.
| hamburglar wrote:
| This is quite a concrete illustration of the concept of
| the perfect being the enemy of the good. Thank you.
| salawat wrote:
| No... It's a demonstration of adherence to the axiom "Don't
| let perfect be the enemy of good" being misapplied.
|
| The "Good" (VPN) is exactly as imperfect as its complete
| absence. There has been no improvement whatsoever.
| Literally, as far as Privacy is concerned, nothing short
| of "No one actor has the capability to sit on a full
| stream of traffic", will suffice.
|
| Either you're MITM'd or you aren't. Use malicious postmen
| if it makes it easier.
|
| If you have the same guy come, and all of your mail goes
| through him, he can reconstruct all conversational state.
|
| Now imagine you get a different malicious postman at
| random every day. He eavesdrops on every packet, but he's
| not privy to which of his fellows is scheduled to get the
| next packet. Therefore, it's not practicable to MITM in
| any practical way. This all goes out the window when
| someone controls the malicious postman scheduler, of
| course, because then they can figure out a map of who to
| go to to reconstruct your conversation.
|
| The above is the concept behind Tor, and why the only
| effective counter to it is to run a hell of a lot of
| entry/exit nodes so you can conceivably time correlate
| given enough consecutive probe points are hit.
| P5fRxh5kUvp2th wrote:
| Russia has the ability to drop a nuke in the region you
| currently live in, so there's no such thing as safety and
| therefore why do you have locks on your doors?
| genewitch wrote:
| i find this extremely doubtful. I see the point of your
| statement, but i'm willing to bet 99% of all the already
| built nuclear devices wouldn't work today. There's no way
| that they're all stored in such a way that the delicate
| mechanisms are protected from the environment and
| oxidization, moisture ingress, insects, heat and cold
| expansion and contraction.
|
| That a nation could make a _new_ device is arguable, that
| a nation could make a device that could be delivered
| without flying planes over another country is less
| arguable. Even nukes as they stand would only pose
| significant threats to certain parts of a country (there
| was a map floating around the web a few days back of
| areas of the US most susceptible to the - pardon the pun
| - fallout from a tactical strike.)
| P5fRxh5kUvp2th wrote:
| Especially when you consider that what they're really
| saying is that a VPN won't hide you from a state level
| actor.
|
| Yeah, of course not, that's not nearly the only reason to
| use a VPN.
| crtasm wrote:
| > your ISP can now determine that you might be doing
| something illegal, suspicious
|
| and my neighbours can determine I might be doing
| something illegal when I close my curtains, sure.
| postalrat wrote:
| You increased the number of choices you can make
| regarding your privacy.
| piaste wrote:
| VPN and ISP are similar in terms of middlemen, but there
| is an important difference downstream of said middlemen.
|
| With your ISP, you appear on the internet as a
| residential IP that provides your approximate location
| and most likely doesn't change very often. The requests
| you make can be easily correlated by PRISM or any other
| middleman, or by any CDN running the websites you visit.
|
| With a VPN, your exit IP is unrelated to your geographic
| location, changes very often, and hopefully it is shared
| among many more users.
| DesiLurker wrote:
| Also you could use double VPN config from different VPN
| providers in separate geo locations with openDNS thrown
| in one of them. then it would be much harder to correlate
| your traffic out of the mix. it's not about perfect
| secrecy it's about becoming hard enough target.
| vel0city wrote:
| GeoIP services are trash. My current IP on most GeoIP
| services gives a location >900 miles away. My last IP had
| a location in another country. I don't think I've ever
| had a GeoIP lookup resolve within 100 miles for any IP
| I've had.
| inetknght wrote:
| > _GeoIP services are trash._
|
| GeoIP is only necessary when seeing a new IP. But once
| the IP starts to build a reputation, then the specific
| location can be determined. It's _especially_ true if you
| buy something online.
| zmmmmm wrote:
| My single data point observation is that it gets my city
| correct nearly 100% of the time and sometimes is able to
| resolve to a nearby suburb.
| tzs wrote:
| > Have you really gained more privacy?
|
| No, but you have lost less privacy.
|
| The amount of loss of privacy you incur when some
| particular item of personal information about you is
| revealed to another party often depends on how much other
| information that party has about you.
| yjftsjthsd-h wrote:
| > Now, your VPN can see all the stuff that your ISP used
| to see.
|
| > Have you really gained more privacy?
|
| Absolutely, 100%, unambiguously, yes; my ISP openly says
| that they monetize my data, my VPN says they don't. I'm
| _very_ happy to gamble that the VPN is telling the truth
| when faced with the expectation that the ISP is telling
| the truth.
| squeaky-clean wrote:
| My VPN was unable to give the British government any logs
| or IPs relating to someone who emailed a series of bomb
| threats using them.
|
| As terrible as that is, yeah I feel pretty safe pirating
| movies using it.
|
| But you're right that blindly trusting a VPN without
| doing any research might be worse than blindly trusting
| your ISP.
| donedealomg wrote:
| Dayshine wrote:
| Your isp is legally resident in the country most likely
| to want to spy on you. There are also very few isps per
| country, so it's less work for the attacker to cover
| everyone they care about.
|
| There are vast numbers of vpns, so total coverage is
| impossible. They are also very likely to be in a
| different legal jurisdiction so it's non trivial to do.
|
| So, yes, you have, by making yourself a harder target
| despite having the same amount of centralisation on your
| part
| simplyinfinity wrote:
| my country has between 3 and 20 ISPs per city. of a
| country of 7 million.
| psd1 wrote:
| I assume they are just resellers, buying bulk data from a
| big carrier. Is that the case?
| ripdog wrote:
| IDK about simplyinfinity, but here in NZ, the last mile
| of internet infrastructure (the fibre from homes to the
| exchange) is owned by regulated companies which must
| lease access to them at set rates or lower, and mustn't
| act as ISPs.
|
| As such, we have dozens of ISPs with their own backend
| infrastructure, all sharing the same last-mile, and most
| available nation-wide.
|
| That said, they're all going to be buying transit from a
| big backbone ISP to get overseas connectivity.
| xani_ wrote:
| Same with most VPN providers. Just expands the search
| from "ask ISP" to "ask ISP, they tell government it's a
| VPN company, ask VPN company".
|
| Now, sure, they could "just" delete logs, but their
| government can "just" tell them not to, or even tell them
| to live send the logs to them directly.
|
| So it's really "which country's government you trust".
| travoltaj wrote:
| There's quite a few VPNs who have been asked to keep logs
| by the authorities but the VPN providers contest it in
| court, and since their jurisdiction laws don't need them
| to, the courts side with the VPN providers.
|
| Mullvad, OVPN are a couple.
|
| What are your opinions on those? Not every country has
| laws like USA/India, which give the government free rein
| by citing certain Acts.
| zepearl wrote:
| Adding that in general a country's law (data
| protection/privacy in this context) usually targets its
| own citizens; traffic related to foreign citizens (as in
| the case of VPNs) would for sure have a lower degree of
| protection.
| Schroedingersat wrote:
| If the ISP is legally protected from any inquiry or
| transparency into what they do with the data and is
| systematically incompetent about protecting it and the
| vpn exists in a country with good privacy laws, then
| yeah.
| Wxc2jjJmST9XWWL wrote:
| https://www.ivpn.net/ see "Do you really need a VPN?" - not
| affiliated with them, but tell me any other VPN-service that
| is actually this upfront... most are marketing the hell out
| of their apparent magic effects...
|
| since we're on the topic: how is it still a thing that vpn
| services are actively pitching content-block/copyright
| circumvention? Seems weird to pitch something as shady this
| loud and publicly? Reminds me of how weird I find it that
| trackers and illegal hosting sites have twitter accounts...
| wintermutestwin wrote:
| >VPNs don't help privacy at all.
|
| 1. They keep your data safe from your ISP. 2. They keep your
| IP hidden to the sites you browse.
|
| Those two clearly "help" privacy.
| rcxdude wrote:
| They also expose your data to the VPN operator. That's a
| negative on privacy. Whether it's a net negative or
| positive depends on the VPN operator and ISP involved.
| ipaddr wrote:
| The VPN provider could be you hosted somewhere using
| bitcoin.
| [deleted]
| swayvil wrote:
| VPNs don't anonymize, they just route you through an
| anonymizing service. Lol.
| voxic11 wrote:
| ISPs generally don't claim to protect your privacy at all
| [0]. So it would be foolish to trust them to do something
| they never claimed they would do. VPNs generally do claim
| they will protect your privacy so at least trusting them
| makes some amount of sense.
|
| Going from "trusting" an entity that explicitly requires you
| to consent to spying when you sign up to trusting one which
| explicitly promises to protect your privacy when you sign up
| does seem like it would "help privacy" in most cases.
|
| [0] https://www.privacypolicies.com/blog/isp-tracking-you/
| dagenix wrote:
| A major difference between your ISP and a VPN is that your
| ISP is generally an established company based in the same
| jurisdiction as you are. So, if they do something terrible,
| in theory at least, they can be brought to court. A non-
| trivial number of VPNs that claim to protect your privacy,
| however, are based all around the world with unclear
| corporate structures. If they do something terrible, you
| likely have no recourse at all. How much faith you want to
| put in a promise made by such a company is up to you - but
| I would push back on the idea that simply making a promise
| really provides much value by itself.
| Sakos wrote:
| > based in the same jurisdiction as you are
|
| Why would I trust an entity that often has the legal
| backing to harvest my data and provide it to the
| government whenever they "deem" it necessary? The same
| government that has direct means of control over me?
| Whether it's the US, China, Germany, I think I'd rather
| put my chances with some private company that at least
| has financial and _maybe_ ethical motivations (depending
| on the company) to protect my privacy. An ISP will only
| go as far as the law requires to protect it and who knows
| what backdoor deals are made with governments to subvert
| those same laws.
|
| There is no realistic/helpful/useful legal process to sue
| over a breach of privacy. So my ISP being in my
| jurisdiction doesn't do me any good at all.
| actuallyalys wrote:
| ISPs don't emphasize privacy in their marketing, but some
| large ISPs claim they protect it [0], although their claims
| are pretty dubious[0][1].
|
| I think your logic holds up, but it's not quite as
| definitive as you say. VPNs are not the straightforward
| privacy upgrade that HTTPS is. (I don't think you were
| trying to imply otherwise.)
|
| I think the picture improves if you choose more carefully.
| Choosing an established VPN that has a no-log policy and
| has been audited seems much better, because now multiple
| companies are putting their reputation on the line. On the
| other hand, I think a relatively unknown company that's
| reselling someone else's VPN and hoping to cash in on the
| "VPN = privacy" is only a slight upgrade over a major ISP.
|
| [0]: https://www.latimes.com/business/story/2021-11-12/column-int...
| [1]: https://www.ftc.gov/system/files/documents/reports/look-what...
| cowmix wrote:
| You are actually being too kind IMHO.
| nerdawson wrote:
| Probably because Facebook already tried the free VPN and it was
| every bit the privacy nightmare you'd expect it to be. Given
| Microsoft's track record, there's no reason to expect that to
| be any different.
| mgraczyk wrote:
| If you have never worked at a large tech company like
| Microsoft, you'll probably have a bad feeling because there's a
| lot you don't know about the business process of shipping
| features like this. It's reasonable to be cynical and confused
| if you have never seen it from the other side.
|
| For the most part, product features like this are shipped for
| boring and completely non-nefarious reasons. It's just hard to
| believe that if you've never worked on one.
| [deleted]
| aeturnum wrote:
| I am 100% with you in general, but this feels more like the
| Windows Defender launch than some fully cynical power grab.
| That is to say - Microsoft gets a lot of grief and work from
| windows installs getting taken over / viruses / etc. For users
| who don't pick up their own protection (and don't choose to
| turn off the default windows protection) this feels like a
| better default. I don't trust Microsoft, but you are already
| exposed to their manipulations when you are using their OS -
| and this will help protect you from other manipulations.
| spicybright wrote:
| Anything that decides to wrap around your internet traffic
| without telling you should definitely raise your antennas.
|
| Even if they had the best intentions, it's pretty easy to botch
| these things which erode your privacy even more.
| simonh wrote:
| This is where Apple's implementation, where the info is split
| between them and a third party with neither of them able to
| read the traffic on their own is so smart. Especially since
| there are multiple counter-parties to Apple. It also negates
| the risk of an MITM attack. Yes of course they could
| collaborate with a counter-party to break the system, but it
| seems significantly less likely to happen, and if it was
| happening it would be significantly more likely to come to
| light.
| numpad0 wrote:
| Block UDP port 53(DNS).
| samstave wrote:
| IMO it's so they can keep the data-usage metric in their hose
| and not leak it to other companies which are competing for ad
| attention...?
| kirillzubovsky wrote:
| Check out the book "Hard Drive" about the early days of
| Microsoft, and you will never be able to see anything that
| corporate does without suspicion, and for a good reason.
| kirillzubovsky wrote:
| And apparently we now get downvoted on Hacker News for a book
| recommendation. Amazing.
| r00fus wrote:
| When trying to ascertain the intents of large organizations, I
| find it useful to examine previous actions. In the case of
| Microsoft, their willingness/intent to add ads and telemetry
| (including keylogging) into their OS seem to indicate they are
| doing this for serving ads better to their larger (paying)
| customers.
|
| If you're not paying for the (specific) service, you are the
| product.
| GekkePrutser wrote:
| Exactly.. I would take it from Firefox if they offered
| something like iCloud Private Relay.
|
| But the thing they offer from Mullvad is no better than a
| traditional VPN (because it _is_ a traditional VPN). And even
| more limited because it only works in the browser.
|
| And indeed the circumvention of Pihole is a big problem.
| jvanderbot wrote:
| How is this not a transparent attempt to secure user
| information and conceal it from the usual other suspects?
| deviantbit wrote:
| The reason you have a bad feeling is it gives the FBI/FEDS a
| single point to collect your data, with a man-in-the-middle
| attack that you will have no idea is there.
|
| This is absolute BS they're implementing this.
| bakuninsbart wrote:
| Maybe a dumb question, but isn't that already a given when
| using a browser? To me it always seemed a bit absurd to use
| VPN as it basically just gives another person all your info,
| but just assumed browsers and the big 5 just got most of the
| data anyway.
| frankfrankfrank wrote:
| The only thing I can see working is pollution, pollution of
| our data. There are some current extensions that do some of
| that, but they are likely not enough and what we really
| need is a kind stream of data and requests that your own
| requests are simply merged into.
|
| The thing is that it would need to be smart enough to
| prevent pattern recognition, e.g., it cannot just be random
| data because your specific searches and string of searches
| or actions will stand out quite obviously.
|
| Yes, it would place a severe tax on the internet and a few
| things could be done to minimize that, but I currently do
| not see any other better option.
|
| I could see it implemented where your activities online are
| merged with and threaded into those of related or similar
| communities, e.g., be it family and friends, the YC
| community, or a combination of different groups. The effect
| would come from the proximity to similar but not exact
| activities. To use a common example, if your legal free
| speech activities could make you a target, those online
| activities are muddled and polluted by being merged with
| other people's legal free speech activities, and your
| activities would be merged with those of others.
|
| Consider it a kind of mutual compromise of society in order
| to provide protection/obfuscation in numbers ... the zebra
| in a herd, if you will. They can't arrest/target everyone
| if everyone has activity data that looks like they defy the
| ruling powers.
| autoexec wrote:
| > The only thing I can see working is pollution,
| pollution of our data.
|
| This is a terrible and dangerous idea. Nobody cares about
| the accuracy of the data they collect on you. Stuffing
| your dossier with random things won't cause anyone to
| throw it away just because there might be errors in it.
| Instead all of that data, random/accurate or not, will be
| used against you all the same.
|
| Your clever browser extension might have been responsible
| for browsing to a bunch of fast food websites, but your
| health insurance provider won't care. They'll just see
| that in your internet history and quietly raise your
| health insurance premiums anyway.
|
| If your legal free speech activities make you a target,
| adding more free speech activities to your permanent
| record just means you'll also now be targeted for those
| activities on top of your own.
|
| You can't know what will prejudice someone else against
| you. You might not be gay, or Muslim, or a heavy drinker,
| or an Andrew Yang supporter, but your browser extension
| pulls in the wrong data that gets you flagged as being
| one and it could cost you your job, get you denied
| housing, etc.
|
| You might not be looking into getting an abortion, but
| anti-abortion activists who buy up the data of anyone who
| appears to be trying to get one, or looking for support
| after getting one, will still see you listed and you will
| still get harassed by them or dragged into a Texas court
| room.
|
| You might not be rich, but data brokers and consumer
| reputation services will see that you've been interested
| in expensive vacation spots and online stores will start
| charging you more than your neighbors for the same items
| on the assumption that you are.
|
| If you want to try to hide in the crowd look into a VPN
| or TOR (although be aware device/browser fingerprinting
| can still get your traffic associated with you). Just
| please understand that giving others more ammo to use
| against you isn't helping yourself or anyone else. Adding
| more and more data to your internet history just
| increases your risks substantially because no matter if
| you deserve it or not your life will be impacted in
| countless ways by the data you surrender and none of that
| data, "pollution" or genuine, ever goes away.
| danuker wrote:
| If you have enough money and time, it might still be
| useful (and satisfying) to serve society in this way.
|
| You would confuse models currently shooting fish in a
| barrel.
|
| You would still pick the cheapest insurer (probably one
| that does not look at your data).
|
| You can live without anyone abusing your privacy in this
| way.
| 867-5309 wrote:
| >what we really need is a kind stream of data and
| requests that your own requests are simply merged into
|
| having a wife and kids helps with this. or any shared
| wifi with a guaranteed shitstream for your tunnel to wade
| through
| stavros wrote:
| How are the browsers and the big 5 getting the data? It's
| not like you can't see what your browser is sending where.
| sheerun wrote:
| From my experience, non-tech people just leave browser
| defaults. I'd argue this is better than letting them use
| public wifi without VPN. If you really care about security
| you won't use it, of course
| dataflow wrote:
| Public Wi-Fi in the world of HTTPS is not exactly
| terrifying.
| mjevans wrote:
| You forget exactly how much the government felt they got
| out of just knowing who was talking to whom, not even
| bothering to collect the data of the conversation itself.
| NegativeLatency wrote:
| Now they only have to subpoena/hack/partner with
| microsoft for that
| somenameforme wrote:
| Microsoft was one of the first companies to sign up for
| PRISM [1], doing so in 2007. I think there's a
| subconscious feel among many that because the media
| stopped reporting on these things, that it stopped
| happening. PRISM never ended, and almost certainly has
| only expanded and grown even more invasive and brazen
| largely owing to society's apathy towards what Snowden
| revealed.
|
| Literally to this day one can read things like the NSA
| manual for using their software that enables real-time
| absolute surveillance of Skype: "User's Guide For PRISM
| Skype Collection." [2] The idea of any degree of privacy
| from any tech company hosted in America is a lie. The
| main difference with China is that we lie about our
| surveillance state, and force companies to lie about it,
| while China openly advertises theirs.
|
| [1] - https://en.wikipedia.org/wiki/PRISM
|
| [2] - https://www.aclu.org/sites/default/files/field_document/Guid...
| snickerbockers wrote:
| Yeah, but I'm pretty sure 99% of the population just clicks
| past those SSL certificate warnings, in part because they
| don't understand what that means, and in part because
| there are way too many sites that let their certificates
| expire.
| newZWhoDis wrote:
| > Public Wi-Fi in the world of HTTPS
|
| Story time. Someone I know once got laid thanks to
| Facebook not encrypting their sessions
|
| My university was still using basic ass unencrypted WiFi
| with some kind of terrible dns-hijack sign in to "auth".
| This of course meant that everyone put their shiny
| MacBooks on essentially public wifi and logged in to
| social media in the clear in class.
|
| Some enterprising chaps made a browser extension that
| made it trivial to snoop any open sessions and
| impersonate that session in a new tab.
|
| Someone I know would do this during lecture and post to
| people's social media as them saying they should pay
| attention in lecture. Possibly some other scandalous
| things were said. The hilarity that led from that
| stranger doing so led to the beautiful nerdy girl sitting
| behind this person noticing and daring them to post more.
| That became hanging out, parties, and as far as I know
| they got married and have kids now.
|
| Literal people exist that wouldn't otherwise because
| Facebook didn't have HTTPS
| RockRobotRock wrote:
| Is your friend Samy Kamkar?
| Groxx wrote:
| > _Some enterprising chaps made a browser extension that
| made it trivial to snoop any open sessions and
| impersonate that session in a new tab._
|
| Firesheep was super big for a while, yeah. I used it to
| show a few coffee shops that yes, really, WiFi with a
| password of "password" was measurably better for their
| customers than no password:
| https://en.wikipedia.org/wiki/Firesheep
| staticassertion wrote:
| Fuck, HTTPS was already popular by the time I went to
| college. That explains everything.
| newZWhoDis wrote:
| To be fair this needed HTTP _and_ WPA(?) lol. Old school
| wifi let you see everything every other client sent.
| jcims wrote:
| I credit the fact that basically nothing was encrypted
| over the wire when i got into computers in the 90s for
| learning how protocols work.
| samstave wrote:
| Public wifi and bluetooth detectors all over is what's
| scary, as most public wifi is used by phones, not
| machines and who the hell is running edge on their phone?
|
| but this just reminded me of the failed FB phone and the
| failed microsoft phone...
| dmix wrote:
| What bluetooth devices are you concerned are going to
| leak private data?
|
| Looking at the ones I use daily... headphones, TV
| soundbar, Xbox controllers, TV remote. None of those
| provide an interesting attack vector.
|
| My iPhone isn't really going to be connecting to random
| stuff and leaking data, so I don't really see the risk
| here. Maybe I'm missing something?
| samstave wrote:
| >> _My iPhone isn't really going to be connecting to
| random stuff and leaking data_
|
| Incorrect -- BT scanners and loggers have been LONG
| tracking your things avail...
|
| and the fact that Apple doesn't allow you to "turn off" it
| merely pauses..
|
| both wifi and BT...
|
| they use prox sensors for BT for airtags, wifi etc and
| ALL OF THAT data is mined like mad.
|
| Any Apple person that says otherwise is lying to you.
| dmix wrote:
| So deanonymizing bluetooth device IDs. I know the
| Canadian spies used airport Wifis to deanonymize Wifi MAC
| addresses then set up wifi stations all over Toronto to
| experiment in tracking people.
|
| How would they do the same for bluetooth? Broadcasting
| "Dans iPhone" doesn't tell you much.
| samstave wrote:
| Correct, but it's a more insidious web on this level...
|
| they have so many correlation engines for device
| location, that it will soon be impossible to be "off
| grid", if its not already.
|
| how the heck do you think there are fn leaks from over a
| decade ago of "text messages received by the government
| reveal that person X who is on the shit-list was quoted
| as saying [BULLSHIT] sources close to CNN have stated.."]
|
| ASIDE: Famous story from ~20 years ago was talking about
| the CIA handlers at CNN... and the revolving door of in-
| q-tel emps from fb moving back and forth within the
| security team (one of which had to be walked out of the
| building for [things])
|
| you don't need "dan's phone" they have had ECHELON for
| DECADES and were able to literally do 6-degrees ppl
| tracking since the 1990s...
|
| WTH do you think they named it "starlink" instead of sky-
| net...
|
| And when they built the first part, they were advertising
| the wonderful things the rural folks in africa's greater
| continent will benefit, then after a few years they
| showed that the system will primarily service the dense
| populations of the coasts of places like the USA and AUS
| -- which is where a big portion of the five-eyes service.
|
| IMEI and such is a bitch..
|
| iOS is the biggest location tracking platform ever...
|
| Remember when the founder of Android (from Danger) was
| let go from google with a ~200MM$ golden parachute at
| $90MM to gtfo?
| gambiting wrote:
| HTTPS is trivial to break with a man in the middle
| attack, yes you get a scary warning in your browser about
| an invalid certificate, but I'd bet that 90% of people
| will just click through it and ignore it.
| gsich wrote:
| >trivial >requires user mistake
|
| Not sure how that matches.
| gambiting wrote:
| It's trivial to set it up for the attacker. If you have a
| Linux laptop you can set up a redirect for all the
| traffic on the network through your machine with two
| commands, then there's plenty of tools that will
| intercept any incoming HTTPS certificate, replace it with
| your own, then decrypt the traffic. It sounds like a lot
| but anyone can set this up in about 15 minutes - that's
| why I said it's trivial.
|
| The user mistake is just clicking "advanced" then
| "proceed". I know all my family members would do that
| without questioning.
| fsckboy wrote:
| it's not so easy to click through, because I often try
| and it really seems like they don't want you to, the
| dialogs are very confusing.
| ShinTakuya wrote:
| I'd argue the invalid certificate would only get the
| middle segment of semi-tech literate but security
| illiterate people. So maybe a lot of people on this site.
| The average user, based on my observations, tends to
| take these warnings very seriously.
| jiayo wrote:
| Have you looked at what the UX is for invalid
| certificates in 2022? It's not like ten years ago where
| you just click enough times and "visit anyway".
|
| Here, try this link in Chrome: https://untrusted-root.badssl.com/.
| When you click Advanced, it tells you
| "the website sent scrambled credentials that Chrome
| cannot process". And beyond that there's just no button
| to bypass it. You can't visit the site. (Sure, there's
| probably a chrome://flags or --disable-web-security way
| to bypass this, but that's well beyond the average user's
| comfort zone, as well it should be.)
| gambiting wrote:
| I clicked that link - in Chrome on Android all I had to
| do was click "advanced" then "proceed anyway". I have
| never changed any flags or default settings in this
| browser.
| 988747 wrote:
| I just tried to open the site in Safari, and there's no
| "Continue anyway" button, only "Go Back". I did not
| change any default settings, because I use Firefox as my
| daily driver (and Firefox does have "Accept risk and
| continue" button, but I think the word "risk" on it is
| scary enough for many people to not click it).
|
| EDIT: It turns out there is a "visit this website anyway"
| option in Safari, but it is not a button, it's a link
| which you only notice when you click "Show details"
| button and read the warning.
| chrnola wrote:
| A slight digression, but I read[1] recently that typing
| "thisisunsafe" while the tab has focus is sufficient for
| bypassing the warning.
|
| [1]: https://twitter.com/cyb3rops/status/1561995926666985472?s=20...
| LtWorf wrote:
| Uh I just have to click "advanced" and then "proceed
| anyway".
|
| I tried on a blank profile to make sure there were no
| strange settings.
| shepherdjerred wrote:
| I highly doubt this prediction is accurate. Most people
| will think something is broken and call tech support.
|
| Aside from that, this isn't possible for HSTS sites.
| 1vuio0pswjnm7 wrote:
| "Aside from that, this isn't possible for HSTS sites."
|
| Isn't it possible for the user to disable HSTS. A simple
| web search produces detailed instructions, from a CA.
|
| https://sectigostore.com/blog/how-to-disable-hsts-in-chrome-...
|
| Also, what does "HSTS sites" mean. Does it mean (a)
| "official" HSTS via HTTP header alone, (b) "unofficial"
| HSTS via preload list (see RFC 6797 section 12.3), i.e.,
| the list maintained by Google, hardcoded into a browser,
| or (c) both. The "unofficial" approach only seems
| feasible for a limited number of domainnames and
| unworkable for every domainname in existence.
|
| In tests I have done on Chrome (YMMV), executing "Clear
| site data" via Developer Tools, or including
| Clear-Site-Data: *
|
| in an HTTP response header, e.g., added via a user-
| deployed proxy, will clear an "official" HSTS block,
| allowing the "MITM" to proceed.
|
| Besides being generally annoying, HSTS allows for setting
| "supercookies" that persist even in "Incognito" mode
|
| https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-bro...
|
| The RFC for HSTS even admits how it can be used for web
| tracking. Not too concerning for the advertising company
| sponsoring the RFC.
|
| 14.9. Creative Manipulation of HSTS Policy Store
|
| Since an HSTS Host may select its own host name and
| subdomains thereof, and this information is cached in the
| HSTS Policy store of conforming UAs, it is possible for
| those who control one or more HSTS Hosts to encode
| information into domain names they control and cause such
| UAs to cache this information as a matter of course in
| the process of noting the HSTS Host. This information can
| be retrieved by other hosts through cleverly constructed
| and loaded web resources, causing the UA to send queries
| to (variations of) the encoded domain names. Such queries
| can reveal whether the UA had previously visited the
| original HSTS Host (and subdomains).
|
| I use a loopback-bound forward proxy to enforce zero
| tolerance for HTTP across all programs, not just the web
| browser. Everything is sent via HTTPS. The proxy is
| configured to check certificates, and deny
| connections, according to rules I set. I use a text-only
| browser for noncommercial, recreational web use so I need
| a forward proxy, if for nothing other than to deal with
| the spread of TLS. But I also use it for a whole laundry
| list of tasks.
|
| Maybe it is just me, but HSTS, like much of Google's
| rhetoric, comes across as unfriendly if not hostile to
| proxies, regardless of who is running them. Consider this
| line from the RFC
|
| "The rationale behind this is that if there is a "man in
| the middle" (MITM) -- _whether a legitimately deployed
| proxy_ or an illegitimate entity -- it could cause
| various mischief (see also Appendix A ("Design Decision
| Notes") item 3, as well as Section 14.6 ("Bootstrap MITM
| Vulnerability"));"
|
| "Mischief." Does that include inspecting one's own HTTP
| traffic on one's own network. How about blocking certain
| methods of tracking, data collection and advertising.
| Apparently it includes disabling HSTS.
|
| Let's be honest. Google is an undisputed king of
| "mischief". The stakes for Google mischief are much
| higher and there have been too many fines to count.
| Consider the latest. How many people deploying their own
| proxies get fined $4B. (Arguably, an issue of "control"
| was at the heart of that decision.)
|
| https://www.theregister.com/2022/09/14/european_court_fines_...
|
| If the proxy is "legitimately deployed" then why not stay
| out of the network operator's way. Let them have control.
| Give the option to cede control to Google instead of
| making it a default.
|
| I use HSTS for commercial, nonrecreational web use, when
| I have to use a "modern" browser. That is a small
| fraction of total web use for me.
| heavyset_go wrote:
| Thanks for the informative post.
| gambiting wrote:
| Really? Most people? I cannot think of anyone from my
| family who would even think about it for a second - they
| would just get annoyed they can't get to their bank
| website or whatever and just click continue. Also what
| tech support? Me?
| elcomet wrote:
| But now there is no button "continue", you have to click
| multiple buttons, which are not clearly labelled, in
| order to see the page. I'm sure 90% of people would not
| even be aware that you are able to continue.
|
| Even more, for self-signed certificate on chrome, there
| is _no_ button to continue for example. Check
| https://self-signed.badssl.com/
| gambiting wrote:
| In your example, all I had to do was click advanced then
| proceed (Chrome on Android)
| elcomet wrote:
| Ok, on chrome desktop there is no way to bypass the
| security
| not2b wrote:
| Yes, there is. I often have to use it to deal with some
| internal misconfigured site inside the corporate intranet
| (the cause is almost always that a certificate has
| expired, when it isn't it's because a host can be reached
| with two names and the cert matches only one of them, but
| that case can be fixed by using the proper URL). I have
| no trouble telling chrome desktop to bypass.
| not2b wrote:
| ... and I always read the details before proceeding
| (finding out what chrome's problem with the cert is).
| elcomet wrote:
| For some type of errors it is possible, for some other it
| isn't. Check the badssl website and test the various type
| of bad certs, you'll see.
| shepherdjerred wrote:
| From my experience working as on-campus tech support in
| college, most people who aren't tech savvy will quickly
| give up or look to someone else for help. They will
| likely not think to click Advanced -> Continue Anyway
| (unless they have been taught to do that before).
|
| Tech support comes in many forms. The owner of the
| website, a friend who knows about computers, someone else
| in the workplace, the vendor they purchased their laptop
| from.
| sbierwagen wrote:
| HSTS cannot be overridden. Which bank domain names are
| you thinking of that are not one of the twelve thousand
| names on the HSTS preload list?
| https://source.chromium.org/chromium/chromium/src/+/main:net...
| LtWorf wrote:
| I tried 5 banks (swedish and italian). None of them are
| in the list. I feel safer now :D :D :D
|
| handelsbanken.se danskebank.se unicredit.it fideuram.it
| sella.it
| ripdog wrote:
| Banks often have awful security systems. Kiwibank in NZ
| has a "two-factor security" system. All it is is a
| security questions thing where you click on screen to
| fill in 3 letters of the hidden answer. The on-screen
| keyboard makes it secure, you see? Against keyloggers.
|
| I once wrote them a long email about what two-factor is
| actually supposed to be and why it exists, and got a
| reply basically saying "lol ok, our security is great
| ok?"
|
| I've since switched away from them for a bank which does
| 'two-factor' by sending codes via SMS, but only when its
| algorithm decides that it needs to. That's not very
| often.
| sbierwagen wrote:
| handelsbanken.se is on line 163144. (I was a little bit
| off on the length of the list before)
|
| unicredit.it is not on the list, but unicredit.ba and
| unicredit.ro are. (Lines 7331 and 7332) It does send HSTS
| headers.
|
| danskebank.se and sella.it are not in the file, nor are
| the base strings, but both sites do send HSTS headers.
|
| fideuram.it is not on the list, and does not send HSTS
| headers, so they don't seem particularly interested in
| security. They also haven't set an A record for the root
| domain, so visiting `fideuram.it` returns NXDOMAIN. Only
| `www.fideuram.it` exists.
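The checks described in the comment above (does a site send a usable HSTS header, and would that header qualify for the preload list) can be made mechanical. This is an added example, not code from any commenter: the function names are hypothetical, the sample headers are constructed, and the preload thresholds (max-age of at least 31536000, includeSubDomains, preload) are the hstspreload.org submission requirements as assumed here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 6797 section 6.1: directive = token [ "=" ( token | quoted-string ) ]
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
DIRECTIVE = re.compile(r'\s*(%s)\s*(?:=\s*(%s|"(?:[^"\\]|\\.)*"))?\s*' % (TOKEN, TOKEN))
PRELOAD_MIN_MAX_AGE = 31536000  # assumed hstspreload.org minimum (one year)


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def split_directives(value: str) -> Optional[List[str]]:
    """Split on ';' outside quoted-strings; None if a quote is left open."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if in_quotes:
            buf.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_quotes = False
        elif ch == ";":
            parts.append("".join(buf))
            buf = []
        else:
            in_quotes = ch == '"'
            buf.append(ch)
    if in_quotes:
        return None
    parts.append("".join(buf))
    return parts


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Return the policy a conforming UA would note, or None if it must ignore the field."""
    parts = split_directives(value)
    if parts is None:
        return None
    seen = {}
    for part in parts:
        if not part.strip():
            continue  # the grammar allows empty directives ("a;;b", trailing ";")
        m = DIRECTIVE.fullmatch(part)
        if m is None:
            return None
        name, raw = m.group(1).lower(), m.group(2)  # names are case-insensitive
        if name in seen:
            return None  # a directive may appear only once
        if raw is not None and raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape quoted-string
        seen[name] = raw
    max_age = seen.get("max-age")
    if max_age is None or not re.fullmatch(r"[0-9]+", max_age):
        return None  # max-age is REQUIRED and must be delta-seconds
    if seen.get("includesubdomains") is not None:
        return None  # valueless directive; a value is treated as nonconforming here
    # "preload" is unknown to RFC 6797, so a UA ignores it; only the list cares.
    return HstsPolicy(int(max_age), "includesubdomains" in seen, "preload" in seen)


def assess(sts_headers: List[str], over_tls: bool) -> dict:
    """Classify what a response's STS header field(s) achieve."""
    result = {"effect": "absent", "policy": None, "preload_gaps": []}
    if not over_tls:
        result["effect"] = "ignored-insecure"  # STS over plain HTTP is ignored
        return result
    if not sts_headers:
        return result
    policy = parse_hsts(sts_headers[0])  # only the first STS field is processed
    if policy is None:
        result["effect"] = "ignored-malformed"
        return result
    result["policy"] = policy
    result["effect"] = "policy-removed" if policy.max_age == 0 else "policy-stored"
    if policy.max_age < PRELOAD_MIN_MAX_AGE:
        result["preload_gaps"].append("max-age below 31536000")
    if not policy.include_subdomains:
        result["preload_gaps"].append("includeSubDomains missing")
    if not policy.preload:
        result["preload_gaps"].append("preload directive missing")
    return result


if __name__ == "__main__":
    # Constructed sample header values, not captured from any real site.
    samples = [
        "max-age=31536000; includeSubDomains; preload",
        "max-age=300",
        'MAX-AGE="63072000" ; INCLUDESUBDOMAINS',
        "max-age=600; max-age=31536000",
        "max-age=0",
    ]
    for header in samples:
        print(repr(header), "->", assess([header], over_tls=True))
```

A header-only policy ("policy-stored" with preload gaps) protects only after the first successful HTTPS visit, which is the bootstrap case RFC 6797 section 14.6 describes.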
| LtWorf wrote:
| So this shows that your statement about the security of
| hsts headers was overblown?
| hsbauauvhabzb wrote:
| Hsts solves sslstrip, I do not believe it enforces cert
| pinning. Iirc browsers deprecated cert pinning some time
| ago.
| shepherdjerred wrote:
| I've seen HSTS not let me continue without the server
| having the expected certificate recently, so I think
| that's still a thing.
| mr_toad wrote:
| That might be because of certificate transparency rather
| than certificate pinning.
| CommitSyn wrote:
| Plus, Firefox is soon implementing HTTPS-Only by default
| if I remember correctly. What was it, maybe 2016 there
| was a big push for SSL and the majority of the web, even
| login and payment pages, were HTTP? Now only a small
| percentage of the web isn't HTTPS. I have HTTPS-Only
| enabled in Firefox and rarely do I have to click the
| 'Continue Anyway' button to browse an HTTP page. For most
| general users that only use popular services, I'm sure
| it's even more rare.
| ct0 wrote:
| It's so easy, even a dummy like myself can grab a cert for
| my self hosted services. I don't give any HTTP only sites
| any slack
| bbarnett wrote:
| I have a site from 1997, pure html, with drivers, install
| disks, documentation for computers from the 80s/90s.
|
| It works. It's fine. No, it does not need ssl. What,
| someone is going to hack a floppy driver for a computer,
| which doesn't even have a built in network stack?!
|
| No, I am not going to do work on it, any work, at all.
|
| Millions of such sites exist, are fine, are safe.
| hcrean wrote:
| It is all fun and games until one of the downloads from
| your site picks up malware in transit and the user goes
| "why did this web admin infect my computer? Sue!"
|
| This genuinely happens a lot in the 2020s.
| [deleted]
| nradov wrote:
| Please provide citations for those lawsuits.
| mgbmtl wrote:
| I think if you say "genuinely happens a lot" you should
| give some examples, because this seems odd to me.
|
| More likely sites get cloned, improve their SEO over the
| original, and distribute malware.
| [deleted]
| jjav wrote:
| > This genuinely happens a lot in the 2020s.
|
| Sceptical of that claim, can you provide a few documented
| cases?
|
| Particularly for low-volume sites like the parent post.
| LtWorf wrote:
| Ok since it happens a lot can you cite it happening in 3
| different occasions since 2020?
| anthk wrote:
| Set up a gopher mirror too :)
| searchableguy wrote:
| http://n-gate.com/software/2017/
|
| I always chuckle at this _site does not need SSL_ post
| from n-gate.
|
| PS: Use the URL directly in browser because the site
| doesn't like traffic from HN.
| gonzo41 wrote:
| Putting stunnel in front of that site and opening 443 is
| about a solid 30 minutes of effort
| yazaddaruvala wrote:
| > Millions of such sites exist, are fine, are safe.
|
| Frankly, even sadly, they are also entirely forgettable
| and don't add enough value to hold back the modern web.
| nlewycky wrote:
| > No, I am not going to do work on it, any work, at all.
|
| Without HTTPS, the content can be replaced entirely. Last
| time it was JavaScript that DDOS'd github. If you don't
| want to serve content over HTTPS, then you don't care
| what your users receive. Just delete the site and they
| all get 404's instead, since you already admit that you
| don't care either way.
|
| If it makes you feel any better, HTTP without HTTPS was a
| mistake we all made together. It should never have
| happened.
| sanroot99 wrote:
| Seems like, since inception, internet protocols were
| designed with foreseeable security implications. The GNUnet
| project is attempting to solve this
| jjav wrote:
| > If it makes you feel any better, HTTP without HTTPS was
| a mistake we all made together. It should never have
| happened.
|
| Given that http predates SSL 1.0 by a few years, somewhat
| inevitable.
| jchw wrote:
| That is fine. The site itself is _safe_. Accessing it
| over untrusted transits is not. What has changed since
| 97? Well, attacks became far more sophisticated, and the
| transits that people access stuff over became far less
| trustworthy.
|
| There is nothing wrong with your website. However, you
| shouldn't be surprised when modern browsers stop working
| with it. Progress doesn't come free.
| kbenson wrote:
| Not caring about whether some segment (possibly even a
| majority) of users can or are willing to jump through
| hoops to access your site is a valid choice, just like
| publishing through gopher is. You do you.
| viraptor wrote:
| > with drivers, install disks
|
| Depending on what the drivers are for, you may be a prime
| candidate for MitM. People already go to your site to
| download software they're going to run in the most
| privileged mode. This is a perfect candidate for a type
| of watering hole attack.
|
| Considering you're providing those for 90s machines, you
| could be the last resort website for a few interesting
| industry computers with no security restrictions around
| them.
| jjav wrote:
| > Depending on what the drivers are for, you may be a
| prime candidate for MitM.
|
| Doing that MitM is technically very easy, but in practice
| pretty hard. You'd have to have an adversary on your
| network path watching for connections to this particular
| esoteric low-volume site hosting drivers for machines
| from the 80s and 90s.
|
| That is extremely unlikely.
|
| I have a much easier way to target that content: Just put
| up a new site hosting the same content with malware
| attached. No need for MitM shenanigans.
|
| Security isn't about absolutes, it is about risk
| management and being aware of the likelihood and
| consequence of the risks is important.
| chlorion wrote:
| You are hosting executable data of some kind on a non-
| authenticated protocol. That's totally not dangerous at
| all. A MITM definitely couldn't cause any damage by
| altering executable data in transit on unsuspecting
| users. This has never happened to anyone.
|
| >are safe
|
| No, they are not.
|
| >No, I am not going to do work on it, any work, at all.
|
| If you are too lazy to do it securely maybe you just
| shouldn't do it at all.
|
| HTTPS everywhere by default can't come fast enough. There
| is no excuse at all to not have HTTPS support today and
| browsers should deny access to these lazy and careless
| sites by default. Anyone who can't spend the 5m to set it
| up for their website can go kick rocks as far as I'm
| concerned.
| sfink wrote:
| The site contents don't necessarily matter.
|
| You're at a coffee shop or library using their WiFi. Your
| computer sends a plaintext HTTP message. The attacker
| just needs to be able to see that message and get a
| response back to you before the real site does, and the
| real site is a lot further away than the guy sitting at
| the table next to you (or the hacked router, if he
| doesn't want to be there in person). Then they can feed
| your browser whatever they want.
|
| A login form to phish you, perhaps?
|
| They can even start replying, then go off and fetch from
| the actual site before finishing the response, if it
| helps to incorporate the real data.
| staticassertion wrote:
| No one is forcing you to use TLS. Do whatever the fuck
| you want, it's your site?
| memen wrote:
| You could host hashes of the downloads on an https page.
| Should be quite simple. Malware can still work on a
| computer without a built-in network stack and if users
| are getting downloads onto that computer, then data can
| leave through the same means.
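Added example, not part of memen's comment or the original thread: one way to apply the suggestion above, checking a file fetched over plain HTTP against a SHA-256 list published on an HTTPS page. The file names, the sample contents and the choice of a sha256sum-style manifest are assumptions constructed for illustration.

```python
import hashlib
import hmac
import io
import re
import urllib.request
from urllib.parse import urlsplit

# One manifest line in sha256sum format: 64 hex digits, a space, a mode
# character (' ' text or '*' binary), then a bare file name.
_ENTRY = re.compile(r"^([0-9a-fA-F]{64}) [ *]([^/\\]+)$")


def parse_manifest(text):
    """Parse sha256sum-style text into {file name: lowercase hex digest}."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        match = _ENTRY.match(line)
        if match is None:
            # Also rejects names containing path separators and sha256sum's
            # backslash-escaped lines, which a download list should not need.
            raise ValueError(f"manifest line {lineno} is malformed")
        digest, name = match.group(1).lower(), match.group(2)
        if name in entries:
            # Two digests for one name would make the result ambiguous.
            raise ValueError(f"manifest line {lineno} repeats {name!r}")
        entries[name] = digest
    return entries


def fetch_manifest(url, timeout=10):
    """Fetch the manifest only from the HTTPS origin that was asked for."""
    wanted = urlsplit(url)
    if wanted.scheme != "https":
        raise ValueError("manifest URL must be https://")
    # urlopen validates the server certificate and host name by default.
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        final = urlsplit(resp.geturl())
        if final.scheme != "https" or final.hostname != wanted.hostname:
            raise ValueError("manifest was redirected away from the HTTPS origin")
        return resp.read().decode("utf-8")


def sha256_stream(stream, chunk_size=65536):
    """Hash a binary stream in chunks so large install images are not loaded whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_download(name, stream, manifest):
    """Return 'ok', 'mismatch' or 'unlisted' for a file fetched over plain HTTP."""
    expected = manifest.get(name)
    if expected is None:
        # Fail closed: a file the HTTPS page does not list is not trusted.
        return "unlisted"
    actual = sha256_stream(stream)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


# Constructed sample: the manifest an HTTPS page would publish for two
# stand-in files (the SHA-256 of b"abc" and of an empty file).
SAMPLE_MANIFEST = """\
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *DRIVER.ZIP
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 *README.TXT
"""


def demo():
    """Check an intact file, an altered copy and a file the manifest omits."""
    manifest = parse_manifest(SAMPLE_MANIFEST)
    return {
        "intact": verify_download("DRIVER.ZIP", io.BytesIO(b"abc"), manifest),
        "altered": verify_download("DRIVER.ZIP", io.BytesIO(b"abc\x90"), manifest),
        "unlisted": verify_download("SETUP.EXE", io.BytesIO(b"abc"), manifest),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The check only helps if the manifest itself arrives over the authenticated channel, which is why `fetch_manifest` refuses a plain-HTTP URL or a redirect to another host.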
| kuekacang wrote:
| We had recently hired new programmers, 2 freshgrad and 1
| junior. All of them use edge on their personal laptop and I
| didn't notice extension button anywhere.
| sbierwagen wrote:
| What percentage do you think of all network traffic that
| Edge handles is 1) Over wifi? 2) Over unencrypted wifi?
| itake wrote:
| From my experience, tech people with non-default browsers
| can't use the internet :(
| supernovae wrote:
| why is it ok if firefox and opera do this but no one else?
| _the_inflator wrote:
| This reminds me of this here:
| https://en.wikipedia.org/wiki/EncroChat
|
| However, the analogy is not 100% on point.
| drews64 wrote:
| what makes you think it's the US government you should worry
| about?
|
| EDIT: clarified "US" government, though I don't necessarily
| intend to suggest other governments are the worry.
| jwond wrote:
| https://en.wikipedia.org/wiki/PRISM
|
| https://en.wikipedia.org/wiki/Global_surveillance_disclosur
| e...
| discordance wrote:
| I think there's more to it than that. Good for some and bad
| for others. A few rough off the top of my head:
|
| Good:
|
| * Better privacy from the intrusive ad motivated JS shit hole
| the internet has become.
|
| * Faster internet for those on slow connections
|
| * Protection from ISP MITM. Many countries now have mandatory
| data collection laws that ISPs have to follow.
|
| * Better than a lot of shady 3rd party commercial VPN
| providers.
|
| * Is opt-in (for now)
|
| * Potential to reduce Google's dominance
|
| Bad:
|
| * Obvious MITM choke point, as you mentioned
|
| * Potential control / monitoring by two large corporations
|
| * Business goals usually override users.
| Thorrez wrote:
| >* Is opt-in (for now)
|
| Are you sure?
|
| >a VPN baked into Edge appears to be turned on by default,
| but only for certain use cases.
| princevegeta89 wrote:
| Besides the unremovable junk they fill on the homepage, now
| this. Uninstalled and will be moving to Brave
| cheschire wrote:
| the only unremovable thing that bothers me is the stupid
| bing points thing that I don't care about. It doesn't
| encourage me to use bing, it just makes me question how
| they continue to manage to swipe my queries enough to
| increase that score.
| ectopod wrote:
| Edge is a pretty good local pdf reader so I added a
| firewall rule to stop it connecting to the internet.
| gotoeleven wrote:
| Oh you sweet summer child.
| _V_ wrote:
| Damn you, I just spit out my drink! :-D
| mc32 wrote:
| Also Epic.
| darig wrote:
| drews64 wrote:
| Firefox with uBlock Origin and HTTPS only works beautifully
| with Pocket disabled.
|
| Only thing I have to pull out Chrome for is corporate
| intranet.
| smoldesu wrote:
| Using a browser that monetizes itself in _any_ way seems
| like a slippery slope to me. I'd rather use Ungoogled
| Chromium/Bromite or even LibreWolf if it came down to it.
| Saying "that's it, I'm moving to Brave!" is basically
| declaring that you're moving your data from Microsoft(1) to
| Microsoft(2).
| _emacsomancer_ wrote:
| How is Brave Microsoft(2)?
| smoldesu wrote:
| They're both for-profit businesses that will consistently
| put the user experience behind profitability. Open-
| source, libre browsers will not.
|
| I'm sure people said the same thing when Edge was in
| beta. "How is Microsoft Chrome(2)?"
| _emacsomancer_ wrote:
| But Brave is also an open-source, libre browser. And the
| Mozilla Corporation is a for-profit company.
|
| (And I think Edge is _worse_ than being Chrome(2).)
| fragmede wrote:
| > Using a browser that monetizes itself in any way seems
| like a slippery slope to me.
|
| Is that a _practical_ sustainable long-term business
| practice though? Firefox was only able to be free because
| Google was paying Mozilla. Browsers are some complex
| software and software developers wanna get paid. I know
| that the ins and outs of history of browser software
| has conditioned us to expecting browsers for free but
| that doesn't reflect the reality of developing the
| software.
| easygenes wrote:
| Firefox, with its full complement of full-time
| developers, could stay alive with a tiny fraction of what
| Mozilla earns in a year. Most of Mozilla's work is
| tangential to Firefox at best.
|
| Surely there's space in the browser market for a model
| akin more to how Wikipedia operates.
| staticassertion wrote:
| OK so you _do_ want a business model, it's just a
| terrible one.
| smoldesu wrote:
| Sounds better than a black-hole cryptocurrency where the
| devs steal 30% of your transaction 'because they can'
| GekkePrutser wrote:
| This is part of the problem. Mozilla is diverging too
| much into dead ends. Instead of focusing on what they do
| best, Firefox.
| TEP_Kim_Il_Sung wrote:
| > Surely there's space in the browser market for a model
| akin more to how Wikipedia operates.
|
| Donations by corporations, and edited by powerhungry
| users (ryulong) and bots?
| [deleted]
| colechristensen wrote:
| I still have a CD of Netscape Navigator Gold I purchased
| in a box in a store... long ago enough that was a thing.
|
| Those were the days.
| forgotmypw17 wrote:
| I still test and validate my websites with Netscape 2.x
| and up.
|
| Any Browser can be a reality.
| colechristensen wrote:
| If I had my billion dollars I would fund a modern
| intentionally crippled hypertext browser with hard limits
| on programmability and style complexity.
| Karunamon wrote:
| It sounds like you are describing Gemini.
| https://gemini.circumlunar.space/
| pdntspa wrote:
| Why not just bring back the 486?
| forgotmypw17 wrote:
| Some browsers you may want to try, which support only
| HTML and CSS:
|
| Dillo
|
| Links
|
| NetSurf
| Thiez wrote:
| A shame that you would waste your money on a browser that
| nobody would use.
| alcover wrote:
| I would. I already use FF mainly under a locked-down
| profile for mere reading. (I use another profile for
| mandatory interactive sites like banking and stuff).
|
| Others like me would. And resource-constrained devices.
| An eco-system of low-tech sites could emerge with a label
| signaling them as simple and virtuous.
| Thiez wrote:
| So you basically want gemini?
| https://en.m.wikipedia.org/wiki/Gemini_(protocol)
| alcover wrote:
| Interesting. But I meant only using a subset of current
| web stack, and insist on low resource.
| forgotmypw17 wrote:
| The issue I have with Gemini is that it discards 25+
| years of established domain knowledge and existing
| software for something which does not provide any
| additional functionality over what today's software
| already offers.
| LtWorf wrote:
| well google is removing adblockers from chrome to better
| monetise the web...
| GekkePrutser wrote:
| I don't think _any_ way is unacceptable. I'd be totally
| happy to pay for the software for example. It's all the
| sneaky crypto / adware / tracking stuff that I have a
| problem with.
| ramesh31 wrote:
| > Using a browser that monetizes itself in any way seems
| like a slippery slope to me. I'd rather use Ungoogled
| Chromium/Bromite or even LibreWolf if it came down to it.
|
| The problem with this approach is that it's impossible to
| get a safe binary that isn't downloaded from
| "libfree.cxcc.gg" or whatever. The other option being to
| build from source, which is an absolute nightmare for
| Chromium.
| smoldesu wrote:
| All of those browsers have signatures available if you
| question the integrity of your binary. Otherwise this
| argument isn't any different for the likes of Brave or
| Chrome even.
| ramesh31 wrote:
| > All of those browsers have signatures available if you
| question the integrity of your binary
|
| Signatures available from whom?
|
| The point being that a web browser is a very special case
| of software that has to be _absolutely_ 100% trustworthy
| from a reputable commercial entity (that is, someone that
| can be sued). The only other thing with that level of
| trust is your operating system.
| Entinel wrote:
| This line of thinking is why Chrome owns most of the
| internet. No one else can hope to compete because they
| just get screeched down.
| smoldesu wrote:
| Chrome owns the internet because people like Brave don't
| develop their own browser engine.
| Am4TIfIsER0ppos wrote:
| Companies like google keep expanding the effort needed to
| write a browser engine to ensure everyone uses their
| spyware.
| smoldesu wrote:
| Then companies like Apple should stop shrinking their API
| targets and contribute to the general wellness of
| computing, for a change.
| rytis wrote:
| Can you please give a concrete example of what Apple
| should do, in your opinion, to expand their API targets?
| And how is that related to web standards complexity?
| smoldesu wrote:
| People complain about excess functionality being added to
| web browsers (HTML5, WebXR, WebRTC, etc) and many of
| these complaints are valid. Web browsers don't need these
| features, they should be relegated to native apps.
|
| Except they can't be. Native apps don't offer the same
| freedoms that the web does. And so, we keep stacking
| technologies on top of web browsers to alleviate the
| problem. It's a bad situation, and both Google and Apple
| are gruesomely complicit in making this situation worse.
|
| > Can you please give a concrete example of what Apple
| should do, in your opinion, to expand their API targets?
|
| Stop browser lockdown. Allow sideloading. You know, the
| basics of computing that we had figured out since the
| mid-90s or when we sued Microsoft.
| mozey wrote:
| Few people attempt this... Here is one: Ladybird
| https://awesomekling.github.io/Ladybird-a-new-cross-
| platform...
| Entinel wrote:
| 99% of a web browser's end users do not care if their
| browser uses Servo, Webkit, etc.
| andirk wrote:
| Yes but being able to use all of Chrome's extensions in
| Brave is a huge win to me. And most Chrome documentation,
| Q and A, tutorials are mostly relevant to Brave as well.
| I see Google and other behemoths contributing to an open
| source project as a good thing. The product may not be
| where it is today without their help, including paying
| people to work on a free product. Still, yeah don't trust
| them.
| autoexec wrote:
| I'd guess pretty close to that number don't even know
| what those are in the first place.
| marshray wrote:
| Chrome owns the internet because web standards have
| become so complex that not even Microsoft can afford to
| maintain their own browser engine.
| supernovae wrote:
| Microsoft edge non chromium was fine, but no one used it.
| So they went chromium based.
| q-big wrote:
| > Microsoft edge non chromium was fine, but no one used
| it. So they went chromium based.
|
| Are people now using Edge because of this change?
| int_19h wrote:
| Edge has made substantial gains in market share in the
| past few years. But it's hard to definitively ascribe it
| to any specific change.
| smoldesu wrote:
| So what's the solution? I hate this status quo as much as
| you do, and standing here in a Mexican Standoff is not
| viable forever. You're right. "The web" as a platform has
| been twisted and perverted beyond real usability at this
| point. There is no path forward where we undo Google's
| damage and preserve the qualities of the web we enjoy
| today. So, how do we fix this?
|
| The solution (to me) is simple - fix native app
| distribution. Make platform targets operate the same as
| they used to, and give people control over their computer
| again. The only ones preventing us from a platform-
| agnostic utopia is Apple and Google, both of whom profit
| off the artificial difficulty of distributing
| applications.
|
| So, here we are. Google is poisoning the web while Apple
| refuses to swallow their pride. Everyone is hurting, and
| nobody stands to gain anything but the shareholders. A
| hopeless situation, but let's not pretend like
| _everything_ here is morally grey.
| int_19h wrote:
| For starters, if a company makes a web browser with
| market share exceeding 50%, and also produces web sites
| and web apps, if those web sites and web apps do any
| sort of user agent testing or require non-standard
| features of the aforementioned browser, it should be
| treated as ipso facto monopoly abuse.
| xani_ wrote:
| The solution is already impossible. When Mozilla had
| browser domination they had a chance to dictate
| _something_. The moment Chrome became popular, now
| another company, just as MS and IE did before, could just
| do the feature creep of "add feature, subtly break/slow
| down opposition, get more users that just want browser
| that works"
| hollerith wrote:
| >not even Microsoft can afford to maintain their own
| browser engine
|
| We don't know that. Maybe Microsoft could maintain their
| own browser engine if Google hadn't provided one on
| permissive open-source licensing terms that met their
| needs.
| numpad0 wrote:
| Microsoft tried with Edge V1, and gave up when Google
| online services started sabotaging it.
| GekkePrutser wrote:
| They gave up way too easily though. I don't think they
| ever had an interest in actually making a good browser
| engine. They've never managed one in their entire
| history. Microsoft love mediocrity, the "just good
| enough" mindset. Nobody takes their products on because
| they really excel at what they do. Just because they have
| a huge installed base, they're not so bad there's really
| a problem to use them and they integrate with everything
| else (e.g. Windows) nicely. For example Slack is so much
| better than that turd called Teams but nobody wants to
| pay the extra because Teams is free with O365 and user
| frustration doesn't cost anything on the bottom line.
|
| This is why Apple really came out of the blue with Steve
| Jobs' razor focus on quality above all. Microsoft's goal
| is never to be 'best in class'. Because they don't need
| to be. People will buy it anyway.
| bfung wrote:
| >not even Microsoft can afford to maintain their own
| browser engine
|
| MS can afford it financially. The desire to put in the
| effort to is not there.
| smoldesu wrote:
| ...that's what they're saying. Microsoft has no reason to
| build their own browser when they can fork Chrome and
| preinstall it on their computers.
| IncRnd wrote:
| It's the other way around. Brave uses the Chrome browser
| engine, because Chrome already developed their own
| browser engine.
| NotPractical wrote:
| Exactly. Brave just takes Chromium (from Google) and adds
| weird crypto stuff to it. None of the Chromium forks are
| "different browsers" in my eyes. They all depend on
| upstream for everything important. They couldn't develop
| the browser on their own.
|
| Just use Firefox. It works just as well as Chrome (*),
| but it's based on a completely different engine which was
| built from the ground up.
|
| (*) On desktop at least (on Android I still use a
| Chromium fork for now)
| tbrownaw wrote:
| I have at least three sites I use that I have to open in
| edge since they don't work properly in Firefox. Local
| bank, credit card issuer, and employer's guest wifi login
| portal.
| brabel wrote:
| I use FF and when this happens it's almost always some
| extension you have installed. Try disabling some
| extensions and go to those sites again.
|
| If they still don't work, they're doing some messed up
| stuff on those sites.
| beebeepka wrote:
| Oh my. I wonder what that banking site must be doing for
| it to not work on Firefox. It's either malice or
| inconvenience, or both
| Ylpertnodi wrote:
| >Just use Firefox.
|
| No. Well, I'm not so rude, so "No, thank you".
|
| >It works just as well as Chrome (*)
|
| Not on _anything_ I use, it doesn't, so "No....thank you".
|
| Tbf, I do keep trying ff, but...clunky, jeepers! 'Fraid
| I'll hang on until my Brave jumps its particular shark
| and then maybe I'll hop over to something else, but for
| now, and as long as I can still use UblockO, Brave it is.
|
| Even Opera is looking interesting again....
| smoldesu wrote:
| > Even Opera is looking interesting again....
|
| What browsers have you been daily-driving to come to that
| conclusion?
| staticassertion wrote:
| The thing I like most about Brave is actually the crypto
| stuff, and I _hate_ almost all crypto. This is actually a
| good use case for it - you have a distributed system
| (users browsing) across untrusted hosts (users).
|
| People like to shit on advertising, but much of the
| internet exists today because of advertising. Do you
| think Youtube could exist at that scale without ads? I
| don't think so, personally. At least, not without another
| way to monetize.
|
| Brave is the _only_ player providing an _alternative_
| monetization strategy. Crypto or not, to me, that is by
| far the most interesting thing a browser has done in a
| long, long time.
| silisili wrote:
| > Brave just takes Chromium (from Google) and adds weird
| crypto stuff to it
|
| That's a really unfair(and untrue) statement. Brave also
| removes some code they find privacy violating, built in a
| best in class adblocker, built a full cross-device sync
| system that works perfectly, some UI tweaks and
| enhancements, built Tor connectivity in, etc. Probably a
| lot more that I'm leaving out.
|
| I am def not a fan of crypto or BATs or whatever they
| were pushing, but you can use it fine ignoring all of
| that.
| smoldesu wrote:
| To be fair, you can also disable Microsoft's built-in
| VPN. The problem is trusting people who don't have your
| best interests at heart, and using Brave products just
| kicks that can further down the road.
| somenameforme wrote:
| Brave is 100% open source: https://github.com/brave/
|
| Normally this might just be a platitude of the sort, "Go
| check it for yourself." But in this case that's not what
| I'm saying. Brave is going to be used by large numbers of
| tech focused users with a privacy/security bent. And they
| are also competing against Google who will make sure even
| the slightest slip by Brave is promoted across the
| entirety of the web.
|
| That code is scrutinized heavily. That the worst you can
| find about Brave is people making false statements about
| crypto stuff (it is entirely optional and opt-in with 0
| coercion or dark patterns to push you there) speaks
| incredibly highly as to the current state of the Browser.
| Might that change in the future, as you seem to be
| suggesting? Yip! And when it does there will be a new
| Brave. But for now they continue to stay on an excellent
| path forward.
| LtWorf wrote:
| As if chromium wasn't a fork of konqueror
| [deleted]
| magic_hamster wrote:
| I don't see a reason to use anything but Firefox on
| Android. It's got full parity to its desktop
| counterpart. It's amazing.
| rightbyte wrote:
| Many sites are broken on non-Google browsers though. But
| the advantage of being able to use adblockers in Firefox
| alone outweighs that - not even taking privacy into
| consideration.
| [deleted]
| lemper wrote:
| I actually use firefox on android for 7 years or so.
| never experienced broken sites on it. can you please give
| me some examples of broken sites?
| rightbyte wrote:
| Thinking about it, only internal time reporting tools.
| Both on my current and prior employer they only worked
| with Chrome or IE.
|
| I think I overestimate the amount of broken sites due to
| the adblocker messing them up, not Firefox.
| Zardoz84 wrote:
| and allows to install an adblocker
| maguirre wrote:
| Tangentially related. Using Firefox on Linux for anything
| Google chat/voice call related is not a very pleasant
| experience
| daptaq wrote:
| You could also consider the Firefox forks Fennec and
| Mull.
| [deleted]
| autoexec wrote:
| Firefox is pretty nice once you beat it into submission.
| I'd put my money there before Brave.
| kdtsh wrote:
| Honestly I find the defaults plus uBlock Origin and
| Multi-Account Containers to be fine, no beating required.
| autoexec wrote:
| I must have a hundred things that I change on every
| install. At a bare minimum I'd be disabling pocket,
| prefetch, and search from the address bar for privacy
| reasons and then disabling service workers, webgl, and
| wasm for security reasons.
| mhardcastle wrote:
| I'm very glad you mentioned the homepage spam. It's
| increasingly difficult (and valuable) to live without
| information overload these days; Edge's forced "news" spam
| has pushed me away as well.
| SimoneSleek wrote:
| blocking msn.com via hosts will give you a blank new tab
| page in Edge, only including an Edge background image,
| and a search bar leading to your chosen search engine.
| int_19h wrote:
| You can disable all that from Edge itself, at least on
| the desktop. When on the new tab page, there's a "Page
| settings" icon in the top right. If you click on that,
| there's a bunch of options there regarding what should be
| present on the page; the bottom-most item is "Content",
| and if you set it to "Content off", it all goes away.
| KyleK wrote:
| true, but the default new tab page sets cookies and
| connects to MS all the time. When blocking msn.com, it
| loads local resources only.
| princevegeta89 wrote:
| What is shocking is the content is so low quality it's
| appalling it came from a big, respected company as
| Microsoft. A lot of the posts are often clickbaits, and
| there are ads carelessly interspersed between the posts
| all over the page.
|
| I know it makes a lot of money for Microsoft but the fact
| they chose to keep the quality so low really looks bad.
| ekianjo wrote:
| "Respected"? Since when is Microsoft respected?
| mistrial9 wrote:
| Biz, gov and mil management relies on MSFT; executives,
| their attorneys and bankers, respect MSFT for doing what
| they do ($$). Similar to big retail and worse, gambling,
| the single user is last in line; used and abused
| individuals.. nobody expects a lot from the individuals
| involved, and their opinion matters less. Wolves among
| sheep, basically.
| princevegeta89 wrote:
| The company is respected for being so big and being a
| stable, high performer. Obviously they did a lot in
| "personal computing" as well
| w0m wrote:
| I'm all for pushing for more privacy/etc; but is Brave what
| we want to advocate for as an alternative? They did some
| pretty heinous link jacking relatively recently. I'm not
| sure FF/(/chromium) have been caught doing anything worse
| than that yet.
| Datagenerator wrote:
| Or the privacy focused Librewolf (fork of Firefox)
| tekknik wrote:
| While it doesn't resolve all the issues, the single point to
| monitor is your internet connection where they have
| jurisdiction, not some arbitrary VPN provider. Then if they
| can force the IKE a certain way they decrypt.
|
| I think the other side of this is if you have FBI attention,
| do you really want to look more suspicious? Whatever fight
| you try with them you will not win.
| at-fates-hands wrote:
| I work for a very large corporation who has decided the
| default browser will be Edge. Getting another browser
| installed on your machine takes an act of congress and
| several upper level approvals.
|
| Does this mean they will also have the ability to collect
| corporate data from the browser in companies like mine?
| meltedcapacitor wrote:
| Just compile Firefox or chromium to WebAssembly and run it
| inside Edge. :-)
| cyanydeez wrote:
| Corporations have shown worse proclivities than the US
| government these days.
| muricula wrote:
| Like your internet service provider you already have??
| xboxnolifes wrote:
| An ISP is not a single point for all Windows users.
| BillinghamJ wrote:
| Cloudflare is probably not far off, though not an ISP in
| quite the same sense
| bisby wrote:
| While I agree with the sentiment that ultimately we have to
| have some level of trust somewhere on the stack, there are
| a few minor differences.
|
| In theory anyway, I pick my ISP. If this was "support for
| using a VPN" instead of "we're injecting OUR VPN" I would
| feel a lot better.
|
| I'm aware I'm using my ISP. Even someone who doesn't know
| much about computers knows their traffic is going
| somewhere. They might not know the repercussions of that,
| but if this is just transparently on in the background,
| effectively a keylogger, a user might never know this is
| happening.
|
| I give my ISP money. Back to the choice option. Some ISPs
| are bad and are trying to nickel and dime you to maximize
| profits. Some ISPs are actually good (I'm not swiss so I
| don't know for sure, but Init7 looks amazing
| https://www.init7.net/en/support/faq/privatsphaere/). I
| don't have to question with my ISP "how are they profiting
| off of me" because I give them money every month. They
| might be, but they don't intrinsically NEED to be scraping
| my data. I am not sure how Microsoft benefits from giving
| me a free VPN unless they are scraping my data.
|
| I can use a VPN to bypass my ISP monitoring if they do
| monitor. I have no idea how Microsoft's stuff is set up
| here. If the end result is that it gets routed through
| their VPN after my VPN, or instead of my VPN, or even
| through their stuff at all, but with stamped metadata, then
| there's not necessarily a great way to get around it other
| than "don't use Edge"
|
| In general, yes, your ISP isn't your friend. But an ISP is
| something I asked for, have a use for, and need. A
| Microsoft stealth VPN is none of those things.
| gfaster wrote:
| This was also how I could justify being more trusting of
| Apple. They didn't _need_ all my data because that was
| paid for up front. The ongoing services that needed to
| make money I used were also paid for. Obviously that's
| no longer quite true with Apple ramping up their ad
| business, but that attitude is still often the best you
| can do without a level of effort that I just am not
| willing to go through.
| dheera wrote:
| It's because they are shareholder-driven, not customer-
| driven.
|
| Clueless shareholders on the 59th floor of JP Morgan who
| don't even use Edge see "oooh VPN, me like buzzwords" and
| upvote the stock.
| vintermann wrote:
| Yup, a VPN is not a security measure at all unless you trust
| the VPN provider more than the site you're connecting to...
| Schnurpel wrote:
| Actually, with a VPN, you need to trust the VPN provider
| AND the site you're connecting to...
| bryanrasmussen wrote:
| well you might have a reason to trust a VPN provider you
| pay for, but who is the customer for MS Edge.
| manholio wrote:
| The insane thing is that, because the VPN has a 1GB/month
| traffic limit, there is no way to enforce it unless they
| _associate all traffic with a Microsoft controlled user
| identity_. Cloudflare literally has to keep track of any
| sites you visit and associate them to your ID to make it
| work.
|
| Though, I do believe that for connections from public
| WiFi it's somewhat of an improvement. It establishes a
| minimal security baseline of: "ok, we'll sell your data
| and let FBI snoop on you, but we won't inject trojans in
| your downloads and then hijack your webcam to create
| ransom-porn (though the FBI/??? might)".
| rpgmaker wrote:
| And not even then. Most VPN providers in the top 10 are
| actually very shady and their organizational structure is
| quite opaque.. to say the least. I wouldn't be surprised
| if at least half of the top providers are actually FBI
| fronts, like the ANOM chat app.
| eli wrote:
| My ISP reserves the right to sell data on the sites I
| visit. If the VPN provider promises not to do that, it's
| probably a win.
| ptsneves wrote:
| ISPs in Poland at least give you the ability to pay so
| they do not spy on you. It is very small (10%) but I have
| no doubt most people cheap out. Internet is relatively
| cheap here.
| smeagull wrote:
| It is so weird that they're 'VPN providers'. They're
| proxies. It's not really a VPN unless I'm in control, or
| they're providing servers in the VPN to connect to.
| staticassertion wrote:
| They already have that with ISPs, right? I don't see this as
| worse. If anything ISPs are _more_ scummy.
| api wrote:
| It's also a way to front run ISPs in the data market. Then
| these vendors can sell the data on the data broker market and
| pocket the cash the ISPs are getting by selling whatever
| browsing history data they can infer (from DNS and traffic).
|
| I suspect this is the corporate motivation. The increased
| state surveillance and control is a side effect.
| datalopers wrote:
| Wait til you hear about Cloudflare
| devwastaken wrote:
| CF removed kiwi farms from their services. If they're
| cooperating with FBI they would continue to host and
| intercept traffic to decloak users.
| datalopers wrote:
| Honeypots outlive their usefulness. Take silkroad v2 that
| was actually run by the FBI, yet they still shut it down.
| mejutoco wrote:
| Isn't this what they did with Skype (centralize it)?
| salawat wrote:
| Yup.
| still_grokking wrote:
| > This is absolute BS they're implementing this.
|
| Out of the perspective of a PRISM Premium Partner this makes
| perfect sense.
| jhchjdjsdh wrote:
| they already have this at several points in your network.
| from ISP to target site. meh.
|
| the reason microsoft is doing that is because google is
| forcing their hand with Floc implemented in the browser.
|
| you won't be in ads next year unless you can slurp more
| traffic than the NSA. and only google can do that today,
| thanks to chrome + android. apple is a close second.
| dannyw wrote:
| How is FLOC relevant to this?
| jhchjdjsdh wrote:
| How do you think google competitors will have access to
| all those user to form the cohorts without having the
| browser or google analytics code everywhere?
| d0mine wrote:
| "bad feeling" is too generous. Microsoft is famous for its
| ubiquitous telemetry. It is not a suspicion, data collection is
| a fact. today. already.
| cm2187 wrote:
| Because every recent development in the evolution of Windows
| has been hostile to privacy.
| chinathrow wrote:
| Firefox, having your back since 2002.
| eastdakota wrote:
| The motivation is to keep up with Apple who themselves are
| trying to distinguish themselves from Google. Doesn't need to
| be sinister. If your primary business model doesn't depend on
| tracking people to sell ads, and you're competing with someone
| else whose does, then leaning in to making the use of your
| software/hardware more private makes sense.
| pricci wrote:
| About the pihole problem, redirect all calls to port 53 to your
| pihole.
|
| If Edge is using DoH, you're out of luck.
| numpad0 wrote:
| Does something like `source 0.0.0.0 dest 8.8.8.8 dport 443
| action drop` work for DoH?
| newZWhoDis wrote:
| The pain/anger you're feeling is called stallmanogenesis: the
| suffering induced by realizing, by force or otherwise, that
| stallman was right
| kranke155 wrote:
| Nostradamus of technology, even if we all didn't want to
| believe him.
| amatecha wrote:
| No, yeah, it's sketchy as hell. Welp, another browser I'll
| never touch I guess.
| aborsy wrote:
| The move benefits foreign companies, weakening the domestic
| industry.
|
| Let's see how fast EU can move and regulate the traffic access.
| For instance, demanding that the servers should be accessible
| only to the local governments.
| sedatk wrote:
| > and turns it on
|
| for CANARY users which is a completely normal thing. This kind of
| sensationalism really hurts everyone.
| graypegg wrote:
| When did the world start trusting any company with a VPN more
| than their ISP? I still find the privacy pitch to be flakey at
| best, where at least I can choose who's aware of my traffic, but
| getting past geo-blocks really seems to be the most obvious
| consumer value, which this Cloudflare vpn lacks.
| zapataband1 wrote:
| I thought it was when all the ISPs started basically giving
| away your private info to the government and repeatedly lied
| about it
| seabrookmx wrote:
| I swear VPN privacy is a red herring.
|
| Everyone I know who has a VPN subscription simply uses it to
| prevent DMCA letters from their ISP when torrenting.
|
| VPN providers with a "no logs" policy simply shrug these off.
| BuckRogers wrote:
| I know people that use VPNs 24/7 just for privacy. I would
| assume there's many more that use them for the reason you
| described though. Torrents are less useful than ever, piracy
| is down in general thanks to streaming services and products
| having moved to SaaS. From what I can tell, the number of
| people using VPNs merely for privacy alone is growing and a
| good sign that people feel that strongly about it.
| aliqot wrote:
| > torrents are less useful than ever
|
| ok I'll bite, let's hear it
| hot_gril wrote:
| Media piracy is less tempting than in 2006 (before
| streaming) but more tempting than in 2014 (before
| competition decreased overall and everyone started
| siloing content as part of their truce).
|
| Server-side control has been making software piracy less
| and less viable, video games sorta included. And a lot of
| mainstream games have found ways to make money without
| charging to buy the game upfront.
| LilBytes wrote:
| Media piracy might be less tempting, but it's been
| swinging in the other direction (of becoming valid again)
| for quite a few years.
| nvllsvm wrote:
| For some - it was when their ISP started sending their
| customers scary sounding letters regarding certain downloaded
| movies and shows.
|
| Some ISPs also needlessly block certain sites (ex. Verizon
| blocks nyaa.si)
| hot_gril wrote:
| It can go either way. Many ISPs are known to be nasty, but
| hardly anyone sees the effects of that, so it's hard to tell. I
| think VPNs market "more security," people mostly blindly buy
| it, and everyone is happy.
|
| Yeah, to me, a VPN is only a way around geo restrictions.
| TheFattestNinja wrote:
| ISP injecting content into your connection is a known story
| (google "ISP injecting ads" for many results).
|
| For better or worse Microsoft (or other corps) have not done
| that in recent memory afaik. They might do equally dodgy stuff
| in other aspects, but they don't tamper with the integrity of
| your connection (they might sniff it a bit).
| math_dandy wrote:
| And often you're paying a nontrivial amount of money to the
| ISP for the "privilege" of getting ads and tracking
| injected. This really rubs people the wrong way, justifiably
| so I think.
| wintermutestwin wrote:
| My ISP actively lobbied to be able to harvest (steal) my data.
| Who do I trust more: the guy who says that they aren't selling
| my data, or the guy who corrupted my government so that they
| can actively sell me out (not to mention their monopoly)?
|
| Sure, the first guy could be a liar, but I _know_ that the
| second guy is a thief.
|
| I don't care about geo-blocking - my only threat model is to
| keep a scumbag ISP at bay.
|
| Edit: I should add that keeping sites I browse from knowing my
| IP is also part of my threat model.
| MichaelCollins wrote:
| VPN also has my credit card number, real name, etc. VPN
| doesn't have that; their data is worth less than the data my
| ISP could sell.
| [deleted]
| dizhn wrote:
| Article says the VPN gets activated in public networks. Wifi
| etc. That's one decent use case.
| NoGravitas wrote:
| It's not true of the whole world, but in the US, you generally
| know that your ISP is untrustworthy, while your VPN is a leap
| of faith.
| Thorentis wrote:
| Just wait. VPNs, under the guise of privacy, will be used to
| continue mass surveillance operations. Soon you won't be able to
| access certain sites unless you're using an "official" VPN.
| shuntress wrote:
| This is why net neutrality and easily accessible encryption are
| important.
| 29athrowaway wrote:
| The Microsoft Network is back apparently.
|
| The AOL-like hell that the Microsoft Network was in the 90s makes
| its return in its Neo-Internet Explorer dystopian nightmare.
| collaborative wrote:
| Strangely enough Opera's VPN has suddenly started working after a
| long period of not being "available" and pushing their paid
| version
| jll29 wrote:
| Microsoft, as any company, must abide by federal laws, including US
| FISA court orders.
| bborud wrote:
| Second time today Hacker News makes Firefox look good.
| saiya-jin wrote:
| Seriously, I can't grok why people here don't use it more
| often. Web is 100% usable, what doesn't work in it doesn't work
| in latest chrome either. Web development is fine too, just
| different, not worse. But whatever, use chrome for dev work if
| you love it, and Firefox for _everything_ else, especially
| Internet proper (plus you get another full testing browser, not
| just spoofing user-agent)
|
| It's a great product, and uBlock Origin makes it by far the best
| on the market for internet not only for me, across any devices
| ever made, period.
| bborud wrote:
| _I_ can't grok why _I_ haven't switched. :-)
|
| So this weekend I'll make an effort to switch from Chrome.
| pessimizer wrote:
| https://github.com/aris-t2/customcssforfx
|
| Here's something to use if the UI makes you really upset.
|
| Also you will probably miss translation:
| https://addons.mozilla.org/en-US/firefox/addon/traduzir-
| pagi...
| ohbtvz wrote:
| ...in a "canary" (basically a nightly build), for some users, for
| some specific cases (unsecure http, public wifi).
| omgomgomgomg wrote:
| Did anyone test this? Is it better than Opera's "vpn"?
|
| Can the user configure various geolocations?
| marshray wrote:
| I wonder how it respects legal web censorship orders imposed on
| ISPs like those of China and UK.
| perlgeek wrote:
| I hear the Great Chinese Firewall is pretty good at blocking
| VPNs, they'll likely be able to block this one pretty quickly.
| marshray wrote:
| Sounds like this one is going to appear on the network like
| https connections to Cloudflare.
| edpichler wrote:
| > "...it lacks one important feature users seek in a virtual
| private network: an ability to bypass geo-block. In the case of
| Edge's VPN, you won't be able to choose any server location..."
| Nifty3929 wrote:
| Privacy from our government is becoming illegal. I believe that
| with widespread adoption of VPN services, at some point in the
| next few years the government will prohibit ISPs from sending
| traffic to foreign VPN services - for our protection.
| jfdi wrote:
| Nice work MSFT
| legrande wrote:
| Edge is a reskinned Chromium browser with Microsoft tracking and
| telemetry baked in. Just because they have a VPN now, it doesn't
| make it any more private/secure. Why do people use Edge? If
| you're any way privacy conscious you wouldn't use Microsoft
| products.
| seabriez wrote:
| Based on what source exactly? Microsoft is about equivalent to
| privacy protections as Apple, if not more so.
| mtgx wrote:
| I can't tell if serious or ...
|
| Windows 10 is a privacy disaster compared to previous
| versions of Windows. They track every single app and website
| you open, what files you have on your PC, and much more.
| isoprophlex wrote:
| I beg to differ.
|
| Please compare the severity and extent of
|
| https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Privacy.
| ..
|
| with
|
| https://en.wikipedia.org/wiki/Criticism_of_Apple_Inc.
|
| Depending on how you weigh the issues MSFT is _far_ from
| equivalent on privacy
| woojoo666 wrote:
| It seems that both had alleged collaborations with PRISM.
| The main difference I see between the two wiki articles, is
| that people complain about Microsoft's telemetry but not
| Apple's (even though they do have a lot of telemetry [1]).
|
| In general it feels like Apple has won the trust of the
| public, partially through good products, partially through
| good marketing.
|
| [1]: https://mspoweruser.com/macos-big-sur-has-its-own-
| telemetry-...
| cookiengineer wrote:
| I would be cautious with such assumptions.
|
| There is a good reason why Trident is alive and kicking, people
| just don't know about it. But it's the reason for more than 98%
| of exploits, because shitty software of Microsoft still uses
| Trident to render MSHTML based documents (office etc).
|
| The same will be true for a traffic-observing webview2, for
| decades to come. And it will never be removed again, because of
| Microsoft's development philosophy.
| A4ET8a8uTh0 wrote:
| In my case, it is the default browser at my current company. I
| don't know the reasoning behind it, but we are also forced into
| Teams. Corporate requirements is my reason.
|
| FWIW, it is not bad performance-wise.
| rejectfinite wrote:
| So, I do use Firefox.
|
| But for a windows domain environment Edge makes sense.
|
| - Comes builtin, no need to patch browsers separately and
| worry about outdated Google Chrome installs in a 1000+
| computer fleet.
|
| - Integrates with Office 365 that the company already use/pay
| for.
|
| - Can be managed with policy over Office 365 or Intune
|
| - Has IE Enterprise Mode for the old apps that need IE11
|
| For Teams, the alternative is this:
|
| - Pay for Zoom AND Slack AND Office 365 AND have IT personnel
| manage all 3
|
| - Pay for Gsuite and use... hangouts?
|
| or
|
| - Just pay for Office 365 and get email, fileshare, office
| suite and chat/fileshare/video tool all in one that works
| "fine" and can be managed all in admin.microsoft.com (that
| goes into 500 different portals that all change each month
| but I digress...)
|
| Oh, and you can use whatever browser, even if it's not the
| default. I use Firefox but Edge is the default one.
| Kwpolska wrote:
| My primary browser is Firefox. I have Edge as my backup browser
| for sites that don't work with Firefox, and sometimes for
| watching stuff. There is no reason for me to install Chrome.
| (And Microsoft isn't that bad, even if Edge sometimes does
| weird things.)
| Koshkin wrote:
| > _for watching stuff_
|
| ... while the browser is watching you [1].
|
| > _Microsoft isn't that bad_
|
| Yes it is. That bad.
|
| [1] https://en.wikipedia.org/wiki/In_Soviet_Russia
| tester756 wrote:
| If you're using Windows, what's the point of using Chrome if
| you already have Edge?
|
| You're already sending data to MS anyway
| MichaelCollins wrote:
| What's the point of using either of those when you could use
| an ungoogled chromium build?
|
| (I use Firefox, but if I were to use a chromium browser it
| wouldn't be Edge _or_ Chrome...)
| sascha_sl wrote:
| In case you want a real answer: battery life.
| MichaelCollins wrote:
| Googled Chromium has better battery life than Ungoogled
| Chromium? That seems like a dubious claim.
| rejectfinite wrote:
| No, Edge does. It actually is the best performing and
| battery life browser on Windows.
| tester756 wrote:
| Because you gotta trust people behind ungoogled Chromium
|
| I don't know them, so I don't trust them.
| bilekas wrote:
| Chromium is open source, and so you can see what the
| changelog is etc.. You don't need to trust the people
| when you can read the source yourself ?
|
| also "ungoogled Chromium" - The process is Chrome is
| Googled Chromium.
|
| Chromium was a thing before Google-Chrome..
|
| Edit: My mistake: Chrome and Chromium were released at the
| same time.
| judge2020 wrote:
| > also "ungoogled Chromium" - The process is Chrome is
| Googled Chromium.
|
| You can download Chromium[0], but people tend to be
| referring to the project called "Ungoogled Chromium"[1]
| to remove any calls to Google domains, eg. safe browsing,
| which are still present in Chromium.
|
| 0: https://www.chromium.org/getting-involved/download-
| chromium/
|
| 1: https://github.com/ungoogled-software/ungoogled-
| chromium
| tester756 wrote:
| Yes, I'm definitely going to audit some giant as hell CPP
| code base (diffs) every four weeks.
|
| I'd rather write my own browser from scratch
| bilekas wrote:
| > Yes, I'm definitely going to audit some giant as hell
| CPP code base (diffs) every four weeks.
|
| I've had this discussion with other people too, just
| because you don't want to doesn't mean you can't. So your
| point of suspecting something nefarious is moot for me
| until you can back it up.
| tester756 wrote:
| If I do already use Windows, then I'm already relying on
| MS
|
| Using Edge doesn't change much, meanwhile using ungoogled
| Chromium means that I have to trust additional actors
|
| Additionally MS inserting e.g "backdoor" into Edge could
| cost them a lot in PR damages meanwhile what if
| ungoogled chromium inserted some kind of "backdoor"?
|
| I don't even know people who maintain it, so I wouldn't
| even be able to break their windows or throw eggs at them
| bilekas wrote:
| > I don't even know people who maintain it, so I wouldn't
| even be able to break their windows or throw eggs at them
|
| I hear your point on this, it's pretty hard to put your
| faith in a browser that updates regularly and not just
| for schema reasons. But you seem okay with Edge..
|
| > Using Edge doesn't change much, meanwhile using
| ungoogled Chromium means that I have to trust additional
| actors
|
| This is where I'm confused.
|
| > Additionally MS inserting e.g "backdoor" into Edge
| could cost them a lot in PR damages
|
| I'm not an M$ hater, they've been incredible. dotNet core
| is a gift. GoPilot is a good use of whatever we're doing
| here. But why do you think if they could work a
| 'backdoor' (without leaks from employees) would actually
| matter. Their fine would be minimal.. See FB
|
| I think we've come full circle. I'm defending your point
| that Edge might be just another 'Okay' browser.
| tester756 wrote:
| > Using Edge doesn't change much, meanwhile using
| ungoogled Chromium means that I have to trust additional
| actors
|
| Because I'm already on Windows, thus I already trust
| Microsoft
|
| >I'm not an M$ hater, they've been incredible. dotNet
| core is a gift. GoPilot is a good use of whatever we're
| doing here. But why do you think if they could work a
| 'backdoor' (without leaks from employees) would actually
| matter. Their fine would be minimal.. See FB
|
| On the other hand take a look at Intel - they had
| security issues and not even intentional and there was a
| lot of dmg to their brand due to all those CPU related
| vulns in last years
| detaro wrote:
| > _Chromium was a thing before Google-Chrome_
|
| no it wasn't.
| bilekas wrote:
| Sorry that's actually my mistake, I was thinking of
| something else. (Android)
|
| They were both launched the same period, but chromium was
| the 'trimmed' down open source version.
| fsflover wrote:
| But we do know people behind Microsoft are _not_ to be
| trusted with our privacy... See PRISM and their data
| collection practices.
| tester756 wrote:
| The thing is about what data MS wants and what bad actor
| in ungoogled chromium would want
|
| e.g MS doesn't want to steal money from my card
| BiteCode_dev wrote:
| Indeed, they will lock you in to get it legally.
| s3p wrote:
| Waiting for the /sarcasm tag
| timbit42 wrote:
| I'd choose Edge over Chrome if I didn't have better options.
| dodgerdan wrote:
| I don't think Adguard, the Russian tech company registered in
| Cyprus, but with mostly Russian employees living in Russia has
| our best interests at heart.
| aussiesnack wrote:
| Your evidence seems to be repetition of the word 'Russia'.
| Seems a tad thin.
| imbnwa wrote:
| What bothers me about Adguard is offering HTTPS cert spoofing
| as a means to duplicate uBo's dynamic filtering behavior
| gdy wrote:
| Of course, we all stand by our beloved president who is
| threatening to start a nuclear war. What's not to like.
| lizardactivist wrote:
| What makes you say that? And this is not really about Adguard,
| it's about Microsoft, Cloudflare, and Edge.
| la_fayette wrote:
| There will be times when more people are fed up with all the
| corporate BS. Duckduckgo, Lineageos, Firefox, Protonmail, ... is
| all working fine for me. I don't miss any corp tech.
| wintermutestwin wrote:
| While I would never use a VPN service fronted by a data thieving
| company, I really hope that VPN usage goes more mainstream so
| that companies can't have "no access from VPN" as a security
| strategy.
|
| Ally bank recently did this and many others have intermittent
| issues due to flagging, etc.
| VoodooJuJu wrote:
| I can see this evolving into something worse.
|
| >try to connect to ally
|
| >vpn not allowed - try connecting through one of our authorized
| vpn partners: microsoft, nordvpn!, etc.
| ascar wrote:
| Is Cloudflare known as a data thieving company? I didn't have
| that association with them yet. They're not really in the data
| selling business, are they?
| wintermutestwin wrote:
| I said "a VPN service fronted by a data thieving company" and
| I misspoke - I should have said "backed" instead of
| "fronted."
|
| AFAIK Cloudflare isn't a data thief (yet). If (when) they
| decide to be, they will have access to quite a lot at the
| rate they are going. At this point, how can we trust that any
| public company won't eventually monetize user data?
| hansel_der wrote:
| they are in the business of collecting data and selling
| insights. cdn is just a means to an end
| scrollaway wrote:
| Oh stop, already. Cloudflare isn't in the "business of
| selling insights". They make their money from enterprise
| sales of their various network products.
|
| They're in the business of competing with AWS and are
| pretty damn good at it, too.
| hibikir wrote:
| Security teams don't block certain VPN traffic for fun. When a
| certain IP block has been running credential stuffing attacks
| all month long, it's very reasonable to see any request from
| said block with a lot of suspicion. In many cases, 99.9% of
| login attempts from certain IP blocks are just fraudulent, and
| there might be more requests from one of said blocks than
| legitimate requests from the rest of the world combined.
|
| Completely blocking a VPN is often too blunt an instrument, but
| even the best alternatives are unfriendly to legitimate
| traffic. The most user-friendly thing you can do is to rely on
| bonus security controls, like asking for two factor
| authentication for everything. No, you will not be able to log
| into anything from a new device, even, without the two factor.
| A very understandable tradeoff for a bank, but we'll end up
| seeing that for any account protecting anything of relatively
| low value.
|
| If your second factor is tied to, say, a phone, it's not going
| to be fun to wait to replace it if it's lost. But in a world
| where most traffic is coming from a VPN, there aren't many good
| alternatives.
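
The trade-off hibikir describes, as an added example that is not part of the thread: score login attempts per IP block and answer a credential-stuffing pattern with a second-factor requirement instead of an outright block. The log format, the sample lines (documentation address ranges) and all thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample auth log: timestamp, client IP, username, result.
SAMPLE_LOG = """\
2022-10-01T10:00:01Z 198.51.100.7 alice FAIL
2022-10-01T10:00:01Z 198.51.100.7 bob FAIL
2022-10-01T10:00:02Z 198.51.100.9 carol FAIL
2022-10-01T10:00:02Z 198.51.100.9 dave OK
2022-10-01T10:00:03Z 198.51.100.23 erin FAIL
2022-10-01T10:00:03Z 198.51.100.23 frank FAIL
2022-10-01T10:00:04Z 198.51.100.41 grace FAIL
2022-10-01T10:00:04Z 198.51.100.41 heidi FAIL
2022-10-01T10:03:10Z 203.0.113.5 ivan FAIL
2022-10-01T10:03:25Z 203.0.113.5 ivan OK
2022-10-01T10:07:00Z 203.0.113.80 judy OK
malformed line
"""


def parse_line(line):
    """Return (ip, user, succeeded) for a well-formed line, else None."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
        return None
    try:
        ip = ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    return ip, parts[2], parts[3] == "OK"


def block_stats(lines):
    """Aggregate attempts, failures and distinct usernames per network block."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines we cannot interpret rather than guess
        ip, user, ok = parsed
        # Assumed grouping: /24 for IPv4, /48 for IPv6.
        prefix = 24 if ip.version == 4 else 48
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        entry = stats[net]
        entry["attempts"] += 1
        entry["failures"] += 0 if ok else 1
        entry["users"].add(user)
    return dict(stats)


def decide(stats, min_attempts=5, fail_ratio=0.8, min_users=4):
    """Map each block to 'allow' or 'step_up' (require a second factor).

    A block is flagged only when it has enough volume, a high failure
    ratio and many distinct usernames, the combination typical of
    credential stuffing. Thresholds are illustrative, not tuned values.
    """
    verdicts = {}
    for net, s in stats.items():
        ratio = s["failures"] / s["attempts"]
        suspicious = (
            s["attempts"] >= min_attempts
            and ratio >= fail_ratio
            and len(s["users"]) >= min_users
        )
        verdicts[net] = "step_up" if suspicious else "allow"
    return verdicts


if __name__ == "__main__":
    for net, verdict in decide(block_stats(SAMPLE_LOG.splitlines())).items():
        print(net, verdict)
```

The one successful login from the flagged block still gets through, but only after the second factor, which is the cost to legitimate users the comment points out.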
| egberts1 wrote:
| For my home gateway, all HTTPS, VPN, SSTP, SMTP, PPTP, IPSec,
| UDP, DNS, and proxy are blocked.
|
| All JavaScript scripts are blanked by Squid ICAP clients.
|
| WireGuard to a VPS for DNS resolver/nameserver.
|
| Run a mean transparent Squid proxy, Snort/Zeek/Suricata and
| whitelist bastion dns forwarder.
|
| No problem. No spam. No headache.
| btown wrote:
| From the article, this is powered by a partnership with
| Cloudflare. It's worth noting that until August 6 of this year,
| Cloudflare's WARP VPN would leak your IP address - but only to
| sites using the Cloudflare network.
|
| https://web.archive.org/web/20220609160341/https://developer...
|
| And when Cloudflare released their new SOPs for Warp, they did so
| in a blog post titled "More features, still private" -
| https://blog.cloudflare.com/geoexit-improving-warp-user-expe...
| as referenced in https://developers.cloudflare.com/warp-
| client/known-issues-a...
|
| Microsoft's initial announcement for the feature touted that IP
| addresses would be masked, and one imagines that they did their
| diligence with Cloudflare and are enforcing the strong practices
| that WARP has now rolled out more broadly.
|
| But it's worth noting that you're routing through a company to
| whom the words "still private" encompassed leaking client IP
| address information to Cloudflare's hosting customers as recently
| as two months ago.
| judge2020 wrote:
| Warp/1.1.1.1[0] is a product, not a VPN, despite the fact that
| it tunnels your traffic. Even after the IP address change, the
| current documentation and promotions for Warp do not call it a
| VPN. It was never meant to keep your IP hidden from the
| websites you visit.
|
| 0: https://1.1.1.1/
| btown wrote:
| I wish that were how it had been presented, but they indeed
| did advertise it as a VPN. From
| https://blog.cloudflare.com/1111-warp-better-vpn/ :
|
| "Technically, WARP is a VPN.... We built WARP because we've
| had those conversations with our loved ones too and they've
| not gone well. So we knew that we had to start with turning
| the weaknesses of other VPN solutions into strengths. Under
| the covers, WARP acts as a VPN. But now in the 1.1.1.1 App,
| if users decide to enable WARP, instead of just DNS queries
| being secured and optimized, all Internet traffic is secured
| and optimized. In other words, WARP is the VPN for people who
| don't know what V.P.N. stands for."
| judge2020 wrote:
| I don't think this holds much weight given the regular
| users of this product are likely referred to
| https://1.1.1.1 and are unlikely to read through all of
| this 3000 word blog post with tech jargon. However, indeed,
| many people might've heard about it from other blog posts
| saying it's a VPN or word-of-mouth from more technical
| users also calling it a VPN - but it's obvious Cloudflare
| made a concerted effort not to use that term.
| genewitch wrote:
| it's used _five_ times in that single paragraph. That's
| cloudflare calling it a VPN. you can't unring the bell.
| jdgoesmarching wrote:
| I think it holds weight when I'm staring at a Cloudflare
| blog URL that explicitly says "Warp better VPN." I don't
| doubt that this has been scrubbed from current
| documentation, but this is fair evidence for the above
| comment's claim that CF has advertised it as a VPN.
|
| I don't have a dog in this fight, but it was especially
| odd in this context to claim that this misconception was
| entirely driven from outside of Cloudflare when the URL
| is sitting right there.
| ChoGGi wrote:
| That's nice I suppose...
|
| The only time I use Edge is when something Microsoft opens it,
| then I have to close it.
| smm11 wrote:
| I'm going to run my VPN on Edge running a VPN.
| rmason wrote:
| I am not saying that they'd do it but what would prevent
| Microsoft from 'theoretically' collecting your information
| themselves and then selling it back to your ISP?
| hda2 wrote:
| I can see it now:
|
| Microsoft: "Sorry $site_owner, We (some unaccountable ML model)
| detected that you have violated some rule (we will not tell you
| which) and as a result, your website can no longer be accessed.
|
| This decision is final and permanent."
|
| There are other ways to protect user privacy without conveniently
| putting yourself in charge. They pulled the same move with UEFI
| and secure boot
|
| Microsoft needs to be investigated and fined.
| josephcsible wrote:
| Especially timely given that
| https://news.ycombinator.com/item?id=33036748 just happened.
| yenwodyah wrote:
| I wouldn't care about this VPN if it weren't for the fact that I
| can't ignore it. There's an option to hide it from the toolbar,
| but every time I open an incognito window it pops back up again.
| It's incredibly annoying.
| _mwnc wrote:
| Hmmm interesting another reason for me to avoid microsoft
| browsers.
| AlexandrB wrote:
| Interesting to see this on the front page along with
| https://news.ycombinator.com/item?id=33036748
|
| I wonder how long until Microsoft starts blocking sites on their
| VPN for "your protection".
| mikaelsouza wrote:
| I think they already do. Just like chrome and firefox block
| sites that are considered insecure.
|
| I don't think they need a VPN for this.
| xnx wrote:
| Sounds pretty handy for data-scraping!
| remram wrote:
| Back in the days, a network relay at the application layer was
| called a proxy. Any reason we are now calling this VPN?
| crazygringo wrote:
| Yes, because proxies and VPNs are totally different.
|
| Proxies are generally unencrypted and a new connection is
| usually made per-request.
|
| VPNs are inherently encrypted and maintain a single
| connection.
|
| They're totally different technologies. So hope that answers
| your question.
| stereoradonc wrote:
| Edge-VPN is primarily Cloudfare. Now Cloudfare has potentially
| even "more" data about users. They don't have an ad platform,
| yet. What will stop Cloudfare from accumulating and then
| targeting the users through "Bing-Ads"?
| zarmin wrote:
| Did you misspell Cloudflare as Cloudfare three times?
| sdmike1 wrote:
| Sure, they did, but that doesn't make their point any less
| relevant...
| zarmin wrote:
| Okay?
| witrak wrote:
| If this "VPN" is under the control of an entity collecting
| information about users wherever it can, what's the sense of the
| service? "VPN" (in fact the term should be "virtual internet
| access network") makes sense only when it is independent of any
| entity controlling internet traffic...
| crazygringo wrote:
| > _the VPN will automatically connect when you're using public
| Wi-Fi or browsing unsecured networks and sites lacking a valid
| HTTP certificate._
|
| OK, that's actually a pretty decent idea. It's not going to be
| always-on, but it's providing security specifically for things
| like coffeeshops/libraries and for sites that don't provide their
| own security. In other words, it's "backup security", not
| rerouting all of your "normal" secure traffic at work/home.
|
| This mainly protects sites you visit from having JavaScript
| injected into them by networks when there aren't any other
| protections, and the VPN is run by Cloudflare so it will be
| performant, so I don't really see any problems here? Seems like a
| positive development actually.
| kburman wrote:
| How hard would it be to silently push an update to redirect all
| google traffic through VPN? We have already seen them trying to
| get google search query and results. And why stop at Google?
| Basically they can do any website they want.
| tsimionescu wrote:
| The only way they can do that is at the client level, not the
| network level. Whether it's running over a VPN or not, your
| traffic to Google is TLS, so you have an excellent guarantee
| that it's impossible to snoop on the contents of your HTTP
| requests at the network level.
|
| However, you are using a Microsoft client and/or a Microsoft
| OS to do this - and of course, if they want to, Edge or even
| Windows itself can report on the input and output of any
| operation you make, regardless of any network security.
| Similarly, WhatsApp or Signal or iMessage or Android/iOS
| could send a copy of the plain text of any messages you send
| or receive to home base despite them being E2E encrypted on
| the wire. You always have to trust the device and client
| software you are using to access the internet.
|
| So, if you personally don't trust Microsoft not to snoop on
| your traffic with Google, using Edge or Windows is completely
| wrong.
| tekknik wrote:
| > your traffic to Google is TLS, so you have an excellent
| guarantee that it's impossible to snoop on the contents of
| your HTTP requests at the network level.
|
| It's definitely not impossible, MITM attacks work for TLS
| and this is exactly how cloudflare works (it MITMs TLS sites
| by terminating the tunnel and recreating.). TLS is only
| secure if you have pinned certs.
| tsimionescu wrote:
| MITM for TLS only works if you have the cooperation of
| the server owner (like Cloudflare does, or illegally by
| stealing the server owner's private keys) or a malicious
| CA, or if you ignore the security errors that the browser
| offers.
|
| Otherwise, TLS is completely impervious to MITM attacks
| as a protocol.
|
| Of course, various implementations of TLS may also have
| exploitable vulnerabilities.
| barsonme wrote:
| They're not magic. They can't peek into the TLS connection
| between your browser and google.com.
| tekknik wrote:
| Conversely many people here think TLS is magic and
| unhackable, but it is not.
| barsonme wrote:
| I'm not sure what you mean. Do you know how to break TLS?
| timmb wrote:
| Just curious but is there really a risk on public WiFi if
| you're using DNS-over-HTTPS and connecting to a site over
| https?
| Gigachad wrote:
| You can still do reverse domain lookups using the IP address
| as well as see the domain in the SNI details.
|
| So the content is safe but the sites you visit are still
| exposed unlike with a vpn.
| angry_octet wrote:
| Although you would commonly find a long list of AWS or
| similar IP addresses which wouldn't be very useful, unless
| you simultaneously crawl tens of thousands of possible
| sites (from the same source IP range) to map IPs to sites.
| kibwen wrote:
| No, though DNS-over-HTTPS is already basically a proxy.
| tsimionescu wrote:
| By this definition, any DNS server is basically a proxy
| (assuming you are not hitting an authoritative name server
| for the domain you are trying to access).
| Gigachad wrote:
| No it isn't. The DoH server is the final destination. It
| isn't relaying your traffic to somewhere else.
| [deleted]
| CogitoCogito wrote:
| > This mainly protects sites you visit from having JavaScript
| injected into them by networks when there aren't any other
| protections, and the VPN is run by Cloudflare so it will be
| performant, so I don't really see any problems here? Seems like
| a positive development actually.
|
| How does this protect from having JavaScript injected? Why
| couldn't the VPN do that?
| simsla wrote:
| MITM protection on public networks maybe?
| CogitoCogito wrote:
| > MITM protection on public networks maybe?
|
| How does this address the fact that the operators of the
| VPN can certainly modify any content they access over http
| on your behalf?
| kevingadd wrote:
| It's reducing the number of parties you have to trust
| from 'every hop along the path from the public wifi
| operator to the host' to 'cloudflare', and many site
| operators already trust cloudflare not to MITM them.
| yed wrote:
| The operators of the VPN in this case are also the
| developers of the browser. If they want to inject content
| they can do that without the VPN.
| soulofmischief wrote:
| It's security by consolidation.
| hypertele-Xii wrote:
| Security by consolidation to single point of failure, I
| might add.
| hot_gril wrote:
| I agree, and it's hard for me to trust the VPN more than
| my own ISP. Like yeah, someone else on this public coffee
| shop wifi network can waste a whole day finding a couple
| of random victims. Does that actually happen, idk. Have
| huge, reputable VPNs been hacked before, yes, and there's
| much greater incentive there. Either way I won't know, so
| it feels like they're selling snake oil.
|
| "Microsoft" and "security" also don't go together in my
| head.
| soulofmischief wrote:
| Coffee shop hacking is usually done in an automated, at-scale
| fashion, often with a remote device that doesn't
| require an operator to be present or paying attention.
|
| It uses lowest common denominator tactics. This VPN
| strategy is precisely for the lowest common denominator.
|
| I don't understand how something can feel like snake oil
| when you haven't researched your own questions. I can sow
| doubt on anything; is it always justified?
| dredmorbius wrote:
| The question is whether your basket is made of chains
| (one bad link), cables (many bundled wires), how many
| baskets there are, how many eggs in each, and how
| effective and trustworthy the guards are.
|
| Simply shrieking "SPOF!!! SPOF!!!" lacks nuance after a
| while.
|
| I've concerns with proposals such as this similar to what
| others are voicing on this thread. But if one considers
| the proposal _in light of the present status quo for the
| typical person_, then it's _probably_ a net improvement.
| kevmo314 wrote:
| Better than every public wifi access point being able to.
| acdha wrote:
| It's a question of how many entities you have to trust.
| There are many thousands of public networks around the
| world and millions of people using ISPs which tamper with
| traffic (especially on mobile networks). With the VPN,
| you only have to trust the VPN provider; without it, you
| have to review each network you use and its ISP. That
| doesn't mean that the VPN is automatically trustworthy,
| of course, but it's a single entity.
| tsimionescu wrote:
| Note that you still have to trust the server's ISP and
| any intermediate ISP routing traffic from the VPN exit
| node to the server, if you're accessing a server over an
| insecure protocol.
| acdha wrote:
| Of course, but almost all of the tampering has happened
| on the client end historically, especially since this VPN
| is backed by Cloudflare who have widely distributed
| nodes. It's still much better to deploy TLS everywhere
| but this shuts down most of the non-NSA attacks.
| tsimionescu wrote:
| Absolutely, I just wanted to give the full picture.
| ViViDboarder wrote:
| The assumption is that the VPN operator is more trustworthy
| than an unsecured network.
| hot_gril wrote:
| Yeah, and even if the network operator is trustworthy,
| often times any other user on that network can mess with
| you, e.g. ARP poisoning.
| reactspa wrote:
| A crazy thing happened to me on a recent trip to Mexico city. I
| thought my AT&T mobile plan covered Mexico, but after 2 days it
| stopped working. So I tried to log into my account online with
| AT&T. It would keep redirecting me to the Mexico AT&T website
| instead of the US website. The first time I realized I needed a
| VPN.
| Justin_K wrote:
| Why don't we just call it what it is: "Microsoft redirects all
| browser traffic through their servers". At first it sounds great
| but in two years when they start selling the data or start
| injecting ads, what will the privacy advocates think then? How
| long until Microsoft decides they don't like your site, so
| they're going to block it? Yet another move towards
| centralization of the internet, NO THANKS.
| tarunmuvvala wrote:
| The walled gardens are raising their walls.
|
| The plan is to sell the corporates VPN enabled services. The
| corporate will buy it without hesitation too if it comes bundled
| with Office 365.
| vinay_ys wrote:
| In India, it is illegal to operate an open unauthenticated wifi.
| All public Internet access requires a secure auth and you have to
| present a government ID to the operator to get access. (This
| applies to getting a mobile SIM card or landline Internet at home
| as well). This is to deter anonymous illicit activity being
| conducted from public Internet locations (like cafes,
| bus/train/airport stations etc.) Also, same real identity
| requirement is now applied to VPN operators. Additionally, they
| have to collect and retain traffic logs, and cooperate with
| government cybercrime investigations.
|
| Obviously there are potential loopholes - apparently a lot of VPN
| services are planning to continue operating services with Indian
| residents with servers not physically hosted in India without
| logs.
|
| Apple with its Private Relay and now Microsoft with Edge Browser
| VPN - don't provide VPN with exit nodes hosted in foreign
| jurisdictions. I'm curious to know if they will cooperate with
| requirements to collect/retain logs as well.
| SavageBeast wrote:
| So Edge users are going to be impacted by this - what's that like
| 35 people outside the development team who made it?
| sh1mmer wrote:
| Can someone explain to me how this is different from apple's
| privacy relay? Is it because it's all traffic instead of just
| some traffic Apple designates as "trackers"?
| oefrha wrote:
| As a generally happy Cloudflare customer, a Cloudflare VPN makes
| me deeply uneasy. (Yes, I know Warp has been around for a while.)
| Using it means Cloudflare owns a huge chunk of your Internet
| traffic _end to end_ and _decrypted_, a uniquely powerful
| position to be in. And this is going to be default on in Edge
| according to TFA, even though it's only applied to plain HTTP
| sites by default at the moment.
| xani_ wrote:
| Browsers already want to send every domain you visit to
| cloudflare via DoH.
|
| Other options of securing DNS included "just" encrypting
| traffic to DNS server. But no, they decided to centralize
| sending DNS records via HTTPS
| sascha_sl wrote:
| While I agree that it is concerning, WARP doesn't decrypt your
| traffic unless you sign in to ZeroTrust, enable it in your
| dashboard and install their CA.
|
| Not much you can do about them having decrypted traffic for
| sites that use them.
| oefrha wrote:
| > having decrypted traffic for sites that use them
|
| Yes, that's the huge chunk I'm talking about, and when you
| use them as your VPN they can effortlessly trace that
| decrypted traffic to you.
| sascha_sl wrote:
| How is that different from not using a VPN?
| xboxnolifes wrote:
| It's not, that's the point.
| ViViDboarder wrote:
| It's not _for one party_. The VPN protects your traffic
| from any party other than Cloudflare. Exactly as it would
| with any VPN.
| oefrha wrote:
| When you don't use a VPN, at least your traffic to
| Cloudflare doesn't carry a unique ID of yours. Effort is
| required to correlate your traffic, especially if you are
| CGNAT'ed and share an IP with others, or have a dynamic
| IP that changes frequently.
| AtNightWeCode wrote:
| Https is among the most broken ideas in the history of CS. I
| remember the first time I really learned about it and I went
| like it can't be this stupid.
|
| Most Internet traffic today between A and B is decrypted by C
| because of this.
| barsonme wrote:
| What are you talking about?
| AtNightWeCode wrote:
| Https is a wrapper around http. The result is that any
| service that needs any http information can decrypt all
| https traffic. So on the web, passwords, apikeys, personal
| information and so on are in general decrypted by a third
| party, Fastly, Akamai, Cloudflare and so on.
| barsonme wrote:
| That is entirely untrue. HTTPS is just HTTP encrypted
| with TLS. The only parties that can decrypt the traffic
| are the people with the session keys: you and the website
| you're visiting.
| jimlongton wrote:
| People are fools if they think there isn't a Room 641A in
| Cloudflare, except it's a lot better since web service
| operators willingly handed over all their private keys and
| therefore user data.
| chiefalchemist wrote:
| > "However, the VPN will not run while you're streaming or
| watching videos -- so that you can save up on traffic which is
| capped at a modest 1 GB per month."
|
| OK? And what happens after that? After you go over your 1 GB cap?
| You're cut off from the internet?
| ridgered4 wrote:
| How do they even id the user for the cap? Some kind of system
| signature? Requirement of a MS account?
| shmde wrote:
| They just turn the VPN off?
| mdaniel wrote:
| Heh, I wonder if they just quietly do that in the middle of a
| session
|
| * GET bank.example.com/accounts
|
| * GET bank.example.com/accounts/1
|
| _vpn disconnect_
|
| * GET bank.example.com/accounts/1/details <- 403 new IP, who
| dis?
| sirmike_ wrote:
| Lol the traffic is capped at 1gb. It's also super obscure. Only
| in small rollouts to Edge Canary users. It's opt in I believe and
| it can be turned off.
|
| Even MSFT isn't going to pay the network bill for everyone
| forever.
|
| Split decision if this is a true good faith thing for consumers.
| Time will tell. I can easily see where it's a great thing on one
| hand but also a terrible one too. This is where a company's
| integrity comes in.
| drexlspivey wrote:
| Pretty cool to see Wireguard, a protocol that is only a few years
| old, making it so fast into the Linux kernel and now into Edge.
| Literally shipping into billions of devices in such a small
| amount of time.
| _mwnc wrote:
| I don't like this. When I add a URL to the address bar I want
| TCP/IP traffic to be directed to only the remote address I
| requested, and not have traffic relayed through some third party.
| criddell wrote:
| Do a traceroute and see how many third parties your traffic is
| going through. You probably don't get many point-to-point
| connections.
| [deleted]
| hbrn wrote:
| I have bad news for you.
|
|     traceroute news.ycombinator.com
| [deleted]
| doublerabbit wrote:
| Besides the point, 18 hops to get to HN via my colo server in
| London, UK; what is cogentco doing with the excessive
| routing?
|
|      1   24 ms   24 ms   25 ms  10.0.0.1
|      2   32 ms   25 ms   24 ms  x.x.x.x
|      3   28 ms   28 ms   27 ms  core-router-b-nlc.netwise.co.uk [185.17.175.246]
|      4   29 ms   25 ms   25 ms  core-router-hex.netwise.co.uk [185.17.175.240]
|      5   29 ms   25 ms   26 ms  te0-7-0-17.505.rcr21.b015534-1.lon01.atlas.cogentco.com [216.168.64.16]
|      6   27 ms   25 ms   25 ms  be2186.ccr22.lon01.atlas.cogentco.com [154.54.61.70]
|      7   27 ms   25 ms   28 ms  be2870.ccr41.lon13.atlas.cogentco.com [154.54.58.173]
|      8   94 ms   93 ms   94 ms  be2317.ccr41.jfk02.atlas.cogentco.com [154.54.30.185]
|      9  103 ms  100 ms  100 ms  be2806.ccr41.dca01.atlas.cogentco.com [154.54.40.106]
|     10  118 ms  117 ms  117 ms  be2112.ccr41.atl01.atlas.cogentco.com [154.54.7.158]
|     11  130 ms  130 ms  134 ms  be2687.ccr41.iah01.atlas.cogentco.com [154.54.28.70]
|     12  147 ms  146 ms  181 ms  be2927.ccr21.elp01.atlas.cogentco.com [154.54.29.222]
|     13  155 ms  155 ms  156 ms  be2930.ccr32.phx01.atlas.cogentco.com [154.54.42.77]
|     14  172 ms  348 ms  192 ms  be2941.rcr52.san01.atlas.cogentco.com [154.54.41.33]
|     15  198 ms  202 ms  205 ms  te0-0-2-0.rcr12.san03.atlas.cogentco.com [154.54.82.70]
|     16  209 ms  165 ms  165 ms  te0-0-2-3.nr11.b006590-1.san03.atlas.cogentco.com [154.24.18.194]
|     17  166 ms  171 ms  203 ms  38.96.10.250
|     18  165 ms  162 ms  162 ms  news.ycombinator.com [209.216.230.240]
| jdthedisciple wrote:
| only 8 hops for me from Europe
| pGuitar wrote:
| I got 30 hops from Atlanta/Comcast
|
| but hops from 9 to 30 are "blank" like this:
|
|     30 * * *
|
| the last non-blank hop is this:
|
|     8 M5-HOSTING.bar1.SanDiego1.Level3.net (4.16.110.170) 69.921 ms GIGLINX-INC.bar1.SanDiego1.Level3.net (4.16.105.98) 60.600 ms M5-HOSTING.bar1.SanDiego1.Level3.net (4.16.110.170) 69.882 ms
| ziml77 wrote:
| Is that excessive? It looks like it's taking the most
| direct route it can. First goes west to NY, then goes south
| to DC, south again to Atlanta, and then makes a series of
| westward hops to Houston, El Paso, Phoenix, and San Diego.
| And I'm guessing the hops within London and San Diego would
| be something like a router for local traffic, a router for
| regional traffic, and a router for international/interstate
| traffic.
| dhaavi wrote:
| Cogent is the third biggest network on the Internet by
| CAIDA AS Rank. Your connection used it for pretty much all
| the distance.
| _mwnc wrote:
| Sorry, I misspoke. I know that routing traffic isn't a direct
| peer to peer connection but that's different from ALL traffic
| going through one company.
|
| I'm not an expert on internet routing but it seems to me a
| bit disconcerting how much of web traffic is already routed
| through Cloudflare servers. This centralization scares me.
| peanut_worm wrote:
| Doesn't that mean that all my connections are routed through MS
| servers? How is MS more trustworthy than my ISP?
| RcouF1uZ4gsC wrote:
| > Also, we must be aware of the risks associated with using the
| built-in VPN services of Microsoft, Apple, and the like. The
| tools they so generously offer might protect you from being
| tracked by your Internet Service Provider (ISP),
|
| It seems using a VPN from your browser vendor does not increase
| your risk. I don't think a VPN would have any information that
| your browser did not.
| oefrha wrote:
| People generally don't tolerate browsers that phone home with
| any and all accessible information. But if you claim to also
| run a built-in VPN service...
| vladvasiliu wrote:
| What do you mean?
|
| I oftentimes see people using Chrome (not Chromium) while
| logged into a profile. Are you telling me that either those
| people are actually a minority, or that Chrome doesn't phone
| home?
| lxgr wrote:
| Not really: Your browser vendor _might_ push out a malicious
| update or enable dormant functionality that sends them
| telemetry on your browsing, or even your entire web traffic,
| but a VPN definitively _does_ receive all of your traffic
| (including, at least, the host name of almost all sites you
| visit).
|
| I can observe who my browser/OS talk to (beyond the sites I
| already visit) - but what happens inside a VPN provider is
| impossible to tell.
| mkl95 wrote:
| Serious question - is there a legitimate use case for Edge when a
| Chrome Stable build is available?
| mrweasel wrote:
| I'm thinking Microsoft is hoping for the reverse: Why download
| Chrome when you have a perfectly good Blink based browser
| already installed.
| vladvasiliu wrote:
| It's already installed and it works well enough. Plus, if I'm
| using Windows, I'm already sending a bunch of telemetry to MS,
| so I don't see a reason to go out of my way to send some to
| goog, too. Also, I'm not a Netflix customer, but I understand
| that on PC you need Edge to get high-definition (>=1080p)
| video. Chrome doesn't work (neither does it work on Mac). So
| the question becomes: is there a legitimate use case for Chrome
| when Edge is available (and is mostly the same thing)?
|
| I, personally, am quite against using a Google browser (or
| derivative), but for my gaming PC where I only launch the
| browser once in a blue moon, I just can't be bothered to
| download anything else since Edge works. On my work PC I use
| Firefox, and am quite happy with it.
| wintermutestwin wrote:
| Edge is the only Chromium-based browser that allows for
| Vertical Tabs.
| netsharc wrote:
| Vivaldi has it, and it's a Chromium-based browser made by
| people who left Opera after it was sold to the Chinese. Opera
| had vertical tabs even a decade or so ago, back when it was
| still using its own Presto engine (they switched to Chromium
| and seem to have lost this feature).
| wintermutestwin wrote:
| Thanks for that. Unfortunately, it looks like Vivaldi is
| closed source. Do you know how it is monetized?
| rejectfinite wrote:
| Search engines, bookmarks and they offer email services.
|
| https://vivaldi.com/blog/vivaldi-business-model/
| radicaldreamer wrote:
| There are significant changes in Edge compared to Chrome stable
| and perf and efficiency improvements on Windows (not to mention
| deeper system integration).
| jabroni_salad wrote:
| From a business perspective, IE mode and OneDrive userstate
| sync for o365 customers.
|
| From a personal perspective, goog and microsoft are basically
| equivalent and I don't want either of their browsers.
| BLO716 wrote:
| The trend towards 0-configuration VPNs though makes it totally
| compelling to just port your traffic home. I'm not trying to be a
| fan-boi, but I want ALL my traffic off the network of snoop. I'm
| just going to go out there and say Ubiquiti and Teleport with
| WifiMan on phone/tablets/computers and 0 config bar codes, I mean
| it's ALMOST frictionless for my family to do this setup once it's
| going.
|
| I at least try to do this while we travel and are out of network
| range. How do people feel about this?
| gzer0 wrote:
| how about a tailscale exit node running on a computer at home
|
| takes 10 seconds to setup and I can use my home IP from
| anywhere on earth
| hopfog wrote:
| I run a free browser game where you can start playing
| immediately, no registration required. The game has a big sandbox
| element where you can build and paint on the world map.
|
| Naturally I've attracted trolls doing everything in their power
| to grief and ruin it for other players. This has led me to
| reluctantly implement moderation tools such as IP bans and proxy
| detection.
|
| I'm currently using a couple of services where I can supply an IP
| and get a risk score back but I'm worried about false positives.
| I'm afraid this initiative, while great for privacy, will make my
| defense measures futile.
|
| What should I do? I just want to run a game with as few intrusive
| barriers as possible. I have no interest in collecting any
| private data from users whatsoever.
| xani_ wrote:
| You will just have a bunch of random false positives that get
| blocked and never come back. Even before VPNs a lot of ISPs gave
| you a dynamic IP that changed anywhere from every few weeks to
| daily, to each reconnect. Same with any public access point.
|
| Same with carrier grade NAT, IP stopped being a good way to block
| things a long time ago. About the only use is "this IP is DoSing
| me now, block it for a few hours".
|
| There are a few other methods, all of them intrusive on privacy.
| Generating a fingerprint of the browser and blocking based on that
| might work for the clueless users but dedicated ones will go
| around it. Making using one of the popular SSO logins is one
| option (at least banning-wise) but that's a lot of work.
| aaronax wrote:
| You have to have intrusive barriers. This is true in real life
| and it is true online.
|
| The world is not a graffiti free-for-all because there are
| barriers: the government (police) is able to apprehend
| individuals, link that physical individual to an identity
| (which it issued at birth), and effectively implement
| consequences to that identity/individual.
|
| If you want your site to not be a graffiti free-for-all, you
| will need a durable way to identify actual people. Twitter, for
| example, essentially requires a phone number to use their site.
| Phone numbers are fairly difficult to get anonymously.
| Therefore, Twitter has a useful link between their users and a
| physical individual. Other services use other things.
|
| The government should implement cryptographic certificate based
| identities to citizens. Ideally there would be a way to "sign"
| something that says you are a real citizen without revealing
| which citizen you are, but is durably unique (subsequent
| signings identify you as the same citizen).
|
| Facebook, Google, etc. are effectively filling this function
| right now but they leave much to be desired.
| hopfog wrote:
| > Ideally there would be a way to "sign" something that says
| you are a real citizen without revealing which citizen you
| are, but is durably unique (subsequent signings identify you
| as the same citizen).
|
| This is a truly interesting and groundbreaking idea that
| would solve all my problems. Do you know if there are any
| initiatives like that or is it science-fiction?
| aaronax wrote:
| Actually issued by a government? Not sure.
|
| How to implement? Also not sure. I am not an expert in this
| field. "Anonymous credentials" seems like the closest thing
| maybe. Basically you need to somehow prove you have a valid
| signed certificate without disclosing the public key.
|
| https://crypto.stackexchange.com/questions/83412/how-to-
| achi...
| https://crypto.stackexchange.com/questions/52189/zero-
| knowle...
|
| Since you seem open to putting up barriers...in the process
| of looking into this I discovered Idena and checked it out
| a little. You could require verified Idena something or
| other, just as an example. I'm sure there are scores of
| these types of things being built, most or all of which
| will fail to gain traction.
| dejawu wrote:
| I don't know if a government would use it, but 4chan has
| tripcodes that can uniquely identify an anonymous user
| across multiple posts without the user ever needing to
| create a permanent identity.
| BrainVirus wrote:
| Redesign the rules so that trolling is not rewarding. Yes, I
| know, it's hard.
| hopfog wrote:
| Yeah, I thought I could pull that off but in the end I was
| naive thinking I could solve it with mechanics. The idea was
| that I would never need to ban anyone, ever. However, even
| with thousands of players playing the game as intended just
| one troll can wreak havoc by creating hundreds of accounts
| through proxies.
|
| I have implemented measures where you can't chat until you've
| finished the tutorial, 5 minutes decay on stuff built/painted
| outside plots and upkeep on claimed plots but it's not
| enough. The trolls are extremely dedicated and devote their
| life to ruining my game.
| dathinab wrote:
| Hm,
|
| I think this is mainly a form of advertisement move to compel
| more users to use Edge/not switch away from it. Reason: By now
| many non-technical people think a VPN is necessary (or at least
| recommendable) for "safety". Though how a VPN actually
| helps/works most non-technical people do not understand at all.
| For Microsoft providing a VPN which by default is only enabled on
| public WiFi and similar isn't too expensive.
|
| They also need to compete with Apple's Privacy Relay feature.
|
| So putting bias aside it seems a good thing.
|
| But there are some gotchas:
|
| 1. a VPN is not per-se privacy protecting, it is only that if the
| VPN provider agrees in a legally binding way to not sell out the
| users' data.
|
| 2. a major browser which tries to force itself on all Windows
| users providing a VPN for free hurts the VPN market due to the
| unfair competitive advantage this VPN has.
|
| 3. It could normalize for many people that VPNs do not necessarily
| have a feature to avoid geo-blocking => make it easier for
| legislation targeting such features to pass
|
| 4. also more centralization for Cloudflare
|
| Though if you ignore all this from a pure "common people's
| security" perspective (i.e. not state actor attacks) this is a
| neat improvement. There are still too many things which allow
| attacks due to not using HTTPS and for non state-level attackers
| the best attack vectors are public hotspots and similar where this
| VPN automatically is enabled. E.g. a common security problem is
| HTTP (not S) redirect links in e.g. mails, which an attacker could
| trivially rewrite to point you to their site which automatically
| proxies the site you originally wanted to go to. Worst offender I
| saw was a fintech site emailing HTTP (not S) redirect links
| containing the auth token for the initial account setup...
| strictfp wrote:
| Cue VPNs being banned
| rntksi wrote:
| I remember this being done back when Opera 7 was used. I think it
| had a feature for mobile OS, where it would route requests to
| Opera's servers and serve clients a minified, smaller version of
| the page, so people on 2G at the time could still use the web. I
| don't remember people being outraged at the time at the prospect
| of a browser having a baked-in VPN option though.
| laundermaf wrote:
| Don't forget about Google's own "optimizer"
|
| https://en.wikipedia.org/wiki/Google_Web_Accelerator
| bityard wrote:
| I remember this as well and thought it was a neat service. One
| that I would have liked to emulate using my own proxy in order
| to save bandwidth on my mobile data but never got around to
| actually doing.
|
| These days with widespread HTTPS, the only way to do this is to
| bake it into the browser itself.
|
| And of course, this was back when you could trust Opera to do
| what they said they were (or weren't) doing.
| sergiotapia wrote:
| God I miss Presto and Dragonfly. :'(
| Nextgrid wrote:
| At the time, spyware was not yet a mainstream business model so
| there was no outrage because respectable, established companies
| didn't yet become spyware operators. There was still mutual
| trust back in the day.
| int_19h wrote:
| That was Opera Mini, and it's still around (and popular in
| areas where Internet speed is still measured in Kbps and/or you
| pay for data per megabyte).
|
| It's not even that it served a minified version, too. It
| basically did all layout server-side, so the client got
| something more akin to a PDF of the webpage optimized for its
| screen size. It also compressed images.
| noja wrote:
| Yes that was mainly because mobile internet was really slow and
| using it without Opera's proxy was an exercise in frustration.
|
| But do not forget that Opera 7 was released TWENTY YEARS AGO.
| Things are a bit different now. Think eternal september.
| pGuitar wrote:
| Why do they even need this? With all the spying/telemetry they
| already do, they probably already know the sites that you
| visit....
| lucasmullens wrote:
| Some users might want this feature, which gets them more users.
| I think outside HN most users would appreciate a free VPN for
| when they're on public Wi-Fi.
| timbit42 wrote:
| They want to keep everyone else from tracking you so their data
| is more valuable.
| jeroen79 wrote:
| Cloudflare is nasty, it's worse giving them all your data than
| spreading it around.
| counttheforks wrote:
| bilekas wrote:
| > you can save up on traffic which is capped at a modest 1 GB per
| month.
|
| These days that probably won't even manage the tracking requests
| being sent from the machine a month.
| kebman wrote:
| If I'm not mistaken Skype used to be called the most secure video
| calling app back in the day. Until this:
| https://lists.randombit.net/pipermail/cryptography/2013-May/...
| kazinator wrote:
| "Let's use our browser to herd users into our walled network,
| where our competitors cannot track them as easily as we are able
| to."
| donmcronald wrote:
| I think this is the real reason for the "VPN in a browser"
| trend. It's about getting exclusive access to browsing data.
|
| Imagine Facebook data collection, but without being able to
| ignore it. That's where we're headed. Watch for Google to
| release a "security" product that does something similar.
|
| IMO Apple, Microsoft, and (eventually) Google are going to use
| their platform dominance to usurp Facebook's ad business.
| That's why Facebook is making a big bet on VR. It's not that
| they see VR as a naturally popular platform. It's simply one of
| the last platforms that _could_ be popular (for the near
| future), isn't already dominated by a major player, and has
| network effects that make it a critical mass platform similar
| to how Facebook works. If they can buy their way in, they own
| the whole market.
|
| This kind of thing should get these companies obliterated by
| regulators. It's shameless, blatant, anti-competitive behavior
| where they're using their dominance in one market to gain an
| extremely unfair advantage in another.
|
| The goal is to move the entire ad market away from the open web
| and into closed platforms like OSes and browsers.
| kazinator wrote:
| VPNs can destroy net neutrality. The internet can be reduced
| to a dumb pipe that gives everyone equal bandwidth, which is
| used to operate VPNs, inside of which entirely private rules
| apply that are inscrutable from the outside.
| pmarreck wrote:
| Imagine still tolerating Windows in 2022
| seabrookmx wrote:
| Some people play video games.
|
| Some people want to use the Adobe suite on user upgradable
| hardware.
|
| If you come out of your bubble you'll see there's plenty of
| reasons to still use Windows (typing this in Firefox running on
| Fedora, FWIW).
| rejectfinite wrote:
| The great thing about Windows is that you can install another
| browser and set it to default. You don't have to use Edge.
| blibble wrote:
| and then every other update it "accidentally" gets set back
| to Edge
| rodolphoarruda wrote:
| Not even god knows what's going on inside that (not so very much)
| private network.
| tonymet wrote:
| Microsoft obviously benefits from the ability to collect more
| tracking signals. Even over HTTPS they will have many traffic
| signals to use for ads targeting.
|
| Just be mindful of any feature and who it benefits. These
| companies aren't charities.
| netsharc wrote:
| > The VPN feature, known as "Microsoft Edge Secure Network," has
| rolled out to a limited selection of users in the latest Edge
| Canary version.
|
| Now why didn't they call it Microsoft Secure Network! And MSN in
| short.
|
| And next they should start a VPN'ed messaging service, they can
| name it "MSN Messenger".
| MrPatan wrote:
| What do I need to do to disable this?
| kingaillas wrote:
| Everybody is suspicious of Microsoft's motives but I think in
| this, you gotta consider how many Windows systems are out there
| used by security novices.
|
| Lots of people are computer savvy but want to use a computer to
| do something else not under the umbrella of hobbyist sysadmin
| work.
|
| I don't see the downside here, again, considering the
| multi-millions average users Windows/Edge has. If you are savvy enough
| to roll your own VPN using algo from Trail of Bits, then do that.
| If you are able to weigh the pros and cons of VPNs from having
| one or not, or which one to use, you are ahead of 99.99% of the
| people this will help.
| sylens wrote:
| Had to move off of Edge to Brave a few weeks back after sticking
| it out longer than I should have. I really liked Edge on both
| Windows and macOS but they keep adding stuff that I don't want to
| the browser.
| 0xbadcafebee wrote:
| Isn't this basically just Chrome's data saver? They never called
| it a VPN but they did send all your traffic to Google.
___________________________________________________________________
(page generated 2022-10-01 23:02 UTC)