[HN Gopher] Mullvad Browser
___________________________________________________________________
Mullvad Browser
Author : dotcoma
Score : 281 points
Date : 2023-08-17 10:51 UTC (12 hours ago)
(HTM) web link (blog.torproject.org)
(TXT) w3m dump (blog.torproject.org)
| colesantiago wrote:
| Why is it that the main use case for this would be for criminals
| to use this Tor & Mullvad based browser + VPN?
| flangola7 wrote:
| Most criminals are using chrome like everyone else.
| lemper wrote:
| I am really curious how you came to that conclusion. pray tell.
| fredoliveira wrote:
| Ah yes, the old "I have nothing to hide, so they can look at
| anything they want". There's no way you've properly thought
| about what you are saying.
| judge2020 wrote:
| Most criminals want to be anonymous, but wanting to be
| anonymous doesn't make you a criminal.
| safetybox wrote:
| Wanting to buy drugs online doesn't make you a criminal.
|
| Wanting to be criminal also doesn't make you a criminal.
| idiotsecant wrote:
| In most jurisdictions buying drugs is a criminal act, or
| why would you buying them online? If you commit a crime you
| are a criminal, by the definition of the word. You can
| argue about the merits of the law, but it doesn't mean that
| you've not committed the crime.
| drcongo wrote:
| I bought a synthesiser online recently. That's not a
| crime.
| idiotsecant wrote:
| I made toast this morning. That is also not a crime. Are
| we just listing things we've done here?
|
| On a side note I did not actually make toast but now that
| I'm saying it I wish I had some.
| atdrummond wrote:
| Buying drugs online almost certainly funds criminal acts.
| Some of the most vicious gangs in Europe traffic "mild"
| drugs like Ecstasy, Ketamine and marijuana. Denying this is
| to be profoundly dishonest with one's self.
| flangola7 wrote:
| The most vicious gangs are fully legal and have billion
| dollar market caps. I'm not going to sweat this.
| dark-star wrote:
| you forgot to include tobacco and alcohol in that list...
|
| /s
| GhostWhisperer wrote:
| it's true: https://en.wikipedia.org/w/index.php?title=Phi
| lip_Morris_Int...
| kodt wrote:
| Technically his comment says "wanting to" not actually
| doing it.
| atdrummond wrote:
| Even doing it isn't a criminal act everywhere. My point
| was that there are ethical implication of engaging with
| dark web sites irrespective of what the law says.
| zarathustreal wrote:
| Define criminal and then contemplate what you've just done and
| you'll have an answer to your question
| krono wrote:
| There are places in the world where police will come and knock
| on your door if you search for "barbie" or visit some foreign
| news website that has posted something critical about your
| country's regime.
|
| You might even encourage some of those criminal acts that will
| be performed through this browser.
| phowat wrote:
| Wait, isn't everyone else in the world living in a western
| democracy like me ??
| tacker2000 wrote:
| This is the same mindset that uses potential child abuse to
| justify bans and censorship on everything.
| _joel wrote:
| <uk government entered the chat>
| AbraKdabra wrote:
| Main use case criminals? Lol what.
| wolverine876 wrote:
| Regarding hiding-in-the-crowd anonymity (the technical term
| escapes me atm): Which is the larger crowd, Mullvad VPN or the
| Tor network?
| earth-adventure wrote:
| With TOR, even the middle men don't know who you are (not
| considering some large entity controlling too much of 5he TOR
| network). With a VPN, the middle man sees all your (encrypted)
| traffic.
|
| Considering your question from a host/website point of view,
| connections trough TOR endpoints are blocked way more often
| than connections trough a VPN.
| godelski wrote:
| I have two questions:
|
| - Can we HN users help push Firefox to incorporate better
| fingerprint circumvention? (more than current) This is, imo, one
| of the worst technologies that has been developed around the web.
| This seems like a thing all privacy focused browsers, which
| includes FF, should be working on together. This seems like a
| thing that wins by the network effect, but can be done without an
| authoritative browser. You just need mass numbers, and while FF
| isn't that large of a user share, it is large enough that
| probably most local networks have at least a few connections and
| every ISP has thousands.
|
| FWIW, using amiunique.org I am unique on FF, Safari, Mullvad,
| Chrome, and Edge on a M2 Air. Mullvad is 0.22% across the board
| btw, so looks like that's how many Mullvad/Tor users have tried
| it. Though I am a bit surprised by some of the results.
| Similarity is very low for: UTC-07 (3% of users are on the...
| west coast? This can't be right), screen sizes (I thought this
| was going to be a win because apple consistency, but all values
| are <0.1% -- except depth, which is best on Safari and identical
| on FF/Chrome/Edge. Do people not make their browsers the full
| screen size? (not clicking green expand)).
|
| - Will the browser end up having a Tor connect switch? I'd
| imagine this would make Tor more accessible and could make the
| entry via VPN method easier and safer for many users. Is that why
| they're working together? I guess I'm a bit confused at the
| collaboration here? But it does seem natural that they could work
| to set up easy interfaces like x -> Mullvad -> Tor, x -> Tor ->
| Mullvad, or even x -> Mullvar -> Tor -> Mullvad? Is this the
| natural extension?
| burnte wrote:
| > Can we HN users help push Firefox to incorporate better
| fingerprint circumvention?
|
| Yes, it's OSS and they are very happy to receive third party
| patches.
| howinteresting wrote:
| You can't simply submit a patch to any self-respecting open
| source project on a decision so consequential. You have to do
| annoying things that mostly get in the way, like convince
| other people and build consensus.
| godelski wrote:
| Isn't this something that's already been in conversation
| though? Just not popular? I'm pretty sure I've seen
| discussion and pull requests for this on HN. I know even the
| strict privacy setting, which affects fingerprints, does not
| make it anywhere close to a Tor fingerprint.
|
| I was more suggesting that maybe we can demonstrate the
| desire of this, to put positive pressure on making this, and
| other privacy measures, a higher priority of FF
| zamadatix wrote:
| > Similarity is very low for: UTC-07 (3% of users are on the...
| west coast? This can't be right)
|
| I dunno, seems about right to me. It's only something like
| 60ish million people and there are somewhere around 5 billion
| internet users. Obviously who will be checking the site isn't
| expected to be perfectly even but that's why the number is also
| 3x higher than plain user count would suggest.
|
| > screen sizes (I thought this was going to be a win because
| apple consistency, but all values are <0.1% -- except depth,
| which is best on Safari and identical on FF/Chrome/Edge. Do
| people not make their browsers the full screen size? (not
| clicking green expand)).
|
| Screen size, not browser size. Even on the exact same make and
| model hardware the OS UI scale setting will alter the reported
| screen dimensions in the browser. The same is true with people
| who change the default browser zoom in the browser instead.
| godelski wrote:
| > It's only something like 60ish million people and there are
| somewhere around 5 billion internet users.
|
| You know, I feel dumb now that you're pointing this out. I'm
| not sure why I originally interpreted this value as an
| "amount of identifiablity" variable rather than the pure
| amount. You're right to point that this is a variable that
| can only be used in support of others and not unique in of
| itself.
|
| > Screen size, not browser size.
|
| I would think this would make it more likely to be less
| common. Apple has tight control and thus more consistency.
| But it is a good point, especially considering the prior
| point. The M2 Air has a different screen size than the M1
| Air, which has a different screen size from *-Air which has a
| different from pros and so on. We don't need to get into UI
| scaling to change that. I was just thinking about consistency
| and popularity of the Apple ecosystem, in the West, compared
| to the variance in Windows machines. For example, I know that
| canvas fingerprints tend to have lower variance between apple
| machines of the same model than windows/linux machines of the
| same model. Just because there is different chip binning. I
| was thinking about the same thing with screens. But again, I
| clearly did a major brain fart and I appreciate the
| correction.
| swexbe wrote:
| Don't underestimate how entrenched 1920x1080, 3840x2160 and
| a few other resolutions are outside of Apple.
| ape4 wrote:
| I'd like that. But I might change the timezone from UTC to
| mine.
| matthewaveryusa wrote:
| >the Mullvad Browser applies a "hide-in-the-crowd" approach to
| online privacy by creating a similar fingerprint for all of its
| users. The browser's 'out-of-the-box' configurations and settings
| will mask many parameters and features commonly used to extract
| information from a person's device that can make them
| identifiable, including fonts, rendered content, and several
| hardware APIs.
|
| What does masking specifically mean? Is it returning pre-canned
| responses to those queries that match non mullvad browser users.
| Because otherwise the absence of these APIs basically
| fingerprints the user to the Mullvad Browser which,
| realistically, will always be a small fraction of total browser
| sessions.
| kfreds wrote:
| > What does masking specifically mean?
|
| Here's a complete list of settings and modifications:
|
| https://mullvad.net/en/browser/hard-facts
| Sakos wrote:
| They seem to be basing the behavior on the Tor Browser which is
| described here:
|
| https://blog.torproject.org/browser-fingerprinting-introduct...
|
| The Mullvad Browser download page has this to say:
|
| "Strong anti-fingerprinting from the Tor Project
|
| The Tor Project has a proven track record of building a
| privacy-focused browser. The Mullvad Browser has the same
| fingerprinting protection as the Tor Browser - it just connects
| to the internet with (or without) a VPN instead of the Tor
| Network."
| pavon wrote:
| It is using the same profile as Tor Browser which will broaden
| the group a little. There has been effort to upstream many of
| these fingerprinting resistance changes to Firefox, which would
| broaden the group even more, but I don't know if they are on
| par yet.
| autoexec wrote:
| I don't understand why TOR Browser thought that was a good
| idea either. It seems extremely risky to try to make every
| browser appear the same and simply hope that they've managed
| to cover every single means to fingerprint an individual.
| It's a game of Whac-A-Mole where your adversary is constantly
| exploring new fingerprinting techniques so TOR/Mullvad has to
| invest their time and effort into doing the same just so they
| can counter them all. If they miss anything or don't catch it
| before or as soon as anyone else does they lose the ability
| to hide in the crowd entirely.
|
| Some amount of research into fingerprinting techniques will
| always be needed but it seems to me that a far simpler
| solution would be to randomize the fingerprint for each
| connection. It doesn't matter if your browser fingerprint is
| unique as long as it's always changing. That would also make
| it harder to detect TOR/Mullvad users since they'll look
| exactly the same as anyone else with a unique fingerprint. It
| also gives users the ability to modify some of their
| fingerprint according to their needs without losing
| protection. For example, they could freely change their
| useragent for certain websites/requests while still having a
| unique fingerprint.
| Bu9818 wrote:
| The Whac-A-Mole game still exists when you randomize
| values, right?
| autoexec wrote:
| To a certain extent. You don't have to make sure you're
| catching and accounting for 100% of every possible data
| point that might be collected by a browser if you're
| randomizing everything else though. Random value +
| consistent individual value will always produce a changed
| hash.
| godelski wrote:
| If you randomize everything that sounds like a pretty
| identifiable signal tbh. Unless a very large number of
| people are also performing that randomization. A large
| number of people specifically in whichever discriminating
| group you belong to, which might be something out of your
| control.
| Bu9818 wrote:
| Fair enough, it may be more reliable against
| general/naive approaches like commercial uses though a
| sufficiently skilled adversary may only consider the
| fingerprinting techniques they have missed (one
| specifically targeting TB users).
| godelski wrote:
| Honest question, what's the upside of not doing this?
| You're already identified as a Tor user via the IP address.
| But wouldn't a unique, for example, canvas fingerprint just
| deanonymize you further? A shared fingerprint just makes
| you indistinguishable from others Tor users. Which you're
| already being classified as and can't escape that printing.
| Bu9818 wrote:
| As a side note, Tor Browser/Mullvad Browser does
| randomize canvas (and this changes every time you restart
| the browser or press New Identity). I don't remember what
| the reason for randomizing this specific feature is for,
| maybe it had better compatibility.
| godelski wrote:
| Were you intending to respond to me or the parent to my
| comment. They are the one that said Tor doesn't
| randomize.
| autoexec wrote:
| IP addresses won't necessarily ID a TOR user unless all
| exit nodes are known and being checked for. The TOR
| browser fingerprint stands out like a sore thumb though.
|
| The shared fingerprint makes TOR users indistinguishable
| from other TOR users unless/until a single identifying
| factor isn't accounted for at which point all TOR users
| are identifiable on every connection, across time,
| different domains, etc. The sameness of TOR user's
| fingerprints + even just one consistent identifying
| feature means TOR users could be individually tracked.
|
| A unique canvas fingerprint can be used to track you, but
| as long as it's _differently_ unique on every request it
| can 't be used to track you because the resulting
| fingerprint will always be different.
|
| The "hide in the crowd" trick of trying to make a bunch
| of different people's browsers look identical isn't a bad
| thing, it's just extremely fragile. Still, it's better
| than nothing. Making all browsers randomize their
| fingerprint every time defeats tracking just as well as
| the "hide in the crowd" trick does (when that trick is
| 100% perfect) but also adds resilience and flexibility
| atkailash wrote:
| [dead]
| derefr wrote:
| Tor exit nodes are self-identifying. There's a DNS-based
| reverse-IP API you can use to ask if an IP address is a
| Tor exit node.
| autoexec wrote:
| Good to know! Weird that stuff like
| https://www.dan.me.uk/tornodes and
| https://www.ipqualityscore.com/tor-ip-address-check are
| still around.
| godelski wrote:
| > IP addresses won't necessarily ID a TOR user unless all
| exit nodes are known and being checked for.
|
| Forgive my naivety, I don't really know Tor that well or
| even use it, but aren't nearly all exit nodes known and
| aren't they routinely checked for? It does not seem like
| a difficult thing to check for. I mean when I googled to
| check it seems like it is easy and Tor even provides a
| tool and publishes the 2188 addresses[0,1,2]. So... I'm
| quite confused about your assumption because a quick
| googling is leading me to believe that this is a rather
| known thing and doesn't require anywhere near state level
| action. I mean people routinely scan the entire internet
| and those posts don't even make it to HN anymore because
| they are so easy.
|
| > The shared fingerprint makes TOR users
| indistinguishable from other TOR users unless/until a
| single identifying factor isn't accounted for at which
| point all TOR users are identifiable on every connection,
| across time, different domains, etc. The sameness of TOR
| user's fingerprints + even just one consistent
| identifying feature means TOR users could be individually
| tracked.
|
| This is a great point, and I get it. But I'm not sure how
| this is different from normal situation. Doesn't this
| mean a misconfiguration of the Tor browser? One or two
| metrics may not be enough entropy to have confidence in
| an identity, though certainty you're right that it is of
| concern. I'm just trying to intuit the entropy
| difference. I'd wager it matters which metric is broken.
| But the question is when we start undoing Tor fingerprint
| overrides, at what point does the entropy decease before
| it starts increasing again? (as you're suggesting) Is
| that enough information to confidently identify a person?
| I honestly have no idea. This is a question since you're
| stating this is a cause for concern.
|
| > A unique canvas fingerprint can be used to track you,
| but as long as it's differently unique on every request
| it can't be used to track you because the resulting
| fingerprint will always be different.
|
| Is that true? I heard that Canvas Fingerprint randomizers
| actually decrease anonymity for the average user (i.e.
| done without other measures such as what Tor and Mullvad
| are doing). Due to noise being information itself, and is
| thus itself a fingerprint. You just call the function
| multiple times and look for differences or call different
| functions and look for similarities (i.e. the return
| const value). Maybe not as clear of an identifier as a
| normal canvas fingerprint, but it does constitute good
| information as most browsers aren't randomizing. I mean
| one piece of information alone isn't enough, that is why
| they collect several. You aren't being identified by only
| your canvas fingerprint.
|
| > isn't a bad thing, it's just extremely fragile. Still,
| it's better than nothing.
|
| I'm just asking what your alternative is. Btw, Tor and
| Mullvad __are__ randomizing[3]. So what is your complaint
| and what is your suggestion?
|
| [0] https://metrics.torproject.org/exonerator.html
|
| [1]
| https://2019.www.torproject.org/projects/tordnsel.html
|
| [2] https://ipdata.co/blog/tor-detection/
|
| [3] https://mullvad.net/en/browser/hard-facts
|
| > privacy.resistFingerprinting.autoDeclineNoUserInputCanv
| asPrompts set to true
|
| > privacy.resistFingerprinting.randomDataOnCanvasExtract
| set to true
| jorams wrote:
| It seems to me whether you're going to make fingerprintable
| properties be the same or randomize them, you're always
| going to need to explore every angle. Otherwise a bad actor
| can just ignore all the properties you randomize and focus
| on what's left.
| autoexec wrote:
| Very few data points used in browser fingerprinting are
| 100% unique to an individual. Multiple data points are
| combined to form a hash that is unique to an individual.
| Most people have a unique fingerprint.
|
| You can sort out your TOR browser traffic by user agent
| then focus on a single data point to track a small number
| of those users (probably to the individual level because
| TOR browser traffic is uncommon) but a website can't
| always know what's been/being randomized and can't
| separate out the randomized users from everyone else with
| a unique fingerprint.
| Bu9818 wrote:
| The alternative (faking Chrome or something) is extremely
| difficult, especially with a different codebase. There's going
| to be differences. You can tell if someone is using this
| browser if they're using Tor/Mullvad too. It's just a better
| option to create a new identity (TB/Mullvad) and put everyone
| behind that.
| eggnet wrote:
| You can already tell Mullvad users from their IP address. If
| their browser only reveals that much, that sounds like a win to
| me.
| em-bee wrote:
| considering the difference between the words mask and hide, i
| would assume it's replacing them with canned values.
| reaperducer wrote:
| Hopefully the values rotate randomly through a common set of
| values, rather than just making everyone Windows 11/Chrome.
| smegsicle wrote:
| the 'scanner darkly' method, i think xxxterm used to do
| that
|
| probably more annoying to fingerprint in general, but its
| own signal in another way
| em-bee wrote:
| well, each individual browser should not rotate the
| values to often, every few weeks or months maybe, if at
| all, or when sessions are cleared. or they could differ
| per site. but across all browser instances a statistical
| distribution of values that is similar to the existing
| distribution would help to ensure that no particular
| value stands out. given that it is firefox this should
| also mean that only average firefox values should be used
| because the browser itself can be detected through
| checking feature differences which can't be masked as
| easily.
| RamRodification wrote:
| "a similar fingerprint for all of its users", to me, makes it
| sound like they accept the fact that users will be
| fingerpritable as Mullvad Browser users (but not more precise
| than that).
|
| Actually, which other crowd could they even be referring to
| with "hide-in-the-crowd"?
| mpixel wrote:
| let's say windows 11 users who use google chrome
| ISO-morphism wrote:
| Not sure if you're being sarcastic or not, but Windows 11
| users who use Google chrome are only really a crowd at the
| User Agent string level. Chrome allows much deeper
| fingerprinting.
| Bu9818 wrote:
| It's going to be extremely difficult to imitate another
| browser like that, especially one of a different codebase.
| Chrome is extremely fingerprintable too.
| [deleted]
| predictabl3 wrote:
| Seems like a real missed opportunity to cross pollinate between
| Mullvad user and Tor users. Like, why not just leave Tor enabled?
| yieldcrv wrote:
| Is there a new directory of onion services thats more reliable?
|
| I used to use dark.fail but every site they listed has been
| continually down for the last 2 years due to some widespread DDOS
| attack on onions, and now dark.fail itself is basically always
| down too
|
| Is there a good Dread replacement while we are at it?
|
| Did everyone really move to i2p? because I rarely see anyone
| talking about that network
| MasterYoda wrote:
| OT: I use Mullvad as VPN and have 2 different Firefox instances,
| Firefox (standard) and Firefox Dev. Does anyone know if it is
| possible to run all web surfing thru one of the browsers thru
| Mullvad VPN thru some extension or similar?
|
| In other words: What I want to do is to use one of the Firefox
| web browsers to connect to my normal ISP and the others traffic
| to go thru MULLVAD VPN. I know about "split tunnel", but it does
| not feel optimal, because every single app must be deselected no
| to use VPN, to just make one web browser use the VPN. And if you
| want to run another app thru VPN, you must remember to activate
| it, not only turn on the VPN tunnel. So is there any way an
| extension could connect Firefox to Mullvad VPN directly or
| configure some proxies in Firefox that connects to Mullvad VPN
| app or similar?
| _jsnk wrote:
| I do something like this. I run wireguard in a container along
| with dante-server (a socks proxy daemon). I then configured a
| Firefox profile to connect to the socks daemon running in the
| container.
|
| This way I have a single browser profile that is routed through
| Mullvad while everything else works normally.
| Bu9818 wrote:
| If you're on Linux, consider network namespaces. Very cool
| feature.
| venatiodecorus wrote:
| mullvad offers a socks proxy. i generally use the wireguard
| app, and only allow traffic to the socks proxy through the vpn,
| and configure firefox to use that socks proxy.
|
| if you use their app it depends on your operating system how
| their whitelisting works, but you can pick apps you don't want
| to have routed through their vpn (but by default with their app
| all system traffic will be routed through the vpn except what
| you explicitly deny).
| plsbenice34 wrote:
| One of the reasons I use Qubes OS is that it makes
| functionality like this easy, with strong guarantees that there
| won't be a leak since it is achieved though VMs in the
| background. With any application you can configure it to use
| only a certain VPN, or have multiple separate instances of the
| same application connected to different ones
| Bu9818 wrote:
| This is possible with Linux network namespaces too (but
| doesn't provide protection against kernel exploitation).
| ChrisArchitect wrote:
| [dupe]
|
| FYI: news from April
|
| Bunch of discussion then:
| https://news.ycombinator.com/item?id=35421034
| mediumsmart wrote:
| I'll vote for anything that makes the web I don't care about
| break right at the doorstep, so yes.
| [deleted]
| gslepak wrote:
| How does this compare to Brave?
| fsflover wrote:
| Unlike Brave, it does not support Google's ecosystem and
| therefore doesn't provide them an unlimited power to change web
| standards.
| gslepak wrote:
| Thank you, that's an answer that I can understand. It's
| always great to see greater browser engine diversity.
| (Whatever happened to Servo?)
| noirscape wrote:
| > Whatever happened to Servo?
|
| Killed by Mozilla management and stripped for parts to
| improve Gecko.
| editional wrote:
| no Chromium might be one. I also dont know if Brave has easy
| VPN integration
| Daunk wrote:
| It's not a scam.
| gslepak wrote:
| How is Brave a scam?
| arrowsmith wrote:
| For the millionth time: you can use Brave without any of the
| crypto nonsense. I'm typing this on Brave now and I still
| barely understand what a BAT is; I've never spent more than
| 10 seconds looking into it and the browser makes no attempt
| to force it on me.
| gslepak wrote:
| > without any of the crypto nonsense
|
| I'm curious, what do people mean by this? How is the bank's
| financial system any less "nonsense" than crypto? Second
| question: when the banks start using crypto in not too long
| (via CBDCs), how will that crypto be any less "nonsense"
| than crypto?
| UberFly wrote:
| I think they mean the nonsense of it being baked into the
| browser. It wasn't a commentary on crypto itself.
| arrowsmith wrote:
| Yes.
| gslepak wrote:
| Hmm, why is that nonsense? It makes a lot of sense to me
| for a browser to support cryptocurrency payments for
| goods & services online using an Internet-native
| currency. I agree though that the particular way Brave
| has gone about it could stand to use improvement. I wish
| they had gone the Alby route.
| OkayPhysicist wrote:
| > How is the bank's financial system any less "nonsense"
| than crypto?
|
| When things go wrong in real money land, we have a whole
| legal framework with standing precedent and built up
| processes for resolving them. Nevermind the fact that I
| can just call up my local pizza place, give them a credit
| card number, and get a pizza. Over in the crypto-
| hellscape, ever since the fall of the big darknet
| markets, the only real use case for cryptocurrency is
| trying to convince other people that everybody's getting
| rich, so that you can sell them your cryptocurrency for
| real money. Or accepting a ransom for your malware
| attack. When the only three inhabited niches in your
| ecosystem are "speculator", "con artist", and "criminal",
| it's safe to write the entire thing off as "nonsense".
| gslepak wrote:
| Hmm, I use cryptocurrency on a daily basis, and my usage
| does not fall in any of those categories you listed.
|
| It sounds like (correct me if I'm wrong), the "nonsense"
| that you see consists of two things: (1) a lack of
| integration with a legal framework, and (2) that your
| local pizza shop doesn't accept crypto.
|
| Neither of those things are fundamental shortcomings of
| crypto though, as some pizza shops do accept
| cryptocurrency (just not as many), and custodial
| cryptocurrency is a thing if you're not into "being your
| own bank", which does give you some integration with the
| legal system (as long as your custodian is a law-abiding
| entity, like a well known company). As far as I'm aware,
| Brave's usage falls within that category.
| OkayPhysicist wrote:
| If you're trusting the government to resolve your legal
| issues, you have a root of trust, invalidating the entire
| need for cryptocurrency. At that point you could just
| have an SQL DB operated by the Central Reserve. The use
| of money to affect the real world necessitates a level of
| trust that completely invalidates the point of a
| decentralized, trust-less monetary system.
|
| The Silk Road was the last time anybody used
| cryptocurrency for anything useful, and beyond the
| criminality of it, crypto wasn't even particularly well-
| suited for that task. If I ever get asked for
| cryptocurrency at a pizza place, I suspect they'll have
| greeted me by inquiring about a fellow named Galt. At
| this point, nobody in the space is actually exchanging
| their "currency" for goods and services. They're treating
| it as a speculative asset. Meanwhile, the entire
| ecosystem is saturated with criminals, and not even of
| the kinda fun Silk Road kind. Just con artists, grifters,
| and the occasional ransomware connoisseur.
|
| I get it, you have a vested interest in people not
| realizing this and letting the whole "economy" collapse.
| But as long as the only legal utility in having
| cryptocurrency is hoping that someone else will be stupid
| enough to buy it for more than you did, the whole thing
| is nonsense.
| gslepak wrote:
| > _Just con artists, grifters, and the occasional
| ransomware connoisseur. I get it, you have a vested
| interest in people not realizing this and letting the
| whole "economy" collapse._
|
| I beg your pardon?
|
| I am very aware of all of the fraudsters and rug pullers
| in cryptocurrency. Do you think I like them? Just as with
| the fraudsters in FED-world, I hope they all get sent to
| jail for the crimes they pull. There are criminals,
| frausters, and grifters, in any economic system of a
| meaningful size. It's just reality, and acting shocked
| about this doesn't make any sense.
|
| As for "letting the whole 'economy' collapse", what on
| Earth are you talking about? I do not want the
| cryptocurrency economy to collapse, I want to see it
| grow. I think it's doing many incredibly important
| valuable things, like freeing humanity from digital
| slavery, and securing the Internet's broken X.509 system.
|
| As for using a SQL DB - it sounds to me like you do not
| understand what cryptocurrencies are, why they exist, and
| why they are designed the way that they are. There are
| plenty of high-quality, free explainers out there, so I
| won't bore you with one here.
| brewdad wrote:
| Please tell me how you are using crypto on a DAILY basis.
| I get maybe using it once it a while for specific
| transactions but I can't imagine a scenario where I could
| use it every day.
| [deleted]
| gslepak wrote:
| Well between paying contractors, paying for
| goods/services, playing with defi (there are non-
| speculative uses for defi believe it or not), using group
| income, and paying the random person back for a meal I
| owe, it comes out to either daily or almost daily.
|
| Don't worry as I mentioned you'll be using it daily soon
| too, except (unless I'm mistaken), it sounds like you
| might choose to use a cryptocurrency built from the
| ground up to surveil and control you, rather than one
| that's built from the ground up to enable permissionless
| transactions. To each their own.
| [deleted]
| [deleted]
| r721 wrote:
| Previously: https://news.ycombinator.com/item?id=35421034
| yewenjie wrote:
| Interesting. IIRC, TOR browser is itself a Firefox fork?
| pentamassiv wrote:
| Yes, the current Tor Browser is based on Firefox 102.14.0esr.
|
| https://blog.torproject.org/new-release-tor-browser-1252/
| MrAlex94 wrote:
| Years ago, I had the idea to create a clear-net version of Tor,
| e.g. Tor Browser without the Tor network (was called Aegis
| Digital, I believe The Epoch Times interviewed me about it).
| Separate to Waterfox, the idea would be ramp up the privacy to
| the max.
|
| The problem is, when you did that, many websites would break in
| the most bizarre of ways. Even now, it still breaks a lot of the
| web. Couple that with a well known VPN and large swathes of the
| web are going to be difficult to access.
|
| I'm sure this may go down well with the privacy crowd, but for
| the general user it was and still is a hard pill to swallow. I
| wound down any attempts, figuring a balance of privacy and
| usability would be better and if I were to offer this, why not
| just point users to use Tor instead?
|
| I figure this is a good opportunity for Mullvad to capture its
| VPN users and shift them onto a platform they control. Not
| necessarily a good or bad thing, as I know VPN providers try to
| launch their own browsers and even some browser vendors launching
| their own VPN to capture the maximum value out of their users.
| wing-_-nuts wrote:
| I use mullvad's vpn and I know very well what you're talking
| about. Social media websites will shadowban you without _any_
| TOS violating actions on your part. Certain financial sites
| will straight up refuse to work, and the worst of all are the
| sites that use _only certain js libs_ hosted on cdns that
| straight up refuse to serve anyone on a vpn. That leaves you
| with a site that looks like it 's responding, but is in fact
| broken.
|
| I feel like the very act of trying to opt out of the web's
| surveillance is enough to mark you as a second class citizen on
| the web. You either submit, and let your isp and google resell
| your most sensitive secrets, or you're effectively shunned.
|
| Regarding tor, it's a great idea tarnished by the fact that
| it's used for vile illegal activity. There's no way I would
| ever run a tor exit node. The risk of some 3 letter agency
| taking all my hardware for a few months while they figure out
| I'm not the guy they're looking for is too damned high.
| WeylandYutani wrote:
| Yes I wonder how many people actually use Mulvad as their daily
| driver.
|
| Hell I'm using completely unmodified Edge for banking and
| government agencies because even something as simple as ublock
| cosmetic filters manages to break them.
| noobermin wrote:
| I guess the worry is that this is the tor project turning into
| the equivalent of the mozilla project at their scale,
| specifically mozilla of the last 5 years. Somehow it never seems
| sustainable just running on donations. Literally the only lasting
| institution to do so is wikimedia, and that's it.
| alexalx666 wrote:
| both vpn service and web browser are commodities, giving me a
| dedicated browser was a trigger for me to learn about them and
| buy their vpn service. I love that i can login with 1 number.
| So I think the future is bright for companies that can create
| differentiation like that
| namanyayg wrote:
| Mullvad has been doing some great work -- and the browser is open
| source too.
| akkartik wrote:
| Do you have a link to the source? I'm not seeing it on the
| site.
| SushiHippie wrote:
| https://github.com/mullvad/mullvad-
| browser/releases/tag/12.5...
| mcpackieh wrote:
| This is bizarre. Why would Tor lend the credibility of their
| association to an inferior privacy product? My spidey senses are
| tingling, something is very wrong here.
| pphysch wrote:
| > Why would Tor lend the credibility of their association
|
| Huh? The Tor Project is primarily funded by the US Government.
| andrewaylett wrote:
| Both projects benefit. Tor gets funding to improve parts of the
| main Tor browser to meet Mullvad's specifications, Mullvad gets
| a new product and incidentally gets to financially support a
| project that they obviously admire.
|
| The actual reskin is technically not all that challenging, for
| all that I'd still not want to do it just for fun. I'm sure
| that if Mullvad wanted to, they could have released a rebranded
| Tor Browser with their own development team. But that would
| have meant missing out on what is probably the main point of
| the exercise, which is giving more1 money to the Tor project to
| make things better for _everyone_.
|
| [1]: See also https://www.torproject.org/about/membership/,
| wherein we discover that Mullvad gives Tor a minimum of
| $100k/year for membership.
| noirscape wrote:
| Another reason is that the Tor network has been overloaded
| since it's inception. If Mullvad can take off the load
| slightly for the uh... less necessary users (aka those who
| used Tor Browser for anti-fingerprinting uses rather than the
| type of protection offered by its onion routing), then that
| would be a win in the books of the Tor Project.
| mcpackieh wrote:
| All Tor users benefit from mundane lawful "less necessary"
| users providing cover to all the rest.
| Scion9066 wrote:
| Because not everyone wants to use the Tor network but may still
| be interested in a browser that comes configured for as much
| privacy as possible by default instead of having to configure
| various settings/extensions manually?
|
| Options for incrementally improving privacy are still good,
| even if it doesn't go as far as the normal Tor browser.
| mcpackieh wrote:
| For a superior privacy product to neuter itself for the
| benefit of supposed people who want inferior privacy is
| bizarre. Who are these people, who would want to use Tor
| Browser but wish it were less private? All this does is make
| the inferior privacy product seem better than it really is,
| by associating it with a superior one.
|
| This whole thing _STINKS._
| flumpcakes wrote:
| "inferior privacy product"
|
| I think Tor is inferior to be honest.
|
| If someone uses a commercial VPN I think they're privacy
| conscious. If someone uses Tor I subconsciously assume
| something else.
|
| I wouldn't be recommending Tor to my friends of family.
| dishsoap wrote:
| That sounds like more of a personal problem than a Tor
| problem
| wintermutestwin wrote:
| It would be great if they would bake in some extensions that are
| "table stakes" for a modern usable browser like uBlock Origin,
| Multi Account Containers, Total Suspender, and a vertical tabs
| solution like Sidebury.
| sa1 wrote:
| Things like Sidebury affect your window width and hence your
| fingerprint, Tor Browser is extremely careful with these. You
| might not be in the market for a privacy focused browser.
| wintermutestwin wrote:
| My whole point is that vertical tabs should be the damn
| default on any browser. How many people have a screen that is
| taller than it is wide? How many people have more than 8 tabs
| open at once?
| arrowsmith wrote:
| > How many people have more than 8 tabs open at once?
|
| Don't most people? I basically always do. And yes, I'm a
| techie, but anecdotally I see many non-techies with
| zillions of browser tabs open because they barely notice
| that tabs are even a feature and so they continually allow
| new ones to be opened without going back and closing
| anything.
| nurbl wrote:
| I have hundreds of open tabs in FF most of the time and
| rarely close them. I use it a bit like emacs; ignore the
| "tab bar" and use ctrl-tab (with
| browser.ctrlTab.sortByRecentlyUsed set to true) or tab
| search (with %) to jump between them. The only reason I
| need to clean up my tabs now and then is the RAM usage.
| wintermutestwin wrote:
| >The only reason I need to clean up my tabs now and then
| is the RAM usage.
|
| Total Suspender extension is critical if you have lots of
| tabs open at once.
| selykg wrote:
| My colleagues are not techies, at all. Their browser tab
| situation scares me.
| wintermutestwin wrote:
| Of course they don't notice the tabs - once you get over
| ~8, you'd have to scroll to see them.
|
| I can see 40 tabs with 40 characters of tab name in a
| single window (actually, I pin 3 rows of 8 tabs, which
| takes up 3 tab spaces, so I can see 24 pinned tabs and 37
| full size)
| n0tinventedhere wrote:
| [flagged]
| layer8 wrote:
| While I agree that vertical tabs make sense, personally I
| never use desktop browsers in fullscreen (nor almost any
| other application other than IDEs). So I'm probably f'ed
| anyway with regard to fingerprinting.
| ramraj07 wrote:
| Vertical tabs take a much larger fraction of your screen
| than horizontal tabs. The entire original USP of Chrome was
| that the "Chrome" part of the browser window took the
| absolute bare minimum space in the screen letting you focus
| on the content. I think people still psychologically expect
| that to be true.
|
| I wanted to love vertical tabs but I just keep going back.
| If you have multiple browsers open side by side it gets
| annoying how much screen the tabs take up.
| Arcuru wrote:
| You can always just toggle the vertical tab view per
| window, so you don't lose any horizontal screen real
| estate unless you need them. And at least in Firefox you
| can remove the existing horizontal tabs using
| userChrome[1].
|
| [1]: https://www.pcworld.com/article/823939/vertical-
| tabs-in-fire...
| wintermutestwin wrote:
| >If you have multiple browsers open side by side
|
| Interesting. I have never had a need to not have the
| browser take the full width (at least on my 16" MBP.
| What's the use case / workflow?
| bonif wrote:
| The use case is using a proper monitor, bigger than 16".
| Try that on a 27" or 32"
| throwanem wrote:
| Docs in a browser window, next to an editor window, while
| working with a library that isn't very familiar. Granted,
| this works better on a display of meaningful size, but I
| do it a lot and vertical tabs would waste noticeable
| space.
|
| On the other hand, I have good tab discipline in general,
| so vertical tabs would waste even more space by virtue of
| dedicating a lot of real estate for displaying next to
| nothing. But who needs all those tabs anyway?
| wintermutestwin wrote:
| >But who needs all those tabs anyway?
|
| While doing research, each search yields numerous links
| that I need to evaluate so I'll open them all in tabs and
| then I go through them as a task list to whittle down.
|
| I have a whole window for just email + comms. I have
| several different businesses that all use separate email,
| etc in containers.
|
| I also have several interests where each gets its own
| window and has up to 24 pinned tabs of key sites for that
| topic. These are not business, so I don't have time
| pressure to whittle down the tabs that I open.
|
| I currently have 368 tabs open and they are all easy to
| access: Select a window by topic (I use the Titler
| extension to name windows) and I have 3 rows of 8 tabs
| pinned at the top and up to 37 tabs with 40 characters of
| tab name space. So in each window, I can see 61 tabs
| without scrolling.
|
| Why would I ever want "tab discipline?"
| dmm wrote:
| > Vertical tabs take a much larger fraction of your
| screen than horizontal tabs.
|
| Sidebery can be toggled with ctrl-e. I just enable when I
| need it. I also the horizontal tab bar with custom css,
| saving the space.
| omgmajk wrote:
| > How many people have more than 8 tabs open at once?
|
| Basically everyone I know, techie or not have many many
| tabs open, always. I might have 200+ at the moment?
| Something like that. They are hidden in containers so I
| don't see them all but in this current window I have maybe
| 20.
|
| I never liked vertical tabs, takes up too much screen.
| fasterik wrote:
| I've never really understood this. I might go 10 or 20
| tabs deep in a browsing session if I'm researching
| something, but if I want to save something for later I
| will either bookmark it or paste links into a text file.
| Having hundreds of tabs open all the time just seems
| inefficient to me.
| c_s_guy wrote:
| There are plenty of use cases so I'm sure it varies.
|
| For example, I often have my browser on the left side and
| my editor on the right. With only 50% of the width, I
| sometimes prefer to reclaim the horizontal space and switch
| back to horizontal tabs.
| Barrin92 wrote:
| okay, people need to stop treating digital canvases like an
| analog surface. It doesn't matter what dimensions your
| screen is. The paradigm for virtually every application on
| a computer is to scroll vertically, so practically that
| space is unlimited.
|
| What people want to do is fit stuff side-by-side and move
| up and down, rarely ever the other way around. That's why
| vertical tabs make no sense in most contexts. It's why
| narrow-width fonts exist, those columns are valuable real
| estate as soon as you have another window pulled up to the
| left or right, there's virtually no case where a few rows
| made a difference.
| ar_lan wrote:
| These are not table stakes features for usability, especially
| the last one. I use Arc Browser and while I think vertical tabs
| is _nice_ , this is not a MVP feature.
|
| Additionally, I'd argue Multi Account Containers + Total
| Suspender are not either. Even MAC doesn't come by default w/
| Firefox, you still need to install it. I'm willing to bit the
| vast majority of internet users still don't know about it.
|
| And Total Suspender is really a response to RAM use by
| browsers. It's a great idea, browsers should implement it, but
| many people still don't know about it and it's not necessarily
| a deal-breaker.
| drcongo wrote:
| uBlock is the only one of those I've even heard of.
| ian-g wrote:
| multi account containers is a Firefox thing.
|
| you can silo websites away from each other. for example, your
| work uses outlook and slack. a work tab has those logins
| memorized, but it won't know about your Facebook login.
|
| you could have a banking tab just for logging in to places
| like that. I'm a fan
| drcongo wrote:
| Thanks, I've never used that but it does sound useful! I
| tend to use different browsers to context switch as Cmd+Tab
| is a nice way to switch between them - Safari for actual
| browsing, Firefox (and developer edition) for dev.
| pferde wrote:
| I prefer to use separate docker containers for that, with
| some trivial shell wrappers to make creating new persistent
| "browser profiles" easy. But for non-techies, I guess the
| Firefox addon is the next best thing.
| trackflak wrote:
| Brilliant also for your sock puppeting... I mean legit
| separation of interests
| dotcoma wrote:
| Ublock Origin is baked-in, as far as I know.
| theyknowitsxmas wrote:
| I understand a mutual fingerprint is good, but how is this better
| than LibreWolf?
| MrAlex94 wrote:
| Well, this will provide signed binaries and a "native" (to the
| browser) update service that doesn't rely on a third party to
| update it.
|
| Librewolf breaks trust (for lack of a better term) by not
| offering both of those options.
|
| You just have to assume the binary you download isn't
| compromised (maybe you could argue checking the hash is enough)
| and that the third-party updating service won't serve you a
| compromised update.
| hendersoon wrote:
| So it's just the TOR browser with TOR disabled? Thing is, you
| could do that anyway. It did take setting a couple environment
| variables, no GUI method, but easy enough to do. Unclear what
| value Mullvad's version provides. Feels like a promotional thing.
| yencabulator wrote:
| Of course it's a promotional thing, it's named after a company.
|
| Think of it this way: Mullvad is sponsoring Tor at
| >=$100,000/year, and in exchange the Tor Browser developers
| made a slight fork of their codebase that sets a couple of
| environment variables and changes the branding. Now the fact
| that it's just a couple of environment variables sounds like a
| good thing, right?
| [deleted]
| suslik wrote:
| I suspect that this:
|
| > It did take setting a couple environment variables, no GUI
| method
|
| , which is unknown to almost anyone, would scare an absolute
| majority of non-technical folk away. Even if what mullvad does
| is relatively small in scope, it can still provide a lot of
| value to people.
___________________________________________________________________
(page generated 2023-08-17 23:01 UTC)