Re: [Trisquel-users] Web Browser
Chromium is not supported because it is a complex collection of different pieces, some of which are not free, and cannot be easily parsed out because each version is different. There are other Webkit browsers though: Falkon (Qupzilla), Surf, Web, Midori, and Konqueror.
Re: [Trisquel-users] Web Browser
I am currently using Palemoon. Can't complain so far... Works pretty well. Maybe you would like to give it a try?
Re: [Trisquel-users] Web Browser
But Palemoon is not free software.
Re: [Trisquel-users] Web Browser
I'd like to add that Web (GNOME Web) is awesome, and people should be writing their web apps to run inside it rather than Chromium. GNOME Web integrates web apps with the desktop at the click of a button.
Re: [Trisquel-users] Web Browser
Having had a quick look, it seems to be under Mozilla Public License. https://www.palemoon.org/licensing.shtml According to GNU, that's free software: https://www.gnu.org/licenses/license-list.en.html#MPL-2.0
Re: [Trisquel-users] Web Browser
What a shame.
Re: [Trisquel-users] Web Browser
It has the same problem as Firefox, where freedom #2 (the ability to make exact copies) has been limited to non-commercial purposes. https://www.palemoon.org/redist.shtml https://libreplanet.org/wiki/Libre_Browsers_Libre_Formats#Browsers_that_might_seem_free.2C_but_are_not https://jxself.org/mozilla_trademark.shtml Because that loophole is open, it allows room for a derivative to be free but the original version itself would still only have 2 (or maybe 2.5) of those 4 freedoms, depending on how you count.
Re: [Trisquel-users] Web Browser
Hello friend of software freedom,

In December 2017, after trying FF 57 for the first time, I saw some hideous things and I started to test various browsers myself, from privacy perspective. I have shared some of my findings as bug reports:

Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1424781
Chromium: https://bugs.chromium.org/p/chromium/issues/detail?id=795526
IceCat: I have reported this directly to GNU and FSF as it shows similar behavior to Firefox (with a little less messages sent). RMS himself replied and forwarded the message to one of the developers who then replied: "I'll be working on more a more strict cleanup of those "features" for the next IceCat release cycle."

FWIW I am using openSUSE Leap 42.3 (and interested in trying Trisquel).

Considering the results: It seems to me that the so called FOSS browsers don't really respect user privacy and as also mentioned in the bug report to Mozilla, I consider this violation of Freedom 0 as privacy is essential to freedom. Unfortunately Mozilla seems not to care at all. Chromium developers replied much more sanely and as a whole Chromium so far seems the most privacy respecting browser (as per my tests, feel free to share your results). Also looking at most recent issues of Spectre and Meltdown - personally I have blocked all JS in chromium. Firefox doesn't even have such setting.

Waterfox (supposedly a version of FF with enhanced privacy) shows exactly the same result as Firefox in tcpdump. I am still willing to test other browsers when I have time.

Currently I am also looking for RSS reader which won't load any JS. Akregator seems to load web pages with embedded and playable YouTube videos (which means it also loads scripts, 3rd party stuff etc). If anyone knows about good privacy respecting RSS reader, please share.
Re: [Trisquel-users] Web Browser
In Trisquel 8, Abrowser is default browser and works nice (apart from some branding issues). Also, as others have mentioned, the "Web" package is nice.
Re: [Trisquel-users] Web Browser
> and as a whole Chromium so far seems the most
> privacy respecting browser

As I understand it Chromium has freedom issues, which doesn't surprise me since the project seems committed not to freedom but to ensuring that its proprietary counterpart Chrome benefits from all free software included in Chromium, only including pushover-licensed free software and avoiding the work of free software developers who have used the GPL to protect their labor from exploitation. Firefox has known issues, but as free software can be modified to remove any antifeatures. Have you tried the same privacy tests on any other Firefox forks? Tor Browser should be the most privacy-respecting. Abrowser should also be better than vanilla Firefox.

> Also looking at most recent issues of Spectre and Meltdown -
> personally I have blocked all JS in chromium.

You are wise to avoid JS.

> Currently I am also looking for RSS reader which won't load any
> JS.

Liferea's internal browser has JS enabled by default, but it can be disabled under Tools->Preferences->Browser.
Re: [Trisquel-users] Web Browser
> As I understand it Chromium has freedom issues

Could you please explain what freedom issues (apart from the one mentioned by me) there are? I have always thought Chromium is FLOSS.

> Firefox has known issues, but as free software can be modified to remove any antifeatures.

But I am not a programmer. And it seems no programmer has taken care to remove them, yet the vendors claim it is free software respecting privacy and people believe that. My test proves that it is not. And that the vendor not only doesn't care but would rather argue with proven and close the ticket.

> Have you tried the same privacy tests on any other Firefox forks?

Yes - IceCat, Waterfox. IceCat also does background communication on startup. Waterfox shows the same behavior as Firefox.

> Tor Browser should be the most privacy-respecting.

Using uMatrix's background log I noticed that Tor Browser also sends behind the scenes packets. I don't know if they go through the Tor network but in any case - they are sent, without prior (or any) consent. Some of them were to Mozilla's servers. I haven't tested further or in more detail.

> Liferea's internal browser has JS enabled by default, but it can be disabled under Tools->Preferences->Browser.

Thanks. I also just found QuiteRSS which has built in browser in which JS can be disabled. But to my mind the very fact that the RSS reader has support for JS makes me stay away from it. Perhaps I need to find a command line tool or get rid of RSS totally...
Re: [Trisquel-users] Web Browser
> Also looking at most recent issues of Spectre and Meltdown - personally I have blocked all JS in chromium. Firefox doesn't even have such setting.

Well done, welcome to the club. Firefox does have the option to block all javascript, of course. In about:config type javascript

javascript.enabled    false

Just a friendly reminder about Chromiummo... https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909
Re: [Trisquel-users] Web Browser
> Could you please explain what freedom issues (apart from the one mentioned
> by me) there are? I have always thought Chromium is FLOSS.

See Magic Banana and Supertramp's posts.

> But I am not a programmer. And it seems no programmer has taken care to
> remove them

I wasn't suggesting that you yourself do it. I was referring to Firefox derivatives, including Abrowser, IceCat, and Tor Browser. From reading your bug report, it appears that Mozilla is unwilling to make the reasonable change you requested. However, the three browsers I listed are more likely to address the issue if brought to their attention. It sounds like you've already done this for Icecat and gotten a promising response. I suggest doing the same for Tor Browser. If the data is not sent through the Tor network or contains identifying data then it is deanonymizing and I'm sure they would take it seriously.

> yet the vendors claim it is free software respecting privacy

There are two claims in there, as freedom (in the software sense) and privacy are two important but separate issues. I agree that Firefox does not adequately respect privacy, but it is free software which is why it is possible to create Firefox derivatives that improve the software with respect to privacy. You've found one issue that has not yet been fixed in Icecat, Abrowser (I just checked), or Tor Browser (more info needed to know if deanonymizing in this case) but there is nothing stopping them from fixing the issue now. If Firefox were proprietary no one would be allowed to fix any of these issues.

> Perhaps I need to find a command
> line tool or get rid of RSS totally...

I recently started using newsbeuter. It's very easy to configure. Run it once to generate ~/.newsbeuter/ and save a list of links to feeds as ~/.newsbeuter/urls.

> ETA: FWIW this whole thing makes me question the FOSS software as a whole.

It is possible for free software to include antifeatures, and it's true that community control over the software doesn't immediately eliminate all antifeatures. However, at least it is possible to audit and improve the software. With proprietary software we are truly at the developers' mercy and only have their word that the software contains no malicious functionality. It's similar to how science works. It is possible for a study to be flawed or for results to be forged, but if the research is public and subject to peer review it is possible to refute falsehoods, which also incentivizes researchers to be accurate and truthful in the first place. If scientists were allowed to keep their methodology a secret so that no one could attempt to replicate their results we would simply have to trust what they say is the truth. Public information, whether it is code or any other kind of information, is not necessarily perfect, but it is far more reliable than privatized information.
Re: [Trisquel-users] Web Browser
> newsbeuter

Yes, I have started using it yesterday too. Looks nice. Thanks for sharing your experience.

> agree that Firefox does not adequately respect privacy, but it is free software

I see a big danger in this. It implies that free software can be malicious to the user and still be called free software. So the very term loses its meaning because normally free is associated with ethical, so that is the expectation. Would you agree? Of course I am not implying that it should be 100% bug free but I object to the fact that it is intentionally made non-private. That's why I mention freedom 0 in the comments.

The other question is - how come an average nobody, not even a network expert, could make such a simple test (which seems essential and fairly easy to my mind) and professional top programmers or sysadmins never did that, yet they stick to software which they accept as given to be safe? That is what really worries me. I don't mean to be disrespectful to anyone but looking at facts, logically and sanely, without any bias - we have great talks about software freedom, ethics, non-maliciousness, non-spying, endorsements listed as 100% free/libre/RYF etc. - words creating the impression of absolute cleanness in which the user can be completely safe, like a baby in the hands of a good loving mother. But at the same time - it is not quite the case. Why are these endorsements created if nobody really seems to have checked elementary things? How can a free/libre thing be "respecting your freedom" if it contains a product which connects to Amazon, Akamai etc. on first run, without even asking you or without even telling you that it will do that?

I have read some threads with lots of criticism about Purism, about how they carefully structure the language to create the impression of cleanness, security and safety. But how is this different? It is either clean or not clean. We cannot mix clean water and dirty water and advertise that it is clean water.
Otherwise the words free and ethical are already polluted and we need new words, which in turn will get polluted too etc. I wonder if I am making myself clear :) So I am not questioning the technical expertise of anyone but the depth of attention given to things and how it is shared. Through the words used and through the mockery at proprietary stuff the sharing creates the impression of absolutism, as in inspected thoroughly down to the semiconductor by super experts. At the same time we see such superficial issues and the company "respecting user privacy" would rather send me to talk to another one who doesn't care. It is not that I don't understand what they are doing - I simply won't play their game. I have uninstalled Firefox, to me it is that simple. When one sees a venomous snake one doesn't argue with it - one stays away from it, doesn't one?
Re: [Trisquel-users] Web Browser
> I see a big danger in this. It implies that free software can be
> malicious to the user and still be called free software.

You make a similar point to the one RMS makes in the Ubuntu article Magic Banana linked to, which I encourage you to read if you haven't already. It is for this reason that he suggests people shun Ubuntu, while acknowledging that they had not infringed on user freedom to modify the software, which is why Trisquel was able to remove the spyware features. I was not defending Mozilla's privacy violations by calling it free software. I was clarifying the terms we are using so that our criticisms are accurate.

> normally free is
> associated with ethical, so that is the expectation.

Freedom (in the general sense) is an aspect of ethics that in my view does include privacy. However, because RMS coined the term 'free software', it is generally associated with his definition, which is very specific.

> That's why I mention freedom 0 in the comments.

Again, RMS's definitions are very specific, and I think you misunderstand his definition of freedom 0. If I give you a shovel that is too long for you to use comfortably, perhaps you can not use the shovel as you wish in its current form. It may seem that this infringes on freedom 0, and you may get frustrated if I were to refuse to make the shovel shorter. However, I am simply refusing to perform labor I do not wish to perform. I would be infringing on freedom 0 if I told you that you may only use the shovel with certain kinds of soil during certain hours of the day and that anything valuable you find while digging you must give to me. I would also be infringing on freedom 1 if I told you that you may not shorten the shovel, freedom 2 if I told you that you may not lend the shovel to your friend or create a new shovel for her, and freedom 3 if I told you that the new shovel you create for her may not be better than the one I gave you. I'm not trying to get too semantic on you. I just want to clarify the definition of freedom 0 because I think you had a very good point in the Mozilla thread and it was unfortunate that they jumped on your misuse of the term as a way to derail what you were saying.

> The other question is - how come an average nobody, not even a
> network expert, could make such a simple test (which seems
> essential and fairly easy to my mind) and professional top
> programmers or sysadmins never did that

Whether they never

> words creating the impression of absolute
> cleanness in which the user can be completely safe, like a baby
> in the hands of a good loving mother.

It is a mistake to think that way. Free software is less likely to be malicious than proprietary software because a community of many people who may review the source code is less likely to conspire than a single party, and because malicious functionality may be removed by community members with the knowledge and time to do so. However, that does not mean you should blindly trust free software. Healthy skepticism is part of the process by which a community can find faults with and improve software. If Mozilla won't make the improvement you suggest and you lack the knowledge to do it yourself, you can approach a more privacy-minded Firefox derivative like Icecat (as you have done and got a positive response), Abrowser, or Tor Browser.

> How can a
> free/libre thing be "respecting your freedom" if it contains a
> product which connects to Amazon, Akamai etc. on first run,
> without even asking you or without even telling you that it will
> do that?

This is a huge privacy concern, and I consider privacy to be a freedom in the general sense of the word. Again though, in the context of software 'freedom' is associated with RMS's four freedoms, and that is what we mean when we call something 'free software'. That does not mean that we shouldn't criticize Mozilla if they do something that tarnishes the reputation of free software

> I have read some threads with lots of criticism about
> Purism, about how they carefully structure the language to create
> the impression of cleanness, security and safety.

Even with Purism, it is important to be accurate in our criticisms. When Purism claims that they use a completely libre BIOS they are being dishonest, but there is nothing wrong with them claiming that their Debian-derived distro PureOS is libre because it is, and they can be commended for creating a libre distro without defending their claims about their BIOS. Similarly, Mozilla is telling the truth when they describe Firefox as 'free software' (meaning software that respects the four freedoms) but it appears that they do not respect privacy as well as they claim.

> different? It is either clean or not clean. We cannot mix clean
> water and dirty water and advertise that it is clean water.
> Otherwise the words free and ethical are already polluted and we
> need new words, which in turn will get polluted too etc. I
Re: [Trisquel-users] Web Browser
> You make a similar point to the one RMS makes in the Ubuntu article Magic Banana linked to, which I encourage you to read if you haven't already.

I am familiar with the story about Ubuntu's search forwarding info to Amazon.

> However, because RMS coined the term 'free software', it is generally associated with his definition, which is very specific.

I understand that (even without the excellent shovel example) and I am questioning the effect of it because accompanied by talks about ethics and non-harmfulness 1) that creates the false implication of something friendly, safe etc. 2) people easily 'buy' free/safe/secure things. In other words - it can be exploited quite easily.

> It is a mistake to think that way.

Of course. That's why it is essential that not only Ubuntu but browsers should also be exposed. I find it disturbing that IceCat was released by people who are so strict and critical to ethics.

> Again though, in the context of software 'freedom' is associated with RMS's four freedoms, and that is what we mean when we call something 'free software'.

Which is an excellent example of exploitation of the term (considering the results of the test).

> When Purism claims that they use a completely libre BIOS they are being dishonest

I would be interested to read that claim as I haven't found any explicit evidence of it. They don't claim anywhere they use Libreboot but it seems to be a forthcoming step in future: https://puri.sm/learn/freedom-roadmap/

> I'll bet that if you bring this issue to the attention of the Abrowser and Tor Browser developers they will be willing to clean up after Mozilla as they already do.

I don't know how to test Tor Browser with tcpdump due to the specific way it connects to the network. As for Abrowser - I can't find it on openSUSE's repos, neither I find it by DDGing for it. Where can I download it?

> However, switching to Chromium because one of their developers told you what you wanted to hear (the Mozilla developer who referred you to someone who had some control over the policy was actually being more helpful) is not a good solution. When it comes to privacy, no company has a worse track record than Google.

The answer given by the Chromium dev surely is not to my taste. Yet it is more acceptable considering that even currently Chromium's test shows it to be a privacy respecting browser. Or can you show a test which demonstrates that Chromium leaks data to Google? Or any other freedom related issue? Please do share, I am interested.

As for Firefox again: of course is free in the "legal sense" (just like Ubuntu) but if one prides oneself to be an integral part of an organization which respects user privacy it is absolutely unacceptable to:

1) create a telemetry feature (for whatever purpose)
2) make it enabled by default (do you know that kids who can't read play YouTube videos in browsers?)
3) make it not possible to disable without some expert fine tuning
4) close the ticket with "FIXED WORKSFORME" when demonstrated that there is a real issue
5) give "talk to someone else" style of answer

Due to all this I am reluctant to use any product by Mozilla. Still we use it on our phones because otherwise we would have to use Google Chrome (as I don't know of Chromium for Android).

> Honestly, if you really care about privacy Tor Browser is your only option.

I question that too. If one is not extra careful, even through Tor one can expose a traceable pattern. For lots of things Tor is an overkill (imo).

> You can't have privacy without anonymity.

I think they are different things. When you go to your home you have privacy. You can have a private conversation with someone in a public location. That doesn't mean you need to hide your face or remove the name from your front door in order to do that, right?
Re: [Trisquel-users] Web Browser
Chromium has no good free software derivatives, Firefox does. Chromium collects information just like Google Chrome sending it back to Google. Firefox does do the same by default... but you can turn it off at least. Also, Firefox has free software forks such as, Abrowser, Icecat, Iceweasel (Hyperbola and Parabola's versions of iceweasel though.) and Tor Browser. That's really about it. Purism is only honest if you don't read much about them except in favor of what they say to you. And last but not least, I get the feeling I am wasting time sending this post because you may be trolling us... If so, I applaud you for that +1. If not, you're insane or possibly just delusional... xD in that case -1
Re: [Trisquel-users] Web Browser
> I understand that (even without the excellent shovel example) and
> I am questioning the effect of it because accompanied by talks
> about ethics and non-harmfulness 1) that creates the false
> implication of something friendly, safe etc. 2) people easily
> 'buy' free/safe/secure things. In other words - it can be
> exploited quite easily.

Yes, I agree with your point, and it's similar to RMS's point which is why I suggested the article, not because I thought you were unaware of the Ubuntu issue itself. My only point is that "This Firefox antifeature is an invasion of privacy" will be a more effective argument than "The fact that this feature can't be disabled without editing the source code violates freedom 0."

> Of course. That's why it is essential that not only Ubuntu but
> browsers should also be exposed. I find it disturbing that IceCat
> was released by people who are so strict and critical to ethics.

It sounds like RMS took your report seriously and I believe they will fix it.

> I would be interested to read that claim as I haven't found any
> explicit evidence of it. They don't claim anywhere they use
> Libreboot but it seems to be a forthcoming step in future:
> https://puri.sm/learn/freedom-roadmap/

I don't want to get too sidetracked talking about Purism here, but they don't claim to use libreboot. On the page for their latest Librem laptop they imply that the laptop is entirely libre but do not disclose what BIOS they use. I found another page on their website acknowledging that they use coreboot but erroneously claiming that coreboot is completely libre, when it contains proprietary blobs. There is also a near-zero chance that Purism will ever use libreboot, because post-2010 Intel chips will probably never be supported. If Purism claimed that they plan to use libreboot I would be skeptical, but I'm not aware of them having made that claim.

> I don't know how to test Tor Browser with tcpdump due to the
> specific way it connects to the network.

I don't know either, but I would contact them with your Icecat results (since both Icecat and Tor Browser are based on ESR) and ask them if they are aware of the issue and whether it affects Tor Browser.

> As for Abrowser - I
> can't find it on openSUSE's repos, neither I find it by DDGing
> for it. Where can I download it?

Abrowser is from the same developer as Trisquel. It is the default browser in Trisquel and the Trisquel-derived Uruk. I'm having trouble finding it via DDG too because there is apparently an IE-based browser by the same name. I don't have time to look further right now but will get back to you.

> Or
> can you show a test which demonstrates that Chromium leaks data to
> Google? Or any other freedom related issue?

Most of what I know about Chromium comes from what Magic Banana and others have shared on this forum, including in this thread and others, regarding why Chromium is excluded from Trisquel. Magic Banana's link in this thread is on its own reason enough. The bug Supertramp links to is apparently closed but alarming. I understand that Chromium is currently being investigated by jxself, so perhaps a libre build will be possible in the future, but until then I'm not going to trust the Chromium developers to declare that their software is libre given (1) the material Magic Banana links to and (2) the fact that they have no real incentive to care about freedom and only even attempt to meet the weaker "open source" definition for strategic reasons.

> As for Firefox again: of course is free in the "legal sense"
> (just like Ubuntu) but if one prides oneself to be an integral
> part of an organization which respects user privacy it is
> absolutely unacceptable to:

Ubuntu is not quite as free in the sense that Firefox is, since it contains and recommends proprietary software (see https://www.gnu.org/distros/common-distros.html), where Firefox recommends but does not contain proprietary software, but I agree with your overall point.

> Due to all this I am reluctant to use any product by Mozilla.
> Still we use it on our phones because otherwise we would have to
> use Google Chrome (as I don't know of Chromium for Android).

I'm about to get a little off-topic, but if you are using Android you might consider switching to Replicant (if you are okay with acquiring and using an older device) or LineageOS (not 100% libre like Replicant but much better than Android and supports more devices than Replicant). I have a Replicant phone that I only carry when I absolutely have to and never use for browsing the web, so I haven't really looked into what its default browser is based on. It isn't Firefox, and it is definitely not Chrome, but it may be Chromium-based. If you live in North America you might want to look into JMP (https://jmp.chat) as an alternative to carrying a cell phone at all.

> If one is not extra careful, even through
> Tor one can expose a traceable pattern.

No, Tor is not fool
Re: [Trisquel-users] Web Browser
I agree with most of what you just said, except that I don't think heyjoe is necessarily trolling. In fact, I think that he has provided some interesting information, and while I question as you do his decision to use Chromium I would not risk driving him off when he may be sincere, nor would I dismiss him as delusional. He is right about much, and even on the points I disagree with he's been reasonable.
Re: [Trisquel-users] Web Browser
There is another browser called Brave. It is a chromium/blink derivative, it has adblockers and says that it enhances user privacy but when I go to their extensions page(only limited extensions web) it contains proprietary extensions like 1-pass...
Re: [Trisquel-users] Web Browser
> Chromium has no good free software derivatives, Firefox does.

I don't know why that makes Firefox better software (privacy or freedom wise). It may actually have the implication that Firefox *needs* modifications in order to be good for the user. In any case without having expected each line of code of both browsers these are just general considerations.

> Chromium collects information just like Google Chrome sending it back to Google. Firefox does do the same by default... but you can turn it off at least.

You see, I have read thousands of such statements. For that reason I decided to test for myself and my tests show exactly the opposite. Here is what each browser sends in the background on startup with maximum privacy settings (as explained in the bug reports):

Firefox (also the same with WaterFox): https://bug1424781.bmoattachments.org/attachment.cgi?id=8937242
IceCat: https://tracker.pureos.net/file/data/ezq7sfsa3em4iipqan2a/PHID-FILE-ms72jsoc2en6alzjr54z/icecat-privacy.txt
Additionally (found today): https://lists.gnu.org/archive/html/bug-gnuzilla/2017-11/msg00012.html
Chromium: https://bugs.chromium.org/p/chromium/issues/attachmentText?aid=316942

Do you see Chromium sending any packets to Google? Or to any other company at all? - No. But both Firefox and IceCat do. If you can show actual STR for a test scenario which proves that Chromium sends data to Google without user consent, I am very interested to look at it. But as Chromium sends only DNS lookup requests to random names to test if the proxy/gateway requires authentication (as explained in the Chromium bug report) it is not really a privacy issue because:

1) if you connect to a public WiFi you have already trusted it, i.e. it is not a question of browser
2) if you use your local DNS you are in control
3) you can create a default browser policy which would enforce those settings, so even on first run there will be no communication to any company.

With Firefox (or IceCat, or WaterFox) you don't have that level of control and Mozilla refuses to give it to you. Please test, see for yourself and share if you find anything different.

> Purism is only honest if you don't read much about them except in favor of what they say to you.

I don't want to go too off-topic as the thread is about browsers. I mentioned Purism because I noticed the harsh critique in another thread. Personally I don't have the expertise to evaluate the validity of what they say or of what others say about them. The fact is that I shared my findings in their bug tracker and they have structured it properly for further cleaning up of their PureBrowser - which unfortunately I am unable to test as I can't find a way to install it on my openSUSE (maybe I will do it in a VM when I have time). In any case the point for which I mentioned Purism is because we must be very careful when we use or accept words about anything - browsers, OS, hardware, companies etc. I agree that the overall linguistic outline on their website is quite cleverly tailored and indeed creates the impression of a perfectly pure system which is obviously not the case: disabling Intel ME does not remove the secondary CPU built in the main one and so far it seems nobody has reverse engineered completely the modules which me_cleaner must leave untouched. But doesn't the same apply to the laptops listed as RYF by FSF? Has Intel ME been completely removed or only disabled just the same way?

Along these lines: "The distro must contain no DRM, no back doors, and no spyware." https://www.gnu.org/distros/free-system-distribution-guidelines.html#no-malware

If this is actual criterion used in evaluation of FSF endorsed distros, then the "no spyware" has not been checked. Browsers are perhaps the most used programs and if any distro has Firefox (or IceCat, or WaterFox), considering tcpdump's output the logical question is: How deeply has the distro been tested actually? Are there any public records which show the exact procedure and the result of it for every distro, so everyone can reproduce it? I really don't know. But if the idea is openness and freely accessible info - it makes sense to have such records. And if there is an entity which can decide which is free and ethical, then such auditing must be done on a regular basis, not just listed once and forever. Otherwise the endorsement really has no meaning and can be easily exploited for marketing purposes.

So considering all that, without any condemnation or justification, it is very difficult to say who is honest and at what depth. Without actual testing it is all just words. Unfortunately technology is so complicated that it is really impossible for one to learn and test everything. So we become slaves to experts and as we see every day - being an expert does not always include good morality.

> because you may be trolling us...

It has ne
Re: [Trisquel-users] Web Browser
> My only point is that "This Firefox antifeature is an invasion of privacy" will be a more effective argument than "The fact that this feature can't be disabled without editing the source code violates freedom 0."

You are right about that. Perhaps I should have actually used a new definition, e.g. "freedom -1" as what I am questioning is deeper than F0. From general user perspective security and privacy are much more important than the ability to inspect the code. Maybe the 4 freedoms are not enough and we need a new form of evaluating qualities which considers the deeper issues of today.

> It sounds like RMS took your report seriously and I believe they will fix it.

Yes. But still - is there any official public announcement by FSF saying "We have found a privacy issue in IceCat" + description of it? I actually suggested in my emails that they share the issue with the public, so that people know about them.

> I don't have time to look further right now but will get back to you.

If you have Trisquel you could probably repeat the test for yourself and share the result.

> Most of what I know about Chromium comes from what Magic Banana and others have shared on this forum, including in this thread and others, regarding why Chromium is excluded from Trisquel.

Now you have actual facts from tcpdump too :)

> The bug Supertramp links to is apparently closed but alarming.

It seems invalid because current version of Chromium doesn't do what that bug describes.

> I understand that Chromium is currently being investigated by jxself, so perhaps a libre build will be possible in the future, but until then I'm not going to trust the Chromium developers to declare that their software is libre given (1) the material Magic Banana links to and (2) the fact that they have no real incentive to care about freedom and only even attempt to meet the weaker "open source" definition for strategic reasons.

This is a valid concern but the question is: why would you trust a "free software" which sends packets to Amazon etc. or would you use one which is weaker (OSS) but shows better privacy?

> I'm about to get a little off-topic, but if you are using Android you might consider switching to Replicant (if you are okay with acquiring and using an older device) or LineageOS (not 100% libre like Replicant but much better than Android and supports more devices than Replicant).

I know about Replicant and LineageOS (and Omnirom). I have a Samsung Galaxy S3 mini which unfortunately is not supported by any of those. I very rarely connect to the internet from my phone and (almost) never turn on the GPS. Of course that doesn't mean anything because it doesn't stop the firmware to do what it wants but still... this is the only thing I can do for the moment. We also have 2 devices here (used by other people) which are in the supported Replicant list and I am planning to try Replicant on them but considering that Replicant is not 100% deblobbed - I am questioning if it makes any sense at all. Maybe we can rather wait for the Librem 5 phone? :P

> Tor...

One problem which I see is that one cannot use login-based sites at all and preserve anonymity because 1) you need an email address (or phone no.) to create a login 2) I cannot find any email service provider where one can register for free without javascript. And all this greatly limits Tor usage. BTW do you think that installing uBO, uMatrix or HTTPS Everywhere as extensions in Tor reduces anonymity or improves it?

> Suppose you want to receive information from this person without giving them any information about yourself.

You see - THAT is the big paradox, the fight is not for freedom but for control. We hate to give information yet we want to receive freely available one. We really try to be clever merchants of information because of all our cultural conditioning. How is that different from what PRISM does?

> The act of communication inherently requires giving some information, and in some situations the only way to complete the exchange without the other party learning something about you is if they don't know who the information is coming from.

The other day I've been thinking about a new way of communication. A new network if you will. AFAIK UDP does not require response from the other peer. So in that sense: what if we have a network of anonymous UDP peers sending encrypted info. It will be available to all other nodes but only those which know how to read it (the recipient) will be able to. Of course this is just a very rough concept but maybe worth considering... Share your thoughts please.

> Here's a good link (https://www.eff.org/pages/tor-and-https).

Thanks. I find it amusing that the page asks to enable Javascript :)
Re: [Trisquel-users] Web Browser
Okay, I just thought he was messing around. You have a point though, we should never assume till there is ample evidence.
Re: [Trisquel-users] Web Browser
Yeah, I just didn't think chromium was good for security at all so I thought you were trolling. My bad... As for purism, their operating system pureos is fine unless you're against systemd... but more pressing is the hardware RYF issue. As in their hardware isn't going to get the respects your freedom certification. Or at least, not easily... PS, have you tried maximum privacy settings on iceweasel from hyperbola or parabola even if in a vm? just wondered... Hyperbola and Parabola both are free software entirely. Though Hyperbola is still trying to get certification.
Re: [Trisquel-users] Web Browser
> My bad...

No worries.

> As for purism, their operating system pureos is fine unless you're against systemd...

Should I be? I read some comments against it in the other thread... Then in Wikipedia... but still I don't know if one should be worried enough to avoid it. Again - I don't have the expertise to inspect it.

> PS, have you tried maximum privacy settings on iceweasel from hyperbola or parabola even if in a vm?

Not yet. But you can do it if you are interested. Just follow the STR listed in the bug reports.

> Hyperbola and Parabola both are free software entirely. Though Hyperbola is still trying to get certification.

Thanks. Do you think we should probably open a separate thread where we can discuss? I have some more questions which are not browser related.
Re: [Trisquel-users] Web Browser
I don't have time to respond to everything here right now, so I'm going to respond to the simple stuff now and get back to you on the complicated stuff later.

> Maybe the 4 freedoms are not enough and we need a new form of evaluating qualities which considers the deeper issues of today.

What's wrong with just calling it "privacy"? Privacy is important enough on its own that I don't think we need to reframe the discussion in ways that might cause confusion.

> If you have Trisquel you could probably repeat the test for yourself and share the result.

From your bug reports it sounds like you had two findings. The first was the logs in ~/.mozilla, which I can confirm exist in Abrowser. I briefly attempted your second test, but the command immediately exited and /tmp/tcpdump.log was not created, so I must have done something wrong. I will figure it out when I have more time.

> Now you have actual facts from tcpdump too :)

According to your bug reports neither Firefox nor Chromium passed this test, so I don't see how it is an argument for either. If I understand correctly, your test creates a lower-bound, not an upper-bound, on what data is sent. It doesn't seem to prove that no additional data is sent by Firefox or Chromium during browsing, just that this data at minimum is sent on startup.

> It seems invalid because current version of Chromium doesn't do what that bug describes. ...
> This is a valid concern but the question is: why would you trust a "free software" which sends packets to Amazon etc. or would you use one which is weaker (OSS) but shows better privacy?

I said that it had been closed, but it's alarming that it ever happened. If Chromium were downstream from Chrome it could have been something implemented in Chrome that Chromium developers simply did not notice. However, Chrome is downstream, so this was apparently intentional. That makes me unwilling to trust Chromium developers that there are no similar issues in Chromium not yet discovered by the Debian community. However, right now I am more concerned with the issues linked to by Magic Banana, since they are active and haven't been adequately addressed after several years.

> but considering that Replicant is not 100% deblobbed

Replicant, the operating system, is 100% libre. You are likely referring to the modem or bootloader that the device itself uses regardless of what operating system it runs.

> Maybe we can rather wait for the Librem 5 phone? :P

Maybe the emoticon there was meant to indicate that this is a joke, but since I'm not familiar with Purism's phones I took a quick look at the page on their site (https://puri.sm/shop/librem-5) and just sighed. I don't have time to pick the whole thing apart, so I'll just focus on the big lie "Does Not Track You". If pressed in the matter, I'm sure they'd say that only the main operating system PureOS (like Replicant) does not track you, but they're clearly trying to imply that the phone itself won't track you, which it will whenever the modem is turned on. A kill switch for the modem is a good idea (the Neo 900 will have kill switches too) but most people will choose to leave it on so that they can receive calls. I hope anyone who buys this phone is informed that they must turn the modem off to avoid being tracked.

I suggest looking into JMP if you live in North America (unfortunately it is not available elsewhere yet). It allows you to send and receive calls/texts from a device that has no modem, so that you can actually avoid being tracked. For now you have to rely on being in range of WiFi, although the main developer Denver Gingerich is now working on a radio mesh that if adopted by enough people in your area would allow you to use JMP without being in range of WiFi. That's at least a few years out though.

> One problem which I see is that one cannot use login-based sites

In this case the advantage of using Tor is that you do not reveal your location. This is especially important if it is a site or account you use frequently (like an email provider) as otherwise they can track you to the point of detecting behavioral patterns.

> you need an email address (or phone no.) to create a login

You can use a temporary email address that self destructs when you're done with it (see link in next point).

> 2) I cannot find any email service provider where one can register for free without javascript.

Here is a good resource that also links to some disposable email address sites that do not require proprietary JavaScript. https://www.fsf.org/resources/webmail-systems

> We hate to give information yet we want to receive freely available one. ...
> How is that different from what PRISM does?

Asymmetrical protections are warranted when one party has much more power than the other, and when one of those parties is an individual and the other is a corporation, human rights only apply to the individual. We can't real
Re: [Trisquel-users] Web Browser
New browser tested with tcpdump: Konqueror

Settings used (listing only the ones different from the default values):

General
  When Konqueror starts: Show blank page
  Home page: about:blank

Performance
  Always try to have one preloaded instance: OFF

Java&JavaScript
  Enable JavaScript globally: OFF

Cookies
  Enable cookies: OFF

AdBlock filters
  Enable filters: OFF

Result

On startup tcpdump shows nothing (zero packets sent). Something strange happens though when opening a page. For example, browsing to https://stallman.org shows lots of requests to amazonaws.com, flickr.com and others which continue to appear even after the page is loaded. This makes me think Javascript may not be actually turned off because in the page source there are not any resources which need such lengthy extensive loading. tcpdump shows such packets to continue for some time even after the browser is shut down.

Also tested with https://stallman.org/robots.txt (to avoid any potential script interference). Result: the extra packet traveling doesn't happen, i.e. the document is loaded and everything stops.
Re: [Trisquel-users] Web Browser
I would be interested to see your results with a command line browser like lynx or elinks.
Re: [Trisquel-users] Web Browser
> It seems invalid because current version of Chromium doesn't do what that bug describes.

It's a matter of trust. If you still trust them after something like that, your trust is easy. Mine is very difficult. If you believe it was an unintentional bug then I would go so far as to call you gullible.

-

As far as the tcpdump test, I just did it and twice. Nothing showed up. Zero (0). Firefox is pinging nothing, no background connection whatsoever. Now, I do need to make it clear that I am one of those guys that prefer spending 50 hours of their time if need be in order to make it right. Several, and by several I mean a huge ton of modifications were applied in about:config. The only addon installed is noscript. The version of the browser is 57.0.4. You can see the connections it makes in about:networking too.
Re: [Trisquel-users] Web Browser
> Several, and by several I mean a huge ton of modifications were applied in about:config.

Is there an easy way for you to share your about:config?

Something else occurs to me. I'm not knowledgable enough to know if this is possible, but could it be the distro? You use Debian, right? Perhaps they've done something differently from OpenSUSE either in their build of Firefox or elsewhere in the distro? When I have time to figure out tcpdump I'll see if the issue occurs in Trisquel.
Re: [Trisquel-users] Web Browser
It's a matter of trust. If you still trust them after something like that, your trust is easy. Mine is very difficult. If you believe it was an unintentional bug then I would go so far as to call you gullible. A gullible person doesn't test browsers with tcpdump. As far as the tcpdump test, I just did it and twice. Nothing showed up. Zero (0). Firefox is pinging nothing, no background connection whatsoever. Please share the STR like I did, so we can all look further. Now, I do need to make it clear that I am one of those guys that prefer spending 50 hours of their time if need be in order to make it right. Me too. But I hope you would agree that the very fact that those 50 hours are needed is a proof of bad design. You can see the connections it makes in about:networking too. I wouldn't trust that. I would rather inspect with a separate tool, not made by the same software vendor (tcpdump, wireshark).
Re: [Trisquel-users] Web Browser
What's wrong with just calling it "privacy"? Privacy is important enough on its own that I don't think we need to reframe the discussion in ways that might cause confusion. Nothing wrong at all. I just wanted to accent on the fact that for people privacy (as a form of personal security) is more important than the ability to inspect/change/redistribute. That's why I think we need stronger criterion when evaluating the quality of software (or hardware). As discussed here, just being free (in the FSF sense) is obviously not enough and with the state of what is happening in the world we need new things. Hence my idea about a new network. I will figure it out when I have more time. You can also try wireshark. It doesn't seem to prove that no additional data is sent by Firefox or Chromium during browsing, just that this data at minimum is sent on startup. I don't know what lower/upper-bound means but the very fact that any browser which sends these packets without the user initiating explicitly that communication is enough for me to mark it not privacy respecting and not consider it for further testing. Of course you are right - we need to test how it works during browsing. Perhaps the best thing to do would be to keep it simple - e.g. opening remote txt or html without scripts or extensions and looking at tcpdump. Let me know if you have any better idea. I said that it had been closed, but it's alarming that it ever happened. That is in no way different from Ubuntu's case or from Mozilla's telemetry. In such scenario, when flaws are all around, all we can do is look at facts as they are right now: Chromium does not send packets to any third party on startup. Konqueror sends no packets at all on startup but has other issues as it seems. However, right now I am more concerned with the issues linked to by Magic Banana, since they are active and haven't been adequately addressed after several years. I am honestly having a difficulty in understanding what you mean. 
Aren't they primarily licensing issues? Why are you more concerned about licensing while your browser is sending packets to company X, Y, Z? Please explain as I may be missing something. Replicant, the operating system, is 100% libre. You are likely referring to the modem or bootloader that the device itself uses regardless of what operating system it runs. Exactly. Purism's phone... It is still not produced, so nobody can possibly evaluate it. But from what I know there will be complete hardware separation between the modem and the rest of the system. So you can use it as a pocket libre computer, hopefully without any coreboot or whatever firmware blobs, otherwise it won't be much different from a Samsung + Replicant. Also from what I have heard, it would be able to use the mobile network as a pipe, to make encrypted phone calls. So basically the only tracking will be possible through the location of the phone based on nearby mobile stations (which perhaps cannot be avoided if one wants to talk to anybody). I suggest looking into JMP if you live in North America I don't but thanks for the info. What you describe is similar to Librem5. In this case the advantage of using Tor is that you do not reveal your location. This is especially important if it is a site or account you use frequently (like an email provider) as otherwise they can track you to the point of detecting behavioral patterns. Sure. You can probably even use Facebook anonymously but FB (and many other sites) won't allow you to sign up/in with a disposable email address (they seem to recognize the domains). I know the FSF page which you linked but it seems dated. From all the recommended ones only safe-mail.net seems to work without JS but it requires a current email address and I can't find any site which gives disposable email without JS, so there is still no possibility for complete untraceable anonymity. 
As for Kolabnow - I have been in touch with these guys and asked them if they have cleaned their systems from Intel ME, proprietary BIOS, what is their approach to quantum resistant security etc. The answer was "We are still learning to ride the bike" and some advertising that they use only FOSS. I explained further that security at ring 0-3 means nothing when a system is flawed at ring -3 and they told me they would forward my concerns to some operations department. ProtonMail's answer was even worse. So far I haven't found a single online service provider who can guarantee a clean and completely tested system and without that there can be no privacy, regardless of how deep the server may be buried in the Alps (or wherever). And considering the most recent side-channel bugs, things are really out of hand, globally. I think it is a much bigger problem than cleaning up one's own machine(s) as we still need to communicate with the majority who use PRISMed services and
Re: [Trisquel-users] Web Browser
Perhaps they've done something differently from OpenSUSE either in their build of Firefox or elsewhere in the distro? In my tests I downloaded Firefox from Mozilla directly.
Re: [Trisquel-users] Web Browser
lynx

Behaves exactly as expected: zero packets sent on startup. Opening https://fsf.org/robots.txt communicates only with fsf.org

Chromium new findings:

Opening settings:// sends packets to translate.google.com (although translation is turned off). Testing browsing to actual pages shows communication only with the proper hosts, no communication with Google hosts.
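The captures compared in this thread can be read more systematically. The following is an added example, not code from any poster: it parses tcpdump text output, counts outbound packets per remote host, and separates hosts you expected from hosts that also show up in an idle baseline capture and hosts with no explanation. The host names, the sample lines and the local name `laptop.lan` are constructed, and the line layout assumes `tcpdump -q` with name resolution left on.

```python
import re
from collections import Counter

# Address part of a tcpdump text line, e.g.
#   12:05:00.030000 IP laptop.lan.51234 > fsf.org.https: tcp 0
LINE_RE = re.compile(r"\bIP6?\s+(\S+)\s+>\s+(\S+):\s+(.*)$")


def strip_port(endpoint):
    """Drop the trailing '.port' (number or service name) from 'host.port'."""
    host, _, _port = endpoint.rpartition(".")
    return host.lower()


def parse_line(line):
    """Return (src_host, dst_host) for a TCP/UDP packet line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None                 # ARP, banner lines, blank lines
    src, dst, rest = m.groups()
    if rest.startswith("ICMP"):
        return None                 # ICMP endpoints have no port to strip
    return strip_port(src), strip_port(dst)


def remote_hosts(lines, local_names):
    """Count packets this machine sent, keyed by remote host."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] in local_names:
            counts[parsed[1]] += 1
    return counts


def matches(host, suffixes):
    """True if host is one of the suffixes or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify(capture, baseline, local_names, expected):
    """Split remote hosts into expected / background / unexplained.

    capture  -- lines recorded while the browser ran
    baseline -- lines recorded on the same machine with the browser closed
    expected -- hosts the tester deliberately contacted (plus the resolver)
    """
    seen = remote_hosts(capture, local_names)
    idle = remote_hosts(baseline, local_names)
    report = {"expected": {}, "background": {}, "unexplained": {}}
    for host, n in seen.items():
        if matches(host, expected):
            bucket = "expected"
        elif host in idle:
            bucket = "background"   # also contacted with the browser closed
        else:
            bucket = "unexplained"
        report[bucket][host] = n
    return report


# Constructed sample: capture with the browser closed.
BASELINE = """\
12:00:00.100000 IP laptop.lan.45000 > ntp.example.net.ntp: UDP, length 48
12:00:00.150000 IP ntp.example.net.ntp > laptop.lan.45000: UDP, length 48
12:00:01.000000 ARP, Request who-has router.lan tell laptop.lan, length 28
""".splitlines()

# Constructed sample: capture while opening https://fsf.org/robots.txt.
CAPTURE = """\
12:05:00.000001 IP laptop.lan.40112 > resolver.lan.domain: UDP, length 25
12:05:00.020000 IP resolver.lan.domain > laptop.lan.40112: UDP, length 41
12:05:00.030000 IP laptop.lan.51234 > fsf.org.https: tcp 0
12:05:00.060000 IP fsf.org.https > laptop.lan.51234: tcp 0
12:05:00.061000 IP laptop.lan.51234 > fsf.org.https: tcp 0
12:05:01.000000 IP laptop.lan.45000 > ntp.example.net.ntp: UDP, length 48
12:05:02.000000 IP laptop.lan.51240 > telemetry.example.com.https: tcp 0
12:05:03.000000 IP laptop.lan > router.lan: ICMP echo request, id 1, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    result = classify(CAPTURE, BASELINE, {"laptop.lan"},
                      ["fsf.org", "resolver.lan"])
    for bucket, hosts in result.items():
        print(bucket, hosts)
```

tcpdump records the whole interface rather than one process, so "background" only means the host was also contacted while the browser was closed. The names it prints come from reverse DNS and can differ from the name typed into the browser.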
Re: [Trisquel-users] Web Browser
Just a heads up that the way you've started quoting text does work in the mailing list making this very difficult to read.

> Nothing wrong at all. I just wanted to accent...

I think we basically agree here. I brought this up to explain why invoking 'freedom 0' was not effective in the Mozilla thread, and we're past that.

> Hence my idea about a new network.

This is probably worth starting a new thread over.

> You can also try wireshark.

Will do.

> That is in no way different from Ubuntu's case or from Mozilla's telemetry.

Yes, I avoid Ubuntu and Firefox as well. I use modified versions (Trisquel and Tor Browser) by more privacy- and freedom-friendly developers. I would also be open to a similarly modified version of Chromium but am not aware of one.

> Chromium does not send packets to any third party on startup.

Am I missing something? You filed a bug report because it does, right?

> Why are you more concerned about licensing while your browser is sending packets to company X, Y, Z?

I am concerned with both. While software freedom and privacy are two different issues, lack of software freedom makes it easier for software to abuse its users, including by invading their privacy. I would be interested to know what packets are sent from Tor Browser and how. If they contain no identifying information and are sent through the Tor network then they do not invade my privacy because the information has nothing to do with me and no one knows it came from me. Of course, I would feel more comfortable with it not being sent at all, but it's certainly not worth switching to Chromium over. I suggest that you approach the Tor developers as you have with Mozilla, Google, and RMS. I can do it myself if you don't have time, but you'd be able to do it much more quickly because you've already learned how to run these tests and articulate your findings.

> Purism's phone...
> It is still not produced, so nobody can possibly evaluate it.

If the device connects to the cell network, we do not need to evaluate the device to know that it will track you.

> But from what I know there will be complete hardware separation between the modem and the rest of the system. So you can use it as a pocket libre computer, hopefully without any coreboot or whatever firmware blobs, otherwise it won't be much different from a Samsung + Replicant.

If they made a pocket libre computer with no modem I'd be fine with them saying it doesn't track you. If it's a phone it does. Good modem isolation can limit the amount of information that your modem accesses, but the modem only needs to connect the cell network for you to be tracked.

> So basically the only tracking will be possible through the location of the phone based on nearby mobile stations (which perhaps cannot be avoided if one wants to talk to anybody). ...
> I don't but thanks for the info. What you describe is similar to Librem5.

No, it's completely different. I won't lengthen this message by explaining JMP since you don't live in North America and the information won't benefit you right now, but unlike what Purism is proposing, JMP requires no modem or connection to the cell network. Purism's marketing for their phones hasn't really been on my radar until now, but many people are already ignorant of the issues with cell phones and Purism could do some real damage if they spread misinformation just to sell their product.

> FB (and many other sites) won't allow you to sign up/in with a disposable email address (they seem to recognize the domains).

As an experiment I tried making a Facebook account through Tor with a disposable email address. It rejected the first domain I tried but accepted the second one. However, it eventually wouldn't let me advance without uploading a picture of my face, at which point I gave up. Anyway, the fact that Facebook rejects some disposable email address is far from the only reason to avoid Facebook. I avoid any site that prevents me from accessing it anonymously.

> I can't find any site which gives disposable email without JS, so there is still no possibility for complete untraceable anonymity

The ones linked to from the FSF use libre JavaScript. If you don't trust the FSF's evaluation of the code, you can review it yourself or find someone who can. JavaScript is a programming language like any other. Avoiding every single instance of JavaScript is unnecessary. We don't need to avoid every single instance of C just because some proprietary and/or malicious software is written in that language. Unless the JS on those sites compromises anonymity (which it might. I never learned JavaScript and have not audited the code, relying on the FSF's judgement) it is not an obstacle to anonymity.

> So far I haven't found a single online service provider who can guarantee a clean and completely tested system

Sure, really the only way to be certai
Re: [Trisquel-users] Web Browser
I saw a lot of word-confusion in this thread. Software freedom and privacy are conceptually different issues and should be treated as such. However, software freedom is a condition for privacy. You can't really be sure to have privacy without software freedom. If you feel that a piece of free software is not giving you enough privacy (which is obviously the case) then you can alter the source code and remove the critical parts. Or you can pay somebody who will do the job for you. Free software gives you no guarantee that a program will be 100% secure, bug free and exactly what you need for a specific task. It simply can't do that.
Re: [Trisquel-users] Web Browser
> Is there an easy way for you to share your about:config?

Well, I can describe my procedure, yes.

> You use Debian, right? Perhaps they've done something differently from OpenSUSE either in their build of Firefox or elsewhere in the distro?

Yes, although I am not talking about Firefox ESR packaged by Deb devs but the tar you download directly from the Mozilla website. As the mate Joe points out and I could not agree more a user should not spend incredible amounts of their time into figuring out how to make their browser privacy decent. Third party cookies anyone? Phoning home to google constantly because of muh security? That is indeed huge bullshit. I agree with (was it?) Lunduke when he says Mozilla is nothing else but business. Open sores business. Fact is, their browser is the best worst choice we have right now. I mean, you can use lynx for your browser if you want only text but year 1986 is long gone, unfortunately.

I prefer not to share the inner workings of my network but I am pretty confident I got the tcpdump right.. so yeah, you don't need to trust my words, do the following and see for yourself. Point is, to sum it up, FF can be made truly privacy respecting, chromium on the other side ... not. There is a fork of it called ungoogled-chromium, you might want to take a look at that one too (I don't recommend it, just saying) -> https://github.com/Eloston/ungoogled-chromium

In the past I spent hours reading about those 'hidden' settings in about:config, now I do not need to do that anymore thanks to this guy -> https://github.com/pyllyukko/user.js/ His user.js is very very good and gets updated when new crap gets added by Mouzilloua. Very good but not perfect, you will need to apply some additional modifications but don't worry it is just a few.

Place the user.js in the relevant folder. Open your browser and in about:config write 'safebrowsing'. Disable them all and remove every gooobles url (make it blank), as in:

  browser.safebrowsing.downloads.remote.enabled false
  browser.safebrowsing.downloads.remote.url (blank)

Disable the captive portal feature

  network.captive-portal-service.enabled

As far as background connections that would be all, if memory serves me right. I also recommend you change your user agent to that of the TorBB, it will lower your fingerprint considerably (according to the eff's panopticlick that is)

  general.useragent.override Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0

This last one is a 'string' you create by yourself (right click - new - string)

Do bear in mind that addons will make background connections so you should test your browser without them.
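To confirm that a profile really carries the four settings listed in the post above, the check below reads a user.js or prefs.js file and reports each one that is missing or different. It is an added example, not code from the thread or from the linked user.js project; the sample file contents are constructed, and treating "disable" as the value `false` for the captive portal pref is an assumption.

```python
import re

# Settings and values as given in the post above ("" means blank).
# Assumption: "disable the captive portal feature" means setting it to false.
WANTED = {
    "browser.safebrowsing.downloads.remote.enabled": False,
    "browser.safebrowsing.downloads.remote.url": "",
    "network.captive-portal-service.enabled": False,
    "general.useragent.override":
        "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0",
}

# One pref per line: user_pref("name", value);  (greedy up to the last ');')
PREF_RE = re.compile(r'^user_pref\(\s*"([^"]+)"\s*,\s*(.*\S)\s*\)\s*;')


def parse_value(raw):
    """Convert a pref literal (true/false, "string", integer) to Python."""
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    try:
        return int(raw)
    except ValueError:
        return raw                  # unknown literal, keep the raw text


def load_prefs(text):
    """Read user_pref() lines; a later line for a pref replaces an earlier one.

    Lines starting with // and /* ... */ blocks that begin at the start of
    a line are skipped, so commented-out prefs do not count as set.
    """
    prefs, in_comment = {}, False
    for line in text.splitlines():
        s = line.strip()
        if in_comment:
            in_comment = "*/" not in s
            continue
        if s.startswith("/*"):
            in_comment = "*/" not in s
            continue
        m = PREF_RE.match(s)        # '//' lines never match
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def audit(text, wanted=WANTED):
    """Return {pref: problem} for every wanted pref missing or different."""
    prefs = load_prefs(text)
    findings = {}
    for name, want in wanted.items():
        if name not in prefs:
            findings[name] = "not set in this file"
            continue
        have = prefs[name]
        # Compare types too, so that integer 0 is not accepted for false.
        if type(have) is not type(want) or have != want:
            findings[name] = f"is {have!r}, expected {want!r}"
    return findings


# Constructed sample file: one pref commented out, one overridden later,
# one still pointing at a remote URL.
SAMPLE_USER_JS = '''\
// constructed sample, not a real profile
/* user_pref("network.captive-portal-service.enabled", false); */
user_pref("browser.safebrowsing.downloads.remote.enabled", true);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.url", "https://sb.example.invalid/");
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0");
'''

if __name__ == "__main__":
    for pref, problem in audit(SAMPLE_USER_JS).items():
        print(f"{pref}: {problem}")
```

A clean result only says the file matches the list; whether the browser then stays silent still has to be confirmed with a packet capture.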
Re: [Trisquel-users] Web Browser
> Just a heads up that the way you've started quoting text does work in the mailing list making this very difficult to read. Thank you for mentioning that. I was just trying to make my post more readable as ">" doesn't give good enough visual separation. I was also wondering how to get email notifications for replies in the forum as it is getting more and more difficult to find which posts are new. It seems you are using some mail system. Could you please help me set this up? Also please suggest a way to make posts more readable without affecting mail. (Or maybe someone can work on the frontend to improve the forum?) > This is probably worth starting a new thread over. I have been thinking about it. But considering this forum is Trisquel - wouldn't it be considered as site-off-topic? I am interested in discussing wider aspects of freedom too (such as ones already mentioned here). Please suggest. > I would also be open a similarly modified version of Chromium but am not aware of one. Brave browser was mentioned. Perhaps worth trying. I also wonder which others we should look at: https://en.wikipedia.org/wiki/Comparison_of_web_browsers Personally I would prefer to a browser compatible with the extensions uBlock Origin and uMatrix as they improve the security, privacy and cleanness of browsing tremendously. > Am I missing something? You filed a bug report because it does, right? Perhaps you haven't read the follow up comments in the bug report which show that it doesn't. At least unless you open settings:// (which is I found yesterday, also shared in comment to the bug report). > but it's certainly not worth switching to Chromium over. It obviously comes down to: what is more important - to have actual privacy or to have implication of privacy respect (F0-4). From your explanation I understand that you seem to give up privacy because of a promise for respecting privacy (conceptually but not actually). That is what confuses me. 
If we are able to inspect packet destinations (as we are) and a test shows that a particular browser does not send packets to 3rd party, i.e. does not really abuse the user in any way: Does it really matter if it is free or open source at all? Please share your thoughts. > I suggest that you approach the Tor developers I will as soon as I test Tor too. Could you just share a link to the proper page where I can do that? > but the modem only needs to connect the cell network for you to be tracked. Yes, because the SIM card is not anonymous. But with current technology and legislation we cannot escape from that unless we stop communicating which can be more harmful. > As an experiment I tried making a Facebook account through Tor with a disposable email address. It rejected the first domain I tried but accepted the second one. But even if that works it is not useful because to use FB you need a non-disposable email address where you can receive notifications etc. Otherwise the account is completely compromised and makes no sense at all (since you can browser parts of FB without registration). > I avoid any site that prevents me from accessing it anonymously. I understand completely your points. Unfortunately, as mentioned previously, the majority of people are using those sites and will not stop using them, and will let their email provider access to your email address (even if you are not on FB), and will not move away from FB regardless of the valid arguments we may provide to them. Pretty much the same applies to Gmail, Yahoo etc. So it seems to me anonymizing oneself is not the solution to privacy but rather a road to break communication. To my mind the solution may be a new technology, designed not to create such issues. > The one's linked to from the FSF use libre JavaScript... I know that. I also do a little JS programming myself but that is not important. LibreJS is just as good as 'free software' which may send packets to Amazon. 
I don't see myself auditing every JavaScript code on every non-cached HTTP request just because it is open for evaluation. So this basically still comes down to enforcing trust. The more I look, the more I think we need a technology which does not in any way require from a layman user to trust anybody. Maybe we should open a new thread.

> Sure, really the only way to be certain is to use your own server.

Is that really certainty? Is there hardware which is 100% libre and *verified for privacy issues*. Considering that even browsers are not fully tested (something used by millions of people) I question that, even with the risk of my scepticism being considered close to insanity :)

> Here's some recent discussion of email providers on this forum, if you're interested.

Thanks, I am. But as with all others - these still have the same issues at hardware level.

> If you are freedom- and privacy- focused you can greatly mi
Re: [Trisquel-users] Web Browser
> I agree with (was it?) Lunduke when he says Mozilla is nothing else but business.

youtube-dl https://www.youtube.com/watch?v=qMALm1VthGY

BTW I am looking for a way to search/browse Youtube without JS. Any ideas?

Testing as you suggested:

---

(Potential) issues which I see:

When Firefox starts: Show your home page (I would set it to blank)
Check spelling as you type: ON (I don't know if that includes any connections but I would leave it off for the test)
Allow Firefox to automatically install updates (recommended): ON (I would set it to OFF for the test)
Default search engine: Google (and all the other PRISM ones are enabled too)
Always use private browsing mode: ON (inconvenient)
Accept cookies from websites: ON (should be OFF with only exceptions allowed, when needed)
Tracking protection block list: Disconnect.me basic (perhaps should be 'strict'?)
Send "Do Not Track": Only when using Tracking Protection (should be "Always")
Prevent accessibility services from accessing your browser: OFF
Block dangerous and deceptive content: ON (this requires connection to Google hosts where the blacklists are hosted)
Query OCSP responder services: ON (this also requires connection to hosts)

Further in about:config:

browser.ping-centre.telemetry;true
toolkit.telemetry.archive.enabled;true
toolkit.telemetry.bhrPing.enabled;true
toolkit.telemetry.debugSlowSql;false
toolkit.telemetry.firstShutdownPing.enabled;true
toolkit.telemetry.newProfilePing.enabled;true
toolkit.telemetry.shutdownPingSender.enabled;true
toolkit.telemetry.updatePing.enabled;true

--

> 'safebrowsing'. Disable them all and remove every gooobles url (make it blank)

I suppose toggling the default browser.safebrowsing.allowOverride;true would work contrary to what you are trying to do, so I leave that one to 'true'.

-

Testing with your settings applied on top of the downloaded shows indeed zero communication with any host.
Until you browse (https://fsf.org/robots.txt) when tcpdump shows multiple connections also to:

ocsp.usertrust.com
ocsp.comodoca.com

Another thing which I notice. Even after closing the browser and waiting for some minutes (process terminated) tcpdump shows packets related to fsf.org hosts and also to the OCSP hosts. I don't know why this is happening and why the computer is trying to connect to those hosts without any software asking for it. Any ideas?

Closed Firefox and ran it again. Without opening any web pages whatsoever I go to Preferences and immediately tcpdump shows a load of connections to amazonaws.com, mozilla.com, phicdn.net, digicert.com...

Anyway I proceed to tighten the preferences mentioned above. While changing them I see tcpdump shows active communication going on in the background.

Setting "Always use private mode" to OFF asked me to restart the browser. I did and after that some of the settings were not as I set them:

Search: I had this one set to DDG and all other search engines I deleted. After restart it is set to Google and no other search engines are listed. Again: I leave DDG only.

Always use private browsing mode is again ON and Accept cookies is ON too (although turned off before restart). Another attempt and another fail. I go to prefs.js and remove

user_pref("browser.privatebrowsing.autostart", true);

Still no luck after many more attempts. I give up and try to at least turn off cookies accepting: same story - after restart the "Accept cookies" is still ON. I go and delete lines mentioning 'cookie':

user_pref("pref.privacy.disable_button.view_cookies", false);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("network.cookie.prefsMigrated", true);
user_pref("network.cookie.thirdparty.sessionOnly", true);
user_pref("pref.privacy.disable_button.cookie_exceptions", false);

Restart. Disable "Accept cookies". Restart - it is back ON. I give up and proceed to next setting.
Block dangerous and deceptive content: OFF
Query OCSP: OFF

It seems my setting "Never check for updates" is disrespected too, so I go to prefs.js and remove:

user_pref("app.update.auto", false);
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1515756610);
user_pref("app.update.lastUpdateTime.background-update-timer", 1515756370);
user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 1515756730);
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1515756130);
user_pref("app.update.lastUpdateTime.experiments-update-timer", 1515756490);
user_pref("app.update.lastUpdateTime.search-engine-update-timer", 1515756250);
user_pref("app.update.lastUpdateTime.xpi-signature-verification", 1515756850);

And... no, and no, and no. It reverts to "Check for updates but let me choose to install them". Also Block dangerous and deceptive content and Query OCSP also revert to ON.

After 42 minutes of tuning
Re: [Trisquel-users] Web Browser
>BTW I am looking for a way to search/browse Youtube without JS. Any ideas?

mps-youtube, you'll find the project on github, it's a very sweet program.

>When Firefox starts: Show your home page (I would set it to blank)

agreed, indeed I did that too :)

>Check spelling as you type: ON (I don't know if that includes any connections but I would leave it off for the test)

It doesn't AFAIK.

>Allow Firefox to automatically install updates (recommended): ON (I would set it to OFF for the test)

It will make just one connection each 24 hours AFAIK

>Default search engine: Google (and all the other PRISM ones are enabled too)

Yeah.. You can easily remove those via GUI though. Google throws hundreds of thousands of greens at them in exchange of user data, u know, open sores biz..

>Always use private browsing mode: ON (inconvenient)

How is that inconvenient? I have done so for years. Well, I have also not allowed js (except for very very few websites) for years, I know I am a strange guy.. But in which way is it 'inconvenient'?

>Accept cookies from websites: ON (should be OFF with only exceptions allowed, when needed)

I don't know.. I mean, I know it will get you a higher fingerprint (eff panopticlick again) to disable cookies, and it is inconvenient in that many websites won't work properly. Also, if private browsing, as soon as you close your browser all of them get purged. I close my browser very often. I don't like having programs I don't use opened.

>Tracking protection block list: Disconnect.me basic (perhaps should be 'strict'?)

Indeed I set it to strict (remember I only use noscript, no adblocker addon whatsoever - in fact I find it unnecessary being javascript always turned off here and ads are basically just javascript nowadays, rarely a plain image file..)

>Send "Do Not Track": Only when using Tracking Protection (should be "Always")

Well, it is a nonsense useless feature anyway, isn't it? I mean no shark is gonna respect it, let's be realistic.
But yeah I did set it to always :P

>Prevent accessibility services from accessing your browser: OFF

Indeed, via GUI again

>Block dangerous and deceptive content: ON (this requires connection to Google hosts where the blacklists are hosted)

Yeah, as mentioned already, disable every reference to goobles and to 'safe' browsing (always makes me lul - **safe** browsing, sponsored by google)

>Query OCSP responder services: ON (this also requires connection to hosts)

True

>telemetry

That one also in the GUI. In about:config it is toolkit.telemetry.enabled. Telemetry, again, should not be enabled by default..

>browser.safebrowsing.allowOverride

Yes, leave that one as it is (true)

>Another thing which I notice. Even after closing the browser and waiting for some minutes (process terminated) tcpdump shows packets related to fsf.org hosts and also to the OCSP hosts. I don't know why this is happening and why the computer is trying to connect to those hosts without any software asking for it. Any ideas?

As you said above, you'll inevitably connect to hosts if you want it to work but why in the world would it make connections when the browser is closed I have no idea. Is that even possible? I mean, are you sure once you closed the browser its process was correctly killed? That is strange.

>Closed Firefox and ran it again. Without opening any web pages whatsoever I go to Preferences and immediately tcpdump shows a load of connections to amazonaws.com, mozilla.com, phicdn.net, digicert.com...

That's even stranger. Are you testing this without any addon?

>Always use private browsing mode is again ON and Accept cookies is ON too (although turned off before restart). Another attempt and another fail. I go to prefs.js and remove

Hmm, do note that user.js has the precedence AFAIK, so you will need to change those inside that file (user.js) and not prefs.js

>still on / back on

Yeah, I believe you'll need to set the modifications you want to be permanent into user.js.
See, if you have say browser.safebrowsing.allowOverride set to false in user.js and you modify it in about:config or prefs.js (which is the same) to set it to 'true' when you restart the browser user.js will override it.

>After 42 minutes of tuning a program which refuses to respect my preferences and which clearly does background communication as per my earlier test, all I can do is wipe it away from my system

No, mate, again - user.js overrides prefs.js :)

--

Wow, this was long. I believe this is the longest comment in my over 3 years here (and I am a daily -and quite verbose- visitor..). But it is nice to see that I am not the only one who has spent time on achieving the almost impossible getting a decent browser out of Firefox. Cheers colleague :)
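The precedence described in the post above can be checked offline before restarting the browser. The following is an added example, not part of the thread: Firefox reads user.js at every start and applies its values over those saved in prefs.js, so any pref present in both files with different values will come back after a restart. The file contents are constructed samples using pref names quoted in the thread, and the function names are hypothetical.

```python
import json
import re

# Constructed sample: prefs.js as saved after changing settings in the GUI.
PREFS_JS = '''
user_pref("browser.privatebrowsing.autostart", false);
user_pref("network.cookie.cookieBehavior", 2);
user_pref("app.update.auto", false);
user_pref("browser.startup.homepage", "about:blank");
'''

# Constructed sample: a user.js left in the profile directory.
USER_JS = '''
// user_pref("network.cookie.lifetimePolicy", 0);   (commented out, ignored)
user_pref("browser.privatebrowsing.autostart", true);
user_pref("network.cookie.cookieBehavior", 1);
/* user_pref("app.update.auto", true); */
user_pref("browser.safebrowsing.allowOverride", true);
'''

# One pref per line; anchoring at line start skips "// user_pref(...)" lines.
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;', re.MULTILINE
)
BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)


def parse_prefs(text):
    """Return {pref name: value} for every active user_pref() line."""
    prefs = {}
    # Simplification: "/*" inside a string value would be misread as a comment.
    for name, raw in PREF_LINE.findall(BLOCK_COMMENT.sub("", text)):
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, "strings"
        except ValueError:
            prefs[name] = raw              # keep anything unusual verbatim
    return prefs


def effective_at_startup(prefs_js, user_js):
    """Values in force after a restart: user.js wins over prefs.js."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged


def reverted_on_restart(prefs_js, user_js):
    """Prefs whose saved value will be replaced: {name: (saved, forced)}."""
    saved, forced = parse_prefs(prefs_js), parse_prefs(user_js)
    return {
        name: (saved[name], value)
        for name, value in forced.items()
        # Compare types too, because in Python True == 1.
        if name in saved and (type(saved[name]), saved[name]) != (type(value), value)
    }


if __name__ == "__main__":
    for name, (old, new) in sorted(reverted_on_restart(PREFS_JS, USER_JS).items()):
        print(f"{name}: prefs.js has {old!r}, user.js will force {new!r}")
```

To make a change stick, edit or remove the listed lines in user.js itself; deleting them from prefs.js has no lasting effect.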
Re: [Trisquel-users] Web Browser
> How is that inconvenient?

Private mode cleans cookies on each exit and I don't like having to re-login to sites just because I restarted the browser.

> and ads are basically just javascript nowadays, rarely a plain image file

Just a side note: Pixel trackers are not JS based. And you can be tracked also through 3rd-party CSS request. So an extension like uMatrix and uBO is much more helpful than NoScript because through it you can control quite well JS blocking too.

> I mean, are you sure once you closed the browser its process was correctly killed? That is strange.

Yes, I am sure. And yes, it is strange. Speculation: I suppose it may be some related to the fact that I am behind a router which NATs the Internet to the LAN but still - tcpdump shows the connection is from the localhost to the remote host and it makes no sense.

> Are you testing this without any addon?

Absolutely clean virgin browser without any ~/.mozilla/firefox upon first run. I also explicitly run it from command line with option --ProfileManager so that I can see how the profile is created and selected.

> But it is nice to see that I am not the only one who has spent time on achieving the almost impossible getting a decent browser out of Firefox. Cheers colleague :)

Well, cheers to you too! Unfortunately I can't confirm that the final result is a decent browser. :( I may try user.js some time but I really don't have the nerves right now. I have already spent so many hours to test Firefox and each time I really find it is so bad at listening to what I ask it to do.

Can you please test on your system the opening of Preferences and the browsing to https://fsf.org/robots.txt? What results do you get for each?
Re: [Trisquel-users] Web Browser
New browser tested: Brave

Result: Lots of background communication, even after tightening of settings. Worse than Firefox.

Details submitted in bug report: https://github.com/brave/browser-laptop/issues/12632
Re: [Trisquel-users] Web Browser
Ugh. I spent a long time writing a message and then accidentally deleted it. I can't afford the time it would take to fully reconstruct it, so this will not be the full response that many of your points deserve.

The forum is mirrored to a mailing list which you can join here: https://listas.trisquel.info/mailman/listinfo/ I understand that the forum is being reworked. In the meantime, to ensure that forum posts are readable for mailing list users, avoid relying on html for coherence and update your comments by replying to them instead of editing them.

If you want to start a thread that will be of interest to people here but that you are afraid is too far off-topic from Trisquel, the Troll Lounge is good for meaningful but off-topic discussions.

Although Tor Browser is as libre as Firefox and more so than Chromium, the reason I use it is for privacy. I agree that we *shouldn't* need anonymity to protect our privacy, but right now we do. If Tor Browser sends the same data Firefox does and it is either deanonymizing or not sent through the Tor network then that is a serious bug. (If you find that this is the case, I'm sure it can be addressed if you report it here: https://trac.torproject.org/projects/tor) However, if the data is not identifying and is sent through the Tor network then it is irrelevant as far as privacy is concerned, eliminating Chromium's advantage on this one point. When it comes to other potential privacy issues, I see Chromium as far more risky than Tor Browser.

In many situations on the internet the only way to protect your privacy is to avoid them entirely, or engage with them anonymously. The former option is crippling, and more isolating than the latter.
Outside the context of the issue you are testing among browsers, Google and Chromium have a far worse track record than Mozilla and Firefox, and while Tor developers have an incentive to find and fix privacy issues from Firefox, Chromium developers have an incentive to create as many privacy issues as they can get away with and only have an incentive to remove them after they get caught and if there is enough outrage. Unless Firefox has an extraordinarily massive flaw we are unaware of that cannot be fixed in Tor Browser, the hypothetical privacy gained from switching to Chromium, assuming it is better overall than Firefox in situations outside of the one you are testing, is far less than the actual privacy lost by failing to protect my privacy from many parties, not just Google and Mozilla, with anonymity.

I understand your point about this not being a long-term solution. Many of your points are about identifying things that are not long-term solutions, and that is valuable because without long-term planning the good guys have no chance of winning. However, if the bad guys win anyway then all that will have mattered is mitigation of the harm to our lives, our communities, and the people we care about, so I do not consider mitigating actions petty. We have to do both.

As you point out, the best long term solutions are those that replace important but harmful technologies, rather than isolate ourselves from them. Just as important as the new technologies is a path toward transitioning from the old technologies. I see Denver Gingerich's work with JMP and WOM to be a very promising plan. It is already possible to use JMP to send and receive texts and calls without a SIM card. No need to choose between isolating yourself and being tracked. Having integrated with the cell network, the next steps are to create advantages to using JMP over connecting the cell network directly, and finally replace it. Good old EEE. Thanks Micro$oft.
Diaspora takes a similar approach with respect to Facebook, but I am more skeptical of it. I have some ideas about ethical and practical social media that I am still organizing and are outside the scope of this thread.

As for JavaScript, you are right to avoid it when you can. However, no individual can review every line of code in all software they use, whether it's JS for a disposable email address or the Linux kernel. JavaScript is unique in that many people install JavaScript programs everyday without knowing it (hence my suggestion for how browsers could better frame the issue for uninformed users), but if you are as cautious about installing software written in JavaScript as you are with any other software it is no worse than C or Python. This is a good essay that probably won't tell you anything you don't already know about the problem but has some good insight as to possible solutions: https://onpon4.github.io/other/kill-js

> even with the risk of my scepticism being considered close to insanity :)

You aren't insane. The world is. That said, don't let perfect be the enemy of the less-awful-option-until-we-maybe-solve-the-problem-for-real-one-day.

I didn't touch the capitalism
Re: [Trisquel-users] Web Browser
>but I really don't have the nerves right now.

Yeah, as I said a truly libre and privacy friendly browser would not come with a ton of antiprivacy nonsense and a user should not have to do such a hard work to 'clean it up'.

>Can you please test on your system the opening of Preferences and the browsing to https://fsf.org/robots.txt? What results do you get for each?

Will do later, I'm curious.
Re: [Trisquel-users] Web Browser
> Ugh. I spent a long time writing a message and then accidentally deleted it.

For reasons like that I learned to first write my answer in a text file and then paste it :)

> The forum is mirrored to a mailing list

Thanks, I already found that. Unfortunately it sends me emails from all threads which is somewhat spammy but I guess this is how mailing lists work.

> Troll Lounge

https://trisquel.info/en/forum/freedom-security-technology-what-can-we-do

> if there is enough outrage

Unfortunately I don't have a high traffic web site or anything like that to bring it to the attention of enough people. So far I have shared my findings 1) in the bug reports 2) here and in openSUSE forum. Still I don't see hundreds of people adding outrage to the bug reports, so I suppose they either don't realize the actual issue, or put up with it, or their desire for privacy is just verbal.

> We have to do both.

Of course. But the effort we put in securing current systems should probably be only for the sake of developing a conceptually new one. Otherwise it is an endless chase of a moving target which moves at speed which is beyond anyone's capabilities.

> I have some ideas about ethical and practical social media that I am still organizing and are outside the scope of this thread.

Please share a link to another thread. I am interested to learn about your ideas.

> As for JavaScript, you are right to avoid it when you can.

I wasn't too concerned about it before the announcement about Spectre and Meltdown as I relied on the stronger process isolation mechanisms at lower level (which is no longer reliable obviously).
Re: [Trisquel-users] Web Browser
> Yeah, as I said a truly libre and privacy friendly browser would not come with a ton of antiprivacy nonsense and a user should not have to do such a hard work to 'clean it up'.

How can something be privacy friendly and come with antiprivacy? :)

> Will do later, I'm curious.

Great. Looking forward to it.
Re: [Trisquel-users] Web Browser
New browser tested: TOR

Result: Lots of background communication but all of it to subdomains of your-server.de over https.
Re: [Trisquel-users] Web Browser
Midori

Procedure: Set home page to blank, disable scripts, restart.

Result:

On startup: Zero (0) packets sent.

On opening of preferences only this was shown in tcpdump:

IP pc.49352 > 239.255.255.250.ssdp: UDP, length 132
IP pc.49352 > 239.255.255.250.ssdp: UDP, length 133

but only the first time the browser is started. Shutting down the browser and opening preferences again doesn't show such packets in tcpdump (unless the machine is rebooted).

Browsing to https://fsf.org/txt shows only communication with fsf.org and no packet sending to any other hosts whatsoever.

Additional info: Acid3 test shows 100/100 (with enabled JS). It also has quite a few built in extensions, one of them an adblocker which unfortunately is not as advanced as my favorite uMatrix and uBO.

Another disadvantage I notice: it has some issues with color management making images appear oversaturated.

A bug noticed: opening https://browserleaks.com/ip causes Midori to crash.
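The by-hand check used throughout this thread (capture with tcpdump, then look for destinations other than the site visited) can be automated. The following is an added example, not part of the post: it parses tcpdump's text output, counts packets sent by the local host per destination, and lists hosts outside an expected set. The capture is a constructed sample using the local name "pc" and host names quoted in the thread; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in tcpdump's text format (with and without timestamps).
SAMPLE_CAPTURE = """\
IP pc.49352 > 239.255.255.250.ssdp: UDP, length 132
IP pc.49352 > 239.255.255.250.ssdp: UDP, length 133
12:00:01.000001 IP pc.40112 > www.fsf.org.https: Flags [S], seq 1, win 29200, length 0
12:00:01.020000 IP www.fsf.org.https > pc.40112: Flags [S.], seq 9, ack 2, win 28960, length 0
12:00:01.300000 IP pc.51820 > ocsp.usertrust.com.http: Flags [P.], seq 1:380, ack 1, win 229, length 379
12:00:01.350000 IP pc.51822 > ocsp.comodoca.com.http: Flags [P.], seq 1:381, ack 1, win 229, length 380
12:00:02.000000 ARP, Request who-has router tell pc, length 28
12:00:03.000000 IP pc > www.fsf.org: ICMP echo request, id 1, seq 1, length 64
"""

# Optional timestamp, then "IP src > dst: rest" (IP6 lines have the same shape).
LINE = re.compile(
    r"^(?:\d{2}:\d{2}:\d{2}\.\d+\s+)?IP6?\s+(\S+)\s+>\s+(\S+):\s+(.*)$"
)


def split_endpoint(token, has_port):
    """Split 'host.port' on the last dot; ICMP endpoints carry no port."""
    if not has_port or "." not in token:
        return token, None
    host, _, service = token.rpartition(".")
    return host, service


def parse_line(line):
    """Return (src_host, dst_host, dst_service), or None for non-IP lines."""
    match = LINE.match(line.strip())
    if not match:
        return None
    src, dst, rest = match.groups()
    has_port = not rest.startswith("ICMP")
    src_host, _ = split_endpoint(src, has_port)
    dst_host, dst_service = split_endpoint(dst, has_port)
    return src_host, dst_host, dst_service


def outbound_destinations(capture, local_host):
    """Count packets sent by local_host, keyed by (destination, service)."""
    counts = Counter()
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] == local_host:
            counts[(parsed[1], parsed[2])] += 1
    return counts


def unexpected_hosts(capture, local_host, expected_suffixes):
    """Destinations that are not one of the expected domains or a subdomain."""
    def expected(host):
        return any(host == s or host.endswith("." + s) for s in expected_suffixes)

    hosts = {host for host, _ in outbound_destinations(capture, local_host)}
    return sorted(h for h in hosts if not expected(h))


if __name__ == "__main__":
    for (host, service), n in outbound_destinations(SAMPLE_CAPTURE, "pc").items():
        print(f"{n:3d}  {host}  {service or '-'}")
    print("not fsf.org:", unexpected_hosts(SAMPLE_CAPTURE, "pc", ["fsf.org"]))
```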
Re: [Trisquel-users] Web Browser
> Taking a look at outgoing connections is not enough to deem how privacy-respectful a feature is. And that feature has advantages too.

The problem with this statement is that you know (or rather can check) only what happens on the sending side. So you don't have enough data to evaluate the advantages in relation to what you sacrifice in order to receive them. That is a basic test which shows if there is a communication or not. Nothing more or less. If there is communication and it is not anonymized through TOR (it is not) - that obviously is a privacy issue. That is quite simple.

> A compromise has to be sought.

Why? Are privacy and security 2 incompatible mutually exclusive concepts? Or rather because someone has designed a program in a way in which you must sacrifice one for the other? If you seek for compromise what happens is giving up freedom in exchange for convenience?

> What I am saying is: details matter.

Yes, they do - but only in their entirety. Only then one can match the details to the big picture. Otherwise we can look at an isolated beautiful "print('Hello world')" and admire how clean and safe it is. Meanwhile Intel ME can be sending data to organization X "User N, located ... is currently admiring the source code of Hello world".

> Take Safe Browsing for example... Let us agree it is a useful feature.

There are organizations which consider that censoring entire geographic regions from accessing particular websites is a useful feature for the safety of the region. Should we agree to that too? It's a fact, not an article. There is enough evidence that the price people pay for using all kinds of "useful features" is pretty high. That said: I do agree that having a blacklist may be useful. But I disagree to the centralized nature of it held in the hands of a single entity which can control it. As long as we cannot check for ourselves what exactly is happening on the other side of the wire it is all wishful thinking.
> Now, you know Google is actually managing the lists of pages known for phishing or of known malware. If you stop your investigation at that point, you may believe that every URL that ends up in your address bar is sent to Google along with your IP address. *That* would be a privacy nightmare not worth the enhanced security... but SafeBrowsing, in Firefox, does not work that way.
> https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/ explains how it works. And anybody can check whether it is true, thanks to freedom 1.

Suppose I am the victim. I (a layman) don't know. I (a non-programmer) have not checked the source code. I (an average user) am forced to trust because there is a huge mountain of information which I need to dig in order to find out the truth, it is growing every day and a lifetime wouldn't suffice for it. But still I refuse to trust articles and want truth, not words, because I don't want to depend on another. I don't want my child (if I have one) to be tracked, logged, turned into a cog of a huge machine. What am I to do? You see - the question is much bigger than F0-4.

The particular article you linked says: 'Google explicitly states that the information collected as part of operating the Safe Browsing service "is only used to flag malicious activity and is never used anywhere else at Google" and that "Safe Browsing requests won't be associated with your Google Account"'

Ok, Google states that. They state all kinds of things. Even without that: We all know very well that each server stores logs. Also one doesn't need to be a professor to know how this works with a company part of PRISM program. What do you think happens when NSA comes and says "We will take these servers to search them"? Will Google say "sorry, we won't allow you to do that because we have written this and that on a web page"? If we believe that, we can easily install Microsoft Windows and turn on Windows Defender because it is a useful feature.
> Mozilla's telemetry. heyjoe's bug, filed against the "telemetry" component, pretended the opposite. He had not understood that the settings in about:config depend on each other: if datareporting.healthreport.uploadEnabled (the setting that can be set from the preferences) is false, no telemetry is sent, whatever the values of other entries in about:config that stands for more specific tunings of the telemetry component.

My test does not pretend anything - it proves something, providing actual, verifiable facts. It seems you have not read the bug report comments carefully because one of the attached logs clearly shows: after additional disabling of various telemetry flags in about:config the amount of packets detected by tcpdump is reduced almost in half. This means that those additional settings do something and they are not insignificant in relation to other disabled flags.

> So, through
Re: [Trisquel-users] Web Browser
Just for the sake of privacy investigation I tested the same way Thunderbird (without any profile/mail configured). On startup it immediately makes connections to Amazon, Linode, Comodo, Akamai and other hosts etc. The majority are HTTPS but some are plain HTTP connections.
Re: [Trisquel-users] Web Browser
> But there is no magic: if you send little information, then little information is received on the other side. If you add noise, the receiver can exploit it even less.

You send your IP address. That's more than enough. You can't add noise to that. Also it is technically stupid (inefficient) to deliberately create noise and burden a system just because it is designed poorly.

> Too basic. Looking at what is communicated is relevant.

Well, basic or not - this is within my capabilities. Considering that nobody seems to have done even that, I think it has certain value.

> If you consider that having the receiver know your Web browser is opened, then yes.

I do, so yes. The word 'private' means not shared. If you are sharing - there is no privacy.

> And you should be able to disable the service it provides to stop that communication... but if that service is useful and cannot be achieved on your own computer (it is not SaaSS), then it does require communication and you may decide it is worth giving the information required to get the service.

Obviously certain services cannot be disabled, otherwise the background chatter would happen. Also it is possible to make the blacklist for safe browsing decentralized. But they didn't do it and there is not even a hint that they will.

> It is physically impossible to request information from a third party without communication...

I know that. But the question is that in this particular case we are sending info to companies for which we know to be part of the PRISM and much more than that. Considering that Big Brother created systems which modify even the HTTP headers for the purpose of eavesdropping, saying that "they can gather much more through G+ buttons than through this" may not be quite valid (and still - we don't know, we never will). In any case, technically it is possible to get information without losing privacy. Example: you turn on the radio and you listen to music.
Nobody is geolocating you, storing cookies on your radio receiver and all the rest of it. I think it should be possible to create a privacy respecting network based on this principle. I would be interested to discuss this further with people who are more technically knowledgeable than me.

> You need not compromise on freedom. You should always stay in control of your own life.

Control means regulation, i.e. conforming within rules, i.e. limitation. Freedom means no limitations. So one doesn't get freedom through control. It's a long topic.

> There is no physical impossibility here (whereas requesting information without communication is impossible): every piece of software can be and should be free software.

I would be interested to know your thoughts in the other thread I opened yesterday: https://trisquel.info/en/forum/freedom-security-technology-what-can-we-do

> And that has absolutely nothing to do with our conversation.

It has a lot to do because not only the details matter but also the big picture which contains much more important details (otherwise we wouldn't be here and the whole idea of FOSS wouldn't exist).

> "All kinds of useful features" is too general to state anything about them.

Did you expect me to enumerate each and every spyware? Please, I know you are intelligent enough to understand what I mean.

> You can consider that price too high. Other users, most users I believe, consider it is not.

Of course. But the issue here is not what I consider, I am not important. The issue is that the whole system is designed in a way to encourage negligence and loss of privacy.

> However, I let it enabled on my parents' computer (that I administrate).

Same here.

> I do not think (I may be wrong) anybody knows how to have a distributed Safe Browsing system that would not significantly slow down page loading. Do you know?

The first thing that comes to mind - torrents, mirrors (like we have for FOSS). There are other means too perhaps.
Example: encouraging ISPs to keep a local mirror on the gateways, proxies. It is possible.

> You trust the community... freedom 3.

The problem is that trust implies faith which is not facts. And that can be exploited. We can discuss that in the other thread where I raise that question. Also the issue here is: the community (Mozilla etc) ignores the facts just because they preferred to fight over the definition of words. This is another example that F3 doesn't necessarily work.

> The four freedoms do not solve all problems but it is the best we have.

Yes. But it seems to me they are not enough any more. Much more is necessary nowadays.

> Windows is proprietary software. Its users are denied the essential freedom to know what it is actually doing. The worst should be assumed.

Google's servers are not less proprietary. Why don't you assume the same for them?

> Your bug reports ... You are critical and that is a good thing.
Re: [Trisquel-users] Web Browser
>Taking a look at outgoing connections is not enough to deem how privacy-respectful a feature is.

I was referring to the already mentioned nonsense like third party cookies enabled by default or google sponsored 'safe' browsing etc..

>That feature aims to warn a user who is about to access a page that is known for phishing or about to download known malware. Let us agree it is a useful feature.

I don't agree. It is nonsense. Mozilla should host their own servers for any purpose they deem important enough as to be included by default in their browser.
Re: [Trisquel-users] Web Browser
Ok, I know I should have tested without any addon but I installed umatrix (which btw is absolutely magnificent). So I tested it with noscript and umatrix and all my mods, basically the browser as I use it.

I opened the browser and the connections made were the following:

hosts-file.net (107.22.171.143)
someonewhocares.org (209.97.222.140) (turing.theorem.ca)
winhelp2002.mvps.org (216.155.126.40) (mars.olymp.mvps.org)

Then, when going into preferences the new connections I see are:

aus5.mozilla.org
balrog-aus5.r53-2.services.mozilla.com., A 52.88.57.64, A 34.208.7.8, A 52.35.162.72, A 34.214.242.76, A 34.210.48.174, A 52.36.39.89
us-west-2.compute.amazonaws.com (52.88.57.64)
ocsp.digicert.com (93.184.220.29)
cs9.wac.phicdn.net (93.184.220.29)

And finally when on the fsf's page the new connections made were:

www.fsf.org (208.118.235.174)
svnweb.fsf.org (208.118.235.30)
ocsp.usertrust.com (178.255.83.1)
ocsp.comodoca.com (178.255.83.1)

--

Btw, m8 Joe, may I ask you where you going with that gun in your hand? ;)
Re: [Trisquel-users] Web Browser
So basically you proved the results of my tests. The first 3 hosts you listed look like the hosts which contain the lists for uMatrix (without uMatrix there would not be connections to them). But opening preferences again shows connections to hosts which the user has not explicitly asked for. Still trust Firefox and Mozilla? > Btw, m8 Joe, may I ask you where you going with that gun in your hand? ;) I'm goin' down to shoot my old lady You know I caught her messin' 'round with another man. :)
Re: [Trisquel-users] Web Browser
Another reason to keep JS disabled: https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
Re: [Trisquel-users] Web Browser
> *That* (not adding noise) would be extremely inefficient. And why stopping there? By your logic, every website should continuously broadcast whatever they host to all online systems! And by your logic it is much more efficient that the clients (which are always more than the servers) broadcast all kinds of personally identifying info, that special software and hardware should be made to ensure security, that that should be further infected by the organizations which prefer the "efficient" way of doing things etc. I question that. And I question it on a bigger scale. I don't know if you understand what I am saying. That's why I opened the other thread. > No it does not. Yes, it does. One cannot be limited, attached, conditioned, dependent, restrained and free. > You are not less free because you cannot fly, for instance. Yes, you are - physically. Otherwise man wouldn't invent flying devices. > Freedom means "exemption from *external* control, interference, regulation, etc." (emphasis is mine): www.dictionary.com/browse/freedom This source is wrong. If one exercises control psychologically, i.e. inwardly, one is not free. Examples: fear, self censorship, suppression etc. You may better check the original (etymological) meaning: https://www.etymonline.com/word/free "exempt from; not in bondage, acting of one's own will," (read the rest for yourself, there is no mention of external whatsoever) Also https://en.wiktionary.org/wiki/free mentions many times unconstrained, as well as confirms "to be enjoyed without limitations; unrestricted;" The earliest known meaning of freedom is from Sanskrit and means love. > As I wrote: being in control of your *own* life. But do you own life? Is there anyone who does? Is ownership something actual or a concept created by thought? You see - man creates the idea of ownership (this is my land/cow/food/nation/data), then separates the whole world into pieces, they inevitably conflict with each other. 
Then man tries to impose strict restrictions to those pieces, to _control_ them harder and harder till absolute tyranny is achieved. And all that business of "personal and national security" creates more insecurity, some good people create FOSS systems with the hope to escape the tyranny but it is not freedom. It is a fight for the control. I wonder if you understand what I am saying. The reaction to non-freedom is not freedom. Freedom has no opposite. I don't want to get too off-topic. Again - I welcome you to discuss things in the other thread as I am really interested to talk with technically knowledgeable people about what we can do about our real freedom. So "to control one's own life" really means conformity to certain pattern (adopted from an external source or invented for oneself). It is not freedom. > So you agree that the enhanced security your parents get is worth the privacy they give up? Unfortunately yes. It is the least worse for the moment. > Don't you think most users are like your parents and less like you? And that is due to the poor design. Technology as it is makes people more stupid, more dependent and less free. I don't even need to give examples, do I? > Distributing the lists is not the hard part. Creating them is. There is no need to create them. It is possible to have TOR-ed nodes which pull them and host them. BTW I wonder if you have ever asked yourself why all the malware exists but I won't go into that question here. Let's just say - with a good design it wouldn't be hard. It may even be unnecessary. Example: in Windows you need antivirus programs. In Linux - unlikely + there is fairly low interest in creating viruses. Why? Because of better overall design. Same for defragmentation programs etc. > Trusting nobody, not even free software communities, and not being a programmer, you should stop using software. All of it. Exactly. But nobody pulls the cord (except RMS perhaps). 
Personally I have started programming about 30 years ago (Commodore 64, then another 8-bit computer, then 8086 etc) and although I neither made it into a profession nor I do it actively, I have a fairly good view on how hardware and software works, so at least I don't try to do something which may be dangerous. Still I don't claim to be no expert, technology moves too fast to follow every aspect of it. That's why I was saying previously - if one is a general layman, things are very very dangerous. > Google's server (the software they run on their side) is trivially free: there is one single user and it has all four freedoms. Where is the source code? Can anyone download and install it? If yes - then we can outstrip Google. BTW sth interesting which I saw today in tcpdump: when I open https://duckduckgo.com/html/ - many connections to amazonaws.com :) > On the contrary, Windows is distributed to many users that do not have the control
Re: [Trisquel-users] Web Browser
> I do not. Then ask, don't assume or twist. > Since you are redefining words, it is not surprising. I have shared the original dictionary meaning of words. I don't define anything, I just stick to it. If someone else has invented a new different meaning because it sounds pleasing ("free coffee") - blame them. > The definition of freedom you list match the one I gave you. Not quite. You added emphasis to something which doesn't figure at all in the original meaning. > They do not say "freedom means no limitation" (like you wrote). What is 'unconstrained' according to you? https://www.etymonline.com/word/constrain > That is fortunate because your definition is useless: since there are impossible things (going back in time, turning yourself into a tomato, etc.), nobody is and can ever be "free" by your definition! Freedom is inwardly. Just because you can't walk on the sun doesn't mean you cannot be free. So let's not confuse freedom with outward physical possibility. Freedom and free are greatly abused words today, highly deflected from their original meaning. It is really difficult to discuss when so many words in the language have been corrupt, so we must be very careful. In any case "I control" and "I own" is not freedom. If "I control" was freedom, then every tyrant is an absolutely free human being. > Yes, it has: slavery. No. You are still thinking in terms of ownership and control. Slave implies a master (controller), as an opposite. In freedom there is no master and slave. No controller and controlled. That's why there is no restriction or limitation (constraint). > So, you now recognize that there are "levels of privacy respects"? I mean if it was 0/1, like you pretended earlier, writing "the least worse for the moment" would make no sense. We need words to talk. Both of us may have different background (cultural conditioning) and may have different associations with the meaning of a word. But the word is not the thing. 
So all the explanations I give and the references to the original meanings are an attempt to establish a common ground to avoid confusion. Otherwise we cannot possibly have a meaningful discussion. Two parallel monologs are not a dialog. Details do matter but not per se, they are just aimed to give the necessary depth to understand the whole. The whole is what matters the most, not the fragment. > Why is "the poor design" (of what?) the reason people are more at risk of being duped by phishing? The fact that the system is designed in a way which allows phishing to exist. I already explained that with Windows and viruses. > That is against the Terms of Service (see my reply to SuperTramp83). Even so - nobody can stop people from creating 1000 nodes each storing 50 host names (just an example). Terms can change too. Everything can change. Many years ago it was "against the terms" to say that the Earth was not flat. > He believes in the collective control of the software through freedom 3. You see - when belief, faith, trust are used - this is the path to illusion and there will always be a party exploiting this. The proof: the privacy issue of IceCat. I have never exercised freedom 3, or 2, or 1 when testing it. I was just sceptical (because I refused to trust another's test or believe articles). Anyone can believe whatever one wants but facts are irrefutable. And FWIW: just because RMS does or does not a particular thing doesn't mean that this action is something sacred, absolutely right or that everyone else should do the same. Otherwise the Earth would still be flat. So let's not try to justify everything through the authority of someone. Of anyone. > We are all limited, i.e., nobody is free and can be free by your useless definition of freedom. Again: you are putting a different tint to the meaning and hurry to conclude that the dictionary definition is useless. 
According to your tint freedom is the result of absolute unlimited knowledge which of course is impossible - knowledge is always limited. By not being limited free means no dependency on the factors which create limitation (including knowledge). Example: you want to make a fire, you go and take some wood and a box of matches and burn it. You don't need to be an expert in microbiology of plants. And it is a safe thing to do. You may not have the tools to inspect it, it is pretty much "closed source" (and at the same time not deliberately closed as in proprietary) yet it is in no way invading your privacy and does a good thing to you by giving you warmth and light. You also have the natural sensitivity not to touch the fire which prevents you from burning your skin. At the same time this natural sensitivity tells you to be careful not to burn your house. So you are pretty much an expert without having to read a whole library. The problem is that the computer is not like that. The ease of u
Re: [Trisquel-users] Web Browser
>So basically you proved the results of my tests. The first 3 hosts you listed look like the hosts which contain the lists for uMatrix (without uMatrix there would not be connections to them). Yes, I believe so. >Still trust Firefox and Mozilla? I never did in the first place. As I said I think I have quite some issues at trusting. I am suspicious and pessimist by nature. >I'm goin' down to shoot my old lady You know I caught her messin' 'round with another man. That's exactly what I thought, but it was worth asking :)
Re: [Trisquel-users] Web Browser
You have been making many points that are insightful and worth talking about in themselves but that don't support a clear argument. This is perhaps a pitfall of the point-by-point forum response style that I also tend toward. However, the timing and frequency with which you temporarily reframe the discussion with interesting but tangential points comes across as evasive, which is perhaps why Magic Banana is not patient to follow them all. I think it will help if for now you can stick to topics that support your most important arguments. If I follow correctly, your main point is that the four freedoms and community control of software are insufficient to be 100% certain that software is privacy-respecting. Magic Banana and I have each acknowledged this, but have asked if you know of a better solution apart from avoiding software (including Linux, GNU, and Chromium) altogether. Your responses have touched on a wide array of issues, but none that address this question. Perhaps your secondary argument is that the design of the Internet is flawed because it requires compromises between security, privacy, and convenience. I agree that an internet without such physical limitations would be objectively better, but in the absence of a concrete suggestion for one, wishing that the Internet behaved like radio or cherry picking definitions of 'freedom' that are ambiguous as to whether it is the absence of imposed or natural limitations is unproductive. Earlier in this thread, you mentioned that you have some ideas about this. > Hence my idea about a new network. Sharing these might get the conversation back on track.
Re: [Trisquel-users] Web Browser
You throw the baby out with the bathwater, which irritates me very much. On Tue, 2018-01-09 at 19:47 +0100, stu...@anchev.net wrote: > Could you please explain what freedom issues (apart from the one mentioned by > > me) there are? I have always thought Chromium is FLOSS. If you're concerned about privacy issues in Mozilla, then how could you ever consider Chromium? Chromium's privacy issues are even more difficult to remove, and people are still trying to figure it out. > But I am not a programmer. And it seems no programmer has taken care to > remove them, yet the vendors claim it is free software respecting privacy and > > people believe that. If someone's not doing it fast enough, pay them to go faster. > Perhaps I need to find a command line tool or > get rid of RSS totally... What. On. Earth. You are making no sense. You take no initiative to use the rights you hold so dear. You just sit back and take anything the developer gives you, as if the software were proprietary. Just because all the clients in the world are garbage is absolutely no justification for refusing to ever use the protocol. That's insanity. Just wait for a better client, whether one that someone else makes or one you pay someone to make. -- Caleb Herbert OpenPGP public key: http://bluehome.net/csh/pubkey
Re: [Trisquel-users] Web Browser
> but there is nothing wrong with them claiming that their Debian-derived > distro PureOS is libre because it is, I see they've recommended Etcher, an Electron app. They didn't respond to me on IRC when I said Electron was a possible FSDG issue, since Fedora and FSDG distros (specifically Parabola) have removed it for this reason.
Re: [Trisquel-users] Web Browser
On Thu, 2018-01-11 at 01:15 +0100, stu...@anchev.net wrote: > The answer given by the Chromium dev surely is not to my taste. Yet it is > more acceptable considering that even currently Chromium's test shows it to > be a privacy respecting browser. Or can you show a test which demonstrate > that Chromium leaks data to Google? Or any other freedom related issue? > Please do share, I am interested. Are these words sincere, or are they meant to provoke others? Everybody knows about all the struggles Chromium forks like Iridium had to go thru to get Chromium to stop going full botnet! RMS even discussed Iridium when they tried to liberate Electron, and it was difficult then too.
Re: [Trisquel-users] Web Browser
You made quite a good summary. Just to clarify: I am not looking for an argument in the sense of stating something and then proving it. The clarifications I made just for the sake of better mutual understanding, not in order to oppose for the sport of it (which would be quite silly). Initially I shared my findings then tried to explain that careful observation, questioning, testing (and _not_ trusting an authority) is what leads to truth. You seem to expect me to give an answer to all these questions which I may not have or for which others may be aware of recent researches on the matter and so on. We can all together look at the deeper issues and hopefully come to something. That's why I opened the other thread (as suggested in the Troll Lounge) as this is not web browser and not Trisquel related: https://trisquel.info/en/forum/freedom-security-technology-what-can-we-do
Re: [Trisquel-users] Web Browser
> Are these words sincere, or are they meant to provoke others? They are sincere. And they are meant to provoke actual testing, not just theorizing. I have not tested Iridium. And I am not planning to. So whoever says anything about it must provide actual test. Otherwise it is just words (however reputable the source may be).
Re: [Trisquel-users] Web Browser
> If you're concerned about privacy issues in Mozilla, then how could you ever consider Chromium? Why not? The test proves it behaves better. It doesn't chatter in the background like Firefox (and its forks). There is only one single packet sent to translate.google.com on opening of settings and that can easily be blocked with other means. > Chromium's privacy issues are even more difficult to remove, and people are still trying to figure it out. I don't know what issues you are talking about. I shared my testing procedure, so anyone can check for oneself without having to trust my results.
Re: [Trisquel-users] Web Browser
To find out the possible issues with Chromium, I recommend you all to contribute to [1] and the discussion around it in [2]. If there is no review as to whether some software is free/libre or not, then we can only assume the worst case which Stallman and others keep showing in their talks: that it's non-free software. And the community here shouldn't recommend non-free software. I myself so far only contributed with a simple run of licensecheck [3] but as I explained in the reference, we need to clean that result (the reference talks about an attachment, but you must download it using the torrent Info hash in [1] instead, or run licensecheck against your own copy of Chromium's source code --- following the steps I gave in [1] or in [3]). Finally, the practice of using shorter license notices such as "licensed under SomeLicense" even if the "SomeLicense" itself already defines what the notice should be makes things more confusing (as I noted in [3]). About RSS (and general news feed/reading: I don't like the RSS specification too, I prefer Atom feeds, specially if the makers of the feed post the complete article in the item). ;) Currently I'm experimenting with some famous news readers for Emacs: Newsticker (built-in), org-feed (built-in), elfeed (external). I'm also contributing to Newsticker and org-feed by testing them and sending detailed bug reports. I can't do that with elfeed because of GitHub issues well described in gnu.org. [1] https://directory.fsf.org/wiki/Talk:Chromium. [2] http://lists.gnu.org/archive/html/directory-discuss/2017-11/msg1.html. [3] http://lists.gnu.org/archive/html/directory-discuss/2017-11/msg00014.html. 2018-01-09T19:47:02+0100 stu...@anchev.net wrote: > Could you please explain what freedom issues (apart from the one > mentioned by me) there are? I have always thought Chromium is FLOSS. > > > But I am not a programmer. 
And it seems no programmer has taken care > to remove them, yet the vendors claim it is free software respecting > privacy and people believe that. My test proves that it is not. And > that the vendor not only doesn't care but would rather argue with > proven and close the ticket. > > > Yes - IceCat, Waterfox. IceCat also does background communication on > startup. Waterfox shows the same behavior as Firefox. > > > Using uMatrix's background log I noticed that Tor Browser also sends > behind the scenes packets. I don't know if they go through the Tor > network but in any case - they are sent, without prior (or any) > consent. Some of them were to Mozilla's servers. I haven't tested > further or in more detail. > > > Thanks. I also just found QuiteRSS which has built in browser in which > JS can be disabled. But to my mind the very fact that the RSS reader > has support for JS makes me stay away from it. Perhaps I need to find > a command line tool or get rid of RSS totally... > -- - https://libreplanet.org/wiki/User:Adfeno - Speaker and consultant on free/libre /software/ (not to be confused with gratis). - "WhatsApp"? It is not free/libre. Please see ways to communicate with me instantly at the address below. - Contact: https://libreplanet.org/wiki/User:Adfeno#vCard - Common files accepted (only without DRM): Corel Draw, Microsoft Office, MP3, MP4, WMA, WMV. - Common files accepted and sent: CSV, GNU Dia, GNU Emacs Org, GNU GIMP, Inkscape SVG, JPG, LibreOffice (ODF standard), OGG, OPUS, PDF (only without DRM), PNG, TXT, WEBM.
Re: [Trisquel-users] Web Browser
And it's where these basic websites for paying bills get the most focus of web-vandals, because these websites have automatic client-side software being forced to end-user which just want to "get the bills paid". What you should do instead is contact the website owners and tell them to change to a solution which doesn't require any client-side software besides a browser with HTML and CSS support and no JS, extensions nor plug-ins. If you are not a programmer or not a web developer, tell them to contact libreplanet-discuss (this forum, trisquel-users, isn't for this kind of requests unfortunately), with more and more people doing the same for a given company they will eventually give it a try, if they ignore you, you have a reason to not use their disservice anymore. ;) 2018-01-12T01:17:01+0100 stu...@anchev.net wrote: > What's wrong with just calling it "privacy"? Privacy is important > enough on its own that I don't think we need to reframe the discussion > in ways that might cause confusion. > Nothing wrong at all. I just wanted to accent on the fact that for > people privacy (as a form of personal security) is more important than > the ability to inspect/change/redistribute. That's why I think we need > stronger criterion when evaluating the quality of software (or > hardware). As discussed here, just being free (in the FSF sense) is > obviously not enough and with the state of what is happening in the > world we need new things. Hence my idea about a new network. > > I will figure it out when I have more time. > You can also try wireshark. > > It doesn't seem to prove that no additional data is sent by Firefox or > Chromium during browsing, just that this data at minimum is sent on > startup. > I don't know what lower/upper-bound means but the very fact that any > browser which sends these packets without the user initiating > explicitly that communication is enough for me to mark it not privacy > respecting and not consider it for further testing. 
Of course you are > right - we need to test how it works during browsing. Perhaps the best > thing to do would be to keep it simple - e.g. opening remote txt or > html without scripts or extensions and looking at tcpdump. Let me know > if you have any better idea. > > I said that it had been closed, but it's alarming that it ever happened. > > That is in no way different from Ubuntu's case or from Mozilla's > telemetry. In such scenario, when flaws are all around, all we can do > is look at facts as they are right now: Chromium does not send packets > to any third party on startup. Konqueror sends no packets at all on > startup but has other issues as it seems. > > However, right now I am more concerned with the issues linked to by > Magic Banana, since they are active and haven't been adequately > addressed after several years. > I am honestly having a difficulty in understanding what you > mean. Aren't they primarily licensing issues? Why are you more > concerned about licensing while your browser is sending packets to > company X, Y, Z? Please explain as I may be missing something. > > Replicant, the operating system, is 100% libre. You are likely > referring to the modem or bootloader that the device itself uses > regardless of what operating system it runs. > Exactly. > > Purism's phone... > It is still not produced, so nobody can possibly evaluate it. But from > what I know there will be complete hardware separation between the > modem and the rest of the system. So you can use it as a pocket libre > computer, hopefully without any coreboot or whatever firmware blobs, > otherwise it won't be much different from a Samsung + Replicant. Also > from what I have heard, it would be able to use the mobile network as > a pipe, to make encrypted phone calls. So basically the only tracking > will be possible through the location of the phone based on nearby > mobile stations (which perhaps cannot be avoided if one wants to talk > to anybody). 
> > I suggest looking into JMP if you live in North America > I don't but thanks for the info. What you describe is similar to Librem5. > > In this case the advantage of using Tor is that you do not reveal your > location. This is especially important if it is a site or account you > use frequently (like an email provider) as otherwise they can track > you to the point of detecting behavioral patterns. > Sure. You can probably even use Facebook anonymously but FB (and many > other sites) won't allow you to sign up/in with a disposable email > address (they seem to recognize the domains). I know the FSF page > which you linked but it seems dated. From all the recommended ones > only safe-mail.net seems to work without JS but it requires a current > email address and I can't find any site which gives disposable email > without JS, so there is still no possibility for complete untraceable > anonymity. As for Kolabnow - I have been in touch with these guys and > asked them if they have cleaned their systems from Intel ME, > p
Re: [Trisquel-users] Web Browser
When you quote automatically whole (especially lengthy posts) it is difficult to follow what exactly you are commenting on (without rereading the whole post). You obviously do this through email but please consider quoting only what you comment on. As for recommendations to web developers: I can assure you I have done this so many times. Including: to trisquel.info which has weak HTTP security headers: https://securityheaders.io/?q=https%3A%2F%2Ftrisquel.info&followRedirects=on I have sent this using the Contact link on this site. No reply so far. No fix either. Hopefully someone will look into it.
Re: [Trisquel-users] Web Browser
> The clarifications I made just for the sake > of better mutual understanding, not in order to oppose for the > sport of it (which would be quite silly). I believe you. > Initially I shared my findings then tried to explain that careful > observation, questioning, testing (and _not_ trusting an > authority) is what leads to truth. I appreciate that, but since then you have seemed to only mistrust free software developers by default, refusing to accept their software if you can't understand every line of code yourself to prove that it is perfect, while you seem quite trusting of Google, putting the burden on people here who aren't even interested in non-free software like Chromium to use their time to audit it for you to prove that it *isn't* perfect. > You seem to expect me to give > an answer to all these questions which I may not have or for which > others may be aware of recent researches on the matter and so on. No, I had honestly misunderstood you as having said that you had some sort of suggestion. I wasn't trying to be flippant. It is fine to point out a problem even though you don't have a solution yourself, as long as your approach is conducive to finding a solution. > We can all together look at the deeper issues and hopefully come > to something. That's why I opened the other thread (as suggested > in the Troll Lounge) as this is not web browser and not Trisquel > related: Your new thread, like your comments here, is about an important topic. However, it doesn't really add anything new. We already know that no software is perfect, even software under community control. A specific proposal (even if it is not a complete solution) to improve it would be interesting, but simply saying that you don't think software is privacy-respecting enough doesn't help anyone to improve it. I think you have touched on some ideas that are concretely helpful, but seem to have gotten sidetracked by broad questions with no helpful answers. I suggest staying focused. 
Take any questions you have about browsers to the developers, keeping in mind that the specific situation you are testing is not the be-all-end-all and that as Magic Banana has explained there are some compromises inherent to the system (browser developers do not get to decide how the internet works), but that if their decisions are making some users unhappy they may address or at least explain them, and that if the browser is free software then a fork may be able and more willing to make a change that the original developer is not.
Re: [Trisquel-users] Web Browser
> since then you have seemed to only mistrust free software developers by default This is incorrect. I don't mistrust a particular group of people. I question the value of trust as a whole. > putting the burden on people here who aren't even interested in non-free software like Chromium to use their time to audit it for you to prove that it *isn't* perfect I don't know why you say that. Chromium seems just as non-free as Firefox considering the link shared by another poster (https://libreplanet.org/wiki/Libre_Browsers_Libre_Formats#Browsers_that_might_seem_free.2C_but_are_not) yet for some reason people mention it as free, prefer it, fork it and make browsers using the same flawed code which obviously leads to the same privacy issues in the forks. The only people from whom I asked to check their code are the developers which is what bug reports are for. > having said that you had some sort of suggestion I never said that. I shared what came to my mind and invited others to share your thoughts. You said you had no time to ask further. Was I supposed to elaborate without anyone being interested? Or to open a thread about it and talk to myself? > to point out a problem even though you don't have a solution yourself, as long as your approach is conducive to finding a solution. I am questioning the whole approach of looking at everything in problem-solution pairs. We already have technology based on that. > A specific proposal (even if it is not a complete solution) to improve it would be interesting It is not possible to come to the specific without looking. The new thread is about looking together, thinking together, questioning together - not about one person giving a proposal and N other people agreeing or disagreeing, evaluating everything through the prism of an authority, arguing etc. If that is not possible - let's not make a problem-solution pair out of it ;)
Re: [Trisquel-users] Web Browser
I discuss _privacy_ issues. The bug reports are about _privacy_ issues. Mentioning freedom 0 in the bug reports was obviously unnecessary and inappropriate. That's a finished discussion. Long ago. In my last reply to mason I was clarifying that: > The only people from whom I asked to check their code are the developers which is what bug reports are for. ^^^ That is the essence of the reply. I mentioned that both FF and Chromium are similarly non-free just to illustrate that the _privacy_ issues remain regardless of the software being free or not. Which itself confirms that _privacy_ and FSF-freedom are different issues. What's the point of repeating what I say as if I said the opposite?
Re: [Trisquel-users] Web Browser
Ok.
Re: [Trisquel-users] Web Browser
> I don't mistrust a particular group of people. I question > the value of trust as a whole. Yes, you have argued that because it is impossible to be 100% certain that a piece of software is privacy-respecting, we cannot trust free software to respect our privacy. This in itself is sound, if your conclusion is to avoid all software. However, your solution is to use Chromium, which in addition to its freedom issues has the same inherent problem that you cannot review every line of code. If you don't believe in trust, why make an exception for Google? > The only people from whom I asked to check > their code are the developers which is what bug reports are for. I had thought I remembered you asking someone in this thread to prove that Chromium is flawed by reviewing the source code, but skimming back through the thread the closest thing I see is asking Magic Banana to investigate the Firefox source code, so I may have been mistaken. > You said you had no time to ask further. Was I supposed to > elaborate without anyone being interested? Or to open a thread about it and > talk to myself? I didn't have time to ask more about it at that moment, but I was and still am interested. If you have the time and desire I encourage you to start a more specific thread describing it. > I am questioning the whole approach of looking at everything in > problem-solution pairs. We already have technology based on that. Can you explain what you mean by this? The way I interpret it, everything you say after this is ridiculous, so I'd rather that you clarify before I assume that I understand and risk putting words in your mouth.
Re: [Trisquel-users] Web Browser
>reviewing the source code of Chromium Over 18 million LOC, good luck! ;-)
Re: [Trisquel-users] Web Browser
> If you don't believe in trust, why make an exception for Google? If you are asking "Why do you trust Google" - I don't. > the closest thing I see is asking Magic Banana to investigate the Firefox source code, so I may have been mistaken. Yep, np. And I wasn't necessarily asking him to investigate but was rather trying to find out if his statements were based on facts or on words of others. > If you have the time and desire I encourage you to start a more specific thread describing it. https://trisquel.info/en/forum/thoughts-about-new-type-network > Can you explain what you mean by this? Our whole culture is based on problem-solution pairs. We approach everything in life as a problem and look for solutions. And that's why technology is also based on this approach. So I am thinking if there is another approach.
Re: [Trisquel-users] Web Browser
> If you are asking "Why do you trust Google" - I don't. You use Chromium despite not understanding every line of source code. You have argued, and I agree, that this requires trust. > https://trisquel.info/en/forum/thoughts-about-new-type-network Great post. I'll probably stop following this thread less closely now and focus on the new one.
Re: [Trisquel-users] Web Browser
> You use Chromium despite not understanding every line of source code. You have argued, and I agree, that this requires trust. I use it just because I haven't found anything better (privacy-wise). FWIW I also use Google Apps... as I still can't find the perfect alternative to it. But I don't trust it, I use it - and they use me more.
Re: [Trisquel-users] Web Browser
> I use it just because I haven't found anything better (privacy-wise). I understand how you've come to that conclusion. I won't tell you to change your decision, but I will explain why I respond differently. The secondary reason is that I find it very unlikely that Chromium is the most privacy-respecting browser overall. It is a mistake to judge browsers by a single criterion. You must consider all known factors, and estimate the unknown based on the past and the track record of the browser and developer. However, even if I knew for a fact that Chromium were the most privacy-respecting browser, I would respond the same way I do in other situations where non-free software is superior to free software in some way: First I would assess whether the better feature is important or something I can do without (in the case of privacy it is important), and if the feature is important I would find the best free alternative and request the feature. I may donate to help the feature get implemented. If the feature would take a great deal of work it may be necessary to organize a crowdfunding campaign. If the feature were something I absolutely could not live without I may use the proprietary software as little as possible as a short term solution, but I would not give up on the free replacement, because I should not have to trade my freedom for privacy or any other feature. > > FWIW I also use Google Apps... as I still can't find the perfect > alternative to it. But I don't trust it, I use it - and they use > me more. I often have to use Google Drive for collaborative editing. When this happens I try to use a computer at my school or library instead of my personal machine, but I really wish I knew of a replacement that people would be willing to switch to (suggesting git would not go over well).
Re: [Trisquel-users] Web Browser
> I won't tell you to change your decision It is not particularly a decision but rather simple logic: I still use Google's services and while I am looking for a freedom+privacy respecting alternative it would be silly to drop them because this would block my work. So considering that my life is still "Googled" and changing the browser won't do much. So in this situation I may be considered a hypocrite who discusses privacy in general. > You must consider all known factors, and estimate the unknown based on the past and the track record of the browser and developer. I think I have already done that. Right now I find Chromium least worse because of the results of the test + the ability to use uBO and uMatrix which I consider essential extensions providing additional control over browsing, tracking, malware etc. No other browser can give me this combination of factors. So although certain parts of Chromium may be considered non-free (which seems to be mainly license-wise) the overall functionality of this combination is far better than any FF-fork. Midori and Konqueror are incompatible with uBO and uM. lynx is an overkill. Tor is slow (and some sites won't work with it). Let's not forget also that browsers like IceCat and other forks which have not updated their code up to FF 57 basis still don't have the new fixes about Meltdown for example. Chromium (even not latest) has a flag for process isolation. I think we should also mention without any bias that Google's experts are very good at security. If we disregard for a moment the overall privacy and political disaster of Google - which other company has considered removing Intel ME from their hardware, testing deeply things to discover Spectre and Meltdown, patching whatever is possible against that? But... yes, I know. 
> but I really wish I knew of a replacement that people would be willing to switch to I have bookmarked (in order to look at later) https://nextcloud.com/ I also learned to download files with public access from Google Drive without having to log in to Google Drive or use of JS. If the link is to a file, it can easily be converted to a direct link. Here is a bash script line which does that:

printf '%s\n' "$1" | sed -r -e 's/(https:\/\/drive\.google\.com\/)file\/d\/([^/]+)\/view/\1uc?id=\2\&e=download/g'

Unfortunately with other services like WeTransfer that seems not possible. So back to your comment: yes, long term you are absolutely right, that's why I filed all these bug reports. But right at this moment Chromium works better. BTW, on a side note regarding online services: It is generally possible for one to buy an Opteron server from Technoethical and host everything on it (website, share files, email etc). But the expenses will be much bigger and the quality of the service may not be so good for hosting high traffic websites. Well, perhaps one could put the server at an ISP data center and pay for high speed Internet but that may still not be sufficient, more servers may be needed in a cluster etc etc. So we simply don't have the resources to create such alternatives. And for a simple user whose needs are not so big it is an absolute overkill. That's why I was putting question #1 in the thread about freedom.
Re: [Trisquel-users] Web Browser
I don't even know what sloccount is.. I was using openhub, the website to determine how much are there. *only* 9 million? Awesome, I'll throw a party \o/ Netsurf according to openhub has some 200.000 lines of code, if memory serves. Too bad websites are poorly rendered and everything is mixed up. Was it not for this I'd use it exclusively. Highly recommended browser.
Re: [Trisquel-users] Web Browser
> Netsurf according to openhub has some 200.000 lines of code Good luck with exercising freedom 1 with this :) > Highly recommended browser. Why?
Re: [Trisquel-users] Web Browser
>Good luck with exercising freedom 1 with this :) The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this. Why? >Why Coz it's fast like hell? Coz it's as fast as Links2 or Dillo but much more usable?
Re: [Trisquel-users] Web Browser
> BTW I am looking for a way to search/browse Youtube without JS. Any ideas? Recent versions of GNOME Videos can search and play YouTube videos, as well as Vimeo and perhaps a few other sites. mps-youtube also searches YouTube, but it won't play videos on my machine. Its UI is also not a shiny GUI app like Videos is, so recommending Windows users to go from using the site to using the terminal is kind of embarrassing.
Re: [Trisquel-users] Web Browser
F1: I know. I just wanted to say that it is humanly impossible for a single person to study millions of lines. Even for 100 people. Perhaps I should have commented on a previous post of yours. > Coz it's fast like hell? How does it behave on the tcpdump test? BTW NetSurf's website is also very fast. I notice they run Cherokee server (unknown to me, perhaps also worth trying). > Coz it's as fast as Links2 or Dillo but much more usable? Damn. :)
Re: [Trisquel-users] Web Browser
Thanks for the info! My main concern is not to run JavaScript. Do you know if Gnome Videos use JS internally? FWIW the other day I read that youtube-dl *does* use JS... which makes me hesitant to use it. Do you know any alternative to it which doesn't?
Re: [Trisquel-users] Web Browser
Also: Is Gnome Videos the same as totem? I can't find any package with name close to videos or gnome videos on my openSUSE but I have totem.
Re: [Trisquel-users] Web Browser
> I appreciate that, but since then you have seemed to only mistrust free > software developers by default, refusing to accept their software if you > can't understand every line of code yourself to prove that it is perfect, > while you seem quite trusting of Google, putting the burden on people here > who aren't even interested in non-free software like Chromium to use their > time to audit it for you to prove that it *isn't* perfect. To top it off, Chromium's codebase is even larger and harder to understand than Mozilla's. And that's saying a lot, because Firefox is hard to build. -- Caleb Herbert OpenPGP public key: http://bluehome.net/csh/pubkey
Re: [Trisquel-users] Web Browser
> Coz it's fast like hell? Coz it's as fast as Links2 or Dillo but much more > usable? Hell yeah, it is! Links2 sux. -- Caleb Herbert OpenPGP public key: http://bluehome.net/csh/pubkey
Re: [Trisquel-users] Web Browser
On Thu, 2018-01-18 at 01:57 +0100, stu...@anchev.net wrote: > > You use Chromium despite not understanding every line of source code. You > have argued, and I agree, that this requires trust. > > I use it just because I haven't found anything better (privacy-wise). Appeal to Futility. :-( > FWIW I also use Google Apps... as I still can't find the perfect alternative > to it. But I don't trust it, I use it - and they use me more. What do you use Google apps for? Which ones do you use? I used Gmail, Docs and Drive primarily. Evolution, LibreOffice and a shiny SFTP client/file manager plugin met my needs. -- Caleb Herbert OpenPGP public key: http://bluehome.net/csh/pubkey
Re: [Trisquel-users] Web Browser
On Thu, 2018-01-18 at 10:47 +0100, stu...@anchev.net wrote: > I also learned to download files with public access from Google Drive without > > having to log in to Google Drive or use of JS. If the link is to a file, it > can easily be converted to a direct link. Here is a bash script line which > does that: > > printf '%s\n' "$1" | sed -r -e > 's/(https:\/\/drive\.google\.com\/)file\/d\/([^/]+)\/view/\1uc?id=\2\&e=download/g' Is this code snippet copyrightable? Does anybody remember the snippet to download a native Google Docs doc as OpenDocument or PDF? -- Caleb Herbert OpenPGP public key: http://bluehome.net/csh/pubkey
Re: [Trisquel-users] Web Browser
> What do you use Google apps for? Which ones do you use? Gmail, Google Drive (rarely Docs), Calendar. > Evolution, LibreOffice and a shiny SFTP client/file manager plugin met my needs. I use them too but they can't replace the above.
Re: [Trisquel-users] Web Browser
>How does it behave on the tcpdump test? Haven't tested it yet. Very lazy right now. Maybe tomorrow.
Re: [Trisquel-users] Web Browser
Ok. I tried myself but I am getting an error during compiling of the browser. Their documentation seems incorrect. Then I tried simply running make but it asks for libdom which is not available on openSUSE's repo. So I gave up.
Re: [Trisquel-users] Web Browser
> I think I have already done that. Right now I find Chromium least worse > because of the results of the test Perhaps it is because of your time investment in your test that you weight your test far too heavily. Your complaints are reasonable, but there is also a reasonable explanation for why those compromises are made, even if we disagree with Mozilla that the compromises are worth it. Firefox and its derivatives would be better than they are now if it were easier to configure for full privacy, but this one situation is not so damning that it is automatically worse than Chromium. > + the ability to use uBO and uMatrix These addons are available in FF derivatives, and uBO is even installed by default in Abrowser, so you do not need to rely on a developer whose business model is selling your privacy. > Tor is slow I'm sure that Chromium is significantly faster than Tor Browser, but I value freedom and privacy over convenience. > (and some sites won't work with it). Some sites accidentally blacklist some exit relays and you'll have to switch to another relay, but I assume you are referring to sites that systemically blacklist all Tor relays (Yelp and support.apple.com are a few that I've noticed). If you value your privacy I suggest that you avoid such sites, as their only motivation for forcing you to identify yourself is if they intend to collect information about you. No matter how good your browser is, it also takes safe browsing habits to protect your privacy. > Let's not forget also that browsers > like IceCat and other forks which have not updated their code up to FF 57 > basis still don't have the new fixes about Meltdown for example. Meltdown has been patched in the Linux kernel, but Abrowser is based on 57 anyway, and unlike Chromium has no profit incentive to violate your privacy and no history of doing so in a very serious way. > I think we should also mention without any bias that Google's experts are > very good at security. 
Security and privacy are both important but are different. As Magic Banana has pointed out they are sometimes at odds with each other, forcing a compromise. In Google's case they are almost always at odds with each other, as their first solution for security is generally to compromise privacy. Any account you have with them or info you store with them, they protect by tracking your location and locking your account when it is accessed from a suspicious location (or through Tor). The only way to unlock your account is with a phone number, so if you don't give them your phone number you risk losing access to your data. Magic Banana pointed out that the reason phishing blacklists can't be decentralized the way you want them to be is that Google won't allow it. That's the problem with a company who doesn't value your right to privacy (and in Google's case, your privacy is their product): They have no reason to seek security solutions that protect your privacy, and by avoiding them it gives them an excuse to violate your privacy in the name of "safety." It's a trap. As you have correctly pointed out, using software you have not written or fully audited yourself relies on trust. Trust always comes with risk, and you must evaluate that risk based on how untrustworthy the developer is. Firefox is not fully trustworthy (though far more so than Google, since they have a better track record and their business model does not rely on violating your privacy), but if serious privacy disrespecting features slipped into Tor Browser, Abrowser, or Icecat it would be by accident and there is probability (though not certainty) that the developers can catch and fix it. This reduces the probability of a serious privacy violation in those browsers. Chromium, on the other hand has already been proven to have a serious privacy violation, and it was only removed after they got caught, so there is no reason to believe that they will remove any additional ones until they get caught again. 
Why would they? If Google created a privacy-respecting alternative to Chrome, they would lose money, so they would be fools not to insert as many antiprivacy antifeatures as they think they can get away with. Of course, Chromium is not an "alternative" to Chrome. It is the part of Chrome's development process that exploits the labor of free software developers. This is another reason not to remove privacy issues from Chromium: it would create the extra work of putting them back into Chrome. Finally, you are the one who says that we should not settle for short-term solutions, and relying on the least privacy-respecting company in the world to protect your privacy is not a long-term solution. > I have bookmarked (in order to look at later) https://nextcloud.com/ Cool, I'll take a look. > I also learned to download files with public access from Google Drive > without having to log in to Google
Re: [Trisquel-users] Web Browser
Yikes. I avoid saving passwords in my browser as well.
Re: [Trisquel-users] Web Browser
That doesn't matter. A script can log your key presses.
Re: [Trisquel-users] Web Browser
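> Is this code snippet copyrightable? Here is the full script:

#!/bin/bash
# Convert a public Google Drive file link to a direct download link.
if [ -z "$1" ]; then
    echo "No link supplied as argument"
    exit 1
fi
# [i] http://funbutlearn.com/2013/02/direct-download-link-to-your-google.html
# The substitution only rewrites and prints the link. sed's 'e' flag is left out
# because it would run the rewritten line, file ID included, as a shell command.
printf '%s\n' "$1" | sed -r -e 's/(https:\/\/drive\.google\.com\/)file\/d\/([^/]+)\/view/\1uc?id=\2\&e=download/g'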
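Added example, not part of the original post or of the article it links to: the same link conversion done with shell parameter expansion instead of sed, so that no text taken from the link is ever run as a command, which is what GNU sed's `e` flag does with the line it has just rewritten. The function name `gdrive_direct_link` and the set of characters allowed in a file ID are assumptions.

```shell
#!/bin/sh
# Added example: convert a public Google Drive "view" link to a direct
# download link using only shell parameter expansion. No part of the link
# is ever interpreted as a command.

gdrive_direct_link() {
    url=$1
    prefix='https://drive.google.com/file/d/'

    # Accept only links that begin with the exact prefix.
    case $url in
        "$prefix"*) ;;
        *) echo "not a Google Drive file link" >&2; return 1 ;;
    esac

    rest=${url#"$prefix"}   # "<id>/view..." once the prefix is removed
    id=${rest%%/*}          # everything before the first slash
    tail=${rest#"$id"}      # whatever follows the ID

    # The ID must be followed by /view; a query string after it is dropped.
    case $tail in
        /view*) ;;
        *) echo "no /view after the file ID" >&2; return 1 ;;
    esac

    # Assumption: file IDs contain only letters, digits, '_' and '-'.
    # Anything else (quotes, '$', backticks, spaces, ';') is refused.
    case $id in
        ''|*[!A-Za-z0-9_-]*) echo "unexpected characters in file ID" >&2; return 1 ;;
    esac

    printf '%s\n' "${prefix%file/d/}uc?id=${id}&e=download"
}

# Stand-alone use: ./script.sh 'https://drive.google.com/file/d/<id>/view'
[ "$#" -eq 0 ] || gdrive_direct_link "$1"
```

A link is refused, with a message on stderr and a non-zero status, if it is not a Drive file link or if its ID contains anything outside the assumed character set.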
Re: [Trisquel-users] Web Browser
Of course. Enabling JS is still unsafe, but the particular issue you link to relies on having the passwords stored in the browser. Even without JS enabled, another application could exploit Spectre to access your browser, so it is still wise to avoid storing passwords in your browser. I agree though the JS is the most likely way someone would exploit Spectre.
Re: [Trisquel-users] Web Browser
> Perhaps it is because of your time investment in your test that you weight your test far too heavily. No. It is because it shows something actual, not ideological or theoretical like "would be better... if". As soon as Firefox (or a derivative) shows a better behavior and overall security I would be happy to leave Chromium for a fully free program. FWIW in EU GDPR which starts to apply in May 2018 the IP address is now considered personal data, legally and must be anonymized. So software vendors who provide such "features" or who close tickets because they are not in the mood will perhaps be forced to comply with all that. Or who knows what other tricks they may have to escape from that. > Meltdown has been patched in the Linux kernel, but Abrowser is based on 57 anyway, As I said before - I have never tried Abrowser and haven't found a way to. As for Meltdown - maybe, but Spectre is considered more malicious and top security experts only shrug at it and comment that these are issues which have never been seen so far and they cannot be certain that a patch on software level will be effective. > and unlike Chromium has no profit incentive to violate your privacy and no history of doing so in a very serious way. I am unaware of that history for Chromium especially. As long as there is no proof that the _current_ versions of Chromium do anything malicious refusing to look at actuality because of something in the past makes no sense. It would be like rejecting to trust SSL because in the past there was Heartbleed or anything along these lines. The actuality is: Firefox leaks data and Mozilla rejects to look at it. Chromium does not leak data and Chromium devs agree there should be a setting to tighten it even more. Both FF and Chromium are similarly non-free, so let's not get back to all this. > I value freedom and privacy over convenience. 
https://trisquel.info/en/forum/some-questions-about-various-distros#comment-126496 > Security and privacy are both important but are different. You won't find many people who would agree they feel secure when they can't have privacy. > They have no reason to seek security solutions that protect your privacy, and by avoiding them it gives them an excuse to violate your privacy in the name of "safety." It's a trap. I think you are too quick. They have all the reasons to create trust because trust is what allows them to break privacy deeper. And it would be absolutely silly on their side to do it blatantly in an open source project like Chromium. These things work more subtly. They are not stupid, that's why they rule the world. > since they have a better track record and their business model does not rely on violating your privacy I think you should really face the present and leave the past in the past. https://www.youtube.com/watch?v=qMALm1VthGY > probability... doesn't work for privacy and security. Privacy and security are about certainty. It is not about having only 1 spy camera in your bedroom compared to 3. It is 0 or anything else. > (see screenshot) Speaking of privacy and security: Please remove it. I prefer my email address not to be publicly visible. :) And yes - this discussion is pretty much finished.
Re: [Trisquel-users] Web Browser
> another application could exploit Spectre to access your browser I store them in Gnome Keyring. Which of course is still unsafe to Spectre. Nothing can save us from Spectre except a new CPU. Recently I started doing something which is probably silly: if I have to enable JS for short in a particular website, I close all other programs and all other browser tabs. The idea is to have less info in the memory which could be broken into. However this may be a really silly overkill because certain data remains cached in memory even after the program is closed + that doesn't mean other processes are not running. So maybe I am just paranoid. It was so nice in single-tasking 16-bit times :)