Re: [Trisquel-users] Web Browser

2018-01-05 Thread dhood
Chromium is not supported because it is a complex collection of different
pieces, some of which are not free, and cannot be easily parsed out because
each version is different. There are other Webkit browsers though: Falkon
(Qupzilla), Surf, Web, Midori, and Konqueror.


Re: [Trisquel-users] Web Browser

2018-01-05 Thread eloi . igor
I am currently using Palemoon. Can't complain so far... Works pretty well.  
Maybe you would like to give it a try?


Re: [Trisquel-users] Web Browser

2018-01-05 Thread sigdpsy
But Palemoon is not free software. 


Re: [Trisquel-users] Web Browser

2018-01-06 Thread Caleb Herbert
I'd like to add that Web (GNOME Web) is awesome, and people should be
writing their web apps to run inside it rather than Chromium.  GNOME Web
integrates web apps with the desktop at the click of a button.




Re: [Trisquel-users] Web Browser

2018-01-06 Thread bob
Having had a quick look, it seems to be under Mozilla Public License.  
https://www.palemoon.org/licensing.shtml


According to GNU, that's free software:  
https://www.gnu.org/licenses/license-list.en.html#MPL-2.0


Re: [Trisquel-users] Web Browser

2018-01-06 Thread eloi . igor

What a shame.


Re: [Trisquel-users] Web Browser

2018-01-06 Thread jason
It has the same problem as Firefox, where freedom #2 (the ability to make  
exact copies) has been limited to non-commercial purposes.  
https://www.palemoon.org/redist.shtml


https://libreplanet.org/wiki/Libre_Browsers_Libre_Formats#Browsers_that_might_seem_free.2C_but_are_not

https://jxself.org/mozilla_trademark.shtml

Because that loophole is open, it allows room for a derivative to be free but  
the original version itself would still only have 2 (or maybe 2.5) of those 4  
freedoms, depending on how you count.


Re: [Trisquel-users] Web Browser

2018-01-09 Thread studio

Hello friend of software freedom,

In December 2017, after trying FF 57 for the first time, I saw some hideous  
things and I started to test various browsers myself, from privacy  
perspective. I have shared some of my findings as bug reports:


Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1424781
Chromium: https://bugs.chromium.org/p/chromium/issues/detail?id=795526
IceCat: I have reported this directly to GNU and FSF as it shows similar  
behavior to Firefox (with slightly fewer messages sent). RMS himself replied
and forwarded the message to one of the developers who then replied:


"I'll be working on a more strict cleanup of those "features" for the
next IceCat release cycle."


FWIW I am using openSUSE Leap 42.3 (and interested in trying Trisquel).

Considering the results: It seems to me that the so called FOSS browsers  
don't really respect user privacy and as also mentioned in the bug report to  
Mozilla, I consider this a violation of Freedom 0 as privacy is essential to
freedom. Unfortunately Mozilla seems not to care at all. Chromium developers  
replied much more sanely and as a whole Chromium so far seems the most  
privacy respecting browser (as per my tests, feel free to share your  
results).


Also looking at most recent issues of Spectre and Meltdown - personally I  
have blocked all JS in chromium. Firefox doesn't even have such setting.  
Waterfox (supposedly a version of FF with enhanced privacy) shows exactly the  
same result as Firefox in tcpdump. I am still willing to test other browsers  
when I have time.


Currently I am also looking for RSS reader which won't load any JS. Akregator  
seems to load web pages with embedded and playable YouTube videos (which  
means it also loads scripts, 3rd party stuff etc). If anyone knows about good  
privacy respecting RSS reader, please share.


Re: [Trisquel-users] Web Browser

2018-01-09 Thread svenerik_vn
In Trisquel 8, Abrowser is the default browser and works nicely (apart from some
branding issues).

Also, as others have mentioned, the "Web" package is nice.


Re: [Trisquel-users] Web Browser

2018-01-09 Thread Mason Hock
> and as a whole Chromium so far seems the most
> privacy respecting browser

As I understand it Chromium has freedom issues, which doesn't surprise me since 
the project seems committed not to freedom but to ensuring that its proprietary 
counterpart Chrome benefits from all free software included in Chromium, only 
including pushover-licensed free software and avoiding the work of free 
software developers who have used the GPL to protect their labor from 
exploitation.

Firefox has known issues, but as free software can be modified to remove any 
antifeatures. Have you tried the same privacy tests on any other Firefox forks? 
Tor Browser should be the most privacy-respecting. Abrowser should also be 
better than vanilla Firefox.

> Also looking at most recent issues of Spectre and Meltdown -
> personally I have blocked all JS in chromium.

You are wise to avoid JS.
 
> Currently I am also looking for RSS reader which won't load any
> JS.

Liferea's internal browser has JS enabled by default, but it can be disabled
under Tools->Preferences->Browser.


Re: [Trisquel-users] Web Browser

2018-01-09 Thread studio

> As I understand it Chromium has freedom issues

Could you please explain what freedom issues (apart from the one mentioned by  
me) there are? I have always thought Chromium is FLOSS.


> Firefox has known issues, but as free software can be modified to remove
> any antifeatures.


But I am not a programmer. And it seems no programmer has taken care to  
remove them, yet the vendors claim it is free software respecting privacy and  
people believe that. My test proves that it is not. And that the vendor not  
only doesn't care but would rather argue with proven and close the ticket.


> Have you tried the same privacy tests on any other Firefox forks?

Yes - IceCat, Waterfox. IceCat also does background communication on startup.  
Waterfox shows the same behavior as Firefox.


> Tor Browser should be the most privacy-respecting.

Using uMatrix's background log I noticed that Tor Browser also sends behind  
the scenes packets. I don't know if they go through the Tor network but in  
any case - they are sent, without prior (or any) consent. Some of them were  
to Mozilla's servers. I haven't tested further or in more detail.


> Liferea's internal browser has JS enabled by default, but it can be disabled
> under Tools->Preferences->Browser.


Thanks. I also just found QuiteRSS which has built in browser in which JS can  
be disabled. But to my mind the very fact that the RSS reader has support for  
JS makes me stay away from it. Perhaps I need to find a command line tool or
get rid of RSS totally...


Re: [Trisquel-users] Web Browser

2018-01-09 Thread greatgnu
> Also looking at most recent issues of Spectre and Meltdown - personally I
> have blocked all JS in chromium. Firefox doesn't even have such setting.


Well done, welcome to the club. Firefox does have the option to block all  
javascript, of course. In about:config type javascript


javascript.enabled false

Just a friendly reminder about Chromiummo...
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909




Re: [Trisquel-users] Web Browser

2018-01-09 Thread Mason Hock
> Could you please explain what freedom issues (apart from the one mentioned
> by me) there are? I have always thought Chromium is FLOSS.

See Magic Banana and Supertramp's posts.

> But I am not a programmer. And it seems no programmer has taken care to
> remove them

I wasn't suggesting that you yourself do it. I was referring to Firefox 
derivatives, including Abrowser, IceCat, and Tor Browser. From reading your bug 
report, it appears that Mozilla is unwilling to make the reasonable change you 
requested. However, the three browsers I listed are more likely to address the 
issue if brought to their attention. It sounds like you've already done this 
for Icecat and gotten a promising response. I suggest doing the same for Tor 
Browser. If the data is not sent through the Tor network or contains 
identifying data then it is deanonymizing and I'm sure they would take it
seriously. 

> yet the vendors claim it is free software respecting privacy

There are two claims in there, as freedom (in the software sense) and privacy 
are two important but separate issues. I agree that Firefox does not adequately
respect privacy, but it is free software which is why it is possible to create 
Firefox derivatives that improve the software with respect to privacy. You've 
found one issue that has not yet been fixed in Icecat, Abrowser (I just 
checked), or Tor Browser (more info needed to know if deanonymizing in this
case) but there is nothing stopping them from fixing the issue now. If Firefox 
were proprietary no one would be allowed to fix any of these issues.

> Perhaps I need to find a command
> line tool or get rid of RSS totally...

I recently started using newsbeuter. It's very easy to configure. Run it once 
to generate ~/.newsbeuter/ and save a list of links to feeds as 
~/.newsbeuter/urls.

> ETA: FWIW this whole thing makes me question the FOSS software as a whole.

It is possible for free software to include antifeatures, and it's true that 
community control over the software doesn't immediately eliminate all 
antifeatures. However, at least it is possible to audit and improve the 
software. With proprietary software we are truly at the developers' mercy and
only have their word that the software contains no malicious functionality. 
It's similar to how science works. It is possible for a study to be flawed or 
for results to be forged, but if the research is public and subject to peer 
review it is possible to refute falsehoods, which also incentivizes researchers 
to be accurate and truthful in the first place. If scientists were allowed to 
keep their methodology a secret so that no one could attempt to replicate their
results we would simply have to trust what they say is the truth. Public 
information, whether it is code or any other kind of information, is not 
necessarily perfect, but it is far more reliable than privatized information.


Re: [Trisquel-users] Web Browser

2018-01-10 Thread studio

> newsbeuter

Yes, I have started using it yesterday too. Looks nice. Thanks for sharing  
your experience.


> agree that Firefox does not adequately respect privacy, but it is free
> software


I see a big danger in this. It implies that free software can be malicious to  
the user and still be called free software. So the very term loses its
meaning because normally free is associated with ethical, so that is the
expectation. Would you agree? Of course I am not implying that it should be  
100% bug free but I object to the fact that it is intentionally made  
non-private. That's why I mention freedom 0 in the comments.


The other question is - how come an average nobody, not even a network  
expert, could make such a simple test (which seems essential and fairly easy  
to my mind) and professional top programmers or sysadmins never did that, yet  
they stick to software which they accept as given to be safe? That is what  
really worries me. I don't mean to be disrespectful to anyone but looking at  
facts, logically and sanely, without any bias - we have great talks about  
software freedom, ethics, non-maliciousness, non-spying, endorsements listed  
as 100% free/libre/RYF etc. - words creating the impression of absolute  
cleanness in which the user can be completely safe, like a baby in the hands  
of a good loving mother. But at the same time - it is not quite the case. Why  
are these endorsements created if nobody really seems to have checked  
elementary things? How can a free/libre thing be "respecting your freedom" if  
it contains a product which connects to Amazon, Akamai etc. on first run,  
without even asking you or without even telling you that it will do that? I  
have read some threads with lots of criticism about Purism, about how they  
carefully structure the language to create the impression of cleanness,  
security and safety. But how is this different? It is either clean or not  
clean. We cannot mix clean water and dirty water and advertise that it is  
clean water. Otherwise the words free and ethical are already polluted and we  
need new words, which in turn will get polluted too etc. I wonder if I am  
making myself clear :)


So I am not questioning the technical expertise of anyone but the depth of  
attention given to things and how it is shared. Through the words used and  
through the mockery at proprietary stuff the sharing creates the impression  
of absolutism, as in inspected thoroughly down to the semiconductor by super  
experts. At the same time we see such superficial issues and the company  
"respecting user privacy" would rather send me to talk to another one who  
doesn't care. It is not that I don't understand what they are doing - I  
simply won't play their game. I have uninstalled Firefox, to me it is that  
simple. When one sees a venomous snake one doesn't argue with it - one stays  
away from it, doesn't one?


Re: [Trisquel-users] Web Browser

2018-01-10 Thread Mason Hock
> I see a big danger in this. It implies that free software can be
> malicious to the user and still be called free software.

You make a similar point to the one RMS makes in the Ubuntu article Magic 
Banana linked to, which I encourage you to read if you haven't already. It is 
for this reason that he suggests people shun Ubuntu, while acknowledging that 
they had not infringed on user freedom to modify the software, which is why 
Trisquel was able to remove the spyware features. I was not defending Mozilla's 
privacy violations by calling it free software. I was clarifying the terms we 
are using so that our criticisms are accurate.

> normally free is
> associated with ethical, so that is the expectation.

Freedom (in the general sense) is an aspect of ethics that in my view does 
include privacy. However, because RMS coined the term 'free software', it is 
generally associated with his definition, which is very specific.

> That's why I mention freedom 0 in the comments.

Again, RMS's definitions are very specific, and I think you misunderstand his 
definition of freedom 0. If I give you a shovel that is too long for you to use 
comfortably, perhaps you can not use the shovel as you wish in its current 
form. It may seem that this infringes on freedom 0, and you may get frustrated 
if I were to refuse to make the shovel shorter. However, I am simply refusing 
to perform labor I do not wish to perform. I would be infringing on freedom 0 
if I told you that you may only use the shovel with certain kinds of soil 
during certain hours of the day and that anything valuable you find while 
digging you must give to me. I would also be infringing on freedom 1 if I told 
you that you may not shorten the shovel, freedom 2 if I told you that you may 
not lend the shovel to your friend or create a new shovel for her, and freedom 
3 if I told you that the new shovel you create for her may not be better than 
the one I gave you.

I'm not trying to get too semantic on you. I just want to clarify the 
definition of freedom 0 because I think you had a very good point in the 
Mozilla thread and it was unfortunate that they jumped on your misuse of the 
term as a way to derail what you were saying.

> The other question is - how come an average nobody, not even a
> network expert, could make such a simple test (which seems
> essential and fairly easy to my mind) and professional top
> programmers or sysadmins never did that

Whether they never 

> words creating the impression of absolute
> cleanness in which the user can be completely safe, like a baby
> in the hands of a good loving mother.

It is a mistake to think that way. Free software is less likely to be malicious
than proprietary software because a community of many people who may review the
source code is less likely to conspire than a single party, and because 
malicious functionality may be removed by community members with the knowledge 
and time to do so. However, that does not mean you should blindly trust free 
software. Healthy skepticism is part of the process by which a community can 
find faults with and improve software. If Mozilla won't make the improvement 
you suggest and you lack the knowledge to do it yourself, you can approach a 
more privacy-minded Firefox derivative like Icecat (as you have done and got a 
positive response), Abrowser, or Tor Browser.

> How can a
> free/libre thing be "respecting your freedom" if it contains a
> product which connects to Amazon, Akamai etc. on first run,
> without even asking you or without even telling you that it will
> do that?

This is a huge privacy concern, and I consider privacy to be a freedom in the 
general sense of the word. Again though, in the context of software 'freedom' 
is associated with RMS's four freedoms, and that is what we mean when we call 
something 'free software'. That does not mean that we shouldn't criticize Mozilla
if they do something that tarnishes the reputation of free software.

> I have read some threads with lots of criticism about
> Purism, about how they carefully structure the language to create
> the impression of cleanness, security and safety.

Even with Purism, it is important to be accurate in our criticisms. When Purism 
claims that they use a completely libre BIOS they are being dishonest, but 
there is nothing wrong with them claiming that their Debian-derived distro 
PureOS is libre because it is, and they can be commended for creating a libre 
distro without defending their claims about their BIOS. Similarly, Mozilla is 
telling the truth when they describe Firefox as 'free software' (meaning 
software that respects the four freedoms) but it appears that they do not 
respect privacy as well as they claim.

> different? It is either clean or not clean. We cannot mix clean
> water and dirty water and advertise that it is clean water.
> Otherwise the words free and ethical are already polluted and we
> need new words, which in turn will get polluted too etc. I

Re: [Trisquel-users] Web Browser

2018-01-10 Thread studio
> You make a similar point to the one RMS makes in the Ubuntu article Magic
> Banana linked to, which I encourage you to read if you haven't already.


I am familiar with the story about Ubuntu's search forwarding info to Amazon.

> However, because RMS coined the term 'free software', it is generally
> associated with his definition, which is very specific.


I understand that (even without the excellent shovel example) and I am  
questioning the effect of it because accompanied by talks about ethics and  
non-harmfulness 1) that creates the false implication of something friendly,  
safe etc. 2) people easily 'buy' free/safe/secure things. In other words - it  
can be exploited quite easily.


> It is a mistake to think that way.

Of course. That's why it is essential that not only Ubuntu but browsers  
should also be exposed. I find it disturbing that IceCat was released by  
people who are so strict and critical to ethics.


> Again though, in the context of software 'freedom' is associated with RMS's
> four freedoms, and that is what we mean when we call something 'free
> software'.


Which is an excellent example of exploitation of the term (considering the  
results of the test).


> When Purism claims that they use a completely libre BIOS they are being
> dishonest


I would be interested to read that claim as I haven't found any explicit  
evidence of it. They don't claim anywhere they use Libreboot but it seems to  
be a forthcoming step in future: https://puri.sm/learn/freedom-roadmap/


> I'll bet that if you bring this issue to the attention of the Abrowser and
> Tor Browser developers they will be willing to clean up after Mozilla as they
> already do.


I don't know how to test Tor Browser with tcpdump due to the specific way it  
connects to the network. As for Abrowser - I can't find it on openSUSE's  
repos, neither I find it by DDGing for it. Where can I download it?


> However, switching to Chromium because one of their developers told you
> what you wanted to hear (the Mozilla developer who referred you to someone
> who had some control over the policy was actually being more helpful) is not
> a good solution. When it comes to privacy, no company has a worse track
> record than Google.


The answer given by the Chromium dev surely is not to my taste. Yet it is  
more acceptable considering that even currently Chromium's test shows it to  
be a privacy respecting browser. Or can you show a test which demonstrates
that Chromium leaks data to Google? Or any other freedom related issue?  
Please do share, I am interested.


As for Firefox again: of course is free in the "legal sense" (just like  
Ubuntu) but if one prides oneself to be an integral part of an organization  
which respects user privacy it is absolutely unacceptable to:


1) create a telemetry feature (for whatever purpose)
2) make it enabled by default (do you know that kids who can't read play  
YouTube videos in browsers?)

3) make it not possible to disable without some expert fine tuning
4) close the ticket with "FIXED WORKSFORME" when demonstrated that there is a  
real issue

5) give "talk to someone else" style of answer

Due to all this I am reluctant to use any product by Mozilla. Still we use it  
on our phones because otherwise we would have to use Google Chrome (as I  
don't know of Chromium for Android).


> Honestly, if you really care about privacy Tor Browser is your only option.

I question that too. If one is not extra careful, even through Tor one can  
expose a traceable pattern. For lots of things Tor is an overkill (imo).


> You can't have privacy without anonymity.

I think they are different things. When you go to your home you have privacy.  
You can have a private conversation with someone in a public location. That  
doesn't mean you need to hide your face or remove the name from your front  
door in order to do that, right?


Re: [Trisquel-users] Web Browser

2018-01-10 Thread calmstorm

Chromium has no good free software derivatives, firefox does.

Chromium collects information just like google chrome sending it back to  
google. Firefox does do the same by default... but you can turn it off at  
least.


Also, firefox has free software forks such as,  Abrowser, Icecat, Iceweasel  
(Hyperbola and Parabola's versions of iceweasel though.) and tor browser.  
That's really about it.


Purism is only honest if you don't read much about them except in favor of  
what they say to you.


and last but not least, I get the feeling I am wasting time sending this post  
because you may be trolling us...


If so, I applaud you for that +1. If not, you're insane or possibly just
delusional... xD in that case -1


Re: [Trisquel-users] Web Browser

2018-01-10 Thread Mason Hock
> I understand that (even without the excellent shovel example) and
> I am questioning the effect of it because accompanied by talks
> about ethics and non-harmfulness 1) that creates the false
> implication of something friendly, safe etc. 2) people easily
> 'buy' free/safe/secure things. In other words - it can be
> exploited quite easily.
 
Yes, I agree with your point, and it's similar to RMS's point which is why I
suggested the article, not because I thought you were unaware of the Ubuntu issue
itself. My only point is that "This Firefox antifeature is an invasion of 
privacy" will be a more effective argument than "The fact that this feature 
can't be disabled without editing the source code violates freedom 0."


> Of course. That's why it is essential that not only Ubuntu but
> browsers should also be exposed. I find it disturbing that IceCat
> was released by people who are so strict and critical to ethics.

It sounds like RMS took your report seriously and I believe they will fix it. 
 
> I would be interested to read that claim as I haven't found any
> explicit evidence of it. They don't claim anywhere they use
> Libreboot but it seems to be a forthcoming step in future:
> https://puri.sm/learn/freedom-roadmap/
 
I don't want to get too sidetracked talking about Purism here, but they don't 
claim to use libreboot. On the page for their latest Librem laptop they imply 
that the laptop is entirely libre but do not disclose what BIOS they use. I
found another page on their website acknowledging that they use coreboot but 
erroneously claiming that coreboot is completely libre, when it contains 
proprietary blobs. There is also a near-zero chance that Purism will ever use 
libreboot, because post-2010 Intel chips will probably never be supported. If 
Purism claimed that they plan to use libreboot I would be skeptical, but I'm 
not aware of them having made that claim.

> I don't know how to test Tor Browser with tcpdump due to the
> specific way it connects to the network.

I don't know either, but I would contact them with your Icecat results (since 
both Icecat and Tor Browser are based on ESR) and ask them if they are aware of 
the issue and whether it affects Tor Browser.

> As for Abrowser - I
> can't find it on openSUSE's repos, neither I find it by DDGing
> for it. Where can I download it?

Abrowser is from the same developer as Trisquel. It is the default browser in 
Trisquel and the Trisquel-derived Uruk. I'm having trouble finding it via DDG 
too because there is apparently an IE-based browser by the same name. I don't 
have time to look further right now but will get back to you.
 
> Or
> can you show a test which demonstrates that Chromium leaks data to
> Google? Or any other freedom related issue?

Most of what I know about Chromium comes from what Magic Banana and others have 
shared on this forum, including in this thread and others, regarding why 
Chromium is excluded from Trisquel. Magic Banana's link in this thread is on 
its own reason enough. The bug Supertramp links to is apparently closed but 
alarming. I understand that Chromium is currently being investigated by jxself, 
so perhaps a libre build will be possible in the future, but until then I'm not
going to trust the Chromium developers to declare that their software is libre 
given (1) the material Magic Banana links to and (2) the fact that they have no 
real incentive to care about freedom and only even attempt to meet the weaker 
"open source" definition for strategic reasons.

> As for Firefox again: of course is free in the "legal sense"
> (just like Ubuntu) but if one prides oneself to be an integral
> part of an organization which respects user privacy it is
> absolutely unacceptable to:

Ubuntu is not quite as free in the sense that Firefox is, since it contains and 
recommends proprietary software (see 
https://www.gnu.org/distros/common-distros.html), where Firefox recommends but 
does not contain proprietary software, but I agree with your overall point.

> Due to all this I am reluctant to use any product by Mozilla.
> Still we use it on our phones because otherwise we would have to
> use Google Chrome (as I don't know of Chromium for Android).

I'm about to get a little off-topic, but if you are using Android you might 
consider switching to Replicant (if you are okay with acquiring and using an
older device) or LineageOS (not 100% libre like Replicant but much better than 
Android and supports more devices than Replicant). I have a Replicant phone 
that I only carry when I absolutely have to and never use for browsing the web, 
so I haven't really looked into what its default browser is based on. It isn't 
Firefox, and it is definitely not Chrome, but it may be Chromium-based. If you 
live in North America you might want to look into JMP (https://jmp.chat) as an 
alternative to carrying a cell phone at all.

> If one is not extra careful, even through
> Tor one can expose a traceable pattern.

No, Tor is not fool

Re: [Trisquel-users] Web Browser

2018-01-10 Thread Mason Hock
I agree with most of what you just said, except that I don't think heyjoe is 
necessarily trolling. In fact, I think that he has provided some interesting 
information, and while I question as you do his decision to use
Chromium I would not risk driving him off when he may be sincere, nor would I 
dismiss him as delusional. He is right about much, and even on the points I 
disagree with he's been reasonable. 


Re: [Trisquel-users] Web Browser

2018-01-11 Thread sora
There is another browser called Brave. It is a chromium/blink derivative, it  
has adblockers and says that it enhances user privacy but when I go to their  
extensions page (only limited extensions web) it contains proprietary
extensions like 1-pass...


Re: [Trisquel-users] Web Browser

2018-01-11 Thread studio

> Chromium has no good free software derivatives, firefox does.

I don't know why that makes Firefox better software (privacy or freedom  
wise). It may actually have the implication that Firefox *needs*  
modifications in order to be good for the user. In any case without having  
expected each line of code of both browsers these are just general  
considerations.


> Chromium collects information just like google chrome sending it back to
> google. Firefox does do the same by default... but you can turn it off at
> least.


You see, I have read thousands of such statements. For that reason I decided  
to test for myself and my tests show exactly the opposite. Here is what each  
browser sends in the background on startup with maximum privacy settings (as  
explained in the bug reports):


Firefox (also the same with WaterFox):

https://bug1424781.bmoattachments.org/attachment.cgi?id=8937242

IceCat:

https://tracker.pureos.net/file/data/ezq7sfsa3em4iipqan2a/PHID-FILE-ms72jsoc2en6alzjr54z/icecat-privacy.txt

Additionally (found today):
https://lists.gnu.org/archive/html/bug-gnuzilla/2017-11/msg00012.html

Chromium:

https://bugs.chromium.org/p/chromium/issues/attachmentText?aid=316942

Do you see Chromium sending any packets to Google? Or to any other company at  
all? - No. But both Firefox and IceCat do.


If you can show actual STR for a test scenario which proves that Chromium  
sends data to Google without user consent, I am very interested to look at it.
But as Chromium sends only DNS lookup requests to random names to test if the
proxy/gateway requires authentication (as explained in the Chromium bug  
report) it is not really a privacy issue because:


1) if you connect to a public WiFi you have already trusted it, i.e. it is  
not a question of browser


2) if you use your local DNS you are in control

3) you can create a default browser policy which would enforce those  
settings, so even on first run there will be no communication to any company.


With Firefox (or IceCat, or WaterFox) you don't have that level of control  
and Mozilla refuses to give it to you. Please test, see for yourself and  
share if you find anything different.


> Purism is only honest if you don't read much about them except in favor of
> what they say to you.


I don't want to go too off-topic as the thread is about browsers. I mentioned  
Purism because I noticed the harsh critique in another thread. Personally I  
don't have the expertise to evaluate the validity of what they say or of what  
others say about them. The fact is that I shared my findings in their bug  
tracker and they have structured it properly for further cleaning up of their
PureBrowser - which unfortunately I am unable to test as I can't find a way  
to install it on my openSUSE (maybe I will do it in a VM when I have time).


In any case the point for which I mentioned Purism is because we must be very  
careful when we use or accept words about anything - browsers, OS, hardware,  
companies etc. I agree that the overall linguistic outline on their website  
is quite cleverly tailored and indeed creates the impression of a perfectly  
pure system which is obviously not the case: disabling Intel ME does not  
remove the secondary CPU built in the main one and so far it seems nobody has  
reverse engineered completely the modules which me_cleaner must leave  
untouched. But doesn't the same apply to the laptops listed as RYF by FSF?  
Has Intel ME been completely removed or only disabled just the same way?  
Along these lines:


"The distro must contain no DRM, no back doors, and no spyware."

https://www.gnu.org/distros/free-system-distribution-guidelines.html#no-malware

If this is actual criterion used in evaluation of FSF endorsed distros, then  
the "no spyware" has not been checked. Browsers are perhaps the most used  
programs and if any distro has Firefox (or IceCat, or WaterFox), considering  
tcpdump's output the logical question is: How deeply has the distro been  
tested actually? Are there any public records which show the exact procedure  
and the result of it for every distro, so everyone can reproduce it? I really  
don't know. But if the idea is openness and freely accessible info - it makes  
sense to have such records. And if there is an entity which can decide which  
is free and ethical, then such auditing must be done on a regular basis, not  
just listed once and forever. Otherwise the endorsement really has no meaning  
and can be easily exploited for marketing purposes.


So considering all that, without any condemnation or justification, it is  
very difficult to say who is honest and at what depth. Without actual testing  
it is all just words. Unfortunately technology is so complicated that it is  
really impossible for one to learn and test everything. So we become slaves  
to experts and as we see every day - being an expert does not always include  
good morality.


> because you may be trolling us...

It has ne

Re: [Trisquel-users] Web Browser

2018-01-11 Thread studio
> My only point is that "This Firefox antifeature is an invasion of privacy"  
will be a more effective argument than "The fact that this feature can't be  
disabled without editing the source code violates freedom 0."


You are right about that. Perhaps I should have actually used a new  
definition, e.g. "freedom -1" as what I am questioning is deeper than F0.  
From general user perspective security and privacy are much more important  
than the ability to inspect the code. Maybe the 4 freedoms are not enough and  
we need a new form of evaluating qualities which considers the deeper issues  
of today.


> It sounds like RMS took your report seriously and I believe they will fix  
it.


Yes. But still - is there any official public announcement by FSF saying "We  
have found a privacy issue in IceCat" + description of it? I actually  
suggested in my emails that they share the issue with the public, so that  
people know about them.


> I don't have time to look further right now but will get back to you.

If you have Trisquel you could probably repeat the test for yourself and  
share the result.


> Most of what I know about Chromium comes from what Magic Banana and others  
have shared on this forum, including in this thread and others, regarding why  
Chromium is excluded from Trisquel.


Now you have actual facts from tcpdump too :)

> The bug Supertramp links to is apparently closed but alarming.

It seems invalid because current version of Chromium doesn't do what that bug  
describes.



> I understand that Chromium is currently being investigated by jxself, so  
perhaps a libre build will be possible in the future, but until then I'm not  
going to trust the Chromium developers to declare that their software is  
libre given (1) the material Magic Banana links to and (2) the fact that they  
have no real incentive to care about freedom and only even attempt to meet  
the weaker "open source" definition for strategic reasons.


This is a valid concern but the question is: why would you trust a "free  
software" which sends packets to Amazon etc. or would you use one which is  
weaker (OSS) but shows better privacy?


> I'm about to get a little off-topic, but if you are using Android you might  
consider switching to Replicant (if you are okay with acquiring and using an  
older device) or LineageOS (not 100% libre like Replicant but much better  
than Android and supports more devices than Replicant).


I know about Replicant and LineageOS (and Omnirom). I have a Samsung Galaxy  
S3 mini which unfortunately is not supported by any of those. I very rarely  
connect to the internet from my phone and (almost) never turn on the GPS. Of  
course that doesn't mean anything because it doesn't stop the firmware to do  
what it wants but still... this is the only thing I can do for the moment. We  
also have 2 devices here (used by other people) which are in the supported  
Replicant list and I am planning to try Replicant on them but considering  
that Replicant is not 100% deblobbed - I am questioning if it makes any sense  
at all. Maybe we can rather wait for the Librem 5 phone? :P


> Tor...

One problem which I see is that one cannot use login-based sites at all and  
preserve anonymity because 1) you need an email address (or phone no.) to  
create a login 2) I cannot find any email service provider where one can  
register for free without javascript. And all this greatly limits Tor usage.  
BTW do you think that installing uBO, uMatrix or HTTPS Everywhere as  
extensions in Tor reduces anonymity or improves it?


> Suppose you want to receive information from this person without giving  
them any information about yourself.


You see - THAT is the big paradox, the fight is not for freedom but for  
control. We hate to give information yet we want to receive freely available  
one. We really try to be clever merchants of information because of all our  
cultural conditioning. How is that different from what PRISM does?


> The act of communication inherently requires giving some information, and  
in some situations the only way to complete the exchange without the other  
party learning something about you is if they don't know who the information  
is coming from.


The other day I've been thinking about a new way of communication. A new  
network if you will. AFAIK UDP does not require response from the other peer.  
So in that sense: what if we have a network of anonymous UDP peers sending  
encrypted info. It will be available to all other nodes but only those which  
know how to read it (the recipient) will be able to. Of course this is just a  
very rough concept but maybe worth considering... Share your thoughts please.


> Here's a good link (https://www.eff.org/pages/tor-and-https).

Thanks. I find it amusing that the page asks to enable Javascript :)


Re: [Trisquel-users] Web Browser

2018-01-11 Thread calmstorm
Okay, I just thought he was messing around. You have a point though, we  
should never assume till there is ample evidence.


Re: [Trisquel-users] Web Browser

2018-01-11 Thread calmstorm
Yeah, I just didn't think chromium was good for security at all so I thought  
you were trolling. My bad...


As for purism, their operating system pureos is fine unless you're against  
systemd... but more pressing is the hardware RYF issue.


As in their hardware isn't going to get the respects your freedom  
certification. Or at least, not easily...


PS, have you tried maximum privacy settings on iceweasel from hyperbola or  
parabola even if in a vm?


just wondered...

Hyperbola and Parabola both are free software entirely. Though Hyperbola is  
still trying to get certification.


Re: [Trisquel-users] Web Browser

2018-01-11 Thread studio

> My bad...

No worries.

> As for purism, their operating system pureos is fine unless you're against  
systemd...


Should I be? I read some comments against it in the other thread... Then in  
Wikipedia... but still I don't know if one should be worried enough to avoid  
it. Again - I don't have the expertise to inspect it.


> PS, have you tried maximum privacy settings on iceweasel from hyperbola or  
parabola even if in a vm?


Not yet. But you can do it if you are interested. Just follow the STR listed  
in the bug reports.


> Hyperbola and Parabola both are free software entirely. Though Hyperbola is  
still trying to get certification.


Thanks. Do you think we should probably open a separate thread where we can  
discuss? I have some more questions which are not browser related.


Re: [Trisquel-users] Web Browser

2018-01-11 Thread Mason Hock
I don't have time to respond to everything here right now, so I'm going to 
respond to the simple stuff now and get back to you on the complicated stuff 
later.

> Maybe the 4 freedoms are not enough and we need a new form
> of evaluating qualities which considers the deeper issues of
> today.

What's wrong with just calling it "privacy"? Privacy is important enough on its 
own that I don't think we need to reframe the discussion in ways that might 
cause confusion.

> If you have Trisquel you could probably repeat the test for
> yourself and share the result.

From your bug reports it sounds like you had two findings. The first was the 
logs in ~/.mozilla, which I can confirm exist in Abrowser. I briefly attempted 
your second test, but the command immediately exited and /tmp/tcpdump.log was 
not created, so I must have done something wrong. I will figure it out when I 
have more time.
 
> Now you have actual facts from tcpdump too :)

According to your bug reports neither Firefox nor Chromium passed this test, so 
I don't see how it is an argument for either. 

If I understand correctly, your test creates a lower-bound, not an upper-bound, 
on what data is sent. It doesn't seem to prove that no additional data is sent 
by Firefox or Chromium during browsing, just that this data at minimum is sent 
on startup.

> It seems invalid because current version of Chromium doesn't do
> what that bug describes.
...
> This is a valid concern but the question is: why would you trust
> a "free software" which sends packets to Amazon etc. or would you
> use one which is weaker (OSS) but shows better privacy?

I said that it had been closed, but it's alarming that it ever happened. If 
Chromium were downstream from Chrome it could have been something implemented 
in Chrome that Chromium developers simply did not notice. However, Chrome is 
downstream, so this was apparently intentional. That makes me unwilling to 
trust Chromium developers that there are no similar issues in Chromium 
not yet discovered by the Debian community. However, right now I am more 
concerned with the issues linked to by Magic Banana, since they are active and 
haven't been adequately addressed after several years.


> but considering that Replicant is not 100% deblobbed

Replicant, the operating system, is 100% libre. You are likely referring to the 
modem or bootloader that the device itself uses regardless of what operating 
system it runs.

> Maybe we can rather
> wait for the Librem 5 phone? :P

Maybe the emoticon there was meant to indicate that this is a joke, but since 
I'm not familiar with Purism's phones I took a quick look at the page on their 
site (https://puri.sm/shop/librem-5) and just sighed. I don't have time to pick 
the whole thing apart, so I'll just focus on the big lie "Does Not Track You". 
If pressed in the matter, I'm sure they'd say that only the main operating 
system PureOS (like Replicant) does not track you, but they're clearly trying 
to imply that the phone itself won't track you, which it will whenever the 
modem is turned on. A kill switch for the modem is a good idea (the Neo 900 
will have kill switches too) but most people will choose to leave it on so that 
they can receive calls. I hope anyone who buys this phone is informed that they 
must turn the modem off to avoid being tracked.

I suggest looking into JMP if you live in North America (unfortunately it is 
not available elsewhere yet). It allows you to send and receive calls/texts 
from a device that has no modem, so that you can actually avoid being tracked. 
For now you have to rely on being in range of WiFi, although the main developer 
Denver Gingerich is now working on a radio mesh that if adopted by enough 
people in your area would allow you to use JMP without being in range of WiFi. 
That's at least a few years out though.

> One problem which I see is that one cannot use login-based sites

In this case the advantage of using Tor is that you do not reveal your 
location. This is especially important if it is a site or account you use 
frequently (like an email provider) as otherwise they can track you to the 
point of detecting behavioral patterns.

> you need an email
> address (or phone no.) to create a login

You can use a temporary email address that self destructs when you're done with 
it (see link in next point).

> 2) I cannot find any
> email service provider where one can register for free without
> javascript.

Here is a good resource that also links to some disposable email address sites 
that do not require proprietary JavaScript. 
https://www.fsf.org/resources/webmail-systems

> We hate to give information yet we want to
> receive freely available one.
...
> How is that different from what PRISM does?

Asymmetrical protections are warranted when one party has much more power than 
the other, and when one of those parties is an individual and the other is a 
corporation, human rights only apply to the individual. We can't real

Re: [Trisquel-users] Web Browser

2018-01-11 Thread studio

New browser tested with tcpdump: Konqueror

Settings used (listing only the ones different from the default values):

General

  When Konqueror starts: Show blank page
  Home page: about:blank


Performance

  Always try to have one preloaded instance: OFF


Java&JavaScript

  Enable JavaScript globally: OFF


Cookies

  Enable cookies: OFF


AdBlock filters

  Enable filters: OFF


Result
On startup tcpdump shows nothing (zero packets sent).
Something strange happens though when opening a page. For example browse to  
https://stallman.org shows lots of requests to amazonaws.com, flickr.com and  
others which continue to appear even after the page is loaded. This makes me  
think Javascript may not be actually turned off because in the page source  
there aren't any resources which need such lengthy extensive loading. tcpdump  
shows such packets to continue for some time even after the browser is shut  
down.


Also tested with https://stallman.org/robots.txt (to avoid any potential  
script interference). Result: the extra packet traveling doesn't happen, i.e.  
the document is loaded and everything stops.


Re: [Trisquel-users] Web Browser

2018-01-11 Thread Mason Hock
I would be interested to see your results with a command line browser like 
lynx or elinks.


Re: [Trisquel-users] Web Browser

2018-01-11 Thread greatgnu
>It seems invalid because current version of Chromium doesn't do what that  
bug describes.



It's a matter of trust. If you still trust them after something like that,  
your trust is easy. Mine is very difficult.
If you believe it was an unintentional bug then I would go so far as to call  
you gullible.


-

As far the tcpdump test, I just did it and twice. Nothing showed up. Zero  
(0). Firefox is pinging nothing, no background connection whatsoever.


Now, I do need to make it clear that I am one of those guys that prefer  
spending 50 hours of their time if need be in order to make it right.  
Several, and by several I mean a huge ton of modifications were applied in  
about:config. The only addon installed is noscript. The version of the  
browser is 57.0.4


You can see the connections it makes in about:networking too.


Re: [Trisquel-users] Web Browser

2018-01-11 Thread Mason Hock
> Several, and by several I mean a huge ton of
> modifications were applied in about:config.

Is there an easy way for you to share your about:config?

Something else occurs to me. I'm not knowledgable enough to know if this is 
possible, but could it be the distro? You use Debian, right? Perhaps they've 
done something differently from OpenSUSE either in their build of Firefox or 
elsewhere in the distro? When I have time to figure out tcpdump I'll see if the 
issue occurs in Trisquel.


Re: [Trisquel-users] Web Browser

2018-01-11 Thread studio
> It's a matter of trust. If you still trust them after something like that,
> your trust is easy. Mine is very difficult.
> If you believe it was an unintentional bug then I would go so far as to call
> you gullible.

A gullible person doesn't test browsers with tcpdump.

> As far as the tcpdump test, I just did it and twice. Nothing showed up. Zero
> (0). Firefox is pinging nothing, no background connection whatsoever.

Please share the STR like I did, so we can all look further.

> Now, I do need to make it clear that I am one of those guys that prefer
> spending 50 hours of their time if need be in order to make it right.

Me too. But I hope you would agree that the very fact that those 50 hours are  
needed is a proof of bad design.

> You can see the connections it makes in about:networking too.

I wouldn't trust that. I would rather inspect with a separate tool, not made  
by the same software vendor (tcpdump, wireshark).


Re: [Trisquel-users] Web Browser

2018-01-11 Thread studio
> What's wrong with just calling it "privacy"? Privacy is important enough on
> its own that I don't think we need to reframe the discussion in ways that
> might cause confusion.

Nothing wrong at all. I just wanted to accent on the fact that for people  
privacy (as a form of personal security) is more important than the ability  
to inspect/change/redistribute. That's why I think we need stronger criterion  
when evaluating the quality of software (or hardware). As discussed here,  
just being free (in the FSF sense) is obviously not enough and with the state  
of what is happening in the world we need new things. Hence my idea about a  
new network.


> I will figure it out when I have more time.

You can also try wireshark.

> It doesn't seem to prove that no additional data is sent by Firefox or
> Chromium during browsing, just that this data at minimum is sent on startup.

I don't know what lower/upper-bound means but the very fact that any browser  
which sends these packets without the user initiating explicitly that  
communication is enough for me to mark it not privacy respecting and not  
consider it for further testing. Of course you are right - we need to test  
how it works during browsing. Perhaps the best thing to do would be to keep  
it simple - e.g. opening remote txt or html without scripts or extensions and  
looking at tcpdump. Let me know if you have any better idea.


> I said that it had been closed, but it's alarming that it ever happened.

That is in no way different from Ubuntu's case or from Mozilla's telemetry.  
In such scenario, when flaws are all around, all we can do is look at facts  
as they are right now: Chromium does not send packets to any third party on  
startup. Konqueror sends no packets at all on startup but has other issues as  
it seems.


> However, right now I am more concerned with the issues linked to by Magic
> Banana, since they are active and haven't been adequately addressed after
> several years.

I am honestly having a difficulty in understanding what you mean. Aren't they  
primarily licensing issues? Why are you more concerned about licensing while  
your browser is sending packets to company X, Y, Z? Please explain as I may  
be missing something.


> Replicant, the operating system, is 100% libre. You are likely referring to
> the modem or bootloader that the device itself uses regardless of what
> operating system it runs.

Exactly.

> Purism's phone...

It is still not produced, so nobody can possibly evaluate it. But from what I  
know there will be complete hardware separation between the modem and the  
rest of the system. So you can use it as a pocket libre computer, hopefully  
without any coreboot or whatever firmware blobs, otherwise it won't be much  
different from a Samsung + Replicant. Also from what I have heard, it would  
be able to use the mobile network as a pipe, to make encrypted phone calls.  
So basically the only tracking will be possible through the location of the  
phone based on nearby mobile stations (which perhaps cannot be avoided if one  
wants to talk to anybody).


> I suggest looking into JMP if you live in North America

I don't but thanks for the info. What you describe is similar to Librem5.

> In this case the advantage of using Tor is that you do not reveal your
> location. This is especially important if it is a site or account you use
> frequently (like an email provider) as otherwise they can track you to the
> point of detecting behavioral patterns.

Sure. You can probably even use Facebook anonymously but FB (and many other  
sites) won't allow you to sign up/in with a disposable email address (they  
seem to recognize the domains). I know the FSF page which you linked but it  
seems dated. From all the recommended ones only safe-mail.net seems to work  
without JS but it requires a current email address and I can't find any site  
which gives disposable email without JS, so there is still no possibility for  
complete untraceable anonymity. As for Kolabnow - I have been in touch with  
these guys and asked them if they have cleaned their systems from Intel ME,  
proprietary BIOS, what is their approach to quantum resistant security etc.  
The answer was "We are still learning to ride the bike" and some advertising  
that they use only FOSS. I explained further that security at ring 0-3 means  
nothing when a system is flawed at ring -3 and they told me they would forward  
my concerns to some operations department. ProtonMail's answer was even  
worse. So far I haven't found a single online service provider who can  
guarantee a clean and completely tested system and without that there can be  
no privacy, regardless of how deep the server may be buried in the Alps (or  
wherever). And considering the most recent side-channel bugs, things are  
really out of hand, globally. I think it is a much bigger problem than  
cleaning up one's own machine(s) as we still need to communicate with the  
majority who use PRISMed services and 

Re: [Trisquel-users] Web Browser

2018-01-11 Thread studio
> Perhaps they've done something differently from OpenSUSE either in their
> build of Firefox or elsewhere in the distro?

In my tests I downloaded Firefox from Mozilla directly.


Re: [Trisquel-users] Web Browser

2018-01-11 Thread studio

lynx
Behaves exactly as expected: zero packets sent on startup. Opening  
https://fsf.org/robots.txt communicates only with fsf.org


Chromium new findings:

Opening settings:// sends packets to translate.google.com (although  
translation is turned off). Testing browsing to actual pages shows  
communication only with the proper hosts, no communication with Google hosts.
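
The startup and single-page tests reported in this thread come down to reading tcpdump output and asking which names were looked up and which remote hosts were contacted. The following is an added example, not part of the original post or of any bug report mentioned here: it parses `tcpdump -n` text output for IPv4, maps contacted addresses back to the DNS names that resolved to them, and marks anything outside the hosts the user actually asked for. The capture lines, addresses and the name `telemetry.example.net` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the text format printed by `tcpdump -n` (IPv4 only).
SAMPLE = """\
10:00:01.000001 IP 192.168.1.10.41000 > 192.168.1.1.53: 4242+ A? fsf.org. (25)
10:00:01.020001 IP 192.168.1.1.53 > 192.168.1.10.41000: 4242 1/0/0 A 198.51.100.7 (41)
10:00:01.030001 IP 192.168.1.10.51000 > 198.51.100.7.443: Flags [S], seq 1, win 64240, length 0
10:00:01.050001 IP 198.51.100.7.443 > 192.168.1.10.51000: Flags [S.], seq 9, ack 2, win 65535, length 0
10:00:02.000001 IP 192.168.1.10.41001 > 192.168.1.1.53: 4243+ A? telemetry.example.net. (39)
10:00:02.020001 IP 192.168.1.1.53 > 192.168.1.10.41001: 4243 1/0/0 A 203.0.113.9 (55)
10:00:02.030001 IP 192.168.1.10.51001 > 203.0.113.9.443: Flags [S], seq 5, win 64240, length 0
10:00:03.000001 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
PACKET = re.compile(r"^\S+ IP " + IPV4 + r"\.(\d+) > " + IPV4 + r"\.(\d+): (.*)$")
QUERY = re.compile(r"^(\d+)\S* (?:\[\S+\] )?(?:A|AAAA)\? (\S+?)\.? ")
ANSWER_ID = re.compile(r"^(\d+)\S* \d+/\d+/\d+ ")
A_RECORD = re.compile(r"\bA " + IPV4)


def is_expected(name, allowed):
    """True if name is one of the allowed hosts or a subdomain of one."""
    return name is not None and any(
        name == a or name.endswith("." + a) for a in allowed)


def summarize(capture, local_ip, allowed):
    """Summarize what local_ip looked up and contacted during the capture."""
    pending = {}          # DNS transaction id -> queried name
    ip_to_name = {}       # address from an A answer -> name that was queried
    queries = []          # every name asked for, in capture order
    contacts = Counter()  # (remote ip, remote port) -> outbound packet count
    unparsed = 0          # lines this parser could not classify

    for line in capture.splitlines():
        if not line.strip():
            continue
        m = PACKET.match(line)
        if not m:
            unparsed += 1  # ARP, IPv6, ICMP, ...: counted, never dropped silently
            continue
        src, sport, dst, dport, payload = m.groups()
        if src == local_ip and dport == "53":
            q = QUERY.match(payload)
            if q:
                pending[q.group(1)] = q.group(2).lower()
                queries.append(q.group(2).lower())
            else:
                unparsed += 1
        elif dst == local_ip and sport == "53":
            a = ANSWER_ID.match(payload)
            name = pending.get(a.group(1)) if a else None
            if name:
                for ip in A_RECORD.findall(payload):
                    ip_to_name[ip] = name
        elif src == local_ip:
            contacts[(dst, int(dport))] += 1

    report = []
    for (ip, port), count in sorted(contacts.items()):
        name = ip_to_name.get(ip)  # None if no lookup for it was captured
        report.append({"ip": ip, "port": port, "name": name,
                       "packets": count, "expected": is_expected(name, allowed)})
    return {"queries": queries,
            "unexpected_queries": [q for q in queries if not is_expected(q, allowed)],
            "contacts": report,
            "unparsed_lines": unparsed}


if __name__ == "__main__":
    result = summarize(SAMPLE, "192.168.1.10", {"fsf.org"})
    for c in result["contacts"]:
        mark = "ok" if c["expected"] else "UNEXPECTED"
        print(f'{c["ip"]}:{c["port"]} {c["name"]} x{c["packets"]} {mark}')
    print("unexpected lookups:", result["unexpected_queries"])
    print("lines not parsed:", result["unparsed_lines"])
```

A clean report only covers the capture window: it says nothing about packets sent before or after it, and an address with no captured lookup is reported with name `None` and treated as unexpected.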


Re: [Trisquel-users] Web Browser

2018-01-11 Thread mason
Just a heads up that the way you've started quoting text does work in the  
mailing list making this very difficult to read.


> Nothing wrong at all. I just wanted to accent...

I think we basically agree here. I brought this up to explain why invoking  
'freedom 0' was not effective in the Mozilla thread, and we're past that.


> Hence my idea about a new network.

This is probably worth starting a new thread over.

> You can also try wireshark.

Will do.

> That is in no way different from Ubuntu's case or from Mozilla's telemetry.

Yes, I avoid Ubuntu and Firefox as well. I use modified versions (Trisquel  
and Tor Browser) by more privacy- and freedom-friendly developers. I would  
also be open to a similarly modified version of Chromium but am not aware of  
one.


> Chromium does not send packets to any third party on startup.

Am I missing something? You filed a bug report because it does, right?

> Why are you more concerned about licensing while your browser is sending  
packets to company X, Y, Z?


I am concerned with both. While software freedom and privacy are two  
different issues, lack of software freedom makes it easier for software to  
abuse its users, including by invading their privacy. I would be interested  
to know what packets are sent from Tor Browser and how. If they contain no  
identifying information and are sent through the Tor network then they do not  
invade my privacy because the information has nothing to do with me and no  
one knows it came from me. Of course, I would feel more comfortable with it  
not being sent at all, but it's certainly not worth switching to Chromium  
over.


I suggest that you approach the Tor developers as you have with Mozilla,  
Google, and RMS. I can do it myself if you don't have time, but you'd be able  
to do it much more quickly because you've already learned how to run these  
tests and articulate your findings.


> Purism's phone...
> It is still not produced, so nobody can possibly evaluate it.

If the device connects to the cell network, we do not need to evaluate the  
device to know that it will track you.


> But from what I know there will be complete hardware separation between the  
modem and the rest of the system. So you can use it as a pocket libre  
computer, hopefully without any coreboot or whatever firmware blobs,  
otherwise it won't be much different from a Samsung + Replicant.


If they made a pocket libre computer with no modem I'd be fine with them  
saying it doesn't track you. If it's a phone it does. Good modem isolation  
can limit the amount of information that your modem accesses, but the modem  
only needs to connect to the cell network for you to be tracked.


> So basically the only tracking will be possible through the location of the  
phone based on nearby mobile stations (which perhaps cannot be avoided if one  
wants to talk to anybody).

...
> I don't but thanks for the info. What you describe is similar to Librem5.

No, it's completely different. I won't lengthen this message by explaining  
JMP since you don't live in North America and the information won't benefit  
you right now, but unlike what Purism is proposing, JMP requires no modem or  
connection to the cell network. Purism's marketing for their phones hasn't  
really been on my radar until now, but many people are already ignorant of  
the issues with cell phones and Purism could do some real damage if they  
spread misinformation just to sell their product.


> FB (and many other sites) won't allow you to sign up/in with a disposable  
email address (they seem to recognize the domains).


As an experiment I tried making a Facebook account through Tor with a  
disposable email address. It rejected the first domain I tried but accepted  
the second one. However, it eventually wouldn't let me advance without  
uploading a picture of my face, at which point I gave up. Anyway, the fact  
that Facebook rejects some disposable email addresses is far from the only  
reason to avoid Facebook. I avoid any site that prevents me from accessing it  
anonymously.


> I can't find any site which gives disposable email without JS, so there is  
still no possibility for complete untraceable anonymity


The ones linked to from the FSF use libre JavaScript. If you don't trust the  
FSF's evaluation of the code, you can review it yourself or find someone who  
can. JavaScript is a programming language like any other. Avoiding every  
single instance of JavaScript is unnecessary. We don't need to avoid every  
single instance of C just because some proprietary and/or malicious software  
is written in that language. Unless the JS on those sites compromises  
anonymity (which it might. I never learned JavaScript and have not audited  
the code, relying on the FSF's judgement) it is not an obstacle to anonymity.


> So far I haven't found a single online service provider who can guarantee a  
clean and completely tested system


Sure, really the only way to be certai

Re: [Trisquel-users] Web Browser

2018-01-11 Thread shiretoko

I saw a lot of word-confusion in this thread.
Software freedom and privacy are conceptually different issues and should be  
treated as such.
However, software freedom is a condition for privacy. you can't really be  
sure to have privacy without software freedom.


If you feel that a piece of free software is not giving you enough privacy  
(which is obviously the case) then you can alter the source code and remove  
the critical parts.

Or you can pay somebody who will do the job for you.

Free software gives you no guarantee that a program will be 100% secure, bug  
free and exactly what you need for a specific task.

It simply can't do that.


Re: [Trisquel-users] Web Browser

2018-01-12 Thread greatgnu

>Is there an easy way for you to share your about:config?

Well, I can describe my procedure, yes.

>You use Debian, right? Perhaps they've done something differently from  
OpenSUSE either in their build of Firefox or elsewhere in the distro?


Yes, although I am not talking about Firefox ESR packaged by Deb devs but the  
tar you download directly from the Mozilla website.


As the mate Joe points out and I could not agree more a user should not spend  
incredible amounts of their time into figuring out how to make their browser  
privacy decent. Third party cookies anyone? Phoning home to google constantly  
because of muh security? That is indeed huge bullshit. I agree with (was it?)  
Lunduke when he says Mozilla is nothing else but business. Open sores  
business. Fact is, their browser is the best worst choice we have right now.  
I mean, you can use lynx for your browser if you want only text but year 1986  
is long gone, unfortunately.


I prefer not to share the inner workings of my network but I am pretty  
confident I got the tcpdump right.. so yeah, you don't need to trust my  
words, do the following and see for yourself. Point is, to sum it up, FF can  
be made truly privacy respecting, chromium on the other side ... not.


There is a fork of it called ungoogled-chromium, you might want to take a  
look at that one too (I don't recommend it, just saying) ->  
https://github.com/Eloston/ungoogled-chromium



In the past I spent hours reading about those 'hidden' settings in  
about:config, now I do not need to do that anymore thanks to this guy ->


https://github.com/pyllyukko/user.js/

His user.js is very very good and gets updated when new crap gets added by  
Mouzilloua.
Very good but not perfect, you will need to apply some additional  
modifications but don't worry it is just a few.


Place the user.js in the relevant folder. Open your browser and in  
about:config write 'safebrowsing'.

Disable them all and remove every gooobles url (make it blank), as in:

browser.safebrowsing.downloads.remote.enabled   false
browser.safebrowsing.downloads.remote.url   (blank)

Disable the captive portal feature

network.captive-portal-service.enabled

As far as background connections that would be all, if memory serves me  
right. I also recommend you change your user agent to that of the TorBB, it  
will lower your fingerprint considerably (according to the eff's panopticlick  
that is)


general.useragent.override   Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0


This last one is a 'string' you create by yourself (right click - new -  
string)


Do bear in mind that addons will make background connections so you should  
test your browser without them.







Re: [Trisquel-users] Web Browser

2018-01-12 Thread studio
> Just a heads up that the way you've started quoting text does work in the  
mailing list making this very difficult to read.


Thank you for mentioning that. I was just trying to make my post more  
readable as ">" doesn't give good enough visual separation.


I was also wondering how to get email notifications for replies in the forum  
as it is getting more and more difficult to find which posts are new. It  
seems you are using some mail system. Could you please help me set this up?  
Also please suggest a way to make posts more readable without affecting mail.  
(Or maybe someone can work on the frontend to improve the forum?)


> This is probably worth starting a new thread over.

I have been thinking about it. But considering this forum is Trisquel -  
wouldn't it be considered as site-off-topic? I am interested in discussing  
wider aspects of freedom too (such as ones already mentioned here). Please  
suggest.


> I would also be open a similarly modified version of Chromium but am not
> aware of one.


Brave browser was mentioned. Perhaps worth trying. I also wonder which others  
we should look at:


https://en.wikipedia.org/wiki/Comparison_of_web_browsers

Personally I would prefer a browser compatible with the extensions uBlock
Origin and uMatrix as they improve the security, privacy and cleanness of  
browsing tremendously.


> Am I missing something? You filed a bug report because it does, right?

Perhaps you haven't read the follow up comments in the bug report which show  
that it doesn't. At least unless you open settings:// (which I found
yesterday, also shared in comment to the bug report).


> but it's certainly not worth switching to Chromium over.

It obviously comes down to: what is more important - to have actual privacy  
or to have implication of privacy respect (F0-4). From your explanation I  
understand that you seem to give up privacy because of a promise for  
respecting privacy (conceptually but not actually). That is what confuses me.  
If we are able to inspect packet destinations (as we are) and a test shows  
that a particular browser does not send packets to 3rd party, i.e. does not  
really abuse the user in any way: Does it really matter if it is free or open  
source at all? Please share your thoughts.


> I suggest that you approach the Tor developers

I will as soon as I test Tor too. Could you just share a link to the proper  
page where I can do that?


> but the modem only needs to connect the cell network for you to be tracked.

Yes, because the SIM card is not anonymous. But with current technology and  
legislation we cannot escape from that unless we stop communicating which can  
be more harmful.


> As an experiment I tried making a Facebook account through Tor with a
> disposable email address. It rejected the first domain I tried but accepted
> the second one.


But even if that works it is not useful because to use FB you need a  
non-disposable email address where you can receive notifications etc.  
Otherwise the account is completely compromised and makes no sense at all  
(since you can browse parts of FB without registration).


> I avoid any site that prevents me from accessing it anonymously.

I understand completely your points. Unfortunately, as mentioned previously,  
the majority of people are using those sites and will not stop using them,  
and will let their email provider access to your email address (even if you  
are not on FB), and will not move away from FB regardless of the valid  
arguments we may provide to them. Pretty much the same applies to Gmail,  
Yahoo etc. So it seems to me anonymizing oneself is not the solution to  
privacy but rather a road to break communication. To my mind the solution may  
be a new technology, designed not to create such issues.


> The one's linked to from the FSF use libre JavaScript...

I know that. I also do a little JS programming myself but that is not  
important. LibreJS is just as good as 'free software' which may send packets  
to Amazon. I don't see myself auditing every JavaScript code on every  
non-cached HTTP request just because it is open for evaluation. So this
basically still comes down to enforcing trust. The more I look, the more I  
think we need a technology which does not in any way require from a layman  
user to trust anybody. Maybe we should open a new thread.


> Sure, really the only way to be certain is to use your own server.

Is that really certainty? Is there hardware which is 100% libre and *verified  
for privacy issues*. Considering that even browsers are not fully tested  
(something used by millions of people) I question that, even with the risk of  
my scepticism being considered close to insanity :)


> Here's some recent discussion of email providers on this forum, if you're
> interested.


Thanks, I am. But as with all others - these still have the same issues at  
hardware level.


> If you are freedom- and privacy- focused you can greatly mi

Re: [Trisquel-users] Web Browser

2018-01-12 Thread studio
> I agree with (was it?) Lunduke when he says Mozilla is nothing else but
> business.


youtube-dl https://www.youtube.com/watch?v=qMALm1VthGY

BTW I am looking for a way to search/browse Youtube without JS. Any ideas?

Testing as you suggested:

---
(Potential) issues which I see:

When Firefox starts: Show your home page (I would set it to blank)
Check spelling as you type: ON (I don't know if that includes any connections
but I would leave it off for the test)
Allow Firefox to automatically install updates (recommended): ON (I would set  
it to OFF for the test)

Default search engine: Google (and all the other PRISM ones are enabled too)
Always use private browsing mode: ON (inconvenient)
Accept cookies from websites: ON (should be OFF with only exceptions allowed,  
when needed)
Tracking protection block list: Disconnect.me basic (perhaps should be  
'strict'?)

Send "Do Not Track": Only when using Tracking Protection (should be "Always")
Prevent accessibility services from accessing your browser: OFF
Block dangerous and deceptive content: ON (this requires connection to Google  
hosts where the blacklists are hosted)

Query OCSP responder services: ON (this also requires connection to hosts)

Further in about:config:

browser.ping-centre.telemetry;true
toolkit.telemetry.archive.enabled;true
toolkit.telemetry.bhrPing.enabled;true
toolkit.telemetry.debugSlowSql;false
toolkit.telemetry.firstShutdownPing.enabled;true
toolkit.telemetry.newProfilePing.enabled;true
toolkit.telemetry.shutdownPingSender.enabled;true
toolkit.telemetry.updatePing.enabled;true
--

> 'safebrowsing'. Disable them all and remove every gooobles url (make it
> blank)


I suppose toggling the default browser.safebrowsing.allowOverride;true would  
work contrary to what you are trying to do, so I leave that one to 'true'.


-
Testing with your settings applied on top of the downloaded shows indeed zero  
communication with any host. Until you browse (https://fsf.org/robots.txt)  
when tcpdump shows multiple connections also to:


ocsp.usertrust.com
ocsp.comodoca.com

Another thing which I notice. Even after closing the browser and waiting for  
some minutes (process terminated) tcpdump shows packets related to fsf.org  
hosts and also to the OCSP hosts. I don't know why this is happening and why  
the computer is trying to connect to those hosts without any software asking  
for it. Any ideas?


Closed Firefox and ran it again. Without opening any web pages whatsoever I  
go to Preferences and immediately tcpdump shows a load of connections to  
amazonaws.com, mozilla.com, phicdn.net, digicert.com...


Anyway I proceed to tighten the preferences mentioned above. While changing  
them I see tcpdump shows active communication going on in the background.


Setting "Always use private mode" to OFF asked me to restart the browser. I  
did and after that some of the settings were not as I set them:


Search: I had this one set to DDG and all other search engines I deleted.  
After restart it is set to Google and no other search engines are listed.
Again: I leave DDG only.


Always use private browsing mode is again ON and Accept cookies is ON too  
(although turned off before restart). Another attempt and another fail. I go  
to prefs.js and remove


user_pref("browser.privatebrowsing.autostart", true);

Still no luck after many more attempts. I give up and try to at least turn  
off cookies accepting: same story - after restart the "Accept cookies" is  
still ON. I go and delete lines mentioning 'cookie':


user_pref("pref.privacy.disable_button.view_cookies", false);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("network.cookie.prefsMigrated", true);
user_pref("network.cookie.thirdparty.sessionOnly", true);
user_pref("pref.privacy.disable_button.cookie_exceptions", false);

Restart. Disable "Accept cookies". Restart - it is back ON. I give up and  
proceed to next setting.


Block dangerous and deceptive content: OFF
Query OCSP: OFF

It seems my setting "Never check for updates" is disrespected too, so I go to  
prefs.js and remove:


user_pref("app.update.auto", false);
user_pref("app.update.lastUpdateTime.addon-background-update-timer", 1515756610);
user_pref("app.update.lastUpdateTime.background-update-timer", 1515756370);
user_pref("app.update.lastUpdateTime.blocklist-background-update-timer", 1515756730);
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1515756130);
user_pref("app.update.lastUpdateTime.experiments-update-timer", 1515756490);
user_pref("app.update.lastUpdateTime.search-engine-update-timer", 1515756250);
user_pref("app.update.lastUpdateTime.xpi-signature-verification", 1515756850);


And... no, and no, and no. It reverts to "Check for updates but let me choose  
to install them".


Also Block dangerous and deceptive content and Query OCSP also revert to ON.

After 42 minutes of tuning 

Re: [Trisquel-users] Web Browser

2018-01-12 Thread greatgnu

>BTW I am looking for a way to search/browse Youtube without JS. Any ideas?

mps-youtube, you'll find the project on github, it's a very sweet program.

>When Firefox starts: Show your home page (I would set it to blank)

agreed, indeed I did that too :)

>Check spelling as you type: ON (I don't know if that includes any
>connections but I would leave it off for the test)


It doesn't AFAIK.

>Allow Firefox to automatically install updates (recommended): ON (I would
>set it to OFF for the test)


It will make just one connection each 24 hours AFAIK

>Default search engine: Google (and all the other PRISM ones are enabled too)

Yeah.. You can easily remove those via GUI though. Google throws hundreds of  
thousands of greens at them in exchange of user data, u know, open sores  
biz..



>Always use private browsing mode: ON (inconvenient)

How is that inconvenient? I have done so for years. Well, I have also not  
allowed js (except for very very few websites) for years, I know I am a  
strange guy.. But in which way is it 'inconvenient'?


>Accept cookies from websites: ON (should be OFF with only exceptions
>allowed, when needed)


I don't know.. I mean, I know it will get you a higher fingerprint (eff  
panopticlick again) to disable cookies, and it is inconvenient in that many  
websites won't work properly. Also, if private browsing, as soon as you close  
your browser all of them get purged. I close my browser very often. I don't  
like having programs I don't use opened.


>Tracking protection block list: Disconnect.me basic (perhaps should be
>'strict'?)


Indeed I set it to strict (remember I only use noscript, no adblocker addon  
whatsoever - in fact I find it unnecessary being javascript always turned off  
here and adds are basically just javascript nowadays, rarely a plain image  
file..)


>Send "Do Not Track": Only when using Tracking Protection (should be
>"Always")


Well, it is a nonsense useless feature anyway, isn't it? I mean no shark is  
gonna respect it, let's be realistic. But yeah I did set it to always :P


>Prevent accessibility services from accessing your browser: OFF

Indeed, via GUI again

>Block dangerous and deceptive content: ON (this requires connection to
>Google hosts where the blacklists are hosted)


Yeah, as mentioned already, disable every reference to goobles and to 'safe'  
browsing (always makes me lul - **safe** browsing, sponsored by google)


>Query OCSP responder services: ON (this also requires connection to hosts)

True

>telemetry

That one also in the GUI. In about:config it is toolkit.telemetry.enabled.  
Telemetry, again, should not be enabled by default..


>browser.safebrowsing.allowOverride

Yes, leave that one as it is (true)

>Another thing which I notice. Even after closing the browser and waiting for
>some minutes (process terminated) tcpdump shows packets related to fsf.org
>hosts and also to the OCSP hosts. I don't know why this is happening and why
>the computer is trying to connect to those hosts without any software asking
>for it. Any ideas?


As you said above, you'll inevitably connect to hosts if you want it to work  
but why in the world would it make connections when the browser is closed I  
have no idea. Is that even possible? I mean, are you sure once you closed the
browser its process was correctly killed? That is strange.


>Closed Firefox and ran it again. Without opening any web pages whatsoever I
>go to Preferences and immediately tcpdump shows a load of connections to
>amazonaws.com, mozilla.com, phicdn.net, digicert.com...


That's even stranger. Are you testing this without any addon?

>Always use private browsing mode is again ON and Accept cookies is ON too
>(although turned off before restart). Another attempt and another fail. I go
>to prefs.js and remove


Hmm, do note that user.js has the precedence AFAIK, so you will need to  
change those inside that file (user.js) and not prefs.js

>still on / back on

Yeah, I believe you'll need to set the modifications you want to be permanent  
into user.js. See, if you have say browser.safebrowsing.allowOverride set to  
false in user.js and you modify it in about:config or prefs.js (which is the
same) to set it to 'true' when you restart the browser user.js will override  
it.


>After 42 minutes of tuning a program which refuses to respect my preferences
>and which clearly does background communication as per my earlier test, all I
>can do is wipe it away from my system


No, mate, again - user.js overrides prefs.js :)

--

Wow, this was long. I believe this is the longest comment in my over 3 years  
here (and I am a daily -and quite verbose- visitor..). But it is nice to see  
that I am not the only one who has spent time on achieving the almost  
impossible getting a decent browser out of Firefox. Cheers colleague :)
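
The precedence described in this post (user.js is applied over prefs.js at every start, so edits made only in Preferences, about:config or prefs.js do not survive a restart) can be checked offline against a profile's two files. This is an added example, not part of the thread and not code from the user.js project; the function names are hypothetical, both file contents are constructed samples, and the wanted values are the settings named in the posts above.

```python
import re

# One left-to-right scan: comments are consumed first, so a commented-out
# user_pref() is never read as a setting, while "//" inside a quoted value
# (a URL, for instance) stays part of the statement that contains it.
TOKEN = re.compile(r'''
    /\*.*?\*/                       # block comment
  | //[^\n]*                        # line comment
  | user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*
        (?P<value>"(?:\\.|[^"\\])*"|[^)]*?)\s*\)\s*;
''', re.S | re.X)


def _convert(raw):
    """Turn a pref literal into a Python bool, str or int."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    if raw.startswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    return int(raw)


def _same(a, b):
    # Type-aware comparison so that False and 0 are not treated as equal.
    return type(a) is type(b) and a == b


def parse_prefs(text):
    """Return {name: value} for every active user_pref() statement."""
    prefs = {}
    for m in TOKEN.finditer(text):
        if m.group("name"):
            prefs[m.group("name")] = _convert(m.group("value"))
    return prefs


def effective_at_startup(prefs_js, user_js):
    """Values in force after a restart: user.js wins over prefs.js."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged


def overridden_on_restart(prefs_js, user_js):
    """Prefs whose prefs.js state (None = line deleted) user.js will replace."""
    current = parse_prefs(prefs_js)
    changes = {}
    for name, forced in parse_prefs(user_js).items():
        had = current.get(name)
        if not _same(had, forced):
            changes[name] = (had, forced)
    return changes


def audit(effective, wanted):
    """(name, wanted, actual) for each wanted pref that is unset or different."""
    return sorted((name, want, effective.get(name))
                  for name, want in wanted.items()
                  if not _same(effective.get(name), want))


# Constructed sample: prefs.js after the user switched private browsing off
# in Preferences and deleted the cookie lines by hand.
PREFS_JS = """
user_pref("browser.privatebrowsing.autostart", false);   // set to OFF in Preferences
user_pref("network.captive-portal-service.enabled", true);
user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0");
"""

# Constructed sample user.js (not the contents of the project's file).
USER_JS = """
/* privacy section */
user_pref("browser.privatebrowsing.autostart", true);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.url", "");
// user_pref("toolkit.telemetry.enabled", true);
user_pref("toolkit.telemetry.enabled", false);
"""

# Settings recommended in the thread.
WANTED = {
    "browser.safebrowsing.downloads.remote.enabled": False,
    "browser.safebrowsing.downloads.remote.url": "",
    "network.captive-portal-service.enabled": False,
    "toolkit.telemetry.enabled": False,
    "datareporting.healthreport.uploadEnabled": False,
}

if __name__ == "__main__":
    for name, (had, forced) in sorted(overridden_on_restart(PREFS_JS, USER_JS).items()):
        print(f"reverts on restart: {name}: {had!r} -> {forced!r}")
    for name, want, actual in audit(effective_at_startup(PREFS_JS, USER_JS), WANTED):
        print(f"not as wanted: {name}: wanted {want!r}, effective {actual!r}")
```

A pref reported as reverting has to be changed in user.js itself; a pref reported with an effective value of None is set in neither file and falls back to the browser default.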





Re: [Trisquel-users] Web Browser

2018-01-12 Thread studio

> How is that inconvenient?

Private mode cleans cookies on each exit and I don't like having to re-login  
to sites just because I restarted the browser.


> and ads are basically just javascript nowadays, rarely a plain image file

Just a side note: Pixel trackers are not JS based. And you can be tracked also
through 3rd-party CSS request. So an extension like uMatrix and uBO is much  
more helpful than NoScript because through it you can control quite well JS  
blocking too.


> I mean, are you sure once you closed the browser its process was correctly
> killed? That is strange.


Yes, I am sure. And yes, it is strange. Speculation: I suppose it may be some  
related to the fact that I am behind a router which NATs the Internet to the  
LAN but still - tcpdump shows the connection is from the localhost to the  
remote host and it makes no sense.


> Are you testing this without any addon?

Absolutely clean virgin browser without any ~/.mozilla/firefox upon first  
run. I also explicitly run it from command line with option --ProfileManager  
so that I can see how the profile is created and selected.


> But it is nice to see that I am not the only one who has spent time on
> achieving the almost impossible getting a decent browser out of Firefox.
> Cheers colleague :)


Well, cheers to you too! Unfortunately I can't confirm that the final result  
is a decent browser. :( I may try user.js some time but I really don't have  
the nerves right now. I have already spent so many hours to test Firefox and
each time I really find it is so bad at listening to what I ask it to do.


Can you please test on your system the opening of Preferences and the  
browsing to https://fsf.org/robots.txt? What results do you get for each?


Re: [Trisquel-users] Web Browser

2018-01-12 Thread studio

New browser tested:

Brave

Result: Lots of background communication, even after tightening of settings.  
Worse than Firefox.


Details submitted in bug report:
https://github.com/brave/browser-laptop/issues/12632


Re: [Trisquel-users] Web Browser

2018-01-12 Thread mason
Ugh. I spent a long time writing a message and then accidentally deleted it.  
I can't afford the time it would take to fully reconstruct it, so this will  
not be the full response that many of your points deserve.


The forum is mirrored to a mailing list which you can join here:  
https://listas.trisquel.info/mailman/listinfo/


I understand that the forum is being reworked. In the meantime, to ensure  
that forum posts are readable for mailing list users, avoid relying on html  
for coherence and update your comments by replying to them instead of editing  
them.


If you want to start a thread that will be of interest to people here but  
that you are afraid is too far off-topic from Trisquel, the Troll Lounge is  
good for meaningful but off-topic discussions.


Although Tor Browser is as libre as Firefox and more so than Chromium, the  
reason I use it is for privacy. I agree that we *shouldn't* need anonymity to
protect our privacy, but right now we do. If Tor Browser sends the same data  
Firefox does and it is either deanonymizing or not sent through the Tor  
network then that is a serious bug. (If you find that this is the case, I'm  
sure it can be addressed if you report it here:  
https://trac.torproject.org/projects/tor) However, if the data is not  
identifying and is sent through the Tor network then it is irrelevant as far
as privacy is concerned, eliminating Chromium's advantage on this one point.  
When it comes to other potential privacy issues, I see Chromium as far more
risky than Tor Browser. In many situations on the internet the only way to  
protect your privacy is to avoid them entirely, or engage with them  
anonymously. The former option is crippling, and more isolating than the  
latter. Outside the context of the issue you are testing among browsers,  
Google and Chromium have a far worse track record than Mozilla and Firefox,  
and while Tor developers have an incentive to find and fix privacy issues  
from Firefox, Chromium developers have an incentive to create as many privacy  
issues as they can get away with and only have an incentive to remove them  
after they get caught and if there is enough outrage. Unless Firefox has an  
extraordinarily massive flaw we are unaware of that cannot be fixed in Tor  
Browser, the hypothetical privacy gained from switching to Chromium, assuming  
it is better overall than Firefox in situations outside of the one you are  
testing, is far less than the actual privacy lost by failing to protect my  
privacy from many parties, not just Google and Mozilla, with anonymity.


I understand your point about this not being a long-term solution. Many of  
your points are about identifying things that are not long-term solutions,  
and that is valuable because without long-term planning the good guys have no  
chance of winning. However, if the bad guys win anyway then all that will  
have mattered is mitigation of the harm to our lives, our communities, and  
the people we care about, so I do not consider mitigating actions petty. We  
have to do both.


As you point out, the best long term solutions are those that replace  
important but harmful technologies, rather than isolate ourselves from them.  
Just as important as the new technologies is a path toward transitioning from  
the old technologies. I see Denver Gingerich's work with JMP and WOM to be a  
very promising plan. It is already possible to use JMP to send and receive  
texts and calls without a SIM card. No need to choose between isolating  
yourself and being tracked. Having integrated with the cell network, the next  
steps are to create advantages to using JMP over connecting the cell network  
directly, and finally replace it. Good old EEE. Thanks Micro$oft. Diaspora  
takes a similar approach with respect to Facebook, but I am more skeptical of  
it. I have some ideas about ethical and practical social media that I am still
organizing and are outside the scope of this thread.


As for JavaScript, you are right to avoid it when you can. However, no  
individual can review every line of code in all software they use, whether  
it's JS for a disposable email address or the Linux kernel. JavaScript is  
unique in that many people install JavaScript programs every day without
knowing it (hence my suggestion for how browsers could better frame the issue  
for uninformed users), but if you are as cautious about installing software  
written in JavaScript as you are with any other software it is no worse than  
C or Python. This is a good essay that probably won't tell you anything you  
don't already know about the problem but has some good insight as to possible  
solutions: https://onpon4.github.io/other/kill-js


> even with the risk of my scepticism being considered close to insanity :)

You aren't insane. The world is. That said, don't let perfect be the enemy of  
the less-awful-option-until-we-maybe-solve-the-problem-for-real-one-day.


I didn't touch the capitalism 

Re: [Trisquel-users] Web Browser

2018-01-13 Thread greatgnu

>but I really don't have the nerves right now.

Yeah, as I said a truly libre and privacy friendly browser would not come  
with a ton of antiprivacy nonsense and a user should not have to do such a  
hard work to 'clean it up'.


>Can you please test on your system the opening of Preferences and the
>browsing to https://fsf.org/robots.txt? What results do you get for each?


Will do later, I'm curious.




Re: [Trisquel-users] Web Browser

2018-01-13 Thread studio
> Ugh. I spent a long time writing a message and then accidentally deleted
> it.


For reasons like that I learned to first write my answer in a text file and  
then paste it :)


> The forum is mirrored to a mailing list

Thanks, I already found that. Unfortunately it sends me emails from all  
threads which is somewhat spammy but I guess this is how mailing lists work.


> Troll Lounge

https://trisquel.info/en/forum/freedom-security-technology-what-can-we-do

> if there is enough outrage

Unfortunately I don't have a high traffic web site or anything like that to  
bring it to the attention of enough people. So far I have shared my findings  
1) in the bug reports 2) here and in openSUSE forum. Still I don't see  
hundreds of people adding outrage to the bug reports, so I suppose they  
either don't realize the actual issue, or put up with it, or their desire for  
privacy is just verbal.


> We have to do both.

Of course. But the effort we put in securing current systems should probably  
be only for the sake of developing a conceptually new one. Otherwise it is an  
endless chase of a moving target which moves at speed which is beyond  
anyone's capabilities.


> I have some ideas about ethical and practical social media that I am still
> organizing and are outside the scope of this thread.


Please share a link to another thread. I am interested to learn about your  
ideas.


> As for JavaScript, you are right to avoid it when you can.

I wasn't too concerned about it before the announcement about Spectre and  
Meltdown as I relied on the stronger process isolation mechanisms at lower  
level (which is no longer reliable obviously).




Re: [Trisquel-users] Web Browser

2018-01-13 Thread studio
> Yeah, as I said a truly libre and privacy friendly browser would not come
> with a ton of antiprivacy nonsense and a user should not have to do such a
> hard work to 'clean it up'.


How can something be privacy friendly and come with antiprivacy? :)

> Will do later, I'm curious.

Great. Looking forward to it.




Re: [Trisquel-users] Web Browser

2018-01-13 Thread studio

New browser tested:

TOR

Result: Lots of background communication but all of it to subdomains of  
your-server.de over https.


Re: [Trisquel-users] Web Browser

2018-01-13 Thread studio

Midori

Procedure: Set home page to blank, disable scripts, restart.

Result:

On startup: Zero (0) packets sent.

On opening of preferences only this was shown in tcpdump:

IP pc.49352 > 239.255.255.250.ssdp: UDP, length 132
IP pc.49352 > 239.255.255.250.ssdp: UDP, length 133

but only the first time the browser is started. Shutting down the browser and  
opening preferences again doesn't show such packets in tcpdump (unless the  
machine is rebooted).


Browsing to https://fsf.org/txt shows only communication with fsf.org and no  
packet sending to any other hosts whatsoever.


Additional info: Acid3 test shows 100/100 (with enabled JS). It also has  
quite a few built in extensions, one of them an adblocker which unfortunately  
is not as advanced as my favorite uMatrix and uBO. Another disadvantage I  
notice: it has some issues with color management making images appear  
oversaturated.


A bug noticed: opening https://browserleaks.com/ip causes Midori to crash.
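
The per-browser comparison in these test posts (which hosts appear in tcpdump beyond the site being visited) can be made repeatable by summarising saved tcpdump text output. This is an added example, not part of the post; the function names are hypothetical, and the capture is a constructed sample apart from the two SSDP lines, which are taken from the post above. It assumes tcpdump's default one-line output with names resolved and "pc" as the local host name, as in those lines.

```python
import ipaddress
import re
from collections import Counter

# tcpdump's default one-line format, with or without a leading timestamp:
#   [time] IP src.port > dst.port: rest
LINE = re.compile(r'\bIP6?\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+?):\s(?P<rest>.*)')


def split_endpoint(endpoint, has_port=True):
    """Split 'host.port' on the last dot; ICMP endpoints carry no port."""
    if not has_port:
        return endpoint, ""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_line(line):
    """Return (src_host, dst_host, dst_port), or None for non-IP lines."""
    m = LINE.search(line)
    if not m:
        return None  # ARP, link-level or truncated line
    has_port = not m.group("rest").startswith("ICMP")
    src, _ = split_endpoint(m.group("src"), has_port)
    dst, port = split_endpoint(m.group("dst"), has_port)
    return src, dst, port


def scope(host):
    """'lan' for multicast/private/link-local/loopback addresses, else 'remote'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "remote"  # a resolved name; assumed here to be off-LAN
    local = ip.is_multicast or ip.is_private or ip.is_link_local or ip.is_loopback
    return "lan" if local else "remote"


def outgoing(lines, local_host):
    """Count packets sent by local_host, keyed by (dst_host, dst_port)."""
    seen = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[0] == local_host:
            seen[(parsed[1], parsed[2])] += 1
    return seen


def unexpected(seen, allowed_domains):
    """Destinations outside the domains the test deliberately visited."""
    rows = []
    for (host, port), packets in seen.items():
        if any(host == d or host.endswith("." + d) for d in allowed_domains):
            continue
        rows.append((host, port, scope(host), packets))
    return sorted(rows)


# Constructed capture; only the two SSDP lines come from the post.
CAPTURE = """\
IP pc.49352 > 239.255.255.250.ssdp: UDP, length 132
IP pc.49352 > 239.255.255.250.ssdp: UDP, length 133
IP pc.40312 > fsf.org.https: Flags [S], seq 1, win 29200, length 0
IP fsf.org.https > pc.40312: Flags [S.], seq 2, ack 2, win 28960, length 0
IP pc.40312 > fsf.org.https: Flags [.], ack 1, win 229, length 0
IP pc.51514 > ocsp.usertrust.com.http: Flags [S], seq 3, win 29200, length 0
IP pc.36020 > ocsp.comodoca.com.http: Flags [S], seq 4, win 29200, length 0
ARP, Request who-has 192.168.1.1 tell pc, length 28
"""

if __name__ == "__main__":
    seen = outgoing(CAPTURE.splitlines(), "pc")
    for host, port, where, packets in unexpected(seen, ["fsf.org"]):
        print(f"{where:6} {host}:{port}  {packets} packet(s)")
```

The scope column separates LAN-only traffic such as the SSDP multicast from connections that leave the network, which is the distinction the browser comparison depends on.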


Re: [Trisquel-users] Web Browser

2018-01-13 Thread studio
> Taking a look at outgoing connections is not enough to deem how
> privacy-respectful a feature is. And that feature has advantages too.


The problem with this statement is that you know (or rather can check) only  
what happens on the sending side. So you don't have enough data to evaluate  
the advantages in relation to what you sacrifice in order to receive them.  
That is a basic test which shows if there is a communication or not. Nothing  
more or less. If there is communication and it is not anonymized through TOR  
(it is not) - that obviously is a privacy issue. That is quite simple.


> A compromise has to be sought.

Why? Are privacy and security 2 incompatible mutually exclusive concepts? Or  
rather because someone has designed a program in a way in which you must  
sacrifice one for the other? If you seek for compromise what happens is  
giving up freedom in exchange for convenience?


> What I am saying is: details matter.

Yes, they do - but only in their entirety. Only then one can match the
details to the big picture. Otherwise we can look at an isolated beautiful  
"print('Hello world')" and admire how clean and safe it is. Meanwhile Intel  
ME can be sending data to organization X "User N, located ... is currently  
admiring the source code of Hello world".


> Take Safe Browsing for example... Let us agree it is a useful feature.

There are organizations which consider that censoring entire geographic  
regions from accessing particular websites is a useful feature for the safety  
of the region. Should we agree to that too? It's a fact, not an article.  
There is enough evidence that the price people pay for using all kinds of  
"useful features" is pretty high.


That said: I do agree that having a blacklist may be useful. But I disagree  
to the centralized nature of it held in the hands of a single entity which  
can control it. As long as we cannot check for ourselves what exactly is  
happening on the other side of the wire it is all wishful thinking.


> Now, you know Google is actually managing the lists of pages known for
> phishing or of known malware. If you stop your investigation at that point,
> you may believe that every URL that ends up in your address bar is sent to
> Google along with your IP address. *That* would be a privacy nightmare not
> worth the enhanced security... but SafeBrowsing, in Firefox, does not work
> that way.


> https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
> explains how it works. And anybody can check whether it is true, thanks to
> freedom 1.


Suppose I am the victim. I (a layman) don't know. I (a non-programmer) have  
not checked the source code. I (an average user) am forced to trust because  
there is a huge mountain of information which I need to dig in order to find  
out the truth, it is growing every day and a lifetime wouldn't suffice for  
it. But still I refuse to trust articles and want truth, not words, because I  
don't want to depend on another. I don't want my child (if I have one) to be  
tracked, logged, turned into a cog of a huge machine. What am I to do? You  
see - the question is much bigger than F0-4.


The particular article you linked says:

'Google explicitly states that the information collected as part of operating  
the Safe Browsing service "is only used to flag malicious activity and is  
never used anywhere else at Google" and that "Safe Browsing requests won't be  
associated with your Google Account"'


Ok, Google states that. They state all kinds of things. Even without that:
We all know very well that each server stores logs. Also one doesn't need to  
be a professor to know how this works with a company part of PRISM program.  
What do you think happens when NSA comes and says "We will take these servers  
to search them"? Will Google say "sorry, we won't allow you to do that
because we have written this and that on a web page"? If we believe that, we  
can easily install Microsoft Windows and turn on Windows Defender because it  
is a useful feature.


> Mozilla's telemetry. heyjoe's bug, filed against the "telemetry" component,
> pretended the opposite. He had not understood that the settings in
> about:config depend on each other: if
> datareporting.healthreport.uploadEnabled (the setting that can be set from
> the preferences) is false, no telemetry is sent, whatever the values of other
> entries in about:config that stands for more specific tunings of the
> telemetry component.


My test does not pretend anything - it proves something, providing actual,  
verifiable facts. It seems you have not read the bug report comments  
carefully because one of the attached logs clearly shows: after additional  
disabling of various telemetry flags in about:config the amount of packets  
detected by tcpdump is reduced almost in half. This means that those  
additional settings do something and they are not insignificant in relation  
to other disabled flags.


> So, through 

Re: [Trisquel-users] Web Browser

2018-01-13 Thread studio
Just for the sake of privacy investigation I tested the same way Thunderbird  
(without any profile/mail configured). On startup it immediately makes
connections to Amazon, Linode, Comodo, Akamai and other hosts etc. The  
majority are HTTPS but some are plain HTTP connections.


Re: [Trisquel-users] Web Browser

2018-01-14 Thread studio
> But there is no magic: if you send little information, then little
> information is received on the other side. If you add noise, the receiver can
> exploit it even less.


You send your IP address. That's more than enough. You can't add noise to  
that. Also it is technically stupid (inefficient) to deliberately create  
noise and burden a system just because it is designed poorly.


> Too basic. Looking at what is communicated is relevant.

Well, basic or not - this is within my capabilities. Considering that nobody  
seems to have done even that, I think it has certain value.


> If you consider that having the receiver know your Web browser is opened,
> then yes.


I do, so yes. The word 'private' means not shared. If you are sharing - there  
is no privacy.


> And you should be able to disable the service it provides to stop that
> communication... but if that service is useful and cannot be achieved on your
> own computer (it is not SaaSS), then it does require communication and you
> may decide it is worth giving the information required to get the service.


Obviously certain services cannot be disabled, otherwise the background  
chatter would happen. Also it is possible to make the blacklist for safe  
browsing decentralized. But they didn't do it and there is not even a hint  
that they will.


> It is physically impossible to request information from a third party  
without communication...


I know that. But the question is that in this particular case we are sending  
info to companies for which we know to be part of the PRISM and much more  
than that. Considering that Big Brother created systems which modify even the  
HTTP headers for the purpose of eavesdropping, saying that "they can gather  
much more through G+ buttons than through this" may not be quite valid (and  
still - we don't know, we never will).


In any case, technically it is possible to get information without losing  
privacy. Example: you turn on the radio and you listen to music. Nobody is  
geolocating you, storing cookies on your radio receiver and all the rest of  
it. I think it should be possible to create a privacy respecting network  
based on this principle. I would be interested to discuss this further with  
people who are more technically knowledgeable than me.


> You need not compromise on freedom. You should always stay in control of  
your own life.


Control means regulation, i.e. conforming within rules, i.e. limitation.  
Freedom means no limitations. So one doesn't get freedom through control.  
It's a long topic.


> There is no physical impossibility here (whereas requesting information  
without communication is impossible): every piece of software can be and  
should be free software.


I would be interested to know your thoughts in the other thread I opened  
yesterday:


https://trisquel.info/en/forum/freedom-security-technology-what-can-we-do

> And that has absolutely nothing to do with our conversation.

It has a lot to do because not only the details matter but also the big  
picture which contains much more important details (otherwise we wouldn't be  
here and the whole idea of FOSS wouldn't exist).


> "All kinds of useful features" is too general to state anything about them.

Did you expect me to enumerate each and every spyware? Please, I know you are  
intelligent enough to understand what I mean.


> You can consider that price too high. Other users, most users I believe,  
consider it is not.


Of course. But the issue here is not what I consider, I am not important. The  
issue is that the whole system is designed in a way to encourage negligence  
and loss of privacy.


> However, I let it enabled on my parents' computer (that I administrate).

Same here.

> I do not think (I may be wrong) anybody knows how to have a distributed  
Safe Browsing system that would not significantly slow down page loading. Do  
you know?


The first thing that comes to mind - torrents, mirrors (like we have for  
FOSS). There are other means too perhaps. Example: encouraging ISPs to keep a  
local mirror on the gateways, proxies. It is possible.


> You trust the community... freedom 3.

The problem is that trust implies faith which is not facts. And that can be  
exploited. We can discuss that in the other thread where I raise that  
question. Also the issue here is: the community (Mozilla etc) ignores the  
facts just because they preferred to fight over the definition of words. This  
is another example that F3 doesn't necessarily work.


> The four freedoms do not solve all problems but it is the best we have.

Yes. But it seems to me they are not enough any more. Much more is necessary  
nowadays.


> Windows is proprietary software. Its users are denied the essential freedom  
to know what it is actually doing. The worst should be assumed.


Google's servers are not less proprietary. Why don't you assume the same for  
them?


> Your bug reports ...

You are critical and that is a good thing. 

Re: [Trisquel-users] Web Browser

2018-01-14 Thread greatgnu
>Taking a look at outgoing connections is not enough to deem how  
privacy-respectful a feature is.


I was referring to the already mentioned nonsense like third party cookies  
enabled by default or google sponsored 'safe' browsing etc..


>That feature aims to warn a user who is about to access a page that is known  
for phishing or about to download known malware. Let us agree it is a useful  
feature.



I don't agree. It is nonsense. Mozilla should host their own servers for any  
purpose they deem important enough as to be included by default in their  
browser.





Re: [Trisquel-users] Web Browser

2018-01-14 Thread greatgnu
Ok, I know I should have tested without any addon but I installed umatrix  
(which btw is absolutely magnificent). So I tested it with noscript and  
umatrix and all my mods, basically the browser as I use it.


I opened the browser and the connections made were the following:

hosts-file.net   (107.22.171.143)
someonewhocares.org   (209.97.222.140)  (turing.theorem.ca)
winhelp2002.mvps.org   (216.155.126.40) (mars.olymp.mvps.org)

Then, when going into preferences the new connections I see are:

aus5.mozilla.org
balrog-aus5.r53-2.services.mozilla.com., A 52.88.57.64, A 34.208.7.8, A  
52.35.162.72, A 34.214.242.76, A 34.210.48.174, A 52.36.39.89

us-west-2.compute.amazonaws.com (52.88.57.64)
ocsp.digicert.com   (93.184.220.29)
cs9.wac.phicdn.net   (93.184.220.29)

And finally when on the fsf's page the new connections made were:

www.fsf.org   (208.118.235.174)
svnweb.fsf.org  (208.118.235.30)
ocsp.usertrust.com  (178.255.83.1)
ocsp.comodoca.com  (178.255.83.1)

--

Btw, m8 Joe, may I ask you where you going with that gun in your hand? ;)



Re: [Trisquel-users] Web Browser

2018-01-14 Thread studio
So basically you proved the results of my tests. The first 3 hosts you listed  
look like the hosts which contain the lists for uMatrix (without uMatrix there  
would not be connections to them). But opening preferences again shows  
connections to hosts which the user has not explicitly asked for.


Still trust Firefox and Mozilla?

> Btw, m8 Joe, may I ask you where you going with that gun in your hand? ;)

I'm goin' down to shoot my old lady
You know I caught her messin' 'round with another man.

:)
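
The connection lists in the two posts above came from watching tcpdump while the browser started, opened its preferences and loaded a page. The following Python sketch is an added example, not part of any post in this thread: it parses the text output of `tcpdump -n port 53`, pairs DNS queries with their answers, and sorts each looked-up name by test phase and by whether the user asked for it. The capture lines, phase timestamps and the two host sets are constructed assumptions; only the host names and addresses are taken from the thread.

```python
import re

# Constructed sample in the text format printed by `tcpdump -n port 53`.
# Host names and addresses are the ones quoted in the thread; timestamps,
# client/resolver addresses, query ids and packet sizes are invented.
SAMPLE_CAPTURE = """\
10:00:01.100000 IP 192.168.1.10.40001 > 192.168.1.1.53: 1001+ A? hosts-file.net. (32)
10:00:01.130000 IP 192.168.1.1.53 > 192.168.1.10.40001: 1001 1/0/0 A 107.22.171.143 (48)
10:00:01.200000 IP 192.168.1.10.40002 > 192.168.1.1.53: 1002+ A? someonewhocares.org. (37)
10:00:40.500000 IP 192.168.1.10.40003 > 192.168.1.1.53: 1003+ A? aus5.mozilla.org. (34)
10:00:40.540000 IP 192.168.1.1.53 > 192.168.1.10.40003: 1003 3/0/0 CNAME balrog-aus5.r53-2.services.mozilla.com., A 52.88.57.64, A 34.208.7.8 (120)
10:00:40.900000 IP 192.168.1.10.40004 > 192.168.1.1.53: 1004+ A? ocsp.digicert.com. (35)
10:01:30.000000 IP 192.168.1.10.40005 > 192.168.1.1.53: 1005+ A? www.fsf.org. (29)
10:01:30.030000 IP 192.168.1.1.53 > 192.168.1.10.40005: 1005 1/0/0 A 208.118.235.174 (45)
10:01:30.400000 IP 192.168.1.10.40006 > 192.168.1.1.53: 1006+ A? ocsp.usertrust.com. (36)
"""

# Assumed phase boundaries, as a tester would note them while clicking through.
PHASES = [("10:00:00", "startup"), ("10:00:30", "preferences"),
          ("10:01:20", "page visit")]
# Assumed: the only site the user typed into the address bar.
REQUESTED = {"fsf.org"}
# Assumed (following the reply above): list sources fetched by the extension.
EXTENSION_SOURCES = {"hosts-file.net", "someonewhocares.org",
                     "winhelp2002.mvps.org"}

_TS = r"(\d\d):(\d\d):(\d\d(?:\.\d+)?)"
# Query line: client > resolver.53: <id><flags> A? name. (len)
QUERY_RE = re.compile(
    _TS + r" IP6? \S+ > \S+\.53: (\d+)[+%]*(?: \[[^\]]*\])? (?:A|AAAA)\? (\S+) \(\d+\)$")
# Reply line: resolver.53 > client: <id><flags> an/ns/ar <answers> (len)
REPLY_RE = re.compile(
    _TS + r" IP6? \S+\.53 > \S+: (\d+)\S* \d+/\d+/\d+ (.*) \(\d+\)$")


def _seconds(hours, minutes, seconds):
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def parse_capture(text):
    """Return DNS lookups in capture order, each with the addresses answered."""
    lookups, by_id = [], {}
    for line in text.splitlines():
        line = line.strip()
        query = QUERY_RE.match(line)
        if query:
            entry = {"time": _seconds(*query.group(1, 2, 3)),
                     "name": query.group(5).rstrip(".").lower(),
                     "addrs": []}
            lookups.append(entry)
            # Query ids are only 16 bits wide; the latest query wins on reuse.
            by_id[query.group(4)] = entry
            continue
        reply = REPLY_RE.match(line)
        if reply and reply.group(4) in by_id:
            for answer in reply.group(5).split(", "):
                rtype, _, value = answer.partition(" ")
                if rtype in ("A", "AAAA"):   # skip CNAME and other records
                    by_id[reply.group(4)]["addrs"].append(value)
    return lookups


def _in_domains(name, domains):
    return any(name == d or name.endswith("." + d) for d in domains)


def attribute(lookups, phases=PHASES, requested=REQUESTED,
              extension=EXTENSION_SOURCES):
    """Group lookups by phase and label each name once per phase."""
    bounds = sorted((_seconds(*start.split(":")), label)
                    for start, label in phases)
    report = {label: [] for _, label in bounds}
    for entry in lookups:
        phase = None
        for start, label in bounds:
            if entry["time"] >= start:
                phase = label
        if phase is None:
            continue  # captured before the first phase began
        if _in_domains(entry["name"], requested):
            kind = "requested"
        elif _in_domains(entry["name"], extension):
            kind = "extension"
        else:
            kind = "unrequested"
        if all(row[0] != entry["name"] for row in report[phase]):
            report[phase].append((entry["name"], kind, entry["addrs"]))
    return report


if __name__ == "__main__":
    for phase, rows in attribute(parse_capture(SAMPLE_CAPTURE)).items():
        print(phase)
        for name, kind, addrs in rows:
            print(f"  {kind:<12}{name}  {', '.join(addrs) or '-'}")
```

Names labelled `unrequested` are only candidates for review: a DNS lookup shows that a connection was prepared, not what was sent over it.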


Re: [Trisquel-users] Web Browser

2018-01-14 Thread studio

Another reason to keep JS disabled:

https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/


Re: [Trisquel-users] Web Browser

2018-01-14 Thread studio
> *That* (not adding noise) would be extremely inefficient. And why stopping  
there? By your logic, every website should continuously broadcast whatever  
they host to all online systems!


And by your logic it is much more efficient that the clients (which are  
always more than the servers) broadcast all kinds of personally identifying  
info, that special software and hardware should be made to ensure security,  
that that should be further infected by the organizations which prefer the  
"efficient" way of doing things etc. I question that. And I question it on a  
bigger scale. I don't know if you understand what I am saying. That's why I  
opened the other thread.


> No it does not.

Yes, it does. One cannot be limited, attached, conditioned, dependent,  
restrained and free.


> You are not less free because you cannot fly, for instance.

Yes, you are - physically. Otherwise man wouldn't invent flying devices.

> Freedom means "exemption from *external* control, interference, regulation,  
etc." (emphasis is mine): www.dictionary.com/browse/freedom


This source is wrong. If one exercises control psychologically, i.e.  
inwardly, one is not free. Examples: fear, self censorship, suppression etc.  
You may better check the original (etymological) meaning:


https://www.etymonline.com/word/free

"exempt from; not in bondage, acting of one's own will," (read the rest for  
yourself, there is no mention of external whatsoever)


Also https://en.wiktionary.org/wiki/free mentions many times unconstrained,  
as well as confirms "to be enjoyed without limitations; unrestricted;"


The earliest known meaning of freedom is from Sanskrit and means love.

> As I wrote: being in control of your *own* life.

But do you own life? Is there anyone who does? Is ownership something actual  
or a concept created by thought? You see - man creates the idea of ownership  
(this is my land/cow/food/nation/data), then separates the whole world into  
pieces, they inevitably conflict with each other. Then man tries to impose  
strict restrictions to those pieces, to _control_ them harder and harder till  
absolute tyranny is achieved. And all that business of "personal and national  
security" creates more insecurity, some good people create FOSS systems with  
the hope to escape the tyranny but it is not freedom. It is a fight for the  
control. I wonder if you understand what I am saying. The reaction to  
non-freedom is not freedom. Freedom has no opposite. I don't want to get too  
off-topic. Again - I welcome you to discuss things in the other thread as I  
am really interested to talk with technically knowledgeable people about what  
we can do about our real freedom.


So "to control one's own life" really means conformity to certain pattern  
(adopted from an external source or invented for oneself). It is not freedom.


> So you agree that the enhanced security your parents get is worth the  
privacy they give up?


Unfortunately yes. It is the least worse for the moment.

> Don't you think most users are like your parents and less like you?

And that is due to the poor design. Technology as it is makes people more  
stupid, more dependent and less free. I don't even need to give examples, do  
I?


> Distributing the lists is not the hard part. Creating them is.

There is no need to create them. It is possible to have TOR-ed nodes which  
pull them and host them.


BTW I wonder if you have ever asked yourself why all the malware exists but I  
won't go into that question here. Let's just say - with a good design it  
wouldn't be hard. It may even be unnecessary. Example: in Windows you need  
antivirus programs. In Linux - unlikely + there is fairly low interest in  
creating viruses. Why? Because of better overall design. Same for  
defragmentation programs etc.


> Trusting nobody, not even free software communities, and not being a  
programmer, you should stop using software. All of it.


Exactly. But nobody pulls the cord (except RMS perhaps). Personally I have  
started programming about 30 years ago (Commodore 64, then another 8-bit  
computer, then 8086 etc) and although I neither made it into a profession nor  
I do it actively, I have a fairly good view on how hardware and software  
works, so at least I don't try to do something which may be dangerous. Still  
I don't claim to be no expert, technology moves too fast to follow every  
aspect of it. That's why I was saying previously - if one is a general  
layman, things are very very dangerous.


> Google's server (the software they run on their side) is trivially free:  
there is one single user and it has all four freedoms.


Where is the source code? Can anyone download and install it? If yes - then  
we can outstrip Google. BTW sth interesting which I saw today in tcpdump:  
when i open https://duckduckgo.com/html/ - many connections to amazonaws.com  
:)


> On the contrary, Windows is distributed to many users that do not have the  
control 

Re: [Trisquel-users] Web Browser

2018-01-15 Thread studio

> I do not.

Then ask, don't assume or twist.

> Since you are redefining words, it is not surprising.

I have shared the original dictionary meaning of words. I don't define  
anything, I just stick to it. If someone else has invented a new different  
meaning because it sounds pleasing ("free coffee") - blame them.


> The definition of freedom you list match the one I gave you.

Not quite. You added emphasis to something which doesn't figure at all in the  
original meaning.


> They do not say "freedom means no limitation" (like you wrote).

What is 'unconstrained' according to you?
https://www.etymonline.com/word/constrain

> That is fortunate because your definition is useless: since there are  
impossible things (going back in time, turning yourself into a tomato, etc.),  
nobody is and can ever be "free" by your definition!


Freedom is inwardly. Just because you can't walk on the sun doesn't mean you  
cannot be free. So let's not confuse freedom with outward physical  
possibility. Freedom and free are greatly abused words today, highly  
deflected from their original meaning. It is really difficult to discuss when  
so many words in the language have been corrupt, so we must be very careful.


In any case "I control" and "I own" is not freedom. If "I control" was  
freedom, then every tyrant is an absolutely free human being.


> Yes, it has: slavery.

No. You are still thinking in terms of ownership and control. Slave implies a  
master (controller), as an opposite. In freedom there is no master and slave.  
No controller and controlled. That's why there is no restriction or  
limitation (constraint).


> So, you now recognize that there are "levels of privacy respects"? I mean  
if it was 0/1, like you pretended earlier, writing "the least worse for the  
moment" would make no sense.


We need words to talk. Both of us may have different background (cultural  
conditioning) and may have different associations with the meaning of a word.  
But the word is not the thing. So all the explanations I give and the  
references to the original meanings are an attempt to establish a common  
ground to avoid confusion. Otherwise we cannot possibly have a meaningful  
discussion. Two parallel monologs are not a dialog. Details do matter but not  
per se, they are just aimed to give the necessary depth to understand the  
whole. The whole is what matters the most, not the fragment.


> Why is "the poor design" (of what?) the reason people are more at risk of  
being duped by phishing?


The fact that the system is designed in a way which allows phishing to exist.  
I already explained that with Windows and viruses.


> That is against the Terms of Service (see my reply to SuperTramp83).

Even so - nobody can stop people from creating 1000 nodes each storing 50  
host names (just an example). Terms can change too. Everything can change.  
Many years ago it was "against the terms" to say that the Earth was not flat.


> He believes in in the collective control of the software through freedom 3.

You see - when belief, faith, trust are used - this is the path to illusion  
and there will always be a party exploiting this. The proof: the privacy  
issue of IceCat. I have never exercised freedom 3, or 2, or 1 when testing  
it. I was just sceptical (because I refused to trust another's test or  
believe articles). Anyone can believe whatever one wants but facts are  
irrefutable. And FWIW: just because RMS does or does not a particular thing  
doesn't mean that this action is something sacred, absolutely right or that  
everyone else should do the same. Otherwise the Earth would still be flat. So  
let's not try to justify everything through the authority of someone. Of  
anyone.


> We are all limited, i.e., nobody is free and can be free by your useless  
definition of freedom.


Again: you are putting a different tint to the meaning and hurry to conclude  
that the dictionary definition is useless. According to your tint freedom is  
the result of absolute unlimited knowledge which of course is impossible -  
knowledge is always limited. By not being limited free means no dependency on  
the factors which create limitation (including knowledge). Example: you want  
to make a fire, you go and take some wood and a box of matches and burn it.  
You don't need to be an expert in microbiology of plants. And it is a safe  
thing to do. You may not have the tools to inspect it, it is pretty much  
"closed source" (and at the same time not deliberately closed as in  
proprietary) yet it is in no way invading your privacy and does a good thing  
to you by giving you warmth and light. You also have the natural sensitivity  
not to touch the fire which prevents you from burning your skin. At the same  
time this natural sensitivity tells you to be careful not to burn your  
house. So you are pretty much an expert without having to read a whole  
library.


The problem is that the computer is not like that. The ease of u

Re: [Trisquel-users] Web Browser

2018-01-15 Thread greatgnu
>So basically you proved the results of my tests. The first 3 hosts you  
listed look like the hosts which contain the lists for uMatrix (without  
uMatrix there would not be connections to them).


Yes, I believe so.

>Still trust Firefox and Mozilla?

I never did in the first place. As I said I think I have quite some issues at  
trusting. I am suspicious and pessimist by nature.


>I'm goin' down to shoot my old lady
You know I caught her messin' 'round with another man.

That's exactly what I thought, but it was worth asking :)


Re: [Trisquel-users] Web Browser

2018-01-15 Thread Mason Hock
You have been making many points that are insightful and worth talking about in 
themselves but that don't support a clear argument. This is perhaps a pitfall 
of the point-by-point forum response style that I also tend toward. However, 
the timing and frequency with which you temporarily reframe the discussion with 
interesting but tangential points comes across as evasive, which is perhaps why 
Magic Banana is not patient to follow them all. I think it will help if for now 
you can stick to topics that support your most important arguments.

If I follow correctly, your main point is that the four freedoms and community 
control of software are insufficient to be 100% certain that software is 
privacy-respecting. Magic Banana and I have each acknowledged this, but have 
asked if you know of a better solution apart from avoiding software (including 
Linux, GNU, and Chromium) altogether. Your responses have touched on a wide 
array of issues, but none that address this question.

Perhaps your secondary argument is that the design of the Internet is flawed 
because it requires compromises between security, privacy, and convenience. I 
agree that an internet without such physical limitations would be objectively 
better, but in the absence of a concrete suggestion for one, wishing that the 
Internet behaved like radio or cherry picking definitions of 'freedom' that are 
ambiguous as to whether it is the absence of imposed or natural limitations is 
unproductive. Earlier in this thread, you mentioned that you have some ideas 
about this.

> Hence my idea about a new network.

Sharing these might get the conversation back on track.



Re: [Trisquel-users] Web Browser

2018-01-15 Thread Caleb Herbert
You throw the baby out with the bathwater, which irritates me very much.

On Tue, 2018-01-09 at 19:47 +0100, stu...@anchev.net wrote:
> Could you please explain what freedom issues (apart from the one mentioned by
> me) there are? I have always thought Chromium is FLOSS.

If you're concerned about privacy issues in Mozilla, then how could you
ever consider Chromium?  Chromium's privacy issues are even more
difficult to remove, and people are still trying to figure it out.

> But I am not a programmer. And it seems no programmer has taken care to
> remove them, yet the vendors claim it is free software respecting privacy and
> people believe that.

If someone's not doing it fast enough, pay them to go faster.

> Perhaps I need to find an command line tool or  
> get rid of RSS totally...

What.  On.  Earth.

You are making no sense.

You take no initiative to use the rights you hold so dear.  You just sit
back and take anything the developer gives you, as if the software were
proprietary.

Just because all the clients in the world are garbage is absolutely no
justification for refusing to ever use the protocol.  That's insanity.
Just wait for a better client, whether one that someone else makes or
one you pay someone to make.


-- 
Caleb Herbert
OpenPGP public key: http://bluehome.net/csh/pubkey




Re: [Trisquel-users] Web Browser

2018-01-15 Thread Caleb Herbert

> but there is nothing wrong with them claiming that their Debian-derived 
> distro PureOS is libre because it is, 

I see they've recommended Etcher, an Electron app.  They didn't respond
to me on IRC when I said Electron was a possible FSDG issue, since
Fedora and  FSDG distros (specifically Parabola) have removed it for
this reason.




Re: [Trisquel-users] Web Browser

2018-01-15 Thread Caleb Herbert
On Thu, 2018-01-11 at 01:15 +0100, stu...@anchev.net wrote:
> The answer given by the Chromium dev surely is not to my taste. Yet it is  
> more acceptable considering that even currently Chromium's test shows it to  
> be a privacy respecting browser. Or can you show a test which demonstrate  
> that Chromium leaks data to Google? Or any other freedom related issue?  
> Please do share, I am interested.

Are these words sincere, or are they meant to provoke others?  Everybody
knows about all the struggles Chromium forks like Iridium had to go thru
to get Chromium to stop going full botnet!  RMS even discussed Iridium
when they tried to liberate Electron, and it was difficult then too.






Re: [Trisquel-users] Web Browser

2018-01-15 Thread studio

You made quite a good summary. Just to clarify:

I am not looking for an argument in the sense of stating something and then  
proving it. The clarifications I made just for the sake of better mutual  
understanding, not in order to oppose for the sport of it (which would be  
quite silly).


Initially I shared my findings then tried to explain that careful  
observation, questioning, testing (and _not_ trusting an authority) is what  
leads to truth. You seem to expect me to give an answer to all these  
questions which I may not have or for which others may be aware of recent  
researches on the matter and so on. We can all together look at the deeper  
issues and hopefully come to something. That's why I opened the other thread  
(as suggested in the Troll Lounge) as this is not web browser and not  
Trisquel related:


https://trisquel.info/en/forum/freedom-security-technology-what-can-we-do



Re: [Trisquel-users] Web Browser

2018-01-15 Thread studio

> Are these words sincere, or are they meant to provoke others?

They are sincere. And they are meant to provoke actual testing, not just  
theorizing.


I have not tested Iridium. And I am not planning to. So whoever says anything  
about it must provide actual test. Otherwise it is just words (however  
reputable the source may be).


Re: [Trisquel-users] Web Browser

2018-01-15 Thread studio

> If you're concerned about privacy issues in Mozilla, then how could you
ever consider Chromium?

Why not? The test proves it behaves better. It doesn't chatter in the  
background like Firefox (and its forks). There is only one single packet sent  
to translate.google.com on opening of settings and that can easily be blocked  
with other means.


> Chromium's privacy issues are even more difficult to remove, and people are  
still trying to figure it out.


I don't know what issues you are talking about. I shared my testing  
procedure, so anyone can check for oneself without having to trust my  
results.




Re: [Trisquel-users] Web Browser

2018-01-16 Thread Adonay Felipe Nogueira
To find out the possible issues with Chromium, I recommend you all to
contribute to [1] and the discussion around it in [2]. If there is no
review as to whether some software is free/libre or not, then we can
only assume the worst case which Stallman and others keep showing in
their talks: that it's non-free software. And the community here
shouldn't recommend non-free software.

I myself so far only contributed with a simple run of licensecheck [3]
but as I explained in the reference, we need to clean that result (the
reference talks about an attachment, but you must download it using the
torrent Info hash in [1] instead, or run licensecheck against your own
copy of Chromium's source code --- following the steps I gave in [1] or
in [3]).

Finally, the practice of using shorter license notices such as "licensed
under SomeLicense" even if the "SomeLicense" itself already defines what
the notice should be makes things more confusing (as I noted in [3]).

About RSS (and general news feed/reading: I don't like the RSS
specification too, I prefer Atom feeds, specially if the makers of the
feed post the complete article in the item). ;) Currently I'm
experimenting with some famous news readers for Emacs: Newsticker
(built-in), org-feed (built-in), elfeed (external). I'm also
contributing to Newsticker and org-feed by testing them and sending
detailed bug reports. I can't do that with elfeed because of GitHub
issues well described in gnu.org.

[1] https://directory.fsf.org/wiki/Talk:Chromium.

[2]
http://lists.gnu.org/archive/html/directory-discuss/2017-11/msg1.html.

[3]
http://lists.gnu.org/archive/html/directory-discuss/2017-11/msg00014.html.

2018-01-09T19:47:02+0100 stu...@anchev.net wrote:
> Could you please explain what freedom issues (apart from the one
> mentioned by me) there are? I have always thought Chromium is FLOSS.
>
>
> But I am not a programmer. And it seems no programmer has taken care
> to remove them, yet the vendors claim it is free software respecting
> privacy and people believe that. My test proves that it is not. And
> that the vendor not only doesn't care but would rather argue with
> proven and close the ticket.
>
>
> Yes - IceCat, Waterfox. IceCat also does background communication on
> startup. Waterfox shows the same behavior as Firefox.
>
>
> Using uMatrix's background log I noticed that Tor Browser also sends
> behind the scenes packets. I don't know if they go through the Tor
> network but in any case - they are sent, without prior (or any)
> consent. Some of them were to Mozilla's servers. I haven't tested
> further or in more detail.
>
>
> Thanks. I also just found QuiteRSS which has built in browser in which
> JS can be disabled. But to my mind the very fact that the RSS reader
> has support for JS makes me stay away from it. Perhaps I need to find
> an command line tool or get rid of RSS totally...
>

-- 
- https://libreplanet.org/wiki/User:Adfeno
- Speaker and consultant on free/libre /software/ (not to be confused
  with gratis).
- "WhatsApp"? It is not free/libre. Please see ways to reach me by
  instant messaging at the address below.
- Contact: https://libreplanet.org/wiki/User:Adfeno#vCard
- Common file formats accepted (only without DRM): Corel Draw, Microsoft
  Office, MP3, MP4, WMA, WMV.
- Common file formats accepted and sent: CSV, GNU Dia, GNU Emacs Org, GNU
  GIMP, Inkscape SVG, JPG, LibreOffice (ODF standard), OGG, OPUS, PDF
  (only without DRM), PNG, TXT, WEBM.


Re: [Trisquel-users] Web Browser

2018-01-16 Thread Adonay Felipe Nogueira
And it's where these basic websites for paying bills get the most focus
of web-vandals, because these websites have automatic client-side
software being forced on end users who just want to "get the bills
paid".

What you should do instead is contact the website owners and tell them
to change to a solution which doesn't require any client-side software
besides a browser with HTML and CSS support and no JS, extensions nor
plug-ins. If you are not a programmer or not a web developer, tell them
to contact libreplanet-discuss (this forum, trisquel-users, isn't for
this kind of requests unfortunately), with more and more people doing
the same for a given company they will eventually give it a try, if they
ignore you, you have a reason to not use their disservice anymore. ;)

2018-01-12T01:17:01+0100 stu...@anchev.net wrote:
> What's wrong with just calling it "privacy"? Privacy is important
> enough on its own that I don't think we need to reframe the discussion
> in ways that might cause confusion.
> Nothing wrong at all. I just wanted to accent on the fact that for
> people privacy (as a form of personal security) is more important then
> the ability to inspect/change/redistribute. That's why I think we need
> stronger criterion when evaluating the quality of software (or
> hardware). As discussed here, just being free (in the FSF sense) is
> obviously not enough and with the state of what is happening in the
> world we need new things. Hence my idea about a new network.
>
> I will figure it out when I have more time.
> You can also try wireshark.
>
> It doesn't seem to prove that no additional data is sent by Firefox or
> Chromium during browsing, just that this data at minimum is sent on
> startup.
> I don't know what lower/upper-bond means but the very fact that any
> browser which sends these packets without the user initiating
> explicitly that communication is enough for me to mark it not privacy
> respecting and not consider it for further testing. Of course you are
> right - we need to test how it works during browsing. Perhaps the best
> thing to do would be to keep it simple - e.g. opening remote txt or
> html without scripts or extensions and looking at tcpdump. Let me know
> if you have any better idea.
>
> I said that it had been closed, but it's alarming that it ever happened.
>
> That is in no way different from Ubuntu's case or from Mozilla's
> telemetry. In such scenario, when flaws are all around, all we can do
> is look at facts as they are right now: Chromium does not send packets
> to any third party on startup. Konqueror sends no packets at all on
> startup but has other issues as it seems.
>
> However, right now I am more concerned with the issues linked to by
> Magic Banana, since they are active and haven't been adequately
> addressed after several years.
> I am honestly having a difficulty in understanding what you
> mean. Aren't they primarily licensing issues? Why are you more
> concerned about licensing while your browser is sending packets to
> company X, Y, Z? Please explain as I may be missing something.
>
> Replicant, the operating system, is 100% libre. You are likely
> referring to the modem or bootloader that the device itself uses
> regardless of what operating system it runs.
> Exactly.
>
> Purism's phone...
> It is still not produced, so nobody can possibly evaluate it. But from
> what I know there will be complete hardware separation between the
> modem and the rest of the system. So you can use it as a pocket libre
> computer, hopefully without any coreboot or whatever firmware blobs,
> otherwise it won't be much different from a Samsung + Replicant. Also
> from what I have heard, it would be able to use the mobile network as
> a pipe, to make encrypted phone calls. So basically the only tracking
> will be possible through the location of the phone based on nearby
> mobile stations (which perhaps cannot be avoided if one wants to talk
> to anybody).
>
> I suggest looking into JMP if you live in North America
> I don't but thanks for the info. What you describe is similar to Librem5.
>
> In this case the advantage of using Tor is that you do not reveal your
> location. This is especially important if it is a site or account you
> use frequently (like an email provider) as otherwise they can track
> you to the point of detecting behavioral patterns.
> Sure. You can probably even use Facebook anonymously but FB (and many
> other sites) won't allow you to sign up/in with a disposable email
> address (they seem to recognize the domains). I know the FSF page
> which you linked but it seems dated. From all the recommended ones
> only safe-mail.net seems to work without JS but it requires a current
> email address and I can't find any site which gives disposable email
> without JS, so there is still no possibility for complete untraceable
> anonymity. As for Kolabnow - I have been in touch with these guys and
> asked them if they have cleaned their systems from Intel ME,
> p

Re: [Trisquel-users] Web Browser

2018-01-16 Thread studio
When you quote automatically whole (especially lengthy posts) it is difficult  
to follow what exactly you are commenting on (without rereading the whole  
post). You obviously do this through email but please consider quoting only  
what you comment on.


As for recommendations to web developers: I can assure you I have done this  
so many times. Including: to trisquel.info which has weak HTTP security  
headers:


https://securityheaders.io/?q=https%3A%2F%2Ftrisquel.info&followRedirects=on

I have sent this using the Contact link on this site. No reply so far. No fix  
either. Hopefully someone will look into it.


Re: [Trisquel-users] Web Browser

2018-01-16 Thread Mason Hock
> The clarifications I made just for the sake
> of better mutual understanding, not in order to oppose for the
> sport of it (which would be quite silly).

I believe you.

> Initially I shared my findings then tried to explain that careful
> observation, questioning, testing (and _not_ trusting an
> authority) is what leads to truth.

I appreciate that, but since then you have seemed to only mistrust free 
software developers by default, refusing to accept their software if you can't 
understand every line of code yourself to prove that it is perfect, while you 
seem quite trusting of Google, putting the burden on people here who aren't 
even interested in non-free software like Chromium to use their time to audit 
it for you to prove that it *isn't* perfect.

> You seem to expect me to give
> an answer to all these questions which I may not have or for which
> others may be aware of recent researches on the matter and so on.

No, I had honestly misunderstood you as having said that you had some sort of 
suggestion. I wasn't trying to be flippant. It is fine to point out a problem 
even though you don't have a solution yourself, as long as your approach is 
conducive to finding a solution.

> We can all together look at the deeper issues and hopefully come
> to something. That's why I opened the other thread (as suggested
> in the Troll Lounge) as this is not web browser and not Trisquel
> related:

Your new thread, like your comments here, is about an important topic. However, 
it doesn't really add anything new. We already know that no software is 
perfect, even software under community control. A specific proposal (even if it 
is not a complete solution) to improve it would be interesting, but simply
saying that you don't think software is privacy-respecting enough doesn't help
anyone to improve it.

I think you have touched on some ideas that are concretely helpful, but seem to 
have gotten sidetracked by broad questions with no helpful answers. I suggest 
staying focused. Take any questions you have about browsers to the developers, 
keeping in mind that the specific situation you are testing is not the 
be-all-end-all and that as Magic Banana has explained there are some compromises
inherent to the system (browser developers do not get to decide how the 
internet works), but that if their decisions are making some users unhappy they 
may address or at least explain them, and that if the browser is free software 
then a fork may be able and more willing to make a change that the original
developer is not.


Re: [Trisquel-users] Web Browser

2018-01-17 Thread studio
> since then you have seemed to only mistrust free software developers by
> default


This is incorrect. I don't mistrust a particular group of people. I question  
the value of trust as a whole.


> putting the burden on people here who aren't even interested in non-free
> software like Chromium to use their time to audit it for you to prove that it
> *isn't* perfect


I don't know why you say that. Chromium seems just as non-free as Firefox  
considering the link shared by another poster  
(https://libreplanet.org/wiki/Libre_Browsers_Libre_Formats#Browsers_that_might_seem_free.2C_but_are_not)  
yet for some reason people mention it as free, prefer it, fork it and make  
browsers using the same flawed code which obviously leads to the same privacy  
issues in the forks. The only people from whom I asked to check their code  
are the developers which is what bug reports are for.


> having said that you had some sort of suggestion

I never said that. I shared what came to my mind and invited others to share
your thoughts. You said you had no time to ask further. Was I supposed to  
elaborate without anyone being interested? Or to open a thread about it and  
talk to myself?


> to point out a problem even though you don't have a solution yourself, as
> long as your approach is conducive to finding a solution.


I am questioning the whole approach of looking at everything in  
problem-solution pairs. We already have technology based on that.


> A specific proposal (even if it is not a complete solution) to improve it
> would be interesting


It is not possible to come to the specific without looking. The new thread is  
about looking together, thinking together, questioning together - not about  
one person giving a proposal and N other people agreeing or disagreeing,  
evaluating everything through the prism of an authority, arguing etc. If that  
is not possible - let's not make a problem-solution pair out of it ;)


Re: [Trisquel-users] Web Browser

2018-01-17 Thread studio
I discuss _privacy_ issues. The bug reports are about _privacy_ issues.  
Mentioning freedom 0 in the bug reports was obviously unnecessary and
inappropriate. That's a finished discussion. Long ago.


In my last reply to mason I was clarifying that:

> The only people from whom I asked to check their code are the developers
> which is what bug reports are for.


^^^ That is the essence of the reply.

I mentioned that both FF and Chromium are similarly non-free just to  
illustrate that the _privacy_ issues remain regardless of the software being  
free or not. Which itself confirms that _privacy_ and FSF-freedom are  
different issues. What's the point of repeating what I say as if I said the  
opposite?


Re: [Trisquel-users] Web Browser

2018-01-17 Thread studio

Ok.


Re: [Trisquel-users] Web Browser

2018-01-17 Thread Mason Hock
> I don't mistrust a particular group of people. I question
> the value of trust as a whole.

Yes, you have argued that because it is impossible to be 100% certain that a 
piece of software is privacy-respecting, we cannot trust free software to 
respect our privacy. This in itself is sound, if your conclusion is to avoid
all software. However, your solution is to use Chromium, which in addition to 
its freedom issues has the same inherent problem that you cannot review every 
line of code. If you don't believe in trust, why make an exception for Google?

> The only people from whom I asked to check
> their code are the developers which is what bug reports are for.

I had thought I remembered you asking someone in this thread to prove that
Chromium is flawed by reviewing the source code, but skimming back through the
thread the closest thing I see is asking Magic Banana to investigate the 
Firefox source code, so I may have been mistaken.

> You said you had no time to ask further. Was I supposed to
> elaborate without anyone being interested? Or to open a thread about it and
> talk to myself?

I didn't have time to ask more about it at that moment, but I was and still am 
interested. If you have the time and desire I encourage you to start a more 
specific thread describing it.

> I am questioning the whole approach of looking at everything in
> problem-solution pairs. We already have technology based on that.

Can you explain what you mean by this? The way I interpret it, everything you 
say after this is ridiculous, so I'd rather that you clarify before I assume 
that I understand and risk putting words in your mouth.


Re: [Trisquel-users] Web Browser

2018-01-17 Thread greatgnu

>reviewing the source code of Chromium

Over 18 million LOC, good luck! ;-)


Re: [Trisquel-users] Web Browser

2018-01-17 Thread studio

> If you don't believe in trust, why make an exception for Google?

If you are asking "Why do you trust Google" - I don't.

> the closest thing I see is asking Magic Banana to investigate the Firefox
> source code, so I may have been mistaken.


Yep, np. And I wasn't necessarily asking him to investigate but was rather  
trying to find out if his statements were based on facts or on words of  
others.


> If you have the time and desire I encourage you to start a more specific
> thread describing it.


https://trisquel.info/en/forum/thoughts-about-new-type-network

> Can you explain what you mean by this?

Our whole culture is based on problem-solution pairs. We approach everything  
in life as a problem and look for solutions. And that's why technology is  
also based on this approach. So I am thinking if there is another approach.


Re: [Trisquel-users] Web Browser

2018-01-17 Thread Mason Hock
> If you are asking "Why do you trust Google" - I don't.

You use Chromium despite not understanding every line of source code. You have
argued, and I agree, that this requires trust.


> https://trisquel.info/en/forum/thoughts-about-new-type-network

Great post. I'll probably stop following this thread less closely now and focus 
on the new one. 


Re: [Trisquel-users] Web Browser

2018-01-17 Thread studio
> You use Chromium despite not understanding every line of source code. You
> have argued, and I agree, that this requires trust.


I use it just because I haven't found anything better (privacy-wise).

FWIW I also use Google Apps... as I still can't find the perfect alternative  
to it. But I don't trust it, I use it - and they use me more.


Re: [Trisquel-users] Web Browser

2018-01-17 Thread Mason Hock
> I use it just because I haven't found anything better (privacy-wise).

I understand how you've come to that conclusion. I won't tell you to change 
your decision, but I will explain why I respond differently. The secondary 
reason is that I find it very unlikely that Chromium is the most 
privacy-respecting browser overall. It is a mistake to judge browsers by a 
single criterion. You must consider all known factors, and estimate the unknown 
based on the past and the track record of the browser and developer. However, 
even if I knew for a fact that Chromium were the most privacy-respecting 
browser, I would respond the same way I do in other situations where non-free 
software is superior to free software in some way: First I would assess whether
the better feature is important or something I can do without (in the case of 
privacy it is important), and if the feature is important I would find the best 
free alternative and request the feature. I may donate to help the feature get 
implemented. If the feature would take a great deal of work it may be necessary 
to organize a crowdfunding campaign. If the feature were something I absolutely 
could not live without I may use the proprietary software as little as
possible as a short term solution, but I would not give up on the free 
replacement, because I should not have to trade my freedom for privacy or any 
other feature. 

> 
> FWIW I also use Google Apps... as I still can't find the perfect
> alternative to it. But I don't trust it, I use it - and they use
> me more.

I often have to use Google Drive for collaborative editing. When this happens I 
try to use a computer at my school or library instead of my personal machine, 
but I really wish I knew of a replacement that people would be willing to 
switch to (suggesting git would not go over well).


Re: [Trisquel-users] Web Browser

2018-01-18 Thread studio

> I won't tell you to change your decision

It is not particularly a decision but rather simple logic:

I still use Google's services and while I am looking for a freedom+privacy  
respecting alternative it would be silly to drop them because this would  
block my work. So considering that my life is still "Googled" and changing  
the browser won't do much. So in this situation I may be considered a  
hypocrite who discusses privacy in general.


> You must consider all known factors, and estimate the unknown based on the
> past and the track record of the browser and developer.


I think I have already done that. Right now I find Chromium least worse  
because of the results of the test + the ability to use uBO and uMatrix which  
I consider essential extensions providing additional control over browsing,  
tracking, malware etc. No other browser can give me this combination of  
factors. So although certain parts of Chromium may be considered non-free  
(which seems to be mainly license-wise) the overall functionality of this  
combination is far better than any FF-fork. Midori and Konqueror are  
incompatible with uBO and uM. lynx is an overkill. Tor is slow (and some  
sites won't work with it). Let's not forget also that browsers like IceCat  
and other forks which have not updated their code up to FF 57 basis still  
don't have the new fixes about Meltdown for example. Chromium (even not  
latest) has a flag for process isolation.


I think we should also mention without any bias that Google's experts are  
very good at security. If we disregard for a moment the overall privacy and  
political disaster of Google - which other company has considered removing  
Intel ME from their hardware, testing deeply things to discover Spectre and  
Meltdown, patching whatever is possible against that? But... yes, I know.


> but I really wish I knew of a replacement that people would be willing to
> switch to


I have bookmarked (in order to look at later) https://nextcloud.com/

I also learned to download files with public access from Google Drive without  
having to log in to Google Drive or use of JS. If the link is to a file, it  
can easily be converted to a direct link. Here is a bash script line which  
does that:


echo "$1" | sed -r -e 's/(https:\/\/drive\.google\.com\/)file\/d\/([^/]+)\/view/\1uc?id=\2\&e=download/g'


Unfortunately with other services like WeTransfer that seems not possible.

So back to your comment: yes, long term you are absolutely right, that's why  
I filed all these bug reports. But right at this moment Chromium works better.


BTW, on a side note regarding online services: It is generally possible for  
one to buy an Opteron server from Technoethical and host everything on it  
(website, share files, email etc). But the expenses will be much bigger and  
the quality of the service may not be so good for hosting high traffic  
websites. Well, perhaps one could put the server at an ISP data center and  
pay for high speed Internet but that may still not be sufficient, more  
servers may be needed in a cluster etc etc. So we simply don't have the  
resources to create such alternatives. And for a simple user whose needs are  
not so big it is an absolute overkill. That's why I was putting question #1  
in the thread about freedom.


Re: [Trisquel-users] Web Browser

2018-01-18 Thread greatgnu
I don't even know what sloccount is.. I was using openhub, the website to
determine how much are there.


*only* 9 million? Awesome, I'll throw a party \o/
Netsurf according to openhub has some 200.000 lines of code, if memory
serves. Too bad websites are poorly rendered and everything is mixed up. Was it
not for this I'd use it exclusively. Highly recommended browser.


Re: [Trisquel-users] Web Browser

2018-01-18 Thread studio

> Netsurf according to openhub has some 200.000 lines of code

Good luck with exercising freedom 1 with this :)

> Highly recommended browser.

Why?


Re: [Trisquel-users] Web Browser

2018-01-18 Thread greatgnu

>Good luck with exercising freedom 1 with this :)

The freedom to study how the program works, and change it so it does your  
computing as you wish (freedom 1). Access to the source code is a  
precondition for this.



Why?

>Why

Coz it's fast like hell? Coz it's as fast as Links2 or Dillo but much more  
usable?


Re: [Trisquel-users] Web Browser

2018-01-18 Thread Caleb Herbert

> BTW I am looking for a way to search/browse Youtube without JS. Any ideas?

Recent versions of GNOME Videos can search and play YouTube videos, as
well as Vimeo and perhaps a few other sites.

mps-youtube also searches YouTube, but it won't play videos on my
machine.  Its UI is also not a shiny GUI app like Videos is, so
recommending Windows users to go from using the site to using the
terminal is kind of embarrassing.



Re: [Trisquel-users] Web Browser

2018-01-18 Thread studio
F1: I know. I just wanted to say that it is humanly impossible for a single  
person to study millions of lines. Even for 100 people. Perhaps I should have  
commented on a previous post of yours.


> Coz it's fast like hell?

How does it behave on the tcpdump test? BTW NetSurf's website is also very  
fast. I notice they run Cherokee server (unknown to me, perhaps also worth  
trying).


> Coz it's as fast as Links2 or Dillo but much more usable?

Damn. :)


Re: [Trisquel-users] Web Browser

2018-01-18 Thread studio

Thanks for the info!

My main concern is not to run JavaScript. Do you know if Gnome Videos use JS  
internally?


FWIW the other day I read that youtube-dl *does* use JS... which makes me  
hesitant to use it. Do you know any alternative to it which doesn't?


Re: [Trisquel-users] Web Browser

2018-01-18 Thread studio

Also:

Is Gnome Videos the same as totem? I can't find any package with name close  
to videos or gnome videos on my openSUSE but I have totem.


Re: [Trisquel-users] Web Browser

2018-01-19 Thread Caleb Herbert

> I appreciate that, but since then you have seemed to only mistrust free 
> software developers by default, refusing to accept their software if you 
> can't understand every line of code yourself to prove that it is perfect, 
> while you seem quite trusting of Google, putting the burden on people here 
> who aren't even interested in non-free software like Chromium to use their 
> time to audit it for you to prove that it *isn't* perfect.

To top it off, Chromium's codebase is even larger and harder to
understand than Mozilla's.  And that's saying a lot, because Firefox is
hard to build.

-- 
Caleb Herbert
OpenPGP public key: http://bluehome.net/csh/pubkey




Re: [Trisquel-users] Web Browser

2018-01-19 Thread Caleb Herbert

> Coz it's fast like hell? Coz it's as fast as Links2 or Dillo but much more  
> usable?

Hell yeah, it is!  Links2 sux.

-- 
Caleb Herbert
OpenPGP public key: http://bluehome.net/csh/pubkey




Re: [Trisquel-users] Web Browser

2018-01-19 Thread Caleb Herbert
On Thu, 2018-01-18 at 01:57 +0100, stu...@anchev.net wrote:
>  > You use Chromium despite not understanding every line of source code. You
> have argued, and I agree, that this requires trust.
> 
> I use it just because I haven't found anything better (privacy-wise).

Appeal to Futility. :-(

> FWIW I also use Google Apps... as I still can't find the perfect alternative  
> to it. But I don't trust it, I use it - and they use me more.

What do you use Google apps for?  Which ones do you use?

I used Gmail, Docs and Drive primarily.  Evolution, LibreOffice and a
shiny SFTP client/file manager plugin met my needs.

-- 
Caleb Herbert
OpenPGP public key: http://bluehome.net/csh/pubkey




Re: [Trisquel-users] Web Browser

2018-01-19 Thread Caleb Herbert
On Thu, 2018-01-18 at 10:47 +0100, stu...@anchev.net wrote:
> I also learned to download files with public access from Google Drive without 
>  
> having to log in to Google Drive or use of JS. If the link is to a file, it  
> can easily be converted to a direct link. Here is a bash script line which  
> does that:
> 
> echo $1 | sed -r -e  
> 's/(https:\/\/drive\.google\.com\/)file\/d\/([^/]+)\/view/echo  
> "\1uc?id=\2\&e=download"/ge'

Is this code snippet copyrightable?

Does anybody remember the snippet to download a native Google Docs doc
as OpenDocument or PDF?

-- 
Caleb Herbert
OpenPGP public key: http://bluehome.net/csh/pubkey




Re: [Trisquel-users] Web Browser

2018-01-19 Thread studio

> What do you use Google apps for? Which ones do you use?

Gmail, Google Drive (rarely Docs), Calendar.

> Evolution, LibreOffice and a shiny SFTP client/file manager plugin met my
> needs.


I use them too but they can't replace the above.


Re: [Trisquel-users] Web Browser

2018-01-19 Thread greatgnu

>How does it behave on the tcpdump test?

Haven't tested it yet. Very lazy right now. Maybe tomorrow.


Re: [Trisquel-users] Web Browser

2018-01-19 Thread studio
Ok. I tried myself but I am getting an error during compiling of the browser.  
Their documentation seems incorrect. Then I tried simply running make but it  
asks for libdom which is not available on openSUSE's repo. So I gave up.


Re: [Trisquel-users] Web Browser

2018-01-19 Thread mason

> I think I have already done that. Right now I find Chromium least worse
> because of the results of the test

Perhaps it is because of your time investment in your test that you weight  
your test far too heavily. Your complaints are reasonable, but there is also  
a reasonable explanation for why those compromises are made, even if we  
disagree with Mozilla that the compromises are worth it. Firefox and its  
derivatives would be better than they are now if it were easier to configure  
for full privacy, but this one situation is not so damning that it is  
automatically worse than Chromium.


> + the ability to use uBO and uMatrix

These addons are available in FF derivatives, and uBO is even installed by  
default in Abrowser, so you do not need to rely on a developer whose business  
model is selling your privacy.


> Tor is slow

I'm sure that Chromium is significantly faster than Tor Browser, but I value  
freedom and privacy over convenience.


> (and some sites won't work with it).

Some sites accidentally blacklist some exit relays and you'll have to switch  
to another relay, but I assume you are referring to sites that systemically  
blacklist all Tor relays (Yelp and support.apple.com are a few that I've  
noticed). If you value your privacy I suggest that you avoid such sites, as  
their only motivation for forcing you to identify yourself is if they intend  
to collect information about you. No matter how good your browser is, it also  
takes safe browsing habits to protect your privacy.


> Let's not forget also that browsers
> like IceCat and other forks which have not updated their code up to FF 57
> basis still don't have the new fixes about Meltdown for example.

Meltdown has been patched in the Linux kernel, but Abrowser is based on 57  
anyway, and unlike Chromium has no profit incentive to violate your privacy  
and no history of doing so in a very serious way.


> I think we should also mention without any bias that Google's experts are
> very good at security.

Security and privacy are both important but are different. As Magic Banana  
has pointed out they are sometimes at odds with each other, forcing a  
compromise. In Google's case they are almost always at odds with each other,  
as their first solution for security is generally to compromise privacy. Any  
account you have with them or info you store with them, they protect by  
tracking your location and locking your account when it is accessed from a  
suspicious location (or through Tor). The only way to unlock your account is  
with a phone number, so if you don't give them your phone number you risk  
losing access to your data. Magic Banana pointed out that the reason phishing  
blacklists can't be decentralized the way you want them to be is that Google  
won't allow it. That's the problem with a company who doesn't value your  
right to privacy (and in Google's case, your privacy is their product): They  
have no reason to seek security solutions that protect your privacy, and by
avoiding them it gives them an excuse to violate your privacy in the name of
"safety." It's a trap.


As you have correctly pointed out, using software you have not written or  
fully audited yourself relies on trust. Trust always comes with risk, and you  
must evaluate that risk based on how untrustworthy the developer is. Firefox  
is not fully trustworthy (though far more so than Google, since they have a  
better track record and their business model does not rely on violating your  
privacy), but if serious privacy disrespecting features slipped into Tor
Browser, Abrowser, or Icecat it would be by accident and there is probability  
(though not certainty) that the developers can catch and fix it. This reduces  
the probability of a serious privacy violation in those browsers. Chromium, on
the other hand has already been proven to have a serious privacy violation,  
and it was only removed after they got caught, so there is no reason to  
believe that they will remove any additional ones until they get caught  
again. Why would they? If Google created a privacy-respecting alternative to  
Chrome, they would lose money, so they would be fools not to insert as many  
antiprivacy antifeatures as they think they can get away with. Of course,  
Chromium is not an "alternative" to Chrome. It is the part of Chrome's  
development process that exploits the labor of free software developers. This  
is another reason not to remove privacy issues from Chromium: it would create  
the extra work of putting them back into Chrome.


Finally, you are the one who says that we should not settle for short-term  
solutions, and relying on the least privacy-respecting company in the world  
to protect your privacy is not a long-term solution.


> I have bookmarked (in order to look at later) https://nextcloud.com/

Cool, I'll take a look.

> I also learned to download files with public access from Google Drive
> without having to log in to Google 

Re: [Trisquel-users] Web Browser

2018-01-19 Thread mason

Yikes. I avoid saving passwords in my browser as well.


Re: [Trisquel-users] Web Browser

2018-01-19 Thread studio

That doesn't matter. A script can log your key presses.


Re: [Trisquel-users] Web Browser

2018-01-19 Thread studio

> Is this code snippet copyrightable?

Here is the full script:

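#!/bin/bash
# Convert a Google Drive "file/d/<id>/view" link into a direct download link.
if [ -z "$1" ]; then
  echo "No link supplied as argument" >&2
  exit 1
fi
# [i] http://funbutlearn.com/2013/02/direct-download-link-to-your-google.html
# Plain substitution only: sed's "e" flag would run the rewritten line as a
# shell command, which must not happen with a link taken from the command line.
echo "$1" | sed -r -e 's/(https:\/\/drive\.google\.com\/)file\/d\/([^/]+)\/view/\1uc?id=\2\&e=download/g'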
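
A link pasted from a mail or a web page is untrusted input, so the conversion should treat it strictly as data. The following is an added example, not part of the original post: it performs the same rewrite with parameter expansion and an allow-list check on the file id, so nothing from the link is ever evaluated by a shell or by sed's `e` flag. The function name and the id character set are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): turn a public Google Drive
# "file/d/<id>/view" link into the direct-download form used in the post,
# without ever handing any part of the link to a shell for evaluation.

# Byte-wise character ranges in the patterns below, whatever the user's locale.
LC_ALL=C
export LC_ALL

# drive_direct_link URL   (hypothetical helper name)
# Prints the direct link and returns 0, or prints nothing and returns 1.
drive_direct_link() {
  url=$1
  prefix='https://drive.google.com/file/d/'

  # The link must start with the exact Drive prefix.
  case $url in
    "$prefix"*) rest=${url#"$prefix"} ;;
    *) return 1 ;;
  esac

  # Split "<id>/view..." into the id and whatever follows it.
  id=${rest%%/*}
  tail=${rest#"$id"}

  # Only the /view page, optionally with a query string, is accepted.
  case $tail in
    /view|/view\?*) ;;
    *) return 1 ;;
  esac

  # Assumption: file ids consist only of letters, digits, '-' and '_'.
  # Anything else (quotes, '$', backticks, ';', spaces) is rejected.
  case $id in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac

  # The query string of the original link (e.g. ?usp=sharing) is dropped.
  printf '%s\n' "https://drive.google.com/uc?id=${id}&e=download"
}

# Stand-alone use: ./drive-link.sh 'https://drive.google.com/file/d/<id>/view'
if [ "$#" -gt 0 ]; then
  drive_direct_link "$1" || {
    echo "Not a Google Drive file link: refusing to convert" >&2
    exit 2
  }
fi
```
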




Re: [Trisquel-users] Web Browser

2018-01-19 Thread Mason Hock
Of course. Enabling JS is still unsafe, but the particular issue you link to 
relies on having the passwords stored in the browser. Even without JS enabled, 
another application could exploit Spectre to access your browser, so it is 
still wise to avoid storing passwords in your browser. I agree though the JS is 
the most likely way someone would exploit Spectre.


Re: [Trisquel-users] Web Browser

2018-01-19 Thread studio
> Perhaps it is because of your time investment in your test that you weight
> your test far too heavily.


No. It is because it shows something actual, not ideological or theoretical  
like "would be better... if". As soon as Firefox (or a derivative) shows a  
better behavior and overall security I would be happy to leave Chromium for a  
fully free program.


FWIW in EU GDPR which starts to apply in May 2018 the IP address is now  
considered personal data, legally and must be anonymized. So software vendors  
who provide such "features" or who close tickets because they are not in the  
mood will perhaps be forced to comply with all that. Or who knows what other  
tricks they may have to escape from that.


> Meltdown has been patched in the Linux kernel, but Abrowser is based on 57
> anyway,


As I said before - I have never tried Abrowser and haven't found a way to. As
for Meltdown - maybe, but Spectre is considered more malicious and top  
security experts only shrug at it and comment that these are issues which  
have never been seen so far and they cannot be certain that a patch on  
software level will be effective.


> and unlike Chromium has no profit incentive to violate your privacy and no
> history of doing so in a very serious way.


I am unaware of that history for Chromium especially. As long as there is no  
proof that the _current_ versions of Chromium do anything malicious refusing  
to look at actuality because of something in the past makes no sense. It  
would be like rejecting to trust SSL because in the past there was Heartbleed  
or anything along these lines. The actuality is: Firefox leaks data and  
Mozilla rejects to look at it. Chromium does not leak data and Chromium devs  
agree there should be a setting to tighten it even more. Both FF and Chromium  
are similarly non-free, so let's not get back to all this.


> I value freedom and privacy over convenience.

https://trisquel.info/en/forum/some-questions-about-various-distros#comment-126496

> Security and privacy are both important but are different.

You won't find many people who would agree they feel secure when they can't  
have privacy.


> They have no reason to seek security solutions that protect your privacy,
> and by avoiding them it gives them an excuse to violate your privacy in the
> name of "safety." It's a trap.


I think you are too quick. They have all the reasons to create trust because  
trust is what allows them to break privacy deeper. And it would be absolutely  
silly on their side to do it blatantly in an open source project like  
Chromium. These things work more subtly. They are not stupid, that's why they  
rule the world.


> since they have a better track record and their business model does not
> rely on violating your privacy


I think you should really face the present and leave the past in the past.

https://www.youtube.com/watch?v=qMALm1VthGY

> probability...

doesn't work for privacy and security. Privacy and security are about  
certainty. It is not about having only 1 spy camera in your bedroom compared  
to 3. It is 0 or anything else.


> (see screenshot)

Speaking of privacy and security: Please remove it. I prefer my email address  
not to be publicly visible. :)


And yes - this discussion is pretty much finished.


Re: [Trisquel-users] Web Browser

2018-01-19 Thread studio

> another application could exploit Spectre to access your browser

I store them in Gnome Keyring. Which of course is still unsafe to Spectre.  
Nothing can save us from Spectre except a new CPU.


Recently I started doing something which is probably silly: if I have to  
enable JS for short in a particular website, I close all other programs and  
all other browser tabs. The idea is to have less info in the memory which  
could be broken into. However this may be a really silly overkill because  
certain data remains cached in memory even after the program is closed + that  
doesn't mean other processes are not running. So maybe I am just paranoid. It  
was so nice in single-tasking 16-bit times :)

