405 comments

[ 4.2 ms ] story [ 319 ms ] thread
Is this any different than Firefox's regular container support?
It's got Facebook in the name to ride the hate wave? I'm so glad Mozilla hired a Marketing team... /s
IIRC, this was just one engineer's side project to take their existing container tech, which might be too 'advanced' for most users, and make a one-off addon that more users might be interested in.

Do you think that Mozilla's marketing of Firefox as more privacy focused is a bad thing?

> Do you think that Mozilla's marketing of Firefox as more privacy focused is a bad thing?

Not at all. This just strikes me as desperation, jumping on the hate train against Facebook because it's easy. Instead I'd like to see them actually develop their container functionality into a mainstream feature for the browser that might gain enough attention to make people start asking why Chrome, Safari, or Edge don't do the same.

I could see it very easily existing somewhere between the "New Window" and "New Private Window" menu options. They'd just need to rebrand it as something other than "containers" for the masses to understand it. "Private Window" would have been good but unfortunately that's been taken, in hindsight they should have gone with something that more clearly convey's the "burned after reading" forgetful nature of the private window because I think private conveys secret/isolated without the self destruction that comes with a Private/Incognito window..

People understand the Private/Incognito window, it wouldn't be hard to explain that a container window exists somewhere between a regular window and Private/Incognito. They could also easily surface or suggest sites you might want to containerize.

Up until now I hadn't heard of their containers feature despite being a Firefox user so at least one techy has benefited from this update. Though I doubt I am alone.
It's smart – my only complaint when seeing this is "how come nobody's focusing on Google?"
Mozilla is paid by Google. WHy would they antagonize their own parent company?
Mozilla and Google have a business contract with a well-defined scope. Google has a similar contract with Apple. Google isn't Mozilla's parent company just as it isn't Apple's.
Apple makes 97% of its revenue from Google? Because Mozilla does. Your comparison is not valid.

Source: https://www.mozilla.org/en-US/foundation/annualreport/2016/

What I said is perfectly valid. Parent company is a well-defined term that doesn't apply here.

Now, may Google try to put pressure on Mozilla? Sure. Would Mozilla obey? Possibly...? None of this means that this has actually happened or will happen. Stop spreading conspiracy theories.

> Now, may Google try to put pressure on Mozilla? Sure.

There is an implicit pressure when the existence of the company depends on one entity.

> Would Mozilla obey? Possibly...?

Would they rather put 100s of people out of a job? Close down shop? Because 97% reduction in revenue can cause that.

It's quite unlikely that the options would be as clear cut as "delete the Google container addon or close down Mozilla." Note that Mozilla has just recently operated roughly two years I think without a contract with Google.
It's a convenient wrapper for that which automatically redirects Facebook pages into the container, redirects other sites to be outside the container, and deletes Facebook cookies:

> How does this compare to the Firefox Multi-Account Containers extension?

> Facebook Container specifically isolates Facebook and works automatically. Firefox Multi-Account Containers is a more general extension that allows you to create containers and determine which sites open in each container.

> You can use Multi-Account Containers to create a container for Facebook and assign facebook.com to it. Multi-Account Containers will then make sure to only open facebook.com in the Facebook Container. However, unlike Facebook Container, Multi-Account Containers doesn’t prevent you from opening non-Facebook sites in your Facebook Container. So users of Multi-Account Containers need to take a bit extra care to make sure they leave the Facebook Container when navigating to other sites. In addition, Facebook Container assigns some Facebook-owned sites like Instagram and Messenger to the Facebook Container. With Multi-Account Containers, you will have to assign these in addition to facebook.com.

> Facebook Container also deletes Facebook cookies from your other containers on install and when you restart the browser, to clean up any potential Facebook trackers. Multi-Account Containers does not do that for you.

(https://addons.mozilla.org/en-GB/firefox/addon/facebook-cont...)

The addon desc (https://addons.mozilla.org/en-US/firefox/addon/facebook-cont...) says:

> Facebook Container leverages the Containers feature that is already built in to Firefox. When you enable Facebook Container, you may also see Containers named Personal, Work, Shopping, and Banking while you browse. If you wish to use multiple Containers, you’ll have the best user experience if you install the Firefox Multi-Account Containers extension https://addons.mozilla.org/firefox/addon/multi-account-conta...

So: No, it is not.

There's a few little extra gubbins in there. See sibling comments
Im using uBlock origin and PrivacyBadger, will this cover something Im missing?
PrivacyBadger might not block all trackers. Firefox containers "block" all trackers (or rather, they allow all trackers but limit the information they can gather completely).
How about Decentraleyes?
I use uBlock Origin to whitelist 1st party JS when I like a site, and Containers to keep the signed in riff-raff away from everything else!
Use them all in combination.

Containers are nice way to divide up your tabs even if you don't want to be tracked.

Don't blame them for taking advantage of the current media attention facebook is getting to bump firefox containers a bit! It's pretty neat technology.
Unsurprisingly there is no Google container for Firefox
You can use containers for any website / group of webistes.

The specific Facebook-only container extension is for people who don't want to hassle of organizing their containers themselves and only want one for Facebook.

Hey why is Firefox giving Facebook preferential treatment?
Have you read the news lately? Facebook has been a special concern as of late...
Preferential? Other than publicity, I'd say it's the opposite. Though I see your point.
Because facebook gives preferential treatment to us?
Still shedding users and they need something to press release.
I think you meant to ask why is Facebook treating its users like shit?
Do you have any more information on how to do this? A link? I'm interested in isolating google.
You can accomplish it without any extension by creating a 'Google' container and choosing yes on every Google site when it asks you if you want to always open in that container.

Or you can fork the extension, change the container name and color, and update the array of domains.

Uh it says I'm on Firefox 52 and can't install this. But I'm on Firefox 59.
You probably have the privacy.resistFingerprinting preference set to true. This spoofs your browser version.
Yep that fixed it. Thank you!
I've been trying to use Firefox's containers for a while. They are pretty clunky - you need to open a blank container tab using a menu and then enter the url. I forget to do that all the time, so after some time you are just logged into everything in the "global" container, or logged in to google and twitter in the same container etc.

If you check the "Always open this page in this container thing" - then it prompts you with an "are you sure you want to open this page in this container" every time you go to that page which is very annoying. Edit - this is not true - there's a checkbox to "remember your choice". I don't know why I didn't see it.

They are error prone enough that they aren't good tracking protection. Just use ublock origin or a similarly good privacy plugin to globally block as much tracking as you can.

The facebook container eliminates some of those annoyances, but only for facebook.

> then it prompts you with an "are you sure you want to open this page in this container" every time you go to that page which is very annoying.

That isn't true - you say yes/no the first time and then it's automatic. Works great for me.

I create a container for every service I want to stay logged into and whitelist the specified sites with Cookie Autodelete (which is container aware), then auto delete all other cookies on tab close.

There's a "remember this" checkbox and that worked last time I tried to use it.
Yeah, I'm not getting it after the first "Are you sure?" prompt, but that first one is annoying. I already checked the box asking to always open foo.com in a specific container. Why is it asking again?

Also, I'd love to do this in my bookmarks, instead of having to visit each site and set the container one-by-one.

> I already checked the box asking to always open foo.com in a specific container. Why is it asking again?

I have some sites that I almost always want to open in a specific container. Except when I don't.

I suspect this double-confirmation is for people like me: I can chose between "always open this site in this container" and "always suggest opening this site in this container".

I actually have a few cases like this as well, but they are very common cases I encounter 20-30 times a day.

I thought containers were clunky too until I went looking for bug reports for the functionality I wanted (always open domain in container) and found out I just wasn't using them right.

I'm actually really impressed with how polished it is given the complexities it entails

Is there an official article/tutorial detailing how to use them and use cases with examples?
From searching I just found a Mozilla help page[1] that seems to have much of the useful info, along with some links to other articles.

Not sure of it or something similar was referenced at some point during the extension install process.

1: https://support.mozilla.org/en-US/kb/containers

There is an add-on called "new container tab" that uses alt+C to open a new tab in the same container. So I'll open my banking tab and Alt+C several times to do all my monthly tasks.

And as others have said, the "always open in this tab" shouldn't act how you describe.

Finally, there is an option in about:config called "firstparty.isolate" or something similar that does what containers do, for the most part, by default. It will break SSO with Google/Facebook/etc. though.

Agreed, in Chrome I used profiles to segregate, and it worked well.

Profiles in Firefox is somewhat clunky to use at the same time (I end up just using two installations).

I tried containers as well, but gave up, due to reasons you describe.

It's easy to launch new Firefox profiles if you create an alias something like:

    $ alias ff='firefox -ProfileManager -no-remote &'
You can also make desktop icons that open different profiles quickly.
You can middle click on the refresh button and it'll clone the tab you're currently in. Very useful for duplicating containers.

And yes, that's terrible discovery in ux.

It's always been obvious to me that the nav buttons are treated the same as links. Left goes there, middle goes there in a new tab, right has options.
I recommend the "Switch Container" extension for this.

For developers, containers and this extension also make it super easy to test what a page looks like when logged in as a different user.

If anyone in your household uses FB from the IOS or android mobile app from wifi, it will have both your IP address and GPS coordinates. Correlating that multiple people share one residence or workplace is easily done for FB. You can keep playing a shell game like run all your desktop PC traffic through a VPN somewhere so that the FB container doesn't show up as the same geolocation, but you or an ignorant non technical user you live or work with will slip up.

Edit: fb also buys geolocation data from organizations that do the modern equivalent of wardriving. Correlating GPS location with RSSI of specific wifi SSIDs and AP MAC addresses. If anyone near you uses the app, even if their phone has all location services turned off, you're still geoprofiled to within a city block.

What's your point? Facebook still won't know what websites you visit on your PC. It also doesn't have geolocation access there unless you explicitly grant it.
That the targeted advertising and profiling will still come to you. Live with a person who joins fb mommy groups and buys diapers online? Prepare for a barrage of relevant ads. The main point is that the combination of relationship-inference and geolocation can undo probably 70% of your own privacy protection measures, through ignorant ordinary use of the fb app by friends, family and coworkers. Then combine that with fb facial recognition profiling from photos third parties may upload...
Sure, they will still track you as best as they can (though as I said Facebook doesn't have geolocation access on desktop). This doesn't change the fact that without your browsing profile, Facebook will have less knowledge about you than it would normally have, period. Facebook can't "undo" that.
I think that was the OP’s point. FB woule have geolocation information on you because thanks to someone else’s use of your WiFi network on their cellphone, FB can now associate your IP address with a geographical location.

So even though you’re on desktop and haven’t provided them with location permissions, they can still identify your location based on your IP address.

Ah, okay. I still don't see how this would undo preventing Facebook from knowing what websites you visit. The location of your PC seems like an entirely separate data point.
Facebook can use GeoIP on their servers to position you within a few miles. That's close enough for demographic profiling. And like others mentioned, if anyone uses the Facebook app on your home network, Facebook can link the devices precise position with your IP address.
Putting in my year of birth to 1911 (but the same month/day so half friends don't send me wishes on the wrong day) used to mostly destroy their targeted advertising. It was all adverts for arthritis medication. They're steadily figuring it out, but it's taken them about 10 years.
I'm also enjoying completely meaningless ads as I lie to them about my gender.
lots of people have a dynamic ip. if you don't want that fb (or any other web-thing) correlates an ip with you, you should get an isp that gives you a dynamic ip.
Perhaps we need a specific Tor shell Facebook app. Then it's just a wrapper onto the desktop site.

Just force your kids to use that on mobile and use Tor on desktop with Facebook as the homepage.

You can tell your kids that 'Tor' means 'Facebook' in Icelandic.

cool, but if anything tells me there's something wrong with permission systems it's this... the permissions it asked for, if that was any extension i'd be leery of it, but since this is from mozilla i trusted it..
> In addition, websites that allow you to create an account or log in using your Facebook credentials will generally not work properly. Because this extension is designed to separate Facebook use from use of other websites, this behavior is expected.

As much as I love these kinds of things, this is going to break something for my less tech-y family. As such, I can't let them use this kind of thing.

Maybe you should can’t let them use Facebook logins?
They have existing apps that wouldn't let them do that. I'm not about to control my mother's choices.
I used Firefox's containers for about a day, and then I discovered the privacy.firstparty.isolate option (in about:config), which effectively gives every site its own container with no user effort. That, combined with Cookie AutoDelete, seems to work well.
nice, I wish there were a dedicated checkbox for this in the settings page. I didn't know about this until now.
Yup, this is how I thought containers would work like at first.

9/10 times I navigate off a link from one container and boom I've pulled in everything in that new container by ctrl+l reflex.

Any problems? For example, CDNs are in different domains. Some ecommerce sites use payment services from other domains.
I've definitely run into problems with ecommerce sites (really just Tarsnap) and embedded iframes from 3rd party payment services, while using the Chrome equivalent of this Firefox setting.
How do you do this in Chrome?
chrome://flags/#enable-site-per-process

Strict site isolation > Enable.

In case it's useful: This was due to a bug in Chrome which has since been fixed. (Chrome was losing the "POST" flag when sending a redirect message between processes.)
Any idea what version of Chrome fixed it? I refill my Tarsnap balance only occasionally.
The bug was fixed on January 26th and was being merged to older supported branches expeditiously -- I don't know the exact version numbers but I'm sure that any releases they rolled after mid-February would have the fix.
I guess 65.0.3325.146 from March 5th probably works, then. Thanks!
Things will break like logging in with Google/Facebook/other OAuths that use popup window redirects, iframe services like Disqus or Facebook comments, Google's captcha will become more annoying, less local caching will happen which means slower browsing in general.
Yet another reason why you should avoid using service to log into another as much as possible.
I'm really of two minds about this. On the one hand you can use Facebook or Google to log in and then have them know what sites you log into. Or you can use a site's native login and be pretty sure that at some point you're going to get a "we take security very seriously" notice after they screw up and expose all their user data.
I don't really see how logging in with a different system prevents your user data from being exposed?
(comment deleted)
If you use a password manager with different passwords for each site it doesn't matter (much). Either they steal your password (usually hashed), or your OAuth information.

The minor difference is that with OAuth they cannot log-in to the site pretending to be you, but if they don't hash the passwords, or use weak method to do it, then it's possible.

Regarding other user data stored in the DB (which is usually more valuable than just the passwords) there is no difference between the login method.

When you say login would break, what do you mean? Just that it would be less convenient, i.e. you have to login to your identity provider once for each first party? Or are you suggesting that the redirect flow for OpenID Connect or oauth wouldn't work at all?
This doesn't work for me.

I have a "personal" container that I use for my Google/PayPal login, and sites that I use Google oauth with, same for a "work" container.

If each site used it's own container, I couldn't sign in with Google without signing in multiple times (let alone the mess of signing out old sessions, which I do once in a while).

Google logins still work, this is a different kind of container from the Firefox container tabs.

I use this feature with container tabs and it's fine. There are so far one or two sites I've come across that this breaks, neither of them anything I care about.

Sorry, are you using `privacy.firstparty.isolate` or container tabs? I think SparkyMcUnicorn was saying the former would not work for them.
Both. I'm saying they work together fine, and isolate works fine with Google logins. It's not that strict.
It doesn't work all the time. I tried it with Google login on Atlassian, it seems to rely on third-party cookies, and fails. There are a few bugs open on websites that don't work with this feature:

https://wiki.mozilla.org/Security/FirstPartyIsolation#First_...

Atlassian actually rely on referrer headers as well! Extensions such as smart referrer break their single SSO system.
I assumed it didn't work because it was an Atlassian site I was logging in with. Thanks for pointing this out.

Container tabs works for me very well, so I don't see much point in switching over and dealing with little bugs like this.

Wouldn't setting your cookie settings to strict (block all third party cookies) do the same thing?
It's more thorough than just cookies including various caches and data stores.
Does the OP's method allow third party cookies while isolating them from other sites?

That might be more usable than blocking third party cookies for sites that break because of SSO.

Personally I use Containers and block third party cookies and I don't have any troubles.

My use case is multiple Google accounts. I can log in to multiple Google accounts at the same time in different containers and answer emails very easily.
You can be logged into multiple Google Accounts at the same time without the extension. Just click the little profile icon in the top right and click "Add Account."

I'm logged into four, including a Gapps account.

Have they fixed the issues though where some of their apps only work with the primary account you're logged in with? (e.g. the first one)
+1 deal with this all the time on spreadsheets ===== fixed
Over the years they have definitely fixed those one by one, but I’m not sure if they’ve fixed all of them. I believe the last problematic one I encountered was some ads-related developer console a year or two ago.
They fixed the big ones but there are still a bunch of edge cases where you have to log out, like one account is from US and one is from Canada.
Google Play Console only works with your primary account.
Good question, though the account isolation to the extent I've tested it has been surprisingly good.

I still don't fully trust it, but that's a different matter.

No. I use this feature daily, and have to login to my "primary" Google ID for my Drive/Calendar, then I "Add Account" to enable my secondary/tertiary ID's. It has to be in that order.
This would let Google know these accounts are affiliated with the same person on your network, whereas containers won't necessarily provide that assumption.

Right?

If they wanted to they could associate them other ways by just looking at the IP address and/or browser fingerprinting.
I assume there is no hiding from Google unless you black-hole their IPs. Also, don't let an Android device with links to Google be near you.

It'd hard to ban Google from your life even if you want ti. I think governments should help citizens achieve that when they choose so.

My thought is that they can certainly find good indicators that they're related, but that signing into them at the same time directly in their website confirms the relationship. Bear in mind, everything coming from say, a corporate network, won't be distinguishable by IP, and browser fingerprinting is likely less helpful in an environment with a hundred PCs running identical system images.

Your home device may not live in such a family, but it's hard for Google to determine that.

Even in a corporate network there's some plugin drift over time depending on job role especially for developers. And GP specifically has installed a container add-on which probably makes him/her fairly unique among all the corporate traffic coming from that IP/group of IPs.
Most good corporate environments should be controlling what plugins they allow users to install in their browsers. (For the few users we permit to use Chrome, for example, all extensions are disabled.)

But again, the issue is not your specific configuration (or GP's specific configuration), the point is that Google cannot assume same IP or browser fingerprint is a definitive association of identity, whereas signing in additional users in Google's app definitely does.

> Most good corporate environments should be controlling what plugins they allow users to install in their browsers.

For a very odd definition of the term 'good' I suppose that's may be the case. It's certainly not been in any place I've worked in the past 20 yrs.

I can't vouch for the security of any place you've worked in the past 20 years.

But suffice to say, it's very common for Chrome extensions to be able to both modify any content on websites you view and read data you enter into them. Both adware and spyware is prolific on the Chrome Web Store, and it's the number one infection vector I see.

Controlling extensions is downright basic competency for network security. With regards to Chrome, I currently operate an outright block, though obviously we can whitelist extensions as necessary. (One thing Chrome does particularly well is their ADMX templates: It's easy to blacklist and whitelist extensions, and install them compulsorily for users as well.)

Considering that I've spent 15 of the last of those 20 years working at cybersecurity companies, I can say with some degree of assuredness that your level of control over browser extensions goes far beyond the typical work environment, and that goes doubly so for companies based in silicon valley. Do you really think that all those engineers at Google/FB/Apple/etc can't install browser extensions?
If you browser fingerprint and uniquely identify someone in this scenario what is the GDPR rationale going to be?
I'm not sure if this is the same thing you are suggesting, but what I like to do is use the "Manage people" option from the menu at the top right. My work and home google accounts are never logged in at the same time in the same chrome window. It seems to keep everything separated pretty well, even extensions seem to maintain their own settings/"activated-ness" within each person/account.
Why don't you use Thunderbird for multiple mail accounts? I cannot imagine using web interface for multiple email accounts, too much effort, taking my browser tab space. Thunderbird is right tool for it...
Doesn't Privacy Badger do about the same, but more granular and breaking fewer things?
By not breaking things, Privacy Badger will essentially let some cookies and trackers pass through which aren't cross tracking but these could leave behind a trail. Some will stay dormant until activated.

CAD or any similar cookie deleting add-on will essentially kill any cookie that isn't required for your active tabs. This way nothing is left behind to track or trail you.

What about browser fingerprinting (https://panopticlick.eff.org/)? Unless you are using the Tor browser, this appears "uncontainable" especially for folks not using Chrome over Windows 10 or another super generic combination.
Blocking your canvas to avoid being fingerprinted/tracked is like walking under the CCTV with a hoodie and cap on. Unless everyone under the CCTV does the same you will not be detected but will be tracked. It might be hard to identify you but you will standout.

So instead of standing out of the crowd why not disguise so well that the tracker doesn't know the real you.

The idea is to use something that gives a fake readout of your fingerprint thus making you look normal but keep changing it occasionally so it leads no where for long time. Try Canvas blocker[1] and/or Canvas Defender for fake readout.

[1]https://github.com/kkapsner/CanvasBlocker

> The idea is to use something that gives a fake readout of your fingerprint thus making you look normal but keep changing it occasionally so it leads no where for long time.

What is "normal" in this case? One correct way to counter fingerprinting is to standardize the fake readouts to a specific value and not change it every so often. So if everyone's browser is reporting the same value for this feature that feature will become meaningless in the context of fingerprinting since its entropy is very low.

That's what Tor Browser has been doing with font enumeration, reported windows size, screen resolution etc. - they all report the same value. On the other hand, you can correlate these values and identify Tor Browser users.

"... and then I discovered the privacy.firstparty.isolate option (in about:config), which effectively gives every site its own container ..."

But with its own IP, possibly a non-routable, private IP ?

I think not ... and that's too bad because that is what we really need. We need the ability to chroot jail a GUI program just like we jail named or (whatever).

A different root, a different IP, and no access (or knowledge) of the rest of the system. If I used facebook, that's the browser I would run it in.

This is exactly what Qubes offers. Have as many separate browsers as you like, each originating from a different IP using VPN proxyVMs. Or just run everything through Tor using a Whonix gateway.

https://www.qubes-os.org/intro/

Yeah but you miss in the parallel session. Having several github and twitter accounts, it's very handy.

I never disconnect from anything, i just open a non container tab. I never connect to anything on my laptop, i open the site in the desired account container.

This website is in a state I don't want ? New container, and it's sees me as a new customer.

We're going from cold war to all-in.

Not just a privacy question. Reddit nags me every time I hit the front page, even returning from a story, asking me to log in. For most sites I need to create ublock filters to prevent pop-ups with useless "we use cookies", subscription requests, ads or social media bars that fills half the screen, etc. etc. etc.

Every newspaper I read has decided that autostarting video and streaming is a good idea.

Yes, HN is OK, but sites that it points to are not.

I'm giving up on the web.

When you mentioned reddit I thought you were talking about their "install the app" pop up. They have by far the worst mobile experience out of any site I've use more than once in the last 2 years.
LinkedIn are ever so slightly worse. But it's tight.
LinkedIn absolutely “wins” when it comes to a sucky mobile web experience.
Fortunately it takes one tap to update your preference to have it stop nagging you to install the app.

https://www.reddit.com/r/redditmobile/comments/6hk9ot/androi...

No, it does not.

I browse Reddit on mobile in Incognito mode in Chrome, frequently, for various reasons.

This means that there is no cookie history, and (when Chrome shits its pants and dumps the Incognito session), the settings are lost. This seems to occur every few days, occasionally every few hours. Reminds me a lot of Netscape 4 days.

Every. Fucking. Goddamned. Time. I go to Reddit, I get:

1. The "Use our Mobile fuckwitted app" fucking nag screen.

2. I have to disable that fucking nag.

3. I have to select "use Desktop".

(Chrome's own "use Desktop site" option isn't sticky across sessions, or even tabs, AFAICT, when selected on a site-by-site basis.)

And I'm finally where the fuck I wanted to be in the first fucking place.

I maintain a small but fairly well-received sub, and moderate a few others. For numerous reasons, these haven't taken off or succeeded in generating much by way of active discussion (Reddit has long been an exemplar of how to design site mechanics to fully kill and destroy any active conversation). Mind, that's a hotly-contested field, but for all it does vaguely well (and yes, Reddit does have some nice features and a large and not entirely useless community), there are a few small things that could be changed to improve this ... which manifestly haven't happened.

Another site I criticise heavily, Google+, actually does this fairly well, given a number of preconditions.

1. The discussion has to be actively and effectively moderated.

2. There's got to be a good, and not overly-large, discussion cohort. I find ~5-10 people is a minimum (with the right 5-10), and in rare cases, up to a few thousand probably an upper bound. The most lively conversation I saw was in a private community of about 50 people, tightly monitored for behaviour but not (with a few bounds) content.

3. The fact that a discussion stays live for an extended period of time and the Notifications loop back earlier participants is key.

4. Individual discussions can only run to 500 comments. This keeps things from running on too long.

5. Discussion is flat, not threaded. This isn't my initial choice, but it actually works ... fairly well. I'd ultimately prefer client-based determination of order, much as with Usenet or decent email (that is: Mutt) clients, including threads.[1]

I'm not saying G+ is great. It has many, many, many flaws. But it is the best general-use system I've found on today's Internet, despite my many reasons for wishing that weren't the case.

I've found and met some great people, and had really good conversations, many lasting days and weeks, more than a few months and years.

And no, not all discussions go well. One of the best hosts on the site is its former chief architect, Yonatan Zunger. And even he has increasingly had to shut down discussions that ended up as shitshows. See: https://plus.google.com/+YonatanZunger/posts/cnqAekPSFgB

The fact that Google doesn't have to crank up impressions on the service for advertising dosh probably helps. The other games the company's played for generating activity stats have quite negatively impacted it in many peoples' eyes, my own included. The G+/YouTube fiasco being the worst.[2]

________________________________

Notes:

1. Mutt offers: threaded, date, sender, and subject sorts, reversible ordering, and extensive filtering, including the ability to arbitrarily tag items and view only those. It remains hands down the best messaging tool I've ever used, though I find email almost entirely untractable for other reasons these days.

2. This ended up with the three top stories on HN on that date being either items I'd posted elsewhere being submitted here, or related fairly di...

I don't know if you've come across i.reddit e.g. [0], I only heard about it a few weeks ago, but it's an old mobile site from reddit with nice simple styling and all the shite taken out. No popups for the stupid app.

I don't understand the drive to force people to use the app. Medium trys similar but less annoying tactics. Either way you get eyeballs on your site. Perhaps there's better tracking that they can get hold of from the app.

[0]: https://i.reddit.com/r/Bitcoin/comments/89o16y/im_mark_karpe...

https://i.reddit.com and https://old.reddit.com both avoid this ... until you hit an internal reddit link to a different host (www, np, etc.,) in which case you're back to base and fucked. The inconsistency of intra-reddit links (that is, links within the Reddit app) is ... one of the more annoying elements of the site, and long has been.
You could try a browser extension to rewrite [www|np].reddit.com to i.reddit.com [0]

But yeah when ever you don't follow the path that the major sites want you to go down you have to keep jumping around

Similar with Gmail, all links in the email go via Google tracking so you have to do a right-click and get the link then open a separate tab and paste it (obviously a signal for me that I shouldn't be using Gmail in the first place).

[0]: https://stackoverflow.com/questions/1891738/how-to-modify-cu...

I'm increasingly of the feeling one shouldn't fight systems, though there's always at least some of that. I just can't seem to find the right platform / solution that's within my resources, capabilities, and/or constraints (inclusive of privacy and financial). Reddit or a blog are probably the best that exists presently.

More: https://www.reddit.com/r/dredmorbius/comments/8avwul/open_th...

Presumably most app users aren't blocking adverts, or the app can more easily refuse to show content of ads aren't present.

Apps will cut down multi-site use too, stop users "changing the dial".

It should not be opt-out though
How would you ever know it exists then. No, they should give you the option to be reminded again, or be done with it. But since we are talking about deleting all cookies, where do you think this information would be added?
That assumes you want to log in and be tracked.

It's annoying to follow a link from a search engine and not notice it's Reddit only to be hit with the "INSTALL OUR APP. EVERYTHING WILL BE BETTER!" shtick every time.

Instagram's mobile site gives Reddit a good run for its money. It recently just stopped working for me... Chrome throws a "Too many redirects".
There are at least two mobile reddit interfaces, and one of them does not do this popup junk. The other one is obtained by adding the /.compact suffix, like https://www.reddit.com/r/programming/.compact
That's great when you want to browse Reddit, but often I find Reddit an actual good source for information so I'll click the link from the search engine that then takes me to the "real mobile version" which has the popup.
Twitter mobile. Scroll down for a screen, full page "Log in/Sign up" popup. Every single page.
Tragically, this is most probably by design, to encourage sign-ups. Whoever implemented that should not feel any better than a telemarketer or a spammer.
And then when you decide to create a sacrificial account just to keep them happy, they won't let you unless you give them your mobile number...
i hate the fact that sometimes it says "continue to the mobile site" and sometimes it says "login to access the mobile site". I prefer to not be logged in. Sometimes when i visit reddit it refuses to let me use their site logged out. Its super inconsistent. When I can't use the site logged out i just give up.

Also sometimes now the location of the "n comments" button becomes a "share" button, with the comments moved over to the side. but again, only sometimes. I keep clicking share on accident, because it happens infrequently enough that I haven't learned to check.

I've started switching to using their .compact site, which has neither problem. Only a small "switch to the new mobile site" button at the top of the page. The thumbnails aren't as large but thats fine with me

yeah their official mobile site design is just awful. This much better tho: www.reddit.com/.compact
It is super rude, and "giving up" is the right answer - to annoying sites. Screw them.

The single nicest thing you can do for yourself after an ad blocker is to get Javascript under control. I personally am using JS Blocker, which takes too much effort, but allows you to selectively load JS. There are others - I like the control JS Blocker offers, but it is a bit annoying.

This is not without problems; there are sites that don't work/don't work well. I frankly don't care about most of them, so that's fine with me, and I leak much less data to the various panty-sniffers[1].

Life is much nicer when you take back control of what runs on your machine.

[1] I block FB, Google and several others' IP space, but the smaller adtech/government/who-knows surveillance shops are impossible to keep up with, and, well, defense-in-depth is the way to go.

How about just whitelist the good guys?
That's what I do on Android, except I use Brave instead of Chrome/Firefox.

I change the default settings to block all JavaScript by default, and then use the Brave button to whitelist sites I trust and actually want to use.

Browsing the web (especially news sites) on my Android has gone from "a complete nightmare" to "tolerable" because of this.

Me too. Brave gave me back the ability to browse the web on mobile.

Now if I could just force pages to load in Brave instead of web view, that'd be amazing.

Related tip: if you open the Google app, menu -> settings -> Accounts & privacy -> disable Open web pages in the Google app, that will fix it for google now links.

Same approach, but I prefer firefox beta + noscript, which allows more fine-grained control (so I can permanently or temporarily enable js from e.g. reddit.com and redditstatic.com, but not googletagservices, amazon-adsystem, etc. .. on the same page.)
You should try Naked Browser (or NB Pro , their paid app with some extra features). I have been using it for close to 6 years and it is awesome :-) In my opinion it has one of the simplest and nicest UI with features like script blocking. [Disclaimer: I am not associated with the developer in any way]. Ad blocking is sorely missing though.
until you mentioned this I forgot reddit started doing this. at one point, I wasn't even given the option to dismiss the login modal. I had to either login or not use reddit.

these ublock origin rules ended that:

  www.reddit.com##.splash-design
  www.reddit.com##.modal-open:style(overflow: visible !important)
Also: after years of reddit not caring about email addresses, it will now nag me every time I log in to verify my email address.
Giving up on Reddit is just the same response to stimulus, but the web is vast and varied. You’re giving up on a lot of good to spite a lot of bad, but you’re just going to hurt yourself. Use uNlock and uMatrix and after a few days of regular surfing and a little tweaking you won’t even realize that shite is still there.
Giving it up for work is not possible. But for entertainment it's different the gp not only mentions Reddit, but other news sites and specifically the ones linked from HN. It's a general trend that almost everybody does, probably because "everybody is doing it".

There are good alternatives like reading books, watching movies or going out. Web sites are shooting themselves in their feet. Blockers end up being too much work with this arms race. They think they're "winning" when they're actually just selecting the people that can't choose.

I regularly browse HN and click through to articles. I run firefox / noscript on both mobile and desktop. I occasionally have to enable or temp-enable some stuff in noscript to be able to read articles, but it's a small minority of cases, and probably smaller if I wasn't so prone to temp-enabling rather than enabling.

For sessions where I know I want js to "just work", like online shopping from a set of presumed-trustworthy sites, I use a different browser profile without privacy extensions, but I use it just for those purposes and avoid general browsing with it.

To make multi-profile browsing simple, I theme the profiles differently, so it's obvious which one I'm in. On desktop, my launcher for firefox does --ProfileManager --new-instance and on mobile I just use different firefoxes - ff-beta and ff itself.

Is this "too much work?" - I can see how it might look like that, but I've been using this system for a few years, and though it takes a few minutes to set up on a new system or device the maintenance overhead is low, so I'd say it's not "too much." Also, the time gained not waiting for js-encrusted sites to load probably outweighs the setup/maintenance by a considerable factor.

More or less the same here. Still situation worsened in the last months. And we are the techies. For "regular people" no doubt it's too much.
> Every newspaper I read has decided that autostarting video and streaming is a good idea.

If you're using Firefox, go to about:config and set media.autoplay.enabled to false.

"We use cookies on this site! Read our Cookie-policy mambo jumbo here! <dismiss>"
Blame the stupid EU cookie law for that though, not the sites. Cookies can actually be very user/privacy friendly, since they provide a way to retain user preferences without requiring an account to tie them to.
They are also entirely voluntary - which the EU would've known if decision makers had visited their browser settings once.
The notice is only for cookies used for non-essential tasks (like analytics) and doesn't have to be shown for things like login sessions. Your browser can't distinguish between those.
The cookie notice policy led to the worst imaginable actual outcome: A state in which you either accept cookies (incl. third party) by default or you will be haunted by numbing "reminders" that cookies exist. Usually taking large parts of your small screen estate.

Prior to that you could just disable them if you liked.

One can say that policy makers had good intentions - certainly. However, I can not imagine a valid evaluation that wouldn't conclude this policy as failure.

I don't disagree that the policy was a failure, I just disagree with your specific point made in the previous post.
Hmm. I'm not sure I can follow.

The browser not being able to distinguish between essential and non-essential cookies does not change the fact that cookies are and were entirely voluntary.

Right, but there's no reason to think the legislators didn't know that, because their goal was not to prevent the use of all cookies.
They thought that sites would stop using tracking cookies. But most sites use google analytics.
The intention was to highlight just how many sites use cookies to trace your movements that you might not realise. Clearly it didn't work well, and led to the reasons for a lot of the GDPR
> Cookies can actually be very user/privacy friendly, since they provide a way to retain user preferences without requiring an account to tie them to.

Enable cookies at that point then, don't turn them on globally for everyone.

> Blame the stupid EU cookie law for that though, not the sites.

If every site didn't turn on cookies by default as if they're somehow needed to read a text page a didn't contain a billion trackers then there would have been no law in the first place.

The need for this law lies squarely at the feet of the sites themselves, the industry has shown no desire to regulate itself.

There are several blocklists specifically curated to adress the EU cookie nag:

http://prebake.eu/ https://www.i-dont-care-about-cookies.eu/ https://github.com/r4vi/block-the-eu-cookie-shit-list

AFAIK some prominent cookie notices are also part of the Fanboy Annoyances list: https://easylist.to/

The only prominent nags that are not very well targeted with those lists are in webapps like reddit mobile. Primarily because of their dynamic, non-descriptive ids.

Yep, I've used "I don't care about cookies" for a couple years now I think, it's been great. It's very rare that I see these pop-ups.
> autostarting video and streaming

Super annoying. In Firefox in about:config, you can set: media.autoplay.enabled to false. That works well for me.

A similar setting exists in chrome where you can mute all tabs by default and only whitelist a limited number.
Some sites are using js tricks to override this setting.
The extension "I don't care about cookies" prevents 99% of the useless "we use cookies" pop-ups.
You do know that this is not a "web problem". Just spend 10 minutes with your average 13yr old and see how many times they get bombed in the face with one of those interstitial ads.

Also it is easier to root your phone with a malicious app than with a web page. Heck, if you are an app developer why even bother to root phones when you can just do whatever you want, after all if the user does not give you all-in permissions you won't even let the app run.

AFAIK this is against guidelines and the app shouldn't be approved in the App Store. Not sure about Google Play
I sometimes use reddit with Firefox for Android (beta, equipped with noscript and ublock origin) and it's really not too bad like that.

But overall I get a much better experience using the free, open, 3rd party app Slide ( https://www.reddit.com/r/slideforreddit/ ) so, maybe give that a try? (Assuming you're on Android - ios, I've no idea.)

no don't give up. just be in the vocal minority that gives a shit and expects better.
Good start targeting one of the biggest offenders. Now make the next step implementing full blown ad blocker the way Brave has done it.
Firefox has tracking protection. It's a pretty effective ad blocker for me.
That's absolutely wrong! Tracking protection just results in dumber ads. But they still clutter your pages and waste your bandwidth.
That tracking protection is a good enough ad blocker for me is absolutely wrong? You do realize that tracking protection actually blocks ads, don't you?
I did not know that, sorry. I thought it blocks tracking cookies and stuff. Does it actually hide advert elements from the page? If yes, I can see how it can be good enough for most people.
Stop "containing" Facebook, just quit it. These workarounds are just keeping you from facing the real problem: the time and mental effort spend on Facebook.
Quitting Facebook doesn't solve the problem that containing it solves.
This is an interesting idea. One big part of the problem with Facebook is how their ad system follows you around the web.
I would like to isolate every website I visit into a container, such that cookies or other tracking mechanisms are unable to be effective while on other pages.
What about ips?
To an extent, Tor can address this, though many sites make this exceedingly painful (Captchas, rate-limiting, outright blocking), and Tor itself is slow -- to set up, bandwidth, and latency.

I'm not sure if some middle tier of connection indirection, content caching-and-forwarding, or other mechanisms, might better address this.

There are protocols such as IPFS and browsers such as Min which might be a partial response to this:

https://minbrowser.github.io/min/

How in the world do you get this to work with subdomains in the general case? How do I just say "open all [sub]domains under example.com in their own container, end of story"?
Can't this be easily bypassed by Facebook? Given the amount of information usable to fingerprint browsers with JS enabled can't FB do some basic tricks like IP + WebRTC local IP + WebGL fingerprint + Canvas Fingerprint , etc...?
Yeah, their fingerprinting would be incredibly well trained, and I imagine would work perfectly well on sparser data.
Wouldn't surprise me; Perhaps containers could be extended to spoof/fuzz some of this data when then the site requests it? OTOH, if this blocks the tracking done by facebook's like buttons/forums by preventing their loading outside the container, then I don't think there's anything for FB to go off.
If users need to go through so many hoops to avoid facebook tracking, Best use privacy badger + don't use facebook at all.
can someone explain why this is necessary? shouldn't anything that happens outside of any site stay outside that site, why a special extension just for facebook?
Let’s say you go to example.com and they’re using a Facebook Pixel for analytics - so example.com can continue marketing that widget to you after you’ve left their site.

Well, when you visit example.com/shop/widget1 you essentially load a 1x1 pixel image from the url ads.facebook.com/pixel?metadata=goes-here and you web browser sends your Facebook cookie along side the request (as it does for every request to .facebook.com).

So Facebook knows what site you’ve visited and what your interest are so that example.com can better market to you, their prospective customer.

The web relies on cookies so you can remain logged in, have a shopping cart, and do most everything else that is stateful (though sometimes this stuff gets implemented in the browser’s webdata cache called localStorage). The container effectively makes the “session” - all data that is identifying - unique to the tab. So you couldn’t open a second tab and remain logged in to your bank account, for example.

the urls are examples; I’m on my phone, not on my laptop.

Can't the websites share that information with facebook by proxying that information? It'd be the same workaround as for ads if you host them it's very hard for someone else to block them, especially if you use dynamically named divs, image sizes etc.
No. You’re not providing your Facebook cookie to the third party site. So, there is no way to associate your identity on example.com with your Facebook profile.

Think of it this way, if you have an authentication ticket, such as what is in a session cookie, then you have access to your account. If someone intercepted that ticket / cookie, they could maliciously act on your behalf and play around on your Facebook - just like you. Your browser therefore doesn’t send cookies to domains that aren’t specified as trusted by the originator of the cookie; I.e. third parties.

So example.com and Facebook wouldn’t be able to associate the two identities.

*except of course through some interesting trickery like browser fingerprinting.

In my opinion Containers are the best thing in Firefox. I'm sacrificing battery life just so I can use them on my Mac.

I finally feel free to search for whatever I want and not have second thoughts.

> I finally feel free to search for whatever I want and not have second thoughts.

Doesn't Google also link sessions through IP Address? That combined with "how you usually browse" + interests is a very powerful deanonymization tool.

You may be very right.

I haven't encountered any targeting related to search terms yet, but I'm sure they have the capability.

I do need to make the leap to DuckDuckGo at some point!

I did both at the same time. Containers were the easier of the switches, because while DDG does an admirable job, it's not Google level quality for searches, and it can't be while still providing privacy. 80% of the time it's fine, the rest is acclimating yourself to g! and reminding yourself it exists.
Making the leap to DDG was way easier than I thought and I am really pissed now that I didn't do it months ago. As other have said, you can generally find anything you want and, if not, you always have !g. However, I now have an intuition as to what sort of searches might yield good results. Either way, I encourage everyone to do it. Just change your search engine to DDG in your browser and, after a couple of searches, you will forget it's not Google.
If they do, then you can turn it off through My Account -> Google Search personalization -> Signed out search activity.
What's a Firefox container and why should I use one ?
As the page explains: it prevents Facebook from tracking you across the Web.
No I read it, but I want to understand the technical details like how is this different from using Facebook in incognito window.
Using Facebook in private windows only is a reasonable workaround that achieves roughly the same if you're disciplined. The addon is more user friendly.
Is there an advantage to this over Chrome Profiles, a feature built-into the browser?
This is install and forget. With Chrome Profiles you have to change your behaviour. i.e. opening a new window in the right profile before you open facebook. Also, one slip up with chrome profiles and you could end up with a facebook cookie in the wrong profile.
GNOME Web (Epiphany) lets you easily save a web page as web application, so that it gets an own desktop icon and browser profile to separate it from your normal browser.