Does HTTPS Everywhere actually work for you? It's utterly useless for me as far as I can tell. Try going to some site (say, example.net) in Chrome and watch it just load HTTP.
IIRC, you have to enable the "strict" mode, or something along those lines, in the settings before it rejects HTTP connections from being made. I had the same issue.
Thanks, but then what do I do about HTTP-only sites? Why can't it default to HTTPS and then auto-fallback to HTTP when HTTPS connections fail for sites that aren't in the known-HTTPS list? It seems like a logical thing to do instead of just going straight to HTTP.
I hate captchas and love how buster is feeding them their own dog food by using speech to text to defeat captchas!
Seriously though, it almost makes me look forward to sites that have captchas to feel like I’m sticking it to google instead of working for free to help them make their computer vision models better.
one thing I only started doing recently was to (in firefox, not sure chrome even gives you that control) disable the option to use fonts.
I set my serif/san-serif fonts (ubuntu, ubuntu mono) and disable "allow website to choose their own font"
It's incredible how having a standard font all over makes reading easier.
Only downside is a handful of sites that uses the neo-windings (fontawesome et al) for icons. But it's not hard to click the button with an "S" instead of the one with a magnifying glass.
If you can live without Chrome, you can live without all Chrome extensions in the article; If you can live without a desktop/laptop, you can live without all Chrome extensions.
I just don't like this kind of eyeball-attracting title: Too much exaggeration
I have seen it a few times, but only on mobile IIRC and it wasn't consistently shown across all pages where I wanted the functionality. I definitely can't seem to find it anywhere on desktop Chrome.
Google makes money from websites showing ads, so making a reader mode readily available would be counter to that. There used to be a hacky way to approximate reader mode in Chrome [1] but not sure if that still works. Just another reason to favor Firefox over Chrome IMO.
Google will always give only enough privacy options to give the veneer of supporting privacy, but never enough to truly allow it (e.g., anti-fingerprinting measures). You can't blame them really, it's just not their business model, but if you disagree with that model and its effects on you, you can choose a different browser.
I think of extensions as a way to adapt the web to my preferences. Sane defaults are not that universal and it's good to harness the power of the web to make everyone happy.
In a 300 word email I make at least 3-4 spelling errors either because I don't know the words spelling properly (yes there are many words) or because I type fast make mistakes. Grammarly checks their database and compare my sentences and suggest different ones. Try it, it really does help.
Out of curiosity, is English your first language? I can see that it would be helpful for fixing the types of errors you mention, and the kinds that appear in your comment. Does it give suggestions for text boxes like in HN comments as well?
I have tried it and found nothing useful for me, but am interested to know why/how people use it.
You guessed it right. No, it is not my first language that's why maybe I am more inclined to use paid tools like Grammarly. Although, my coworkers/employees are native speakers they make more spelling mistakes than non-native speakers (maybe confidence?). I force them to use grammarly and almost every email there is 5-10 corrections. If you didn't try yet, just download and scan some of your old emails. I bet you will find minimum of 5 mistakes. Better safe than sorry.
As far as I know they still send everything you type to their cloud service, and their privacy policy gives them broad latitude to use that info to "improve the service."
Right now I use "LanguageTool" with the Java-based server running locally. After I imported the ngrams it works good enough to be a clear improvement over Firefox's bad built in spelling/grammar checker. The UI is passable. It does randomly decide I typed another language though and tell me everything I typed is misspelled in that language.
In an ideal world I'd prefer to pay LanguageTool money for their premium product, but they have the same privacy problems as Grammarly. Heck I'd pay Grammarly if they had a more private offering, it is a good idea.
Honestly, most of them. Grammarly in particular because of privacy concerns, but I avoid using any that are not both open source and high payoff.
I use Privacy Badger and NoScript. I may add Ublock Origin to cover the edge cases where I need to enable JS. Anything else is adding bloat, not cutting back on it.
NoScript in particular covers:
UBlock Origin, Nano Defender, Hover+Unpaywall, and ShutUp
Most of the others, I already use something outside of a browser or don't need.
There's an incredibly useful extension that's not on that list that I bet a good number of HN folks would like:
Vimium [1]
It lets you use keyboard shortcuts to navigate through webpages, click buttons, jump to text boxes, etc. it's been huge for me both as a productivity tool (it's significantly faster than using a mouse for navigation) and also for reducing RSI/strain on my hands.
Here's a video of it in action as you really need to see it being used to understand the different interaction model it provides.
Ironically Vimium (and most extensions) are disabled on the Chrome Extensions domains. So when I hit 'yy' to copy the URL of the existing page it didn't copy it, so I instead pasted the last URL I had, which was the CPRA checklist.
Not something I had intended to do, but I hope the checklist was useful.
I used to use vimperator and/or pentadactyl back before the big firefox change that redid how the browser buttons/menus/etc were rendered and it was pretty ideal. The bar at the bottom, the ability to do bind any menu action, the quick addon management interface, the beautiful completion when opening a link.
Since eventually switching to Chrome, I've tried vimium every now and then and always found it lacking. It usually got in the way when I didn't want it to and I'd get sick of trying to figure out how to turn it off for a particular site/just for this one interaction and just uninstall it.
It's been a year probably, so I guess I'm about due for another go.
I am too wary of malware extensions to install that many. It is clearly trivial [0] for malware to get into the Chrome store, and Google is not doing enough to make me feel comfortable with it.
Additionally, I know that even as non-malware extensions grow in popularity they are solicited by malware companies to integrate their software in an update. I experienced this first hand with the HoverZoom extension. [1]
Yes, this - absolutely. Every extension you install is another potential risk/attack vector. Consider the sources carefully and run the least number of extensions possible. Each one potentially has control of your browser, so choose accordingly.
KeepassXC is fortunately the only sane password-manager; so; bite your heads off with all the other crap. Bitwarden is a POS over-commercialized POS; use KeepassXC instead. Obvisously not afflitiated with KXC; and certainly not Shitwarden. Good for you that KeepassXC is free; unlike Shitwarden! Have your choices.
If there were ever a post to drive me away from a product, this'd be it. Good to know that I should stay well away from KeepassXC, if this is what its defenders sound like.
It's really disappointing to see what's a now flagged post and push-back to what was obviously a flagrant comment. For a more level-headed opinion on KeepassXC, it's decently polished and easy to use. It's also open-source and cross-platform. I like it and came from the original Keepass. I didn't have any specific issues with the first besides wanting to try something new. I haven't noticed any major issues with KeepassXC myself but open to hearing others' experiences.
Comment was flagged so I have no idea what they said, but I use KeePassXC and I'm happy with it. Regular KeePass is good too, but I use XC because it's cross-platform.
If you turn on showdead in your user profile settings you can see flagged comments. I find it helps with context in situations like this, but certain types of posts do attract a lot of racist/sexist garbage that you normally cant see so be forewarned.
I signed up for LastPass a couple of weeks ago, and they started sending me spammy emails every single day. I went into account settings and disabled the emails, and they kept coming. I opened a support thread on their forum, linking many other similar threads going back several years, and saying that they have to fix this under GDPR... Silence.
I deleted my account and switched to BitDefender. Still getting the LastPass emails though, whenever I check my spam folder.
Also, LastPass slowed my Android phone a lot. BitDefender doesn't seem to do that.
In short, my recommendation is: stay the hell away from LastPass. They can't even handle an email system, I don't trust them at all to handle my passwords.
Their Windows application was also painfully slow.
I paid them for years but I no longer trust them, it seems to me they are incompetent as an organization even if the people who work there might or might not be smart.
Isn't this true, to some degree, with all software distribution channels? Weren't CCleaner and FileZilla hacked to distribute malware alongside the main payload?
Unvalidated auto-update really is an anti-pattern. Giving arbitrary third parties the power to install and run software on your system in perpetuity is a massive attack vector. Most software doesn't represent a large active and ongoing attack surface that auto-updates would be a net positive.
I can't count the time I have heard good things about an extension, went to the chrome store page and ... "asks to read your data on all websites".
Hard pass.
I can't prevent the apps/OSes I use from gathering data about me, but that's at least one vector (although sadly a small one) I can do something about.
I really wish browsers would change their security model for extensions :\
"all or nothing" is ridiculous as the only option - let me revoke access or restrict it to specific sites. I may not care if X has access to site Y, but giving it access to Z means giving it the keys to my life so hell no. I don't even want to use it on Z.
I only discovered it because I was going to add a similar feature to my Chrome extension, and I was researching to see how others tend to implement it. I was glad to see that Chrome offers the feature natively, and surprised to see that Firefox didn’t.
I wish there was a way to exclude some websites instead! I want most of the extensions like ad/script/etc blockers to run everywhere, except say GMail.
> "all or nothing" is ridiculous as the only option - let me revoke access or restrict it to specific sites.
Thank you. I've been waiting for Firefox to add this feature for almost 2 years. For a privacy focused browser, this should be a must have, top priority.
I think they have already? In the old days, you just click once to install a mouse gesture addon.
Now you have to dig into the settings. And give it permission before it could work. At first I found that annoying. But upon reflection. I guess it's a necessary evil.
while true, you can say this about anything which doesn't have any permissions system too. why worry about end-user security, they can just fork and modify.
which means, effectively, that it becomes a 0.001% or worse event. arguably the whole point of privacy-focused (or even -aware) software is to increase that beyond "fork and modify"'s ratio, as far as possible, because it doesn't work in practice for the vast majority of the globe.
Agreed. Like with Pocket's Chrome extension permission model[1] that has a "read everything on all websites", when really it only needs brief access to the URL when I want to save something.
I tried changing the "Site access" setting to "On click" -- but then the extension started acting funny or not working in some cases.
Chrome has added a more limited "activeTab" permission[2], but even that might be too much since it grants control to the tab and continues to allow permission on the same origin.
Like the GP said, even if the extension developer isn't trying to exfiltrate data, they should do more to protect users from a compromise of their extension, and browsers should give them the models to do so.
IMO, good security models can be a foundation forward to better overall security compared to desktop apps since it seems that browsers are becoming an OS of their own.
Just yesterday I ran into an invisible layer right here on HN when replying with a comment that opened a new page when I tried to click on something.
I disabled all extensions that I don't commonly use and am watching for now, but I have no idea how to actually tell which one did it (many of them were recently updated due to a Chrome change on August 6th or something).
For me it's uBlock Origin and uMatrix. The web is unbearable without those two. Pages load at least 50% faster. Makes you realize the amount of crap modern sites load.
Panorama view (think spaces for tabs)
Multi-account container (keeps facebook properties and google properties on their own world)
User-agent switcher (I switch to mobile on heavy websites)
Evernote clipper
FoxyProxy
Auto-tab discarder
HTTPS Everywhere
S3 translator
It is mentioned in the link, but I just want to emphasize that Video Speed Controller [1] has been amazing for me. Unfortunately, it didn't work as well on Firefox (stuttering on higher speeds above 2X) when I tried it a year ago. Which means I'm stuck with chrome for at least a decent amount of my activity.
I just use uBlock Origin to clean up websites I visit of their trending sections, recommendation sections, comment sections. Sometimes I get rid of links that I might mindlessly click, like the whole top bar of reddit.com.
For example, these filters work really well on youtube.com
The one extension I cannot live without is hover zoom+. Hover over any thumbnail (for a customizable amount of time) and it loads the full size image on top. When people see me using it with google images, they always ask how I did that.
I recently deleted all of my extension off all three browsers (Chrome, Firefox, and Safari). The ad blocking on Firefox is almost as good as Ublock Origin. I found privacy badger to be largely useless.
The only thing I miss is lastpass, but I've gotten used to having it run as a desktop app.
Containers in Firefox were nice, but I've also gotten used to switching accounts.
The fact that extensions get 100% access to everything on your page (including password forms) is just a no-go for me. I have to draw the line somewhere.
Well if you're worried about chain of trust, you could only use recommended extensions on Firefox. They're manually reviewed so you're still only really trusting the organization that runs your browser.
Bonus point if you download the extensions and manually review it yourself.
I actually use this one a lot, lets you take a video and make it the full size of the browser. I find that theater mode youtube isn't quite big enough on a 4k screen, but I don't want to pop into fullscreen mode.
The days of uBlock Origin on Google Chrome are numbered. It may not work for Google Chrome when Manifest V3 is implemented (and no recourse provided for uBlock Origin). [1]
P.S: I haven't kept up with the latest developments on this since last year.
Although it’s not quite as good as uBlock Origin, moving to a network based setup, like PiHole or AdGuard Home, can make great strides across all your devices with minimal headache or worrying as much about Google making it harder to control your web content. It makes it very apparent when I’m browsing on my phone or iPad and they switch over to LTE because all the sudden there are ads everywhere.
At some point I’m sure they’ll start trying to bypass local DNS by forcing DNS over HTTPS to only their approved servers, at which point someone will build a MITM HTTPS proxy for home users that you can seamlessly install onto a Raspberry Pi until we see the next escalation in the never ending battle for our eyeballs.
GP here. You can also try NextDNS.io, which allows you to choose blocking lists. There are apps for iOS as well as other platforms to allow it to be used on all networks (or even configure it not to be used on specific WiFi networks).
> If uBlock Origin doesn't update, there'll be a dozen adblockers that work with Manifest v3 on day 1.
You seem to not know what manifest v3 is actually doing.
Any adblocker with a static list of domains per-update of the crx file's manifest is useless. Users would have to install hundreds of extensions (each with dozens of domains that they themselves block), just to have the same functionality.
If any anti adblocking team of any ad network decides to just rename foo.tracker.net to bar.tracker.net, all adblocker extension users would have to REINSTALL the chrome extension manually because the manifest's list of domain is statically builtin.
You're operating off of outdated information. Rules do not need to be baked into the manifest.
>The Declarative Net Request API now allows for the registration and removal of dynamic rules - specified at runtime rather than statically in the manifest. We’ve also added the capability to remove common tracking headers, such as Referer, Cookie, and Set-Cookie.
In the post:
"Shut Up disables comments everywhere. When I trust a platform's audience enough to read the unfiltered outputs from their brains, I enable comments for just that site. Sometimes I turn it back off immediately"
At the end of the post: A comments section with spam in it.
Honestly, I can imagine that content creators would love the option of not seeing their comment sections, at least after they take off. If I were, say, Dan Harmon, I'd be really happy to have the option of filtering every post anywhere with a reference to his work.
192 comments
[ 4.8 ms ] story [ 211 ms ] thread0: https://addons.mozilla.org/en-US/firefox/addon/tree-style-ta...
Much nice I think, but had some bugs with sessions sometimes.
An active adversary will just cheerfully block that HTTPS connection because you'll fall back to insecure silently.
Are you a robot?
Seriously though, it almost makes me look forward to sites that have captchas to feel like I’m sticking it to google instead of working for free to help them make their computer vision models better.
Had to install "privacy pass" cos of cloudflare's move to hCaptcha
screenshot whole page (not always produce good result)
Magnifier
I set my serif/san-serif fonts (ubuntu, ubuntu mono) and disable "allow website to choose their own font"
It's incredible how having a standard font all over makes reading easier.
Only downside is a handful of sites that uses the neo-windings (fontawesome et al) for icons. But it's not hard to click the button with an "S" instead of the one with a magnifying glass.
Reader mode is a little surprising, doesn’t Chrome have that built in?
Google will always give only enough privacy options to give the veneer of supporting privacy, but never enough to truly allow it (e.g., anti-fingerprinting measures). You can't blame them really, it's just not their business model, but if you disagree with that model and its effects on you, you can choose a different browser.
[1] https://www.cnet.com/how-to/how-to-enable-reader-mode-in-chr...
chrome://flags/#enable-reader-mode
Didn't find it in chromium. Might look again.
chrome://flags/#enable-reader-mode
Are we cool with them now or are they still stealing your data? I'm not up to date
I have tried it and found nothing useful for me, but am interested to know why/how people use it.
Right now I use "LanguageTool" with the Java-based server running locally. After I imported the ngrams it works good enough to be a clear improvement over Firefox's bad built in spelling/grammar checker. The UI is passable. It does randomly decide I typed another language though and tell me everything I typed is misspelled in that language.
In an ideal world I'd prefer to pay LanguageTool money for their premium product, but they have the same privacy problems as Grammarly. Heck I'd pay Grammarly if they had a more private offering, it is a good idea.
Honestly, most of them. Grammarly in particular because of privacy concerns, but I avoid using any that are not both open source and high payoff.
I use Privacy Badger and NoScript. I may add Ublock Origin to cover the edge cases where I need to enable JS. Anything else is adding bloat, not cutting back on it.
NoScript in particular covers: UBlock Origin, Nano Defender, Hover+Unpaywall, and ShutUp
Most of the others, I already use something outside of a browser or don't need.
Vimium [1]
It lets you use keyboard shortcuts to navigate through webpages, click buttons, jump to text boxes, etc. it's been huge for me both as a productivity tool (it's significantly faster than using a mouse for navigation) and also for reducing RSI/strain on my hands.
Here's a video of it in action as you really need to see it being used to understand the different interaction model it provides.
https://youtu.be/t67Sn0RGK54?t=21
1 - https://chrome.google.com/webstore/detail/vimium/dbepggeogba...
edit: fixed link (but if you enjoyed the writeup of data security requirements let me know).
Not something I had intended to do, but I hope the checklist was useful.
Since eventually switching to Chrome, I've tried vimium every now and then and always found it lacking. It usually got in the way when I didn't want it to and I'd get sick of trying to figure out how to turn it off for a particular site/just for this one interaction and just uninstall it.
It's been a year probably, so I guess I'm about due for another go.
The reason I switched to cVim was that I preferred its approach to the 'type keys to click link on page' feature.
https://github.com/atlas-engineer/nyxt
Additionally, I know that even as non-malware extensions grow in popularity they are solicited by malware companies to integrate their software in an update. I experienced this first hand with the HoverZoom extension. [1]
[0] https://awakesecurity.com/blog/the-internets-new-arms-dealer...
[1] https://www.ghacks.net/2013/12/26/hoverzooms-malware-controv...
I think the only closed-source extension I run is lastpass, and I'm evaluating open-source alternatives.
How do people who cannot read code even cope, I don't know.
What's wrong with Keepass?
I deleted my account and switched to BitDefender. Still getting the LastPass emails though, whenever I check my spam folder.
Also, LastPass slowed my Android phone a lot. BitDefender doesn't seem to do that.
In short, my recommendation is: stay the hell away from LastPass. They can't even handle an email system, I don't trust them at all to handle my passwords.
Their Windows application was also painfully slow.
I paid them for years but I no longer trust them, it seems to me they are incompetent as an organization even if the people who work there might or might not be smart.
Hard pass.
I can't prevent the apps/OSes I use from gathering data about me, but that's at least one vector (although sadly a small one) I can do something about.
"all or nothing" is ridiculous as the only option - let me revoke access or restrict it to specific sites. I may not care if X has access to site Y, but giving it access to Z means giving it the keys to my life so hell no. I don't even want to use it on Z.
So if you want no extension to be able to read gmail,
Add mail.google.com or google.com to
extensions.webextensions.RestrictedDomains in about:config
Thank you. I've been waiting for Firefox to add this feature for almost 2 years. For a privacy focused browser, this should be a must have, top priority.
Now you have to dig into the settings. And give it permission before it could work. At first I found that annoying. But upon reflection. I guess it's a necessary evil.
Edit: I misread the parent comment.
which means, effectively, that it becomes a 0.001% or worse event. arguably the whole point of privacy-focused (or even -aware) software is to increase that beyond "fork and modify"'s ratio, as far as possible, because it doesn't work in practice for the vast majority of the globe.
So if you want no extension to be able to read gmail,
Add mail.google.com or google.com to
extensions.webextensions.RestrictedDomains in about:config
I tried changing the "Site access" setting to "On click" -- but then the extension started acting funny or not working in some cases.
Chrome has added a more limited "activeTab" permission[2], but even that might be too much since it grants control to the tab and continues to allow permission on the same origin.
Like the GP said, even if the extension developer isn't trying to exfiltrate data, they should do more to protect users from a compromise of their extension, and browsers should give them the models to do so.
IMO, good security models can be a foundation forward to better overall security compared to desktop apps since it seems that browsers are becoming an OS of their own.
1: https://help.getpocket.com/article/912-what-permissions-does...
2: https://developer.chrome.com/extensions/activeTab
I disabled all extensions that I don't commonly use and am watching for now, but I have no idea how to actually tell which one did it (many of them were recently updated due to a Chrome change on August 6th or something).
All other ones are nice to haves but those are my building blocks.
I’m skeptical of Grammarly from a privacy standpoint. It seems to be an internet-enabled keylogger.
[1] https://chrome.google.com/webstore/detail/video-speed-contro...
Download notifications - since FF has crappy notifications about finished downloads unlike Chrome, so this way I can't overlook finished download
https://addons.mozilla.org/en-US/firefox/addon/gnome-downloa...
HTTPS Everywhere and uBlock origin - no need explanation
To Google Translate - since FF doesn't have built in translation service, so this way I can easily translate page through right click menu
https://addons.mozilla.org/en-US/firefox/addon/to-google-tra...
but if I would be using Chrome I would need just ublock and https everywhere (although not sure if is is not redundant nowadays in both browsers)
For example, these filters work really well on youtube.com
youtube.com##.ytp-pause-overlay
youtube.com##.ytp-suggestion-set
youtube.com##.ytp-endscreen-content
youtube.com###related
My Youtube list. No recommened videos on the side, unless playing a music or video playlist.
No other crap, signin prompts, etc
https://addons.mozilla.org/en-US/firefox/addon/df-youtube/
https://chrome.google.com/webstore/detail/hover-zoom%20/pccc...
The only thing I miss is lastpass, but I've gotten used to having it run as a desktop app.
Containers in Firefox were nice, but I've also gotten used to switching accounts.
The fact that extensions get 100% access to everything on your page (including password forms) is just a no-go for me. I have to draw the line somewhere.
I trust my browser and OS more than extensions.
Your security posture is probably different than mine.
Bonus point if you download the extensions and manually review it yourself.
What I meant is that if you use a commercial OS and browser (and your ISP too) they're still going to exfiltrate your web activity to their servers.
https://chrome.google.com/webstore/detail/fullscreen-video-t...
The days of uBlock Origin on Google Chrome are numbered. It may not work for Google Chrome when Manifest V3 is implemented (and no recourse provided for uBlock Origin). [1]
P.S: I haven't kept up with the latest developments on this since last year.
[1]: https://www.ghacks.net/2019/01/22/chrome-extension-manifest-...
Microsoft will simply follow Google's lead.
At some point I’m sure they’ll start trying to bypass local DNS by forcing DNS over HTTPS to only their approved servers, at which point someone will build a MITM HTTPS proxy for home users that you can seamlessly install onto a Raspberry Pi until we see the next escalation in the never ending battle for our eyeballs.
It should be quite trivial to write an adblocker that integrates with EasyList using the new APIs.
You seem to not know what manifest v3 is actually doing.
Any adblocker with a static list of domains per-update of the crx file's manifest is useless. Users would have to install hundreds of extensions (each with dozens of domains that they themselves block), just to have the same functionality.
If any anti adblocking team of any ad network decides to just rename foo.tracker.net to bar.tracker.net, all adblocker extension users would have to REINSTALL the chrome extension manually because the manifest's list of domain is statically builtin.
>The Declarative Net Request API now allows for the registration and removal of dynamic rules - specified at runtime rather than statically in the manifest. We’ve also added the capability to remove common tracking headers, such as Referer, Cookie, and Set-Cookie.
https://blog.chromium.org/2019/06/web-request-and-declarativ...
At the end of the post: A comments section with spam in it.