150 comments

[ 3.5 ms ] story [ 268 ms ] thread
The issue I have with Tor Browser is the greater chance of 0day exploits for Tor Browser existing/being held onto, when compared to browsers like Chrome that have much greater resource for security.

Remember, Zerodium revealed a 0day in all Tor Browser v7 and under once v8 had been released https://twitter.com/Zerodium/status/1039127214602641409

Ignoring of course, the blantant tracking that Google itself engages in.
Chromium then ?
The entire point of tor is for very secure end-to-end encryption to the point that certain professionals (state actors and even criminals) use it for their purposes. Chromium is a general purpose browser that does not do that. You can't compare them because zero-days isn't the only relevant detail to compare here.
Recommending chrome over tor browser due security concerns. What are the chances this very specific comment was made in good faith?
> What are the chances this very specific comment was made in good faith?

That's irrelevant, per the guidelines.

> Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith.

What is your point?

1. I responded to the strongest possible interpretation based on what was said.

2. How is that irrelevant?

If, for whatever reason, your goal is to conceal conflict or negatives in general, I suggest you pick on someone else.

The guidelines mandate you to assume good faith (you must observe them to participate here).

This means (not exclusively) that you have to first answer yourself to that doubt you expressed vis-a-vis the post that originated it, and attempt finding an acceptable interpretation of the original post. Your reply shall reflect that.

(If your «strongest possible interpretation» clashes with the assumption of good faith, you will have to think again, and longer. Surely, your reply will reflect that.)

Contextually, for example: the poster did not recommend a non-identity concealing product over an identity concealing product /in general/ - the poster noted that the way the identity concealing product is developed/distributed, it is easier for exploitable bugs to be fixed comparatively later - the user must be aware of this.

Also:

> conceal conflict

No. "Manage conflict productively", to achieve some result. «For whatever reason»: efficiency, efficacy, productivity, civilization, enthalpy (fighting entropy), "keeping the place in good order".

He's doubting the intentions of the author, he's not attacking a straw man. I don't see a problem there.
The problem is if we get a comment every time someone thinks someone else has a hidden agenda, thats a lot of noise on the forum (or indeed any forum in general). People really slog it out like that on Reddit and it is quite annoying when they do.
I see what's going on here. You've had bad experience on a forum I've never been and projecting your frustrations onto me.

Why can't you assume good faith on my part?

You are off in guessing my state of mind.

My point is making assumptions about intent leads to boring discussion. See the moderators (dang) post history and what he has to reply to, for examples.

There is a guideline on HN about replying to the best possible interpretation.

Doing so diffuses trolls and encourages people who didn’t explain well the first time to expand on their thinking.

It is also super pleasant to read posts of this style.

Like quickthrower2 wrote, plus, the matter of duly post quality. There are two drawbacks: dilution of qualitative posts like signal in noise, and that each post should have inherent value (not cheap). Safeguarding personal expression (of the person as it is), every member should do their homework. This also involves finding the «strongest plausible interpretation of what someone says».

You seem to entail from the formulation of that guideline («...easier to criticize») that only strawman arguments are discriminated: too literal. For that matter, one could have mentioned «curious conversation», «shallow dismissals», «insinuations». You should take the guidelines as a whole - the intention - instead of just their formulated parts (which are not a lean complete formal logical corpus from which all consequences can be entailed through sheer syntactical deduction). Literally, a mandate is there against what «degrades discussion».

Tor Browser is just an old version of Firefox, with lots of known vulnerabilities. FBI is well known to take over Tor hidden services and exploit the visitors with a 0-day/1-day, which makes it easy to de-anonymize them.

Privacy depends on security. Firefox is about 3-5 years behind security level of Chrome (Sandbox, Fuzzing efforts, hardening efforts, source code reviews, etc.).

That's not true, it's based on Firefox ESR which does get security patches, just not new features between major versions.
This is FUD. Neither Chrome nor Firefox are any good for *security*, as they both regularly get pwned at every hacking contest there is. Tor Browser is a different beast, because although it's based on Firefox, its attack surface is infinitely smaller than that of Firefox.

When running in Safest mode, it's essentially just rendering HTML/CSS/images: anything that involves convoluted decoding (video, webfonts, scripts) is disabled. Treating your web browser as an environment for declarative pages is best practice for security: no matter how many layers of sandboxing you'll use, people will find holes.

So apart from a few bypasses like the parent comment explained, TBB is decades ahead any other browser's security level out there (except for your favorite CLI browser over Tor which has roughly the same properties).

Through the Tor Uplift Project,[1] Tor Browser's Fingerprinting Protection feature is now available in Firefox on desktop and Android. The feature makes Firefox hide some pieces of identifying information from the sites you interact with, such as your timezone (which is set to UTC), some of your fonts, your keyboard layout/language, and parts of your user agent (for example, your browser version is set to the latest ESR version).[2]

To enable Fingerprinting Protection in Firefox, go to about:config and set privacy.resistFingerprinting to true.

Some Firefox forks enable Fingerprinting Protection by default, including LibreWolf[3] (desktop) and Mull[4] (Android). If you are on Android, the release version of Firefox does not include access to about:config, and you'll need to either switch to Firefox Beta/Nightly or use a fork like Mull, Fennec F-Droid, or Iceraven to take advantage of this feature.

[1] https://wiki.mozilla.org/Security/Tor_Uplift

[2] https://support.mozilla.org/en-US/kb/firefox-protection-agai...

[3] https://librewolf.net

[4] https://f-droid.org/en/packages/us.spotco.fennec_dos/

I just altered that setting and now Firefox resets my zoom level for every page I read to 100%. Makes HN unreadable as my default zoom for this site is 170% and having to set it every page I visit becomes old very quickly!

Interesting side effect though.

Yes, disabling site-specific zoom is one of the things that Resist Fingerprinting does.[1] If you want to use site-specific zoom while keeping Resist Fingerprinting enabled, the Zoom Page WE add-on[2] should allow this. I've just tried it and it worked for me.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1369357

[2] https://addons.mozilla.org/en-US/firefox/addon/zoom-page-we

Why does a website need to know my zoom level, i.e., why is this information even made available?
It’s been a while but IIRC as long as there’s JS it can be gotten implicitly by probing and comparing dimensions of elements and viewport on the page.

We could question if that’s really necessary as well but the ship has kind of sailed on that one.

IMHO, even when sand-boxed, allowing a fully Turing-complete language with such a vast selection of available APIs to run on page load per default is what kills privacy.

People should be trained to allow script execution only when they trust the site, and there should be levels: Zero, Fully Isolated, Trusted.

OK now time to wait for someone to tell me this will be too much to ask from users. It wouldn't be an invalid point either, we can't even train people to have some common sense when in control of tons of steel going fast loaded with highly flammable liquids... So, there's that.

I don't know.

It's not even per page. I don't care if I trust that page, I don't want any FB scripts to run. There are so many external libraries included (loaded from a CDN they do not control) that I don't trust any developer to know with 100% certainty what their app includes.
Maybe something like randomizing the variables in a realistic way across many sessions where the real session is controlled and viewed directly by the user.

I don't think it would work when there's a state across views or server though, but maybe that's something you avoid when using Tor anyway?

My hunch is that it’s not explicitly provided to the website by the browser, but there are ways to measure what the zoom level is using JavaScript on the page.

One could use element.getBoundingClientRect and similar APIs to measure what size certain elements are rendered at and compare that with their default size for instance.

The resulting zoom level can then be used as a signal for fingerprinting.

To render content based on device screen scaling. window.devicePixelRatio provides page zoom level combined with OS DPI setting. Things like canvas do not use scaling by default, so to render content appropriately you need to know by how much you have to scale it. Other use cases exit too.
(comment deleted)
I find that question valid for almost everything that's used for fingerprinting. Eg. Why is timezone available by default?

I wrote more but I sound like old man shouts at cloud. I've got ad and JavaScript blockers, but so much of the web is created sitting upon a mesh of invasive bullshit that it breaks easily.

Shakes fist at cloud anyway.

so that dates displayed can be correct by default, without having the user select their timezone from a dropdown with a million different options
Why not offer the "dropdown" at a layer the browser manipulates?

IE, web component where you can set a format string and then the browser renders it substituting the info it has?

Then sites that need to know the date can ask for it.

There's a lot we could do by splitting stuff into permissions and some sort of standard templates.

and then you can read it out to indirectly get the time zone anyway (albeit a less specific version of it, since you wouldn't have the DST info). also, sometimes you need to actually have the users time zone for things like e.g. scheduled blog posts, so that they will show up when the user expects them to, not their scheduled time in UTC or whatever.

I use a site that only does UTC, and time zone related complaints are the most common issue asked about on the forums

> IE, web component where you can set a format string and then the browser renders it substituting the info it has?

you can easily detect this

    - please display this localdatetime as a string
    - read it back and parse it
    - are they (almost) exactly multiples of 60 minutes apart?
    - if yes it's most probably your timezone
Do apps really need to read back strings they omitted?
they don't, but they can and by doing it they can check if the date has been changed by the browser because of time zone shift.
Yeah but why do you have to tell the server? The browser could display the date and time locally.
because websites are sometimes interactive and allow the user to schedule things to happen at certain times.

And displaying time/date locally would leak that information anyway if you wanted to do it in a way that works in various contexts it would need to in a website (e.g. canvas based apps)

even if you just let the user stylize the font of the date (which you clearly would need to), you tell your magic date input to only show the current hour, then use a font that has a certain width for each number, allowing you to then based on the width of that element figure out the hour, same for other things, obviously. It's easy to imagine some thing like that without thinking about all the details, but it's not really feasible once you think about how this would be implemented and how it could be circumvented. And that's in addition to not working in contexts where you schedule a blog post, zoom meeting, or whatever else might require the server to account for user time zone

This is the problem with the modern web, which has become an app distribution platform. When you treat the browser as an OS, you need to expose a lot of information for stuff to work.

It would be very interesting to develop a modern web based purely on declarative content (modern HTML/CSS). HTMX is an interesting take on this, although it's currently implemented as server-provided JS: i don't see a reason why such patterns couldn't be implemented by the browser itself.

> It would be very interesting to develop a modern web based purely on declarative content (modern HTML/CSS).

For sure. I think some scripting could also potentially be implementable without massive fingerprinting / privacy implications. E.g. pure compute scripts, form validation, etc. that has no practical way to smuggle any data out of your browser. Anything that sends a request would have to be statically derived (or explicit user input as into form).

Functional data pipelines without side-effects could do the trick indeed. It would also make it a lot easier to debug for performance issues, and the browser could be more clever about optimizations: for example if you've got a loop changing DOM elements, maybe you could wait for the loop to finish before starting a re-render... something that's impossible to do with JS-based rendering where global page state may change under your feet at any given time.

EDIT: Just for the sake of mentioning, simple/obvious computations for interactivity was the promise of GNU's libreJS project. I'm unaware of the current state of it, though.

> It would be very interesting to develop a modern web based purely on declarative content

Is not that the subset of the web that would work when javascript is disabled? Some already develop it in that direction - what is not declarative shall be unnecessary. Or are you suggesting something different?

The problem is the declarativeness of the web is very much limited for UI/UX purposes. There's been good steps taken with HTML5, although dropping XML-compliance was in my view a major mistake in terms of operability/simplicity.

I don't understand why we need to have dozens of CSS frameworks for "components" that have become common practice across the ecosystem. Pagination, "Hero" elements, intra-page tabs, breadcrumbs (and many others) should be HTML standard so that it's more accessible and users can come up with their own stylesheets. The breadcrumbs for example would enable your browser UI to show a "go up" button like your file browser does. Another interesting example would be element filtering: why can't a <form> with a local action property (like "#data") be used to filter a list of elements without JS?

As long as most UI of a page is dictated by dozens of piled-upon CSS hacks, user stylesheets will remain a wild dream. But given how little variety there is on the web these days, many things could be standardized part of the HTML spec so that CSS is only needed for customization (eg. colors, spacing) on simpler pages, while retaining the possibility for the server to suggest more complex CSS UIs as we currently do if you absolutely want to do that.

But why zoom level? Set that locally after the site sends the info.
> It would be very interesting to develop a modern web based purely on declarative content.

There is something like that, the Gemini protocol.

If you're talking about the gemtext format, unfortunately beyond titles, list, blockquotes, preformatted texts, and links, nothing else has been standardized.

I understand the appeal of simplicity but if you ask me that's a huge step backwards compared to HTML5. No <form>, no <section>/<article... It's like markdown but with another syntax :-/

i would very much like for htmx to not have to exist and just have the functionality subsumed into the HTML spec

it wouldn't be much work

Hey thanks for taking the time to reply. Have you maybe got in touch with hacker-friendly browsers such as nyxt? There may be some interested people over there.

Also, is there some good venues to discuss the semantic/declarative web with you htmx folks and hopefully people from other like-minded projects? IRC? XMPP? Matrix?

Sorry for the delayed reponse: nope, never talked w/ the nyxt folks. I tried to post a topic on the working group thingie but they, understandably, weren't very receptive.

We use discord for chat right now:

https://htmx.org/discord

Well the good thing about nyxt is it's super extensible so a PoC doesn't require proper "reception" on their side.

Do you maybe have a gateway/bridge to a libre network such as IRC/XMPP/Matrix? I find HTMX pretty interesting but i wouldn't touch discord with a 10-foot pole, if only because my limited computing resources won't allow for such a resource-hungry app to run in the background.

It seems like matterbridge supports discord backend but i don't have a discord account to try it with. If you're not willing to host matterbridge, i'm already hosting one and i would just need credentials to try and connect it to Discord. If you're willing to give that a try, feel free to mail me at my username @ thunix.net.

https://github.com/42wim/matterbridge

This is something that's confused me about Tor Browser. How helpful could zoom level possibly be towards fingerprinting a user to a degree where it's of any use for targeted advertising and the like?

Seeing that a user has a site's zoom set to 90% seems to be close to worthless in terms of narrowing down what cohort they're in, let alone identifying them individually. What am I missing here?

> Seeing that a user has a site's zoom set to 90% seems to be close to worthless in terms of narrowing down what cohort they're in, let alone identifying them individually.

How so? 90% is by far not the normal zoom level people browser with, so it is a perfectly valid data point to use for fingerprinting. Every single bit of data they can get makes your whole fingerprint more unique.

It adds a little bit of information that might help identify you. It may be less than a bit (e.g. if it's set to 100%), but it's still something.

You can see the informational content of various fingerprints here: https://coveryourtracks.eff.org/

Another thing that has less than a bit of content is having cookies enabled. Nearly everyone has cookies enabled, for better or worse, so having them on doesn't add much to a fingerprint. Having them off adds far more. But both add something.

> How helpful could zoom level possibly be towards fingerprinting a user

It's just another bit of information. Collect enough bits and eventually you'll have a likely-unique id. It doesn't matter what that information is as long as it somehow is about you (and not e.g. random). If you want to fingerprint, you just try to grab every bit of information you can, no matter how irrelevant it is taken on its own.

It doesn't need to say anything about a cohort to be useful, it just needs to enable identifying so that they can track you around and eventually combine other information they discover about you in a profile. And it doesn't even need to be 100% accurate; "that person coming from a Telia-owned IP visiting this site again at 2 AM GMT+2 using Firefox Nightly on Linux, with 1440p display and 120% zoom level and no fonts installed" could be two or three guys if I'm lucky but it's probably close enough to not matter for someone who just wants to sell me garbage.

If your zoom level were the only thing, then indeed it would be useless. Problem is, browsers leak lots of bits. It's better to try plug all leaks you can than it is to ask whether that particular leak alone is harmful enough.

Ah when you put it like that, I see the logic.
> close to worthless ... What am I missing here?

Differential calculus. One negligibility times by a huge amount equals one discreet amount. One bit here, one bit there, you get a fingerprint of a thoundred bits.

(comment deleted)
The UTC cloaking has a lot of downsides. Websites displaying false times, but not reliably, as they are mostly not indicating the timezone, and you never know if they are displaying local time of the site's location or try to get clever and use the visitor's time. No privacy win if you are browsing on locally relevant web websites, because your timezone is implied anyway. e.g. most of Europe has the same one. All of this is justifiable for TOR use, but it is the single most annoying problem making it too inconvenient for regular use.
Am utterly dumb downside is that the browser history - in your own local History window - has times shown in UTC.
With all the things that end up being surprising settings that fingerprint me, why is there not an “absolutely no auto-playing video” setting?
Genuine question, what is Mozilla doing that's so bad? I know stuff like pocket etc but can't you turn this stuff off? Interested so I know what I'm missing and can make an informed decision.
> what is Mozilla doing that's so bad?

Automatically enabling Cloudflare to monitor DNS queries is my biggest current pet peeve. The whole reason I used to use Firefox was that it wasn't a corporate product. Allowing a corporation to monitor DNS resolutions is undesirable, as is having to trust their privacy policy, or that they will abide by Mozilla's policy (I don't, and more importantly, shouldn't have to trust Cloudflare). And yes, you can opt-out, but the fact that it is enabled by default in some regions is offensive.

To be fair, there is almost always a corporation able to monitor your DNS resolutions. If not Cloudflare, then your ISP or proxy/VPN provider.

It's a tradeoff based on the relative risks of leaking them to Cloudflare vs ISPs

I would a thousand times over rather have my local ISP monitor DNS than Cloudflare. But the choice isn't ISP or Cloudflare. There are many options for secure DNS resolvers [1].

[1] https://dnscrypt.info/public-servers/

It's not like ISP's aren't shady af when it comes to this. I can appreciate your concern w.r.t. cloudflare but, at least in the US, ISP's are often more ostensibly dangerous than cloudflare.

To suggest that Cloudflare is "thousand times" worse is a bit of a stretch, I guess.

Mozilla must have had other criteria:

1. how reliable are these resolvers, right now and in the long term? can Mozilla get an SLA in contract?

2. what is the latency to them? (Cloudflare has PoPs everywhere, so it is likely very hard to beat)

3. what is their privacy policy? can Mozilla get assurances of this?

4. will they be crushed under load if all Firefox browsers on the planet starts using them?

etc.

I am no fan of Cloudflare myself; and avoid it whenever I can. But it is not that bad as a default, for users who don't understand any of these.

// 3. what is their privacy policy? can Mozilla get assurances of this? //

4 providers have contractually agreed to abide by Mozilla’s Trusted Recursive Resolver (TRR) program's policy requirements, so far.

https://wiki.mozilla.org/Security/DOH-resolver-policy#Confor...

CIRA Canadian Shield

Cloudflare

NextDNS

Comcast

I think you need to use the specific DoH URL in the above link to get the contract benefits, but maybe I'm wrong

Cloudflare's DNS violates this: https://wiki.mozilla.org/Security/DOH-resolver-policy#Blocki...

I had a user of my email server complain about not being able to receive emails from "cock.li". Turns out that this happened because I was using dnscrypt-proxy with cloudflare's dns (as it is the default in my distro) and thus the DKIM check was failing because it was not able to resolve the domain as it is being filtered by cloudflare. I changed to NextDNS after that.

I guess it's because the contract is valid only for Mozilla Firefox.

cock.li resolves perfectly fine on Firefox with Cloudflare DoH.

Are you sure? It does not for me. Although I am using my distro's release of Firefox. I will be trying it on my windows pc with the official FF release later.
Sure. Maybe your ISP is blocking the domain or something.
I can access it with my ISP, I can also access it with NextDNS (over DoH) and 8.8.8.8. My friends also reproduced my results from their machines.

Can you run dig @1.1.1.1 cock.li just in case?

That command runs fine. No errors.
Dig does not throw an error when it does not get a result, instead you get an output like this:

    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49352
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ; EDE: 0 (Other): (time limit exceeded)
    ;; QUESTION SECTION:
    ;cock.li.                       IN      A
    
    ;; Query time: 115 msec
    ;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
In contrast with a successful run like

    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21996
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;cock.li.                       IN      A
    
    ;; ANSWER SECTION:
    cock.li.                300     IN      A       193.239.85.202
    
    ;; Query time: 159 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
What’s wrong with cloudflare? Are they worse than Google for some reason?
Some people, perhaps correctly, see them as a centralizing entity for the internet with a profit motive. That they are also currently kind of "eating the world" gives cause for concern. They currently haven't yet betrayed their users but many see it as a matter of time before they begin selling user data.

Happy to be corrected on that last bit by the way if they have done anything egregious.

> if they have done anything egregious.

The way they tried to downplay the significance of Cloudbleed, for starters.

> But the choice isn't ISP or Cloudflare.

It is when you're talking about the default being offensive to you. The other options haven't been taken away from you.

So far, only 4 providers have contractually agreed to abide by Mozilla’s Trusted Recursive Resolver (TRR) program's policy requirements.

https://wiki.mozilla.org/Security/DOH-resolver-policy#Confor...

Maybe it's better to choose one among the 4

CIRA Canadian Shield

Cloudflare

NextDNS

Comcast

I think you need to use the specific DoH URL in the above link to get the contract benefits, but maybe I'm wrong

Forgive me if you will, but I don't really understand the idea behind privacy on DNS. If you're not using a VPN, even if the DNS resolution is private, the ISP can still see what IP you're connecting to. It's trivial to do a reverse lookup on that. And if I'm not mistaken, even on HTTPS sites, the domain is visible in the request in plaintext too. So why is there so much focus on proxying DNS?
While encrypted DNS does conceal the domain name from the ISP, it also prevents the ISP from intentionally returning an incorrect IP address in response to a DNS request. This behavior is known as DNS cache poisoning[1] (or DNS spoofing) and has been used by governments to censor websites and perform DDoS attacks on other websites.[2]

[1] https://en.wikipedia.org/wiki/DNS_spoofing

[2] https://www.crowdstrike.com/blog/cyber-kung-fu-great-firewal...

> And if I'm not mistaken, even on HTTPS sites, the domain is visible in the request in plaintext too.

I originally misread this sentence. Yes, HTTPS requests expose the domain/subdomain name in plaintext to support Server Name Indication, which allows a server to host multiple HTTPS sites.[1] The domain/subdomain name can be concealed from the ISP with Encrypted SNI,[2] which Cloudflare's 1.1.1.1 DNS resolver supports.

Firefox used to support ESNI as an about:config option, but in version 85, Firefox replaced it with support for an improved mechanism called Encrypted Client Hello.[3][4] ECH is not widely used yet, though Cloudflare is testing it on some of its servers.[5]

With DNS over HTTPS/TLS and ECH, the entire process of connecting to an HTTPS site can be done without leaking the domain/subdomain name to the ISP. The only remaining parts exposed in plaintext are the remote IP address and port.

[1] https://https.cio.gov/faq/#why-are-domain-names-unencrypted-...

[2] https://www.cloudflare.com/learning/ssl/what-is-encrypted-sn...

[3] https://blog.mozilla.org/security/2021/01/07/encrypted-clien...

[4] https://blog.cloudflare.com/encrypted-client-hello/

[5] https://blog.cloudflare.com/handshake-encryption-endgame-an-...

Thanks a lot for the responses, I understand now :)
>I would a thousand times over rather have my local ISP monitor DNS than Cloudflare.

ISPs lobbied to be able to sell our data. Cloudflare claims that they don't. I trust neither, but I trust Cloudflare %1 more than my scummy ISP.

It doesn't help what you can't find the list of those regions in FF KB.

EDIT: I honestly tried to, though I'm on mobile ATM

You're exactly right, the KB entry is infuriatingly vague about both the exact regions and the rationale for this.
The alternative is that all of your DNS queries are monitorable by anyone who happens to share a network path or segment with you, because the default behavior of DNS is that it is unencrypted.

DoH is a massive security and privacy improvement as a default, and you have many other options besides CloudFlare if you don’t want to use them. Personally I use NextDNS.

The browser now includes ads based on your bookmarks and browsing history through Mozilla's "trusted" partners:

> “When contextual suggestions are enabled, Firefox Suggest uses your city location and search keywords to make contextual suggestions from Firefox and our partners, while keeping your privacy in mind,” the support post reads. The “relevant suggestions” from “trusted partners” appear at the bottom of the usual search suggestions pulled from your bookmarks, browser history, and open tabs — a less intrusive version of a search ad, but technically still an ad.

Source: https://www.theverge.com/2021/10/7/22715179/firefox-suggest-...

(It's annoying that the mods unnecessarily removed my parent post that said Firefox is now an adware / spyware - I stand by it. Including ads and using and sharing users data is the definition of an adware / spyware.)

For those who ask, why not just turn it off - remember that corporations only have to follow the law. They have no obligation to be ethically good. If your country has lax privacy laws, companies will exploit it because it is legal. Then there is the trust factor - Mozilla has lost a lot of goodwill in selfishly only focusing on making more money from its browser than listening to their users and creating a good browser. That's why it has been losing ground to Chrome, and will continue to do so as long as greed guides all its decisions and makes Firefox worse. You'd think uBlock Origin's popularity would already have given some insight to Firefox on how much people hate unwanted and intrusive ads, especially that try to mine our personal data.

Does anyone know how good Epiphany (GNOME Web) is from a privacy/security POV compared to Firefox/Chromium?
They use WebKit. So I guess roughly on par with Safari, albeit with a (significant?) delay.
A browser and its privacy is much more than the engine. You could take webkit and make the most spying browser ever out of it. Most of what Safari does for privacy resides outside the engine itself.
Although I'm not a huge Gnome fan, I don't think they are predatory like that. AFAIK it's just a then wrapper around upstream tarballs.
I didn’t mean to say Epiphany actually is invasive. Just that the engine a browser uses doesn’t tell anything about privacy at all.
Depending on that delay, it could be a significant security problem. A known (n-day) vulnerability is still very useful when software has a lag in updating there components.
> As Mozilla converts Firefox to a spyware / adware

Can you substantiate? I wonder if this is true.

Firefox now includes ads built-in to the browser, and it uses and share your personal data with "trusted" partners to show you these ads - https://www.theverge.com/2021/10/7/22715179/firefox-suggest-... .
Can’t blame Mozilla for trying to find a revenue stream so that they don’t go bust.

I personally don’t think this elevates Firefox to spyware / adware status. It also seems easy to disable.

The search engine deals that make money for Mozilla again steer users to one search engine or the other and their massive ads infrastructure. Suggestions in address bar is just doing it without the intermediary search engine. If you don’t like you can disable. I will label a program adware/spyware if a feature is extremely mischievous and/or tough to disable — this one is neither.

Unzipping a random file into your privacy browser? Sometimes I really don't get these people. Feels like my neighbour who's antivax mostly because she ended up in that part of cyberspace where pharmacology can only do wrong. People overrate their own DIY alternatives.
What are you talking about?

The ghacks link is laying out some env vars and config values one can change.

Librewolf is a set of FF patches (which you can build yourself if you’d actually been corncerned about that vector)

Those steps are right there in the post you link?
You can use google, so you don't depend that every link has all the information you need.
I didn't link nothin'.
The post I replied to, which has disappeared in the meantime. The ghacks link.
The original link (https://www.ghacks.net/2018/11/26/can-you-use-the-tor-browse...) is to a comment in the Ghacks article's comment section made by "Tor11.0 NetworkDisabled". The "Beginner" instructions in the comment do tell us to download a .zip file from Dropbox or ufile.io and unzip it into the Tor Browser folder, which is a little sketchy. The "Advanced" instructions are okay.
Librewolf is really great, but you need to install an extension to be notified automatically of updates. It does well on browser fingerprinting/uniqueness tests (EFF's covermytracks, etc.).
A few months ago i noticed an up tick on the number of people subscribing to my blog. It went from a single person Per day to dozens.

Looking at my logs, I couldn't identify where these people are coming from. I've added a bunch of checks to make sure it's not an automated script, but they seem legit. Until I started i started looking at their ip addresses.

Every single ip is from a tor exit node. I have no idea if these are fake users or real ones. I can't tell if I should be worried or excited.

Tor users are reading your blog, what’s to worry about?

Unless your blog is about online privacy, it does sound sus, though. If it’s all from a single actor, I wonder what the end-game is. Is it on the level where it’s starting to cost more to maintain?

could just be one tor user, through different exit nodes
Yeah... Can't really trust Tor these days can you? With unique members taking over multiple relays and exit points they can now relate where you're coming from and where you're exiting...

Really doesn't matter anymore how extensive it is the browser fingerprinting protection feature or the access you do through Tor.

I believe we need a new type of Tor...

This was always accounted for in Tor's threat model. That's why you take many different circuits depending on what location you're trying to reach.

That's also why for the highest security needs VPN+Tor is a recommendation. Although to be fair i personally believe if an actor is powerful enough to perform traffic analysis across the Tor network, they're probably powerful enough to correlate your computer activity with the VPN<->tor link.

Networks that resist metadata analysis are called mixnets and there's some interesting research about them. The downsides are you add latency (because each hop needs to randomize sleep) so bidirectional sessions like TCP is unthinkable. So nothing as usable as Tor Browser for checking your webmail or reading a blog.

Or, instead of TCP, content-based storage as in Freenet.
Yes P2P CAS (torrent/freenet/ipfs) sounds very interesting over mixnets. Do you have links to specific implementations?
Freenet manages to implement some kind of anonymity without mixnets, relying on inserting/retrieving storage blocks sacrificing latency. In my opinion that's the better approach, because if you separate storage and communication, like ipfs-over-tor, you'll never get anything with proper anonymity and decent performance.

Beyond that, I've heard of xolotl related to gnunet, but I am not sure to what extent it is actually implemented and/or working, as usual with gnunet.

Are you aware of modern Freenet reimplementations, by any chance?
content-based storage is not "instead" of TCP. It's a different solution for a different requirement.
correct, content-addressed storage is often implemented on top of TCP. I wrongly used TCP to generically mean "location-addressed".
I am mild hoarder. I browse Web and write this comment using Tor Browser on Android.

The thing I love about Tor Browser is such that when I end the session all tabs are gone. No more unlimited "interesting" tabs left opened for months. If I want to leave some information for later then I bookmark it in note app with a proper commentary why I would need it.

browser.privatebrowsing.autostart=true

used this for like a decade. this works like firefox focus on android.

And I'm using Qubes disposable virtual machines, which get destroyed after I close the browser. Helps too!
did not know that. don't you need to use a new os for that? while this works on all desktop firefox machines, agreed not as secure and sandboxed but still
Yes, Qubes OS is a special OS based on VMs.
Every browser has this option. You can also set up the startpage to be blank with most.
Your ISP et al may not easily observe the contents of your Tor traffic, but if I’m not mistaken, the usage of Tor itself is easily detected and can have you flagged for further scrutiny. I’ve always seen this as a weakness of Tor. It would be nice if it had the bandwidth to be a default for e.g. Firefox which would solve this problem.
I've never used Tor and practically know nothing about it. But I always wondered about something like this many time.

I mean, while using Tor, sites can't track you or fingerprint you. But the fact you setup Tor in itself gives something to someone so that they can fingerprint you.

Sites can fingerprint you if you use Tor. Tor browser tries hard to keep them from fingerprinting you, but it's a different product built on Tor (although one by the same team, or at least the same organization).
There are Obfsproxy bridges that make Tor traffic look like normal internet traffic. https://tb-manual.torproject.org/circumvention/
A more correct way to describe obfs4 is "makes Tor traffic look like unidentifiable traffic", which is in itself potentially a suspicious marker for people who want to watch Tor users. If Tor makes up the bulk of identifiable traffic, the value add of being unidentifiable is not very high. This is an active area of research for the Tor project.

Pluggable transports are not perfect and can be profiled by a determined adversary, although it takes more resources and sophistication than identifying unbridged Tor traffic.

Another problem is that popular OS’s (macOS/Windows) and popular software vendors (Google, Adobe, Microsoft) install tons of built in daemons/services that are constantly phoning home in the background with telemetry. I imagine it would be trivial to deanonymize Tor (or VPN) traffic by analyzing these payloads.
What are the chances somes org is tracking who is using Tor?

I mean one can't see what I am browsing on Tor browser, but the fact I am using Tor or have downloaded Tor, is it also hidden information?

Sorry, I know very little about it.

If you're using org-provided hardware and their network, assume they know everything you do.
This website was redesigned a little while back, and the replacement is still missing a lot of useful content that was on its predecessor.

For example, although tor --help still sends users to https://www.torproject.org/, as far as I know it's impossible to find the daemon documentation starting from there. The older website https://2019.www.torproject.org/ does have these docs, but it's surprisingly hard to turn up in a search. (You're much more likely to turn up old documentation on one of the man pages sites.)

It's interesting to compare https://www.torproject.org/ and https://2019.www.torproject.org/ more generally. To my eyes, the new site is uglier, less inviting and less useful, but I'm probably just getting old so my tastes don't align with fashion, if they ever did!

The new site loads much more slowly compared to the old one. Around 20 seconds difference for me.
This will be a contested opinion, but I believe full anonymity allows people to become the worst version of themselves.

I've used Tor for a very brief period once in my life, and that was to purchase adderall off of either Silk Road or AlphaBay (I can't remember), and I'm unsure of what the Tor ecosystem is like today, but not even that long ago, the vast majority of the Tor network was used for crime - ranging from child pornography, to hitmen available for hire, banned weapons, and obviously, for drugs.

I did not come across anything meaningful browsing the onion ecosystem, but left with a depressing insight of anonymity.

On a higher level pov, anonymity allows some of the most toxic and damaging ideas to brew and fester.

This is easily pointed out by the characteristics and behaviors between Twitter accounts that have an association with a real individual as opposed to ones that don't.

The difference in what they tweet is staggering.

Not to mention sites like 4chan and it's children.

Don't get me wrong, I'm rather against Big Brother or ISPs tracking and selling off our data, but absolute full anonymity is just an invitation for some of the worst things to happen.

Absolute full anonymity is sometimes the only defense against tyranny.
I think the Tor Network is similar to the clear web in that it can be used the way its users want it to be.

Mind you, if you look to buy drugs on Instagram or Facebook you’ll find many outlets.

Your experience is limited to the markets because that’s what you were after presumably.

We created the BBC Tor site to help audiences access BBC News where they can’t and also to provide more secure access if they want.

You probably don’t know how bad the internet in China or Iran is. Imagine you can’t access any news site other than the government’s own outlets, and forget about social media.

We expected our Tor site to serve more users in Iran but interestingly we found more users coming to BBC Chinese, BBC Mundo and BBC Portuguese.

We think we are getting more users from Hong Kong and Brazil who are doing it for the sake of privacy rather than circumvention (our clear web sites are still accessible in Hong Kong).

At times when the news flares up, we get more users for BBC Russian, presumably because news consumers there want to have access to an independent source of news.

BBC site on Tor:

https://bbcnewsd73hkzno2ini43t4gblxvycyac5aw4gnv7t2rccijh774...

that's an interesting perspective - one that I'll take to heart, for sure.
Check out dark.fail. Sure there are a TON of dark web markets but a lot of news sites and such. Tor sure is a bunch of botnets and hackers and such but there certainly are more “genuine” uses to that.

The alternative is no anonymous internet which is also not something I would want.

Also, based solely on gut feeling, the speed Tor from 10 years ago to today is night and day. Something tells me a ton of nodes are state actors and Tor is quasi broken. Not “buy an oz of weed FBI don’t move we’ll shoot” broken but if you are planning another 9/11 they probably can figure that shit out even if you are on Tor. I base that on zero facts.

If Twitter shut down tomorrow and all it's users flocked to Gab or Parler or whatever network is said to currently be infested with racists, would they all start posting racist tweets because now they're covered by moderation matching 1st amendment rights? No, that's not tenable.

Same applies to Tor, it just needs more users.

All "good" things have serious downsides. Free speech is good but if you defend it you'll no doubt at some point have to defend its use by a scumbag who using it in a scummy way - but the alternative is worse.

Same could be said for democracy, presumption of innocence, habeas corpus or any other of the cornerstones of a liberal society - they have big downsides but the alternative is worse. Sadly, right now, we're living the worse alternative to having strong privacy because people don't see it's value so we'll have to make do with Tor.

> I believe full anonymity allows people to become the worst version of themselves.

Your examples are not things that people are given anonymity and then do naturally - it's what people seek out anonymity to do. That is, you have cause and effect backwards.

Meanwhile, there is a difference between using Tor to access regular websites to avoid surveillance and using .onion sites.

> This will be a contested opinion, but I believe full anonymity allows people to become the worst version of themselves.

> …

> On a higher level pov, anonymity allows some of the most toxic and damaging ideas to brew and fester.

You mention Twitter, but haven’t mentioned Facebook. That anonymity makes people to become or expose the worst version of themselves — or that anonymity allows some of the most toxic and damaging ideas to brew and fester — isn’t necessarily completely true. On Facebook, people use their real names, post personal photos (including participation in local events), their location, etc., and there’s still a huge amount of toxic ideas from these same non-anonymous people that brew there and are allowed to (because that makes the company more money).

I don’t disagree that anonymity allows people to be more honest in expressing themselves without filters. It’s one of the best things that happened with the Internet. But completely banning or not allowing anonymity isn’t the solution that some may immediately reach out for when faced with some social problems. Usually the people who dislike anonymity and want to eliminate it (I’m not saying it’s you) are those in power or want to be in power. And they don’t like it when people can organize outside their surveillance view.

Tor provides access to the regular Internet; you are aren't restricted to .onion sites at all.

> the vast majority of the Tor network was used for crime

How could you know the scope of the Tor network? Is that technically possible? Perhaps looking for ilicit goods, that's what was found?

Tor has sites for the Facebook, NY Times, BBC, ProPublica, Deutche Welle, Buzzfeed, and more.

Tor Browser is great for checking sketch links or for making an anonymous complaint
https://blog.torproject.org/tor-browser-advancing-privacy-in...

`Other reasons`. Would love to know other use-cases for Tor Browser Bundle besides the ones mentioned in the info-graphic. One other reason not mentioned is recon and intelligence gathering, or OSINT. I do little investigations on various topics, safe in the knowledge I'm anonymous doing so. Need to lookup about erectile dysfunction? (ED). Then Tor's perfect for that.

Will we ever see a Tor Incognito tab in Chrome?