I hate ads as much as anyone but providing a free service that runs ads and shares part of that income with content creators is hardly particularly evil.
emotional brainwashing(entertaintment, fear etc) people to buy stuff that they don't need. taking advantage of people's weakness. it's not like "this is our product, this is what it does, and this is the price of it" instead "your neighbour has this cool stuff but you don't means you are lesser person if you don't buy also", "if you don't buy this stuff, you won't get a girlfriend and die alone", "if you don't buy this stuff, you will miss out amazing opportunity of becoming rich and stuck as poor"
It really depends on whether you see ads as "bringing to the user's attention that there is a product out there that might improve their lives" or if you see them as "attempts to manipulate people into spending money on things they don't need or want".
I'm definitely in the latter group, but I can see how some market purists might believe in the first version.
That is not what the article is about though. The article is about a new proposal which people are concerned would give Google even more leverage over how the web functions.
People were quite ok with the ads when they were not as obnoxious as today. Apart from techies, few people would put the effort to block them.
But these days, you want to watch a 2' video on YouTube you are subjected to 20-30" of unskippable ads. Discounting the privacy (and even security) concerns, this alone pushed a lot more people to start ad-blocking were they can.
People pay for Netflix because they want to watch the specific content, for which the platform has already invested money. It feels natural and fair to pay them. For the same reason, if they had a perhaps limited in content, but not obnoxiously annoying ad-supported options, people would be more likely to respect it.
On the other hand, YouTube wants you to pay to get rid of the annoyance they intentionally planted in their platform, while they have invested 0 of their money on content. Also, most creators don't seem to be paid enough from YouTube, and appear to make their living off of 3rd party sponsors, sales, referrals, etc. With this model, it is not surprising that people aren't very keen in having a YouTube subscription.
Lately I started getting shocksites kind of ads (think goatse.cx) of horrific cases of fungus in the legs or whatever. I pressed x on several occasions, naively thinking that anyone cares. Then I decided I don't want to see an ad in my life again. I got ublock origin on firefox and moved to Vivaldi browser in my android (which is a really good browser, coming with an adblocker out of the box). The hardest thing is in the non digital world though, walking in the streets it is hard to look away from the shiny big ass screens everywhere. But with AR vision in the next 5 years it would become obsolete as well.
And if you happen to be a tech giant that can drive the industry literally to every direction you want for decades, and what you choose to innovate is ad tech and NOTHING else, you're not evil, just stupid. Well maybe both. Or either. But definitely stupid.
Well I don't tell myself anything like this because honestly I don't think anything about it is "cool".
It's much cooler to not understand it, which makes you the cool guy :)
I would accept ads more easily with if they were not a privacy disaster.
I’m watching a video about cars, sure show me the ad about this crappy car brand I will never buy. I’m reading an article about Prometheus, sure show me an ad about your greatest SaaS metrics platform that cost more per monitored machine than my machine.
>I would accept ads more easily with if they were not a privacy disaster.
Would you really? I mean I keep hearing this but it doesn't ring true to me. People don't like ads in content because it interrupts what they are trying to consume and tries to leverage them away. This seems like a far greater motive to install an ad-blocker than some hand wavy tracking that probably doesn't even work that well.
> People don't like ads in content because it interrupts what they are trying to consume and tries to leverage them away.
Here you answered it yourself why people adblock. If ads were served on either side of the holy grail layout like the good ol days it wouldnt have been such a pain in the ass.
I remember jumping on the ad-blocking wagon when google started serving their shitty ads in between scroll content, serving diseased peoples photo ( ketto.org ) and getting frighteningly accurate/curated ads of what I searched for previously. Literally fuck google for having a digital private investigator on my ass 24/7 just to sell me shit. I am gonna use ad-blocker till the end of time.
You make it sound like an old fashioned newspaper.
But in reality it's more like the newspaper publisher would then follow you around all day wherever you go and interrupt you every time you try to have a moment's thought or talk to your children, so they could perhaps interest you in this product they're advertising.
Not only would they passively follow you around but instead direct you to places where you find the most outragous people you can think of. When you're all worked up they could put you in touch with the higest bidding political operative that promises to ease all your pains.
I mean sure, maybe the publisher is not evil but I don't know what to call them.
Sergey Brin and Larry Page's original search engine paper fell short of calling it evil. But they did use phrases like "incentive to provide poor quality search results", "particularly insidious" and "inherently biased towards the advertisers and away from the needs of the consumers".
Ads per se are a fine alternative to pay for a website, the problem is when they are the most attractive option. Because them being the most attractive option usually means they are the only option, meaning they are also the only option for people that would be willing to pay to see no ads (me).
I see it like smoking. It should be legal, but there need to be laws in place preventing smokers from harming and annoying anyone that chooses not to smoke. Ads should be legal, but there need to be laws in place allowing people to completely avoid them by paying a fair price. Until this is the case and everyone can choose, making them unavoidable is morally wrong.
How much is the cost of living? Lifestyle creep? Do they have anyone at home sick and they're the only ones working while also living in a high cost of living area?
I'm not joking when I say it's very hard to tell whether you're sarcastically making fun of the facetious arguments they could hypothetically put forth or if you're serious.
I don't work at Google. I know of people that have the circumstances I've mentioned.
Some that help their parents, some that have kids, some that have sick spouses, some that brought their parents to live with them and support them due to health issues, some that have work visas.
I am simply saying that even though the right thing to do would be refusing, you also have to consider everyone's life circumstances when they make decisions.
The fact that they make $100k, $200k, $300k like another comment said means that they don't just need a job, they need a job making roughly the same amount of money and having the same benefits to be able to risk getting fired.
My original comment I wrote it so that we wouldn't just place everyone in the same group and generalize. It's not necessarily always as easy as refusing and risking your job. You're risking whoever else you support for example.
Standing up for your principles is never easy when it counts the most. Usually it's going to cost something. Sometimes that's a fat salary and a cushy job.
And is everyone, or should everyone, be willing to risk that fat salary, cushy job, benefits for their principles if it means risking the quality of life for their family?
Do any of them support a sick kid, spouse, parent? Any of them send money home?
All I'm saying is that some of them might not be in a situation in which they could, on a whim, risk getting fired. And we shouldn't blame them because the fix for that is not on their hands.
> And is everyone, or should everyone, be willing to risk that fat salary, cushy job, benefits for their principles if it means risking the quality of life for their family?
Google engineers are not special. Everyone has a situation, and family, and bills. Everyone has a parent who will die one day. Everyone hits hard times. Everyone faces tests of character at inopportune times. Very few of those people are making $300k a year tho, and nonetheless making the rightethical choices every day. Why can't Google engineers?
That's why I said standing up for your principles is difficult. If it were easy, everyone would do it.
"Im used to spending too much money so in order to not getting a minimal pay cut im gonna work on unethical proyects." Isthe kind of insane thinking only people at HN seem to say without flinching.
Like at that point do not work at google, write ransomware for a company in Russia, they will pay even more money. Make bio weapons for a dictator in a civil war afflicted country of the third world. If Life style creep and your new Tesla to drive your kids to the private school is the only thing keeping you in check, you might as well trade stocks against life expectancy based on obesity reports and climate change effects on coastal areas.
>"Im used to spending too much money so in order to not getting a minimal pay cut im gonna work on unethical proyects."
That also accounts for expenses.
Do any of them send money home? Help parents or grandparents? Do any of them had to bring their parents or grandparents to live with them due to health issues? Lifestyle creep takes into account taking on more debt. That debt is not just in luxury like how most people think.
Yeah, but you know what? Many of us do have choices and many actively do make those choices. Lets not pretend that we are struggling low paid workers whose families would starved if we changed the job or asked for reassignment.
Also, many unethical choices are made or advocated for by engineers themselves.
Yes, there's some that just want to work on different problems and want to just fix the puzzles.
But blanket blaming all of them and saying they all have a choice is not real. Any of them on visas? How would you feel about risking not just your job but also the ability to live somewhere.
You can't blanket blame all engineers and say they all have a choice.
There's a difference between a struggling worker earning a low salary, with low prospects of finding a better position being asked to do unethical things on behalf of their employer, and a Google engineer earning multiple hundreds of thousands of dollars per year.
I have refused to implement unethical code when I earned US$8.8k/year and supported my mother (living in Brazil, beginning of my career), I believe a Google engineer has much more leeway and money sloshing around to decide it's not right to do something unethical, and be vocal about it. There's much more of a choice than I had at that time and if I managed to choose to not be an asshole doing unethical bullshit, and didn't starve my family in the process, they are pretty damn able to do it as well. Might need another job but c'mon, you have Google in your CV, jobs will come, stop being a greedy pig.
Anecdote again: my mom was sick at home when I earned US$8,8k/year and refused to implement code to defraud customers.
I'm very sure if you are earning US$300k/year and depending on every job you get to be comparable or better you have set yourself to be fucked for life... Again, with Google on your CV you can get another job for a visa, or to pay student loans, if you depend on earning US$300k/year to just live your life you have much bigger problems.
You are trying to make it look like someone with one of the highest paid white collar jobs in the world is struggling to live and depends on earning that amount. Let's be real, it's a very, very very very small subset of people earning on that bracket that actually might have enough issues in their lives that require earning that amount (huge amounts of medical and student debt, supporting a family with disabilities [spouse, kids, etc.], etc.).
They might exist in this case, yes they might, but making that possible exception into a "think of the poor golden handcuffed employee who is being forced by some freak life situation to do this hugely unethical thing in name of their employer" excuse is not reality, in reality it's just much more likely these are people that want to keep their cushy job ingratiating their employer by making the web worse for everyone else. Greedy. Pigs.
Makes sense. This is the (labor) market selecting on services it wants to support. Employers like Google have no sort of leverage or responsibility here what-so-ever.
I never said they didn’t, but people seem to be arguing the engineers have no responsibility here. And people wonder why the internet and technology sucks — no one wants to own it, even the people who are literally writing the code.
“What choice do I have?” - a Google engineer who drives a brand new Tesla, living in a $10k per month apartment.
No, ultimately the managers and executives can do nothing without the engineers. At the end of the day some engineer has to build the thing, and no one is holding a gun to their head to do so. They are willingly trading their time for money to do work that makes the world a worse place for us and a better place for Google.
Both should be blamed. A proposal like this would make me not want to hire Ben Wiser, Borbala Benko, Philipp Pfeiffenberger, or Sergey Kataev, ever.
There are projects one of integrity should simply refuse to work on, if they make the world a worse place. With Google on a resume, it's not exactly hard to find jobs. People who agree to work on projects like these are defective human beings.
I might actually start a blacklist over this. We are looking at aggressively hiring and I don't think I want anyone who has ever served time at Google on my staff anymore.
If you're serious, that feels overly broad. I know a lot of very good Googlers. Organizations are a bit of an abstraction in how we organize people.
A blacklist seems like a fine idea here, but it's important it be specific enough to pick out just the bad actors.
The way I manage my life, I want to make sure the work I do makes the world a better place. For the past many years, virtually everything I've done has been aligned with advancing humanity (education, medical, etc.), and has been open-source. I'm fortunate enough to be somewhat well-known for a former project, so I've always been able to find jobs like that. My values state that:
- If that meant working at a good subdivision in an evil organization, I'd do that.
- If it meant doing evil work for a good organization, I wouldn't.
- Heck, if it meant helping reform an evil, powerful organization to be good, that seems like worthwhile work too.
I haven't been in a position to need to manage those conflicts, mind you, but that's how I'd play them according to my ethical compass, if they came up.
I'll also mention: It's also important to be aware of people's situations and more complex trade-offs. Consider a person who does scammy sales pitch telemarketing calling during dinner to sell you on snake oil medicines. Now, consider that they make minimum wage, it's the only job in their town, and they have a five-year-old they need to feed. I'm in no position to judge.
I am in position to judge Ben, Borbala, Phillip, and Sergey.
This isn't Chrome/WEI defense btw. All attestation in web browsers ("user agents" my ass) is bad. Base your complaints on objective problems, not hate of one brand.
The grandparent likely means Augmented Reality; they may be imagining a strange world where you wear glasses that filter ads out of your vision, and yet those ads are on a computer screen you view rather than right there in the headset being projected onto your eyes.
Analog gap. An AR headset that classifies ads in its field of view and filters them in real-time. Adversary model being, the evil Googleborg fully control your web browser and the locked OS it's running on – but you still control the gap between the display screen and your eyeballs.
Their AI agents will be stronger than yours. They'll watch you 24/7 and make sure you're not doing that – verify there are no non-approved gadgets in front of your eyes; verify that there are no visible analog-gap-defeating tools anywhere in your physical proximity. Nothing will escape the machine's notice: no detail too small or subtle for a bored yottaflop God with nothing in the world to do but watch you.
You'll be free to opt out, though most of the internet will be unusable without Environment Integrity.
A good and measured article marred only by a silly, clickbait title.
Unless there is a plan to allow attesters that are independent bodies then this is absolutely a threat to the open internet, or what's left of it.
The biggest dead canary for me is the lack of calling this out explicitly by Google or Apple. We're left to assume that Google is hand-wavingly saying "don't worry we can take care of that" when the private companies already monopolizing parts of the Internet are the absolute last people we want handling attestation.
even assuming unbiased and objective attesters, the issue lies with the "baseline criteria" of attestation and who defines them.
There are two risks here (examples follow):
1. hostile requirements - "the agent won't feature adblockers", or "scraping without explicit website permission must be forbidden"
2. prohibitive requirements - "the agent implements protocols X, Y and Z and adheres to standards A, B and C" - all of these may be reasonable things, but en masse they may be too much work to carry by anyone but a reasonably big vendor
Additionally these criteria must be verifiable, so user can't basically modify the agent, because then the attestation is practically void.
Rest assured it is sarcastic. It is terrifying because you start sensing what power shift that is. And it is not theoretical in the slightest, my wife starts complaining about dynamic pricing in web shops where she used to find deals at seasons end.
Or what is wrong with meeting politicians what have always a very good brief in their hands telling them what words have maximum impact on the small group before them? It seems to work looking at the increasing number of spineless chameleons.
I think for me it's terrifying because it sounds like the same line of reasoning as, "Why should I care about encryption? I don't have anything to hide," and people say (and mean) that a LOT.
So many people genuinely don't understand what would be wrong with this scenario, and that's why I'm afraid.
Obviously this is awful, but I wanted to share some organizations could use that as a bad pattern:
"Oh, this area of $hot_social_media_site is for people earning ($user_salary * 1.4). But you can get access for just $10/month paid monthly or $9/month paid a year in advance! You don't want to be left out and lose the chance to network with higher earners, do you?!?"
> A simple example would be just rejecting ad-blocking extensions from their Chrome store. They've never done anything close to that (including all the manifest v3 hullabaloo where they explicitly worked with ad-blocking teams to help them migrate) so who in their right mind would think that they would try to sneak it in via some fancy new web standard that wouldn't even be able to effectively block ad-blocking if it wanted to.
Like, perhaps like if they didn't allow any extensions on their mobile browsers?
(Note: You can't use extensions on Chrome on mobile devices)
"Brave is on the play store" is a very similar argument to "You do not have to use IE, you can install Netscape". And subject to the same logical holes.
Why? If it were a browser extension, you would still have to install that manually too. Are you mad that Google doesn't ship ad-blocking functionality by default in their standard build?
Google - a company that makes most of its money on ads - removed the ability to install ad blocking extensions on the default mobile browser for over 2 billion devices.
If that does not seem shady to you, then I will be unable to make you understand the point.
This rule applies to discourse, not perspectives. I also wouldn't call many of these concerns "fantasies," because anyone with a basic understanding of public-key cryptography can tell you exactly how this technology, even its most basic form, could be used to:
- Create an absolute monopoly on browsers.
- Give the holder of the browser monopoly the power to control who can/can't crawl the web.
- Give the holder of the browser monopoly the power to control what OS you use to access the web.
and so much more that it's head-spinning.
Is OP's title clickbaity? Yes. Are the concerns brought up by commenters totally legitimate? Yes.
Your premise is broken. How is this even possible in an open source ecosystem? Chrome was built to be forked, and there are several healthy forks that are thriving. There is zero chance of there being a browser monopoly any time soon. Basically every proprietary browser is now dead.
Whether or not the browser is open-source has no impact on this issue. The monopoly would not exist because Google/Apple/whoever are the only people allowed to make browsers. Google would simply have the power to make all of its services (search, docs, etc) totally unusable on any browser that isn't a version of Chrome compiled and distributed by them, thus making all other browsers useless to the vast majority of the population. Because analytics data is money, other companies would have financial incentive to follow suit.
By the way, Chrome contains proprietary code. Chrome and Chromium are not identical.
Must be nice. The major Canadian banks only offered 2FA with SMS until recently and still don't support TOTP or hardware tokens, opting instead for some kind of proprietary flow through their phone app.
Okay, top three banks in the US.. Chase requires MFA, but still allows SMS, which can be broken easily with SIM swapping. BoA and Wells Fargo MFA can be completely disabled, which is how many people likely have their accounts set up.
Until just a few years ago, mine would pop up an MFA prompt, but if you hit the "mobile website" button, it would just bypass it completely. I reported it to them for at least five years before it got fixed, and it's more likely that they just fixed it on accident.
Your hand wavy description of manifest v3 which conveniently skips the core issues makes me skeptical of your position and intent. Sounds like users and developers are the problem here -- I never see anyone else talk about Chrome with such a positive tone. Manifest v3, privacy sandbox and now the "integrity" nonsense should say enough about Chrome and Google.
Maybe each household should host its army of noise-making AI which spews out page visits and random searches in order to let the people hide in the noise.
Projects like these existed, I think it was an extension, but we'd probably need to do better than that.
This is a dumb article that's trying and failing to tie Attestation to ad blocking.
> However, how this plays out with browsers that allow extensions or are modified remains a grey area. As the proposal vaguely mentions, "Web Environment Integrity attests the legitimacy of the underlying hardware and software stack, it does not restrict the indicated application’s functionality."
And if ad-blockers are considered illegitimate software?
This would be entirely in line with financial incentives of the proposed attesters and even logically defensible (oh well, we haven’t vetted uBlock, so you can’t browse with that installed).
It isn't just "make ad-blocking (near) impossible" as the current title of the submission suggests. It is:
Make browsing the internet possible only on Chrome, Safari or Edge (with no modifications or extensions). No competition allowed in browsers.
Make browsing the internet possible only on macOS, Windows, Android or iOS (no custom Android distributions, definitely no LineageOS or GrapheneOS or whatever). No competition allowed in Operating Systems, especially no open source operating systems.
Make crawling the internet possible only to Google. No private crawling and no competing search engines.
There won't be an anti-trust suit. The implicit deal will be we will prevent "misinformation" (favor news sources you support and censor anything you request with our algorithm) and you will allow us to monopolize the internet.
Maybe if I donate to American Petroleum Institute I can help tilt their agenda in a more green direction.
Maybe if I donate to NRA-ILA I can tilt their agenda towards gun control.
you’re not going to tilt a think tank against its master, and the point of Mozilla is controlled opposition so google can point out they’re not quite a monopoly.
There are many, many, many web browsers that are not corporate-controlled. Some of my favourites lately are the Argonaut Constellation [0] – mostly because of the interesting technical decisions going in the development (particularly the CSS and the Haskell), but also because Rhapsode is already better than eSpeakNG + AT-SPI2 + Firefox.
There's also the venerable lynx, and elinks (which I reluctantly admit is better than lynx, even if I don't use it much), and Dillo+ [1] (a fork / continuation of Dillo that supports Gopher and Gemini). And could I forget NetSurf, with its graph-y history navigation? And of course, Ladybird, [2] probably the best-funded of the lot.
These are just the ones I've heard of. There are surely dozens more you'd be interested in, and thousands of little hobby projects. Why not try making your own web browser?
> “We (Microsoft) are in a very unique position to be able to go spend Sony out of business,” said Booty in a December 2019 email, referencing spending $2 billion or $3 billion in 2020 to avoid competitors getting ahead in content at a later date.
iirc remote attestation is reliant on hardware attestation, which means these websites will only run on authorized DRM-enforcing hardware and architectures. Only Intel, AMD, Qualcomm and the like. No open-source firmwares, architectures or hardware.
It's important to remember they are only commercial efforts. If you can value something other than money it doesn't matter what the corporate web is doing compared to human ingenuity and the internet. Let them waste their time and money write their specs.
That is why I call for federated publishing tools. Believe it or not I plan on launching such a channel and it will be self-hosted in the 90's meaning of the term. They only way the channel will grow an audience is if it is passed by word of mouth.
The amount of effort that goes in to playing advertising metric games of YouTube is ridiculous to me. Anyone that says well people have to get paid I say maybe.
Real creators create and don't need the like, subscribe, patreon, mantra.
Most of the gunsmithing sights on YouTube are moving towards this idea.
I don't believe in the discovery myth so many talk about as essential. It is only essential if you need inorganic growth.
I would say it's an emerging trend and that the more they tighten their grip the more creators will slip through their fingers.
I visited Practical engineering and tom scott's websites and AFAI seen they embed youtube videos in their websites.
I couldn't find astronaught's website. Its not even linked to in his youtube channel.
He has article versions of his videos which you can find linked in the description of his YouTube videos. The videos on his website are just linked to YouTube however.
Do Channels on Nebula count? Since Nebula is paid only, ads free and creator owned (as far as I understand), it might be the one prime example of a video platform not incentivized to restrict access to only consumers using proprietary, big tech OSes.
Not an answer but your question has me curious now. I'm not old but I've got a particular worldview that could use an update. Why video? Aside from entertainment or live collaboration, I've never found video compelling for productivity.
Reliable machinery always has a shop manual, diagrams and prints. Programming languages have tomes of documentation, computing infrastructure has man pages and volumes of commentary, scholarship and trouble shooting have been committed to characters.
Aside from the point and grunt visuals, solid presentations (viewed after the fact when the value of real time interaction is gone) work fine as text.
If you're dyslexic, I get it but TTS systems are extremely solid these days.
I have been in the tank for Apple since the 80's. So no doubt I'm distorted but content.
Financial transactions could become so streamlined that a "commerce fob" is likely to emerge. That would be a credit card with a screen and buttons.
Think about how streamlined all these tasks have become. Putting those in a single ROM that has a screen and is tied into some legitimate network will emerge.
It is only out of convenience that these services are currently tied to a "phone".
I don't mind in these cases. Because I already have to present my ID card or my driver's license, when I'm doing most of this. I'd buy a cheap laptop, label it as a banking and ecommerce laptop/tablet, and use it to browse the corporate web. More friction, yes, but I'd welcome it as it would make me reluctant to interact with them. Any other sites that try would just end on my blacklist.
Unfortunately, the corporate Web has managed to monopolise how we communicate and learn about things (Facebook, reddit, twitter, YouTube, news sites, etc).
This is a mistaken view. The closest thing I have to social media is HN. I did get a twitter account in the beginning and I was waiting for the right moment to tweet but it seems to have passed.
The above is true only to the extent that you believe it. I don't believe it at all so I'm not part of the "you" I'm an "other".
The "News" is a whole other problem closer to truth. So not technical entirely. Individuals started newspapers and individual will deliver the news.
A big issue corporations currently face is that everything has become so cheap that their scale of effort is a hindrance.
If a corporation is not acting ruthlessly efficient the economy of scale breaks down quickly. The crux of this will cause the success of many smaller scale efforts that don't hold the overhead of a corporation.
The original promise of the public internet was the idea that broadcasting was dead and narrowcasting was the wave of the future. This was true up until ads became legal/common on the internet.
Take away the commercial interest and you are left with passionate publishers and audiences.
What attestation the website accepts entirely depends on the configuration. There's nothing in the spec that will prevent attestations for Linux computers. Linux already works perfectly fine with secure boot and such, I don't see why a signed bootloader starting a signed attestation engine wouldn't be trusted by third party websites.
It'll kill open platforms like the rare open source RISC-V implementations, but for almost any platform in use today this can be implemented.
The real question is "but will it", and in practice websites will probably only whitelist Chrome, Edge, and (reluctantly) Safari.
Yes, a kind of Linux like Ubuntu or Fedora that already boots with secure boot enabled with full support of TPMs and similar technologies. The kind of Linux 99% of Linux users are running today.
More secure variants like Android, leveraging SELinux and such, help with sandboxing but I don't think that SELinux is a struct requirement.
I mean if root can do anything then such system is not "trusted" from corporations point of view. Therefore, it won't be able to pass the attestation or play DRM content.
Huh? Fedora defaults to secure boot's being off and it is complicated to get it turned on.
Even after you manage to turn it on, it only verifies the kernel and cannot do anything about malware hiding in /usr. There is no Linux distro AFIAK that has verification of the entire system like ChromeOS, MacOS, iOS, Android and Windows have.
> Fedora includes support for the UEFI Secure Boot feature, which means that Fedora can be installed and run on systems where UEFI Secure Boot is enabled. On UEFI-based systems with the Secure Boot technology enabled, all drivers that are loaded must be signed with a valid certificate, otherwise the system will not accept them. All drivers provided by Red Hat are signed by the UEFI CA certificate.
Running your own secure boot CA is not enabled out of the box (for obvious reasons), but that does not pose a problem on most systems. Secure boot only needs special care if you need to load unsigned kernel modules (DKMS, Nvidia) or if you run on a super duper special Microsoft device that doesn't have the third party CA certificate by default.
Nothing you wrote contradicts anything I wrote. Specifically, although Fedora support secure boot, if you follow the standard install process, you will get a system with secure boot turned off. I know because I've installed Fedora on a system capable of secure boot.
And, again, it is complicated to get it turned on. How complicated? Take a look:
>The kind of Linux 99% of Linux users are running today.
I severely doubt that even 5% of Linux installs have secure boot turned on because of how complicated it is to get it working. Specifically I imagine that the complicated instructions on the page I just linked will need to be modified depending on the specific secure-boot firmware.
Most motherboards ship with secure boot enabled out of the box. Fedora will install and boot in that configuration without any changes to your system or motherboard settings. You actually have to go out of your way to disable it. The manual (https://docs.fedoraproject.org/en-US/fedora/f36/install-guid...) does not mention any such setting changes.
The page you link goes into custom secure boot keys, which are usually unnecessary. They're arguably more secure, but it's an entirely optional step unless you decide to load unsigned kernel modules.
If secure boot is enabled on the motherboard, Fedora can be installed and used without going into the motherboard firmware and turning it off, but that is different from secure boot's providing to the Fedora install the kind of security assurances that secure boot provides to the other mainstream operating systems (Windows, MacOS, iOS, Android and ChromeOS).
It's true initrd is not verified; the system boots but the security secure boot is supposed to provide is not available by default. I don't think many Fedora users care, but that can be an issue.
To use secure boot without calls to mokutil and friends, Unified Kernel Images are introduced in Fedora 38. These images contain everything (kernel, initrd, and so on) in one, published package. If https://bugzilla.redhat.com/show_bug.cgi?id=2159490 is to be believed, UKIs are live already in Fedora 38.
I can only find pregenerated UKIs for virtual machines in the Fedora repositories and I can't tell if they're properly signed or not, but support is being extended and this problem is being solved.
As for providing security: Linux really needs an easy, user-friendly GUI application for setting up proper secure boot. Of course at least one step is out of the control of Linux developers (configuring the firmware to load new keys) but right now "I want to load my system keys (and also the keys for my Linux dual boot)" is awful on any Linux distro. Every guide presents scripts to call scripts to call automated tools but none of them seem to make the process any easier or friendlier.
Unified Kernel Images sounds like a useful improvement. I imagine that when combined with whole-disk encryption it provides useful protection against evil-maid attacks, but I haven't been able to find any signs that there is any Linux install in existence anywhere--except for Android and ChromeOS--where the boot process can detect an alteration to a file in /usr/ (e.g., the system's C library) and refuse to boot or at least warn the user. Unlike an evil maid, malware that has succeeded in its goal of running in a privileged process can alter any file in the unencrypted root filesystem.
In my search I focused on the "immutable" distros like Silverblue because it seems to me that the immutability would make the implementation easier.
In contrast, all the other mainstream OSes can detect an alteration in something like the C library during boot.
Gentoo users and people running Nvidia drivers and the like will be out, that's true. That's very different from "only certain architectures allowed", though.
Even still, there are ways to implement this using an open source, signed, reproducibly built daemon that gets loaded early in the boot process. Altering the daemon would've out of the question but it would solve the more immediate problem of "Netflix doesn't work" that most people would actually care about.
This is exactly why people criticized secure boot. To not allow such system to establish themselves is the best defense. True for secure boot as well. Security is not the argument anymore, it is market domination.
Definitely seems like we will have a commercial internet run to satisfy corporations and an adjunct internet that is federated and open for free thinkers. I think focusing on federated publishing tools is the best route around these ideas.
Remember the corporations will need to be more disruptive than a nuclear war to break the internet. We can always route around them ourselves.
As someone who has built a business on browsing certain website using Chrome in headless mode this proposal worries me, and it has the potential to destroy large commercial segments of other similar companies.
Make browsing the internet possible only on CPUs allowed by Apple, Microsoft, Google. So no RISC-V just yet, and even when RISC-V will be supported by them: No competition allowed in CPU.
Make browsing the internet possible only on SoCs allowed by Apple, Microsoft, Google. No competition allowed in SoC. [0]
Make browsing the internet possible only on form factors approved by Apple, Microsoft, Google. So no calculator with a web browser [1]. No competition allowed in form factor.
Make browsing the internet possible only on UX approved by Apple, Microsoft, Google. So backtracking 10 years ago, when Android made documents-oriented web browser (= each tab appears just like a standalone app in recent apps), that would have been abuse of that position. No competition allowed in UX. [2]
PS: I come from Android OS world, all those examples already apply to Google/Android.
[0] Well this one will depend on whether their Web Environment Integrity implementation will enforce full secure boot approved by them. Considering how it went for Android, I'd say it will, but can't say for sure.
[1] Yes you can find calculators running Android (but can't run Google/Android so no Chrome). Amongst a lot of other weird Android devices. You can find walking robots, toothbrushes, urinals running Android.
[2] You'll probably find a better example. Arguably it's the same as "competition allowed in browsers", but that was an OS-wide change, but saying it's "OS" IMO largely reduces it.
You don't need this is stop innovations in CPUs, any new CPU will be for non-computers or for servers - for the same reason that Linux is not yet king of the desktops, which is that people need their computers to run old software.
So? They can force you to pick between running old software or running new software. This is hardly new if you look at the broader "compatibility" scene. Old hardware and software are being dropped all the time. (Remember when MacOS dropped 32-bit support and wiped out a huge chunk of older games?)
If you want to stay in the old chain, you're free to do so, just like how you can still pick up a word processor made a couple decades ago and make documents on it. It only affects you if you want to use the Internet as that keeps evolving. (If you load up some '00s or '10s era browsers you'll see that many of them do not work at all for the popular Internet sites, which have all adopted things like newer TLS implementations and HTTP/3 or whatever the latest one is...
> Make browsing the internet possible only on Chrome, Safari or Edge (with no modifications or extensions). No competition allowed in browsers
Forgive my stupidity, but isn't this only going to be the case for websites that will opt into the use of this api? Currently, websites can already do user agent sniffing, or hide their content behind a login wall; but we are not complaining that this is the end of the web. Or are we?
If that would be the case, then countries with bad relationship with the USA will end up having the real free internet because these tech services and products would be undesirable or inaccessible to them. They might risk political persecution for their online activities but so do people in the "West". The 3rd world will be forced to use homegrown solutions and there's a possibility that they might end up much more innovative when not everything is about advertisements.
Why would anybody expect them to do anything different. They are an ad company. Their revenue comes from selling your attention and profile.
People seem to have some severe cognitive dissonance when it comes to commercial web sites. They are crucified for selling ads and tracking then when they have the temerity to try and charge for their work people will start posting archive.is links to route around their paywalls.
If you don't like advertising then don't visit advertising funded sites or use their "free" tools. If you don't like paywalls then hit the back button and spend your attention elsewhere.
Normies used to use IE. Then their techier friends asked them if they have used FF or Chrome and they moved on. Don’t underestimate the impact of local experts on the choices of people who don’t care/have time to explore.
Because both were a lot faster than IE. Nowdays almost everyone uses Chrome, Safari or Edge. Because Firefox is rather slow given the current competitors, not because the others care more about privacy (Also because that's just what their devices come with)
The "normie" internet is some kind of hell, but they seem to be content.
"We" need to do more / better to educate them!
I tried to implement pi-hole for some extended family members. They asked me to turn it off within a week because they couldn't watch advertising videos to earn a new 'life' on candy crush (or something closely resembling that).
I can't relate to "normies" anymore, it's too late for me...
Techies care enough about ad blockers that they will install Firefox on normies computers, just so when their normie friend wants to show them a youtube video, they don't spend 15 seconds watching some absurd commercial.
Ad blocking is at least as big a deal as speed in terms of browsing comfort.
Well, considering most people using a browser don't even know of the existence of ad-blockers, I'd wager that no, most people will continue to use whatever is already installed to continue browsing Facebook as usual.
I think survey results showing 40% using ad-blockers is sufficient to question your assertion that most people don't know about ad-blockers. Folks may not all be using them, but I think a majority certainly are aware. And outside the U.S., even a majority use them in some countries.
Ordinary folks on the Internet have friends and family that are technically inclined and often seek advice from them. But most of the time, ordinary folks figure things out just fine in their own.
I keep seeing this comment on Hacker News and it makes me wonder. Do you only speak to engineers in your life? I'm on the side of people who think this is a violent threat against the openness of the web, but let's be real. Most of the people you'll run into on the street will have no better sense of this than they did the paradigm shift to HTTPS. In fact it will likely be even more transparent than that, which is part of what makes it so insidious. If you're waiting for a public to mobilise against a self-evident threat, this will fly into being without protest. Most people will need to be made to understand its danger, because they absolutely will not flee by themselves.
This kind of behaviour makes me not trust security researchers (something they should desperately try to protect given that trust in the field is essential).
Many different things, big and small, that shows that their principles are to make the maximum amount of money possible at every given moment, rather than thinking about long term consequencies or any moral values.
One extremely small example from the last 60 minutes of my life is that many Google workspace products don't work very well in non-Chrome browsers. I have to switch from Firefox to Chrome whenever I call someone in Google Meet, because the system load is higher and some features are not supported (e.g. visual effects like background blurring). I'm skeptical that these features can't be done in Firefox, but when you try to use them you get a warning to use a supported browser.
Privacy features like user-agent reduction, IP reduction, preventing cross- site storage, and fingerprint randomization make it more difficult to distinguish or reidentify individual clients, which is great for privacy, but makes fighting fraud more difficult. This matters to users because making the web more private without providing new APIs to developers could lead to websites adding more:
- sign-in gates to access basic content
- invasive user fingerprinting, which is less transparent to users and more difficult to control
This was my take away as well. I see a lot of imaginary, proposed future problems and no concrete issues that this is currently trying to solve. It gives the impression that it's just being put out there to muddy the waters and give some credence to an otherwise awful barrier to entry for the web.
You have to be hopelessly naive to believe that the hold-back feature is going to be implemented as described, if at all, and not quietly removed when the outrage dies down.
And even if it stays as described, the percentage will be low enough that those that fail attestation can be safely barraged with captchas or simply told to go away. (You can try browsing the web with TOR to get a taste of how you will be treated)
The whole post can be summarized as "trust me bro"
Yeah, it was only when I briefly worked for a FAANG that I realised that it doesn't really matter how many well-meaning engineers you have, because ultimately they don't make the decisions. Execs make the big decisions, and they will always take the most profitable choice.
Those cited 5-10% are laughable. If countless US sites prefer to just block the entire EU over bothering with privacy regulations they'll just tell you to reload the page every 10th to 20th time you click on something. Compared to what the majority of people already silently accept with ads, cookie banners and popups it's not even worth mentioning, and that's assuming Google can be trusted for once.
It's not a terrible reply, but it does miss the point.
It focuses heavily on privacy concerns and how those will be resolved - the vast majority of criticism I've seen hasn't been related to this at all, and those aren't especially hard problems to solve in the context of the existing spec.
It still largely ignores browser diversity & experience this will create for non-Chrome users. His argument is that blocking fingerprinting in future will mean anti-fraud will make the web unusable, and WEI will make it usable again. Given you accept the premise, still the conclusion is only true for browsers that can access WEI - which means the web will become unusable for browsers who can't (Linux, rooted Android, Firefox, etc etc).
For the ecosystem as a whole, it's better if everybody has a fair playing field. By definition, WEI structurally privileges certain clients. The more widespread that becomes the worse the effect on the wider ecosystem is. If WEI does not exist, and fingerprinting does not exist, providers will be forced to find ways to limit the impact of anti-fraud mechanisms. If 90%+ of browsers use attestation, that pressure decreases dramatically. Using Tor on the web today is a good example of the likely experience.
The mention of holdbacks here touches on this (though for full blocks, rather than wider impact) but ignores the existing strong pushback against holdbacks from others closely involved in the spec & discussion around this (https://github.com/RupertBenWiser/Web-Environment-Integrity/...) and ignores that the attestation they already shipped on Android for exactly the same use case does _not_ do this.
Fundamentally, the issue isn't about privacy during these checks, or whether defeating fraud without fingerprinting is valuable. Those are reasonable but obvious points. The issue is that client-focused validation for fraud is a flawed goal in itself (it's impossible - even with full & perfect attestation, you can set up a fully automated + WEI-approved machine by automating input peripherals directly) that risks enormous collateral damage, and we shouldn't encourage it in any sense. We definitely shouldn't standardize practices to make it easier.
At the end of the day, if you want to block fraud you have to do so server side (statistical analysis, rate limits, validated user accounts, requiring payments, some kind of proof of work, etc). This is a hard problem, absolutely, but it's unavoidable.
This is precisely what the reported issues are trying to achieve, regardless of their tone. The current path is completely wrong and reckless. The first step of working together would be to abandon this approach entirely.
This is akin to suggesting that we'd solve global warming by triggering a nuclear winter. This is not something you can solve by iterating and finding a middle path. The entire premise of this proposal is dangerous and should be binned.
Just think about all the potential ways in which this approach can (and obviously would) be abused.
(Posting this here as I just noticed they disallowed commenting)
> I’m not sure my personal repository is the best place to do that - we are looking for a better forum and will update when we have found one.
I'm curious what "better forum," if any, Google will actually engage with on this matter. I too wouldn't this sort of overwhelming reaction to happen in a personal repository. But the conversation needs to happen somewhere!
> I’m giving everyone a heads up that I’m limiting comments to contributors over the weekend so that I can try to take a breath away from GitHub. I will reopen them after the weekend
After the weekend - leaves long comment but doesn't reopen comments as promised.
I find it interesting that the author thinks "invasive user fingerprinting" would stop with WEI. If you really believe ad networks are _only_ fingerprinting users to fight fraud and will stop doing it after WEI, I have a bridge to sell you.
How else are they going to learn more about me and shove ads that they think I care about?
Sometimes they are relevant and I click. Maybe few times in the last year. Quite a handy way to discover something you had no idea existed. A specialized driving school in my area, for example. Not searchable through Google Maps or Google; it's specific, but not specific enough.
I assume you don't have to click them anymore nowadays?
Should be fairly simple to find a correlation between ads shown to users and products sold, no?? I guess tracking solves this case.
Also as others said, there are quite a few people who still click them or click the first ad-links in google searches
Which implies the click fraud problem. I thought that Google was strongly disinterested in robust counter measures because so much as engagement is straight fraud. If you shine a light on it the market shrinks a lot.
Sure they have known for a long time. What is changing is advertisers awareness of the fake clicks. Creates an opportunity for ad platforms that can prove the humanity of their viewers.
If I do see something in an ad that interests me I make a point of accessing the advertiser’s site without interacting with the ad. Presumably this is still being tracked but I try, at least.
I want the overt metric of a site visit caused by the ad, and the per-click fee to the advertisement host, to be as obfuscated as possible (or ideally, non-existent).
Basically the only ads I click are in search results. If I'm looking for something and the correct answer is the same as the ad right above it, I click the ad. Currently I primarily use Ecosia as my search engine and I'd like them to make money, so if the ad is the correct answer anyway, I use that link.
Other than that... No, I'm newer clicking on ads.
In the article they write:
> Social websites need to differentiate between real user engagement and fake engagement.
No, they really don't. Why would they? They have a platform, you can buy ad space on that platform, it's not the job of the website to provide you with engagement numbers. You run an ad campaign for a given period, you track if sales increase during that time, if they don't your campaign was no good. I'm also okay with tracking sales directly from each campaign, have a tracking code for that campaign, but not the user/customer, that fine. The obsession with tracking everything single little detail back to a person is becoming increasingly obnoxious.
They don't require interaction. Think about billboards, TV/video ads, sponsorship ads, etc. It's enough for you to just see an ad, to not forget a brand or product exists.
At some point, you might think about a product subconsciously due to any reason, and since you saw the ads, you'll think of a specific company's product and likely rank them higher among "unknown" brands by default. That will bubble up at some point and you'll have a desire for it which you either accept or reject. Most will accept, causing more to accept to be in the group. It's human nature.
I've willingly clicked on a couple ads sometime this year when I was desperately trying to find something that neither DuckDuckGo, Amazon, nor Google could find (namely, a very last minute plane ticket for an even remotely reasonable price). My thought being "since the regular results are SEOd to death, maybe the people willing to pay for me to look at their offer are of higher quality". Plot twist: they weren't. But at least that made me realize that my adblocker was disabled so I could at least fix that.
Unfortunately, we will all happily accept this. Because using Chrome is "convenient". People will accept anything for convenience — WhatsApp is a good example, where millions of people worldwide happily share and sync their entire phone book with Facebook/Meta.
If you care, stop using Chrome. If you criticize this evil move, but continue using Chrome, you are part of the problem.
I switched over to a fully open source environment, at least for mobile/desktop OS, browser, almost all software as well as cloud file storage etc. But with a notable exception where I still use Google Search.
Perhaps with the rise of LLMs, one day I will run my own LLM to complete the move to being no longer reliant on monopolists.
Depending on the use-case, I find DDG is far better in many cases in returning sane search results. Might be a option to try. Not entirely open-source but better than the GOOG.
Same here, been using DDG for several years now and have not had any issues. I have tried switching to google a few times when im not finding what i need, but get turned off by their recommendations as well as just bad search results. I remember it took be a few weeks to get used DDG when i first switched. In a way it felt like going back to how search used to work, more keyword based, less trying to guess my life story to try to figure out what i really want.
WhatsApp and Chrome is apples and oranges - not using WhatsApp comes at a social cost (especially in countries like Germany and India where almost everyone uses it) because you can no longer communicate with other WhatsApp users or participate in group chats.
Not using Chrome comes with zero cost - you can use the same websites everyone else is using, just use Firefox.
> Not using Chrome comes with zero cost - you can use the same websites everyone else is using, just use Firefox.
Not quite. Increasingly, as Chrome became popular, you get websites that "work better in Chrome". Or do not work at all in other browsers. And you hear recommendations to "just use Chrome", so that things work. It's just more convenient all around.
Meta use your social connections to create advertising profiles of your friends whether they're on FB or not.
Your social graph is more accessible to other 'actors' than it would be if it weren't on Meta.
You may not care about this kind of thing, but I do. Unfortunately I'm not entirely free of it either, so any finger wagging on my part is at least partially hypocritical.
Well, for one, you tell Meta about me, without my consent.
Let's say I have a kid at a school. I don't use WhatsApp, but several parents have me in their phonebooks. They use WhatsApp and also use Facebook on their phones. Facebook gathers their location information, and given what Facebook knows about them, it isn't difficult to infer that I also must have a kid attending a school at a particular address at particular times during the day.
Data mining quickly gets scary.
You can also look at it another way: if this information wasn't valuable, do you think Facebook/Meta would have paid a billion for WhatsApp back in the day? Do you think they maintain the "end-to-end encrypted" communications app out of the goodness of their hearts? This is extremely valuable information: millions of people share their identifying information (their phone number) and their social network (their phonebook). It's worth a lot!
I hate to say it, but if you used Chrome to read this, then you're part of the problem.
Awful stuff like this wouldn't stand a chance if Google didn't have such a near-monopoly position.
For the sake of the open internet, please switch to a different browser. IMO, Firefox is best*, but even something chromium based is probably fine. Just not Google Chrome.
* On desktop - Firefox is a bit weaker on Android, with an extemely limited set of extensions (but still better than Chrome with no extensions) and just a Safari wrapper on iOS, with no extensions. (But sync works everywhere!)
(I posted something similar in a different thread recently but I think it bears repeating.)
If you have a customer who pays more than 50% of your income that’s not a customer that’s a controlling interest. Track record shows the relationship looks the way google wants it to look and behaves the way google wants it to behave.
Mozilla is two parts, the Mozilla Foundation and a subsidiary which is Mozilla Corporation. Neither of those are "funded" by Google.
I'm guessing you're referring to the search partnership between the two? That doesn't mean that Google owns Mozilla, unless you're really unclear about what "partnership" or "deal" means. Mozilla have multiple deals with search engines, not just Google.
At a much lower price, because search deals are paid based on number of searches done (so indirectly, the number of active users), and because Google has 90%-ish market share, it means a 90% drop in revenue.
Also, Bing has on average twice higher RPMs, so, a 50% of drop in income after rev-share.
So, you remove 90% of the revenue, and you divide by 2 what is remaining.
Technically it might even be healthy for Mozilla to loose 90% of the budget as they are spending that on bs projects that has nothing to do with Firefox. Maybe it would force them to spend the money on the Firefox team, and all the money hungry top management would go somewhere else where they can waste money.
A little nitpick: Mozilla has no shareholders. Mozilla Foundation is a non-profit, while Mozilla Corporation is 100% owned by the Foundation. Your point still stands though.
> The only reason Firefox exists is because Google wants something they can point to in court and say "look! we're not a monopoly!"
A competitor that survives at the charity of a monopoly is evidence of a monopoly, not evidence of the opposite. A court might see a non-profit that is directly dependent on Google for ongoing operating cash very differently that how it saw Gates' one-time personal investment in Apple.
If Google turned off this money faucet, Mozilla would be severely impacted. Unfortunately as Firefox's market penetration gets lower, the value of that deal gets lower, should Google stop paying it and someone like Bing takes over.
They have no motivation to "turn off the money faucet" since the payment is effectively lead generation -- bringing eyeballs to their ads that pay them more.
My guess is, GP is referring to the significant amount of funding that Mozilla gets from Google. Not sure if it's still the case, but I believe at least for a time, it was actually their main source of funding and basically what kept the whole organisation alive.
So by "don't bite the hand that feeds you" logic, they couldn't be interested in being too adverse with Google, because in the end, this could threaten their whole existence.
Not sure if this is still the case though, or if they managed to diversify.
I don't know where you got that idea from (accepting money to make the Google search engine the default?), but Firefox is made by the Mozilla Corporation which is a wholly owned subsidiary of the Mozilla Foundation.
It's true that Mozilla gets the vast majority of their income from Google and has, IMO absolutely squandered most of it.
If Mozilla had put most of its income into an endowment fund instead of hiring tons of staff for a miriad of now-mostly-canceled projects, they'd be in a much better position today. (Hindsight is 20-20 and all that.)
But I think it's an overstatement to say that Google owns Firefox. I donate monthly, and I think a smaller form of Mozilla could survive completely without Google.
You can actually use more extensions on Android. It's just more involved than it should be. The trick is to create an "extension collection" from your Mozilla account. Then you can use any extension, and a lot of them just work.
I know but it never worked for me. I followed the procedure twice, two different years, two different installs. I'm always doing something wrong. On Mozilla's side, why are they even doing that to us on Nightly?
It works for me on the Beta. No need to go to nightly. Mozilla was even gracious enough to allow us to go to about:config!
I don't know what you're doing wrong (all I can say is that the name of the collection is case sensitive) but I haven't had any trouble adding the custom collection settings to my Firefox installs.
Yeah, I know - I ended up switching to Iceraven on my phone, though. I've heard good things about Mull too. But I didn't want to muddy the original post with all that.
Yeah, I'm actually using Iceraven right now, I just didn't want to muddy up the point of that comment any further than I already had. Firefox is an easy recommendation on desktop but mobile needs a bit more nuance.
The point is that using anything that's not Google Chrome is better for the internet.
Nope, I've never seen that. Iceraven is just Firefox for Android with more extensions enabled, about:config support, and a couple of other minor annoyances fixed.
Wait, the post says iceweasel but the link is iceraven, are they the same thing? This was on the default browser one of the times I tried LineageOS, this was back in 2019 or so. I could be misremembering the specific fork.
I found this about iceweasel, which inclines me to believe that you remembered it correctly, and the grandparent was just mistaken about the name:
> In August 2005,[11] the GNUzilla project adopted the GNU IceWeasel name for a rebranded distribution of Firefox that made no references to nonfree plugins.
> [...]
> The GNU LibreJS extension detects and blocks non-free non-trivial JavaScript.
I agree, I use Firefox everywhere. But we must not forget the following:
In 2011 Mozilla income was 85% derrived from Google, through the primary search engine deal. Around a billion was paid over three years as part of this deal at some point. Appearantly there was bidding by Microsoft for making Bing the default, which pushed up the pricing.
So every time Mozilla speaks out against Google, it is a bit awkward, since they are biting the hand that feeds them. I suppose they could take a deal from Microsoft, Yahoo or even DDG (or Baidu!), but without interest from Google I presume the funding would be lower. Quite an interesting situation.
Thank God both Firefox and Chrome are open source. That is at least some small degree of insurance against potential freedom-limiting shenanigans by tech giants.
Yeah, I mentioned this in another comment: it's really a shame that Mozilla spends the majority of that money (often poorly IMO), instead of putting it into an endowment fund or something similar that would leave them in a much better position for the long run.
It actually takes a lot of people to build and maintain a modern competitive browser. Not paying those people and instead investing the revenue would end the project in short order. Mozilla is already outgunned on staff by the other major browser makers and you want us to cut staff to save more? That's not realistic, IMO.
I don't disagree with you, but Mozilla takes in hundreds of millions of dollars a year and I don't think they spend all of that on Firefox - possibly not even the majority of it!
I think that if they cut back on some of the other projects in the short-term, they could ensure the foundation was funded for the long-term - to support Firefox and anything else they deem valuable.
Almost all in Chromium is open-source, there are some missing pieces though.
For example, the per-device configuration (GPU acceleration enabled or not, etc) is not there, the statistics collection infrastructure, the WebAPK minting code is not there, etc.
> That is at least some small degree of insurance against potential freedom-limiting shenanigans by tech giants.
Chromium being open source is a red herring. The web is a protocol between clients and servers, and having the ability to fork the client doesn't matter if all the servers ignore your fork and continue speaking the protocol dictated by the dominant client. You need to fork the entire protocol, which is to say, you need to fork the entire web.
Perfect is the enemy of good. If you postpone or skip using Firefox because of this reason/excuse, you are even more a part of the problem than you probably realize ;)
Mozilla's opposition to such initiatives matters only because of their users. And there are no other significant fighters in this ring on _our_ side, unfortunately.
Mozilla should really double down on Mozilla VPN. Judging by all the NordVPN ads on every major youtuber's video, the profit margins must be astronomical (or their business model must be suspicious). It should provide a good income stream for Mozilla. The entire space is shady and filled with dubious actors. It is just begging to be disrupted by a trustworthy organization.
I can't think of a single candidate other than Mozilla that has the technical expertise, experience, trust, reputation, resources (not to mention non-profit structure) built over 20 years defending the open web. I don't understand why Mozilla is dragging their feet on this. They should have owned the entire VPN market by now. VPNs aren't cryogenic rockets.
Yes. I don't know why though. I don't understand why they can't host and run their own OpenVPN instance. Or why MozillaVPN is only available in 30 countries (mine not included), 4 years after announcement. Or why i haven't seen a single ad for Mozilla VPN anywhere on the web other than in mozilla's homepage. Or what they are doing with their 800 million dollars in annual revenue.
VPNs are barely gonna make a dent in their income. What do you think the market is for VPNs? 99% of people don't know what VPN means.
Of the remaining 1%, most don't need a VPN for anything personal. It's literally just a handful of geeks who need VPN (mainly for secure piracy, or accessing different regional Netflix catalogs), and maybe a few dozen journalists living in dictatorships.
Mozilla needs to gut spending. Get rid of all the diversity /hr/evangelism people bloating their employee headcount and funneling people's donations to divisive causes like that org that doesn't hire white men (forgot the name but it made me cancel my monthly donation to Mozilla). They shouldn't need more than 25% non-technical staff, and the purpose of those 25% should be exclusively to support the technical staff. Instead they became another bloated Big NGO that's basically welfare for liberal arts majors in California.
Is the Mozilla organization generally responsive to social media? I have had a hard time trying to figure out where the organization responds to publicly, generally.
I would love to have a Mozilla hosted email and calendar service from them, for example. I don't understand why they aren't branching out into more common web citizen needed services.
People need to be more aware about this.
I also use Firefox on the desktop. On Android I use Mull, which is based upon Firefox and it's actually pretty good!
> I hate to say it, but if you used Chrome to read this, then you're part of the problem.
Victim blaming BS.
Let's see who else is the problem. How about all those engineers who decided not to contribute to Firefox? Or all those website developers who didn't test their site in Firefox? Or hell, why not all those Mozilla engineers who didn't fix Firefox hard enough?
Let's put the blame where it actually is. Google is to blame. Not the users of their free products they advertise all over the place and have an unlimited marketing budget for.
Victim blaming is absolutely the correct approach here. Of course you shouldn't blame your grandma for using Chrome, but people on HN are a completely different audience. HN readers should be well aware of the damage Google is causing to the open internet, using Chrome is tantamount to supporting this effort.
I don’t know if they won the game of capitalism but their market power and profit incentive are facts.
If you don’t want to stop using Chrome, then your alternative is to buy a controlling share of Alphabet and appoint a Board that forgoes advertising revenue in exchange for being nice to adblock users.
Yes, the worst are the techies who should know better but insist on using chrome because "it feels slightly faster, therefore I have no choice but to use it." Such people pretending to be victims is complete nonsense.
Firstly, the examples you gave are dissimilar; GP is pointing out a positive action (choosing a specific browser) while you're emphasizing negative ones (not doing specific things to contribute to Firefox). Secondly, they did not say that the user is to blame for the situation, merely that they are part of the problem, which is trivially true; Google would not be able to do what they are without a large number of people choosing their browser. Thirdly, the way to effect change through fora like this one is to identify what an audience, personally, can do and encouraging them to do that thing. People can choose what browser they use. They cannot meaningfully change Google's behavior.
I never seen a single chrome add. I'm sure we're in different part of the world and in different add segments, but seems to me chrome marketing in not that widespread, is it ?
As a retired FE engineer, the top reason I used chrome and test with it was the powerful yet light devtools.
With few exceptions the browser market is a lot like the Volkswagen Group. They design key components and depending on market segment they slap a Audi, VW or Skoda label on it, do a few tweaks to the look and feel and add a few features that they know that a particular segment wants. Under "chrome" it's a Volkswagen.
I think the person you are responding to would say that edge is just another chromium skin. It doesn't exactly relieve Google's monopoly on browser technology
Microsoft is exactly the kind of company that would throw its full backing behind this google proposal, seeing how they have spent the last 20 years working towards the same goal. See Windows 11, Trusted Platform Module, Pluton, Palladium, SecureBoot.
Not only is Edge based on Chromium, as a major operating system vendor with strong influence on the hardware market, Microsoft is well positioned to be one of the widely-accepted attesters. So they have little motivation to oppose this proposal.
Chrome feels faster though. I just switched back to it after using Firefox for the last year. Chrome on my work computer felt snappier than Firefox on my comparable spec personal machine.
My concern is that soon the comparison will be "Chrome without ad block" vs "Firefox with ad block". There's no way Chrome outperforms Firefox in that scenario. Even if Chrome is faster for your unique workflow today, prepare to switch back.
I'm honestly (as in putting in multiple hours) trying to switch to Firefox every 4 to 5 months. I tried at least 4 times. I do the dance of migrating bookmarks, passwords, layout preferences, add-ons, workflows, setting up sync, installing on all Android and desktop devices ... and then i run into issues, try to fix some of them, research, then give up and go back to chrome and don't think about it anymore until another article like this pops up on HN.
This time I won't be shamed into doing it again. I don't have the time or motivation.
edit: forgot to mention explicitly, it's not Firefox, it's me. I'm not strong enough.
I find that condescending but I'm sure you didn't mean it that way and had good intentions asking that.
The problems I experienced that can be fixed in Firefox itself probably already got fixed.
My (personal) problem with Firefox is that functionally it's not Chrome and doesn't look/feel like it. The claimed non-functional improvements (privacy, freedom, ...) DON'T make up for the difference for me personally.
If Firefox looked and felt more or less exactly like Chrome for the functional parts then I would not have any problem switching for good. It's not at the moment, so this is what stops me from adoption.
I don't propose to change anything (you did). I was merely stating why I'm not on Firefox yet as a data point.
Absolutely not intended to sound condescending, sorry if that came across that way.
I see your point and it is absolutely within your right to stay on Chrome if you don't want to change. I've found it pretty much identical in terms of functionality and UX for the past decade though. Do you have any particular functional improvements in mind that you're missing in Firefox?
As an example: https://ibb.co/Wynn5Tg
Subjectively(!) Firefox is cluttered and takes much more space than Chrome for itself. Unfocused tabs are hard for me to make out on Firefox.
I think that personally I'm a lost cause. Either give me Firefox in a Chrome's pelt or I stay with Chrome. And maybe that's good this way: Firefox should just focus on new users and make the best browser for "them".
I have zero issues using FF everywhere. I used to have to use Chromium every couple months because some dumb website was pulling in a library that was using some non-industry-standard thing chromium did - and everything broke due to their utter lack of testing - but even that has died down. There is a newer trend where I have to disable uBlock every once in a while to complete a task, which is just as bad, but I rarely have to actually use another browser.
If I remember right, DuckDuckGo's browser just uses the system webview. So that might be Chromium on Windows now that Edge is Chromium-based, but it'd be WebKit on macOS, and I'm not sure what it'd use on Linux.
Web standards are a part of the problem that few people think about. Existing rendering engines grew along with the standards. However, the standards (especially CSS) have become so absurdly complex that implementing a new engine would be nearly impossible. Even Microsoft caved, and Edge is now essentially Chrome.
Some will point out that Chrome is based on open-source software. In reality, however, Google has a huge amount of power here. If Google is serious about this initiative, they will try to force it into the projects, and make it an essential part of the web experience. As others have pointed out, Google is also a primary supporter of Firefox, so they have influence there as well.
THIS...except "a part of the problem" is miserably understated.
Extreme technological complexity is just about the best possible moat a huge business can have. Though in this case "walls around the prison in which the users are incarcerated" might be a better analogy.
And all the prisoners, who just can't resist the endless shiny new goodies added to the web standards, are forever building their own prison walls higher...
I switched to Chrome pretty much the day it first came out and it was revolutionary. Switched back to Firefox a few years ago due to Chrome becoming too dominant and Google throwing their weight around in standards committees too much. When I desperately need Chromium for something I use Edge (which I actually rather like).
The problem with Mozilla Corporation/Foundation is that they blew all their time/money/resources/lead on things that didn't matter, not helping pave the way forward, and then fired a lot of their staff to boot!
Mozilla was once a bright shinning beacon of hope for the open web, but they wasted their good will on too many of us, and it pains me to think what could have been.
Good will is nice but those people also need to eat and mozzilla really needed to find a revenue stream other than google paying them off so they don’t have to spend 100x the amount on antitrust litigations.
This is a perfect case in which I’d like to see my taxes funding their work.
If you're using Apple products, your first preference should be Safari. I use that all the time, it's faster, leaner and syncs tabs/history/bookmarks greatly between different Apple devices.
1. Native integration across devices: Safari integrates seamlessly with Apple's ecosystem due to proprietary features like iCloud, Handoff, and universal clipboard, allowing for a consistent user experience across all Apple devices, with seamless transition among them to stay in your flow across devices.
2. iCloud Private Relay: This is a recent security tool from Apple and participating CDNs that encrypts all Safari traffic and protects the user's privacy by preventing anyone, including both Apple and network providers, from seeing which sites are visited.
3. Password Management Integration: Safari offers seamless integration with Apple’s Keychain for password and two-factor authentication (2FA) management across devices and across apps and browsers. Safari leverages Apple's OS level full password manager that's been quietly iterated each major release, now including support for TOTP and compromised-site checks.
4. Increased security/privacy: Safari uses AI/ML backed Intelligent Tracking Prevention to identify and block trackers, ensuring enhanced user privacy. While similar features can be added to Firefox via extensions, Safari has these capabilities by default.
5. Improved Power Efficiency and Performance: Multiple battery life tests confirm that Safari is significantly more power-efficient than Firefox and Chrome. Apple pulls this off through co-optimization of hardware and software, power-efficient technologies, hardware acceleration, conservative use of resources, efficient resource handling, and the blocking of resource-heavy ads and trackers. In real world use, you may see twice the battery life during web heavy usage.
6. Extended Support for WebKit: Use the browser your users use, so you understand and support their experience.
Other factors like persistent tab groups, 120hz scroll performance, and first class "retina" typography simply add to the smooth experience Safari provides on macOS and iOS.
Here are some lesser known tips for tuning up Safari to your liking and using features folks may be less familiar with:
Apple has a pretty terrible record on security given the Pegasus spyware and 0 clicks. Although most are related to iMessage and hardware exploits.
I still have a hard time believing the Privacy stuff since PRISM and Apple's openness to give data to China and Russia. But if you believe them, don't mind the government's access, and don't want to use other software, I can see where you are coming from.
I use Apple devices for work, but a combination of Windows, Linux, and Android for personal use, and I like that Firefox can sync between all of them.
I will concede that if you're all-in on Apple, then Safari is certainly more convenient. It's also more power efficient on macOS, so if I know I'm going to be on battery all day, I may switch to Safari for the day.
What does HN think about Mozilla adding some premium tier of the browser itself for a small subscription fee? I already subscribe to MDN out of sheer principle, and would be OK substituting some bullshit like Hulu if it would help even more... I am willing to pay the true cost of the "open" web, whatever it is. Just tell me how much and where to sign.
Money is going to be a required tool to fight back against google, whether we like it or not. Capitalizing on the lesser evil to fight the bigger evil is not a terrible idea in my estimation.
I would love to use Firefox, if it wasn't so persistently such an utterly slow piece of shit if you open more than a few tabs or use it much. Across every laptop I've ever owned and across every version of FF I've ever used, this has been the case despite all promises. So unless i'm haunted by some magical digital browser curse, Chrome at least performs rapidly, even for a tab hoarder like me. I barely use anything by Google knowingly, but with Chrome Firefox can fuck off in comparison if it can't simply perform at the basics of agile functionality.
This has never been the case for me at all. I write this comment in Chrome because I have it for testing and specific purposes, but I believe CPU and memory utilization advantages of Chromium always have been a myth for the most part. And I am someone that holds a lot of tabs open without rebooting my work machine for days or months.
Browsers are still memory hogs, but at some point you have to decide if you want speed or low memory usage. Fast reaction time or nicely rendered pictures. On a decent machine, not even a fast one, there is no difference. That said, I despise notebooks and usually use towers.
I'll look into that on my laptop and see if it may just possibly have been a major cause of problems all this time. I'm skeptical, but thanks for the tip.
485 comments
[ 5.2 ms ] story [ 324 ms ] threadI'm definitely in the latter group, but I can see how some market purists might believe in the first version.
But these days, you want to watch a 2' video on YouTube you are subjected to 20-30" of unskippable ads. Discounting the privacy (and even security) concerns, this alone pushed a lot more people to start ad-blocking were they can.
If Netflix introduced a freemium mode where you can watch their content with injected ads for free, would that be evil as well?
People pay for Netflix because they want to watch the specific content, for which the platform has already invested money. It feels natural and fair to pay them. For the same reason, if they had a perhaps limited in content, but not obnoxiously annoying ad-supported options, people would be more likely to respect it.
On the other hand, YouTube wants you to pay to get rid of the annoyance they intentionally planted in their platform, while they have invested 0 of their money on content. Also, most creators don't seem to be paid enough from YouTube, and appear to make their living off of 3rd party sponsors, sales, referrals, etc. With this model, it is not surprising that people aren't very keen in having a YouTube subscription.
And if you happen to be a tech giant that can drive the industry literally to every direction you want for decades, and what you choose to innovate is ad tech and NOTHING else, you're not evil, just stupid. Well maybe both. Or either. But definitely stupid.
It’s the arrogance that kills me.
We have all seen that there are absolutely no boundaries on how many adds and pop-ups sites get plastered with.
They aren't trying to balance it out on their sites, they just try to make as much money as possible. That isn't an acceptable user experience.
Now pair that with the world's most used search engine rewarding the most amount of (their) adds. It is a hellscape.
I’m watching a video about cars, sure show me the ad about this crappy car brand I will never buy. I’m reading an article about Prometheus, sure show me an ad about your greatest SaaS metrics platform that cost more per monitored machine than my machine.
No needs for cookies and tracking.
Would you really? I mean I keep hearing this but it doesn't ring true to me. People don't like ads in content because it interrupts what they are trying to consume and tries to leverage them away. This seems like a far greater motive to install an ad-blocker than some hand wavy tracking that probably doesn't even work that well.
Here you answered it yourself why people adblock. If ads were served on either side of the holy grail layout like the good ol days it wouldnt have been such a pain in the ass.
I remember jumping on the ad-blocking wagon when google started serving their shitty ads in between scroll content, serving diseased peoples photo ( ketto.org ) and getting frighteningly accurate/curated ads of what I searched for previously. Literally fuck google for having a digital private investigator on my ass 24/7 just to sell me shit. I am gonna use ad-blocker till the end of time.
But in reality it's more like the newspaper publisher would then follow you around all day wherever you go and interrupt you every time you try to have a moment's thought or talk to your children, so they could perhaps interest you in this product they're advertising. Not only would they passively follow you around but instead direct you to places where you find the most outragous people you can think of. When you're all worked up they could put you in touch with the higest bidding political operative that promises to ease all your pains.
I mean sure, maybe the publisher is not evil but I don't know what to call them.
I see it like smoking. It should be legal, but there need to be laws in place preventing smokers from harming and annoying anyone that chooses not to smoke. Ads should be legal, but there need to be laws in place allowing people to completely avoid them by paying a fair price. Until this is the case and everyone can choose, making them unavoidable is morally wrong.
Not everyone has the ability to act on said 'choice' and risk their jobs, income, benefits.
It's not that easy.
Some that help their parents, some that have kids, some that have sick spouses, some that brought their parents to live with them and support them due to health issues, some that have work visas.
I am simply saying that even though the right thing to do would be refusing, you also have to consider everyone's life circumstances when they make decisions.
The fact that they make $100k, $200k, $300k like another comment said means that they don't just need a job, they need a job making roughly the same amount of money and having the same benefits to be able to risk getting fired.
My original comment I wrote it so that we wouldn't just place everyone in the same group and generalize. It's not necessarily always as easy as refusing and risking your job. You're risking whoever else you support for example.
Do any of them support a sick kid, spouse, parent? Any of them send money home?
All I'm saying is that some of them might not be in a situation in which they could, on a whim, risk getting fired. And we shouldn't blame them because the fix for that is not on their hands.
Google engineers are not special. Everyone has a situation, and family, and bills. Everyone has a parent who will die one day. Everyone hits hard times. Everyone faces tests of character at inopportune times. Very few of those people are making $300k a year tho, and nonetheless making the rightethical choices every day. Why can't Google engineers?
That's why I said standing up for your principles is difficult. If it were easy, everyone would do it.
"Im used to spending too much money so in order to not getting a minimal pay cut im gonna work on unethical proyects." Isthe kind of insane thinking only people at HN seem to say without flinching.
Like at that point do not work at google, write ransomware for a company in Russia, they will pay even more money. Make bio weapons for a dictator in a civil war afflicted country of the third world. If Life style creep and your new Tesla to drive your kids to the private school is the only thing keeping you in check, you might as well trade stocks against life expectancy based on obesity reports and climate change effects on coastal areas.
That also accounts for expenses.
Do any of them send money home? Help parents or grandparents? Do any of them had to bring their parents or grandparents to live with them due to health issues? Lifestyle creep takes into account taking on more debt. That debt is not just in luxury like how most people think.
Lifestyle creep is believing luxuries or non essentials are essentials due to now them having become part of your day to day.
Also, many unethical choices are made or advocated for by engineers themselves.
But blanket blaming all of them and saying they all have a choice is not real. Any of them on visas? How would you feel about risking not just your job but also the ability to live somewhere.
You can't blanket blame all engineers and say they all have a choice.
I have refused to implement unethical code when I earned US$8.8k/year and supported my mother (living in Brazil, beginning of my career), I believe a Google engineer has much more leeway and money sloshing around to decide it's not right to do something unethical, and be vocal about it. There's much more of a choice than I had at that time and if I managed to choose to not be an asshole doing unethical bullshit, and didn't starve my family in the process, they are pretty damn able to do it as well. Might need another job but c'mon, you have Google in your CV, jobs will come, stop being a greedy pig.
Anyone sick at home? Anyone with a visa? Any debt? Student loans? Kids?
You wouldn't just need any other job, you'd need another comparable job.
https://en.wikipedia.org/wiki/Golden_handcuffs
I'm very sure if you are earning US$300k/year and depending on every job you get to be comparable or better you have set yourself to be fucked for life... Again, with Google on your CV you can get another job for a visa, or to pay student loans, if you depend on earning US$300k/year to just live your life you have much bigger problems.
You are trying to make it look like someone with one of the highest paid white collar jobs in the world is struggling to live and depends on earning that amount. Let's be real, it's a very, very very very small subset of people earning on that bracket that actually might have enough issues in their lives that require earning that amount (huge amounts of medical and student debt, supporting a family with disabilities [spouse, kids, etc.], etc.).
They might exist in this case, yes they might, but making that possible exception into a "think of the poor golden handcuffed employee who is being forced by some freak life situation to do this hugely unethical thing in name of their employer" excuse is not reality, in reality it's just much more likely these are people that want to keep their cushy job ingratiating their employer by making the web worse for everyone else. Greedy. Pigs.
“What choice do I have?” - a Google engineer who drives a brand new Tesla, living in a $10k per month apartment.
There's also Google engineers driving Corollas and helping their parents back home with expenses.
There are projects one of integrity should simply refuse to work on, if they make the world a worse place. With Google on a resume, it's not exactly hard to find jobs. People who agree to work on projects like these are defective human beings.
A blacklist seems like a fine idea here, but it's important it be specific enough to pick out just the bad actors.
The way I manage my life, I want to make sure the work I do makes the world a better place. For the past many years, virtually everything I've done has been aligned with advancing humanity (education, medical, etc.), and has been open-source. I'm fortunate enough to be somewhat well-known for a former project, so I've always been able to find jobs like that. My values state that:
- If that meant working at a good subdivision in an evil organization, I'd do that.
- If it meant doing evil work for a good organization, I wouldn't.
- Heck, if it meant helping reform an evil, powerful organization to be good, that seems like worthwhile work too.
I haven't been in a position to need to manage those conflicts, mind you, but that's how I'd play them according to my ethical compass, if they came up.
I'll also mention: It's also important to be aware of people's situations and more complex trade-offs. Consider a person who does scammy sales pitch telemarketing calling during dinner to sell you on snake oil medicines. Now, consider that they make minimum wage, it's the only job in their town, and they have a five-year-old they need to feed. I'm in no position to judge.
I am in position to judge Ben, Borbala, Phillip, and Sergey.
Making the internet worse? That’s bad, but I’m not convinced it warrants the same reaction.
This isn't Chrome/WEI defense btw. All attestation in web browsers ("user agents" my ass) is bad. Base your complaints on objective problems, not hate of one brand.
Hello, Mr. Yakamoto! Welcome back to The Gap…
You'll be free to opt out, though most of the internet will be unusable without Environment Integrity.
Unless there is a plan to allow attesters that are independent bodies then this is absolutely a threat to the open internet, or what's left of it.
The biggest dead canary for me is the lack of calling this out explicitly by Google or Apple. We're left to assume that Google is hand-wavingly saying "don't worry we can take care of that" when the private companies already monopolizing parts of the Internet are the absolute last people we want handling attestation.
There are two risks here (examples follow):
1. hostile requirements - "the agent won't feature adblockers", or "scraping without explicit website permission must be forbidden"
2. prohibitive requirements - "the agent implements protocols X, Y and Z and adheres to standards A, B and C" - all of these may be reasonable things, but en masse they may be too much work to carry by anyone but a reasonably big vendor
Additionally these criteria must be verifiable, so user can't basically modify the agent, because then the attestation is practically void.
Or what is wrong with meeting politicians what have always a very good brief in their hands telling them what words have maximum impact on the small group before them? It seems to work looking at the increasing number of spineless chameleons.
So many people genuinely don't understand what would be wrong with this scenario, and that's why I'm afraid.
"Oh, this area of $hot_social_media_site is for people earning ($user_salary * 1.4). But you can get access for just $10/month paid monthly or $9/month paid a year in advance! You don't want to be left out and lose the chance to network with higher earners, do you?!?"
Like, perhaps like if they didn't allow any extensions on their mobile browsers?
(Note: You can't use extensions on Chrome on mobile devices)
Chrome Mobile is very stripped down, but the idea that they disabled all extensions just to get at ad-blockers is completely unfounded.
If that does not seem shady to you, then I will be unable to make you understand the point.
This rule applies to discourse, not perspectives. I also wouldn't call many of these concerns "fantasies," because anyone with a basic understanding of public-key cryptography can tell you exactly how this technology, even its most basic form, could be used to:
- Create an absolute monopoly on browsers.
- Give the holder of the browser monopoly the power to control who can/can't crawl the web.
- Give the holder of the browser monopoly the power to control what OS you use to access the web.
and so much more that it's head-spinning.
Is OP's title clickbaity? Yes. Are the concerns brought up by commenters totally legitimate? Yes.
Your premise is broken. How is this even possible in an open source ecosystem? Chrome was built to be forked, and there are several healthy forks that are thriving. There is zero chance of there being a browser monopoly any time soon. Basically every proprietary browser is now dead.
By the way, Chrome contains proprietary code. Chrome and Chromium are not identical.
This was over a decade before any other web service I know of even had optional MFA support.
Until just a few years ago, mine would pop up an MFA prompt, but if you hit the "mobile website" button, it would just bypass it completely. I reported it to them for at least five years before it got fixed, and it's more likely that they just fixed it on accident.
Corporations, corporate communications, public figures, etc. are not deserving of the assumption of positive intent.
- Content sites implement Web Integrity API to block bots
- But they still allow Google crawlers, because Google is their source of traffic
- Google competitors are locked out
How do attesters solve this problem?
Are they sure that even more user hostility is what the modern internet misses?....
An ad-backed site’s trust on not being visited by bots, vs my privacy…
Doesn’t even sound like a trade-off from a user’s perspective.
Projects like these existed, I think it was an extension, but we'd probably need to do better than that.
> Detect non-human traffic in advertising to improve user experience and access to web content
As if the goal to do that would be improving UX...
> However, how this plays out with browsers that allow extensions or are modified remains a grey area. As the proposal vaguely mentions, "Web Environment Integrity attests the legitimacy of the underlying hardware and software stack, it does not restrict the indicated application’s functionality."
That's not vague at all.
This would be entirely in line with financial incentives of the proposed attesters and even logically defensible (oh well, we haven’t vetted uBlock, so you can’t browse with that installed).
And aside from niche platforms, do you want the 3 big companies to decide what you're allowed to see on the internet?
I do not want those companies (or anyone, really) to be able to decide what is or is not an allowed hardware/software setup to access anything.
Make browsing the internet possible only on Chrome, Safari or Edge (with no modifications or extensions). No competition allowed in browsers.
Make browsing the internet possible only on macOS, Windows, Android or iOS (no custom Android distributions, definitely no LineageOS or GrapheneOS or whatever). No competition allowed in Operating Systems, especially no open source operating systems.
Make crawling the internet possible only to Google. No private crawling and no competing search engines.
Let me know if I've missed anything...
Maybe if I donate to NRA-ILA I can tilt their agenda towards gun control.
you’re not going to tilt a think tank against its master, and the point of Mozilla is controlled opposition so google can point out they’re not quite a monopoly.
There's also the venerable lynx, and elinks (which I reluctantly admit is better than lynx, even if I don't use it much), and Dillo+ [1] (a fork / continuation of Dillo that supports Gopher and Gemini). And could I forget NetSurf, with its graph-y history navigation? And of course, Ladybird, [2] probably the best-funded of the lot.
These are just the ones I've heard of. There are surely dozens more you'd be interested in, and thousands of little hobby projects. Why not try making your own web browser?
[0]: https://argonaut-constellation.org/
[1]: https://github.com/crossbowerbt/dillo-plus
[2]: https://ladybird.dev/
https://www.theverge.com/2023/6/26/23774547/microsoft-sony-x...
The FTC lost that case.
I think at this point, if a big tech executive avoids doing something due to the threat of antitrust lawsuits, they're just incompetent.
The amount of effort that goes in to playing advertising metric games of YouTube is ridiculous to me. Anyone that says well people have to get paid I say maybe.
Real creators create and don't need the like, subscribe, patreon, mantra. Most of the gunsmithing sights on YouTube are moving towards this idea.
I don't believe in the discovery myth so many talk about as essential. It is only essential if you need inorganic growth.
I would say it's an emerging trend and that the more they tighten their grip the more creators will slip through their fingers.
Reliable machinery always has a shop manual, diagrams and prints. Programming languages have tomes of documentation, computing infrastructure has man pages and volumes of commentary, scholarship and trouble shooting have been committed to characters.
Aside from the point and grunt visuals, solid presentations (viewed after the fact when the value of real time interaction is gone) work fine as text.
If you're dyslexic, I get it but TTS systems are extremely solid these days.
What is the point?
Buying stuff is on a spectrum and I think a consumer should be able to chose a tightly regulated system for exchanging currency.
Most everything else should be free to choose.
Financial transactions could become so streamlined that a "commerce fob" is likely to emerge. That would be a credit card with a screen and buttons.
Think about how streamlined all these tasks have become. Putting those in a single ROM that has a screen and is tied into some legitimate network will emerge.
It is only out of convenience that these services are currently tied to a "phone".
The above is true only to the extent that you believe it. I don't believe it at all so I'm not part of the "you" I'm an "other".
The "News" is a whole other problem closer to truth. So not technical entirely. Individuals started newspapers and individual will deliver the news.
A big issue corporations currently face is that everything has become so cheap that their scale of effort is a hindrance.
If a corporation is not acting ruthlessly efficient the economy of scale breaks down quickly. The crux of this will cause the success of many smaller scale efforts that don't hold the overhead of a corporation.
The original promise of the public internet was the idea that broadcasting was dead and narrowcasting was the wave of the future. This was true up until ads became legal/common on the internet.
Take away the commercial interest and you are left with passionate publishers and audiences.
It'll kill open platforms like the rare open source RISC-V implementations, but for almost any platform in use today this can be implemented.
The real question is "but will it", and in practice websites will probably only whitelist Chrome, Edge, and (reluctantly) Safari.
Do you mean a kind of Linux where root cannot do anything he wants? Like Android?
More secure variants like Android, leveraging SELinux and such, help with sandboxing but I don't think that SELinux is a struct requirement.
Even after you manage to turn it on, it only verifies the kernel and cannot do anything about malware hiding in /usr. There is no Linux distro AFIAK that has verification of the entire system like ChromeOS, MacOS, iOS, Android and Windows have.
> Fedora includes support for the UEFI Secure Boot feature, which means that Fedora can be installed and run on systems where UEFI Secure Boot is enabled. On UEFI-based systems with the Secure Boot technology enabled, all drivers that are loaded must be signed with a valid certificate, otherwise the system will not accept them. All drivers provided by Red Hat are signed by the UEFI CA certificate.
Running your own secure boot CA is not enabled out of the box (for obvious reasons), but that does not pose a problem on most systems. Secure boot only needs special care if you need to load unsigned kernel modules (DKMS, Nvidia) or if you run on a super duper special Microsoft device that doesn't have the third party CA certificate by default.
[1]: https://docs.fedoraproject.org/en-US/fedora/latest/system-ad...
And, again, it is complicated to get it turned on. How complicated? Take a look:
https://nwildner.com/posts/2021-04-10-secureboot-fedora/
>The kind of Linux 99% of Linux users are running today.
I severely doubt that even 5% of Linux installs have secure boot turned on because of how complicated it is to get it working. Specifically I imagine that the complicated instructions on the page I just linked will need to be modified depending on the specific secure-boot firmware.
> https://nwildner.com/posts/2021-04-10-secureboot-fedora/
Most motherboards ship with secure boot enabled out of the box. Fedora will install and boot in that configuration without any changes to your system or motherboard settings. You actually have to go out of your way to disable it. The manual (https://docs.fedoraproject.org/en-US/fedora/f36/install-guid...) does not mention any such setting changes.
The page you link goes into custom secure boot keys, which are usually unnecessary. They're arguably more secure, but it's an entirely optional step unless you decide to load unsigned kernel modules.
For instance, initrd is not verified: https://news.ycombinator.com/item?id=36717975
>The page you link goes into custom secure boot keys, which are usually unnecessary.
You might be right about that.
To use secure boot without calls to mokutil and friends, Unified Kernel Images are introduced in Fedora 38. These images contain everything (kernel, initrd, and so on) in one, published package. If https://bugzilla.redhat.com/show_bug.cgi?id=2159490 is to be believed, UKIs are live already in Fedora 38.
I can only find pregenerated UKIs for virtual machines in the Fedora repositories and I can't tell if they're properly signed or not, but support is being extended and this problem is being solved.
As for providing security: Linux really needs an easy, user-friendly GUI application for setting up proper secure boot. Of course at least one step is out of the control of Linux developers (configuring the firmware to load new keys) but right now "I want to load my system keys (and also the keys for my Linux dual boot)" is awful on any Linux distro. Every guide presents scripts to call scripts to call automated tools but none of them seem to make the process any easier or friendlier.
In my search I focused on the "immutable" distros like Silverblue because it seems to me that the immutability would make the implementation easier.
In contrast, all the other mainstream OSes can detect an alteration in something like the C library during boot.
Even still, there are ways to implement this using an open source, signed, reproducibly built daemon that gets loaded early in the boot process. Altering the daemon would've out of the question but it would solve the more immediate problem of "Netflix doesn't work" that most people would actually care about.
Remember the corporations will need to be more disruptive than a nuclear war to break the internet. We can always route around them ourselves.
Make browsing the internet possible only on SoCs allowed by Apple, Microsoft, Google. No competition allowed in SoC. [0]
Make browsing the internet possible only on form factors approved by Apple, Microsoft, Google. So no calculator with a web browser [1]. No competition allowed in form factor.
Make browsing the internet possible only on UX approved by Apple, Microsoft, Google. So backtracking 10 years ago, when Android made documents-oriented web browser (= each tab appears just like a standalone app in recent apps), that would have been abuse of that position. No competition allowed in UX. [2]
PS: I come from Android OS world, all those examples already apply to Google/Android.
[0] Well this one will depend on whether their Web Environment Integrity implementation will enforce full secure boot approved by them. Considering how it went for Android, I'd say it will, but can't say for sure.
[1] Yes you can find calculators running Android (but can't run Google/Android so no Chrome). Amongst a lot of other weird Android devices. You can find walking robots, toothbrushes, urinals running Android.
[2] You'll probably find a better example. Arguably it's the same as "competition allowed in browsers", but that was an OS-wide change, but saying it's "OS" IMO largely reduces it.
So? They can force you to pick between running old software or running new software. This is hardly new if you look at the broader "compatibility" scene. Old hardware and software are being dropped all the time. (Remember when MacOS dropped 32-bit support and wiped out a huge chunk of older games?)
If you want to stay in the old chain, you're free to do so, just like how you can still pick up a word processor made a couple decades ago and make documents on it. It only affects you if you want to use the Internet as that keeps evolving. (If you load up some '00s or '10s era browsers you'll see that many of them do not work at all for the popular Internet sites, which have all adopted things like newer TLS implementations and HTTP/3 or whatever the latest one is...
Forgive my stupidity, but isn't this only going to be the case for websites that will opt into the use of this api? Currently, websites can already do user agent sniffing, or hide their content behind a login wall; but we are not complaining that this is the end of the web. Or are we?
How many web sites still serve you http:// instead of https:// ?
The transition was (is) entirely voluntary. Transition happened more slowly until browsers made the lack of https:// look scary.
https://blog.mozilla.org/security/2017/01/20/communicating-t...
People seem to have some severe cognitive dissonance when it comes to commercial web sites. They are crucified for selling ads and tracking then when they have the temerity to try and charge for their work people will start posting archive.is links to route around their paywalls.
If you don't like advertising then don't visit advertising funded sites or use their "free" tools. If you don't like paywalls then hit the back button and spend your attention elsewhere.
Currently Firefox is faster than Chrome : https://news.ycombinator.com/item?id=36770883
"We" need to do more / better to educate them!
I tried to implement pi-hole for some extended family members. They asked me to turn it off within a week because they couldn't watch advertising videos to earn a new 'life' on candy crush (or something closely resembling that).
I can't relate to "normies" anymore, it's too late for me...
Ad blocking is at least as big a deal as speed in terms of browsing comfort.
https://increditools.com/ad-blockers/
I think survey results showing 40% using ad-blockers is sufficient to question your assertion that most people don't know about ad-blockers. Folks may not all be using them, but I think a majority certainly are aware. And outside the U.S., even a majority use them in some countries.
Ordinary folks on the Internet have friends and family that are technically inclined and often seek advice from them. But most of the time, ordinary folks figure things out just fine in their own.
I don't think people are going to mobilize for privacy! I think people will just jump ship to avoid giant banners...
https://hnrankings.info/36778999/
https://news.ycombinator.com/item?id=36778999
You can't get that back.
One extremely small example from the last 60 minutes of my life is that many Google workspace products don't work very well in non-Chrome browsers. I have to switch from Firefox to Chrome whenever I call someone in Google Meet, because the system load is higher and some features are not supported (e.g. visual effects like background blurring). I'm skeptical that these features can't be done in Firefox, but when you try to use them you get a warning to use a supported browser.
I dug into this a little more and they have a page https://support.google.com/meet/answer/10058482?hl=en-GB&exp... which asks you to check for WebGL support, without a major performance caveat, and link to https://webglreport.com/?v=2
On Firefox on a M2 mac, I see "Major Performance Caveat: No".
good job!
I'd do the same thing if I was working for the devil and I knew it.
Privacy features like user-agent reduction, IP reduction, preventing cross- site storage, and fingerprint randomization make it more difficult to distinguish or reidentify individual clients, which is great for privacy, but makes fighting fraud more difficult. This matters to users because making the web more private without providing new APIs to developers could lead to websites adding more:
- sign-in gates to access basic content
- invasive user fingerprinting, which is less transparent to users and more difficult to control
- excessive challenges (SMS verification, captchas)
My question is whether there is any data to back up those claims.
And even if it stays as described, the percentage will be low enough that those that fail attestation can be safely barraged with captchas or simply told to go away. (You can try browsing the web with TOR to get a taste of how you will be treated)
The whole post can be summarized as "trust me bro"
It focuses heavily on privacy concerns and how those will be resolved - the vast majority of criticism I've seen hasn't been related to this at all, and those aren't especially hard problems to solve in the context of the existing spec.
It still largely ignores browser diversity & experience this will create for non-Chrome users. His argument is that blocking fingerprinting in future will mean anti-fraud will make the web unusable, and WEI will make it usable again. Given you accept the premise, still the conclusion is only true for browsers that can access WEI - which means the web will become unusable for browsers who can't (Linux, rooted Android, Firefox, etc etc).
For the ecosystem as a whole, it's better if everybody has a fair playing field. By definition, WEI structurally privileges certain clients. The more widespread that becomes the worse the effect on the wider ecosystem is. If WEI does not exist, and fingerprinting does not exist, providers will be forced to find ways to limit the impact of anti-fraud mechanisms. If 90%+ of browsers use attestation, that pressure decreases dramatically. Using Tor on the web today is a good example of the likely experience.
The mention of holdbacks here touches on this (though for full blocks, rather than wider impact) but ignores the existing strong pushback against holdbacks from others closely involved in the spec & discussion around this (https://github.com/RupertBenWiser/Web-Environment-Integrity/...) and ignores that the attestation they already shipped on Android for exactly the same use case does _not_ do this.
Fundamentally, the issue isn't about privacy during these checks, or whether defeating fraud without fingerprinting is valuable. Those are reasonable but obvious points. The issue is that client-focused validation for fraud is a flawed goal in itself (it's impossible - even with full & perfect attestation, you can set up a fully automated + WEI-approved machine by automating input peripherals directly) that risks enormous collateral damage, and we shouldn't encourage it in any sense. We definitely shouldn't standardize practices to make it easier.
At the end of the day, if you want to block fraud you have to do so server side (statistical analysis, rate limits, validated user accounts, requiring payments, some kind of proof of work, etc). This is a hard problem, absolutely, but it's unavoidable.
This is precisely what the reported issues are trying to achieve, regardless of their tone. The current path is completely wrong and reckless. The first step of working together would be to abandon this approach entirely.
This is akin to suggesting that we'd solve global warming by triggering a nuclear winter. This is not something you can solve by iterating and finding a middle path. The entire premise of this proposal is dangerous and should be binned.
Just think about all the potential ways in which this approach can (and obviously would) be abused.
(Posting this here as I just noticed they disallowed commenting)
I'm curious what "better forum," if any, Google will actually engage with on this matter. I too wouldn't this sort of overwhelming reaction to happen in a personal repository. But the conversation needs to happen somewhere!
> I’m giving everyone a heads up that I’m limiting comments to contributors over the weekend so that I can try to take a breath away from GitHub. I will reopen them after the weekend
After the weekend - leaves long comment but doesn't reopen comments as promised.
How else are they going to learn more about me and shove ads that they think I care about?
I very much doubt author himself believes that.
> An owner of this repository has limited the ability to comment
"There seems to be something wrong with your request, try reloading this page"
Good luck getting this ad infinitum you are on an environment that Google doesn't approve.
Who clicks on ads? Really? What segment of Internet users does?
Also as others said, there are quite a few people who still click them or click the first ad-links in google searches
I want the overt metric of a site visit caused by the ad, and the per-click fee to the advertisement host, to be as obfuscated as possible (or ideally, non-existent).
On Google, I avoid the ad links
Other than that... No, I'm newer clicking on ads.
In the article they write:
> Social websites need to differentiate between real user engagement and fake engagement.
No, they really don't. Why would they? They have a platform, you can buy ad space on that platform, it's not the job of the website to provide you with engagement numbers. You run an ad campaign for a given period, you track if sales increase during that time, if they don't your campaign was no good. I'm also okay with tracking sales directly from each campaign, have a tracking code for that campaign, but not the user/customer, that fine. The obsession with tracking everything single little detail back to a person is becoming increasingly obnoxious.
At some point, you might think about a product subconsciously due to any reason, and since you saw the ads, you'll think of a specific company's product and likely rank them higher among "unknown" brands by default. That will bubble up at some point and you'll have a desire for it which you either accept or reject. Most will accept, causing more to accept to be in the group. It's human nature.
Any interaction is a bonus.
If you care, stop using Chrome. If you criticize this evil move, but continue using Chrome, you are part of the problem.
Not using Chrome comes with zero cost - you can use the same websites everyone else is using, just use Firefox.
Not quite. Increasingly, as Chrome became popular, you get websites that "work better in Chrome". Or do not work at all in other browsers. And you hear recommendations to "just use Chrome", so that things work. It's just more convenient all around.
Your social graph is more accessible to other 'actors' than it would be if it weren't on Meta.
You may not care about this kind of thing, but I do. Unfortunately I'm not entirely free of it either, so any finger wagging on my part is at least partially hypocritical.
Let's say I have a kid at a school. I don't use WhatsApp, but several parents have me in their phonebooks. They use WhatsApp and also use Facebook on their phones. Facebook gathers their location information, and given what Facebook knows about them, it isn't difficult to infer that I also must have a kid attending a school at a particular address at particular times during the day.
Data mining quickly gets scary.
You can also look at it another way: if this information wasn't valuable, do you think Facebook/Meta would have paid a billion for WhatsApp back in the day? Do you think they maintain the "end-to-end encrypted" communications app out of the goodness of their hearts? This is extremely valuable information: millions of people share their identifying information (their phone number) and their social network (their phonebook). It's worth a lot!
Awful stuff like this wouldn't stand a chance if Google didn't have such a near-monopoly position.
For the sake of the open internet, please switch to a different browser. IMO, Firefox is best*, but even something chromium based is probably fine. Just not Google Chrome.
* On desktop - Firefox is a bit weaker on Android, with an extemely limited set of extensions (but still better than Chrome with no extensions) and just a Safari wrapper on iOS, with no extensions. (But sync works everywhere!)
(I posted something similar in a different thread recently but I think it bears repeating.)
You're gonna have to explain why you think this, because publicly, Firefox is owned by Mozilla which is not owned by Google in any way.
But maybe you know something the rest of us don't?
Who owns Mozilla? Put another way, if Google stops funding Mozilla, will it still exist?
The only reason Firefox exists is because Google wants something they can point to in court and say "look! we're not a monopoly!"
I'm guessing you're referring to the search partnership between the two? That doesn't mean that Google owns Mozilla, unless you're really unclear about what "partnership" or "deal" means. Mozilla have multiple deals with search engines, not just Google.
https://github.com/mozilla/standards-positions/issues/852
I guess they would.
The internal organisation of Mozilla doesn't really seem relevant here.
Also, Bing has on average twice higher RPMs, so, a 50% of drop in income after rev-share.
So, you remove 90% of the revenue, and you divide by 2 what is remaining.
If Google stops funding Mozilla, would they manage to get another deal, e.g. with Bing? If so, the power of Google would be limited.
A competitor that survives at the charity of a monopoly is evidence of a monopoly, not evidence of the opposite. A court might see a non-profit that is directly dependent on Google for ongoing operating cash very differently that how it saw Gates' one-time personal investment in Apple.
https://www.bloomberg.com/news/newsletters/2023-05-05/why-go...
If Google turned off this money faucet, Mozilla would be severely impacted. Unfortunately as Firefox's market penetration gets lower, the value of that deal gets lower, should Google stop paying it and someone like Bing takes over.
https://9to5mac.com/2021/08/25/analysts-google-to-pay-apple-...
They have no motivation to "turn off the money faucet" since the payment is effectively lead generation -- bringing eyeballs to their ads that pay them more.
So by "don't bite the hand that feeds you" logic, they couldn't be interested in being too adverse with Google, because in the end, this could threaten their whole existence.
Not sure if this is still the case though, or if they managed to diversify.
If Mozilla had put most of its income into an endowment fund instead of hiring tons of staff for a miriad of now-mostly-canceled projects, they'd be in a much better position today. (Hindsight is 20-20 and all that.)
But I think it's an overstatement to say that Google owns Firefox. I donate monthly, and I think a smaller form of Mozilla could survive completely without Google.
I don't know what you're doing wrong (all I can say is that the name of the collection is case sensitive) but I haven't had any trouble adding the custom collection settings to my Firefox installs.
Definitely not with the Iceweasel fork. https://github.com/fork-maintainers/fenix
The point is that using anything that's not Google Chrome is better for the internet.
> In August 2005,[11] the GNUzilla project adopted the GNU IceWeasel name for a rebranded distribution of Firefox that made no references to nonfree plugins.
> [...]
> The GNU LibreJS extension detects and blocks non-free non-trivial JavaScript.
https://en.wikipedia.org/wiki/GNU_IceCat
In 2011 Mozilla income was 85% derrived from Google, through the primary search engine deal. Around a billion was paid over three years as part of this deal at some point. Appearantly there was bidding by Microsoft for making Bing the default, which pushed up the pricing.
So every time Mozilla speaks out against Google, it is a bit awkward, since they are biting the hand that feeds them. I suppose they could take a deal from Microsoft, Yahoo or even DDG (or Baidu!), but without interest from Google I presume the funding would be lower. Quite an interesting situation. Thank God both Firefox and Chrome are open source. That is at least some small degree of insurance against potential freedom-limiting shenanigans by tech giants.
I think that if they cut back on some of the other projects in the short-term, they could ensure the foundation was funded for the long-term - to support Firefox and anything else they deem valuable.
For example, the per-device configuration (GPU acceleration enabled or not, etc) is not there, the statistics collection infrastructure, the WebAPK minting code is not there, etc.
Chromium being open source is a red herring. The web is a protocol between clients and servers, and having the ability to fork the client doesn't matter if all the servers ignore your fork and continue speaking the protocol dictated by the dominant client. You need to fork the entire protocol, which is to say, you need to fork the entire web.
Mozilla's opposition to such initiatives matters only because of their users. And there are no other significant fighters in this ring on _our_ side, unfortunately.
I can't think of a single candidate other than Mozilla that has the technical expertise, experience, trust, reputation, resources (not to mention non-profit structure) built over 20 years defending the open web. I don't understand why Mozilla is dragging their feet on this. They should have owned the entire VPN market by now. VPNs aren't cryogenic rockets.
Of the remaining 1%, most don't need a VPN for anything personal. It's literally just a handful of geeks who need VPN (mainly for secure piracy, or accessing different regional Netflix catalogs), and maybe a few dozen journalists living in dictatorships.
Mozilla needs to gut spending. Get rid of all the diversity /hr/evangelism people bloating their employee headcount and funneling people's donations to divisive causes like that org that doesn't hire white men (forgot the name but it made me cancel my monthly donation to Mozilla). They shouldn't need more than 25% non-technical staff, and the purpose of those 25% should be exclusively to support the technical staff. Instead they became another bloated Big NGO that's basically welfare for liberal arts majors in California.
I would love to have a Mozilla hosted email and calendar service from them, for example. I don't understand why they aren't branching out into more common web citizen needed services.
Not at all. Controlled opposition has to pretend being an opposition.
Victim blaming BS.
Let's see who else is the problem. How about all those engineers who decided not to contribute to Firefox? Or all those website developers who didn't test their site in Firefox? Or hell, why not all those Mozilla engineers who didn't fix Firefox hard enough?
Let's put the blame where it actually is. Google is to blame. Not the users of their free products they advertise all over the place and have an unlimited marketing budget for.
It’s not always so easy to walk away from an entire platform. People’s entire livelihoods could be based around Google.
I don’t see any issue with Google owning some of this responsibility.
You cannot expect Google to act against its own self-interest only because you ask nicely. You have to stop giving them the market power to do it.
I don’t expect Google to act against its own will, but they should.
If you don’t want to stop using Chrome, then your alternative is to buy a controlling share of Alphabet and appoint a Board that forgoes advertising revenue in exchange for being nice to adblock users.
Most people "choose" a specific browser like I "choose" my landlord when I move in to a new place. It's what's there.
I never seen a single chrome add. I'm sure we're in different part of the world and in different add segments, but seems to me chrome marketing in not that widespread, is it ?
As a retired FE engineer, the top reason I used chrome and test with it was the powerful yet light devtools.
Try browsing Google from a browser other than Chrome.
https://news.ycombinator.com/item?id=36770883
This time I won't be shamed into doing it again. I don't have the time or motivation.
edit: forgot to mention explicitly, it's not Firefox, it's me. I'm not strong enough.
The problems I experienced that can be fixed in Firefox itself probably already got fixed.
My (personal) problem with Firefox is that functionally it's not Chrome and doesn't look/feel like it. The claimed non-functional improvements (privacy, freedom, ...) DON'T make up for the difference for me personally.
If Firefox looked and felt more or less exactly like Chrome for the functional parts then I would not have any problem switching for good. It's not at the moment, so this is what stops me from adoption.
I don't propose to change anything (you did). I was merely stating why I'm not on Firefox yet as a data point.
I see your point and it is absolutely within your right to stay on Chrome if you don't want to change. I've found it pretty much identical in terms of functionality and UX for the past decade though. Do you have any particular functional improvements in mind that you're missing in Firefox?
I think that personally I'm a lost cause. Either give me Firefox in a Chrome's pelt or I stay with Chrome. And maybe that's good this way: Firefox should just focus on new users and make the best browser for "them".
I have zero issues using FF everywhere. I used to have to use Chromium every couple months because some dumb website was pulling in a library that was using some non-industry-standard thing chromium did - and everything broke due to their utter lack of testing - but even that has died down. There is a newer trend where I have to disable uBlock every once in a while to complete a task, which is just as bad, but I rarely have to actually use another browser.
Some will point out that Chrome is based on open-source software. In reality, however, Google has a huge amount of power here. If Google is serious about this initiative, they will try to force it into the projects, and make it an essential part of the web experience. As others have pointed out, Google is also a primary supporter of Firefox, so they have influence there as well.
Extreme technological complexity is just about the best possible moat a huge business can have. Though in this case "walls around the prison in which the users are incarcerated" might be a better analogy.
And all the prisoners, who just can't resist the endless shiny new goodies added to the web standards, are forever building their own prison walls higher...
I switched to Chrome pretty much the day it first came out and it was revolutionary. Switched back to Firefox a few years ago due to Chrome becoming too dominant and Google throwing their weight around in standards committees too much. When I desperately need Chromium for something I use Edge (which I actually rather like).
Mozilla was once a bright shinning beacon of hope for the open web, but they wasted their good will on too many of us, and it pains me to think what could have been.
This is a perfect case in which I’d like to see my taxes funding their work.
1. Native integration across devices: Safari integrates seamlessly with Apple's ecosystem due to proprietary features like iCloud, Handoff, and universal clipboard, allowing for a consistent user experience across all Apple devices, with seamless transition among them to stay in your flow across devices.
2. iCloud Private Relay: This is a recent security tool from Apple and participating CDNs that encrypts all Safari traffic and protects the user's privacy by preventing anyone, including both Apple and network providers, from seeing which sites are visited.
3. Password Management Integration: Safari offers seamless integration with Apple’s Keychain for password and two-factor authentication (2FA) management across devices and across apps and browsers. Safari leverages Apple's OS level full password manager that's been quietly iterated each major release, now including support for TOTP and compromised-site checks.
4. Increased security/privacy: Safari uses AI/ML backed Intelligent Tracking Prevention to identify and block trackers, ensuring enhanced user privacy. While similar features can be added to Firefox via extensions, Safari has these capabilities by default.
5. Improved Power Efficiency and Performance: Multiple battery life tests confirm that Safari is significantly more power-efficient than Firefox and Chrome. Apple pulls this off through co-optimization of hardware and software, power-efficient technologies, hardware acceleration, conservative use of resources, efficient resource handling, and the blocking of resource-heavy ads and trackers. In real world use, you may see twice the battery life during web heavy usage.
6. Extended Support for WebKit: Use the browser your users use, so you understand and support their experience.
Other factors like persistent tab groups, 120hz scroll performance, and first class "retina" typography simply add to the smooth experience Safari provides on macOS and iOS.
Here are some lesser known tips for tuning up Safari to your liking and using features folks may be less familiar with:
https://www.pcmag.com/how-to/hidden-tricks-inside-apples-saf...
Apple has a pretty terrible record on security given the Pegasus spyware and 0 clicks. Although most are related to iMessage and hardware exploits.
I still have a hard time believing the Privacy stuff since PRISM and Apple's openness to give data to China and Russia. But if you believe them, don't mind the government's access, and don't want to use other software, I can see where you are coming from.
You don't need to believe me, info on the authenticity of their effort is priced into the markets.
Or, you can believe those lined up to fight Apple on these capabilities.
This is really outdated: https://images.apple.com/safari/docs/Safari_White_Paper_Nov_...
But boy did it get Meta mad:
https://www.cnbc.com/2019/09/09/facebook-warns-about-apple-i...
But they did more:
https://appleinsider.com/articles/21/06/07/apple-beefing-up-...
And now more:
https://www.tomsguide.com/news/ios-17-will-stop-websites-fro...
Every time generating letters to Washington and Brussels how Apple's taking food out of the mouths of data and ad brokers.
I'd have run out of tiny violins if I didn't have GarageBand to make me a loop.
https://httptoolkit.com/blog/apple-private-access-tokens-att...
I will concede that if you're all-in on Apple, then Safari is certainly more convenient. It's also more power efficient on macOS, so if I know I'm going to be on battery all day, I may switch to Safari for the day.
not sure how far using 'ungoogled-chromium' takes you though.
Money is going to be a required tool to fight back against google, whether we like it or not. Capitalizing on the lesser evil to fight the bigger evil is not a terrible idea in my estimation.
I feel like they could do better, but on the whole, I'm happy with what they provide to everyone for free.
Browsers are still memory hogs, but at some point you have to decide if you want speed or low memory usage. Fast reaction time or nicely rendered pictures. On a decent machine, not even a fast one, there is no difference. That said, I despise notebooks and usually use towers.