Add More Privacy-respecting Browsers #674

Closed
asddsaz wants to merge 2 commits from patch-8 into master
asddsaz commented 2018-12-21 02:26:57 +00:00 (Migrated from github.com)

**Description**: Add More Privacy-respecting Browsers

**Why?** Currently there are only 2 major open-source web browsers, Chromium and Firefox. Giving too much market share to a few companies can be harmful, especially when there are plenty of alternatives.

**What software does this add?** The following have been added to "Worth Mentioning":

- [Cliqz](https://cliqz.com/)
- [Basilisk](https://basilisk-browser.org/)
- [NetSurf](http://www.netsurf-browser.org/)
- [Dooble](https://textbrowser.github.io/dooble//)
- [Otter Browser](https://otter-browser.org/)

All of these meet the [PrivacyTools.io Criteria](https://github.com/privacytoolsIO/privacytools.io/blob/master/.github/CONTRIBUTING.md#software-criteria).
ghost commented 2018-12-21 05:21:23 +00:00 (Migrated from github.com)

Can you test how they perform on panopticlick?

beerisgood commented 2018-12-21 07:45:45 +00:00 (Migrated from github.com)

Privacy respecting isn't the same as Fingerprint resistant.
And none of them have a big userbase so the fingerprint is nearly unique

And "Cliqz". Remember the story with Ghostery add-on? Same company so this isn't privacy friendly
asddsaz commented 2018-12-21 18:31:14 +00:00 (Migrated from github.com)

> Can you test how they perform on panopticlick?

Fingerprinting is based on the number of users and how hard it would be to guess. It is generally a very hard to use metric. That being said, I will try this and come back and edit this post to include them.

**Edit:**

**Basilisk:**

> Your browser fingerprint appears to be unique among the 2,881,532 tested in the past 45 days.
>
> Currently, we estimate that your browser has a fingerprint that conveys at least 21.46 bits of identifying information.

**Dooble:**

> Your browser fingerprint appears to be unique among the 2,881,536 tested in the past 45 days.
>
> Currently, we estimate that your browser has a fingerprint that conveys at least 21.46 bits of identifying information.

**NetSurf:**

> Within our dataset of several million visitors tested in the past 45 days, only one in 320170.44 browsers have the same fingerprint as yours.
>
> Currently, we estimate that your browser has a fingerprint that conveys 18.29 bits of identifying information.

I would like to note that if you tried the same test with a non-upgraded Firefox you would see similar results. If there is any more data you would like to see, please reply so.

> And "Cliqz". Remember the story with Ghostery add-on? Same company so this isn't privacy friendly

I actually don't, could you please refresh my memory? If there is a genuine security/privacy flaw then I would be willing to remove it from my pull request.

@beerisgood @Shifterovich
kewde (Migrated from github.com) requested changes 2018-12-24 18:26:45 +00:00
kewde (Migrated from github.com) left a comment

I don't want to see any more browsers based on the same rendering engines.
Use the Tor Browser, Firefox or Chromium.

The largest attack surface is the underlying rendering engines, we don't need more browsers which are just the same thing with a new name. 👎

kewde commented 2018-12-24 18:34:31 +00:00 (Migrated from github.com)

> Giving too much market share to a few companies can be harmful especially when there are plenty of alternatives.

I don't see how market share translates itself to decreased security.
I also don't see how alternatives that use the rendering engines _created_ by those companies that you claim are "too big" are a valid solution.

In fact I believe we should replace Brave with Chromium.
t1011 commented 2018-12-24 18:42:12 +00:00 (Migrated from github.com)

> > Giving too much market share to a few companies can be harmful especially when there are plenty of alternatives.
>
> I don't see how market share translates itself to decreased security.
> I also don't see how alternatives that use the rendering engines _created_ by those companies that you claim are "too big" are a valid solution.
>
> In fact I believe we should replace Brave with Chromium.

Shifterovich refuses to remove Brave. They probably paid advertising
ghost commented 2018-12-24 19:52:32 +00:00 (Migrated from github.com)

> In fact I believe we should replace Brave with Chromium.
> Shifterovich refuses to remove Brave. They probably paid advertising

You must be as stupid as @ciampolo.

https://github.com/privacytoolsIO/privacytools.io/issues/649#issuecomment-446340793

If I refused to remove Brave, I obviously wouldn't have opened an issue to remove Brave and I wouldn't have even participated in that discussion (#649), I would just close it. It's really annoying when you spend a fuckton of time participating in meaningless discussions, rather than closing them after first sign of retardedness (such as the original post by @ciampolo) because @0ndrey and @ciampolo's brain capacity is limited to accusing people of nonsense. And after you put in so much time people still say retarded shit like that.

@kewde Yeah it's possible ungoogled chromium would score better on fingerprinting tests. Can you try that out? It seems like it's possible to detect Brave right now. If ungoogled chromium was (almost) indistinguishable from Chrome/ium, it might be a better choice.
kewde commented 2018-12-24 20:44:09 +00:00 (Migrated from github.com)

@Shifterovich

I think there's a credible source for Brave detection available.
https://www.ctrl.blog/entry/brave-user-agent-detection

I had a lot of hopes for `muon`. I had a slight hope that it would beat some common sense into developers using electron but the project has been deprecated.

As far as a substitute goes, I've had my fair share of experience with Chromium and believe that its sandbox capabilities are reliable. It should have a lot of users, so there is no obvious fingerprint available. I haven't tested out ungoogled chromium yet - but I will be delving deeper in

ghost commented 2018-12-24 20:46:08 +00:00 (Migrated from github.com)

@diracdeltas are you aware of what the blog post @kewde sent mentions?

kewde commented 2018-12-24 20:49:28 +00:00 (Migrated from github.com)

Hmm, upon further inspection it seems like the problems might have been mitigated by the move to the pure chromium based browser.

I believe they deployed the 'pure' Chromium-based browser on the 7th of December whilst the detection method was published a lot earlier. So this might have been behavior that was inherited from the electron codebase.

ghost commented 2018-12-24 20:51:09 +00:00 (Migrated from github.com)

Still worth checking with Brave devs.

diracdeltas commented 2018-12-24 22:30:25 +00:00 (Migrated from github.com)

@Shifterovich @kewde https://www.ctrl.blog/entry/brave-user-agent-detection indeed refers to the old muon-based Brave.

> Brave may not have its own HTTP User-Agent request header, but even the order of Brave’s HTTP request headers are in themselves unique to Brave.

I would be surprised if this worked on new Brave which is more similar to Chromium than Electron was.

> you can use the following JavaScript function to detect Brave

This or similar functions will work to distinguish Brave from Chromium. For instance we spoof 3rd party referer (by setting the 3rd party referer to the origin of the first party), which is something no other browser does (except maybe Tor browser when visiting .onions). If a site wanted to, it could abuse this feature to distinguish Brave.
ghost commented 2018-12-24 23:16:31 +00:00 (Migrated from github.com)

> This or similar functions will work to distinguish Brave from Chromium. For instance we spoof 3rd party referer (by setting the 3rd party referer to the origin of the first party), which is something no other browser does (except maybe Tor browser when visiting .onions). If a site wanted to, it could abuse this feature to distinguish Brave.

Anti-fingerprinting features are a pain. By trying to mask one value ("3rd party referer"), you often end up creating another value ("spoofs 3rd party referer") that can be used for fingerprinting. Seems like it's a lot about finding the right balance, since masking some values does more harm than good.
t1011 commented 2018-12-25 06:59:52 +00:00 (Migrated from github.com)

@Shifterovich
Insulting other users does not make you taller or smarter than them. @ciampolo gave very well-reasoned comments, unlike you. You for no apparent reason refuse to delete this browser. The links that you provide are only an attempt to remove suspicions of your interest in Brave being present on the site.

ghost commented 2018-12-25 09:45:01 +00:00 (Migrated from github.com)

> @ciampolo gave very well-reasoned comments, unlike you

@ciampolo:

> The only logical explanation I have is there is money involved.
> if I pay you however much @bbondy and/or Eich are paying you and you actually add my malware/adware to your site privacytools.io
> Admittingly if it is enough money I can understand OP's position

Clearly mentally deficient.

> Insulting other users does not make you taller or smarter than them

I generally do that when people who waste my time do that. More of @ciampolo

> Also since I don't use Brave (as I am not mentally challenged) I cannot say which vectors are still leaked currently and which aren't
> And yes I didn't think Brave devs would be that dumb but if you look at the issues I opened months ago on their issue trackers you will see yes they actually are that retarded
> Mr. Eich, butthurt @bbondy 's boss that got fired off of Mozilla, uses Blink/Webkit. But Webkit can't do shit against zombie cookies

> You for no apparent reason refuse to delete this browser

Why did I open an issue to remove Brave then? Why was I against adding it in the first place? Please do your research for at least 5 minutes before accusing people.
asddsaz commented 2018-12-25 20:13:59 +00:00 (Migrated from github.com)

> > Giving too much market share to a few companies can be harmful especially when there are plenty of alternatives.
>
> I don't see how market share translates itself to decreased security.
> I also don't see how alternatives that use the rendering engines _created_ by those companies that you claim are "too big" are a valid solution.
>
> In fact I believe we should replace Brave with Chromium.

Way too many issues with Chromium. Too many [non-free](https://www.wikipedia.org/wiki/Non-free_software) services.

Besides, the only decent open-source layout engine besides [Gecko](https://www.wikipedia.org/wiki/Gecko_(software)) and [Blink](https://www.wikipedia.org/wiki/Blink_(browser_engine)) is [NetSurf](https://www.wikipedia.org/wiki/NetSurf) and my pull request would add [NetSurf](https://www.wikipedia.org/wiki/NetSurf). Many of these browsers also utilize modified versions of their layout engines.
The layout engine market has become an [Oligarchy](https://www.wikipedia.org/wiki/Oligarchy).
kewde commented 2018-12-25 20:32:53 +00:00 (Migrated from github.com)

@asddsaz

What security measures does the NetSurf rendering engine provide that would compel me to add them? I don't care about oligarchies in the rendering engines - in fact for fingerprinting privacy it is beneficial to have an oligarchy or monopoly.

David-Beetle commented 2018-12-26 03:06:22 +00:00 (Migrated from github.com)

> @asddsaz
>
> What security measures does the NetSurf rendering engine provide that would compel me to add them? I don't care about oligarchies in the rendering engines - in fact for fingerprinting privacy it is beneficial to have an oligarchy or monopoly.

I think you are missing the big picture.
Besides, @asddsaz already did a fingerprinting test:

> Within our dataset of several million visitors tested in the past 45 days, only one in 320170.44 browsers have the same fingerprint as yours.
>
> Currently, we estimate that your browser has a fingerprint that conveys 18.29 bits of identifying information.

This is significantly better than what you would see if you tested this in Firefox without making any changes. Besides, it isn't like this PR is for adding it to main, it is just to add it to worth mentioning.

> we don't need more browsers which are just the same thing with a new name

To be fair, most of these browsers like Brave are made to make private browser easier and by default. This is something, the privacy community has historically supported. :/

Are you even a [privacytools.io](https://github.com/privacytoolsIO) developer, @kewde?
ghost commented 2018-12-26 10:21:36 +00:00 (Migrated from github.com)

> Are you even a privacytools.io developer, @kewde?

![image](https://user-images.githubusercontent.com/4354706/50442680-40017c80-0900-11e9-9f62-e6234dcf7698.png)

@David-Beetle Those 18.29 bits are on NetSurf? Similar numbers can be reached on FF with some tweaking.
asddsaz commented 2018-12-27 18:29:11 +00:00 (Migrated from github.com)

> > Are you even a privacytools.io developer, @kewde?
>
> ![image](https://user-images.githubusercontent.com/4354706/50442680-40017c80-0900-11e9-9f62-e6234dcf7698.png)
>
> @David-Beetle Those 18.29 bits are on NetSurf? Similar numbers can be reached on FF with some tweaking.

To be fair, you can also tweak NetSurf. :)

A while back I tried to get my family to utilize a more private web configuration, but as soon as the about:config warnings nobody wants me to mess with their browsers.
They all think it is gonna blow up or something.

Firefox is good, but if you are like me with lots of friends and family that lack tech skills, you are better off using a privacy-by-default browser. [Brave](https://www.wikipedia.org/wiki/Brave_(web_browser)) is great, but it hands over a [monopoly](https://www.wikipedia.org/wiki/Monopoly#Monopoly_versus_competitive_markets) to [Blink](https://www.wikipedia.org/wiki/Blink_(browser_engine)).

> I don't see how market share translates itself to decreased security.
> I also don't see how alternatives that use the rendering engines created by those companies that you claim are "too big" are a valid solution.

You appear to have forgotten the exact scale of which a monopoly can affect an industry. Many people in the privacy community HATE cell phones for their clear monopolies. They have successfully made it impossible to compete and have stunted the market from moving toward e2e encrypted solutions.

Another instance, the hardware space is ruled by a few companies. Because of this nobody can compete and free hardware is dying[1](https://ryf.fsf.org/).

And, if you find this all acceptable please read the Wikipedia page on monopolies:
https://www.wikipedia.org/wiki/Monopoly#Monopoly_versus_competitive_markets

@kewde @Shifterovich
kewde commented 2018-12-28 03:06:49 +00:00 (Migrated from github.com)

I've grown to become cautious of fingerprinting tests.
The data sets are often skewed, I don't know what data source most of them use but people doing fingerprinting tests are often people who are already privacy conscious.

Also, I highly doubt the fingerprinting test above includes the user agent?
I don't know anyone who uses NetSurf and their [custom user agent](https://developers.whatismybrowser.com/useragents/explore/software_name/netsurf/) is rather uncommon. Is that reflected in the fingerprint tests? Are the fingerprinting techniques even optimized for the NetSurf browser and rendering engine?

I don't trust new browsers that roll their own rendering engines. I've seen so many jailbreaks based on exploits in the rendering engines that I've become very distrustful of any product that relies on it. Perhaps NetSurf is different, but I don't want to advocate for the next WebKit fiascos.

You have a clear stance on monopolies and oligarchies. You don't like them.
But I don't see how more homogeneity caused by such market characteristics decreases privacy.
From the privacy perspective, everyone using the same browser is the best solution. A bigger set of people to mix in with. You could make the case that diversity of browsers is more resilient against a very specific security vulnerability, but that's a very thin argument as it only applies in one specific instance of a discovered exploit. More code, generally means more bugs. The only thing I currently like about NetSurf is that it doesn't even ship with JavaScript at all. But I haven't been able to find any documentation about the security mechanisms in the browser. Nonetheless, I love the project and I'm keeping tabs on it, glad to know that it exists and is being actively developed. With a big experimental warning, it might be worth mentioning but I wouldn't consider it more private or secure in any manner.

My conclusion is that all the browsers you mentioned are either recycled rendering engines, or they're "worth mentioning" overall but that merit has not been based on any dimension that we care about (privacy and security).
beerisgood commented 2018-12-28 09:19:17 +00:00 (Migrated from github.com)

@kewde fingerprint tests of course test your User-Agent. There even exist useragent-only tests
ghost commented 2018-12-28 21:03:59 +00:00 (Migrated from github.com)

> I don't trust new browsers that roll their own rendering engines. I've seen so many jailbreaks based on exploits in the rendering engines that I've become very distrustful of any product that relies on it.

I agree. The argument against monopolies doesn't take into account that browser engines are probably the second most difficult thing to make securely, right after operating systems. Per se -- browsers literally execute arbitrary code on the client's device and have to manage privacy, sandboxing, etc properly. If Chrome & FF have security issues while being developed by a huge team, a browser with a small development team will be full of vulnerabilities assuming basic features like JS.
kewde commented 2018-12-28 21:48:49 +00:00 (Migrated from github.com)

@beerisgood

It is very counter intuitive that the NetSurf produces a more private fingerprint than rendering engines based on Blink. Even based, merely on the user agents detection, intuitively it should stick out a lot more than the results of other browsers.
It raises the question whether fingerprinting tests are suitable means to make rank-ordering decisions. It's practically speaking the best solution we have, but is it therefore theoretically a "good" solution?

I can only explain it with the following observations:

* The browsers analyzed by the fingerprinting tool are highly biased for privacy focused users. The amount of users who tested the NetSurf browser is likely higher than the real life usage (assumption though). Is the dataset used by the fingerprinting tools representative of the real world landscape?
* JavaScript is not supported, which obviously renders JS based fingerprinting techniques useless.
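
Added example, not part of the thread or of any participant's comment: the sketch below shows how a fingerprinting test turns a match frequency into "bits of identifying information" (it reproduces the 18.29 and 21.46 figures quoted in the thread) and how that estimate moves when a test sample that over-represents privacy-conscious visitors is reweighted to a reference population. The visitor sample, the `privacy_conscious` stratum and the 5%/95% population split are constructed assumptions, not Panopticlick data.

```python
import math
from collections import Counter


def bits_from_one_in(n):
    """Surprisal in bits when one in `n` browsers shares the fingerprint."""
    return math.log2(n)


def surprisal_bits(matches, total):
    """Surprisal of a fingerprint seen `matches` times among `total` visitors."""
    if matches <= 0:
        raise ValueError("fingerprint not observed; its frequency is only bounded")
    return math.log2(total / matches)


def attribute_bits(sample, target, weights=None):
    """Per-attribute and joint surprisal of `target` within `sample`.

    `weights` (one per visitor) lets a skewed sample stand in for a
    reference population; None means every visitor counts once.
    """
    weights = weights or [1.0] * len(sample)
    total = sum(weights)
    report = {}
    for attr, value in target.items():
        seen = sum(w for v, w in zip(sample, weights) if v[attr] == value)
        report[attr] = surprisal_bits(seen, total)
    joint = sum(w for v, w in zip(sample, weights)
                if all(v[a] == target[a] for a in target))
    report["joint"] = surprisal_bits(joint, total)
    return report


def poststratify(sample, stratum_key, population_share):
    """Weights that rescale each stratum to its share of a reference population."""
    counts = Counter(v[stratum_key] for v in sample)
    n = len(sample)
    return [population_share[v[stratum_key]] / (counts[v[stratum_key]] / n)
            for v in sample]


def build_sample():
    """Constructed test-site sample: half the visitors are privacy-conscious."""
    sample = []
    sample += [{"ua": "NetSurf", "js": False, "privacy_conscious": True}] * 8
    sample += [{"ua": "Firefox", "js": False, "privacy_conscious": True}] * 92
    sample += [{"ua": "Firefox", "js": True, "privacy_conscious": True}] * 400
    sample += [{"ua": "Chrome", "js": True, "privacy_conscious": False}] * 500
    return sample


if __name__ == "__main__":
    # Figures quoted in the thread.
    print(f"one in 320170.44  -> {bits_from_one_in(320170.44):.2f} bits")
    print(f"unique in 2881532 -> at least {surprisal_bits(1, 2881532):.2f} bits")

    sample = build_sample()
    target = {"ua": "NetSurf", "js": False}

    # As measured on the skewed test sample.
    print("test sample:", attribute_bits(sample, target))

    # Hypothetical reference population: 5% privacy-conscious, 95% not.
    weights = poststratify(sample, "privacy_conscious", {True: 0.05, False: 0.95})
    print("reweighted: ", attribute_bits(sample, target, weights))
```

In the constructed sample the reweighting adds about 3.3 bits to the rare user agent, because the stratum that contains it is ten times smaller in the reference population than in the test sample.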
privacytoolsIO commented 2019-04-01 03:18:31 +00:00 (Migrated from github.com)

Be nice to each other, guys.

Reference: privacyguides/privacytools.io#674