web browsers...

58 replies [Last post]
chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

I have recently reached the conclusion that there are no good web browsers, by definition. Some web browsers are a little worse than others in that they are more freedom- or privacy-hostile, but all of them are bad, because by definition a web browser browses the web, and in order to do this, they have to implement web standards, and in doing so they become bad.

A web standard is a feature that has been implemented in Chrome, adopted by websites optimizing for Chrome, implemented by the other major web browsers in order to be able to browse those websites, and finally declared a standard because it has been implemented by the major web browsers.

Chromium is the reference implementation of a web browser. Normal standards can be reimplemented by other vendors, but web standards are different.[1] They proliferate at approximately the same rate as Chromium features, so in order to implement a web browser a vendor must either use Chromium as a base, or reimplement Chromium's features and keep up with Chromium development, which in practice no one has been able to do. There are some complete web browsers based on Chromium, some mostly-complete web browsers based on Firefox (which almost keeps up with Chromium development), and many other incomplete web browsers based on Webkit or written from scratch, which are not complete web browsers because they cannot completely browse the web.

Chromium is free software, so it can be modified to remove some of its antifeatures, like DRM and spyware. Ungoogled Chromium does a pretty good job at this. However, DRM is a web standard, so removing it makes the result no longer a web browser, and in general a downstream project cannot stray too far from Chromium and still be able to browse most of the web.

Firefox is also free software, so it can be modified to remove its antifeatures, like DRM and spyware and trademark restrictions. However, the further a downstream strays from Chromium than Firefox already has, the less of a web browser it is.

It's possible to write a program from scratch or based on Webkit that can browse some websites, but it will be too different from Chromium to browse much of the web and therefore be not much of a web browser.

WebBundles[2][3] are a new Chromium feature threatening to become a web standard. There are some browser addons and partial web browsers that break web standards in the interest of user freedom and/or privacy, often by blocking certain non-free or privacy-hostile scripts or requests within web pages. If I understand correctly, a WebBundle dumps everything into a single .wbn file which the browser would load all at once, breaking addons like NoScript and uBlock Origin, as well as browsers with built-in adblocking or tracker-blocking like Brave (trash that no one should use, only mentioned because it's a relevant example) and Eolie, which rely on the ability to allow or block requests from particular domains. This is just the latest in a long series of "features" which make users of the web less free or private.

It is well-recognized in this community that user freedom can be restricted by copyright law or the withholding of source code. The GPL was designed to address these two threats to user freedom. The GPLv2, however, was vulnerable to another threat to user freedom: Tivoization, where the software can be modified, but modified versions are not useful because they cannot be used with the needed hardware. The GPLv3 patched this vulnerability, but I believe there are other threats that have not received enough attention. One that comes to mind is client-side software that can be freely modified, but of which modified versions are not useful without non-free server-side software. The problem with the web is that although Chromium can be modified or reimplemented with modifications, the result is only useful insofar as it conforms to Chromium's feature set.

I think that attempts to create freedom- and privacy-respecting browsers like Ungoogled Chromium, Icecat, Abrowser, and Iceweasel-UXP, though they are valuable temporary mitigations to some of the problems with the modern web, are trying to solve the problem in the wrong place. The problem is not with web browsers, but with the web. If we want to have non-bad web browsers, it is not enough to fork or create an alternative web browser. We need to fork or create an alternative to the web. A fork might be some subset of HTML, with an emphasis on semantic elements that can be handled appropriately by the browser rather than relying on client-side scripting. An alternative might be something like Gemini[4] for document exchange combined with promoting desktop clients over webapps* for more advanced functionality. I don't know, I'm still thinking this through. There will need to be some strategic compromise between what is good and what websites can be persuaded to adopt that is less bad than what they were doing before. But I am pretty convinced at this point that users of web browsers cannot have real freedom while the web itself evolves according to the whims of Google, and while browsers have to race to keep up with what an advertising company decides the web should look like.

*And that means rejecting Electron too, which extends Google's influence over the web into the desktop as well.

[1] https://drewdevault.com/2020/03/18/Reckless-limitless-scope.html

[2] https://web.dev/web-bundles/

[3] https://brave.com/webbundles-harmful-to-content-blocking-security-tools-and-the-open-web/

[4] https://gemini.circumlunar.space/
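
The claim in the post above, that loading one .wbn file breaks blocking by request domain, can be modelled in a few lines. This is an added example, not part of the original post or of any browser's or add-on's code; the hosts, the `PAGE` object and all function names are constructed for illustration, and the model treats a bundle simply as one network request that carries every resource, as the post describes it.

```javascript
// Constructed sample data: every host is a placeholder under the reserved .example TLD.
const BLOCKLIST = ["tracker.example", "ads.example"];

const PAGE = {
  bundleUrl: "https://news.example/article.wbn",
  resources: [
    { url: "https://news.example/article.html", kind: "document" },
    { url: "https://news.example/style.css", kind: "stylesheet" },
    { url: "https://cdn.tracker.example/beacon.js", kind: "script" },
    { url: "https://ads.example/banner.js", kind: "script" },
  ],
};

// A host matches a blocklist entry exactly or as a subdomain of it.
function hostIsBlocked(host, blocklist) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return blocklist.some((d) => h === d || h.endsWith("." + d));
}

// All a request-level blocker can judge is the URL of a network request.
function requestAllowed(requestUrl, blocklist) {
  try {
    return !hostIsBlocked(new URL(requestUrl).hostname, blocklist);
  } catch {
    return false; // unparsable URL: fail closed
  }
}

// "separate": one network request per resource.
// "bundle":   one network request for the .wbn, carrying every resource.
function networkRequests(page, mode) {
  if (mode === "separate") {
    return page.resources.map((r) => ({ url: r.url, carries: [r] }));
  }
  if (mode === "bundle") {
    return [{ url: page.bundleUrl, carries: page.resources }];
  }
  throw new Error("unknown mode: " + mode);
}

// Apply the blocklist to each network request and report what reaches the page.
function loadPage(page, mode, blocklist = BLOCKLIST) {
  const delivered = [];
  const blockedRequests = [];
  for (const req of networkRequests(page, mode)) {
    if (requestAllowed(req.url, blocklist)) {
      delivered.push(...req.carries.map((r) => r.url));
    } else {
      blockedRequests.push(req.url);
    }
  }
  // Resources the blocklist targets that were delivered anyway.
  const leaked = delivered.filter((u) => !requestAllowed(u, blocklist));
  return { delivered, blockedRequests, leaked };
}

for (const mode of ["separate", "bundle"]) {
  const r = loadPage(PAGE, mode);
  console.log(mode, "delivered:", r.delivered.length,
    "blocked requests:", r.blockedRequests.length, "leaked:", r.leaked.length);
}
```

In the bundled case the blocker's only remaining choice is all or nothing: adding `news.example` to the blocklist stops the trackers but also the article itself.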

RootFarmer
Offline
Joined: 08/24/2020

We can just ignore all web sites not working properly without JavaScript.
Few news sites refuse to display images without JavaScript. Isn't it an img tag that should work without scripts? Just avoid those sites and problem solved!

chaosmonk

Offline
Joined: 07/07/2017

> We can just ignore all web sites not working properly without JavaScript.

The problem is way bigger than JavaScript, and getting bigger. Read about WebBundles. Also, no we can't. We can ignore some of them, for now, but it is becoming harder to participate in society in basic ways (apply for a job, buy something you need, register to vote, take a college course) without using freedom- and privacy-hostile websites. COVID has accelerated this by forcing many previously real-life interactions to move online, and interactions that have proven to be cheaper online will not necessarily go back to being in-person after COVID is over. Avoiding crappy sites whenever possible could be part of a strategy of forking the web, but is not a sustainable solution on its own. The number of unavoidable crappy sites is already non-zero for most people, and will continue to increase for anyone who does not live in a cave.

andyprough
Offline
Joined: 02/12/2015

You're starting off by looking at the problem rather backward. Chromium is at its heart a piece of spyware, designed specifically to phone home most of users' online activity, behavior, and messaging to Google. Don't look at it as the reference standard for the web and then look at ways to strip its bad behavior out of it. Bad behavior is what it was built to do. The web is not inherently bad, but approaching the web from an all-out multi-trillion dollar ad revenue generating Google perspective is where things bog down.

You've got to start with some version of firefox, fork it, and move forward from there. Palemoon has the correct original creative impulse, if not the best implementation. Firefox-esr and Firefox versions prior to their DRM and telemetry and "Pocket" silliness are probably decent starting points. I'm not so worried about WebBundle - ublock and noscript have proven themselves to be much more agile than the technologies that have been introduced to defeat them.

chaosmonk

Offline
Joined: 07/07/2017

> You're starting off by looking at the problem rather backward. Chromium is at its heart a piece of spyware, designed specifically to phone home most of users online activity, behavior, and messaging to Google. Don't look at it as the reference standard for the web and then look at ways to strip its bad behavior out of it.

I think you misunderstood my post. I am not saying that Chromium *should be* the reference implementation for the web. I'm saying that it *is*, whether we like it or not, because modern web standards follow the adoption of new Chromium features. Suppose for example that websites begin to adopt WebBundles. Palemoon will either (a) implement support for WebBundles or (b) lose the ability to browse these websites. Either way, Palemoon users will be affected. No matter what browser you use, you are affected by the direction Google takes Chromium development, because Chromium sets the standard to which other browsers must adapt or lose access to parts of the web.

> I'm not so worried about WebBundle - ublock and noscript have proven themselves to be much more agile than the technologies that have been introduced to defeat them.

Do you understand how uBlock Origin and NoScript actually work and the specific ways in which they would be affected by WebBundles?

andyprough
Offline
Joined: 02/12/2015

> I think you misunderstood my post. I am not saying that Chromium *should be* the reference implementation for the web. I'm saying that it *is*, whether we like it or not, because modern web standards follow the adoption of new Chromium features.

Trying to ungoogle chromium or ungoogle Google's web standards and web services is basically an inverse concept from the start, as they are built from the ground up to do something nefarious to you that you won't willingly agree with. It's like trying to "un-tiger" a tiger by calling it a kitten - it's still a tiger. A truly privacy conscious individual would be actually unplugging from the web right now - taking many of those things that they were doing online and transferring them to offline, pen and paper activities again. Interaction with the web should not really be done on Google's terms using variations on Google's spyware. Some people will fall further into that trap, but there are always consequences of failing to be vigilant. I still feel that a slightly older version of firefox is probably the correct place to start, possibly pre-quantum.

> Do you understand how uBlock Origin and NoScript actually work and the specific ways in which they would be affected by WebBundles?

Yes, yes, and yes, all to a limited degree, but no I do not feel overly worried. It's a new concept that Google and partners will surely screw up, leaving lots of openings for privacy and security researchers to reverse engineer. Web bundles are being presented as a solitary opaque page, but I feel quite certain that the end result will have lots of holes and jagged edges and loose threads for researchers to untangle. It's simply the next challenge. We run into these rumors of the impending demise of ad blockers and tracker blockers and script blockers on a yearly basis, but they never amount to anything. In fact, despite the herculean efforts of Google and the multi-trillion dollar ad industry, we have better tools now to block them than we've ever had. Their problem is that they can never agree on anything or do anything in a unified manner from their side. If Google and the ad industry and the major corporations ever all came together and truly united on one technology to bust ad/tracker/script/fingerprint blocking and spoofing, then we'd actually probably be in a bit of trouble. But that will never happen, as they are all led around by the nose by their own self interests.

chaosmonk

Offline
Joined: 07/07/2017

> Trying to ungoogle chromium or ungoogle Google's web standards and web services is basically an inverse concept from the start

That is not at all what I proposed. Please reread my original post, and if you interpret it the same way then let me know and I will try to explain better.

andyprough
Offline
Joined: 02/12/2015

I've read it twice now and I disagree twice. The sky is not falling. Google's worst enemy is Google. Our side is more agile and smarter and more motivated.

chaosmonk

Offline
Joined: 07/07/2017

> I've read it twice now and I disagree twice.

I would love to be wrong about this, and maybe I am. But I feel like you haven't responded to what I actually wrote.

> Our side is more agile and smarter and more motivated.

I wish I agreed. The more I learn the more I realize how little a lot of the people on "our side" know, and many of them seem frustratingly unmotivated to get anything done or to explore any new ideas.

andyprough
Offline
Joined: 02/12/2015

> But I feel like you haven't responded to what I actually wrote.

Because you are looking at the problem upside down from the way I do. I have zero interest in what Google is trying to do to herd me. If I had to stop using the web completely tomorrow I wouldn't lose any sleep over it. I'm very into palemoon and basilisk and very interested in iceweasel-uxp because they are doing things that are quite different. They may not be doing them all perfectly, but their browsers work on 99%+ of the web and can be made to run with a high degree of apparent security, and that's something really worth exploring. We've talked about this before, but you disregard these projects off-hand. But if you prefer to stew in your own doubts about the impending doom that Google is bringing rather than put your attention on projects that are trying to do something different - even if they fail tragically - then that's your decision. Some people I know are intimately involved in palemoon, and it's been fun for me to follow their progress and test their browsers. You and I just look at the world differently, there's no harm in that. I really shouldn't have responded to you, but I just wanted to point out that your concerns seem a bit misplaced. Google has been planning the destruction of our security tools every year for years now, and so far they have accomplished nothing, and in fact our security tools work better than ever. As I said, they are their own worst enemy. If you stacked all of Google's dead-end and failed projects end to end, they would probably reach the moon. Hardly worth paying attention to their bluster.

Beko
Offline
Joined: 08/31/2019

"If I had to stop using the web completely tomorrow I wouldn't lose any sleep over it."

This. At the end of the day it is a tool, if your tool is turning YOU into a tool, then get rid of it.

andyprough
Offline
Joined: 02/12/2015

Exactly, thank you!! Thirty years ago I did the work I do now on a computer with a typewriter and a large metal filing cabinet full of paper files, and I was able to do as much work as I do now. I spend way too much time fixing stuff that goes wrong on computers. About the most I ever had to do to my typewriter was change a ribbon or unstick a key. I really wouldn't mind going back.

chaosmonk

Offline
Joined: 07/07/2017

I'm too young to have had the pleasure, but I wouldn't mind going back either. The replacement for problematic software does not necessarily have to be software. In terms of inertia though, it's hard to overcome the expectations that modern computing has created for people.

This is totally off topic, but I recently came across this.[1] Someone connected an SBC to an e-ink screen with a base made of wood to create a typewriter-like interface that incorporates a few features of software without the distractions. If I ever have spare money again I may try something like this.

[1] https://alternativebit.fr/posts/ultimate-writer/

Jaret
Offline
Joined: 12/19/2018

Source code: MPL 2.0
Binaries: Proprietary freeware, or MPL 2.0 if branding is removed
From palemoon's wikipedia page. I don't like the 'proprietary freeware' part.

chaosmonk

Offline
Joined: 07/07/2017

There is a free fork with all Palemoon branding removed available here: https://git.nuegia.net/webbrowser.git/tree/

Jaret
Offline
Joined: 12/19/2018

Let's say I want to install Palemoon on my work computer, where I have no choice but to use Windows. Are binaries provided by palemoon site safe to use (those that are proprietary freeware)?

Jaret
Offline
Joined: 12/19/2018

I know, Windows is super bad, but in my country all computer jobs require MS Windows and MS Office. Most of them demand that only MS fonts are used (Times for serif, Arial for sans-serif, Calibri for Excel files). I have to work on WC (Windows Computer).

koszkonutek
Offline
Joined: 03/19/2020

Sorry, that your previous post went unanswered. Despite everyone here disregarding Windoze, I think people understand You. And nobody responded, because nobody knows, what's actually there in Palemoon's Windoze binaries :)
I suppose it might be configured to automatically make requests to some sites. Perhaps some other anti-features.

If You're on Windoze anyway, then one program more or less tracking You probably doesn't matter to You that much. But if You're still looking for freedom-respecting browser, then there's little choice. Some ancient versions of Icecat had Windoze releases. But using that is probably a poor choice.

I've once seen TorBrowser being mentioned as the only fully free browser on that os. It'll surely be a better choice than Palemoon or vanilla FF.
And You can use it without Tor, so don't worry about that :)

And btw, I don't think this has much to do with one's country. All countries seem to be crappy in this matter. Although there's also the question what one means by "computer job"...

chaosmonk

Offline
Joined: 07/07/2017

> I've once seen TorBrowser being mentioned as the only fully free browser on that os. It'll surely be a better choice than Palemoon or vanilla FF.

Icecat used to provide Windows and macOS binaries. The reason they stopped is that compiling Firefox for those browsers requires running proprietary software. If this is still the case, then Tor Browser and Librewolf are making a strategic compromise: give up a little bit of their own freedom in order to help Windows users become more free by making it easier to install their freedom-respecting browsers.

Jaret
Offline
Joined: 12/19/2018

"Computer job" is any job at the office building. Even the government's official education for "PC Operator" is MS Windows, MS Office, 1C Accounting (proprietary accounting software).
I guess, since Windows is already malware, that runs antivirus, which is also malware, and it's not even my own computer, it will be little to no harm to install another malware.

At my home I run Trisquel.

andyprough
Offline
Joined: 02/12/2015

Yes, I've used palemoon on windows systems at work, the binaries are supposed to be the same as for Linux, just compiled for windows instead. I've read the palemoon devs discussing that on their forum. Seemed trustworthy to me. You can always run wireshark to see what connections are being made, if you are concerned a browser is making inappropriate connections.

Jaret
Offline
Joined: 12/19/2018

OK, I'll try Pale Moon on my work's computer.
Is this mitigation valid?
https://spyware.neocities.org/guides/palemoon.html

andyprough
Offline
Joined: 02/12/2015

Changing OCSP querying is based on some articles from 2013 and 2017 that the ghacks guys flagged. I'm not sure it's such a great idea to make these OCSP changes in 2020, as you are really changing the way your browser deals with revoked certificates, which seems risky. If I were you, I would read up on OCSP before changing the config options for that. Here's the 2017 article that ghacks flagged - maybe it will convince you to make these changes, or maybe like me you'll be a bit more skeptical: https://scotthelme.co.uk/revocation-is-broken/

Disabling auto-update for a web browser is illogical to me, especially on a Windows machine, where you are needing it constantly updated against security threats and it's easy to forget to do a manual update. The ghacks guys and apparently this website you found both look at auto updates as "spyware", which I disagree with. Personally, if I'm downloading the binaries for a browser from the browser's own website, I figure I might as well trust the same people to push out updates. But you would need to make your own decision on that.

They recommend turning off the palemoon add-on blocklist. However, keep in mind the only reason for the blocklist is that some add-ons have proven to either do bad things to the palemoon browser or to make it run poorly, and were reported by the community and tested to determine that they were indeed misbehaving add-ons. Any add-ons that were added to the blocklist are probably add-ons that you don't want to run on palemoon as they'll mess up your browsing experience. So I normally leave the add-on blocklist enabled. Once again, you are best off if you do a bit of reading and make your own decision. Here's a palemoon page on their blocklist: https://www.palemoon.org/support/prefs-security

Disabling geolocation is a good idea on any web browser. There's really no reason whatsoever that your web browser should be broadcasting your street address to every website that asks for it - I don't know why this is even an option in 2020, except that many users probably love the "convenience" of all their online shopping places automatically knowing where to ship the goods they are consuming. Definitely turn off geolocation.

I recommend running, at a minimum, the Ublock Origin add-on on every web browser for your own safety. You can get a link to installing it on palemoon from this page: https://addons.palemoon.org/extensions/privacy-and-security/
Install both the Ublock Origin add-on, and the Ublock Origin Updater add-on from that page. Ublock will handle all your ad-blocking and anti-tracking needs. Let me know if you are needing to know about other privacy and security add-ons for palemoon.

chaosmonk

Offline
Joined: 07/07/2017

> Disabling auto-update for a web browser is illogical to me, especially on a Windows machine, where you are needing it constantly updated against security threats and it's easy to forget to do a manual update. The ghacks guys and apparently this website you found both look at auto updates as "spyware", which I disagree with.

Auto-updates require the browser to make unsolicited connections to the vendor's domain. The objection is less about the binaries themselves (which you are right, you already trust by downloading them directly from the vendor), and more about the incorrect way in which updates are checked for and acquired.

The correct way to update software on your machine is using a package manager. Unfortunately Palemoon's trademark restrictions intentionally make the browser difficult-to-impossible to package properly. Here's what happens if you try: https://github.com/jasperla/openbsd-wip/issues/86

A few distros[1] have begun to package webbrowser[2], a rebranding of Palemoon that can be freely modified, including for packaging purposes. Hopefully it will eventually make its way into major distros like Debian and their derivatives.

> They recommend turning off the palemoon add-on blocklist. However, keep in mind the only reason for the blocklist is that some add-ons have proven to either do bad things to the palemoon browser or to make it run poorly, and were reported by the community and tested to determine that they were indeed misbehaving add-ons.

This is mostly true, with one exception that I am aware of: Moonchild banned an addon that spoofs clicking on ads in order to introduce noise into mass surveillance data. The reason he gave is that this hurts websites like his that make money off of unethical ads that track users. It had nothing to do with quality control like the rest of the blocklist does. If a user feels that punishing privacy-hostile sites is too harsh and doesn't want to do it, they should be able to make that choice, but it's not something that should be imposed by a web browser developer with a conflict of interest.

[1] https://repology.org/project/webbrowser/versions

[2] https://git.nuegia.net/webbrowser.git/

chaosmonk

Offline
Joined: 07/07/2017

It looks like the specific reason that the site jaret linked to advises disabling the blocklist is in order to allow NoScript: https://spyware.neocities.org/articles/palemoon.html

andyprough
Offline
Joined: 02/12/2015

> Unfortunately Palemoon's trademark restrictions intentionally make the browser difficult-to-impossible to package properly.

I'm pretty sure Steve Pusser has been packaging palemoon for MX, Debian, and other Debian based distros for years now [1], and it's definitely available on Arch [2]. I'm not going to bother going through distros one by one, but I don't think your statement is accurate at all. Packagers simply have to abide by palemoon's packaging terms before calling something an official palemoon binary, just like with a lot of other software like firefox.

> The reason he gave is that this hurts websites like his that make money off of unethical ads that track users.

This sounds like a weird internet rumor. Any source for this one? moonchild is pretty open that he makes his money from patreon donations and from a partnership with duckduckgo, besides probably getting work doing Windows network stuff [3].

And I know for certain there are add-ons on the blocklist (like noscript) that routinely misbehave on palemoon.

[1] https://software.opensuse.org/download.html?project=home%3Astevenpusser&package=palemoon
[2] https://aur.archlinux.org/packages/palemoon/
[3] https://forum.palemoon.org/viewtopic.php?f=65&t=22399&p=169753&hilit=rumor+control#p169753

chaosmonk

Offline
Joined: 07/07/2017

> I'm pretty sure Steve Pusser has been packaging palemoon for MX, Debian, and other Debian based distros for years now [1], and it's definitely available on Arch [2]. I'm not going to bother going through distros one by one, but I don't think your statement is accurate at all. Packagers simply have to abide by palemoon's packaging terms before calling something an official palemoon binary, just like with a lot of other software like firefox.

I said "properly". There's a reason it's not in a distro with high packaging standards like Debian, or even Arch proper (as opposed to AUR, which has no quality control). The problem is that in order to package a program, the maintainer must unbundle all the libraries to use the system libs provided by the distro, and Palemoon does not allow this. That's why you linked to a random third-party build instead of packages.debian.org. Firefox does have similar trademark issues, which is why Debian used to have to rebrand it as "Iceweasel", but they have since clarified that it is okay to make the modifications necessary to package Firefox for Debian without rebranding.

> This sounds like a weird internet rumor. Any source for this one?

https://forum.palemoon.org/viewtopic.php?t=16504

Edit: Removed rude language which misdirected my frustration with my landlord and the DMV at an innocent person on the Internet.

andyprough
Offline
Joined: 02/12/2015

Sorry to hear about your frustration with your landlord and the DMV. I hope that they act more kindly toward you and work things out with you in a helpful and productive manner. You are a good person and deserve to be treated with respect.

chaosmonk

Offline
Joined: 07/07/2017

Thanks :)

Jaret
Offline
Joined: 12/19/2018

> Let me know if you are needing to know about other privacy and security add-ons for palemoon.
I've read your experiment thread about privacy in Abrowser, it's very interesting.
It will be nice to know about privacy add-ons for Pale Moon as well.

andyprough
Offline
Joined: 02/12/2015

Decentraleyes - this add-on is available for most major browsers. It "aims to cut out the middleman through blazing-fast delivery of local (bundled) content to improve your online privacy". Worth reading more about and installing from here: https://addons.palemoon.org/addon/decentraleyes/

Https always - should use this or 'Https Everywhere' on every browser, will get your browser communication encrypted more often: https://addons.palemoon.org/addon/https-always/

Pure URL - On firefox and abrowser and icecat the similar add-on is called "Neat URL". It strips the tracker stuff that websites put into your url's, also worth reading more about: https://addons.palemoon.org/addon/pureurl4pm/

uMatrix - since noscript does not work well on palemoon, if you want to use a script blocker you should use this special palemoon uMatrix fork: https://addons.palemoon.org/addon/ematrix/
uMatrix will break most of your websites, so it's important to watch some invidio.us videos about how to use it to unbreak sites, and to read documentation: https://github.com/gorhill/uMatrix/wiki

chaosmonk

Offline
Joined: 07/07/2017

Yeah, I understand that people are sometimes forced to use Windows or other non-free software. If you have to run Windows it is better to run freedom- and privacy-respecting applications on it than non-free and privacy-hostile ones. I just don't know the answer to your question.

If you want a decent, free software browser on Windows, you could try to compile a free version of Palemoon yourself, or you could use Librewolf or Ungoogled Chromium, both of which provide Windows binaries.

Jaret
Offline
Joined: 12/19/2018

Right now I have Iridium installed on WC. I'll try Librewolf and Ungoogled Chromium.

Jaret
Offline
Joined: 12/19/2018

As far as I understand, Librewolf for windows is not yet released. I'll be looking for them in the future.
https://gitlab.com/librewolf-community/browser/windows

Ungoogled Chromium binaries have this warning:
IMPORTANT: These binaries are provided by anyone who are willing to build and submit them. Because these binaries are not necessarily reproducible, authenticity cannot be guaranteed. For your consideration, each download page lists the GitHub user that submitted those binaries.
https://ungoogled-software.github.io/ungoogled-chromium-binaries/
I'll install 84.0.4147.135-1 64 bit binary.

Pale Moon works OK.

Interestingly, our windows admin said that he hates windows. I hate it too.

chaosmonk

Offline
Joined: 07/07/2017

> I guess, since Windows is already malware, that runs antivirus, which is also malware, and it's not even my own computer, it will be little to no harm to install another malware.

I would not say that. More spyware makes you even more vulnerable. What I would prioritize in your situation though (if you do not already do this) is avoid using the Windows system for any of your personal computing. Only use it for computing done on behalf of your employer. That way, only your employer is effectively being spied on.

> OK, I'll try Pale Moon on my work's computer.
> Is this mitigation valid?
> https://spyware.neocities.org/guides/palemoon.html

Yes, as far as I know this should address Palemoon's privacy issues (which are already relatively minor compared to most browsers). The freedom issues will remain, so it's not something I can recommend in this forum.

Hopefully that un-branded fork I linked to earlier will start to make its way into more distros repositories. (A few distros already package it, but not Debian yet.) The main thing preventing distros from properly packaging Palemoon is that the trademark restrictions prevent them from using system libraries. Here's what happens if they try: https://github.com/jasperla/openbsd-wip/issues/86

> Right now I have Irridium installed on WC.

In my opinion there is no reason to use Iridium or any Chromium fork other than Ungoogled Chromium. Ungoogled Chromium uses the useful patches from Iridium, and goes further to address privacy issues. All the other Chromium forks I know of make Chromium even worse.

koszkonutek
Offline
Joined: 03/19/2020

I know it's over 2 weeks since You asked about free (as in freedom) WC browsers, but I realized I forgot about a few alternative approaches (similar to each other, since they rely on finding a way for running arbitrary GNU/Linux software on WC).

It's possible to run a Virtual Machine with a GNU/Linux system in it and run any browser there.

It's also possible to run things in WSL. Ppl say it works quite reliably. Perhaps it'd even be possible to run a web browser this way?

Finally, there's Cygwin. It used to allow running Unix stuff on WC. You'd need to check. I think this would be the minimal-overhead way of running GNU/Linux software under WC, but also the most difficult approach - probably requiring compiling a browser yourself and maybe also fixing it in the process?

Sure, there are freedom caveats no matter which way You go. Virtualizer might be nonfree, some WSL component might be nonfree... Well, we should be expecting that on such OS as Windoze

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> If I had to stop using the web completely tomorrow I wouldn't lose any sleep over it.

That's good for you, and I'm genuinely encouraged to hear that you still have that choice. I don't have that option, as I would be kicked out of my PhD program for failing to meet various responsibilities. And I'm not just thinking about myself. Almost nobody I know has that choice either.

> I'm very into palemoon and basilisk and very interested in iceweasel-uxp because they are doing things that are quite different... but you disregard these projects off-hand.

I have pushed back on some ignorant claims about these browsers. That's different from dismissing them off-hand, though I can understand why it would come across that way if you never see me push in the other direction. If someone showed up and made criticisms against these browsers that I felt were unjustified I would push back against those too. I just haven't seen that happen in this forum (though I have seen it happen in plenty of other places, such as this smear job[1] which unfortunately comes up pretty visibly in searches for information about Palemoon).

I don't believe in putting all eggs in one basket. Of course I want those browsers to keep doing what they are doing. I have some doubts about the direction Iceweasel-UXP has gone, but I would love for it to succeed. With Palemoon and Basilisk I have problems less with development decisions and more the freedom issues and hostility toward packagers, though there is a Palemoon fork[2] I'm keeping an eye on that is trying to address those issues while otherwise keeping the good things about the browser. I just want to play it as safe as possible and make efforts on every front. Contributing to browsers that don't blindly copy Chromium is helpful, in that it creates a refuge from Google's vision of what web browsing should look like. But I think there is also value in trying to improve the web itself. Fighting against Chromium's influence over the web is in the best interests of browsers that don't want to imitate Chromium.

> Google has been planning the destruction of our security tools every year for years now, and so far they have accomplished nothing, and in fact our security tools work better than ever. As I said, they are their own worst enemy. If you stacked all of Google's dead-end and failed projects end to end, they would probably reach the moon. Hardly worth paying attention to their bluster.

They have accomplished a great deal. For one, compare the FSF's efforts to get websites to free their JavaScript to Google's efforts to get websites to create alternate versions of their web pages that conform to Google AMP. The only websites influenced by the FSF have mostly been sites affiliated with them in some way, like this one, whereas nearly every major publisher has adopted AMP. It is normal for megacorps like Google to blindly throw a lot of things at the wall to see what sticks. Most of it fails, and a few things succeed wildly. At their size, that scales better than trying to predict which specific projects will be successful. Google controls the most widely used operating system, browser, search engine, streaming platform, navigation software, and more. I don't see how you can consider them less than a formidable enemy.

By the way, Firefox is only allowed to exist because Google funds it in exchange for being Firefox's default search engine. Mozilla is already hurting financially.[3] There is real reason to worry about Firefox's future and its reliance on Google. And if Firefox ever dies, there goes upstream security updates for Pale Moon and Basilisk, and by extension Iceweasel-UXP. Maybe those browsers could survive if the size of their team has greatly increased by then, but so far they don't seem interested in doing that. It's ok to want to keep a project mostly in-house and avoid the messiness and pressure and reduced amount of fun that comes with growth, but it does mean you need to hope that your upstream stays around.

One of my favorite RMS quotes is from an interview I saw a while back, I don't recall exactly where. He is asked whether he thinks the free software movement will win, and says something along the lines of "If you think you will lose, you risk giving up. If you think you will win, you risk underestimating your enemy. Either way, you weaken yourself by trying to answer that question." You are absolutely right that we shouldn't give in to feelings of "impending doom", which is not what I meant to do, though I did admittedly adopt a pretty negative tone in my OP that reflected my mood and amount of wine ingested at the time, but we should also do our best to identify and preempt potential threats rather than rely on the assumption that a powerful enemy will do our job for us.

[1] https://www.howtogeek.com/335712/update-why-you-shouldnt-use-waterfox-pale-moon-or-basilisk/

[2] https://git.nuegia.net/webbrowser.git/tree/

[3] https://www.zdnet.com/article/mozilla-lays-off-250-employees-while-it-refocuses-on-commercial-products/

Beko
Offline
Joined: 08/31/2019

"If you think you will lose, you risk giving up. If you think you will win, you risk underestimating your enemy. Either way, you weaken yourself by trying to answer that question."

Maybe he just sees that the, let's call it a Game, of software is an infinite one. For finite games like Chess or Poker you can WIN, but in an infinite game like the Cold War you CANNOT win or lose, only drop out from the game if you don't have enough resources. The thing you said about Google just throwing shit on the wall and seeing what sticks is an infinite strategy as long as they can afford to throw the metaphorical shit on the wall.

Game theory is a helluva drug

andyprough
Offline
Joined: 02/12/2015

> By the way, Firefox is only allowed to exist because Google funds it

Let's be totally honest - it doesn't take anywhere near $400 million a year to develop a web browser. Mozilla is good at exactly one thing - burning through huge piles of cash. You compare what they accomplish with all the money they could ask for compared to what LibreOffice and KDE accomplish with next to nothing, and you can clearly see that Mozilla isn't putting that money to good use at all. If the money all went away tomorrow and Firefox was forked and taken over by the community, I'd wager that it would probably benefit greatly from the change, similar to how LibreOffice rose from the dead ashes of OpenOffice.

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> Let's be totally honest - it doesn't take anywhere near $400 million a year to develop a web browser. Mozilla is good at exactly one thing - burning through huge piles of cash. You compare what they accomplish with all the money they could ask for compared to what LibreOffice and KDE accomplish with next to nothing, and you can clearly see that Mozilla isn't putting that money to good use at all.

Ok, yeah, that's a fair point. I can't exactly hold up Mozilla as a model of efficiency... That said, don't underestimate the work that goes into maintaining a complete web browser without an upstream to base on; even Micro$oft gave up trying, and Mozilla is really the lone holdout. LibreOffice and KDE are great projects, but don't really compare to Firefox in scope. Also, KDE actually integrates Chromium into their software in the form of Qtwebengine. Run

$ apt-cache rdepends --no-recommends --no-suggests --recurse *qtwebengine* | sort -u

to print a list of Debian/MX packages that hard-depend on Qtwebengine, and you'll see that KDE is not exactly a good example to bring up if you want to downplay the influence of Chromium in the free software ecosystem.

> If the money all went away tomorrow and Firefox was forked and taken over by the community, I'd wager that it would probably benefit greatly from the change, similar to how LibreOffice rose from the dead ashes of OpenOffice.

This is a plausible outcome, and if we reach that point I hope you are right. There wasn't really another free equivalent to OpenOffice though, was there? The only alternative would have been to start from scratch, so forking OpenOffice was the path of least resistance. Taking over maintenance of Firefox would be much more work and much less fun than the temptation to base on Chromium like everyone else, so while I hope you are right, I would not want to rely on the assumption that things would play out the way we'd hope. Better to avoid assumptions and have a game plan for every reasonably possible outcome.

andyprough
Offline
Joined: 02/12/2015

> Taking over maintenance of Firefox would be much more work and much less fun than the temptation to base on Chromium like everyone else

That's the thing though, you can't just base on chromium, as google releases it in such a dumpster fire condition that often the distros can't even get it to build and run correctly. I personally know one of the people who work on it for Debian and it causes a world of pain for them. And the whole time the users are screaming, "why did you screw up my internet???? I can't get my netflix!!! You screwed up my facebook!!!" I've recommended that they just drop it, it's not at all worth the trouble.

Companies like Brave and Vivaldi and Opera and Microsoft have huge staffs to deal with the problems of basing on chromium. You know what I'm talking about, you and I have both probably tried to build chromium at different times, and if you get one of google's bad releases then it's nearly an impossible task. If you were going to do anything as a free browser project, basing on chromium is one of the worst things you could do, especially since google could simply yank the rug out from under you anytime they like.

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> I personally know one of the people who work on it for Debian and it causes a world of pain for them.

I believe it, especially given Debian's high standards for packaging. Based on my experience creating relatively simple Debian packages that I'm sure would not be high quality enough for use in Debian, I'd rather blow my brains out than take on packaging something as massive and problematic as Chromium.

> Companies like Brave and Vivaldi and Opera and Microsoft have huge staffs to deal with the problems of basing on chromium.

I don't know what size their staffs are. I do know the size of Ungoogled Chromium's unpaid staff, which is not large, and Ungoogled Chromium is probably most representative of the base level of effort needed to deal with Chromium as an upstream, since all they do for the most part is clean up privacy issues, not implement their own features or look-and-feel like the other browsers you list.

> You know what I'm talking about, you and I have both probably tried to build chromium at different times, and if you get one of google's bad releases then it's nearly an impossible task.

Out of the major browsers I have compiled, Chromium certainly has the longest build time, but at least it usually actually builds at all. In terms of breakage I've had an even harder time with Firefox. The only other large browser I've tried to compile is Iceweasel-UXP, which was even harder (though this is probably not a fair comparison, since I was using Trisquel at the time, and unlike Chromium and Firefox, Iceweasel-UXP had not been packaged for Debian-based systems before so I had less to work with. It is likely much easier to build on Hyperbola.)

I do overall agree with your assessment of Chromium, but we're comparing the cost of dealing with Chromium as an upstream to the cost of not having an upstream, right? Do you really think teams like those behind Edge and Opera rebased on Chromium because they were *so* desperate to become reliant on another company that they were willing to take on *more* work?

andyprough
Offline
Joined: 02/12/2015

> Do you really think teams like those behind Edge and Opera rebased on Chromium because they were *so* desperate to become reliant on another company that they were willing to take on *more* work?

No, I think they're in it for the money, and they realize that they need to consistently deliver netflix and instagram and whatever other garbage people are abusing their web browsers with. Might as well base on google's browser, since google will always support delivering mindless proprietary garbage content to their users.

> In terms of breakage I've had an even harder time with Firefox.

I've built firefox a lot, and the only time I've ever broken it was when I stripped out too much of mozilla's stupid 'Pocket' and telemetry and DRM and other stuff with build flags. I could build successfully without a lot of their junk, but not everything. Could be your build environment for firefox was not ideal - building on Debian stable is super easy once you set up rust and cargo. And I have always built firefox's nightly version, which I've heard is a bit easier. Chromium I've built "successfully" a few times, usually ending up with a browser that won't go online or do nearly any of the chromium functions. Might be that I was just doing it wrong.

> I do know the size of Ungoogled Chromium's unpaid staff, which is not large

Palemoon, basilisk and uxp is also a small group of staff plus a few volunteer coders. So, successfully forking firefox and maintaining that fork is not an insurmountable task, depending on how you want to go about it.

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> I've built firefox a lot, and the only time I've ever broken it was when I stripped out too much of mozilla's stupid 'Pocket' and telemetry and DRM and other stuff with build flags. I could build successfully without a lot of their junk, but not everything. Could be your build environment for firefox was not ideal - building on Debian stable is super easy once you set up rust and cargo. And I have always built firefox's nightly version, which I've heard is a bit easier. Chromium I've built "successfully" a few times, usually ending up with a browser that won't go online or do nearly any of the chromium functions. Might be that I was just doing it wrong.

Maybe our different experiences are due to different workflows. I'm usually trying to create distro-style packages using Debian's packaging tools. Setting up Rust or Cargo isn't something I would need to deal with because it would all get pulled in by sbuild. Or, now that I think about it, it could be because I'm usually trying to compile modified versions of those browsers (Abrowser, Icecat, Iceweasel-UXP, or Ungoogled Chromium), so the problems might be due to downstream modifications.

> Palemoon, basilisk and uxp is also a small group of staff plus a few volunteer coders. So, successfully forking firefox and maintaining that fork is not an insurmountable task, depending on how you want to go about it.

Maybe you don't realize (I did not at first) that these browsers are not independent of Firefox when it comes to maintenance. When it comes to design they are independent in the sense that they do not automatically adopt new features just because Firefox does, but they still have most of their code in common with Firefox, and rely on Mozilla's bug fixes and security updates to maintain that code. If Mozilla were to stop maintaining Firefox, those browsers would only survive if they greatly expanded the size of their team to take over the work that Mozilla is doing.

andyprough
Offline
Joined: 02/12/2015

> Maybe you don't realize (I did not at first) that these browsers are not independent of Firefox when it comes to maintenance. When it comes to design they are independent in the sense that they do not automatically adopt new features just because Firefox does, but they still have most of their code in common with Firefox, and rely on Mozilla's bug fixes and security updates to maintain that code. If Mozilla were to stop maintaining Firefox, those browsers would only survive if they greatly expanded the size of their team to take over the work that Mozilla is doing.

It's interesting to see how the lead dev moonchild describes the situation. For some years the two projects ran fairly parallel, but since Firefox went to quantum there's been a growing difference in their code base. Moonchild claims to have early access to all Firefox security code, but much of it is not used because palemoon does not implement features that Firefox secures against. For instance, you've pointed out in the past that palemoon does not implement interprocess sandboxing, but moonchild has stated that was simply because palemoon never became a multiprocess program when Firefox did. Apparently the differences at this point are substantial. If you are interested, I'll point you to some of moonchild's writing on the topics, I don't want to hunt for them at the moment but I'll have time tomorrow.

I'm not a huge moonchild fan, as he is a more windows-centric programmer. But palemoon has attracted some devs who only work in a GNU/Linux environment, and they seem to be able to coexist. It's an interesting project. I don't agree with all their goals or design decisions which also tend to be Windows-centric, but the fact that it works as well as it does on nearly any GNU/Linux distro is pretty remarkable.

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> It's interesting to see how the lead dev moonchild describes the situation. For some years the two projects ran fairly parallel, but since Firefox went to quantum there's been a growing difference in their code base.

I'm sure that's true, but Moonchild still relies on many commits from Mozilla. If Mozilla stopped maintaining Firefox, Palemoon and Basilisk might survive, but there are only 24 hours in a day and the time Moonchild would spend maintaining Firefox code would take away from the work he'd normally put that time toward.

> For instance, you've pointed out in the past that palemoon does not implement interprocess sandboxing, but moonchild has stated that was simply because palemoon never became a multiprocess program when Firefox did.

If you remember where you found this statement and it is not inconvenient to recover, could you link to it? What I think you are referring to is when I was talking about Firefox's use of pulseaudio to isolate per-tab audio streams. Palemoon supports tabbed browsing, so either (a) there is no isolation of audio streams between webpages in different tabs, or (b) they have found a way to support such isolation without pulseaudio, in which case I would love to know how, because when I'm setting up pro-audio systems literally the only reason I include pulseaudio is to support modern Firefox. If I could cut out pulseaudio it would really simplify things.

> If you are interested, I'll point you to some of moonchild's writing on the topics, I don't want to hunt for them at the moment but I'll have time tomorrow.

I am interested. No rush, but if/when you have a chance to track it down I'll read it.

> I don't agree with all their goals or design decisions which also tend to be Windows-centric, but the fact that it works as well as it does on nearly any GNU/Linux distro is pretty remarkable.

I have mixed feelings about it too, but I keep an eye on it and I'm really glad it's there as an option. If you haven't already gone through digdeeper.neocities.org, it analyses all the browsers (and other things like mail providers) pretty well. It's worth spending a day going through if you have time.

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> digdeeper.neocities.org

Not that I endorse everything said on that site. I have some political disagreements with the author. But in terms of evaluating technology from a privacy perspective I think it's great.

andyprough
Offline
Joined: 02/12/2015

I've changed my browser security and privacy reading habits in the past year. I've been trying to stick to academic studies of browser privacy and security as much as possible. The study from the University of Dublin on default phone-home behavior by the major browsers earlier this year was a real eye-opener (not related to palemoon, but interesting nonetheless): https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf

As far as palemoon is concerned, it was the first browser to implement canvas poisoning to prevent canvas fingerprinting: https://www.securitee.org/files/canvasauthentication_dimva2019.pdf (see page 5)
It was also the first browser to implement XSSfilt to prevent cross-site scripting and cross-site request forgery: http://www.seclab.cs.sunysb.edu/seclab/pubs/pelizzith.pdf (see page 25)

As far as configuring it for better privacy and security, most of the about:config hacks I had previously learned from ghacks are either available on palemoon, or are not necessary because the offending processes (such as telemetry) do not exist. In terms of add-ons, ublock, umatrix, decentraleyes, PureURL and HTTPSeverywhere are all available as addons, so palemoon pretty much goes toe-to-toe with modern firefox in terms of privacy and security addons. Firefox has the amazing new chameleon anti-fingerprinting add-on, and palemoon is still stuck with a bit older version of Secret Agent, so Firefox gets the edge with that one add-on. And if you prefer noscript to umatrix, then palemoon would be deficient there, but personally I use umatrix on every browser and prefer it to noscript. Using the deviceinfo.me website to test browser fingerprinting, I can defeat or spoof all fingerprinting tests with a few about:config hacks and the above listed add-ons for both firefox and palemoon.

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> I've been trying to stick to academic studies of browser privacy and security as much as possible.

That's great, and these papers look good for understanding the particular issues that they are about. But picking out passing references to Pale Moon doing something first is not a scientific way to compare the current state of browsers, even if the papers themselves are scientific. The link I shared is not formally academic, but it does lay out a methodology for evaluating browsers, applies that methodology to each browser, and compares their current state point by point. (Spoiler alert: Palemoon still comes out on top)

> And if you prefer noscript to umatrix, then palemoon would be deficient there, but personally I use umatrix on every browser and prefer it to noscript.

I really wish that the uMatrix author would put some work into usability. I think the only reason people choose the otherwise inferior NoScript is that they can figure out how the hell to get started with it.

However, I'm pretty sure that there was a legacy version of NoScript available back when I used Iceweasel-UXP. No reason to use it if you are already comfortable with uMatrix though.

andyprough
Offline
Joined: 02/12/2015

> I think the only reason people choose the otherwise inferior NoScript is that they can figure out how the hell to get started with it.

umatrix definitely had a learning curve for me, but once I got used to it I felt I was getting a finer level of control compared to noscript. I think it's great we have both though, and I'm totally comfortable with either one and usually recommend noscript. As you say, it's easier for people to figure out how to get started.

> The link I shared is not formally academic, but it does lay out a methodology for evaluating browsers, applies that methodology to each browser, and compares their current state point by point.

Yes, but I've spent years using other people's methodologies and comparisons, and I'm trying to get to the point where I can build my own methodological framework. The papers I sent you are just a couple out of many, but I'm getting more interested in educating myself at a deeper level. I guess we all grow and change over time. This year, like a lot of people, I've had more time to myself to ponder some of these things that had been on the back burner for me for years.

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> I'm trying to get to the point where I can build my own methodological framework.

If you have time to compile what you've found into an article or organized reading list, it could be a useful resource that helps other people do the same.