web browsers...

69 replies [Last post]
chaosmonk

I am a member!

I am a translator!

Joined: 07/07/2017

I have recently reached the conclusion that there are no good web browsers, by definition. Some web browsers are a little worse than others in that they are more freedom- or privacy-hostile, but all of them are bad, because by definition a web browser browses the web, and in order to do this, they have to implement web standards, and in doing so they become bad.

A web standard is a feature that has been implemented in Chrome, adopted by websites optimizing for Chrome, implemented by the other major web browsers in order to be able to browse those websites, and finally declared a standard because it has been implemented by the major web browsers.

Chromium is the reference implementation of a web browser. Normal standards can be reimplemented by other vendors, but web standards are different.[1] They proliferate at approximately the same rate as Chromium features, so in order to implement a web browser a vendor must either use Chromium as a base, or reimplement Chromium's features and keep up with Chromium development, which in practice no one has been able to do. There are some complete web browsers based on Chromium, some mostly-complete web browsers based on Firefox (which almost keeps up with Chromium development), and many other incomplete web browsers based on Webkit or written from scratch, which are not complete web browsers because they cannot completely browse the web.

Chromium is free software, so it can be modified to remove some of its antifeatures, like DRM and spyware. Ungoogled Chromium does a pretty good job at this. However, DRM is a web standard, so removing it makes the result no longer a web browser, and in general a downstream project cannot stray too far from Chromium and still be able to browse most of the web.

Firefox is also free software, so it can be modified to remove its antifeatures, like DRM and spyware and trademark restrictions. However, the further a downstream strays from Chromium than Firefox already has, the less of a web browser it is.

It's possible to write a program from scratch or based on Webkit that can browse some websites, but it will be too different from Chromium to browse much of the web and therefore be not much of a web browser.

WebBundles[2][3] are a new Chromium feature threatening to become a web standard. There are some browser addons and partial web browsers that break web standards in the interest of user freedom and/or privacy, often by blocking certain non-free or privacy-hostile scripts or requests within web pages. If I understand correctly, a WebBundle dumps everything into a single .wbn file which the browser would load all at once, breaking addons like NoScript and uBlock Origin, as well as browsers with built-in adblocking or tracker-blocking like Brave (trash that no one should use, only mentioned because it's a relevant example) and Eolie, which rely on the ability to allow or block requests from particular domains. This is just the latest in a long series of "features" which make users of the web less free or private.

It is well-recognized in this community that user freedom can be restricted by copyright law or the withholding of source code. The GPL was designed to address these two threats to user freedom. The GPLv2, however, was vulnerable to another threat to user freedom: Tivoization, where the software can be modified, but modified versions are not useful because they cannot be used with the needed hardware. The GPLv3 patched this vulnerability, but I believe there are other threats that have not received enough attention. One that comes to mind is client-side software that can be freely modified, but of which modified versions are not useful without non-free server-side software. The problem with the web is that although Chromium can be modified or reimplemented with modifications, the result is only useful insofar as it conforms to Chromium's feature set.

I think that attempts to create freedom- and privacy-respecting browsers like Ungoogled Chromium, Icecat, Abrowser, and Iceweasel-UXP, though they are valuable temporary mitigations to some of the problems with the modern web, are trying to solve the problem in the wrong place. The problem is not with web browsers, but with the web. If we want to have non-bad web browsers, it is not enough to fork or create an alternative web browser. We need to fork or create an alternative to the web. A fork might be some subset of HTML, with an emphasis on semantic elements that can be handled appropriately by the browser rather than relying on client-side scripting. An alternative might be something like Gemini[4] for document exchange combined with promoting desktop clients over webapps* for more advanced functionality. I don't know, I'm still thinking this through. There will need to be some strategic compromise between what is good and what websites can be persuaded to adopt that is less bad than what they were doing before. But I am pretty convinced at this point that users of web browsers cannot have real freedom while the web itself evolves according to the whims of Google, and while browsers have to race to keep up with what an advertising company decides the web should look like.

*And that means rejecting Electron too, which extends Google's influence over the web into the desktop as well.

[1] https://drewdevault.com/2020/03/18/Reckless-limitless-scope.html

[2] https://web.dev/web-bundles/

[3] https://brave.com/webbundles-harmful-to-content-blocking-security-tools-and-the-open-web/

[4] https://gemini.circumlunar.space/

chaosmonk

Joined: 07/07/2017

> We can just ignore all web sites not working properly without java script.

The problem is way bigger than JavaScript, and getting bigger. Read about WebBundles. Also, no we can't. We can ignore some of them, for now, but it is becoming harder to participate in society in basic ways (apply for a job, buy something you need, register to vote, take a college course) without using freedom- and privacy-hostile websites. COVID has accelerated this by forcing many previously real-life interactions to move online, and interactions that have proven to be cheaper online will not necessarily go back to being in-person after COVID is over. Avoiding crappy sites whenever possible could be part of a strategy of forking the web, but is not a sustainable solution on its own. The number of unavoidable crappy sites is already non-zero for most people, and will continue to increase for anyone who does not live in a cave.

andyprough
Joined: 02/12/2015

You're starting off by looking at the problem rather backward. Chromium is at its heart a piece of spyware, designed specifically to phone home most of users' online activity, behavior, and messaging to Google. Don't look at it as the reference standard for the web and then look at ways to strip its bad behavior out of it. Bad behavior is what it was built to do. The web is not inherently bad, but approaching the web from an all-out multi-trillion dollar ad revenue generating Google perspective is where things bog down.

You've got to start with some version of firefox, fork it, and move forward from there. Palemoon has the correct original creative impulse, if not the best implementation. Firefox-esr and Firefox versions prior to their DRM and telemetry and "Pocket" silliness are probably decent starting points. I'm not so worried about WebBundle - ublock and noscript have proven themselves to be much more agile than the technologies that have been introduced to defeat them.

chaosmonk

Joined: 07/07/2017

> You're starting off by looking at the problem rather backward. Chromium is at its heart a piece of spyware, designed specifically to phone home most of users' online activity, behavior, and messaging to Google. Don't look at it as the reference standard for the web and then look at ways to strip its bad behavior out of it.

I think you misunderstood my post. I am not saying that Chromium *should be* the reference implementation for the web. I'm saying that it *is*, whether we like it or not, because modern web standards follow the adoption of new Chromium features. Suppose for example that websites begin to adopt WebBundles. Palemoon will either (a) implement support for WebBundles or (b) lose the ability to browse these websites. Either way, Palemoon users will be affected. No matter what browser you use, you are affected by the direction Google takes Chromium development, because Chromium sets the standard to which other browsers must adapt or lose access to parts of the web.

> I'm not so worried about WebBundle - ublock and noscript have proven themselves to be much more agile than the technologies that have been introduced to defeat them.

Do you understand how uBlock Origin and NoScript actually work and the specific ways in which they would be affected by WebBundles?

andyprough
Joined: 02/12/2015

> I think you misunderstood my post. I am not saying that Chromium *should be* the reference implementation for the web. I'm saying that it *is*, whether we like it or not, because modern web standards follow the adoption of new Chromium features.

Trying to ungoogle chromium or ungoogle Google's web standards and web services is basically an inverse concept from the start, as they are built from the ground up to do something nefarious to you that you won't willingly agree with. It's like trying to "un-tiger" a tiger by calling it a kitten - it's still a tiger. A truly privacy conscious individual would be actually unplugging from the web right now - taking many of those things that they were doing online and transferring them to offline, pen and paper activities again. Interaction with the web should not really be done on Google's terms using variations on Google's spyware. Some people will fall further into that trap, but there are always consequences of failing to be vigilant. I still feel that a slightly older version of firefox is probably the correct place to start, possibly pre-quantum.

> Do you understand how uBlock Origin and NoScript actually work and the specific ways in which they would be affected by WebBundles?

Yes, yes, and yes, all to a limited degree, but no I do not feel overly worried. It's a new concept that Google and partners will surely screw up, leaving lots of openings for privacy and security researchers to reverse engineer. Web bundles are being presented as a solitary opaque page, but I feel quite certain that the end result will have lots of holes and jagged edges and loose threads for researchers to untangle. It's simply the next challenge. We run into these rumors of the impending demise of ad blockers and tracker blockers and script blockers on a yearly basis, but they never amount to anything. In fact, despite the herculean efforts of Google and the multi-trillion dollar ad industry, we have better tools now to block them than we've ever had. Their problem is that they can never agree on anything or do anything in a unified manner from their side. If Google and the ad industry and the major corporations ever all came together and truly united on one technology to bust ad/tracker/script/fingerprint blocking and spoofing, then we'd actually probably be in a bit of trouble. But that will never happen, as they are all led around by the nose by their own self interests.

chaosmonk

Joined: 07/07/2017

> Trying to ungoogle chromium or ungoogle Google's web standards and web services is basically an inverse concept from the start

That is not at all what I proposed. Please reread my original post, and if you interpret it the same way then let me know and I will try to explain better.

andyprough
Joined: 02/12/2015

I've read it twice now and I disagree twice. The sky is not falling. Google's worst enemy is Google. Our side is more agile and smarter and more motivated.

chaosmonk

Joined: 07/07/2017

> I've read it twice now and I disagree twice.

I would love to be wrong about this, and maybe I am. But I feel like you haven't responded to what I actually wrote.

> Our side is more agile and smarter and more motivated.

I wish I agreed. The more I learn the more I realize how little a lot of the people on "our side" know, and many of them seem frustratingly unmotivated to get anything done or to explore any new ideas.

andyprough
Joined: 02/12/2015

> But I feel like you haven't responded to what I actually wrote.

Because you are looking at the problem upside down from the way I do. I have zero interest in what Google is trying to do to herd me. If I had to stop using the web completely tomorrow I wouldn't lose any sleep over it. I'm very into palemoon and basilisk and very interested in iceweasel-uxp because they are doing things that are quite different. They may not be doing them all perfectly, but their browsers work on 99%+ of the web and can be made to run with a high degree of apparent security, and that's something really worth exploring. We've talked about this before, but you disregard these projects off-hand. But if you prefer to stew in your own doubts about the impending doom that Google is bringing rather than put your attention on projects that are trying to do something different - even if they fail tragically - then that's your decision. Some people I know are intimately involved in palemoon, and it's been fun for me to follow their progress and test their browsers. You and I just look at the world differently, there's no harm in that. I really shouldn't have responded to you, but I just wanted to point out that your concerns seem a bit misplaced. Google has been planning the destruction of our security tools every year for years now, and so far they have accomplished nothing, and in fact our security tools work better than ever. As I said, they are their own worst enemy. If you stacked all of Google's dead-end and failed projects end to end, they would probably reach the moon. Hardly worth paying attention to their bluster.

Beko
Joined: 08/31/2019

"If I had to stop using the web completely tomorrow I wouldn't lose any sleep over it."

This. At the end of the day it is a tool, if your tool is turning YOU into a tool, then get rid of it.

andyprough
Joined: 02/12/2015

Exactly, thank you!! Thirty years ago I did the work I do now on a computer with a typewriter and a large metal filing cabinet full of paper files, and I was able to do as much work as I do now. I spend way too much time fixing stuff that goes wrong on computers. About the most I ever had to do to my typewriter was change a ribbon or unstick a key. I really wouldn't mind going back.

chaosmonk

Joined: 07/07/2017

I'm too young to have had the pleasure, but I wouldn't mind going back either. The replacement for problematic software does not necessarily have to be software. In terms of inertia though, it's hard to overcome the expectations that modern computing has created for people.

This is totally off topic, but I recently came across this.[1] Someone connected an SBC to an e-ink screen with a base made of wood to create a typewriter-like interface that incorporates a few features of software without the distractions. If I ever have spare money again I may try something like this.

[1] https://alternativebit.fr/posts/ultimate-writer/

chaosmonk

Joined: 07/07/2017

> If I had to stop using the web completely tomorrow I wouldn't lose any sleep over it.

That's good for you, and I'm genuinely encouraged to hear that you still have that choice. I don't have that option, as I would be kicked out of my PhD program for failing to meet various responsibilities. And I'm not just thinking about myself. Almost nobody I know has that choice either.

> I'm very into palemoon and basilisk and very interested in iceweasel-uxp because they are doing things that are quite different... but you disregard these projects off-hand.

I have pushed back on some ignorant claims about these browsers. That's different from dismissing them off-hand, though I can understand why it would come across that way if you never see me push in the other direction. If someone showed up and made criticisms against these browsers that I felt were unjustified I would push back against those too. I just haven't seen that happen in this forum (though I have seen it happen in plenty of other places, such as this smear job[1] which unfortunately comes up pretty visibly in searches for information about Palemoon).

I don't believe in putting all eggs in one basket. Of course I want those browsers to keep doing what they are doing. I have some doubts about the direction Iceweasel-UXP has gone, but I would love for it to succeed. With Palemoon and Basilisk I have problems less with development decisions and more the freedom issues and hostility toward packagers, though there is a Palemoon fork[2] I'm keeping an eye on that is trying to address those issues while otherwise keeping the good things about the browser. I just want to play it as safe as possible and make efforts on every front. Contributing to browsers that don't blindly copy Chromium is helpful, in that it creates a refuge from Google's vision of what web browsing should look like. But I think there is also value in trying to improve the web itself. Fighting against Chromium's influence over the web is in the best interests of browsers that don't want to imitate Chromium.

> Google has been planning the destruction of our security tools every year for years now, and so far they have accomplished nothing, and in fact our security tools work better than ever. As I said, they are their own worst enemy. If you stacked all of Google's dead-end and failed projects end to end, they would probably reach the moon. Hardly worth paying attention to their bluster.

They have accomplished a great deal. For one, compare the FSF's efforts to get websites to free their JavaScript to Google's efforts to get websites to create alternate versions of their web pages that conform to Google AMP. The only websites influenced by the FSF have mostly been sites affiliated with them in some way, like this one, whereas nearly every major publisher has adopted AMP. It is normal for megacorps like Google to blindly throw a lot of things at the wall to see what sticks. Most of it fails, and a few things succeed wildly. At their size, that scales better than trying to predict which specific projects will be successful. Google controls the most widely used operating system, browser, search engine, streaming platform, navigation software, and more. I don't see how you can consider them less than a formidable enemy.

By the way, Firefox is only allowed to exist because Google funds it in exchange for being Firefox's default search engine. Mozilla is already hurting financially.[3] There is real reason to worry about Firefox's future and its reliance on Google. And if Firefox ever dies, there goes upstream security updates for Pale Moon and Basilisk, and by extension Iceweasel-UXP. Maybe those browsers could survive if the size of their team has greatly increased by then, but so far they don't seem interested in doing that. It's ok to want to keep a project mostly in-house and avoid the messiness and pressure and reduced amount of fun that comes with growth, but it does mean you need to hope that your upstream stays around.

One of my favorite RMS quotes is from an interview I saw a while back, I don't recall exactly where. He is asked whether he thinks the free software movement will win, and says something along the lines of "If you think you will lose, you risk giving up. If you think you will win, you risk underestimating your enemy. Either way, you weaken yourself by trying to answer that question." You are absolutely right that we shouldn't give in to feelings of "impending doom", which is not what I meant to do, though I did admittedly adopt a pretty negative tone in my OP that reflected my mood and amount of wine ingested at the time, but we should also do our best to identify and preempt potential threats rather than rely on the assumption that a powerful enemy will do our job for us.

[1] https://www.howtogeek.com/335712/update-why-you-shouldnt-use-waterfox-pale-moon-or-basilisk/

[2] https://git.nuegia.net/webbrowser.git/tree/

[3] https://www.zdnet.com/article/mozilla-lays-off-250-employees-while-it-refocuses-on-commercial-products/

Beko
Joined: 08/31/2019

"If you think you will lose, you risk giving up. If you think you will win, you risk underestimating your enemy. Either way, you weaken yourself by trying to answer that question."

Maybe he just sees that the, let's call it a Game, of software is an infinite one. For finite games like Chess or Poker you can WIN, but in an infinite game like the Cold War you CANNOT win or lose, only drop out from the game if you don't have enough resources. The thing you said about Google just throwing shit on the wall and seeing what sticks is an infinite strategy as long as they can afford to throw the metaphorical shit on the wall.

Game theory is a helluva drug

andyprough
Joined: 02/12/2015

> By the way, Firefox is only allowed to exist because Google funds it

Let's be totally honest - it doesn't take anywhere near $400 million a year to develop a web browser. Mozilla is good at exactly one thing - burning through huge piles of cash. You compare what they accomplish with all the money they could ask for compared to what LibreOffice and KDE accomplish with next to nothing, and you can clearly see that Mozilla isn't putting that money to good use at all. If the money all went away tomorrow and Firefox was forked and taken over by the community, I'd wager that it would probably benefit greatly from the change, similar to how LibreOffice rose from the dead ashes of OpenOffice.

chaosmonk

Joined: 07/07/2017

> Let's be totally honest - it doesn't take anywhere near $400 million a year to develop a web browser. Mozilla is good at exactly one thing - burning through huge piles of cash. You compare what they accomplish with all the money they could ask for compared to what LibreOffice and KDE accomplish with next to nothing, and you can clearly see that Mozilla isn't putting that money to good use at all.

Ok, yeah, that's a fair point. I can't exactly hold up Mozilla as a model of efficiency... That said, don't underestimate the work that goes into maintaining a complete web browser without an upstream to base on; even Micro$oft gave up trying, and Mozilla is really the lone holdout. LibreOffice and KDE are great projects, but don't really compare to Firefox in scope. Also, KDE actually integrates Chromium into their software in the form of Qtwebengine.

Run

$ apt-cache rdepends --no-recommends --no-suggests --recurse '*qtwebengine*' | sort -u

to print a list of Debian/MX packages that hard-depend on Qtwebengine, and you'll see that KDE is not exactly a good example to bring up if you want to downplay the influence of Chromium in the free software ecosystem.

> If the money all went away tomorrow and Firefox was forked and taken over by the community, I'd wager that it would probably benefit greatly from the change, similar to how LibreOffice rose from the dead ashes of OpenOffice.

This is a plausible outcome, and if we reach that point I hope you are right. There wasn't really another free equivalent to OpenOffice though, was there? The only alternative would have been to start from scratch, so forking OpenOffice was the path of least resistance. Taking over maintenance of Firefox would be much more work and much less fun than the temptation to base on Chromium like everyone else, so while I hope you are right, I would not want to rely on the assumption that things would play out the way we'd hope. Better to avoid assumptions and have a game plan for every reasonably possible outcome.

andyprough
Joined: 02/12/2015

> Taking over maintenance of Firefox would be much more work and much less fun than the temptation to base on Chromium like everyone else

That's the thing though, you can't just base on chromium, as google releases it in such a dumpster fire condition that often the distros can't even get it to build and run correctly. I personally know one of the people who work on it for Debian and it causes a world of pain for them. And the whole time the users are screaming, "why did you screw up my internet???? I can't get my netflix!!! You screwed up my facebook!!!" I've recommended that they just drop it, it's not at all worth the trouble.

Companies like Brave and Vivaldi and Opera and Microsoft have huge staffs to deal with the problems of basing on chromium. You know what I'm talking about, you and I have both probably tried to build chromium at different times, and if you get one of google's bad releases then it's nearly an impossible task. If you were going to do anything as a free browser project, basing on chromium is one of the worst things you could do, especially since google could simply yank the rug out from under you anytime they like.

chaosmonk

Joined: 07/07/2017

> I personally know one of the people who work on it for Debian and it causes a world of pain for them.

I believe it, especially given Debian's high standards for packaging. Based on my experience creating relatively simple Debian packages that I'm sure would not be high quality enough for use in Debian, I'd rather blow my brains out than take on packaging something as massive and problematic as Chromium.

> Companies like Brave and Vivaldi and Opera and Microsoft have huge staffs to deal with the problems of basing on chromium.

I don't know what size their staffs are. I do know the size of Ungoogled Chromium's unpaid staff, which is not large, and Ungoogled Chromium is probably most representative of the base level of effort needed to deal with Chromium as an upstream, since all they do for the most part is clean up privacy issues, not implement their own features or look-and-feel like the other browsers you list.

> You know what I'm talking about, you and I have both probably tried to build chromium at different times, and if you get one of google's bad releases then it's nearly an impossible task.

Out of the major browsers I have compiled, Chromium certainly has the longest build time, but at least it usually actually builds at all. In terms of breakage I've had an even harder time with Firefox. The only other large browser I've tried to compile is Iceweasel-UXP, which was even harder (though this is probably not a fair comparison, since I was using Trisquel at the time, and unlike Chromium and Firefox, Iceweasel-UXP had not been packaged for Debian-based systems before so I had less to work with. It is likely much easier to build on Hyperbola.)

I do overall agree with your assessment of Chromium, but we're comparing the cost of dealing with Chromium as an upstream to the cost of not having an upstream, right? Do you really think teams like those behind Edge and Opera rebased on Chromium because they were *so* desperate to become reliant on another company that they were willing to take on *more* work?

andyprough
Joined: 02/12/2015

> Do you really think teams like those behind Edge and Opera rebased on Chromium because they were *so* desperate to become reliant on another company that they were willing to take on *more* work?

No, I think they're in it for the money, and they realize that they need to consistently deliver netflix and instagram and whatever other garbage people are abusing their web browsers with. Might as well base on google's browser, since google will always support delivering mindless proprietary garbage content to their users.

> In terms of breakage I've had an even harder time with Firefox.

I've built firefox a lot, and the only time I've ever broken it was when I stripped out too much of mozilla's stupid 'Pocket' and telemetry and DRM and other stuff with build flags. I could build successfully without a lot of their junk, but not everything. Could be your build environment for firefox was not ideal - building on Debian stable is super easy once you set up rust and cargo. And I have always built firefox's nightly version, which I've heard is a bit easier. Chromium I've built "successfully" a few times, usually ending up with a browser that won't go online or do nearly any of the chromium functions. Might be that I was just doing it wrong.

> I do know the size of Ungoogled Chromium's unpaid staff, which is not large

Palemoon, basilisk and uxp is also a small group of staff plus a few volunteer coders. So, successfully forking firefox and maintaining that fork is not an insurmountable task, depending on how you want to go about it.

chaosmonk

Joined: 07/07/2017

> I've built firefox a lot, and the only time I've ever broken it was when I stripped out too much of mozilla's stupid 'Pocket' and telemetry and DRM and other stuff with build flags. I could build successfully without a lot of their junk, but not everything. Could be your build environment for firefox was not ideal - building on Debian stable is super easy once you set up rust and cargo. And I have always built firefox's nightly version, which I've heard is a bit easier. Chromium I've built "successfully" a few times, usually ending up with a browser that won't go online or do nearly any of the chromium functions. Might be that I was just doing it wrong.

Maybe our different experiences are due to different workflows. I'm usually trying to create distro-style packages using Debian's packaging tools. Setting up Rust or Cargo isn't something I would need to deal with because it would all get pulled in by sbuild. Or, now that I think about it, it could be because I'm usually trying to compile modified versions of those browsers (Abrowser, Icecat, Iceweasel-UXP, or Ungoogled Chromium), so the problems might be due to downstream modifications.

> Palemoon, basilisk and uxp is also a small group of staff plus a few volunteer coders. So, successfully forking firefox and maintaining that fork is not an insurmountable task, depending on how you want to go about it.

Maybe you don't realize (I did not at first) that these browsers are not independent of Firefox when it comes to maintenance. When it comes to design they are independent in the sense that they do not automatically adopt new features just because Firefox does, but they still have most of their code in common with Firefox, and rely on Mozilla's bug fixes and security updates to maintain that code. If Mozilla were to stop maintaining Firefox, those browsers would only survive if they greatly expanded the size of their team to take over the work that Mozilla is doing.

andyprough
Joined: 02/12/2015

> Maybe you don't realize (I did not at first) that these browsers are not independent of Firefox when it comes to maintenance. When it comes to design they are independent in the sense that they do not automatically adopt new features just because Firefox does, but they still have most of their code in common with Firefox, and rely on Mozilla's bug fixes and security updates to maintain that code. If Mozilla were to stop maintaining Firefox, those browsers would only survive if they greatly expanded the size of their team to take over the work that Mozilla is doing.

It's interesting to see how the lead dev moonchild describes the situation. For some years the two projects ran fairly parallel, but since Firefox went to quantum there's been a growing difference in their code base. Moonchild claims to have early access to all Firefox security code, but much of it is not used because palemoon does not implement features that Firefox secures against. For instance, you've pointed out in the past that palemoon does not implement interprocess sandboxing, but moonchild has stated that was simply because palemoon never became a multiprocess program when Firefox did. Apparently the differences at this point are substantial. If you are interested, I'll point you to some of moonchild's writing on the topics, I don't want to hunt for them at the moment but I'll have time tomorrow.

I'm not a huge moonchild fan, as he is a more windows-centric programmer. But palemoon has attracted some devs who only work in a GNU/Linux environment, and they seem to be able to coexist. It's an interesting project. I don't agree with all their goals or design decisions which also tend to be Windows-centric, but the fact that it works as well as it does on nearly any GNU/Linux distro is pretty remarkable.

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> It's interesting to see how the lead dev moonchild describes the situation. For some years the two projects ran fairly parallel, but since Firefox went to quantum there's been a growing difference in their code base.

I'm sure that's true, but Moonchild still relies on many commits from Mozilla. If Mozilla stopped maintaining Firefox, Palemoon and Basilisk might survive, but there are only 24 hours in a day and the time Moonchild would spend maintaining Firefox code would take away from the work he'd normally put that time toward.

> For instance, you've pointed out in the past that palemoon does not implement interprocess sandboxing, but moonchild has stated that was simply because palemoon never became a multiprocess program when Firefox did.

If you remember where you found this statement and it is not inconvenient to recover, could you link to it? What I think you are referring to is when I was talking about Firefox's use of pulseaudio to isolate per-tab audio streams. Palemoon supports tabbed browsing, so either (a) there is no isolation of audio streams between webpages in different tabs, or (b) they have found a way to support such isolation without pulseaudio, in which case I would love to know how, because when I'm setting up pro-audio systems literally the only reason I include pulseaudio is to support modern Firefox. If I could cut out pulseaudio it would really simplify things.

> If you are interested, I'll point you to some of moonchild's writing on the topics, I don't want to hunt for them at the moment but I'll have time tomorrow.

I am interested. No rush, but if/when you have a chance to track it down I'll read it.

> I don't agree with all their goals or design decisions which also tend to be Windows-centric, but the fact that it works as well as it does on nearly any GNU/Linux distro is pretty remarkable.

I have mixed feelings about it too, but I keep an eye on it and I'm really glad it's there as an option. If you haven't already gone through digdeeper.neocities.org, it analyses all the browsers (and other things like mail providers) pretty well. It's worth spending a day going through if you have time.

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> digdeeper.neocities.org

Not that I endorse everything said on that site. I have some political disagreements with the author. But in terms of evaluating technology from a privacy perspective I think it's great.

andyprough
Offline
Joined: 02/12/2015

I've changed my browser security and privacy reading habits in the past year. I've been trying to stick to academic studies of browser privacy and security as much as possible. The study from the University of Dublin on default phone-home behavior by the major browsers earlier this year was a real eye-opener (not related to palemoon, but interesting nonetheless): https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf

As far as palemoon is concerned, it was the first browser to implement canvas poisoning to prevent canvas fingerprinting: https://www.securitee.org/files/canvasauthentication_dimva2019.pdf (see page 5)
It was also the first browser to implement XSSfilt to prevent cross-site scripting and cross-site request forgery: http://www.seclab.cs.sunysb.edu/seclab/pubs/pelizzith.pdf (see page 25)

As far as configuring it for better privacy and security, most of the about:config hacks I had previously learned from ghacks are either available on palemoon, or are not necessary because the offending processes (such as telemetry) do not exist. In terms of add-ons, ublock, umatrix, decentraleyes, PureURL and HTTPSeverywhere are all available as addons, so palemoon pretty much goes toe-to-toe with modern firefox in terms of privacy and security addons. Firefox has the amazing new chameleon anti-fingerprinting add-on, and palemoon is still stuck with a bit older version of Secret Agent, so Firefox gets the edge with that one add-on. And if you prefer noscript to umatrix, then palemoon would be deficient there, but personally I use umatrix on every browser and prefer it to noscript. Using the deviceinfo.me website to test browser fingerprinting, I can defeat or spoof all fingerprinting tests with a few about:config hacks and the above listed add-ons for both firefox and palemoon.

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> I've been trying to stick to academic studies of browser privacy and security as much as possible.

That's great, and these papers look good for understanding the particular issues that they are about. But picking out passing references to Pale Moon doing something first is not a scientific way to compare the current state of browsers, even if the papers themselves are scientific. The link I shared is not formally academic, but it does lay out a methodology for evaluating browsers, applies that methodology to each browser, and compares their current state point by point. (Spoiler alert: Palemoon still comes out on top)

> And if you prefer noscript to umatrix, then palemoon would be deficient there, but personally I use umatrix on every browser and prefer it to noscript.

I really wish that the uMatrix author would put some work into usability. I think the only reason people choose the otherwise inferior NoScript is that they can figure out how the hell to get started with it.

However, I'm pretty sure that there was a legacy version of NoScript available back when I used Iceweasel-UXP. No reason to use it if you are already comfortable with uMatrix though.

andyprough
Offline
Joined: 02/12/2015

> I think the only reason people choose the otherwise inferior NoScript is that they can figure out how the hell to get started with it.

umatrix definitely had a learning curve for me, but once I got used to it I felt I was getting a finer level of control compared to noscript. I think it's great we have both though, and I'm totally comfortable with either one and usually recommend noscript. As you say, it's easier for people to figure out how to get started.

> The link I shared is not formally academic, but it does lay out a methodology for evaluating browsers, applies that methodology to each browser, and compares their current state point by point.

Yes, but I've spent years using other people's methodologies and comparisons, and I'm trying to get to the point where I can build my own methodological framework. The papers I sent you are just a couple out of many, but I'm getting more interested in educating myself at a deeper level. I guess we all grow and change over time. This year, like a lot of people, I've had more time to myself to ponder some of these things that had been on the back burner for me for years.

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> I'm trying to get to the point where I can build my own methodological framework.

If you have time to compile what you've found into an article or organized reading list, it could be a useful resource that helps other people do the same.

andyprough
Offline
Joined: 02/12/2015

> If you remember where you found this statement and it is not inconvenient to recover could you link to it?

Here is where you were discussing multiprocess sandboxing - it did not have to do with audio streams: https://trisquel.info/en/forum/brave-web-browser#comment-149146

Here is a forum thread in which moonchild discusses the reasons not to implement firefox's "e10s/Electrolysis" multiprocess setup for browser tabs, and goes into a bit of detail on how palemoon does implement content sandboxing: https://forum.palemoon.org/viewtopic.php?f=5&t=6660&hilit=multiprocess+e10s

I do not know anything about audio stream isolation. I do know that alsa support was briefly disabled and then re-enabled a few years ago, not that that is a meaningful answer to you in any way: https://github.com/MoonchildProductions/moebius/issues/115

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> Here is where you were discussing multiprocess sandboxing - it did not have to do with audio streams: https://trisquel.info/en/forum/brave-web-browser#comment-149146

> I do not know anything about audio stream isolation. I do know that alsa support was briefly disabled and then re-enabled a few years ago, not that that is a meaningful answer to you in any way: https://github.com/MoonchildProductions/moebius/issues/115

Sorry, I think I was thinking of a different discussion about Iceweasel-UXP, which only supports ALSA. Firefox (and presumably Palemoon) has always supported both Pulseaudio and ALSA, though ALSA support is hidden behind a build-time configuration flag.

> Here is a forum thread in which moonchild discusses the reasons not to implement firefox's "e10s/Electrolysis" multiprocess setup for browser tabs, and goes into a bit of detail on how palemoon does implement content sandboxing: https://forum.palemoon.org/viewtopic.php?f=5&t=6660&hilit=multiprocess+e10s

Ugh, ok I'm two pages in. Moonchild did mention content sandboxing in passing. Does he go into detail later on, or is the rest of it more circular discussions, tangential Google/Mozilla rants, and Moonchild not answering people's questions (in other words, a typical Palemoon forum thread, except that so far Tobin is acting civil, and no Firefox-fanboys have shown up to repeatedly re-ask the questions Moonchild actually has answered)?

andyprough
Offline
Joined: 02/12/2015

> or is the rest of it more circular discussions, tangential Google/Mozilla rants, and Moonchild not answering people's questions (in other words, a typical Palemoon forum thread, except that so far Tobin is acting civil, and no Firefox-fanboys have shown up to repeatedly re-ask the questions Moonchild actually has answered)?

Hahaha, as I said, there are many things I am not a big fan of. Sounds like you and I are on the same page. In this blog post moonchild goes into about his deepest level of detail that I've seen on the subject of sandboxing, which isn't much: https://forum.palemoon.org/viewtopic.php?f=65&t=22399&p=169753&hilit=sandboxing#p169753

If you are willing to withstand the slings and arrows from Tobin and moonchild, you could always pop into the forum and throw out a question. The worst they could do is scream and howl like you stole their puppy, and you might actually get an answer.

Save Nature
Offline
Joined: 07/19/2020

I wish people would just not use anything that's based on chromium
which mainly contributes to Google's dominance of the web. One would
think that, people in the free software and "open-source" community at
least would understand these threats and stop using chromium based
browsers. But I see people (in the fediverse) where they are not going to
give up using it. Some of them even use proprietary garbage like
Vivaldi because it has nice UI.

Even if someone creates an alternative web standard, to make it
mainstream people have to use it. And I doubt anyone would care except
people who are more tech savvy or care about privacy.

The reason Chrome/Chromium has become mainstream is because Google
pre-installed it in their Android. So in case of an alternative
protocol, Google can simply not configure Chromium/chrome to show
those website using those protocols (gopher, gemini etc.) and people
wouldn't complain or find out about them. And important websites
wouldn't use them either cause nobody can see them (e.g., Nowadays we
see websites say it only works with chrome).

The only solution I see is mass awareness campaigns, educating people
about these problems and Govt. step in especially the US Govt.

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

I've thought of a name for what is troubling me about the direction that the web is going: "Software as a Document Substitute". Whereas Service as a Software Substitute[1] takes jobs normally done by software and instead uses a service, SaaDS takes jobs normally done by documents and instead uses software, and like SaaSS it shifts power away from the user.

The web used to be primarily a way to distribute documents. It was the browser's job to render those documents. Some websites still work this way, but many web pages cannot actually be rendered by the browser. Instead the website provides software written in JavaScript or WebAssembly which takes on the role of rendering the software. The browser is demoted to a shim that runs the real browser, distributed by the website owner. Privacy-wise it still makes a difference which browser you choose, since most of them also contain spyware, but the user's overall experience of browsing the web is shaped more by web developers than by browser developers.

The FSF has sort of recognized this problem,[2] but I feel they are overly focused on the license of this software, rather than that shift in power that results from software replacing a document. onpon4, a former member of this community, has an article[3] that I think addresses the scope problem more thoroughly. A free license does not allow you to do much in the way of modifying them for your own benefit, unless you are willing to do this for every website you visit, which is not an effort that scales. There are some projects that have improved the experience of browsing the web to some degree, but not in ways that would be facilitated by free JS licenses. Instead, they have worked by either writing alternative document viewers (Invidious, Bibliogram, Nitter) or by blocking requests to certain domains (uBlock Origin).

Unfortunately, the only large-scale effort to go in another direction to achieve great adoption has been by Google. Although in general SaaDS benefits Google, in that it has effectively provided their browser with an ecosystem of "apps" capable of competing with desktop platforms, but for news sites the inefficiency of downloading a new copy of the document viewer for each article made them load slowly on mobile browsers, so news publishers began publishing standalone browsers for their own sites as mobile apps, bypassing Google's browser, search engine, and news aggregator. In order to "save the web" as they describe it, or to save themselves from getting cut out of the ad revenue generated from eyeballs reading news stories, they pushed a new subset of web standards for news publishers called AMP,[4] which many major news publishers have now adopted.

Save Nature wrote:
> Even if someone creates an alternative web standard, to make it
> mainstream people have to use it. And I doubt anyone would care except
> people who are more tech savvy or care about privacy.

In order for people to adopt it, there needs to be a benefit for users and a benefit for websites. The reason AMP was successful is that it benefitted users in the form of faster page loads and benefitted publishers in the form of rewarding those who adopted AMP with higher priority in Google's search results. Unfortunately, we don't have Google's monopoly power, so we have to be more creative. I have some ideas about this, but am still organizing my thoughts.

> The only solution I see is mass awareness campaigns, educating people
> about these problems and Govt. step in especially the US Govt.

It would be great if the US govt were to do something positive along these lines. Unfortunately, this is not really on their radar, and Google has more influence over the US govt than we do right now, so this would be tough, but I would support any efforts to try. I don't have a ton of faith in the US govt, especially in this administration, but when it comes to potentially regulating tech monopolies I have *slightly* more hope for congress than usual, in light of the recent tech antitrust hearings.

[1] https://www.gnu.org/philosophy/who-does-that-server-really-serve.en.html

[2] https://www.gnu.org/philosophy/javascript-trap.html

[3] https://onpon4.github.io/articles/kill-js.html

[4] https://amp.dev/

koszkonutek
Offline
Joined: 03/19/2020

Wow, I haven't been looking into the forum for a week and then I came to see this 35-post-long thread...

And you know what? One can learn a lot of interesting things by reading your posts.

Still, I am surprised nobody wants to just start fixing the websites as I described in this[1] thread (and I'm ready to defend what I wrote there) and see how this works out.

What I'm recently getting worried about is that, with current advancements in machine learning, all captchas might soon get broken. While many captchas were bad in that they required nonfree js, the obvious alternative way megacorps could stop bots would be through authenticating/identifying each user/device, which is just terrifying. Actually, we've been able to observe that approach for the last few years - users connecting through tor are getting more captchas, while users logged in to Gaggle accounts are never getting them. What if this intensifies and in a few years anonymous users get completely and officially blocked from accessing websites using Gaggle's "protection"?

Btw, I've just stumbled upon GNUnet[2] while reading the forum. I'm not sure how stable it is (I'm losing faith in p2p networks, especially since trying to use Jami this year). Still, I think it's worth observing.

[1] https://trisquel.info/en/forum/software-freedom-movement-challenge-javascript-trap
[2] https://gnunet.org/en/about.html

eagle
Offline
Joined: 11/29/2020

This is an amazing thread indeed.
I failed, however, to install Palemoon and, while searching for alternative browsers to use along with Abrowser to achieve more security by means of compartmentalization, came across:
https://digdeeper.neocities.org/ghost/browsers.html#palemoon
It ends with:
"Pale Moon is still the only decent way to browse the modern web that's actually relevant - but it's slowly rotting from the inside. Firefox is dying and will soon bring down all its forks alongside itself, surrendering the Web to Google whose abomination of a browser is just as worthless. Promising projects such as Otter Browser or suckless surf suffer from small dev teams, no / low addon support and are still dependent on Google's engine. The only reasonable choice is Pale Moon until Web Browser gets more support."

Apart from Abrowser, what are currently any reasonable browsers that can be downloaded in a simple manner (either with a few clicks or a set of clear and complete commands in the terminal)?
The Tor Browser is perhaps fine, although I myself had no idea how to extract the .tar.xz file during the installation; it might be assumed that all linux users are familiar with such technical issues.
What about Midori?

Magic Banana

I am a member!

Offline
Joined: 07/24/2010

In 2019, the Midori project merged with the Astian Foundation. It has been revamped entirely, switching from WebKit2GTK to using Electron.
https://en.wikipedia.org/wiki/Midori_(web_browser)

eagle
Offline
Joined: 11/29/2020

I was not aware that Trisquel Mini has Midori as its browser.
As long as that is the case, I will assume (lacking the relevant knowledge) it's relatively fine.

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> I was not aware that Trisquel Mini has Midori as its browser.

This will probably change in the future, if Magic Banana is correct that Midori now uses Electron.

> As long as that is the case, I will assume (lacking the relevant knowledge) it's relatively fine.

That is not a safe assumption.

eagle
Offline
Joined: 11/29/2020

Right ;)
But at least Trisquel Mini 9.0 will still use the old Midori, I assume.
What about the Eolie browser?

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> switching from WebKit2GTK to using Electron

Making it yet another browser to succumb to the Google monoculture.

andyprough
Offline
Joined: 02/12/2015

Brave now has "Strict" fingerprint blocking that seems to block nearly any attempt to fingerprint based on my testing.

Very interesting...

lutes
Offline
Joined: 09/04/2020

Thanks Andy, let's discuss Brave.

andyprough
Offline
Joined: 02/12/2015

Well, I've been looking for the holy grail of fingerprintless browsing, and up until now I had to make about a quadrillion changes to firefox to get anywhere close to what I was trying. And now, with the flick of a single switch on its settings page, Brave is running circles around my best attempts. It is very intriguing.

Also, on the subject of web browsers, I noticed that LibreWolf is back in business. I really liked using LibreWolf last year on the Arch-based distro I was using at the time, but the project went many months without releasing a decent build. Good to see them back in the action, we could really use another browser whose primary goal is to be completely libre and non-invasive.

lutes
Offline
Joined: 09/04/2020

> we could really use another browser whose primary goal is to be completely libre and non-invasive.

Indeed. I was wondering, are LibreWolf and Brave still dependent on the code base of Firefox and Chromium, respectively?

andyprough
Offline
Joined: 02/12/2015

> I was wondering, are LibreWolf and Brave still dependent on the code base of Firefox and Chromium, respectively?

Oh yes. The only truly independent code base that actually works as a real browser for the modern web right now that I'm aware of is palemoon. Some other posters will probably scream and holler claiming that it's still dependent on firefox code, but that just isn't true. Mozilla could run out of other-people's-money tomorrow and fire everyone and give their C-suite executives megamillion dollar golden parachutes and put out their final release and palemoon would just keep marching on.

lutes
Offline
Joined: 09/04/2020

> palemoon

I was indeed looking in that direction. To quote the preceding discussion:

>> It's interesting to see how the lead dev moonchild describes the situation. For some years the two projects ran fairly parallel, but since Firefox went to quantum there's been a growing difference in their code base.

> I'm sure that's true, but Moonchild still relies on many commits from Mozilla. If Mozilla stopped maintaining Firefox, Palemoon and Basilisk might survive, but there are only 24 hours in a day and the time Moonchild would spend maintaining Firefox code would take away from the work he'd normally put that time toward.

If I read this properly, there is still debate on the actual size of the task, but a couple of extra people on the project would indeed be enough for it to be sustainable without

chaosmonk

I am a member!

I am a translator!

Offline
Joined: 07/07/2017

> I'm sure that's true, but Moonchild still relies on many commits from Mozilla. If Mozilla stopped maintaining Firefox, Palemoon and Basilisk might survive, but there are only 24 hours in a day and the time Moonchild would spend maintaining Firefox code would take away from the work he'd normally put that time toward.

I think I wrote this, and I seem to have been mistaken. It looks like the number of commits backported from Firefox has slowed a great deal, to a point where I think that Firefox disappearing would not impact Palemoon much, at least in the short term. I am a little skeptical that a small team can really be keeping a codebase that size secure without upstream maintenance, but Palemoon is such an unpopular browser that I doubt many attackers are looking for exploits specific to Palemoon. If Palemoon ever becomes popular, the number of contributors and useful bug reports would likely increase in parallel with the number of attackers. As web standards evolve, fewer and fewer websites will work with browser engines that do not keep up with WebEngine's feature set. However, Palemoon already does not keep up by choice, even when features are available in Firefox and could be backported. For example WebRTC is unsupported due to valid security concerns, which means that sites like Jitsi Meet won't work, and Palemoon's niche of users do not seem to mind. Traditional web pages should always work.

lutes
Offline
Joined: 09/04/2020

> I think I wrote this

Indeed.

> I seem to have been mistaken.

Indeed. I am now totally depressed. You also wrote something about forking the web and cited Gemini as an example of what direction it could take. I have no idea what amount of resources that would take but that seems to be the only path still open.

eagle
Offline
Joined: 11/29/2020

Librewolf is not (yet) in that more fortunate position:
https://digdeeper.neocities.org/ghost/browsers.html#librewolf
This guy does not appreciate Brave, and calls it the "Slave Browser".
Btw I just downloaded it and deleted it soon after, since after placing it at the panel or bar next to the Abrowser icon, clicking on the latter would lead to Brave; also, after removing it from the bar, it had to be "purged", so I also assume that Brave is evil, not only because it came with google (with its disinformation motto “don’t be evil”) search.

andyprough
Offline
Joined: 02/12/2015

Last I checked, the digdeeper guy liked palemoon the best, which I agreed with him on.

lutes
Offline
Joined: 09/04/2020

Now the same guy is putting it last, alone in an ad hoc "fallen angels" category.

While hosting pandemic denial garbage on his index page. This will never end.

EDIT: removed potentially ambiguous formulation

eagle
Offline
Joined: 11/29/2020

It is not just a hoax => denial garbage at all.
"Denial"!? Who the heck can claim the truth?!
The authorities, I assume.
You likely refer to:
https://digdeeper.neocities.org/ghost/corona.html#reset
This guy is a hero with a bright and open mind, and doing fantastic, unselfish and extremely useful work.
Btw, the link to the WEF-page "Welcome to 2030. I own nothing, have no privacy, and life has never been better" is no more accurate, the text has been changed since it did not sell well.
These technocrats will not stop on their own to steal all and everything.
Anyway, we can agree to disagree, on some topics or issues while agreeing on others, or remaining in doubt, which is usually the most sensible thing to do.

He calls Palemoon the "Fallen Hero".
He sounds simply realistic from his perspective, although Abrowser is forgotten here:
"Pale Moon is still the only decent way to browse the modern web that's actually relevant - but it's slowly rotting from the inside. Firefox is dying and will soon bring down all its forks alongside itself, surrendering the Web to Google whose abomination of a browser is just as worthless. Promising projects such as Otter Browser or suckless surf suffer from small dev teams, no / low addon support and are still dependent on Google's engine. The only reasonable choice is Pale Moon until Web Browser gets more support."