Browser privacy

There has been some discussion on the Forum about on-line privacy, and which browsers and search engines might be better than others. The issue is more complicated than I was aware of but for the average user a simple solution is desirable.
I use a combination of Firefox (browser), DuckDuckGo (search engine) and Privacy Badger (tracking blocker). There has been some criticism of Firefox, with a more positive leaning towards Chrome & Chromium but I struggle to be convinced.
I contribute to the Electronic Frontier Foundation, a US charity that fights for online safety - mostly on US issues, as expected - but reporting on wider actions such as the GDPRs - an article at EFF is worth reading from which the following extract:

Other browsers, like Firefox and Safari, baked in privacy protections from third-party cookies in 2019 and 2020, respectively. Neither of those browsers has anything like (Google’s) Privacy Sandbox, which makes them better options if you’d prefer more privacy.

It’s worth reading the whole article to put that into context.

I would agree, however bear in mind that some of these large charities have their own agendas and don’t necessarily operate in the best interests of the average user. (and in some instances may be tempted to put their own interests first) i.e. always be prepared to add a few grains of salt.

I understand why people use Firefox and Safari, but there are other options. I quite like the look of this one;

For what some might say is the ultimate in privacy there is also the Tor browser;

Privacy aside (!) there are also the security and technical proficiency aspects of browser software. At the moment, as I understand it, there seem to be only two main browser engines that really “do the job”, these are webkit and blink. (or three if you include the Mozilla/Gecko option)

I guess the main reason for this is going to be cost, it takes a huge amount of money to develop and maintain browser engines and there’s no direct financial return for the developer.

Firefox is the distinct competitor, however they are also funded by Google (!) and from my perspective their technology always seems to be playing catchup. As far as I’m aware, all the big names (Apple Safari, Microsoft Edge, Google Chrome etc) use either Webkit or Blink.

I’ve moved to a point where I’ve accepted I have to use something blink based, it’s just a question of which blink based browser. At the moment, Chromium (as opposed to chrome) is provided on Linux as a snap, so it runs inside a Linux container and doesn’t contain Google’s additional “stuff”.

That said, I note that Tor uses the “Gecko” engine (which is the Mozilla/Firefox engine), but Mozilla seem to be running out of funds (as Google pay them less) so I worry about how long this will last.

If you look at the current global browser market and consider who can produce a browser;

I also wonder how many browsers will weather this;

Many thanks for your (as usual) very thorough reply.

The whole business seems to be very incestuous, with dubious funders of idealistic providers. For example, the Google → Firefox/Gecko → Tor link is well hidden from the Tor self-adulation, and if funding from the tech giants is reducing, coupled with the EU’s unthinking rules on open source development, then this is a worry for the future.

I have used Brave in the past, although it seems to have changed a lot in the last five years or so. Although I shall look again at Brave/Tor, I can’t actually tell during use what I am gaining in the way of privacy/security. At least the Privacy Badger FF add-on tells me what trackers it’s blocking and gives me instant control.

All very difficult.

Ok, so here’s a thought, is Privacy Badger an extension / plugin?

On Chrome, extensions seem (at least historically) to have access to all pages in terms of reading what’s in them and (potentially) modifying them. I find this concept horrifying, not least given issues in recent years with extensions being compromised.

As a result, the browser I’m typing in has exactly zero extensions installed. I’m not inclined to trust any third party with the ability to read / write web pages I’m looking at.

I keep a “second” browser into which I install the extensions I need for development purposes, but I’m extremely pedantic about what I do in each browser. I would never for example access online banking using a browser with a third party extension installed. (but then I’d never access online banking from a Windows box, and many people do, so maybe I’m in tin-foil hat land … but still … :wink: )

One of the reasons M$ Windows has persisted has been the concept of “safety in numbers”. Whether mis-placed or not, there is something to this concept. The more people use something, the more eyes there are on it, the more chance someone will spot a problem and get it fixed before it becomes a problem for you. I kinda feel this way about browsers, there are so many people using blink based browsers, issues become visible and get reported very quickly, so at least you know what you’re dealing with. Lesser browsers, fewer users, I do wonder how many issues go unreported …

Real example; about two years ago while testing software, I inadvertently found I was able to spoof a root certificate in a browser in such a way that I could present an SSL certificate that claimed to be literally anyone, and the browser happily verified the certificate and reported the underlying site as verified. Seemed to be a fairly critical issue which I duly reported, only to be told that this was an “edge case” that they couldn’t replicate, despite being supplied with an example. Now, I won’t quote the OS (it wasn’t Linux) or the Browser, but IMO if that was a mainstream browser on Linux, it would’ve been fixed posthaste.

There is probably a discussion to be had in terms of security vs privacy that maybe some of the larger privacy advocates are trying to avoid …

Yes; Privacy Badger is a FF Add-on provided by the Electronic Frontier Foundation (not sure of the difference between extension and plug-in).

I thought I was paranoid about privacy but having read your post it looks like I am positively relaxed in comparison.
I hadn’t considered the “safety in numbers” concept, and Chrome certainly fits that bill since, as you have demonstrated, FF has very little of the “market”.

It is certainly time for a Linux-style browser/search-engine written with the same ethos as Linux, but that’s a huge undertaking. Meanwhile, those of us with less understanding of what’s under the hood (like I) will just have to use what’s available in as safe and sensible a way as we can.

I think a brief post on the difference between security and privacy would be welcome, if you can spare the time - but aimed at the novice, if you would, and with diagrams if relevant as a picture paints a thousand words.

Keith
[EDIT] I see Brave describes itself as having “All the good of ad-blocking, incognito windows, private search, even VPN”. Built-in VPN?

The future of the Firefox browser could well be uncertain. In a recent article by Mozilla President Mark Surman called “Looking ahead at Mozilla’s next quarter century”, he wrote about four initiatives which were all AI projects. No mention of development of the Firefox web browser.

https://blog.mozilla.org/en/mozilla/mark-surman-mozilla-25-years/

What could be a replacement is the Ladybird web browser which sounds promising but has a very long road ahead of it (more developers required?).

https://awesomekling.github.io/Ladybird-a-new-cross-platform-browser-project/

Mmm, there is certainly a little catch-up required. I can’t help thinking tho’ that this sort of project is now way beyond individual developers. (not least because of the CRA)

Incidentally, the CRA link above, as it stands the CRA will be (IMO) the end of Open Source software development within the EU … which in itself will be quite a big thing. I know it sounds impossible and it’ll never happen, however it “looks” like it already has.

It’s going to be even worse if our government decides it’s going to adopt it to maintain trade alignment with the EU. I’m not sure that’s likely, but then I didn’t think the CRA going through was likely in the first place.

So, just when you thought it was safe to go back in the browser, or maybe just as you were getting comfortable with the idea of online banking - this happens.

It’s like there’s some un-elected idiot sat on a throne somewhere thinking “what can I break next?”. I guess it’s time to start researching my banks to see how tied to EU rules and regs they are.

Well, if it doesn’t just keep getting better. I noticed elsewhere some ads about “EU NS2 and what it means for your business”, figuring it was just more EU regulation I was happy to avoid, I was kind of ignoring it. My curiosity just got the better of me so I looked it up;

Looks like the adoption deadline is 17 October 2024, however it looks like it’s been in play since the beginning of this year.

Now, there seem to be a lot of good things in there within the context of billion dollar social media companies, but that same stuff could prevent small companies from functioning or getting off the ground unless they can afford a legal team.

BUT, the bit that really got my attention was a section relating to “non-EU entities”, without wanting to quote their text, essentially it says that any company offering services within the EU must comply with the directive or risk EU supported legal action … this would explain the background chatter I’m hearing about Open Source software needing to carry “not suitable for use in the EU” tag lines in addition to their license documents. Maybe I’m reading it incorrectly, if not we seem to be in a very sad place right now.

I fell asleep trying to read that document but found these links more understandable, if not as detailed: Link1, Link2.
I agree that there is a worry that small players with considerable potential for providing valuable services will be “priced” out of the market, and that useful advances might be stifled.

I see that Octopus Energy are sending out a pop-up feature that suggests to customers on their web site they “unplug for a few hours” if their battery is fully or nearly charged because “carbon emissions from electricity are currently high”. They can do this because they take a standard bit of data from your browser and contrast it with carbon intensity readings from the National Grid, which show how polluting the UK’s energy system is in real time.

Evidently it works with Google Chrome but not Firefox or Safari as they don’t send battery data out but it shows that everybody is watching us even if their intentions are good.

Mm, so I think the way this works is that when you visit their website, they use a standard browser API to read the level of your battery. If you run chrome and bring up the Javascript console in the web developer tools (Ctrl+Shift+I) and enter;

navigator.getBattery().then((battery) => {
    console.log(battery) 
})

You can see what they have access to. (it’s information your browser is making available to all visited websites). It “was” available in Firefox, but for some reason removed in release #52, although should also work in Edge and Opera.

I’m a little surprised actually, for some things the browser will prompt before allowing access (for location for example), however in this case it appears just to release the information. If you hit the padlock icon next to the URL and select site settings, then disable Javascript, it should prevent the disclosure of such information for the site you’re on … alternatively I’ve read somewhere that the Chrome privacyBadger extension blocks access to the battery API.

After measuring (or failing to) the draw on a battery charger when the battery is full, I can’t help thinking that Octopus would be better off spending their time trying to convince people to drink fewer hot drinks, or maybe cold drinks :upside_down_face:
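
An added example, not part of any post in this thread: it lists the fields a page can read through the `navigator.getBattery()` call discussed above and shows a shim that gives every caller the same neutral reading. The helper names (`summarize`, `neutralBattery`, `installShim`) and the `fakeNavigator` object are hypothetical, constructed here so the code also runs outside a browser.

```javascript
// Added example: fields a page can read from the Battery Status API, and a
// shim that hands every caller the same neutral reading instead.
const FIELDS = ["charging", "level", "chargingTime", "dischargingTime"];

// Copy only the readable fields out of a BatteryManager-like object.
function summarize(battery) {
  const out = {};
  for (const f of FIELDS) out[f] = battery[f];
  return out;
}

// Neutral reading: on mains and full, identical for every visitor.
function neutralBattery() {
  return {
    charging: true, level: 1, chargingTime: 0, dischargingTime: Infinity,
    addEventListener() {}, removeEventListener() {},
  };
}

// Report whether the API is exposed, then replace it with the neutral shim.
function installShim(nav) {
  const exposed = typeof nav.getBattery === "function";
  if (exposed) nav.getBattery = () => Promise.resolve(neutralBattery());
  return exposed;
}

// Constructed stand-in for navigator (sample values, not real readings).
const fakeNavigator = {
  getBattery: () => Promise.resolve({
    charging: false, level: 0.37, chargingTime: Infinity, dischargingTime: 5400,
  }),
};

// Read the battery state, install the shim, then read it again.
async function demo(nav) {
  const before = summarize(await nav.getBattery());
  const exposed = installShim(nav);
  const after = summarize(await nav.getBattery());
  return { exposed, before, after };
}

const hasApi = typeof navigator !== "undefined" && navigator.getBattery;
demo(hasApi ? navigator : fakeNavigator).then((r) => console.log(r));
```

Pasted into a page's console, the shim only affects scripts that call the API afterwards on that page, so it illustrates the idea rather than acting as a deployed protection.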