
What happens when you launch Google Chrome for the first time? - ingve
https://twitter.com/jonathansampson/status/1165493206441779200
======
jonathansampson
Google Chrome
[https://twitter.com/jonathansampson/status/11654932064417792...](https://twitter.com/jonathansampson/status/1165493206441779200)

Microsoft Edge (Chromium) Beta
[https://twitter.com/jonathansampson/status/11661386925090652...](https://twitter.com/jonathansampson/status/1166138692509065218)

Opera
[https://twitter.com/jonathansampson/status/11653532133081292...](https://twitter.com/jonathansampson/status/1165353213308129281)

Vivaldi (Same thread as Opera)
[https://twitter.com/jonathansampson/status/11653581559220592...](https://twitter.com/jonathansampson/status/1165358155922059266)

Dissenter
[https://twitter.com/jonathansampson/status/11653770639326371...](https://twitter.com/jonathansampson/status/1165377063932637184)

Brave
[https://twitter.com/jonathansampson/status/11653912119995187...](https://twitter.com/jonathansampson/status/1165391211999518720)

Mozilla Firefox
[https://twitter.com/jonathansampson/status/11658588961766604...](https://twitter.com/jonathansampson/status/1165858896176660480)

Cheers!

~~~
lysp
And to read the above a bit easier:

Google Chrome
[https://threadreaderapp.com/jonathansampson/status/116549320...](https://threadreaderapp.com/jonathansampson/status/1165493206441779200)

Microsoft Edge (Chromium) Beta
[https://threadreaderapp.com/jonathansampson/status/116613869...](https://threadreaderapp.com/jonathansampson/status/1166138692509065218)

Opera
[https://threadreaderapp.com/jonathansampson/status/116535321...](https://threadreaderapp.com/jonathansampson/status/1165353213308129281)

Vivaldi (Same thread as Opera)
[https://threadreaderapp.com/jonathansampson/status/116535815...](https://threadreaderapp.com/jonathansampson/status/1165358155922059266)

Dissenter
[https://threadreaderapp.com/jonathansampson/status/116537706...](https://threadreaderapp.com/jonathansampson/status/1165377063932637184)

Brave
[https://threadreaderapp.com/jonathansampson/status/116539121...](https://threadreaderapp.com/jonathansampson/status/1165391211999518720)

Mozilla Firefox
[https://threadreaderapp.com/jonathansampson/status/116585889...](https://threadreaderapp.com/jonathansampson/status/1165858896176660480)

~~~
atoav
“We value your privacy”

Always a good sign that they don’t.

~~~
TeMPOraL
Oh, but they do. The same way a group of muggers does when they stop you in a
dark alley and say, "we value your money".

(Hell, they'll likely offer you an option to consent or proceed without
consent to receive reduced experience.)

~~~
sorokod
That's a nice analogy, can extend it a bit by offering a "reduced experience
due to broken limbs"

------
Quai
Did you know that every Opera install on Windows and Mac using the
net-installer gets a uniquely modified exe or zip file with information about
the download so that Opera can track where/why a browser was downloaded?

On Windows they modify the PE header of the exe and add extra information to
a certificate table at the end of the file, without affecting the signature of
the file. (The last 4 bytes of the file give the size of the payload, giving
you the offset to start reading a string that starts with OPR followed by a
base64-encoded string, which contains a checksum and a JSON object. The JSON
object contains country of origin, http_referrer of the download, a timestamp,
UTM parameters seen on the referrer, the user agent and a uuid assigned to the
download. This uuid is kept for the lifetime of the browser install.)

On Mac, the process is a bit different, but there they use AppleDouble
(._ meta files) to modify the zip file on the fly while downloading, including
the same type of data.
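
The trailer layout Quai describes, as an added example (not Opera's code and
not from the thread): it builds and parses the `OPR` + base64 payload that sits
just before the final 4-byte length. Everything the comment does not pin down
is an assumption here: the length field is treated as little-endian, the
checksum as a 4-byte big-endian CRC32 over the JSON, and the JSON field names
(`country`, `http_referrer`, `timestamp`, `utm`, `user_agent`, `uuid`) are
illustrative. The real payload lives inside the PE attribute certificate table,
which is why it does not disturb the Authenticode signature; this example only
handles the byte layout at the tail of the file and does not parse PE headers.

```python
import base64
import json
import struct
import zlib

MAGIC = b"OPR"  # marker that opens the tracking payload (from the thread)


def _checksum(body: bytes) -> bytes:
    # Assumption: the checksum is a 4-byte big-endian CRC32 over the JSON bytes.
    return struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def build_trailer(meta: dict) -> bytes:
    """MAGIC + base64(checksum + JSON), followed by a 4-byte length.

    The length covers only the MAGIC+base64 part, so a reader seeks to
    len(file) - 4 - length and expects to land on 'OPR'.
    """
    body = json.dumps(meta, sort_keys=True, separators=(",", ":")).encode()
    payload = MAGIC + base64.b64encode(_checksum(body) + body)
    # Assumption: the length field is little-endian, as PE structures are.
    return payload + struct.pack("<I", len(payload))


def tag_installer(installer: bytes, meta: dict) -> bytes:
    """Append a per-download trailer to an installer image."""
    return installer + build_trailer(meta)


def parse_trailer(data: bytes):
    """Recover the JSON object from a tagged file.

    Returns None when the file carries no trailer and raises ValueError when
    a trailer is present but corrupt (bad base64, short, or checksum mismatch),
    so a caller can tell "untagged" apart from "tampered".
    """
    if len(data) < 4 + len(MAGIC):
        return None
    (size,) = struct.unpack("<I", data[-4:])
    if size < len(MAGIC) or size + 4 > len(data):
        return None  # length field does not point inside the file: no trailer
    payload = data[-4 - size:-4]
    if not payload.startswith(MAGIC):
        return None
    try:
        raw = base64.b64decode(payload[len(MAGIC):], validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("trailer is not valid base64") from exc
    if len(raw) < 4:
        raise ValueError("trailer too short to hold a checksum")
    checksum, body = raw[:4], raw[4:]
    if checksum != _checksum(body):
        raise ValueError("trailer checksum mismatch")
    return json.loads(body)


# Constructed sample; the field names are assumptions, not Opera's schema.
SAMPLE_META = {
    "country": "NO",
    "http_referrer": "https://example.com/landing?utm_source=newsletter",
    "timestamp": 1566648000,
    "utm": {"utm_source": "newsletter"},
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "uuid": "8b2f9c1e-0d4a-4c7b-9a3e-2f6d1c5b7a90",
}
FAKE_INSTALLER = b"MZ" + b"\x90" * 62  # stands in for the signed PE image


def demo():
    """Tag a fake installer and read the tag back; the untagged image gives None."""
    tagged = tag_installer(FAKE_INSTALLER, SAMPLE_META)
    return parse_trailer(tagged), parse_trailer(FAKE_INSTALLER)


if __name__ == "__main__":
    print(demo()[0])
```

The distinction between `None` and `ValueError` is deliberate: a file whose
last four bytes happen to form a plausible length is only treated as tagged if
the bytes at that offset really start with `OPR`, and a tag that fails its
checksum is reported rather than silently ignored, since a modified trailer is
exactly what a downloader would want to notice.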

~~~
gnud
Everyone knows (or should know) Opera is adware/malware now, after the
ownership changed.

If you liked Opera, try Vivaldi. It's made by some ex-Opera people and reminds
me of good old Opera 6.

~~~
Quai
This was implemented way before Opera changed ownership, and as far as I can
see from the outside, not much has changed in this code. The main difference I
see, is that they have removed the source IP from the JSON.

So, if any, they are tracking less data in that data blob after they changed
ownership.

(I worked on this feature at Opera back in the days)

~~~
danbruc
What was this information used for?

~~~
Quai
Statistics. We wanted to know how different campaigns worked, how the user
retention from different partners was, and also benchmark how well the
autoupdate system worked. While I worked for Opera this was strictly for
internal use, and a very limited set of people had access to logs and raw
data.

------
tannhaeuser
A reality check to those who want to push apps and more workloads into the
browser (via WASM, PWAs/excessive JavaScript, or whatever), with the browser
becoming a gatekeeper. Not only is the browser a laughably complicated app
runtime that isn't capable of doing anything with local files (so you need
"services" to store, e.g., your photos), it's also blatantly power-inefficient
and a privacy catastrophe. Where has the idea of personal computing shared by
a whole generation gone?

~~~
TekMol

        a privacy catastrophe
    

Much less so than a native application.

Native applications can access the web in less restricted ways than websites.

Native applications have more access to your local machine than websites.

Websites for the win!

What we need is a user friendly browser.

~~~
taneq
No, what we need is a proper permissions model for desktop applications. The
idea of permissions being per-user is almost useless in this day and age where
most desktop machines have one user (or a small number of users sharing files)
and where most applications are downloaded from untrusted sources.

We need proper automatic sandboxing of native apps, restricting file, network
and resource access without prior permission from the user.

~~~
jasonvorhe
Like iOS then?

Oh, evil golden cages, right?

~~~
taneq
False dichotomy. A cage _restricting the rightful owner of a computer_ is not
the same as a cage _that the rightful owner can use to restrict untrusted
software_.

------
michaelanckaert
These are great write ups! Just a shame they are in the format of a twitter
“conversation”. The readability really sucks and don’t let me get started on
the UX :/

~~~
jonathansampson
I've noticed multiple people pinging twitter.com/threadreaderapp at the ends
of these threads. It rolls up the tweets into a more traditional single-page,
blog format.

~~~
worble
Sure, that helps... Or they could've just written it in a sane format to begin
with, and linked to that on their Twitter.

~~~
CathedralBorrow
True, but what if that wouldn't have reached as many people and we wouldn't be
having this conversation?

~~~
liability
Huh? Loads of links on HN are not to twitter. Most of them in fact. I don't
see how twitter is a prerequisite for us having the opportunity to discuss
something here.

The reason people post stuff to twitter is because they have an addiction to
the gamification of social media like/share statistics.

~~~
CathedralBorrow
Did you sincerely think that the crux of my message was that Twitter links are
a prerequisite for having the opportunity to discuss something here?

~~~
liability
Well, you did suggest that this discussion would go unhad were it not for
Twitter, so yes?

~~~
CathedralBorrow
Thanks. In that case I don't think it's worth carrying on more discussion,
given that you are interpreting something entirely different from what I
meant.

------
jeffk_teh_haxor
Author is a developer on Brave.

~~~
craftyguy
Yeah, the difference in his analysis of Brave is really different:
[https://mobile.twitter.com/jonathansampson/status/1165391211...](https://mobile.twitter.com/jonathansampson/status/1165391211999518720)

Sure, all requests are now sent to one location, including (!!) extension
(Tor, HTTPS Everywhere, etc.) downloads used by Brave. What about the
possibility of the Brave folks modifying those extensions to suit their needs?
If I need to trust Tor, I'm going to download Tor from the appropriate
location, not from Brave. Based on the language he used reviewing other
browsers, I suspect that if that behavior were seen on anything other than
Brave the prognosis would be different.

~~~
jonathansampson
I don't hide the fact that I work for Brave; I mention it in numerous threads
and responses. What do you feel I handled differently on account of my
association with Brave? Will gladly correct any mistakes.

To your question, Brave couldn't get away with modifying extensions on the
fly. This would cause integrity checks on the client to fail. Not to mention,
the code to do this would have to land in our public repos on GitHub, where we
would quickly be tarred and feathered.

If you're capable of running the Tor browser, we encourage you to do so. Brave
isn't as good as the Tor browser if you're smart enough to use the latter. That
said, if you need a browser that can also make non-Tor connections, etc., then
Brave is probably more ideal.

~~~
abdullahkhalids
> Not to mention, the code to do this would have to land in our public repos
> on GitHub, where we would quickly be tarred and feathered.

What is the status of reproducible builds for the Brave browser?

~~~
jonathansampson
Please clarify if I'm missing your point, but you can build Brave today. See
github.com/brave/brave-browser. Let me know if you run into any issues.

~~~
cnst
I don't see any mentions of reproducible builds over there.

If you're not familiar with what reproducible builds are, I suggest you examine
the following article:

* [https://brendaneich.com/2014/01/trust-but-verify/](https://brendaneich.com/2014/01/trust-but-verify/)

Mozilla, however, is different, in that all builds are posted to
ftp.mozilla.org, in a versioned manner, and kept there for a while, which, at
least in theory, makes it easier to verify or analyse the builds.

What is the situation with Brave? Can I download a version released a few
months ago? As it is, the browser is not only not really versioned (at least
in the binary form), but there's not even a way to disable it from
automatically updating itself. Self-modifying code, where the user has no
control over the channel under which the modifications are pushed, is
inherently insecure from the reproducibility's perspective.

~~~
jonathansampson
You can get older (and many incremental) builds from
[https://github.com/brave/brave-browser/tags](https://github.com/brave/brave-browser/tags).
Hope this helps! There is desire within the team for reproducible builds, and
I'll see to it that these coals are stoked. Our intent is to be as open,
transparent, and accountable as we can be. Brave's mentality is "Can't be
evil", as opposed to "Don't be evil." Thank you for the feedback!

~~~
cnst
Those are Git tags; they have nothing to do with reproducible builds, because
you're not providing the executable binaries that are the ones being
distributed. It's a huge downgrade in terms of reproducibility of builds
compared to Firefox. (It works for Google with Google Chrome because they have
an entirely different business model where the whole thing is a walled-garden
by design.)

~~~
jonathansampson
Yes, I know those are Git tags. Click on them to find associated binaries. For
instance,
[https://github.com/brave/brave-browser/releases/tag/v0.71.44](https://github.com/brave/brave-browser/releases/tag/v0.71.44).
Not all tags have binaries, but most do. Those that reach a build channel
always do.

~~~
cnst
What a mess, seriously! What is the retention policy? How far into the past
are the binaries stored?

------
rurounijones
From the related Firefox post:

"The tab discussing the importance of Privacy loads in the background,
bringing along with it the Google Tag Manager and Google Analytics. Hello,
Google."

The irony is palpable

~~~
diffeomorphism
The irony is that nobody bothers to look at things past their face value but
then claims to care.

Mozilla has a custom contract protecting your privacy while using google's
software:
[https://bugzilla.mozilla.org/show_bug.cgi?id=697436#c14](https://bugzilla.mozilla.org/show_bug.cgi?id=697436#c14)

~~~
TeMPOraL
Honestly, for the amount of flak they still get because of it, they really
should've dropped GA by now and written their own analytics backend. If they're
serious about valuing privacy and preventing tracking, that custom backend
wouldn't need to be complicated.

~~~
cameronbrown
Does it matter if they get flak for it if their contract does actually protect
privacy? Or is privacy only for marketing and not an actual principle they
care about?

Writing an analytics backend is not a trivial thing, and more stuff like that
means less resources for Firefox development. It's far more sensible to do
what they did, which was negotiate a contract with those who know what they're
doing.

~~~
TeMPOraL
From the point of view of their principles, the contract with Google is fine
as long as it protects privacy. Some people will always be quick to jump to
conclusions, but there's a _practical_ problem when such people form a good
chunk of your market (and can amplify their outrage via media).

It's a practical problem. On the one hand, you have people turned off by the
_perception_ of Mozilla betraying its principles. On the other hand, you have
resources to be directed to substitute the analytics backend. The right thing
to do would be to pick an option that maximizes the amount of resources
available for Firefox development/Mozilla's mission.

My impression is that building and maintaining an analytics backend consistent
with their mission would not require _that_ many resources, so the balance
would fall in favor of doing it. But maybe (probably?) I'm wrong about this,
and it's better to stick with Google for now.

~~~
BurnGpuBurn
From the point of view of their principles, the contract with Google is fine
as long as it is honored by Google. Hard to check that though, because you
never know what Google really does with that data. Google also doesn't have a
very good track record with privacy. So, yeah, the contract is fine, but
there's also so much wrong with it. Who trusts it? Mozilla? They seem to. Their
target demographic? The people who are smart enough to understand that you can
switch your browser, and who don't choose Chrome but Firefox? Those people,
not so much.

------
ToFab123
It was unexpected for me that Firefox is calling Google. It surprises me and
disappoints me that EdgeChrome is calling Google too. I was hoping for a
Google-free experience with EdgeChrome. That EdgeChrome is calling Facebook
leaves me speechless.

~~~
AsyncAwait
Mozilla has a custom agreement with Google not to sell your data, for what
that's worth.

~~~
BurnGpuBurn
If you trust Google honoring that agreement, for what it's worth.

~~~
snazz
It’s a contract. They’d be in pretty hot water pretty fast if they didn’t
honor it, especially in the EU.

~~~
liability
> _They’d be in pretty hot water pretty fast if they didn’t honor it,_

Only if they got caught, and only if the person who caught them saw fit to
make waves about it and let other people know. And even then they could likely
worm their way out of any real trouble by apologizing and pleading that it was
accidental (because the sycophants would likely eat that shit up.)

Corporations break contracts every damn day. There is no way for me to even
hope to verify that Google isn't breaking their contract in this case. You and
others in this thread expect me to trust Google and trust that the threat of a
contract breach lawsuit will keep them compliant, but there is no reason that
I should. They don't deserve the benefit of my doubt. They lost that a long
time ago.

------
naiveai
While this is all somewhat interesting, I'm not sure what the point here is -
all of these things seem to be reasonable things to do?

~~~
tannhaeuser
You call FF displaying pro-privacy promotionals while connecting to GA and
Google Tag Manager reasonable?

~~~
piotrkubisa
Heads up, Mozilla is on the way to being a notorious Google services/Google
Cloud user [0]. Recently they started adopting Google Spanner in the
Firefox Sync related backend services, while in others they adopted Google
Pub/Sub. The use of GA and GTM might seem like hypocrisy, but my guess is that
Mozillians don't have enough workforce and/or assets to control infrastructure
to roll their own analytics platform.

[0]: [https://github.com/search?q=org%3Amozilla-services+google&ty...](https://github.com/search?q=org%3Amozilla-services+google&type=Commits)

~~~
tannhaeuser
> _Mozillians don't have enough workforce and/or assets to control
> infrastructure to roll their own analytics platform_

That's hardly an excuse when you want to differentiate on privacy, is it?

~~~
AsyncAwait
Worth noting that Mozilla does have a special contract with Google, which they
say preserves privacy.

~~~
tannhaeuser
Yet still I think we should point it out. Mozilla can't have their cake, and
eat it, too.

------
DINKDINK
A Chrome fork w/o Google, "Google Chromium, sans integration with Google":
[https://github.com/Eloston/ungoogled-chromium](https://github.com/Eloston/ungoogled-chromium)

The caveat with this software is that it doesn't really have good automatic
update support so there's a high user spend on managing security.

~~~
3JPLW
An auto-updating browser is essential to me. For nearly all other software I
abhor automatic updates, but for something as vulnerable as a browser it's
absolutely crucial.

~~~
wil421
"Firefox or Chrome has been updated" is a much better experience than "your
Brother printer software has updates" every time I open my computer.

I just updated the printer! Nope, it's the update checker that needs
updating, ok. Nope, still not up to date, now the installer needs updating.

------
stesch
I've been programming since the 1980s. This feels very, very strange to me. I
wouldn't want to rely on so many moving parts even after the whole software
got installed.

They have a totally different philosophy than us old folks.

------
tinus_hn
> r3---sn-8xgp1vo-5uae.gvt1.com

It is not the same but it looks like the punycode used in internationalized
domain names.

~~~
jonathansampson
More information on these:
[https://github.com/lennylxx/ipv6-hosts/wiki/sn-domains](https://github.com/lennylxx/ipv6-hosts/wiki/sn-domains)

------
saagarjha
One thing I would be interested in is file system activity. When does Chrome
install its Keystone updater? What other files does it touch?

~~~
jonathansampson
I was thinking about this too. In fact, to do my review of Edge and Firefox, I
had to dig into the file-system to grok where/how profiles are persisted.
These are different than Chrome, Opera, Vivaldi, and Brave (which all share a
common Chromium ancestry). I am also curious (as a Windows user) how the
Registry is affected by each browser. That too is something I'd like to
investigate.

------
est
The first thing I do with a newly installed Chrome is to disable its auto
updater. I do not wish one day to find the feature I relied upon missing and
have to download and install another old version.

I especially like about:net-internals.

~~~
Eli_P
If you're running on Windows there's a group policy templates pack[1] for
tweaking updates for Google products. Copy it then run _gpedit.msc_ and
disable auto-updates.

[1]
[https://support.google.com/chrome/a/answer/6350036](https://support.google.com/chrome/a/answer/6350036)

~~~
est
Thanks. Normally I just brute-force set the folder permission to 000 so that
no matter how Chrome checks the update it can never be written to disk.

------
Stratoscope
I wonder if the binary download with language information is a protobuf? If
so, it should be easy to get a slightly better look at it with one of the
various online protobuf decoders, such as this one:

[https://protogen.marcgravell.com/decode](https://protogen.marcgravell.com/decode)

[https://twitter.com/jonathansampson/status/11654932308903403...](https://twitter.com/jonathansampson/status/1165493230890340355)
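
A schema-less decoder of the kind those online tools run, as an added example
(not from the thread and not Marc Gravell's code): it walks the protobuf wire
format (varint, 64-bit, length-delimited, 32-bit) and, for each
length-delimited field, guesses whether the bytes are a printable string, a
nested message or opaque bytes, which is the same guess `protoc --decode_raw`
has to make without a `.proto`. The sample message is constructed here;
nothing in it comes from Chrome's actual responses, whose field numbers and
layout the page does not show.

```python
import struct

WIRE_VARINT, WIRE_FIXED64, WIRE_LEN, WIRE_FIXED32 = 0, 1, 2, 5


def read_varint(buf: bytes, pos: int):
    """Decode a base-128 varint starting at buf[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def decode_message(buf: bytes):
    """Decode a message with no schema. Returns [(field_no, wire_type, value), ...]."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 0x07
        if field_no == 0:
            raise ValueError("field number 0 is invalid")
        if wire_type == WIRE_VARINT:
            value, pos = read_varint(buf, pos)
        elif wire_type == WIRE_FIXED64:
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            (value,) = struct.unpack_from("<Q", buf, pos)
            pos += 8
        elif wire_type == WIRE_LEN:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past the buffer")
            value = classify(buf[pos:pos + length])
            pos += length
        elif wire_type == WIRE_FIXED32:
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            (value,) = struct.unpack_from("<I", buf, pos)
            pos += 4
        else:
            # 3 and 4 are the deprecated start/end-group markers; 6 and 7 unused.
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_no, wire_type, value))
    return fields


def classify(chunk: bytes):
    """Guess what a length-delimited payload is.

    Strings, nested messages and raw bytes share one wire type, so this is a
    heuristic: printable UTF-8 wins, then anything that parses cleanly as a
    message, else raw bytes. An empty payload is reported as an empty string.
    """
    try:
        text = chunk.decode("utf-8")
        if text.isprintable():
            return ("string", text)
    except UnicodeDecodeError:
        pass
    if chunk:
        try:
            return ("message", decode_message(chunk))
        except ValueError:
            pass
    return ("bytes", chunk)


def render(fields, indent: int = 0) -> str:
    """Text dump in the spirit of protoc --decode_raw."""
    pad, lines = "  " * indent, []
    for field_no, wire_type, value in fields:
        if isinstance(value, tuple) and value[0] == "message":
            lines.append(f"{pad}{field_no} {{")
            lines.append(render(value[1], indent + 1))
            lines.append(f"{pad}}}")
        elif isinstance(value, tuple):
            lines.append(f"{pad}{field_no}: {value[1]!r}")
        else:
            lines.append(f"{pad}{field_no}: {value}  # wire type {wire_type}")
    return "\n".join(lines)


# Constructed sample message (hand-encoded; not captured from any browser).
SAMPLE = (
    b"\x08\x4d"                   # field 1, varint 77
    b"\x12\x05en-US"              # field 2, length-delimited "en-US"
    b"\x1a\x05\x08\x01\x12\x01x"  # field 3, nested message {1: 1, 2: "x"}
    b"\x25\xef\xbe\xad\xde"       # field 4, fixed32 0xdeadbeef
    b"\x28\xac\x02"               # field 5, varint 300
)

if __name__ == "__main__":
    print(render(decode_message(SAMPLE)))
```

The heuristic order matters: a short ASCII string such as `en-US` also parses
as a valid message (one fixed32 field), so checking for printable text first
avoids the misread, at the cost of mislabelling a nested message that happens
to consist entirely of printable bytes.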

~~~
jonathansampson
There are quite a few protobuf responses. Unfortunately, I wasn't able to get
Marc's service to work for me. I'd have to revisit it at a later time to peer
further into the bits.

------
bt848
Author doesn’t mention safe browsing data (a random projection of domains
believed to be serving malware). Does that mean the chrome binary comes with
the initial data in the package?

~~~
jonathansampson
I do mention SafeBrowsing data in other reviews; if it didn't come up in the
Chrome review, it may be the case that Chrome uses the Lookup API rather than
the Update API. I would have to dig a bit more to confirm this.

~~~
jonathansampson
I took another dip into Google last night. SafeBrowsing is hit, but it was hit
much later than in other browsers from what I could tell. I believe I had to
attempt navigation before it was called.

------
human20190310
When software on your machine starts doing things before you ask it to start
doing things, it calls into question who it's really working for.

------
panpanna
So how much of this is due to the default bad configuration?

I would like to see a variation of this test when you start with network
turned off, configure the browser to not use Google services, not open an
initial tab, remove all default extensions and turn off telemetry. Then turn
network back on.

I would also like to install ublock right from the start but that is a bit
harder without network.

------
ricardo81
The application IDs can likely be paired up with cookies later in your
browsing journey.

Their Safe Browsing API is (or was, 3 years ago anyway) also downloaded by
Firefox.

All it really takes is one unique piece of identifying information for a large
proportion of your browsing to be known to Google and attributed to one
entity (you).

------
rishav_sharan
Jonathan, based on your reviews so far, which browser is the best of the
bunch as far as shadiness is concerned, and which one is the very worst?

~~~
jonathansampson
I've shared this disclaimer elsewhere, but I work for Brave. That said, based
on an objective evaluation, I think Brave is the best. This conclusion is
drawn by the results themselves. Brave doesn't pass me around from third-party
to third-party, allowing cookies to collect on my session like barnacles.

As for "very worst," I'm sure there are far, far worse browsers out there.

------
cryptozeus
Chrome: 32 calls; Edge: 130+; Opera: 19; Firefox: 26.

------
iamzozo
While I checked this tweet it takes 69 requests. Also noticed, when my
computer turned off, it does 0 requests.

~~~
ajnin
> when my computer turned off, it does 0 requests

I wouldn't be so sure

------
tus88
Do the same for OSs. I recently put Win7 through ufw to see what it was
doing... lots of interesting calls. I allowed one app to get out to a specific
IP and when Windows saw it get a few return packets it went berserk trying to
get out to Windows Update etc.

~~~
jonathansampson
I was doing a bit of this unintentionally, while monitoring network activity.
It's intriguing to see which processes are calling out to which end points.

------
treerock
I tried opening Chromium on Linux yesterday (I use it sometimes for testing)
and it prompted me to log in. I had to hit Cancel four or five times before
being able to browse. Bizarre behaviour for a browser.

~~~
torgard
You also cannot log in on Google-owned websites, like YouTube, without signing
in in the browser itself.

I haven't figured out a way to do so, at least. You can use guest tabs, but
then you lose all of your customizations (extensions, bookmarks, etc.), so I
don't consider that a viable option.

ungoogled-chromium removes this, but the current builds fail on my machine for
some reason.

~~~
AsyncAwait
There's a toggle in settings called "Allow Chrome sign-in" under "Advanced",
only added after massive backlash.

------
volderette
So if I choose to import cookies to Brave (which is the default option on
first launch), I will have these preset cookies from other browsers as well?

~~~
jonathansampson
Brave wouldn't know if the cookies were collected during a Chrome first-run,
or explicit user navigation. They could also be picked up by redirect chains
during normal browsing.

To my knowledge, this type of knowledge would require updates to the
underlying cookie specification itself, where additional meta information
records the type of action responsible for setting the cookie (automatic vs
user-navigation). But then, I would assume, everybody storing cookies would do
so as 'user-navigation' to avoid getting cleaned out.

------
djsumdog
I'd be curious to see the same network dumps, but from the very early versions
of Chrome and Firefox 2 or 3 .. and maybe even IE6/7/8.

------
kritt
Shouldn't some of these requests be HPKP requests to get verified public keys
for SSL traffic?

~~~
LewisMCYoutube
Google Chrome has built-in public keys for Google's websites.

------
alibert
Author did the same for other popular browsers.

[https://twitter.com/jonathansampson/status/11660058135483965...](https://twitter.com/jonathansampson/status/1166005813548396549)

------
beardedman
Stopped using Firefox a while ago (recently). For a company so pro-privacy,
they sure do have no problems with pushing 3rd party advertising content
through their product.

~~~
Tepix
What are you using instead?

~~~
beardedman
Brave! Liking it so far.

------
Multrex
So Vivaldi or Brave? Pros and Cons?

~~~
jonathansampson
I work on Brave (stated numerous times elsewhere). That said, Vivaldi was one
of the better browsers I reviewed (as stated in that thread). I still think
Brave is doing the most here, though. I did find a place last night where
Brave failed to proxy a call, and reached out to my team this morning to work
towards resolving. In my sincere opinion (based on objective criteria), Brave
is the best browser to use.

------
mangatmodi
Microsoft Edge: Even with Chromium now, Microsoft gave us bigger reasons to
avoid it.

------
exabrial
Time for a serious anti-trust lawsuit.

~~~
jasonvorhe
Based on what grounds?

