Chrome client “variations” can be used to identify you (2020) (zapek.com)
117 points by dmitryminkovsky on Dec 6, 2021 | hide | past | favorite | 77 comments



It's unfortunate that there doesn't seem to be a truly "neutral" browser anymore, if you count only the ones that can run the JS-required app-sites which are an increasing percentage of sites that people need to use. Big Tech has made it effectively impossible for other independent browsers by making the "standards" extremely complex and continuously churning them, since only they have the resources to effect such complexity and continuous change; they also popularise the new stuff and attempt to "infect" as many sites with it as they can, usually by way of frameworks. This constant churn of the ecosystem helps reinforce the monopoly. To them, simple static pages which can be viewed with browsers other than the ones they "support" are a threat.

https://anybrowser.org/campaign/


I don’t think that web standards were made too complex with such a long-term goal in mind. It was an organic growth from the deplorable state it was born in. Now web owners realize it of course, but our peer developers still insist on “enhancements” as if 30 years weren’t enough to fix or uproot all of the bs the web has. Bigcorps not only own the internet, they raised an entire generation which yells “amazing, awesome” at things that don’t even remotely deserve it. Who would have thought in the '90s that a program which shows downloaded text, pictures, videos and some simple controls would be impossible to create nowadays.

We were angry at different browsers and standards (formats, behaviors) at some point. Now this is fixed and only a chosen few control the entire “market”, doing whatever they want. Time to learn the lesson?


The problem a new browser would face is much simpler, but far harder to solve, than anything on the tech side - why would users switch to it? Neutrality is not a benefit for most people. It wouldn't harm them, but it isn't enough of a reason to put the effort in to switching either. People being tracked en masse is a problem for society, but not really an issue for any individual.

Expecting people to put in the time and effort individually to understand the benefit of switching browser, the tech knowhow needed to download and install the software, and how to move their data over to it, all for the benefit of society as a whole, is a pretty big ask.

For a new, neutral browser to take any significant market share there has to be a benefit for individuals that's more than simple neutrality. Either that, or there would need to be some sort of international regulation of browsers to force vendors to stop tracking users so much. I don't see either happening.


The neutral browsers were networking protocols, and each one would use whatever was available on their OS.

Then a bunch of people decided browsers should be a platform on its own instead of displaying interactive documents.


Apple is doing quite well not implementing most of Google’s “standards”.



Chrome also syncs your browser history and passwords with their servers. They have your search history. They have your private email. They have your YouTube history. They have your private documents and photos. They run your phone. They possibly run your laptop.

I guess my point is it goes far beyond Chrome. Google is running the Borg hive mind.


Borg is the name of the backend service that runs a lot of Google software - https://research.google.com/pubs/pub43438.html?hl=es#:~:text....


That's the nod-and-wink joke about the name Kubernetes. While it's a "controller" (hence the name) its design was inspired by borg.

... Kubernetes, or "kube" for short. ;)


Can you also explain the "rnetes" part? And why is it spelled with a K?


> Kubernetes (κυβερνήτης, Greek for "helmsman" or "pilot" or "governor", and the etymological root of cybernetics)

Source: https://en.wikipedia.org/wiki/Kubernetes?wprov=sfti1

(The Borg have cybernetic enhancements, I’m guessing that’s the link)


Also the Borg ships were called cubes (they were huge cubes)


Kubernetes is a Greek word meaning helmsman.


tbf they're fairly competent with it, I don't think I've ever had anything Google related compromised. I'm honestly not sure what the better solution is.

There's a lot of security theater around this where people will de-google their software and then run random binaries compiled by unknown people on the internet instead


> tbf they're fairly competent with it, I don't think I've ever had anything Google related compromised.

It doesn't need to be compromised. The biggest ad and ad tracking company in the world has all that data.


> I'm honestly not sure what the better solution is.

How about a browser company that syncs your data on their servers but doesn’t examine it. Even better, they couldn’t do that even if they wanted to, because your data is encrypted on their servers. That company has also never been compromised. Does that sound better?


I don't think Google does examine drive data by default, fairly sure it's encrypted.

Complete E2E encryption, Signal style, with you having sole access to the keys and sync is technically pretty non-trivial across multiple devices (also the reason they don't sync device history on previously unlinked devices), so there's a usability / security trade-off.

Honestly not certain whether that fits the need of most users for most data they have.


What do you mean by drive data?


This is why China banned these companies long ago. Imagine handing your population’s intel on a silver platter to your adversary.


These companies are banned for refusing to share the data they collect with the government. Essentially the Chinese government is a competitor when it comes to harvesting user data, not a privacy guard.


I don’t think it is ever intended to be a privacy guard, but data exfiltration prevention and, admittedly, to control the narrative, as does every country including your own, for obvious reasons.


Chrome is still the most popular desktop browser in China by far, and has a significant chunk of the mobile market.

https://gs.statcounter.com/browser-market-share/all/china


Does China ban any non-LinkedIn Microsoft services or Apple services? I thought they didn't.

Signal is blocked in China, and I'm pretty sure it isn't handing the population's intel over to anyone.

Full disclosure I work at Google.


When you’re actively persecuting a portion of your population, why not monetise it too?


Too bad we were slow to do the same thing with all the shitty lazily-named Chinese phone manufacturers like OnePlus who have free rein to skim our devices.


One Plus, using a number and a sign, is lazily named as opposed to what? A company that's named after a misspelled number? A company named after the first two Greek letters? A company named after a river in South America? A company named after fruits?


Chrome at least lets you opt into end-to-end encryption of your sync data. Unfortunately that isn't even an option on Edge yet.


It's incredibly convenient. I sat down at a new laptop about a month ago and realized I was blanking on my bank account credentials.

Fortunately, since I use Chrome, I was able to log in and get them clouded over. Whew!


That means you were already logged into google. At that point just use Bitwarden.


I'm not familiar with Bitwarden. After a bit of Wikipedia and web search research on them, I'm not sure why I'd trust 8Bit Solutions over Google for storage of my PII. Do they have the resources to keep it secure? What is their incentive structure to do so? What happens if they get bought? Should I be concerned about past errors such as "In March 2018, Bitwarden's web vault was criticized for embedding unconstrained third-party JavaScript from BootstrapCDN, Braintree, Google, and Stripe"?

It sounds like it'd add an additional layer of complexity to my situation without an obvious up-side over my existing solution.


Bitwarden can be self hosted and there is at least one independently developed server.


Bitwarden uses end-to-end encryption. So you don't have to trust them as much as Google.


um, no? See the famous story of Hushmail [0], which used end-to-end encryption and claimed to have no access to user email until receiving a court order. Then they modified the code they send to one client to exfiltrate encryption keys to law enforcement, and decoded all the "end to end encrypted" email.

Sure, they claim they are open source and that the infrastructure was audited, but this does not prevent them from just configuring their auto-update server to serve a very special update to a user at a specific IP.

[0] https://www.wired.com/2007/11/encrypted-e-mai/


> Then they modified the code they send to one client to exfiltrate encryption keys to law enforcement, and decoded all the "end to end encrypted" email

This is false. The decryption code was run on the server, which means the password was sent to the server briefly. Hushmail simply stored the password for a few accounts. No client code was modified nor any auto-update changed. In fact, if the criminals had used the Java applet, they'd likely have gotten away with it (assuming they didn't update it)

>However, installing Java and loading and running the Java applet can be annoying. So in 2006, Hushmail began offering a service more akin to traditional web mail. Users connect to the service via a SSL (https://) connection and Hushmail runs the Encryption Engine on their side. Users then tell the server-side engine what the right passphrase is and all the messages in the account can then be read as they would in any other web-based email account.

>The rub of that option is that Hushmail has -- even if only for a brief moment -- a copy of your passphrase. As they disclose in the technical comparison of the two options, this means that an attacker with access to Hushmail's servers can get at the passphrase and thus all of the messages.


Alright, that's fair. Guess self-hosting is the only foolproof approach for complete privacy then.


It was always like that. If your threat model is a three letter agency/Mossad/etc. then you have very limited options. Relevant XKCD: https://xkcd.com/538/


How is this a knock against them in comparison to Google? Does Google not comply with court orders?


Chrome also offers the option to use end-to-end encryption.


>Chrome also syncs your browser history and passwords with their servers.

Only if you enable it, right? And I don't think it's enabled by default, I think it prompts you asking whether you want to or not.

Full disclosure I work at Google, but not on anything related to this.


They still have a few of my emails but besides that, only YouTube browsing... I use LineageOS without Gapps on my phone and some other web search engine, most of the time.


And so does Apple, Microsoft, and pretty much anyone else you share that info with. It's a little surreal to hear people complaining about companies having all their data when they were the ones who gave it to them in the first place. You want to buy privacy? They make you pay with convenience.


The expectation that everyone reads the TOS of services is laughable. They are impenetrable and they are long.


Iirc they do allow e2ee for some stuff, like bookmarks.


Chrome only sends these headers to Google-owned domains.

As an attack surface, if you're worried about being spied on by the company that you got your browser from, I'd be more concerned about the closed-source control they have over the code in the browser itself than the unique identifier you're sending to their servers when you use their browser.


Can addons remove these headers? Like say I'm using uBlock Origin, does that do anything?


Possibly with Manifest V2. While it lasts.


Manifest V2 will last about 1 more year[1].

[1]: https://developer.chrome.com/docs/extensions/mv3/mv2-sunset/


Since the article title is generically baity, I changed it (per https://news.ycombinator.com/newsguidelines.html) to one that attempts to summarize what the article says. If anyone has a better suggestion—i.e. one that is more accurate and neutral—we can change it again.

As for this thread: let's try to talk about the specific claim in the article. Generic "boo Chrome" or whatever is too repetitive for a good HN thread.


The author talks as if this isn't documented... https://www.google.com/intl/en/chrome/privacy/whitepaper.htm...

> Additionally, a subset of low entropy variations are included in network requests sent to Google. The combined state of these variations is non-identifying, since it is based on a 13-bit low entropy value (see above).


Should use Ungoogled Chromium builds instead.

Moreover, should use Unmozilled Firefox as well.


> Can that ID be used to track you? Yes it can. And if it can, you can be 99% sure that Google is doing it.

Why would they introduce even 1% of ambiguity if they don't have to? It would make no sense to them.


The thing is that those numbers are not identifiers. They are just feature IDs.

Although the combination of those numbers can still be used for tracking, this is especially hard because many users have the same variant combinations.
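The point argued in the comment above (a low-entropy signal is shared by many users, but it still narrows the crowd when combined with other signals) can be measured directly. The script below is an added example for this thread, not code from the linked article or from Google; the user population, the variation-ID tuples and the second signal (locale) are constructed for illustration, and the 13-bit figure is the one quoted from Google's privacy whitepaper elsewhere in the thread.

```python
# Added example (not from the thread, the article, or Google's code): how much
# identifying power a low-entropy signal such as a variation-ID combination
# carries on its own, and how it compounds with another signal.
import math
from collections import Counter

# Constructed population: each user has a sorted tuple of variation IDs and one
# other coarse signal (locale). Values are made up for this example.
SAMPLE_USERS = [
    {"variations": (3, 17, 42), "locale": "en-US"},
    {"variations": (3, 17, 42), "locale": "en-US"},
    {"variations": (3, 17, 42), "locale": "de-DE"},
    {"variations": (3, 17, 42), "locale": "en-US"},
    {"variations": (5, 17), "locale": "en-US"},
    {"variations": (5, 17), "locale": "fr-FR"},
    {"variations": (5, 17), "locale": "en-US"},
    {"variations": (5, 17), "locale": "en-US"},
]


def tally(users, project):
    """Count how many users share each value of the projected signal."""
    return Counter(project(u) for u in users)


def entropy_bits(counts):
    """Shannon entropy of the observed distribution: the average number of bits
    an observer learns about a user from seeing this signal."""
    total = sum(counts.values())
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def smallest_anonymity_set(users, project):
    """Size of the smallest group of users sharing one value. A result of 1
    means the signal singles somebody out within this population."""
    return min(tally(users, project).values())


def max_buckets(bits):
    """Upper bound on how many groups a `bits`-bit value can split users into,
    regardless of population size: the whitepaper's 13 bits give 8192."""
    return 2 ** bits


def by_variations(u):
    return u["variations"]


def by_both(u):
    # Combining signals: if they are independent, their entropies add up.
    return (u["variations"], u["locale"])


if __name__ == "__main__":
    print("variations alone:   %.3f bits" % entropy_bits(tally(SAMPLE_USERS, by_variations)))
    print("variations+locale:  %.3f bits" % entropy_bits(tally(SAMPLE_USERS, by_both)))
    print("smallest anonymity set, variations alone:", smallest_anonymity_set(SAMPLE_USERS, by_variations))
    print("smallest anonymity set, combined:        ", smallest_anonymity_set(SAMPLE_USERS, by_both))
    print("max groups a 13-bit value can form:", max_buckets(13))
```

In the constructed population the variation IDs alone never isolate anyone (every value is shared by four users), while adding one more coarse signal produces groups of size 1. The same arithmetic scales up: a 13-bit value splits even Chrome's user base into at most 8192 groups, which is the whitepaper's "non-identifying" argument, but each extra independent signal an observer can correlate with it shrinks those groups further.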


This is great and all - but what's the alternative?

I've been using Firefox as my primary browser for about 2 years now - and the javascript engine on it has recently... sh*t the bed (I cannot paste links or images into facebook, I cannot paste text with line breaks into twitter, I cannot paste using reddit's "markdownmode").

I use google-chrome for Netflix; recently Chromium stopped working for Netflix (apparently the browser is no longer supported).

Edge isn't an option for me, brave isn't on my radar (WHY include cryptojunk with a BROWSER???, it's like the early 2000s where a major vendor was trying to claim that the browser is tied so closely to their kernel as to make it a part of an OS)

Is Opera any good?


> (I cannot paste links or images into facebook, I cannot paste text with line breaks into twitter, I cannot paste using reddit's "markdownmode").

This is not normal, something's broken with Firefox in your setup. Probably worth filing a bug.

(Also it's almost certainly nothing to do with the JS engine.)


> WHY include cryptojunk with a BROWSER???

The 'cryptojunk' facilitates funding content sans our traditional advertising dystopia. Whether that's your cup of tea or not, neither the rationale nor the mechanism is difficult to understand. The cryptojunk is also off by default[1].

Should you manage to overcome this hangup and give it a try you'll have a browser that is almost indistinguishable from Chrome except that the bulk of Google's abuse has been removed, among other benefits.

[1] https://brave.com/rewards-update/


Firefox recently started refusing to render pages for me on some sites, no amount of resetting the profile fixes it.

I'm curious why Edge isn't an option for you? I've started using it recently and so far it's a fairly decent experience. Sure, it's Microsoft and runs into the same trust and privacy issues you get with Google Chrome, but that being said, my browsing habits are pretty benign so I just accept it for what it is. Let's be honest, options are slim when choosing a web browser.

Another browser on my radar is Vivaldi [https://vivaldi.com/], another Chromium based browser with a ton of bells and whistles, most of which can be turned off. It has very much an Opera vibe.


I use Firefox. Haven't noticed any recent issues such as not rendering certain sites, but if I did, I'd just move on from that site. Webdevs, if your product won't at least render something passable/readable on a browser other than Chrome, you're not trying hard enough.


That's a tough thing to do when said sites are server IPMIs that never get up to date firmware.


OK, fair enough, you may need to keep IE6 in a VM somewhere for that.


I've started using brave. Feels just like chrome and I can use the Chrome extensions. There's settings for everything so you can disable the parts you don't like.


Are you sure with FF that’s not an extension? No issues with FB or Twitter (just tested it), can’t talk about Reddit as I use the fast version.


I personally like it for Windows, it even has an extension to allow the installation of google chrome extensions. In Linux it's a nightmare to use because of libffmpeg issues.


I am not sure what the issue with your system is, but I am using Chromium with Netflix on Linux (Arch, so I guess pretty much the latest versions of everything) just fine.


Curious, why isn't Edge an option? It's supposed to be the best alternative right now.


Their terrible advertisement [0] is a major turn-off.

[0]: https://arstechnica.com/gadgets/2021/12/microsoft-edge-will-...


My guess is non-Windows user.


Microsoft provides Linux and macOS builds (I use it on macOS whenever something doesn’t work right in Firefox, which is thankfully rare). If the reason you’re not using Windows is a Microsoft allergy though, that doesn’t help. Ungoogled Chromium works for that use case though.


Microsoft now provides binaries for Debian and RHEL based distros. Used Edge on Ubuntu for more than 6 months for work, probably one of the best experiences I had with a browser now that I think about it.


It’s a shame that Chrome turned out to be much more than just the chrome of the browser — the UI components built around the rendering and network engine.

I would love to (1) see the two separated and (2) have a much smaller chrome on top. For example, I don’t even need tabs when my WM can handle that stuff for me. I’d also be quite happy for the browser to store no state in between sessions (yet still have the ability to assist with usernames and passwords — if I need persistent state between visits it’s usually handled by logging in to the handful of sites I care about.)

This is part of a wider earthy-crunchiness I’ve found in my later life, including only using a (recycled, $100) desktop computer instead of my MacBook, and turning it off when I’m not using it. In the true pedigree of earthy-crunchy types I also apparently cannot help proselytising about my life choices!


They already are separated, in the sense that you can, and people do, embed Chromium-powered webviews in custom apps. I don't know if the particular app you're asking for exists, but there's no fundamental reason why it couldn't be built.

(Having to re-log-into everywhere on every new session sounds like a nightmare, though, especially with phone-based 2FA, which unfortunately is still the best that most sites offer.)


I use Firefox 99.9% of the time at home on my 2012 iMac and 2015 MacBook. I have zero problems whatsoever with it.


Honestly, I'm happy with Safari and Firefox (I use Firefox primarily as a Facebook quarantine, but also for the RECAP extension) on my Mac. I have no reason to ever use Chrome.


I swear there's an article with this exact title released everyday and 90% of the time it's BS.


Semi-regularly, yes. Why do you think it's BS?


I'll go ya one further. You shouldn't use any Google product.


Sometimes you have no choice. Send an email to any @gmail.com address and you’re using a Google product. Then you have the myriad of analytics and tracking and such.


You can be emailing them with other domains too, if the user has a paid account with them.



