If you use Chrome, Google can use a network protocol for tracking and ad delivery that can't be seen or blocked by extensions. TL;DR: You really shouldn't use a web browser made by an ad company.

"AdBlock Plus, uBlock Origin, and other extensions cannot block QUIC requests. Recommended best practice is to disable QUIC from the chrome://flags/ URL."

blog.brave.com/quic-in-the-wil

@ocdtrekkie Ah. So that's what Little Snitch caught the other day.

@ocdtrekkie That's why I continue to use Firefox. And in a worse case scenario I'll switch to Chromium.

@desikn I've been on Edge for a bit, but am back on Firefox again due to "technical issues" with the new Windows version, and am so far impressed with where it's at.

It's really good to see that Firefox is zippy again. I moved off of it a while back because of how sluggish it had gotten.

@Endo I am probably switching back to Firefox fully. But Edge is fine if you shut off literally every single tiny bloody option Microsoft has to sync or share data with them.

@ocdtrekkie Firefox also reports back. Ubuntu doesn't stop their app store from doing that too.

@Endo Firefox telemetry is extremely easy to disable with a single setting. And Mozilla doesn't have conflicts of interest like... operating an advertising company built entirely around collecting data about you.

@ocdtrekkie How do you think that Mozilla pays it's engineers?

Also, why are users supposed to use a measurably inferior and less secure product? I know the types of data Google wants me to disclose and it doesn't include ransomware.

I am pretty sure a security fail (e.g., your advice to use Edge, a very insecure browser ATM) is more expensive than a small amortized and minimal privacy cost.

Especially when the only damages people conceive from these are notional.

@Endo Almost every user I've ever supported on Chrome has malicious browser extensions... They're right in Google's own store! The least secure browser is Chrome. Edge is literally impossible to exploit in the same way right now, every extension is hand approved by actual people. Google is too easy to game.

Mozilla's telemetry is easy to disable, Google's is not.

@ocdtrekkie Also, Firefox was out last year because it was regarded as so insecure as to not actually be worth prize money.

@ocdtrekkie But yes, "Actually patching major flaws discovered at reputable competitions" _is_ sadly an improvement for Firefox.

I agree, that is depressing.

@Endo Bear in mind, you're arguing from the position of defending a company with an operating system it does not effectively patch. ;)

Android 7.1 is on 0.4% of devices.

@Endo If I recall, the year before Chrome was pwned and Edge wasn't. Pwn2Own is not really a metric of security so much as a chance for bragging rights.

@ocdtrekkie You've defined "malicious" as "leaking secondary data" and I've defined it as "enabling people to encrypt your hard drive and return it for money."

Security is expensive and no one charges anything for browsers. Maybe if we did, your support job would be easier? Not really sure.

@ocdtrekkie As a general rule, I feel that people get far too hung up on easily measurable metrics of privacy like "how many bytes of metrics data does it collect".

This is not idea, but it is likewise a very low marginal cost compared to much more profound privacy lost when someone takes your box with you via a remote execution vector.

@Endo I'm not relying on my browser to prevent that. And if I was... It definitely wouldn't be with Chrome. It's the only browser we actively restrict usage of because of how impossible it is to secure.

Because Chrome likes to let non-admin users install it, I actually have to use our AV solution to block it in some places.

Chrome is the new IE6.

@ocdtrekkie You're relying on anti-virus? Which? One of the many with poorly written code that has been used as an attack vector several times last year?

Security is holistic. Saying, "Well I'm fine with a less secure browser because I have anti-virus" is pretty poor reasoning.

Can't we just agree everything is terrible and we have no good options, but that Firefox is especially the worst of all options?

@Endo No, because Firefox is way safer than anything compromised by Google. And no, the antivirus clients I use are not amongst the poorly written recently compromised stuff.

@Endo Browsers do not save you from ransomware. And if you are expecting your browser to save you, you have already lost that battle.

@ocdtrekkie Browsers don't save you, but they can be a vector for a file drop which can kick off ransomware.

If you don't believe that vector has been used, you do not use google.

@Endo Oh, sure Google itself is the number one source of malicious files. Avoiding their software is step one in protecting yourself.

@Elucidating How do you think Google makes money? 99% of their business is ads. Most of it is either scams or malware. They profit off illegal activity.

@ocdtrekkie Firefox sells your search traffic to highest bidder and takes money to be a proxy in technical fights between Google and Microsoft.

This just in: there is no ethical consumption under late capitalism. Stop abusing your position to make users confused and less secure.

@Elucidating Firefox sells your search traffic to the highest bidder. ...Google, being an anticompetitive monopoly, just takes your data for free. ;)

But the biggest issue is just that Google uses every possible way to discourage you from disabling their telemetry and advertising, and some of it is entirely beyond your control. ...Firefox has a single checkbox, and it really doesn't punish you in any way for shutting it off.

I have a position to abuse?

@Elucidating @Endo Also, people have an unrealistic view of security sometimes. I've, to this day, never had someone's browser compromised through zero day vulnerability.

But a week ago I cleaned up someone's computer, and a day ago they already had malicious Chrome extensions again. Malicious Chrome extensions are a daily problem for layperson users. Pwn2Own zero-days are not.

Trust me, I'm not the one making users less secure.

@ocdtrekkie Wait, Google is a monopoly? I could see that argument being made for Amazon.

@Elucidating Google has 85% of mobile devices*, over 75% of search. 60% of web browsers. Well over two thirds of all email is processed by Google on one end or the other.

But far worse than their straight market share is the underhanded deals they make to control other companies and force them to push Google products on people.

*When you consider that Android is "sold" to manufacturers, not consumers, Google has zero competitors since Apple doesn't license iOS.

@ocdtrekkie Oh I see. So if you ignore the actual power and control and consider B2Bs as having infinite reach?

That's lousy logic, Jacob. If you have time for this nonsense, protest Amazon. Amazon actually has no competitors now even in its core business, so its displacing support industries now.

Seriously, your passion is misplaced.

@Elucidating I'm not fond of Amazon particularly, but there's plenty of competition. Actually, Walmart offers a far better deal than Amazon does right now: Free two-day shipping on orders $35 or more without a subscription.

Amazon actually had to drop their super saver shipping tier back down to $35 minimum to compete (it was up to $49), and still you have to have a Prime subscription to get two-day shipping.

Show newer

@lanodan_tmp @ocdtrekkie As we all know, anti-virus code is all written perfectly and opens up no additional attack vectors and has good incentives to provide actual protection & not snake oil.

They totally don't consistently break SSL in risky ways to put credentials at risk of interception!

@Endo @lanodan_tmp Chrome is an additional attack vector. Hence we don't support it.

I do not use antivirus software that breaks SSL in risky ways.

@ocdtrekkie There is a cost to building software. Everyone wants it for free. To drive costs down, a lot of data is necessary (even if you don't sell it).

You can pay more money if you want.

@ocdtrekkie Why does Firefox get a pass? It does a lot of the same things and sells user traffic as well.

@ocdtrekkie not ideal, but I'm guessing that blocking on the network/DNS level would still be effective? ie pi-hole.net

@ennenine I feel like aside from the more difficult configuration and management standpoint, blocking things at the network level is a smart idea, in a world where we can't trust the operating systems or browsers from most parties out there.

@ocdtrekkie Disabled QUIC until the privacy and security enhancing extensions have the ability to treat QUIC like HTTP

Sign in to participate in the conversation
mastodon.cloud

Everyone is welcome as long as you follow our code of conduct! Thank you. Mastodon.cloud is maintained by Sujitech, LLC.