- Can we HN users help push Firefox to incorporate better fingerprint circumvention? (more than current) This is, imo, one of the worst technologies that has been developed around the web. This seems like a thing all privacy focused browsers, which includes FF, should be working on together. This seems like a thing that wins by the network effect, but can be done without an authoritative browser. You just need mass numbers, and while FF isn't that large of a user share, it is large enough that probably most local networks have at least a few connections and every ISP has thousands.
FWIW, using amiunique.org I am unique on FF, Safari, Mullvad, Chrome, and Edge on a M2 Air. Mullvad is 0.22% across the board btw, so looks like that's how many Mullvad/Tor users have tried it. Though I am a bit surprised by some of the results. Similarity is very low for: UTC-07 (3% of users are on the... west coast? This can't be right), screen sizes (I thought this was going to be a win because apple consistency, but all values are <0.1% -- except depth, which is best on Safari and identical on FF/Chrome/Edge. Do people not make their browsers the full screen size? (not clicking green expand)).
- Will the browser end up having a Tor connect switch? I'd imagine this would make Tor more accessible and could make the entry via VPN method easier and safer for many users. Is that why they're working together? I guess I'm a bit confused at the collaboration here? But it does seem natural that they could work to set up easy interfaces like x -> Mullvad -> Tor, x -> Tor -> Mullvad, or even x -> Mullvar -> Tor -> Mullvad? Is this the natural extension?
> Can we HN users help push Firefox to incorporate better fingerprint circumvention?
They can't win, no matter what there's going to a subset of sites that simply won't function when you block their fingerprinting techniques, and you'll get people every thread going "Firefox sucks! It doesn't run this website when Chrome happily does!" and then you get everyone on the other side going "Firefox sucks! It isn't as private as Librefox/Tor/my-other-obscure-fork!"
> Similarity is very low for: UTC-07 (3% of users are on the... west coast? This can't be right)
I dunno, seems about right to me. It's only something like 60ish million people and there are somewhere around 5 billion internet users. Obviously who will be checking the site isn't expected to be perfectly even but that's why the number is also 3x higher than plain user count would suggest.
> screen sizes (I thought this was going to be a win because apple consistency, but all values are <0.1% -- except depth, which is best on Safari and identical on FF/Chrome/Edge. Do people not make their browsers the full screen size? (not clicking green expand)).
Screen size, not browser size. Even on the exact same make and model hardware the OS UI scale setting will alter the reported screen dimensions in the browser. The same is true with people who change the default browser zoom in the browser instead.
> It's only something like 60ish million people and there are somewhere around 5 billion internet users.
You know, I feel dumb now that you're pointing this out. I'm not sure why I originally interpreted this value as an "amount of identifiablity" variable rather than the pure amount. You're right to point that this is a variable that can only be used in support of others and not unique in of itself.
> Screen size, not browser size.
I would think this would make it more likely to be less common. Apple has tight control and thus more consistency. But it is a good point, especially considering the prior point. The M2 Air has a different screen size than the M1 Air, which has a different screen size from *-Air which has a different from pros and so on. We don't need to get into UI scaling to change that. I was just thinking about consistency and popularity of the Apple ecosystem, in the West, compared to the variance in Windows machines. For example, I know that canvas fingerprints tend to have lower variance between apple machines of the same model than windows/linux machines of the same model. Just because there is different chip binning. I was thinking about the same thing with screens. But again, I clearly did a major brain fart and I appreciate the correction.
> FWIW, using amiunique.org I am unique on FF, Safari, Mullvad, Chrome, and Edge on a M2 Air.
Not sure if this is representative. According to their website, they have collected about 2 Million fingerprints. Firefox accounts for 42% of those fingerprints, which does not reflect the global market share.
Isn't this something that's already been in conversation though? Just not popular? I'm pretty sure I've seen discussion and pull requests for this on HN. I know even the strict privacy setting, which affects fingerprints, does not make it anywhere close to a Tor fingerprint.
I was more suggesting that maybe we can demonstrate the desire of this, to put positive pressure on making this, and other privacy measures, a higher priority of FF
You can't simply submit a patch to any self-respecting open source project on a decision so consequential. You have to do annoying things that mostly get in the way, like convince other people and build consensus.
Since there's no way ANYONE could make such a change without building consensus first, I don't think it's really a problem unique to submitting a patch. I simply answered accurately that, yes, there IS a way to get it changed, but it takes work.
>the Mullvad Browser applies a "hide-in-the-crowd" approach to online privacy by creating a similar fingerprint for all of its users. The browser's 'out-of-the-box' configurations and settings will mask many parameters and features commonly used to extract information from a person's device that can make them identifiable, including fonts, rendered content, and several hardware APIs.
What does masking specifically mean? Is it returning pre-canned responses to those queries that match non mullvad browser users. Because otherwise the absence of these APIs basically fingerprints the user to the Mullvad Browser which, realistically, will always be a small fraction of total browser sessions.
It is using the same profile as Tor Browser which will broaden the group a little. There has been effort to upstream many of these fingerprinting resistance changes to Firefox, which would broaden the group even more, but I don't know if they are on par yet.
I don't understand why TOR Browser thought that was a good idea either. It seems extremely risky to try to make every browser appear the same and simply hope that they've managed to cover every single means to fingerprint an individual. It's a game of Whac-A-Mole where your adversary is constantly exploring new fingerprinting techniques so TOR/Mullvad has to invest their time and effort into doing the same just so they can counter them all. If they miss anything or don't catch it before or as soon as anyone else does they lose the ability to hide in the crowd entirely.
Some amount of research into fingerprinting techniques will always be needed but it seems to me that a far simpler solution would be to randomize the fingerprint for each connection. It doesn't matter if your browser fingerprint is unique as long as it's always changing. That would also make it harder to detect TOR/Mullvad users since they'll look exactly the same as anyone else with a unique fingerprint. It also gives users the ability to modify some of their fingerprint according to their needs without losing protection. For example, they could freely change their useragent for certain websites/requests while still having a unique fingerprint.
Honest question, what's the upside of not doing this? You're already identified as a Tor user via the IP address. But wouldn't a unique, for example, canvas fingerprint just deanonymize you further? A shared fingerprint just makes you indistinguishable from others Tor users. Which you're already being classified as and can't escape that printing.
IP addresses won't necessarily ID a TOR user unless all exit nodes are known and being checked for. The TOR browser fingerprint stands out like a sore thumb though.
The shared fingerprint makes TOR users indistinguishable from other TOR users unless/until a single identifying factor isn't accounted for at which point all TOR users are identifiable on every connection, across time, different domains, etc. The sameness of TOR user's fingerprints + even just one consistent identifying feature means TOR users could be individually tracked.
A unique canvas fingerprint can be used to track you, but as long as it's differently unique on every request it can't be used to track you because the resulting fingerprint will always be different.
The "hide in the crowd" trick of trying to make a bunch of different people's browsers look identical isn't a bad thing, it's just extremely fragile. Still, it's better than nothing. Making all browsers randomize their fingerprint every time defeats tracking just as well as the "hide in the crowd" trick does (when that trick is 100% perfect) but also adds resilience and flexibility
> IP addresses won't necessarily ID a TOR user unless all exit nodes are known and being checked for.
Forgive my naivety, I don't really know Tor that well or even use it, but aren't nearly all exit nodes known and aren't they routinely checked for? It does not seem like a difficult thing to check for. I mean when I googled to check it seems like it is easy and Tor even provides a tool and publishes the 2188 addresses[0,1,2]. So... I'm quite confused about your assumption because a quick googling is leading me to believe that this is a rather known thing and doesn't require anywhere near state level action. I mean people routinely scan the entire internet and those posts don't even make it to HN anymore because they are so easy.
> The shared fingerprint makes TOR users indistinguishable from other TOR users unless/until a single identifying factor isn't accounted for at which point all TOR users are identifiable on every connection, across time, different domains, etc. The sameness of TOR user's fingerprints + even just one consistent identifying feature means TOR users could be individually tracked.
This is a great point, and I get it. But I'm not sure how this is different from normal situation. Doesn't this mean a misconfiguration of the Tor browser? One or two metrics may not be enough entropy to have confidence in an identity, though certainty you're right that it is of concern. I'm just trying to intuit the entropy difference. I'd wager it matters which metric is broken. But the question is when we start undoing Tor fingerprint overrides, at what point does the entropy decease before it starts increasing again? (as you're suggesting) Is that enough information to confidently identify a person? I honestly have no idea. This is a question since you're stating this is a cause for concern.
> A unique canvas fingerprint can be used to track you, but as long as it's differently unique on every request it can't be used to track you because the resulting fingerprint will always be different.
Is that true? I heard that Canvas Fingerprint randomizers actually decrease anonymity for the average user (i.e. done without other measures such as what Tor and Mullvad are doing). Due to noise being information itself, and is thus itself a fingerprint. You just call the function multiple times and look for differences or call different functions and look for similarities (i.e. the return const value). Maybe not as clear of an identifier as a normal canvas fingerprint, but it does constitute good information as most browsers aren't randomizing. I mean one piece of information alone isn't enough, that is why they collect several. You aren't being identified by only your canvas fingerprint.
> isn't a bad thing, it's just extremely fragile. Still, it's better than nothing.
I'm just asking what your alternative is. Btw, Tor and Mullvad __are__ randomizing[3]. So what is your complaint and what is your suggestion?
> Doesn't this mean a misconfiguration of the Tor browser?
Not necessarily. It'd just mean that someone figured out a novel way to coax some bit of data from the browser that hadn't been considered or adequately accounted for.
> One or two metrics may not be enough entropy to have confidence in an identity, though certainty you're right that it is of concern.
It'd be less worrying if TOR users were more common, but since so few people use TOR at all, and fewer still will use it for any given site/service it means that what would be a low confidence metric for normal traffic might be all you need to track a TOR user.
> I heard that Canvas Fingerprint randomizers actually decrease anonymity for the average user...You aren't being identified by only your canvas fingerprint.
Canvas randomizations are likely to increase uniqueness which is different from increasing the ability to be tracked. If it's implemented in a way that makes it detectable and/or predictable it could increase the likelihood of being trackable depending on the situation. Canvas randomization is useful, just less useful for easily identifiable browsers which document that they do it since it can just be ignored in those cases.
> I'm just asking what your alternative is.
I think it'd be a robust system where many values were randomized in ways that were logical and consistent. For example, a user agent that implies a certain OS would expose a randomized set of values typical to that OS (fonts, drivers, add-ons, GPU, etc) and randomizations would be appropriate (even customizable) by context (session, window, tab, domain, request) so a website making multiple calls to a function would see consistent results while another (unrelated) website would see you as someone else entirely.
This way you'd always appear as a new unique visitor and if someone comes up with some clever trick to expose some new bit of data you'd still be indistinguishable from every other unique visitor with that bit of data. The vast majority of users on the internet are basically always showing up as "randomized" on first visit. It'd mean you could visit the same website 4 days in a row, but each time you'd just show up as someone new who stopped by, browsed around a bit maybe, and then never came back.
As a side note, Tor Browser/Mullvad Browser does randomize canvas (and this changes every time you restart the browser or press New Identity). I don't remember what the reason for randomizing this specific feature is for, maybe it had better compatibility.
It seems to me whether you're going to make fingerprintable properties be the same or randomize them, you're always going to need to explore every angle. Otherwise a bad actor can just ignore all the properties you randomize and focus on what's left.
Very few data points used in browser fingerprinting are 100% unique to an individual. Multiple data points are combined to form a hash that is unique to an individual. Most people have a unique fingerprint.
You can sort out your TOR browser traffic by user agent then focus on a single data point to track a small number of those users (probably to the individual level because TOR browser traffic is uncommon) but a website can't always know what's been/being randomized and can't separate out the randomized users from everyone else with a unique fingerprint.
To a certain extent. You don't have to make sure you're catching and accounting for 100% of every possible data point that might be collected by a browser if you're randomizing everything else though. Random value + consistent individual value will always produce a changed hash.
If you randomize everything that sounds like a pretty identifiable signal tbh. Unless a very large number of people are also performing that randomization. A large number of people specifically in whichever discriminating group you belong to, which might be something out of your control.
Fair enough, it may be more reliable against general/naive approaches like commercial uses though a sufficiently skilled adversary may only consider the fingerprinting techniques they have missed (one specifically targeting TB users).
"a similar fingerprint for all of its users", to me, makes it sound like they accept the fact that users will be fingerpritable as Mullvad Browser users (but not more precise than that).
Actually, which other crowd could they even be referring to with "hide-in-the-crowd"?
Not sure if you're being sarcastic or not, but Windows 11 users who use Google chrome are only really a crowd at the User Agent string level. Chrome allows much deeper fingerprinting.
It's going to be extremely difficult to imitate another browser like that, especially one of a different codebase. Chrome is extremely fingerprintable too.
The Mullvad Browser download page has this to say:
"Strong anti-fingerprinting from the Tor Project
The Tor Project has a proven track record of building a privacy-focused browser. The Mullvad Browser has the same fingerprinting protection as the Tor Browser – it just connects to the internet with (or without) a VPN instead of the Tor Network."
The alternative (faking Chrome or something) is extremely difficult, especially with a different codebase. There's going to be differences. You can tell if someone is using this browser if they're using Tor/Mullvad too. It's just a better option to create a new identity (TB/Mullvad) and put everyone behind that.
well, each individual browser should not rotate the values to often, every few weeks or months maybe, if at all, or when sessions are cleared. or they could differ per site. but across all browser instances a statistical distribution of values that is similar to the existing distribution would help to ensure that no particular value stands out. given that it is firefox this should also mean that only average firefox values should be used because the browser itself can be detected through checking feature differences which can't be masked as easily.
It would be great if they would bake in some extensions that are "table stakes" for a modern usable browser like uBlock Origin, Multi Account Containers, Total Suspender, and a vertical tabs solution like Sidebury.
Things like Sidebury affect your window width and hence your fingerprint, Tor Browser is extremely careful with these. You might not be in the market for a privacy focused browser.
My whole point is that vertical tabs should be the damn default on any browser. How many people have a screen that is taller than it is wide? How many people have more than 8 tabs open at once?
> How many people have more than 8 tabs open at once?
Basically everyone I know, techie or not have many many tabs open, always. I might have 200+ at the moment? Something like that. They are hidden in containers so I don't see them all but in this current window I have maybe 20.
I never liked vertical tabs, takes up too much screen.
I've never really understood this. I might go 10 or 20 tabs deep in a browsing session if I'm researching something, but if I want to save something for later I will either bookmark it or paste links into a text file. Having hundreds of tabs open all the time just seems inefficient to me.
Well, you've just said it yourself. You used the word "session". There really is no such thing for some of us, the browser is permanently open and also opens the same tabs again if the browser has to be closed for some reason.
Edit: I mean, it's still a session - just a permanent session.
I mean I know you can sort them into folders and such with extensions but if the tabs get corrupted, or you lose your session seems like you're hosed unless you bookmarked them or saved the tab session as a backup
> How many people have more than 8 tabs open at once?
Don't most people? I basically always do. And yes, I'm a techie, but anecdotally I see many non-techies with zillions of browser tabs open because they barely notice that tabs are even a feature and so they continually allow new ones to be opened without going back and closing anything.
I have hundreds of open tabs in FF most of the time and rarely close them. I use it a bit like emacs; ignore the "tab bar" and use ctrl-tab (with browser.ctrlTab.sortByRecentlyUsed set to true) or tab search (with %) to jump between them. The only reason I need to clean up my tabs now and then is the RAM usage.
Not really true any longer, almost all modern browsers will background (unload) tabs when you get more than N windows (or memory % consumption). I think you have to turn that behavior off if you don't want it via about:config chrome://flags
Of course they don't notice the tabs - once you get over ~8, you'd have to scroll to see them.
I can see 40 tabs with 40 characters of tab name in a single window (actually, I pin 3 rows of 8 tabs, which takes up 3 tab spaces, so I can see 24 pinned tabs and 37 full size)
Vertical tabs take a much larger fraction of your screen than horizontal tabs. The entire original USP of Chrome was that the “Chrome” part of the browser window took the absolute bare minimum space in the screen letting you focus on the content. I think people still psychologically expect that to be true.
I wanted to love vertical tabs but I just keep going back. If you have multiple browsers open side by side it gets annoying how much screen the tabs take up.
I use a slightly customised version of tree style tabs to great effect. Actually uses the horizontal bar to show pinned / recent tabs (which time out and hide) and an overlaid / toggle-hidden sidebar for the full list of group-organised tabs.
You can always just toggle the vertical tab view per window, so you don't lose any horizontal screen real estate unless you need them. And at least in Firefox you can remove the existing horizontal tabs using userChrome[1].
Docs in a browser window, next to an editor window, while working with a library that isn't very familiar. Granted, this works better on a display of meaningful size, but I do it a lot and vertical tabs would waste noticeable space.
On the other hand, I have good tab discipline in general, so vertical tabs would waste even more space by virtue of dedicating a lot of real estate for displaying next to nothing. But who needs all those tabs anyway?
While doing research, each search yields numerous links that I need to evaluate so I'll open them all in tabs and then I go through them as a task list to whittle down.
I have a whole window for just email + comms. I have several different businesses that all use separate email, etc in containers.
I also have several interests where each gets its own window and has up to 24 pinned tabs of key sites for that topic. These are not business, so I don't have time pressure to whittle down the tabs that I open.
I currently have 368 tabs open and they are all easy to access: Select a window by topic (I use the Titler extension to name windows) and I have 3 rows of 8 tabs pinned at the top and up to 37 tabs with 40 characters of tab name space. So in each window, I can see 61 tabs without scrolling.
“ I can’t imagine why anyone wouldn’t use vertical threads”
“ doesn’t work on small screens”
“Get a bigger screen”
Consider that most people don’t care to even if they have the money. I sure don’t care for a bigger screen. I find myself more productive in a small screen anyway.
There are plenty of use cases so I'm sure it varies.
For example, I often have my browser on the left side and my editor on the right. With only 50% of the width, I sometimes prefer to reclaim the horizontal space and switch back to horizontal tabs.
While I agree that vertical tabs make sense, personally I never use desktop browsers in fullscreen (nor almost any other application other than IDEs). So I’m probably f’ed anyway with regard to fingerprinting.
okay, people need to stop treating digital canvases like an analog surface. It doesn't matter what dimensions your screen is. The paradigm for virtually every application on a computer is to scroll vertically, so practically that space is unlimited.
What people want to do is fit stuff side-by-side and move up and down, rarely ever the other way around. That's why vertical tabs make no sense in most contexts. It's why narrow-width fonts exist, those columns are valuable real estate as soon as you have another window pulled up to the left or right, there's virtually no case where a few rows made a difference.
These are not table stakes features for usability, especially the last one. I use Arc Browser and while I think vertical tabs is nice, this is not a MVP feature.
Additionally, I'd argue Multi Account Containers + Total Suspender are not either. Even MAC doesn't come by default w/ Firefox, you still need to install it. I'm willing to bit the vast majority of internet users still don't know about it.
And Total Suspender is really a response to RAM use by browsers. It's a great idea, browsers should implement it, but many people still don't know about it and it's not necessarily a deal-breaker.
you can silo websites away from each other. for example, your work uses outlook and slack. a work tab has those logins memorized, but it won't know about your Facebook login.
you could have a banking tab just for logging in to places like that. I'm a fan
Thanks, I've never used that but it does sound useful! I tend to use different browsers to context switch as Cmd+Tab is a nice way to switch between them - Safari for actual browsing, Firefox (and developer edition) for dev.
I prefer to use separate docker containers for that, with some trivial shell wrappers to make creating new persistent "browser profiles" easy. But for non-techies, I guess the Firefox addon is the next best thing.
OT:
I use Mullvad as VPN and have 2 different Firefox instances, Firefox (standard) and Firefox Dev. Does anyone know if it is possible to run all web surfing thru one of the browsers thru Mullvad VPN thru some extension or similar?
In other words: What I want to do is to use one of the Firefox web browsers to connect to my normal ISP and the others traffic to go thru MULLVAD VPN. I know about "split tunnel", but it does not feel optimal, because every single app must be deselected no to use VPN, to just make one web browser use the VPN. And if you want to run another app thru VPN, you must remember to activate it, not only turn on the VPN tunnel. So is there any way an extension could connect Firefox to Mullvad VPN directly or configure some proxies in Firefox that connects to Mullvad VPN app or similar?
One of the reasons I use Qubes OS is that it makes functionality like this easy, with strong guarantees that there won't be a leak since it is achieved though VMs in the background. With any application you can configure it to use only a certain VPN, or have multiple separate instances of the same application connected to different ones
mullvad offers a socks proxy. i generally use the wireguard app, and only allow traffic to the socks proxy through the vpn, and configure firefox to use that socks proxy.
if you use their app it depends on your operating system how their whitelisting works, but you can pick apps you don't want to have routed through their vpn (but by default with their app all system traffic will be routed through the vpn except what you explicitly deny).
I do something like this. I run wireguard in a container along with dante-server (a socks proxy daemon). I then configured a Firefox profile to connect to the socks daemon running in the container.
This way I have a single browser profile that is routed through Mullvad while everything else works normally.
With TOR, even the middle men don't know who you are (not considering some large entity controlling too much of 5he TOR network). With a VPN, the middle man sees all your (encrypted) traffic.
Considering your question from a host/website point of view, connections trough TOR endpoints are blocked way more often than connections trough a VPN.
Years ago, I had the idea to create a clear-net version of Tor, e.g. Tor Browser without the Tor network (was called Aegis Digital, I believe The Epoch Times interviewed me about it). Separate to Waterfox, the idea would be ramp up the privacy to the max.
The problem is, when you did that, many websites would break in the most bizarre of ways. Even now, it still breaks a lot of the web. Couple that with a well known VPN and large swathes of the web are going to be difficult to access.
I'm sure this may go down well with the privacy crowd, but for the general user it was and still is a hard pill to swallow. I wound down any attempts, figuring a balance of privacy and usability would be better and if I were to offer this, why not just point users to use Tor instead?
I figure this is a good opportunity for Mullvad to capture its VPN users and shift them onto a platform they control. Not necessarily a good or bad thing, as I know VPN providers try to launch their own browsers and even some browser vendors launching their own VPN to capture the maximum value out of their users.
I use mullvad's vpn and I know very well what you're talking about. Social media websites will shadowban you without any TOS violating actions on your part. Certain financial sites will straight up refuse to work, and the worst of all are the sites that use only certain js libs hosted on cdns that straight up refuse to serve anyone on a vpn. That leaves you with a site that looks like it's responding, but is in fact broken.
I feel like the very act of trying to opt out of the web's surveillance is enough to mark you as a second class citizen on the web. You either submit, and let your isp and google resell your most sensitive secrets, or you're effectively shunned.
Regarding tor, it's a great idea tarnished by the fact that it's used for vile illegal activity. There's no way I would ever run a tor exit node. The risk of some 3 letter agency taking all my hardware for a few months while they figure out I'm not the guy they're looking for is too damned high.
Yes I wonder how many people actually use Mulvad as their daily driver.
Hell I'm using completely unmodified Edge for banking and government agencies because even something as simple as ublock cosmetic filters manages to break them.
Is there a new directory of onion services thats more reliable?
I used to use dark.fail but every site they listed has been continually down for the last 2 years due to some widespread DDOS attack on onions, and now dark.fail itself is basically always down too
Is there a good Dread replacement while we are at it?
Did everyone really move to i2p? because I rarely see anyone talking about that network
I guess the worry is that this is the tor project turning into the equivalent of the mozilla project at their scale, specifically mozilla of the last 5 years. Somehow it never seems sustainable just running on donations. Literally the only lasting institution to do so is wikimedia, and that's it.
both vpn service and web browser are commodities, giving me a dedicated browser was a trigger for me to learn about them and buy their vpn service. I love that i can login with 1 number. So I think the future is bright for companies that can create differentiation like that
So it's just the TOR browser with TOR disabled? Thing is, you could do that anyway. It did take setting a couple environment variables, no GUI method, but easy enough to do. Unclear what value Mullvad's version provides. Feels like a promotional thing.
> It did take setting a couple environment variables, no GUI method
, which is unknown to almost anyone, would scare an absolute majority of non-technical folk away. Even if what mullvad does is relatively small in scope, it can still provide a lot of value to people.
Of course it's a promotional thing, it's named after a company.
Think of it this way: Mullvad is sponsoring Tor at >=$100,000/year, and in exchange the Tor Browser developers made a slight fork of their codebase that sets a couple of environment variables and changes the branding. Now the fact that it's just a couple of environment variables sounds like a good thing, right?
Well, this will provide signed binaries and a "native" (to the browser) update service that doesn’t rely on a third party to update it.
Librewolf breaks trust (for lack of a better term) by not offering both of those options.
You just have to assume the binary you download isn’t compromised (maybe you could argue checking the hash is enough) and that the third-party updating service won’t serve you a compromised update.
For the millionth time: you can use Brave without any of the crypto nonsense. I'm typing this on Brave now and I still barely understand what a BAT is; I've never spent more than 10 seconds looking into it and the browser makes no attempt to force it on me.
I'm curious, what do people mean by this? How is the bank's financial system any less "nonsense" than crypto? Second question: when the banks start using crypto in not too long (via CBDCs), how will that crypto be any less "nonsense" than crypto?
> How is the bank's financial system any less "nonsense" than crypto?
When things go wrong in real money land, we have a whole legal framework with standing precedent and built up processes for resolving them. Nevermind the fact that I can just call up my local pizza place, give them a credit card number, and get a pizza. Over in the crypto-hellscape, ever since the fall of the big darknet markets, the only real use case for cryptocurrency is trying to convince other people that everybody's getting rich, so that you can sell them your cryptocurrency for real money. Or accepting a ransom for your malware attack. When the only three inhabited niches in your ecosystem are "speculator", "con artist", and "criminal", it's safe to write the entire thing off as "nonsense".
Hmm, I use cryptocurrency on a daily basis, and my usage does not fall in any of those categories you listed.
It sounds like (correct me if I'm wrong), the "nonsense" that you see consists of two things: (1) a lack of integration with a legal framework, and (2) that your local pizza shop doesn't accept crypto.
Neither of those things are fundamental shortcomings of crypto though, as some pizza shops do accept cryptocurrency (just not as many), and custodial cryptocurrency is a thing if you're not into "being your own bank", which does give you some integration with the legal system (as long as your custodian is a law-abiding entity, like a well known company). As far as I'm aware, Brave's usage falls within that category.
If you're trusting the government to resolve your legal issues, you have a root of trust, invalidating the entire need for cryptocurrency. At that point you could just have an SQL DB operated by the Central Reserve. The use of money to affect the real world necessitates a level of trust that completely invalidates the point of a decentralized, trust-less monetary system.
The Silk Road was the last time anybody used cryptocurrency for anything useful, and beyond the criminality of it, crypto wasn't even particularly well-suited for that task. If I ever get asked for cryptocurrency at a pizza place, I suspect they'll have greeted me by inquiring about a fellow named Galt. At this point, nobody in the space is actually exchanging their "currency" for goods and services. They're treating it as a speculative asset. Meanwhile, the entire ecosystem is saturated with criminals, and not even of the kinda fun Silk Road kind. Just con artists, grifters, and the occasional ransomware connoisseur.
I get it, you have a vested interest in people not realizing this and letting the whole "economy" collapse. But as long as the only legal utility in having cryptocurrency is hoping that someone else will be stupid enough to buy it for more than you did, the whole thing is nonsense.
> Just con artists, grifters, and the occasional ransomware connoisseur. I get it, you have a vested interest in people not realizing this and letting the whole "economy" collapse.
I beg your pardon?
I am very aware of all of the fraudsters and rug pullers in cryptocurrency. Do you think I like them? Just as with the fraudsters in FED-world, I hope they all get sent to jail for the crimes they pull. There are criminals, frausters, and grifters, in any economic system of a meaningful size. It's just reality, and acting shocked about this doesn't make any sense.
As for "letting the whole 'economy' collapse", what on Earth are you talking about? I do not want the cryptocurrency economy to collapse, I want to see it grow. I think it's doing many incredibly important valuable things, like freeing humanity from digital slavery, and securing the Internet's broken X.509 system.
As for using a SQL DB - it sounds to me like you do not understand what cryptocurrencies are, why they exist, and why they are designed the way that they are. There are plenty of high-quality, free explainers out there, so I won't bore you with one here.
> As for using a SQL DB - it sounds to me like you do not understand what cryptocurrencies are, why they exist, and why they are designed the way that they are. There are plenty of high-quality, free explainers out there, so I won't bore you with one here.
"Do not cite the old magic at me, Witch". I am acutely acquainted with the concept of how cryptocurrencies work, which I must assume you aren't by your failure to engage in my very well suited analogy. The blockchain is a database. It's a kinda shitty one, in that there are higher performance, distributed, append-only databases, except for it's unique feature of being trust-less. Cryptocurrency builds on this technology by shoving transaction details in this database.
So, the only thing cryptocurrency has going for it over a well-sharded PostegreSQL DB is that lack of trust. If everybody has to trust one or more parties anyway, then there is no need for a blockchain.
To quickly address your other attempts to refute what I said: I'm not offended that there are fraudsters in the cryptocurrency space. I'm concerned with the fact that there are only fraudsters in the cryptocurrency space. If no one is using cryptocurrency for anything but speculation and crime, then the entire thing is a net harm to society. It's a somewhat-legal pyramid scheme (speculation) containing a multitude of illegal pyramid schemes, in addition to an assortment of other scams.
And I said you, you personally, have a vested interest in cryptocurrency continuing to exist. I'm presuming from your defense of the system that you are, like many others, engaged in the speculation on cryptocurrency. I said I get it: It is in your best interest to disagree with me. Because without those defenses, the market won't be able to attract new ~~suckers~~ sorry, "investors", and the speculation bubble will pop, leaving you holding the bag. I don't wish that upon you, but the longer a pyramid scheme runs, the more innocent people will be hurt when it inevitably collapses under its own weight.
> If everybody has to trust one or more parties anyway, then there is no need for a blockchain.
You sound very confused. Everyone does not need to trust one party. The system as a whole is trusted, or should I say, more trustworthy, because of its trustless nature. If you do not trust yourself to be the custodian of your own cryptocurrency, you are free to trust someone else instead.
> I'm concerned with the fact that there are only fraudsters in the cryptocurrency space.
That's just a lie and you know it. It doesn't sound like you are interested in a good-faith discussion, but are interested primarily in hating on cryptocurrencies. Anyway, you will be a user of cryptocurrencies in short time (as I mentioned above: https://hackernews.hn/item?id=37163640 and here: https://hackernews.hn/item?id=37168477), so this conversation is somewhat silly.
> Because without those defenses, the market won't be able to attract new ~~suckers~~ sorry, "investors", and the speculation bubble will pop, leaving you holding the bag.
This again reveals your ignorance of cryptocurrencies. You are angry at something you do not understand. Do you display this sort of anger towards commodities too? If not, why not? They are no different from many cryptocurrencies. What about dollar bills? Do you start cursing at them?
Please tell me how you are using crypto on a DAILY basis. I get maybe using it once it a while for specific transactions but I can't imagine a scenario where I could use it every day.
Well between paying contractors, paying for goods/services, playing with defi (there are non-speculative uses for defi believe it or not), using group income, and paying the random person back for a meal I owe, it comes out to either daily or almost daily.
Don't worry as I mentioned you'll be using it daily soon too, except (unless I'm mistaken), it sounds like you might choose to use a cryptocurrency built from the ground up to surveil and control you, rather than one that's built from the ground up to enable permissionless transactions. To each their own.
Hmm, why is that nonsense? It makes a lot of sense to me for a browser to support cryptocurrency payments for goods & services online using an Internet-native currency. I agree though that the particular way Brave has gone about it could stand to use improvement. I wish they had gone the Alby route.
This is bizarre. Why would Tor lend the credibility of their association to an inferior privacy product? My spidey senses are tingling, something is very wrong here.
Both projects benefit. Tor gets funding to improve parts of the main Tor browser to meet Mullvad's specifications, Mullvad gets a new product and incidentally gets to financially support a project that they obviously admire.
The actual reskin is technically not all that challenging, for all that I'd still not want to do it just for fun. I'm sure that if Mullvad wanted to, they could have released a rebranded Tor Browser with their own development team. But that would have meant missing out on what is probably the main point of the exercise, which is giving more¹ money to the Tor project to make things better for everyone.
Another reason is that the Tor network has been overloaded since it's inception. If Mullvad can take off the load slightly for the uh... less necessary users (aka those who used Tor Browser for anti-fingerprinting uses rather than the type of protection offered by its onion routing), then that would be a win in the books of the Tor Project.
Because not everyone wants to use the Tor network but may still be interested in a browser that comes configured for as much privacy as possible by default instead of having to configure various settings/extensions manually?
Options for incrementally improving privacy are still good, even if it doesn't go as far as the normal Tor browser.
For a superior privacy product to neuter itself for the benefit of supposed people who want inferior privacy is bizarre. Who are these people, who would want to use Tor Browser but wish it were less private? All this does is make the inferior privacy product seem better than it really is, by associating it with a superior one.
I can think of some good uses. Lots of websites block Tor, some websites (like your bank) may lock your account if you start logging in from random countries. Tor can also be a bit slow for some uses.
What's the point of using a private browser (anti-fingerprinting/etc) for logging into your bank? They already know who you are. I understand using a VPN with the exit node in your country to do banking, but that's to hide your location not your identity.
Sorry, late reply. I don't care if my bank knows who I am, but I might care if my bank can learn about my online history/preferences via the many analytics platforms and third party cookies. That shit needs to get shut down.
There are places in the world where police will come and knock on your door if you search for "barbie" or visit some foreign news website that has posted something critical about your country's regime.
You might even encourage some of those criminal acts that will be performed through this browser.
Buying drugs online almost certainly funds criminal acts. Some of the most vicious gangs in Europe traffic “mild” drugs like Ecstasy, Ketamine and marijuana. Denying this is to be profoundly dishonest with one’s self.
Even doing it isn’t a criminal act everywhere. My point was that there are ethical implication of engaging with dark web sites irrespective of what the law says.
In most jurisdictions buying drugs is a criminal act, or why would you buying them online? If you commit a crime you are a criminal, by the definition of the word. You can argue about the merits of the law, but it doesn't mean that you've not committed the crime.
You said "In most jurisdictions buying drugs is a criminal act, or why would you buying them online?" which implies that you only buy things online if it's a crime. You didn't mention where you bought your toaster or your bread, not online I hope!
- Can we HN users help push Firefox to incorporate better fingerprint circumvention? (more than current) This is, imo, one of the worst technologies that has been developed around the web. This seems like a thing all privacy focused browsers, which includes FF, should be working on together. This seems like a thing that wins by the network effect, but can be done without an authoritative browser. You just need mass numbers, and while FF isn't that large of a user share, it is large enough that probably most local networks have at least a few connections and every ISP has thousands.
FWIW, using amiunique.org I am unique on FF, Safari, Mullvad, Chrome, and Edge on a M2 Air. Mullvad is 0.22% across the board btw, so looks like that's how many Mullvad/Tor users have tried it. Though I am a bit surprised by some of the results. Similarity is very low for: UTC-07 (3% of users are on the... west coast? This can't be right), screen sizes (I thought this was going to be a win because apple consistency, but all values are <0.1% -- except depth, which is best on Safari and identical on FF/Chrome/Edge. Do people not make their browsers the full screen size? (not clicking green expand)).
- Will the browser end up having a Tor connect switch? I'd imagine this would make Tor more accessible and could make the entry via VPN method easier and safer for many users. Is that why they're working together? I guess I'm a bit confused at the collaboration here? But it does seem natural that they could work to set up easy interfaces like x -> Mullvad -> Tor, x -> Tor -> Mullvad, or even x -> Mullvar -> Tor -> Mullvad? Is this the natural extension?