Paranoid browser test - is there privacy in FOSS?

Elaborating here: My phone is running LineageOS without using the Gapps. Using ‘brave’ for whatever I don’t want to be tracked. And using a Nextcloud instance to provide what Google delivers on Android…

Thank you. I am glad you understand.

Ok, elaborating too: I use a Samsung Galaxy S3 mini (Android phone) for which I have not found any free software replacement. I very rarely connect it to Wi-Fi or mobile internet, just to check my email if I am away. I also use Gmail and Gapps. I (just like billions of others) also use an Intel CPU with that terrible thing called Intel ME (which me_cleaner cannot remove) and a motherboard for which there is no coreboot support. Oh well, I also use Windows as a dual boot (which I never connect to the internet) because there are a few apps for which there is still no decent FOSS alternative and they need graphics acceleration (and so far I have been unable to make vga-passthrough work, I have several threads here related to it). My router is also running (partially) proprietary firmware.

I am willing to change all this but:

  1. Librem phone is still not made
  2. A laptop does not cover my needs for graphics editing and I am unaware of any workstations which are completely free from Intel ME and proprietary BIOS/UEFI
  3. None of the online service providers who talk about great privacy etc (including Kolab Now and others) has even thought about freeing their systems from proprietary stuff running on ring -2 and -3. This basically means that no hosting or mail provider can ensure real security. The only service-providing company (for which we all have mixed feelings) which seems to have serious concerns and actions about this is Google. Without going too much off-topic: To my mind (feel free to correct me if I am wrong), if there is a system running at higher priority than the kernel, which has access to, can modify and transmit every bit of information - things like passwords and encryption keys on kernel/user level pretty much lose meaning. Same applies to Tor browsing. Obviously even more for general browsers.
  4. Meanwhile one needs to survive materially, so one cannot simply pull all cords or trash all hardware (and go to that cave)

In short: some of the questions are a matter of time, others are really a matter of other people having to do things. It is not a personal thing but something which I think applies to everyone. So it seems to me correct to bring non-freedom to the attention of those who can do something about it (at whatever level/ring). Unfortunately people seem to be so strongly programmed to escape from facts and waste energy in other meaningless and unimportant things that even sharing meets huge resistance.

My point here is that I see many linux users bothering about FF, Chrome and their data, whilst in the meantime giving the same data away through other devices. Or even worse, having one of these new Alexa, Home or whatever devices listening to whatever they say or do in their homes. A friend has such a device and does not understand me laughing about his move to Tor browser etc.
The nasty bit about privacy control is that if one wants to control it, one has to control it everywhere, i.e. on every device owned.

You are quite right. To the best of my knowledge Purism seems to be the only company digging deep into all this. But privacy is not only about the device but primarily about the information. Say you have the perfect device but you need to share info with someone who hasn’t. Even if the other person also uses end-to-end encryption, his system is compromised, so the info can leak.

So personal devices won’t resolve the root issue because it is unlikely that there will be a point in time when every device will be perfectly free from proprietary stuff and malware. Not because it is technically impossible (technology is fine) but because human thought does lots of mischief. If people didn’t do all these crazy things, perhaps we wouldn’t even need to have passwords or door locks. But what we actually have is organizations building quantum computers for the purpose of breaking the strongest crypto keys, global spying etc. So in one way or another we are forcing ourselves to go back to the cave.

Thank you to all who added info about this topic. Following this I found a number of entries in about:config for which I couldn’t yet find any info: network.idn.whitelist.xn* which I disabled, but I’m not sure what they are? Could anyone enlighten me? Thanks and HAPPY NEW YEAR to ALL!

http://kb.mozillazine.org/Network.IDN.whitelist.*

Thank you, I found that, but there are no entries for network.IDN.whitelist.xn* (ex. network.IDN.whitelist.δοκιμή) in the list, so I’m not sure what they are used for. The link provided has a very limited amount of info (at least for me). So far I set all of them (maybe 20 or so) to false until I find a reason for their existence.

On the other hand, why not simply accept that, the WWW is what it is and that, the W3C seems to be heading in a particular direction?

  • In other words, the W3C is continually defining “nice new things” for the WWW and, there’re people (companies) out there who’re taking advantage of everything the WWW protocol suite is offering.

Therefore, instead of attempting to block everything in order to defend your personal privacy, why not do exactly the opposite? With the following caveat:

  • Make sure that, the machine’s user which is accessing the WWW is a very boring “(almost) no personal data” user.

We’re using Linux, which means that, we can define thousands of users per system and, make each user’s directory set inaccessible for the other users defined on the machine in question.

For example, define a user whose only purpose is to access your online bank account.

  • This user’s data is only that data associated with the transactions you’ve executed with your bank – your bank can search (via WWW protocols) that user’s data and what will they find? – only the transaction data they already have (in their vaults).

Define, per forum or “networking” service (Facebook & Co.) a user who only accesses that forum or service by means of the WWW protocols.

  • This user’s data is only that data associated with the forum’s (or Facebook) activities.

Think about the following “big data” scenario:

  • Each (per WWW service) user only has local data which is associated with that particular WWW service.
  • The “big data” algorithms only have access to user data which was originated by that particular WWW service.
  • The “big data” algorithms continually collect redundant data which was generated by the concerned WWW service.
  • The electricity bill for the CPU time needed to search through the large amounts of redundant data will not be small.

Yes, I do admit this is possibly urban terrorism but, given that, being “modern” means that we’re damned to use the WWW (yes, AFAICS, it does have its advantages) and therefore, we need to be aware of the risks involved and, need to be able to deal with those risks . . .
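One way to set up the per-service accounts described above on a Linux box, as an added example that is not part of the forum post. It assumes an X11 session (the xhost line), that the nologin path is /sbin/nologin on your distribution, and that the account names (www-bank etc.) are yours to choose; the useradd and chmod parts need root.

```shell
#!/bin/sh
# Added example: one locked-down local account per web service, so a site
# reached from the "bank" account can only ever see that account's profile.

# Create a service account with a private home (mode 0700): no other local
# user can read its browser profile, cookies or downloads.
create_service_user() {   # usage: create_service_user www-bank   (root)
    # /sbin/nologin is assumed; Debian-style systems use /usr/sbin/nologin
    useradd --create-home --shell /sbin/nologin --comment "browser-only" "$1"
    chmod 0700 "/home/$1"
}

# Check that a home directory really is private (mode exactly 0700).
# Returns 0 when it is, 1 otherwise, so it can be used in scripts and cron.
home_is_private() {       # usage: home_is_private /home/www-bank
    [ "$(stat -c '%a' "$1")" = "700" ]
}

# Run a browser as the service account from your own desktop session.
# xhost grants display access to that local user only (assumes X11; Wayland
# compositors need their own mechanism).
run_as_service_user() {   # usage: run_as_service_user www-bank firefox
    user=$1; shift
    xhost +SI:localuser:"$user" >/dev/null
    # sudo executes the command directly, so the nologin shell does not matter
    sudo -u "$user" -H env DISPLAY="$DISPLAY" "$@"
}
```

Anything the browser writes (cache, cookies, downloads) lands under the service account's 0700 home, so your normal account's files are never in the browser's reach and vice versa.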

Why people don’t just accept the tyranny of governments but make revolutions etc? It’s not different in any way. Today the wars and the revolutions are largely about information which gives control over others. The central issue though is that people don’t really fight for freedom but for control, i.e. whether I control or whether you control.

Therefore, instead of attempting to block everything in order to defend your personal privacy, why not do exactly the opposite? With the following caveat:

  • Make sure that, the machine’s user which is accessing the WWW is a very boring “(almost) no personal data” user.

We’re using Linux, which means that, we can define thousands of users per system and, make each user’s directory set inaccessible for the other users defined on the machine in question.

For example, define a user whose only purpose is to access your online bank account.

  • This user’s data is only that data associated with the transactions you’ve executed with your bank – your bank can search (via WWW protocols) that user’s data and what will they find? – only the transaction data they already have (in their vaults).

Define, per forum or “networking” service (Facebook & Co.) a user who only accesses that forum or service by means of the WWW protocols.

  • This user’s data is only that data associated with the forum’s (or Facebook) activities.

AFAIK QubesOS does exactly that but even deeper - not through users but through separate VM guests.

Think about the following “big data” scenario:

  • Each (per WWW service) user only has local data which is associated with that particular WWW service.
  • The “big data” algorithms only have access to user data which was originated by that particular WWW service.
  • The “big data” algorithms continually collect redundant data which was generated by the concerned WWW service.
  • The electricity bill for the CPU time needed to search through the large amounts of redundant data will not be small.

Yes, I do admit this is possibly urban terrorism but, given that, being “modern” means that we’re damned to use the WWW (yes, AFAICS, it does have its advantages) and therefore, we need to be aware of the risks involved and, need to be able to deal with those risks . . .

Security through isolation at OS level seems no longer applicable - considering Intel ME, AMD PSP, proprietary BIOS and even binary blobs in “open” BIOS replacements, closed chips in video cards, hard drives and other hardware running their own closed firmware, Spectre/Meltdown. As long as there is a layer with higher priority (closer to the semiconductor) that controls things, software measures become futile. Technology as it is today is not suited to fix our human issues. On the contrary - it is more and more suited to create deeper issues.

New browser tested: Brave

Result: Lots of background communication, even after tightening of settings. Worse than Firefox.

Details submitted in bug report:
https://github.com/brave/browser-laptop/issues/12632

2 new browsers tested:

TOR

Result: Lots of background communication but all of it to subdomains of your-server.de over https.


Midori

Procedure: Set home page to blank, disable scripts, restart.

Result:

On startup: Zero (0) packets sent.

On opening of preferences only this was shown in tcpdump (and I don’t know anything about ssdp):


IP pc.49352 > 239.255.255.250.ssdp: UDP, length 132
IP pc.49352 > 239.255.255.250.ssdp: UDP, length 133

but only the first time the browser is started. Shutting down the browser and opening preferences again doesn’t show such packets in tcpdump (unless the machine is rebooted).

Browsing to https://fsf.org/txt shows only communication with fsf.org and no packet sending to any other hosts whatsoever.

Additional info: Acid3 test shows 100/100 (with enabled JS). It also has quite a few built-in extensions, one of them an adblocker which unfortunately is not as advanced as my favorite uMatrix and uBO. Another disadvantage I notice: it has some issues with color management making images appear oversaturated.

A bug noticed: opening https://browserleaks.com/ip causes Midori to crash.
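The tcpdump checks in these browser tests boil down to one question: which hosts did the machine talk to that are not the site being visited? The script below, an added example that is not part of the thread, parses tcpdump's default text output (with or without timestamps) into per-destination packet counts and flags any host that is neither the visited site nor one of its subdomains. The sample lines are constructed, including the hostname "pc" and a made-up telemetry.example destination.

```python
import re
from collections import Counter

# Constructed sample of tcpdump output (not a real capture): two SSDP
# multicast packets, a visit to fsf.org, and one unrelated outbound connection.
SAMPLE = """\
IP pc.49352 > 239.255.255.250.ssdp: UDP, length 132
IP pc.49352 > 239.255.255.250.ssdp: UDP, length 133
IP pc.41234 > fsf.org.https: Flags [S], seq 1, win 64240, length 0
IP fsf.org.https > pc.41234: Flags [S.], seq 2, ack 2, win 65160, length 0
IP pc.41235 > static.fsf.org.https: Flags [S], seq 3, win 64240, length 0
IP pc.41236 > telemetry.example.https: Flags [S], seq 4, win 64240, length 0
"""

# Optional timestamp, then "IP"/"IP6", then "src.port > dst.port:".
LINE = re.compile(r"^(?:\d{2}:\d{2}:\d{2}\.\d+\s+)?IP6?\s+(\S+)\s+>\s+(\S+):\s")


def split_endpoint(endpoint):
    """tcpdump writes host.port; the port is the text after the last dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def outbound_destinations(capture, local="pc"):
    """Count packets sent *from* the local host, keyed by (dest host, port)."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src_host, _ = split_endpoint(m.group(1))
        dst_host, dst_port = split_endpoint(m.group(2))
        if src_host == local:
            counts[(dst_host, dst_port)] += 1
    return counts


def unexpected(counts, allowed):
    """Destination hosts that are not an allowed site or a subdomain of one."""
    def permitted(host):
        return any(host == a or host.endswith("." + a) for a in allowed)
    return sorted({host for (host, _) in counts if not permitted(host)})


if __name__ == "__main__":
    counts = outbound_destinations(SAMPLE)
    for (host, port), n in sorted(counts.items()):
        print(f"{n:4d}  {host}:{port}")
    print("unexpected:", unexpected(counts, ["fsf.org"]))
```

Feed it a real capture with `tcpdump -l -n -i <iface> | python3 thisscript.py` after swapping SAMPLE for sys.stdin.read(); with `-n` the hosts appear as IP addresses, so the allowlist then needs the site's addresses instead of names.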

Reading them all with interest.

Following this thread with interest as well.

Tor browser has a reputation of being the tool of excellence when the primary goal is privacy and incognito browsing. In the end, did your tests support or refute this?

I have used Midori before; caught my attention precisely for being lightweight, and portable IIRC…
Your results would make it look not bad indeed… a big shame it seems to no longer have further maintenance for quite a while already, and perhaps due to this fact it has problems trying to load certain websites (freezes).

Have you tried Palemoon yet, BTW?

Hi guys! Nice to be back! After my post on the Firefox browser, hell broke loose every time I tried to log into this forum. My login didn’t work (I was redirected to some kind of novell login page, the credentials didn’t work) and until some days ago, after some minutes my IP got DDoSed from the web every time I tried to log in. Good to be back, but I’m not going to post anything more in this thread. Lesson learned… :wink:

I have shared what I found about Tor. It is difficult for me to evaluate anything further because everything it does is in another network, i.e. tcpdump shows only the connection to the node which serves as a gateway to that Tor network.

Have you tried Palemoon yet, BTW?

No.

What lesson have you learned? Are you saying that this forum is DDoS-ing your IP address?

As for login: I always login through https://login.microfocus.com - I think it has always been this way.

The microfocus page redirected me to a novell login page. Again and again. Last time I checked was some days ago. Today login worked again… :slight_smile: I tried palemoon: Short version: Pull the LAN cable before the FIRST start of palemoon. Configure the settings, search pages, EMPTY new tab settings (!) / start pages (!!!) and re-open with LAN cable plugged in. Install No-script etc. After that I saw no traffic upon opening the browser again.

Strange.

BTW I have just tested:

PaleMoon

Results:

With default (“factory”) settings the browser starts with some PaleMoon page which obviously results in packet exchange.

After tightening of privacy settings (similar to previous browsers) the result is:

The browser also supports uBO and uMatrix (though - only older versions, not the new ones which are WebExtensions)

It seems to me I may have finally found a FOSS browser which respects privacy too.

Please test it and share your results.

Apologies beforehand if it sounds slightly daring, but is there any particular stuff you’d like to be reported?

I have used PaleMoon only a bit until now, primarily as a solution for stuff that no longer works on Firefox or Chrome (mostly plugin-related stuff).
But it has also some other good features: portable version, it can read system-installed plugins, or other versions can be installed in its own folder to override the system’s…
Though it’s certainly not as lightweight as Midori, for example…

By the way, speaking about plugins, even though they claim that Adobe Flash is more secure now with its fixes and stuff, I still don’t really trust it since its first revealed downfall. Would you share this thought, or would you say it’s not that bad to still use Flash nowadays now that it was “fixed”? I bring this topic up because even though Flash should have died long ago, it’s sadly still used on many websites…

I still get the background chattering on startup :\