[HN Gopher] Microsoft bakes a VPN into Edge and turns it on
___________________________________________________________________
Microsoft bakes a VPN into Edge and turns it on
Author : elashri
Score : 364 points
Date : 2022-09-30 16:44 UTC (6 hours ago)
(HTM) web link (adguard-vpn.com)
(TXT) w3m dump (adguard-vpn.com)
| eatonphil wrote:
| I think Pixel phones (or maybe it's all Google Fi phones) also do
| this.
| andrewstuart2 wrote:
| Why do I always get a bad feeling about the motivations behind
| stuff like this? I want to believe it's for better privacy and
| security, but it's being driven by a corporation or two, and that
| makes me 100% suspicious. Like, for example, suddenly Edge is no
| longer respecting local DNS options and my pihole protects one
| fewer device from the real dangers to privacy. I don't want to be
| cynical so often, but this really doesn't feel like a benevolent
| move. Yeah, it's conditional at the moment, but as with Chrome
| and manifest v3, among many other examples, I'm losing my faith
| that anything with the potential to increase ad revenue will
| remain turned off for long.
| jahewson wrote:
| The motivation here is surely reducing ad tracking.
| legitster wrote:
| I mean, if you have an attitude that anything an organization
| does must be for an ulterior motive, you're always going to get
| what you are looking for. Heck, people too for that matter.
| Maybe my dog just pretends to love me to get food.
|
| But in this case, Microsoft is looking for any competitive
| advantage against Google. They won't win on targeting, and they
| still make more money selling software than ads. So this does
| seem like an easy win for them.
| hamburglar wrote:
| > if you have an attitude that anything an organization does
| must be for an ulterior motive ...
|
| Well in the case where they are spending a lot of money to
| implement and operate a feature that nobody asked for and
| which has obvious privacy downsides, it does seem worthwhile
| to examine their motives. It's not like we're responding to
| the announcement for the next model of the Microsoft
| ergonomic keyboard with "hmmm, what are they _up to_?"
| nearbuy wrote:
| > obvious privacy downsides
|
| What is the obvious privacy downside of selectively
| enabling a Cloudflare VPN when browsing on public Wifi or
| unsecured sites (which is when it enables)? That Cloudflare
| can see what sites you visit?
|
| On public Wifi and unsecured sites, anyone could
| potentially see and modify the data anyway.
| marcosdumay wrote:
| If it was good for you, Microsoft would be the one announcing
| it. Loudly and repeatedly. They would do it even if it was
| harmful, but there existed some artificial narrative where it
| sounds good.
|
| You are hearing it from a third party exactly because they
| couldn't construct any explanation minimally realistic that
| sounded good.
| ratg13 wrote:
| They haven't announced it yet because it hasn't been
| released. Reading the article, it does sound pretty decent.
|
| Partnership with cloudflare, selectively enables when you are
| connected to untrusted networks like public wifi.
|
| Pretty much the only downside is that they turn it on by
| default... which is always tricky when most of your target
| audience is not computer savvy in the least.
|
| How to give people security features that they have to figure
| out themselves when they can barely open the browser .. a
| dilemma for the ages.
| uup wrote:
| VPNs don't help privacy at all. They allow you to substitute
| trust in your ISP for trust in a different entity. For some,
| that may be good, but for most others it's a wash.
| riedel wrote:
| In Germany (according to TTDSG) an ISP does not have to claim
| that. They need explicit permission to track you. It is
| pretty much as the post does not have to claim that they open
| your envelopes.
| yjftsjthsd-h wrote:
| > VPNs don't help privacy at all.
|
| > For some, that may be good, but for most others it's a
| wash.
|
| That sounds less like "VPNs don't help privacy at all" and
| more like "VPNs are helpful some of the time".
| nine_k wrote:
| VPNs help against geolocation and geofencing though.
| jimmydorry wrote:
| I would reverse that assertion under the one condition that
| you don't use a VPN provider from your own country. In
| Australia at least, ISPs are legally required to maintain
| logs of everything you access for several years. By choosing
| to trust a VPN provider outside of Australia, you de facto
| have better privacy than you otherwise would have.
| AnimalMuppet wrote:
| Does the VPN company have a business presence in Australia?
| If so, then maybe you haven't gained as much as you
| think...
| andrewstuart2 wrote:
| I'd say they're still a net win, generally. The ISP vs VPN
| service tracking who does cancel out (if you ignore privacy
| claims of VPN providers, vs ISPs generally not guaranteeing
| that at all), but for every other service I might consume,
| when I'm on VPN I'm no longer connecting from a unique IP
| that can have other identifying information tagged to it.
| simon1573 wrote:
| To add to that: in Sweden (which is generally pretty ok in
| regards to privacy and rights) ISPs are required to store
| traffic for 6 months, while VPN providers are not.
| lokedhs wrote:
| Wasn't this struck down by the EU recently?
| Double_a_92 wrote:
| They help in public WiFi.
| jacobsenscott wrote:
| Public wifi, assuming you don't send any personal info to
| "sign in" to the public wifi is more anonymous than a vpn
| that has your name/address/etc.
| babypuncher wrote:
| So I can pay $10/mo for a VPN for use when I'm on public
| wifi, or I can run WireGuard on my Raspberry Pi at home and
| get one for free
| wbsss4412 wrote:
| Not sure what services you've looked at, but it
| definitely doesn't cost $10/month.
|
| Your personal solution seems pretty good though.
| wintermutestwin wrote:
| Unless you are a network security expert, aren't you
| greatly increasing your risk by running that WireGuard
| server?
| fjfbsufhdvfy wrote:
| Why would you? Nobody can connect to it without your
| private key. Or is there something I am not aware of?
| Genuine question, as I am running wireguard in a few
| places and thought it was secure by default.
| bilkow wrote:
| WireGuard is pretty minimalist and has great defaults,
| AFAIK if you manage to set it up you're good.
|
| Unless your credentials leak, of course, but a security
| expert would have that same risk.
| elashri wrote:
| It might be cheaper but still not free. Cost of
| electricity + time to maintain + Raspberry Pi itself. Not
| to mention that you don't get the variety of servers (for
| geo-location or more diverse networks not tracked to you
| by websites themselves).
| babypuncher wrote:
| Well the Raspberry Pi is already on 24/7 running a few
| other services for my home network. But even then, the
| energy consumption per month costs pennies. I update the
| device once a quarter and it takes me 5 minutes. These
| costs are so negligible as to have no impact on my
| decision making process.
| zekica wrote:
| Modern TLS is enough to prevent others from eavesdropping
| everything except domain names when on public WiFi. Domain
| names are sent in clear text if your client supports SNI.
| doubled112 wrote:
| A trail of DNS names is more than enough to know what
| somebody is up to.
| uup wrote:
| You could use DoH, which you should do anyway. No reason
| to leak DNS lookups to anyone.
| madars wrote:
| DoH alone is not enough due to
| https://en.wikipedia.org/wiki/Server_Name_Indication
| being sent in plain text. Some day ECH (formerly, eSNI)
| should help with that.
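
Added example (not part of the thread and not any commenter's code): the plaintext SNI described in the comments above, read back out of a ClientHello that Python's ssl module generates in memory, with no network traffic. The hostname example.com and all function names are assumptions for illustration; the parser also lists the versions offered in supported_versions, so the SNI can be seen next to a TLS 1.3 offer.

```python
import ssl

SNI_EXT = 0                  # server_name extension
SUPPORTED_VERSIONS_EXT = 43  # supported_versions extension


class _Reader:
    """Bounds-checked cursor over bytes; raises ValueError on truncation."""

    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def remaining(self):
        return len(self.buf) - self.pos

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n):
        return int.from_bytes(self.take(n), "big")

    def vec(self, len_bytes):
        """Read a length-prefixed vector whose length field is len_bytes wide."""
        return self.take(self.uint(len_bytes))


def build_client_hello(hostname):
    """Generate a real ClientHello offline by handshaking into a MemoryBIO."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written, the client now waits for a server
    return outgoing.read()


def inspect_client_hello(wire):
    """Return {'sni', 'offered_versions'} as a passive observer would read them.

    Returns None if the bytes are not a complete ClientHello.
    """
    try:
        rec = _Reader(wire)
        handshake = b""
        while rec.remaining() >= 5:          # reassemble handshake records
            content_type = rec.uint(1)
            rec.take(2)                      # legacy record version
            fragment = rec.vec(2)
            if content_type != 22:           # 22 = handshake
                break
            handshake += fragment
        hs = _Reader(handshake)
        if hs.uint(1) != 1:                  # 1 = client_hello
            return None
        hello = _Reader(hs.vec(3))
        hello.take(2 + 32)                   # legacy_version + random
        hello.vec(1)                         # session id
        hello.vec(2)                         # cipher suites
        hello.vec(1)                         # compression methods
        result = {"sni": None, "offered_versions": []}
        if hello.remaining() == 0:
            return result                    # no extensions at all
        exts = _Reader(hello.vec(2))
        while exts.remaining():
            ext_type = exts.uint(2)
            body = _Reader(exts.vec(2))
            if ext_type == SNI_EXT:
                names = _Reader(body.vec(2))
                while names.remaining():
                    name_type = names.uint(1)
                    name = names.vec(2)
                    if name_type == 0:       # 0 = host_name
                        result["sni"] = name.decode("ascii", "replace")
            elif ext_type == SUPPORTED_VERSIONS_EXT:
                versions = _Reader(body.vec(1))
                while versions.remaining():
                    result["offered_versions"].append(versions.uint(2))
        return result
    except ValueError:
        return None


if __name__ == "__main__":
    wire = build_client_hello("example.com")   # constructed sample input
    info = inspect_client_hello(wire)
    print("bytes on the wire:", len(wire))
    print("SNI visible to an on-path observer:", info["sni"])
    print("offers TLS 1.3:", 0x0304 in info["offered_versions"])
```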
| erinnh wrote:
| I thought TLSv1.3 already encrypted the SNI?
| [deleted]
| ranger_danger wrote:
| you'll always be leaking it to whoever you are sending
| your query to.
| Forge36 wrote:
| While traveling I've used my own VPN hosted at home to
| provide additional security.
|
| It allows me to trust only my ISP instead of every ISP in
| various coffee shops.
| 7952 wrote:
| It is not just about your ISP though. Your IP is getting sent
| to whatever website you are connecting to. People won't
| always trust that website.
| P5fRxh5kUvp2th wrote:
| > VPNs don't help privacy at all
|
| Of course they do, I'm so tired of seeing posts like this
| when really what you mean is that it's not perfect privacy
| and therefore you don't like it.
| shubb wrote:
| One of the main use cases today for VPNs is to pirate
| movies or access geo-blocked content. That and dodgy hotel
| wifi.
|
| The adversary is netflix or an IP rights enforcement
| company, and the user doesn't care what their ISP or a
| state could observe.
|
| For what they are used for, they are fine. If you are
| worried about state or megacorp spying, the solution is
| less technical and more political.
| sascha_sl wrote:
| No as a rule.
|
| They just replace your ISP with a VPN company. Which of the
| two is more shady is something you have to figure out,
| keeping in mind that a subsection of the internet just
| stops working or turns the aggressiveness of their anti-bot
| protections up to the maximum on a VPN.
| pkulak wrote:
| Of course they do? They are a tool that routes traffic
| through a third party. That can be anywhere from terrible
| to fantastic for privacy, with everything in between.
| There's nothing "of course" about it.
| inetknght wrote:
| > _Of course they do_
|
| Let me compare an ISP spying vs a VPN spying:
|
| 1. You make DNS request about example.com. Your ISP sees
| this. Your ISP can see what websites you "might" visit.
|
| 2. You connect to 1.2.3.4. Your ISP sees this. Your ISP can
| see what websites you "did" visit.
|
| 3. You request some data and receive some data. Your ISP
| sees the size of the data. If it's not encrypted, it can
| also see the content. Your ISP can see (at least) the size
| of objects that you requested -- which is enough to
| fingerprint many specific contents.
|
| Okay so not using a VPN gives effectively zero privacy.
| Let's look at a VPN:
|
| 1. You connect to a VPN (and let's assume your connection
| doesn't "leak" insomuch as now _all_ network traffic goes
| through the VPN). Your ISP can see this.
|
| 2. You make DNS request about example.com. Your VPN sees
| this and your ISP can see a network packet. Your VPN can
| see what websites you "might" visit, your ISP can't.
|
| 2. You connect to 1.2.3.4. Your VPN sees this. Your VPN can
| see what websites you "did" visit. Your ISP still sees
| traffic to the VPN.
|
| 3. You request some data and receive some data. Your VPN
| sees the size of the data, and your ISP only sees the
| aggregate-size of data across all of your sessions. If it's
| not encrypted, your VPN can also see the content but your
| ISP should still only see aggregate size. Your VPN can see
| (at least) the size of objects that you requested -- which
| is enough to fingerprint many specific contents. Your ISP
| will have a tough time fingerprinting content from specific
| websites.
|
| 4. Your ISP can note that you have a high amount of
| traffic, possibly note that the traffic is going to a known
| VPN destination, and that your "normal" traffic is now
| gone.
|
| Now, your VPN can see all the stuff that your ISP used to
| see. In addition, your ISP can now determine that you might
| be doing something illegal, suspicious, or at the very
| least "enterprise grade" and demand more money.
|
| Have you really gained more privacy?
| colinmhayes wrote:
| VPNs' entire business revolves around not giving up your
| data, that's why you pay them. ISP business revolves
| around protecting their monopoly which means making the
| government happy. Massively different incentives which
| means they will act differently. If VPN leaks data and
| people find out they're done. If ISP does, nothing changes
| for them.
| ascar wrote:
| As others have mentioned you gained privacy from your
| government that has easy access to whatever information
| your ISP has but not towards a VPN provider.
|
| But the information you leak towards your ISP or VPN
| isn't the only variable. With a VPN you leak less
| information to the services you interact with (e.g. your
| IP is hidden) which undoubtedly increases privacy.
| miloignis wrote:
| Based on that analysis, I say clearly yes! Privacy is
| about choosing who to share with, be it a specific group
| or no-one. Being able to share with a VPN of my choice
| (who, if reputable, shouldn't further disseminate my
| information) is likely a privacy gain compared to being
| forced to share with my ISP (many of whom would gladly
| sell my data).
|
| Being able to choose to reveal data to Mullvad over
| Comcast or Verizon seems like a clear win to me.
| lijogdfljk wrote:
| Yea i really don't get these people. Frustratingly.
| Perfect is the enemy of good here. Yes, full privacy is
| the goal, but i _know_ certain actors are spying on me.
| If i can bypass them, i can at least attempt to improve
| it.
|
| At the very least i rob Comcast of my data. Which is my
| goal, after all. Not full privacy.
| Aaargh20318 wrote:
| > Yes, full privacy is the goal, but i know certain
| actors are spying on me. If i can bypass them, i can at
| least attempt to improve it.
|
| The problem is that it doesn't actually change anything
| while giving a false sense of security.
|
| Your VPN's 'improved' privacy is just as worthless as the
| privacy you get with just your ISP. If something requires
| privacy, neither can be used, and if it doesn't then why
| should it matter which one you use ?
|
| Privacy is an on/off thing. Either you have it or you
| don't. There is no in-between.
| nirvdrum wrote:
| My VPN provider (Mullvad) doesn't have my full name,
| address, and social security number. They could build a
| profile off my account number, sure, so I have to trust
| that they're not. If they actually aren't, fantastic, I
| win. If they actually are, I still win, because they have
| less data to build a profile on me from. I know for
| certain that my ISP is selling my data, so I'm certainly
| no worse off.
|
| On top of that, I get the benefit of not being tracked
| everywhere on the web. Or if they are tracking me, they
| have bogus data. And I can set my exit server to a
| jurisdiction with more user-friendly privacy laws.
| Aaargh20318 wrote:
| Mullvad is just the first link in the chain of untrusted
| systems between you and whatever server you're connecting
| to.
|
| Also, what better place to tap traffic than the
| connection of a VPN provider.
| P5fRxh5kUvp2th wrote:
| One wonders if you consider your bedroom to be private
| despite the fact that a peeping tom can still look
| through the window.
| hamburglar wrote:
| This is quite a concrete illustration of the concept of
| the perfect being the enemy of the good. Thank you.
| salawat wrote:
| No... It's a demonstration of adherence to the axiom "Don't
| let perfect be the enemy of good" being misapplied.
|
| The "Good" (VPN) is exactly as imperfect as its complete
| absence. There has been no improvement whatsoever.
| Literally, as far as Privacy is concerned, nothing short
| of "No one actor has the capability to sit on a full
| stream of traffic", will suffice.
|
| Either you're MITM'd or you aren't. Use malicious postmen
| if it makes it easier.
|
| If you have the same guy come, and all of your mail goes
| through him, he can reconstruct all conversational state.
|
| Now imagine you get a different malicious postman at
| random every day. He eavesdrops on every packet, but he's
| not privy to which of his fellows is scheduled to get the
| next packet. Therefore, it's not practicable to MITM in
| any practical way. This all goes out the window when
| someone controls the malicious postman scheduler, of
| course, because then they can figure out a map of who to
| go to to reconstruct your conversation.
|
| The above is the concept behind Tor, and why the only
| effective counter to it is to run a hell of a lot of
| entry/exit nodes so you can conceivably time correlate
| given enough consecutive probe points are hit.
| P5fRxh5kUvp2th wrote:
| Russia has the ability to drop a nuke in the region you
| currently live in, so there's no such thing as safety and
| therefore why do you have locks on your doors?
| genewitch wrote:
| i find this extremely doubtful. I see the point of your
| statement, but i'm willing to bet 99% of all the already
| built nuclear devices wouldn't work today. There's no way
| that they're all stored in such a way that the delicate
| mechanisms are protected from the environment and
| oxidization, moisture ingress, insects, heat and cold
| expansion and contraction.
|
| That a nation could make a _new_ device is arguable, that
| a nation could make a device that could be delivered
| without flying planes over another country is less
| arguable. Even nukes as they stand would only pose
| significant threats to certain parts of a country (there
| was a map floating around the web a few days back of
| areas of the US most susceptible to the - pardon the pun
| - fallout from a tactical strike.)
| P5fRxh5kUvp2th wrote:
| Especially when you consider that what they're really
| saying is that a VPN won't hide you from a state level
| actor.
|
| Yeah, of course not, that's not nearly the only reason to
| use a VPN.
| postalrat wrote:
| You increased the number of choices you can make
| regarding your privacy.
| piaste wrote:
| VPN and ISP are similar in terms of middlemen, but there
| is an important difference downstream of said middlemen.
|
| With your ISP, you appear on the internet as a
| residential IP that provides your approximate location
| and most likely doesn't change very often. The requests
| you make can be easily correlated by PRISM or any other
| middleman, or by any CDN running the websites you visit.
|
| With a VPN, your exit IP is unrelated to your geographic
| location, changes very often, and hopefully it is shared
| among many more users.
| DesiLurker wrote:
| Also you could use double VPN config from different VPN
| providers in separate geo locations with openDNS thrown
| in one of them. then it would be much harder to correlate
| your traffic out of the mix. It's not about perfect
| secrecy, it's about becoming hard enough target.
| vel0city wrote:
| GeoIP services are trash. My current IP on most GeoIP
| services gives a location >900 miles away. My last IP had
| a location in another country. I don't think I've ever
| had a GeoIP lookup resolve within 100 miles for any IP
| I've had.
| inetknght wrote:
| > _GeoIP services are trash._
|
| GeoIP is only necessary when seeing a new IP. But once
| the IP starts to build a reputation, then the specific
| location can be determined. It's _especially_ true if you
| buy something online.
| zmmmmm wrote:
| My single data point observation is that it gets my city
| correct nearly 100% of the time and sometimes is able to
| resolve to a nearby suburb.
| yjftsjthsd-h wrote:
| > Now, your VPN can see all the stuff that your ISP used
| to see.
|
| > Have you really gained more privacy?
|
| Absolutely, 100%, unambiguously, yes; my ISP openly says
| that they monetize my data, my VPN says they don't. I'm
| _very_ happy to gamble that the VPN is telling the truth
| when faced with the expectation that the ISP is telling
| the truth.
| squeaky-clean wrote:
| My VPN was unable to give the British government any logs
| or IPs relating to someone who emailed a series of bomb
| threats using them.
|
| As terrible as that is, yeah I feel pretty safe pirating
| movies using it.
|
| But you're right that blindly trusting a VPN without
| doing any research might be worse than blindly trusting
| your ISP.
| Dayshine wrote:
| Your isp is legally resident in the country most likely
| to want to spy on you. There are also very few isps per
| country, so it's less work for the attacker to cover
| everyone they care about.
|
| There are vast numbers of vpns, so total coverage is
| impossible. They are also very likely to be in a
| different legal jurisdiction so it's non trivial to do.
|
| So, yes, you have, by making yourself a harder target
| despite having the same amount of centralisation on your
| part
| simplyinfinity wrote:
| my country has between 3 and 20 isp's per city. of a
| country of 7 million.
| xani_ wrote:
| Same with most VPN providers. Just expands the search
| from "ask ISP" to "ask ISP, they tell government it's a
| VPN company, ask VPN company".
|
| Now, sure, they could "just" delete logs, but their
| government can "just" tell them not to, or even tell them
| to live send the logs to them directly.
|
| So it's really "which country's government you trust".
| zepearl wrote:
| Adding that in general a country's law (data
| protection/privacy in this context) usually targets its
| own citizens; traffic related to foreign citizens (as in
| the case of VPNs) would for sure have a lower degree of
| protection.
| Wxc2jjJmST9XWWL wrote:
| https://www.ivpn.net/ see "Do you really need a VPN?" - not
| affiliated with them, but tell me any other VPN-service that
| is actually this upfront... most are marketing the hell out
| of their apparent magic effects...
|
| since we're on the topic: how is it still a thing that vpn
| services are actively pitching content-block/copyright
| circumvention? Seems weird to pitch something as shady this
| loud and publicly? Reminds me of how weird I find it that
| trackers and illegal hosting sites have twitter accounts...
| wintermutestwin wrote:
| >VPNs don't help privacy at all.
|
| 1. They keep your data safe from your ISP. 2. They keep your
| IP hidden to the sites you browse.
|
| Those two clearly "help" privacy.
| rcxdude wrote:
| They also expose your data to the VPN operator. That's a
| negative on privacy. Whether it's a net negative or
| positive depends on the VPN operator and ISP involved.
| ipaddr wrote:
| The VPN provider could be you hosted somewhere using
| bitcoin.
| [deleted]
| swayvil wrote:
| VPNs don't anonymize, they just route you through an
| anonymizing service. Lol.
| voxic11 wrote:
| ISPs generally don't claim to protect your privacy at all
| [0]. So it would be foolish to trust them to do something
| they never claimed they would do. VPNs generally do claim
| they will protect your privacy so at least trusting them
| makes some amount of sense.
|
| Going from "trusting" an entity that explicitly requires you
| to consent to spying when you sign up to trusting one which
| explicitly promises to protect your privacy when you sign up
| does seem like it would "help privacy" in most cases.
|
| [0] https://www.privacypolicies.com/blog/isp-tracking-you/
| dagenix wrote:
| A major difference between your ISP and a VPN is that your
| ISP is generally an established company based in the same
| jurisdiction as you are. So, if they do something terrible,
| in theory at least, they can be brought to court. A non-
| trivial number of VPNs that claim to protect your privacy,
| however, are based all around the world with unclear
| corporate structures. If they do something terrible, you
| likely have no recourse at all. How much faith you want to
| put in a promise made by such a company is up to you - but
| I would push back on the idea that simply making a promise
| really provides much value by itself.
| actuallyalys wrote:
| ISPs don't emphasize privacy in their marketing, but some
| large ISPs claim they protect it [0], although their claims
| are pretty dubious[0][1].
|
| I think your logic holds up, but it's not quite as
| definitive as you say. VPNs are not the straightforward
| privacy upgrade that HTTPS is. (I don't think you were
| trying to imply otherwise.)
|
| I think the picture improves if you choose more carefully.
| Choosing an established VPN that has a no-log policy and
| has been audited seems much better, because now multiple
| companies are putting their reputation on the line. On the
| other hand, I think a relatively unknown company that's
| reselling someone else's VPN and hoping to cash in on the
| "VPN = privacy" is only a slight upgrade over a major ISP.
|
| [0]: https://www.latimes.com/business/story/2021-11-12/column-int...
| [1]: https://www.ftc.gov/system/files/documents/reports/look-what...
| cowmix wrote:
| You are actually being too kind IMHO.
| nerdawson wrote:
| Probably because Facebook already tried the free VPN and it was
| every bit the privacy nightmare you'd expect it to be. Given
| Microsoft's track record, there's no reason to expect that to
| be any different.
| mgraczyk wrote:
| If you have never worked at a large tech company like
| Microsoft, you'll probably have a bad feeling because there's a
| lot you don't know about the business process of shipping
| features like this. It's reasonable to be cynical and confused
| if you have never seen it from the other side.
|
| For the most part, product features like this are shipped for
| boring and completely non-nefarious reasons. It's just hard to
| believe that if you've never worked on one.
| [deleted]
| aeturnum wrote:
| I am 100% with you in general, but this feels more like the
| Windows Defender launch than some fully cynical power grab.
| That is to say - Microsoft gets a lot of grief and work from
| windows installs getting taken over / viruses / etc. For users
| who don't pick up their own protection (and don't choose to
| turn off the default windows protection) this feels like a
| better default. I don't trust Microsoft, but you are already
| exposed to their manipulations when you are using their OS -
| and this will help protect you from other manipulations.
| spicybright wrote:
| Anything that decides to wrap around your internet traffic
| without telling you should definitely raise your antennas.
|
| Even if they had the best intentions, it's pretty easy to botch
| these things which erode your privacy even more.
| numpad0 wrote:
| Block UDP port 53(DNS).
| samstave wrote:
| IMO it's so they can keep the data-usage metric in their hose
| and not leak it to other companies which are competing for ad
| attention...?
| kirillzubovsky wrote:
| Check out the book "Hard Drive" about the early days of
| Microsoft, and you will never be able to see anything that
| corporate does without suspicion, and for a good reason.
| kirillzubovsky wrote:
| And apparently we now get downvoted on Hacker News for a book
| recommendation. Amazing.
| r00fus wrote:
| When trying to ascertain the intents of large organizations, I
| find it useful to examine previous actions. In the case of
| Microsoft, their willingness/intent to add ads and telemetry
| (including keylogging) into their OS seem to indicate they are
| doing this for serving ads better to their larger (paying)
| customers.
|
| If you're not paying for the (specific) service, you are the
| product.
| deviantbit wrote:
| The reason you have a bad feeling is it gives the FBI/FEDS a
| single point to collect your data, with a man-in-the-middle
| attack that you will have no idea is there.
|
| This is absolute BS they're implementing this.
| bakuninsbart wrote:
| Maybe a dumb question, but isn't that already a given when
| using a browser? To me it always seemed a bit absurd to use
| VPN as it basically just gives another person all your info,
| but just assumed browsers and the big 5 just got most of the
| data anyway.
| frankfrankfrank wrote:
| The only thing I can see working is pollution, pollution of
| our data. There are some current extensions that do some of
| that, but they are likely not enough and what we really
| need is a kind stream of data and requests that your own
| requests are simply merged into.
|
| The thing is that it would need to be smart enough to
| prevent pattern recognition, e.g., it cannot just be random
| data because your specific searches and string of searches
| or actions will stand out quite obviously.
|
| Yes, it would place a severe tax on the internet and a few
| things could be done to minimize that, but I currently do
| not see any other better option.
|
| I could see it implemented where your activities online are
| merged with and threaded into those of related or similar
| communities, e.g., be it family and friends, the YC
| community, or a combination of different groups. The effect
| would come from the proximity to similar but not exact
| activities. To use a common example, if your legal free
| speech activities could make you a target, those online
| activities are muddled and polluted by being merged with
| other people's legal free speech activities, and your
| activities would be merged with those of others.
|
| Consider it a kind of mutual compromise of society in order
| to provide protection/obfuscation in numbers ... the zebra
| in a herd, if you will. They can't arrest/target everyone
| if everyone has activity data that looks like they defy the
| ruling powers.
| autoexec wrote:
| > The only thing I can see working is pollution,
| pollution of our data.
|
| this is a terrible and dangerous idea. Nobody cares about
| the accuracy of the data they collect on you. Stuffing
| your dossier with random things won't cause anyone to
| throw it away just because there might be errors in it.
| Instead all of that data, random/accurate or not, will be
| used against you all the same.
|
| Your clever browser extension might have been responsible
| for browsing to a bunch of fast food websites, but your
| health insurance provider won't care. They'll just see
| that in your internet history and quietly raise your
| health insurance premiums anyway.
|
| If your legal free speech activities make you a target,
| adding more free speech activities to your permanent
| record just means you'll also now be targeted for those
| activities on top of your own.
|
| You can't know what will prejudice someone else against
| you. You might not be gay, or Muslim, or a heavy drinker,
| or an Andrew Yang supporter, but your browser extension
| pulls in the wrong data that gets you flagged as being
| one and it could cost you your job, get you denied
| housing, etc.
|
| You might not be looking into getting an abortion, but
| anti-abortion activists who buy up the data of anyone who
| appears to be trying to get one, or looking for support
| after getting one, will still see you listed and you will
| still get harassed by them or dragged into a texas court
| room.
|
| You might not be rich, but data brokers and consumer
| reputation services will see that you've been interested
| in expensive vacation spots and online stores will start
| charging you more than your neighbors for the same items
| on the assumption that you are.
|
| If you want to try to hide in the crowd look into a VPN
| or TOR (although be aware device/browser fingerprinting
| can still get your traffic associated with you). Just
| please understand that giving others more ammo to use
| against you isn't helping yourself or anyone else. Adding
| more and more data to your internet history just
| increases your risks substantially because no matter if
| you deserve it or not your life will be impacted in
| countless ways by the data you surrender and none of that
| data, "pollution" or genuine, ever goes away.
| 867-5309 wrote:
| >what we really need is a kind stream of data and
| requests that your own requests are simply merged into
|
| having a wife and kids helps with this. or any shared
| wifi with a guaranteed shitstream for your tunnel to wade
| through
| stavros wrote:
| How are the browsers and the big 5 getting the data? It's
| not like you can't see what your browser is sending where.
| sheerun wrote:
| From my experience, non-tech people just leave browser
| defaults. I'd argue this is better than letting them use
| public wifi without VPN. If you really care about security
| you won't use it, of course
| dataflow wrote:
| Public Wi-Fi in the world of HTTPS is not exactly
| terrifying.
| mjevans wrote:
| You forget exactly how much the government felt they got
| out of just knowing who was talking to whom, not even
| bothering to collect the data of the conversation itself.
| NegativeLatency wrote:
| Now they only have to subpoena/hack/partner with
| Microsoft for that
| snickerbockers wrote:
| yeah but I'm pretty sure 99% of the population just clicks
| past those SSL certificate warnings, in part because they
| don't understand what that means, and in part because
| there are way too many sites that let their certificates
| expire.
| samstave wrote:
| Public wifi and bluetooth detectors all over is what's
| scary, as most public wifi is used by phones, not
| machines and who the hell is running edge on their phone?
|
| but this just reminded me of the failed FB phone and the
| failed microsoft phone...
| gambiting wrote:
| HTTPS is trivial to break with a man in the middle
| attack, yes you get a scary warning in your browser about
| an invalid certificate, but I'd bet that 90% of people
| will just click through it and ignore it.
| ShinTakuya wrote:
| I'd argue the invalid certificate would only get the
| middle segment of semi-tech literate but security
| illiterate people. So maybe a lot of people on this site.
| The average user, based on my observations, tends to
| take these warnings very seriously.
| jiayo wrote:
| Have you looked at what the UX is for invalid
| certificates in 2022? It's not like ten years ago where
| you just click enough times and "visit anyway".
|
| Here, try this link in Chrome:
| https://untrusted-root.badssl.com/. When you click Advanced, it tells you
| "the website sent scrambled credentials that Chrome
| cannot process". And beyond that there's just no button
| to bypass it. You can't visit the site. (Sure, there's
| probably a chrome://flags or --disable-web-security way
| to bypass this, but that's well beyond the average user's
| comfort zone, as well it should be.)
| gambiting wrote:
| I clicked that link - in Chrome on Android all I had to
| do was click "advanced" then "proceed anyway". I have
| never changed any flags or default settings in this
| browser.
| 988747 wrote:
| I just tried to open the site in Safari, and there's no
| "Continue anyway" button, only "Go Back". I did not
| change any default settings, because I use Firefox as my
| daily driver (and Firefox does have "Accept risk and
| continue" button, but I think the word "risk" on it is
| scary enough for many people to not click it).
|
| EDIT: It turns out there is a "visit this website anyway"
| option in Safari, but it is not a button, it's a link
| which you only notice when you click "Show details"
| button and read the warning.
| chrnola wrote:
| A slight digression, but I read[1] recently that typing
| "thisisunsafe" while the tab has focus is sufficient for
| bypassing the warning.
|
| [1]: https://twitter.com/cyb3rops/status/1561995926666985
| 472?s=20...
| shepherdjerred wrote:
| I highly doubt this prediction is accurate. Most people
| will think something is broken and call tech support.
|
| Aside from that, this isn't possible for HSTS sites.
| 1vuio0pswjnm7 wrote:
| "Aside from that, this isn't possible for HSTS sites."
|
| Isn't it possible for the user to disable HSTS. A simple
| web search produces detailed instructions, from a CA.
|
| https://sectigostore.com/blog/how-to-disable-hsts-in-
| chrome-...
|
| Also, what does "HSTS sites" mean. Does it mean (a)
| "official" HSTS via HTTP header alone, (b) "unofficial"
| HSTS via preload list (see RFC 6797 section 12.3), i.e.,
| the list maintained by Google, hardcoded into a browser,
| or (c) both. The "unofficial" approach only seems
| feasible for a limited number of domainnames and
| unworkable for every domainname in existence.
|
| In tests I have done on Chrome (YMMV), executing "Clear
| site data" via Developer Tools, or including
| Clear-Site-Data: *
|
| in an HTTP response header, e.g., added via a user-
| deployed proxy, will clear an "official" HSTS block,
| allowing the "MITM" to proceed.
|
| Besides being generally annoying, HSTS allows for setting
| "supercookies" that persist even in "Incognito" mode
|
| https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-
| bro...
|
| The RFC for HSTS even admits how it can be used for web
| tracking. Not too concerning for the advertising company
| sponsoring the RFC.
|
| 14.9. Creative Manipulation of HSTS Policy Store
|
| Since an HSTS Host may select its own host name and
| subdomains thereof, and this information is cached in the
| HSTS Policy store of conforming UAs, it is possible for
| those who control one or more HSTS Hosts to encode
| information into domain names they control and cause such
| UAs to cache this information as a matter of course in
| the process of noting the HSTS Host. This information can
| be retrieved by other hosts through cleverly constructed
| and loaded web resources, causing the UA to send queries
| to (variations of) the encoded domain names. Such queries
| can reveal whether the UA had previously visited the
| original HSTS Host (and subdomains).
|
| I use a loopback-bound forward proxy to enforce zero
| tolerance for HTTP across all programs, not just the web
| browser. Everything is sent via HTTPS. The proxy is
| configured to check certificates, and deny
| connections, according to rules I set. I use a text-only
| browser for noncommercial, recreational web use so I need
| a forward proxy, if for nothing other than to deal with
| the spread of TLS. But I also use it for a whole laundry
| list of tasks.
|
| Maybe it is just me, but HSTS, like much of Google's
| rhetoric, comes across as unfriendly if not hostile to
| proxies, regardless of who is running them. Consider this
| line from the RFC
|
| "The rationale behind this is that if there is a "man in
| the middle" (MITM) -- _whether a legitimately deployed
| proxy_ or an illegitimate entity -- it could cause
| various mischief (see also Appendix A ("Design Decision
| Notes") item 3, as well as Section 14.6 ("Bootstrap MITM
| Vulnerability"));"
|
| "Mischief." Does that include inspecting one's own HTTP
| traffic on one's own network. How about blocking certain
| methods of tracking, data collection and advertising.
| Apparently it includes disabling HSTS.
|
| Let's be honest. Google is an undisputed king of
| "mischief". The stakes for Google mischief are much
| higher and there have been too many fines to count.
| Consider the latest. How many people deploying their own
| proxies get fined $4B. (Arguably, an issue of "control"
| was at the heart of that decision.)
|
| https://www.theregister.com/2022/09/14/european_court_fin
| es_...
|
| If the proxy is "legitimately deployed" then why not stay
| out of the network operator's way. Let them have control.
| Give the option to cede control to Google instead of
| making it a default.
|
| I use HSTS for commercial, nonrecreational web use, when
| I have to use a "modern" browser. That is a small
| fraction of total web use for me.
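
The difference between header-based HSTS and the preload list that the comment above asks about, as an added example that is not part of the thread or of any browser's code. It is a simplified model of RFC 6797 sections 6.1, 8.1 and 8.2; the class and function names, the `.example` hosts, and the treatment of preloaded names as covering their subdomains are assumptions of this sketch.

```python
import ipaddress
import time


def parse_sts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header does not conform and therefore has to be ignored.
    """
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:                        # empty directives are permitted
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()         # directive names are case-insensitive
        arg = arg.strip()
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]                 # quoted-string form of the value
        if name in seen:                    # a repeated directive invalidates the header
            return None
        seen[name] = arg                    # unknown directives are kept but unused
    max_age = seen.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None                         # max-age is required and is digits only
    return {"max_age": int(max_age),
            "include_subdomains": "includesubdomains" in seen}


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


class HSTSStore:
    """Preloaded names ship with the browser; dynamic ones are learned from headers."""

    def __init__(self, preloaded=(), clock=time.time):
        self.preloaded = {h.lower() for h in preloaded}
        self.dynamic = {}                   # host -> (expiry, include_subdomains)
        self.clock = clock

    def note_response(self, host, secure, cert_ok, sts_value):
        """Section 8.1: accept the header only over error-free secure transport."""
        host = host.lower()
        if not (secure and cert_ok) or is_ip_literal(host):
            return False
        policy = parse_sts(sts_value)
        if policy is None:
            return False
        if policy["max_age"] == 0:          # max-age=0 makes the UA forget the host
            self.dynamic.pop(host, None)
        else:
            self.dynamic[host] = (self.clock() + policy["max_age"],
                                  policy["include_subdomains"])
        return True

    def must_use_https(self, host):
        """Section 8.2: exact match, or a superdomain with includeSubDomains."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.preloaded:  # assumption: preload covers subdomains
                return True
            entry = self.dynamic.get(candidate)
            if entry and entry[0] > self.clock() and (i == 0 or entry[1]):
                return True
        return False


def demo():
    """Walk one constructed browsing session and record each decision."""
    now = [1_000_000.0]                     # fake clock so expiry is deterministic
    store = HSTSStore(preloaded={"preloaded.example"}, clock=lambda: now[0])
    r = {}
    # First visit: a header-only site is unprotected, a preloaded one is not.
    r["first_visit_header_only"] = store.must_use_https("bank.example")
    r["first_visit_preloaded"] = store.must_use_https("www.preloaded.example")
    # Headers seen over plain HTTP or with a certificate error are ignored.
    store.note_response("bank.example", False, False, "max-age=31536000")
    store.note_response("bank.example", True, False, "max-age=31536000")
    r["after_untrusted_header"] = store.must_use_https("bank.example")
    store.note_response("bank.example", True, True,
                        "max-age=31536000; includeSubDomains")
    r["subdomain_after_valid_header"] = store.must_use_https("login.bank.example")
    store.note_response("bank.example", True, True, "max-age=0")
    r["after_max_age_zero"] = store.must_use_https("bank.example")
    store.note_response("bank.example", True, True, "max-age=60")
    r["subdomain_without_flag"] = store.must_use_https("login.bank.example")
    now[0] += 61
    r["after_expiry"] = store.must_use_https("bank.example")
    return r
```

The first-visit results show the bootstrap gap that RFC 6797 section 14.6 describes and that a preload list closes: a header-only host is not protected until one clean HTTPS response has been seen.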
| gambiting wrote:
| Really? Most people? I cannot think of anyone from my
| family who would even think about it for a second - they
| would just get annoyed they can't get to their bank
| website or whatever and just click continue. Also what
| tech support? Me?
| elcomet wrote:
| But now there is no button "continue", you have to click
| multiple buttons, which are not clearly labelled, in
| order to see the page. I'm sure 90% of people would not
| even be aware that you are able to continue.
|
| Even more, for self-signed certificate on chrome, there
| is _no_ button to continue for example. Check
| https://self-signed.badssl.com/
| gambiting wrote:
| In your example, all I had to do was click advanced then
| proceed (Chrome on Android)
| elcomet wrote:
| Ok, on chrome desktop there is no way to bypass the
| security
| shepherdjerred wrote:
| From my experience working as on-campus tech support in
| college, most people who aren't tech savvy will quickly
| give up or look to someone else for help. They will
| likely not think to click Advanced -> Continue Anyway
| (unless they have been taught to do that before).
|
| Tech support comes in many forms. The owner of the
| website, a friend who knows about computers, someone else
| in the workplace, the vendor they purchased their laptop
| from.
| sbierwagen wrote:
| HSTS cannot be overridden. Which bank domain names are
| you thinking of that are not one of the twelve thousand
| names on the HSTS preload list? https://source.chromium.o
| rg/chromium/chromium/src/+/main:net...
| hsbauauvhabzb wrote:
| HSTS solves sslstrip, I do not believe it enforces cert
| pinning. Iirc browsers deprecated cert pinning some time
| ago.
| shepherdjerred wrote:
| I've seen HSTS not let me continue without the server
| having the expected certificate recently, so I think
| that's still a thing.
| CommitSyn wrote:
| Plus, Firefox is soon implementing HTTPS-Only by default
| if I remember correctly. What was it, maybe 2016 there
| was a big push for SSL and the majority of the web, even
| login and payment pages, were HTTP? Now only a small
| percentage of the web isn't HTTPS. I have HTTPS-Only
| enabled in Firefox and rarely do I have to click the
| 'Continue Anyway' button to browse an HTTP page. For most
| general users that only use popular services, I'm sure
| it's even more rare.
| ct0 wrote:
| It's so easy, even a dummy like myself can grab a cert for
| my self hosted services. I don't give any HTTP only sites
| any slack
| bbarnett wrote:
| I have a site from 1997, pure html, with drivers, install
| disks, documentation for computers from the 80s/90s.
|
| It works. It's fine. No, it does not need ssl. What,
| someone is going to hack a floppy driver for a computer,
| which doesn't even have a built in network stack?!
|
| No, I am not going to do work on it, any work, at all.
|
| Millions of such sites exist, are fine, are safe.
| hcrean wrote:
| It is all fun and games until one of the downloads from
| your site picks up malware in transit and the user goes
| "why did this web admin infect my computer? Sue!"
|
| This genuinely happens a lot in the 2020s.
| [deleted]
| nradov wrote:
| Please provide citations for those lawsuits.
| mgbmtl wrote:
| I think if you say "genuinely happens a lot" you should
| give some examples, because this seems odd to me.
|
| More likely sites get cloned, improve their SEO over the
| original, and distribute malware.
| aliqot wrote:
| I've never heard of this happening ever.
| viraptor wrote:
| > with drivers, install disks
|
| Depending on what the drivers are for, you may be a prime
| candidate for MitM. People already go to your site to
| download software they're going to run in the most
| privileged mode. This is a perfect candidate for a type
| of watering hole attack.
|
| Considering you're providing those for 90s machines, you
| could be the last resort website for a few interesting
| industry computers with no security restrictions around
| them.
| sfink wrote:
| The site contents don't necessarily matter.
|
| You're at a coffee shop or library using their WiFi. Your
| computer sends a plaintext HTTP message. The attacker
| just needs to be able to see that message and get a
| response back to you before the real site does, and the
| real site is a lot further away than the guy sitting at
| the table next to you (or the hacked router, if he
| doesn't want to be there in person). Then they can feed
| your browser whatever they want.
|
| A login form to phish you, perhaps?
|
| They can even start replying, then go off and fetch from
| the actual site before finishing the response, if it
| helps to incorporate the real data.
| memen wrote:
| You could host hashes of the downloads on an https page.
| Should be quite simple. Malware can still work on a
| computer without a built-in network stack and if users
| are getting downloads onto that computer, then data can
| leave through the same means.
| sbierwagen wrote:
| What percentage do you think of all network traffic that
| Edge handles is 1) Over wifi? 2) Over unencrypted wifi?
| itake wrote:
| From my experience, tech people with non-default browsers
| can't use the internet :(
| supernovae wrote:
| why is it ok if firefox and opera do this but no one else?
| princevegeta89 wrote:
| Besides the unremovable junk they fill on the homepage, now
| this. Uninstalled and will be moving to Brave
| cheschire wrote:
| the only unremovable thing that bothers me is the stupid
| bing points thing that I don't care about. It doesn't
| encourage me to use bing, it just makes me question how
| they continue to manage to swipe my queries enough to
| increase that score.
| ectopod wrote:
| Edge is a pretty good local pdf reader so I added a
| firewall rule to stop it connecting to the internet.
| gotoeleven wrote:
| Oh you sweet summer child.
| _V_ wrote:
| Damn you, I just spit out my drink! :-D
| mc32 wrote:
| Also Epic.
| darig wrote:
| smoldesu wrote:
| Using a browser that monetizes itself in _any_ way seems
| like a slippery slope to me. I'd rather use Ungoogled
| Chromium/Bromite or even LibreWolf if it came down to it.
| Saying "that's it, I'm moving to Brave!" is basically
| declaring that you're moving your data from Microsoft(1) to
| Microsoft(2).
| _emacsomancer_ wrote:
| How is Brave Microsoft(2)?
| [deleted]
| colechristensen wrote:
| I still have a CD of Netscape Navigator Gold I purchased
| in a box in a store... long ago enough that was a thing.
|
| Those were the days.
| forgotmypw17 wrote:
| I still test and validate my websites with Netscape 2.x
| and up.
|
| Any Browser can be a reality.
| colechristensen wrote:
| If I had my billion dollars I would fund a modern
| intentionally crippled hypertext browser with hard limits
| on programmability and style complexity.
| Karunamon wrote:
| It sounds like you are describing Gemini.
| https://gemini.circumlunar.space/
| pdntspa wrote:
| Why not just bring back the 486?
| Thiez wrote:
| A shame that you would waste your money on a browser that
| nobody would use.
| ramesh31 wrote:
| > Using a browser that monetizes itself in any way seems
| like a slippery slope to me. I'd rather use Ungoogled
| Chromium/Bromite or even LibreWolf if it came down to it.
|
| The problem with this approach is that it's impossible to
| get a safe binary that isn't downloaded from
| "libfree.cxcc.gg" or whatever. The other option being to
| build from source, which is an absolute nightmare for
| Chromium.
| smoldesu wrote:
| All of those browsers have signatures available if you
| question the integrity of your binary. Otherwise this
| argument isn't any different for the likes of Brave or
| Chrome even.
| ramesh31 wrote:
| > All of those browsers have signatures available if you
| question the integrity of your binary
|
| Signatures available from whom?
|
| The point being that a web browser is a very special case
| of software that has to be _absolutely_ 100% trustworthy
| from a reputable commercial entity (that is, someone that
| can be sued). The only other thing with that level of
| trust is your operating system.
| Entinel wrote:
| This line of thinking is why Chrome owns most of the
| internet. No one else can hope to compete because they
| just get screeched down.
| smoldesu wrote:
| Chrome owns the internet because people like Brave don't
| develop their own browser engine.
| Am4TIfIsER0ppos wrote:
| Companies like google keep expanding the effort needed to
| write a browser engine to ensure everyone uses their
| spyware.
| smoldesu wrote:
| Then companies like Apple should stop shrinking their API
| targets and contribute to the general wellness of
| computing, for a change.
| rytis wrote:
| Can you please give a concrete example of what Apple
| should do, in your opinion, to expand their API targets?
| And how is that related to web standards complexity?
| mozey wrote:
| Few people attempt this... Here is one: Ladybird
| https://awesomekling.github.io/Ladybird-a-new-cross-
| platform...
| Entinel wrote:
| 99% of a web browser's end users do not care if their
| browser uses Servo, Webkit, etc.
| andirk wrote:
| Yes but being able to use all of Chrome's extensions in
| Brave is a huge win to me. And most Chrome documentation,
| Q and A, tutorials are mostly relevant to Brave as well.
| I see Google and other behemoths contributing to an open
| source project as a good thing. The product may not be
| where it is today without their help, including paying
| people to work on a free product. Still, yeah don't trust
| them.
| autoexec wrote:
| I'd guess pretty close to that number don't even know
| what those are in the first place.
| marshray wrote:
| Chrome owns the internet because web standards have
| become so complex that not even Microsoft can afford to
| maintain their own browser engine.
| supernovae wrote:
| Microsoft edge non chromium was fine, but no one used it.
| So they went chromium based.
| q-big wrote:
| > Microsoft edge non chromium was fine, but no one used
| it. So they went chromium based.
|
| Are people now using Edge because of this change?
| int_19h wrote:
| Edge has made substantial gains in market share in the
| past few years. But it's hard to definitively ascribe it
| to any specific change.
| smoldesu wrote:
| So what's the solution? I hate this status quo as much as
| you do, and standing here in a Mexican Standoff is not
| viable forever. You're right. "The web" as a platform has
| been twisted and perverted beyond real usability at this
| point. There is no path forward where we undo Google's
| damage and preserve the qualities of the web we enjoy
| today. So, how do we fix this?
|
| The solution (to me) is simple - fix native app
| distribution. Make platform targets operate the same as
| they used to, and give people control over their computer
| again. The only ones preventing us from a platform-
| agnostic utopia are Apple and Google, both of whom profit
| off the artificial difficulty of distributing
| applications.
|
| So, here we are. Google is poisoning the web while Apple
| refuses to swallow their pride. Everyone is hurting, and
| nobody stands to gain anything but the shareholders. A
| hopeless situation, but let's not pretend like
| _everything_ here is morally grey.
| int_19h wrote:
| For starters, if a company makes a web browser with
| market share exceeding 50%, and also produces web sites
| and web apps, if those web sites and web apps do any
| sort of user agent testing or require non-standard
| features of the aforementioned browser, it should be
| treated as ipso facto monopoly abuse.
| xani_ wrote:
| The solution is already impossible. When Mozilla had
| browser domination they had a chance to dictate
| _something_. The moment Chrome became popular, now
| another company, just as MS and IE did before, could just
| do the feature creep of "add feature, subtly break/slow
| down opposition, get more users that just want browser
| that works"
| hollerith wrote:
| >not even Microsoft can afford to maintain their own
| browser engine
|
| We don't know that. Maybe Microsoft could maintain their
| own browser engine if Google hadn't provided one on
| permissive open-source licensing terms that met their
| needs.
| bfung wrote:
| >not even Microsoft can afford to maintain their own
| browser engine
|
| MS can afford it financially. The desire to put in the
| effort to is not there.
| IncRnd wrote:
| It's the other way around. Brave uses the Chrome browser
| engine, because Chrome already developed their own
| browser engine.
| NotPractical wrote:
| Exactly. Brave just takes Chromium (from Google) and adds
| weird crypto stuff to it. None of the Chromium forks are
| "different browsers" in my eyes. They all depend on
| upstream for everything important. They couldn't develop
| the browser on their own.
|
| Just use Firefox. It works just as well as Chrome (*),
| but it's based on a completely different engine which was
| built from the ground up.
|
| (*) On desktop at least (on Android I still use a
| Chromium fork for now)
| Ylpertnodi wrote:
| >Just use Firefox.
|
| No. Well, I'm not so rude, so "No, thank you".
|
| >It works just as well as Chrome (*)
|
| Not on _anything_ I use, it doesn't, so "No....thank you".
|
| Tbf, I do keep trying ff, but...clunky, jeepers! 'Fraid
| I'll hang on until my Brave jumps its particular shark
| and then maybe I'll hop over to something else, but for
| now, and as long as I can still use UblockO, Brave it is.
|
| Even Opera is looking interesting again....
| silisili wrote:
| > Brave just takes Chromium (from Google) and adds weird
| crypto stuff to it
|
| That's a really unfair (and untrue) statement. Brave also
| removes some code they find privacy violating, built in a
| best in class adblocker, built a full cross-device sync
| system that works perfectly, some UI tweaks and
| enhancements, built Tor connectivity in, etc. Probably a
| lot more that I'm leaving out.
|
| I am def not a fan of crypto or BATs or whatever they
| were pushing, but you can use it fine ignoring all of
| that.
| [deleted]
| autoexec wrote:
| Firefox is pretty nice once you beat it into submission.
| I'd put my money there before Brave.
| mhardcastle wrote:
| I'm very glad you mentioned the homepage spam. It's
| increasingly difficult (and valuable) to live without
| information overload these days; Edge's forced "news" spam
| has pushed me away as well.
| SimoneSleek wrote:
| blocking msn.com via hosts will give you a blank new tab
| page in Edge, only including an Edge background image,
| and a search bar leading to your chosen search engine.
| princevegeta89 wrote:
| What is shocking is the content is so low quality it's
| appalling it came from a big, respected company as
| Microsoft. A lot of the posts are often clickbaits, and
| there are ads carelessly interspersed between the posts
| all over the page.
|
| I know it makes a lot of money for Microsoft but the fact
| they chose to keep the quality so low really looks bad.
| w0m wrote:
| I'm all for pushing for more privacy/etc; but is Brave what
| we want to advocate for as an alternative? They did some
| pretty heinous link jacking relatively recently. I'm not
| sure FF/(/chromium) have been caught doing anything worse
| than that yet.
| at-fates-hands wrote:
| I work for a very large corporation who has decided the
| default browser will be Edge. Getting another browser
| installed on your machine takes an act of congress and
| several upper level approvals.
|
| Does this mean they will also have the ability to collect
| corporate data from the browser in companies like mine?
| meltedcapacitor wrote:
| Just compile Firefox or chromium to WebAssembly and run it
| inside Edge. :-)
| cyanydeez wrote:
| Corporations have shown worse proclivities than the US
| government these days.
| muricula wrote:
| Like your internet service provider you already have??
| xboxnolifes wrote:
| An ISP is not a single point for all Windows users.
| bisby wrote:
| While I agree with the sentiment that ultimately we have to
| have some level of trust somewhere on the stack, there are
| a few minor differences.
|
| In theory anyway, I pick my ISP. If this was "support for
| using a VPN" instead of "we're injecting OUR VPN" I would
| feel a lot better.
|
| I'm aware I'm using my ISP. Even someone who doesn't know
| much about computers knows their traffic is going
| somewhere. They might not know the repercussions of that,
| but if this is just transparently on in the background,
| effectively a keylogger, a user might never know this is
| happening.
|
| I give my ISP money. Back to the choice option. Some ISPs
| are bad and are trying to nickel and dime you to maximize
| profits. Some ISPs are actually good (I'm not Swiss so I
| don't know for sure, but Init7 looks amazing
| https://www.init7.net/en/support/faq/privatsphaere/). I
| don't have to question with my ISP "how are they profiting
| off of me" because I give them money every month. They
| might be, but they don't intrinsically NEED to be scraping
| my data. I am not sure how Microsoft benefits from giving
| me a free VPN unless they are scraping my data.
|
| I can use a VPN to bypass my ISP monitoring if they do
| monitor. I have no idea how Microsoft's stuff is set up
| here. If the end result is that it gets routed through
| their VPN after my VPN, or instead of my VPN, or even
| through their stuff at all, but with stamped metadata, then
| there's not necessarily a great way to get around it other
| than "don't use Edge"
|
| In general, yes, your ISP isn't your friend. But an ISP is
| something I asked for, have a use for, and need. A
| Microsoft stealth VPN is none of those things.
| dheera wrote:
| It's because they are shareholder-driven, not customer-
| driven.
|
| Clueless shareholders on the 59th floor of JP Morgan who
| don't even use Edge see "oooh VPN, me like buzzwords" and
| upvote the stock.
| api wrote:
| It's also a way to front run ISPs in the data market. Then
| these vendors can sell the data on the data broker market and
| pocket the cash the ISPs are getting by selling whatever
| browsing history data they can infer (from DNS and traffic).
|
| I suspect this is the corporate motivation. The increased
| state surveillance and control is a side effect.
| mejutoco wrote:
| Isn't this what they did with Skype (centralize it)?
| salawat wrote:
| Yup.
| d0mine wrote:
| "bad feeling" is too generous. Microsoft is famous for its
| ubiquitous telemetry. It is not a suspicion, data collection is
| a fact. today. already.
| cm2187 wrote:
| Because every recent development in the evolution of Windows
| has been hostile to privacy.
| pricci wrote:
| About the pihole problem, redirect all calls to port 53 to your
| pihole.
|
| If Edge is using DoH, you're out of luck.
| numpad0 wrote:
| Does something like `source 0.0.0.0 dest 8.8.8.8 dport 443
| action drop` work for DoH?
| aborsy wrote:
| The move benefits foreign companies, weakening the domestic
| industry.
|
| Let's see how fast EU can move and regulate the traffic access.
| For instance, demanding that the servers should be accessible
| only to the local governments.
| sedatk wrote:
| > and turns it on
|
| for CANARY users which is a completely normal thing. This kind of
| sensationalism really hurts everyone.
| graypegg wrote:
| When did the world start trusting any company with a VPN more
| than their ISP? I still find the privacy pitch to be flakey at
| best, where at least I can choose who's aware of my traffic, but
| getting past geo-blocks really seems to be the most obvious
| consumer value, which this Cloudflare vpn lacks.
| zapataband1 wrote:
| I thought it was when all the ISPs started basically giving
| away your private info to the government and repeatedly lied
| about it
| seabrookmx wrote:
| I swear VPN privacy is a red herring.
|
| Everyone I know who has a VPN subscription simply uses it to
| prevent DMCA letters from their ISP when torrenting.
|
| VPN providers with a "no logs" policy simply shrug these off.
| BuckRogers wrote:
| I know people that use VPNs 24/7 just for privacy. I would
| assume there's many more that use them for the reason you
| described though. Torrents are less useful than ever, piracy
| is down in general thanks to streaming services and products
| having moved to SaaS. From what I can tell, the number of
| people using VPNs merely for privacy alone is growing and a
| good sign that people feel that strongly about it.
| nvllsvm wrote:
| For some - it was when their ISP started sending their
| customers scary sounding letters regarding certain downloaded
| movies and shows.
|
| Some ISPs also needlessly block certain sites (ex. Verizon
| blocks nyaa.si)
| TheFattestNinja wrote:
| ISP injecting content into your connection is a known story
| (google "ISP injecting ads" for many results).
|
| For better or worse Microsoft (or other corps) have not done
| that in recent memory afaik. They might do equally dodgy stuff
| in other aspects, but they don't tamper with the integrity of
| your connection (they might sniff it a bit).
| math_dandy wrote:
| And often you're paying a nontrivial amount of money to the
| ISP for the "privilege" of getting ads and tracking
| injected. This really rubs people the wrong way, justifiably
| so I think.
| wintermutestwin wrote:
| My ISP actively lobbied to be able to harvest (steal) my data.
| Who do I trust more: the guy who says that they aren't selling
| my data, or the guy who corrupted my government so that they
| can actively sell me out (not to mention their monopoly)?
|
| Sure, the first guy could be a liar, but I _know_ that the
| second guy is a thief.
|
| I don't care about geo-blocking - my only threat model is to
| keep a scumbag ISP at bay.
|
| Edit: I should add that keeping sites I browse from knowing my
| IP is also part of my threat model.
| MichaelCollins wrote:
| VPN also has my credit card number, real name, etc. VPN
| doesn't have that; their data is worth less than the data my
| ISP could sell.
| dizhn wrote:
| Article says the VPN gets activated in public networks. Wifi
| etc. That's one decent use case.
| NoGravitas wrote:
| It's not true of the whole world, but in the US, you generally
| know that your ISP is untrustworthy, while your VPN is a leap
| of faith.
| shuntress wrote:
| This is why net neutrality and easy accessible encryption are
| important.
| collaborative wrote:
| Strangely enough Opera's VPN has suddenly started working after a
| long period of not being "available" and pushing their paid
| version
| jll29 wrote:
| Microsoft as any company must abide by federal laws, including US
| FISA court orders.
| bborud wrote:
| Second time today Hacker News makes Firefox look good.
| saiya-jin wrote:
| Seriously, I can't grok why people here don't use it more
| often. Web is 100% usable, what doesn't work in it doesn't work
| in latest chrome neither. Web development is fine too, just
| different, not worse. But whatever, use chrome for dev work if
| you love it, and Firefox for _everything_ else, especially
| Internet proper (plus you get another full testing browser, not
| just spoofing user-agent)
|
| It's a great product, and ublock origin makes it by far the best
| on the market for internet not only for me, across any devices
| ever made, period.
| bborud wrote:
| _I_ can't grok why _I_ haven't switched. :-)
|
| So this weekend I'll make an effort to switch from Chrome.
| pessimizer wrote:
| https://github.com/aris-t2/customcssforfx
|
| Here's something to use if the UI makes you really upset.
|
| Also you will probably miss translation:
| https://addons.mozilla.org/en-US/firefox/addon/traduzir-
| pagi...
| ohbtvz wrote:
| ...in a "canary" (basically a nightly build), for some users, for
| some specific cases (unsecure http, public wifi).
| omgomgomgomg wrote:
| Did anyone test this? Is it better than Opera's "vpn"?
|
| Can the user configure various geolocations?
| marshray wrote:
| I wonder how it respects legal web censorship orders imposed on
| ISPs like those of China and UK.
| perlgeek wrote:
| I hear the Great Chinese Firewall is pretty good at blocking
| VPNs, they'll likely be able to block this one pretty quickly.
| marshray wrote:
| Sounds like this one is going to appear on the network like
| https connections to Cloudflare.
| edpichler wrote:
| > "...it lacks one important feature users seek in a virtual
| private network: an ability to bypass geo-block. In the case of
| Edge's VPN, you won't be able to choose any server location..."
| legrande wrote:
| Edge is a reskinned Chromium browser with Microsoft tracking and
| telemetry baked in. Just because they have a VPN now, it doesn't
| make it any more private/secure. Why do people use Edge? If
| you're any way privacy conscious you wouldn't use Microsoft
| products.
| seabriez wrote:
| Based on what source exactly? Microsoft is about equivalent to
| privacy protections as Apple, if not more so.
| mtgx wrote:
| isoprophlex wrote:
| I beg to differ.
|
| Please compare the severity and extent of
|
| https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Privacy.
| ..
|
| with
|
| https://en.wikipedia.org/wiki/Criticism_of_Apple_Inc.
|
| Depending on how you weigh the issues MSFT is _far_ from
| equivalent on privacy
| woojoo666 wrote:
| It seems that both had alleged collaborations with PRISM.
| The main difference I see between the two wiki articles, is
| that people complain about Microsoft's telemetry but not
| Apple's (even though they do have a lot of telemetry [1]).
|
| In general it feels like Apple has won the trust of the
| public, partially through good products, partially through
| good marketing.
|
| [1]: https://mspoweruser.com/macos-big-sur-has-its-own-
| telemetry-...
| A4ET8a8uTh0 wrote:
| In my case, it is the default browser at my current company. I
| don't know the reasoning behind it, but we are also forced into
| Teams. Corporate requirements is my reason.
|
| FWIW, it is not bad performance-wise.
| rejectfinite wrote:
| So, I do use Firefox.
|
| But for a windows domain environment Edge makes sense.
|
| - Comes builtin, no need to patch browsers separately and
| worry about outdated Google Chrome installs in a 1000+
| computer fleet.
|
| - Integrates with Office 365 that the company already uses/pays
| for.
|
| - Can be managed with policy over Office 365 or Intune
|
| - Has IE Enterprise Mode for the old apps that need IE11
|
| For Teams, the alternative is this:
|
| - Pay for Zoom AND Slack AND Office 365 AND have IT personnel
| manage all 3
|
| - Pay for Gsuite and use... hangouts?
|
| or
|
| - Just pay for Office 365 and get email, fileshare, office
| suite and chat/fileshare/video tool all in one that works
| "fine" and can be managed all in admin.microsoft.com (that
| goes into 500 different portals that all change each month
| but I digress...)
|
| Oh, and you can use whatever browser, even if it's not the
| default. I use Firefox but Edge is the default one.
| Kwpolska wrote:
| My primary browser is Firefox. I have Edge as my backup browser
| for sites that don't work with Firefox, and sometimes for
| watching stuff. There is no reason for me to install Chrome.
| (And Microsoft isn't that bad, even if Edge sometimes does
| weird things.)
| Koshkin wrote:
| > _for watching stuff_
|
| ... while the browser is watching you [1].
|
| > _Microsoft isn't that bad_
|
| Yes it is. That bad.
|
| [1] https://en.wikipedia.org/wiki/In_Soviet_Russia
| tester756 wrote:
| If you're using Windows, what's the point of using Chrome if
| you already have Edge?
|
| You're already sending data to MS anyway
| MichaelCollins wrote:
| What's the point of using either of those when you could use
| an ungoogled chromium build?
|
| (I use Firefox, but if I were to use a chromium browser it
| wouldn't be Edge _or_ Chrome...)
| sascha_sl wrote:
| In case you want a real answer: battery life.
| MichaelCollins wrote:
| Googled Chromium has better battery life than Ungoogled
| Chromium? That seems like a dubious claim.
| rejectfinite wrote:
| No, Edge does. It actually is the best performing and
| battery life browser on Windows.
| tester756 wrote:
| Because you gotta trust people behind ungoogled Chromium
|
| I don't know them, so I don't trust them.
| bilekas wrote:
| Chromium is open source, and so you can see what the
| changelog is etc.. You don't need to trust the people
| when you can read the source yourself ?
|
| also "ungoogled Chromium" - The process is Chrome is
| Googled Chromium.
|
| Chromium was a thing before Google-Chrome..
|
| Edit: My mistake: Chrome and Chromium were released at the
| same time.
| judge2020 wrote:
| > also "ungoogled Chromium" - The process is Chrome is
| Googled Chromium.
|
| You can download Chromium[0], but people tend to be
| referring to the project called "Ungoogled Chromium"[1]
| to remove any calls to Google domains, eg. safe browsing,
| which are still present in Chromium.
|
| 0: https://www.chromium.org/getting-involved/download-
| chromium/
|
| 1: https://github.com/ungoogled-software/ungoogled-
| chromium
| tester756 wrote:
| Yes, I'm definitely going to audit some giant as hell CPP
| code base (diffs) every four weeks.
|
| I'd rather write my own browser from scratch
| bilekas wrote:
| > Yes, I'm definitely going to audit some giant as hell
| CPP code base (diffs) every four weeks.
|
| I've had this discussion with other people too, just
| because you don't want to doesn't mean you can't. So your
| point of suspecting something nefarious is moot for me
| until you can back it up.
| tester756 wrote:
| If I do already use Windows, then I'm already relying on
| MS
|
| Using Edge doesn't change much, meanwhile using ungoogled
| Chromium means that I have to trust additional actors
|
| Additionally MS inserting e.g "backdoor" into Edge could
| cost them a lot in PR damages meanwhile what if
| ungoogled chromium inserted some kind of "backdoor"?
|
| I don't even know people who maintain it, so I wouldn't
| even be able to break their windows or throw eggs at them
| detaro wrote:
| > _Chromium was a thing before Google-Chrome_
|
| no it wasn't.
| bilekas wrote:
| Sorry that's actually my mistake, I was thinking of
| something else. (Android)
|
| They were both launched the same period, but chromium was
| the 'trimmed' down open source version.
| fsflover wrote:
| But we do know people behind Microsoft are _not_ to be
| trusted with our privacy... See PRISM and their data
| collection practices.
| tester756 wrote:
| The thing is about what data MS wants and what bad actor
| in ungoogled chromium would want
|
| e.g MS doesn't want to steal money from my card
| BiteCode_dev wrote:
| Indeed, they will lock you in to get it legally.
| poopnugget wrote:
| timbit42 wrote:
| I'd choose Edge over Chrome if I didn't have better options.
| dodgerdan wrote:
| I don't think Adguard, the Russian tech company registered in
| Cyprus, but with mostly Russian employees living in Russia has
| our best interests at heart.
| aussiesnack wrote:
| Your evidence seems to be repetition of the word 'Russia'.
| Seems a tad thin.
| imbnwa wrote:
| What bothers me about Adguard is offering HTTPS cert spoofing
| as a means to duplicate uBo's dynamic filtering behavior
| lizardactivist wrote:
| What makes you say that? And this is not really about Adguard,
| it's about Microsoft, Cloudflare, and Edge.
| wintermutestwin wrote:
| While I would never use a VPN service fronted by a data thieving
| company, I really hope that VPN usage goes more mainstream so
| that companies can't have "no access from VPN" as a security
| strategy.
|
| Ally bank recently did this and many others have intermittent
| issues due to flagging, etc.
| VoodooJuJu wrote:
| I can see this evolving into something worse.
|
| >try to connect to ally
|
| >vpn not allowed - try connecting through one of our authorized
| vpn partners: microsoft, nordvpn!, etc.
| ascar wrote:
| Is Cloudflare known as a data thieving company? I didn't have
| that association with them yet. They're not really in the data
| selling business, are they?
| wintermutestwin wrote:
| I said "a VPN service fronted by a data thieving company" and
| I misspoke - I should have said "backed" instead of
| "fronted."
|
| AFAIK Cloudflare isn't a data thief (yet). If (when) they
| decide to be, they will have access to quite a lot at the
| rate they are going. At this point, how can we trust that any
| public company won't eventually monetize user data?
| hansel_der wrote:
| they are in the business of collecting data and selling
| insights. cdn is just a means to an end
| scrollaway wrote:
| Oh stop, already. Cloudflare isn't in the "business of
| selling insights". They make their money from enterprise
| sales of their various network products.
|
| They're in the business of competing with AWS and are
| pretty damn good at it, too.
| hibikir wrote:
| Security teams don't block certain VPN traffic for fun. When a
| certain IP block has been running credential stuffing attacks
| all month long, it's very reasonable to see any request from
| said block with a lot of suspicion. In many cases, 99.9% of
| login attempts from certain IP blocks are just fraudulent, and
| there might be more requests from one of said blocks than
| legitimate requests from the rest of the world combined.
|
| Completely blocking a VPN is often too blunt an instrument, but
| even the best alternatives are unfriendly to legitimate
| traffic. The most user-friendly thing you can do is to rely on
| bonus security controls, like asking for two factor
| authentication for everything. No, you will not be able to log
| into anything from a new device, even, without the two factor.
| A very understandable tradeoff for a bank, but we'll end up
| seeing that for any account protecting anything of relatively
| low value.
|
| If your second factor is tied to, say, a phone, it's not going
| to be fun to wait to replace it if it's lost. But in a world
| where most traffic is coming from a VPN, there aren't many good
| alternatives.
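
An added example, not part of the thread or of any poster's code: the policy described in the comment above (score login attempts per IP block, then ask for a second factor instead of blocking the range outright). The thresholds, prefix lengths, function names and sample events are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed tuning values (not from the thread).
MIN_ATTEMPTS = 20        # ignore blocks with too little traffic to judge
SUSPICIOUS_RATIO = 0.90  # share of failed logins that marks a block as hostile


def block_of(ip, v4_prefix=24, v6_prefix=48):
    """Map an address to the network block used for aggregation."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def score_blocks(events):
    """events: iterable of (ip, login_succeeded) from a recent time window.
    Returns {network: (attempts, failure_ratio)}."""
    counts = defaultdict(lambda: [0, 0])  # network -> [attempts, failures]
    for ip, succeeded in events:
        entry = counts[block_of(ip)]
        entry[0] += 1
        if not succeeded:
            entry[1] += 1
    return {net: (n, failed / n) for net, (n, failed) in counts.items()}


def decide(ip, scores, known_device):
    """Step up to a second factor instead of refusing the whole range.
    A new device always needs the second factor, as the comment describes."""
    attempts, ratio = scores.get(block_of(ip), (0, 0.0))
    hostile_block = attempts >= MIN_ATTEMPTS and ratio >= SUSPICIOUS_RATIO
    if hostile_block or not known_device:
        return "require_2fa"
    return "allow"


def constructed_events():
    """Constructed sample data using documentation address ranges."""
    events = []
    # A shared VPN exit range used for credential stuffing: 1 success in 200.
    for i in range(200):
        events.append((f"203.0.113.{i % 200 + 1}", i == 0))
    # An ordinary range: 30 attempts, 2 mistyped passwords.
    for i in range(30):
        events.append((f"198.51.100.{i + 1}", i not in (3, 17)))
    # A thin IPv6 range: 3 failures out of 3, too few to judge.
    for i in range(3):
        events.append((f"2001:db8:1::{i + 1}", False))
    return events


if __name__ == "__main__":
    scores = score_blocks(constructed_events())
    for ip, known in [("203.0.113.77", True), ("198.51.100.9", True),
                      ("198.51.100.9", False), ("2001:db8:1::5", True)]:
        print(ip, "known_device" if known else "new_device",
              "->", decide(ip, scores, known))
```

The legitimate customer who happens to share the noisy exit range is asked for a second factor, not refused, and a range with only a handful of failures is not penalised at all.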
| btown wrote:
| From the article, this is powered by a partnership with
| Cloudflare. It's worth noting that until August 6 of this year,
| Cloudflare's WARP VPN would leak your IP address - but only to
| sites using the Cloudflare network.
|
| https://web.archive.org/web/20220609160341/https://developer...
|
| And when Cloudflare released their new SOPs for Warp, they did so
| in a blog post titled "More features, still private" -
| https://blog.cloudflare.com/geoexit-improving-warp-user-expe...
| as referenced in https://developers.cloudflare.com/warp-
| client/known-issues-a...
|
| Microsoft's initial announcement for the feature touted that IP
| addresses would be masked, and one imagines that they did their
| diligence with Cloudflare and are enforcing the strong practices
| that WARP has now rolled out more broadly.
|
| But it's worth noting that you're routing through a company to
| whom the words "still private" encompassed leaking client IP
| address information to Cloudflare's hosting customers as recently
| as two months ago.
| judge2020 wrote:
| Warp/1.1.1.1[0] is a product, not a VPN, despite the fact that
| it tunnels your traffic. Even after the IP address change, the
| current documentation and promotions for Warp do not call it a
| VPN. It was never meant to keep your IP hidden from the
| websites you visit.
|
| 0: https://1.1.1.1/
| btown wrote:
| I wish that were how it had been presented, but they indeed
| did advertise it as a VPN. From
| https://blog.cloudflare.com/1111-warp-better-vpn/ :
|
| "Technically, WARP is a VPN.... We built WARP because we've
| had those conversations with our loved ones too and they've
| not gone well. So we knew that we had to start with turning
| the weaknesses of other VPN solutions into strengths. Under
| the covers, WARP acts as a VPN. But now in the 1.1.1.1 App,
| if users decide to enable WARP, instead of just DNS queries
| being secured and optimized, all Internet traffic is secured
| and optimized. In other words, WARP is the VPN for people who
| don't know what V.P.N. stands for."
| judge2020 wrote:
| I don't think this holds much weight given the regular
| users of this product are likely referred to
| https://1.1.1.1 and are unlikely to read through all of
| this 3000 word blog post with tech jargon. However, indeed,
| many people might've heard about it from other blog posts
| saying it's a VPN or word-of-mouth from more technical
| users also calling it a VPN - but it's obvious Cloudflare
| made a concerted effort not to use that term.
| genewitch wrote:
| it's used _five_ times in that single paragraph. That's
| cloudflare calling it a VPN. you can't unring the bell.
| jdgoesmarching wrote:
| I think it holds weight when I'm staring at a Cloudflare
| blog URL that explicitly says "Warp better VPN." I don't
| doubt that this has been scrubbed from current
| documentation, but this is fair evidence for the above
| comment's claim that CF has advertised it as a VPN.
|
| I don't have a dog in this fight, but it was especially
| odd in this context to claim that this misconception was
| entirely driven from outside of Cloudflare when the URL
| is sitting right there.
| sproketboy wrote:
| smm11 wrote:
| I'm going to run my VPN on Edge running a VPN.
| rmason wrote:
| I am not saying that they'd do it but what would prevent
| Microsoft from 'theoretically' collecting your information
| themselves and then selling it back to your ISP?
| cphoover wrote:
| Hmmm interesting another reason for me to avoid microsoft
| browsers.
| AlexandrB wrote:
| Interesting to see this on the front page along with
| https://news.ycombinator.com/item?id=33036748
|
| I wonder how long until Microsoft starts blocking sites on their
| VPN for "your protection".
| mikaelsouza wrote:
| I think they already do. Just like chrome and firefox block
| sites that are considered insecure.
|
| I don't think they need a VPN for this.
| xnx wrote:
| Sounds pretty handy for data-scraping!
| witrak wrote:
| If this "VPN" is under the control of an entity collecting
| information about users wherever it can what's the sense of the
| service. "VPN" (in fact the term should be "virtual internet
| access network") make sense only when it is independent of any
| entity controlling internet traffic...
| crazygringo wrote:
| > _the VPN will automatically connect when you're using public
| Wi-Fi or browsing unsecured networks and sites lacking a valid
| HTTP certificate._
|
| OK, that's actually a pretty decent idea. It's not going to be
| always-on, but it's providing security specifically for things
| like coffeeshops/libraries and for sites that don't provide their
| own security. In other words, it's "backup security", not
| rerouting all of your "normal" secure traffic at work/home.
|
| This mainly protects sites you visit from having JavaScript
| injected into them by networks when there aren't any other
| protections, and the VPN is run by Cloudflare so it will be
| performant, so I don't really see any problems here? Seems like a
| positive development actually.
| timmb wrote:
| Just curious but is there really a risk on public WiFi if
| you're using DNS-over-HTTPS and connecting to a site over
| https?
| kibwen wrote:
| No, though DNS-over-HTTPS is already basically a proxy.
| CogitoCogito wrote:
| > This mainly protects sites you visit from having JavaScript
| injected into them by networks when there aren't any other
| protections, and the VPN is run by Cloudflare so it will be
| performant, so I don't really see any problems here? Seems like
| a positive development actually.
|
| How does this protect from having JavaScript injected? Why
| couldn't the VPN do that?
| simsla wrote:
| MITM protection on public networks maybe?
| CogitoCogito wrote:
| > MITM protection on public networks maybe?
|
| How does this address the fact that the operators of the
| VPN can certainly modify any content they access over http
| on your behalf?
| kevingadd wrote:
| It's reducing the number of parties you have to trust
| from 'every hop along the path from the public wifi
| operator to the host' to 'cloudflare', and many site
| operators already trust cloudflare not to MITM them.
| yed wrote:
| The operators of the VPN in this case are also the
| developers of the browser. If they want to inject content
| they can do that without the VPN.
| soulofmischief wrote:
| It's security by consolidation.
| hypertele-Xii wrote:
| Security by consolidation to single point of failure, I
| might add.
| kevmo314 wrote:
| Better than every public wifi access point being able to.
| acdha wrote:
| It's a question of how many entities you have to trust.
| There are many thousands of public networks around the
| world and millions of people using ISPs which tamper with
| traffic (especially on mobile networks). With the VPN,
| you only have to trust the VPN provider; without it, you
| have to review each network you use and its ISP. That
| doesn't mean that the VPN is automatically trustworthy,
| of course, but it's a single entity.
| ViViDboarder wrote:
| The assumption is that the VPN operator is more trustworthy
| than an unsecured network.
| reactspa wrote:
| A crazy thing happened to me on a recent trip to Mexico city. I
| thought my AT&T mobile plan covered Mexico, but after 2 days it
| stopped working. So I tried to log into my account online with
| AT&T. It would keep redirecting me to the Mexico AT&T website
| instead of the US website. The first time I realized I needed a
| VPN.
| Justin_K wrote:
| Why don't we just call it what it is: "Microsoft redirects all
| browser traffic through their servers". At first it sounds great
| but in two years when they start selling the data or start
| injecting ads, what will the privacy advocates think then? How
| long until Microsoft decides they don't like your site, so
| they're going to block it? Yet another move towards
| centralization of the internet, NO THANKS.
| SavageBeast wrote:
| So Edge users are going to be impacted by this - what's that, like
| 35 people outside the development team who made it?
| oefrha wrote:
| As a generally happy Cloudflare customer, a Cloudflare VPN makes
| me deeply uneasy. (Yes, I know Warp has been around for a while.)
| Using it means Cloudflare owns a huge chunk of your Internet
| traffic _end to end_ and _decrypted_, a uniquely powerful
| position to be in. And this is going to be default on in Edge
| according to TFA, even though it's only applied to plain HTTP
| sites by default at the moment.
| xani_ wrote:
| Browsers already want to send every domain you visit to
| cloudflare via DoH.
|
| Other options of securing DNS included "just" encrypting
| traffic to DNS server. But no, they decided to centralize
| sending DNS records via HTTPS
| sascha_sl wrote:
| While I agree that it is concerning, WARP doesn't decrypt your
| traffic unless you sign in to ZeroTrust, enable it in your
| dashboard and install their CA.
|
| Not much you can do about them having decrypted traffic for
| sites that use them.
| oefrha wrote:
| > having decrypted traffic for sites that use them
|
| Yes, that's the huge chunk I'm talking about, and when you
| use them as your VPN they can effortlessly trace that
| decrypted traffic to you.
| sascha_sl wrote:
| How is that different from not using a VPN?
| xboxnolifes wrote:
| It's not, that's the point.
| ViViDboarder wrote:
| It's not _for one party_. The VPN protects your traffic
| from any party other than Cloudflare. Exactly as it would
| with any VPN.
| AtNightWeCode wrote:
| Https is among the most broken ideas in the history of CS. I
| remember the first time I really learned about it and I went
| like it can't be this stupid.
|
| Most Internet traffic today between A and B is decrypted by C
| because of this.
| jimlongton wrote:
| People are fools if they think there isn't a Room 641A in
| Cloudflare, except it's a lot better since web service
| operators willingly handed over all their private keys and
| therefore user data.
| chiefalchemist wrote:
| > "However, the VPN will not run while you're streaming or
| watching videos -- so that you can save up on traffic which is
| capped at a modest 1 GB per month."
|
| OK? And what happens after that? After you go over your 1 GB cap?
| You're cut off from the internet?
| ridgered4 wrote:
| How do they even ID the user for the cap? Some kind of system
| signature? Requirement of a MS account?
| shmde wrote:
| They just turn the VPN off ?
| mdaniel wrote:
| Heh, I wonder if they just quietly do that in the middle of a
| session
|
| * GET bank.example.com/accounts
|
| * GET bank.example.com/accounts/1
|
| _vpn disconnect_
|
| * GET bank.example.com/accounts/1/details <- 403 new IP, who
| dis?
| 1langisbad wrote:
| drexlspivey wrote:
| Pretty cool to see Wireguard, a protocol that is only a few years
| old, making it so fast into the linux kernel and now into Edge.
| Literally shipping into billions of devices in such a small
| amount of time.
| cphoover wrote:
| I don't like this. When I add a URL to the address bar I want
| TCP/IP traffic to be directed to only the remote address I
| requested, and not have traffic relayed through some third party.
| criddell wrote:
| Do a traceroute and see how many third parties your traffic is
| going through. You probably don't get many point-to-point
| connections.
| hbrn wrote:
| I have bad news for you.
|
|     traceroute news.ycombinator.com
| doublerabbit wrote:
| Besides the point, 18 hops to get to HN via my colo server in
| London, UK; what is cogentco doing with the excessive
| routing?
|
|      1    24 ms    24 ms    25 ms  10.0.0.1
|      2    32 ms    25 ms    24 ms  x.x.x.x
|      3    28 ms    28 ms    27 ms  core-router-b-nlc.netwise.co.uk [185.17.175.246]
|      4    29 ms    25 ms    25 ms  core-router-hex.netwise.co.uk [185.17.175.240]
|      5    29 ms    25 ms    26 ms  te0-7-0-17.505.rcr21.b015534-1.lon01.atlas.cogentco.com [216.168.64.16]
|      6    27 ms    25 ms    25 ms  be2186.ccr22.lon01.atlas.cogentco.com [154.54.61.70]
|      7    27 ms    25 ms    28 ms  be2870.ccr41.lon13.atlas.cogentco.com [154.54.58.173]
|      8    94 ms    93 ms    94 ms  be2317.ccr41.jfk02.atlas.cogentco.com [154.54.30.185]
|      9   103 ms   100 ms   100 ms  be2806.ccr41.dca01.atlas.cogentco.com [154.54.40.106]
|     10   118 ms   117 ms   117 ms  be2112.ccr41.atl01.atlas.cogentco.com [154.54.7.158]
|     11   130 ms   130 ms   134 ms  be2687.ccr41.iah01.atlas.cogentco.com [154.54.28.70]
|     12   147 ms   146 ms   181 ms  be2927.ccr21.elp01.atlas.cogentco.com [154.54.29.222]
|     13   155 ms   155 ms   156 ms  be2930.ccr32.phx01.atlas.cogentco.com [154.54.42.77]
|     14   172 ms   348 ms   192 ms  be2941.rcr52.san01.atlas.cogentco.com [154.54.41.33]
|     15   198 ms   202 ms   205 ms  te0-0-2-0.rcr12.san03.atlas.cogentco.com [154.54.82.70]
|     16   209 ms   165 ms   165 ms  te0-0-2-3.nr11.b006590-1.san03.atlas.cogentco.com [154.24.18.194]
|     17   166 ms   171 ms   203 ms  38.96.10.250
|     18   165 ms   162 ms   162 ms  news.ycombinator.com [209.216.230.240]
| jdthedisciple wrote:
| only 8 hops for me from Europe
| pGuitar wrote:
| I got 30 hops from Atlanta/Comcast
|
| but hops from 9 to 30 are "blank" like this:
|
|     30  * * *
|
| the last non-blank hop is this:
|
|     8  M5-HOSTING.bar1.SanDiego1.Level3.net (4.16.110.170)  69.921 ms
|        GIGLINX-INC.bar1.SanDiego1.Level3.net (4.16.105.98)  60.600 ms
|        M5-HOSTING.bar1.SanDiego1.Level3.net (4.16.110.170)  69.882 ms
| dhaavi wrote:
| Cogent is the third biggest network on the Internet by
| CAIDA AS Rank. Your connection used it for pretty much all
| the distance.
| RcouF1uZ4gsC wrote:
| > Also, we must be aware of the risks associated with using the
| built-in VPN services of Microsoft, Apple, and the like. The
| tools they so generously offer might protect you from being
| tracked by your Internet Service Provider (ISP),
|
| It seems using a VPN from your browser vendor does not increase
| your risk. I don't think a VPN would have any information that
| your browser did not.
| oefrha wrote:
| People generally don't tolerate browsers that phone home with
| any and all accessible information. But if you claim to also
| run a built-in VPN service...
| vladvasiliu wrote:
| What do you mean?
|
| I oftentimes see people using Chrome (not Chromium) while
| logged into a profile. Are you telling me that either those
| people are actually a minority, or that Chrome doesn't phone
| home?
| lxgr wrote:
| Not really: Your browser vendor _might_ push out a malicious
| update or enable dormant functionality that sends them
| telemetry on your browsing, or even your entire web traffic,
| but a VPN definitively _does_ receive all of your traffic
| (including, at least, the host name of almost all sites you
| visit).
|
| I can observe who my browser/OS talk to (beyond the sites I
| already visit) - but what happens inside a VPN provider is
| impossible to tell.
| mkl95 wrote:
| Serious question - is there a legitimate use case for Edge when a
| Chrome Stable build is available?
| mrweasel wrote:
| I'm thinking Microsoft is hoping for the reverse: Why download
| Chrome when you have a perfectly good Blink based browser
| already installed.
| vladvasiliu wrote:
| It's already installed and it works well enough. Plus, if I'm
| using Windows, I'm already sending a bunch of telemetry to MS,
| so I don't see a reason to go out of my way to send some to
| goog, too. Also, I'm not a Netflix customer, but I understand
| that on PC you need Edge to get high-definition (>=1080p)
| video. Chrome doesn't work (neither does it work on Mac). So
| the question becomes: is there a legitimate use case for Chrome
| when Edge is available (and is mostly the same thing)?
|
| I, personally, am quite against using a Google browser (or
| derivative), but for my gaming PC where I only launch the
| browser once in a blue moon, I just can't be bothered to
| download anything else since Edge works. On my work PC I use
| Firefox, and am quite happy with it.
| wintermutestwin wrote:
| Edge is the only Chromium-based browser that allows for
| Vertical Tabs.
| netsharc wrote:
| Vivaldi has it, and it's a Chromium-based browser made by
| people who left Opera after it was sold to the Chinese. Opera
| had vertical tabs even a decade or so ago, back when it was
| still using its own Presto engine (they switched to Chromium
| and seem to have lost this feature).
| wintermutestwin wrote:
| Thanks for that. Unfortunately, it looks like Vivaldi is
| closed source. Do you know how it is monetized?
| rejectfinite wrote:
| Search engines, bookmarks and they offer email services.
|
| https://vivaldi.com/blog/vivaldi-business-model/
| radicaldreamer wrote:
| There are significant changes in Edge compared to Chrome stable
| and perf and efficiency improvements on Windows (not to mention
| deeper system integration).
| jabroni_salad wrote:
| From a business perspective, IE mode and onedrive userstate
| sync for o365 customers
|
| From a personal perspective, goog and microsoft are basically
| equivalent and I don't want either of their browsers.
| BLO716 wrote:
| The trend towards 0-configuration VPNs though makes it totally
| compelling to just port your traffic home. I'm not trying to be a
| fan-boi, but I want ALL my traffic off the network of snoop. I'm
| just going to go out there and say Ubiquiti and Teleport with
| WifiMan on phone/tablets/computers and 0 config bar codes, I mean
| it's ALMOST frictionless for my family to do this setup once it's
| going.
|
| I at least try to do this while we travel and are out of network
| range. How do people feel about this?
| gzer0 wrote:
| how about a tailscale exit node running on a computer at home
|
| takes 10 seconds to setup and I can use my home IP from
| anywhere on earth
| hopfog wrote:
| I run a free browser game where you can start playing
| immediately, no registration required. The game has a big sandbox
| element where you can build and paint on the world map.
|
| Naturally I've attracted trolls doing everything in their power
| to grief and ruin it for other players. This has led me to
| reluctantly implement moderation tools such as IP bans and proxy
| detection.
|
| I'm currently using a couple of services where I can supply an IP
| and get a risk score back but I'm worried about false positives.
| I'm afraid this initiative, while great for privacy, will make my
| defense measures futile.
|
| What should I do? I just want to run a game with as few intrusive
| barriers as possible. I have no interest in collecting any
| private data from users whatsoever.
| xani_ wrote:
| You will just have a bunch of random false positives that get
| blocked and never come back. Even before VPN a lot of ISPs gave
| you dynamic IP that changed anywhere from every few weeks to
| daily, to each reconnect. Same with any public access point
|
| Same with carrier grade NAT, IP stopped being a good way to block
| things a long time ago. About the only use is "this IP is DoSing
| me now, block it for a few hours".
|
| There are a few other methods, all of them intrusive on privacy.
| Generating a fingerprint of the browser and blocking based on that
| might work for the clueless users but dedicated ones will go
| around it. Requiring one of the popular SSO logins is one
| option (at least banning-wise) but that's a lot of work
| aaronax wrote:
| You have to have intrusive barriers. This is true in real life
| and it is true online.
|
| The world is not a graffiti free-for-all because there are
| barriers: the government (police) is able to apprehend
| individuals, link that physical individual to an identity
| (which it issued at birth), and effectively implement
| consequences to that identity/individual.
|
| If you want your site to not be a graffiti free-for-all, you
| will need a durable way to identify actual people. Twitter, for
| example, essentially requires a phone number to use their site.
| Phone numbers are fairly difficult to get anonymously.
| Therefore, Twitter has a useful link between their users and a
| physical individual. Other services use other things.
|
| The government should implement cryptographic certificate based
| identities to citizens. Ideally there would be a way to "sign"
| something that says you are a real citizen without revealing
| which citizen you are, but is durably unique (subsequent
| signings identify you as the same citizen).
|
| Facebook, Google, etc. are effectively filling this function
| right now but they leave much to be desired.
| hopfog wrote:
| > Ideally there would be a way to "sign" something that says
| you are a real citizen without revealing which citizen you
| are, but is durably unique (subsequent signings identify you
| as the same citizen).
|
| This is a truly interesting and groundbreaking idea that
| would solve all my problems. Do you know if there are any
| initiatives like that or is it science-fiction?
| aaronax wrote:
| Actually issued by a government? Not sure.
|
| How to implement? Also not sure. I am not an expert in this
| field. "Anonymous credentials" seems like the closest thing
| maybe. Basically you need to somehow prove you have a valid
| signed certificate without disclosing the public key.
|
| https://crypto.stackexchange.com/questions/83412/how-to-
| achi...
| https://crypto.stackexchange.com/questions/52189/zero-
| knowle...
|
| Since you seem open to putting up barriers...in the process
| of looking into this I discovered Idena and checked it out
| a little. You could require verified Idena something or
| other, just as an example. I'm sure there are scores of
| these types of things being built, most or all of which
| will fail to gain traction.
| BrainVirus wrote:
| Redesign the rules so that trolling is not rewarding. Yes, I
| know, it's hard.
| hopfog wrote:
| Yeah, I thought I could pull that off but in the end I was
| naive thinking I could solve it with mechanics. The idea was
| that I would never need to ban anyone, ever. However, even
| with thousands of players playing the game as intended just
| one troll can wreak havoc by creating hundreds of accounts
| through proxies.
|
| I have implemented measures where you can't chat until you've
| finished the tutorial, 5 minutes decay on stuff built/painted
| outside plots and upkeep on claimed plots but it's not
| enough. The trolls are extremely dedicated and devote their
| life to ruining my game.
| dathinab wrote:
| Hm,
|
| I think this is mainly an form of advertisement move to compel
| more users to use edge/not switch away from it. Reason: By now
| many non-technical people think a VPN is necessary (or at least
| recommendable) for "safety". Through how a VPN actually
| helps/works most non-technical people do not understand at all.
| For Microsoft providing a VPN which by default is only enabled on
| public WiFi and similar isn't too expensive.
|
| They also need to compete with Apples Privacy Relay feature.
|
| So putting bias aside it seems a good thing.
|
| But there are some gotchas:
|
| 1. a VPN is not per-se privacy protecting, it is only that if the
| VPN provider legally binding agrees to not sell out the users
| data.
|
| 2. a major browser which tries to force itself on all windows
| users providing a VPN for free hurts the VPN market due to the
| unfair competitive advantage this VPN has.
|
| 3. It could normalize for many people that VPNs do not necessarily
| have a feature to avoid geo-blocking => make it easier for
| legislation targeting such features to pass
|
| 4. also more centralization for Cloudflare
|
| Though if you ignore all this from a pure "common people's
| security" perspective (i.e. not state actor attacks) this is a
| neat improvement. There are still too many things which allow
| attacks due to not using HTTPS and for non state-level attackers
| the best attack vector are public hotspots and similar where this
| VPN automatically is enabled. E.g. common security problem is
| HTTP(not s) redirect links in e.g. mails, which an attacker could
| trivially rewrite to point you to their site which automatically
| proxies the site you originally wanted to go to. Worst offender I
| saw was a FIN-tec site using emailing http(not s) redirect links
| containing the auth token for the initial account setup...
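
Added example, not part of the comment above or of the original thread: a defender-side audit of an outgoing e-mail body that flags links which carry a credential over plain HTTP, the pattern described in that comment. The parameter-name list, the "looks like a token" heuristic, the function names and the sample message are all assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names that usually carry a credential (assumed list, extend as needed).
SENSITIVE_NAMES = {"token", "auth", "key", "code", "session", "sid", "reset", "otp"}
URL_RE = re.compile(r"https?://[^\s<>()]+", re.IGNORECASE)


def looks_like_secret(value):
    """Heuristic: long value mixing letters and digits, typical of random tokens."""
    return (len(value) >= 16
            and re.search(r"[A-Za-z]", value) is not None
            and re.search(r"\d", value) is not None)


def audit_email_links(body):
    """Return (url, reason) for every link that exposes a credential over plain HTTP."""
    findings = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url.rstrip(".,;"))
        if parts.scheme.lower() != "http":
            continue  # https links are protected in transit
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name.lower() in SENSITIVE_NAMES or looks_like_secret(value):
                findings.append((parts.geturl(), f"parameter '{name}' sent in cleartext"))
                break
        else:
            # Tokens are also embedded as path segments, e.g. /activate/<token>
            if any(looks_like_secret(seg) for seg in parts.path.split("/")):
                findings.append((parts.geturl(), "token-like path segment sent in cleartext"))
    return findings


# Constructed sample message; hosts and token values are made up.
SAMPLE_EMAIL = """\
Welcome! Finish setting up your account:
http://click.mailer.example/r?u=https%3A%2F%2Fbank.example%2Fsetup&token=9f3a1c77e2b04d5aa6c1
Read our terms: http://bank.example/terms
Manage preferences: https://bank.example/prefs?token=9f3a1c77e2b04d5aa6c1
Or activate directly: http://bank.example/activate/4be2c9d0a17f43e8b6d5.
"""

if __name__ == "__main__":
    for url, reason in audit_email_links(SAMPLE_EMAIL):
        print(f"{reason}: {url}")
```

Run against mail templates before they ship; the redirect link is flagged even though its final destination is HTTPS, because the first hop and the token travel in cleartext.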
| strictfp wrote:
| Cue VPNs being banned
| rntksi wrote:
| I remember this being done back when Opera 7 was used. I think it
| had a feature for mobile OS, where it would route requests to
| Opera's servers and serve clients a minified, smaller version of
| the page, so people on 2G at the time could still use the web. I
| don't remember people being outraged at the time at the prospect
| of a browser having a baked-in VPN option though.
| laundermaf wrote:
| Don't forget about Google's own "optimizer"
|
| https://en.wikipedia.org/wiki/Google_Web_Accelerator
| bityard wrote:
| I remember this as well and thought it was a neat service. One
| that I would have liked to emulate using my own proxy in order
| to save bandwidth on my mobile data but never got around to
| actually doing.
|
| These days with widespread HTTPS, the only way to do this is to
| bake it into the browser itself.
|
| And of course, this was back when you could trust Opera to do
| what they said they were (or weren't) doing.
| sergiotapia wrote:
| God I miss Presto and Dragonfly. :'(
| Nextgrid wrote:
| At the time, spyware was not yet a mainstream business model so
| there was no outrage because respectable, established companies
| didn't yet become spyware operators. There was still mutual
| trust back in the day.
| noja wrote:
| Yes that was mainly because mobile internet was really slow and
| using it without Opera's proxy was an exercise in frustration.
|
| But do not forget that Opera 7 was released TWENTY YEARS AGO.
| Things are a bit different now. Think eternal september.
| pGuitar wrote:
| Why do they even need this? With all the spying/telemetry they
| already do, they probably already know the sites that you
| visit....
| lucasmullens wrote:
| Some users might want this feature, which gets them more users.
| I think outside HN most users would appreciate a free VPN for
| when they're on public Wi-Fi.
| timbit42 wrote:
| They want to keep everyone else from tracking you so their data
| is more valuable.
| jeroen79 wrote:
| Cloudflare is nasty, it's worse giving them all your data than
| spreading it around.
| counttheforks wrote:
| bilekas wrote:
| > you can save up on traffic which is capped at a modest 1 GB per
| month.
|
| These days that probably won't even manage the tracking requests
| being sent from the machine a month.
| kebman wrote:
| If I'm not mistaken Skype used to be called the most secure video
| calling app back in the day. Until this:
| https://lists.randombit.net/pipermail/cryptography/2013-May/...
| kazinator wrote:
| "Let's use our browser to herd users into our walled network,
| where our competitors cannot track them as easily as we are able
| to."
| donmcronald wrote:
| I think this is the real reason for the "VPN in a browser"
| trend. It's about getting exclusive access to browsing data.
|
| Imagine Facebook data collection, but without being able to
| ignore it. That's where we're headed. Watch for Google to
| release a "security" product that does something similar.
|
| IMO Apple, Microsoft, and (eventually) Google are going to use
| their platform dominance to usurp Facebook's ad business.
| That's why Facebook is making a big bet on VR. It's not that
| they see VR as a naturally popular platform. It's simply one of
| the last platforms that _could_ be popular (for the near
| future), isn't already dominated by a major player, and has
| network effects that make it a critical mass platform similar
| to how Facebook works. If they can buy their way in, they own
| the whole market.
|
| This kind of thing should get these companies obliterated by
| regulators. It's shameless, blatant, anti-competitive behavior
| where they're using their dominance in one market to gain an
| extremely unfair advantage in another.
|
| The goal is to move the entire ad market away from the open web
| and into closed platforms like OSes and browsers.
| pmarreck wrote:
| Imagine still tolerating Windows in 2022
| seabrookmx wrote:
| Some people play video games.
|
| Some people want to use the Adobe suite on user upgradable
| hardware.
|
| If you come out of your bubble you'll see there's plenty of
| reasons to still use Windows (typing this in Firefox running on
| Fedora, FWIW).
| rejectfinite wrote:
| The great thing about Windows is that you can install another
| browser and set it to default. You don't have to use Edge.
| blibble wrote:
| and then every other update it "accidentally" gets set back
| to Edge
| rodolphoarruda wrote:
| Not even god knows what's going on inside that (not so very much)
| private network.
| tonymet wrote:
| Microsoft obviously benefits from the ability to collect more
| tracking signals. Even over HTTPS they will have many traffic
| signals to use for ads targeting.
|
| Just be mindful of any feature and who it benefits. These
| companies aren't charities.
| MikeYasnev007 wrote:
| netsharc wrote:
| > The VPN feature, known as "Microsoft Edge Secure Network," has
| rolled out to a limited selection of users in the latest Edge
| Canary version.
|
| Now why didn't they call it Microsoft Secure Network! And MSN in
| short.
|
| And next they should start a VPN'ed messaging service, they can
| name it "MSN Messenger".
| kingaillas wrote:
| Everybody is suspicious of Microsoft's motives but I think in
| this, you gotta consider how many windows systems are out there
| used by security novices.
|
| Lots of people are computer savvy but want to use a computer to
| do something else not under the umbrella of hobbyist sysadmin
| work.
|
| I don't see the downside here, again, considering the multi-
| millions average users Windows/Edge has. If you are savvy enough
| to roll your own VPN using algo from Trail of Bits, then do that.
| If you are able to weigh the pros and cons of VPNs from having
| one or not, or which one to use, you are ahead of 99.99% of the
| people this will help.
| sylens wrote:
| Had to move off of Edge to Brave a few weeks back after sticking
| it out longer than I should have. I really liked Edge on both
| Windows and macOS but they keep adding stuff that I don't want to
| the browser.
| 0xbadcafebee wrote:
| Isn't this basically just Chrome's data saver? They never called
| it a VPN but they did send all your traffic to Google.
___________________________________________________________________
(page generated 2022-09-30 23:00 UTC)