this post was submitted on 30 Jul 2024
503 points (91.0% liked)
Firefox
18045 readers
17 users here now
A place to discuss the news and latest developments on the open-source browser Firefox
founded 5 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Here is a talk on OHTTP (OHAI) https://www.youtube.com/watch?v=_HEzpnktAwY
and a OHTTP recap https://www.youtube.com/watch?v=qjLwo4Ufp8s
Basically, if you trust the OHTTP Proxy (mozilla) and the OHTTP service provider (fakespot) to not collude, then OHTTP protects your data.
If you think Mozilla and fakespot might collude, then this doesn't give you any privacy. (Update - Someone pointed out Mozilla has purchased fakespot, so this comes down to Trusting mozilla with 100% of your data for their privacy promise and OHTTP is totally pointless here)
Depends on your threat model.
If they actually cared about privacy they would have the OHTTP model, sure, but also a TOR hidden service endpoint that anyone could use as well ; Removing all the links between the user and the service shouldn't be a problem, since they are not monitizing user behavior, right? RIGHT?!?!?
Mozilla says they use a third-party OHTTP intermediary. In the blog post linked above, they name Fastly as their partner. So it's not as bad as Mozilla + Mozilla-wearing-funny-glasses.
Personally, I still think this is the wrong approach to privacy, even though I've used Fakespot on my own many times over the years. Largely because I don't think any of this needs to be built into a web browser.
I would prefer my web browser to minimize information leakage by default, to the greatest degree that it can while still remaining useful as a web browser. Mozilla keeps adding bloat to Firefox, and bloat always comes at a cost. I'd much prefer these to be browser extensions that people can download if they want them, rather than built in by default. The baseline Firefox should be lean. Less "stuff" = smaller attack surface. Simplicity is best.
I mean, the Fakespot browser extension has existed for a long time, and I've never seriously considered installing it. I'd much rather just take an extra three seconds to load their web site and paste in a URL than have it constantly monitoring my activity and doing god-knows-what with it. That way I have better knowledge and control of what is happening with my data. Even if I trust their intentions, I don't implicitly trust their competence (all software has bugs) and I don't trust that they will never go rogue in the future.
And also, I just don't find this claim all that compelling in principle:
I mean...sure. That's fair. Buuuuuut handing half the data to your "partner" doesn't give me a whole lot of confidence. Especially since literally nobody reads all of the privacy policies they are subject to. See:
https://www.theatlantic.com/technology/archive/2012/03/reading-the-privacy-policies-you-encounter-in-a-year-would-take-76-work-days/253851/
https://www.npr.org/sections/alltechconsidered/2012/04/19/150905465/to-read-all-those-web-privacy-policies-just-take-a-month-off-work
https://www.techradar.com/computing/cyber-security/you-need-a-whole-workweek-every-month-to-read-privacy-policiesand-thats-bad-news
Minimizing privacy policies should be a high-priority goal for any organization that claims to value privacy.
Furthermore, how many additional parties have access (legally or otherwise) to both Mozilla and Fastly? 🤷
i would like to see mozilla making all of these features as full fledged browser extensions (installed by default, sure why not, but uninstallable at user request)
I remember when Firefox was brand new over 20 years ago and one of the reasons for creating it was the main Mozilla browser had too much feature bloat so it was stripped down to just a browser and if you wanted more features you could add them in as extensions, putting just what you wanted in the browser and leaving out what you didn’t. It was great! Eventually Firefox became more popular so Mozilla switched their efforts to it and they’ve been jamming more things that used to be extensions in as features and bloating it full of features I don’t want. It’s one of the reasons I started using Chrome in the early days of Chrome but then of course that and Google started getting worse so I switched back to Firefox, but it still has its problems.
I don't trust Mozilla one single bit with my data as long as they have an advertising network enabled by default and use pingback telemetry for ALL actions you do in the browser by default that can only be turned off by changing multiple "hidden"
about:config
settings.Wait, where does it say that Mozilla is the third-party intermediary server?
It doesn't, but when modeling threats we have to go be capabilities and not intentions.
If we're going by capabilities, then your browser maker can already see everything you do in that browser.