nikqwxq550

joined 1 month ago
[–] [email protected] 1 points 6 days ago* (last edited 6 days ago)

KeePassXC and Signal are regarded as security products. Joplin is not, and I doubt the developer wants it to be. If we push for every product developer to bake their own security systems, we will end up with half-baked products and half-baked security. If people want better isolation between apps, they should choose an OS that does so, or push for one if it doesn't exist.

[–] [email protected] 2 points 1 week ago (2 children)

If you don't mind I am curious to hear your reasons. I personally agree with the developer, I think it's a lot of work and doesn't provide a meaningful win. If an attacker has access to the system, there are many other ways they can access your notes even if the notes are encrypted at rest. Based on the thread it sounds like what people actually want is isolation and access control, but I don't think that responsibility should fall on the app developer, it should be handled by a broader system (like Veracrypt, or Flatpak).

[–] [email protected] 1 points 1 month ago

Then it's not clear what you were trying to say. Does it have to be a flatpak? No. It also doesn't have to be a standalone binary. It's up to the Tor Project how they want to release it.

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago)

AFAIK the notification was suppressed; see the linked GitHub issue in the post, or this one. I can guarantee the notification wasn't there on my end, or else I would have noticed it.

[–] [email protected] 1 points 1 month ago (2 children)

It doesn't have to be, but if all Linux apps were standalone binaries, installing apps would be a PITA. Flatpaks have better integration with the desktop environment (like automatically handling desktop shortcuts), can share runtimes to save space, have a standardized way of handling permissions and launch options, etc. The Linux world is moving towards flatpaks for many reasons, and the Tor Browser flatpak is marked as official from the Tor Project. Wouldn't it be reasonable to expect it to work, and to get some sort of notification if it breaks?

[–] [email protected] 1 points 1 month ago

Lately they've been rate-limiting more heavily, but if I wait and refresh enough times, or change circuits enough times, it tends to work.

[–] [email protected] 2 points 1 month ago

It sounds like most other users install it that way too. Which surprises me, since I had thought the Linux community had started to move towards Flatpaks. But anybody who searched Flathub for Tor Browser would have seen the flatpak with the Tor Project author listed as verified, and there would be no indication that this was in fact an unstable installation.

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago)

Ah, my mistake. Yes, a social media post or blog post would have been nice.

[–] [email protected] 2 points 1 month ago

I get what you're saying, but at the same time if every developer released software as pre-compiled binaries on their website, installing stuff on Linux would become such a PITA. (This is different from how Windows works because apps for Windows are distributed using installers like xxx.msi, and Linux does not have a unified installation system across distros)

[–] [email protected] 2 points 1 month ago (1 children)

I've had the opposite experience, and started using Flatpaks after running into dependency conflicts once or twice when updating my system. Though I admit I've run into bugs with Flatpaks as well, just nothing as painful as a dependency conflict.

[–] [email protected] 3 points 1 month ago

It's impossible to know for sure whether you are tracked or not, but even the most basic fingerprinting mechanisms check browser version, and Reddit has advanced fingerprinting mechanisms to detect ban evasion. Couple that with the fact that 90% of my searches led me to Reddit, and it's easy to conclude that Reddit correlated all my visits using my fingerprint, and thus has a history of all the things I have searched and been interested in for the past year, and sold that to Google. And Google has enough data on me from back when I used to use Google services, that they were probably able to link that activity to my real identity.

[–] [email protected] 2 points 1 month ago (1 children)

It sounds as though you were aware of this bug already. How did you find out? Did you notice it yourself or was there a notification somewhere?

109
submitted 1 month ago* (last edited 1 month ago) by [email protected] to c/[email protected]
 

cross-posted from: https://futurology.today/post/4000823

And by burned, I mean "realize they have been burning for over a year". I'm referring to a bug in the Tor Browser flatpak that prevented the launcher from updating the actual browser, despite the launcher itself updating every week or so. The fix requires manual intervention, and this was never communicated to users. The browser itself also doesn't alert the user that it is outdated. The only reason I found out today was because the NoScript extension broke due to the browser being so old.

To make matters worse, the outdated version of the browser that I had differs from the outdated version reported in the GitHub thread. In other words, if you were hoping that at least everybody affected by the bug would be stuck at the same version (and thus have the same fingerprint), that doesn't seem to be the case.

This is an extreme fingerprinting vulnerability. In fact I checked my fingerprint on multiple websites, and I had a unique fingerprint even with JavaScript disabled. So in other words, despite following the best privacy and security advice of:

  1. using Tor Browser
  2. disabling JavaScript
  3. keeping software updated

My online habits have been tracked for over a year. Even if DuckDuckGo or Startpage doesn't fingerprint users, Reddit sure does (to detect ban evasions, etc.), and we all know 90% of searches lead to Reddit, and that Reddit sells data to Google. So I have been browsing the web for over a year with a false sense of security, all the while most of my browsing was linked to a single identity, and that much data is more than enough to link it to my real identity.

How was I supposed to catch this? Manually check the About page of my browser to make sure the number keeps incrementing? Browse the GitHub issue tracker before bed? Is all this privacy and security advice actually good, or does it just give people a false sense of security, when in reality the software isn't maintained enough for those recommendations to make a difference? Sorry for the rant, it's just all so tiring.

Edit: I want to clarify that this is not an attack on the lone dev maintaining the Tor Browser flatpak. They mention in the issue that they were fairly busy last year. I just wanted to know how other people handled this issue.
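The post's question ("manually check the About page to make sure the number keeps incrementing?") has a mechanical answer: record the launcher version and the browser version it actually runs on a schedule, and alert when the launcher has moved on but the browser has not. The script below is an added example written for this page; it is not code from the post, the Tor Project, or the flatpak maintainer. The log format, the version numbers and the 30-day tolerance are constructed; how you collect real observations (reading the About page, querying the package manager) is left as an assumption.

```python
"""Stalled-component detector: added example, not code from the post or the Tor Project.

It models the failure the post describes: a launcher that keeps updating while
the browser it launches stays at an old version, with nothing alerting the user.
Given dated observations of (launcher version, browser version), it flags the
first point where the launcher has changed but the browser has not for longer
than a tolerance window. The log format and the version numbers are constructed
for this example; how you collect real observations is an assumption left to you.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Observation:
    day: date
    launcher_version: str
    browser_version: str


def parse_log(text: str) -> list[Observation]:
    """Parse constructed lines of the form 'YYYY-MM-DD launcher=<v> browser=<v>'."""
    observations = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        day_s, launcher_s, browser_s = line.split()
        observations.append(Observation(
            day=date.fromisoformat(day_s),
            launcher_version=launcher_s.split("=", 1)[1],
            browser_version=browser_s.split("=", 1)[1],
        ))
    return sorted(observations, key=lambda o: o.day)


def detect_stalled_browser(observations: list[Observation],
                           tolerance_days: int = 30) -> Optional[Observation]:
    """Return the first observation at which the browser version has been
    unchanged for more than tolerance_days while the launcher version changed
    at least once in that same window. Return None if no stall is seen.

    A launcher that updates without the browser following is the signal; a
    browser that simply has had no release yet is not flagged on its own."""
    if not observations:
        return None
    browser_since = observations[0].day   # first day the current browser version was seen
    launcher_moved = False                 # launcher changed while the browser stayed put
    previous = observations[0]
    for current in observations[1:]:
        if current.browser_version != previous.browser_version:
            browser_since = current.day    # browser caught up: restart the window
            launcher_moved = False
        elif current.launcher_version != previous.launcher_version:
            launcher_moved = True
        if launcher_moved and (current.day - browser_since).days > tolerance_days:
            return current
        previous = current
    return None


def stale_days(observations: list[Observation]) -> int:
    """Days the most recent browser version has been unchanged, up to the last observation."""
    if not observations:
        return 0
    since = observations[0].day
    for prev, cur in zip(observations, observations[1:]):
        if cur.browser_version != prev.browser_version:
            since = cur.day
    return (observations[-1].day - since).days


# Constructed observations: the launcher moves every week, the browser never does.
STALLED_LOG = """
2024-01-01 launcher=1.0.1 browser=1.0.1
2024-01-08 launcher=1.0.2 browser=1.0.1
2024-01-15 launcher=1.0.3 browser=1.0.1
2024-02-05 launcher=1.0.4 browser=1.0.1
2024-02-12 launcher=1.0.5 browser=1.0.1
"""

# Constructed observations: launcher and browser move together, as they should.
HEALTHY_LOG = """
2024-01-01 launcher=1.0.1 browser=1.0.1
2024-01-08 launcher=1.0.2 browser=1.0.2
2024-02-12 launcher=1.0.3 browser=1.0.3
"""


if __name__ == "__main__":
    for name, log in (("stalled", STALLED_LOG), ("healthy", HEALTHY_LOG)):
        obs = parse_log(log)
        hit = detect_stalled_browser(obs)
        if hit is None:
            print(f"{name}: ok, browser version unchanged for {stale_days(obs)} days")
        else:
            print(f"{name}: ALERT on {hit.day}: launcher at {hit.launcher_version}, "
                  f"browser still at {hit.browser_version} ({stale_days(obs)} days stale)")
```

The point of keying the alert on the launcher moving, rather than on the browser's age alone, is that it is exactly the mismatch the post describes: the wrapper's weekly updates are what gave the impression that everything was current. Run on the constructed stalled log, the check fires on the 2024-02-05 observation, 35 days after the browser version was last seen to change.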

212
submitted 1 month ago* (last edited 1 month ago) by [email protected] to c/[email protected]
 

Update: I just noticed that based on this comment, the flatpak was only verified by Tor Project after this particular issue had been fixed. So perhaps I should have waited before installing the flatpak. Sigh...
