(comments)

Original link: https://news.ycombinator.com/item?id=41391412

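Firefox and Chrome are popular web browsers. Historically, Chrome consumed fewer system resources than Firefox, especially when memory was limited. Today, however, Firefox offers enhanced privacy features such as HTTPS-only mode, encrypted DNS, and support for various encryption protocols such as SOCKS and Encrypted Client Hello. However, because of these additional privacy features, it requires more system resources. Users may choose to improve their computer's performance by adding more memory rather than switching browsers. Regarding online tracking, the user believes browsers should prioritize user privacy and not cooperate with advertising companies. Instead, browsers should focus on improving product quality in order to stand out among competitors and avoid unnecessary tracking. In addition, browser developers should work to reduce user fingerprinting, since it can leak sensitive information about the device and its user. Measures to achieve this include restricting access to sensitive data such as canvas data, GPU names, and sound card enumeration. New APIs should ensure that they do not increase fingerprinting, or should hide fingerprinting data behind permissions. Regarding third-party cookies, the user suggests that browsers adopt a strategy of allowing cookie exceptions on legacy websites that rely heavily on third-party cookies, rather than maintaining a blacklist. Although this approach carries risks, such as possibly inconveniencing users by requiring their active participation, its aim is to strike a balance between convenience and privacy. In summary, the user seeks a modern web browser that offers strong privacy controls, reduces user fingerprinting, provides reasonable third-party cookie management options, and focuses on overall improvement of product quality rather than collecting excessive data for marketing purposes. Ideally, users should be able to easily opt out of unwanted tracking mechanisms. In addition, the user wants transparency about data use and wants browsers to put user privacy above financial interests.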


Original text


Have been using Firefox for a long time, no issues, though long ago when I had little memory, Chrome was using less of it. Firefox also has HTTPS-only mode, encrypted DNS without fallbacks, supports SOCKS and Encrypted Client Hello (although almost no website supports it). However, it is better to just buy more memory (unless you are lucky to use Apple products).

Regarding analytics, I believe browsers should take user's side and do not cooperate with marketing companies; even better, they should implement measures to make user tracking and fingerprinting more difficult. There is no need to track user's browsing history; just make a product better than competitors (so that it gets first place in reviews and comparisons) and buy ads from influencers.

It would be great if browsers made fingerprinting more difficult, i.e.: not allowed to read canvas data, not allowed to read GPU name, enumerate audio cards, probe for installed extensions etc. Every new web API should guarantee that it doesn't provide more fingerprinting data or hides the data behind a permission.

Regarding 3rd party cookies: instead of shady lists like RWS browsers should just add a button that allows 3rd party cookies as an exception on a legacy website relying on them (which is probably not very secure). Although, there is a risk that newspaper websites, blog websites and question-answers websites will force users to press the button to see the content.



> Regarding analytics, I believe browsers should take user's side and do not cooperate with marketing companies

Browsers were supposed to act as agents working for the user. User-agents. These days it's getting harder and harder to find a browser that doesn't work for an ad company at the expense of the user.

Chrome's entire reason for existing is data collection. Firefox can, for now at least, be hardened to work for the user (and prevent a lot of fingerprinting), but Mozilla is an ad-tech company too now. They've made their lack of respect for Firefox users clear by making Firefox spy on users by default so that Mozilla can sell that data to marketers.

Currently, you can disable that spying in about:config by setting dom.private-attribution.submission.enabled to false (see https://news.ycombinator.com/item?id=41311479 and also https://web.archive.org/web/20240827185708/https://make-fire...). No idea how long that will continue to be an option or how often you'll have to go back and reset that back to false following updates though.

We really need a new browser that actually works in the interest of the users.
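One way to notice the reset the comment above worries about, as an added example that is not part of the original thread: audit a profile's prefs.js text against the desired value and emit a matching user.js, which Firefox re-applies at every startup. The sample prefs.js contents are constructed; only the pref name and value come from the comment.

```python
import json
import re

# Pref named in the comment above, with the value the commenter recommends.
DESIRED = {"dom.private-attribution.submission.enabled": False}

# One user_pref("name", value); statement per line, as prefs.js and user.js use.
_PREF = re.compile(r'^\s*user_pref\(\s*"([^"\\]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Constructed samples. prefs.js records only prefs that differ from the
# built-in default, so a missing line means "the default is in effect".
PREFS_PINNED = '''// constructed sample prefs.js
user_pref("browser.startup.page", 3);
user_pref("dom.private-attribution.submission.enabled", false);
'''
PREFS_RESET = '''// constructed sample: the pref line is gone
user_pref("browser.startup.page", 3);
'''
PREFS_FLIPPED = '''// constructed sample: the pref was set back to true
user_pref("dom.private-attribution.submission.enabled", true);
'''


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in the given text."""
    prefs = {}
    for line in text.splitlines():
        match = _PREF.match(line)
        if not match:
            continue  # comments and blank lines
        name, raw = match.groups()
        try:
            # true/false, integers and "strings" are all valid JSON literals.
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw
    return prefs


def audit(prefs_text, desired=DESIRED):
    """Classify each desired pref as 'ok', 'unset' or 'drifted'."""
    current = parse_prefs(prefs_text)
    report = {}
    for name, want in desired.items():
        if name not in current:
            # Not recorded: the built-in default applies (which the comment
            # above says is "enabled"), so this needs attention too.
            report[name] = "unset"
        elif type(current[name]) is type(want) and current[name] == want:
            report[name] = "ok"
        else:
            report[name] = "drifted"
    return report


def user_js(desired=DESIRED):
    """Render user.js lines that pin the desired values at every startup."""
    return "".join(
        f'user_pref("{name}", {json.dumps(value)});\n'
        for name, value in sorted(desired.items())
    )


if __name__ == "__main__":
    for label, text in (("pinned", PREFS_PINNED), ("reset", PREFS_RESET),
                        ("flipped", PREFS_FLIPPED)):
        print(label, audit(text))
    print(user_js(), end="")
```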



Firefox really has been going downhill for a long time. Forcing Pocket into the browser, the ad infested new tab page, telemetry, making user accounts a thing, force installing TV show promotions, etc.

What they haven't done before is spend a fortune buying up an ad-tech start up. They barely even bother to maintain a pretense that they care about Firefox users. They basically came right out and said "We know that users don't want this, we can't convince them to, so we were right to force it on them by default and just hope most people don't notice and start complaining" (https://cdn.adtidy.org/blog/new/2wffyscreen_mozilla.png?mw=1...)



> Forcing Pocket into the browser

Fun fact: by subscribing to Pocket, you're directly contributing to Firefox's development.

Mozilla found itself in a situation of damned if they do, damned if they don't. People scream at them for depending on Google, and then they scream at them for trying to diversify their revenue.

Nobody wants to pay for a browser, browsers are essentially incredibly complex nowadays, and I have yet to hear how in the world are browsers supposed to get funding.

And of course they want to cater to advertisers because it is advertising that maintains the open web, and it is advertising that is paying for all browser development, actually, including Safari. And the open web is also dying, because people have been moving to mobile apps, where all pretence that "the user agent must act on your behalf" is gone. In other words, even if you get what you wish for, in a couple of years it may not matter at all.



> And of course they want to cater to advertisers because it is advertising that maintains the open web

As someone who worked both on advertiser and publisher sides (incl. content monetisation): advertisers like to say that they support publishers and the open web, but in fact, they are keeping it hostage.

We've had the means/tech to support publishers directly for years (I don't mean crypto). It's in the interest of companies like Google to keep users (and publishers, and brands) in the dark. And one of the issues here is that they have so much impact on the discourse. There are only few places, where I saw more people using ad blockers than the adtech businesses I worked with or at.

> Nobody wants to pay for a browser

True, but I don't think people would have an issue with paying for browsers if they understood the value of it. At this stage, I think the only solution would involve:

1) education 2) regulation/better legislation



> As someone who worked both on advertiser and publisher sides (incl. content monetisation): advertisers like to say that they support publishers and the open web, but in fact, they are keeping it hostage.

I know what you're saying, I agree, as I worked (in the past) on advertising platforms as well, but both of those statements can be true at the same time.

The open web was built on advertising, but the perverse incentives in advertising are also poisoning the open web.

I don't think we've ever had a good solution. People like free stuff, and also, micro-transactions are not possible given the huge banking fees. What we're seeing, the alternative, are subscription-based services behind closed gardens, and mobile apps whose ads can no longer be blocked, so here we are.

I also think that Google isn't the greater evil, because Google has an incentive to keep the web going. For instance, what happens with local newspapers, when they die, besides depriving ad networks of revenue, is that the audience of these newspapers moves to walled gardens like Facebook. The failure of advertising on the web right now results in more centralisation.



> Mozilla found itself in a situation of damned if they do, damned if they don't. People scream at them for depending on Google, and then they scream at them for trying to diversify their revenue.

People didn't like Pocket as a product. It wasn't as if they just didn't like it because Firefox wanted to make money out of it.

Sure they should diversify, but with something that isn't otherwise (so) objectionable. Like their VPN, or sponsorship, or just let go of all the upper management.



> Mozilla is an ad-tech company too now.

I'm sorry, this seems egregious. I agree that it should've been off by default but I challenge anyone to read how the implementation works (not just the blog post and the FUD responses to it) before calling it a giveaway to the ad industry: https://github.com/mozilla/explainers/tree/main/ppa-experime...

FF is currently a key tool in the fight to avoid a Google-top-to-bottom future, and before we start the meme that it's gone to shit we should be really really sure that's actually true.



It really is disheartening to see so many technically-inclined people berate the one browser that is preventing Apple/Google hegemony. The expectations set upon Mozilla and Firefox are so unrealistic it's laughable.

Firefox is rock solid, open-source, backed by a great organization (which has recently reinvested additional resources in it) and a joy to use imo. Also, the levels of vitriol that even the slightest bit of anonymous telemetry incurs is unhelpful and I encourage people who hold that viewpoint to really interrogate it.



With GA4, the tracker code is loaded from www.googletagmanager.com (even if the tag isn't loaded via a GTM container). The measurement requests can be sent to (region1|www).google-analytics.com or analytics.google.com (to share cookies with Google login better).



No, that is not the entire point of DoH. That’s like saying the entire point of TLS is to prevent users from looking at the traffic being sent to a website.

DNS without DoH, DoT, or DoQ, is wide open to anyone snooping traffic in the raw, that’s not necessarily information you want to share with the world.



DoH is pushed by Google et al to ensure you continue to provide your data to them.

The browser should respect the OS. The OS should respect the network (dhcp/slaac). If you want to override this then that should be an active choice by the user.

I am quite happy with my OS using normal dns (via WireGuard when out) to my dns server which blocks bad domains before they even reach my firewall, I don’t need DoH, although I have no problem with that as a concept.

What I don’t like is my browser taking away my choice and breaking the model. It should defer to the OS (and I can’t see any time I wouldn’t want it to defer to the OS)



Which (for people not handing all of their DNS traffic over to google anyway) usually just means that their ISP can see their DNS traffic which is kind of a moot point because your ISP can see the domains you go to even with DoH.

If somebody is on your local network capturing packets or they've cracked your wifi you've got bigger problems than your DNS leaking a list of domains. They'll also see the IP of every server you visit online anyway

The way DoH is implemented usually means that all of your DNS traffic is collected by some third party for-profit corporation like cloudflare anyway (who admittedly will already know most of the domains you visit anyway because of how often cloudflare's IP space is where DNS will point you).

There really aren't any good options for DNS and privacy, just a lot of compromises. Host your own. Or, if your ISP is trustworthy, you might be better off using what they provide. The DNS traffic between you and your ISP's servers should never leave their network.



ISPs seeing the domains of user traffic is not a given. And DoH is a step toward mitigating that.

People were setting their DNS resolver to custom values before DoH.

I agree that DoH would ideally be enabled at the OS level, or that the browser flow would default to still checking host file before sending out the query.



The entire point of DoH is to take away control of DNS from the OS vendor to the browser.

There were other encrypted standards(dnscrypt for example) that didn't require you to do that, but the one that bypasses the OS was forced by adtech monopolist in charge.



No, the point of DoH is to take control of DNS from ISPs (and related middlemen) and give it back to site/service owners (so their settings are not overridden for whatever reason) and the end-user (so their habits are not as easy to disrupt or track at the ISP level).

> but the one that bypasses the OS was forced by adtech monopolist in charge.

Assuming by “adtech monopolist in charge” you mean Google, I don't think taking control from OS would benefit them given they effectively have control of more than two thirds of the mobile market share globally¹ so they are shooting themselves in the foot as much as anyone else – so I assume there are practical reasons², or purely technical ones, for DoH being their preferred choice (assuming they are pushing a preference).

And anyway, there is nothing that says applications have to implement DoH instead of letting the OS do that, Chrom{e|ium} and FF have gone that way in part because base OS support wasn't (isn't?) commonly available/enabled.

----

[1] A less than two thirds if you only count the US, as some published figures do, because Apple does rather better there compared to global averages.

[2] isn't dnscrypt's standard still officially a work-in-progress?



If it was implemented at an OS level and respected standard configuration then fine, DoH, DoT, whatever, I’m happy.

However it wasn’t, and it doesn’t defer to the OS or the network. I can’t set a dhcp option on my network to tell my dozens of clients what dns server to use, I have to manually adjust each browser. I additionally get different results depending what I use, my browser will contact a different server than any other application.

That’s broken behaviour which benefits AdTech companies like Google.



> I can’t set a dhcp option on my network to tell my dozens of clients what dns server to use, I have to manually adjust each browser.

But at that point, you are effectively the ISP trying to control how users do DNS, in a way that might enable you to track/block/redirect. You might be trustworthy to your users so that is fine, but that isn't the case for every user's relationship with their service providers.

Is there an arrangement that would stop less trusted networks from tracking/redirecting/blocking DNS requests without (accidentally) helping AdTech by making DNS-based blocking harder?



> The entire point of DoH is to bypass the ability of the users to prevent browsers from providing browsing habits to their owners.

It is the entire point of DoH indeed, while hiding behind the idea that it somehow prevents the state/ISP from knowing which sites you go to (which it really doesn't).

There's only one way to get the best of both worlds:

    - force your browser to never ever use DoH / DoT: force good old, in the clear, DNS over port 53

    - run your own local DNS resolver (I run *unbound*)

    - only ever allow DNS port 53 to/from your machine and your local resolver (I run *unbound* on an old Raspberry Pi)

    - have your DNS resolver use DoH

This way you get the imaginary protection that your DNS traffic is "encrypted" between you and your ISP: I mean, it is encrypted... But it's an illusion to believe it prevents your ISP / friendly-state-after-your-well-being from knowing which sites you visit.

But you also get full control over which domains can be resolved or not.

As a sidenote unbound supports "wildcards" when blocking domains, which is sweet (as opposed to your typical OS's hosts file, which doesn't support wildcards).

FWIW I've configured unbound to return 0.0.0.0 for the millions (!) of (wildcarded) domains I'm blocking and then I use dnsmasq, locally, to convert any 0.0.0.0 into NXDOMAIN. It's versatile and I like it that way.

It's Linux so you set that up once and it works for years.
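The wildcard-blocking part of the setup described above, as an added example that is not the commenter's own configuration: it turns a blocklist into unbound `local-zone ... redirect` rules (which answer a name and every subdomain under it), drops entries already covered by a parent, and adds the `use-application-dns.net` canary that tells Firefox not to enable DoH by default. The blocklist is a constructed sample that reuses the GA4 hostnames named earlier in the thread; the one-hostname-per-line input format is an assumption.

```python
import re

# Constructed sample blocklist, one hostname per line.
SAMPLE_BLOCKLIST = """
# GA4 hosts mentioned in the thread
www.googletagmanager.com
google-analytics.com
region1.google-analytics.com
www.google-analytics.com
# listed on its own: blocking all of google.com would be far too wide
analytics.google.com
Tracker.Example.    # constructed entry, mixed case and trailing dot
"""

# Firefox looks this name up before turning DoH on by default; NXDOMAIN keeps
# it on the system resolver. A user who enabled DoH by hand is not affected.
CANARY = "use-application-dns.net"

_LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")


def normalize(line):
    """Return a lowercase hostname, None for blank/comment lines.

    Anything that is not a plain hostname is rejected, so a hostile list
    entry cannot smuggle quotes or extra directives into unbound.conf.
    """
    name = line.split("#", 1)[0].strip().lower().rstrip(".")
    if not name:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"not a hostname: {line!r}")
    return name


def parse_blocklist(text):
    return {n for n in map(normalize, text.splitlines()) if n}


def covering_zone(qname, zones):
    """Return the blocked zone that covers qname, matching on label boundaries."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def is_blocked(qname, zones):
    return covering_zone(qname, set(zones)) is not None


def minimize(domains):
    """Drop entries that a blocked parent zone already covers."""
    zones = set(domains)
    return sorted(d for d in zones
                  if covering_zone(d.split(".", 1)[1], zones) is None)


def render_unbound(zones):
    """Render a server: section returning 0.0.0.0 for each zone and its subdomains."""
    lines = ["server:", f'    local-zone: "{CANARY}." always_nxdomain']
    for zone in zones:
        lines.append(f'    local-zone: "{zone}." redirect')
        lines.append(f'    local-data: "{zone}. A 0.0.0.0"')
    return "\n".join(lines) + "\n"


ZONES = minimize(parse_blocklist(SAMPLE_BLOCKLIST))

if __name__ == "__main__":
    print(render_unbound(ZONES), end="")
```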



DoH and similar technologies don't override /etc/hosts. They're just a different way of making DNS queries. The entire point of these technologies is to prevent your ISP and everyone else along the way from knowing which websites you visit.



DoH means that each application does its own DNS queries, instead of using the OS's functionality. Whether that includes reading /etc/hosts is up to the application, and it looks like high profile applications like Chrome and Firefox don't read /etc/hosts.

> The entire point of these technologies is to prevent your ISP and everyone else along the way from knowing which websites you visit.

More correctly, the point is to shift all that from one organization to another. Maybe you trust Google or Mozilla more than you trust your ISP, but I don't think it's the same for everyone.

You could even argue that your ISP can already see which hosts you connect to, so using its DNS resolvers doesn't add much information for them. Using DoH means that both your ISP and another party can see that.



Excluding leaks, the ISP does not see the hostnames, what it sees are the IPs you're connecting to. 20% of internet traffic goes through Cloudflare, so at least for those, the IPs are meaningless.

Both privacy and security are layered, and perfect is the enemy of good. Securing the DNS is an obvious first step, forcing the Internet to HTTPS by default was another. Google and Mozilla have contributed to better privacy. People that want more privacy, depending on needs, can also use a VPN or for the more extreme cases, something like Tor.

Not sure what you mean about having to trust Google or Mozilla. I'm not using either Google's or Mozilla's DoH servers. But yes, I would trust them more than my local ISP. Google, at least, proved quite competent in handling whatever data they collect.



> DoH means that each application does its own DNS queries, instead of using the OS's functionality.

HUH?! No! You aren't supposed to implement DNS on the application level! Most modern OSes support some form of DNS over TLS at the system level. You should use that.



You’re not but that’s the point. Google realise they don’t control the OS (in many cases) and thus struggle to monetise it.

I don’t have a problem with doing dns lookups over http, or any other protocol you want to use, if I configure my OS resolver to do that.

When people don’t like DoH they tend to mean they have a problem with bypassing the OS.

There's then the concept of DoH, network admins have a harder job blocking it without MitMing traffic (and in some cases installing new root certificates and thus reducing security for users).

I’m less concerned about that. The argument for DoH often goes to “I don’t trust my network but I do trust Google” but I can see why some don’t trust their network. Personally I’d tunnel all traffic if I were on an untrusted network.

As someone who doesn’t trust Google (as their income comes from selling my personal data against my will) but does trust my network (as I am the network admin) I lean in the “anti DoH” camp, but regardless of which camp, DNS should be configured at the OS level (whether that’s a manual choice to use Google or cloudflare or whatever, or to accept the network hints)



What you mean is that network admins have a harder time controlling people's devices.

I have a DoH server set in my Chromium browser, installed on my corporate laptop, and I love it, because my DNS queries don't leak to my network admin.



I think it's the tone of the site that turns people off. I'm sympathetic to the message, and I love a simple website without JS and trackers, but I have to admit that design wise it's a little reminiscent of some of the websites made by schizophrenics.

Whoever that creator is it looks like they've even missed some things too. I didn't see anything about the Mr Robot fiasco, or that one time they pushed a pop up ad at everyone and then, after the backlash, told the firefox users who were upset about it to add a line to about:config that would only disable the one ad they'd already clicked past: browser.vpn_promo.enabled = true Keeping the door open for using browser.whatever_else_promo.enabled later on I guess.



Power balance is how relationships always evolve. Browsers are basically politicians at this point and they are easily swayed by the power of the dollar and have varying degrees of requirements to side with the users.

Google, of course, has rammed chrome into its primary place.



> Every new web API should guarantee that it doesn't provide more fingerprinting data or hides the data behind a permission.

FWIW, it's practically impossible to provide that guarantee because the API necessarily provides at least the data point of, "Did they select an option in the permission notification?" ("If yes, what option was selected?" etc.)

It's often said that the only solution to this is regulation and there seems to be a good case for that perspective.



> FWIW, it's practically impossible to provide that guarantee because the API necessarily provides at least the data point of, "Did they select an option in the permission notification?" ("If yes, what option was selected?" etc.)

Wrong. The status of permissions should not be visible to the page in most cases. Instead, fake data should be returned from them. That would be practical.



It's always better to give no data (aside from leaving them with "we couldn't collect that data") than it is to give fake data because that fake data will be used against you just as often as real data would. Don't hand companies extra ammo to use against you, or think that you're safe just because they've written an incorrect assumption about you on the bullet. You're still going to be taking the hit.



I've heard that fake data, like from AdNauseam, just becomes noise as the advertisers know the patterns to filter them out.

Assuming that's true, it seems to waste everyone's time and bits to fake it instead of just not answering or a minimal denial.



> I've heard that fake data, like from AdNauseam, just becomes noise as the advertisers know the patterns to filter them out.

It's actually much worse. That fake data is dangerous because data brokers don't really care how accurate their data is. Even the fake data AdNauseam stuffs into your dossier will be used against you eventually, just like the real data will be. If you get turned down for a job, or your health insurance rates go up, or you have to pay more for something than you would have otherwise, you won't even be told that it was because of data someone collected/sold/bought. You sure won't be told if it was fake or real data and you won't be given any opportunity to correct it.



> If you get turned down for a job, or your health insurance rates go up, or you have to pay more for something than you would have otherwise

It must suck to live in a capitalist dystopia. Dunno why Americans put up with it.



We do.

> Insurers contend that they use the information to spot health issues in their clients — and flag them so they get services they need. And companies like LexisNexis say the data shouldn't be used to set prices. But as a research scientist from one company told me: "I can't say it hasn't happened." source: https://www.propublica.org/article/health-insurers-are-vacuu...

See also:

> Is it legal? As explained by William McGeveran, University of Minnesota professor of law, and Craig Konnoth, University of Colorado associate professor of law, it is — largely because federal law hasn’t kept pace with the modern, technological world in which we live. source: https://www.chicagotribune.com/2018/08/29/help-squad-health-...

Another important takeaway from that second article is that none of your "protected" HIPAA data is prevented from being sold as long as it's "anonymized" which is a total joke since it's often trivial to re-identify anonymized data. It's about as secure as requiring companies to ROT13 your data before they sell it. It will be used to identify and target you individually.



> which is a total joke since it's often trivial to re-identify anonymized data

HIPAA doesn't say ROT13 or anything else in particular counts as "anonymized". It's an after-the-fact assessment. If your "encrypted" data is accidentally released, and there's any reasonable suspicion inside or outside the company that it's crack-able, then it's a YOU problem and you need to notify a bajillion people by mail and per-state press release plus large fines.

I think you're being overly pessimistic on the strengths of US regulations on this with regard to preventing deliberate malfeasance, and that most of the stupid we see in stories is really just by accident or individual actors.



> HIPAA doesn't say ROT13 or anything else in particular counts as "anonymized".

ROT13 was only an example of a step that makes data look "protected" in some way when it really isn't, just like the ineffective means used to anonymize data makes it look safe to sell that data when it really isn't.

There is a lot of research showing how easy it can be to identify an individual using data that has been anonymized. (https://www.technologyreview.com/2019/07/23/134090/youre-ver...)

HIPAA does provide a standard and guidelines for what they call the "de-identification of protected health information" (https://www.hhs.gov/hipaa/for-professionals/special-topics/d...) and it includes, for example, a list of specific identifying information that must be removed from the records before they can be sold or otherwise passed around in order to get safe harbor protections. It also includes an option where an "expert" ("There is no specific professional degree or certification program for designating who is an expert") can just say "Trust me bro, it's anonymized".

If somebody was able to buy their re-identified data from a broker and they could prove that was sold by a health provider bound by HIPAA, they would still have to prove that the provider who sold the data had "actual knowledge" that the broker would be able to re-identify the individual, where:

> actual knowledge means clear and direct knowledge that the remaining information could be used, either alone or in combination with other information, to identify an individual who is a subject of the information.

Which all seems like it would be almost impossible to prove unless the provider left obvious identifying information in the data, or if a whistleblower came forward with records of direct communication between the seller and buyer where the buyer was reassured that the data being sold to them would later be able to be re-identified.

Awareness of the fact that we have mountains of research showing that individuals are easy to re-identify from anonymized data doesn't count as "actual knowledge":

> Much has been written about the capabilities of researchers with certain analytic and quantitative capacities to combine information in particular ways to identify health information.32,33,34,35 A covered entity may be aware of studies about methods to identify remaining information or using de-identified information alone or in combination with other information to identify an individual. However, a covered entity’s mere knowledge of these studies and methods, by itself, does not mean it has “actual knowledge”

Which leaves us with healthcare providers who can use methods to "anonymize" data that have been proven to be vulnerable to re-identification, then freely sell that "anonymized" data to third parties with a nudge and a wink.

I'll admit to being pessimistic. We know that the strength of the regulations we have in the US has done little to slow down the buying and selling of our healthcare data.

We've also already seen a lot of very shady behavior by health care providers and companies such as tricking or coercing people into giving up their rights so that they don't even have to pretend to protect their data with anonymization before selling it. (see https://www.washingtonpost.com/technology/2022/06/13/health-... and https://www.washingtonpost.com/technology/2023/05/01/amazon-... and https://news.ycombinator.com/item?id=22177812 and https://www.12onyourside.com/story/23852025/on-your-side-ale...)



> API necessarily provides at least the data point of, "Did they select an option in the permission notification?"

If a bird app (or, heck, pancake recipe site) asked for WebRTC or GPU access I would be rightfully suspicious. It's a shame these things don't happen.



They do ask for location data, and it tends to mostly work - sites like openstreetmap will ask for it when you press the right button for example, which makes sense.

There is a risk that it ends up like cookie banners, and the adtech industry manages to brainwash the world into thinking that the government is the bad guy and they just want some harmless data to share with their 1,345 best friends and they are “forced” to show these. Despite there being no requirement at all to track data, and they break the law with it anyway so why bother.



This is a poorly explored avenue. I think a lot of these more advanced APIs ought to be permitted to "installed" PWAs. Maybe it could even look like permissions menu for apps in phone OSes.

I was a bit dismayed when mozillians in the bugtracker dismissed the idea of requiring consent to initialize WebRTC. F'k it, scan the local network.



One solution to this is to have the option to feed the application fake but plausible data. Android (or maybe some Android fork I was using) used to have this option for dealing with apps that insist on asking for location permission for no reason.



> Regarding analytics, I believe browsers should take user's side and do not cooperate with marketing companies; even better, they should implement measures to make user tracking and fingerprinting more difficult.

Kinda hard to enact when the leading browser is developed by an ad company. Worse, the same company is contributing to the firefox foundation and drives web "standards." It's all collusion and the simple fact that browsers are more complex than the OS they run on is deliberate in ensuring no scrappy team can disrupt them.

My curmudgeonly solution is to avoid as much of the web as possible and focus on human scale computing.



>It would be great if browsers made fingerprinting more difficult, i.e.: not allowed to read canvas data, not allowed to read GPU name, enumerate audio cards, probe for installed extensions etc. Every new web API should guarantee that it doesn't provide more fingerprinting data or hides the data behind a permission.

This should be browser makers' #1 focus! Preventing fingerprinting of user's browser.

Seems all this cookie talk in the news and for policy makers is just limited hangouts.



BTW I don't understand the anti-tracking absolutism. I don't care about being profiled as long as the profile lands me in a group of thousands of people like me. Yes, I live in ${CITY}, identify as ${GENDER}, am approximately ${AGE_RANGE} years old, run ${BROWSER} under set to ${LOCALE}. This does not allow to easily harm me. If it allows ad networks to target their ads, so be it, uBlock Origin still works well.

But anything more precise would be uncomfortable.



That's a reasonable stance to take, certainly. I also think it's reasonable for others to be even more sensitive about it. I'm an anti-tracking absolutist because I am angered by the strong-arming, the deception, and the hacking around defenses against it.

The tracking is a constant assault, and I'm no longer willing to put up any of it, even if the data being tracked is relatively minor. Screw the bastards, they've burned one too many bridges.



How do you feel about ${INCOME}, ${SEXUAL_PREFERENCE}, ${RACE}, ${WEIGHT}, ${RELIGION}? Those categories are at least as broad as the ones you mentioned and are absolutely profiled.



Fine enough, if the ranges for each value are wide enough. Compare:

- $120-140k, hetero, white, 190-220 lb, broadly Christian.

- $137,500/y, prefers tall redhead females, Irishman originally from Cork, 197 lb, observant Catholic.

The first one is too unspecific, while the second could suffice to identify a particular person in a neighborhood.

What makes a butter knife safe is not that it's completely devoid of an edge, but that its edge is sufficiently blunt.
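The bucket-width argument above, and the earlier point that "anonymized" records are often easy to re-identify, can both be measured as k-anonymity: the size of the smallest group of records that look identical after generalization. This is an added example, not part of the thread; the records, field choices and candidate bucket widths are constructed, and the search for the narrowest acceptable income bucket goes slightly beyond what the comment describes.

```python
from collections import Counter

# Constructed records, not real people: (income USD/yr, weight lb, origin, religion)
RECORDS = [
    (137_500, 203, "Cork",   "Catholic"),
    (121_000, 205, "Dublin", "Catholic"),
    (139_900, 212, "Leeds",  "Anglican"),
    (125_300, 218, "Oslo",   "Lutheran"),
    (131_000, 210, "Lyon",   "Catholic"),
    (128_750, 201, "Bonn",   "Lutheran"),
    (84_000,  150, "Cork",   "Catholic"),
    (95_500,  162, "Turin",  "Catholic"),
    (88_200,  171, "Graz",   "Lutheran"),
    (99_000,  158, "Leeds",  "Anglican"),
]


def band(value, width):
    """Lower edge of the fixed-width bucket that contains value."""
    return value // width * width


def precise(record):
    """Release every attribute exactly as collected."""
    return record


def coarse(record, income_width=20_000, weight_width=50):
    """Bucket income and weight, drop origin, collapse religion to a broad label."""
    income, weight, _origin, _religion = record
    return (band(income, income_width), band(weight, weight_width), "Christian")


def class_sizes(records, generalize):
    """How many records share each generalized profile."""
    return Counter(generalize(r) for r in records)


def k_anonymity(records, generalize):
    """Size of the smallest group; k == 1 means someone is unique."""
    return min(class_sizes(records, generalize).values())


def unique_fraction(records, generalize):
    """Share of records whose generalized profile matches nobody else."""
    sizes = class_sizes(records, generalize)
    return sum(1 for r in records if sizes[generalize(r)] == 1) / len(records)


def smallest_income_width(records, k_target,
                          widths=(1_000, 5_000, 10_000, 20_000, 50_000)):
    """Narrowest income bucket (other fields coarse) that still reaches k_target."""
    for width in widths:
        if k_anonymity(records, lambda r: coarse(r, income_width=width)) >= k_target:
            return width
    return None


if __name__ == "__main__":
    print("precise: k =", k_anonymity(RECORDS, precise),
          "unique =", unique_fraction(RECORDS, precise))
    print("coarse:  k =", k_anonymity(RECORDS, coarse),
          "unique =", unique_fraction(RECORDS, coarse))
    print("narrowest income bucket for k >= 3:", smallest_income_width(RECORDS, 3))
```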



Now substitute the first one for "gay", and you might get a death sentence in several parts of the world. Why does almost nobody on this site think about the wider world besides their own extremely privileged position?

I would very much prefer for advertisers to not even be able to determine my city, for personal safety. Throwaway account for obvious reasons.



This is very true. Usually the discussion goes about tracking by commercial entities in rich Westernized countries, which, by no coincidence, are the principal market of the ad industry. (Yes, China exists and is a huge market, but commercial tracking is a minor problem here, compared to other forms of surveillance.)

If you belong to such a category that the mere belonging to it is a death sentence, if revealed, the situation is vastly different. You have to act more like a secret agent or a spy. This means constant, pervasive, fastidious opsec. Any death-sentence-invoking activities should be strictly separated from the normal civil life. Only use the normal browser to visit commerce, official news, and government web sites. Everything that is not openly pious and loyal should belong to ephemeral VMs with a fresh browser install every time (preferably several different), VPNs that are indistinguishable from legitimate web traffic, like XRay, truecrypt-protected media with some plausible deniability data, etc. It all takes quite some technical chops, but is not sufficient. Many other small details, related to technology or not, have to be carefully, well, sanitized, and any small slip can out you.

Such undercover life, while possible, is very tiring, takes a lot of extra time and energy, and noticing this also may mark you as suspicious.

Another browser API that may slightly help track you is a minor problem on this background, unless it pierces any of your layers of protection.



> Have been using Firefox for a long time, no issues, though long ago when I had little memory, Chrome was using less of it.

I'd say the only area where I still see Chrome leading a bit is for web development: when I run super-heavy JavaScript in dev mode, Chrome is faster than Firefox at executing all the JavaScript nonsense. Seen that there's no ecosystem with more turds, bloatedness and slowness than that horror that JavaScript-the-piece-of-crap is, having a browser a bit quicker at running JavaScript helps.

Long story short: for Web development, I use Chromium (it ships with Debian). For the rest I use Firefox.

> Firefox also has HTTPS-only mode...

In doubt port 80 is blocked by the firewall too.

> encrypted DNS without fallbacks,

And Firefox has a relatively easy "corporate" setting too where you can force also DNS "in the clear" over port 53 UDP (well, it's 99.9999% of the time going to be UDP so you can even firewall port 53 TCP and things shall keep working: believe me I know: theory vs practice and all that)

It's convenient if you run your own DNS resolver (which, itself, can then be forced to only use encrypted DNS).

> supports SOCKS

I confirm: a SOCKS5 proxy over ssh is always sweet.

Firefox just works.



As far as I can tell from some quick searching around, that limit only applies to cookies set through JavaScript code, as opposed to through server headers.

I assume it's because of situations where websites include JavaScript from a third party, and then that JS uses first party cookies as a state-keeping workaround while synchronizing tracking information in some other way.



That seems the obvious result of this sort of thing.

> Related Website Sets (RWS) is a way for a company to declare relationships among sites, so that browsers allow limited third-party cookie access for specific purposes.

So the website itself gets to declare other "blessed" domains that can bypass third party cookie blocks? Big websites are constantly looking for ways to abuse users by bypassing their attempts at protecting themselves. How would anyone think these sites can be trusted not to abuse this?



No, the website itself does not get to declare this. There’s a master list that they have to submit their site to and go through an approval process.

But as the article details, the contents of that preliminary list is already disconcerting. The whole “Google as the arbiter of all things ads” concept is a bust.

But the alternative isn’t great either - today’s system of third party cookies allows for far worse. We need some better ideas.



> There’s a master list that they have to submit their site to and go through an approval process.

How is that not the website declaring it? Approval processes are meaningless.

> today’s system of third party cookies allows for far worse.

That's why I want zero third party cookies.



> There’s a master list that they have to submit their site to and go through an approval process.

Wtf, seriously? I skimmed the post and honestly didn’t think RWS was so bad, assuming that obviously it would be decentralized. A centralized list that Google (or some shell consortium) controls is the biggest no-no. Decades of erosion of web principles have clearly made us complacent.



I don’t know too much about this but I’m curious if what I saw recently on Safari is similar? When visiting related Microsoft websites, I got a pop up asking permission to share the cookie for login. It was up to me to approve or reject that request. Seems like a better implementation.



This is a tough situation.

Yes, this can, and will, be abused for tracking users across domains that they don't expect to be related.

But there are also legitimate use cases for this.

For example, consider the stackexchange family of sites. They are clearly related, have a unified branding, etc. but are on separate domains. On Firefox, which blocks third party cookies, I have to log in to each of those domains separately. I can't log in to stackoverflow.com, then go to superuser.com and already be logged in. That is a problem that First party sets would solve.

You can argue that it would be better for those sites to be subdomains of a single unified domain, but when the sites were created there wasn't any compelling reason to need to do that, because third party cookies were still very much alive and kicking. And I can say from experience that migrating an app to a different domain without breaking things for users is a royal pain, and can be very expensive.

I'm not saying that First Party Sets should be accepted as is, but it is attempting to solve real problems. And I think a solution that simultaneously protects users' privacy and maintains a good experience for sites that are legitimately related will be difficult to find, or maybe impossible.



OIDC seems like it can reasonably help in a fair number of these cases, maybe? it's iffy because (a) the major providers, are, well, Google and their ilk, (b) SSO solutions trend toward reducing user confusion at the cost of choice--im still out on whether the common "enter your email/account identifier so we can select which IDP we use" login flow is something of an anti-pattern or not

i generally like having the option for "sign in with github" as opposed to the all-encompassing "sign in with google" (ignoring that github is a microsoft account but not quite at this point)

smaller-scope IDPs for a particular field ("ey, you work on code stuff? you probably have either a github or gitlab account to log into our code-adjacent service" or "ey, you use stackoverflow? you can use that same login on superuser") is maybe a decent middle ground, where shared authentication is more explicit than third-party cookies were



> I can't log in to stackoverflow.com, then go to superuser.com and already be logged in.

I would expect a popup like “This site wants to share cookies with stackexchange.com, press Allow to sign in, press Reject to reject forever or press Ignore to decide later”. Takes a single click to enjoy the benefits of both worlds. The mechanism should make sure that every website has a single “first-party domain” shared across all subsites and that first-party domain must not share cookies with any other site than itself to minimize confusion.



And that would be annoying to people who aren't already logged in to a related site.

Also, there is no way to know which related site the user is logged in to, so they would have to prompt for every one of their sites.



> You can argue that it would be better for those sites to be subdomains of a single unified domain, but when the sites were created there wasn't any compelling reason to need to do that

I can also argue that Safari and Firefox have been blocking third party cookies for years now. So stack overflow has had plenty of time to adapt and migrate to the "right" organisation.

To me it looks like either they care about allowing unified sign in on their various domains, and they should have migrated to a subdomain model a long time ago, because users of Firefox, Safari etc have been negatively impacted for a long time. Or they do not care that much (which is fine), but then Chrome blocking third-party cookies and the discussion around first party sets should not concern them too much.



Or, they do care, but not enough to spend the significant resources and opportunity costs to do something about it for the minority of users who don't use chrome. Of particular note, changing domains can really hurt SEO.



Stack overflow was founded in 2008. Netscape added a block third party cookie button in 1997 (and the web has mostly worked fine with that feature turned on ever since).



This reminds me how Google conveniently made the switch to manifest v3 when there were legitimate use cases like adblockers. Sure, technically speaking v3 is more secure and that may be better for users but your comment just made me think the opposite is in motion here.



First Party Sets are legitimately terrifying to me, it gives a commercial party (Google) complete control over who is and isn't allowed to set cookies in a third-party context. It's Google using their absolutely dominating market share to force even more control.



> On Firefox, which blocks third party cookies, I have to log in to each of those domains separately. I can't log in to stackoverflow.com, then go to superuser.com and already be logged in. That is a problem that First party sets would solve.

The cure is worse than the disease.



Name one browser that isn't funded by ads.

Even the minor browsers, pretending to not be funded by ads at this point (while the VC capital is drying up) depend on one of the 3 browser engines, all of which are funded by ads.



> Name one browser that isn't funded by ads.

Safari? Unless you're going to say that Apple gets the money for Safari through ads which, y'know, technically correct but disingenuous in this context, surely.



Google is paying Apple 20 billion per year in their search deal, which is 40 times more than what Mozilla takes.

Safari is funded ENTIRELY by Google's ads, also making a profit, and this is a fact. We can entertain a counterfactual, maybe Safari would still be funded without Google funding it with billions, but that's not the world we live in today.

And given Apple's reluctance to advance the web, going against their other cash cows, it's disingenuous to suggest otherwise. I recommend reading this opinion: https://infrequently.org/2022/06/apple-is-not-defending-brow...



> or your favorite websites won't work

If my favorite websites stop working with Firefox, they won't be my favorite websites anymore. I'll just stop using them instead.



> I'll just stop using them instead.

Easily said, until it's your bank, or a government entity, or the electric company, or any of the thousands of other entities that have started blocking Firefox.

Firefox should really camouflage its user agent, or make it trivial to do so.



That's why Firefox needs a userbase too large to ignore.

If the overwhelming majority of users submits to Google, then Google has the power to erode privacy for everyone.



> Easily said, until it's your bank, or a government entity, or the electric company

Still easily said, since I don't use the websites for any of those things anyway. If it's really important, or involves very sensitive personal information, I'm not doing it on the web.

> or make it trivial to do so.

There are extensions that make this very trivial.



This is my approach, as well. And if I absolutely had to use their web service? Well, keep the bank in my Chrome bookmarks bar, and only go there when I'm in Chrome. Head on back to Firefox when I'm done doing whatever it is that I needed to do.



My bank and electric company don’t block Firefox, not sure why they would, but it’s not like there’s no competition.

My government certainly won’t do that, they have a strong open data background.



Internet banking is so ridiculously insecure, I always go do it myself in person.

Although, I rarely have to do anything with the bank that would require any online or offline process beyond using an ATM.

So no, that wouldn't really be a reason for me to stop using Firefox.



I use FF on Android and Linux. I've restricted cookies and use an ad-blocker. I browse many popular (and unpopular) websites. I can't remember the last one which refused to work because I was on Firefox.



Unlikely. Love 'em or hate 'em, Apple nudged most organizations to handle third party cookie blocking unless they wanted to completely lose iPhone users.

"If Google limited 3rd party cookies, we'd go out of business!", said the companies who have literally 0 Safari users.



It's complicated. Chrome won't block 3rd party cookies by default. But it will present the users with a choice of whether to block them (with what exactly that means TBD). If most or all users choose to block them then it would have roughly the same effect as blocking third party cookies by default would.

Though regardless of that, Related web sites (or whatever that set is currently called) does present a hole in that logic. It was originally meant to allow sites with different domains to share cookies/storage (like google.com and google.co.uk). From what it sounds like, bad actors are using it in the expected ways. There were supposed to be mechanisms to prevent this, but it seems like they failed in this case.

The list is in a public repository however, so Brave could have filed issues and a pull request to address the issue. Instead they decided to stage a meaningless survey and declare Chrome a threat to people everywhere.



>If most or all users choose to block them then it would have roughly the same effect as blocking third party cookies by default would.

Sure but most won’t unless the “go away now” button is “block” which I’m guessing Google wouldn’t do.



Google wanted to (that's why they created stuff like FLoC) but other advertisers didn't like that and went to the market authority. They demanded the ability to track users, arguing that the system would give Google an unfair advantage.

After years of back and forth, Google abandoned their efforts. You can still disable third party cookies, in fact I don't think there's been a version of Chrome that doesn't let you block them. Go to your settings and set "third party cookies" to always be blocked. By default, grouped sites may be permitted to read each other's cookies, but you can disable that too.

The problem Google faces is changing the default, simply blocking third party cookies has never been an issue.



Authorities in the US, EU and (IIRC) Japan had expressed anti-trust concerns (threats?) about the original plan. The UK CMA is the only one of those that had a formal complaint, and thus ended up with a veto right on the new design.



Brave is a Chromium derivative, not Chrome. Can't imagine why any of this would imply they would need to stop deriving Chromium: they can develop and deploy whatever cookie policies and defaults they want.



Not to disagree with you specifically, but this seems a good context to make this point:

Maybe I missed the memo that we stopped hating monopolies? Every browser worth considering, except Firefox and Safari, is based on Chromium. Firefox and Safari make up about 20% global market share, meaning Chromium is about 80% [0]. A bug in Chromium is a bug in all of them. A backdoor in Chromium is a backdoor in all of them. A feature of Chromium, good or __bad__, is a feature in all of them. It baffles me that this isn't a bigger concern to more people.

[0] https://gs.statcounter.com/browser-market-share



Because it doesn't matter that much, as Chromium is open source, not to mention it did a fine job thus far in advancing the open web.

I'd like Firefox to stick around, but as far as I'm concerned, if Safari goes away, I couldn't care less.



This is one of those situations where "monopoly" is a very overloaded word in terms of what it means to different people in different situations, causing confusion when it gets broken down into specifics.

Most people were never worried, and probably will never be worried, with the points you're listing there. That's not to say they've stopped hating browser monopolies, just maybe not your definition of what a browser monopoly is or why they're problematic.

In general (not just browsers) most people treat "popularity" and "monopoly" as completely orthogonal concepts. I.e. something unpopular can still be a monopoly, something with 99% usage can still not be a monopoly. There is typically just a tendency for extremely popular things to also happen to be a monopoly.



I suppose. That is a matter of business model, whereas I was addressing purely technical aspects.

I've been using Brave as primary for years. At this point I'd pay for a license if it were necessary. Frankly that would be an improvement: if it's free, you're the product. Brave just monetizes you differently.

I no longer argue with the legion of Brave haters. I've decided they're a benefit: the more people that don't use Brave the less likely Google et al. will be compelled to destroy it.



> Can't imagine why any of this would imply they would need to stop deriving Chromium: they can develop and deploy whatever cookie policies and defaults they want.

Maintaining a very diverged fork can take even more work than building your own browser. I think they don't want to stop receiving upstream updates when the upstream is one of the biggest software projects in the world.



Most people here seem to forget that ads is what pays for the free internet services. The main issue with them is not making the consent more explicit to the user. I think the business model: you either get this for free with ads and targeting, or otherwise you have to pay X, should be more common. I bet most people would pick the free option with ads and targeting.



You don't need pervasive and invasive targeting to run ads.

Google earned billions of dollars with their contextual ads long before pervasive tracking was a thing.



I know this isn't quite the right place, but can anyone point to some research or writeups on the Chrome ad topics stuff? How does that impact user privacy? What is shared with third parties? I know next to nothing about it at the moment.



so do they mention if the old system would be better in comparison? cause short of just making you pay to use the products i dont know if it can be any worse.

at the end of the day it seems like 90% of people using google products dont even care. while some even prefer the convenience of some features that directly save your info. not sure what percentage that is compared to the people that practice a lot privacy.

but shown by the chrome market share google really doesnt have to care about this section of users. the fact theyre willing to try things is a good sign imo. either way in 2024 to be complaining about google is funny to me. literally dont have to interact or use a google product, they already have your information and so does the internet better to not let them occupy any of your mind as well



I've tried Brave and Firefox on mobile (Android) and I've tried Safari on macOS. I still just prefer Chrome, it's just a bit better. So I use it with third-party cookies turned off, which is easily (and transparently) done using the settings menu. I can also turn off this "related websites" thing. So what exactly is the problem? All major browsers have allowed users to turn off 3P cookies for years.



It's a proposed web standard, so ultimately yes, it could affect other browsers in the long run. And it would almost certainly affect other Chromium-based browsers.



Only other chromium web browsers that enable that feature. Safari and Firefox already said they're not implementing the feature, so unless they change their mind it's not going anywhere.



It's proposed, but it's unlikely to be accepted.

Firefox and Safari have both said "no, we're not doing that". And then chrome decided to move forward with it, regardless of whether it gets standardized.



Since Chrome dominates the browser market, they just pay lip service to the web standards process.

They will have this as proposal, its status will be "not on any standards track", it will be shipped in Chrome, and enabled by default.



Firefox is still working great for me, and I intend to keep using it for the foreseeable future.

I don't know what it might take for people to migrate away from Chrome en masse, but the alternative is there.



Firefox is usually great for me, but with Chromium-based browsers having such a massive market share monopoly I do occasionally find a website that doesn't work properly on Firefox. But, I will stick with Firefox as long as possible.



I have no problem with anything on LinkedIn with Firefox/linux.

I have one internal corporate site which won’t work with Firefox for some reason, but never had any problems elsewhere.



Yeah I keep hearing this but it never pans out, seems like in my experience a lot of people don’t know they might have to turn off an extension or two (ublock, built-in trackers, etc) to get a website to work.



Huh? I use YouTube all the time on Firefox and it's fine. Better than fine, really, thanks to the YouTube improvement extension I have loaded. Never heard of the other two though.



Google is essentially using A/B testing methods to slow it down for one group of FF users while keeping it absolutely fine for another. Funnily enough, I've been placed in this 'slowdown' group even though I am a Premium subscriber ever since it launched (post-Red renaming) and another channel on the same Google account has 0 issues in the same browser on the same PC etc.



Mozilla has a range of different priorities now and most of these do not revolve around the flagship project which Firefox should be.

---

I remember reading news in 2005 saying that Mozilla has established its Corporation subsidiary - and I had a bad feeling about it at that time. And years later we can see the effects - what's the revenue, how browsers market share looks like. Now, every time I'm reading that project, foundation xyz is creating "for profit" branch, subsidiary I know that this most likely won't end well. Profits will go over users needs, wishes each time and those at the project will change as well. It's like a magic wand appears and turns open-minded contributors into some mindless corporate drones with an arrogant attitude.

I want to still like Firefox but in the last 14 years Mozilla managed to seriously deteriorate trust in its capabilities of handling their main product. And I also cannot fathom how they managed to screw up promotion of the browser and let Google dominate the market. That didn't happen overnight but Google at some point started to bundle their browser as "additional offer" in almost every software installer for Windows, while Mozilla did nothing similar.



Thanks for the information. I'm the last person who would spread right wing stuff, the link came from a search, however in this case the problem about the overpaid Mozilla CEO and developers being sacked is real and well known outside politically involved sites.



The fact that it's Chrome is the problem with Brave. What you call "bugs and missing features" I call necessary diversity to avoid Google dominating the standardization process more than they already do.



Not your parent commenter but I love Firefox more after discovering that you can't even customize the toolbar buttons in Brave. That's such a basic functionality that I'd taken for granted, until I tried to move out of Firefox for a brief time.



Lack of sufficient customization and lack of extensions I want. The customization is a big deal because I dislike the Chromium UI and want to be able to fix the worst of it. My dislike of the UI is also a source of grumbling from me about modern Firefox, which has picked up a lot of Chromium and which is also less customizable than it used to be, but I can still fix a lot.

I also want to be able to use the same browser at work as at home, and my workplace banned the use of Brave when it started including a VPN.



I can't say what it's like on Linux or Windows, but the Duck browser is pretty good. It's my second choice.

On Macs and iOS, and iPadOS, it's clunkier than Safari, but less clunky than Firefox.

Perhaps the Windows experience is similar.



Apple can hold out indefinitely. If a website doesn't work on Apple devices, that's not Apple's fault, according to legions of Apple users. And they're kinda right: there really are a lot of them, and they do tend to spend more money than other users, so websites that somehow manage to stupidly not work on Safari (presumably by using Chrome-only functionality and never testing) are potentially losing a lot of users and business.

I'm not normally a fan of Apple at all, and I have no interest in using Safari myself, but here I am glad that they've so far refused to jump on the Chrome bandwagon: it's good for keeping the web standards-based so we don't have a repeat of the IE6 days.



Firefox is working just fine for me, not sure why people seemed to think that it was a problem.

I think Mozilla is poorly managed and features may have been slow or "lagging behind". But for me the lack of those shiny new things might as well be a feature than a bug.



Kind of wondering what you’re talking about here? Firefox still works great for me, did I miss something in the news? Is there some sort of big change coming down the pipeline?



Not OP, but Firefox didn't have to lose nearly all its market share to Chrome. Mozilla could have course corrected and righted the ship, but instead they got distracted on dozens of unrelated and often controversial projects and ended up burning most of their credibility.

Mozilla is a husk of what it could have been, and that's hurt Firefox.



I'm concerned that if Google ever stopped paying Mozilla to be the default search engine in Firefox, Mozilla would not be able to afford continued development on Firefox.



Firefox Nightly just got official vertical tabs. It is also just as fast as Chrome now, subjectively just browsing around.

No issues with Google services like Youtube (I'm an addict)

I keep Chrome installed just in case, and Edge due to being on Windows.



Firefox already has "vertical tabs" * from the Tree Style Tabs addon. Why not just support that?

* side tabs, I would say, the tab is a horizontal extension of the page, so they're horizontal tabs, right?



Vertical tabs addons have been a thing for years yes. But it is clunky and does not work as well as the native implementation.

Also the notion that Mozilla should "just support that"

lol

This is a thing the devs of Firefox should make and implement.



right but at least google will tell you.

brave is a lot more shady and just won't say anything or let you opt out. many examples in the past. imagine if they were anywhere near a quarter of google's size it wouldn't be pretty imo.



This is wrong.

All settings in Brave with an impact on user privacy are opt-in. They even inform you of their product metrics, when you first start it, despite having a paper on how they anonymize that data. Versus Firefox, which never bothered. Firefox, which also added metrics for ads, similar with Privacy Sandbox, without informing users.

I've never seen a browser with such a strong focus on privacy, the only contender it has being LibreWolf.

The hate against Brave on this forum is completely unjustified and based on falsehoods, as if the issue isn't about Brave itself.



> Brave has received negative press for diverting ad revenue from websites to itself,[30] collecting unsolicited donations for content creators without their consent,[43] suggesting affiliate links in the address bar[49] and installing a paid VPN service without the user's consent.[58]

These are the primary issues I hear about regarding Brave on this forum.

It's also founded by Brendan Eich who was forced out of Mozilla for his strong and vocal opposition of same-sex marriage. I tend to be a bit idealistic, but this is a strong reason for me to avoid Brave, especially when they are injecting content into pages.



He was opposed to it as a private citizen, not as Mozilla CEO. His beliefs and supported causes as the former are nobody else's concern; had he been discriminating in terms of employment or otherwise making public statements it would be a different story. Or are we now witch hunting people for wrongthink?



I don't think it's "witch hunting people for wrongthink" to suggest that those in a position of power are able to use that power to influence public opinion.

Especially when that position of power is the CEO of a browser that replaces content on web pages.



Not that it makes him any less opposed to same-sex marriage, but I think 'vocal' is very much not the right word here. The only quotes I can find from him on the subject are him saying he's not going to talk about it.



Basically, we got played, Eich made a private political action, someone used that to get rid of him and then Firefox started paying 10x as much to their CEO, doing all sorts of anti-user stuff, acting in advertiser's favour (but not too overtly), and ultimately ditching their engineers so they could maintain the CEOs stupid pay. All while begging users for money.



This goes both ways for people. I switched from Mozilla to Brave when the latter first released because to me Mozilla's political positions seem at odds with an uncensored and privacy focused browser. I actually support universal marriage equality but don't consider it relevant to why I would choose a browser.

I can't remember all of the details but Mozilla made a blog post regarding 1/6 and their commentary didn't align with a browser that would try and protect users from state, NGO and "just research" edu adversaries.



BAT was what kept me from trying Brave for a very long time, but I eventually tried it nonetheless (I'm back on Firefox now). In fairness to Brave, you can disable the BAT stuff and never have to see it.



> "collecting unsolicited donations for content creators without their consent"

Those "donations" were from handouts of BAT. What they "collected" was their own BAT that they've donated to users of Brave. And it wasn't long lived. At least they've been trying to create a business model that's privacy preserving and that benefits content creators. Firefox has been selling their users to Google for years.

> "suggesting affiliate links in the address bar"

You mean like what Firefox also did?

> "and installing a paid VPN service without the user's consent."

I've never seen a VPN service installed with Brave. Is this a Windows thing? If you're talking about the VPN functionality in Brave itself, isn't this what Firefox also did?

> "It's also founded by Brendan Eich who was forced out of Mozilla for his strong and vocal opposition of same-sex marriage."

He never talked on the topic. And did you know that, at that time, both Obama and Hillary Clinton were also opposed to same-sex marriage? Times change, people's minds have changed. Whatever beliefs he still has, he keeps private, as he should.

But yes, this confirms my suspicion that this is a US-politics thing, and for non-US citizens, it's getting annoying. While we are on the topic, don't you find it problematic when Mozilla engages in political activism, promoting Marxism? Or when they promote cancel culture?

https://blog.mozilla.org/en/internet-culture/chris-smalls-ri...

https://blog.mozilla.org/en/mozilla/we-need-more-than-deplat...

For me, these were never reasons to avoid Firefox, but seeing that this is how the world works now, maybe they should be. And I'm sorry for pointing at Firefox right now, I used it for years, but I'm sensing a serious double standard. So let's talk of Chrome ... have you surveyed the political beliefs of Chrome's developers? Because it's the big, faceless corporations that benefit from this kind of polarisation the most.



Most of your comment amounts to whataboutism. Many of the counter-examples you point out are also problematic!

> > "suggesting affiliate links in the address bar"

> You mean like what Firefox also did?

Firefox did experiment with "Sponsored" results in the URL bar but they did not rewrite URLs to include affiliate links, which is also harmful to privacy: https://www.reddit.com/r/ProtonMail/comments/gybv0e/brave_br...

> I've never seen a VPN service installed with Brave. Is this a Windows thing? If you're talking about the VPN functionality in Brave itself, isn't this what Firefox also did?

Yes, this was a Windows thing: https://www.ghacks.net/2023/10/18/brave-is-installing-vpn-se...

Are you referring to the Mozilla VPN that is a separate download? https://www.mozilla.org/en-US/products/vpn/download/

> For me, these were never reasons to avoid Firefox, but seeing that this is how the world works now, maybe they should be.

Yes, you are absolutely entitled to "vote with your money" (or free usage / market share, as the case may be.) Boycotts are an integral component of free speech and self-expression.



I wouldn't count the Privacy Sandbox doublespeak as "telling you". Brave is not my browser, but it seems completely unjustified to just put them on the same (or even lower) level as Chrome.



That doesn't make a bit of sense. There's plenty of browsers, there's Chrome, Brave, Firefox, Opera, Edge and Safari, those are the big ones. There's also a ton of spinoffs like Iceweasel or that browser Kagi is developing that I can't remember the name of.

Way more than just two Chromium browsers in existence.



I mean there's really only 2 relevant ones, and the other one is because it's owned by the most popular phone manufacturer and is the only option. Of course we can use anything we want, but in terms of real-world relevance. And I guess the other one is forced by the most popular OS.



> We conducted a user study with 30 Web users, recruited over social media, and presented them each with 20 pairs of websites. Website pairs were randomly selected from both the Related Website Sets list (i.e., sites Google designates as “related”, and so warranting reduced privacy protections), and the Tranco list of popular websites. Each user was presented with different pairs of websites, asked to view the sites, and then decide if they thought the two sites were operated by the same organization. This resulted in 430 determinations of whether unique pairs of websites were related.

> In our study, the large majority of users (~73%) made at least one incorrect determination of whether two sites were related to each other, and almost half (~42%) of the determinations made during the study (i.e., all determinations from all users) were incorrect. Most concerning, of the cases where both sites were related (according to the RWS feature), users guessed that the sites were unrelated ~37% of the time, meaning that users would have thought Chrome was protecting them when it was not.

> ... We conclude from this that the premise underlying RWS is fundamentally incorrect; Web users are (understandably, predictably) not able to accurately determine whether two sites are owned by the same organization. And as a result, RWS is reintroducing exactly the kinds of privacy harms that third-party cookies cause.

> Lest anyone judge the study participants for being uninformed, or not taking the study seriously, consider for yourself: which of the following pairs of sites are related?

> 1. hindustantimes.com and healthshots.com
>
> 2. vwo.com and wingify.com
>
> 3. economictimes.com and cricbuzz.com
>
> 4. indiatoday.in and timesofindia.com

> (For the above quiz, if you chose “4”, then, unfortunately that is incorrect. That is in fact the only pair of the four that isn’t considered “related” to each other.)



I don't think you can make that conclusion.

I think you're making the assumption that all three data points are needed for all 87%. But obviously some people can be uniquely identified based on just {zip, date of birth}, such that gender isn't necessary.

So the distribution could e.g. be 8% same, 8% opposite, 5% both, 79% neither, and explain the original numbers without triggering the paradox.



Really? That's odd. The typical zip code has a population of about ~9000. Dates of birth are about evenly distributed, so you'd still get about 24 people/birthday, or around 12 men or women per birthday per zip code. I might be off by a fair amount in either direction, but I don't think I'd be twelve times off.



Dates of birth are not evenly distributed.

To clarify: your date of birth includes the year. It’s more specific than your birthday, which we usually think of as just day & month.



Also, the difficulty of identifying someone probably looks like a power-law curve, meaning that most of the "total difficulty" is concentrated in a small group, the ~13% that can't be identified.

In other words, even if one person is extraordinarily tricky to find [0], their share of the total un-findable-ness does not diffuse outwards to help anybody else.

[0] http://tailsteak.com/archive.php?num=433



1) Shares the same company name in the About us

2 & 3) Same company name in the privacy declaration

4) timesofindia.com belongs to the 3) company

timesofindia.com also redirected me on tabbing out to a "you won a free Samsung phone". Shady.
