andrewstuart2 2 months ago

Why do I always get a bad feeling about the motivations behind stuff like this? I want to believe it's for better privacy and security, but it's being driven by a corporation or two, and that makes me 100% suspicious. Like, for example, suddenly Edge is no longer respecting local DNS options and my pihole protects one fewer device from the real dangers to privacy. I don't want to be cynical so often, but this really doesn't feel like a benevolent move. Yeah, it's conditional at the moment, but as with Chrome and manifest v3, among many other examples, I'm losing my faith that anything with the potential to increase ad revenue will remain turned off for long.

  • deviantbit 2 months ago

    The reason you have a bad feeling is it gives the FBI/FEDS a single point to collect your data, with a man-in-the-middle attack that you will have no idea is there.

    This is absolute BS they're implementing this.

    • princevegeta89 2 months ago

      Besides the unremovable junk they fill on the homepage, now this. Uninstalled and will be moving to Brave

      • smoldesu 2 months ago

        Using a browser that monetizes itself in any way seems like a slippery slope to me. I'd rather use Ungoogled Chromium/Bromite or even LibreWolf if it came down to it. Saying "that's it, I'm moving to Brave!" is basically declaring that you're moving your data from Microsoft(1) to Microsoft(2).

        • Entinel 2 months ago

          This line of thinking is why Chrome owns most of the internet. No one else can hope to compete because they just get screeched down.

          • smoldesu 2 months ago

            Chrome owns the internet because people like Brave don't develop their own browser engine.

            • NotPractical 2 months ago

              Exactly. Brave just takes Chromium (from Google) and adds weird crypto stuff to it. None of the Chromium forks are "different browsers" in my eyes. They all depend on upstream for everything important. They couldn't develop the browser on their own.

              Just use Firefox. It works just as well as Chrome (*), but it's based on a completely different engine which was built from the ground up.

              (*) On desktop at least (on Android I still use a Chromium fork for now)

              • silisili 2 months ago

                > Brave just takes Chromium (from Google) and adds weird crypto stuff to it

                That's a really unfair(and untrue) statement. Brave also removes some code they find privacy violating, built in a best in class adblocker, built a full cross-device sync system that works perfectly, some UI tweaks and enhancements, built Tor connectivity in, etc. Probably a lot more that I'm leaving out.

                I am def not a fan of crypto or BATs or whatever they were pushing, but you can use it fine ignoring all of that.

                • smoldesu 2 months ago

                  To be fair, you can also disable Microsoft's built-in VPN. The problem is trusting people who don't have your best interests at heart, and using Brave products just kicks that can further down the road.

                  • somenameforme 2 months ago

                    Brave is 100% open source: https://github.com/brave/

                    Normally this might just be a platitude of the sort, "Go check it for yourself." But in this case that's not what I'm saying. Brave is going to be used by large numbers of tech focused users with a privacy/security bent. And they are also competing against Google who will make sure even the slightest slip by Brave is promoted across the entirety of the web.

                    That code is scrutinized heavily. That the worst you can find about Brave is people making false statements about crypto stuff (it is entirely optional and opt-in with 0 coercion or dark patterns to push you there) speaks incredibly highly as to the current state of the Browser. Might that change in the future, as you seem to be suggesting? Yip! And when it does there will be a new Brave. But for now they continue to stay on an excellent path forward.

              • magic_hamster 2 months ago

                I don't see a reason to use anything but Firefox on Android. It's got full parity to it's desktop counterpart. It's amazing.

                • rightbyte 2 months ago

                  Many sites are broken on non-Google browsers though. But the advantage of being able to use adblockers in Firefox alone outweight that - not even taking privacy into consideration.

                  • lemper 2 months ago

                    I actually use firefox on android for 7 years or so. never experienced broken sites on it. can you please give me some examples of broken sites?

                    • rightbyte 2 months ago

                      Thinking about it, only internal time reporting tools. Both on my current and prior employer they only worked with Chrome or IE.

                      I think I overestimate the amount of broken sites due to the adblocker messing them up, not Firefox.

                • maguirre 2 months ago

                  Tangentially related. Using Firefox on Linux for anything Google chat/voice call related is not a very pleasant experience

                • daptaq 2 months ago

                  You could also consider the Firefox forks Fennec and Mull.

                • Zardoz84 2 months ago

                  and allows to install an adblocker

              • staticassertion 2 months ago

                The thing I like most about Brave is actually the crypto stuff, and I hate almost all crypto. This is actually a good use case for it - you have a distributed system (users browsing) across untrusted hosts (users).

                People like to shit on advertising, but much of the internet exists today because of advertising. Do you think Youtube could exist at that scale without ads? I don't think so, personally. At least, not without another way to monetize.

                Brave is the only player providing an alternative monetization strategy. Crypto or not, to me, that is by far the most interesting thing a browser has done in a long, long time.

              • LtWorf 2 months ago

                As if chromium wasn't a fork of konqueror

                • account42 2 months ago

                  Blink (Chrome) is a fork of WebKit which is a fork of KHTML (Konqueror), but that is a very much different situation. None of the Chromium/WebKit-based browsers are full forks but rather merge custom patches with upstream development. They don't have the development capacity to go against any Google changes except for a few things here and there. Meanwhile Google isn't relying on KDE to develop new features - in fact KDE isn't developing any new KHTML features but instead is switching (or has switched) to WebKit/Blink.

              • rs999gti 2 months ago

                > Just use Firefox

                I want to but in Firefox developer tools there is no option for developer tools to follow new tabs.

                Apparently this has been an open bug with Firefox for a while.

                But it is what keeps me from using Firefox vs Chromium's full time

              • antifa 2 months ago

                > (on Android I still use a Chromium fork for now)

                What chromium fork is on android and actually better than Firefox for android? I use Firefox for the best possible experience on android and would like to be aware of another option.

                • NotPractical 2 months ago

                  I personally use Bromite: https://www.bromite.org/

                  From my (anecdotal) experience, Bromite is faster than Firefox on my phone, but your mileage may vary.

                  I was originally using Firefox due to its uBlock Origin support, but Bromite has ad-blocking built-in (unfortunately it's not quite up to par with uBO but it works well enough).

                  I would suggest that you try both and see which one you prefer.

              • tbrownaw 2 months ago

                I have at least three sites I use that i have to open in edge since they don't work properly in Firefox. Local bank, credit card issuer, and employer's guest wifi login portal.

                • brabel 2 months ago

                  I use FF and when this happens it's almost always some extension you have installed. Try disabling some extensions and go to those sites again.

                  If they still don't work, they're doing some messed up stuff on those sites.

                • beebeepka 2 months ago

                  Oh my. I wonder what that banking site must be doing for it to not work on Firefox. It's either malice or inconvenience, or both

              • Ylpertnodi 2 months ago

                >Just use Firefox. No. Well, I'm not so rude, so "No, thank you".

                >It works just as well as Chrome () Not on anything* I use, it doesn't, so "No....thank you".

                Tbf, I do keep trying ff, but...clunky, jeepers! 'Fraid I'll hang on until my Brave jumps it's particular shark and then maybe I'll hop over to something else, but for now, and as long as I can still use UblockO, Brave it is.

                Even Opera is looking interesting again....

                • smoldesu 2 months ago

                  > Even Opera is looking interesting again....

                  What browsers have you been daily-driving to come to that conclusion?

            • marshray 2 months ago

              Chrome owns the internet because web standards have become so complex that not even Microsoft can afford to maintain their own browser engine.

              • hollerith 2 months ago

                >not even Microsoft can afford to maintain their own browser engine

                We don't know that. Maybe Microsoft could maintain their own browser engine if Google hadn't provided one on permissive open-source licensing terms that met their needs.

                • numpad0 2 months ago

                  Microsoft tried with Edge V1, and gave up when Google online services started sabotaging it.

                  • GekkePrutser 2 months ago

                    They gave up way too easily though. I don't think they ever had an interest in actually making a good browser engine. They've never managed one in their entire history. Microsoft love mediocrity, the "just good enough" mindset. Nobody takes their products on because they really excel at what they do. Just because they have a huge installed base, they're not so bad there's really a problem to use them and they integrate with everything else (e.g. Windows) nicely. For example Slack is so much better than that turd called Teams but nobody wants to pay the extra because Teams is free with O365 and user frustration doesn't cost anything on the bottom line.

                    This is why Apple really came out of the blue with Steve Jobs' razor focus on quality above all. Microsoft's goal is never to be 'best in class'. Because they don't need to be. People will buy it anyway.

                • bfung 2 months ago

                  >not even Microsoft can afford to maintain their own browser engine

                  MS can afford it financially. The desire to put in the effort to is not there.

                  • smoldesu 2 months ago

                    ...that's what they're saying. Microsoft has no reason to build their own browser when they can fork Chrome and preinstall it on their computers.

              • propogandist 2 months ago

                It’s simpler than this, imo. Most users rely on Google Search and Google will Constantly nag the user to try Chrome.

                Users, trusting the ad company that provides them free email, search, video, photos etc. will action on the suggestion and install Chrome.

                More users gives google the market power to dictate web standards

              • smoldesu 2 months ago

                So what's the solution? I hate this status quo as much as you do, and standing here in a Mexican Standoff is not viable forever. You're right. "The web" as a platform has been twisted and perverted beyond real usability at this point. There is no path forward where we undo Google's damage and preserve the qualities of the web we enjoy today. So, how do we fix this?

                The solution (to me) is simple - fix native app distribution. Make platform targets operate the same as they used to, and give people control over their computer again. The only ones preventing us from a platform-agnostic utopia is Apple and Google, both of whom profit off the artificial difficulty of distributing applications.

                So, here we are. Google is poisoning the web while Apple refuses to swallow their pride. Everyone is hurting, and nobody stands to gain anything but the shareholders. A hopeless situation, but let's not pretend like everything here is morally grey.

                • int_19h 2 months ago

                  For starters, if a company makes a web browser with market share exceeding 50%, and also produces web sites and web apps, if those web sites and web apps to do any sort of user agent testing or require non-standard features of the aforementioned browser, it should be treated as ipso facto monopoly abuse.

                • xani_ 2 months ago

                  The solution is already impossible. When Mozilla had browser domination they had a chance to dictate something. The moment Chrome became popular, now another company, just as MS and IE did before, could just do the feature creep of "add feature, subtly break/slow down opposition, get more users that just want browser that works"

              • supernovae 2 months ago

                Microsoft edge non chromium was fine, but no one used it. So they went chromium based.

                • q-big 2 months ago

                  > Microsoft edge non chromium was fine, but no one used it. So they went chromium based.

                  Are people now using Edge because of this change?

                  • int_19h 2 months ago

                    Edge has made substantial gains in market share in the past few years. But it's hard to definitively ascribe it to any specific change.

            • Am4TIfIsER0ppos 2 months ago

              Companies like google keep expanding the effort needed to write a browser engine to ensure everyone uses their spyware.

              • smoldesu 2 months ago

                Then companies like Apple should stop shrinking their API targets and contribute to the general wellness of computing, for a change.

                • rytis 2 months ago

                  Can you please give a concrete example of what Apple should do, in your opinion, to expand their API targets? And how is that related to web standards complexity?

                  • smoldesu 2 months ago

                    People complain about excess functionality being added to web browsers (HTML5, WebXR, WebRTC, etc) and many of these complaints are valid. Web browsers don't need these features, they should be relegated to native apps.

                    Except they can't be. Native apps don't offer the same freedoms that the web does. And so, we keep stacking technologies on top of web browsers to alleviate the problem. It's a bad situation, and both Google and Apple are gruesomely complicit in making this situation worse.

                    > Can you please give a concrete example of what Apple should do, in your opinion, to expand their API targets?

                    Stop browser lockdown. Allow sideloading. You know, the basics of computing that we had figured out since the mid-90s or when we sued Microsoft.

            • Entinel 2 months ago

              99% of a web browsers end users do not care if their browser uses Servo, Webkit, etc.

              • autoexec 2 months ago

                I'd guess pretty close to that number don't even know what those are in the first place.

              • andirk 2 months ago

                Yes but being able to use all of Chrome's extensions in Brave is a huge win to me. And most Chrome documentation, Q and A, tutorials are mostly relevant to Brave as well. I see Google and other behemoths contributing to an open source project as a good thing. The product may not be where it is today without their help, including paying people to work on a free product. Still, yeah don't trust them.

            • IncRnd 2 months ago

              It's the other way around. Brave uses the Chrome browser engine, because Chrome already developed their own browser engine.

          • autoexec 2 months ago

            Firefox is pretty nice once you beat it into submission. I'd put my money there before Brave.

            • kdtsh 2 months ago

              Honestly I find the defaults plus uBlock Origin and Multi-Account Containers to be fine, no bearing required.

              • autoexec 2 months ago

                I must have a hundred things that I change on every install. At a bare minimum I'd be disabling pocket, prefetch, and search from the address bar for privacy reasons and then disabling service workers, webgl, and wasm for security reasons.

            • account42 2 months ago

              OTOH, Firefox funding depends almost entirely on Google so they are unlikely to do anything that upsets Google too much.

        • fragmede 2 months ago

          > Using a browser that monetizes itself in any way seems like a slippery slope to me.

          Is that a practical sustainable long-term business practice though? Firefox was only able to be free because Google was paying Mozilla. Browsers are some complex software and software developers wanna get paid. I know that the in's and outs of history of browser software has conditioned us to expecting browsers for free but that doesn't reflect the reality of developing the software.

          • easygenes 2 months ago

            Firefox, with its full complement of full-time developers, could stay alive with a tiny fraction of what Mozilla earns in a year. Most of Mozilla's work is tangential to Firefox at best.

            Surely there's space in the browser market for a model akin more to how Wikipedia operates.

            • TEP_Kim_Il_Sung 2 months ago

              > Surely there's space in the browser market for a model akin more to how Wikipedia operates.

              Donations by corporations, and edited by powerhungry users (ryulong) and bots?

            • GekkePrutser 2 months ago

              This is part of the problem. Mozilla is diverging too much into dead ends. Instead of focusing on what they do best, Firefox.

            • staticassertion 2 months ago

              OK so you do want a business model, it's just a terrible one.

              • smoldesu 2 months ago

                Sounds better than a black-hole cryptocurrency where the devs steal 30% of your transaction 'because they can'

          • account42 2 months ago

            That's the thing, it shouldn't be a business practice at all. Browsers are part of the Internet infrastructure and that should not be treated like any other business but be regulated enough to ensure anyone gets fair use of the infrastucture and should rely primarily on public funding.

            The Internet being global makes this challenging, and almost all countries (including so-called democracies) wanting to drink as much authoritarian juice as they can get away with does mean that there is plenty of risk here as well. But letting one or a few giant megacorporations entirely dicate the primary intrastructure for information interchange is so much worse.

        • ramesh31 2 months ago

          > Using a browser that monetizes itself in any way seems like a slippery slope to me. I'd rather use Ungoogled Chromium/Bromite or even LibreWolf if it came down to it.

          The problem with this approach is that it’s impossible to get a safe binary that isn’t downloaded from “libfree.cxcc.gg” or whatever. The other option being to build from source, which is an absolute nightmare for Chromium.

          • smoldesu 2 months ago

            All of those browsers have signatures available if you question the integrity of your binary. Otherwise this argument isn't any different for the likes of Brave or Chrome even.

            • ramesh31 2 months ago

              > All of those browsers have signatures available if you question the integrity of your binary

              Signatures available from whom?

              The point being that a web browser is a very special case of software that has to absolutely 100% trustworthy from a reputable commercial entity (that is, someone that can be sued). The only other thing with that level of trust is your operating system.

              • rswail 2 months ago

                So my Linux kernel running the majority of the infrastructure of the company I work for is untrustworthy?

                Do you not trust kernel.org? Or the GPG signatures of the commits?

                What about Mozilla?

                As for "someone that can be sued", have you read any of the EULAs of the commercial entities that you think are "reputable" and "100% trustworthy"? You can't sue them.

                Similarly, do you trust all of the CAs that have certificates in your OS or browser trust store?

        • colechristensen 2 months ago

          I still have a CD of Netscape Navigator Gold I purchased in a box in a store… long ago enough that was a thing.

          Those were the days.

          • forgotmypw17 2 months ago

            I still test and validate my websites with Netscape 2.x and up.

            Any Browser can be a reality.

            • colechristensen 2 months ago

              If I had my billion dollars I would fund a modern intentionally crippled hypertext browser with hard limits on programmability and style complexity.

              • Karunamon 2 months ago

                It sounds like you are describing Gemini. https://gemini.circumlunar.space/

                • account42 2 months ago

                  Gemini is on the other extreme (except for requiring the crypto complexity that comes with TLS). I would prefer something that still lets people express themselves creatively like the early web did. Personally, I think even newer CSS is fine even if more complex than it could be if re-designed - the problem is mostly JS and million different APIs that come with that as well as the expectation that that the browser will be able to execute that JS insanely fast.

              • forgotmypw17 2 months ago

                Some browsers you may want to try, which support only HTML and CSS:

                Dillo

                Links

                NetSurf

              • pdntspa 2 months ago

                Why not just bring back the 486?

              • Thiez 2 months ago

                A shame that you would waste your money on a browser that nobody would use.

                • alcover 2 months ago

                  I would. I already use FF mainly under a locked-down profile for mere reading. (I use another profile for madatory interactive sites like banking and stuff).

                  Others like me would. And resource-constrained devices. An eco-system of low-tech sites could emerge with a label signaling them as simple and virtuous.

                  • Thiez 2 months ago
                    • alcover 2 months ago

                      Interesting. But I meant only using a subset of current web stack, and insist on low resource.

                    • forgotmypw17 2 months ago

                      The issue I have with Gemini is that it discards 25+ years of established domain knowledge and existing software for something which does not provide any additional functionality over what today's software already offers.

        • GekkePrutser 2 months ago

          I don't think any way is unacceptable. I'd be totally happy to pay for the software for example. It's all the sneaky crypto / adware / tracking stuff that I have a problem with.

        • LtWorf 2 months ago

          well google is removing adblockers from chrome to better monetise the web…

        • _emacsomancer_ 2 months ago

          How is Brave Microsoft(2)?

          • smoldesu 2 months ago

            They're both for-profit businesses that will consistently put the user experience behind profitability. Open-source, libre browsers will not.

            I'm sure people said the same thing when Edge was in beta. "How is Microsoft Chrome(2)?"

            • _emacsomancer_ 2 months ago

              But Brave is also an open-source, libre browser. And the Mozilla Corporation is a for-profit company.

              (And I think Edge is worse than being Chrome(2).)

      • mhardcastle 2 months ago

        I'm very glad you mentioned the homepage spam. It's increasingly difficult (and valuable) to live without information overload these days; Edge's forced "news" spam has pushed me away as well.

        • princevegeta89 2 months ago

          What is shocking is the content is so low quality it's appalling it came from a big, respected company as Microsoft. A lot of the posts are often clickbaits, and there are ads carelessly interspersed between the posts all over the page.

          I know it makes a lot of money for Microsoft but the fact they chose to keep the quality so low really looks bad.

          • ekianjo 2 months ago

            "Respected"? Since when is Microsoft respected?

            • princevegeta89 2 months ago

              The company is respected for being so big and being a stable, high performer. Obviously they did a lot in "personal computing" as well

            • mistrial9 2 months ago

              Biz, gov and mil management relies on MSFT; executives, their attorneys and bankers, respect MSFT for doing what they do ($$). Similar to big retail and worse, gambling, the single user is last in line; used and abused individuals.. nobody expects a lot from the individuals involved, and their opinion matters less. Wolves among sheep, basically.

        • SimoneSleek 2 months ago

          blocking msn.com via hosts will give you a blank new tab page in Edge, only including an Edge background image, and a search bar leading to your chosen search engine.

          • int_19h 2 months ago

            You can disable all that from Edge itself, at least on the desktop. When on the new tab page, there's a "Page settings" icon in the top right. If you click on that, there's a bunch of options there regarding what should be present on the page; the bottom-most item is "Content", and if you set it to "Content off", it all goes away.

            • KyleK 2 months ago

              true, but the default new tab page sets cookies and connects to MS all the time. When blocking msn.com, it loads local resources only.

      • ectopod 2 months ago

        Edge is a pretty good local pdf reader so I added a firewall rule to stop it connecting to the internet.

        • gotoeleven 2 months ago

          Oh you sweet summer child.

          • _V_ 2 months ago

            Damn you, I just spit out my drink! :-D

      • w0m 2 months ago

        I'm all for pushing for more privacy/etc; but is Brave what we want to advocate for as an alternative? They did some pretty heinous link jacking relatively recently. I'm not sure FF/(/chromium) have been caught doing anything worse than that yet.

      • drews64 2 months ago

        Firefox with uBlock Origin and HTTPS only works beautifully with Pocket disabled.

        Only thing I have to pull out Chrome for is corporate intranet.

      • cheschire 2 months ago

        the only unremovable thing that bothers me is the stupid bing points thing that i dont care about. It doesnt encourage me to use bing, it just makes me question how they continue to manage to swipe my queries enough to increase that score.

      • Datagenerator 2 months ago

        Or the privacy focused Librewolf (fork of Firefox)

      • mc32 2 months ago

        Also Epic.

    • vintermann 2 months ago

      Yup, a VPN is not a security measure at all unless you trust the VPN provider more than the site you're connecting to...

      • Schnurpel 2 months ago

        Actually, with a VPN, you need to trust the VPN provider AND the site you're connecting to...

        • rpgmaker 2 months ago

          And not even then. Most VPN providers in the top 10 are actually very shady and their organizational structure is quite opaque.. to say the least. I wouldn't be surprised if at least half of the top providers are actually FBI fronts, like the ANOM chat app.

        • bryanrasmussen 2 months ago

          well you might have a reason to trust a VPN provider you pay for, but who is the customer for MS Edge.

          • manholio 2 months ago

            The insane thing is that, because the VPN has a 1GB/month traffic limit, there is no way to enforce it unless they associate all traffic with a Microsoft controlled user identity. Cloudflare literally has to keep track of any sites you visit and associate them to your ID to make it work.

            Though, I do believe that for connections from public WiFi it's somewhat of an improvement. It establishes a minimal security baseline of: "ok, we'll sell your data and let FBI snoop on you, but we won't inject trojans in your downloads and then hijack your webcam to create ransom-porn (though the FBI/??? might)".

      • smeagull 2 months ago

        It is so weird that they're 'VPN providers'. They're proxies. It's not really a VPN unless I'm in control, or they're providing servers in the VPN to connect to.

      • eli 2 months ago

        My ISP reserves the right to sell data on the sites I visit. If the VPN provider promises not to do that, it’s probably a win.

        • ptsneves 2 months ago

          ISPs in Poland at least give you the ability to pay so they do not spy on you. It is very small (10%)but I have no doubt most people cheap out. Internet is relatively cheap here.

    • sheerun 2 months ago

      From my experience, non-tech people just leave browser defaults. I'd argue this is better than letting them to use public wifi without VPN. If you really care about security you won't use it, of course

      • dataflow 2 months ago

        Public Wi-Fi in the world of HTTPS is not exactly terrifying.

        • newZWhoDis 2 months ago

          > Public Wi-Fi in the world of HTTPS

          Story time. Someone I know once got laid thanks to Facebook not encrypting their sessions

          My university was still using basic ass unencrypted WiFi with some kind of terrible dns-hijack sign in to “auth”. This of course meant that everyone put their shiny MacBooks on essentially public wifi and logged in to social media in the clear in class.

          Some enterprising chaps made a browser extension that made it trivial to snoop any open sessions and impersonate that session in a new tab.

          Someone I know would do this during lecture and post to people’s social media as them saying they should pay attention in lecture. Possibly some other scandalous things were said. The hilarity that led from that stranger doing so led to the beautiful nerdy girl sitting behind this person noticing and daring them to post more. That became hanging out, parties, and as far as I know they got married and have kids now.

          Literal people exist that wouldn’t otherwise because Facebook didn’t have HTTPS

          • Groxx 2 months ago

            >Some enterprising chaps made a browser extension that made it trivial to snoop any open sessions and impersonate that session in a new tab.

            Firesheep was super big for a while, yeah. I used it to show a few coffee shops that yes, really, WiFi with a password of "password" was measurably better for their customers than no password: https://en.wikipedia.org/wiki/Firesheep

          • staticassertion 2 months ago

            Fuck, HTTPS was already popular by the time I went to college. That explains everything.

            • jcims 2 months ago

              I credit the fact that basically nothing was encrypted over the wire when i got into computers in the 90s for learning how protocols work.

            • newZWhoDis 2 months ago

              To be fair this needed HTTP and WPA(?) lol. Old school wifi let you see everything every other client sent.

        • CommitSyn 2 months ago

          Plus, Firefox is soon implementing HTTPS-Only by default if I remember correctly. What was it, maybe 2016 there was a big push for SSL and the majority of the web, even login and payment pages, were HTTP? Now only a small percentage of the web isn't HTTPS. I have HTTPS-Only enabled in Firefox and rarely do I have to click the 'Continue Anyway' button to browse an HTTP page. For most general users that only use popular services, I'm sure it's even more rare.

          • ct0 2 months ago

            Its so easy, even a dummy like myself can grab a cert for my self hosted services. I dont give any HTTP only sites any slack

            • bbarnett 2 months ago

              I have a site from 1997, pure html, with drivers, install disks, documentation for computers from the 80s/90s.

              It works. It's fine. No, it does not need ssl. What, someone is going to hack a floppy driver for a computer, which doesn't even have a built in network stack?!

              No, I am not going to do work on it, any work, at all.

              Millions of such sites exist, are fine, are safe.

              • viraptor 2 months ago

                > with drivers, install disks

                Depending on what the drivers are for, you may be a prime candidate for MitM. People already go to your site to download software they're going to run in the most privileged mode. This is a perfect candidate for a type of watering hole attack.

                Considering you're providing those for 90s machines, you could be the last resort website for a few interesting industry computers with no security restrictions around them.

                • jjav 2 months ago

                  > Depending on what the drivers are for, you may be a prime candidate for MitM.

                  Doing that MitM is technically very easy, but in practice pretty hard. You'd have to have an adversary on your network path watching for connections to this particular esoteric low-volume site hosting drivers for machines from the 80s and 90s.

                  That is extremely unlikely.

                  I have a much easier way to target that content: Just put up a new site hosting the same content with malware attached. No need for MitM shenanigans.

                  Security isn't about absolutes, it is about risk managment and being aware of the likelihood and consequence of the risks is important.

              • nlewycky 2 months ago

                > No, I am not going to do work on it, any work, at all.

                Without HTTPS, the content can be replaced entirely. Last time it was JavaScript that DDOS'd github. If you don't want to serve content over HTTPS, then you don't care what your users receive. Just delete the site and they all get 404's instead, since you already admit that you don't care either way.

                If it makes you feel any better, HTTP without HTTPS was a mistake we all made together. It should never have happened.

                • jjav 2 months ago

                  > If it makes you feel any better, HTTP without HTTPS was a mistake we all made together. It should never have happened.

                  Given that http predates SSL 1.0 by a few years, somewhat inevitable.

                • account42 2 months ago

                  Given that HTTP without TLS can provide backwards compatibility while anyone and their dog is advocating for deprecating TLS versions and them being too complex for most people to maintain on their own, I respectfully disagree that plain HTTP was a mistake.

                • sanroot99 2 months ago

                  Seems ,like since inception internet protocols was designed with foreseeable security implications, Gnunet is project is attempting to solve this

              • sfink 2 months ago

                The site contents don't necessarily matter.

                You're at a coffee shop or library using their WiFi. Your computer sends a plaintext HTTP message. The attacker just needs to be able to see that message and get a response back to you before the real site does, and the real site is a lot further away than the guy sitting at the table next to you (or the hacked router, if he doesn't want to be there in person). Then they can feed your browser whatever they want.

                A login form to phish you, perhaps?

                They can even start replying, then go off and fetch from the actual site before finishing the response, if it helps to incorporate the real data.

              • jchw 2 months ago

                That is fine. The site itself is safe. Accessing it over untrusted transits is not. What has changed since 97? Well, attacks became far more sophisticated, and the transits that people access stuff over became far less trustworthy.

                There is nothing wrong with your website. However, you shouldn't be surprised when modern browsers stop working with it. Progress doesn't come free.

              • chlorion 2 months ago

                You are hosting executable data of some kind on a non-authenticated protocol. That's totally not dangerous at all. A MITM definitely couldn't cause any damage by altering executable data in transit on unsuspecting users. This has never happened to anyone.

                >are safe

                No, they are not.

                >No, I am not going to do work on it, any work, at all.

                If you are too lazy to do it securely maybe you just shouldn't do it at all.

                HTTPS everywhere by default can't come fast enough. There is no excuse at all to not have HTTPS support today and browsers should deny access to these lazy and careless sites by default. Anyone who can't spend the 5m to set it up for their website can go kick rocks as far as I'm concerned.

              • hcrean 2 months ago

                It is all fun and games until one of the downloads from your site picks up malware in transit and the user goes "why did this web admin infect my computer? Sue!"

                This genuinely happens a lot in the 2020s.

                • mgbmtl 2 months ago

                  I think of you say "genuinely happens a lot" you should give some examples, because this seems odd to me.

                  More likely sites get cloned, improve their SEO over the original, and distribute malware.

                • LtWorf 2 months ago

                  Ok since it happens a lot can you cite it happening in 3 different occasions since 2020?

                • jjav 2 months ago

                  > This genuinely happens a lot in the 2020s.

                  Sceptical of that claim, can you provide a few documented cases?

                  Particularly for low-volume sites like the parent post.

                • nradov 2 months ago

                  Please provide citations for those lawsuits.

              • kbenson 2 months ago

                Not caring about whether some segment (possibly even a majority) of users can or are willing to jump through hoops to access your site is a valid choice, just like publishing through gopher is. You do you.

              • memen 2 months ago

                You could host hashes of the downloads on an https page. Should be quite simple. Malware can still work on a computer without a built-in network stack and if users are getting downloads onto that computer, then data can leave through the same means.

              • gonzo41 2 months ago

                Putting stunnel Infront of that site and opening 443 is about a solid 30 minutes of effort

                • account42 2 months ago

                  And set up certbot/whatever..

                  And update all links to not go back to the HTTP site...

                  And troubleshoot weird issues (TLS errors are generally not helpful)...

                  And maintain that setup for years...

                  Not an insurmountable effort for sure, but if you estimate 30 min for the total additional effort of adding HTTPS to a site then I have a bridge to sell you.

              • anthk 2 months ago

                Set up a gopher mirror too :)

              • yazaddaruvala 2 months ago

                > Millions of such sites exist, are fine, are safe.

                Frankly, even sadly, they are also entirely forgettable and don’t add enough value to hold back the modern web.

              • staticassertion 2 months ago

                No one is forcing you to use TLS. Do whatever the fuck you want, it's your site?

              • searchableguy 2 months ago

                http://n-gate.com/software/2017/

                I always chuckle at this site does not need SSL post from n-gate.

                PS: Use the URL directly in browser because the site doesn't like traffic from HN.

                • account42 2 months ago

                  > PS: Use the URL directly in browser because the site doesn't like traffic from HN.

                  Or just fix your browser settings to not send cross-domain Referer headers.

            • forgotmypw17 2 months ago

              I keep my site HTTP for compatibility and accessibility.

              HTTPS can introduce all scenarios for not being able to connect.

              I'm not hosting any secret data, but I do want to be able to post from anywhere.

          • account42 2 months ago

            Recently I noticed that FF doesn't even let you accept invalid (meaning no longer recognized as valid by FF because they changed the rules to requrie SAN) certificates for HSTS-enabled sites. The bug report's response was that the HSTS standard specifies that. Fuck that, the users should always be the one in control of such decisions in the end.

        • mjevans 2 months ago

          You forget exactly how much the government felt they got out of just knowing whom was talking to whom, not even bothering to collect the data of the conversation itself.

          • NegativeLatency 2 months ago

            Now they only have to subpoena/hack/partner with microsoft for that

            • somenameforme 2 months ago

              Microsoft was one of the first companies to sign up for PRISM [1], doing so in 2007. I think there's a subconscious feel among many that because the media stopped reporting on these things, that it stopped happening. PRISM never ended, and almost certainly has only expanded and grown even more invasive and brazen largely owing society's apathy towards what Snowden revealed.

              Literally to this day one can read things like the NSA manual for using their software that enables real-time absolute surveillance of Skype: "User's Guide For PRISM Skype Collection." [2] The idea of any degree of privacy from any tech company hosted in America is a lie. The main difference with China is that we lie about our surveillance state, and force companies to lie about it, while China openly advertises theirs.

              [1] - https://en.wikipedia.org/wiki/PRISM

              [2] - https://www.aclu.org/sites/default/files/field_document/Guid...

        • aeternum 2 months ago

          You can learn a lot about a person based on the IPs they visit. HTTPS/SSL doesn't protect you from that.

          In many cases you can even determine which protocols and general content they are consuming from that IP based on traffic shaping/fingerprinting. The burst of traffic your browser sends when loading a particular site is quite exploitable. There's plenty of software already available that makes use of this.

        • samstave 2 months ago

          Public wifi and bluetooth detectors all over is whats scary, as most public wifi is used by phones, not machines and who the hell is running edge on their phone?

          but this just reminded me of the failed FB phone and the failed microsoft phone...

          • dmix 2 months ago

            What bluetooth devices are you concerned are going to leak private data?

            Looking at the ones I use daily... headphones, TV soundbar, Xbox controllers, TV remote. None of those provide an interesting attack vector.

            My iPhone isn't really going to be connecting to random stuff and leaking data, so I don't really see the risk here. Maybe I'm missing something?

            • samstave 2 months ago

              >>My iPhone isn't really going to be connecting to random stuff and leaking data

              Incorrect -- BT scanners and loggers have been LONG tracking your things avail...

              and the fact that Apple doesnt allow you to "turn off" it merely pauses..

              both wifi and BT...

              they use prox sensors for BT for airtags, wifi etc and ALL OF THAT data in mined like mad.

              Any Apple person that says otherwise is lying to you.

              • dmix 2 months ago

                So deanonymizing bluetooth device IDs. I know the Canadian spies used airport Wifis to deanonymize Wifi MAC addresses then set up wifi stations all over Toronto to experiment in tracking people.

                How would they do the same for bluetooth? Broadcasting "Dans iPhone" doesn't tell you much.

                • samstave 2 months ago

                  Correct, but its a more insidious web on this level...

                  they have so many correlation engines for device location, that it will soon be impossible to be "off grid", if its not already.

                  how the heck do you think there are fn leaks from over a decade ago of "text messages received by the government reveal that person X who is on the shit-list was quoted as saying [BULLSHIT] sources close to CNN have stated.."]

                  ASIDE: Famous story from ~20 years ago was talking about the CIA handlers at CNN... and the revolving door of in-q-tel emps from fb moving back and forth within the security team (one of which had to be walked out of the building for [things])

                  you dont need "dan's phone" they have had eschelon for DECADES and were able to literally do 6-degrees ppl tracking since the 1990s...

                  WTH do you think they named it "starlink" instead of sky-net...

                  And when they built the first part, they were advertising the wonderful things the rural folks in africa's greater continent will benefit, then after a few years they showed that the system will primarily service the dense populations of the coasts of places like the USA and AUS -- which is where a big portion of the five-eyes service.

                  IMEI and such is a bitch..

                  iOS is the biggest location tracking platform ever...

                  Remember when the founder of Android (from Danger) was let go from google with a ~200MM$ golden parachute at $90MM to gtfo?

        • snickerbockers 2 months ago

          yeah but im pretty sure 99% of the population just clicks past those SSL certificate warnings, in part because they don't understand what that means, and in part because there are way too many sites that let their certificates expire.

        • gambiting 2 months ago

          HTTPS is trivial to break with a man in the middle attack, yes you get a scary warning in your browser about an invalid certificate, but I'd bet that 90% of people will just click through it and ignore it.

          • shepherdjerred 2 months ago

            I highly doubt this prediction is accurate. Most people will think something is broken and call tech support.

            Aside from that, this isn’t possible for HSTS sites.

            • gambiting 2 months ago

              Really? Most people? I cannot think of anyone from my family who would even think about it for a second - they would just get annoyed they can't get to their bank website or whatever and just click continue. Also what tech support? Me?

              • elcomet 2 months ago

                But now there is no button "continue", you have to click multiple buttons, which are not clearly labelled, in order to see the page. I'm sure 90% of people would not even be aware that you are able to continue.

                Even more, for self-signed certificate on chrome, there is no button to continue for example. Check https://self-signed.badssl.com/

                • gambiting 2 months ago

                  In your example, all I had to do was click advanced then proceed(Chrome on Android)

                  • elcomet 2 months ago

                    Ok, on chrome desktop there is no way to bypass the security

                    • not2b 2 months ago

                      Yes, there is. I often have to use it to deal with some internal misconfigured site inside the corporate intranet (the cause is almost always that a certificate has expired, when it isn't it's because a host can be reached with two names and the cert matches only one of them, but that case can be fixed by using the proper URL). I have no trouble telling chrome desktop to bypass.

                      • not2b 2 months ago

                        ... and I always read the details before proceeding (finding out what chrome's problem with the cert is).

                      • elcomet 2 months ago

                        For some type of errors it is possible, for some other it isn't. Check the badssl website and test the various type of bad certs, you'll see.

              • shepherdjerred 2 months ago

                From my experience working as on-campus tech support in college, most people who aren't tech savvy will quickly give up or look to someone else for help. They will likely not think to click Advanced -> Continue Anyway (unless they have been taught to do that before).

                Tech support comes in many forms. The owner of the website, a friend who knows about computers, someone else in the workplace, the vendor they purchased their laptop from.

              • sbierwagen 2 months ago

                HSTS cannot be overridden. Which bank domain names are you thinking of that are not one of the twelve thousand names on the HSTS preload list? https://source.chromium.org/chromium/chromium/src/+/main:net...

                • LtWorf 2 months ago

                  I tried 5 banks (swedish and italian). None of them are in the list. I feel safer now :D :D :D

                  handelsbanken.se danskebank.se unicredit.it fideuram.it sella.it

                  • ripdog 2 months ago

                    Banks often have awful security systems. Kiwibank in NZ has a "two-factor security" system. All it is is a security questions thing where you click on screen to fill in 3 letters of the hidden answer. The on-screen keyboard makes it secure, you see? Against keyloggers.

                    I once wrote them a long email about what two-factor is actually supposed to be and why it exists, and got a reply basically saying "lol ok, our security is great ok?"

                    I've since switched away from them for a bank which does 'two-factor' by sending codes via SMS, but only when its algorithm decides that it needs to. That's not very often.

                  • sbierwagen 2 months ago

                    handelsbanken.se is on line 163144. (I was a little bit off on the length of the list before)

                    unicredit.it is not on the list, but unicredit.ba and unicredit.ro are. (Lines 7331 and 7332) It does send HSTS headers.

                    danskebank.se and sella.it are not in the file, nor are the base strings, but both sites do send HSTS headers.

                    fideuram.it is not on the list, and does not send HSTS headers, so they don't seem particularly interested in security. They also haven't set an A record for the root domain, so visiting `fideuram.it` returns NXDOMAIN. Only `www.fideuram.it` exists.

                    • LtWorf 2 months ago

                      So this shows that your statement about the security of hsts headers was overblown?

                      • sbierwagen 2 months ago

                        You got me. I wildly overestimated the competence of Eurobanks. I'll never make the mistake of assuming an institution knows what it's doing again.

                        • LtWorf 2 months ago

                          fideuram removed the phisical tokens for 2fa and moved to SMS, saying that it was because of some european directive… I went to read the directive. It basically said to not use sms and avoid apps in favour of dedicated 2fa devices for banking.

            • hsbauauvhabzb 2 months ago

              Hsts solves sslstrip, I do not believe it enforces cert pinning. Iirc browsers deprecated cert pinning some time ago.

              • shepherdjerred 2 months ago

                I've seen HSTS not let me continue without the server having the expected certificate recently, so I think that's still a thing.

                • mr_toad 2 months ago

                  That might be because of certificate transparency rather than certificate pinning.

            • 1vuio0pswjnm7 2 months ago

              "Aside from that, this isn't possible for HSTS sites."

              Isn't it possible for the user to disable HSTS. A simple web search produces detailed instructions, from a CA.

              https://sectigostore.com/blog/how-to-disable-hsts-in-chrome-...

              Also, what does "HSTS sites" mean. Does it mean (a) "official" HSTS via HTTP header alone, (b) "unofficial" HSTS via preload list (see RFC 6797 section 12.3), i.e., the list maintained by Google, hardcoded into a browser, or (c) both. The "unofficial" approach only seems feasible for a limited number of domainnames and unworkable for every domainname in existence.

              In tests I have done on Chrome (YMMV), executing "Clear site data" via Developer Tools, or including

                 Clear-Site-Data: *
              
              in an HTTP response header, e.g., added via a user-deployed proxy, will clear an "official" HSTS block, allowing the "MITM" to proceed.

              Besides being generally annoying, HSTS allows for setting "supercookies" that persist even in "Incognito" mode

              https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-bro...

              The RFC for HSTS even admits how it can be used for web tracking. Not too concerning for the advertising company sponsoring the RFC.

              14.9. Creative Manipulation of HSTS Policy Store

              Since an HSTS Host may select its own host name and subdomains thereof, and this information is cached in the HSTS Policy store of conforming UAs, it is possible for those who control one or more HSTS Hosts to encode information into domain names they control and cause such UAs to cache this information as a matter of course in the process of noting the HSTS Host. This information can be retrieved by other hosts through cleverly constructed and loaded web resources, causing the UA to send queries to (variations of) the encoded domain names. Such queries can reveal whether the UA had previously visited the original HSTS Host (and subdomains).

              I use a loopback-bound forward proxy to enforce zero tolerance for HTTP across all programs, not just the web browser. Everything is sent via HTTPS. The proxy is configured to to check certificates, and deny connections, according to rules I set. I use a text-only browser for noncommercial, recreational web use so I need a forward proxy, if for nothing other than to deal with the spread of TLS. But I also use it for a whole laundry list of tasks.

              Maybe it is just me, but HSTS, like much of Google's rhetoric, comes across as unfriendly if not hostile to proxies, regardless of who is running them. Consider this line from the RFC

              "The rationale behind this is that if there is a "man in the middle" (MITM) -- whether a legitimately deployed proxy or an illegitimate entity -- it could cause various mischief (see also Appendix A ("Design Decision Notes") item 3, as well as Section 14.6 ("Bootstrap MITM Vulnerability"));"

              "Mischief." Does that include inspecting one's own HTTP traffic on one's own network. How about blocking certain methods of tracking, data collection and advertising. Apparently it includes disabling HSTS.

              Let's be honest. Google is an undisputed king of "mischief". The stakes for Google mischief are much higher and there have been too many fines to count. Consider the latest. How many people deploying their own proxies get fined $4B. (Arguably, an issue of "control" was at the heart of that decision.)

              https://www.theregister.com/2022/09/14/european_court_fines_...

              If the proxy is "legitimately deployed" then why not stay out of the network operator's way. Let them have control. Give the option to cede control to Google instead of making it a default.

              I use HSTS for commercial, nonrecreational web use, when I have to use a "modern" browser. That is a small fraction of total web use for me.

              • heavyset_go 2 months ago

                Thanks for the informative post.

          • ShinTakuya 2 months ago

            I'd argue the invalid certificate would only get the middle segment of semi-tech literate but security illiterate people. So maybe a lot of people on this site . The average user, based on my observations, tends to take these warnings very seriously.

          • jiayo 2 months ago

            Have you looked at what the UX is for invalid certificates in 2022? It's not like ten years ago where you just click enough times and "visit anyway".

            Here, try this link in Chrome: https://untrusted-root.badssl.com/. When you click Advanced, it tells you "the website sent scrambled credentials that Chrome cannot process". And beyond that there's just no button to bypass it. You can't visit the site. (Sure, there's probably a chrome://flags or --disable-web-security way to bypass this, but that's well beyond the average user's comfort zone, as well it should be.)

            • LtWorf 2 months ago

              Uh I just have to click "advanced" and then "proceed anyway".

              I tried on a blank profile to make sure there were no strange settings.

            • gambiting 2 months ago

              I clicked that link - in Chrome on Android all I had to do was click "advanced" then "proceed anyway". I have never changed any flags or default settings in this browser.

              • 988747 2 months ago

                I just tried to open the site in Safari, and there's no "Continue anyway" button, only "Go Back". I did not change any default settings, because I use Firefox as my daily driver ( and Firefox does have "Accept risk and continue" button, but I think the word "risk" on it is scary enough for many people to not click it).

                EDIT: It turns out there is a "visit this website anyway" option in Safari, but it is not a button, it's a link which you only notice when you click "Show details" button and read the warning.

          • fsckboy 2 months ago

            it's not so easy to click through, because I often try and it really seems like they don't want you to, the dialogs are very confusing.

          • gsich 2 months ago

            >trivial >requires user mistake

            Not sure how that matches.

            • gambiting 2 months ago

              It's trivial to set it up for the attacker. If you have a Linux laptop you can set up a redirect for all the traffic on the network through your machine with two commands, then there's plenty of tools that will intercept any incoming HTTPS certificate, replace it with your own, the decrypt the traffic. It sounds like a lot but anyone can set this up in about 15 minutes - that's why I said it's trivial.

              The user mistake is just clicking "advanced" then "proceed". I know all my family members would do that without questioning.

              • gsich 2 months ago

                Maybe teach them to not do that.

      • sbierwagen 2 months ago

        What percentage do you think of all network traffic that Edge handles is 1) Over wifi? 2) Over unencrypted wifi?

      • itake 2 months ago

        From my experience, tech people with non-default browsers can't use the internet :(

      • kuekacang 2 months ago

        We had recently hired new programmers, 2 freshgrad and 1 junior. All of them use edge on their personal laptop and I didn't notice extension button anywhere.

    • muricula 2 months ago

      Like your internet service provider you already have??

      • bisby 2 months ago

        While I agree with the sentiment that ultimately we have to have some level of trust somewhere on the stack, there are a few minor differences.

        In theory anyway, I pick my ISP. If this was "support for using a VPN" instead of "we're injecting OUR VPN" I would feel a lot better.

        I'm aware Im using my ISP. Even someone who doesn't know much about computers knows their traffic is going somewhere. They might not know the repercussions of that, but if this is just transparently on in the background, effectively a keylogger, a user might never know this is happening.

        I give my ISP money. Back to the choice option. Some ISPs are bad and are trying to nickel and dime you to maximize profits. Some ISPs are actually good (I'm not swiss so I don't know for sure, but Init7 looks amazing https://www.init7.net/en/support/faq/privatsphaere/). I don't have to question with my ISP "how are they profiting off of me" because I give them money every month. They might be, but they don't intrinsically NEED to be scraping my data. I am not sure how Microsoft benefits from giving me a free VPN unless they are scraping my data.

        I can use a VPN to bypass my ISP monitoring if they do monitor. I have no idea how Microsoft's stuff is set up here. If the end result is that it gets routed through their VPN after my VPN, or instead of my VPN, or even through their stuff at all, but with stamped metadata, then there's not necessarily a great way to get around it other than "don't use Edge"

        In general, yes, your ISP isn't your friend. But an ISP is something I asked for, have a use for, and need. A Microsoft stealth VPN is none of those things.

        • gfaster 2 months ago

          This was also how I could justify being more trusting of Apple. They didn't need all my data because that was paid for up front. The ongoing services that needed to make money I used were also paid for. Obviously that's no long quite true with Apple ramping up their ad business, but that attitude is still often the best you can do without a level of effort that I just am not willing to go through.

      • xboxnolifes 2 months ago

        An ISP is not a single point for all Windows users.

        • BillinghamJ 2 months ago

          Cloudflare is probably not far off, though not an ISP in quite the same sense

    • bakuninsbart 2 months ago

      Maybe a dumb question, but isn't that already a given when using a browser? To me it always seemed a bit absurd to use VPN as it basically just gives another person all your info, but just assumed browsers and the big 5 just got most of the data anyway.

      • frankfrankfrank 2 months ago

        The only thing I can see working is pollution, pollution of our data. There are some current extensions that do some of that, but they are likely not enough and what we really need is a kind stream of data and requests that your own requests are simply merged into.

        The thing is that it would need to be smart enough to prevent pattern recognition, e.g., it cannot just be random data because your specific searches and string of searches or actions will stand out quite obviously.

        Yes, it would place a severe tax on the internet and a few things could be done to minimize that, but I currently do not see any other better option.

        I could see it implemented where your activities online are merged with and threaded into those of related or similar communities, e.g., be it family and friends, the YC community, or a combination of different groups. The effect would come from the proximity to similar but not exact activities. To use a common example, if your legal free speech activities could make you a target, those online activities are muddled and polluted by being merged with other people's legal free speech activities, and your activities would be merged with those of others.

        Consider it a kind of mutual compromise of society in order to provide protection/obfuscation in numbers ... the zebra in a herd, if you will. They can't arrest/target everyone if everyone has activity data that looks like they defy the ruling powers.

        • autoexec 2 months ago

          > The only thing I can see working is pollution, pollution of our data.

          this is a terrible and dangerous idea. Nobody cares about the accuracy of the data they collect on you. Stuffing your dossier with random things won't cause anyone to throw it away just because there might be errors in it. Instead all of that data, random/accurate or not, will be used against you all the same.

          Your clever browser extension might have been responsible for browsing to a bunch of fast food websites, but your health insurance provider won't care. They'll just see that in your internet history and quietly raise your health insurance premiums anyway.

          If your legal free speech activities make you a target, adding more free speech activities to your permanent record just means you'll also now be targeted for those activities on top of your own.

          You can't know what will prejudice someone else against you. You might not be gay, or Muslim, or a heavy drinker, or an Andrew Yang supporter, but your browser extension pulls in the wrong data that gets you flagged as being one and it could cost you your job, get you denied housing, etc.

          You might not be looking into getting an abortion, but anti-abortion activists who buy up the data of anyone who appears to be trying to get one, or looking for support after getting one, will still see you listed and you will still get harassed by them or dragged into a texas court room.

          You might not be rich, but data brokers and consumer reputation services will see that you've been interested in expensive vacation spots and online stores will start charging you more than your neighbors for the same items on the assumption that you are.

          If you want to try to hide in the crowd look into a VPN or TOR (although be aware device/browser fingerprinting can still get your traffic associated with you). Just please understand that giving others more ammo to use against you isn't helping yourself or anyone else. Adding more and more data to your internet history just increases your risks substantially because no matter if you deserve it or not your life will be impacted in countless ways by the data you surrender and none of that data, "pollution" or genuine, ever goes away.

          • danuker 2 months ago

            If you have enough money and time, it might still be useful (and satisfying) to serve society in this way.

            You would confuse models currently shooting fish in a barrel.

            You would still pick the cheapest insurer (probably one that does not look at your data).

            You can live without anyone abusing your privacy in this way.

        • 867-5309 2 months ago

          >what we really need is a kind stream of data and requests that your own requests are simply merged into

          having a wife and kids helps with this. or any shared wifi with a guaranteed shitstream for your tunnel to wade through

      • stavros 2 months ago

        How are the browsers and the big 5 getting the data? It's not like you can't see what your browser is sending where.

        • account42 2 months ago

          You mean like sending what you type in the address bar to google as you type it.

          Like sending usage information to the browser developer.

          Like downloading code (experiments) for specific users which can essentially do anything.

          Are you debugging your browser 100% of the time and fully analyzing all communications that there is nothing leaked. Is anyone?

          • stavros 2 months ago

            No, I'm not, but I trust that if I disable the thing, it will disable.

    • mejutoco 2 months ago

      Isn‘t this what they did with Skype (centralize it)?

    • discordance 2 months ago

      I think there's more to it than that. Good for some and bad for others. A few rough off the top of my head:

      Good:

      * Better privacy from the intrusive ad motivated JS shit hole the internet has become.

      * Faster internet for those on slow connections

      * Protection from ISP MITM. Many countries now have mandatory data collection laws that ISPs have to follow.

      * Better than a lot of shady 3rd party commercial VPN providers.

      * Is opt-in (for now)

      * Potential to reduce Google's dominance

      Bad:

      * Obvious MITM choke point, as you mentioned

      * Potential control / monitoring by two large corporations

      * Business goals usually override users.

      • Thorrez 2 months ago

        >* Is opt-in (for now)

        Are you sure?

        >a VPN baked into Edge appears to be turned on by default, but only for certain use cases.

    • datalopers 2 months ago

      Wait til you hear about Cloudflare

      • devwastaken 2 months ago

        CF removed kiwi farms from their services. If they're cooperating with FBI they would continue to host and intercept traffic to decloak users.

        • datalopers 2 months ago

          Honeypots outlive their usefulness. Take silkroad v2 that was actually ran by the FBI, yet they still shut it down.

    • awill88 2 months ago

      Yep, a VPN baked into a browser like this is literally Microsoft stealing the network routes from your ISP, who is probably too embarrassed to complain that what’s happening is they are taking that sweet, sweet data with them. It’s like high-fructose corn syrup for targeted advertising imho. Who’s selling?

    • tekknik 2 months ago

      While it doesn’t resolve all the issues, the single point to monitor is your internet connection where they have jurisdiction, not some arbitrary VPN provider. Then if they can force the IKE a certain way they decrypt.

      I think the other side of this is if you have FBI attention, do you really want to look more suspicious? Whatever fight you try with them you will not win.

    • api 2 months ago

      It's also a way to front run ISPs in the data market. Then these vendors can sell the data on the data broker market and pocket the cash the ISPs are getting by selling whatever browsing history data they can infer (from DNS and traffic).

      I suspect this is the corporate motivation. The increased state surveillance and control is a side effect.

    • at-fates-hands 2 months ago

      I work for a very large corporation who has decided the default browser will be Edge. Getting another browser installed on your machine takes an act of congress and several upper level approvals.

      Does this mean they will also have the ability to collect corporate data from the browser in companies like mine?

      • meltedcapacitor 2 months ago

        Just compile Firefox or chromium to WebAssembly and run it inside Edge. :-)

    • jhchjdjsdh 2 months ago

      they already have this at several points in your network. from ISP to target site. meh.

      the reason microsoft is doing that is because google is forcing their hand with Floc implemented in the browser.

      you wont be in ads next year unless you can slurp more traffic than the NSA. and only google can do that today, thanks to chrome + android. apple is a close second.

      • dannyw 2 months ago

        How is FLOC relevant to this?

        • jhchjdjsdh 2 months ago

          How do you think google competitors will have access to all those user to form the cohorts without having the browser or google analytics code everywhere?

    • still_grokking 2 months ago

      > This is absolute BS they're implementing this.

      Out of the perspective of a PRISM Premium Partner this makes perfect sense.

    • staticassertion 2 months ago

      They already have that with ISPs, right? I don't see this as worse. If anything ISPs are more scummy.

    • cyanydeez 2 months ago

      Corporations have shown worse proclivities than the US government these days.

    • dheera 2 months ago

      It's because they are shareholder-driven, not customer-driven.

      Clueless shareholders on the 59th floor of JP Morgan who don't even use Edge see "oooh VPN, me like buzzwords" and upvote the stock.

    • supernovae 2 months ago

      why is it ok if firefox and opera do this but no one else?

  • uup 2 months ago

    VPNs don’t help privacy at all. They allow you to substitute trust in your ISP for trust in a different entity. For some, that may be good, but for most others it’s a wash.

    • voxic11 2 months ago

      ISPs generally don't claim to protect your privacy at all [0]. So it would be foolish to trust them to do something they never claimed they would do. VPNs generally do claim they will protect your privacy so at least trusting them makes some amount of sense.

      Going from "trusting" an entity that explicitly requires you to consent to spying when you sign up to trusting one which explicitly promises to protect your privacy when you sign up does seem like it would "help privacy" in most cases.

      [0] https://www.privacypolicies.com/blog/isp-tracking-you/

      • dagenix 2 months ago

        A major difference between your ISP and a VPN is that your ISP is generally an established company based in the same jurisdiction as you are. So, if they do something terrible, in theory at least, they can be brought to court. A non-trivial number of VPNs that claim to protect your privacy, however, are based all around the world with unclear corporate structures. If they do something terrible, you likely have no recourse at all. How much faith you want to put in a promise made by such a company is up to you - but I would push back on the idea that simply making a promise really provides much value by itself.

        • Sakos 2 months ago

          > based in the same jurisdiction as you are

          Why would I trust an entity that often has the legal backing to harvest my data and provide it to the government whenever they "deem" it necessary? The same government that has direct means of control over me? Whether it's the US, China, Germany, I think I'd rather put my chances with some private company that at least has financial and maybe ethical motivations (depending on the company) to protect my privacy. An ISP will only go as far as the law requires to protect it and who knows what backdoor deals are made with governments to subvert those same laws.

          There is no realistic/helpful/useful legal process to sue over a breach of privacy. So my ISP being in my jurisdiction doesn't do me any good at all.

      • actuallyalys 2 months ago

        ISPs don't emphasize privacy in their marketing, but some large ISPs claim they protect it [0], although their claims are pretty dubious[0][1].

        I think your logic holds up, but it's not quite as definitive as you say. VPNs are not the straightforward privacy upgrade that HTTPS is. (I don't think you were trying to imply otherwise.)

        I think the picture improves if you choose more carefully. Choosing an established VPN that has a no-log policy and has been audited seems much better, because now multiple companies are putting their reputation on the line. On the other hand, I think a relatively unknown company that's reselling someone else's VPN and hoping to cash in on the "VPN = privacy" is only a slight upgrade over a major ISP.

        [0]: https://www.latimes.com/business/story/2021-11-12/column-int... [1]: https://www.ftc.gov/system/files/documents/reports/look-what...

    • P5fRxh5kUvp2th 2 months ago

      > VPNs don’t help privacy at all

      Or course they do, I'm so tired of seeing posts like this when really what you mean is that it's not perfect privacy and therefore you don't like it.

      • inetknght 2 months ago

        > Or course they do

        Let me compare an ISP spying vs a VPN spying:

        1. You make DNS request about example.com. Your ISP sees this. Your ISP can see what websites you "might" visit.

        2. You connect to 1.2.3.4. Your ISP sees this. Your ISP can see what websites you "did" visit.

        3. You request some data and receive some data. Your ISP sees the size of the data. If it's not encrypted, it can also see the content. Your ISP can see (at least) the size of objects that you requested -- which is enough to fingerprint many specific contents.

        Okay so not using a VPN gives effectively zero privacy. Let's look at a VPN:

        1. You connect to a VPN (and let's assume your connection doesn't "leak" insomuch as now _all_ network traffic goes through the VPN). Your ISP can see this.

        2. You make DNS request about example.com. Your VPN sees this and your ISP can see a network packet. Your VPN can see what websites you "might" visit, your ISP can't.

        2. You connect to 1.2.3.4. Your VPN sees this. Your VPN can see what websites you "did" visit. Your ISP still sees traffic to the VPN.

        3. You request some data and receive some data. Your VPN sees the size of the data, and your ISP only sees the aggregate-size of data across all of your sessions. If it's not encrypted, your VPN can also see the content but your ISP should still only see aggregate size. Your VPN can see (at least) the size of objects that you requested -- which is enough to fingerprint many specific contents. Your ISP will have a tough time fingerprinting content from specific websites.

        4. Your ISP can note that you have a high amount of traffic, possibly note that the traffic is going to a known VPN destination, and that your "normal" traffic is now gone.

        Now, your VPN can see all the stuff that your ISP used to see. In addition, your ISP can now determine that you might be doing something illegal, suspicious, or at the very least "enterprise grade" and demand more money.

        Have you really gained more privacy?

        • Dayshine 2 months ago

          Your isp is legally resident in the country most likely to want to spy on you. There are also very few isps per country, so it's less work for the attacker to cover everyone they care about.

          There are vast numbers of vpns, so total coverage is impossible. They are also very likely to be in a different legal jurisdiction so it's non trivial to do.

          So, yes, you have, by making yourself a harder target despite having the same amount of centralisation on your part

          • xani_ 2 months ago

            Same with most VPN providers. Just expands the search from "ask ISP" to "ask ISP, they tell government its a VPN company, ask VPN company".

            Now, sure, they could "just" delete logs, but their government can "just" tell them not to, or even tell them to live send the logs to them directly.

            So it's really "which country's government you trust".

            • travoltaj 2 months ago

              There's quite a few VPNs who have been asked to keep logs by the authorities but the VPN providers contest it in court, and since their jurisdiction laws don't need them to, the courts side with the VPN providers.

              Mullad, OVPN are a couple.

              What are your opinions on those? Not every country has laws like USA/India, which give the government free reign by citing certain Acts.

            • zepearl 2 months ago

              Adding that in general a country's law (data protection/privacy in this context) usually targets its own citizens; traffic related to foreign citizens (as in the case of VPNs) would for sure have a lower degree of protection.

          • simplyinfinity 2 months ago

            my country has between 3 and 20 isp's per city. of a country of 7 million.

            • psd1 2 months ago

              I assume they are just resellers, buying bulk data from a big carrier. Is that the case?

              • ripdog 2 months ago

                IDK about simplyinfinity, but here in NZ, the last mile of internet infrastructure (the fibre from homes to the exchange) is owned by regulated companies which must lease access to them at set rates or lower, and mustn't act as ISPs.

                As such, we have dozens of ISPs with their own backend infrastructure, all sharing the same last-mile, and most available nation-wide.

                That said, they're all going to be buying transit from a big backbone ISP to get overseas connectivity.

        • piaste 2 months ago

          VPN and ISP are similar in term of middlemen, but there is an important difference downstream of said middlemen.

          With your ISP, you appear on the internet as a residential IP that provides your approximate location and most likely doesn't change very often. The requests you make can be easily correlated by PRISM or any other middleman, or by any CDN running the websites you visit.

          With a VPN, your exit IP is unrelated to your geographic location, changes very often, and hopefully it is shared among many more users.

          • DesiLurker 2 months ago

            Also you could use double VPN config from different VPN providers in separate geo locations with openDNS thrown in one of them. then it would be much harder to correlate your traffic out of the mix. its not about perfect secrecy its about becoming hard enough target.

          • vel0city 2 months ago

            GeoIP services are trash. My current IP on most GeoIP services gives a location >900 miles away. My last IP had a location in another country. I don't think I've ever had a GeoIP lookup resolve within 100 miles for any IP I've had.

            • inetknght 2 months ago

              > GeoIP services are trash.

              GeoIP is only necessary when seeing a new IP. But once the IP starts to build a reputation, then the specific location can be determined. It's especially true if you buy something online.

            • zmmmmm 2 months ago

              My single data point observation is that it gets my city correct nearly 100% of the time and sometimes is able to resolve to a nearby suburb.

              • vel0city 2 months ago

                My several datapoints is wildly inconsistent and has never been within several hundred miles.

                My office: suburb of Chicago My home: downtown Atlanta My friend's house: just outside Phoenix The McDonald's free WiFi: Chicago A church's WiFi: Some random location in Arkansas.

                I'm in North Texas.

                Just a few examples I've remembered since making a point to test while I'm out.

        • miloignis 2 months ago

          Based on that analysis, I say clearly yes! Privacy is about choosing who to share with, be it a specific group or no-one. Being able to share with a VPN of my choice (who, if reputable, shouldn't further disseminate my information) is likely a privacy gain compared to being forced to share with my ISP (many of whom would gladly sell my data).

          Being able to choose to reveal data to Mullvad over Comcast or Verizon seems like a clear win to me.

          • lijogdfljk 2 months ago

            Yea i really don't get these people. Frustratingly. Perfect is the enemy of good here. Yes, full privacy is the goal, but i know certain actors are spying on me. If i can bypass them, i can at least attempt to improve it.

            At the very least i rob Comcast of my data. Which is my goal, after all. Not full privacy.

            • Aaargh20318 2 months ago

              > Yes, full privacy is the goal, but i know certain actors are spying on me. If i can bypass them, i can at least attempt to improve it.

              The problem is that it doesn’t actually change anything while giving a false sense of security.

              Your VPN’s ‘improved’ privacy is just as worthless as the privacy you get with just your ISP. If something requires privacy, neither can be used, and if it doesn’t then why should it matter which one you use ?

              Privacy is an on/off thing. Either you have it or you don’t. There is no in-between.

              • P5fRxh5kUvp2th 2 months ago

                One wonders if you consider your bedroom to be private despite the fact that a peeping tom can still look through the window.

              • nirvdrum 2 months ago

                My VPN provider (Mullvad) doesn't have my full name, address, and social security number. They could build a profile off my account number, sure, so I have to trust that they're not. If they actually aren't, fantastic, I win. If they actually are, I still win, because they have less data to build a profile on me from. I know for certain that my ISP is selling my data, so I'm certainly no worse off.

                On top of that, I get the benefit of not being tracked everywhere on the web. Or if they are tracking me, they have bogus data. And I can set my exit server to a jurisdiction with more user-friendly privacy laws.

                • Aaargh20318 2 months ago

                  Mullvad is just the first link in the chain of untrusted systems between you and whatever server you’re connecting to.

                  Also, what better place to tap traffic than the connection of a VPN provider.

                  • nirvdrum 2 months ago

                    > Also, what better place to tap traffic than the connection of a VPN provider.

                    Well, per my previous post, my ISP is definitely a better place. Hell, you don't even need to tap them. They'll just sell you the data, along with other PII. (Setting aside Mullvad' multi-hop support, which would require taps in multiple jurisdictions).

                    I think the point you're trying to make is that this isn't resilient to the NSA monitoring my traffic. I had hoped it was clear from my message that there's another level of privacy I'm concerned with related to intrusive private entities. I'm not expecting the GDPR or similar privacy laws to stop the NSA either, but they serve a useful purpose.

                    I guess I'm banking on Meta and Google not tapping Mullvad. Or even the RIAA or MPAA, for that matter. Because my ISP will very willingly give those entities data. And as long as unencrypted SNI is the norm, my ISP knows more than I want it to know about my browsing behavior. Not to mention the stuff that isn't HTTPS. Sure, Verizon knows I've established a connection an encrypted tunnel and how much bandwidth I routed through it, but that's a level of metadata I'm not concerned with.

                    So, yeah, Mullvad could be logging every packet through their tunnel. They could even assemble a profile based on my account and sell it to all the data brokers and advertising networks. They still don't have my SSN. Even if all of that happened, then I'm still no worse a situation than if I didn't use them because my ISP is doing those things. At worst, I'll be out 5€ for the month.

                    • Aaargh20318 2 months ago

                      If you don’t trust your ISP, then why not simply switch to another one ? I literally have dozens of ISP’s to choose from at my address. Last time I checked there were 13 ISP’s offering fiber service alone, if you’re willing to settle for DSL or cable there a lot more options. And that is with me living in ‘socialist’ Europe. I can only dream of how many options people in ‘free market’ USA must have.

                      • nirvdrum 2 months ago

                        I have two viable options, ignoring 5G and satellite services. The one I'm on is the lesser of two evils. And I've largely neutralized the primary concern I have with the ISP I'm on.

                        Where would you like to move the goal posts now?

                      • lijogdfljk 2 months ago

                        > I can only dream of how many options people in ‘free market’ USA must have.

                        I think you answered your own question.

                      • ripdog 2 months ago

                        > And that is with me living in ‘socialist’ Europe. I can only dream of how many options people in ‘free market’ USA must have.

                        I can feel the sarcasm dripping from this sentence.

              • hamburglar 2 months ago

                This is quite a concrete illustration of the concept of the perfect being the enemy of the good. Thank you.

                • salawat 2 months ago

                  No... It's a demonstration of adherence the axiom "Don't let perfect be the enemy of good" being misapplied.

                  The "Good" (VPN) is exactly as imperfect as it's complete abscence. There has been no improvement whatsoever. Literally, as far as Privacy is concerned, nothing short of "No one actor has the capability to sit on a full stream of traffic", will suffice.

                  Either you're MITM'd or you aren't. Use malicious postmen if it makes it easier.

                  If you have the same guy come, and all of your mail goes through him, he can reconstruct all conversational state.

                  Now imagine you get a different malicious postman at random every day. He eacesdrops on every packet, but he's not privy to which of his fellows is scheduled to get the next packet. Therefore, it's not practicable to MITM in any practical way. This all goes out the window when someone controls the malicious postman scheduler, of course, because then they can figure out a map of who to go to to reconstruct your conversation.

                  The above is the concept behind Tor, and why the only effective counter to it is to run a hell of a lot of entry/exit nodes so you can conceivably time correlate given enough consecutive probe points are hit.

                  • P5fRxh5kUvp2th 2 months ago

                    Russia has the ability to drop a nuke in the region you currently live in, so there's no such thing as safety and therefore why do you have locks on your doors?

                    • genewitch 2 months ago

                      i find this extremely doubtful. I see the point of your statement, but i'm willing to bet 99% of all the already built nuclear devices wouldn't work today. There's no way that they're all stored in such a way that the delicate mechanisms are protected from the environment and oxidization, moisture ingress, insects, heat and cold expansion and contraction.

                      That a nation could make a new device is arguable, that a nation could make a device that could be delivered without flying planes over another country is less arguable. Even nukes as they stand would only pose significant threats to certain parts of a country (there was a map floating around the web a few days back of areas of the US most susceptible to the - pardon the pun - fallout from a tactical strike.)

                • P5fRxh5kUvp2th 2 months ago

                  Especially when you consider that what they're really saying is that a VPN won't hide you from a state level actor.

                  Yeah, of course not, that's not nearly the only reason to use a VPN.

        • ascar 2 months ago

          As others have mentioned you gained privacy from your government that has easy access to whatever information your ISP has but not towards a VPN provider.

          But the information you leak towards your ISP or VPN isn't the only variable. With a VPN you leak less information to the services you interact with (e.g. your IP is hidden) which undoubtedly increases privacy.

        • yjftsjthsd-h 2 months ago

          > Now, your VPN can see all the stuff that your ISP used to see.

          > Have you really gained more privacy?

          Absolutely, 100%, unambiguously, yes; my ISP openly says that they monetize my data, my VPN says they don't. I'm very happy to gamble that the VPN is telling the truth when faced with the expectation that the ISP is telling the truth.

        • squeaky-clean 2 months ago

          My VPN was unable to give the British government any logs or IPs relating to someone who emailed a series of bomb threats using them.

          As terrible as that is, yeah I feel pretty safe pirating movies using it.

          But you're right that blindly trusting a VPN without doing any research might be worse than blindly trusting your ISP.

        • colinmhayes 2 months ago

          VPNs entire business revolves around not giving up your data, that's why you pay them. ISP business revolves around protecting their monopoly which means making the government happy. Massively different incentives which means they will act differently. If VPN leaks data and people find out they're done. If ISP does nothing changes for them.

        • crtasm 2 months ago

          > your ISP can now determine that you might be doing something illegal, suspicious

          and my neighbours can determine I might be doing something illegal when I close my curtains, sure.

        • tzs 2 months ago

          > Have you really gained more privacy?

          No, but you have lost less privacy.

          The amount of loss of privacy you incur when some particular item of personal information about you is revealed to another party often depends on how much other information that party has about you.

        • Schroedingersat 2 months ago

          If the ISP is legally protected from any inquiry or transparency into what they do with the data and is systematically incompetent about protecting it and the vpn exists in a country with good privacy laws, then yeah.

        • postalrat 2 months ago

          You increased the number of choices you can make regarding your privacy.

      • pkulak 2 months ago

        Of course they do? They are a tool that routes traffic through a third party. That can be anywhere from terrible to fantastic for privacy, with everything in between. There's nothing "of course" about it.

      • shubb 2 months ago

        One of the main use cases today for VPNs is to pirate movies or access geo-blocked content. That and dodgy hotel wifi.

        The adversary is netflix or a IP rights enforcement company, and the user doesn't care what their ISP or a state could observe.

        For what they are used for, they are fine. If you are worried about state or megacorp spying, the solution is less technical and more political.

      • sascha_sl 2 months ago

        No as a rule.

        They just replace your ISP with a VPN company. Which is the two is more shady is something you have to figure out, keeping in mind that a subsection of the internet just stops working or turns the aggressiveness of their anti-bot protections up to the maximum on a VPN.

    • Forge36 2 months ago

      While traveling I've used my own VPN hosted at home to provide additional security.

      It allows me to trust only my ISP instead of every ISP in various coffee shops.

    • jimmydorry 2 months ago

      I would reverse that assertion under the one condition that you don't use a VPN provider from your own country. In Australia at least, ISPs are legally required to maintain logs of everything you access for several years. By choosing to trust a VPN provider outside of Australia, you defacto have better privacy than you otherwise would have.

      • AnimalMuppet 2 months ago

        Does the VPN company have a business presence in Australia? If so, then maybe you haven't gained as much as you think...

        • jimmydorry 2 months ago

          Absolutely true. The VPN provider's servers and business must be outside of your country.

    • Wxc2jjJmST9XWWL 2 months ago

      https://www.ivpn.net/ see "Do you really need a VPN?" - not affiliated with them, but tell me any other VPN-service that is actually this upfront... most are marketing the hell out of their apparent magic effects...

      since we're on the topic: how is it still a thing that vpn services are actively pitching content-block/copyright circumvention? Seems weird to pitch something as shady this loud and publicly? Reminds me of how weird I find it that trackers and illegal hosting sites have twitter accounts...

    • andrewstuart2 2 months ago

      I'd say they're still a net win, generally. The ISP vs VPN service tracking who does cancel out (if you ignore privacy claims of VPN providers, vs ISPs generally not guaranteeing that at all), but for every other service I might consume, when I'm on VPN I'm no longer connecting from a unique IP that can have other identifying information tagged to it.

      • simon1573 2 months ago

        To add to that: in Sweden (which is generally pretty ok in regards to privacy and rights) ISPs are required to store traffic for 6 months, while VPN providers are not.

        • lokedhs 2 months ago

          Wasn't this struck down by the EU recently?

    • wintermutestwin 2 months ago

      >VPNs don’t help privacy at all.

      1. They keep your data safe from your ISP. 2. They keep your IP hidden to the sites you browse.

      Those two clearly "help" privacy.

      • rcxdude 2 months ago

        They also expose your data to the VPN operator. That's a negative on privacy. Whether it's a net negative or positive depends on the VPN operator and ISP involved.

        • ipaddr 2 months ago

          The VPN provider could be you hosted somewhere using bitcoin.

    • riedel 2 months ago

      In Germany (according to TTDSG) an ISP does not have to claim that. They need explicit permission to track you. It is pretty much as the post does not have to claim that they open your envelopes.

    • wan_ala 2 months ago

      I think the only good reasons to use VPNs are for torrenting and accessing movies only available in other countries. For any privacy reasons its best to use Tor.

    • yjftsjthsd-h 2 months ago

      > VPNs don’t help privacy at all.

      > For some, that may be good, but for most others it’s a wash.

      That sounds less like "VPNs don’t help privacy at all" and more like "VPNs are helpful some of the time".

    • Nifty3929 2 months ago

      I believe it is harder for my government to get my data from a foreign VPN service than from my local oligopoly ISP that is already effectively an arm of the government.

    • 7952 2 months ago

      It is not just about your ISP though. Your IP is getting sent to whatever website you are connecting to. People won't always trust that website.

    • nine_k 2 months ago

      VPNs help against geolocation and geofencing though.

    • swayvil 2 months ago

      VPNs don't anonymize, they just route you through an anonymizing service. Lol.

    • Double_a_92 2 months ago

      They help in public WiFi.

      • jacobsenscott 2 months ago

        Public wifi, assuming you don't send any personal info to "sign in" to the public wifi is more anonymous than a vpn that has your name/address/etc.

      • zekica 2 months ago

        Modern TLS is enough to prevent others from eavesdropping everything except domain names when on public WiFi. Domain names are sent in clear text if your client supports SNI.

        • doubled112 2 months ago

          A trail of DNS names is more than enough to know what somebody is up to.

          • uup 2 months ago

            You could use DoH, which you should do anyway. No reason to leak DNS lookups to anyone.

            • madars 2 months ago

              DoH alone is not enough due to https://en.wikipedia.org/wiki/Server_Name_Indication being sent in plain text. Some day ECH (formerly, eSNI) should help with that.

              • erinnh 2 months ago

                I thought TLSv1.3 already encrypted the SNI?

                • detaro 2 months ago

                  No. ESNI is an later-created extension to TLS 1.3

                • uup 2 months ago

                  It does

                  • Varloom 2 months ago

                    ESNI is not implemented yet on any website. And there is no software support except beta versions of Chrome/Edge and you have to manually toggle flags in dev mode.

                    All SNIs are passed as plain text to your ISP/VPN, even with DoH/TLS secure DNS enabled.

            • ranger_danger 2 months ago

              you'll always be leaking it to whoever you are sending your query to.

      • babypuncher 2 months ago

        So I can pay $10/mo for a VPN for use when I'm on public wifi, or I can run WireGuard on my Raspberry Pi at home and get one for free

        • elashri 2 months ago

          It might be cheaper but still not free. Cost of electricity + time to maintain + Raspberry Pi itself. Not to mention that you don't get the variety of servers (for geo-location or more diverse networks not tracked to you by websites themselves).

          • babypuncher 2 months ago

            Well the Raspberry Pi is already on 24/7 running a few other services for my home network. But even then, the energy consumption per month costs pennies. I update the device once a quarter and it takes me 5 minutes. These costs are so negligible as to have no impact on my decision making process.

        • wbsss4412 2 months ago

          Not sure what services you’ve looked at, but it definitely doesn’t cost $10/month.

          Your personal solution seems pretty good though.

        • wintermutestwin 2 months ago

          Unless you are a network security expert, aren't you greatly increasing your risk by running that WireGuard server?

          • fjfbsufhdvfy 2 months ago

            Why would you? Nobody can connect to it without your private key. Or is there something I am not aware of? Genuine question, as I am running wireguard in a few places and thought it was secure by default.

          • bilkow 2 months ago

            WireGuard is pretty minimalist and has great defaults, AFAIK if you manage to set it up you're good.

            Unless your credentials leak, of course, but a security expert would have that same risk.

          • babypuncher 2 months ago

            You do not need to be a "network security expert" to safely run a WireGuard server

  • spicybright 2 months ago

    Anything that decides to wrap around your internet traffic without telling you should definitely raise your antennas.

    Even if they had the best intentions, it's pretty easy to botch these things which erode your privacy even more.

  • marcosdumay 2 months ago

    If it was good for you, Microsoft would the the one announcing it. Loudly and repeatedly. They would do it even if it was harmful, but there existed some artificial narrative where it sounds good.

    You are hearing it from a third party exactly because they couldn't construct any explanation minimally realistic that sounded good.

    • ratg13 2 months ago

      They haven't announced it yet because it hasn't been released. Reading the article, it does sound pretty decent.

      Partnership with cloudflare, selectively enables when you are connected to untrusted networks like public wifi.

      Pretty much the only downside is that they turn it on by default... which is always tricky when most of your target audience is not computer savvy in the least.

      How to give people security features that they have to figure out themselves when they can barely open the browser .. a dilemma for the ages.

  • newZWhoDis 2 months ago

    The pain/anger you’re feeling is called stallmanogenesis: the suffering induced by realizing, by force or otherwise, that stallman was right

    • kranke155 2 months ago

      Nostradamus of technology, even if we all didn’t want to believe him.

  • idiocrat 2 months ago

    MS motivation is quite clear.

    Windows is an appliance (an interface) for amazon shopping and watching netflix.

    The MS telemetry has proven that 99.999% of consumers do not tweak default settings or dig under the hood.

    The 1-2 million now former "windows power users" are just too small population to be economically feasible to deal with.

    For MS it does not matter to lose those few to other tweakable OSs.

    Instead MS's product department is dreaming of scooping the remaining billions of cash-laden consumers. Presumably this is what the telemetry tells them.

    Cash is good, consuming is good, keeps the economy running, making shareholders happy.

    • stinos 2 months ago

      Ok, but how exactly is your story an explanation of the motivation for VPN in their browser?

  • r00fus 2 months ago

    When trying to ascertain the intents of large organizations, I find it useful to examine previous actions. In the case of Microsoft, their willingness/intent to add ads and telemetry (including keylogging) into their OS seem to indicate they are doing this for serving ads better to their larger (paying) customers.

    If you're not paying for the (specific) service, you are the product.

  • legitster 2 months ago

    I mean, if you have an attitude that anything an organization does must be for an ulterior motive, you're always going to get what you are looking for. Heck, people too for that matter. Maybe my dog just pretends to love me to get food.

    But in this case, Microsoft is looking for any competitive advantage against Google. They won't win on targeting, and they still make more money selling software than ads. So this does seem like an easy win for them.

    • hamburglar 2 months ago

      > if you have an attitude that anything an organization does must be for an ulterior motive …

      Well in the case where they are spending a lot of money to implement and operate a feature that nobody asked for and which has obvious privacy downsides, it does seem worthwhile to examine their motives. It’s not like we’re responding to the announcement for the next model of the Microsoft ergonomic keyboard with “hmmm, what are they up to?”

      • nearbuy 2 months ago

        > obvious privacy downsides

        What is the obvious privacy downside of selectively enabling a Cloudflare VPN when browsing on public Wifi or unsecured sites (which is when it enables)? That Cloudflare can see what sites you visit?

        On public Wifi and unsecured sites, anyone could potentially see and modify the data anyway.

        • hamburglar 2 months ago

          The privacy issue is obvious. If my browser is funneling all of its traffic through a specific VPN instead of letting my system handle it, I have to wonder whether that choice was based on the VPN operator wanting to see my data or cooperating with someone who does.

          This is like finding out Microsoft decided all internet traffic on windows should be proxied through their servers. Could there be a benefit? Yes. Does it raise serious questions? Most definitely.

          • nearbuy 2 months ago

            > If my browser is funneling all of its traffic through a specific VPN instead of letting my system handle it

            It's not. According to the article, it only funnels insecure traffic through the Cloudflare VPN (eg, to a site with an invalid certificate). And this doesn't prevent you from using your own VPN as well.

            If you're connecting to a site over HTTP, and the packet takes 10 hops to get there, that's 10 machines that can see who you're connecting to and what data you're sending. Including, in all likelihood, a major CDN like Cloudflare. Also including anyone on the same public Wifi network. This data was never kept private to begin with.

            If you're connecting over HTTPS with a valid certificate, the VPN isn't used. Even if it were though, they couldn't see your data. It's encrypted.

  • cm2187 2 months ago

    Because every recent development in the evolution of Windows has been hostile to privacy.

  • kirillzubovsky 2 months ago

    Check out the book “Hard Drive” about the early days of Microsoft, and you will never be able to see anything that corporate does without suspicion, and for a good reason.

    • kirillzubovsky 2 months ago

      And apparently we now get downvoted on Hacker News for a book recommendation. Amazing.

  • pricci 2 months ago

    About the pihole problem, redirect all calls to port 53 to your pihole.

    If Edge is using DoH, you're out of luck.

    • numpad0 2 months ago

      Does something like `source 0.0.0.0 dest 8.8.8.8 dport 443 action drop` work for DoH?

  • cowmix 2 months ago

    You are actually being too kind IMHO.

  • nerdawson 2 months ago

    Probably because Facebook already tried the free VPN and it was every bit the privacy nightmare you'd expect it to be. Given Microsoft's track record, there's no reason to expect that to be any different.

  • aeturnum 2 months ago

    I am 100% with you in general, but this feels more like the Windows Defender launch than some fully cynical power grab. That is to say - Microsoft gets a lot of grief and work from windows installs getting taken over / viruses / etc. For users who don't pick up their own protection (and don't choose to turn off the default windows protection) this feels like a better default. I don't trust Microsoft, but you are already exposed to their manipulations when you are using their OS - and this will help protect you from other manipulations.

  • simonh 2 months ago

    This is where Apple's implementation, where the info is split between them and a third party with neither of them able to read the traffic on their own is so smart. Especially since there are multiple counter-parties to Apple. It also negates the risk of an MITM attack. Yes of course they could collaborate with a counter-party to break the system, but it seems significantly less likely to happen, and if it was happening it would be significantly more likely to come to light.

  • Markoff 2 months ago

    I mean nobody is forcing you to use Edge or Chrome, there are better alternatives like Vivaldi or if you really want to take it to extreme Ungoogled Chromium. But I agree with your sentiment, although it just means you should probably move to open source and obscure options.

    Also:

    > Brave, Mozilla, and Vivadi have said they intend to continue supporting Manifest v2 extensions for an indeterminate amount of time.

  • eastdakota 2 months ago

    The motivation is to keep up with Apple who themselves are trying to distinguish themselves from Google. Doesn’t need to be sinister. If your primary business model doesn’t depend on tracking people to sell ads, and you’re competing with someone else whose does, then leaning in to making the use of your software/hardware more private makes sense.

  • bitsoda 2 months ago

    I noticed today I can't find the Chrome flag (v105) to enable its reader mode. It's like they just nuked it since it made articles actually readable. It's not a huge deal, but I liked not having to launch another service like Pocket.

  • marcodiego 2 months ago

    > Why do I always get a bad feeling about the motivations behind stuff like this?

    Because of microsoft history. Including recent history.

  • GekkePrutser 2 months ago

    Exactly.. I would take it from Firefox if they offered something like iCloud Private Relay.

    But the thing they offer from Mullvad is no better than a traditional VPN (because it is a traditional VPN). And even more limited because it only works in the browser.

    And indeed the circumvention of Pihole is a big problem.

  • d0mine 2 months ago

    "bad feeling" is too generous. Microsoft is famous for its ubiquitous telemetry. It is not a suspicion, data collection is a fact. today. already.

  • samstave 2 months ago

    IMO its so they can keep the data-usage metric in their hose and not leak it to other companies which are competing for ad attention...?

  • mgraczyk 2 months ago

    If you have never worked at a large tech company like Microsoft, you'll probably have a bad feeling because there's a lot you don't know about the business process of shipping features like this. It's reasonable to be cynical and confused if you have never seen it from the other side.

    For the most part, product features like this are shipped for boring and completely non-nefarious reasons. It's just hard to believe that if you've never worked on one.

  • jvanderbot 2 months ago

    How is this not a transparent attempt to secure user information and conceil it from the usual other suspects?

  • amatecha 2 months ago

    No, yeah, it's sketchy as hell. Welp, another browser I'll never touch I guess.

  • numpad0 2 months ago

    Block UDP port 53(DNS).

  • jahewson 2 months ago

    The motivation here is surely reducing ad tracking.

  • ekianjo 2 months ago

    just creating a honeypot for the 3 letters agency. Microsoft loves doing that. just dont use edge I guess?

  • chinathrow 2 months ago

    Firefox, having your back since 2002.

crazygringo 2 months ago

> the VPN will automatically connect when you’re using public Wi-Fi or browsing unsecured networks and sites lacking a valid HTTP certificate.

OK, that's actually a pretty decent idea. It's not going to be always-on, but it's providing security specifically for things like coffeeshops/libraries and for sites that don't provide their own security. In other words, it's "backup security", not rerouting all of your "normal" secure traffic at work/home.

This mainly protects sites you visit from having JavaScript injected into them by networks when there aren't any other protections, and the VPN is run by Cloudflare so it will be performant, so I don't really see any problems here? Seems like a positive development actually.

  • timmb 2 months ago

    Just curious but is there really a risk on public WiFi if you’re using DNS-over-HTTPS and connecting to a site over https?

    • Gigachad 2 months ago

      You can still do reverse domain lookups using the IP address as well as see the domain in the SNI details.

      So the content is safe but the sites you visit are still exposed unlike with a vpn.

      • angry_octet 2 months ago

        Although you would commonly find a long list of AWS or similar IP addresses which wouldn't be very useful, unless you simultaneously crawl tens of thousands of possible sites (from the same source IP range) to map IPs to sites.

    • kibwen 2 months ago

      No, though DNS-over-HTTPS is already basically a proxy.

      • tsimionescu 2 months ago

        By this definition, any DNS server is basically a proxy (assuming you are not hitting an authoritative name server for the domain you are trying to access).

      • Gigachad 2 months ago

        No it isn’t. The DoH server is the final destination. It isn’t relaying your traffic to somewhere else.

  • CogitoCogito 2 months ago

    > This mainly protects sites you visit from having JavaScript injected into them by networks when there aren't any other protections, and the VPN is run by Cloudflare so it will be performant, so I don't really see any problems here? Seems like a positive development actually.

    How does this protect from having JavaScript injected? Why couldn't the VPN do that?

    • ViViDboarder 2 months ago

      The assumption is that the VPN operator is more trustworthy than an unsecured network.

      • hot_gril 2 months ago

        Yeah, and even if the network operator is trustworthy, often times any other user on that network can mess with you, e.g. ARP poisoning.

    • simsla 2 months ago

      MITM protection on public networks maybe?

      • CogitoCogito 2 months ago

        > MITM protection on public networks maybe?

        How does this address the fact that the operators of the VPN can certainly modify any content they access over http on your behalf?

        • acdha 2 months ago

          It's a question of how many entities you have to trust. There are many thousands of public networks around the world and millions of people using ISPs which tamper with traffic (especially on mobile networks). With the VPN, you only have to trust the VPN provider; without it, you have to review each network you use and its ISP. That doesn't mean that the VPN is automatically trustworthy, of course, but it's a single entity.

          • tsimionescu 2 months ago

            Note that you still have to trust the server's ISP and any intermediate ISP routing traffic from the VPN exit node to the server, if you're accessing a server over an insecure protocol.

            • acdha 2 months ago

              Of course, but almost all of the tampering has happened on the client end historically, especially since this VPN is backed by Cloudflare who have widely distributed nodes. It’s still much better to deploy TLS everywhere but this shuts down most of the non-NSA attacks.

              • tsimionescu 2 months ago

                Absolutely, I just wanted to give the full picture.

        • yed 2 months ago

          The operators of the VPN in this case are also the developers of the browser. If they want to inject content they can do that without the VPN.

        • soulofmischief 2 months ago

          It's security by consolidation.

          • hypertele-Xii 2 months ago

            Security by consolidation to single point of failure, I might add.

            • dredmorbius 2 months ago

              The question is whether your basket is made of chains (one bad link), cables (many bundled wires), how many baskets there are, how many eggs in each, and how effective and trustworthy the guards are.

              Simply shrieking "SPOF!!! SPOF!!!" lacks naunce after a while.

              I've concerns with proposals such as this similar to what others are voicing on this thread. But if one considers the proposal in light of the present status quo for the typical person, then it's probably a net improvement.

            • hot_gril 2 months ago

              I agree, and it's hard for me to trust the VPN more than my own ISP. Like yeah, someone else on this public coffee shop wifi network can waste a whole day finding a couple of random victims. Does that actually happen, idk. Have huge, reputable VPNs been hacked before, yes, and there's much greater incentive there. Either way I won't know, so it feels like they're selling snake oil.

              "Microsoft" and "security" also don't go together in my head.

              • soulofmischief 2 months ago

                coffee shop hacking is usually done in an automated, at-scale fashion, often with a remote device that doesn't require an operator to be present or paying attention.

                It uses lowest common denominator tactics. This VPN strategy is precisely for the lowest common denominator.

                I don't understand how something can feel like snake oil when you haven't researched your own questions. I can sow doubt on anything; is it always justified?

        • kevmo314 2 months ago

          Better than every public wifi access point being able to.

        • kevingadd 2 months ago

          It's reducing the number of parties you have to trust from 'every hop along the path from the public wifi operator to the host' to 'cloudflare', and many site operators already trust cloudflare not to MITM them.

          • account42 2 months ago

            I don't think that CF already MITMs most of the internet is such a great argument for letting them MITM the rest.

  • kburman 2 months ago

    How hard it would be silently push an update to redirect all google traffic through VPN. We have already seen them trying to get google search query and results. And why stop at Google basically they can do any website they want.

    • tsimionescu 2 months ago

      The only way they can do that is at the client level, not the network level. Whether it's running over a VPN or not, your traffic to Google is TLS, so you have an excellent guarantee that it's impossible to snoop on the contents of your HTTP requests at the network level.

      However, you are using a Microsoft client and/or a Microsoft OS to do this - and of course, if they want to, Edge or even Windows itself can report on the input and output of any operation you make, regardless of any network security. Similarly, WhatsApp or Signal or iMessage or Android/iOS could send a copy of the plain text of any messages you send or receive to home base despite them being E2E encrypted on the wire. You always have to trust the device and client software you are using to access the internet.

      So, if you personally don't trust Microsoft not to snoop on your traffic with Google, using Edge or Windows is completely wrong.

      • tekknik 2 months ago

        > your traffic to Google is TLS, so you have an excellent guarantee that it's impossible to snoop on the contents of your HTTP requests at the network level.

        It’s definitely not impossible, MITM attacks work for TLS and this is exactly how cloudflare work (it MITMs TLS sites by terminating the tunnel and recreating.). TLS is only secure if you have pinned certs.

        • tsimionescu 2 months ago

          MITM for TLS only works if you have the cooperation of the server owner (like Cloudflare does, or illegally be stealing the server owner private keys) or a malicious CA, or if you ignore the security errors that the browser offers.

          Otherwise, TLS is completely impervious to MITM attacks as a protocol.

          Of course, various implementations of TLS may also have exploitable vulnerabilities.

          • tekknik 2 months ago

            I’m not sure what you refuted here, you seem to have said exactly the same thing I did.

    • barsonme 2 months ago

      They’re not magic. They can’t peek into the TLS connection between your browser and google.com.

      • tekknik 2 months ago

        Conversely many people here think TLS is magic and unhackable, but it is not.

        • barsonme 2 months ago

          I’m not sure what you mean. Do you know how to break TLS?

          • tekknik 2 months ago

            Yes a MITM attack. Exactly what cloudflare does to provide their services over TLS.

            • barsonme 2 months ago

              But that’s not a problem with TLS any more than you giving out your AES keys is a problem with AES.

              • tekknik 2 months ago

                I’m not sure even how to respond to this. If a protocol is weak due to a flaw, like being susceptible to MITM attacks, then yes it is a problem with the protocol.

                This is exactly my point. People are desperate for there to be no flaws in TLS, so much so they ignore MITM attacks.

btown 2 months ago

From the article, this is powered by a partnership with Cloudflare. It's worth noting that until August 6 of this year, Cloudflare's WARP VPN would leak your IP address - but only to sites using the Cloudflare network.

https://web.archive.org/web/20220609160341/https://developer...

And when Cloudflare released their new SOPs for Warp, they did so in a blog post titled "More features, still private" - https://blog.cloudflare.com/geoexit-improving-warp-user-expe... as referenced in https://developers.cloudflare.com/warp-client/known-issues-a...

Microsoft's initial announcement for the feature touted that IP addresses would be masked, and one imagines that they did their diligence with Cloudflare and are enforcing the strong practices that WARP has now rolled out more broadly.

But it's worth noting that you're routing through a company to whom the words "still private" encompassed leaking client IP address information to Cloudflare's hosting customers as recently as two months ago.

  • judge2020 2 months ago

    Warp/1.1.1.1[0] is a product, not a VPN, despite the fact that it tunnels your traffic. Even after the IP address change, the current documentation and promotions for Warp do not call it a VPN. It was never meant to keep your IP hidden from the websites you visit.

    0: https://1.1.1.1/

    • btown 2 months ago

      I wish that were how it had been presented, but they indeed did advertise it as a VPN. From https://blog.cloudflare.com/1111-warp-better-vpn/ :

      "Technically, WARP is a VPN.... We built WARP because we’ve had those conversations with our loved ones too and they’ve not gone well. So we knew that we had to start with turning the weaknesses of other VPN solutions into strengths. Under the covers, WARP acts as a VPN. But now in the 1.1.1.1 App, if users decide to enable WARP, instead of just DNS queries being secured and optimized, all Internet traffic is secured and optimized. In other words, WARP is the VPN for people who don't know what V.P.N. stands for."

      • judge2020 2 months ago

        I don't think this holds much weight given the regular users of this product are likely referred to https://1.1.1.1 and are unlikely to read through all of this 3000 word blog post with tech jargon. However, indeed, many people might've heard about it from other blog posts saying it's a VPN or word-of-mouth from more technical users also calling it a VPN - but it's obvious Cloudflare made a concerted effort not to use that term.

        • jdgoesmarching 2 months ago

          I think it holds weight when I’m staring at a Cloudflare blog URL that explicitly says “Warp better VPN.” I don’t doubt that this has been scrubbed from current documentation, but this is fair evidence for the above comment’s claim that CF has advertised it as a VPN.

          I don’t have a dog in this fight, but it was especially odd in this context to claim that this misconception was entirely driven from outside of Cloudflare when the URL is sitting right there.

        • genewitch 2 months ago

          it's used five times in that single paragraph. That's cloudflare calling it a VPN. you can't unring the bell.

  • jkpe 2 months ago

    I remember seeing this blog post and the updated docs suggest they no longer reveal your IP but enable WARP and visit https://www.whatismyip-address.com (uses Cloudflare) and you’ll see your actual IP.

oefrha 2 months ago

As a generally happy Cloudflare customer, a Cloudflare VPN makes me deeply uneasy. (Yes, I know Warp has been around for a while.) Using it means Cloudflare owns a huge chunk of your Internet traffic end to end and decrypted, a uniquely powerful position to be in. And this is going to be default on in Edge according to TFA, even though it’s only applied to plain HTTP sites by default at the moment.

  • jimlongton 2 months ago

    People are fools if think there isn't a Room 641A in Cloudflare, except it's a lot better since web service operators willingly handed over all their private keys and therefore user data.

  • xani_ 2 months ago

    Browsers already want to send every domain you visit to cloudflare via DoH.

    Other options of securing DNS included "just" encrypting traffic to DNS server. But no, they decided to centralize sending DNS records via HTTPS

  • sascha_sl 2 months ago

    While I agree that it is concerning, WARP doesn't decrypt your traffic unless you sign in to ZeroTrust, enable it in your dashboard and install their CA.

    Not much you can do about them having decrypted traffic for sites that use them.

    • oefrha 2 months ago

      > having decrypted traffic for sites that use them

      Yes, that’s the huge chunk I’m talking about, and when you use them as your VPN they can effortlessly trace that decrypted traffic to you.

      • sascha_sl 2 months ago

        How is that different from not using a VPN?

        • oefrha 2 months ago

          When you don’t use a VPN, at least your traffic to Cloudflare doesn’t carry a unique ID of yours. Effort is required to correlate your traffic, especially if you are CGNAT’ed and share an IP with others, or have a dynamic IP that changes frequently.

        • xboxnolifes 2 months ago

          Its not, that's the point.

          • ViViDboarder 2 months ago

            It’s not for one party. The VPN protects your traffic from any party other than Cloudflare. Exactly as it would with any VPN.

  • AtNightWeCode 2 months ago

    Https is among the most broken ideas in the history of CS. I remember the first time I really learned about it and I went like it can't be this stupid.

    Most Internet traffic today between A and B is decrypted by C because of this.

    • barsonme 2 months ago

      What are you talking about?

      • AtNightWeCode 2 months ago

        Https is a wrapper around http. The result is that any service that needs any http information can decrypt all https traffic. So on the web, passwords, apikeys, personal information and so is in general decrypted by a third party, Fastly, Akamai, Cloudflare and so on.

        • barsonme 2 months ago

          That is entirely untrue. HTTPS is just HTTP encrypted with TLS. The only parties that can decrypt the traffic are the people with the session keys: you and the website you’re visiting.

          • AtNightWeCode 2 months ago

            You are plain wrong.

            • barsonme 2 months ago

              How so?

              • AtNightWeCode 2 months ago

                Cause requests are often sent through any of the large third-party layer 7 reverse proxy networks that sits between the user and the origin host.

                • barsonme 2 months ago

                  All they see is ciphertext unless they’re terminating TLS and forwarding your traffic on to the target website.

                  • AtNightWeCode 2 months ago

                    They are terminating TLS.

                    • barsonme 2 months ago

                      Not sure how this is a problem with HTTPS, then. It’s like complaining that AES encryption is broken because you have away your keys to a bunch of people.

                      • AtNightWeCode 2 months ago

                        It is a problem with HTTPS as it removes capabilities of HTTP without offering any other solution except terminating TLS.

                        • barsonme 2 months ago

                          What you’ve said so far has been generally confused and incorrect. I would suggest doing more research about HTTPS.

                          • AtNightWeCode 2 months ago

                            Says the guy who did not even know that all these reverse proxies like Cloudflare does TLS termination on the edge.

                            • parasubvert 2 months ago

                              You’re glossing over that these third parties C are contracted trusted parties of entity B and thus for B’s purposes are considered part of B.

                              HTTPS and transport security isn’t a broken idea.

                              Standardized content security has been tried in many contexts and has typically been even less secure unless it’s for long lived opaque media, like S/MIME for emails. Structured data like XML security has been abysmal.

wintermutestwin 2 months ago

While I would never use a VPN service fronted by a data thieving company, I really hope that VPN usage goes more mainstream so that companies can't have "no access from VPN" as a security strategy.

Ally bank recently did this and many others have intermittent issues due to flagging, etc.

  • VoodooJuJu 2 months ago

    I can see this evolving into something worse.

    >try to connect to ally

    >vpn not allowed - try connecting through on of our authorized vpn partners: microsoft, nordvpn!, etc.

  • hibikir 2 months ago

    Security teams don't block certain VPN traffic for fun.When a certain IP block has been running credential stuffing attacks all month long, It's very reasonable to see any request from said block with a lot of suspicion. In many cases, 99.9% of login attempts from certain IP blocks are just fraudulent, and there might be more requests from one of said blocks than legitimate requests from the rest of the world combined.

    Completely blocking a VPN is often too blunt an instrument, but even the best alternatives are unfriendly to legitimate traffic. The most user-friendly thing you can do is to rely on bonus security controls, like asking for two factor authentication for everything. No, you will not be able to log into anything from a new device, even, without the two factor. A very understandable tradeoff for a bank, but we'll end up seeing that for any account protecting anything of relatively low value.

    If your second factor is tied to, say, a phone, it's not going to be fun to wait to replace it if it's lost. But in a world where most traffic is coming from a VPN, there aren't many good alternatives.

    • egberts1 2 months ago

      For my home gateway, all HTTPS, VPN, SSTP, SMTP, PPTP, IPSec, UDP, DNS, and proxy are blocked.

      All JavaScript scripts are blanked by Squid ICAP clients.

      WireGuard to a VPS for DNS resolver/nameserver.

      Run a mean transparent Squid proxy, Snort/Zeek/Suricata and whitelist bastion dns forwarder.

      No problem. No spam. No headache.

  • ascar 2 months ago

    Is Cloudflare known as a data thieving company? I didn't have that association with them yet. They're not really in the data selling business, are they?

    • wintermutestwin 2 months ago

      I said "a VPN service fronted by a data thieving company" and I misspoke - I should have said "backed" instead of "fronted."

      AFAIK Cloudflare isn't a data thief (yet). If (when) they decide to be, they will have access to quite a lot at the rate they are going. At this point, how can we trust that any public company won't eventually monetize user data?

    • hansel_der 2 months ago

      they are in the business of collecting data and selling insights. cdn is just a means to an end

      • scrollaway 2 months ago

        Oh stop, already. Cloudflare isn't in the "business of selling insights". They make their money from enterprise sales of their various network products.

        They're in the business of competing with AWS and are pretty damn good at it, too.

graypegg 2 months ago

When did the world start trusting any company with a VPN more than their ISP? I still find the privacy pitch to be flakey at best, where at least I can choose who’s aware of my traffic, but getting past geo-blocks really seems to be the most obvious consumer value, which this Cloudflare vpn lacks.

  • wintermutestwin 2 months ago

    My ISP actively lobbied to be able to harvest (steal) my data. Who do I trust more: the guy who says that they aren't selling my data, or the guy who corrupted my government so that they can actively sell me out (not to mention their monopoly)?

    Sure, the first guy could be a liar, but I know that the second guy is a thief.

    I don't care about geo-blocking - my only threat model is to keep a scumbag ISP at bay.

    Edit: I should add that keeping sites I browse from knowing my IP is also part of my threat model.

    • MichaelCollins 2 months ago

      VPN also has my credit card number, real name, etc. VPN doesn't have that; their data is worth less than the data my ISP could sell.

      • account42 2 months ago

        Seing how many webstes' TLS is terminated by Cloudflare, you shouldn't state that they don't have your credit card info with such conviction unless you never used it online.

  • TheFattestNinja 2 months ago

    ISP injecting content into your connection is a known story (google "ISP injecting ads" for many results).

    For better or worse Microsoft (or other corps) have not done that in recent memory afaik. They might do equally dodgy stuff in other aspects, but they don't tamper with the integrity of your connection (they might sniff it a bit).

    • account42 2 months ago

      It is only a known story in some countries. In others ISPs are held to much higher privacy standards than Cloudflare is.

    • math_dandy 2 months ago

      And often you're paying a nontrivial amount of money to the ISP for the "privilege" of getting injecting ads and tracking injected. This really rubs people the wrong way, justifiably so I think.

  • seabrookmx 2 months ago

    I swear VPN privacy is a red herring.

    Everyone I know who has a VPN subscription simply uses it to prevent DMCA letters from their ISP when torrenting.

    VPN providers with a "no logs" policy simply shrug these off.

    • BuckRogers 2 months ago

      I know people that use VPNs 24/7 just for privacy. I would assume there's many more that use them for the reason you described though. Torrents are less useful than ever, piracy is down in general thanks to streaming services and products having moved to SaaS. From what I can tell, the number of people using VPNs merely for privacy alone is growing and a good sign that people feel that strongly about it.

      • aliqot 2 months ago

        > torrents are less useful than ever

        ok I'll bite, let's hear it

        • hot_gril 2 months ago

          Media piracy is less tempting than in 2006 (before streaming) but more tempting than in 2014 (before competition decreased overall and everyone started siloing content as part of their truce).

          Server-side control has been making software piracy less and less viable, video games sorta included. And a lot of mainstream games have found ways to make money without charging to buy the game upfront.

          • LilBytes 2 months ago

            Media privacy might be less tempting, but it's been swinging in the other direction (of becoming valid again) for quite a few years.

  • nvllsvm 2 months ago

    For some - it was when their ISP started sending their customers scary sounding letters regarding certain downloaded movies and shows.

    Some ISPs also needlessly block certain sites (ex. Verizon blocks nyaa.si)

  • hot_gril 2 months ago

    It can go either way. Many ISPs are known to be nasty, but hardly anyone sees the effects of that, so it's hard to tell. I think VPNs market "more security," people mostly blindly buy it, and everyone is happy.

    Yeah, to me, a VPN is only a way around geo restrictions.

  • dizhn 2 months ago

    Article says the VPN gets activated in public networks. Wifi etc. That's one decent use case.

  • NoGravitas 2 months ago

    It's not true of the whole world, but in the US, you generally know that your ISP is untrustworthy, while your VPN is a leap of faith.

  • zapataband1 2 months ago

    I thought it was when all the ISPs started basically giving away your private info to the government and repeatedly lied about it

legrande 2 months ago

Edge is a reskinned Chromium browser with Microsoft tracking and telemetry baked in. Just because they have a VPN now, it doesn't make it any more private/secure. Why do people use Edge? If you're any way privacy conscious you wouldn't use Microsoft products.

  • tester756 2 months ago

    If you're using Windows, what's the point of using Chrome if you already have Edge?

    You're already sending data to MS anyway

    • MichaelCollins 2 months ago

      What's the point of using either of those when you could use an ungoogled chromium build?

      (I use Firefox, but if I were to use a chromium browser it wouldn't be Edge or Chrome...)

      • sascha_sl 2 months ago

        In case you want a real answer: battery life.

        • MichaelCollins 2 months ago

          Googled Chromium has better battery life than Ungoogled Chromium? That seems like a dubious claim.

          • rejectfinite 2 months ago

            No, Edge does. It actually is the best performing and battery life browser on Windows.

      • tester756 2 months ago

        Because you gotta trust people behind ungoogled Chromium

        I don't know them, so I don't trust them.

        • bilekas 2 months ago

          Chromium is open source, and so you can see what the changelog is etc.. You don't need to trust the people when you can read the source yourself ?

          also "ungoogled Chromium" - The process is Chrome is Googled Chromium.

          Chromium was a thing before Google-Chrome..

          Edit: My mistake: Chrome and Chromium were release the same time.

          • tester756 2 months ago

            Yes, I'm definitely going to audit some giant as hell CPP code base (diffs) every four weeks.

            I'd rather write my own browser from scratch

            • bilekas 2 months ago

              > Yes, I'm definitely going to audit some giant as hell CPP code base (diffs) every four weeks.

              I've had this discussion with other people too, just because you don't want to doesn't mean you can't. So your point of suspecting something nefarious is moot for me until you can back it up.

              • tester756 2 months ago

                If I do already use Windows, then I'm already relying on MS

                Using Edge doesn't change much, meanwhile using ungoogled Chromium means that I have to trust additional actors

                Additionally MS inserting e.g "backdoor" into Edge could cost them a lot of in PR damages meanwhile what if ungoogled chromium inserted some kind of "backdoor"?

                I don't even know people who maintain it, so I wouldn't even be able to break their windows or throw eggs at them

                • bilekas 2 months ago

                  > I don't even know people who maintain it, so I wouldn't even be able to break their windows or throw eggs at them

                  I hear your point on this, it's pretty hard to put your faith in a browser that updates regularly and not just for schema reasons. But you seem okay with Edge..

                  > Using Edge doesn't change much, meanwhile using ungoogled Chromium means that I have to trust additional actors

                  This is where I'm confused.

                  > Additionally MS inserting e.g "backdoor" into Edge could cost them a lot of in PR damages

                  I'm not an M$ hater, they've been incredible. dotNet core is a gift. GoPilot is a good use of whatever we're doing here. But why do you think if they could work a 'backdoor' (without leaks from employees) would actually matter. Their fine would be minimal.. See FB

                  I think we've come full circle. I'm defending your point that Edge might be just another 'Okay' browser.

                  • tester756 2 months ago

                    > Using Edge doesn't change much, meanwhile using ungoogled Chromium means that I have to trust additional actors

                    Because I'm already on Windows, thus I already trust Microsoft

                    >I'm not an M$ hater, they've been incredible. dotNet core is a gift. GoPilot is a good use of whatever we're doing here. But why do you think if they could work a 'backdoor' (without leaks from employees) would actually matter. Their fine would be minimal.. See FB

                    On the other hand take a look at Intel - they had security issues and not even intentional and there was a lot of dmg to their brand due to all those CPU related vulns in last years

          • detaro 2 months ago

            > Chromium was a thing before Google-Chrome

            no it wasn't.

            • bilekas 2 months ago

              Sorry that's actually my mistake, I was thinking of something else. (Android)

              They were both launched the same period, but chromium was the 'trimmed' down open source version.

        • fsflover 2 months ago

          But we do know people behind Microsoft are not to be trusted with our privacy... See PRISM and their data collection practices.

          • tester756 2 months ago

            The thing is about what data MS wants and what bad actor in ungoogled chromium would want

            e.g MS doesn't want to steal money from my card

            • BiteCode_dev 2 months ago

              Indeed, they will lock you in to get it legally.

        • s3p 2 months ago

          Waiting for the /sarcasm tag

  • Kwpolska 2 months ago

    My primary browser is Firefox. I have Edge as my backup browser for sites that don’t work with Firefox, and sometimes for watching stuff. There is no reason for me to install Chrome. (And Microsoft isn’t that bad, even if Edge sometimes does weird things.)

  • A4ET8a8uTh0 2 months ago

    In my case, it is the default browser at my current company. I don't know the reasoning behind it, but we are also forced into Teams. Corporate requirements is my reason.

    FWIW, it is not bad performance-wise.

    • rejectfinite 2 months ago

      So, I do use Firefox.

      But for a windows domain environment Edge makes sense.

      - Comes builtin, no need to patch browsers separately and worry about outdated Google Chrome installs in a 1000+ computer fleet.

      - Integrates with Office 365 that the company already use/pay for.

      - Can be managed with policy over Office 365 or Intune

      - Has IE Enterprise Mode for the old apps that need IE11

      For Teams, the alternative is this:

      - Pay for Zoom AND Slack AND Office 365 AND have IT personell manage all 3

      - Pay for Gsuite and use... hangouts?

      or

      - Just pay for Office 365 and get email, fileshare, office suite and chat/fileshare/video tool all in one that works "fine" and can be managed all in admin.microsoft.com (that goes into 500 different portals that all change each month but I digress...)

      Oh, and you can use whatever browser, even if its not the default. I use Firefox but Edge is the default one.

  • cookiengineer 2 months ago

    I would be cautious with such assumptions.

    There is a good reason why Trident is alive and kicking, people just don't know about it. But it's the reason for more than 98% of exploits, because shitty software of Microsoft still uses Trident to render MSHTML based documents (office etc).

    The same will be true for a traffic-observing webview2, for decades to come. And it will never be removed again, because of Microsoft's development philosophy.

  • seabriez 2 months ago

    Based on what source exactly? Microsoft is about equivalent to privacy protections as Apple, if not more so.

  • timbit42 2 months ago

    I'd choose Edge over Chrome if I didn't have better options.

ohbtvz 2 months ago

...in a "canary" (basically a nightly build), for some users, for some specific cases (unsecure http, public wifi).

hopfog 2 months ago

I run a free browser game where you can start playing immediately, no registration required. The game has a big sandbox element where you can build and paint on the world map.

Naturally I've attracted trolls doing everything in their power to grief and ruin it for other players. This has lead me to reluctantly implement moderation tools such as IP bans and proxy detection.

I'm currently using a couple of services where I can supply an IP and get a risk score back but I'm worried about false positives. I'm afraid this initiative, while great for privacy, will make my defense measures futile.

What should I do? I just want to run a game with as few intrusive barriers as possible. I have no interest in collecting any private data from users whatsoever.

  • aaronax 2 months ago

    You have to have intrusive barriers. This is true in real life and it is true online.

    The world is not a graffiti free-for-all because there are barriers: the government (police) is able to apprehend individuals, link that physical individual to an identity (which it issued at birth), and effectively implement consequences to that identity/individual.

    If you want your site to not be a graffiti free-for-all, you will need a durable way to identify actual people. Twitter, for example, essentially requires a phone number to use their site. Phone numbers are fairly difficult to get anonymously. Therefore, Twitter has a useful link between their users and a physical individual. Other services use other things.

    The government should implement cryptographic certificate based identities to citizens. Ideally there would be a way to "sign" something that says you are a real citizen without revealing which citizen you are, but is durably unique (subsequent signings identify you as the same citizen).

    Facebook, Google, etc. are effectively filling this function right now but they leave much to be desired.

    • hopfog 2 months ago

      > Ideally there would be a way to "sign" something that says you are a real citizen without revealing which citizen you are, but is durably unique (subsequent signings identify you as the same citizen).

      This is a truly interesting and groundbreaking idea that would solve all my problems. Do you know if there are any initiatives like that or is it science-fiction?

      • aaronax 2 months ago

        Actually issued by a government? Not sure.

        How to implement? Also not sure. I am not an expert in this field. "Anonymous credentials" seems like the closest thing maybe. Basically you need to somehow prove you have a valid signed certificate without disclosing the public key.

        https://crypto.stackexchange.com/questions/83412/how-to-achi... https://crypto.stackexchange.com/questions/52189/zero-knowle...

        Since you seem open to putting up barriers...in the process of looking into this I discovered Idena and checked it out a little. You could required verified Idena something or other, just as an example. I'm sure there are scores of these types of things being built, most or all of which will fail to gain traction.

      • dejawu 2 months ago

        I don't know if a government would use it, but 4chan has tripcodes that can uniquely identify an anonymous user across multiple posts without the user ever needing to create a permanent identity.

  • xani_ 2 months ago

    You will just have a bunch of random false positives that get blocked and never come back. Even before VPN a lot of ISPs gave you dynamic IP that changed anywhere from every few weeks to daily, to each reconnect. Same with any public access point

    Same with carrier grade NAT, IP stopped being good way to block things long time ago. About the only use is "this IP is DoSing me now, block it for few hours".

    There are few other methods, all of them intrusive on privacy. Generating fingerprint of browser and blocking based on that might work for the clueless users but dedicated ones will go around it. Making using one of the popular SSO logins is one option (at least banning-wise) but that's a lot of work

  • BrainVirus 2 months ago

    Redesign the rules so that trolling is not rewarding. Yes, I know, it's hard.

    • hopfog 2 months ago

      Yeah, I thought I could pull that off but in the end I was naive thinking I could solve it with mechanics. The idea was that I would never need to ban anyone, ever. However, even with thousands of players playing the game as intended just one troll can wreck havoc by creating hundreds of accounts through proxies.

      I have implemented measures where you can't chat until you've finished the tutorial, 5 minutes decay on stuff built/painted outside plots and upkeep on claimed plots but it's not enough. The trolls are extremely dedicated and devote their life to ruining my game.

AlexandrB 2 months ago

Interesting to see this on the front page along with https://news.ycombinator.com/item?id=33036748

I wonder how long until Microsoft starts blocking sites on their VPN for "your protection".

  • mikaelsouza 2 months ago

    I think they already do. Just like chrome and firefox block sites that are considered insecure.

    I don't think they need a VPN for this.

kingaillas 2 months ago

Everybody is suspicious of Microsoft's motives but I think in this, you gotta consider how many windows systems are out there used by security novices.

Lots of people are computer savvy but want to use a computer to do something else not under the umbrella of hobbyist sysadmin work.

I don't see the downside here, again, considering the multi-millions average users Windows/Edge has. If you are savvy enough to roll your own VPN using algo from Trail of Bits, then do that. If you are able to weigh the pros and cons of VPNs from having one or not, or which one to use, you are ahead of 99.99% of the people this will help.

_mwnc 2 months ago

I don't like this. When I add a URL to the address bar I want TCP/IP traffic to be directed to only the remote address I requested, and not have traffic relayed through some third party.

  • hbrn 2 months ago

    I have bad news for you.

        traceroute news.ycombinator.com
    • _mwnc 2 months ago

      Sorry I misspoke I know that routing traffic isn't a direct peer to peer connection but that's different from ALL traffic going through one company.

      I'm not an expert on internet routing but it seems to me a bit disconcerting how much of web traffic is already routed through cloudflare servers. This centralization scares me.

    • doublerabbit 2 months ago

      Besides the point, 18 hops to get to HN via my colo server in London, UK; what is cogentco doing with the excessive routing?

        1    24 ms    24 ms    25 ms  10.0.0.1
        2    32 ms    25 ms    24 ms  x.x.x.x
        3    28 ms    28 ms    27 ms  core-router-b-nlc.netwise.co.uk [185.17.175.246]
        4    29 ms    25 ms    25 ms  core-router-hex.netwise.co.uk [185.17.175.240]
        5    29 ms    25 ms    26 ms  te0-7-0-17.505.rcr21.b015534-1.lon01.atlas.cogentco.com [216.168.64.16]
        6    27 ms    25 ms    25 ms  be2186.ccr22.lon01.atlas.cogentco.com [154.54.61.70]
        7    27 ms    25 ms    28 ms  be2870.ccr41.lon13.atlas.cogentco.com [154.54.58.173]
        8    94 ms    93 ms    94 ms  be2317.ccr41.jfk02.atlas.cogentco.com [154.54.30.185]
        9   103 ms   100 ms   100 ms  be2806.ccr41.dca01.atlas.cogentco.com [154.54.40.106]
       10   118 ms   117 ms   117 ms  be2112.ccr41.atl01.atlas.cogentco.com [154.54.7.158]
       11   130 ms   130 ms   134 ms  be2687.ccr41.iah01.atlas.cogentco.com [154.54.28.70]
       12   147 ms   146 ms   181 ms  be2927.ccr21.elp01.atlas.cogentco.com [154.54.29.222]
       13   155 ms   155 ms   156 ms  be2930.ccr32.phx01.atlas.cogentco.com [154.54.42.77]
       14   172 ms   348 ms   192 ms  be2941.rcr52.san01.atlas.cogentco.com [154.54.41.33]
       15   198 ms   202 ms   205 ms  te0-0-2-0.rcr12.san03.atlas.cogentco.com [154.54.82.70]
       16   209 ms   165 ms   165 ms  te0-0-2-3.nr11.b006590-1.san03.atlas.cogentco.com [154.24.18.194]
       17   166 ms   171 ms   203 ms  38.96.10.250
       18   165 ms   162 ms   162 ms  news.ycombinator.com [209.216.230.240]
      • ziml77 2 months ago

        Is that excessive? It looks like it's taking the most direct route it can. First goes west to NY, then goes south to DC, south again to Atlanta, and then makes a series of westward hops to Houston, El Paso, Phoenix, and San Diego. And I'm guessing the hops within London and San Diego would be something like a router for local traffic, a router for regional traffic, and a router for international/interstate traffic.

      • pGuitar 2 months ago

        I got 30 hops from Atlanta/Comcast

        but hops from 9 to 30 are "blank" like this: 30 * * *

        the last non-blank hop is this: 8 M5-HOSTING.bar1.SanDiego1.Level3.net (4.16.110.170) 69.921 ms GIGLINX-INC.bar1.SanDiego1.Level3.net (4.16.105.98) 60.600 ms M5-HOSTING.bar1.SanDiego1.Level3.net (4.16.110.170) 69.882 ms

      • dhaavi 2 months ago

        Cogent is the third biggest network on the Internet by CAIDA AS Rank. Your connection used it for pretty much all the distance.

  • criddell 2 months ago

    Do a traceroute and see how many third parties your traffic is going through. You probably don't get many point-to-point connections.

bborud 2 months ago

Second time today Hacker News makes Firefox look good.

  • saiya-jin 2 months ago

    Seriously, I can't grok why people here don't use it more often. Web is 100% usable, what doesn't work in it doesn't work in latest chrome neither. Web development is fine too, just different, not worse. But whatever, use chrome for dev work if you love it, and Firefox for everything else, especially Internet proper (plus you get another full testing browser, not just spoofing user-agent)

    Its a great product, and ublock origin make it by far the best on the market for internet not only for me, across any devices ever made, period.

dodgerdan 2 months ago

I don’t think Adguard, the Russian tech company registered in cyprus, but with mostly Russian employees living in Russia has our best interests at heart.

  • aussiesnack 2 months ago

    Your evidence seems to be repetition of the word 'Russia'. Seems a tad thin.

  • gdy 2 months ago

    Of course, we all stand by our beloved president who is threatening to start a nuclear war. What's not to like.

  • imbnwa 2 months ago

    What bothers me about Adguard is offering HTTPS cert spoofing as a means to duplicate uBo's dynamic filtering behavior

  • lizardactivist 2 months ago

    What makes you say that? And this is not really about Adguard, it's about Microsoft, Cloudflare, and Edge.

vinay_ys 2 months ago

In India, it is illegal to operate an open unauthenticated wifi. All public Internet access requires a secure auth and you have to present a government ID to the operator to get access. (This applies to getting a mobile SIM card or landline Internet at home as well). This is to deter anonymous illicit activity being conducted from from public Internet locations (like cafes, bus/train/airport stations etc.) Also, same real identity requirement is now applied to VPN operators. Additionally, they have to collect and retain traffic logs, and cooperate with government cybercrime investigations.

Obviously there are potential loopholes – apparently a lot of VPN services are planning to continue operating services with Indian residents with servers not physically hosted in India without logs.

Apple with its Private Relay and now Microsoft with Edge Browser VPN – don't provide VPN with exit nodes hosted in foreign jurisdictions. I'm curious to know if they will cooperate with requirements to collect/retain logs as well.

netsharc 2 months ago

> The VPN feature, known as “Microsoft Edge Secure Network,” has rolled out to a limited selection of users in the latest Edge Canary version.

Now why didn't they call it Microsoft Secure Network! And MSN in short.

And next they should start a VPN'ed messaging service, they can name it "MSN Messenger".

bilekas 2 months ago

> you can save up on traffic which is capped at a modest 1 GB per month.

These days that probably wont even manage the tracking requests being sent from the machine a month.

jll29 2 months ago

Microsoft as any company must abide by federal laws, including US FISA court orders.

hda2 2 months ago

I can see it now:

Microsoft: "Sorry $site_owner, We (some unaccountable ML model) detected that you have violated some rule (we will not tell you which) and as a result, your website can no longer be accessed.

This decision is final and permanent."

There are other ways to protect user privacy without conveniently putting yourself in charge. They pulled the same move with UEFI and secure boot

Microsoft needs to be investigated and fined.

kazinator 2 months ago

"Let's use our browser to herd users into our walled network, where our competitors cannot track them as easily as we are able to."

  • donmcronald 2 months ago

    I think this is the real reason for the "VPN in a browser" trend. It's about getting exclusive access to browsing data.

    Imagine Facebook data collection, but without being able to ignore it. That's where we're headed. Watch for Google to release a "security" product that does something similar.

    IMO Apple, Microsoft, and (eventually) Google are going to use their platform dominance to usurp Facebook's ad business. That's why Facebook is making a big bet on VR. It's not that they see VR as a naturally popular platform. It's simply one of the last platforms that could be popular (for the near future), isn't already dominated by a major player, and has network effects that make it a critical mass platform similar to how Facebook works. If they can buy their way in, they own the whole market.

    This kind of thing should get these companies obliterated by regulators. It's shameless, blatant, anti-competitive behavior where they're using their dominance in one market to gain an extremely unfair advantage in another.

    The goal is to move the entire ad market away from the open web and into closed platforms like OSes and browsers.

    • kazinator 2 months ago

      VPNs can destroy net neutrality. The internet can be reduced to a dumb pipe that gives everyone equal bandwidth, which is used to operate VPNs, inside of which entirely private rules apply that are inscrutable from the outside.

dathinab 2 months ago

Hm,

I think this is mainly an form of advertisement move to compel more users to use edge/not switch away from it. Reason: By now many non-technical people think a VPN is necessary (or at least recommendable) for "safety". Through how a VPN actually helps/works most non-technical people do not understand at all. For Microsoft providing a VPN which by default is only enabled on public WiFi and similar isn't too expensive.

They also need to compete with Apples Privacy Relay feature.

So putting bias aside it seems a good thing.

But there are some gotchas:

1. a VPN is not per-se privacy protecting, it is only that if the VPN provider legally binding agrees to not sell out the users data.

2. a major browser which tries to force itself on all windows users providing a VPN for free hurt the VPN market due to the unfair competitive advantage this VPN has.

3. It could normalize for many people that VPNs do not necessary have a feature to avoid geo-blocking => make it easier for legislation targeting such features to pass

4. also more centralization for cloudflair

Through if you ignore all this from a pure "common peoples security" perspective (i.e. not state actor attacks) this is an neat improvement. There are still to many things which allow attacks due to not using HTTPS and for non state-level attackers the best attack vector are public hotspots and similar where this VPN automatically is enabled. E.g. common security problem is HTTP(not s) redirect links in e.g. mails, which an attacker could trivially rewrite to point you to their site which automatically proxies the site you originally wanted to go to. Worst offender I saw was a FIN-tec site using emailing http(not s) redirect links containing the auth token for the initial account setup...

pGuitar 2 months ago

Why do they even need this? With all the spying/telemetry they already do, they probably already know the sites that you visit....

  • timbit42 2 months ago

    They want to keep everyone else from tracking you so their data is more valuable.

  • lucasmullens 2 months ago

    Some users might want this feature, which gets them more users. I think outside HN most users would appreciate a free VPN for when they're on public Wi-Fi.

tonymet 2 months ago

Microsoft obviously benefits from the ability to collect more tracking signals. Even over HTTPS they will have many traffic signals to use for ads targeting.

Just be mindful of any feature and who it benefits. These companies aren't charities.

edpichler 2 months ago

> "...it lacks one important feature users seek in a virtual private network: an ability to bypass geo-block. In the case of Edge’s VPN, you won’t be able to choose any server location..."

BLO716 2 months ago

The trend towards 0-configuration VPNs though make it totally compelling to just port your traffic home. I'm not trying to be a fan-boi, but I want ALL my traffic off the network of snoop. I'm just going to go out there and say Ubuiti and Teleport with WifiMan on phone/tablets/computers and 0 config bar codes, I mean its ALMOST frictionless for my family to do this setup once its going.

I least try to do this while we travel and are out of network range. How do people feel about this?

  • gzer0 2 months ago

    how about a tailscale exit node running on a computer at home

    takes 10 seconds to setup and I can use my home IP from anywhere on earth

Justin_K 2 months ago

Why don't we just call it what it is: "Microsoft redirects all browser traffic through their servers". At first it sounds great but in two years when the start selling the data or start injecting ads, what will the privacy advocates think then? How long until Microsoft decides they don't like your site, so they're going to block it? Yet another move towards centralization of the internet, NO THANKS.

sirmike_ 2 months ago

Lol the traffic is Capped at 1gb. It’s also super obscure. Only in small rollouts to edge canary users. It’s opt in I believe and It can be turned off.

Even MSFT isn’t going to pay the network bill for everyone forever

Split decision if this is a true good faith thing for consumers. Time will tell. I can easily see where it’s a great thing on one hand but also a terrible one too. This is where a company’s integrity comes in.

rntksi 2 months ago

I remember this being done back when Opera 7 was used. I think it had a feature for mobile OS, where it would route requests to Opera's servers and serve clients a minified, smaller version of the page, so people on 2G at the time could still use the web. I don't remember people being outraged at the time at the prospect of a browser having a baked-in VPN option though.

  • noja 2 months ago

    Yes that was mainly because mobile internet was really slow and using it without Opera's proxy was an exercise in frustration.

    But do not forget that Opera 7 was release TWENTY YEARS AGO. Things are a bit different now. Think eternal september.

  • bityard 2 months ago

    I remember this as well and thought it was a neat service. One that I would have liked to emulate using my own proxy in order to save bandwidth on my mobile data but never got around to actually doing.

    These days with widespread HTTPS, the only way to do this is to bake it into the browser itself.

    And of course, this was back when you could trust Opera to do what they said they were (or weren't) doing.

  • int_19h 2 months ago

    That was Opera Mini, and it's still around (and popular in areas where Internet speed is still measured in Kbps and/or you pay for data per megabyte).

    It's not even that it served a minified version, too. It basically did all layout server-side, so the client got something more akin to a PDF of the webpage optimized for its screen size. It also compressed images.

  • Nextgrid 2 months ago

    At the time, spyware was not yet a mainstream business model so there was no outrage because respectable, established companies didn't yet become spyware operators. There was still mutual trust back in the day.

  • sergiotapia 2 months ago

    God I miss Presto and Dragonfly. :'(

RcouF1uZ4gsC 2 months ago

> Also, we must be aware of the risks associated with using the built-in VPN services of Microsoft, Apple, and the like. The tools they so generously offer might protect you from being tracked by your Internet Service Provider (ISP),

It seems using a VPN from your browser vendor does not increase your risk. I don’t think a VPN would have any information that your browser did not.

  • lxgr 2 months ago

    Not really: Your browser vendor might push out a malicious update or enable dormant functionality that sends them telemetry on your browsing, or even your entire web traffic, but a VPN definitively does receive all of you traffic (including, at least, the host name of almost all sites you visit).

    I can observe who my browser/OS talk to (beyond the sites I already visit) – but what happens inside a VPN provider is impossible to tell.

  • oefrha 2 months ago

    People generally don’t tolerate browsers that phone home with any and all accessible information. But if you claim to also run a built-in VPN service...

    • vladvasiliu 2 months ago

      What do you mean?

      I oftentimes see people using Chrome (not Chromium) while logged into a profile. Are you telling me that either those people are actually a minority, or that Chrome doesn't phone home?

reactspa 2 months ago

A crazy thing happened to me on a recent trip to Mexico city. I thought my AT&T mobile plan covered Mexico, but after 2 days it stopped working. So I tried to log into my account online with AT&T. It would keep redirecting me to the Mexico AT&T website instead of the US website. The first time I realized I needed a VPN.

remram 2 months ago

Back in the days, a network relay at the application later was called a proxy. Any reason we are now calling this VPN?

  • crazygringo 2 months ago

    Yes, because proxies and VPNs are totally different.

    Proxies are generally unencrypted and a new connection is usually made per-request.

    VPN's are inherently encrypted and maintain a single connection.

    They're totally different technologies. So hope that answers your question.

    • remram 2 months ago

      None of this is true. Proxies use HTTP and can therefore use "keep-alive"; they are usually HTTPS. VPN are usually UDP and therefore connectionless.

      The usual difference is that they operate at application layer (proxy) or ethernet/IP (VPN). Which would make this a proxy, not a VPN.

witrak 2 months ago

If this "VPN" is under the control of an entity collecting information about users wherever it can what's the sense of the service. "VPN" (in fact the term should be "virtual internet access network") make sense only when it is independent of any entity controlling internet traffic...

marshray 2 months ago

I wonder how it respects legal web censorship orders imposed on ISPs like those of China and UK.

  • perlgeek 2 months ago

    I hear the Great Chinese Firewall is pretty good at blocking VPNs, they'll likely be able to block this one pretty quickly.

    • marshray 2 months ago

      Sounds like this one is going to appear on the network like https connections to Cloudflare.

yenwodyah 2 months ago

I wouldn't care about this VPN if it weren't for the fact that I can't ignore it. There's an option to hide it from the toolbar, but every time I open an incognito window it pops back up again. It's incredibly annoying.

chiefalchemist 2 months ago

> "However, the VPN will not run while you’re streaming or watching videos — so that you can save up on traffic which is capped at a modest 1 GB per month."

OK? And what happens after that? After you go over your 1 GB cap? You're cut off from the internet?

  • shmde 2 months ago

    They just turn the VPN off ?

    • mdaniel 2 months ago

      Heh, I wonder if they just quietly do that in the middle of a session

      * GET bank.example.com/accounts

      * GET bank.example.com/accounts/1

      vpn disconnect

      * GET bank.example.com/accounts/1/details <- 403 new IP, who dis?

  • ridgered4 2 months ago

    How they even id the user for the cap? Some kind of system signature? Requirement of a MS account?

stereoradonc 2 months ago

Edge-VPN is primarily Cloudfare. Now Cloudfare has potentially even "more" data about users. They don't have an ad platform, yet. What will stop Cloudfare from accumulating and then targeting the users through "Bing-Ads"?

  • zarmin 2 months ago

    Did you misspell Cloudflare as Cloudfare three times?

    • sdmike1 2 months ago

      Sure, they did, but that doesn't make their point any less relevant...

Nifty3929 2 months ago

Privacy from our government is becoming illegal. I believe that with widespread adoption of VPN services, at some point in the next few years the government will prohibit ISPs from sending traffic to foreign VPN services - for our protection.

sylens 2 months ago

Had to move off of Edge to Brave a few weeks back after sticking it out longer than I should have. I really liked Edge on both Windows and macOS but they keep adding stuff that I don't want to the browser.

aborsy 2 months ago

The move benefits foreign companies, weakening the domestic industry.

Let’s see how fast EU can move and regulate the traffic access. For instance, demanding that the servers should be accessible only to the local governments.

drexlspivey 2 months ago

Pretty cool to see Wireguard, a protocol that is only a few years old, making it so fast into the linux kernel and now into Edge. Literally shipping into billions of devices in such a small amount of time.

la_fayette 2 months ago

There will be times when more people are fed up with all the corporate BS. Duckduckgo, Lineageos, Firefox, Protonmail, ... is all working fine for me. I don't miss any corp tech.

shuntress 2 months ago

This is why net neutrality and easy accessible encryption are important.

rmason 2 months ago

I am not saying that they'd do it but what would prevent Microsoft from 'theoretically' collecting your information themselves and then selling it back to your ISP?

sh1mmer 2 months ago

Can someone explain to me how this is different from apple’s privacy relay? Is it because it’s all traffic instead of just some traffic Apple designates as “trackers”?

29athrowaway 2 months ago

The Microsoft Network is back apparently.

The AOL-like hell that the Microsoft Network was in the 90s makes its return in its Neo-Internet Explorer dystopian nightmare.

collaborative 2 months ago

Strangely enough Opera's VPN has suddenly started working after a long period of not being "available" and pushing their paid version

0xbadcafebee 2 months ago

Isn't this basically just Chrome's data saver? They never called it a VPN but they did send all your traffic to Google.

SavageBeast 2 months ago

So Edge users are going to be impacted by this - whats that like 35 people outside the development team who made it?

peanut_worm 2 months ago

Doesn’t that mean that all my connections are routed MS servers? How is MS more trustworthy than my ISP

ChoGGi 2 months ago

That's nice I suppose...

The only time I use Edge is when something Microsoft opens it, then I have to close it.

sedatk 2 months ago

> and turns it on

for CANARY users which is a completely normal thing. This kind of sensationalism really hurts everyone.

mkl95 2 months ago

Serious question - is there a legitimate use case for Edge when a Chrome Stable build is available?

  • vladvasiliu 2 months ago

    It's already installed and it works well enough. Plus, if I'm using Windows, I'm already sending a bunch of telemetry to MS, so I don't see a reason to go out of my way to send some to goog, too. Also, I'm not a Netflix customer, but I understand that on PC you need Edge to get high-definition (>=1080p) video. Chrome doesn't work (neither does it work on Mac). So the question becomes: is there a legimate use case for Chrome when Edge is available (and is mostly the same thing)?

    I, personally, am quite against using a Google browser (or derivative), but for my gaming PC where I only launch the browser once in a blue moon, I just can't be bothered to download anything else since Edge works. On my work PC I use Firefox, and am quite happy with it.

  • radicaldreamer 2 months ago

    There are significant changes in Edge compared to Chrome stable and perf and efficiency improvements on Windows (not to mention deeper system integration).

  • jabroni_salad 2 months ago

    From a business perspective, IE mode and onedrive userstate sync for o365 customers

    From a personal perspective, goog and microsoft are basically equivalent and I don't want either of their browsers.

  • wintermutestwin 2 months ago

    Edge is the only Chromium-based browser that allows for Vertical Tabs.

    • netsharc 2 months ago

      Vivaldi has it, and it's a Chromium-based browser made by people who left Opera after it was sold to the Chinese. Opera had vertical tabs even a decade or so ago, back when it was still using its own Presto engine (they switched to Chromium and seems to have lost this feature).

  • mrweasel 2 months ago

    I'm thinking Microsoft is hoping for the reverse: Why download Chrome when you have a perfectly good Blink based browser already installed.

omgomgomgomg 2 months ago

Did anyone test this? Is it better than operas "vpn"?

Can the user configure various geolocations?

rodolphoarruda 2 months ago

Not even god knows what's going on inside that (not so very much) private network.

eatonphil 2 months ago

I think Pixel phones (or maybe it's all Google Fi phones) also do this.

Thorentis 2 months ago

Just wait. VPNs, under the guise of privacy, will be used to continue mass surveillance operations. Soon you won't be able to access certain sites unless you're using an "official" VPN.

smm11 2 months ago

I'm going to run my VPN on Edge running a VPN.

tarunmuvvala 2 months ago

The walled gardens are raising their walls.

The plan is to sell the corporates VPN enabled services. The corporate will buy it without hesitation too if it comes bundled with Office 365.

pmarreck 2 months ago

Imagine still tolerating Windows in 2022

  • seabrookmx 2 months ago

    Some people play video games.

    Some people want to use the Adobe suite on user upgradable hardware.

    If you come out of your bubble you'll see there's plenty of reasons to still use Windows (typing this in Firefox running on Fedora, FWIW).

    • pmarreck 2 months ago

      I play video games. Things have actually changed a heck of a lot in the last couple of years and seem to be accelerating thanks to the Steam Deck. 90% of the games I care about now work fine in Linux, sometimes with a little massaging (there are also now many more tools and forum posts to help with this). Modding certain things is occasionally the biggest impediment but that too is getting easier thanks to stuff like https://github.com/frostworx/steamtinkerlaunch , which if you use the Flatpak Steam can be installed via the app installer right alongside it.

      • seabrookmx 2 months ago

        You're describing a worse user experience than gaming on Windows. Single player games on Steam is a best case scenario.. Blizzard games, or games with anti cheat are a total pain to run or won't run at all.

        This is why people tolerate Windows in 2022.

        I'm not saying I like it, I was just trying to answer your question :)

  • rejectfinite 2 months ago

    The great thing about Windows is that you can install another browser and set it to default. You don't have to use Edge.

    • blibble 2 months ago

      and then every other update it "accidentally" gets set back to Edge

xnx 2 months ago

Sounds pretty handy for data-scraping!

_mwnc 2 months ago

Hmmm interesting another reason for me to avoid microsoft browsers.

jfdi 2 months ago

Nice work MSFT

MrPatan 2 months ago

What do I need to do to disable this?

jeroen79 2 months ago

cloudflare is nasty, its worse giving them all your data then spreading it around.

strictfp 2 months ago

Cue VPNs being banned