(disclaimer I guess I own a company that offers VPN services, it's like ~1% of revenue though).
I think this seems like a bit much. I'd love Firefox to double down on building a great browser, rather than getting into Pocket, VPN, a Phone, IOT, etc.
Sure, a VPN can be really helpful when you're on sketchy open wifi, or other adversarial network conditions. But you're still trusting someone to handle your connections reliably and fairly. Several ISPs have proven themselves to be sketchy: injecting ads, adding tracking headers, etc. But do we really expect VPN providers to not crunch the same numbers and come to the same conclusions?
Note that despite my thinking, it does fit in well with their agenda:
> Mozilla has identified five key issues that are critical to build the open Internet we want:
Privacy and Security
Open Innovation
Decentralization
Web Literacy
Digital Inclusion
Look,you're missing two very important points here.
1) yes,vpn providers crunch the numbers and come at a different conclusion. This is because they sell privacy before anything else. You don't gamble on the heart of your business model unless you intended to sell out your users from the begining. And there are well vetted providers run by well known individuals with a lot to lose if they sell out users.
2) It is in the interest of Mozilla's users for mozilla to diversify it's revenue source. So long at they don't forget to make features optional,I don't see the problem.
This partnership is great because both Mozilla and ProtonVPN have similar business models. Heck,it would even make a lot of sense for Mozilla to operate protonmail. Except unlike with Google and Gmail,they would charge you money and that's it. Give us what we want,to be your customers not your product!
I don't want another all in one behemoth corporation. I want a browser that's not connected to any services but sports open protocols. I hope protonmail remains independent.
>But do we really expect VPN providers to not crunch the same numbers and come to the same conclusions?
Yes, because those numbers are different -- there's actual competition among the providers, which is not so for ISPs. I agree it's still a gamble, and still requires trust, but if/when that trust is broken, there's someone else ready to fill that void.
Having worked at Mozilla I can honestly say that I'm confident Mozilla can't keep a neferious secret :)
There is a lot of passionate privacy activists at Mozilla. Many of whom to would leak an NSL at the risk of persecution.
(In fact I dare say the lineup would be long)
Make no mistake, Mozilla Corporation is a for-profit entity. They're owned by a nonprofit shell, but I imagine that nonprofit could easily sell them off.
The incident was trivial, but it exposed serious concerns in the process. Mozilla itself strongly promotes privacy and digital rights, but their marketing people did not understand that this was a breach of trust, and all of the technical people involved in the release of the add-on either did not realise this either, or were overruled.
No, I agree at least. I mean, it was a bad move and thoroughly short-sighted, but then again - what's the score?
One slight privacy infraction from Mozilla, vs. the countless others from Google, or Facebook, or whatever. It wasn't a good move, it also wasn't as bad as people make it out to be, and it's defeinitely better than any competition.
But keep in mind that while it was pushed out into people's browsers in a stupidly-lacking-in-foresight fashion, it still required use activation before it'd do anything...
I'm at least four nines sure Google have got worse privacy-eroding code in Chrome that does way worse things that flip some text upside down after you specifically activate an add-on...
Like logging you into Chrome when you log into GMail.
This one hit me hard. And that was after I knew about it. I logged into Gmail on Chrome on my personal computer, without realizing I had been logged into Chrome itself, which then ended up mixing my personal browsing history with my work account, something I’ve tried very hard to avoid.
As I tell everyone that tries to defend this, it's not about what the plugin did or didn't do. It could have literally been a copy of about:blank, it changes nothing.
The entirely justified outrage was its purpose for being put there (which boils down to advertising) and the lack of consent for its being put there. That's it.
Doing nothing is not advertising. The only way for this to be used in advertisement was from Mr. Robot fans to Firefox.
> lack of consent
Pretend it was a copy of about:blank when you answer this question: What makes this different from the giant pile of patches merged into each release of firefox that you don't read?
(I'm making this a separate post because I don't want any distractions in the other one.)
If they had done it correctly, it would have been invisible and it would not have advertised anything to firefox users. That is the purpose. It showing up the way it did was an oversight.
> But you're still trusting someone to handle your connections reliably and fairly.
Some of us live in tinpot totalitarian reigemes[x] where ISPs are required by the government to retain "meta data" records of all customer connections and traffic.
It's a privacy win for me just to move the endpoint where my unencrypted traffic (and dns lookups) out of my local jurisdiction, since at least that way I'm not using a service that's required by law to snitch me out to any curious local cop... (Hopefully my chosen VPN provider really isn't keeping logs or snooping y traffic, but even if they are - moving that out of my local legal jurisdiction is an improvement for me...)
[x] That's a little intentionally overhyperboled - but fuck me our Australian politicians are making some insane laws around internet use by the whole population...
Agreed. I switched back from Chrome to Firefox partly because Firefox had a constant reminder of a thing I don't use, Pocket, in the address bar. I don't have anything extra in Chrome that permanently shows up, just a temporary window that pops up asking me if I want to sync when I save passwords, which I'm used to dismissing.
You can remove Pocket from the address bar. All you do is right click it and the only option shows up as "Remove from address bar", so you don't have to stare at the reminder if you don't want to!
What I don't understand is why everyone needs VPNs all of the sudden. There must be a ton of money in selling VPNs, every YouTuber seems to be sponsored by a VPN provider, and now Mozilla is getting in on the action?
As others have pointed out, Mozilla is a for-profit, and I doubt that they would be able to keep up with the development of Chrome if they where not. That being said I wish I'd keep their focus on the browser part it self, and avoid going in the direction of Chrome, which have basically become an OS without a kernel.
While it is a little hypocritical, I would wish that they'd add Chromecast support to Firefox. That's really the only feature I'm missing.
This seems like another attempt to acquire a new revenue stream for Mozilla. I'm glad it's through something like providing a user-focused VPN as opposed to increased ads and tracking, but I still feel a bit bummed that Mozilla feels the need to do this.
The other day I came to the realization that Firefox is the only portal to the web that's not affiliated with a tech giant. Microsoft has Edge, Google has Chrome, and Apple has Safari. It's so strange that the web is such a huge, important part of our lives, and we only have four ways[1] to access it, three of which are driven by profit-seeking organizations.
[1] I'm not counting forks since those are largely still the same as the original code base, and none of them have gained a significant amount of traction. I'm also not counting experimental browsers since I'm not aware of any that are both largely-compatible with current web platform features and not based on a fork of one of the primary browser engines.
Just to be a pain in the ass, ELinks has known vulnerabilities. The last stable release was from 2009, and the last pre-release from 2012 [1]. At the very, very least it has vulnerabilities in SpiderMonkey.
If you need a console browser with picture, JS, color, and table support, consider Browsh [2] instead: "Browsh is a fully-modern text-based browser. It renders anything that a modern browser can; HTML5, CSS3, JS, video and even WebGL."
I have mixed feelings about this move. On one hand I like that Mozilla gets additional source of income to support their mission. Plus people will certainly benefit from using a vpn service.
On the other hand though this will redirect people to a particular provider that may not necessarily meet their needs. Proton VPN offers a decent service, but not sure if the best one. I'd be much more comfortable with this if they were suggesting multiple different providers.
And let's not forget that this is also a jump into the abyss of in-browser ads that may be difficult to block even with an add-on. From the screenshots it seems that FF analyzes your behavior (connection to an unprotected network) and displays the ad based on that. I fear what's going to happen when Chrome team picks this idea (e.g. "we see that you are logging into a bank X, how about you try bank Y?")
> I'd be much more comfortable with this if they were suggesting multiple different providers.
I don't see anything saying that they won't. They might only offer ProtonVPN for all of time, but I could also see them adding additional providers down the line. In any case, I'm imagining that the vetting process is relatively costly to perform and keep up, and I'd trust Mozilla more than myself to do it.
Honest question: Why not bundle Tor, instead of relying on a proprietary VPN service? It seems that Tor satisfies the advertised use case ("insecure public WiFi") just as well.
Tor and Firefox are working together to make Tor network the default within private browsing mode. A number of privacy-related patches from Tor have already landed in Firefox (example: Firefox now has first-party isolation). It's a slow progress, but it's on its way.
Well, "Tor Browser", which shares code in both directions with the Firefox project, is already available. So that's already an option.
It's not ideal though. A large fraction of the web blocks access from Tor relays, or makes you jump through extra hoops, like completing onerous captchas. It's not a great experience.
Plus, by nature of having to go through several hops, it will always be slower than a standard VPN. (And that's in the best case. In reality it's noticeably slower, I assume due to congestion of exit nodes.)
Because bundling Tor in Firefox would generate so much traffic it would take down the network. Tor needs to grow significantly before that integration is possible.
TBH, I'd be more comfortable using insecure public wifi than I would be using Tor.
Tor hides the source of your communication, and evades filtering. It does not protect the contents of your communications from eavesdropping. It's trivial to set up Tor exits to log traffic, and people do.
If you're hitting a TLS-enabled site, then exit nodes can't see the content of your traffic, only the destination IP/host. Exit nodes also can't see your source IP, only the IP of the relay node.
If you last tried it several years ago, you will be pleasantly surprised with how fast it is now (I was). It used to be practically unusable, but most of the time I now don't notice any slowdown at all for normal browsing.
ProtonVPN is simply the best choice for a VPN if your goal includes anonymity / privacy; I place zero stock in this.
1. No other VPN that I'm aware of has any of its own data center infrastructure.
2. Even though ProtonVPN (and essentially all VPNs) works with untrustworthy companies like Leaseweb to provide many of their servers, SecureCore allows you to route traffic through their own data center infrastructure to another exit node server.
3. Public-facing CEO who has a verifiable history. You know his name, his face, he's given a talk. This helps with accountability.
When will people stop dragging this bs article over the internet? There aren't any physical facts showing that ProtonVPN or NordVPN shouldn't be trusted! Only these false accusations spread by competitor troll band. Or are u one of them?
Isn't there at least some controversy about that (perhaps it's only a disgruntled competitor who jumps on every second post I see mentioning them, but I'm 99% sure I've seen a few questions/accusations levelled at them...)
Having said that - seeing them vouched for by the Mozilla Foundation seems to be a significantly better indicator of their trustworthiness than this post from a day or two ago: https://news.ycombinator.com/item?id=18260920 - I _mostly_ trust Mozilla to not be guided just by whoever offers them money, and hopefully to have learnt from their dumb Mr Robot fuckup...
I fully agree that ProtonVPN seems like a poor choice, considering all the controversy around them, especially when its backed up by that much evidence. Mullvad, Private Internet Access, TorGuard etc. would have been a better choice, but perhaps Mozilla didn't want to look like it was picking sides among 'established' VPNs..
As mentioned in Mozilla's blogpost, they did their homework and thoroughly checked ProtonVPN, including visiting us in Geneva at our main office, which also refutes these allegations.
Stay away from PIA. One of their employees was caught red handed spreading false information about other VPNs a few months back. The guy's google profile picture was in one of the screenshots. It was half covered by another window but it was enough to figure out who he was
For better or worse, Mozilla managed to brand itself as the equivalent of the open internet and an organisation that would put the users first.
This is quite important in today's world that's full of Googles, Facebooks, Microsofts etc.
That doesn't mean that Mozilla has done nothing wrong. I'm just saying that I would feel much better having a VPN service run by Mozilla as opposed to a VPN being run by Facebook.
There doesn't seem to be a way to sign up for this directly. If one wants to support Mozilla through this, it looks like one has to be in the U.S. (or fake being in the U.S. with a free account of ProtonVPN) and hope to be picked up by random for this experiment.
Anyone from Mozilla or ProtonVPN reading this and can confirm that this understanding is correct?
This is a little vague on the technicals, but it sounds like you would be downloading and installing the full VPN service as if you had obtained it directly from ProtonVPN? i.e. this isn't a browser plugin? It'd be interesting if there were some tie-ins with the browser, like perhaps separate VPN connections per container (not sure this is possible, I'm no expert).
I'd prefer it if it used some kind of way to proxy traffic through WireGuard instead (which ProtonVPN does not yet support while they should if not just for performance reasons alone [1])
If you need a beta tester, let me know. I already am a paid subscriber, but I am considering quitting ProtonVPN because this feature is lacking and more and more competitors are catching up on it.
I haven't completely read it but I did spot one difference:
"These subscriptions will be billed directly by Mozilla and the majority of the revenue from these subscriptions will go to Mozilla, directly supporting Mozilla’s mission."
Mozilla was less clear about how it'd be distributed.
I think this seems like a bit much. I'd love Firefox to double down on building a great browser, rather than getting into Pocket, VPN, a Phone, IOT, etc.
Sure, a VPN can be really helpful when you're on sketchy open wifi, or other adversarial network conditions. But you're still trusting someone to handle your connections reliably and fairly. Several ISPs have proven themselves to be sketchy: injecting ads, adding tracking headers, etc. But do we really expect VPN providers to not crunch the same numbers and come to the same conclusions?
Note that despite my thinking, it does fit in well with their agenda:
> Mozilla has identified five key issues that are critical to build the open Internet we want: