Microsoft bakes a VPN into Edge and turns it on (adguard-vpn.com)
608 points by bluish29 on Sept 30, 2022 | 584 comments



Why do I always get a bad feeling about the motivations behind stuff like this? I want to believe it's for better privacy and security, but it's being driven by a corporation or two, and that makes me 100% suspicious. Like, for example, suddenly Edge is no longer respecting local DNS options and my pihole protects one fewer device from the real dangers to privacy. I don't want to be cynical so often, but this really doesn't feel like a benevolent move. Yeah, it's conditional at the moment, but as with Chrome and manifest v3, among many other examples, I'm losing my faith that anything with the potential to increase ad revenue will remain turned off for long.


The reason you have a bad feeling is it gives the FBI/FEDS a single point to collect your data, with a man-in-the-middle attack that you will have no idea is there.

This is absolute BS they're implementing this.


Besides the unremovable junk they fill on the homepage, now this. Uninstalled and will be moving to Brave


Using a browser that monetizes itself in any way seems like a slippery slope to me. I'd rather use Ungoogled Chromium/Bromite or even LibreWolf if it came down to it. Saying "that's it, I'm moving to Brave!" is basically declaring that you're moving your data from Microsoft(1) to Microsoft(2).


This line of thinking is why Chrome owns most of the internet. No one else can hope to compete because they just get screeched down.


Chrome owns the internet because people like Brave don't develop their own browser engine.


Exactly. Brave just takes Chromium (from Google) and adds weird crypto stuff to it. None of the Chromium forks are "different browsers" in my eyes. They all depend on upstream for everything important. They couldn't develop the browser on their own.

Just use Firefox. It works just as well as Chrome (*), but it's based on a completely different engine which was built from the ground up.

(*) On desktop at least (on Android I still use a Chromium fork for now)


> Brave just takes Chromium (from Google) and adds weird crypto stuff to it

That's a really unfair (and untrue) statement. Brave also removes some code they find privacy violating, built in a best in class adblocker, built a full cross-device sync system that works perfectly, some UI tweaks and enhancements, built Tor connectivity in, etc. Probably a lot more that I'm leaving out.

I am def not a fan of crypto or BATs or whatever they were pushing, but you can use it fine ignoring all of that.


To be fair, you can also disable Microsoft's built-in VPN. The problem is trusting people who don't have your best interests at heart, and using Brave products just kicks that can further down the road.


Brave is 100% open source: https://github.com/brave/

Normally this might just be a platitude of the sort, "Go check it for yourself." But in this case that's not what I'm saying. Brave is going to be used by large numbers of tech focused users with a privacy/security bent. And they are also competing against Google who will make sure even the slightest slip by Brave is promoted across the entirety of the web.

That code is scrutinized heavily. That the worst you can find about Brave is people making false statements about crypto stuff (it is entirely optional and opt-in with 0 coercion or dark patterns to push you there) speaks incredibly highly as to the current state of the Browser. Might that change in the future, as you seem to be suggesting? Yip! And when it does there will be a new Brave. But for now they continue to stay on an excellent path forward.


I don't see a reason to use anything but Firefox on Android. It's got full parity to its desktop counterpart. It's amazing.


Many sites are broken on non-Google browsers though. But the advantage of being able to use adblockers in Firefox alone outweighs that - not even taking privacy into consideration.


I've actually used Firefox on Android for 7 years or so. Never experienced broken sites on it. Can you please give me some examples of broken sites?


Thinking about it, only internal time reporting tools. Both on my current and prior employer they only worked with Chrome or IE.

I think I overestimate the amount of broken sites due to the adblocker messing them up, not Firefox.


Tangentially related. Using Firefox on Linux for anything Google chat/voice call related is not a very pleasant experience


You could also consider the Firefox forks Fennec and Mull.


and allows you to install an adblocker


The thing I like most about Brave is actually the crypto stuff, and I hate almost all crypto. This is actually a good use case for it - you have a distributed system (users browsing) across untrusted hosts (users).

People like to shit on advertising, but much of the internet exists today because of advertising. Do you think Youtube could exist at that scale without ads? I don't think so, personally. At least, not without another way to monetize.

Brave is the only player providing an alternative monetization strategy. Crypto or not, to me, that is by far the most interesting thing a browser has done in a long, long time.


As if Chromium wasn't a fork of Konqueror


Blink (Chrome) is a fork of WebKit which is a fork of KHTML (Konqueror), but that is a very much different situation. None of the Chromium/WebKit-based browsers are full forks but rather merge custom patches with upstream development. They don't have the development capacity to go against any Google changes except for a few things here and there. Meanwhile Google isn't relying on KDE to develop new features - in fact KDE isn't developing any new KHTML features but instead is switching (or has switched) to WebKit/Blink.


> Just use Firefox

I want to but in Firefox developer tools there is no option for developer tools to follow new tabs.

Apparently this has been an open bug with Firefox for a while.

But it is what keeps me from using Firefox vs Chromium's full time


> (on Android I still use a Chromium fork for now)

What Chromium fork is on Android and actually better than Firefox for Android? I use Firefox for the best possible experience on Android and would like to be aware of another option.


I personally use Bromite: https://www.bromite.org/

From my (anecdotal) experience, Bromite is faster than Firefox on my phone, but your mileage may vary.

I was originally using Firefox due to its uBlock Origin support, but Bromite has ad-blocking built-in (unfortunately it's not quite up to par with uBO but it works well enough).

I would suggest that you try both and see which one you prefer.


I have at least three sites I use that I have to open in Edge since they don't work properly in Firefox. Local bank, credit card issuer, and employer's guest wifi login portal.


I use FF and when this happens it's almost always some extension you have installed. Try disabling some extensions and go to those sites again.

If they still don't work, they're doing some messed up stuff on those sites.


Oh my. I wonder what that banking site must be doing for it to not work on Firefox. It's either malice or inconvenience, or both


> Just use Firefox.

No. Well, I'm not so rude, so "No, thank you".

> It works just as well as Chrome (*)

Not on *anything* I use, it doesn't, so "No....thank you".

Tbf, I do keep trying ff, but...clunky, jeepers! 'Fraid I'll hang on until my Brave jumps its particular shark and then maybe I'll hop over to something else, but for now, and as long as I can still use UblockO, Brave it is.

Even Opera is looking interesting again....


> Even Opera is looking interesting again....

What browsers have you been daily-driving to come to that conclusion?


Chrome owns the internet because web standards have become so complex that not even Microsoft can afford to maintain their own browser engine.


>not even Microsoft can afford to maintain their own browser engine

We don't know that. Maybe Microsoft could maintain their own browser engine if Google hadn't provided one on permissive open-source licensing terms that met their needs.


Microsoft tried with Edge V1, and gave up when Google online services started sabotaging it.


They gave up way too easily though. I don't think they ever had an interest in actually making a good browser engine. They've never managed one in their entire history. Microsoft love mediocrity, the "just good enough" mindset. Nobody takes their products on because they really excel at what they do. Just because they have a huge installed base, they're not so bad there's really a problem to use them and they integrate with everything else (e.g. Windows) nicely. For example Slack is so much better than that turd called Teams but nobody wants to pay the extra because Teams is free with O365 and user frustration doesn't cost anything on the bottom line.

This is why Apple really came out of the blue with Steve Jobs' razor focus on quality above all. Microsoft's goal is never to be 'best in class'. Because they don't need to be. People will buy it anyway.


>not even Microsoft can afford to maintain their own browser engine

MS can afford it financially. The desire to put in the effort is not there.


...that's what they're saying. Microsoft has no reason to build their own browser when they can fork Chrome and preinstall it on their computers.


It’s simpler than this, imo. Most users rely on Google Search and Google will constantly nag the user to try Chrome.

Users, trusting the ad company that provides them free email, search, video, photos etc. will action on the suggestion and install Chrome.

More users gives Google the market power to dictate web standards.


So what's the solution? I hate this status quo as much as you do, and standing here in a Mexican Standoff is not viable forever. You're right. "The web" as a platform has been twisted and perverted beyond real usability at this point. There is no path forward where we undo Google's damage and preserve the qualities of the web we enjoy today. So, how do we fix this?

The solution (to me) is simple - fix native app distribution. Make platform targets operate the same as they used to, and give people control over their computer again. The only ones preventing us from a platform-agnostic utopia are Apple and Google, both of whom profit off the artificial difficulty of distributing applications.

So, here we are. Google is poisoning the web while Apple refuses to swallow their pride. Everyone is hurting, and nobody stands to gain anything but the shareholders. A hopeless situation, but let's not pretend like everything here is morally grey.


For starters, if a company makes a web browser with market share exceeding 50%, and also produces web sites and web apps, if those web sites and web apps do any sort of user agent testing or require non-standard features of the aforementioned browser, it should be treated as ipso facto monopoly abuse.


The solution is already impossible. When Mozilla had browser domination they had a chance to dictate something. The moment Chrome became popular, now another company, just as MS and IE did before, could just do the feature creep of "add feature, subtly break/slow down opposition, get more users that just want browser that works"


Microsoft Edge non-Chromium was fine, but no one used it. So they went Chromium-based.


> Microsoft Edge non-Chromium was fine, but no one used it. So they went Chromium-based.

Are people now using Edge because of this change?


Edge has made substantial gains in market share in the past few years. But it's hard to definitively ascribe it to any specific change.


Companies like Google keep expanding the effort needed to write a browser engine to ensure everyone uses their spyware.


Then companies like Apple should stop shrinking their API targets and contribute to the general wellness of computing, for a change.


Can you please give a concrete example of what Apple should do, in your opinion, to expand their API targets? And how is that related to web standards complexity?


People complain about excess functionality being added to web browsers (HTML5, WebXR, WebRTC, etc) and many of these complaints are valid. Web browsers don't need these features, they should be relegated to native apps.

Except they can't be. Native apps don't offer the same freedoms that the web does. And so, we keep stacking technologies on top of web browsers to alleviate the problem. It's a bad situation, and both Google and Apple are gruesomely complicit in making this situation worse.

> Can you please give a concrete example of what Apple should do, in your opinion, to expand their API targets?

Stop browser lockdown. Allow sideloading. You know, the basics of computing that we had figured out since the mid-90s or when we sued Microsoft.


Few people attempt this... Here is one: Ladybird https://awesomekling.github.io/Ladybird-a-new-cross-platform...


99% of a web browser's end users do not care if their browser uses Servo, Webkit, etc.


I'd guess pretty close to that number don't even know what those are in the first place.


Yes but being able to use all of Chrome's extensions in Brave is a huge win to me. And most Chrome documentation, Q and A, tutorials are mostly relevant to Brave as well. I see Google and other behemoths contributing to an open source project as a good thing. The product may not be where it is today without their help, including paying people to work on a free product. Still, yeah don't trust them.


It's the other way around. Brave uses the Chrome browser engine, because Chrome already developed their own browser engine.


Firefox is pretty nice once you beat it into submission. I'd put my money there before Brave.


Honestly I find the defaults plus uBlock Origin and Multi-Account Containers to be fine, no beating required.


I must have a hundred things that I change on every install. At a bare minimum I'd be disabling pocket, prefetch, and search from the address bar for privacy reasons and then disabling service workers, webgl, and wasm for security reasons.


OTOH, Firefox funding depends almost entirely on Google so they are unlikely to do anything that upsets Google too much.


> Using a browser that monetizes itself in any way seems like a slippery slope to me.

Is that a practical sustainable long-term business practice though? Firefox was only able to be free because Google was paying Mozilla. Browsers are some complex software and software developers wanna get paid. I know that the ins and outs of the history of browser software have conditioned us to expect browsers for free but that doesn't reflect the reality of developing the software.


Firefox, with its full complement of full-time developers, could stay alive with a tiny fraction of what Mozilla earns in a year. Most of Mozilla's work is tangential to Firefox at best.

Surely there's space in the browser market for a model akin more to how Wikipedia operates.


> Surely there's space in the browser market for a model akin more to how Wikipedia operates.

Donations by corporations, and edited by power-hungry users (ryulong) and bots?


This is part of the problem. Mozilla is diverging too much into dead ends. Instead of focusing on what they do best, Firefox.


OK so you do want a business model, it's just a terrible one.


Sounds better than a black-hole cryptocurrency where the devs steal 30% of your transaction 'because they can'


That's the thing, it shouldn't be a business practice at all. Browsers are part of the Internet infrastructure and that should not be treated like any other business but be regulated enough to ensure anyone gets fair use of the infrastructure and should rely primarily on public funding.

The Internet being global makes this challenging, and almost all countries (including so-called democracies) wanting to drink as much authoritarian juice as they can get away with does mean that there is plenty of risk here as well. But letting one or a few giant megacorporations entirely dictate the primary infrastructure for information interchange is so much worse.


> Using a browser that monetizes itself in any way seems like a slippery slope to me. I'd rather use Ungoogled Chromium/Bromite or even LibreWolf if it came down to it.

The problem with this approach is that it’s impossible to get a safe binary that isn’t downloaded from “libfree.cxcc.gg” or whatever. The other option being to build from source, which is an absolute nightmare for Chromium.


All of those browsers have signatures available if you question the integrity of your binary. Otherwise this argument isn't any different for the likes of Brave or Chrome even.


> All of those browsers have signatures available if you question the integrity of your binary

Signatures available from whom?

The point being that a web browser is a very special case of software that has to be absolutely 100% trustworthy from a reputable commercial entity (that is, someone that can be sued). The only other thing with that level of trust is your operating system.


So my Linux kernel running the majority of the infrastructure of the company I work for is untrustworthy?

Do you not trust kernel.org? Or the GPG signatures of the commits?

What about Mozilla?

As for "someone that can be sued", have you read any of the EULAs of the commercial entities that you think are "reputable" and "100% trustworthy"? You can't sue them.

Similarly, do you trust all of the CAs that have certificates in your OS or browser trust store?


I still have a CD of Netscape Navigator Gold I purchased in a box in a store… long ago enough that was a thing.

Those were the days.


I still test and validate my websites with Netscape 2.x and up.

Any Browser can be a reality.


If I had my billion dollars I would fund a modern intentionally crippled hypertext browser with hard limits on programmability and style complexity.


It sounds like you are describing Gemini. https://gemini.circumlunar.space/


Gemini is on the other extreme (except for requiring the crypto complexity that comes with TLS). I would prefer something that still lets people express themselves creatively like the early web did. Personally, I think even newer CSS is fine even if more complex than it could be if re-designed - the problem is mostly JS and million different APIs that come with that as well as the expectation that the browser will be able to execute that JS insanely fast.


Some browsers you may want to try, which support only HTML and CSS:

Dillo

Links

NetSurf


Why not just bring back the 486?


A shame that you would waste your money on a browser that nobody would use.


I would. I already use FF mainly under a locked-down profile for mere reading. (I use another profile for mandatory interactive sites like banking and stuff).

Others like me would. And resource-constrained devices. An eco-system of low-tech sites could emerge with a label signaling them as simple and virtuous.



Interesting. But I meant only using a subset of current web stack, and insist on low resource.


The issue I have with Gemini is that it discards 25+ years of established domain knowledge and existing software for something which does not provide any additional functionality over what today's software already offers.


I don't think any way is unacceptable. I'd be totally happy to pay for the software for example. It's all the sneaky crypto / adware / tracking stuff that I have a problem with.


Well, Google is removing adblockers from Chrome to better monetise the web…


How is Brave Microsoft(2)?


They're both for-profit businesses that will consistently put the user experience behind profitability. Open-source, libre browsers will not.

I'm sure people said the same thing when Edge was in beta. "How is Microsoft Chrome(2)?"


But Brave is also an open-source, libre browser. And the Mozilla Corporation is a for-profit company.

(And I think Edge is worse than being Chrome(2).)


I'm very glad you mentioned the homepage spam. It's increasingly difficult (and valuable) to live without information overload these days; Edge's forced "news" spam has pushed me away as well.


What is shocking is the content is so low quality it's appalling it came from a big, respected company such as Microsoft. A lot of the posts are often clickbaits, and there are ads carelessly interspersed between the posts all over the page.

I know it makes a lot of money for Microsoft but the fact they chose to keep the quality so low really looks bad.


"Respected"? Since when is Microsoft respected?


The company is respected for being so big and being a stable, high performer. Obviously they did a lot in "personal computing" as well


Biz, gov and mil management relies on MSFT; executives, their attorneys and bankers, respect MSFT for doing what they do ($$). Similar to big retail and worse, gambling, the single user is last in line; used and abused individuals. Nobody expects a lot from the individuals involved, and their opinion matters less. Wolves among sheep, basically.


Blocking msn.com via hosts will give you a blank new tab page in Edge, only including an Edge background image, and a search bar leading to your chosen search engine.


You can disable all that from Edge itself, at least on the desktop. When on the new tab page, there's a "Page settings" icon in the top right. If you click on that, there's a bunch of options there regarding what should be present on the page; the bottom-most item is "Content", and if you set it to "Content off", it all goes away.


True, but the default new tab page sets cookies and connects to MS all the time. When blocking msn.com, it loads local resources only.


Edge is a pretty good local pdf reader so I added a firewall rule to stop it connecting to the internet.


Oh you sweet summer child.


Damn you, I just spit out my drink! :-D


I'm all for pushing for more privacy/etc; but is Brave what we want to advocate for as an alternative? They did some pretty heinous link jacking relatively recently. I'm not sure FF/(/chromium) have been caught doing anything worse than that yet.


Firefox with uBlock Origin and HTTPS only works beautifully with Pocket disabled.

Only thing I have to pull out Chrome for is corporate intranet.


The only unremovable thing that bothers me is the stupid Bing points thing that I don't care about. It doesn't encourage me to use Bing, it just makes me question how they continue to manage to swipe my queries enough to increase that score.


Or the privacy focused Librewolf (fork of Firefox)


Also Epic.


Yup, a VPN is not a security measure at all unless you trust the VPN provider more than the site you're connecting to...


Actually, with a VPN, you need to trust the VPN provider AND the site you're connecting to...


And not even then. Most VPN providers in the top 10 are actually very shady and their organizational structure is quite opaque.. to say the least. I wouldn't be surprised if at least half of the top providers are actually FBI fronts, like the ANOM chat app.


Well, you might have a reason to trust a VPN provider you pay for, but who is the customer for MS Edge?


The insane thing is that, because the VPN has a 1GB/month traffic limit, there is no way to enforce it unless they associate all traffic with a Microsoft controlled user identity. Cloudflare literally has to keep track of any sites you visit and associate them to your ID to make it work.

Though, I do believe that for connections from public WiFi it's somewhat of an improvement. It establishes a minimal security baseline of: "ok, we'll sell your data and let FBI snoop on you, but we won't inject trojans in your downloads and then hijack your webcam to create ransom-porn (though the FBI/??? might)".


It is so weird that they're 'VPN providers'. They're proxies. It's not really a VPN unless I'm in control, or they're providing servers in the VPN to connect to.


My ISP reserves the right to sell data on the sites I visit. If the VPN provider promises not to do that, it’s probably a win.


ISPs in Poland at least give you the ability to pay so they do not spy on you. It is very small (10%) but I have no doubt most people cheap out. Internet is relatively cheap here.


From my experience, non-tech people just leave browser defaults. I'd argue this is better than letting them use public wifi without VPN. If you really care about security you won't use it, of course.


Public Wi-Fi in the world of HTTPS is not exactly terrifying.


> Public Wi-Fi in the world of HTTPS

Story time. Someone I know once got laid thanks to Facebook not encrypting their sessions

My university was still using basic ass unencrypted WiFi with some kind of terrible dns-hijack sign in to “auth”. This of course meant that everyone put their shiny MacBooks on essentially public wifi and logged in to social media in the clear in class.

Some enterprising chaps made a browser extension that made it trivial to snoop any open sessions and impersonate that session in a new tab.

Someone I know would do this during lecture and post to people’s social media as them saying they should pay attention in lecture. Possibly some other scandalous things were said. The hilarity that led from that stranger doing so led to the beautiful nerdy girl sitting behind this person noticing and daring them to post more. That became hanging out, parties, and as far as I know they got married and have kids now.

Literal people exist that wouldn’t otherwise because Facebook didn’t have HTTPS


>Some enterprising chaps made a browser extension that made it trivial to snoop any open sessions and impersonate that session in a new tab.

Firesheep was super big for a while, yeah. I used it to show a few coffee shops that yes, really, WiFi with a password of "password" was measurably better for their customers than no password: https://en.wikipedia.org/wiki/Firesheep


Fuck, HTTPS was already popular by the time I went to college. That explains everything.


I credit the fact that basically nothing was encrypted over the wire when I got into computers in the 90s for learning how protocols work.


To be fair this needed HTTP and WPA(?) lol. Old school wifi let you see everything every other client sent.


Is your friend Samy Kamkar?


Plus, Firefox is soon implementing HTTPS-Only by default if I remember correctly. What was it, maybe 2016 there was a big push for SSL and the majority of the web, even login and payment pages, were HTTP? Now only a small percentage of the web isn't HTTPS. I have HTTPS-Only enabled in Firefox and rarely do I have to click the 'Continue Anyway' button to browse an HTTP page. For most general users that only use popular services, I'm sure it's even more rare.


It's so easy, even a dummy like myself can grab a cert for my self-hosted services. I don't give any HTTP-only sites any slack.


I have a site from 1997, pure html, with drivers, install disks, documentation for computers from the 80s/90s.

It works. It's fine. No, it does not need ssl. What, someone is going to hack a floppy driver for a computer, which doesn't even have a built in network stack?!

No, I am not going to do work on it, any work, at all.

Millions of such sites exist, are fine, are safe.


> with drivers, install disks

Depending on what the drivers are for, you may be a prime candidate for MitM. People already go to your site to download software they're going to run in the most privileged mode. This is a perfect candidate for a type of watering hole attack.

Considering you're providing those for 90s machines, you could be the last resort website for a few interesting industry computers with no security restrictions around them.


> Depending on what the drivers are for, you may be a prime candidate for MitM.

Doing that MitM is technically very easy, but in practice pretty hard. You'd have to have an adversary on your network path watching for connections to this particular esoteric low-volume site hosting drivers for machines from the 80s and 90s.

That is extremely unlikely.

I have a much easier way to target that content: Just put up a new site hosting the same content with malware attached. No need for MitM shenanigans.

Security isn't about absolutes, it is about risk management and being aware of the likelihood and consequence of the risks is important.


> No, I am not going to do work on it, any work, at all.

Without HTTPS, the content can be replaced entirely. Last time it was JavaScript that DDOS'd GitHub. If you don't want to serve content over HTTPS, then you don't care what your users receive. Just delete the site and they all get 404's instead, since you already admit that you don't care either way.

If it makes you feel any better, HTTP without HTTPS was a mistake we all made together. It should never have happened.


> If it makes you feel any better, HTTP without HTTPS was a mistake we all made together. It should never have happened.

Given that http predates SSL 1.0 by a few years, somewhat inevitable.


Given that HTTP without TLS can provide backwards compatibility while anyone and their dog is advocating for deprecating TLS versions and them being too complex for most people to maintain on their own, I respectfully disagree that plain HTTP was a mistake.


Seems like, since inception, internet protocols were designed with foreseeable security implications; the GNUnet project is attempting to solve this.


The site contents don't necessarily matter.

You're at a coffee shop or library using their WiFi. Your computer sends a plaintext HTTP message. The attacker just needs to be able to see that message and get a response back to you before the real site does, and the real site is a lot further away than the guy sitting at the table next to you (or the hacked router, if he doesn't want to be there in person). Then they can feed your browser whatever they want.

A login form to phish you, perhaps?

They can even start replying, then go off and fetch from the actual site before finishing the response, if it helps to incorporate the real data.


That is fine. The site itself is safe. Accessing it over untrusted transits is not. What has changed since 97? Well, attacks became far more sophisticated, and the transits that people access stuff over became far less trustworthy.

There is nothing wrong with your website. However, you shouldn't be surprised when modern browsers stop working with it. Progress doesn't come free.


You are hosting executable data of some kind on a non-authenticated protocol. That's totally not dangerous at all. A MITM definitely couldn't cause any damage by altering executable data in transit on unsuspecting users. This has never happened to anyone.

>are safe

No, they are not.

>No, I am not going to do work on it, any work, at all.

If you are too lazy to do it securely maybe you just shouldn't do it at all.

HTTPS everywhere by default can't come fast enough. There is no excuse at all to not have HTTPS support today and browsers should deny access to these lazy and careless sites by default. Anyone who can't spend the 5m to set it up for their website can go kick rocks as far as I'm concerned.


It is all fun and games until one of the downloads from your site picks up malware in transit and the user goes "why did this web admin infect my computer? Sue!"

This genuinely happens a lot in the 2020s.


I think if you say "genuinely happens a lot" you should give some examples, because this seems odd to me.

More likely sites get cloned, improve their SEO over the original, and distribute malware.


Ok since it happens a lot can you cite it happening in 3 different occasions since 2020?


> This genuinely happens a lot in the 2020s.

Sceptical of that claim, can you provide a few documented cases?

Particularly for low-volume sites like the parent post.


Please provide citations for those lawsuits.


Not caring about whether some segment (possibly even a majority) of users can or are willing to jump through hoops to access your site is a valid choice, just like publishing through gopher is. You do you.


You could host hashes of the downloads on an https page. Should be quite simple. Malware can still work on a computer without a built-in network stack and if users are getting downloads onto that computer, then data can leave through the same means.


Putting stunnel in front of that site and opening 443 is about a solid 30 minutes of effort.


And set up certbot/whatever..

And update all links to not go back to the HTTP site...

And troubleshoot weird issues (TLS errors are generally not helpful)...

And maintain that setup for years...

Not an insurmountable effort for sure, but if you estimate 30 min for the total additional effort of adding HTTPS to a site then I have a bridge to sell you.


Set up a gopher mirror too :)


> Millions of such sites exist, are fine, are safe.

Frankly, even sadly, they are also entirely forgettable and don’t add enough value to hold back the modern web.


No one is forcing you to use TLS. Do whatever the fuck you want, it's your site?


http://n-gate.com/software/2017/

I always chuckle at this site does not need SSL post from n-gate.

PS: Use the URL directly in browser because the site doesn't like traffic from HN.


> PS: Use the URL directly in browser because the site doesn't like traffic from HN.

Or just fix your browser settings to not send cross-domain Referer headers.


I keep my site HTTP for compatibility and accessibility.

HTTPS can introduce all scenarios for not being able to connect.

I'm not hosting any secret data, but I do want to be able to post from anywhere.


Recently I noticed that FF doesn't even let you accept invalid (meaning no longer recognized as valid by FF because they changed the rules to require SAN) certificates for HSTS-enabled sites. The bug report's response was that the HSTS standard specifies that. Fuck that, the users should always be the one in control of such decisions in the end.


You forget exactly how much the government felt they got out of just knowing who was talking to whom, not even bothering to collect the data of the conversation itself.


Now they only have to subpoena/hack/partner with Microsoft for that.


Microsoft was one of the first companies to sign up for PRISM [1], doing so in 2007. I think there's a subconscious feel among many that because the media stopped reporting on these things, that it stopped happening. PRISM never ended, and almost certainly has only expanded and grown even more invasive and brazen largely owing to society's apathy towards what Snowden revealed.

Literally to this day one can read things like the NSA manual for using their software that enables real-time absolute surveillance of Skype: "User's Guide For PRISM Skype Collection." [2] The idea of any degree of privacy from any tech company hosted in America is a lie. The main difference with China is that we lie about our surveillance state, and force companies to lie about it, while China openly advertises theirs.

[1] - https://en.wikipedia.org/wiki/PRISM

[2] - https://www.aclu.org/sites/default/files/field_document/Guid...


You can learn a lot about a person based on the IPs they visit. HTTPS/SSL doesn't protect you from that.

In many cases you can even determine which protocols and general content they are consuming from that IP based on traffic shaping/fingerprinting. The burst of traffic your browser sends when loading a particular site is quite exploitable. There's plenty of software already available that makes use of this.


Public wifi and bluetooth detectors all over is what's scary, as most public wifi is used by phones, not machines and who the hell is running Edge on their phone?

but this just reminded me of the failed FB phone and the failed microsoft phone...


What bluetooth devices are you concerned are going to leak private data?

Looking at the ones I use daily... headphones, TV soundbar, Xbox controllers, TV remote. None of those provide an interesting attack vector.

My iPhone isn't really going to be connecting to random stuff and leaking data, so I don't really see the risk here. Maybe I'm missing something?


>>My iPhone isn't really going to be connecting to random stuff and leaking data

Incorrect -- BT scanners and loggers have been LONG tracking your things avail...

and the fact that Apple doesn't allow you to "turn off" it merely pauses..

both wifi and BT...

they use prox sensors for BT for airtags, wifi etc and ALL OF THAT data is mined like mad.

Any Apple person that says otherwise is lying to you.


So deanonymizing bluetooth device IDs. I know the Canadian spies used airport Wifis to deanonymize Wifi MAC addresses then set up wifi stations all over Toronto to experiment in tracking people.

How would they do the same for bluetooth? Broadcasting "Dans iPhone" doesn't tell you much.


Correct, but it's a more insidious web on this level...

they have so many correlation engines for device location, that it will soon be impossible to be "off grid", if it's not already.

how the heck do you think there are fn leaks from over a decade ago of "text messages received by the government reveal that person X who is on the shit-list was quoted as saying [BULLSHIT] sources close to CNN have stated.."

ASIDE: Famous story from ~20 years ago was talking about the CIA handlers at CNN... and the revolving door of in-q-tel emps from fb moving back and forth within the security team (one of which had to be walked out of the building for [things])

you don't need "dan's phone" they have had ECHELON for DECADES and were able to literally do 6-degrees ppl tracking since the 1990s...

WTH do you think they named it "starlink" instead of sky-net...

And when they built the first part, they were advertising the wonderful things the rural folks in africa's greater continent will benefit, then after a few years they showed that the system will primarily service the dense populations of the coasts of places like the USA and AUS -- which is where a big portion of the five-eyes service.

IMEI and such is a bitch..

iOS is the biggest location tracking platform ever...

Remember when the founder of Android (from Danger) was let go from google with a ~200MM$ golden parachute at $90MM to gtfo?


yeah but I'm pretty sure 99% of the population just clicks past those SSL certificate warnings, in part because they don't understand what that means, and in part because there are way too many sites that let their certificates expire.


HTTPS is trivial to break with a man in the middle attack, yes you get a scary warning in your browser about an invalid certificate, but I'd bet that 90% of people will just click through it and ignore it.


I highly doubt this prediction is accurate. Most people will think something is broken and call tech support.

Aside from that, this isn’t possible for HSTS sites.


Really? Most people? I cannot think of anyone from my family who would even think about it for a second - they would just get annoyed they can't get to their bank website or whatever and just click continue. Also what tech support? Me?


But now there is no button "continue", you have to click multiple buttons, which are not clearly labelled, in order to see the page. I'm sure 90% of people would not even be aware that you are able to continue.

Even more, for self-signed certificate on chrome, there is no button to continue for example. Check https://self-signed.badssl.com/


In your example, all I had to do was click advanced then proceed(Chrome on Android)


Ok, on chrome desktop there is no way to bypass the security


Yes, there is. I often have to use it to deal with some internal misconfigured site inside the corporate intranet (the cause is almost always that a certificate has expired, when it isn't it's because a host can be reached with two names and the cert matches only one of them, but that case can be fixed by using the proper URL). I have no trouble telling chrome desktop to bypass.


... and I always read the details before proceeding (finding out what chrome's problem with the cert is).


For some types of errors it is possible, for some others it isn't. Check the badssl website and test the various types of bad certs, you'll see.


From my experience working as on-campus tech support in college, most people who aren't tech savvy will quickly give up or look to someone else for help. They will likely not think to click Advanced -> Continue Anyway (unless they have been taught to do that before).

Tech support comes in many forms. The owner of the website, a friend who knows about computers, someone else in the workplace, the vendor they purchased their laptop from.


HSTS cannot be overridden. Which bank domain names are you thinking of that are not one of the twelve thousand names on the HSTS preload list? https://source.chromium.org/chromium/chromium/src/+/main:net...


I tried 5 banks (swedish and italian). None of them are in the list. I feel safer now :D :D :D

handelsbanken.se danskebank.se unicredit.it fideuram.it sella.it


Banks often have awful security systems. Kiwibank in NZ has a "two-factor security" system. All it is is a security questions thing where you click on screen to fill in 3 letters of the hidden answer. The on-screen keyboard makes it secure, you see? Against keyloggers.

I once wrote them a long email about what two-factor is actually supposed to be and why it exists, and got a reply basically saying "lol ok, our security is great ok?"

I've since switched away from them for a bank which does 'two-factor' by sending codes via SMS, but only when its algorithm decides that it needs to. That's not very often.


handelsbanken.se is on line 163144. (I was a little bit off on the length of the list before)

unicredit.it is not on the list, but unicredit.ba and unicredit.ro are. (Lines 7331 and 7332) It does send HSTS headers.

danskebank.se and sella.it are not in the file, nor are the base strings, but both sites do send HSTS headers.

fideuram.it is not on the list, and does not send HSTS headers, so they don't seem particularly interested in security. They also haven't set an A record for the root domain, so visiting `fideuram.it` returns NXDOMAIN. Only `www.fideuram.it` exists.


So this shows that your statement about the security of hsts headers was overblown?


You got me. I wildly overestimated the competence of Eurobanks. I'll never make the mistake of assuming an institution knows what it's doing again.


fideuram removed the physical tokens for 2fa and moved to SMS, saying that it was because of some european directive… I went to read the directive. It basically said to not use sms and avoid apps in favour of dedicated 2fa devices for banking.


HSTS solves sslstrip, I do not believe it enforces cert pinning. IIRC browsers deprecated cert pinning some time ago.


I've seen HSTS not let me continue without the server having the expected certificate recently, so I think that's still a thing.


That might be because of certificate transparency rather than certificate pinning.


"Aside from that, this isn't possible for HSTS sites."

Isn't it possible for the user to disable HSTS. A simple web search produces detailed instructions, from a CA.

https://sectigostore.com/blog/how-to-disable-hsts-in-chrome-...

Also, what does "HSTS sites" mean. Does it mean (a) "official" HSTS via HTTP header alone, (b) "unofficial" HSTS via preload list (see RFC 6797 section 12.3), i.e., the list maintained by Google, hardcoded into a browser, or (c) both. The "unofficial" approach only seems feasible for a limited number of domainnames and unworkable for every domainname in existence.

In tests I have done on Chrome (YMMV), executing "Clear site data" via Developer Tools, or including

   Clear-Site-Data: *

in an HTTP response header, e.g., added via a user-deployed proxy, will clear an "official" HSTS block, allowing the "MITM" to proceed.

Besides being generally annoying, HSTS allows for setting "supercookies" that persist even in "Incognito" mode

https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-bro...

The RFC for HSTS even admits how it can be used for web tracking. Not too concerning for the advertising company sponsoring the RFC.

14.9. Creative Manipulation of HSTS Policy Store

Since an HSTS Host may select its own host name and subdomains thereof, and this information is cached in the HSTS Policy store of conforming UAs, it is possible for those who control one or more HSTS Hosts to encode information into domain names they control and cause such UAs to cache this information as a matter of course in the process of noting the HSTS Host. This information can be retrieved by other hosts through cleverly constructed and loaded web resources, causing the UA to send queries to (variations of) the encoded domain names. Such queries can reveal whether the UA had previously visited the original HSTS Host (and subdomains).

I use a loopback-bound forward proxy to enforce zero tolerance for HTTP across all programs, not just the web browser. Everything is sent via HTTPS. The proxy is configured to check certificates, and deny connections, according to rules I set. I use a text-only browser for noncommercial, recreational web use so I need a forward proxy, if for nothing other than to deal with the spread of TLS. But I also use it for a whole laundry list of tasks.

Maybe it is just me, but HSTS, like much of Google's rhetoric, comes across as unfriendly if not hostile to proxies, regardless of who is running them. Consider this line from the RFC

"The rationale behind this is that if there is a "man in the middle" (MITM) -- whether a legitimately deployed proxy or an illegitimate entity -- it could cause various mischief (see also Appendix A ("Design Decision Notes") item 3, as well as Section 14.6 ("Bootstrap MITM Vulnerability"));"

"Mischief." Does that include inspecting one's own HTTP traffic on one's own network. How about blocking certain methods of tracking, data collection and advertising. Apparently it includes disabling HSTS.

Let's be honest. Google is an undisputed king of "mischief". The stakes for Google mischief are much higher and there have been too many fines to count. Consider the latest. How many people deploying their own proxies get fined $4B. (Arguably, an issue of "control" was at the heart of that decision.)

https://www.theregister.com/2022/09/14/european_court_fines_...

If the proxy is "legitimately deployed" then why not stay out of the network operator's way. Let them have control. Give the option to cede control to Google instead of making it a default.

I use HSTS for commercial, nonrecreational web use, when I have to use a "modern" browser. That is a small fraction of total web use for me.
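An added example, not part of the comment above or of any browser's code: a small Python model of the two kinds of "HSTS site" this thread distinguishes, the header-based policy store and the preload list, following RFC 6797. The host names and the decision strings it returns are constructed for illustration.

```python
import ipaddress
import time


def parse_sts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns (max_age, include_subdomains), or None when the header is
    malformed and the browser has to ignore it.
    """
    max_age, include_sub, seen = None, False, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        if name in seen:                      # each directive at most once
            return None
        seen.add(name)
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not (arg.isascii() and arg.isdigit()):
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
        # Other directives ("preload" is a submission hint) are ignored.
    return None if max_age is None else (max_age, include_sub)


def _is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


class HstsStore:
    def __init__(self, preload=None):
        # preload: {domain: include_subdomains}, shipped inside the browser
        # (RFC 6797 section 12.3). dynamic: learned from response headers.
        self.preload = dict(preload or {})
        self.dynamic = {}

    def note_response(self, host, header, *, secure, cert_ok, now=None):
        """Process a received header; return True if the store changed."""
        now = time.time() if now is None else now
        # Section 8.1: ignore the header on plain HTTP, on a connection with
        # certificate errors, and for IP-literal hosts.
        if not (secure and cert_ok) or _is_ip(host):
            return False
        parsed = parse_sts(header)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = host.lower().rstrip(".")
        if max_age == 0:                      # site withdraws its policy
            return self.dynamic.pop(host, None) is not None
        self.dynamic[host] = (now + max_age, include_sub)
        return True

    def lookup(self, host, now=None):
        """Return "preload", "dynamic" or None for this host."""
        now = time.time() if now is None else now
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):          # host itself, then each parent
            name, exact = ".".join(labels[i:]), i == 0
            if name in self.preload and (exact or self.preload[name]):
                return "preload"
            entry = self.dynamic.get(name)
            if entry and entry[0] > now and (exact or entry[1]):
                return "dynamic"
        return None

    def decide(self, scheme, host, *, cert_ok=True, now=None):
        """Outcome of navigating to scheme://host."""
        if self.lookup(host, now) is None:
            if scheme == "http":
                return "load-plain-http"      # exposed to sslstrip-style downgrade
            # No HSTS: the warning and any bypass are the browser's own policy.
            return "load-https" if cert_ok else "browser-default-warning"
        # Known HSTS host: http is rewritten to https before the request is
        # sent (8.3) and any TLS error ends the connection with no
        # click-through (8.4, 12.1).
        return "load-https" if cert_ok else "hard-fail"
```

A header-only host is protected only after one clean HTTPS visit and only until max-age runs out; a preloaded host is protected from the first request.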


Thanks for the informative post.


I'd argue the invalid certificate would only get the middle segment of semi-tech literate but security illiterate people. So maybe a lot of people on this site. The average user, based on my observations, tends to take these warnings very seriously.


Have you looked at what the UX is for invalid certificates in 2022? It's not like ten years ago where you just click enough times and "visit anyway".

Here, try this link in Chrome: https://untrusted-root.badssl.com/. When you click Advanced, it tells you "the website sent scrambled credentials that Chrome cannot process". And beyond that there's just no button to bypass it. You can't visit the site. (Sure, there's probably a chrome://flags or --disable-web-security way to bypass this, but that's well beyond the average user's comfort zone, as well it should be.)


Uh I just have to click "advanced" and then "proceed anyway".

I tried on a blank profile to make sure there were no strange settings.


I clicked that link - in Chrome on Android all I had to do was click "advanced" then "proceed anyway". I have never changed any flags or default settings in this browser.


I just tried to open the site in Safari, and there's no "Continue anyway" button, only "Go Back". I did not change any default settings, because I use Firefox as my daily driver (and Firefox does have "Accept risk and continue" button, but I think the word "risk" on it is scary enough for many people to not click it).

EDIT: It turns out there is a "visit this website anyway" option in Safari, but it is not a button, it's a link which you only notice when you click "Show details" button and read the warning.


A slight digression, but I read[1] recently that typing “thisisunsafe” while the tab has focus is sufficient for bypassing the warning.

[1]: https://twitter.com/cyb3rops/status/1561995926666985472?s=20...


it's not so easy to click through, because I often try and it really seems like they don't want you to, the dialogs are very confusing.


>trivial

>requires user mistake

Not sure how that matches.


It's trivial to set it up for the attacker. If you have a Linux laptop you can set up a redirect for all the traffic on the network through your machine with two commands, then there's plenty of tools that will intercept any incoming HTTPS certificate, replace it with your own, then decrypt the traffic. It sounds like a lot but anyone can set this up in about 15 minutes - that's why I said it's trivial.

The user mistake is just clicking "advanced" then "proceed". I know all my family members would do that without questioning.


Maybe teach them to not do that.


What percentage do you think of all network traffic that Edge handles is 1) Over wifi? 2) Over unencrypted wifi?


From my experience, tech people with non-default browsers can't use the internet :(


We had recently hired new programmers, 2 fresh grads and 1 junior. All of them use Edge on their personal laptop and I didn't notice an extension button anywhere.


Like your internet service provider you already have??


While I agree with the sentiment that ultimately we have to have some level of trust somewhere on the stack, there are a few minor differences.

In theory anyway, I pick my ISP. If this was "support for using a VPN" instead of "we're injecting OUR VPN" I would feel a lot better.

I'm aware I'm using my ISP. Even someone who doesn't know much about computers knows their traffic is going somewhere. They might not know the repercussions of that, but if this is just transparently on in the background, effectively a keylogger, a user might never know this is happening.

I give my ISP money. Back to the choice option. Some ISPs are bad and are trying to nickel and dime you to maximize profits. Some ISPs are actually good (I'm not Swiss so I don't know for sure, but Init7 looks amazing https://www.init7.net/en/support/faq/privatsphaere/). I don't have to question with my ISP "how are they profiting off of me" because I give them money every month. They might be, but they don't intrinsically NEED to be scraping my data. I am not sure how Microsoft benefits from giving me a free VPN unless they are scraping my data.

I can use a VPN to bypass my ISP monitoring if they do monitor. I have no idea how Microsoft's stuff is set up here. If the end result is that it gets routed through their VPN after my VPN, or instead of my VPN, or even through their stuff at all, but with stamped metadata, then there's not necessarily a great way to get around it other than "don't use Edge"

In general, yes, your ISP isn't your friend. But an ISP is something I asked for, have a use for, and need. A Microsoft stealth VPN is none of those things.


This was also how I could justify being more trusting of Apple. They didn't need all my data because that was paid for up front. The ongoing services that needed to make money I used were also paid for. Obviously that's no longer quite true with Apple ramping up their ad business, but that attitude is still often the best you can do without a level of effort that I just am not willing to go through.


An ISP is not a single point for all Windows users.


Cloudflare is probably not far off, though not an ISP in quite the same sense


Maybe a dumb question, but isn't that already a given when using a browser? To me it always seemed a bit absurd to use VPN as it basically just gives another person all your info, but just assumed browsers and the big 5 just got most of the data anyway.


The only thing I can see working is pollution, pollution of our data. There are some current extensions that do some of that, but they are likely not enough and what we really need is a kind stream of data and requests that your own requests are simply merged into.

The thing is that it would need to be smart enough to prevent pattern recognition, e.g., it cannot just be random data because your specific searches and string of searches or actions will stand out quite obviously.

Yes, it would place a severe tax on the internet and a few things could be done to minimize that, but I currently do not see any other better option.

I could see it implemented where your activities online are merged with and threaded into those of related or similar communities, e.g., be it family and friends, the YC community, or a combination of different groups. The effect would come from the proximity to similar but not exact activities. To use a common example, if your legal free speech activities could make you a target, those online activities are muddled and polluted by being merged with other people's legal free speech activities, and your activities would be merged with those of others.

Consider it a kind of mutual compromise of society in order to provide protection/obfuscation in numbers ... the zebra in a herd, if you will. They can't arrest/target everyone if everyone has activity data that looks like they defy the ruling powers.


> The only thing I can see working is pollution, pollution of our data.

this is a terrible and dangerous idea. Nobody cares about the accuracy of the data they collect on you. Stuffing your dossier with random things won't cause anyone to throw it away just because there might be errors in it. Instead all of that data, random/accurate or not, will be used against you all the same.

Your clever browser extension might have been responsible for browsing to a bunch of fast food websites, but your health insurance provider won't care. They'll just see that in your internet history and quietly raise your health insurance premiums anyway.

If your legal free speech activities make you a target, adding more free speech activities to your permanent record just means you'll also now be targeted for those activities on top of your own.

You can't know what will prejudice someone else against you. You might not be gay, or Muslim, or a heavy drinker, or an Andrew Yang supporter, but your browser extension pulls in the wrong data that gets you flagged as being one and it could cost you your job, get you denied housing, etc.

You might not be looking into getting an abortion, but anti-abortion activists who buy up the data of anyone who appears to be trying to get one, or looking for support after getting one, will still see you listed and you will still get harassed by them or dragged into a texas court room.

You might not be rich, but data brokers and consumer reputation services will see that you've been interested in expensive vacation spots and online stores will start charging you more than your neighbors for the same items on the assumption that you are.

If you want to try to hide in the crowd look into a VPN or TOR (although be aware device/browser fingerprinting can still get your traffic associated with you). Just please understand that giving others more ammo to use against you isn't helping yourself or anyone else. Adding more and more data to your internet history just increases your risks substantially because no matter if you deserve it or not your life will be impacted in countless ways by the data you surrender and none of that data, "pollution" or genuine, ever goes away.


If you have enough money and time, it might still be useful (and satisfying) to serve society in this way.

You would confuse models currently shooting fish in a barrel.

You would still pick the cheapest insurer (probably one that does not look at your data).

You can live without anyone abusing your privacy in this way.


>what we really need is a kind stream of data and requests that your own requests are simply merged into

having a wife and kids helps with this. or any shared wifi with a guaranteed shitstream for your tunnel to wade through


How are the browsers and the big 5 getting the data? It's not like you can't see what your browser is sending where.


You mean like sending what you type in the address bar to google as you type it.

Like sending usage information to the browser developer.

Like downloading code (experiments) for specific users which can essentially do anything.

Are you debugging your browser 100% of the time and fully analyzing all communications that there is nothing leaked. Is anyone?


No, I'm not, but I trust that if I disable the thing, it will disable.


Isn't this what they did with Skype (centralize it)?


Yup.


I think there's more to it than that. Good for some and bad for others. A few rough off the top of my head:

Good:

* Better privacy from the intrusive ad motivated JS shit hole the internet has become.

* Faster internet for those on slow connections

* Protection from ISP MITM. Many countries now have mandatory data collection laws that ISPs have to follow.

* Better than a lot of shady 3rd party commercial VPN providers.

* Is opt-in (for now)

* Potential to reduce Google's dominance

Bad:

* Obvious MITM choke point, as you mentioned

* Potential control / monitoring by two large corporations

* Business goals usually override users.


>* Is opt-in (for now)

Are you sure?

>a VPN baked into Edge appears to be turned on by default, but only for certain use cases.


Wait til you hear about Cloudflare


CF removed kiwi farms from their services. If they're cooperating with FBI they would continue to host and intercept traffic to decloak users.


Honeypots outlive their usefulness. Take silkroad v2 that was actually run by the FBI, yet they still shut it down.


Yep, a VPN baked into a browser like this is literally Microsoft stealing the network routes from your ISP, who is probably too embarrassed to complain that what’s happening is they are taking that sweet, sweet data with them. It’s like high-fructose corn syrup for targeted advertising imho. Who’s selling?


While it doesn’t resolve all the issues, the single point to monitor is your internet connection where they have jurisdiction, not some arbitrary VPN provider. Then if they can force the IKE a certain way they decrypt.

I think the other side of this is if you have FBI attention, do you really want to look more suspicious? Whatever fight you try with them you will not win.


It's also a way to front run ISPs in the data market. Then these vendors can sell the data on the data broker market and pocket the cash the ISPs are getting by selling whatever browsing history data they can infer (from DNS and traffic).

I suspect this is the corporate motivation. The increased state surveillance and control is a side effect.


I work for a very large corporation who has decided the default browser will be Edge. Getting another browser installed on your machine takes an act of congress and several upper level approvals.

Does this mean they will also have the ability to collect corporate data from the browser in companies like mine?


Just compile Firefox or chromium to WebAssembly and run it inside Edge. :-)


This reminds me of this here: https://en.wikipedia.org/wiki/EncroChat

However, the analogy is not 100% on point.


they already have this at several points in your network. from ISP to target site. meh.

the reason microsoft is doing that is because google is forcing their hand with Floc implemented in the browser.

you won't be in ads next year unless you can slurp more traffic than the NSA. and only google can do that today, thanks to chrome + android. apple is a close second.


How is FLOC relevant to this?


How do you think google competitors will have access to all those users to form the cohorts without having the browser or google analytics code everywhere?


> This is absolute BS they're implementing this.

Out of the perspective of a PRISM Premium Partner this makes perfect sense.


They already have that with ISPs, right? I don't see this as worse. If anything ISPs are more scummy.


Corporations have shown worse proclivities than the US government these days.


what makes you think it's the US government you should worry about?

EDIT: clarified "US" government, though I don't necessarily intend to suggest other governments are the worry.



It's because they are shareholder-driven, not customer-driven.

Clueless shareholders on the 59th floor of JP Morgan who don't even use Edge see "oooh VPN, me like buzzwords" and upvote the stock.


why is it ok if firefox and opera do this but no one else?


VPNs don’t help privacy at all. They allow you to substitute trust in your ISP for trust in a different entity. For some, that may be good, but for most others it’s a wash.


ISPs generally don't claim to protect your privacy at all [0]. So it would be foolish to trust them to do something they never claimed they would do. VPNs generally do claim they will protect your privacy so at least trusting them makes some amount of sense.

Going from "trusting" an entity that explicitly requires you to consent to spying when you sign up to trusting one which explicitly promises to protect your privacy when you sign up does seem like it would "help privacy" in most cases.

[0] https://www.privacypolicies.com/blog/isp-tracking-you/


A major difference between your ISP and a VPN is that your ISP is generally an established company based in the same jurisdiction as you are. So, if they do something terrible, in theory at least, they can be brought to court. A non-trivial number of VPNs that claim to protect your privacy, however, are based all around the world with unclear corporate structures. If they do something terrible, you likely have no recourse at all. How much faith you want to put in a promise made by such a company is up to you - but I would push back on the idea that simply making a promise really provides much value by itself.


> based in the same jurisdiction as you are

Why would I trust an entity that often has the legal backing to harvest my data and provide it to the government whenever they "deem" it necessary? The same government that has direct means of control over me? Whether it's the US, China, Germany, I think I'd rather put my chances with some private company that at least has financial and maybe ethical motivations (depending on the company) to protect my privacy. An ISP will only go as far as the law requires to protect it and who knows what backdoor deals are made with governments to subvert those same laws.

There is no realistic/helpful/useful legal process to sue over a breach of privacy. So my ISP being in my jurisdiction doesn't do me any good at all.


ISPs don't emphasize privacy in their marketing, but some large ISPs claim they protect it [0], although their claims are pretty dubious[0][1].

I think your logic holds up, but it's not quite as definitive as you say. VPNs are not the straightforward privacy upgrade that HTTPS is. (I don't think you were trying to imply otherwise.)

I think the picture improves if you choose more carefully. Choosing an established VPN that has a no-log policy and has been audited seems much better, because now multiple companies are putting their reputation on the line. On the other hand, I think a relatively unknown company that's reselling someone else's VPN and hoping to cash in on the "VPN = privacy" is only a slight upgrade over a major ISP.

[0]: https://www.latimes.com/business/story/2021-11-12/column-int...

[1]: https://www.ftc.gov/system/files/documents/reports/look-what...


> VPNs don’t help privacy at all

Of course they do, I'm so tired of seeing posts like this when really what you mean is that it's not perfect privacy and therefore you don't like it.


> Of course they do

Let me compare an ISP spying vs a VPN spying:

1. You make DNS request about example.com. Your ISP sees this. Your ISP can see what websites you "might" visit.

2. You connect to 1.2.3.4. Your ISP sees this. Your ISP can see what websites you "did" visit.

3. You request some data and receive some data. Your ISP sees the size of the data. If it's not encrypted, it can also see the content. Your ISP can see (at least) the size of objects that you requested -- which is enough to fingerprint many specific contents.

Okay so not using a VPN gives effectively zero privacy. Let's look at a VPN:

1. You connect to a VPN (and let's assume your connection doesn't "leak" insomuch as now _all_ network traffic goes through the VPN). Your ISP can see this.

2. You make DNS request about example.com. Your VPN sees this and your ISP can see a network packet. Your VPN can see what websites you "might" visit, your ISP can't.

2. You connect to 1.2.3.4. Your VPN sees this. Your VPN can see what websites you "did" visit. Your ISP still sees traffic to the VPN.

3. You request some data and receive some data. Your VPN sees the size of the data, and your ISP only sees the aggregate-size of data across all of your sessions. If it's not encrypted, your VPN can also see the content but your ISP should still only see aggregate size. Your VPN can see (at least) the size of objects that you requested -- which is enough to fingerprint many specific contents. Your ISP will have a tough time fingerprinting content from specific websites.

4. Your ISP can note that you have a high amount of traffic, possibly note that the traffic is going to a known VPN destination, and that your "normal" traffic is now gone.

Now, your VPN can see all the stuff that your ISP used to see. In addition, your ISP can now determine that you might be doing something illegal, suspicious, or at the very least "enterprise grade" and demand more money.

Have you really gained more privacy?


Your ISP is legally resident in the country most likely to want to spy on you. There are also very few ISPs per country, so it's less work for the attacker to cover everyone they care about.

There are vast numbers of VPNs, so total coverage is impossible. They are also very likely to be in a different legal jurisdiction, so it's non-trivial to do.

So, yes, you have, by making yourself a harder target despite having the same amount of centralisation on your part.


Same with most VPN providers. Just expands the search from "ask ISP" to "ask ISP, they tell government it's a VPN company, ask VPN company".

Now, sure, they could "just" delete logs, but their government can "just" tell them not to, or even tell them to live send the logs to them directly.

So it's really "which country's government you trust".


There are quite a few VPNs who have been asked to keep logs by the authorities but the VPN providers contest it in court, and since their jurisdiction's laws don't require them to, the courts side with the VPN providers.

Mullvad, OVPN are a couple.

What are your opinions on those? Not every country has laws like USA/India, which give the government free rein by citing certain Acts.


Adding that in general a country's law (data protection/privacy in this context) usually targets its own citizens; traffic related to foreign citizens (as in the case of VPNs) would for sure have a lower degree of protection.


My country has between 3 and 20 ISPs per city, for a country of 7 million.


I assume they are just resellers, buying bulk data from a big carrier. Is that the case?


IDK about simplyinfinity, but here in NZ, the last mile of internet infrastructure (the fibre from homes to the exchange) is owned by regulated companies which must lease access to them at set rates or lower, and mustn't act as ISPs.

As such, we have dozens of ISPs with their own backend infrastructure, all sharing the same last-mile, and most available nation-wide.

That said, they're all going to be buying transit from a big backbone ISP to get overseas connectivity.


VPN and ISP are similar in terms of middlemen, but there is an important difference downstream of said middlemen.

With your ISP, you appear on the internet as a residential IP that provides your approximate location and most likely doesn't change very often. The requests you make can be easily correlated by PRISM or any other middleman, or by any CDN running the websites you visit.

With a VPN, your exit IP is unrelated to your geographic location, changes very often, and hopefully it is shared among many more users.


Also you could use a double VPN config from different VPN providers in separate geo locations with OpenDNS thrown in one of them. Then it would be much harder to correlate your traffic out of the mix. It's not about perfect secrecy, it's about becoming a hard enough target.


GeoIP services are trash. My current IP on most GeoIP services gives a location >900 miles away. My last IP had a location in another country. I don't think I've ever had a GeoIP lookup resolve within 100 miles for any IP I've had.


> GeoIP services are trash.

GeoIP is only necessary when seeing a new IP. But once the IP starts to build a reputation, then the specific location can be determined. It's especially true if you buy something online.


My single data point observation is that it gets my city correct nearly 100% of the time and sometimes is able to resolve to a nearby suburb.


My several datapoints are wildly inconsistent and have never been within several hundred miles.

- My office: suburb of Chicago
- My home: downtown Atlanta
- My friend's house: just outside Phoenix
- The McDonald's free WiFi: Chicago
- A church's WiFi: Some random location in Arkansas.

I'm in North Texas.

Just a few examples I've remembered since making a point to test while I'm out.


Based on that analysis, I say clearly yes! Privacy is about choosing who to share with, be it a specific group or no-one. Being able to share with a VPN of my choice (who, if reputable, shouldn't further disseminate my information) is likely a privacy gain compared to being forced to share with my ISP (many of whom would gladly sell my data).

Being able to choose to reveal data to Mullvad over Comcast or Verizon seems like a clear win to me.


Yea I really don't get these people. Frustratingly. Perfect is the enemy of good here. Yes, full privacy is the goal, but I know certain actors are spying on me. If I can bypass them, I can at least attempt to improve it.

At the very least I rob Comcast of my data. Which is my goal, after all. Not full privacy.


> Yes, full privacy is the goal, but I know certain actors are spying on me. If I can bypass them, I can at least attempt to improve it.

The problem is that it doesn’t actually change anything while giving a false sense of security.

Your VPN’s ‘improved’ privacy is just as worthless as the privacy you get with just your ISP. If something requires privacy, neither can be used, and if it doesn’t then why should it matter which one you use?

Privacy is an on/off thing. Either you have it or you don’t. There is no in-between.


One wonders if you consider your bedroom to be private despite the fact that a peeping tom can still look through the window.


My VPN provider (Mullvad) doesn't have my full name, address, and social security number. They could build a profile off my account number, sure, so I have to trust that they're not. If they actually aren't, fantastic, I win. If they actually are, I still win, because they have less data to build a profile on me from. I know for certain that my ISP is selling my data, so I'm certainly no worse off.

On top of that, I get the benefit of not being tracked everywhere on the web. Or if they are tracking me, they have bogus data. And I can set my exit server to a jurisdiction with more user-friendly privacy laws.


Mullvad is just the first link in the chain of untrusted systems between you and whatever server you’re connecting to.

Also, what better place to tap traffic than the connection of a VPN provider.


> Also, what better place to tap traffic than the connection of a VPN provider.

Well, per my previous post, my ISP is definitely a better place. Hell, you don't even need to tap them. They'll just sell you the data, along with other PII. (Setting aside Mullvad's multi-hop support, which would require taps in multiple jurisdictions).

I think the point you're trying to make is that this isn't resilient to the NSA monitoring my traffic. I had hoped it was clear from my message that there's another level of privacy I'm concerned with related to intrusive private entities. I'm not expecting the GDPR or similar privacy laws to stop the NSA either, but they serve a useful purpose.

I guess I'm banking on Meta and Google not tapping Mullvad. Or even the RIAA or MPAA, for that matter. Because my ISP will very willingly give those entities data. And as long as unencrypted SNI is the norm, my ISP knows more than I want it to know about my browsing behavior. Not to mention the stuff that isn't HTTPS. Sure, Verizon knows I've established a connection to an encrypted tunnel and how much bandwidth I routed through it, but that's a level of metadata I'm not concerned with.

So, yeah, Mullvad could be logging every packet through their tunnel. They could even assemble a profile based on my account and sell it to all the data brokers and advertising networks. They still don't have my SSN. Even if all of that happened, then I'm still no worse a situation than if I didn't use them because my ISP is doing those things. At worst, I'll be out 5€ for the month.


If you don’t trust your ISP, then why not simply switch to another one? I literally have dozens of ISPs to choose from at my address. Last time I checked there were 13 ISPs offering fiber service alone, if you’re willing to settle for DSL or cable there are a lot more options. And that is with me living in ‘socialist’ Europe. I can only dream of how many options people in ‘free market’ USA must have.


I have two viable options, ignoring 5G and satellite services. The one I'm on is the lesser of two evils. And I've largely neutralized the primary concern I have with the ISP I'm on.

Where would you like to move the goal posts now?


> I can only dream of how many options people in ‘free market’ USA must have.

I think you answered your own question.


> And that is with me living in ‘socialist’ Europe. I can only dream of how many options people in ‘free market’ USA must have.

I can feel the sarcasm dripping from this sentence.


This is quite a concrete illustration of the concept of the perfect being the enemy of the good. Thank you.


No... It's a demonstration of adherence to the axiom "Don't let perfect be the enemy of good" being misapplied.

The "Good" (VPN) is exactly as imperfect as its complete absence. There has been no improvement whatsoever. Literally, as far as Privacy is concerned, nothing short of "No one actor has the capability to sit on a full stream of traffic", will suffice.

Either you're MITM'd or you aren't. Use malicious postmen if it makes it easier.

If you have the same guy come, and all of your mail goes through him, he can reconstruct all conversational state.

Now imagine you get a different malicious postman at random every day. He eavesdrops on every packet, but he's not privy to which of his fellows is scheduled to get the next packet. Therefore, it's not practicable to MITM in any practical way. This all goes out the window when someone controls the malicious postman scheduler, of course, because then they can figure out a map of who to go to to reconstruct your conversation.

The above is the concept behind Tor, and why the only effective counter to it is to run a hell of a lot of entry/exit nodes so you can conceivably time correlate given enough consecutive probe points are hit.


Russia has the ability to drop a nuke in the region you currently live in, so there's no such thing as safety and therefore why do you have locks on your doors?


I find this extremely doubtful. I see the point of your statement, but I'm willing to bet 99% of all the already built nuclear devices wouldn't work today. There's no way that they're all stored in such a way that the delicate mechanisms are protected from the environment and oxidization, moisture ingress, insects, heat and cold expansion and contraction.

That a nation could make a new device is arguable, that a nation could make a device that could be delivered without flying planes over another country is less arguable. Even nukes as they stand would only pose significant threats to certain parts of a country (there was a map floating around the web a few days back of areas of the US most susceptible to the - pardon the pun - fallout from a tactical strike.)


Especially when you consider that what they're really saying is that a VPN won't hide you from a state level actor.

Yeah, of course not, that's not nearly the only reason to use a VPN.


As others have mentioned you gained privacy from your government that has easy access to whatever information your ISP has but not towards a VPN provider.

But the information you leak towards your ISP or VPN isn't the only variable. With a VPN you leak less information to the services you interact with (e.g. your IP is hidden) which undoubtedly increases privacy.


> Now, your VPN can see all the stuff that your ISP used to see.

> Have you really gained more privacy?

Absolutely, 100%, unambiguously, yes; my ISP openly says that they monetize my data, my VPN says they don't. I'm very happy to gamble that the VPN is telling the truth when faced with the expectation that the ISP is telling the truth.


My VPN was unable to give the British government any logs or IPs relating to someone who emailed a series of bomb threats using them.

As terrible as that is, yeah I feel pretty safe pirating movies using it.

But you're right that blindly trusting a VPN without doing any research might be worse than blindly trusting your ISP.


VPNs' entire business revolves around not giving up your data, that's why you pay them. ISP business revolves around protecting their monopoly which means making the government happy. Massively different incentives which means they will act differently. If VPN leaks data and people find out they're done. If ISP does nothing changes for them.


> your ISP can now determine that you might be doing something illegal, suspicious

and my neighbours can determine I might be doing something illegal when I close my curtains, sure.


> Have you really gained more privacy?

No, but you have lost less privacy.

The amount of loss of privacy you incur when some particular item of personal information about you is revealed to another party often depends on how much other information that party has about you.


If the ISP is legally protected from any inquiry or transparency into what they do with the data and is systematically incompetent about protecting it and the vpn exists in a country with good privacy laws, then yeah.


You increased the number of choices you can make regarding your privacy.


Of course they do? They are a tool that routes traffic through a third party. That can be anywhere from terrible to fantastic for privacy, with everything in between. There's nothing "of course" about it.


One of the main use cases today for VPNs is to pirate movies or access geo-blocked content. That and dodgy hotel wifi.

The adversary is netflix or a IP rights enforcement company, and the user doesn't care what their ISP or a state could observe.

For what they are used for, they are fine. If you are worried about state or megacorp spying, the solution is less technical and more political.


No as a rule.

They just replace your ISP with a VPN company. Which of the two is more shady is something you have to figure out, keeping in mind that a subsection of the internet just stops working or turns the aggressiveness of their anti-bot protections up to the maximum on a VPN.


While traveling I've used my own VPN hosted at home to provide additional security.

It allows me to trust only my ISP instead of every ISP in various coffee shops.


I would reverse that assertion under the one condition that you don't use a VPN provider from your own country. In Australia at least, ISPs are legally required to maintain logs of everything you access for several years. By choosing to trust a VPN provider outside of Australia, you de facto have better privacy than you otherwise would have.


Does the VPN company have a business presence in Australia? If so, then maybe you haven't gained as much as you think...


Absolutely true. The VPN provider's servers and business must be outside of your country.


https://www.ivpn.net/ see "Do you really need a VPN?" - not affiliated with them, but tell me any other VPN-service that is actually this upfront... most are marketing the hell out of their apparent magic effects...

since we're on the topic: how is it still a thing that vpn services are actively pitching content-block/copyright circumvention? Seems weird to pitch something as shady this loud and publicly? Reminds me of how weird I find it that trackers and illegal hosting sites have twitter accounts...


I'd say they're still a net win, generally. The ISP vs VPN service tracking who does cancel out (if you ignore privacy claims of VPN providers, vs ISPs generally not guaranteeing that at all), but for every other service I might consume, when I'm on VPN I'm no longer connecting from a unique IP that can have other identifying information tagged to it.


To add to that: in Sweden (which is generally pretty ok in regards to privacy and rights) ISPs are required to store traffic for 6 months, while VPN providers are not.


Wasn't this struck down by the EU recently?


>VPNs don’t help privacy at all.

1. They keep your data safe from your ISP.
2. They keep your IP hidden to the sites you browse.

Those two clearly "help" privacy.


They also expose your data to the VPN operator. That's a negative on privacy. Whether it's a net negative or positive depends on the VPN operator and ISP involved.


The VPN provider could be you hosted somewhere using bitcoin.


In Germany (according to TTDSG) an ISP does not have to claim that. They need explicit permission to track you. It is pretty much as the post does not have to claim that they open your envelopes.


I think the only good reasons to use VPNs are for torrenting and accessing movies only available in other countries. For any privacy reasons it's best to use Tor.


> VPNs don’t help privacy at all.

> For some, that may be good, but for most others it’s a wash.

That sounds less like "VPNs don’t help privacy at all" and more like "VPNs are helpful some of the time".


I believe it is harder for my government to get my data from a foreign VPN service than from my local oligopoly ISP that is already effectively an arm of the government.


It is not just about your ISP though. Your IP is getting sent to whatever website you are connecting to. People won't always trust that website.


VPNs help against geolocation and geofencing though.


VPNs don't anonymize, they just route you through an anonymizing service. Lol.


They help in public WiFi.


Public wifi, assuming you don't send any personal info to "sign in" to the public wifi is more anonymous than a vpn that has your name/address/etc.


Modern TLS is enough to prevent others from eavesdropping everything except domain names when on public WiFi. Domain names are sent in clear text if your client supports SNI.


A trail of DNS names is more than enough to know what somebody is up to.


You could use DoH, which you should do anyway. No reason to leak DNS lookups to anyone.


DoH alone is not enough due to https://en.wikipedia.org/wiki/Server_Name_Indication being sent in plain text. Some day ECH (formerly, eSNI) should help with that.


I thought TLSv1.3 already encrypted the SNI?


No. ESNI is a later-created extension to TLS 1.3


It does


ESNI is not implemented yet on any website. And there is no software support except beta versions of Chrome/Edge and you have to manually toggle flags in dev mode.

All SNIs are passed as plain text to your ISP/VPN, even with DoH/TLS secure DNS enabled.


you'll always be leaking it to whoever you are sending your query to.


So I can pay $10/mo for a VPN for use when I'm on public wifi, or I can run WireGuard on my Raspberry Pi at home and get one for free


It might be cheaper but still not free. Cost of electricity + time to maintain + Raspberry Pi itself. Not to mention that you don't get the variety of servers (for geo-location or more diverse networks not tracked to you by websites themselves).


Well the Raspberry Pi is already on 24/7 running a few other services for my home network. But even then, the energy consumption per month costs pennies. I update the device once a quarter and it takes me 5 minutes. These costs are so negligible as to have no impact on my decision making process.


Not sure what services you’ve looked at, but it definitely doesn’t cost $10/month.

Your personal solution seems pretty good though.


Unless you are a network security expert, aren't you greatly increasing your risk by running that WireGuard server?


Why would you? Nobody can connect to it without your private key. Or is there something I am not aware of? Genuine question, as I am running wireguard in a few places and thought it was secure by default.


WireGuard is pretty minimalist and has great defaults, AFAIK if you manage to set it up you're good.

Unless your credentials leak, of course, but a security expert would have that same risk.


You do not need to be a "network security expert" to safely run a WireGuard server


Anything that decides to wrap around your internet traffic without telling you should definitely raise your antennas.

Even if they had the best intentions, it's pretty easy to botch these things which erode your privacy even more.


If it was good for you, Microsoft would be the one announcing it. Loudly and repeatedly. They would do it even if it was harmful, but there existed some artificial narrative where it sounds good.

You are hearing it from a third party exactly because they couldn't construct any explanation minimally realistic that sounded good.


They haven't announced it yet because it hasn't been released. Reading the article, it does sound pretty decent.

Partnership with cloudflare, selectively enables when you are connected to untrusted networks like public wifi.

Pretty much the only downside is that they turn it on by default... which is always tricky when most of your target audience is not computer savvy in the least.

How to give people security features that they have to figure out themselves when they can barely open the browser .. a dilemma for the ages.


The pain/anger you’re feeling is called stallmanogenesis: the suffering induced by realizing, by force or otherwise, that stallman was right


Nostradamus of technology, even if we all didn’t want to believe him.


MS motivation is quite clear.

Windows is an appliance (an interface) for amazon shopping and watching netflix.

The MS telemetry has proven that 99.999% of consumers do not tweak default settings or dig under the hood.

The 1-2 million now former "windows power users" are just too small population to be economically feasible to deal with.

For MS it does not matter to lose those few to other tweakable OSs.

Instead MS's product department is dreaming of scooping the remaining billions of cash-laden consumers. Presumably this is what the telemetry tells them.

Cash is good, consuming is good, keeps the economy running, making shareholders happy.


Ok, but how exactly is your story an explanation of the motivation for VPN in their browser?


When trying to ascertain the intents of large organizations, I find it useful to examine previous actions. In the case of Microsoft, their willingness/intent to add ads and telemetry (including keylogging) into their OS seem to indicate they are doing this for serving ads better to their larger (paying) customers.

If you're not paying for the (specific) service, you are the product.


I mean, if you have an attitude that anything an organization does must be for an ulterior motive, you're always going to get what you are looking for. Heck, people too for that matter. Maybe my dog just pretends to love me to get food.

But in this case, Microsoft is looking for any competitive advantage against Google. They won't win on targeting, and they still make more money selling software than ads. So this does seem like an easy win for them.


> if you have an attitude that anything an organization does must be for an ulterior motive …

Well in the case where they are spending a lot of money to implement and operate a feature that nobody asked for and which has obvious privacy downsides, it does seem worthwhile to examine their motives. It’s not like we’re responding to the announcement for the next model of the Microsoft ergonomic keyboard with “hmmm, what are they up to?”


> obvious privacy downsides

What is the obvious privacy downside of selectively enabling a Cloudflare VPN when browsing on public Wifi or unsecured sites (which is when it enables)? That Cloudflare can see what sites you visit?

On public Wifi and unsecured sites, anyone could potentially see and modify the data anyway.


The privacy issue is obvious. If my browser is funneling all of its traffic through a specific VPN instead of letting my system handle it, I have to wonder whether that choice was based on the VPN operator wanting to see my data or cooperating with someone who does.

This is like finding out Microsoft decided all internet traffic on windows should be proxied through their servers. Could there be a benefit? Yes. Does it raise serious questions? Most definitely.


> If my browser is funneling all of its traffic through a specific VPN instead of letting my system handle it

It's not. According to the article, it only funnels insecure traffic through the Cloudflare VPN (eg, to a site with an invalid certificate). And this doesn't prevent you from using your own VPN as well.

If you're connecting to a site over HTTP, and the packet takes 10 hops to get there, that's 10 machines that can see who you're connecting to and what data you're sending. Including, in all likelihood, a major CDN like Cloudflare. Also including anyone on the same public Wifi network. This data was never kept private to begin with.

If you're connecting over HTTPS with a valid certificate, the VPN isn't used. Even if it were though, they couldn't see your data. It's encrypted.


Because every recent development in the evolution of Windows has been hostile to privacy.


Check out the book “Hard Drive” about the early days of Microsoft, and you will never be able to see anything that corporate does without suspicion, and for a good reason.


And apparently we now get downvoted on Hacker News for a book recommendation. Amazing.


About the pihole problem, redirect all calls to port 53 to your pihole.

If Edge is using DoH, you're out of luck.


Does something like `source 0.0.0.0 dest 8.8.8.8 dport 443 action drop` work for DoH?


You are actually being too kind IMHO.


Probably because Facebook already tried the free VPN and it was every bit the privacy nightmare you'd expect it to be. Given Microsoft's track record, there's no reason to expect that to be any different.


I am 100% with you in general, but this feels more like the Windows Defender launch than some fully cynical power grab. That is to say - Microsoft gets a lot of grief and work from windows installs getting taken over / viruses / etc. For users who don't pick up their own protection (and don't choose to turn off the default windows protection) this feels like a better default. I don't trust Microsoft, but you are already exposed to their manipulations when you are using their OS - and this will help protect you from other manipulations.


This is where Apple's implementation, where the info is split between them and a third party with neither of them able to read the traffic on their own is so smart. Especially since there are multiple counter-parties to Apple. It also negates the risk of an MITM attack. Yes of course they could collaborate with a counter-party to break the system, but it seems significantly less likely to happen, and if it was happening it would be significantly more likely to come to light.


I mean nobody is forcing you to use Edge or Chrome, there are better alternatives like Vivaldi or if you really want to take it to extreme Ungoogled Chromium. But I agree with your sentiment, although it just means you should probably move to open source and obscure options.

Also:

> Brave, Mozilla, and Vivaldi have said they intend to continue supporting Manifest v2 extensions for an indeterminate amount of time.


The motivation is to keep up with Apple who themselves are trying to distinguish themselves from Google. Doesn’t need to be sinister. If your primary business model doesn’t depend on tracking people to sell ads, and you’re competing with someone else whose does, then leaning in to making the use of your software/hardware more private makes sense.


I noticed today I can't find the Chrome flag (v105) to enable its reader mode. It's like they just nuked it since it made articles actually readable. It's not a huge deal, but I liked not having to launch another service like Pocket.


> Why do I always get a bad feeling about the motivations behind stuff like this?

Because of Microsoft history. Including recent history.


Exactly.. I would take it from Firefox if they offered something like iCloud Private Relay.

But the thing they offer from Mullvad is no better than a traditional VPN (because it is a traditional VPN). And even more limited because it only works in the browser.

And indeed the circumvention of Pihole is a big problem.


"bad feeling" is too generous. Microsoft is famous for its ubiquitous telemetry. It is not a suspicion, data collection is a fact. today. already.


IMO it's so they can keep the data-usage metric in their house and not leak it to other companies which are competing for ad attention...?


If you have never worked at a large tech company like Microsoft, you'll probably have a bad feeling because there's a lot you don't know about the business process of shipping features like this. It's reasonable to be cynical and confused if you have never seen it from the other side.

For the most part, product features like this are shipped for boring and completely non-nefarious reasons. It's just hard to believe that if you've never worked on one.


How is this not a transparent attempt to secure user information and conceal it from the usual other suspects?


No, yeah, it's sketchy as hell. Welp, another browser I'll never touch I guess.


Block UDP port 53(DNS).


The motivation here is surely reducing ad tracking.


Just creating a honeypot for the 3 letter agencies. Microsoft loves doing that. Just don't use Edge I guess?


Firefox, having your back since 2002.


> the VPN will automatically connect when you’re using public Wi-Fi or browsing unsecured networks and sites lacking a valid HTTP certificate.

OK, that's actually a pretty decent idea. It's not going to be always-on, but it's providing security specifically for things like coffeeshops/libraries and for sites that don't provide their own security. In other words, it's "backup security", not rerouting all of your "normal" secure traffic at work/home.

This mainly protects sites you visit from having JavaScript injected into them by networks when there aren't any other protections, and the VPN is run by Cloudflare so it will be performant, so I don't really see any problems here? Seems like a positive development actually.


Just curious but is there really a risk on public WiFi if you’re using DNS-over-HTTPS and connecting to a site over https?


You can still do reverse domain lookups using the IP address as well as see the domain in the SNI details.

So the content is safe but the sites you visit are still exposed unlike with a vpn.


Although you would commonly find a long list of AWS or similar IP addresses which wouldn't be very useful, unless you simultaneously crawl tens of thousands of possible sites (from the same source IP range) to map IPs to sites.


No, though DNS-over-HTTPS is already basically a proxy.


By this definition, any DNS server is basically a proxy (assuming you are not hitting an authoritative name server for the domain you are trying to access).


No it isn’t. The DoH server is the final destination. It isn’t relaying your traffic to somewhere else.


> This mainly protects sites you visit from having JavaScript injected into them by networks when there aren't any other protections, and the VPN is run by Cloudflare so it will be performant, so I don't really see any problems here? Seems like a positive development actually.

How does this protect from having JavaScript injected? Why couldn't the VPN do that?


The assumption is that the VPN operator is more trustworthy than an unsecured network.


Yeah, and even if the network operator is trustworthy, oftentimes any other user on that network can mess with you, e.g. ARP poisoning.


MITM protection on public networks maybe?


> MITM protection on public networks maybe?

How does this address the fact that the operators of the VPN can certainly modify any content they access over http on your behalf?


It's a question of how many entities you have to trust. There are many thousands of public networks around the world and millions of people using ISPs which tamper with traffic (especially on mobile networks). With the VPN, you only have to trust the VPN provider; without it, you have to review each network you use and its ISP. That doesn't mean that the VPN is automatically trustworthy, of course, but it's a single entity.


Note that you still have to trust the server's ISP and any intermediate ISP routing traffic from the VPN exit node to the server, if you're accessing a server over an insecure protocol.


Of course, but almost all of the tampering has happened on the client end historically, especially since this VPN is backed by Cloudflare who have widely distributed nodes. It’s still much better to deploy TLS everywhere but this shuts down most of the non-NSA attacks.


Absolutely, I just wanted to give the full picture.


The operators of the VPN in this case are also the developers of the browser. If they want to inject content they can do that without the VPN.


It's security by consolidation.


Security by consolidation to single point of failure, I might add.


The question is whether your basket is made of chains (one bad link), cables (many bundled wires), how many baskets there are, how many eggs in each, and how effective and trustworthy the guards are.

Simply shrieking "SPOF!!! SPOF!!!" lacks nuance after a while.

I've concerns with proposals such as this similar to what others are voicing on this thread. But if one considers the proposal in light of the present status quo for the typical person, then it's probably a net improvement.


I agree, and it's hard for me to trust the VPN more than my own ISP. Like yeah, someone else on this public coffee shop wifi network can waste a whole day finding a couple of random victims. Does that actually happen, idk. Have huge, reputable VPNs been hacked before, yes, and there's much greater incentive there. Either way I won't know, so it feels like they're selling snake oil.

"Microsoft" and "security" also don't go together in my head.


Coffee shop hacking is usually done in an automated, at-scale fashion, often with a remote device that doesn't require an operator to be present or paying attention.

It uses lowest common denominator tactics. This VPN strategy is precisely for the lowest common denominator.

I don't understand how something can feel like snake oil when you haven't researched your own questions. I can sow doubt on anything; is it always justified?


Better than every public wifi access point being able to.


It's reducing the number of parties you have to trust from 'every hop along the path from the public wifi operator to the host' to 'Cloudflare', and many site operators already trust Cloudflare not to MITM them.


I don't think that CF already MITMs most of the internet is such a great argument for letting them MITM the rest.


How hard would it be to silently push an update to redirect all Google traffic through the VPN? We have already seen them trying to get Google search queries and results. And why stop at Google? Basically they can do any website they want.


The only way they can do that is at the client level, not the network level. Whether it's running over a VPN or not, your traffic to Google is TLS, so you have an excellent guarantee that it's impossible to snoop on the contents of your HTTP requests at the network level.

However, you are using a Microsoft client and/or a Microsoft OS to do this - and of course, if they want to, Edge or even Windows itself can report on the input and output of any operation you make, regardless of any network security. Similarly, WhatsApp or Signal or iMessage or Android/iOS could send a copy of the plain text of any messages you send or receive to home base despite them being E2E encrypted on the wire. You always have to trust the device and client software you are using to access the internet.

So, if you personally don't trust Microsoft not to snoop on your traffic with Google, using Edge or Windows is completely wrong.


> your traffic to Google is TLS, so you have an excellent guarantee that it's impossible to snoop on the contents of your HTTP requests at the network level.

It’s definitely not impossible; MITM attacks work for TLS and this is exactly how Cloudflare works (it MITMs TLS sites by terminating the tunnel and recreating it). TLS is only secure if you have pinned certs.


MITM for TLS only works if you have the cooperation of the server owner (like Cloudflare does, or illegally by stealing the server owner's private keys) or a malicious CA, or if you ignore the security errors that the browser offers.

Otherwise, TLS is completely impervious to MITM attacks as a protocol.

Of course, various implementations of TLS may also have exploitable vulnerabilities.


I’m not sure what you refuted here, you seem to have said exactly the same thing I did.


They’re not magic. They can’t peek into the TLS connection between your browser and google.com.


Conversely many people here think TLS is magic and unhackable, but it is not.


I’m not sure what you mean. Do you know how to break TLS?


Yes, a MITM attack. Exactly what Cloudflare does to provide their services over TLS.


But that’s not a problem with TLS any more than you giving out your AES keys is a problem with AES.


I’m not sure even how to respond to this. If a protocol is weak due to a flaw, like being susceptible to MITM attacks, then yes it is a problem with the protocol.

This is exactly my point. People are desperate for there to be no flaws in TLS, so much so they ignore MITM attacks.


From the article, this is powered by a partnership with Cloudflare. It's worth noting that until August 6 of this year, Cloudflare's WARP VPN would leak your IP address - but only to sites using the Cloudflare network.

https://web.archive.org/web/20220609160341/https://developer...

And when Cloudflare released their new SOPs for Warp, they did so in a blog post titled "More features, still private" - https://blog.cloudflare.com/geoexit-improving-warp-user-expe... as referenced in https://developers.cloudflare.com/warp-client/known-issues-a...

Microsoft's initial announcement for the feature touted that IP addresses would be masked, and one imagines that they did their diligence with Cloudflare and are enforcing the strong practices that WARP has now rolled out more broadly.

But it's worth noting that you're routing through a company to whom the words "still private" encompassed leaking client IP address information to Cloudflare's hosting customers as recently as two months ago.


Warp/1.1.1.1[0] is a product, not a VPN, despite the fact that it tunnels your traffic. Even after the IP address change, the current documentation and promotions for Warp do not call it a VPN. It was never meant to keep your IP hidden from the websites you visit.

0: https://1.1.1.1/


I wish that were how it had been presented, but they indeed did advertise it as a VPN. From https://blog.cloudflare.com/1111-warp-better-vpn/ :

"Technically, WARP is a VPN.... We built WARP because we’ve had those conversations with our loved ones too and they’ve not gone well. So we knew that we had to start with turning the weaknesses of other VPN solutions into strengths. Under the covers, WARP acts as a VPN. But now in the 1.1.1.1 App, if users decide to enable WARP, instead of just DNS queries being secured and optimized, all Internet traffic is secured and optimized. In other words, WARP is the VPN for people who don't know what V.P.N. stands for."


I don't think this holds much weight given the regular users of this product are likely referred to https://1.1.1.1 and are unlikely to read through all of this 3000 word blog post with tech jargon. However, indeed, many people might've heard about it from other blog posts saying it's a VPN or word-of-mouth from more technical users also calling it a VPN - but it's obvious Cloudflare made a concerted effort not to use that term.


I think it holds weight when I’m staring at a Cloudflare blog URL that explicitly says “Warp better VPN.” I don’t doubt that this has been scrubbed from current documentation, but this is fair evidence for the above comment’s claim that CF has advertised it as a VPN.

I don’t have a dog in this fight, but it was especially odd in this context to claim that this misconception was entirely driven from outside of Cloudflare when the URL is sitting right there.


It's used five times in that single paragraph. That's Cloudflare calling it a VPN. You can't unring the bell.


I remember seeing this blog post and the updated docs suggest they no longer reveal your IP but enable WARP and visit https://www.whatismyip-address.com (uses Cloudflare) and you’ll see your actual IP.


As a generally happy Cloudflare customer, a Cloudflare VPN makes me deeply uneasy. (Yes, I know Warp has been around for a while.) Using it means Cloudflare owns a huge chunk of your Internet traffic end to end and decrypted, a uniquely powerful position to be in. And this is going to be default on in Edge according to TFA, even though it’s only applied to plain HTTP sites by default at the moment.


People are fools if they think there isn't a Room 641A in Cloudflare, except it's a lot better since web service operators willingly handed over all their private keys and therefore user data.


Browsers already want to send every domain you visit to cloudflare via DoH.

Other options for securing DNS included "just" encrypting traffic to the DNS server. But no, they decided to centralize sending DNS records via HTTPS.


While I agree that it is concerning, WARP doesn't decrypt your traffic unless you sign in to ZeroTrust, enable it in your dashboard and install their CA.

Not much you can do about them having decrypted traffic for sites that use them.


> having decrypted traffic for sites that use them

Yes, that’s the huge chunk I’m talking about, and when you use them as your VPN they can effortlessly trace that decrypted traffic to you.


How is that different from not using a VPN?


When you don’t use a VPN, at least your traffic to Cloudflare doesn’t carry a unique ID of yours. Effort is required to correlate your traffic, especially if you are CGNAT’ed and share an IP with others, or have a dynamic IP that changes frequently.


It's not, that's the point.


It’s not for one party. The VPN protects your traffic from any party other than Cloudflare. Exactly as it would with any VPN.


HTTPS is among the most broken ideas in the history of CS. I remember the first time I really learned about it and I went like it can't be this stupid.

Most Internet traffic today between A and B is decrypted by C because of this.


What are you talking about?


HTTPS is a wrapper around HTTP. The result is that any service that needs any HTTP information can decrypt all HTTPS traffic. So on the web, passwords, API keys, personal information and so on are in general decrypted by a third party: Fastly, Akamai, Cloudflare and so on.


That is entirely untrue. HTTPS is just HTTP encrypted with TLS. The only parties that can decrypt the traffic are the people with the session keys: you and the website you’re visiting.


You are plain wrong.


How so?


Because requests are often sent through any of the large third-party layer 7 reverse proxy networks that sit between the user and the origin host.


All they see is ciphertext unless they’re terminating TLS and forwarding your traffic on to the target website.


They are terminating TLS.


Not sure how this is a problem with HTTPS, then. It’s like complaining that AES encryption is broken because you gave away your keys to a bunch of people.


It is a problem with HTTPS as it removes capabilities of HTTP without offering any other solution except terminating TLS.


What you’ve said so far has been generally confused and incorrect. I would suggest doing more research about HTTPS.


Says the guy who did not even know that all these reverse proxies like Cloudflare do TLS termination on the edge.


You’re glossing over that these third parties C are contracted trusted parties of entity B and thus for B’s purposes are considered part of B.

HTTPS and transport security isn’t a broken idea.

Standardized content security has been tried in many contexts and has typically been even less secure unless it’s for long lived opaque media, like S/MIME for emails. Structured data like XML security has been abysmal.


While I would never use a VPN service fronted by a data thieving company, I really hope that VPN usage goes more mainstream so that companies can't have "no access from VPN" as a security strategy.

Ally bank recently did this and many others have intermittent issues due to flagging, etc.


I can see this evolving into something worse.

>try to connect to ally

>vpn not allowed - try connecting through one of our authorized vpn partners: microsoft, nordvpn!, etc.


Security teams don't block certain VPN traffic for fun. When a certain IP block has been running credential stuffing attacks all month long, it's very reasonable to see any request from said block with a lot of suspicion. In many cases, 99.9% of login attempts from certain IP blocks are just fraudulent, and there might be more requests from one of said blocks than legitimate requests from the rest of the world combined.

Completely blocking a VPN is often too blunt an instrument, but even the best alternatives are unfriendly to legitimate traffic. The most user-friendly thing you can do is to rely on bonus security controls, like asking for two factor authentication for everything. No, you will not be able to log into anything from a new device, even, without the two factor. A very understandable tradeoff for a bank, but we'll end up seeing that for any account protecting anything of relatively low value.

If your second factor is tied to, say, a phone, it's not going to be fun to wait to replace it if it's lost. But in a world where most traffic is coming from a VPN, there aren't many good alternatives.
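One way to express the trade-off described in this comment, as an added example that is not part of the original thread: login events are aggregated per network block, and a block that looks like credential stuffing gets a second-factor requirement instead of an outright ban. The event format, thresholds and function names are assumptions made for illustration, and the sample events are constructed using documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds for this example; real values depend on the service's traffic.
MIN_ATTEMPTS = 20          # ignore blocks with too little traffic to judge
MIN_FAILURE_RATIO = 0.9    # share of failed logins that counts as suspicious
MIN_DISTINCT_USERS = 10    # many different accounts tried, not one forgetful user

def prefix_of(ip):
    """Map an address to its /24 (IPv4) or /48 (IPv6) block."""
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

def classify_prefixes(events):
    """events: iterable of (ip, username, success). Returns {prefix: decision}."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for ip, user, success in events:
        s = stats[prefix_of(ip)]
        s["attempts"] += 1
        s["failures"] += 0 if success else 1
        s["users"].add(user)
    decisions = {}
    for prefix, s in stats.items():
        ratio = s["failures"] / s["attempts"]
        looks_like_stuffing = (
            s["attempts"] >= MIN_ATTEMPTS
            and ratio >= MIN_FAILURE_RATIO
            and len(s["users"]) >= MIN_DISTINCT_USERS
        )
        # Step up rather than block: a legitimate user behind the same VPN
        # exit can still get in with a second factor.
        decisions[prefix] = "step_up" if looks_like_stuffing else "allow"
    return decisions

def policy_for(ip, decisions):
    """Decision for a new login attempt; unseen blocks default to allow."""
    return decisions.get(prefix_of(ip), "allow")

def sample_events():
    """Constructed login events (TEST-NET ranges, invented usernames)."""
    # 40 attempts against 40 different accounts, one success: stuffing pattern.
    events = [(f"203.0.113.{i % 8 + 1}", f"user{i}", i == 17) for i in range(40)]
    # Ordinary low-volume traffic.
    events += [
        ("198.51.100.9", "alice", True),
        ("198.51.100.9", "alice", False),
        ("198.51.100.23", "bob", True),
    ]
    # One person repeatedly mistyping a password: high failure rate, one account.
    events += [("192.0.2.50", "carol", False)] * 25
    return events

if __name__ == "__main__":
    for prefix, decision in sorted(classify_prefixes(sample_events()).items()):
        print(prefix, decision)
```

The distinct-account check is what keeps the single forgetful user in `192.0.2.0/24` from being treated like the stuffing block.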


For my home gateway, all HTTPS, VPN, SSTP, SMTP, PPTP, IPSec, UDP, DNS, and proxy are blocked.

All JavaScript scripts are blanked by Squid ICAP clients.

WireGuard to a VPS for DNS resolver/nameserver.

Run a mean transparent Squid proxy, Snort/Zeek/Suricata and whitelist bastion dns forwarder.

No problem. No spam. No headache.


Is Cloudflare known as a data thieving company? I didn't have that association with them yet. They're not really in the data selling business, are they?


I said "a VPN service fronted by a data thieving company" and I misspoke - I should have said "backed" instead of "fronted."

AFAIK Cloudflare isn't a data thief (yet). If (when) they decide to be, they will have access to quite a lot at the rate they are going. At this point, how can we trust that any public company won't eventually monetize user data?


They are in the business of collecting data and selling insights. CDN is just a means to an end.


Oh stop, already. Cloudflare isn't in the "business of selling insights". They make their money from enterprise sales of their various network products.

They're in the business of competing with AWS and are pretty damn good at it, too.


When did the world start trusting any company with a VPN more than their ISP? I still find the privacy pitch to be flaky at best, where at least I can choose who’s aware of my traffic, but getting past geo-blocks really seems to be the most obvious consumer value, which this Cloudflare VPN lacks.


My ISP actively lobbied to be able to harvest (steal) my data. Who do I trust more: the guy who says that they aren't selling my data, or the guy who corrupted my government so that they can actively sell me out (not to mention their monopoly)?

Sure, the first guy could be a liar, but I know that the second guy is a thief.

I don't care about geo-blocking - my only threat model is to keep a scumbag ISP at bay.

Edit: I should add that keeping sites I browse from knowing my IP is also part of my threat model.


VPN also has my credit card number, real name, etc. VPN doesn't have that; their data is worth less than the data my ISP could sell.


Seeing how many websites' TLS is terminated by Cloudflare, you shouldn't state that they don't have your credit card info with such conviction unless you never used it online.


ISP injecting content into your connection is a known story (google "ISP injecting ads" for many results).

For better or worse Microsoft (or other corps) have not done that in recent memory afaik. They might do equally dodgy stuff in other aspects, but they don't tamper with the integrity of your connection (they might sniff it a bit).


It is only a known story in some countries. In others ISPs are held to much higher privacy standards than Cloudflare is.


And often you're paying a nontrivial amount of money to the ISP for the "privilege" of getting ads and tracking injected. This really rubs people the wrong way, justifiably so I think.


I swear VPN privacy is a red herring.

Everyone I know who has a VPN subscription simply uses it to prevent DMCA letters from their ISP when torrenting.

VPN providers with a "no logs" policy simply shrug these off.


I know people that use VPNs 24/7 just for privacy. I would assume there's many more that use them for the reason you described though. Torrents are less useful than ever, piracy is down in general thanks to streaming services and products having moved to SaaS. From what I can tell, the number of people using VPNs merely for privacy alone is growing and a good sign that people feel that strongly about it.


> torrents are less useful than ever

ok I'll bite, let's hear it


Media piracy is less tempting than in 2006 (before streaming) but more tempting than in 2014 (before competition decreased overall and everyone started siloing content as part of their truce).

Server-side control has been making software piracy less and less viable, video games sorta included. And a lot of mainstream games have found ways to make money without charging to buy the game upfront.


Media privacy might be less tempting, but it's been swinging in the other direction (of becoming valid again) for quite a few years.


For some - it was when their ISP started sending their customers scary sounding letters regarding certain downloaded movies and shows.

Some ISPs also needlessly block certain sites (ex. Verizon blocks nyaa.si)


It can go either way. Many ISPs are known to be nasty, but hardly anyone sees the effects of that, so it's hard to tell. I think VPNs market "more security," people mostly blindly buy it, and everyone is happy.

Yeah, to me, a VPN is only a way around geo restrictions.


Article says the VPN gets activated in public networks. Wifi etc. That's one decent use case.


It's not true of the whole world, but in the US, you generally know that your ISP is untrustworthy, while your VPN is a leap of faith.


I thought it was when all the ISPs started basically giving away your private info to the government and repeatedly lied about it


Edge is a reskinned Chromium browser with Microsoft tracking and telemetry baked in. Just because they have a VPN now, it doesn't make it any more private/secure. Why do people use Edge? If you're any way privacy conscious you wouldn't use Microsoft products.


If you're using Windows, what's the point of using Chrome if you already have Edge?

You're already sending data to MS anyway


What's the point of using either of those when you could use an ungoogled chromium build?

(I use Firefox, but if I were to use a chromium browser it wouldn't be Edge or Chrome...)


In case you want a real answer: battery life.


Googled Chromium has better battery life than Ungoogled Chromium? That seems like a dubious claim.


No, Edge does. It actually is the best performing and battery life browser on Windows.


Because you gotta trust people behind ungoogled Chromium

I don't know them, so I don't trust them.


Chromium is open source, and so you can see what the changelog is etc. You don't need to trust the people when you can read the source yourself?

also "ungoogled Chromium" - The process is Chrome is Googled Chromium.

Chromium was a thing before Google-Chrome..

Edit: My mistake: Chrome and Chromium were released at the same time.


Yes, I'm definitely going to audit some giant as hell CPP code base (diffs) every four weeks.

I'd rather write my own browser from scratch


> Yes, I'm definitely going to audit some giant as hell CPP code base (diffs) every four weeks.

I've had this discussion with other people too, just because you don't want to doesn't mean you can't. So your point of suspecting something nefarious is moot for me until you can back it up.


If I do already use Windows, then I'm already relying on MS

Using Edge doesn't change much, meanwhile using ungoogled Chromium means that I have to trust additional actors

Additionally MS inserting e.g. a "backdoor" into Edge could cost them a lot in PR damages, meanwhile what if ungoogled chromium inserted some kind of "backdoor"?

I don't even know people who maintain it, so I wouldn't even be able to break their windows or throw eggs at them


> I don't even know people who maintain it, so I wouldn't even be able to break their windows or throw eggs at them

I hear your point on this, it's pretty hard to put your faith in a browser that updates regularly and not just for schema reasons. But you seem okay with Edge..

> Using Edge doesn't change much, meanwhile using ungoogled Chromium means that I have to trust additional actors

This is where I'm confused.

> Additionally MS inserting e.g. a "backdoor" into Edge could cost them a lot in PR damages

I'm not an M$ hater, they've been incredible. dotNet core is a gift. GoPilot is a good use of whatever we're doing here. But why do you think if they could work a 'backdoor' (without leaks from employees) would actually matter. Their fine would be minimal.. See FB

I think we've come full circle. I'm defending your point that Edge might be just another 'Okay' browser.


> Using Edge doesn't change much, meanwhile using ungoogled Chromium means that I have to trust additional actors

Because I'm already on Windows, thus I already trust Microsoft

>I'm not an M$ hater, they've been incredible. dotNet core is a gift. GoPilot is a good use of whatever we're doing here. But why do you think if they could work a 'backdoor' (without leaks from employees) would actually matter. Their fine would be minimal.. See FB

On the other hand take a look at Intel - they had security issues and not even intentional and there was a lot of dmg to their brand due to all those CPU related vulns in last years


> Chromium was a thing before Google-Chrome

No, it wasn't.


Sorry that's actually my mistake, I was thinking of something else. (Android)

They were both launched the same period, but chromium was the 'trimmed' down open source version.


> also "ungoogled Chromium" - The process is Chrome is Googled Chromium.

You can download Chromium[0], but people tend to be referring to the project called "Ungoogled Chromium"[1] to remove any calls to Google domains, eg. safe browsing, which are still present in Chromium.

0: https://www.chromium.org/getting-involved/download-chromium/

1: https://github.com/ungoogled-software/ungoogled-chromium


But we do know people behind Microsoft are not to be trusted with our privacy... See PRISM and their data collection practices.


The thing is about what data MS wants and what bad actor in ungoogled chromium would want

e.g MS doesn't want to steal money from my card


Indeed, they will lock you in to get it legally.


Waiting for the /sarcasm tag


My primary browser is Firefox. I have Edge as my backup browser for sites that don’t work with Firefox, and sometimes for watching stuff. There is no reason for me to install Chrome. (And Microsoft isn’t that bad, even if Edge sometimes does weird things.)


> for watching stuff

... while the browser is watching you [1].

> Microsoft isn’t that bad

Yes it is. That bad.

[1] https://en.wikipedia.org/wiki/In_Soviet_Russia


In my case, it is the default browser at my current company. I don't know the reasoning behind it, but we are also forced into Teams. Corporate requirements is my reason.

FWIW, it is not bad performance-wise.


So, I do use Firefox.

But for a Windows domain environment Edge makes sense.

- Comes builtin, no need to patch browsers separately and worry about outdated Google Chrome installs in a 1000+ computer fleet.

- Integrates with Office 365 that the company already uses/pays for.

- Can be managed with policy over Office 365 or Intune

- Has IE Enterprise Mode for the old apps that need IE11

For Teams, the alternative is this:

- Pay for Zoom AND Slack AND Office 365 AND have IT personnel manage all 3

- Pay for Gsuite and use... hangouts?

or

- Just pay for Office 365 and get email, fileshare, office suite and chat/fileshare/video tool all in one that works "fine" and can be managed all in admin.microsoft.com (that goes into 500 different portals that all change each month but I digress...)

Oh, and you can use whatever browser, even if it's not the default. I use Firefox but Edge is the default one.


I would be cautious with such assumptions.

There is a good reason why Trident is alive and kicking, people just don't know about it. But it's the reason for more than 98% of exploits, because shitty software of Microsoft still uses Trident to render MSHTML based documents (office etc).

The same will be true for a traffic-observing webview2, for decades to come. And it will never be removed again, because of Microsoft's development philosophy.


Based on what source exactly? Microsoft is about equivalent to privacy protections as Apple, if not more so.


I beg to differ.

Please compare the severity and extent of

https://en.wikipedia.org/wiki/Criticism_of_Microsoft#Privacy...

with

https://en.wikipedia.org/wiki/Criticism_of_Apple_Inc.

Depending on how you weigh the issues MSFT is far from equivalent on privacy


It seems that both had alleged collaborations with PRISM. The main difference I see between the two wiki articles, is that people complain about Microsoft's telemetry but not Apple's (even though they do have a lot of telemetry [1]).

In general it feels like Apple has won the trust of the public, partially through good products, partially through good marketing.

[1]: https://mspoweruser.com/macos-big-sur-has-its-own-telemetry-...


I can't tell if serious or ...

Windows 10 is a privacy disaster compared to previous versions of Windows. They track every single app and website you open, what files you have on your PC, and much more.


I'd choose Edge over Chrome if I didn't have better options.


...in a "canary" (basically a nightly build), for some users, for some specific cases (unsecure http, public wifi).


I run a free browser game where you can start playing immediately, no registration required. The game has a big sandbox element where you can build and paint on the world map.

Naturally I've attracted trolls doing everything in their power to grief and ruin it for other players. This has led me to reluctantly implement moderation tools such as IP bans and proxy detection.

I'm currently using a couple of services where I can supply an IP and get a risk score back but I'm worried about false positives. I'm afraid this initiative, while great for privacy, will make my defense measures futile.

What should I do? I just want to run a game with as few intrusive barriers as possible. I have no interest in collecting any private data from users whatsoever.


You have to have intrusive barriers. This is true in real life and it is true online.

The world is not a graffiti free-for-all because there are barriers: the government (police) is able to apprehend individuals, link that physical individual to an identity (which it issued at birth), and effectively implement consequences to that identity/individual.

If you want your site to not be a graffiti free-for-all, you will need a durable way to identify actual people. Twitter, for example, essentially requires a phone number to use their site. Phone numbers are fairly difficult to get anonymously. Therefore, Twitter has a useful link between their users and a physical individual. Other services use other things.

The government should implement cryptographic certificate based identities to citizens. Ideally there would be a way to "sign" something that says you are a real citizen without revealing which citizen you are, but is durably unique (subsequent signings identify you as the same citizen).

Facebook, Google, etc. are effectively filling this function right now but they leave much to be desired.


> Ideally there would be a way to "sign" something that says you are a real citizen without revealing which citizen you are, but is durably unique (subsequent signings identify you as the same citizen).

This is a truly interesting and groundbreaking idea that would solve all my problems. Do you know if there are any initiatives like that or is it science-fiction?


Actually issued by a government? Not sure.

How to implement? Also not sure. I am not an expert in this field. "Anonymous credentials" seems like the closest thing maybe. Basically you need to somehow prove you have a valid signed certificate without disclosing the public key.

https://crypto.stackexchange.com/questions/83412/how-to-achi... https://crypto.stackexchange.com/questions/52189/zero-knowle...

Since you seem open to putting up barriers... in the process of looking into this I discovered Idena and checked it out a little. You could require verified Idena something or other, just as an example. I'm sure there are scores of these types of things being built, most or all of which will fail to gain traction.


I don't know if a government would use it, but 4chan has tripcodes that can uniquely identify an anonymous user across multiple posts without the user ever needing to create a permanent identity.


You will just have a bunch of random false positives that get blocked and never come back. Even before VPNs, a lot of ISPs gave you a dynamic IP that changed anywhere from every few weeks to daily, to each reconnect. Same with any public access point.

Same with carrier-grade NAT; IP stopped being a good way to block things a long time ago. About the only use is "this IP is DoSing me now, block it for a few hours".

There are a few other methods, all of them intrusive on privacy. Generating a fingerprint of the browser and blocking based on that might work for the clueless users, but dedicated ones will go around it. Making users use one of the popular SSO logins is one option (at least banning-wise), but that's a lot of work.


Redesign the rules so that trolling is not rewarding. Yes, I know, it's hard.


Yeah, I thought I could pull that off, but in the end I was naive thinking I could solve it with mechanics. The idea was that I would never need to ban anyone, ever. However, even with thousands of players playing the game as intended, just one troll can wreak havoc by creating hundreds of accounts through proxies.

I have implemented measures where you can't chat until you've finished the tutorial, 5 minutes decay on stuff built/painted outside plots and upkeep on claimed plots but it's not enough. The trolls are extremely dedicated and devote their life to ruining my game.


Interesting to see this on the front page along with https://news.ycombinator.com/item?id=33036748

I wonder how long until Microsoft starts blocking sites on their VPN for "your protection".


I think they already do. Just like chrome and firefox block sites that are considered insecure.

I don't think they need a VPN for this.


Everybody is suspicious of Microsoft's motives but I think in this, you gotta consider how many windows systems are out there used by security novices.

Lots of people are computer savvy but want to use a computer to do something else not under the umbrella of hobbyist sysadmin work.

I don't see the downside here, again, considering the multi-millions average users Windows/Edge has. If you are savvy enough to roll your own VPN using algo from Trail of Bits, then do that. If you are able to weigh the pros and cons of VPNs from having one or not, or which one to use, you are ahead of 99.99% of the people this will help.


I don't like this. When I add a URL to the address bar I want TCP/IP traffic to be directed to only the remote address I requested, and not have traffic relayed through some third party.


I have bad news for you.

    traceroute news.ycombinator.com


Sorry, I misspoke. I know that routing traffic isn't a direct peer-to-peer connection, but that's different from ALL traffic going through one company.

I'm not an expert on internet routing, but it seems to me a bit disconcerting how much of web traffic is already routed through Cloudflare servers. This centralization scares me.


Besides the point, 18 hops to get to HN via my colo server in London, UK; what is cogentco doing with the excessive routing?

  1    24 ms    24 ms    25 ms  10.0.0.1
  2    32 ms    25 ms    24 ms  x.x.x.x
  3    28 ms    28 ms    27 ms  core-router-b-nlc.netwise.co.uk [185.17.175.246]
  4    29 ms    25 ms    25 ms  core-router-hex.netwise.co.uk [185.17.175.240]
  5    29 ms    25 ms    26 ms  te0-7-0-17.505.rcr21.b015534-1.lon01.atlas.cogentco.com [216.168.64.16]
  6    27 ms    25 ms    25 ms  be2186.ccr22.lon01.atlas.cogentco.com [154.54.61.70]
  7    27 ms    25 ms    28 ms  be2870.ccr41.lon13.atlas.cogentco.com [154.54.58.173]
  8    94 ms    93 ms    94 ms  be2317.ccr41.jfk02.atlas.cogentco.com [154.54.30.185]
  9   103 ms   100 ms   100 ms  be2806.ccr41.dca01.atlas.cogentco.com [154.54.40.106]
 10   118 ms   117 ms   117 ms  be2112.ccr41.atl01.atlas.cogentco.com [154.54.7.158]
 11   130 ms   130 ms   134 ms  be2687.ccr41.iah01.atlas.cogentco.com [154.54.28.70]
 12   147 ms   146 ms   181 ms  be2927.ccr21.elp01.atlas.cogentco.com [154.54.29.222]
 13   155 ms   155 ms   156 ms  be2930.ccr32.phx01.atlas.cogentco.com [154.54.42.77]
 14   172 ms   348 ms   192 ms  be2941.rcr52.san01.atlas.cogentco.com [154.54.41.33]
 15   198 ms   202 ms   205 ms  te0-0-2-0.rcr12.san03.atlas.cogentco.com [154.54.82.70]
 16   209 ms   165 ms   165 ms  te0-0-2-3.nr11.b006590-1.san03.atlas.cogentco.com [154.24.18.194]
 17   166 ms   171 ms   203 ms  38.96.10.250
 18   165 ms   162 ms   162 ms  news.ycombinator.com [209.216.230.240]


Is that excessive? It looks like it's taking the most direct route it can. First goes west to NY, then goes south to DC, south again to Atlanta, and then makes a series of westward hops to Houston, El Paso, Phoenix, and San Diego. And I'm guessing the hops within London and San Diego would be something like a router for local traffic, a router for regional traffic, and a router for international/interstate traffic.


I got 30 hops from Atlanta/Comcast

but hops from 9 to 30 are "blank" like this: 30 * * *

the last non-blank hop is this: 8 M5-HOSTING.bar1.SanDiego1.Level3.net (4.16.110.170) 69.921 ms GIGLINX-INC.bar1.SanDiego1.Level3.net (4.16.105.98) 60.600 ms M5-HOSTING.bar1.SanDiego1.Level3.net (4.16.110.170) 69.882 ms


Cogent is the third biggest network on the Internet by CAIDA AS Rank. Your connection used it for pretty much all the distance.


only 8 hops for me from Europe


Do a traceroute and see how many third parties your traffic is going through. You probably don't get many point-to-point connections.


Second time today Hacker News makes Firefox look good.


Seriously, I can't grok why people here don't use it more often. Web is 100% usable; what doesn't work in it doesn't work in the latest Chrome either. Web development is fine too, just different, not worse. But whatever, use Chrome for dev work if you love it, and Firefox for everything else, especially Internet proper (plus you get another full testing browser, not just spoofing user-agent).

It's a great product, and uBlock Origin makes it by far the best on the market for internet, not only for me, across any devices ever made, period.


_I_ can't grok why _I_ haven't switched. :-)

So this weekend I'll make an effort to switch from Chrome.


https://github.com/aris-t2/customcssforfx

Here's something to use if the UI makes you really upset.

Also you will probably miss translation: https://addons.mozilla.org/en-US/firefox/addon/traduzir-pagi...


I don’t think Adguard, the Russian tech company registered in Cyprus, but with mostly Russian employees living in Russia, has our best interests at heart.


Your evidence seems to be repetition of the word 'Russia'. Seems a tad thin.


Of course, we all stand by our beloved president who is threatening to start a nuclear war. What's not to like.


What bothers me about Adguard is offering HTTPS cert spoofing as a means to duplicate uBo's dynamic filtering behavior


What makes you say that? And this is not really about Adguard, it's about Microsoft, Cloudflare, and Edge.


In India, it is illegal to operate an open unauthenticated wifi. All public Internet access requires a secure auth and you have to present a government ID to the operator to get access. (This applies to getting a mobile SIM card or landline Internet at home as well.) This is to deter anonymous illicit activity being conducted from public Internet locations (like cafes, bus/train/airport stations etc.). Also, the same real identity requirement is now applied to VPN operators. Additionally, they have to collect and retain traffic logs, and cooperate with government cybercrime investigations.

Obviously there are potential loopholes – apparently a lot of VPN services are planning to continue operating services with Indian residents with servers not physically hosted in India without logs.

Apple with its Private Relay and now Microsoft with Edge Browser VPN – don't provide VPN with exit nodes hosted in foreign jurisdictions. I'm curious to know if they will cooperate with requirements to collect/retain logs as well.


> The VPN feature, known as “Microsoft Edge Secure Network,” has rolled out to a limited selection of users in the latest Edge Canary version.

Now why didn't they call it Microsoft Secure Network! And MSN in short.

And next they should start a VPN'ed messaging service, they can name it "MSN Messenger".


> you can save up on traffic which is capped at a modest 1 GB per month.

These days that probably won't even manage the tracking requests being sent from the machine a month.


Microsoft as any company must abide by federal laws, including US FISA court orders.


I can see it now:

Microsoft: "Sorry $site_owner, We (some unaccountable ML model) detected that you have violated some rule (we will not tell you which) and as a result, your website can no longer be accessed.

This decision is final and permanent."

There are other ways to protect user privacy without conveniently putting yourself in charge. They pulled the same move with UEFI and secure boot

Microsoft needs to be investigated and fined.


Especially timely given that https://news.ycombinator.com/item?id=33036748 just happened.


"Let's use our browser to herd users into our walled network, where our competitors cannot track them as easily as we are able to."


I think this is the real reason for the "VPN in a browser" trend. It's about getting exclusive access to browsing data.

Imagine Facebook data collection, but without being able to ignore it. That's where we're headed. Watch for Google to release a "security" product that does something similar.

IMO Apple, Microsoft, and (eventually) Google are going to use their platform dominance to usurp Facebook's ad business. That's why Facebook is making a big bet on VR. It's not that they see VR as a naturally popular platform. It's simply one of the last platforms that could be popular (for the near future), isn't already dominated by a major player, and has network effects that make it a critical mass platform similar to how Facebook works. If they can buy their way in, they own the whole market.

This kind of thing should get these companies obliterated by regulators. It's shameless, blatant, anti-competitive behavior where they're using their dominance in one market to gain an extremely unfair advantage in another.

The goal is to move the entire ad market away from the open web and into closed platforms like OSes and browsers.


VPNs can destroy net neutrality. The internet can be reduced to a dumb pipe that gives everyone equal bandwidth, which is used to operate VPNs, inside of which entirely private rules apply that are inscrutable from the outside.


Hm,

I think this is mainly a form of advertisement move to compel more users to use Edge/not switch away from it. Reason: By now many non-technical people think a VPN is necessary (or at least recommendable) for "safety". Though how a VPN actually helps/works most non-technical people do not understand at all. For Microsoft, providing a VPN which by default is only enabled on public WiFi and similar isn't too expensive.

They also need to compete with Apple's Privacy Relay feature.

So putting bias aside it seems a good thing.

But there are some gotchas:

1. A VPN is not per se privacy-protecting; it is only that if the VPN provider makes a legally binding agreement not to sell out the users' data.

2. A major browser which tries to force itself on all Windows users providing a VPN for free hurts the VPN market due to the unfair competitive advantage this VPN has.

3. It could normalize for many people that VPNs do not necessarily have a feature to avoid geo-blocking => make it easier for legislation targeting such features to pass.

4. Also more centralization for Cloudflare.

Though if you ignore all this, from a pure "common people's security" perspective (i.e. not state actor attacks) this is a neat improvement. There are still too many things which allow attacks due to not using HTTPS, and for non-state-level attackers the best attack vectors are public hotspots and similar, where this VPN is automatically enabled. E.g. a common security problem is HTTP (not S) redirect links in e.g. mails, which an attacker could trivially rewrite to point you to their site which automatically proxies the site you originally wanted to go to. The worst offender I saw was a fintech site emailing HTTP (not S) redirect links containing the auth token for the initial account setup...
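The plaintext redirect-link problem raised in the comment above can be checked for on the sending side. This is an added example, not part of the thread: a Python audit that flags `http://` links in an outgoing mail body and marks those that carry a credential, including one nested inside a redirector's target parameter. The sample mail, host names and the list of sensitive parameter names are constructed assumptions.

```python
import html
import math
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Assumed list of parameter names that usually carry credentials.
SENSITIVE_NAMES = {"token", "auth", "auth_token", "key", "code", "session", "otp"}
BARE_URL = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

# Constructed sample: a welcome mail whose setup link goes through a
# plaintext click-tracking redirector and carries the setup token.
SAMPLE_EMAIL = (
    '<p>Welcome! <a href="http://mail.fintech.example/r?u=https%3A%2F%2F'
    'app.fintech.example%2Fsetup%3Ftoken%3D9f8a7c6b5d4e3f2a1b0c9d8e7f6a5b4c">'
    'Finish account setup</a></p>\n'
    '<p>Read our <a href="http://blog.fintech.example/news">blog</a> or the '
    '<a href="https://app.fintech.example/help?lang=en">help pages</a>.</p>\n'
    'Plain-text fallback: http://mail.fintech.example/unsubscribe?id=42\n'
)


class _HrefCollector(HTMLParser):
    """Collects href values of <a> tags (entities are already unescaped)."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]


def shannon_entropy(value):
    """Bits per character; long high-entropy values are likely tokens."""
    if not value:
        return 0.0
    counts = Counter(value)
    return -sum(c / len(value) * math.log2(c / len(value)) for c in counts.values())


def looks_like_secret(name, value):
    if name.lower() in SENSITIVE_NAMES:
        return True
    return len(value) >= 20 and shannon_entropy(value) >= 3.5


def secret_params(url, depth=0):
    """Names of credential-like query parameters in url, following URLs that
    are nested inside parameters (as click redirectors carry them)."""
    found = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if value.lower().startswith(("http://", "https://")) and depth < 3:
            found += secret_params(value, depth + 1)
        elif looks_like_secret(name, value):
            found.append(name)
    return found


def extract_links(body):
    """Links from <a href> plus bare URLs in the text, de-duplicated in order."""
    collector = _HrefCollector()
    collector.feed(body)
    bare = [html.unescape(u).rstrip(".,;)") for u in BARE_URL.findall(body)]
    return list(dict.fromkeys(collector.hrefs + bare))


def audit_email(body):
    """Report every plaintext-HTTP link; 'high' if it also exposes a credential."""
    findings = []
    for url in extract_links(body):
        if urlsplit(url).scheme.lower() != "http":
            continue  # HTTPS links cannot be rewritten by an on-path attacker
        secrets = secret_params(url)
        findings.append({
            "url": url,
            "severity": "high" if secrets else "medium",
            "secret_params": secrets,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_email(SAMPLE_EMAIL):
        print(finding["severity"], finding["secret_params"], finding["url"])
```

Run against mail templates before they ship, the same check catches the redirector case the comment describes, where the visible target is HTTPS but the first hop is not.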


Why do they even need this? With all the spying/telemetry they already do, they probably already know the sites that you visit....


They want to keep everyone else from tracking you so their data is more valuable.


Some users might want this feature, which gets them more users. I think outside HN most users would appreciate a free VPN for when they're on public Wi-Fi.


Microsoft obviously benefits from the ability to collect more tracking signals. Even over HTTPS they will have many traffic signals to use for ads targeting.

Just be mindful of any feature and who it benefits. These companies aren't charities.


> "...it lacks one important feature users seek in a virtual private network: an ability to bypass geo-block. In the case of Edge’s VPN, you won’t be able to choose any server location..."


The trend towards 0-configuration VPNs though makes it totally compelling to just port your traffic home. I'm not trying to be a fan-boi, but I want ALL my traffic off the network of snoop. I'm just going to go out there and say Ubiquiti and Teleport with WifiMan on phone/tablets/computers and 0 config bar codes, I mean it's ALMOST frictionless for my family to do this setup once it's going.

I at least try to do this while we travel and are out of network range. How do people feel about this?


how about a tailscale exit node running on a computer at home

takes 10 seconds to setup and I can use my home IP from anywhere on earth


Why don't we just call it what it is: "Microsoft redirects all browser traffic through their servers". At first it sounds great, but in two years when they start selling the data or start injecting ads, what will the privacy advocates think then? How long until Microsoft decides they don't like your site, so they're going to block it? Yet another move towards centralization of the internet, NO THANKS.


Lol, the traffic is capped at 1gb. It’s also super obscure. Only in small rollouts to Edge canary users. It’s opt-in, I believe, and it can be turned off.

Even MSFT isn’t going to pay the network bill for everyone forever

Split decision if this is a true good faith thing for consumers. Time will tell. I can easily see where it’s a great thing on one hand but also a terrible one too. This is where a company’s integrity comes in.


I remember this being done back when Opera 7 was used. I think it had a feature for mobile OS, where it would route requests to Opera's servers and serve clients a minified, smaller version of the page, so people on 2G at the time could still use the web. I don't remember people being outraged at the time at the prospect of a browser having a baked-in VPN option though.


Yes that was mainly because mobile internet was really slow and using it without Opera's proxy was an exercise in frustration.

But do not forget that Opera 7 was released TWENTY YEARS AGO. Things are a bit different now. Think Eternal September.


I remember this as well and thought it was a neat service. One that I would have liked to emulate using my own proxy in order to save bandwidth on my mobile data but never got around to actually doing.

These days with widespread HTTPS, the only way to do this is to bake it into the browser itself.

And of course, this was back when you could trust Opera to do what they said they were (or weren't) doing.


That was Opera Mini, and it's still around (and popular in areas where Internet speed is still measured in Kbps and/or you pay for data per megabyte).

It's not even that it served a minified version, too. It basically did all layout server-side, so the client got something more akin to a PDF of the webpage optimized for its screen size. It also compressed images.


Don't forget about Google’s own "optimizer"

https://en.wikipedia.org/wiki/Google_Web_Accelerator


At the time, spyware was not yet a mainstream business model so there was no outrage because respectable, established companies didn't yet become spyware operators. There was still mutual trust back in the day.


God I miss Presto and Dragonfly. :'(


> Also, we must be aware of the risks associated with using the built-in VPN services of Microsoft, Apple, and the like. The tools they so generously offer might protect you from being tracked by your Internet Service Provider (ISP),

It seems using a VPN from your browser vendor does not increase your risk. I don’t think a VPN would have any information that your browser did not.


Not really: Your browser vendor might push out a malicious update or enable dormant functionality that sends them telemetry on your browsing, or even your entire web traffic, but a VPN definitively does receive all of your traffic (including, at least, the host name of almost all sites you visit).

I can observe who my browser/OS talk to (beyond the sites I already visit) – but what happens inside a VPN provider is impossible to tell.


People generally don’t tolerate browsers that phone home with any and all accessible information. But if you claim to also run a built-in VPN service...


What do you mean?

I oftentimes see people using Chrome (not Chromium) while logged into a profile. Are you telling me that either those people are actually a minority, or that Chrome doesn't phone home?


If I'm not mistaken Skype used to be called the most secure video calling app back in the day. Until this: https://lists.randombit.net/pipermail/cryptography/2013-May/...


A crazy thing happened to me on a recent trip to Mexico City. I thought my AT&T mobile plan covered Mexico, but after 2 days it stopped working. So I tried to log into my account online with AT&T. It would keep redirecting me to the Mexico AT&T website instead of the US website. The first time I realized I needed a VPN.


Back in the days, a network relay at the application layer was called a proxy. Any reason we are now calling this VPN?


Yes, because proxies and VPNs are totally different.

Proxies are generally unencrypted and a new connection is usually made per-request.

VPNs are inherently encrypted and maintain a single connection.

They're totally different technologies. So hope that answers your question.


None of this is true. Proxies use HTTP and can therefore use "keep-alive"; they are usually HTTPS. VPNs are usually UDP and therefore connectionless.

The usual difference is that they operate at application layer (proxy) or ethernet/IP (VPN). Which would make this a proxy, not a VPN.


If this "VPN" is under the control of an entity collecting information about users wherever it can, what's the sense of the service? "VPN" (in fact the term should be "virtual internet access network") makes sense only when it is independent of any entity controlling internet traffic...


I wonder how it respects legal web censorship orders imposed on ISPs like those of China and UK.


I hear the Great Chinese Firewall is pretty good at blocking VPNs, they'll likely be able to block this one pretty quickly.


Sounds like this one is going to appear on the network like https connections to Cloudflare.


I wouldn't care about this VPN if it weren't for the fact that I can't ignore it. There's an option to hide it from the toolbar, but every time I open an incognito window it pops back up again. It's incredibly annoying.


> "However, the VPN will not run while you’re streaming or watching videos — so that you can save up on traffic which is capped at a modest 1 GB per month."

OK? And what happens after that? After you go over your 1 GB cap? You're cut off from the internet?


They just turn the VPN off?


Heh, I wonder if they just quietly do that in the middle of a session

* GET bank.example.com/accounts

* GET bank.example.com/accounts/1

vpn disconnect

* GET bank.example.com/accounts/1/details <- 403 new IP, who dis?


How do they even ID the user for the cap? Some kind of system signature? Requirement of a MS account?


Edge-VPN is primarily Cloudfare. Now Cloudfare has potentially even "more" data about users. They don't have an ad platform, yet. What will stop Cloudfare from accumulating and then targeting the users through "Bing-Ads"?


Did you misspell Cloudflare as Cloudfare three times?


Sure, they did, but that doesn't make their point any less relevant...


Okay?


Privacy from our government is becoming illegal. I believe that with widespread adoption of VPN services, at some point in the next few years the government will prohibit ISPs from sending traffic to foreign VPN services - for our protection.


Had to move off of Edge to Brave a few weeks back after sticking it out longer than I should have. I really liked Edge on both Windows and macOS but they keep adding stuff that I don't want to the browser.


The move benefits foreign companies, weakening the domestic industry.

Let’s see how fast EU can move and regulate the traffic access. For instance, demanding that the servers should be accessible only to the local governments.


Pretty cool to see Wireguard, a protocol that is only a few years old, making it so fast into the Linux kernel and now into Edge. Literally shipping into billions of devices in such a small amount of time.


There will be times when more people are fed up with all the corporate BS. DuckDuckGo, LineageOS, Firefox, Protonmail, ... is all working fine for me. I don't miss any corp tech.


This is why net neutrality and easy accessible encryption are important.


I am not saying that they'd do it but what would prevent Microsoft from 'theoretically' collecting your information themselves and then selling it back to your ISP?


Can someone explain to me how this is different from apple’s privacy relay? Is it because it’s all traffic instead of just some traffic Apple designates as “trackers”?


The Microsoft Network is back apparently.

The AOL-like hell that the Microsoft Network was in the 90s makes its return in its Neo-Internet Explorer dystopian nightmare.


Strangely enough Opera's VPN has suddenly started working after a long period of not being "available" and pushing their paid version


Isn't this basically just Chrome's data saver? They never called it a VPN but they did send all your traffic to Google.


So Edge users are going to be impacted by this - what's that, like 35 people outside the development team who made it?


Doesn’t that mean that all my connections are routed through MS servers? How is MS more trustworthy than my ISP?


That's nice I suppose...

The only time I use Edge is when something Microsoft opens it, then I have to close it.


> and turns it on

for CANARY users which is a completely normal thing. This kind of sensationalism really hurts everyone.


Serious question - is there a legitimate use case for Edge when a Chrome Stable build is available?


It's already installed and it works well enough. Plus, if I'm using Windows, I'm already sending a bunch of telemetry to MS, so I don't see a reason to go out of my way to send some to goog, too. Also, I'm not a Netflix customer, but I understand that on PC you need Edge to get high-definition (>=1080p) video. Chrome doesn't work (neither does it work on Mac). So the question becomes: is there a legitimate use case for Chrome when Edge is available (and is mostly the same thing)?

I, personally, am quite against using a Google browser (or derivative), but for my gaming PC where I only launch the browser once in a blue moon, I just can't be bothered to download anything else since Edge works. On my work PC I use Firefox, and am quite happy with it.


There are significant changes in Edge compared to Chrome stable and perf and efficiency improvements on Windows (not to mention deeper system integration).


From a business perspective, IE mode and onedrive userstate sync for o365 customers

From a personal perspective, goog and microsoft are basically equivalent and I don't want either of their browsers.


Edge is the only Chromium-based browser that allows for Vertical Tabs.


Vivaldi has it, and it's a Chromium-based browser made by people who left Opera after it was sold to the Chinese. Opera had vertical tabs even a decade or so ago, back when it was still using its own Presto engine (they switched to Chromium and seem to have lost this feature).


Thanks for that. Unfortunately, it looks like Vivaldi is closed source. Do you know how it is monetized?


Search engines, bookmarks and they offer email services.

https://vivaldi.com/blog/vivaldi-business-model/


I'm thinking Microsoft is hoping for the reverse: Why download Chrome when you have a perfectly good Blink based browser already installed.


Did anyone test this? Is it better than Opera's "vpn"?

Can the user configure various geolocations?


Not even god knows what's going on inside that (not so very much) private network.


I think Pixel phones (or maybe it's all Google Fi phones) also do this.


Just wait. VPNs, under the guise of privacy, will be used to continue mass surveillance operations. Soon you won't be able to access certain sites unless you're using an "official" VPN.


I'm going to run my VPN on Edge running a VPN.


The walled gardens are raising their walls.

The plan is to sell the corporates VPN enabled services. The corporate will buy it without hesitation too if it comes bundled with Office 365.


Imagine still tolerating Windows in 2022


Some people play video games.

Some people want to use the Adobe suite on user upgradable hardware.

If you come out of your bubble you'll see there's plenty of reasons to still use Windows (typing this in Firefox running on Fedora, FWIW).


I play video games. Things have actually changed a heck of a lot in the last couple of years and seem to be accelerating thanks to the Steam Deck. 90% of the games I care about now work fine in Linux, sometimes with a little massaging (there are also now many more tools and forum posts to help with this). Modding certain things is occasionally the biggest impediment but that too is getting easier thanks to stuff like https://github.com/frostworx/steamtinkerlaunch , which if you use the Flatpak Steam can be installed via the app installer right alongside it.


You're describing a worse user experience than gaming on Windows. Single player games on Steam is a best case scenario.. Blizzard games, or games with anti cheat are a total pain to run or won't run at all.

This is why people tolerate Windows in 2022.

I'm not saying I like it, I was just trying to answer your question :)


The great thing about Windows is that you can install another browser and set it to default. You don't have to use Edge.


and then every other update it "accidentally" gets set back to Edge


Sounds pretty handy for data-scraping!


Hmmm interesting another reason for me to avoid microsoft browsers.


Nice work MSFT


What do I need to do to disable this?


Cloudflare is nasty, it's worse giving them all your data than spreading it around.


Cue VPNs being banned



