I’m no Google fanboy but I wasn’t satisfied with this:
> Chrome will happily collect as much private information about me and my browsing history and share them with select parties, as needed
What information does Chrome provide in this scenario that Firefox doesn’t? It feels like backward logic: it worked in Chrome therefore it must be because Chrome gave extra info. In reality it could be a whole bunch of things, something as mundane as Firefox being a rarer user agent so subject to more filtering.
It strikes me that all of this is an inexact science. I've run into rate limit messages with sites before now that go away when I switch browsers, no matter what the browser is. I assume it's because, with the limited information given, the DDOS protection software assumes that same IP + different UA = different computer.
I have no clue but I wasn’t persuaded that this specific scenario works with Chrome because it was giving away more information. At a bare minimum at least try a third browser!
I don't mean to support or refuse the author's main points or analysis, but you might like to know that the Chrome team is currently working towards shipping the Topics API. I have strong opinions about it but I will try not to editorialize.
My high-level understanding is that they're going to run an ML model over your browsing history (locally on your device) to build a list of "topics" that you care about. Sites you browse can use the Topics API to pull a set of these interests from the browser to show you "relevant" ads. Mozilla has taken a negative position against this standard.
No, the idea is they're abusing existing APIs for fingerprinting purposes that Firefox privacy settings disallow -- canvas font rendering difference detection, detecting your GPU model, and things of that nature.
But this new API demonstrates that Google is not on the consumer's side when it comes to limiting tracking/data gathering ability, as the new API is explicitly for fingerprinting.
> No, the idea is they're abusing existing APIs for fingerprinting purposes that Firefox privacy settings disallow
But that’s exactly what I’m saying: the author asserts as fact the reason Chrome worked was because it gives up more personal information but there’s no interrogation of whether that’s actually true and if true, how it’s achieved.
I’m no defender of Google; I just believe we should be making arguments we’re able to actually back up.
Fingerprinting is one of the techniques used to track you across the web.
If the site is serving Google, Meta, or ads from other networks, your unique browser fingerprint is one of the tools that makes it possible to target and retarget you.
I think we’re all aware of that. Where’s the specific evidence that Chrome passed the Cloudflare DDOS protection because it gave up more private information than Firefox did?
Especially since the author had to change the privacy.resistFingerprinting in Firefox to true to get it to work (meaning that it was able to bypass Cloudflare's loop by being MORE secure). But that appeared to break other non-Cloudflare sites.
I think the fingerprinting is a red herring. Yes, Chrome is less secure. But Chrome worked.
It's quite possible someone at the author's workplace updated their Cloudflare WAF settings and made things more strict, causing more checks. I'd even offer that a Firefox extension might be contributing.
But the argument that Chrome worked because it offered Cloudflare personal information is pretty out there ;)
I thought it was the opposite: that instead of fingerprinting users, web services would instead just ask the browser which topics the user is interested in and display the relevant ads. It's an explicit design goal to reduce the dependence on fingerprinting users, otherwise why would they do it? Topics are supposed to be the locally sourced privacy preserving alternative to invasive tracking.
Whether Mozilla/Apple/others agree is a different story. The blowback has mostly been around how topics aren't perfect and the design still leaves room for abuse and therefore effectively devolves to traditional tracking: https://mozilla.github.io/ppa-docs/topics.pdf.
Browsers don’t do that today and the result is that ad networks fingerprint and track you to try and serve you more relevant content.
The argument from supporters is that this is a step away from the “fingerprint and track” status quo MO. The argument from detractors is that it doesn't quite achieve that goal.
All you need to address your concern is for access to the API to be user-configurable.
That's a distinction without a difference. In both cases, user privacy is compromised. If anything, the proposal to make "user agents" snoop on the user is even more infuriating. That sounds more like trojan horse than "user agent."
When I started having this problem logging into a certain credit card co.'s website beginning with about Firefox 105.0.2 on Fedora 38, I was told by their apparently outsourced customer service that I had to use Chrome, which I don't have installed there and couldn't try. Yeah, they wanted me to use LogMeIn so they could fix the problem, too. Right.
Firefox on Android was still working, though, loath as I am to put passwords of any significance on my phone. Doesn't directly address your question, which I'd like to know the answer to as well.
Brings me back. My company "upgraded" the time entry system at the beginning of this century. Issue: our whole dev team was on Unix (HP-UX, Solaris) and used Firefox, which didn't work anymore (IE only). Their solution was to have 3 separate terminals where we would "cytrix" into an NT machine to do our time machine on Internet Explorer...
PayPal's "secure browser" effectively becomes broken by Firefox's first-party isolation. That took some time to figure out.
In terms of being blocked by CloudFront (not Cloudflare), I actually got a website to fix their policies by just emailing their tech support and showing that simple user-agent changes bypass their policy anyhow.
If my own bank/credit card blocked Firefox I would cancel with them. I'm pointing out that this isn't really normal or justifiable.
To your specific point about just moving elsewhere, complaining in public about bad industry practices is part of Capitalism and part of how consumers regulate the free market. "Take your business elsewhere instead of complaining" has never really been how this has worked; businesses don't get to opt out of being shamed just because they have a cancellation form, and they shouldn't have any expectation that users will or should be quiet about their bad business practices. The free market is not a replacement for criticism within social spaces; the free market works alongside that criticism and is reinforced by that criticism.
Public complaining is an essential part of how consumers within a free market coordinate with each other and educate each other about abusive corporate behavior, and it serves as an additional mechanism alongside boycotts and cancellations to help punish bad actors in the market.
> I'm pointing out that this isn't really normal or justifiable.
Oh well, what can you do? Vote with your wallet. Tell everyone on HN and Reddit. I agree. But at a certain point it wastes too much of my energy, so I'll basically just cancel and tell them I cannot use their service because reasons, very disappointed, bye.
Maybe back when standards were on shaky ground and different versions of the same content were made? I too can't see the performance advantage of it. Deprioritizing less mainstream browsers to mess with the nerds?
Ahhh yes I remember those days... if you wanted to use advanced IE-only features, send to one codebase, if you wanted broader compatibility, send to another. Similar to how mobile websites used to work. Thanks for the ideas! Any other hypotheses?
My "third" browser is GNOME Web, however, I uninstalled it thanks to performance issues. I installed Chrome from Flathub, but with limited permissions, which I only use for cross-browser testing. My main browser is Firefox.
I remember back when you could run the Servo app on macOS, it was a doge inside a cog and you could actually browse the internet, there was an address bar and back/forward buttons. But now they've actually removed that sort of stuff and given up on making a standalone browser in Rust, in favor of augmenting Firefox instead. See Firefox Quantum.
Mozilla actually fired the Servo developers to focus solely on Firefox (they still employ Rust developers, just not on Servo). But after some years, other companies picked up development on Servo.
Servo doesn't have a browser but I'd wager that writing a full featured browser for Servo would be much more useful than another Blink browser.
I think Servo has already served to bootstrap a bunch of Rust-ecosystem things, and that's why they yeeted it. Though webrender and some other offshoots from Servo are still useful for a lot of projects.
I've had sporadic issues with Firefox not working on work-related sites one day when the previous day it worked just fine.
I have uBlock, Privacy Badger, Decentraleyes, CanvasBlocker, Facebook Disconnect, and DuckDuckGo Privacy Essentials installed.
I would go through and disable each extension in order to see if it was the cause of the issue, and so far, every single time it has been DuckDuckGo Privacy Essentials that is breaking websites for me.
I think I should remove it at this point, but who knows? Maybe it's protecting me from something that I don't see.
@afavour: The topic isn't as simple as having an HTTP header with a unique identifier. Browser fingerprinting is a complex process that uses unintentional implementation details, like how things are rendered with different graphics drivers or details you can get from APIs that are intended for other purposes (like WebRTC).
The site that morjom posted gives you a simple overview and Firefox is known for the privacy preserving features it comes with. However, you are right that it is an inexact science as long as we don't know the logic of the Cloudflare implementation.
Chrome will indeed divulge more information than other browsers but only on the condition that you have opted-in for such collection.
“The Chrome User Experience Report (CrUX) provides user experience metrics for how real-world Chrome users experience popular destinations on the web. This data is automatically collected by Chrome from users who have opted in, . . .”
It's not a real time API, though. It's an aggregated dataset available via BigQuery. I don't think Cloudflare could use it as part of DDOS protection except in very vague ways.
Seems like the author mentioned that in Firefox disabling "privacy.resistFingerprinting" worked. So looks like Chrome by default is allowing the server to collect fingerprinting. If Cloudflare is using that, then it is a big red flag.
The opposite. Enabling the flag fixed the issue although it broke other sites.
> Eventually, I found some suggestions that if you’re using Firefox you can disable the privacy.resistFingerprinting option in the about:config page. But that was already listed as false for me when I got stuck, so I switched the value to true just to see if that would do anything.
> And that worked!
No. And there’s still the central issue of the author really hand-waving the specifics of their accusations about Chrome. It really seems to come down to “Google bad”.
To be clear, I don’t even use Chrome, in part because “Google bad”. This just isn’t intellectually honest.