this post was submitted on 30 Jul 2024
4 points (100.0% liked)
Firefox
17937 readers
39 users here now
A place to discuss the news and latest developments on the open-source browser Firefox
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Here is a talk on OHTTP (OHAI) https://www.youtube.com/watch?v=_HEzpnktAwY
and a OHTTP recap https://www.youtube.com/watch?v=qjLwo4Ufp8s
Basically, if you trust the OHTTP Proxy (mozilla) and the OHTTP service provider (fakespot) to not collude, then OHTTP protects your data.
If you think Mozilla and fakespot might collude, then this doesn't give you any privacy. (Update - Someone pointed out Mozilla has purchased fakespot, so this comes down to Trusting mozilla with 100% of your data for their privacy promise and OHTTP is totally pointless here)
Depends on your threat model.
If they actually cared about privacy they would have the OHTTP model, sure, but also a TOR hidden service endpoint that anyone could use as well ; Removing all the links between the user and the service shouldn't be a problem, since they are not monitizing user behavior, right? RIGHT?!?!?
Mozilla says they use a third-party OHTTP intermediary. In the blog post linked above, they name Fastly as their partner. So it's not as bad as Mozilla + Mozilla-wearing-funny-glasses.
Personally, I still think this is the wrong approach to privacy, even though I've used Fakespot on my own many times over the years. Largely because I don't think any of this needs to be built into a web browser.
I would prefer my web browser to minimize information leakage by default, to the greatest degree that it can while still remaining useful as a web browser. Mozilla keeps adding bloat to Firefox, and bloat always comes at a cost. I'd much prefer these to be browser extensions that people can download if they want them, rather than built in by default. The baseline Firefox should be lean. Less "stuff" = smaller attack surface. Simplicity is best.
I mean, the Fakespot browser extension has existed for a long time, and I've never seriously considered installing it. I'd much rather just take an extra three seconds to load their web site and paste in a URL than have it constantly monitoring my activity and doing god-knows-what with it. That way I have better knowledge and control of what is happening with my data. Even if I trust their intentions, I don't implicitly trust their competence (all software has bugs) and I don't trust that they will never go rogue in the future.
And also, I just don't find this claim all that compelling in principle:
I mean...sure. That's fair. Buuuuuut handing half the data to your "partner" doesn't give me a whole lot of confidence. Especially since literally nobody reads all of the privacy policies they are subject to. See:
https://www.theatlantic.com/technology/archive/2012/03/reading-the-privacy-policies-you-encounter-in-a-year-would-take-76-work-days/253851/
https://www.npr.org/sections/alltechconsidered/2012/04/19/150905465/to-read-all-those-web-privacy-policies-just-take-a-month-off-work
https://www.techradar.com/computing/cyber-security/you-need-a-whole-workweek-every-month-to-read-privacy-policiesand-thats-bad-news
Minimizing privacy policies should be a high-priority goal for any organization that claims to value privacy.
Furthermore, how many additional parties have access (legally or otherwise) to both Mozilla and Fastly? 🤷