Browser research

After various discussions about browsers recently I'd
been meaning to try some out. I decided to try
SRWare Iron, which is supposed to be a clean,
non-spyware version of Chrome. I also decided to
try Qupzilla, another OSS WebKit browser.

The results were very discouraging. first, both browsers
fell far short of providing adequate settings. Even setting
up the UI was limited. My unofficial ratings:

Qupzilla - D+
Iron - F-

Privacy was a surprisingly big problem with both, though
Iron was far worse than anything else I've ever seen.

Qupzilla -

At startup tried to contact the following via
numerous ports:
Hetzner Online AG
HETZNER-RZ-NBG-NET
Datacenter Nuernberg

Contacted the following via port 80 or 443:

Domain Name: hukot.net
Registrant Name: Petr Pomajbik
Registrant Street: U Velorexu
Registrant City: Zamberk
Registrant Postal Code: 56401
Registrant Country: CZ
Registrant Phone: +420.732445203

So Qupzilla calls home for no reason.
-------------------------------------------------

Iron -

SRWare Iron was far worse than Qupzilla. Despite
that they advertise having removed Google spyware
functionality, I found the following:

Without my actually going online Iron contacted
the following at first startup:

iron-start.com
www.chrome-themes.info
www.chrome-plugins.info
www.bild.me
securewamp.org
www.ip-secrets.com
104.197.11.112 (Google Cloud)
cache.google.com
various cloudfront.net (owned by Amazon)

When the settings were opened Iron contacted
the following repeatedly:

qg-in-f95.1e100.net:443 (Google)

*Without having actually gone online* I had about
10 cookies from the following:

adk2x.com, adpdx.com

Whois for both domains:

adk2x.com:
Registrant Name: David Markowitz
Registrant Organization: PLYmedia
Registrant Street: 48 King George
Registrant City: Tel Aviv
Registrant Country: Israel
Registrant Phone: +972.547631761
Registrant Email:

Plymedia is an ad network.

ALL OF THE ABOVE WAS BEFORE I EVEN
USED THE BROWSER.

I then made one visit online, to duckduckgo.com,
after having set as many privacy options in Iron as
I could find, and merely loaded the page. That resulted
in an extra contact to cache.google.com, which doesn't
happen when I load the same page in Pale Moon.

So SRWare Iron is, in fact, Google spyware. And
that seems to be only part of the privacy
transgression happening.

Qupzilla seems to be more honest, but still calls
home and has no particular qualities to recommend
it. The one nice feature, that it could import Firefox
bookmarks, turned out not to work properly.

Mayayana wrote:
After various discussions about browsers recently I'd
been meaning to try some out. I decided to try
SRWare Iron, which is supposed to be a clean,
non-spyware version of Chrome. I also decided to
try Qupzilla, another OSS WebKit browser.

The results were very discouraging. first, both browsers
fell far short of providing adequate settings. Even setting
up the UI was limited. My unofficial ratings:

Qupzilla - D+
Iron - F-

Privacy was a surprisingly big problem with both, though
Iron was far worse than anything else I've ever seen.

Qupzilla -

At startup tried to contact the following via
numerous ports:
Hetzner Online AG
HETZNER-RZ-NBG-NET
Datacenter Nuernberg

Contacted the following via port 80 or 443:

Domain Name: hukot.net
Registrant Name: Petr Pomajbik
Registrant Street: U Velorexu
Registrant City: Zamberk
Registrant Postal Code: 56401
Registrant Country: CZ
Registrant Phone: +420.732445203

So Qupzilla calls home for no reason.
-------------------------------------------------

Iron -

SRWare Iron was far worse than Qupzilla. Despite
that they advertise having removed Google spyware
functionality, I found the following:

Without my actually going online Iron contacted
the following at first startup:

iron-start.com
www.chrome-themes.info
www.chrome-plugins.info
www.bild.me
securewamp.org
www.ip-secrets.com
104.197.11.112 (Google Cloud)
cache.google.com
various cloudfront.net (owned by Amazon)

When the settings were opened Iron contacted
the following repeatedly:

qg-in-f95.1e100.net:443 (Google)

*Without having actually gone online* I had about
10 cookies from the following:

adk2x.com, adpdx.com

Whois for both domains:

adk2x.com:
Registrant Name: David Markowitz
Registrant Organization: PLYmedia
Registrant Street: 48 King George
Registrant City: Tel Aviv
Registrant Country: Israel
Registrant Phone: +972.547631761
Registrant Email:

Plymedia is an ad network.

ALL OF THE ABOVE WAS BEFORE I EVEN
USED THE BROWSER.

I then made one visit online, to duckduckgo.com,
after having set as many privacy options in Iron as
I could find, and merely loaded the page. That resulted
in an extra contact to cache.google.com, which doesn't
happen when I load the same page in Pale Moon.

So SRWare Iron is, in fact, Google spyware. And
that seems to be only part of the privacy
transgression happening.

Qupzilla seems to be more honest, but still calls
home and has no particular qualities to recommend
it. The one nice feature, that it could import Firefox
bookmarks, turned out not to work properly.

Good to know, thanks. I had d/l Qupzilla when it was first mentioned here
thinking I might try it. Decided not to, dumped it, glad I did.

--

dadiOH
____________________________

Winters getting colder? Tired of the rat race?
Taxes out of hand? Maybe just ready for a change?
Check it out... http://www.floridaloghouse.net

On Sun, 19 Apr 2015 14:10:50 -0400, Mayayana wrote:

After various discussions about browsers recently I'd been meaning to
try some out. I decided to try SRWare Iron, which is supposed to be a
clean,
non-spyware version of Chrome. I also decided to try Qupzilla, another
OSS WebKit browser.


chromium, I believe (see chromium.org) is the open source, unbranded
version of chrome.

| chromium, I believe (see chromium.org) is the open source, unbranded
| version of chrome.

Yes, which is what Iron is claimed to be:

https://www.srware.net/en/software_srware_iron.php

Though in my Online Armor status window it showed
"chrome.exe" going online.

Mayayana wrote on 4/19/2015 2:10 PM:
After various discussions about browsers recently I'd
been meaning to try some out. I decided to try
SRWare Iron, which is supposed to be a clean,
non-spyware version of Chrome. I also decided to
try Qupzilla, another OSS WebKit browser.

The results were very discouraging. first, both browsers
fell far short of providing adequate settings. Even setting
up the UI was limited. My unofficial ratings:

Qupzilla - D+
Iron - F-

Privacy was a surprisingly big problem with both, though
Iron was far worse than anything else I've ever seen.

Qupzilla -

At startup tried to contact the following via
numerous ports:
Hetzner Online AG
HETZNER-RZ-NBG-NET
Datacenter Nuernberg

Contacted the following via port 80 or 443:

Domain Name: hukot.net
Registrant Name: Petr Pomajbik
Registrant Street: U Velorexu
Registrant City: Zamberk
Registrant Postal Code: 56401
Registrant Country: CZ
Registrant Phone: +420.732445203

So Qupzilla calls home for no reason.
-------------------------------------------------

Iron -

SRWare Iron was far worse than Qupzilla. Despite
that they advertise having removed Google spyware
functionality, I found the following:

Without my actually going online Iron contacted
the following at first startup:

iron-start.com
www.chrome-themes.info
www.chrome-plugins.info
www.bild.me
securewamp.org
www.ip-secrets.com
104.197.11.112 (Google Cloud)
cache.google.com
various cloudfront.net (owned by Amazon)

When the settings were opened Iron contacted
the following repeatedly:

qg-in-f95.1e100.net:443 (Google)

*Without having actually gone online* I had about
10 cookies from the following:

adk2x.com, adpdx.com

Whois for both domains:

adk2x.com:
Registrant Name: David Markowitz
Registrant Organization: PLYmedia
Registrant Street: 48 King George
Registrant City: Tel Aviv
Registrant Country: Israel
Registrant Phone: +972.547631761
Registrant Email:

Plymedia is an ad network.

ALL OF THE ABOVE WAS BEFORE I EVEN
USED THE BROWSER.

I then made one visit online, to duckduckgo.com,
after having set as many privacy options in Iron as
I could find, and merely loaded the page. That resulted
in an extra contact to cache.google.com, which doesn't
happen when I load the same page in Pale Moon.

So SRWare Iron is, in fact, Google spyware. And
that seems to be only part of the privacy
transgression happening.

Qupzilla seems to be more honest, but still calls
home and has no particular qualities to recommend
it. The one nice feature, that it could import Firefox
bookmarks, turned out not to work properly.


Scary! for sure.

On 4/19/2015 11:10 AM, Mayayana wrote [in part]:
After various discussions about browsers recently I'd
been meaning to try some out. I decided to try
SRWare Iron, which is supposed to be a clean,
non-spyware version of Chrome. I also decided to
try Qupzilla, another OSS WebKit browser.


Why not SeaMonkey? See http://www.seamonkey-project.org/.

Yes, SeaMonkey calls home each time it is launched. The purpose is to
get the latest blocklist.xml file, which indicates those extensions and
plugins that are blocked as malware. Other interfaces with the
SeaMonkey and Mozilla Web sites (e.g., silent updates) can be disabled.

SeaMonkey has a user interface that provides more options than does
Firefox. Firefox has been evolving into something that attempts to
protect the most naive user from himself or herself. SeaMonkey is still
being maintained with the attitude that the user knows what the user
wants and likely understands what results will occur whenchanging options.

--
David E. Ross

Why do we tolerate political leaders who
spend more time belittling hungry children
than they do trying to fix the problem of
hunger? http://mazon.org/

| Why not SeaMonkey? See http://www.seamonkey-project.org/.
|

I thought it was basically FF with email. I don't need
an email program and I've never used chat, nor
do I want to. I have my own HTML editor. What's
better/different in the SM browser, as compared to
FF or Pale Moon, that would justify carrying all that
extra baggage? Their description seems to indicate
it's the same.

| Yes, SeaMonkey calls home each time it is launched. The purpose is to
| get the latest blocklist.xml file

FF/PM don't have to be allowed to call home
for anything. You're saying the blocklist call
can't be stopped?

On 4/19/2015 6:27 PM, Mayayana wrote:
| Why not SeaMonkey? See http://www.seamonkey-project.org/.
|

I thought it was basically FF with email. I don't need
an email program and I've never used chat, nor
do I want to. I have my own HTML editor. What's
better/different in the SM browser, as compared to
FF or Pale Moon, that would justify carrying all that
extra baggage? Their description seems to indicate
it's the same.

| Yes, SeaMonkey calls home each time it is launched. The purpose is to
| get the latest blocklist.xml file

FF/PM don't have to be allowed to call home
for anything. You're saying the blocklist call
can't be stopped?



I never use SeaMonkey for E-mail, newsgroups, or RSS feeds. For those,
I use Thunderbird. I use SeaMonkey because I can tailor its
configuration to a greater extent than I could with Firefox. SeaMonkey
is not merely Firefox plus Thunderbird. While the "guts" of SeaMonkey
are the same as for Firefox plus Thunderbird, the user interface is
unique to SeaMonkey.

Automatic updating the blocklist.xml file is analogous to automatically
updating the virus definitions for an anti-virus application. The
purpose is safety, not collecting information about users. I prefer the
protection that automatic updates provide. If blocklist.xml starts
blocking something that I do not want blocked, it is easily edited and
then marked read-only.

NOTE: I allow automatic updates of virus definitions for AVG 2015 Free,
but I block automatic updates of the AVG software. I allow
notifications of Microsoft updates, but I decline to download and
install them for at least a week after receiving the notifications. For
all other software, I occasionally check manually for updates, never
allowing automatic updates.

--
David E. Ross

Why do we tolerate political leaders who
spend more time belittling hungry children
than they do trying to fix the problem of
hunger? http://mazon.org/

Mayayana wrote:

After various discussions about browsers recently I'd
been meaning to try some out. I decided to try
SRWare Iron, which is supposed to be a clean,
non-spyware version of Chrome. I also decided to
try Qupzilla, another OSS WebKit browser.

The results were very discouraging. first, both browsers
fell far short of providing adequate settings. Even setting
up the UI was limited. My unofficial ratings:

Qupzilla - D+
Iron - F-

Privacy was a surprisingly big problem with both, though
Iron was far worse than anything else I've ever seen.

Qupzilla -

At startup tried to contact the following via
numerous ports:
Hetzner Online AG
HETZNER-RZ-NBG-NET
Datacenter Nuernberg

Contacted the following via port 80 or 443:

Domain Name: hukot.net
Registrant Name: Petr Pomajbik
Registrant Street: U Velorexu
Registrant City: Zamberk
Registrant Postal Code: 56401
Registrant Country: CZ
Registrant Phone: +420.732445203

So Qupzilla calls home for no reason.
-------------------------------------------------

Iron -

SRWare Iron was far worse than Qupzilla. Despite
that they advertise having removed Google spyware
functionality, I found the following:

Without my actually going online Iron contacted
the following at first startup:

iron-start.com
www.chrome-themes.info
www.chrome-plugins.info
www.bild.me
securewamp.org
www.ip-secrets.com
104.197.11.112 (Google Cloud)
cache.google.com
various cloudfront.net (owned by Amazon)

When the settings were opened Iron contacted
the following repeatedly:

qg-in-f95.1e100.net:443 (Google)

*Without having actually gone online* I had about
10 cookies from the following:

adk2x.com, adpdx.com

Whois for both domains:

adk2x.com:
Registrant Name: David Markowitz
Registrant Organization: PLYmedia
Registrant Street: 48 King George
Registrant City: Tel Aviv
Registrant Country: Israel
Registrant Phone: +972.547631761
Registrant Email:

Plymedia is an ad network.

ALL OF THE ABOVE WAS BEFORE I EVEN
USED THE BROWSER.

I then made one visit online, to duckduckgo.com,
after having set as many privacy options in Iron as
I could find, and merely loaded the page. That resulted
in an extra contact to cache.google.com, which doesn't
happen when I load the same page in Pale Moon.

So SRWare Iron is, in fact, Google spyware. And
that seems to be only part of the privacy
transgression happening.

Qupzilla seems to be more honest, but still calls
home and has no particular qualities to recommend
it. The one nice feature, that it could import Firefox
bookmarks, turned out not to work properly.

What I've found out with the so-called more private web browsers is they
come with the default config that isn't so private. You still have to
configure them to be truly private, like always starting in inprivate
mode, flushing everything on exit, change cookie policies, set them to
NOT allow mixed content, and so on. For example, I looked at Comodo
Dragon which, like SRware Iron, are a Chromium derivative claiming to be
more private than Google's derivative (Google Chrome). Nope, I still
had to make lots of settings to get a decent level of privacy which were
the same settings I can make in Google Chrome.

If you search on install or client ID for Google Chrome, the articles
are dated in or before 2010. There were utilities to set the install ID
to a null string. That scare disappeared back in 2010 when Google
changed the web browser to erase the install ID after the first time
Google Chrome connected for an update. So those articles scaring users
about the install ID were out of date as where the privacy tools to
remove or nullify the install ID (which was already nullified by Google
after the first update). While I figured out how to make IE as secure
when directly loaded as when it is loaded as a child process (e.g.,
clicking on a URL link in a message displayed in an e-mail client), I
haven't figured out how to make Firefox and Google Chrome always load in
inprivate mode no matter how it was started (directly or as a child
process). Command-line arguments are worthless when those web browsers
are started as child processes. So supposedly "safer" Chromium
derivatives that I have to configure just the same as Google Chromium to
really make they safe still have an advantage *if* they default to
loading in inprivate mode.

However, inprivate mode is of value only when visiting multiple sites
within the same session of the web browser. If you configure the web
browser to flush everything (cookies, DOM storage, passwords, form data,
etc) on its exit then all the same info that inprivate mode secures has
been secured with the flush-on-exit setting. Since users often visit
multiple sites during a web browser session, and if they don't load the
web browser in its inprivate mode by default, then they have to start
another web browser session to isolate data in each until they exit
whereupon all that data gets flushed. Since inprivate mode disables
add-ons which you may want to use at a site, inprivate mode can
interfere with your experience at a site. So I don't bother worrying
about starting the web browser inprivate mode (don't even use the
registry hack to get IE to always start in inprivate mode, anymore).
Configuring the web browser to flush everything on exit is, to me, just
as safe as inprivate mode.

The other problem with other "safer" Chromium variants, like Comodo
Dragon and SRware Iron, is they don't get updated as often. In fact,
Dragon was languishing on attention from Comodo for quite awhile.
Security updates that get applied to Google Chrome won't show up in the
safer Chromium variants for a longer time. If, for example, Google
Chrome got an update to help mitigate the FREAK vulnerability (by
getting rid of the weak export-grade encryption schemes), you don't get
it in the safer Chromium versions for awhile. I don't remember what are
their update schedules but it seemed there were too long, especially if
you were waiting for security updates to plug or fix vulnerabilities.

I could configure Google Chrome to be just as secure. Obviously that
was not when using the default or install-time config. I actually
wander through the options to determine how I want the web browser to
behave, like disabling Suggestions (which requires sending your entered
string to their server and it sending back suggestions - so there is web
traffic most users don't know about). About the only real difference I
saw for safer Chromium variants was they are easier to uninstall.
Google Chromium creates a startup item, scheduled events in Task
Scheduler, and digs deep into the registry. There's more work to
eradicate Google Chrome (or Google anything) from your computer setup.
Comodo Dragon's uninstall actually uninstalled it. After Google
Chrome's uninstall, there was still a lot of remnant registry and file
cleanup to really get rid of Google Chrome.

As I recall, SRware Iron does not come clean. That is, there are
already pre-installed add-ons in Iron. Add-ons have the same ability to
connect to sites as does the web browser. So if an add-on wants to
track you, sync to an account, or check for updates then they connect
without you ever specifying to visit those sites. For example, part of
the "better privacy" of Iron is that it comes with an ad blocker
pre-installed. Sorry, but that doesn't make Iron more private since
Firefox and Google Chrome both have add-ons for ad blocking, too. They
claim Iron is safer because, gee, it comes with an ad blocker. Users
that don't know about adding NoScript, Ghostery, Adblock Plus, and so on
also don't know about using a pre-installed ad blocker (which can
prevent good sites from working, too, but the user won't know what
causes the problem). I think there's a User Agent (UAstring) add-on in
Iron, too. So look at the list of add-ons in Iron. Each probably
checks for updates (unless you configure the add-on manager in the web
browser to not allow update checking - which I do along with disabling
auto-updates in the web browser). The auto-update check in Iron and the
add-ons doing their auto checks means you will have network connections
despite you set the home page to about:blank and supposedly don't
connect anywhere when you first load the web browser (by running its
executable and not as a child process by clicking on a hyperlink).

| I use SeaMonkey because I can tailor its
| configuration to a greater extent than I could with Firefox.

Yes, but how? FF seems very adaptable to me.
With the addition of userChrome.css I can also
do things like change font face/size on menus and
have my own Cape Neddick Lighthouse activity
indicator. (Which I think I originally got from a
K-Meleon site.)
So before doing a lot of research I was just
wondering if there are specific selling points that
are not available in other Mozilla browsers.

| Automatic updating the blocklist.xml file is analogous to automatically
| updating the virus definitions for an anti-virus application. The
| purpose is safety, not collecting information about users.

I understand. My question was whether it can be
disabled. I'not interested in the Mozilla peoples'
efforts to protect my online safety.

I consider it bad manners, at best, to force calling
home without notification or permission. And the
general trend is setting a bad precedent.

The notion that *any* collection is not about
collecting "user data" is dubious at best. Even when it
starts out harmless it usually turns into useful research,
which then turns into a profitable side product. I doubt
there are many companies that would perceive a moral
issue with the idea of selling customer data. Also, it's
not always their choice. There was an interesting article
in that vein recently about Radio Shack. Apparently they've
prided themselves on protecting customer privacy. The
article was pointing out that if they'd gone bankrupt they
might have been forced by the bankruptcy court to sell
out their customers. Their data would have qualified as
a sale-able asset.

| I prefer the
| protection that automatic updates provide. If blocklist.xml starts
| blocking something that I do not want blocked, it is easily edited and
| then marked read-only.
|
| NOTE: I allow automatic updates of virus definitions for AVG 2015 Free,

That's fine. Personally I haven't used AV for many
years and consider it nearly useless, but it's your
choice. That's all I'm asking for, is to be able to make
my own choice.

|
| What I've found out with the so-called more private web browsers is they
| come with the default config that isn't so private. You still have to
| configure them to be truly private

Yes. I think that goes without saying. If I
were really trying to maximize privacy I would
have kept offline until I had finished setting
up Iron. But as I noted above, even after having
adjusted all the settings, it connected to
cache.google.com when I visited duckduckgo --
the only website I visited; and all I did was to load
the page. I can only assume that Iron was tracking
me for Google. There's a disconnect between the
SRWare website claims and the actual behavior of
the browser.

There's also a general trustworthiness issue
involved: If a product calls out without asking
me (and to ad servers, no less!) I have to assume
the people are not trustworthy. There are
degrees. Iron was worse than anything I've ever
seen. It seems to be a Google infestation. Qupzilla,
by contrast, appears that it may be just collecting
install data. Still, I didn't give permission for that.
Nor was I informed as Qupzilla attempted to call out
to numerous IPs on dozens of ports.

Mayayana wrote:

even after having adjusted all the settings, it connected to
cache.google.com when I visited duckduckgo

That's why I mentioned disabling add-ons, removing them, or loading the
web browser in its safe mode. The add-ons load when you load the web
browser and they can phone home looking for updates.

Also, if you leave suggestions enabled for whomever you chose to be your
search provider in the web browser, it will send your strings entered in
the address bar back to the search provider to give you those
suggestions. I though Iron had suggestions disabled by default but
that's something I would check after installing Iron. In the web
browsers that I've used, I still had to disable suggestions so what I
type as I type in the address bar is NOT getting sent to whichever
search provider is specified as the default in the web browser.

To be truly private, I'd like to disable ALL search providers; that is,
NOT have the web browser do any searching from a combo address bar or
using a searchbox. Don't automate anything regarding searching and
instead I choose when to visit an online search provider by going to
their web site to enter the search.


There's also a general trustworthiness issue
involved: If a product calls out without asking
me (and to ad servers, no less!) I have to assume
the people are not trustworthy.

You mentioned other sites to which the web browser connected before you
specified a site to visit. I'm assuming you are not clicking on a URL
link somewhere, like in an e-mail, which loads the web browser as a
child or forked process and are directly loading the web browser and
also have the home page set to about:blank. One of the other sites
looked like an adblock site. Iron comes with an ad blocker, a "feature"
they mention that makes Iron supposedly more private than Google Chrome.
Yeah, well, anyone can install an ad block add-on to accomplish the same
privacy feature. However, ad blockers need to periodically check for
updates to their block list. Even when first installed, that installer
package is old so the first time the ad block add-on gets loaded (which
will be when you first load the web browser) will have the add-on go
check for an update.

So some of the sites to which you saw the web browser connecting could
be due to the pre-installed add-ons in Iron. The Google connection
might be due to Suggestions enabled for the search provider (Google)
specified in the web browser - so check Suggestions is disabled.

Qupzilla,
by contrast, appears that it may be just collecting
install data. Still, I didn't give permission for that.
Nor was I informed as Qupzilla attempted to call out
to numerous IPs on dozens of ports.

That comes with an pre-installed optimized version of AdBlock so that
also has to connect out to get updates to its block list. The whole
point of ad blockers (and a 'hosts' file compiled by someone else as
another example) is to use someone else's compiled list of bad sites
instead of you having to do it.

I don't see that Qupzilla has a published privacy policy. I downloaded
the portable version to see if there was a text file describing their
policy. They do a **** poor job of organzing the files in the .zip
archive: most files are flattened into a single folder. Nothing popped
out as a TOS or privacy policy file. I extracted the files from the
..zip archive and did a search on "privacy" but got zero hits (other than
for privacy options configurable within the program).

As far as I'm concerned, if they don't publish a privacy policy then
they don't have one.

Srware is another private or community-driven project that apparently
believe he/they don't have to publish a privacy policy.