If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Rate Thread | Display Modes |
#1
|
|||
|
|||
Browser research
After various discussions about browsers recently I'd
been meaning to try some out. I decided to try SRWare Iron, which is supposed to be a clean, non-spyware version of Chrome. I also decided to try Qupzilla, another OSS WebKit browser. The results were very discouraging. first, both browsers fell far short of providing adequate settings. Even setting up the UI was limited. My unofficial ratings: Qupzilla - D+ Iron - F- Privacy was a surprisingly big problem with both, though Iron was far worse than anything else I've ever seen. Qupzilla - At startup tried to contact the following via numerous ports: Hetzner Online AG HETZNER-RZ-NBG-NET Datacenter Nuernberg Contacted the following via port 80 or 443: Domain Name: hukot.net Registrant Name: Petr Pomajbik Registrant Street: U Velorexu Registrant City: Zamberk Registrant Postal Code: 56401 Registrant Country: CZ Registrant Phone: +420.732445203 So Qupzilla calls home for no reason. ------------------------------------------------- Iron - SRWare Iron was far worse than Qupzilla. Despite that they advertise having removed Google spyware functionality, I found the following: Without my actually going online Iron contacted the following at first startup: iron-start.com www.chrome-themes.info www.chrome-plugins.info www.bild.me securewamp.org www.ip-secrets.com 104.197.11.112 (Google Cloud) cache.google.com various cloudfront.net (owned by Amazon) When the settings were opened Iron contacted the following repeatedly: qg-in-f95.1e100.net:443 (Google) *Without having actually gone online* I had about 10 cookies from the following: adk2x.com, adpdx.com Whois for both domains: adk2x.com: Registrant Name: David Markowitz Registrant Organization: PLYmedia Registrant Street: 48 King George Registrant City: Tel Aviv Registrant Country: Israel Registrant Phone: +972.547631761 Registrant Email: Plymedia is an ad network. ALL OF THE ABOVE WAS BEFORE I EVEN USED THE BROWSER. I then made one visit online, to duckduckgo.com, after having set as many privacy options in Iron as I could find, and merely loaded the page. That resulted in an extra contact to cache.google.com, which doesn't happen when I load the same page in Pale Moon. So SRWare Iron is, in fact, Google spyware. And that seems to be only part of the privacy transgression happening. Qupzilla seems to be more honest, but still calls home and has no particular qualities to recommend it. The one nice feature, that it could import Firefox bookmarks, turned out not to work properly. |
Ads |
#2
|
|||
|
|||
Browser research
Mayayana wrote:
After various discussions about browsers recently I'd been meaning to try some out. I decided to try SRWare Iron, which is supposed to be a clean, non-spyware version of Chrome. I also decided to try Qupzilla, another OSS WebKit browser. The results were very discouraging. first, both browsers fell far short of providing adequate settings. Even setting up the UI was limited. My unofficial ratings: Qupzilla - D+ Iron - F- Privacy was a surprisingly big problem with both, though Iron was far worse than anything else I've ever seen. Qupzilla - At startup tried to contact the following via numerous ports: Hetzner Online AG HETZNER-RZ-NBG-NET Datacenter Nuernberg Contacted the following via port 80 or 443: Domain Name: hukot.net Registrant Name: Petr Pomajbik Registrant Street: U Velorexu Registrant City: Zamberk Registrant Postal Code: 56401 Registrant Country: CZ Registrant Phone: +420.732445203 So Qupzilla calls home for no reason. ------------------------------------------------- Iron - SRWare Iron was far worse than Qupzilla. Despite that they advertise having removed Google spyware functionality, I found the following: Without my actually going online Iron contacted the following at first startup: iron-start.com www.chrome-themes.info www.chrome-plugins.info www.bild.me securewamp.org www.ip-secrets.com 104.197.11.112 (Google Cloud) cache.google.com various cloudfront.net (owned by Amazon) When the settings were opened Iron contacted the following repeatedly: qg-in-f95.1e100.net:443 (Google) *Without having actually gone online* I had about 10 cookies from the following: adk2x.com, adpdx.com Whois for both domains: adk2x.com: Registrant Name: David Markowitz Registrant Organization: PLYmedia Registrant Street: 48 King George Registrant City: Tel Aviv Registrant Country: Israel Registrant Phone: +972.547631761 Registrant Email: Plymedia is an ad network. ALL OF THE ABOVE WAS BEFORE I EVEN USED THE BROWSER. I then made one visit online, to duckduckgo.com, after having set as many privacy options in Iron as I could find, and merely loaded the page. That resulted in an extra contact to cache.google.com, which doesn't happen when I load the same page in Pale Moon. So SRWare Iron is, in fact, Google spyware. And that seems to be only part of the privacy transgression happening. Qupzilla seems to be more honest, but still calls home and has no particular qualities to recommend it. The one nice feature, that it could import Firefox bookmarks, turned out not to work properly. Good to know, thanks. I had d/l Qupzilla when it was first mentioned here thinking I might try it. Decided not to, dumped it, glad I did. -- dadiOH ____________________________ Winters getting colder? Tired of the rat race? Taxes out of hand? Maybe just ready for a change? Check it out... http://www.floridaloghouse.net |
#3
|
|||
|
|||
Browser research
On Sun, 19 Apr 2015 14:10:50 -0400, Mayayana wrote:
After various discussions about browsers recently I'd been meaning to try some out. I decided to try SRWare Iron, which is supposed to be a clean, non-spyware version of Chrome. I also decided to try Qupzilla, another OSS WebKit browser. chromium, I believe (see chromium.org) is the open source, unbranded version of chrome. |
#4
|
|||
|
|||
Browser research
| chromium, I believe (see chromium.org) is the open source, unbranded | version of chrome. Yes, which is what Iron is claimed to be: https://www.srware.net/en/software_srware_iron.php Though in my Online Armor status window it showed "chrome.exe" going online. |
#5
|
|||
|
|||
Browser research
Mayayana wrote on 4/19/2015 2:10 PM:
After various discussions about browsers recently I'd been meaning to try some out. I decided to try SRWare Iron, which is supposed to be a clean, non-spyware version of Chrome. I also decided to try Qupzilla, another OSS WebKit browser. The results were very discouraging. first, both browsers fell far short of providing adequate settings. Even setting up the UI was limited. My unofficial ratings: Qupzilla - D+ Iron - F- Privacy was a surprisingly big problem with both, though Iron was far worse than anything else I've ever seen. Qupzilla - At startup tried to contact the following via numerous ports: Hetzner Online AG HETZNER-RZ-NBG-NET Datacenter Nuernberg Contacted the following via port 80 or 443: Domain Name: hukot.net Registrant Name: Petr Pomajbik Registrant Street: U Velorexu Registrant City: Zamberk Registrant Postal Code: 56401 Registrant Country: CZ Registrant Phone: +420.732445203 So Qupzilla calls home for no reason. ------------------------------------------------- Iron - SRWare Iron was far worse than Qupzilla. Despite that they advertise having removed Google spyware functionality, I found the following: Without my actually going online Iron contacted the following at first startup: iron-start.com www.chrome-themes.info www.chrome-plugins.info www.bild.me securewamp.org www.ip-secrets.com 104.197.11.112 (Google Cloud) cache.google.com various cloudfront.net (owned by Amazon) When the settings were opened Iron contacted the following repeatedly: qg-in-f95.1e100.net:443 (Google) *Without having actually gone online* I had about 10 cookies from the following: adk2x.com, adpdx.com Whois for both domains: adk2x.com: Registrant Name: David Markowitz Registrant Organization: PLYmedia Registrant Street: 48 King George Registrant City: Tel Aviv Registrant Country: Israel Registrant Phone: +972.547631761 Registrant Email: Plymedia is an ad network. ALL OF THE ABOVE WAS BEFORE I EVEN USED THE BROWSER. I then made one visit online, to duckduckgo.com, after having set as many privacy options in Iron as I could find, and merely loaded the page. That resulted in an extra contact to cache.google.com, which doesn't happen when I load the same page in Pale Moon. So SRWare Iron is, in fact, Google spyware. And that seems to be only part of the privacy transgression happening. Qupzilla seems to be more honest, but still calls home and has no particular qualities to recommend it. The one nice feature, that it could import Firefox bookmarks, turned out not to work properly. Scary! for sure. |
#6
|
|||
|
|||
Browser research
On 4/19/2015 11:10 AM, Mayayana wrote [in part]:
After various discussions about browsers recently I'd been meaning to try some out. I decided to try SRWare Iron, which is supposed to be a clean, non-spyware version of Chrome. I also decided to try Qupzilla, another OSS WebKit browser. Why not SeaMonkey? See http://www.seamonkey-project.org/. Yes, SeaMonkey calls home each time it is launched. The purpose is to get the latest blocklist.xml file, which indicates those extensions and plugins that are blocked as malware. Other interfaces with the SeaMonkey and Mozilla Web sites (e.g., silent updates) can be disabled. SeaMonkey has a user interface that provides more options than does Firefox. Firefox has been evolving into something that attempts to protect the most naive user from himself or herself. SeaMonkey is still being maintained with the attitude that the user knows what the user wants and likely understands what results will occur whenchanging options. -- David E. Ross Why do we tolerate political leaders who spend more time belittling hungry children than they do trying to fix the problem of hunger? http://mazon.org/ |
#7
|
|||
|
|||
Browser research
| Why not SeaMonkey? See http://www.seamonkey-project.org/.
| I thought it was basically FF with email. I don't need an email program and I've never used chat, nor do I want to. I have my own HTML editor. What's better/different in the SM browser, as compared to FF or Pale Moon, that would justify carrying all that extra baggage? Their description seems to indicate it's the same. | Yes, SeaMonkey calls home each time it is launched. The purpose is to | get the latest blocklist.xml file FF/PM don't have to be allowed to call home for anything. You're saying the blocklist call can't be stopped? |
#8
|
|||
|
|||
Browser research
On 4/19/2015 6:27 PM, Mayayana wrote:
| Why not SeaMonkey? See http://www.seamonkey-project.org/. | I thought it was basically FF with email. I don't need an email program and I've never used chat, nor do I want to. I have my own HTML editor. What's better/different in the SM browser, as compared to FF or Pale Moon, that would justify carrying all that extra baggage? Their description seems to indicate it's the same. | Yes, SeaMonkey calls home each time it is launched. The purpose is to | get the latest blocklist.xml file FF/PM don't have to be allowed to call home for anything. You're saying the blocklist call can't be stopped? I never use SeaMonkey for E-mail, newsgroups, or RSS feeds. For those, I use Thunderbird. I use SeaMonkey because I can tailor its configuration to a greater extent than I could with Firefox. SeaMonkey is not merely Firefox plus Thunderbird. While the "guts" of SeaMonkey are the same as for Firefox plus Thunderbird, the user interface is unique to SeaMonkey. Automatic updating the blocklist.xml file is analogous to automatically updating the virus definitions for an anti-virus application. The purpose is safety, not collecting information about users. I prefer the protection that automatic updates provide. If blocklist.xml starts blocking something that I do not want blocked, it is easily edited and then marked read-only. NOTE: I allow automatic updates of virus definitions for AVG 2015 Free, but I block automatic updates of the AVG software. I allow notifications of Microsoft updates, but I decline to download and install them for at least a week after receiving the notifications. For all other software, I occasionally check manually for updates, never allowing automatic updates. -- David E. Ross Why do we tolerate political leaders who spend more time belittling hungry children than they do trying to fix the problem of hunger? http://mazon.org/ |
#9
|
|||
|
|||
Browser research
Mayayana wrote:
After various discussions about browsers recently I'd been meaning to try some out. I decided to try SRWare Iron, which is supposed to be a clean, non-spyware version of Chrome. I also decided to try Qupzilla, another OSS WebKit browser. The results were very discouraging. first, both browsers fell far short of providing adequate settings. Even setting up the UI was limited. My unofficial ratings: Qupzilla - D+ Iron - F- Privacy was a surprisingly big problem with both, though Iron was far worse than anything else I've ever seen. Qupzilla - At startup tried to contact the following via numerous ports: Hetzner Online AG HETZNER-RZ-NBG-NET Datacenter Nuernberg Contacted the following via port 80 or 443: Domain Name: hukot.net Registrant Name: Petr Pomajbik Registrant Street: U Velorexu Registrant City: Zamberk Registrant Postal Code: 56401 Registrant Country: CZ Registrant Phone: +420.732445203 So Qupzilla calls home for no reason. ------------------------------------------------- Iron - SRWare Iron was far worse than Qupzilla. Despite that they advertise having removed Google spyware functionality, I found the following: Without my actually going online Iron contacted the following at first startup: iron-start.com www.chrome-themes.info www.chrome-plugins.info www.bild.me securewamp.org www.ip-secrets.com 104.197.11.112 (Google Cloud) cache.google.com various cloudfront.net (owned by Amazon) When the settings were opened Iron contacted the following repeatedly: qg-in-f95.1e100.net:443 (Google) *Without having actually gone online* I had about 10 cookies from the following: adk2x.com, adpdx.com Whois for both domains: adk2x.com: Registrant Name: David Markowitz Registrant Organization: PLYmedia Registrant Street: 48 King George Registrant City: Tel Aviv Registrant Country: Israel Registrant Phone: +972.547631761 Registrant Email: Plymedia is an ad network. ALL OF THE ABOVE WAS BEFORE I EVEN USED THE BROWSER. I then made one visit online, to duckduckgo.com, after having set as many privacy options in Iron as I could find, and merely loaded the page. That resulted in an extra contact to cache.google.com, which doesn't happen when I load the same page in Pale Moon. So SRWare Iron is, in fact, Google spyware. And that seems to be only part of the privacy transgression happening. Qupzilla seems to be more honest, but still calls home and has no particular qualities to recommend it. The one nice feature, that it could import Firefox bookmarks, turned out not to work properly. What I've found out with the so-called more private web browsers is they come with the default config that isn't so private. You still have to configure them to be truly private, like always starting in inprivate mode, flushing everything on exit, change cookie policies, set them to NOT allow mixed content, and so on. For example, I looked at Comodo Dragon which, like SRware Iron, are a Chromium derivative claiming to be more private than Google's derivative (Google Chrome). Nope, I still had to make lots of settings to get a decent level of privacy which were the same settings I can make in Google Chrome. If you search on install or client ID for Google Chrome, the articles are dated in or before 2010. There were utilities to set the install ID to a null string. That scare disappeared back in 2010 when Google changed the web browser to erase the install ID after the first time Google Chrome connected for an update. So those articles scaring users about the install ID were out of date as where the privacy tools to remove or nullify the install ID (which was already nullified by Google after the first update). While I figured out how to make IE as secure when directly loaded as when it is loaded as a child process (e.g., clicking on a URL link in a message displayed in an e-mail client), I haven't figured out how to make Firefox and Google Chrome always load in inprivate mode no matter how it was started (directly or as a child process). Command-line arguments are worthless when those web browsers are started as child processes. So supposedly "safer" Chromium derivatives that I have to configure just the same as Google Chromium to really make they safe still have an advantage *if* they default to loading in inprivate mode. However, inprivate mode is of value only when visiting multiple sites within the same session of the web browser. If you configure the web browser to flush everything (cookies, DOM storage, passwords, form data, etc) on its exit then all the same info that inprivate mode secures has been secured with the flush-on-exit setting. Since users often visit multiple sites during a web browser session, and if they don't load the web browser in its inprivate mode by default, then they have to start another web browser session to isolate data in each until they exit whereupon all that data gets flushed. Since inprivate mode disables add-ons which you may want to use at a site, inprivate mode can interfere with your experience at a site. So I don't bother worrying about starting the web browser inprivate mode (don't even use the registry hack to get IE to always start in inprivate mode, anymore). Configuring the web browser to flush everything on exit is, to me, just as safe as inprivate mode. The other problem with other "safer" Chromium variants, like Comodo Dragon and SRware Iron, is they don't get updated as often. In fact, Dragon was languishing on attention from Comodo for quite awhile. Security updates that get applied to Google Chrome won't show up in the safer Chromium variants for a longer time. If, for example, Google Chrome got an update to help mitigate the FREAK vulnerability (by getting rid of the weak export-grade encryption schemes), you don't get it in the safer Chromium versions for awhile. I don't remember what are their update schedules but it seemed there were too long, especially if you were waiting for security updates to plug or fix vulnerabilities. I could configure Google Chrome to be just as secure. Obviously that was not when using the default or install-time config. I actually wander through the options to determine how I want the web browser to behave, like disabling Suggestions (which requires sending your entered string to their server and it sending back suggestions - so there is web traffic most users don't know about). About the only real difference I saw for safer Chromium variants was they are easier to uninstall. Google Chromium creates a startup item, scheduled events in Task Scheduler, and digs deep into the registry. There's more work to eradicate Google Chrome (or Google anything) from your computer setup. Comodo Dragon's uninstall actually uninstalled it. After Google Chrome's uninstall, there was still a lot of remnant registry and file cleanup to really get rid of Google Chrome. As I recall, SRware Iron does not come clean. That is, there are already pre-installed add-ons in Iron. Add-ons have the same ability to connect to sites as does the web browser. So if an add-on wants to track you, sync to an account, or check for updates then they connect without you ever specifying to visit those sites. For example, part of the "better privacy" of Iron is that it comes with an ad blocker pre-installed. Sorry, but that doesn't make Iron more private since Firefox and Google Chrome both have add-ons for ad blocking, too. They claim Iron is safer because, gee, it comes with an ad blocker. Users that don't know about adding NoScript, Ghostery, Adblock Plus, and so on also don't know about using a pre-installed ad blocker (which can prevent good sites from working, too, but the user won't know what causes the problem). I think there's a User Agent (UAstring) add-on in Iron, too. So look at the list of add-ons in Iron. Each probably checks for updates (unless you configure the add-on manager in the web browser to not allow update checking - which I do along with disabling auto-updates in the web browser). The auto-update check in Iron and the add-ons doing their auto checks means you will have network connections despite you set the home page to about:blank and supposedly don't connect anywhere when you first load the web browser (by running its executable and not as a child process by clicking on a hyperlink). |
#10
|
|||
|
|||
Browser research
| I use SeaMonkey because I can tailor its
| configuration to a greater extent than I could with Firefox. Yes, but how? FF seems very adaptable to me. With the addition of userChrome.css I can also do things like change font face/size on menus and have my own Cape Neddick Lighthouse activity indicator. (Which I think I originally got from a K-Meleon site.) So before doing a lot of research I was just wondering if there are specific selling points that are not available in other Mozilla browsers. | Automatic updating the blocklist.xml file is analogous to automatically | updating the virus definitions for an anti-virus application. The | purpose is safety, not collecting information about users. I understand. My question was whether it can be disabled. I'not interested in the Mozilla peoples' efforts to protect my online safety. I consider it bad manners, at best, to force calling home without notification or permission. And the general trend is setting a bad precedent. The notion that *any* collection is not about collecting "user data" is dubious at best. Even when it starts out harmless it usually turns into useful research, which then turns into a profitable side product. I doubt there are many companies that would perceive a moral issue with the idea of selling customer data. Also, it's not always their choice. There was an interesting article in that vein recently about Radio Shack. Apparently they've prided themselves on protecting customer privacy. The article was pointing out that if they'd gone bankrupt they might have been forced by the bankruptcy court to sell out their customers. Their data would have qualified as a sale-able asset. | I prefer the | protection that automatic updates provide. If blocklist.xml starts | blocking something that I do not want blocked, it is easily edited and | then marked read-only. | | NOTE: I allow automatic updates of virus definitions for AVG 2015 Free, That's fine. Personally I haven't used AV for many years and consider it nearly useless, but it's your choice. That's all I'm asking for, is to be able to make my own choice. |
#11
|
|||
|
|||
Browser research
| | What I've found out with the so-called more private web browsers is they | come with the default config that isn't so private. You still have to | configure them to be truly private Yes. I think that goes without saying. If I were really trying to maximize privacy I would have kept offline until I had finished setting up Iron. But as I noted above, even after having adjusted all the settings, it connected to cache.google.com when I visited duckduckgo -- the only website I visited; and all I did was to load the page. I can only assume that Iron was tracking me for Google. There's a disconnect between the SRWare website claims and the actual behavior of the browser. There's also a general trustworthiness issue involved: If a product calls out without asking me (and to ad servers, no less!) I have to assume the people are not trustworthy. There are degrees. Iron was worse than anything I've ever seen. It seems to be a Google infestation. Qupzilla, by contrast, appears that it may be just collecting install data. Still, I didn't give permission for that. Nor was I informed as Qupzilla attempted to call out to numerous IPs on dozens of ports. |
#12
|
|||
|
|||
Browser research
Mayayana wrote:
even after having adjusted all the settings, it connected to cache.google.com when I visited duckduckgo That's why I mentioned disabling add-ons, removing them, or loading the web browser in its safe mode. The add-ons load when you load the web browser and they can phone home looking for updates. Also, if you leave suggestions enabled for whomever you chose to be your search provider in the web browser, it will send your strings entered in the address bar back to the search provider to give you those suggestions. I though Iron had suggestions disabled by default but that's something I would check after installing Iron. In the web browsers that I've used, I still had to disable suggestions so what I type as I type in the address bar is NOT getting sent to whichever search provider is specified as the default in the web browser. To be truly private, I'd like to disable ALL search providers; that is, NOT have the web browser do any searching from a combo address bar or using a searchbox. Don't automate anything regarding searching and instead I choose when to visit an online search provider by going to their web site to enter the search. There's also a general trustworthiness issue involved: If a product calls out without asking me (and to ad servers, no less!) I have to assume the people are not trustworthy. You mentioned other sites to which the web browser connected before you specified a site to visit. I'm assuming you are not clicking on a URL link somewhere, like in an e-mail, which loads the web browser as a child or forked process and are directly loading the web browser and also have the home page set to about:blank. One of the other sites looked like an adblock site. Iron comes with an ad blocker, a "feature" they mention that makes Iron supposedly more private than Google Chrome. Yeah, well, anyone can install an ad block add-on to accomplish the same privacy feature. However, ad blockers need to periodically check for updates to their block list. Even when first installed, that installer package is old so the first time the ad block add-on gets loaded (which will be when you first load the web browser) will have the add-on go check for an update. So some of the sites to which you saw the web browser connecting could be due to the pre-installed add-ons in Iron. The Google connection might be due to Suggestions enabled for the search provider (Google) specified in the web browser - so check Suggestions is disabled. Qupzilla, by contrast, appears that it may be just collecting install data. Still, I didn't give permission for that. Nor was I informed as Qupzilla attempted to call out to numerous IPs on dozens of ports. That comes with an pre-installed optimized version of AdBlock so that also has to connect out to get updates to its block list. The whole point of ad blockers (and a 'hosts' file compiled by someone else as another example) is to use someone else's compiled list of bad sites instead of you having to do it. I don't see that Qupzilla has a published privacy policy. I downloaded the portable version to see if there was a text file describing their policy. They do a **** poor job of organzing the files in the .zip archive: most files are flattened into a single folder. Nothing popped out as a TOS or privacy policy file. I extracted the files from the ..zip archive and did a search on "privacy" but got zero hits (other than for privacy options configurable within the program). As far as I'm concerned, if they don't publish a privacy policy then they don't have one. Srware is another private or community-driven project that apparently believe he/they don't have to publish a privacy policy. |
Thread Tools | |
Display Modes | Rate This Thread |
|
|