Anyone at Google who is listening- this kind of behavior kills my desire to continue using your products dead. I need functionality, of the type PushBullet has provided for years, to do my work. The recent nerfing of ublock origin has already had me feeling iffy on things. Behavior like this is simply unacceptable. If you want people to use your services, you need to have some way to communicate. Period. "If you use our tools, we can kill your livelihood at any time for any reason and tough shit if you want a why" doesn't exactly inspire, you know?
ProtonMail has come a long way as a replacement for Gmail as well. Suuuper happy with them, they're really responsive to feature requests and support inquiries. I requested for an iOS feature to choose browsers so I could open all links from PM in Firefox. They had it implemented in a month or something... it a quick fix but that impressed me. hence me shilling here
They recently added ProtonCalendar too.
Switching email isn't nearly as friction-free as switching your browser. Not only do you have to change your email in every service you've registered for, you also need to convince your friends and other contacts to use the new email.
The most important change you can make for your email is to own your own domain. Once you own your own domain, changing providers is much easier since it is transparent to the people that email you.
Even if you decide to keep Gmail, you should switch your email to your own domain.
One worry about tying your identity to your own domain, is the security of your identity (aka your domain) hinges on the security of your registrar. If a bad actor can socially engineer their way into controlling your domain, your entire identity is compromised.
owning your domain and having control of a domain through a trusted registrar is better than relying on the worlds largest advertising company to manage your digital identity (email), which is offered as a free service, that's subject to a catch-all ToS.
An isolated fail in 2014 by one vendor, primarily due to poor support processes, is not a convincing argument to keep all digital identities in Google's possession.
There's also the risk of Google shutting down your account because you do something they don't like. This will lead to a similiar outcome and you won't have any recourse.
I think that GP's point is that "safe" is a tricky word to use when your data is in the custody of the world's largest non-governmental surveillance network with a a catch-all TOS.
But do you lose your domain if google bans your account?
The requirement is being able to switch email providers, especially google, when they lock your account. You don't secure your flow of email with a domain if that domain is managed by google, too.
So my statement was a total comedic effort not to be taken seriously, I'd never suggest anyone use a company on the basis of terrible customer support. That's what the semi-colon parentheses at the end was meant to signify.
To attempt to actually answer your question, I believe the nature of the governance around registrars would ensure you have recourse to transfer your domain in the case that Google be Google. It might not be slick. I don't know. But, it's unlikely they can override the overarching policies for such things and continue being a registrar.
I think the bigger question is how much work it is to update the DNS servers with your registrar and then change your DNS provider. If google locks you out of your email that you use to manage your domain you could be in trouble...
If you don't use your google account for anything but domain registration, what could they even possibly ban you for?
While I am aware that Google tends to have quite a few false positive account bans, it is one of the most extremely unlikely things to happen, if all you do with it is pay for your domain registration.
I generally trust the major cloud providers a bit more than the companies focused on acting as a domain registrar.
The domain registrars are generally a race to the bottom and focused on "add-on" sales as most people are shopping on price and that's going to reflect in the overall quality of the things that most people don't really notice like, y'know, security and validation.
You don't hear a lot of stories about Amazon/GCP/Azure handing over someone's entire account based on a couple digits of a credit card number and it would be a PR nightmare if they did (hell, look at the flak they catch just for the data that people leave public on their services that ends up released... imagine if they handed it to someone). An active account with 2FA/etc enabled and a secure recovery email is probably safe enough for most people.
Spend the extra couple bucks to register through one of those guys instead of JimbosDiscountDomains.
Or… use a smaller registrar which actually charges more in order to provide support which you can contact personally. Most (if not all) large registrars are indeed in a “race to the bottom”, but that does not mean that all registrars are.
(Disclaimer: I work at such a small registrar. No, I’m not going to tell you which one; we aren’t targeting the global market, anyway, only our local area.)
The main issue raised several comments up is portability. No provider locks you to only using their email offering/cloud offerings if you register their domain through them. Even if they did, transferring domains is trivial and well-supported everywhere.
As far as any other objections people usually raise around using hosted email and the like, a domain really has no comparable privacy implications in the real world (you're not handing Google or Microsoft a huge corpus on your life). It's also through their enterprise offerings where as long as your bill is paid they're generally not going to have some automated review suspend your account with no reason, and if they did they have actual support you can get in touch with.
This solves basically all of the problems with using an @gmail.com/@outlook.com/etc email address.
Google, Microsoft and AWS offer registrar services becuase it keeps you in their ecosystem for their higher margin products. THey generally offer competitive pricing for things like doamin registration and don't pull stunts like charging 2x as much for "privacy protection" or the even more dirty tricks like godaddy and other bottom feeders.
I recently trialed hosted email with AWS and while it is very basic it only costs 4/user/month - cheaper than my google apps service. I was also able to register a new domain at market rates and get dns automatically setup (I think?) on AWS as part of the service. Now because I tie my monthly AWS spend with my registrar I'm more confident I can get some customer service as well.
staying inside a vendor's ecosystem for very selective services can actually work out quite well, as long as the seller/customer incentives align and they are relatively commodity services.
I use Namecheap too, but they took forever to add 2FA (it was added a few months to a year ago, maybe?) and I don't have any faith they'll add FIDO2/U2F any time soon.
EDIT: Oh daaamn it looks like they did it! Huh, faith restored. jgc, CloudFlare should follow!
EDIT 2: I'm just full of failures today, CloudFlare supports U2F as well. This is great news all around.
I've been happy with Joker and AWS Route 53. I've used Joker for years and years; at the time they seemed sane both technically and as a business, and that's how it still feels. Route 53 is more recent, but it's been solid and reliable for me. And it's been very nice to control it declaratively with Terraform.
EasyDNS (https://easydns.com), based in Canada has been around for years, and has a good reputation for not blindly actioning DMCA requests (which can be important for some). :)
I agree that that would be catastrophic, but I’m not convinced that using custom DNS changes my risk factor. If someone took over <my name>@gmail.com, they could do as much damage as they could by taking over <my name>@<my domain>.
Yes, but there's still an increase in the attack surface - it's a lot harder to convince a registrar to turn over gmail.com than <my domain>, for most values of <my domain>. It's not a deal breaker, of course, but it's something to consider when looking at the risk factor.
> Even if you decide to keep Gmail, you should switch your email to your own domain.
Do you pay for Google Domains, or just have some other thing forwarding to gmail, and gmail configured to send with that as a 'from' address, which I think is possible? What's your advice?
You can just do forwarding. I’ve run my own mail service since the 80s, and when I need a google login to work with someone I just create it and forward my mail. When the project is over, just delete it. Easy-peasy.
Unless a client wants to use google docs I‘ve never found an account to add any value anyway. I don’t use google search much any more but when I do it works fine without cookies.
And I try chrome occasionally (it’s needed to use google docs) but it uses too many resources to use as any kind of default. It’s also harder to enforce privacy with it.
Oh, ok. In my case some of my servers are over 20 years old, though I run less critical services on them. My newest machines is about 4 months old. My buddy in the rack next to me is a few servers from the same batch as my 20 year old ones. Obviously the most critical stuff runs on the newest hardware but when you’ve had a machine running uninterrupted for a decade or so why mess with it? Annualized cap ex + the op ex is negligible at this point.
As personal servers of course “critical“ is pretty idiosyncratic, though I have used them to start and host various companies overnthe years until it was worth giving them their “own” hardware and identity.
I admit the age of managing a rack full of servers in a colo has largely passed.
There is always a risk of loosing an asset, that includes hijacking. However to reduce forgeting of renewal there is the recipe I have once read here on HN:
Renew your doman for 10 years now, and then every next year do 1 year renewal. If you forget it then you still have 9 years of buffer.
If your domain name provider is serious, almost none: there's a transition period (a few weeks) between the expiration date of your domain and when somebody else can buy it again. So if you forget to renew it, your emails stop working and you'll renew it really quickly ;).
Source: it happened to me last month (the provider being OVH).
Most registrars are going to send you multiple emails leading up to the expiration, when it expires, and after it expires reminding you it expired. You'd have to miss a lot of emails.
And once it has expired, you have (depending on the TLD) over a month of grace period where it's not available for general registration where you can still renew it. You'd have to miss the fact that all of your services were offline for over a month.
I only work with a company who’s team I can actually call. i pay a bit more, but that direct access is great.
It’s actually hard to lose a domain if you have a good registrar. There is 90 day quarantine period even if you cross the renewal treshold. You can also domain lock, which means you need to manually unlock a domain before moving.
That's we something like PayPal is nice, your cards can expire and be replaced without interruption to automatic payments.
And like the email problem, you don't have to go around changing it every couple of years.
I feel your pain.. I accidentally let my main blog domain go a long while ago when I decided to drop most of the domains I was holding.
Beyond this, I've had a few pretty good ones over the years... right now, I've got about 30 of them, and just keep thinking I should let most of them go.
I recall seeing this recently on another HN post, where they had set up a blanket forwarding rule from their Gmail to another email account. Their Gmail later got dinged but the forwarding rule continued to work.
Have to respectfully disagree here...we tried protonmail for ages and it wasn't good. Wet feature adding it sounds like you got lucky but we ask for several features over the course of a year - ranging from simple things such as HTML signatures (that they fully support, they just hide the button on their editor) to more enterprisey user management 2fa enforcement style features and it just didn't hold up in the slightest. No features got added and we ended up going back to o365..for a personal email it's ok though but I wouldn't tout them as responsive to feature requests as this wasn't our experience at all. We were a sma the on their visionary package if that makes a difference.
You don't have to switch overnight, i simply forwarded all my incoming Gmail e-mails to my new account, and then reply to all my Friends (etc.) from my NEW e-mail address. That way they will all, eventually, automagically update me in their address book. It worked very well :)
ProtonMail user for years too. And non-tech people who get my e-mail immediately like (and ask about) the protonmail.com domain, which opens up an avenue to discuss privacy and the upside of non-Google products.
I'm a paying customer (paid for 2 years upfront), and I only found out after paying that ProtonMail has an incredibly poor implementation of 2FA. All it supports is app-based authentication[1].
No support for U2F (FIDO) keys[2].
No support for sending SMS to phones.
In comparison, my Google account is protected with: (a) three distinct U2F FIDO keys that are stored safely in different countries, (b) three separate phones for SMS authentication (my phone, dad's pone, mom's phone), (c) lastly there's the authenticator app which I rarely use. This is so much more versatile and reassuring that ProtonMail's extremely-mininal 2FA implementation.
Also, ProtonMail has no excuse for not supporting SMS-based 2FA. They can send a SMS to your phone, when you setup a new account -- but for some reason can't do this for 2FA. Despite being a paid service, they trying to save on the SMS charges that SMS-based 2FA would incur?
Not sure about the other stuff, but SMS 2FA is generally frowned upon for auth.. though obviously they've decided it's fine for the one time setup just as a verification on signup (not used as 2fa in that case, more like crude proof of identity). U2F has been a challenge for everyone from what I've seen.
I think most people are never going to choose ProtonMail, but it can be good for people who like simplicity and consistency. I don't need a million bajillion options, "plugins" or "apps" for my web mail. Just show me my emails, let me load attachments, and I'm good. That's why I pay for ProtonMail instead of Gmail. Well, that and all the other reasons to distrust Google.
Is there a provider that lets you send emails from free format users on your domain? With catch all addresses the mail goes into my other@domain account. I use a different email address per site. Now with gmail if I want to reply with that account I first need to create it as an alias. If I want to reply from my phone it even needs to be a full account. Is there any way to fix this? Short of using mutt and write the from header myself?
I can do this with fastmail, though fastmail is a subscription (like $5/month? IIRC, mine auto renews every 2 years so not sure). I have my primary email setup as <firstname>@<lastname>.org. If you set your dns records correctly with them, that allows you to use without any ahead of time setup <randomtag>@<firstname>.<lastname>.org. Setting a different tag where I have <firstname> is can be done too, but you need to set those up individually.
replying to emails, I can change <randomtag> to whatever I want.
They also offer random domains that you can setup burners under, though that does involve some ahead of time setup.
Fastmail lets you create wildcard identities like this so you can send from any username at any domain you have with them, but if you are sending from a third party app you usually still need to set up the sending identity in the app itself, which is annoying. The email programs I've tried haven't let me type arbitrary addresses into the 'from' line.
Many programs won't even automatically reply from the same alias the message was received at.
I used protonmail for a week, but i got tired of waiting hours and days for some emails to arrive. some we so late the verification links were no longer active. ugh, if only proton mail was up to par with Gmail.
I transitioned to FFox myself. I occasionally have to use Chrome for work, and it's nothing I find myself missing. If Chrome is messing up your day, it's really easy to cut it out.
I've found the exact opposite to be true in my very specific experience. Five years ago I used every Google product under the sun, today the only Google product I use at all (even search) is Chrome because it's the only one I haven't been able to replace.
I try Firefox with a fresh install on nearly every major release and I keep it installed as a secondary browser, but I can never manage to use it as my daily browser. For whatever reason, none of my company's (major tech company but not a competitor to Mozilla in any way) internal web pages load in Firefox. No error, no warning, nothing in the console, just zero content. Blank page. I've tried it on two computers with the same result and just nothing. No extensions installed, nothing I've installed on my network or computer to block anything. It just doesn't load anything.
On the other hand I keep Firefox installed because Chrome refuses to load my dev environment with a self-signed certificate. Firefox will let me click "I accept the risk" but Chrome just refuses to load with a self-signed cert.
I'd love to use just one (preferably Firefox) but I guess the web is still hard to get right.
I was doing that but it does break things so you need to remember you're doing it. For weeks I wondered why Slack wouldn't work via my browser until I found it was loading some Javascript only when UA was set to Chrome, and that was breaking something.
IIRC, the intent is that no one should be doing this and anyone doing it should be at least technical enough to figure out what they're doing and be reminded that it's a bad idea.
On the other hand these stupid dialog tricks are why I stopped using Chrome. I'm not an idiot and I know what I'm doing. It's pretty arrogant to assume that I shouldn't be visiting my router's configuration page just because it uses a self-signed certificate. I don't care to set up an X.509 infrastructure at my house, thank you. Please stop mollycoddling me.
Firefox continues to do a good job of just letting me visit the damn website after warning me.
I'm confused - Firefox and Chrome act completely identically to a self signed cert for me. Both let me click through after looking at the cert or expanding a section. I have never been "blocked" by some hidden modal unless the site chooses to be HSTS-enforcing, and in that case Firefox does not allow a clickthrough either.
You’re right to be confused because I’ve never seen a rhyme or reason to it either. I generated a cert using OpenSSL’s command line tools and told Django’s manage.py to use my self-generated cert and it works in Firefox but not Chrome.
It did work in Chrome. And then after an update it didn’t work anymore. I don’t know why and it seems like no one else here does either.
Your router's self-signed cert can be imported into your browser and trusted from thereon — that will also stop any potential attacks from someone pretending to be your wifi ap nearby because I am pretty sure you are not double-checking the cert fingerprint every time you visit the router's admin interface. Provided you were not MITMed once you added the cert in the first place :)
And instead many people will just do a Google search for "Chrome [insert error here]" and run the first command they find, while people like me will say "okay I'll just Firefox where I can click past this warning".
For what it's worth I've always been able to click straight through a self-signed cert on Chrome - in fact I just did it right now to log in to something internal. I am a nearly 50-50 split Firefox/Chrome user.
Are you sure you aren't sending HSTS headers that demand the site be TLS in some way?
Also, have you considered the slightly-saner way of doing it, which is making an internal self-signed CA, trusting that internal CA, and then having it sign the rest of your "self dev stuff" certs?
Yeah, I actually think these sorts of strategies are clever. They're a way to protect normal users without outright barring power users from doing as they wish.
macOS operates in a similar way. I really like how the difficulty increases depending on the task:
• Want to allow one app through Gatekeeper? Instead of double-clicking the app icon directly, right click it and select "open".
• Want to turn off Gatekeeper for all apps? You need to open the Terminal and execute a command.
• Want to turn off System Integrity Protection? You need to reboot your computer into recovery mode and execute a Terminal command there.
Except for those of us who are finding out about it only via a Hacker News comment. As happened with this user, who seems, you know, sufficiently a power user to need that info. Even a "if you know this site to be safe, please read this knowledge base article (link)" and buried in that, amidst all the reasons you shouldn't use untrusted certs, are the instructions.
> Even a "if you know this site to be safe, please read this knowledge base article (link)" and buried in that, amidst all the reasons you shouldn't use untrusted certs, are the instructions.
I don't think that's a bad way to go about it either, if it's sufficiently buried.
I'm primarily just thankful there's a workaround, hidden or not, given how many tech companies seem to respond to these things by disallowing them completely.
You're kidding right? You look at every commit of every open source app you use, or that a closed source app is built atop? For me, off the top of my head, that would mean, yes, Chrome, Firefox, the Linux Kernel, Libre Office, Android, VLC...probably plenty more that I am unaware are open source, and that's not even considering the dev tools to do my job. When would I actually have time to have a life?
Exactly. Reading the source of every program you used was certainly possible back in the 80's when the FOSS movement started; but nowadays, with every program being millions of lines of code, it's implausible to get through all that and still have time to actually use the software.
If you're on OSX/macOS (what a silly rebrand) then if you look in ~/Library/LaunchAgents (and possibly /Library/LaunchAgents and /Library/LaunchDaemons) for any .plist from Google (or Keystone) in there and add
<key>Disabled</key><true/>
under the first <dict> and then unload each file, e.g.
Assuming you are on a Windows domain, since they are able to control your Chrome. Chrome uses all the built in Windows settings. Have you check for proxy settings in internet options? Firefox I believe still uses standalone settings, and will need to be configured manually.
Other thing they could be doing is adding certificates to the Windows certificate store, that Firefox does not trust. Though I expect you would see an error about invalid certs in that case.
Sure, and I use it daily. But my frustration isn't about me particularly, it's about Google's increasingly hostile behavior. They're the 800-pound gorilla of the internet, and the way they behave affects all of us.
I second the Fastmail vote. I have been a happy user for... maybe 3 years now? A while at least. The web UI on mobile and desktop is second-to-none (I love not having an app) and the spam filtering is as good or better than gmail and the other big players.
Because when it first was released, they were one of (if not the only) (free) email providers to give every user over a gigabyte of storage. At the time, most email providers only allowed mailboxes in the dozens of megabytes range.
Nowadays, everywhere gives you plenty of space, but for me personally, it’s just been the fact that I’ve been using it for so long and switching is a hassle. I’m sure it’s the same for a lot of other people, and for the majority, they probably also don’t care enough.
Pretty sure Hotmail (which at the time was like 20% of all web traffic) was still offering a whopping 2MB of space when Gmail launched. It was only after Gmail came out that they started bumping the quota from where it had been since the mid-90s.
Gmail was a HUGE deal. People were going nuts over the invites.
I have fastmail bookmarked waiting for me to find some time to switch over my gsuite admin and some cname redirects off of Google's platform. It's definitely past time for me to get a little less dependent on them.
I am not sure why would one trust something as important as email to any company. Register and use your own domain. Then you are totally free in your choice and switching is no problem
I switched from Pushbullet to Join and one of the hurdle the dev is having is that something regarding push messaging was severely lacking in Firefox compared to Chrome, hence the lack of an extension for it on Firefox.
The only Google product I still use is Android. I won't switch to iOS, that's like cutting off your nose to spite your face. Sadly, the FOSS alternatives do not support Blackberry phones, and for physical reasons I _greatly_ prefer a real keyboard.
I switched when Google killed of ublock origin in Chrome. Firefox is quite nice these days. I just use chrome for development because I'm more familiar with their dev tools.
I will very occasionally find a site that's broken in Firefox and works in Chrome though.
> Firefox's new DNS over HTTPS was bypassing all my firewall DNS rules.
A misstep by Firefox, though it was done with genuine intent to safeguard users (as opposed to just being spun that way).
Though they've walked it back it still needs to be opt-in or be trivially easy for average users to opt-out.
Hard to quantify, but neither Firefox nor Chrome were compromised at Pwn2Own this year. The sandbox architectures are very similar now. Chrome's still ahead in having a slightly tighter sandbox and already shipping process-per-site, while Mozilla is working hard to catch up on those. Firefox gets a slight advantage from using Rust in some places instead of C++. I'd say Firefox security is still behind Chrome but in practice not by "a lot".
Yup, exactly the same. That's what I use. The only thing Chrome was better in the past was audio pitch correction in sped up videos. Firefox recently fixed that so now for me there is absolutely no need to use Chrome anymore.
Thanks for the link. So it's a subset of kdeconnect/gsconnect for Linux/Android [1] [2] [3]. I'm using it to share files and tabs from my phones / tablets to my pc and viceversa. It does many other things including sms from the pc. It works with any browser or with no browser at all. There is no need for an extension.
I'm sure Apple has had that too for a long time and I saw something like that from Microsoft a few days ago.
I have temporary containers extension plus an extension to manage google and Facebook containers and the whole thing has become such a pleasurable experience. Combined with pihole it feels like I’m reclaiming the web back again. Such a blissful experience.
Yep, for me Multi-Account Containers and Tree Style Tabs are both killer features. Being able to load the same page with multiple accounts within the same browser and without losing everything after each session is a game changer for all sorts of situations, as is being able to keep dozens or even hundreds of tabs open without squeezing and squishing them unreadably into the top of the window like some kind of maniac.
And with temporary containers isolation pages that don't have their own dedicated containers get all their history deleted after they close (by default a few minutes later, so undo close tab works), just as if you'd opened each new tab in an incognito window.
Mozilla is becoming more and more Google Like as time progresses, where a few years ago I would have believed it would be unthinkable for Mozilla do so something like this to an extension, today I am not so sure I would trust them either
Can you give a few examples of how Mozilla/Firefox have changed?
We all know about FF Quantum. Yeah it sucks what happened. Maybe there was an alternative, but any one saying Firefox should’ve just stuck to not being compatible with Chromium extensions is kidding themselves on how badly that would’ve continued hurting Firefox’s market share. The XUL powered extension I’m sure were powerful so the outcry in certain places was huge. Vocal minority.
The Pocket integration got lots of outcry which seemed pretty silly to me. It’s one product they own. Mozilla doesn’t have a ton of products. Yes that is Google like. Much like any synergy or integrating is Google like. Which is really just being a modern internet corporation. If this is one of the reasons. Why would Mozilla of 5 years ago not have done that vs the Mozilla of today and whenever they did do it. 1-2 years ago I think?
FWIW, killing XUL extensions wasn't even really about Chromium compatibility. The changes in the Quantum rearchitecting were going to break everything anyway; the decision was made to move everything onto an add-on system which wouldn't just break again and again with every architectural change (which, yes, did have the benefit of Chromium compatibility).
Quantum wasn't even about Chrome compatibility. The XUL extension mechanism was permanent technical debt loaded onto the browser because of how it exposed features, basically welding things directly onto the browser's guts, which on the one hand is super-convenient for making radical changes in an extension and on the other hand is a nightmare to maintain.
The analogy I've used is the Amiga operating system design versus Unix when it comes to multi-core / multi-processor versus multiprocessing. Amiga welds everything to the hardware, the Unix design has a "system call" mechanism cleanly separating your programs from the OS and vice versa.
Because Unix has this relatively thick layer between the OS kernel and the rest of the world, you can just pick up your entire kernel, wrap it in a lock (in Linux this was called the Big Kernel Lock in some BSDs it was Giant Lock and other Unix systems gave it different names) and you've got a multi-processor capable system. Linux did this in about a year IIRC. For purely CPU bound software this minimal work gets you 99.9% of the performance of a custom built OS designed from the outset for multiple processors. Subsequent work to get rid of the BKL further improves performance on more sophisticated workloads, but you're off to a great start.
Amiga couldn't do that, every part of their system could interact with every other part as it liked, so if you tried to just add one lock to protect things the resulting system might randomly deadlock, maybe only on systems with specific hardware or software combinations, and you basically needed to reconsider everything from the ground up.
You need a degree of abstraction like this, the Chromium-style web extensions have it, the XUL extensions didn't, adding it to the latter would have been years of work only to deliberately be incompatible with both existing software on Firefox AND everybody else, madness.
There are definitely things we want in extensions. For example Firefox has a copy of the Public Suffix List baked inside it (all browsers should have this, in its absence you'll get weird security behaviour around how domains and sub-domains work) and I'd like to access their copy from inside an extension to make it behave how users expect. But obviously the extension can just ship its own copy of the PSL, and then keep that up-to-date it's just a waste of resources.
> The XUL extension mechanism was permanent technical debt loaded onto the browser because of how it exposed features, basically welding things directly onto the browser's guts, which is a nightmare to maintain.
There is no evidence for this at all. Extensions can't modify the rendering engine.
"guts" meant the XUL implementing the Firefox UI. tialaramex is absolutely right about that, extensions had total access to that XUL/JS state, which is why changes to the Firefox UI inevitably broke extensions.
DNS-over-HTTPS was the big one for me. Mozilla betrayed us here. They've pushed something browsers shouldn't do into the browser, and in my case, started to roll it out to my browsers despite my network device being set to block it.
They actually managed to implement a policy that respects user choice and freedom less than Chrome, which only implements DoH if your set DNS provider supports it.
> DNS-over-HTTPS was the big one for me. Mozilla betrayed us here.
Betrayal indicates some intent to harm users; the intent of DoH is clearly to safeguard users. However, the rollout was absolutely hamfisted & shortsided.
It's notable that the DoH deployment is about the only example here of Firefox harming users. Compare that with Google rewriting Chrome's code to hobble uBlock Origin & leave users more vulnerable to nefarious ad tech.
The former was Mozilla putting user safety first (in a poorly handled way) while the latter was clearly Google doing the opposite.
Don't get me wrong, I would always choose Firefox over Chrome, but I lament the lack of a major option that seems to not follow Google's plans and generally assume they know better than the user how to use the web.
I don't think the Pocket was owned by Mozilla when they announced their integration. Looking it up, it looks like they bought it 2 years after the initial announcement so I can see it being controversial.
> The Pocket integration got lots of outcry which seemed pretty silly to me. It’s one product they own. Mozilla doesn’t have a ton of products.
I switched to Firefox after the Pocket thing happened, so I didn't follow the "outcry" and can't say if the tenor was justified.
However, as a new Firefox user not familiar with the history, the pocket integration just felt "icky", particularly in combination with the new tab page. Regardless of Mozilla's intentions, it seemed like another instance of Software A trying to push me toward unwanted unrelated Service B, as so many modern tech products are wont to do. Mozilla should be a sanctuary from that crap.
Luckily, I found out about the about:config flag to disable Pocket, and I've been happily ignoring it ever since. I just think it's an unfortunate experience for new users. Hopefully I'm wrong and Mozilla is right about what most new users want.
Being in a country that was the last holdout for Firefox (majority usage) before it was also taken over by Chrome, I know that several others as well as I have issues with Mozilla. Personally, I've always used Firefox, without exception, and stayed with XUL, rather than switch to their new browser, as add-ons are the most important part of a browser for me. I don't care if one is half a second faster or not.
Not to mention that stuff like stupid redesigns of logos as well as the Pocket issue made me basically lose all trust in Mozilla. Privacy is a huge deal here after all. Those who switched regularly complain about design issues (apparently the desktop browser is becoming somewhat "mobile-like") and most recently the address bar problem which upset everyone except for one person who didn't care about that. (Meanwhile, I'm happy with my address bar being my address bar and my search bar (being just right of it) being my search bar.[1]) If you would ask the people still using Firefox here whether they would recommend it...they would most likely say "no" but then would go on that while it isn't good, the alternatives aren't either.
So the question of change in direction (which is obviously there) regarding Firefox begs the question which people they are actually targeting? It's certainly not your average Joe because Firefox will never be able to out-Google Google. They are also annoying the more advanced users who just want privacy as well as useful things (add-ons, proper baked-in features etc) with their shenanigans, so it can't be them either. The only people I see actually celebrating new releases all the time (regardless of negative changes) are the crowd on HN. So, to me, it seems like they are targeting some kind of tech bubble (no offense) while basically ignoring the users out there. This is, of course, also reflected in them continuously losing marketshare while all the back-patting is happening.
Mozilla has to target the mass market or they won't survive. They certainly have to target people who, unlike you, care about performance more than anything else, since that's most of the market. You can argue it's hopeless but you can't expect them just to give up, nor should they.
I'm not the previous commenter, but on Android Mozilla is removing the ability to install extensions from third parties (think GitHub, etc.) and will trim the only left official extension store down to a few extensions. (I think it's below 20 right now.)
An ecosystem where all extensions need to be channelled through one central power broker is pretty much the main requirement to allow them to do what Google is doing in the linked Pushbullet case.
edit: this is all factual, sadly downvotes won't change it.
They've rebuilt their browser from scratch and are re-adding the APIs. It makes total sense to prioritize the most frequently used ones now and expand to the other ones later on.
For me personally, Privacy Badger and uBlock Origin are already there. I don't think I need a third one at all.
This is temporary while the Android team builds out and stabilizes the add-on APIs supported in the new Firefox for Android. Otherwise it'd be a total crapshoot whether an add-on you tried to install worked or broke randomly (potentially in gnarly ways).
If locking down on the extension ecosystem were only temporary they could just defer the nearing downgrade of their main line browser until their replacement is fully functional.
But that's not what they do. Instead we do have a clear announcement on a feature removal and a vague hint that they might add it again in the future.
It's absolutely not sure that disabling non-store extensions is only a temporary defect.
If you have evidence that suggests otherwise, feel free to add it.
It does not help that their marketing language feels designed to consistently avoid any meaning whatsoever.
> If locking down on the extension ecosystem were only temporary they could just defer the nearing downgrade of their main line browser until their replacement is fully functional.
The update is going ahead because the new Firefox for Android is such a dramatic improvement along all other axes, and because, from a development perspective, the incarnation it's replacing is saddled with legacy and technical debt. It never received most of the benefits from Quantum, for example.
> The update is going ahead because Firefox Preview is such a dramatic improvement along all other axes.
...and even the extension axis, from a power-aware Mozilla position. That's what makes it suspicious in the first place.
A few years ago they had a bug that added seconds to every page load that they didn't fix for half a year, but once an update coincidentally consolidates power at Mozilla it needs to be pushed for all its supposed benefits and despite all its known drawbacks asap.
We wouldn't buy that if it were Google or Microsoft and we shouldn't buy it in Mozillas case either. ... If they even announced that they plan to reopen the extension system, which they (to my knowledge) did not.
Personally I don't notice any grave difference between Firefox and preview. Apparently scrolling should be different, but my mid-range phone scrolls just fine in both apps.
> For a long time, it was just setting the default search provider to Google in exchange for a beefy stipend. Later, paid links in your new tab page were added. Then, a proprietary service, Pocket, was bundled into the browser - not as an addon, but a hardcoded feature. In the past few days, we’ve discovered an advertisement in the form of browser extension was sideloaded into user browsers. Whoever is leading these decisions at Mozilla needs to be stopped.
> Here’s a breakdown of what happened a few days ago. Mozilla and NBC Universal did a “collaboration” (read: promotion) for the TV show Mr. Robot. It involved sideloading a sketchy browser extension which will invert text that matches a list of Mr. Robot-related keywords like “fsociety”, “robot”, “undo”, and “fuck”, and does a number of other things like adding an HTTP header to certain sites you visit.
> Mozilla’s motto is “internet for people, not profit,” however the realities of having to fund all of its ventures are forcing the company into adopting one of the web’s less human-friendly aspects: sponsored content. Having acquired read-it-later service Pocket last year, Mozilla has been populating new tabs in Firefox with Pocket reading suggestions — and those are now going to include links that an advertiser has paid for.
I agree to some extent, e.g. the pocket integration and Mozilla burning cash on things that aren't related to Firefox, but Chrome's decision to limit/break key adblocking APIs across their whole ecosystem is much worse. I'd be willing to ignore almost any number of removed extensions to continue using a browser that's not owned by a glorified adtech company.
Browser extensions are going to be turned into a web standard, and W3C is controlled by Google, so Firefox will probably lose its adblocking API: http://browserext.github.io/
Doesn't Mozilla get nearly all its money from Google; I've assumed that actions by Mozilla have been coloured by not wanting to ditch its multi-hundred-million dollar benefactor.
Google has apparently paid Mitchell Baker personally multiple millions of dollars too.
Seems Google know how to manage their risks.
Mozilla seem perhaps even more beholden to ad revenue than Google.
I know that Mozilla has historically been paid by Google to make Google search the default search provider in Firefox. But you just claimed "Google has apparently paid Mitchell Baker personally multiple millions of dollars too" which is something different that I have heard nothing about. So, what is that claim about?
Who do you trust? Certainly not Chromium-Edge. That leaves "only browse the internet on a Mac with Safari" or browsers with such tiny market share that they'll never be tested against, and sites will routinely be broken for you. My company doesn't do any non-Chrome compatibility testing, so all our intranet sites require Chrome.
Why not? Chromium (= Blink, plus some other stuff like a network request stack) development happens in the open, just like WebKit development. It might be steered by Google to such an extent that there's always the possibility of it going in a bad direction; but it's not like you're not going to hear about it if something privacy-violating is introduced into the Chromium codebase (rather than the downstream Chrome codebase.) And you can switch away from the browsers that use it if/when that happens.
For that matter, if upstream Chromium ever did start "going bad", those browsers that rely upon it would also likely switch away from it, either cooperatively forking it into a new community-maintained project, or switching over to WebKit (with which it is still mostly ABI-compatible.)
> browsers with such tiny market share that they'll never be tested against, and sites will routinely be broken for you
Even if you don't want to use anything based on Blink, WebKit is also a large ecosytem, and minor WebKit-based browsers can "inherit compatibility" from developers targeting (mostly Mobile) Safari. Several Linux browsers (GNOME Web, Falkon, Midori) use WebKit, for example. They render everything just fine (i.e. just like Safari does.)
> The browser also sends unique hardware identifiers to Microsoft, which is a "strong and enduring identifier" that cannot be easily changed or deleted.
Oh, ah; I thought the above meant "why not Chromium and/or Edge" rather than "why not the Chromium version of Edge."
Yes, I can see why you'd avoid Edge specifically, same as avoiding Chrome specifically.
But that's not an argument against using upstream Chromium (which is, in fact, a browser all on its own, stadnalone downloadable and shipping with several Linux distros); or against other Blink/Chromium-based browsers (e.g. Brave), no? Either choice would get you compatibility with anything Chrome itself is compatible with (in terms of websites; not necessarily in terms of extensions—though the difference is just in the legacy Chrome extension APIs; WebExtensions work fine everywhere.)
> The recent nerfing of ublock origin has already had me feeling iffy on things.
What did they do to ublock origin? The single best Chrome extension ever. If it stops working and I must suffer YouTube ads again, it's bye bye Chrome.
They're going down the Safari line of limiting the number of rules an extension can use, significantly reducing the efficiency of adblockers.
If it goes as planned, you won't see ads on YouTube for sure, but there likely won't be enough space to add rules for less mainstream ad networks and some of the specific sites you visit.
It's a lot more than just limiting the count; expanding the count would not offer equivalent functionality. Basically they're hobbling adblockers' ability to compete in the arms race, which makes sense as Google is an advertising company.
If Youtube ads mean that much to you, why not just pay for it? I'm all for ad blocking (I use ublock too) but if I heavily use a site that offers me a way to pay a reasonable price, I think it's the right thing to do. Uploaders with monetized videos still get paid that way (and I don't want to bother with Patreon etc, that doesn't nearly scale to everyone I watch videos from).
Eventually there's a whole deal of stuff you end up paying for, a few bucks at a time. I draw the line somewhere. Ads are one such line. I won't watch them anyway, so their only purpose is to annoy me -- and I tend to swat away annoying things.
Never let anyone make you feel bad for blocking ads. It's the right thing to do.
It would be interesting to hear Google's actual reasoning but I don't expect that we will. I will speculate that it is exactly the clipboard permissions as there have been apocryphal reports of Android apps and web extensions that use this to steal passwords that password managers put there for users to "paste" into their pages.
If that is the case, then a much better solution would be for Chrome to implement a secure channel for password managers to use for just that purpose and make access really really explicit. But again, without them saying anything we won't know.
My advice is to watch for a CVE regarding sniffing sensitive data off the clipboard to surface in the next 30 - 90 days.
I've been using PushBullet for years. Great product! It's not fair what big companies are doing to what it seems to be, prioritizing their own features over third party well-built products. It's abusive.
Chrome's Extension v3 API will remove the ability for uBlock Origin to filter web requests in code, instead the application will have to submit a list of URLs to filter to an internal API and this list has a maximum size and limits the flexibility of the URL filtering.
This is ironic, because uBlock implements an extremely efficient filter and is even looking into using WASM to speed it up even more. Google's public position is that implementing functionality in JS or WASM is unacceptably slow. They say "[Preventing or weakening ad blockers] is absolutely not the goal. In fact, this change is meant to give developers a way to create safer and more performant ad blockers."[1]
Google's public position is also that WASM is "consistently fast"[2], fast enough to rewrite Google Earth to target it[3], and "It's entirely feasible to build a complex code-base to run performantly in the browser using WebAssembly"[4].
So which is it? Is the Web Request API being deprecated because it's not possible to write performant code in extensions using Chrome's powerful JS and WASM engine, or is it possible but there might be some other, different reason that they're blocking it?
These days Google's core value appears to be a Kafkaesque hypocrisy.
They promote efficient websites to increase ranking with their search algorithm, while operating ad services that bog websites down. Not to mention the whole AMP business where they looked at Facebook and developed a severe case of walled garden envy after previously being a champion of open web standards.
> They promote efficient websites to increase ranking with their search algorithm, while operating ad services that bog websites down
The online-advertising economy that Google operates in does slow-down websites.
Google's own ads, don't. AdSense ads are loaded asynchronously and I've been happy to run them on my websites. Google Analytics is also fast and light.
It's other scripts that bog things down - right now on my most AdSense-laden webpage the real killer is ZenDesk's chat widget - even when loaded asynchronously it still blocks the page render and pulls in over 600KB of resources, which is ridiculous: https://support.zendesk.com/hc/en-us/community/posts/3600042...
> Not to mention the whole AMP business where they looked at Facebook and developed a severe case of walled garden envy after previously being a champion of open web standards.
I'm not a fan of AMP either, but you don't have to use Google's AMP cache CDN to use AMP - it may surprise you (as it surprised me!) to learn [that Google endorses Bing's AMP cache](https://amp.dev/documentation/guides-and-tutorials/learn/amp...), for example (Google owns and runs amp.dev) - but I won't be happy with AMP until it's possible for people to run their own AMP CDN/caches.
That said, I fully understand why original-content providers aren't keen to adopt AMP: because it restricts the kinds of advertising displayed in a page and restricts monetization, and means you have to trust your CDN to accurately report pageviews.
uBlock Origin is not available for Safari in its original form. It only exists as a (somewhat neutered) fork that's basically dead[0].
There's a disconnect in the sense that a lot of people think that adblocking in Safari is fine, even though it is pretty objectively less capable than Firefox/Chrome in this area right now. There's no disconnect in saying that Manifest v3 is going to hurt adblockers, because the same changes in Safari also hurt adblockers, and (as of last time I checked) Chrome's proposed changes go even farther than Safari's did.
But in general, yes, you should already be avoiding Safari today if you want to use the best adblockers on the market. Safari suffers from the exact same problems, that's why I use Firefox even when I'm on a Mac -- because the adblockers and security extensions for Firefox are just a lot better.
It's not about just me. I use a half-dozen different browsers during my work day. It's how the provider of the world's dominant browser is behaving, with ramifications that affect all of us.
They blocked ublock origin?! Really?! What was their stated rationale (I assume they didn’t admit it is because they want people not to block ads)? Might I suggest using Firefox? I use it and don’t have any trouble with it.
I switched to Firefox because of Google banning Bypass Paywalls extension that is available as a Firefox add-on. When I was building my bootstraped company, Google really taunted us with emails like this, when our AdSense monthly earnings reached $10,000 and we're my only source of income. We had 20 million user profile pages, and they were saying that something is wrong with some of them, without saying what, forcing us to "review" them all. We built sophisticated ML content filters, to receive more unspecified warnings and get the account shut down. I managed to reinstate the account, but it left a very evil taste. I am in the process of degoogling, using Bing as the default in Firefox.
I whole-heartedly agree and this is why I give money to AWS and Azure will not give any to GCP until the lack of transparency and random product killings stop.
If you haven't switched to Firefox, you should! There were a few things I didn't like at first, but after searching StackOverflow and blog posts for how to change the settings, I am now fairly happy!
(old dude here) I knew this attitude was coming when i saw the billboards recruiting PhD's back in 2008 (or so). I figured they'd be completely infected by arrogant (but clever) twats around 2015. i believe my guess proved to be true and it's been getting worse ever since. also, the fact that their (organic) search is so awesome also-also that they were allowed to buy Waze, ffs, get out of my life!.
Anyone at Google who is listening- this kind of behavior kills my desire to continue using your products dead. I need functionality, of the type PushBullet has provided for years, to do my work. The recent nerfing of ublock origin has already had me feeling iffy on things. Behavior like this is simply unacceptable. If you want people to use your services, you need to have some way to communicate. Period. "If you use our tools, we can kill your livelihood at any time for any reason and tough shit if you want a why" doesn't exactly inspire, you know?