And it's where these basic websites for paying bills get the most focus from web-vandals, because these websites have automatic client-side software being forced on end users who just want to "get the bills paid".
What you should do instead is contact the website owners and tell them to change to a solution which doesn't require any client-side software besides a browser with HTML and CSS support and no JS, extensions nor plug-ins. If you are not a programmer or not a web developer, tell them to contact libreplanet-discuss (this forum, trisquel-users, isn't for this kind of request, unfortunately). With more and more people doing the same for a given company, they will eventually give it a try; if they ignore you, you have a reason to not use their disservice anymore. ;)

2018-01-12T01:17:01+0100 [email protected] wrote:

> What's wrong with just calling it "privacy"? Privacy is important
> enough on its own that I don't think we need to reframe the discussion
> in ways that might cause confusion.
> Nothing wrong at all. I just wanted to accent on the fact that for
> people privacy (as a form of personal security) is more important than
> the ability to inspect/change/redistribute. That's why I think we need
> stronger criteria when evaluating the quality of software (or
> hardware). As discussed here, just being free (in the FSF sense) is
> obviously not enough and with the state of what is happening in the
> world we need new things. Hence my idea about a new network.
>
> I will figure it out when I have more time.
> You can also try Wireshark.
>
> It doesn't seem to prove that no additional data is sent by Firefox or
> Chromium during browsing, just that this data at minimum is sent on
> startup.
> I don't know what lower/upper-bound means but the very fact that any
> browser which sends these packets without the user initiating
> explicitly that communication is enough for me to mark it not privacy
> respecting and not consider it for further testing. Of course you are
> right - we need to test how it works during browsing. Perhaps the best
> thing to do would be to keep it simple - e.g. opening remote txt or
> html without scripts or extensions and looking at tcpdump.
> Let me know
> if you have any better idea.
>
> I said that it had been closed, but it's alarming that it ever happened.
>
> That is in no way different from Ubuntu's case or from Mozilla's
> telemetry. In such a scenario, when flaws are all around, all we can do
> is look at facts as they are right now: Chromium does not send packets
> to any third party on startup. Konqueror sends no packets at all on
> startup but has other issues as it seems.
>
> However, right now I am more concerned with the issues linked to by
> Magic Banana, since they are active and haven't been adequately
> addressed after several years.
> I am honestly having difficulty in understanding what you
> mean. Aren't they primarily licensing issues? Why are you more
> concerned about licensing while your browser is sending packets to
> company X, Y, Z? Please explain as I may be missing something.
>
> Replicant, the operating system, is 100% libre. You are likely
> referring to the modem or bootloader that the device itself uses
> regardless of what operating system it runs.
> Exactly.
>
> Purism's phone...
> It is still not produced, so nobody can possibly evaluate it. But from
> what I know there will be complete hardware separation between the
> modem and the rest of the system. So you can use it as a pocket libre
> computer, hopefully without any coreboot or whatever firmware blobs,
> otherwise it won't be much different from a Samsung + Replicant. Also
> from what I have heard, it would be able to use the mobile network as
> a pipe, to make encrypted phone calls. So basically the only tracking
> will be possible through the location of the phone based on nearby
> mobile stations (which perhaps cannot be avoided if one wants to talk
> to anybody).
>
> I suggest looking into JMP if you live in North America
> I don't but thanks for the info. What you describe is similar to Librem5.
>
> In this case the advantage of using Tor is that you do not reveal your
> location.
> This is especially important if it is a site or account you
> use frequently (like an email provider) as otherwise they can track
> you to the point of detecting behavioral patterns.
> Sure. You can probably even use Facebook anonymously but FB (and many
> other sites) won't allow you to sign up/in with a disposable email
> address (they seem to recognize the domains). I know the FSF page
> which you linked but it seems dated. From all the recommended ones
> only safe-mail.net seems to work without JS but it requires a current
> email address and I can't find any site which gives disposable email
> without JS, so there is still no possibility for complete untraceable
> anonymity. As for Kolabnow - I have been in touch with these guys and
> asked them if they have cleaned their systems from Intel ME,
> proprietary BIOS, what is their approach to quantum resistant security
> etc. The answer was "We are still learning to ride the bike" and some
> advertising that they use only FOSS. I explained further that security
> at ring 0-3 means nothing when a system is flawed at ring -3 and they
> told me they would forward my concerns to some operations
> department. ProtonMail's answer was even worse. So far I haven't found
> a single online service provider who can guarantee a clean and
> completely tested system and without that there can be no privacy,
> regardless of how deep the server may be buried in the Alps (or
> wherever). And considering the most recent side-channel bugs, things
> are really out of hand, globally. I think it is a much bigger problem
> than cleaning up one's own machine(s) as we still need to communicate
> with the majority who use PRISMed services and have no idea what
> end-to-end encryption is. So considering the mid-man is always flawed
> (in one way or another) and that end points are already infected,
> freedom/privacy for one's own computer becomes a petty little affair.
>
> Asymmetrical protections...
> My previous comment was about your example of 2 people having a
> private discussion in a public place and one of them hiding his
> face. My point was: that is unnatural and will never work, it will
> always lead to conflicts. Our current approach to security is through
> isolation and isolation itself creates separate conflicting sides. So
> we cannot be secure through isolation. We are naturally secure when we
> are together - when we think together, work together, share
> together. I am not proposing communism (that's an illusory ideal which
> didn't work) but perhaps we need to fix ourselves as a species first,
> not technology (which is just the product of what we are). Just
> thinking...
>
> Thanks for the links to EFF's images. I enable JS in private mode
> (i.e. temporarily) for individual sites when it is absolutely
> necessary (e.g. to pay some bills) and for my local web server on
> which I do some front-end web dev. But as a whole I browse with JS,
> cookies and 3rd-party images and CSS blocked. It is amazing how very
> few well designed sites are out there. Most of the web is really
> terrible, just like the increasing length of my posts :)
