
Re: The Spirit of Free Software, or The Reality



Nikolaus Rath writes ("Re: The Spirit of Free Software, or The Reality"):
> On Jul 15 2015, Ian Jackson <ijackson@chiark.greenend.org.uk> wrote:
> > Nikolaus Rath writes ("Re: The Spirit of Free Software, or The Reality"):
> >> 2. Would it be ok if Firefox did all this at the time you visited the
> >>    first webpage, rather than at the time of startup?
> >
> > I think that depends on what the first webpage is.
> >
> > If the first webpage is (say)
> >   https://en.wikipedia.org/wiki/Embarrassing_medical_problem
> >   https://act.eff.org/login
> >   https://search.debian.org/cgi-bin/omega?DB=en&P=vulnerability+scanner
> >   https://fetlife.com/home/v4
> > then I don't see any reason why Ebay or Amazon would have to know even
> > that I am running Iceweasel.
...
> > It is obviously not practical for us to do very much about that, other
> > than by promoting (a) privacy-enhancing client-side tools
> > (b) privacy-respecting websites, where relevant and (c) political
> > change.
> 
> Yes. I guess what I'm trying to say is that calling Iceweasel isn't the
> same as calling "ls" or make. Having the latter programs do the above
> would be severe. But in order to protect your privacy when browsing with
> Iceweasel, you have to run it through tor anyway (and probably add all
> sorts of other measures to prevent fingerprinting). So why worry about a
> few extra requests?

I'm feeling a bit frustrated now because I feel you didn't really read
the part of my mail a bit earlier (quoted again above).  Perhaps I
wasn't clear enough, so I will try to explain it again:


If I use Iceweasel to visit the EFF's web pages, over TLS, I see no
reason why I should be exposed to any privacy violations (other than
any implied by decisions taken by the EFF).

People who care about their privacy choose which web pages to read,
and when (for example, in what network environment) to read them.

They might even launch a browser simply to read local HTML files.


Also, privacy is not the only reason to avoid unnecessary transactions
with third-party servers.  Such transactions:

 * Unnecessarily expose any bugs in Iceweasel (or software it calls
   such as TLS and image libraries) to attacks from a wider range of
   sources;

 * Simply by generating network traffic, may cost the user money, or
   may interfere (in environments of poor connectivity) with the tasks
   the user is trying to perform.

 * Might permit the third-party servers to cause the software to
   function in ways that we consider undesirable.

   For example, in this case, it would be technically possible for
   (say) Google (or someone masquerading as Google) to change the icon
   offered to Debian's Iceweasel to one which looks very like
   Wikipedia's icon.

   More realistically, it would permit the operators of these sites to
   change the icons dynamically, for marketing reasons which we might
   not agree with.

 * Can cause the software to fail, or degrade, for difficult-to-debug
   and ephemeral reasons.  In this case, the icons might not appear
   some of the time, which would be annoying but not critical; but the
   principle remains.

Ian.

