Add Sware Iron #169

Closed
eloydegen opened this issue Jun 26, 2013 · 35 comments

@eloydegen
Contributor

eloydegen commented Jun 26, 2013

Some people would probably prefer a Chrome-based browser, because of the plug-ins or the performance.

@Zegnat
Collaborator

Zegnat commented Jun 26, 2013

Are there any third party reviews of SRWare’s Iron? I am hesitant to just accept any fork of Chrome.

If this is about getting a WebKit browser on the list I think I would prefer Midori (see #88).

@gitkitten

I've been using SRWare Iron for years, but I won't recommend it for newbies.

Iron is just like Chromium (Chrome base);
it also accesses *.google.com.

I'm using Iron because I am blocking Google's domain and IP range
using Firewall, Peerblock, Router DROP packet system.

Definitely, Iron is better than Chrome, but I say again:
STAY AWAY FROM CHROME_BASE BROWSER, IF YOU CAN'T DENY GOOGLE SPY ACTIVITY

@Zegnat
Collaborator

Zegnat commented Jun 26, 2013

> Iron is just like Chromium (Chrome base); it also accesses *.google.com.

Are you saying it accesses Google services automatically without the user’s consent? If this is true then there is no way Iron will make it to the list.

@gitkitten

> Are you saying it accesses Google services automatically without the user’s consent?

Yep. Chromium is just a Google-spyware.

When I start Iron with the "--incognito" (Privacy) option, it tries to connect to:

Request:
exskdbvyfw/
juxbzdzmzx/
wdvlhiylzo/

And also, clients2.google.com AND clients4.google.com.
Of course, I always disable these 2 things:

Predict network actions to improve page load performance
Enable phishing and malware protection

@gitkitten

And another funny thing to tell you;

I delete Google from Settings:Search section, and add Startpage, select as default.

Sometimes, in the old version 26 (current is 27, which I'm using),
it modifies search engine to Google. Without user notice.

If you select a word, and right-click it, it appears
"Search Google for ***"

This is bad because every time I didn't check these words.

Select word -> First click ->
www.google.com: This webpage is not available (Because I block Google-Spyware)
-> Oh, again... -> Right-click words again -> "Search Startpage for ***" -> Okay...

I _will_ move to Firefox, if,

  1. Firefox is faster and lighter than Chrome-based browsers
  2. Firefox doesn't connect to *.mozilla.com automatically without user notice (BAD THING)

@Zegnat
Collaborator

Zegnat commented Jun 26, 2013

The first random requests (e.g. exskdbvyfw and juxbzdzmzx) are done by Chrome to see if your ISP is messing with the DNS. These should not really hurt your privacy as your ISP already knows who you are and what your IP is. If you use a good DNS provider they will simply return NXDOMAIN and nothing has happened. In theory your DNS provider now knows you use Chrome (or any other Chromium based browser… has Opera copied this behaviour?) but nothing else happened. Sources: serverfault.com and isc.sans.edu.

The latter source also talks about another data leakage issue with Chrome. When it is guessing domain names it will request www.cn (China) when you are writing www.cnn.com. I expect this to go for Chromium as well and thus possibly for Iron.

The request for clients2.google.com is where the browser checks if any of your extensions need to be updated. You can choose not to use any extensions and it should go away, according to this thread (groups.google.com). I can’t find anything concrete about clients4.google.com but I would guess it fills a similar use case. Neither have I been able to find a way to turn this off. Maybe never installing extensions from the internet but always manually installing them from your hard drive would work, but I do not have the time to test this and we are not recommending Chrome anyway.

While researching the above I found a topic that mentions clients2.google.com all the way to clients9.google.com so we can assume they spread out their hits over several domains and servers. This same topic made the following comment (godlikeproductions.com):

> Latest version SRWare Iron 11.0.700.3 phoned home during launch

If this is true I would disqualify Iron too.

Thanks for all your input @ikurua22. I think it is safe to say Iron will not be accepted on the list for now.

@nylira, please close this issue.
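
Added example (not part of the thread, and not code from any project named in it): a Python check that scans a resolver log for the two kinds of background lookups discussed in the comment above, namely the burst of random single-label names and the clientsN.google.com hosts. The log format, the 7-15 letter length range and the burst window are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample resolver log: "<epoch seconds> <client IP> <queried name>".
SAMPLE_LOG = """\
1372240000.10 192.0.2.10 exskdbvyfw
1372240000.12 192.0.2.10 juxbzdzmzx
1372240000.15 192.0.2.10 wdvlhiylzo
1372240001.40 192.0.2.10 clients2.google.com
1372240001.90 192.0.2.10 clients4.google.com
1372240003.00 192.0.2.10 startpage.com
1372240050.00 192.0.2.11 fileserver
1372240060.00 192.0.2.11 www.cn
"""

# Assumption: probes are single-label names of 7-15 lowercase letters
# (the three names quoted in the thread are 10 letters each).
PROBE_RE = re.compile(r"^[a-z]{7,15}$")
CLIENTS_RE = re.compile(r"^clients(\d+)\.google\.com$")
BURST_WINDOW = 5.0   # seconds (assumed): the probes are sent together at startup
BURST_SIZE = 3       # three probe names appear in the thread's capture


def parse(log):
    """Yield (timestamp, client, normalized name) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, client, name = line.split()
            yield float(ts), client, name.rstrip(".").lower()


def classify(log):
    """Return {client: {"probe_burst": [...], "clients_hosts": [...]}}."""
    report = defaultdict(lambda: {"probe_burst": [], "clients_hosts": []})
    candidates = defaultdict(list)          # client -> [(ts, name)]
    for ts, client, name in parse(log):
        if CLIENTS_RE.match(name):
            report[client]["clients_hosts"].append(name)
        elif PROBE_RE.match(name):
            candidates[client].append((ts, name))
    for client, hits in candidates.items():
        hits.sort()
        # Flag only a tight burst of distinct names, so a single lookup of
        # an intranet host such as "fileserver" is not reported.
        for i in range(len(hits) - BURST_SIZE + 1):
            window = hits[i:i + BURST_SIZE]
            names = [n for _, n in window]
            span = window[-1][0] - window[0][0]
            if span <= BURST_WINDOW and len(set(names)) == BURST_SIZE:
                report[client]["probe_burst"] = names
                break
    return dict(report)
```

Calling `classify(SAMPLE_LOG)` reports the probe burst and both clientsN hosts for 192.0.2.10 and nothing for 192.0.2.11; the lone `www.cn` lookup is not matched by either pattern.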

@sjalq

sjalq commented Aug 31, 2013

Since Chromium is OpenSource, and currently quite a bit faster than the Fox, can't we just rip out the offensive bits and fork a NonNSA compliant Chromium?

@Zegnat
Collaborator

Zegnat commented Aug 31, 2013

@sjalq, of course. If you were to make a fork of the browser that makes no external requests and it is scrutinized by experts (which might take some time…) then there is no reason it wouldn’t be included.

But until we hear from experts about a WebKit based browser that protects your privacy PRISM-Break will stick with Firefox.

Some good ones have been brought to our attention already, such as Midori. But they were either said to be buggy on several systems or have bad Tor integration. Something old and well tested like Firefox just feels better when you want to recommend something secure.

@tebowy

tebowy commented Sep 3, 2013

Just to point out: there is Chromium code search, you can find aforementioned servers there.

@gothmog123

Can someone please go through the chromium code? I want to use it - it's much better than FF.

Things that are better: faster, better html5 videos, better webrtc implementation, uptodate flash, safer sandboxing, etc, etc, etc ....

@Zegnat
Collaborator

Zegnat commented Sep 15, 2013

@gothmog123 there are several projects out there that try to do this. SRWare Iron is one of them, but @ikurua22 found it didn’t do a very good job of it. (Also [1] and [2].)

Another one that has recently gained publicity is the Epic Privacy Browser. But I haven’t seen any tests of it yet and therefore cannot recommend it. I also cannot find its source code anywhere. Note that these browsers are prone to overstating things in their marketing. E.g. I have no idea what the URLTracker is, as far as I know Chrome does not ‘track’ URLs in any real way, and the ‘RLZ-Tracking Number’ does not even exist in Chromium.

Also, as far as the ‘uptodate flash’ is concerned, Flash is not included in Chromium. It is one of the things that Google adds to turn Chromium into Chrome. I have no idea if other Chromium builds (Iron, Epic, etc) include it or not.

Other things you can look for are WebKit based browsers. WebKit is what Chrome is originally based on. (Nowadays they have forked WebKit into Blink). So these browsers are able to reach the same speeds and renderings as you are used to. If you can live with the instabilities you might want to give Midori a try, although it is not officially endorsed by PRISM Break (cf. #88).

@gothmog123

@Zegnat it is possible to run pepper flash in chromium in archlinux for example, where it's packaged for it. Sorry I didn't make it clear. I only have up-to-date flash in chromium because I use Linux. Regular Linux flash plugin is not supported anymore by Adobe.

Seems like EPB has no Linux support though... shame.

Neither Midori nor any other browser has anywhere near the web technologies support that chromium does.

Anyway, you're right, it's not 'officially proven' that chromium spies on users, is it? Might as well use it.

There is also the chromium privacy promise

http://www.chromium.org/Home/chromium-privacy

hehe

@samwisekoi

Ah yes, the policy that states that if Chromium sends any data to Google, it is protected by Google's "privacy" policy. Which itself states that Google can do anything it wants with any data uploaded to its servers or services.

e.g.:

"We use the information we collect from all of our services to provide, maintain, protect and improve them, to develop new ones, and to protect Google and our users. We also use this information to offer you tailored content – like giving you more relevant search results and ads."

http://www.google.com/policies/privacy/

Safe as houses! (Glass houses.)

@gorhill
Contributor

gorhill commented Nov 13, 2013

I don't know if that makes any difference, but I wrote an extension which can block those "behind-the-scene" requests: https://github.com/gorhill/httpswitchboard

@Zegnat
Collaborator

Zegnat commented Nov 13, 2013

@gorhill, props for the nice looking extension. But is this able to block any of the requests the browser makes behind the scenes – rather than just those by websites? Does it see any of the clients*.google.com calls, or the random requests (e.g. exskdbvyfw and juxbzdzmzx)?

@gorhill
Contributor

gorhill commented Nov 13, 2013

It is able to block the behind-the-scene requests (hence the ability to turn off the feature, as I found out soon enough this was breaking chrome store from working properly).

Obviously the extension can't block anything before it is loaded and working, so yes, whatever is sent before the extension is active can't be blocked. Otherwise when the extension is active, I've seen these web requests being blocked:

  • https://www.google.ca/complete/search?client=ubuntu&q=w&cp=1&pgcl=9&sugkey=AIzaSyAQfxPJiounkhOjODEO5ZieffeBv6yft2Q
  • https://www.google.com/searchdomaincheck?format=url&type=chrome
  • http://suggestions/ (???... after entering the word "suggestions" in omnibox while using startpage.com as search engine)
  • [I remember an oauth2 request at some point, I suspect it was related to "signing in" to chromium, I will write down here when I see this again]
  • [I will add more here as I find new ones]

@gothmog123

So is chromium safe to use now with this extension? Experts?

@Zegnat
Collaborator

Zegnat commented Dec 17, 2013

@gothmog123, I don’t think it is safe, just safer than by default.

It can still only block things sent after Chrome loads the extension and only the things that go through extensions are block-able. If Chrome decides to make behind-the-scenes requests these could easily be routed around it. It is also not clear if the random DNS requests mentioned earlier in this issue are even seen by it.

@gorhill
Contributor

gorhill commented Jan 6, 2014

> after Chrome loads the extension

Just for the record, Chromium !== Chrome.

@keesbaake

Err... what about aviator browser?

@alerque
Member

alerque commented Aug 7, 2014

@hoodanity If you think a case can be made for recommending it, please open a new issue with the suggestion (and why you think it should be included) rather than tagging onto this old one about another browser. That will ensure it gets proper consideration and feedback.

@vyp
Collaborator

vyp commented Aug 7, 2014

@hoodanity #882

  • proprietary
  • only supports proprietary operating systems (windows, mac)

Zegnat mentioned this issue May 29, 2015

@mastercoms

#1311 Iridium browser.

Also, just as a note, Chromium downloads a binary blob unconditionally: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909. Just another obstacle to getting it on prism break.

@mastercoms

The binary blob no longer automatically downloads.

@cig0

cig0 commented Sep 9, 2015

Hi all,
PaleMoon should definitely be on the list; the project's lead as well as its community are tough defenders of privacy and surfing freedom -- they even decided to not include WebRTC because of the privacy issues and potential security issues involved.

@alerque
Member

alerque commented Sep 9, 2015

@msx This issue is for discussion of Sware Iron, not Palemoon. Please see issue #1385 and review the discussion to date and then comment there if you have something to add.

@gothmog123

Brave browser? It's chromium based.

@alerque
Member

alerque commented May 7, 2016

@gothmog123 Brave is a good potential candidate for PRISM-Break, but this issue is not the place for it. A new issue should be opened with that suggestion and some background on the project and why it's an appropriate recommendation. In the meantime this issue was about Sware Iron and should be left alone unless something changes in regard to that project.

@aznakh

aznakh commented May 29, 2016

Hello,

I am rather new to this. Are the default KDE browsers, konqueror and rekonq, safe for my privacy, and should they be added to prism-break?

Thanks

@filipecatraia

@aznakh Please see the comment exactly above yours. Don't discuss other browsers in this thread.

@awilfox

awilfox commented Jul 14, 2018

I'd like to note that no extension can block QUIC requests from Chromium, at least the last time I audited it. Since Google is migrating a lot of their privacy-busting requests to QUIC it's probably not ever going to be secure to use Chromium-based browsers.

If it helps: last I checked, RLZ tracking is present in binary builds of Chromium, but not enabled by default in source builds. This is why most forks probably won't have it.

@lukateras
Member

lukateras commented Jul 15, 2018

(This has been moved over to https://gitlab.com/prism-break/prism-break/issues/169).

@Hillside502

@alerque
Member

alerque commented Jul 17, 2018

@Hillside502 and @awilfox let's keep discussion on this at one place. The canonical location for issue discussion is now Gitlab. Can we please lock this issue?

@awilfox

awilfox commented Jul 20, 2018

I followed a link from the site to this issue, but I haven't said anything since the move was noted. I don't need to be @'d.

prism-break locked as off-topic and limited conversation to collaborators Aug 25, 2019