An EFF analysis looks at the problems with some of Google's new "Privacy Sandbox" proposals, a few of which it calls "downright dangerous": Perhaps the most fleshed-out proposal in the Sandbox is the conversion measurement API. This is trying to tackle a problem as old as online ads: how can you know whether the people clicking on an ad ultimately buy the product it advertised....? Google's ID field can contain 64 bits of information -- a number between 1 and 18 quintillion. This will allow advertisers to attach a unique ID to each and every ad impression they serve, and, potentially, to connect ad conversions with individual users. If a user interacts with multiple ads from the same advertiser around the web, these IDs can help the advertiser build a profile of the user's browsing habits.

Even worse is Google's proposal for Federated Learning of Cohorts (or "FLoC").... FLoC would use Chrome users' browsing history to do clustering. At a high level, it will study browsing patterns and generate groups of similar users, then assign each user to a group (called a "flock"). At the end of the process, each browser will receive a "flock name" which identifies it as a certain kind of web user. In Google's proposal, users would then share their flock name, as an HTTP header, with everyone they interact with on the web. This is, in a word, bad for privacy. A flock name would essentially be a behavioral credit score: a tattoo on your digital forehead that gives a succinct summary of who you are, what you like, where you go, what you buy, and with whom you associate...

If the Privacy Sandbox won't actually help users, why is Google proposing all these changes? Google can probably see which way the wind is blowing. Safari's Intelligent Tracking Prevention and Firefox's Enhanced Tracking Protection have severely curtailed third-party trackers' access to data. Meanwhile, users and lawmakers continue to demand stronger privacy protections from Big Tech. While Chrome still dominates the browser market, Google might suspect that the days of unlimited access to third-party cookies are numbered. As a result, Google has apparently decided to defend its business model on two fronts. First, it's continuing to argue that third-party cookies are actually fine, and companies like Apple and Mozilla who would restrict trackers' access to user data will end up harming user privacy. This argument is absurd. But unfortunately, as long as Chrome remains the most popular browser in the world, Google will be able to single-handedly dictate whether cookies remain a viable option for tracking most users.

At the same time, Google seems to be hedging its bets. The "Privacy Sandbox" proposals for conversion measurement, FLoC, and PIGIN are each aimed at replacing one of the existing ways that third-party cookies are used for targeted ads. Google is brainstorming ways to continue serving targeted ads in a post-third-party-cookie world. If cookies go the way of the pop-up ad, Google's targeting business will continue as usual.

The Sandbox isn't about your privacy. It's about Google's bottom line. At the end of the day, Google is an advertising company that happens to make a browser.

Apple, Google, and Mozilla have moved in to ban a root certificate the Kazakhstan government used in the past month to spy on its citizens' web traffic. From a report: Starting today, Chrome, Firefox, and Safari will show errors if any HTTPS web traffic is encrypted with the Kazakh government's root or leaf certificates. This coordinated action will ensure the safety of Kazakh users who were forced last month by their local Kazakh ISPs to install this certificate under the threat of not being allowed to use the internet otherwise. Kazakh ISPs forced their customers to install the government's root certificate after the Kazakh government issued a decree and said the measure was "aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats." But in reality, the Kazakh government abused this root certificate installed in millions of users browsers to intercept and decrypt HTTPS traffic users were making to 37 domains, such as such Facebook, Google, Twitter, Instagram, and YouTube.

AmiMoJo writes: WebKit, the open source HTML engine used by Apple's Safari browser and a number of others, has created a new policy on tracking prevention. The short version is that many forms of tracking will now be treated the same way as security flaws, being blocked or mitigated with no exceptions. While on-site tracking will still be allowed (and is practically impossible to prevent anyway), all forms of cross-site tracking and covert tracking will be actively and aggressively blocked.

"Upcoming changes in Google Chrome and Mozilla Firefox may finally spark the end for Extended Validation certificates as the browsers plan to do away with showing a company's name in the address bar," reports Bleeping Computer. When connecting to a secure web site, an installed SSL/TLS certificate will encrypt the communication between the browser and web server. These certificates come in a few different flavors, with some claiming to offer a more thorough verification process or extra perks. One certificate, called EV Certificates, are known for having a browser display the owner of the certificate directly in the browser's address bar. This allegedly makes the site feel more trustworthy to a visitor.

In reality, the different types of SSL/TLS certificates all serve a single purpose and that is to encrypt the communication between a browser and web site. Anything extra is seen by many as just a marketing gimmick to charge customers for a more expensive "trustworthy" certificate. In numerous blog posts, security researcher Troy Hunt has stated that EV Certificates will soon be dead as more and more sites switch away from them, because they are much harder to manage due to extra verification times, and because people have become to associate a padlock with a secure site rather than a company name.

With Safari already removing EV Certificate company info from the address bar, most mobile browsers not showing it, and Chrome and Mozilla desktop browsers soon to remove it, Hunt's predictions are coming true. EV Certificates will soon be dead.
AmiMoJo shared this post from Google's Chromium blog: Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection. Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.

A federal appeals court on Tuesday struck down Google's class-action settlement meant to resolve claims it invaded the privacy of millions of computer users by installing "cookies" in their browsers, but paying those users nothing for their troubles. Reuters reports: In a 3-0 decision, the 3rd U.S. Circuit Court of Appeals in Philadelphia said it could not tell whether the $5.5 million settlement was fair, reasonable and adequate, and said a lower court judge should revisit the case. Google, a unit of Alphabet Inc, had been accused of exploiting loopholes in Apple's Safari and Microsoft's Internet Explorer browsers to help advertisers bypass cookie blockers. The settlement approved in February 2017 by U.S. District Judge Sue Robinson in Delaware called for Google to stop using cookies for Safari browsers, and pay the $5.5 million mainly to the plaintiffs' lawyers and six groups, including some with prior Google ties, to research and promote browser privacy. But in Tuesday's decision, Circuit Judge Thomas Ambro said the settlement raised a "red flag" and possible due process concerns because it broadly released money damages claims.

"Google has finally chopped the 'www' from Chrome's address bar after delaying the controversial move due to a backlash," reports TechRepublic: The move to remove 'www' was initially planned for last year, when Google announced it would cut "trivial subdomains" from the address bar in Chrome 69. Now Google has begun truncating the visible URL in Chrome for desktop and Android, rolling out the change in version 76 of the browser, released this week. By default sites in Chrome now no longer display the "https" scheme or the "www" subdomain, with the visible address starting after this point. To view the full URL, users now have to click the address bar twice on desktop and once on mobile. Google has argued the move is driven by a desire for greater simplicity and usability of Chrome...

However the announcement provoked a fresh wave of criticism, from those who say the move will confuse users and even potentially make it easier for them to inadvertently connect to fake sites... There are also some who claim Google's motivation in changing how the URL is displayed may be to make it harder for users to tell whether they are on a page hosted on Google's Accelerated Mobile Pages subdomain...

Google says it has also built a Chrome extension that doesn't obfuscate the URL to "help power users recognize suspicious sites and report them to Safe Browsing". Despite the backlash from some online, Chrome isn't the first browser to truncate the URL in this way, with Apple's Safari similarly hiding the full address.

Slashdot's gotten over 17,000 votes in its poll about which web browser people use on their desktop. (The current leader? Firefox, with 53% of the vote, followed by Chrome with 30%.)

But Slashdot reader koavf asks an interesting follow-up question: "What's everyone's go-to Plan B browser and why?"

To start the conversation, here's how James Gelinas (a contributor at Kim Komando's tech advice site) recently reviewed the major browsers:

• He calls Chrome "a safe, speedy browser that's compatible with nearly every page on the internet" but also says that Chrome "is notorious as a resource hog, and it can drastically slow your computer down if you have too many tabs open."
  
  "Additionally, the perks of having your Google Account connected to your browser can quickly turn into downsides for the privacy-minded among is. If you're uncomfortable with your browser knowing your searching and spending behaviors, Chrome may not be the best choice for you."

• He calls Firefox "the choice for safety".
  
  "Predating Chrome by 6 years, Firefox was the top choice for savvy Netizens in the early Aughts. Although Chrome has captured a large segment of its user base, that doesn't mean the Fox is bad. In fact, Mozilla is greatly appreciated by fans and analysts for its steadfast dedication to user privacy... Speedwise, Firefox isn't a slouch either. The browser is lighter weight than Chrome and is capable of loading some websites even faster."

• He calls Apple's Safari and Microsoft Edge "the default choice...because both of these browsers come bundled with new computers."
  
  "Neither one has glaring drawbacks, but they tend to lack some of the security features and extensions found in more popular browsers. Speedwise, however, both Edge and Safari are able to gain the upper hand against their competition. When it comes to startup time and functions, the apps are extremely lightweight on your system's resources. This is because they're part of the Mac and Window's operating systems, respectively, and are optimized for performance in that environment."

Finally, he gives the Tor browser an honorable mention. ("It's still one of the best anonymous web browsers available. It's so reliable, in fact, that people living under repressive governments often turn to it for their internet needs -- installing it on covert USB sticks to use on public computers.") And he awards a "dishonorable mention" to Internet Explorer. ("Not only is the browser no longer supported by Microsoft, but it's also vulnerable to a host of malware and adware threats.")

But what do Slashdot's readers think? Putting aside your primary desktop browser -- what's your own go-to "Plan B" web browser, and why? Leave your best answers in the comments.

What's your "backup" browser?

Mozilla is adding a random password generator to Firefox. From a report: The Firefox random password generator is expected to become publicly available for all Firefox users with the release of Firefox 69, scheduled for release in early September, roughly a year after Chrome 69. Currently, the random password generator is only available in Firefox Nightly, a Firefox version for testing new features before they land in the stable branch. When Firefox 69 will be released, the random password generator is expected to be available as a checkbox in the Firefox settings section, under "Privacy & Security," under "Logins and Passwords."

Google today launched a new Chrome extension that will simplify the process of reporting a malicious site to the Google Safe Browsing team so that it can be analyzed, reviewed, and blacklisted in Chrome and other browsers that support the Safe Browsing API. From a report: Named the Suspicious Site Reporter, this extension adds an icon to the Google Chrome toolbar that when pressed, opens a popup window from where users can file an automatic report for the current site they're on, and which they suspect might be up to no good. "If the site is added to Safe Browsing's lists, you'll not only protect Chrome users but users of other browsers and across the entire web," said Emily Schechter, Chrome Product Manager. The Safe Browsing API is implemented not only in the mobile and desktop versions of Chrome but also in the mobile and desktop versions of Mozilla Firefox and Apple's Safari.

Hotstar, India's largest video streaming service with more than 300 million users, disabled support for Apple's Safari web browser last week to mitigate a security flaw that allowed unauthorized usage of its platform, TechCrunch reports, citing sources. From the report: As users began to complain about not being able to use Hotstar on Safari, the company's official support account asserted that "technical limitations" on Apple's part were the bottleneck. "These limitations have been from Safari; there is very little we can do on this," the account tweeted Friday evening. Sources at Hotstar told TechCrunch that this was not an accurate description of the event. Instead, company's engineers had identified a security hole that was being exploited by unauthorized users to access and distribute Hotstar's content -- including the premium catalog. Hotstar, which assumes the global record for most concurrent views on a live event, is operated by Star India, a media conglomerate in India that was part of 20th Century Fox that Disney acquired earlier this year.

An anonymous reader quotes a report from Ars Technica: iOS 13 will introduce Dark Mode to iPhones, iPads, and iPods for the first time. Apple brought Dark Mode to Macs via macOS Mojave last year, to much fanfare. As was the case there, Dark Mode doesn't actually change anything about the interface -- just the aesthetics. Apple showed Dark Mode running on the company's first-party apps for news, calendar, messages, and more. Dark Mode may also save battery life on devices with emissive OLED displays -- savings like that were discovered in our own tests comparing Android devices with LCD and OLED displays. But we'll have to test the new OS to be sure.

Every iOS update brings changes to key apps made by Apple itself, and most of the apps included with a new installation of iOS have seen some changes. Mail now allows you to mute certain conversations. Maps has a new, easier way of accessing saved locations. The upgrade to Apple Maps will bring far more detail to the overhead view of roads and landmarks, with this rolling out to the entire United States by the end of 2019 and "select countries" next year. Reminders has seen a ground-up interface overhaul, with natural-language processing similar to what's seen in third-party apps -- you'll be able to type the relevant details and Reminders will understand when and where the reminder should be set for. Apple is also adding a swipe-typing ability to its iOS keyboard for the first time, replicating something that has been available in third-party keyboards for years. Notes will have a new gallery view and support for shared folders. Safari will have new options to change text sizing, with per-website settings. The iPad's multitasking UI has also been overhauled, bringing a new window-based experience and an easier way to switch between apps in Slide Over mode. You'll also be able to plug thumb drives into newer iPads with USB-C.

Onstage at WWDC, Apple announced that iPad's software will now exist inside its own vertical OS. The new iPadOS doesn't look dramatically different from iOS 12, but the name change undoubtedly makes it easier for Apple to introduce functionality to iPads that won't exist in any capacity on the iPhone. Here's is the list of features it offers: 1. Chances are the best update is that desktop sites are now the default in Safari, hallelujah!!
2. You'll be able to bring widgets to the home screen that are just a swipe away. You'll also be able to fit more app icons on each screen.
3. Changes in iPadOS include an update to the Files app which will allow you share folders in iCloud drive, there's a new column view and you'll be able to grab files from USB-C flash drives.
4. You'll be able to bring up multiple windows of the same app, which wasn't previously possible and there are a lot of small interface changes that make it easier to multi-task with your larger screen real estate.
5. Apple Pencil latency is dropping from 20ms to 9ms, Apple is bringing a PencilKit developer API so that third-party app developers can integrate some new controls.

An anonymous reader quotes a report from Thurrott: Microsoft started testing a new Microsoft Edge browser based on Chromium a little while ago. The company has been releasing new canary and dev builds for the browser over the last few weeks, and the preview is actually really great. But if you watch YouTube quite a lot, you will face a new problem on the new Edge. It turns out, Google has randomly disabled the modern YouTube experience for users of the new Microsoft Edge. Users are now redirected to the old YouTube experience, which lacks the modern design as well as the dark theme for YouTube, as first spotted by Gustave Monce. And when you try to manually access the new YouTube from youtube.com/new, YouTube simply asks users to download Google Chrome, stating that the Edge browser isn't supported. Ironically, the same page states "We support the latest versions of Chrome, Firefox, Opera, Safari, and Edge." The change affects the latest versions of Microsoft Edge Canary and Dev channels. It is worth noting that the classic Microsoft Edge based on EdgeHTML continues to work fine with the modern YouTube experience.

Few home-grown Google products have been as successful as Chrome. Launched in 2008, it has more than 63% of the market and about 70% on desktop computers, according to StatCounter data. Mozilla's Firefox is far behind, while Apple's Safari is the default browser for iPhones. Microsoft's Internet Explorer and Edge browsers are punchlines. From a report: Google won by offering consumers a fast, customizable browser for free, while embracing open web standards. Now that Chrome is the clear leader, it controls how the standards are set. That's sparking concern Google is using the browser and its Chromium open-source underpinnings to elbow out online competitors and tilt entire industries in its favor. Most major browsers are now built on the Chromium software code base that Google maintains. Opera, an indie browser that's been used by techies for years, swapped its code base for Chromium in 2013. Even Microsoft is making the switch this year. That creates a snowball effect, where fewer web developers build for niche browsers, leading those browsers to switch over to Chromium to avoid getting left behind.

This leaves Chrome's competitors relying on Google employees who do most of the work to keep Chromium software code up to date. Chromium is open source, so anyone can suggest changes to it, but the majority of programmers who approve contributions are Google employees, and any major disagreements get settled by a small circle of senior Google employees. Chrome is so ascendant these days that web developers often don't bother to test their sites on competing browsers. Google services including YouTube, Docs and Gmail sometimes don't work as well on rival browsers, sending frustrated users to Chrome. Instead of just another ship slicing through the sea of the web, Chrome is becoming the ocean.

An anonymous reader writes: For more than a year, mobile browsers like Google Chrome, Firefox, and Safari failed to show any phishing warnings to users, according to a research paper published this week. "We identified a gaping hole in the protection of top mobile web browsers," the research team said. "Shockingly, mobile Chrome, Safari, and Firefox failed to show any blacklist warnings between mid-2017 and late 2018 despite the presence of security settings that implied blacklist protection." The issue only impacted mobile browsers that sued the Google Safe Browsing link blacklisting technology. The research team -- consisting of academics from Arizona State University and PayPal staff -- notified Google of the problem, and the issue was fixed in late 2018. "Following our disclosure, we learned that the inconsistency in mobile GSB blacklisting was due to the transition to a new mobile API designed to optimize data usage, which ultimately did not function as intended," researchers said.

Google is set to launch new tools to limit the use of tracking cookies, a move that could strengthen the search giant's advertising dominance and deal a blow to other digital-marketing companies, WSJ reported Monday, citing people familiar with the matter. [Editor's note: the link may be paywalled; alternative source.] From the report: After years of internal debate, Google could as soon as this week roll out a dashboard-like function in its Chrome browser that will give internet users more information about what cookies are tracking them and offer options to fend them off, the people said. This is a more incremental approach than less-popular browsers, such as Apple's Safari and Mozilla's Firefox, which introduced updates to restrict by default the majority of tracking cookies in 2017 and 2018, respectively. Google's move, which could be announced at its developer conference in Mountain View, Calif., starting Tuesday, is expected to be touted as part of the company's commitment to privacy -- a complicated sell, given the torrent of data it continues to store on users -- and press its sizable advantage over online-advertising rivals.

tedlistens writes: One of the most common techniques people think can help hide their activity is the use of an "incognito" mode in a browser," writes Michael Grothaus at Fast Company. But "despite what most people assume, incognito modes are primarily built to block traces of your online activity being left on your computer -- not the web. Just because you are using incognito mode, that doesn't mean your ISP and sites like Google, Facebook, and Amazon can't track your activity."

However, there's still a way to brew your own, safer "incognito mode." It's called browser compartmentalization. Grothaus writes: "The technique sees users using two or even three browsers on the same computer. However, instead of switching between browsers at random, users of browser compartmentalization dedicate one browser to one type of internet activity, and another browser to another type of internet activity.
Specifically, the article recommends one browser for sites you need to log into, and another for random web surfing and any web searches. "By splitting up your web activity between two browsers, you'll obtain the utmost privacy and anonymity possible without sacrificing convenience or the ease of use of the websites you need to log in to." It recommends choosing a privacy-focused browser like Brave, Firefox, Apple's Safari, or Microsoft's Edge. "As for Chrome: It's made by Google, whose sole aim is to know everything you do online, so it's probably best to stay away from Chrome if you value your privacy."

The article is part of a series titled "The Privacy Divide," which explores "misconceptions, disparities, and paradoxes that have developed around our privacy and its broader impacts on society."

9to5Mac has learned of several new features expected to be included in iOS 13. From the report: Dark Mode: There will be a system-wide Dark Mode that can be enabled in Settings, including a high contrast version, similar to what's already available on macOS. Speaking of macOS, iPad apps that run on the Mac using Marzipan will finally take advantage of the Dark Mode support on both systems.
Multitasking: There are many changes coming to iPad with iOS 13, including the ability for apps to have multiple windows. Each window will also be able to contain sheets that are initially attached to a portion of the screen, but can be detached with a drag gesture, becoming a card that can be moved around freely, similar to what an open-source project called "PanelKit" could do. These cards can also be stacked on top of each other, and use a depth effect to indicate which cards are on top and which are on the bottom. Cards can be flung away to dismiss them.
Undo gesture: With iOS 13, Apple is introducing a new standard undo gesture for text input on the iPad. The gesture starts as a three-finger tap on the keyboard area, sliding left and right allows the user to undo and redo actions interactively.
Safari improvements: Safari on iOS 13 for the iPad will automatically ask for a desktop version of websites when necessary, preventing a common issue where websites will render their iPhone version even when running on an iPad with a big screen. YouTube is notorious for this behavior, forcing users to rely on a 'Request Desktop Site' button.
Font management: Font management is getting a major upgrade on iOS 13. It will not be necessary to install a profile to get new fonts into the system anymore. Instead there will be a new font management panel in Settings. A new standard font picker component will be available for developers and the system will notify the user when they open a document that has missing fonts.
Smarter Mail: The upgraded Mail app will be able to organize messages into categories such as marketing, purchases, travel, "not important" and more, with the categories being searchable. Users will also be able to add messages to a "read later" queue similar to third-party email apps. Improved multiple item selection: The focus on productivity on iOS continues with the inclusion of new gestures to allow for the selection of multiple items in table views and collection views, which make up for most of the user interfaces found in apps that list large amounts of data. Users will be able to drag with multiple fingers on a list or collection of items to draw a selection, similar to clicking and dragging in Finder on the Mac.
New Volume HUD and other changes: Other features to come with iOS 13 include a redesigned Reminders app, which is also coming to the Mac, a new volume HUD, better "Hey Siri" rejection for common mistaken noises such as laughter and crying babies, better multilingual support for keyboards and dictation, and expanded in-app printing controls. Apple is expected to officially unveil the next major iPhone and iPad OS at its annual Worldwide Developers Conference on June 3rd.

It's a browser feature few users will have heard of, but forthcoming versions of Chrome, Safari and Opera are in the process of removing the ability to disable a long-ignored tracking feature called hyperlink auditing pings. From a report: This is a long-established HTML feature that's set as an attribute -- the ping variable -- which turns a link into a URL that can be tracked by website owners or advertisers to monitor what users are clicking on. When a user follows a link set up to work like this, an HTTP POST ping is sent to a second URL which records this interaction without revealing to the user that this has happened. It's only one of several ways users can be tracked, of course, but it's long bothered privacy experts, which is why third-party adblockers often include it on their block list by default.

Until now, an even simpler way to block these pings has been through the browser itself, which in the case of Chrome, Safari and Opera is done by setting a flag (in Chrome you type chrome://flags and set hyperlink auditing to 'disabled'). Notice, however, that these browsers still allow hyperlink auditing by default, which means users would need to know about this setting to change that. It seems that very few do.

x_t0ken_407 quotes BleepingComputer: A HTML standard called hyperlink auditing that allows sites to track link clicks is enabled by default on Safari, Chrome, Opera, and Microsoft Edge, but will soon have no way to disable it. As it is considered a privacy risk, browsers previously allowed you to disable this feature. Now they are going in the opposite direction.

Hyperlink auditing is an HTML standard that allows the creation of special links that ping back to a specified URL when they are clicked on. These pings are done in the form of a POST request to the specified web page that can then examine the request headers to see what page the link was clicked on.
The article concludes that "Firefox and Brave win the award" for people who want this click-tracking capability disabled -- since "only Brave and Firefox currently disable it by default, and do not appear to have any plans on enabling it in the future."