Web Browser


Nigel

Does that also happen in incognito mode? It doesn't happen for me. I'd blame your ISP before Google for that, but my suspicion is that it's because you are outside the UK (and the BBC devs are still favouring Apple users).

Maybe, but it doesn’t happen on Safari (which tbh is only “OK”).

I’m not sure how to turn on incognito mode. I can’t see any settings for it, and I’ve now stopped using chrome again, anyway.

So you've stopped using Chrome because it is rendering pages properly and Safari isn't? Blimey. You keep robbing the BBC of its revenue then :)

Does that also happen in incognito mode? It doesn't happen for me. I'd blame your ISP before Google for that, but my suspicion is that it's because you are outside the UK (and the BBC devs are still favouring Apple users).

Maybe, but it doesn’t happen on Safari (which tbh is only “OK”).

I’m not sure how to turn on incognito mode. I can’t see any settings for it, and I’ve now stopped using chrome again, anyway.

 

Get Ad Blocker Pro for Chrome. That way you won't see any adverts. Anywhere. On any site.

 

(obviously stick VT on your "White" list though. Or donate)

In fairness to Blandy, it might be an inaccurate suggestion but I don't think he was being insincere in knowingly suggesting something he knew to be false.

Yeah disingenuous was too strong so apologies to Blandy for that.

 

The problem is that this is how misconceptions get started. Before you know it it's become accepted common fact.

Firefox outperforms Chrome for the first time in years. It's a fairly graph(ic)-intensive article so it's probably worth clicking the link to read the original.

Chrome 27, Firefox 22, IE10, And Opera Next, Benchmarked

Well, folks, this brings us to the end of another installment of the Web Browser Grand Prix. We're about to tally up our eight categories of testing. But first, let's have a look at the performance and non-performance breakdown.

Performance Index

The data in the chart below is a geometric mean of all four performance-based categories: Wait Times, JavaScript/DOM, HTML5/CSS3, and Hardware Acceleration.

Firefox 22 pulls off an upset, replacing the long-time performance champion Google Chrome as the new speed king! Google doesn't lose by very much though. In fact, if we moved the decimal point and rounded, this would show up as a tie. Meanwhile, moving on to the next win-eligible browser, IE10 is far behind in third place, with less than half the performance score of Firefox 22 or Chrome 27. Opera 12 is in last place, lagging slightly behind IE10.

Opera Next technically lands the number-three spot with a score right below Chrome. Our performance index shows the browser to be nearly three times faster than its current version! In fact, the upcoming Chromium-based Norwegian Web browser only shows weakness in HTML5 and its native HWA.

Non-Performance Index

The data in the chart below is achieved through the geometric mean of all four non-performance categories: Memory Efficiency, Reliability, Security, and Standards Conformance.

Firefox manages to conquer this category thanks to a stellar finish in proper page loads as well as strong scores in all three remaining non-performance categories. Chrome 27 finds itself in a comparatively distant second place. Its terrible page load reliability, combined with tighter scoring in the other metrics, sink Google's chances. IE10 is around 15% behind Chrome in third, with Opera 12 landing in last place with a score of less than half that of Firefox 22.

With Opera Next in the mix, the placing order would change a bit. The upcoming version nearly doubles the non-performance score of the browser's current version, and even manages to top Chrome 27 by a slim margin. Yet another substantial gain for the Norwegian Web browser.

WBGP XVI Champion

Now we combine equal parts performance and non-performance metrics, stir, and taste...

With no apparent weaknesses and generally strong finishes all-around, combined with near-native start times, greatly-improved hardware acceleration scores, and almost-perfect reliability, the latest version of Firefox soundly wins this installment of the Web Browser Grand Prix.

While Chrome 27 is the leader in most categories, Firefox 22 is right on its heels in second place. So, with close second-place finishes in nearly all categories that Chrome wins, Mozilla really needed to exploit any weakness in Chrome. And it does just that. Chrome's extreme fall from grace in start-up time really hurt. With Firefox attaining top marks in that category, an extreme divide is created where we'd normally expect both browsers to pace each other. The same type of brutality is used against Chrome in reliability testing, where Firefox 22 almost pulls off a perfect score, while Chrome 27 has issues with more than 25% of the workload.

Although this is not the first time that Firefox has edged out Chrome, this is the most punishing margin of victory. It's as if Mozilla knew just where to strike. Now, the onus is on Google to either completely outpace Firefox in performance (as it once did), or focus on addressing Chrome's own weaknesses. Either way, Mozilla buys Firefox some time at the top.

Moving on to our third- and fourth-place finishers. At this point, IE10 is showing its age, unable to compete with either of the two rapid-release browsers. Opera 12, well...Opera started slipping in the ranking with version 11, and Opera 12 was a big enough disappointment for the Norwegian software house to switch to Chromium. Speaking of...

If You Can't Beat 'Em, Join 'Em

Opera Next technically places second, just a hair above Chrome 27, but still a ways away from Firefox 22. However, and we really can't stress these two points enough: 1) Opera Next is using a newer version of Chromium than Chrome, and 2) Opera Next is not yet feature-complete. So, tack on a ton of features, as we've seen Opera do in the past, and the overhead increases. Or even simpler, when Opera Next goes stable, Chrome will have "caught-up" to the same version of Chromium, meaning the spread could narrow, or even reverse. But right now, Chrome and Opera Next are showing practically-equal scores, however, they both display strengths and weaknesses in different categories, so we're not ready to give Opera the big heave-ho quite yet. While we don't plan on checking in with Opera Next again until it goes stable, we'll definitely be testing the final product.

That was the article I read before changing to Firefox.

 

Must say after using it for a good few weeks it does seem faster, especially when I have a lot of screens open.

So you've stopped using Chrome because it is rendering pages properly and Safari isn't? Blimey. You keep robbing the BBC of its revenue then :)

No, I’ve stopped using chrome because I don’t like google. There’s an adblocker on safari, which works better. The one on google seemed not to, (in)conveniently displaying google’s ads. I thought you said the bbc internet people favoured apple in some way? If that’s true, then the bbc pages which are shown in safari would be how they tested it. And using safari for the bbc internet seems like a good idea. It’s not my favourite browser, that was Camino, but they stopped developing it and said “go use chrome or firefox or some other one” to be safe.

 

Firefox is the next one I’ll try.

So Safari doesn't display the ad because it's got an adblocker. Chrome gives you a choice of adblockers. You posted claiming that Google was injecting their advert. That isn't true.

 

If you don't like Google, that's fine, but this isn't something to beat Google with. The BBC inserted that ad, not Google. Apple chose to manipulate the page the BBC sent, not Google.

  • Like 2

Firefox in either Mac OS X Snow Leopard or Firefox in Ubuntu 12.10, with Ghostery installed and no caching whatsoever. Ghostery is one of the best pieces of web software I've ever come across. It's free, it makes your internets faster and can be installed on Opera, IE and Chrome.

 

IE is the worst piece of Netscape-plagiarised crap I've seen. Microsoft are as bad at fixing bugs promptly as Apple are admitting they're there.

So Safari doesn't display the ad because it's got an adblocker. Chrome gives you a choice of adblockers. You posted claiming that Google was injecting their advert. That isn't true.

 

If you don't like Google, that's fine, but this isn't something to beat Google with. The BBC inserted that ad, not Google. Apple chose to manipulate the page the BBC sent, not Google.

What I said was that I only recently put chrome back on, because people said it was better. (for me) It’s not. Somehow google's browser was displaying ads, and safari (which isn't ideal) wasn't. If it's because safari's ad blocker stopped it, then I'm glad. If I could do the same via chrome, then that's good too. I thought I had ad blocker enabled on it. It doesn't matter now anyway, because I've removed chrome (again) from my mac. I'll try firefox for a while.

 

Different people prefer different browsers. I’m not an expert. I don’t care, other than trying to find a replacement for Camino which was my favourite and familiar browser, but isn't being developed any more.

 

It's also interesting to see people leap to the defence of Google (or Apple or Windows or whatever) like you've offended their honour. I guess that's the world we live in.

 

Apple = big bad tech company

Google= big bad tech company

Facebook = big bad tech company

 

and so on

 

They all make products or services that (some) people like, but none of 'em are much worth defending, IMO. 

I'm not defending Google per se. I couldn't do that unless you explained why you don't like them and this isn't the thread for that. I'm letting you know that your hypothesis for why the BBC page views you attached were different is erroneous.

Having lots of competition in the browser market is good. Except for IE obviously.

So Opera 15 is out for Windows (and Mac?) and for now, it's basically Chrome minus Google (but also minus Opera's UI and a few often useful rendering features). That the Linux version is delayed is a blessing in disguise.

The old Opera is ridiculously feature rich, I can't understand why they think existing Opera users will downgrade to this turd.

 

I mean, surely if people want Chrome without Google, the answer is Chromium...

Edited by Davkaus

Apparently, most of the old UI features will return (and the rendering features are being added by Opera to Webkit, so Safari and Chrome will also get them). But that process is going to take months/years...

Opera's social media staff are on G+ saying "many of the missing features can be re-added via extensions". The point of Opera is that you got features in stock (and thus well-integrated) that were, at best, only available via extensions in the other browsers.

Edited by leviramsey

  • 4 weeks later...

Netcraft confirms: Use Opera for maximal protection from NSA snooping

Millions of websites and billions of people rely on SSL to protect the transmission of sensitive information such as passwords, credit card details, and personal information with the expectation that encryption guarantees privacy. However, recently leaked documents appear to reveal that the NSA, the United States National Security Agency, logs very high volumes of internet traffic and retains captured encrypted communication for later cryptanalysis. The United States is far from the only government wishing to monitor encrypted internet traffic: Saudi Arabia has asked for help decrypting SSL traffic, China has been accused of performing a MITM attack against SSL-only GitHub, and Iran has been reported to be engaged in deep packet inspection and more, to name but a few.

The reason that governments might consider going to great lengths to log and store high volumes of encrypted traffic is that if the SSL private key to the encrypted traffic later becomes available — perhaps through court order, social engineering, successful attack against the website, or through cryptanalysis — all of the affected site’s historical traffic may then be decrypted at once. This really would open Pandora’s Box, as on a busy site a single key would decrypt all of the past encrypted traffic for millions of people.

There is a defence against this, known as perfect forward secrecy (PFS). When PFS is used, the compromise of an SSL site's private key does not necessarily reveal the secrets of past private communication; connections to SSL sites which use PFS have a per-session key which is not revealed if the long-term private key is compromised. The security of PFS depends on both parties discarding the shared secret after the transaction is complete (or after a reasonable period to allow for session resumption).

Eavesdroppers wishing to decrypt past communication which has used PFS face a daunting task: each previous session needs to be attacked independently. Even knowing the long-term private key does not help as the session key is not available by simple decryption. Conversely, when SSL connections do not use PFS, the secret key used to encrypt the rest of the session is generated by the SSL site and sent encrypted with the long-term private-public key pair. If this long-term private key is ever compromised all previous encrypted sessions are easily decrypted.

Perfect forward secrecy was invented in 1992, pre-dating the SSL protocol by two years, and consequently one might reasonably have expected that SSL would have made operational use of PFS from the outset. Nevertheless, almost twenty years later, PFS usage is not used by the majority of SSL sites.

The use of PFS is dependent on the negotiation between the browser and the web site successfully agreeing on a PFS cipher suite. One might reasonably expect browsers to do all they can to support PFS cipher suites as PFS confers an advantage in privacy for the browser’s user community, and any PFS performance disadvantages may only be a serious issue at the larger scales found on the server-side. On the other hand, there are only a small number of browsers in widespread use, and if a government wished to maximise its influence in restricting the use of PFS in order to facilitate decryption of recorded encrypted transactions it would start with the web browsers.

Browser support for PFS

Netcraft has tested the cipher suite selection of five major browsers — Internet Explorer, Google Chrome, Firefox, Safari and Opera — against 2.4 Million SSL sites from Netcraft's June SSL Survey. The support for PFS varied significantly between browsers: only a tiny fraction of Internet Explorer's SSL connections operated with PFS; whereas Google Chrome, Opera and Firefox were protected for approximately one third of connections. Safari fared only a little better than Internet Explorer.

Internet Explorer does particularly poorly as it does not support any cipher suite that uses both RSA public keys and non-elliptic-curve DH key exchange, which includes the most popular PFS cipher suite. The PFS cipher suites that IE does support have a lower priority than some of the most commonly supported non-PFS cipher suites. Curiously, IE does support DHE-DSS-AES256-SHA, which uses the rarer DSS authentication method, but not the very popular DHE-RSA-AES256-SHA.

Safari supports many PFS cipher suites but non-elliptic-curve cipher suites are used only as a last resort. As several non-PFS ciphers have a higher priority, web servers respecting the browser's preferences will end up selecting a non-PFS cipher suite even if the web server itself does support some (non elliptic-curve) PFS cipher suites.

Chrome, Firefox, and Opera all do better, preferring PFS cipher suites ahead of non-PFS at any given strength level — for example Opera's preference list starts: DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, AES256-SHA, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA, AES128-SHA. Netcraft did not include any cipher suites only present in TLS 1.2 which includes many of Opera's PFS cipher suites, so the results for Opera form a lower bound on the number of SSL sites using PFS with Opera.

None of the browsers change their user interface perceptibly to reflect the presence of PFS akin to the way EV certificates are treated to a green address bar. Google Chrome and Opera show the cipher suite used (in popups or dialog boxes), but they rely on a user understanding the implications of wording such as "[..] ECDHE_RSA as the key exchange mechanism".

Web server support for PFS

Despite a browser's best efforts to prefer PFS cipher suites, the key exchange method used is selected by the server and it may either not support any PFS cipher suites or it may prefer to use an alternative cipher suite (and perhaps reasonably so for performance reasons). The use of the Diffie-Hellman key exchange does impose a performance penalty as there is additional computation required to derive the secret key.

Using any browser's cipher suite preference order, at least two-thirds of the SSL connections made in the Netcraft SSL survey did not use a cipher suite with PFS at all.

nginx, an open-source web server originally written by Russian Igor Sysoev, uses strong cipher suites by default, which has caused some to comment on nginx's SSL performance. With the exception of Internet Explorer and Safari, more than 70% of SSL sites using the web server selected a PFS cipher suite when visited with a modern browser.

The usage of PFS amongst SSL sites using Apache is also fair, around two-thirds of the SSL sites it serves use a PFS cipher suite when visited in Firefox, Chrome, or Opera. Conversely, Microsoft's support for PFS cipher suites is notably lacking; both Microsoft IIS and Internet Explorer only rarely use PFS cipher suites — when used together only 111 (0.01%) of SSL connections between IIS and IE used PFS.

Whilst Google uses PFS cipher suites for some Google SSL sites, it appears that many SSL sites hosted on Google App Engine do not.

How is this related to PRISM?

Many SSL sites of those companies implicated in the PRISM programme do not use PFS cipher suites when visited in any of the major browsers. Google, however, does use a PFS cipher suite in most browsers, with the notable exception of Opera. If PRISM operates by examining SSL traffic, which has been said to be fairly unlikely given its quoted $20M cost, all of the traffic to these SSL sites (except for Google) could have been compromised if the NSA had access to the private key.

Some other noteworthy SSL sites

DuckDuckGo, a search engine, has been prominent in the media since the start of the Snowden revelations due to its privacy policy which promotes anonymity. If the private key used by DuckDuckGo were ever compromised — for example if one of their servers were seized — all previous searches would be revealed where logged traffic is available. DuckDuckGo may be a particularly interesting target for the NSA due to its audience and the small volume of traffic (as compared to Google).

It would not surprise me at all if DuckDuckGo itself is more intimately connected to the NSA or other American intelligence organs (as is, for instance, Tor) than Google is.

CloudFlare has taken a similar approach to Google using ECDHE RC4 or AES cipher suites, but also leaves Opera users without the protection of PFS. One of CloudFlare's options for SSL deployment is 'flexible' SSL which encrypts traffic from the browser to CloudFlare but if the content is not returned from its cache, the connection from CloudFlare to the original website is made without SSL. Rather than attempting to decrypt the encrypted content it may be easier to intercept unencrypted traffic between CloudFlare and the original website.

Mega does not use PFS cipher suites, perhaps a risky move given the history of raids on Megaupload's servers by the US Government. With physical access to the servers, it is not implausible that the private keys of any server could be extracted, even if it is from non-persistent memory.

Conclusions

Conspiracy theorists may be unsurprised that:

* Microsoft’s support for PFS is conspicuous by its absence across Internet Explorer, IIS, and some of its own web sites. Apple’s support for PFS in Safari is only slightly better.

* Russia, long-time target of US spies, is the home of the developer of nginx, the web server which uses PFS most often.

* Almost all of the websites run by companies involved in the PRISM programme do not use PFS.

Whilst conspiracy theorists may delight in speculating on the reasons why PFS isn't ubiquitous, one reason may be web sites' (bona fide) performance concerns: Mavrogiannopoulos reports up to a 3x performance penalty starting an SSL connection using DHE-RSA instead of plain RSA. The lack of clear in-browser notifications of the use of PFS cipher suites may persuade popular SSL sites to forgo the protection PFS offers, which typical users do not notice, to instead improve the web site's performance, which typical users do notice.

Without the support of two major browsers and major websites most internet users are missing out on the security benefits of perfect forward secrecy. Without the protection of PFS, if an organisation were ever compelled — legally or otherwise — to turn over RSA private keys, all past communication over SSL is at risk. Perfect forward secrecy is no panacea, however; whilst it makes wholesale decryption of past SSL connections difficult, it does not protect against targeted attack on individual sessions. Whether or not PFS is used, SSL remains an important tool for web sites to use to secure data transmission across the internet to protect against (perhaps all but the most well-equipped) eavesdroppers.

It should be noted that the US Government, along with many other governments, can issue any SSL certificate of its choosing — albeit at the risk of breaking the rules of the programme and at the risk of detection by alert users and by Google (for certain SSL sites). The scale at which an active attack is practical and unlikely to be detected, however, would be significantly smaller than that of a passive eavesdropper exploiting the lack of PFS.
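
Added example (not part of the post above or of the Netcraft article, and not Netcraft's test code): a small offline simulation of the cipher-suite negotiation the article describes, showing how preference order decides whether a connection ends up with forward secrecy. Only the Opera list is taken from the article; the other two client lists and the server list are constructed to model the behaviours the article describes and are not the browsers' real lists.

```python
# Added example: simulated TLS cipher-suite selection (OpenSSL-style names).
# In these names the key exchange is the leading token; suites with no
# DHE-/ECDHE- prefix use plain RSA key transport and give no forward secrecy.
PFS_PREFIXES = ("DHE-", "ECDHE-")


def has_pfs(suite):
    """True if the suite uses an ephemeral (EC)DH key exchange."""
    return suite.startswith(PFS_PREFIXES)


def negotiate(client_prefs, server_prefs, server_order=False):
    """Return the first mutually supported suite, or None if there is none.

    By default the server respects the client's order; with
    server_order=True the server walks its own preference list instead.
    """
    if server_order:
        walk, other = server_prefs, client_prefs
    else:
        walk, other = client_prefs, server_prefs
    allowed = set(other)
    return next((s for s in walk if s in allowed), None)


CLIENTS = {
    # Start of Opera's preference list as quoted in the article.
    "opera": ["DHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "AES256-SHA",
              "DHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "AES128-SHA"],
    # Constructed: non-elliptic-curve PFS suites only as a last resort,
    # the ordering the article attributes to Safari.
    "pfs_last": ["ECDHE-RSA-AES256-SHA", "AES256-SHA", "AES128-SHA",
                 "DHE-RSA-AES256-SHA", "DHE-RSA-AES128-SHA"],
    # Constructed: no DHE-RSA suite at all and non-PFS suites first,
    # the gap the article attributes to Internet Explorer.
    "no_dhe_rsa": ["AES128-SHA", "AES256-SHA", "ECDHE-RSA-AES256-SHA",
                   "DHE-DSS-AES256-SHA"],
}

# Constructed server: RSA certificate, DHE supported, no elliptic-curve suites.
RSA_SERVER = ["DHE-RSA-AES256-SHA", "AES256-SHA",
              "DHE-RSA-AES128-SHA", "AES128-SHA"]


def audit(clients, server_prefs):
    """For each client, report the suite chosen under both ordering policies."""
    report = {}
    for name, prefs in clients.items():
        by_client = negotiate(prefs, server_prefs)
        by_server = negotiate(prefs, server_prefs, server_order=True)
        report[name] = {
            "client_order": by_client,
            "server_order": by_server,
            "pfs_client_order": by_client is not None and has_pfs(by_client),
            "pfs_server_order": by_server is not None and has_pfs(by_server),
        }
    return report


if __name__ == "__main__":
    for name, row in audit(CLIENTS, RSA_SERVER).items():
        print(name, row)
```

The `pfs_last` client only gets forward secrecy when the server imposes its own order, which is what a server-side preference setting such as nginx's `ssl_prefer_server_ciphers on` does; the `no_dhe_rsa` client gets none under either policy because the only suites it shares with this server are plain RSA.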

Been using DuckDuckGo for a couple of months now, along with Startpage and Ixquick.

 

Initially didn't like DDG. It seemed a bit primitive after using the clean and refined Google, so I started flicking between the four different engines.

 

My overall impression is that Google has been compromised quite badly since its heyday. There are things Google just doesn't want (or isn't allowed) to show you, that clearly don't come under shady porn or terrorist banners.

 

IMHO one search engine ain't enough any more. Bring back Sherlock.
