Two years ago, Apple launched an aggressive battle against ads that track users across the web. Today executives in the online publishing and advertising industries say that effort has been stunningly effective -- posing a problem for advertisers looking to reach affluent consumers. The Information reports: Since Apple introduced what it calls its Intelligent Tracking Prevention feature in September 2017, and with subsequent updates last year, advertisers have largely lost the ability to target people on Safari based on their browsing habits with cookies, the most commonly used technology for tracking. One result: The cost of reaching Safari users has fallen over 60% in the past two years, according to data from ad tech firm Rubicon Project. Meanwhile ad prices on Google's Chrome browser have risen slightly.

That reflects the fact that advertisers pay more money for ads that can be targeted at people with specific demographics and interests. "The allure of a Safari user in an auction has plummeted," said Rubicon Project CEO Michael Barrett. "There's no easy ability to ID a user." This shift is significant because iPhone owners tend to be more affluent and therefore more attractive to advertisers. Moreover, Safari makes up 53% of the mobile browser market in the U.S., according to web analytics service Statscounter. Only about 9% of Safari users on an iPhone allow outside companies to track where they go on the web, according to Nativo, which sells software for online ad selling. It's a similar story on desktop, although Safari has only about 13% of the desktop browser market. In comparison, 79% of people who use Google's Chrome browser allow advertisers to track their browsing habits on mobile devices through cookies. (Nativo doesn't have historical data so couldn't say what these percentages were in the past.)

An anonymous reader quotes the International Business Times: At the recent Tianfu cup held in Chengdu, China, Chinese China's top white-hat hackers have converged to test zero-days against top software available in the market today. During the first day of the event, Chinese security researchers were able to break into major browsers such as Safari, Microsoft Edge, and Google Chrome.

Since March 2018, the Chinese government has officially discouraged security researchers from joining hacking competitions outside the county. The recent Tianfu Cup is the venue for hackers to showcase their skills and even earn six-figure bounties for successful exploits. Former Pwn2Own winner Team 360 Vulcan took home $382,500 for successfully hacking the old version of Office 365, Microsoft Edge, Adobe PDF Reader, VMWare Workstation, and gemu+ Ubuntu during the two days event, reports ZDNet... Search engine giant Google has a representative in the event with some members of the Google Chrome security team present on site. Organizers plan to submit a report of all bugs uncovered during the event to all vendors when the competition concludes, says ZDNet.

"Mozilla is no longer fighting for market share of its browser: it is fighting for the future of the web," writes the Guardian, citing Mozilla Project co-founder Mitchell Baker: Baker's pitch is that only Mozilla is motivated, first and foremost, to make using the web a pleasurable experience. Google's main priority is to funnel user data into the enormous advertising engine that accounts for most of its revenue. Apple's motivation is to ensure that customers continue to buy a new iPhone every couple of years and don't switch to Android...."

Firefox now runs sites such as Facebook in "containers", effectively hiving the social network off into its own little sandboxed world, where it can't see what's happening on other sites. Baker says: "It reduces Facebook's ability to follow you around the web and track you when you're not on Facebook and just living your life...." Mozilla has launched Monitor, a data-breach reporting service; Lockwise, a password manager; and Send, a privacy-focused alternative to services such as WeSendit. It's also beta-testing a VPN (virtual private network) service, which it hopes to market to privacy-conscious users...

Apple's iOS (mobile operating system) is an acknowledged disaster for Mozilla. Safari is the default and, while users can install other browsers, they come doubly hindered: they can never be set as the default, meaning any link clicked in other applications will open in Safari; and they must use Safari's "rendering engine", a technical limitation that means that even the browsers that Firefox does have on the platform are technically just fancy wrappers for Apple's own browser, rather than full versions of the service that Mozilla has built over the decades... "Even if you do download a replacement, iOS drops you back into the default. I don't know why that's acceptable. Every link you open on a phone is the choice of the phone maker, even if you, as a user, want something else."
Summarizing Baker's concerns, the Guardian writes that "It is perfectly possible to build a browser that prevents advertising companies from aggregating user data. But it is unlikely that any browser made by an advertising company would offer such a feature..."

And an activist for the Small Technology Foundation tells them that Google "wants the web to go through Google. It already mostly does: with eyes on 70% to 80% of the web."

All major browsers -- including Chrome, Firefox, Safari, Opera, Microsoft Edge, Vivaldi, Brave -- have plans to support DNS-over-HTTPS (or DoH), a protocol that encrypts DNS traffic and helps improve a user's privacy on the web. From a report: The DoH protocol has been one of the year's hot topics. It's a protocol that, when deployed inside a browser, it allows the browser to hide DNS requests and responses inside regular-looking HTTPS traffic. Doing this makes a user's DNS traffic invisible to third-party network observers, such as ISPs. But while users love DoH and have deemed it a privacy boon, ISPs, networking operators, and cyber-security vendors hate it. A UK ISP called Mozilla an "internet villain" for its plans to roll out DoH, and a Comcast-backed lobby group has been caught preparing a misleading document about DoH that they were planning to present to US lawmakers in the hopes of preventing DoH's broader rollout. However, this may be a little too late. ZDNet has spent the week reaching out to major web browser providers to gauge their future plans regarding DoH, and all vendors plan to ship it, in one form or another.

Apple's iOS 13 has had a rocky start since its release last month, with it being among the most buggy Apple software releases in recent memory. Now, iPhone owners are complaining of yet another issue that may be bug-related. From a report: A growing number of iPhone and iPad users have complained about poor RAM management on iOS 13 and iPadOS 13, leading to apps like Safari, YouTube, and Overcast reloading more frequently upon being reopened. We've lightly edited some of the comments to correct things like capitalization.

Apple this year differentiated the iPad by creating a superset of iOS that only works on the company's tablet, the cleanly named iPadOS. In theory, iPadOS fixes the many shortcomings of previous iOS versions that tried to serve two masters, the iPad and the iPhone. But some fundamental issues remain. From a column: Apple's iPadOS page is adamant that a world of possibilities is now "ours." The "Features" section provides a long, long list of new iPad talents. Without getting into the embarrassing details about the klutziness that makes me a good product tester because I tend to do things that knowledgeable users already know how to do, I'm confused and frustrated by all of these "possibilities." For relatively simple tasks such as using multiple apps side by side or opening more than one window for an app such as Pages, the iPad support site is cryptic and, in some cases, just plain wrong. As just one example, the on-line guidance advises: "go to Settings > General > Multitasking & Dock..." Trouble is, the General section of Settings on my iPad Pro doesn't have a Multitasking & Dock section. A little bit of foraging gets me to the Home Screen & Dock section where, yes, the Multitasking adjustments are available.

On the positive side, one now has a real Safari browser, equivalent in most regards to the "desktop" version, and the ability to open two independent windows side by side. Because I feel self-conscious about my mental and motor skills, I compared notes with a learned friend, a persistent fellow who forced himself to learn touch typing by erasing the letters on his keyboard. He, too, finds iPadOS discoverability to be severely lacking. There are lot of new and possibly helpful features but, unlike the 1984 Mac, not enough in the way of the hints that menu bars and pull-down menus provide. It all feels unfinished, a long, long list of potentially winning features that are out of the reach of this mere mortal and that I assume will remain undiscovered by many others. Kvetching aside, we know that Apple plays the long game. Today's stylus equipped and mouse-capable iPad shows great promise. (I connected my trusted Microsoft Mouse and its two buttons and wheel -- no problem.) It clearly has the potential to become a multifaceted device capable of a wide range of interactions. From the simplest one-finger control enjoyed by children and adults alike to the windows and pointing device interactions "power users" hope for, the iPad shows great potential -- and the need for more work to make the new features more discoverable.

An anonymous reader quotes a report from ZDNet: Firefox is the only browser that received top marks in a recent audit carried out by Germany's cyber-security agency -- the German Federal Office for Information Security (or the Bundesamt fur Sicherheit in der Informationstechnik -- BSI). The BSI tested Mozilla Firefox 68 (ESR), Google Chrome 76, Microsoft Internet Explorer 11, and Microsoft Edge 44. The tests did not include other browsers like Safari, Brave, Opera, or Vivaldi. The audit was carried out using rules detailed in a guideline for "modern secure browsers" that the BSI published last month, in September 2019. The BSI normally uses this guide to advise government agencies and companies from the private sector on what browsers are safe to use. The article includes a list of all the minimum requirements required for the BSI to consider a browser "secure." It also lists the areas where the other browsers failed, such as: Lack of support for a master password mechanism (Chrome, IE, Edge); No built-in update mechanism (IE), and No option to block telemetry collection (Chrome, IE, Edge).

Over the weekend, reports emerged that claimed that Apple was sending users' browsing details to Tencent to run it against Chinese company's safe browsing feature. In a statement on Monday, an Apple spokesperson has offered a clarification: Apple protects user privacy and safeguards your data with Safari Fraudulent Website Warning, a security feature that flags websites known to be malicious in nature. When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of website you visit is never shared with a safe browsing provider and the feature can be turned off.

"Apple, which often positions itself as a champion of privacy and human rights, is sending some IP addresses from users of its Safari browser on iOS to Chinese conglomerate Tencent -- a company with close ties to the Chinese Communist Party," reports the Reclaim the Net blog: Apple admits that it sends some user IP addresses to Tencent in the "About Safari & Privacy" section of its Safari settings.... The "Fraudulent Website Warning" setting is toggled on by default which means that unless iPhone or iPad users dive two levels deep into their settings and toggle it off, their IP addresses may be logged by Tencent or Google when they use the Safari browser. However, doing this makes browsing sessions less secure and leaves users vulnerable to accessing fraudulent websites...

Even if people install a third-party browser on their iOS device, viewing web pages inside apps still opens them in an integrated form of Safari called Safari View Controller instead of the third-party browser. Tapping links inside apps also opens them in Safari rather than a third-party browser. These behaviors that force people back into Safari make it difficult for people to avoid the Safari browser completely when using an iPhone or iPad.
Engadget adds that it's "not clear" whether or not Tencent is actually collecting IP addresses from users outside of China. ("You'll see mention of the collection in the U.S. disclaimer, but that doesn't mean it's scooping up info from American web surfers.")

But Reclaim the Net points out that the possibility is troubling, in part because Safari is the #1 most popular mobile internet browser in America, with a market share of over 50%.

sharkbiter shares a report from ZDNet: Over the course of the last year and a half, Apple has effectively neutered ad blockers in Safari, something that Google has been heavily criticized all this year. But unlike Google, Apple never received any flak, and came out of the whole process with a reputation of caring about users' privacy, rather than attempting to "neuter ad blockers." The reasons may be Apple's smaller userbase, the fact that changes rolled out across years instead of months, and the fact that Apple doesn't rely on ads for its profits, meaning there was no ulterior motive behind its ecosystem changes.

The reason may have to do with the fact that Apple is known to have a heavy hand in enforcing rules on its App Store, and that developers who generally speak out are usually kicked out. It's either obey or get out. Unlike in Google's case, where Chrome is based on an open-source browser named Chromium and where everyone gets a voice, everything at Apple is a walled garden, with strict rules. Apple was never criticized for effectively "neutering" or "killing ad blockers" in the same way Google has been all this year. In Google's case, the pressure started with extension developers, but it then extended to the public. There was no public pressure on Apple mainly because there aren't really that many Safari users to begin with. With a market share of 3.5%, Safari users aren't even in the same galaxy as Chrome and its 65% market lead.

Furthermore, there is also the problem of public perception. When Apple rolled out a new content blocking feature to replace the old Safari extensions and said it was for everyone's privacy -- as extensions won't be able to access browsing history -- everyone believed it. On the other hand, ads are Google's life blood, and when Google announced updates that limited ad blockers, everyone saw it a secret plan for a big corp to keep its profits intact, rather than an actual security measure, as Google said it was.

Mozilla has switched on Firefox's tracking protection feature for everyone on Windows and Android, dialing up its effort to protect privacy from website publishers and advertisers that would like to keep tabs on your online behavior. From a report: Mozilla enabled tracking protection for new Firefox users in June, but now it's on for everyone, the nonprofit said Tuesday. Tracking protection is all the rage among browser makers, including Apple's Safari, Brave Software's Brave and Microsoft's new Chromium-based Edge. Even Google's Chrome, long the laggard among major browsers, is starting to tackle the problem. It's a thorny issue for websites and advertisers that seek to improve advertising revenue by targeting ads based on their assessment of your interests. "Currently over 20% of Firefox users have Enhanced Tracking Protection on. With today's release, we expect to provide protection for 100% of ours users by default," Mozilla said in a blog post Tuesday.

An EFF analysis looks at the problems with some of Google's new "Privacy Sandbox" proposals, a few of which it calls "downright dangerous": Perhaps the most fleshed-out proposal in the Sandbox is the conversion measurement API. This is trying to tackle a problem as old as online ads: how can you know whether the people clicking on an ad ultimately buy the product it advertised....? Google's ID field can contain 64 bits of information -- a number between 1 and 18 quintillion. This will allow advertisers to attach a unique ID to each and every ad impression they serve, and, potentially, to connect ad conversions with individual users. If a user interacts with multiple ads from the same advertiser around the web, these IDs can help the advertiser build a profile of the user's browsing habits.

Even worse is Google's proposal for Federated Learning of Cohorts (or "FLoC").... FLoC would use Chrome users' browsing history to do clustering. At a high level, it will study browsing patterns and generate groups of similar users, then assign each user to a group (called a "flock"). At the end of the process, each browser will receive a "flock name" which identifies it as a certain kind of web user. In Google's proposal, users would then share their flock name, as an HTTP header, with everyone they interact with on the web. This is, in a word, bad for privacy. A flock name would essentially be a behavioral credit score: a tattoo on your digital forehead that gives a succinct summary of who you are, what you like, where you go, what you buy, and with whom you associate...

If the Privacy Sandbox won't actually help users, why is Google proposing all these changes? Google can probably see which way the wind is blowing. Safari's Intelligent Tracking Prevention and Firefox's Enhanced Tracking Protection have severely curtailed third-party trackers' access to data. Meanwhile, users and lawmakers continue to demand stronger privacy protections from Big Tech. While Chrome still dominates the browser market, Google might suspect that the days of unlimited access to third-party cookies are numbered. As a result, Google has apparently decided to defend its business model on two fronts. First, it's continuing to argue that third-party cookies are actually fine, and companies like Apple and Mozilla who would restrict trackers' access to user data will end up harming user privacy. This argument is absurd. But unfortunately, as long as Chrome remains the most popular browser in the world, Google will be able to single-handedly dictate whether cookies remain a viable option for tracking most users.

At the same time, Google seems to be hedging its bets. The "Privacy Sandbox" proposals for conversion measurement, FLoC, and PIGIN are each aimed at replacing one of the existing ways that third-party cookies are used for targeted ads. Google is brainstorming ways to continue serving targeted ads in a post-third-party-cookie world. If cookies go the way of the pop-up ad, Google's targeting business will continue as usual.

The Sandbox isn't about your privacy. It's about Google's bottom line. At the end of the day, Google is an advertising company that happens to make a browser.

Apple, Google, and Mozilla have moved in to ban a root certificate the Kazakhstan government used in the past month to spy on its citizens' web traffic. From a report: Starting today, Chrome, Firefox, and Safari will show errors if any HTTPS web traffic is encrypted with the Kazakh government's root or leaf certificates. This coordinated action will ensure the safety of Kazakh users who were forced last month by their local Kazakh ISPs to install this certificate under the threat of not being allowed to use the internet otherwise. Kazakh ISPs forced their customers to install the government's root certificate after the Kazakh government issued a decree and said the measure was "aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats." But in reality, the Kazakh government abused this root certificate installed in millions of users browsers to intercept and decrypt HTTPS traffic users were making to 37 domains, such as such Facebook, Google, Twitter, Instagram, and YouTube.

AmiMoJo writes: WebKit, the open source HTML engine used by Apple's Safari browser and a number of others, has created a new policy on tracking prevention. The short version is that many forms of tracking will now be treated the same way as security flaws, being blocked or mitigated with no exceptions. While on-site tracking will still be allowed (and is practically impossible to prevent anyway), all forms of cross-site tracking and covert tracking will be actively and aggressively blocked.

"Upcoming changes in Google Chrome and Mozilla Firefox may finally spark the end for Extended Validation certificates as the browsers plan to do away with showing a company's name in the address bar," reports Bleeping Computer. When connecting to a secure web site, an installed SSL/TLS certificate will encrypt the communication between the browser and web server. These certificates come in a few different flavors, with some claiming to offer a more thorough verification process or extra perks. One certificate, called EV Certificates, are known for having a browser display the owner of the certificate directly in the browser's address bar. This allegedly makes the site feel more trustworthy to a visitor.

In reality, the different types of SSL/TLS certificates all serve a single purpose and that is to encrypt the communication between a browser and web site. Anything extra is seen by many as just a marketing gimmick to charge customers for a more expensive "trustworthy" certificate. In numerous blog posts, security researcher Troy Hunt has stated that EV Certificates will soon be dead as more and more sites switch away from them, because they are much harder to manage due to extra verification times, and because people have become to associate a padlock with a secure site rather than a company name.

With Safari already removing EV Certificate company info from the address bar, most mobile browsers not showing it, and Chrome and Mozilla desktop browsers soon to remove it, Hunt's predictions are coming true. EV Certificates will soon be dead.
AmiMoJo shared this post from Google's Chromium blog: Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection. Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.

A federal appeals court on Tuesday struck down Google's class-action settlement meant to resolve claims it invaded the privacy of millions of computer users by installing "cookies" in their browsers, but paying those users nothing for their troubles. Reuters reports: In a 3-0 decision, the 3rd U.S. Circuit Court of Appeals in Philadelphia said it could not tell whether the $5.5 million settlement was fair, reasonable and adequate, and said a lower court judge should revisit the case. Google, a unit of Alphabet Inc, had been accused of exploiting loopholes in Apple's Safari and Microsoft's Internet Explorer browsers to help advertisers bypass cookie blockers. The settlement approved in February 2017 by U.S. District Judge Sue Robinson in Delaware called for Google to stop using cookies for Safari browsers, and pay the $5.5 million mainly to the plaintiffs' lawyers and six groups, including some with prior Google ties, to research and promote browser privacy. But in Tuesday's decision, Circuit Judge Thomas Ambro said the settlement raised a "red flag" and possible due process concerns because it broadly released money damages claims.

"Google has finally chopped the 'www' from Chrome's address bar after delaying the controversial move due to a backlash," reports TechRepublic: The move to remove 'www' was initially planned for last year, when Google announced it would cut "trivial subdomains" from the address bar in Chrome 69. Now Google has begun truncating the visible URL in Chrome for desktop and Android, rolling out the change in version 76 of the browser, released this week. By default sites in Chrome now no longer display the "https" scheme or the "www" subdomain, with the visible address starting after this point. To view the full URL, users now have to click the address bar twice on desktop and once on mobile. Google has argued the move is driven by a desire for greater simplicity and usability of Chrome...

However the announcement provoked a fresh wave of criticism, from those who say the move will confuse users and even potentially make it easier for them to inadvertently connect to fake sites... There are also some who claim Google's motivation in changing how the URL is displayed may be to make it harder for users to tell whether they are on a page hosted on Google's Accelerated Mobile Pages subdomain...

Google says it has also built a Chrome extension that doesn't obfuscate the URL to "help power users recognize suspicious sites and report them to Safe Browsing". Despite the backlash from some online, Chrome isn't the first browser to truncate the URL in this way, with Apple's Safari similarly hiding the full address.

Slashdot's gotten over 17,000 votes in its poll about which web browser people use on their desktop. (The current leader? Firefox, with 53% of the vote, followed by Chrome with 30%.)

But Slashdot reader koavf asks an interesting follow-up question: "What's everyone's go-to Plan B browser and why?"

To start the conversation, here's how James Gelinas (a contributor at Kim Komando's tech advice site) recently reviewed the major browsers:

• He calls Chrome "a safe, speedy browser that's compatible with nearly every page on the internet" but also says that Chrome "is notorious as a resource hog, and it can drastically slow your computer down if you have too many tabs open."
  
  "Additionally, the perks of having your Google Account connected to your browser can quickly turn into downsides for the privacy-minded among is. If you're uncomfortable with your browser knowing your searching and spending behaviors, Chrome may not be the best choice for you."

• He calls Firefox "the choice for safety".
  
  "Predating Chrome by 6 years, Firefox was the top choice for savvy Netizens in the early Aughts. Although Chrome has captured a large segment of its user base, that doesn't mean the Fox is bad. In fact, Mozilla is greatly appreciated by fans and analysts for its steadfast dedication to user privacy... Speedwise, Firefox isn't a slouch either. The browser is lighter weight than Chrome and is capable of loading some websites even faster."

• He calls Apple's Safari and Microsoft Edge "the default choice...because both of these browsers come bundled with new computers."
  
  "Neither one has glaring drawbacks, but they tend to lack some of the security features and extensions found in more popular browsers. Speedwise, however, both Edge and Safari are able to gain the upper hand against their competition. When it comes to startup time and functions, the apps are extremely lightweight on your system's resources. This is because they're part of the Mac and Window's operating systems, respectively, and are optimized for performance in that environment."

Finally, he gives the Tor browser an honorable mention. ("It's still one of the best anonymous web browsers available. It's so reliable, in fact, that people living under repressive governments often turn to it for their internet needs -- installing it on covert USB sticks to use on public computers.") And he awards a "dishonorable mention" to Internet Explorer. ("Not only is the browser no longer supported by Microsoft, but it's also vulnerable to a host of malware and adware threats.")

But what do Slashdot's readers think? Putting aside your primary desktop browser -- what's your own go-to "Plan B" web browser, and why? Leave your best answers in the comments.

What's your "backup" browser?

Mozilla is adding a random password generator to Firefox. From a report: The Firefox random password generator is expected to become publicly available for all Firefox users with the release of Firefox 69, scheduled for release in early September, roughly a year after Chrome 69. Currently, the random password generator is only available in Firefox Nightly, a Firefox version for testing new features before they land in the stable branch. When Firefox 69 will be released, the random password generator is expected to be available as a checkbox in the Firefox settings section, under "Privacy & Security," under "Logins and Passwords."

Google today launched a new Chrome extension that will simplify the process of reporting a malicious site to the Google Safe Browsing team so that it can be analyzed, reviewed, and blacklisted in Chrome and other browsers that support the Safe Browsing API. From a report: Named the Suspicious Site Reporter, this extension adds an icon to the Google Chrome toolbar that when pressed, opens a popup window from where users can file an automatic report for the current site they're on, and which they suspect might be up to no good. "If the site is added to Safe Browsing's lists, you'll not only protect Chrome users but users of other browsers and across the entire web," said Emily Schechter, Chrome Product Manager. The Safe Browsing API is implemented not only in the mobile and desktop versions of Chrome but also in the mobile and desktop versions of Mozilla Firefox and Apple's Safari.