Should "Worth Mentioning" recommendations make a return?

My idea would be that the wiki would basically be an index and link to relevant forum posts people could read for more details. It would be more accessible than performing a search, which is what you currently have to do.

4 Likes

I don’t see the point. Even for certain categories where there’s only one recommendation, e.g. Cryptocurrency, the criterion is privacy by default. So even using BTC with your own node or CoinJoin would not fit the criteria.

Or even custom ROMs, if you can’t install GrapheneOS, then isn’t stock Android generally recommended over any other custom ROMs? If there aren’t many recommendations, then maybe there’s a reason for it.

This is why there’s an option to only bring back worth mentioning recommendations for certain categories.

I can’t see any reason to use any other crypto over Monero.

It is now that DivestOS and CalyxOS are both unmaintained.

I’m using Crypto and ROMs as examples because they only have one recommendation. That seems to suit “certain categories” which “don’t have many recommendations already”.

For web browsers, we have three good ones. Librewolf seems to be a no-config Arkenfox, which could be a decent honorable mention and seems more usable. But if someone wants a hardened browser, we already recommend Mullvad. And if they have a lower threat model, I think I would be more comfortable recommending stock Firefox.

I’m not completely against this idea. I just don’t see a reason for it, yet. Using password managers as an example, if open-source becomes a requirement for password managers, and honorable mentions don’t require open-source so that 1Password can be considered as an honorable mention, that’s fine since it’s in a different category with different criteria. But I’ve tested Proton Pass, Bitwarden and KeePass. Is there a reason to use 1Password over the others? We have so many different options already that an honorable mention seems pointless.

Stock Firefox without hardening isn’t any better than Chrome for privacy. For those who aren’t concerned about fingerprinting but want to use Firefox hardened, the choices are either to install custom user.js/policies like Arkenfox or Phoenix, or use LibreWolf. Both have their advantages and disadvantages, with LibreWolf being more convenient and easy to set up but with slower updates.

Yes it is pointless, which is why 1Password should be removed entirely.

1 Like

I think it’s pointless to recommend Librewolf as well. And Apple Mail. If someone is entrenched in Apple’s ecosystem, they’re most likely using Apple Mail anyway.

And sure, stock Firefox may not be much better than Chrome, but the problem with Librewolf isn’t slower updates; it doesn’t support auto-updates. For Linux users, you can auto-update through the package manager, but for everyone else, most people don’t bother with updates. So for convenience (and even security), isn’t stock Firefox arguably better?

But if we were to bring back Honorable Mentions with looser criteria, we would also have to decide if “must support automatic updates” should be exempt from honorable mentions.

If you want LibreWolf to be automatically updated (recommended), you can choose to install the LibreWolf WinUpdater, which is included in the installer. You then can open the WinUpdater program and enable automatic updates by checking the box “Schedule a task for automatic update checks…”.

So it doesn’t include auto-updates by default. But it still doesn’t meet the “must receive engine updates in 0-1 days from upstream release” criterion. So we would have to find a compromise that’s acceptable for honorable mentions.

If that’s agreed upon (hypothetically), I could agree with Librewolf as HM if labelled as “advanced” option, just like with Arkenfox.

Compared to most other Firefox forks, it’s more popular among privacy enthusiasts, has a stronger focus on privacy, has been around longer, and delivers updates more reliably (although still inconsistent at times). AFAIK, IceCat is constantly behind and they haven’t distributed official binaries since 2019. Most other forks are based on ESR, meaning not all security vulnerabilities are fixed each release. I haven’t tested Zen, but it appears relatively new.

Simply put, LibreWolf is the least bad option for this threat model and use case. I’m not sure I’d label it as an “advanced” option since there are ways to auto-update it for each major OS. Some browsers will disable automatic updates for privacy reasons despite the enormous security tradeoff, because checking for updates makes connections in the background, or because browsers could be compromised at any time and auto-updating to a new malicious version could put users at risk; and automatic updates aren’t necessary for Linux at all, since package managers can handle that. But for most people, automatic updates are necessary depending on how they installed the browser.

It’s not always about changing the criteria to find compromises, but about finding the least bad solution.

Very interesting thread indeed. I cannot vote but that’s OK. If people actually read, maybe the “worth mentioning” could make sense. HOWEVER, the sad fact is that people do not read. Most just look for whatever is “recommended”, even without checking why or without verifying the source. That’s why so many paid review sites exist.

I also believe that there is a reason we have criteria, and they should be applied without other considerations such as politics: if a product passes the criteria it gets listed, if not, then… no. And that’s not a bad thing and doesn’t mean that such a product is bad.

I don’t think the criteria needs to be changed. I think Librewolf could be listed as an HM and just state the reason/reasons it’s not on the recommended list. Readers can take that into account and decide what they would like to use.

2 Likes

I would suggest Librewolf as HM with a disclaimer that it doesn’t meet the following requirements. But it circles back to the argument that recommendations are based on the criteria, so if we can make exceptions, why bother having criteria at all?

And I agree with @lumino that people don’t actually read. At best, they skim for information. So to see Firefox being recommended, most people would just install Firefox because they most likely won’t read about Arkenfox. And an honorable mention would seem like a recommendation to most people. That’s why Mullvad is better because it’s great ootb, and Brave is a decent ootb option too, whereas Librewolf requires a bit of tweaking to enable auto-updates.

It seems like a simple thing, but most people can’t do simple things. Just recently, I had a support call because a user couldn’t send a document. I asked what the error message was, and it was because the file was opened in another program. The answer was right in front of them, but they had to call IT support.

If we’re going to recommend products to the average user, I think having fewer options will keep things simple. If an average user uses Brave without understanding the difference between that and Chrome because they only see it as a web browser, then at least that’s a small step forward.

Again, worth mentioning “recommendations” are not recommendations. As @No_Name pointed out, Librewolf wouldn’t be recommended, but it could still be useful for some people. And criteria are necessary either way, because without them everything would be worth mentioning.

1 Like

Because there are many cases where there is a lesser of two evils. Music apps and social media are great examples of this. You aren’t going to find all the content you want on the smaller platforms, but some of the larger ones are worse than others. There should definitely be a clear distinction between services Privacy Guides endorses and services that don’t meet the requirements, but all-or-nothing mentalities don’t help anyone in this space.

1 Like

I think this is a false equivalence; there is a difference between having all-or-nothing stances and having high standards and requirements. The website serves as a resource for a lot of people, so understandably the tools listed there should have to reach a certain standard.

There is no rule against discussing rejected options here on the forum. In fact, several times I have searched for a service and found a thread from this forum which gave a lot of good insight into why I might not want to choose it.

1 Like

Fair enough. But I do think that this standard isn’t the same for everybody, and a lot of beginners aren’t given very good advice on threat modeling when asking questions in forums like this or r/privacy on Reddit. But yeah, part of what makes this website great is the standards you guys have set. Maybe a separate website or page dedicated to doing the best you can in environments that don’t meet these standards would be helpful for newbies. This could even be an article that just goes over the basics of checking the settings within these services, using more private emails for these services (at least on the ones that accept private email addresses), reading the privacy policies of services you use, and having good opsec.

The all-or-nothing comment is more about the idea that you aren’t private if there is any weak point or non-private thing that you use, which I know isn’t something you guys push; it’s just something I see way too often.