| ▲ | jokoon 2 days ago |
| I set firefox to clear cookies, also using cookies to "strict". This somehow causes a huge pain to connect to mozilla's matrix instance, and I never understood why. This is a bit ironic since firefox has that feature to clear cookies. I had to reset password, and do other weird things, I can't remember what exactly. I hope this MAS thing fixes it. |
|
| ▲ | apples_oranges 2 days ago |
| So unusable for people like me who only surf in private mode |
|
| ▲ | jeroenhd a day ago |
| Putting tracking protection to strict essentially makes Firefox violate certain web standards. Developers aren't going to test against that, and if they are they're probably not going to be able to do much about the problems strict tracking protection causes. If MAS fixes this, it'll be by accident and it'll probably break in the future. Firefox warns against this kind of breakage if you enable strict tracking protection in the settings. You can't have strict tracking protection + websites doing cross-domain authentication working. |
|
| ▲ | anon7000 2 days ago |
| I mean, yeah, tracking prevention features basically completely break cross-domain authentication. There are a surprising number of valid use cases that need cross-domain auth (or make the user experience a lot easier). While there are workarounds these days, sometimes it does require deep changes in how auth works |
| |
| ▲ | jokoon 2 days ago |
| > There are a surprising number of valid use cases that need cross-domain auth |
| I am not a web developer, but I would disagree with that. Either web standards respect privacy or they don't, but I would not sacrifice privacy for anything. Firefox was right to prevent tracking, it highlights how web standards are just not good. If something doesn't work properly in a firefox private window, to me it should not exist. |
|
| ▲ | dwattttt 2 days ago |
| Authentication requires the opposite of privacy. If you don't want to be identified, you can't restrict anything to your identity. |
|
| ▲ | johnmaguire 2 days ago |
| It kind of depends. See Kagi Privacy Pass ("Allows you to use Kagi Search with Privacy Pass, which cryptographically ensures that Kagi cannot tie that request to an account and allows for further privacy and anonymity."): https://help.kagi.com/kagi/privacy/privacy-pass.html |
|
| ▲ | jeroenhd a day ago |
| ... which requires an addon to the browser, or for it to be built in specifically for that company. That's not something companies like Matrix can use. If you're installing software already, why not skip the browser engine and install a full Matrix client instead? |
|
| ▲ | johnmaguire a day ago |
| I wasn't responding directly to Matrix's use of MAS. More generally I aimed to make the parent poster aware of a new technology that allows for private authentication, which they claimed was impossible. Privacy Pass is currently being standardized by the IETF, so we may see more widespread adoption eventually: https://privacypass.github.io/ |
|
| ▲ | dwattttt 20 hours ago |
| Just to make the claim clearer: it can't matter what the authentication mechanism is. If a Privacy Pass token is needed for access to your email, then redeeming the token tells the service you (the client) can access your email. That's identified you. |
|
| ▲ | kevin_thibedeau 2 days ago |
| If I'm authenticating with server A, I shouldn't have to carry ephemera from server B. A can interact with B on its own if necessary. Bubbling up these architectural details to the front end is a symptom of the webdev cargo cult coming up with broken ideas that get fossilized as the status quo. |
|
| ▲ | johnmaguire 2 days ago |
| With OIDC, both occur: the client is redirected to the authentication server where they directly authenticate, then carries a token cross-domain back to the service. Finally, the service validates the token against the auth server. The alternative would be something where I enter my Google username/password on random websites, and trust that they will forward it to Google and not do anything nefarious. This is less secure and less private. |
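The redirect-and-validate exchange described in the comment above, as an added example that is not part of the thread and not code from Matrix, MAS or any OIDC library. It is a toy model of the authorization-code pattern: the class names, the `service.example` callback and the sample account are all constructed, and real OIDC additionally issues signed ID tokens from a token endpoint.

```python
import hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthServer:
    """Toy identity provider (hypothetical names, not a real OIDC library)."""
    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._users = {"alice": _kdf("correct horse", self._salt)}  # constructed account
        self._codes = {}  # one-time code -> (user, redirect_uri)

    def login(self, user, password, redirect_uri, state):
        # Step 1: the browser authenticates to the auth server directly.
        stored = self._users.get(user, b"")
        if not hmac.compare_digest(stored, _kdf(password, self._salt)):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, redirect_uri)
        # Step 2: the browser is sent back cross-domain with code + state only.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def redeem(self, code, redirect_uri):
        # Step 3: the service checks the code with the auth server; single use.
        user, bound_uri = self._codes.pop(code, (None, None))
        if user is None or bound_uri != redirect_uri:
            raise PermissionError("invalid or replayed code")
        return {"sub": user}

class Service:
    """Relying party: it never receives the password."""
    CALLBACK = "https://service.example/callback"

    def __init__(self, auth_server):
        self.auth, self.pending = auth_server, set()

    def start_login(self):
        state = secrets.token_urlsafe(16)  # ties the callback to this login attempt
        self.pending.add(state)
        return state

    def callback(self, url):
        query = parse_qs(urlparse(url).query)
        state, code = query["state"][0], query["code"][0]
        if state not in self.pending:
            raise PermissionError("unexpected state")
        self.pending.discard(state)
        return self.auth.redeem(code, self.CALLBACK)["sub"]
```

The cross-domain hop is the redirect URL returned by `login`, which is the step that browser settings blocking cross-site state can interfere with when the service keeps `state` in a cookie.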
|
| ▲ | kibwen 2 days ago |
| The status quo appears to involve handing over your account password to your chosen client. That's worse than this. |
|
| ▲ | wkat4242 2 days ago |
| If you don't trust your matrix client, why use it at all? It's also a bit disheartening to see Matrix putting all that "Log in with Google", Apple, Facebook etc so prominently on their login page. The whole idea of decentralised services was getting out of those walled gardens. |
|
| ▲ | johnmaguire 2 days ago |
| Yeah, I would argue it's less about removing trust from the client (which will ultimately get an auth token in addition to secrets and plaintext messages) and more about allowing for centralized authentication and authorization policies. |
| |
| ▲ | cvwright 2 days ago |
| But you already trust your client with all the private keys and message plaintexts for your account. I struggle to see why I should trust it with those things but not the account password. |
|
| ▲ | tcfhgj a day ago |
| Not necessarily, you could give restricted access to a client |
|
| ▲ | lucyjojo a day ago |
| my google account has way more power over me than whatever i ever wrote in matrix in my life (ever, ever) |
|
| ▲ | nurettin 2 days ago |
| How do you prevent them from collecting "Interaction Data"? https://www.mozilla.org/en-US/privacy/firefox/#bookmark-how-... |