Mozilla is the “socially acceptable” face of Big Tech.

For example, Google and friends know you’d never “donate your voice” for whatever their next privacy eroding product is. So thank goodness they don’t have to ask you. Because an entity they invest ~ half a billion dollars into every year and which you trust (maybe it’s time to review that choice?) can ask you instead.

So Mozilla creates a voice dataset and licenses it liberally so any surveillance capitalist like Google, etc., can use it.

@aral I totally agree that this seems to be the stance of big tech now. As a Firefox user though we have no where else left to go. What's the communities next move to counter this you think?

@rustygopher I hear you. I can’t speak for the community but this is what I’m working on: small-tech.org/research-and-de :)

@aral
If it's based on Site.js, doesn't that mean it relies on JS and thus isn't good for privacy or older machines?
@rustygopher

@dheadshot @rustygopher No, it doesn’t mean that because there is nothing inherent in JS that “isn’t good for privacy” or runs badly on older machines. On the contrary, keeping your secrets on the client (which you control) *requires JS* and requires that all logic runs on the client and that the server (which you don’t control) is as dumb as possible and never has your secrets. Sadly this generic dogma about “JS is dangerous” is perpetuated by folks like the FSF and it’s both wrong and harmful.

@aral Client code is served from its server so to control the client you have to control the server anyway. Keeping most of logic in the client will eventually slow it down, as well as sometimes unnecessarily complicating the setup with APIs and ways to keep in sync, and it gets worse if you get into hybrid rendering to speed things up.

Look at sites like Sourcehut or Invidious, they work fine without JS and are still usable. [1/2]

@yyp For Small Web we treat the server as an app download. We can verify the download out of band (eg., via a browser extension) to rule out tampering by the host if that’s within your threat model. Otherwise the security depends on your secrets never leaving a space you own and control. So we MUST implement it in JavaScript. We CANNOT implement it on the server.

JS isn’t the enemy. Someone else (Big Tech/people farmers) holding your data and keys is the enemy.

See small-tech.org/research-and-de

@aral do you know if signing of JS (or other assets) is a thing already? I mean I know about Subresource Integrity, but that's just a hash. I mean a way to SIGN a file, so that a browser(-extension) could verify (perhaps from DNS TXT) that this is the very file a developer intended, regardless where it's hosted and if SRI is in place?

Follow

@claudius Been looking into it quite a bit. Nothing to sign the initial download. So we’ll have to have a browser extension + dev/build workflow conventions.

· · Web · 0 · 0 · 1
Sign in to participate in the conversation
Aral’s Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!