8 Reasons to ditch Chrome and use Firefox

Surprisingly many reasons, have a big one:

Firefox has a whole lot more than Chrome too. :wink:
But yeah, Chrome has a ton more than Safari.

2 Likes

:icon_surprised:

2 Likes

Still ok to send verification codes tho I reckon, if anyone gets one out of the blue the alarm bells would almost certainly start ringing and if there was a systems hack to send them when someone actually requested it via an official app or website, well then they probably have bigger things to worry about :lol:

1 Like

Except a big BIG issue with SMS is how incredibly easy it is to social-engineer phone providers to swap SMS to a new, scammer-controlled phone, so you would never see your SMS message, they would.

2 Likes

I wouldn’t trust anything that comes over the phone network these days. I have seen scam calls originate from my own number, it is as bad as email.

2 Likes

Yep, you can put anything you want into the ‘sender’ field of things like SMS, it’s horrifying, that should never have been allowed, or at least let it be an ‘addon’ to the main number. ^.^;

2 Likes

True, I have even done it when setting things up for alerts etc for customers. To compare it to email is probably unfair given today's very aggressive main mail servers that effectively raise the standards for everyone (a sword with more than one side), it is probably fairer to say it is like email in the mid-90s.

2 Likes

Well the SMS replacement, RCS, fixes this I hear, now if only Apple was capable of updating to modern standards as they are the only holdout left, lol, then kill SMS!

2 Likes

It isn’t like it is a problem free solution, or like Google has ever succeeded in a messaging solution ever. I’m not sure why Apple would adopt another solution that is worse than their own and less universal than their fallback while being worse for their ecosystem and better for their competitors. I mean you can blame them if you want, but it isn’t in their interest at all and the free market doesn’t seem to be changing that.

2 Likes

RCS may have been pushed by Google but that’s only because the industry was being lazy (it was a standard for over 8 years before Google decided to shim it on Android phones because cell providers were lazy, and by doing so they pushed the providers to actually do their job and implement it). The industry supports it pretty well at this point without any Google infrastructure at all, it is a standard and has been a standard for a long time now.

It’s not a competitor, it’s literally the SMS replacement, it’s standard spec, it is THE message standard on cell networks along with SMS (different usages). It’s not tied to any competitor or anything, it’s the standard SMS replacement.

2 Likes

And yes, just checked, RCS v11 (2019) added the verified sender spec that does fix that SMS spoofing issue.


But yeah, iMessages is not comparable. First of all the Apple stuff requires a data connection, RCS does not, it only needs the base voice connection like SMS. Second of all the Apple stuff doesn’t work elsewhere as it’s not an open network. Third, the Apple stuff was built for E2E, which RCS is not (the voice data space isn’t that large, BUT you can split an encrypted message among multiple messages so individual clients can add E2E easily enough, like they could on SMS, though on SMS it ate messages like crazy due to SMS’s tiny size so not often done there).


Still, RCS doesn’t fix the issue of SMS Swapping, that’s not something easily fixable until the phone carriers themselves stop being stupid. ^.^;

And until that point, nothing on a phone connection should be required for 2fa, EVER.

2 Likes

It was pushed by Google because it is in their interests, not because it is a standard, or because it is good for anyone other than them. The fact that carriers are on board makes it easier. It is reasonable to say that RCS is better than SMS but that isn’t relevant, all the players are choosing a business strategy not a social good and it doesn’t take much to speculate why a solution without a half decent end to end encryption solution is in favour with this group of supporters.

So what? It’s their competitors who adopt it, it is their competitors who may have an advantage or disadvantage depending on its support. It may or may not be better for everyone, in an ideal world that would matter but the market systems don’t work like that, if it isn’t better for them to adopt it… why would they?

2 Likes

It was indeed in their interest to make a better SMS as it makes for a better phone messaging system for users, but they did not make the spec, GSMA did, way back in 2008 (my phone provider was the only one in the USA that supported RCS for many many years back in the day, some others outside of the USA did too though).

Them being on board has nothing to do with it, it’s part of the GSMA spec, they are supposed to implement it.

You can still easily build E2E on top of it, it’s not an encryption spec, it’s a wireline cell tower communication spec, in the same class as SMS (no data connection needed as it works over the voice control space). Things can be built on top of it, like E2E. E2E was specifically NOT built in to it because encryption standards change over time so that should be up to and controlled by the clients being used (was their reasoning).

What it does mean is that Apple users can’t get verified messages, so they are still extremely susceptible to spoofed SMS (in addition to its other limitations), since no one can send 2fa message over iMessage anyway (nor would that be reliable as not everyone has a reliable data line, like in my area, SMS/RCS works fine even with the data connection down). It is user hostile of them because they are making it easier for malicious parties to spoof things on Apple devices that can’t be done elsewhere as such.

2 Likes

They tried and failed many other approaches that were much closer to Apple’s prior to embracing the spec as a way forward. The point is more that if they could succeed in the way Apple did with iMessage, they wouldn’t have backed RCS at all. It isn’t about making a better solution for users, it is about making sure the prevalent solution is one that they are at least an equal contributor in when they fail to control it. It doesn’t matter who made the spec really because no one cared until Google got behind it.

I mean I’m not arguing that it isn’t an improvement I’m only arguing that

  1. it isn’t perfect, which presumably since it doesn’t solve the problem at hand is agreeable.
  2. that it doesn’t make sense for Apple to spend money adopting things they think aren’t worth spending money on because why would they?
  3. Google didn’t side with it because they are saints (embrace extend extinguish are about the only three words in their vocabulary).

Again they push alternative approaches. It is unfortunate that they always have a bespoke solution to these things (iMessage included) and I would like to see them open up and participate in making these things globally better for the benefit of those both inside and outside their ecosystem. They get some parts of it in my opinion wrong, but they generally get right a fairly seamless and deeply integrated experience. It would be good to see them bring solutions for making the experience seamless and deeply integrated in open standards so that everything can move forward on both sides… Still that isn’t the game that is being played. On this particular point using OTP apps (including the ones built in to macOS) is generally the only decent solution at the moment for 2fa codes. The confirm login app with biometrics that PayPal (and some others) do is probably reasonable as well. Sending them via message on any form isn’t really acceptable.

2 Likes

As the old saying goes, “Perfect is the enemy of good”, use stuff if it’s better, even if it’s not perfect. At least RCS is designed to be versioned and advance over time (it’s up to version 11 now after all, it’s not new, it’s been a standard since 2008 and talked about before that as well). Just doing nothing is hostile and dangerous.

This is why the FIDO spec is important, it’s an actually secure, easy to implement 2fa. No weird insecure SMS messaging, no proprietary systems, it’s a Standard now and even getting enforced at various government levels, it is Good, it is dang near Perfect. Yes Apple supports FIDO, Android supports FIDO, hell this pinephone supports FIDO, my hardware authenticator supports FIDO, it is a very well set spec, there is NO reason for any place to be using anything related to something phone number specific for 2fa.

Screw texting for 2fa! Screw ANY connection to a phone number for 2fa at all!!! ^.^

2 Likes

I have mixed feelings on this. The argument at hand aside even as a concept in general. It is often the case that making things slightly better seems to be a good idea but it leads to a consequence where people think it is good or trustworthy at least enough as to not worry about it when it really is not the case. I’d much rather have a bad solution that people know is a bad solution than a quite bad solution that everyone trusts and thinks is great, because that is a much more dangerous situation. It is unfortunate that more people trust SMS than they should, I’d hate to think how much they would trust RCS when they (in general) absolutely should not trust it as much as they already trust SMS now. As a technical argument better solutions make sense, as a social one I’m not so sure, even as a technical one often worse is better at least according to a ton of things that almost everyone appears to have jumped on (not that I agree with them in principle but it seems that is how you get things to become standards or de facto standards).

This, 100%!

2 Likes

How can they do that?

But even if they did, they would still need to know your username, password and memorable word:

I’m not sure what else they could do that is accessible to most people… other than also send a code via email, but that has its own potential problems :lol:

Ooooo you should youtube it, and lookup articles, lol.

In short, scammers look up some info about you, then call your cell provider, pretend to be you and your phone had an accident or whatever and you need to switch SIM cards right now, supplying enough information to trick the person on the other side that it is you, sooooo, they do, and they now have your number on their own SIM card. No, a ‘password’ or ‘memorable word’ doesn’t help, that’s the point of social engineering, they just need to pretend that they are freaking out enough to make the other person upset enough to not go through their entire secure procedures. And if they fail with one tech then they will just call back and keep calling back until they get a person that will.

Modern E-Mail is far FAR more secure than SMS, to a HUGE degree, lol.

2 Likes

Wonder if that’s what happened to you @mindriot?

Generally here if you have lost your phone/sim, they will send you out a replacement in the post.

I’m not sure what their procedures are for porting a number to a new provider tho… I vaguely remember there was a loophole where ‘new’ companies were stealing numbers but they quickly came up with a system to prevent that… so maybe it’s more of a US issue right now?

1 Like

Not really, that comment was somewhat adjacent to this particular issue and more speaking to the overall state of security on the phone network. That specific example was because a lot of scam callers use numbers similar to the target so that they look local or partly familiar, though occasionally they mess that up and use the actual target’s number though that is more about spoofing rather than taking over the SIM. The point was just that you can’t trust anything.

1 Like