New to Lemmy. A privacy advocate. Interested in number theory.

  • 0 Posts
  • 37 Comments
Joined 1 year ago
Cake day: July 17th, 2023



  • Agreed. It’s an option worth considering (even EFF said so)—in fact a bridge itself could be run by something like Team Cymru (Augury), removed in TB v11.5.4. On the other hand, a VPN could collaborate with “them” so you’ll have to trust them… adding yet another unknown.

    There are many ways to de-anonymize Tor users indeed. Like Keystroke fingerprinting or Deep Packet Inspection… Usually a local ISP is not a big problem but it depends. The fact remains that even in a country with heavy Internet censorship, currently a nation-state can’t block Tor (via Bridge or Snowflake).



  • Actually, Proton + your local key = doesn’t work very well. Usually you’ll have to use a key pair generated by Proton—sharing your sec with the provider is not good.

    Nevertheless, Proton is 100 times better than Google to be sure. For those who are trying to ditch Google, Proton and Tuta are two good options to consider, also recommended by PrivacyGuides. For those who had ditched Big Tech and are now starting to wonder if Proton is okay… that’s a bit tricky, still I say Proton is not bad. I had recommended Proton to my friends until the French activist incident, followed by a few more bad incidents. Yet it’s understandable that Proton must obey it if they get a valid court order… If you’re a normal, daily user, Proton is good enough (if not the best), albeit a bit overpriced.


  • Not a recommendation but I too trust Disroot pretty much. You can get a custom domain there without “buying a paid plan” once you make a donation. Would that be an option for you?

    Using multiple providers (having multiple accounts) is a good idea, though. Don’t put all the eggs in one basket. I’ve never heard of the two providers you mentioned, so I can’t tell. If you can sign up anonymously via Tor, if they’re Google-free + not behind CF, and (most importantly) if you feel them “good” (subjective but gut feeling…), I think they’re usable.

    If their support uses PGP, that’s a good sign too. (Proton doesn’t even share its pub key iirc.) If they also accept the privacy coin like Disroot and Tuta do, that’s nice too. Ultimately, though, believe your gut feeling, because everyone has different priorities, different threat models, etc.




    • Tuta (free): you can send only like 6 emails per day. Otherwise, Tor-friendly. No onion. Support forum on Reddit 😞 Germany.
    • Posteo.de: 1 €/mo affordable. Nothing fancy. Support via PGP like that’s common sense. Germany. Non-crypto anonymous payments w/ various options (e.g. a prepaid CC): they don’t even ask your name (much less address, cell phone number).
    • Disroot.org: Free, pop/smtp, community-based, trusted even by the Tails team. w/ onion. Netherlands.
    • Cock.li: Free, pop/smtp etc. Very Tor-friendly w/ fast onion. It’s good if you think of it as disposable. Irresponsible in a way (aka Freedom), but actually 10-year-old & stable. Romania.
    • Proton (free): bloated, very mixed opinions, yet better than Google. w/ onion (slow). Switzerland. A simple feature like Plain Text view is missing (HTML by default: not serious about privacy).

  • You’re right. Use a centralized exchange (CEX), and you’ll be KYCed and de-anonymized. That’s why most privacy-coin users prefer DEX. For normal persons, if privacy is important, using anonymous gift cards or prepaid credit cards, which you can easily buy without ID, is more practical, much better than KYC’ed crypto.

    If you can somehow get KYC-free coin, maybe from DEX, i.e. if you can get it personally from your friend or peer without showing ID etc., then and only then, you have real private crypto. There are two popular ways for this (Bisq and LocalMonero). Another option called Haveno is hopefully usable soon, but that is still iffy.

    Using DEX is not essentially difficult, much safer than you might imagine due to a mechanism called multisig, but maybe this option is not for normal people. When you feel experimental, you might want to try to buy a small amount via DEX, to see what it’s like. If you’re a popular programmer or artist, accepting donations in crypto is also an easy way to get no-KYC coin. Another option is p2pooling—you can get a few Euro worth of XMR relatively easily; yet this last option is time-consuming and not very effective. Many p2pool users or full-node people are privacy-advocating volunteers, maintaining/participating in the Monero network for philosophical reasons, fully aware it’s not profitable in terms of money. This might be part of the reason why Monero tx fees are almost zero (like 1/100 of that of BTC). At the same time, there are many sketchy people around crypto too 😟 Be careful and stay safe!


  • It depends on how much you have, etc. If it’s just like 10 or 100 €, maybe you don’t need to be super careful.

    The following is just one possible way—get a safe and libre “poor man’s hardware wallet” quickly and easily without paying:

    1. Main wallet

    • Get a USB stick, install Tails. This takes about an hour (most time is for downloading the .img file)
    • Create a persistent storage, with a strong password (maybe 7 or 8 random words).
    • Install Feather. This takes 10–15 minutes; 30 minutes if generating a new wallet. Use it as your main wallet, and send your Monero to it.
    • When ready, shut down Tails. Pull out the USB and save it in a safe place. Now your wallet is physically disconnected from the Internet, air gapped. Very hard for any attacker to hack it.

    2. Hot wallet

    • Set up whatever wallet(s) you like on your daily device(s) for daily use. It too can be Feather, or it can be something different. Just don’t have too much money in a daily wallet.

    3. When you send Monero from 1 to 2

    • Insert the said USB, boot into Tails, send a necessary (small) amount from 1 to 2. Unlike BTC, the tx fees are like 1 cent or less. You can make a lot of small TXs without worrying about fees.
    • Once you signed and sent, immediately close your main Feather, shut down Tails, and physically disconnect the USB again. You don’t need to wait for confirmations. It’ll be fully confirmed in 15 or 30 minutes, and for which your wallet doesn’t need to be online.
    • So your daily wallet will be moderately funded, ready to use. You can enjoy private transactions, e.g. buying VPS or making anonymous donations to support your favorite software. Even if your daily wallet is hacked, your main wallet will be safe, physically disconnected from the Internet.

    In theory this should work pretty well, if not the strongest possible. It’s not a recommendation, though. Do your own research. You may want to ask the same question in !monero@monero.town; hearing various opinions, not just trusting one person (me), is a good idea.


  • If you’re familiar with Electrum and migrating to the privacy coin, Feather may be a convenient choice.

    The fundamental problem for you might not be the wallet; but KYC vs. non-KYC. Is it allowed to post a link or mention specific platforms here? You may want to check a website about no-kyc and try a trusted, no-kyc platform—not a CEX but a DEX (pure P2P), so no company can monitor your private life (related to shopping). You can browse monero.town, which is a friendly Lemmy instance of !privacyguides@lemmy.one in the sense that Monero is recommended on the official site of Privacy Guides: https://www.privacyguides.org/en/cryptocurrency/ (I’m a mod from !privacy@monero.town)

    The tricky part is, if you have been once KYCed, your privacy invaded, then you couldn’t undo it (un-KYC it). You may need to start over, creating totally new addresses, doing everything anonymously over Tor. If you’re not that privacy-oriented, you can just swap the KYC coin you have to Monero, and you’ll be invisible from that point.

    But Monero is not magic to solve everything. DYOR and stay safe!


  • That’s a good point. One of the two biggest weak points of a so-called e2e provider/platform is, the e2e provider itself.

    The only true e2e is e.g. Alice does gpg -ea on an offline computer, copy-pastes ascii and sends it to Bob via an online computer, who copy-pastes this ascii to his offline computer and does gpg -d there. Their seckeys are airgapped from the communication channel. Sharing your sec with a provider is especially ridiculous (e.g. Proton). At least that’s what I think.


  • @ride I know the background: this info could be very useful, and you commented, “Even if not directly Monero-related, this draws attention to the community when such contributions come from here.”

    The problem is, !privacyguides@lemmy.one has a different set of rules than Monero.town does, explicitly stating:

    This is not the place for self-promotion if you are not listed on privacyguides.org. If you want to be listed, make a suggestion on our forum first.

    Hence, as you can see in https://monero.town/post/1085883 (you double-posted the same thing, too), a negative comment about this:

    I feel like this might count as self-promotion, given it’s mentioning a particular website, their GitHub, their running service, etc. Regardless, it is informative

    @LWD@lemm.ee is not “childish”, even stating “it is informative.” But even if this post may be useful, we should follow the rules of !privacyguides@lemmy.one when (cross-)posting here; otherwise, Monero.town may look bad.


  • Leave it to the cryptocurrency people to turn a simple tutorial into an ad.

    I’m from the same Lemmy instance monero.town (technically a mod?) and can see your point. Initially I was vocal about perceived link-spamming, advertising this SimplifiedPrivacy thing; at least a few users there were/are feeling the same way, as you can see e.g. here. So please don’t lump crypto (esp. Monero) users as a single kind of people.

    Like @leraje@lemmy.blahaj.zone pointed out, some of the info provided by this user (ShadowRebel) can be useful. Perhaps some people prefer a video to text. Monero users tend to respect freedom (of speech) and advertisement is not forbidden in Monero.town anyway. Perhaps you can understand that this does not mean “the cryptocurrency people” are the same.


  • The SimplyTranslate front end has many languages, translate engines selectable: Google | DeepL (Testing) | ICIBA | Reverso | LibreTranslate. Some instances are Tor-friendly, even onion. The project page seems to be https://codeberg.org/SimpleWeb/SimplyTranslate

    Refusing to use Google is just common sense. LibreTranslate itself is decent (at least not Google), except a website hosting it may have some opaque JS or Google things (Font, Analytics, TagManagers, etc.)

    Either way, translation can’t be super-private in general. For example, if you use it to write a private message or love letter in a foreign language… even including real names and physical addresses…

    Also, metadata like “a Danish-speaker is reading this German text about X” can’t be hidden, and if the language pair is uncommon and/or if text to be translated is specialized (not generic), the engine provider may easily guess “this request and that request yesterday may be from the same user”, etc. if they want to. A sufficiently powerful “attacker” might de-anonymize you, helped by other info about you, already gathered. In practice, maybe not a big concern, if you’re just translating generic, non-sensitive text, not showing your real IP, and clearing cookies frequently.



  • That is correct. Tor Browser on Tails comes with uBlock Origin. It might be that DDG (or some other financial supporters) are not happy if the Tor Project ships TB with uBlock. There are many things to be blocked by uB even on DDG, Brave, MetaGer, etc. (although obviously they are much less invasive than you-know-what search engines). Purely privacy-wise they’re annoying of course. But understandably they do need to monetize something to provide search engines, and I think some of them are financially supporting the Tor Project too, or they’re helping each other, so… I don’t know. Just a guess.

    Isn’t it like Mozilla has to be nice to Google? Ultimately, doesn’t this mean that end users are not making enough donations? People say privacy and freedom are important, but normal people really don’t like to pay for these important things, like assuming libre is like free beer!


  • I’ve been a long-time Mozilla supporter, since forever—since much before Firefox was even born. Every browser I use now is also Firefox-based [EDIT: one of them is SeaMonkey, not Firefox-based but from Mozilla too]. As such, I wouldn’t like to say bad things about Mozilla. While I could clarify what I was trying to say, let’s just say several other people prefer LibreWolf to Firefox (I’m not a LibreWolf user, though).

    In the big picture, we don’t want to be abused by big tech companies like Google, and relatively speaking, Firefox is a much better choice. Also, you’re absolutely right about how free software is supposed to work (at least in principle). Like I said, I really hope I’m totally wrong here.

    The original (initial) post is a question about Brave, and we’re getting so off-topic now. Besides it seems that most Lemmy users don’t even read anything older than a week anyway, too busy to have slow, deep conversations. So let’s call it a day. What I was trying to say in passing might become painfully clearer soon enough, or perhaps—hopefully—I’m just overly worrying about nothing. Although maybe Mozilla as an organization can’t exist anymore without Google’s financial support (and so not in a position to keep saying “No!” to Google for a long time), as you pointed out, let’s hope that the philosophy of free (libre) software will prevail in the end.