
Non-free web apps definitely come with their own range of problems. Data doesn't need to be out of your control though. JavaScript is usually run locally, so there are lots of calculations being performed by your computer before it reaches the remote server. For example, Mega encrypts data client-side before it is archived online. Just like with regular non-free software, you have to trust what it is doing. The best way to deal with these problems without throwing away non-free software would be to have security functions like encryption performed client-side with free software.

I agree that server-run non-free software is neither safe nor private, but I still believe that this is the flaw of particular programs, not web-based software in general. It only emphasizes what a need there is for further development of open standards in web apps.

But the ability to use a cross-platform browser as a universal client and run software that is built on the advantages of networking is a huge bonus for software in general. Free software just needs to catch up in a few areas, but in general it is dominating the backbone of the web. Now we just need to push that freedom forward to the user.



> For example, Mega encrypts data client-side before it is archived online. Just like with regular non-free software, you have to trust what it is doing.

This is, sadly, not true at all. You have to trust

1) that the actual author of the site is playing fair

2) that you are not being mitm attacked by anyone in this list [1]. Note that 3 organisations on this list are known to have issued false certificates with the express purpose of stealing login credentials. They did this by sending through "amended" login javascript bundles.

> I agree that server-run non-free software is neither safe nor private, but I still believe that this is the flaw of particular programs, not web-based software in general. It only emphasizes what a need there is for further development of open standards in web apps.

No. Web apps can be replaced by malicious software every time you use it, and there is nothing you can do to prevent this. It is a fundamental design flaw of web based systems. And, of course, "cert pinning" simply means that a few organisations (google, facebook) get isolated from a few kinds of attacks.

The flaw is that control is placed entirely in the hands of the remote side. Needless to say, this is not secure.

I don't get where this idea of open standards being the solution to privacy problems comes from. Cookies are an open standard, the web is an open standard, TPMs are an open standard, the SSL certificate chain principle is an open standard. Hell, microsoft palladium is an open standard. All are complete disasters for privacy and freedom.

> But the ability to use a cross-platform browser as a universal client and run software that is built on the advantages of networking is a huge bonus for software in general. Free software just needs to catch up in a few areas, but in general it is dominating the backbone of the web. Now we just need to push that freedom forward to the user.

I disagree. The web has brought back the "freedoms" of the mainframe era, only with a much bigger dependency on the mainframe system. Mainframes also in many cases ran free software. Can you claim with a straight face that a non-root account on a mainframe system is in any way free and private ?

If you don't decide what software runs on your machine, like on the web, you have ZERO security guarantees. Zero. Nothing, nada, zilch, ... no matter how secure anything built on top of that is. I don't get why this is even the slightest bit controversial.

[1] https://www.mozilla.org/en-US/about/governance/policies/secu...


You bring up legitimate problems, but again, they aren't unique to web apps. Physical computers can be compromised too. They can be compromised in manufacturing before they even reach you. There's never a guarantee of security, just trust that you are using a secure product.

Improving the trust model has almost nothing to do with how much of the computer you have administrative access to. Secure computing means trusting those who build and maintain your computers and the software that runs on them. It's less possible than ever to do everything yourself.

There are big privacy and security advances happening because people have lost so much control of their data. People are trusting others more than ever with control of their computers, and that means certain demands for trustworthiness that didn't manifest when people felt better about their data because they knew where it was physically stored.

Moving the easiest point of attack on a system to the external network just means we have to be more explicit about what we do with each other's data. We have to learn to trust each other, and that means developing systems that are transparent, auditable, and free, but it also means developing cultures that promote trust and proof of trustworthiness, because that's where real security will come from.


I'll just say this : your data is not private. Take a divorce proceeding (which is a CIVIL proceeding) from the last 5 years. Press CTRL-F, "facebook", and recoil in horror.

Basically all your cloud data will be used against you in any civil dispute in the US. So remember when you use web apps : anything you type in there is accessible to anybody who enters into a serious court case with you.

Another example : any office 365 document (esp. spreadsheets) WILL be read by the IRS if they ever decide to sue you (and you'll pay the wage of the person doing it, to make matters worse, whether or not they find any wrongdoing). Again, the evidence is plain to see in court transcripts.

And, lastly, sometimes your accounts will be compromised in petty legal disputes.

Therefore my policy is :

1) As microsoft has publicly demonstrated, they will use your hotmail stored information and use it to take action against you. If you work for a company that has a cloud platform, or a company that has a significant relationship to one of the cloud platform companies, you're taking unacceptable risks.

2) any dollar sign in any mail to me will immediately result in dead silence. I'll call you up and warn you to never do that again. If it's important enough I'll call. And if it's really important I'll drop by. Both kinds of interactions have vastly superior legal protection.

3) I will NEVER negotiate or store any contract over email, not even my freaking cell phone bill. I have them on my (encrypted) hard drive, of course, even indexed. But contracts on online services is just stupid.

Note that this behaviour is NOT illegal : the purpose here is to safeguard my personal information, which is a normal thing to do that is in fact encouraged by the relevant departments. I am trying to hide personal information from everybody and everything, which is my right.


Yes, you have that right, but I still think we're talking about different things. When you're talking about web apps, you're talking about apps hosted by Microsoft, Google, etc. I'm saying that those have their own issues, but the issues are issues with Microsoft and Google, not server-hosted applications made with HTML5, JavaScript, and PHP.

The right way to do web apps is to have something like a Debian Freedom Box, where you have your own server running free software sitting in your living room and you can access it from anywhere. Another pretty good option is to buy hosting from someone you trust with your data and run your server in their data center, preferably encrypting your data client-side before it's sent to the data center. These privacy issues you mention with Microsoft are due to using their particular implementation of web apps.



