Librefox: Firefox with privacy enhancements (github.com/intika)
204 points by philonoist on March 29, 2019 | 112 comments


This seems like a slightly more complete version of Firefox Profilemaker (https://ffprofile.com/).

I personally use a fairly vanilla Firefox with a few addons and try to keep customization as default as possible. How will further differentiating yourself from the masses (especially since Firefox is already a minority browser) help with privacy, tracking, and fingerprinting? Why not at that point just change your user agent to Chrome/Win7 and run everything in a virtual machine?

edit: To that end, does anyone use browser forks (like Waterfox and Palemoon, or things like unGoogled Chromium) and seriously think they're better than the mainline browser? I see a lot of fair criticism for what Mozilla has done with Firefox (deprecating old extensions, Mr. Robot addons, Cliqz, etc) but it's pretty much the most trustworthy Internet company as far as I'm aware. They seem to genuinely have good will and Open Source at their core, and these forks claiming that Mozilla is this monstrous organization looking to invade your privacy (along the lines of what Google does) seem a little silly to me.


Forked software is usually reasonable, but for me, the sheer complexity of the graphical, interactive web sadly begets an exception for modern browsers. Even if much of the work is offloaded to the corporations backing modern free/libre browsers (e.g. keeping up with new web standards and technologies), it certainly goes without saying that rebasing with upstream or even just applying the latest security fixes is no trivial task, and not one I would entrust to any browser fork with minimal developer backing.

This problem is especially worsened with the kind of user base that Firefox forks tend to attract, from what I have seen. These users tend to ask very high-level questions e.g. "is waterfox more secure than pale moon" and will usually blindly switch from one fork to the next based on poorly-backed, unsubstantial crowd opinion. No userbase means waning support + maintenance. If you ask me, I think in the very special case of browser technologies, it would be more beneficial if the developers and users of Firefox forks directed their energies towards making generally desirable changes in upstream.


Not just the weird habits of the users, either. I have way more confidence that Mozilla will fix issues in a timely manner than the one developer behind Waterfox, or the several behind Palemoon. Especially when the forks are depending on upstream to fix things for them. A few years ago there was a build of Waterfox that was substantially late because the one developer had exams.


It seems like the solution to this would be to have the build system reproducible from a base image containing everything required to successfully kick off a build other than the code repo itself. Uploaded (or made available to upload yourself) to any of the cloud providers (or run locally in a VM), it would allow you to sync the repo and kick off a build for any supported architecture.

Dev not available to integrate a pull request and start a build? Download the appropriate build arch image, fire up VirtualBox, sync the repo (and apply a pull request if the dev hasn't had a chance to do that yet) and start the build script.

This doesn't entirely solve the problem, if nobody has submitted a fix yet, and you don't know enough to pull in the upstream fix and merge it yourself, you're at the mercy of some other user having that knowledge and making a pull request. It does close the gap somewhat though.

Are there existing projects to help get to this level of build reproducibility that can serve as a base to use? It would be awesome to know people are already working on making this easy to adopt.


This is not the issue, I think. See: https://git.archlinux.org/svntogit/packages.git/tree/trunk/P...

The problem is that it is a giant codebase, you need to compile C++, Rust for hours. Even pulling the latest code is an ordeal.

It's not feasible on lowly workstations and garden variety cheap cloud VM builders, the performance is just crap.


I was speaking more to the general case of projects with small bus factors for deploying. And slow is mostly irrelevant to the point, which is making something possible which largely wasn't before.


When I ran Gentoo on my laptop, emerging Firefox took far longer than compiling even the Kernel. Around 90 minutes, I think.


I am using Fennec F-droid and some of the things that the developers did are unlikely to be welcomed in the main branch of the FF tree.


What's the difference between those branches? Any explanatory links, or care to elaborate?


"focused on removing any proprietary bits found in official Mozilla's builds"

Yeah Mozilla isn't going to like that.


Some of the changes are alternative defaults, however. That isn't something one can just merge upstream since there are business and product reasons for Mozilla to reject certain changes.


>and these forks claiming that Mozilla is this monstrous organization looking to invade your privacy

Do they claim that? I felt like most of the forks were made in good feeling, appreciating the work that Mozilla has done, but customising it in their own way/aligning vanilla FireFox with their views.


I used to do web dev in chrome but installed ungoogled-chromium after that scandalous update where they forced you to login; in fact, after installing said update, I suddenly found myself "logged in" with a gmail address that I never even created in the first place (something like mycompanyname[at]gmail[dot]com). My trust in Google was already crumbling, this creepy move was the final blow. So far, my experience with ungoogled-chromium has been great, but I must admit I'm not really following up on the project (devs, userbase, security updates, etc).


I've been using Waterfox since Mozilla changed their extension format and it's been incredibly stable. I used it for the Tree Style Tab extension. There's probably less reason to use it just for that anymore but vertical tabs in Firefox still isn't the best experience. I use Firefox with Tree Tabs at work with the extra user UI modification required to hide the top tabs and the sidebar headings. Only allowing one sidebar means when I accidentally open the bookmarks I need to mess around to get my tabs back.


No need to switch to a fork for that. Tree Style Tab 2.x supports Firefox even after the switch to webextensions.

(Disclaimer: I work for Mozilla but not directly on the browser)


>How will further differentiating yourself from the masses (especially since Firefox is already a minority browser) help with privacy, tracking, and fingerprinting?

I don't think that's what fingerprinting is about. Whether you're 1 in 50k or 1 in 500k - it's not usable from a marketing/data perspective. Stuff like cookie retention & IP addr seem much more dangerous on this front than browser choice - both of those are more like 1 in 1 or 1 in say 20 depending on NAT.


I don't get the name. How is "libre" connected to "privacy", considering that Firefox is already "libre" in many ways.


It isn't. The naming is just unfortunate; privacy cultists typically associate free/libre software with the notion of privacy.


The term "privacy cultists" does not advance any reasonable argument or point.


Sorry you found it unsubstantial. I mean to express distaste for people who tend to loosely throw the terms "privacy" and "security" around, especially when recommending laundry lists of configuration options, patches, extensions, etc. There is often little to no regard for threat modeling and pragmatism. Take "gHacks/pyllyukko base is kept up to date" for example - these batch tweaks and their effects are hard to understand and apply for the average user, and unfortunately tend to break the mainstream web.

I view projects like these as temporary bandages that pacify users (those technical enough to even be able to use them) in the now to ignore the larger and more fundamental issues at hand. Upstream should adopt reasonably sane defaults, because whack-a-mole with complex software simply isn't sustainable and the projects in question will become less effective over time as maintainership wanes. With regards to further hardening options, there really needs to be better upstream documentation, education, and accessibility. When that is realized in the free/libre browsers with the majority market share, then I am optimistic that the mainstream web will heal in accommodation.


> I mean to express distaste for people who tend to loosely throw the terms "privacy" and "security" around, especially when recommending laundry lists of configuration options, patches, extensions, etc.

This is a much, much more useful description. And I'd agree. Usability is a critical part of privacy and security, and recommendations for tools that cater exclusively to advanced users (whether the tool developers realize that or not) can do more harm than good.


Not just recommendations for advanced tools, but the unfortunate reality that they are currently necessary means. I reiterate - this functionality must be made upstream, accessible, and visible.


I find that "upstream" might be at odds with security/privacy, both in terms of funding and data collection (benign reasons being debug/crash data collection as well as "what and how do people use this")


It does seed the mental exploration of what a privacy cult would actually be and do.


I suspect they zealously protect their privacy, but because their cult is considered "weird" in some parts, they do it on the down-low.


I assume it is in the context of “libre software”. More generally, privacy is considered to be essential to the concept of individual freedom.


That's what I thought, but apparently it isn't as they're recommending all sorts of proprietary extensions (like Browser Plugs Privacy Firewall).

Check IceCat instead for a more free/libre Firefox.


IceCat has issues with so many sites because it wants you to block non-free JavaScript. If you use it as intended, the internet isn't the same, and is it even more private since there are fewer extensions?

I like how Brave bakes in the settings by default.


Mozilla makes money with a bunch of stuff, like Pocket for instance.

You can throw out crap like that and presto: libre as in free beer.


There is LibreOffice a fork from Open Office. It's pretty good actually.


Yeah, and? That wasn't about privacy, it was about freedom ("libre")!


what privacy is for, if not freedom


"Freedom" in terms of software doesn't mean privacy, but freedom to run, modify, and redistribute software: https://www.gnu.org/philosophy/free-sw.html


Agreed here, the two should never be conflated.

You could make a totally open-source, libre-licensed DRM enforcement framework -- any user willing to dig through it could probably modify and defuse it, but out of the box, it would be an example of free software which aims to defeat freedom.


If they want to go French: privée-fox


Naming is hard. This is possibly a nod to LibreSSL as a fork name :)


Naming is indeed hard, but this name doesn't make sense.


Something I'd like to see instead of a modified version of ff is some sort of meta-extension that I could install on vanilla ff. It would essentially be a bundle of

* ad blocker (say uBlock)

* js disabler (noscript)

* https stuff

* anti tracker

* url cleaner

* user agent spoofer

* cookie cleaner

* whatever decentraleyes does

* enable the right settings in about:config

* …?

All the extensions are there already, but it would guarantee them working well together and you wouldn't have to look for each extension and wonder if it's actually the one you want, but just install "the one".


The problem I find with Firefox is that options in about:config are too stateful.

You can't use user.js as a regular dotfile such as .emacs, .vimrc or .muttrc. That is, once you set an option you need to manually unset it. I wished they introduced a more sane mechanism.

Besides, there is no way to programmatically declare you want to use some addons.

IMHO, all this makes maintaining relatively complex user configurations very costly.


I use https://yadm.io to manage my dotfiles.

What I did was create a fork, i.e. https://github.com/dngray/ghacks-user.js/tree/fx-desktop

Then I added it as a submodule, i.e. "yadm submodule add ..." as they mention here https://stackoverflow.com/a/18797720

Yadm allows for a bootstrap[0], so I simply do:

   # link the UI tweaks into the profile's chrome directory
   ln -sf ~/.config/firefox/chrome/userChrome.css ~/.mozilla/firefox/$FIREFOX_PROFILE.default/chrome/userChrome.css
   # check out the fork's branch inside the submodule (yadm fills in YADM_USER via Jinja2)
   git --git-dir=/home/{{ YADM_USER }}/.config/firefox/ghacks-user.js/.git --work-tree=/home/{{ YADM_USER }}/.config/firefox/ghacks-user.js checkout fx-desktop
   # copy the resulting user.js into the profile
   cp ~/.config/firefox/ghacks-user.js/user.js ~/.mozilla/firefox/$FIREFOX_PROFILE.default/user.js
Note the Jinja2[1] syntax there.

[0]: https://yadm.io/docs/bootstrap

[1]: https://yadm.io/docs/alternates


Yes, I find the about:config option stickiness behaviour isn't intuitive. I am guessing that a lot of people don't realize that if you set options in user.js they stay set until you manually unset them, even if you remove the user.js file.


You can't use user.js that way. You can use about:config that way. In about:config, resetting to default is easier than editing.


I don't understand, what would you want, exactly?

Options that can be set only for the duration of the current session?


Yes. In Emacs, if I setq some variable it doesn't stay set forever. In particular, not after I remove the setq statement.


A hack around this would be to remove things by specifically unsetting them in the user.js file, much as one would do to remove a previously installed package using configuration management software.
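The "unset it explicitly" hack from the comment above, as an added example that is not code from the thread or from any project it mentions. Firefox copies every user.js value into prefs.js, so deleting a line from user.js leaves the value in place; this script treats a dict as the declarative source, records which prefs it manages in a state file, and on the next run deletes prefs that were dropped from the dict out of prefs.js so they revert to the built-in default. The pref names, the state file name and the profile path are assumptions.

```python
"""Declarative user.js with tombstones (added example; assumptions noted inline).

Firefox applies user.js on every start and writes the values into prefs.js,
so removing a line from user.js does not undo it. This script keeps a state
file of the prefs it last wrote; a pref that has disappeared from DESIRED is
removed from prefs.js, which makes Firefox fall back to its built-in default.
Run it only while Firefox is closed: Firefox rewrites prefs.js on exit.
"""
import json
import re
from pathlib import Path

# Matches one user_pref line and captures the name and the raw JS literal.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Constructed desired configuration (assumption); the Python values become
# the JS literals user.js expects via json.dumps (True -> true, etc.).
DESIRED = {
    "privacy.resistFingerprinting": True,
    "network.cookie.lifetimePolicy": 2,
    "browser.startup.homepage": "about:blank",
}


def parse_prefs(text):
    """Return {pref name: raw JS literal} for every user_pref line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def render_user_js(desired):
    """Serialise the desired dict as a user.js file, one user_pref per line."""
    lines = ["// generated from DESIRED; edit the dict, not this file"]
    for name in sorted(desired):
        lines.append('user_pref("%s", %s);' % (name, json.dumps(desired[name])))
    return "\n".join(lines) + "\n"


def reconcile(desired, prefs_js_text, previously_managed):
    """Drop prefs we used to manage but no longer want from prefs.js text.

    Returns (new prefs.js text, sorted list of pref names removed). Lines for
    prefs this script never managed are left alone, so the user's own
    about:config changes survive.
    """
    stale = set(previously_managed) - set(desired)
    kept, removed = [], []
    for line in prefs_js_text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) in stale:
            removed.append(m.group(1))
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", sorted(removed)


def apply_profile(profile_dir, desired=DESIRED, state_name=".managed-prefs.json"):
    """Write user.js, clean prefs.js, and record the managed set.

    profile_dir is the Firefox profile directory (assumption: take the path
    from about:profiles). Returns the list of prefs reset to default.
    """
    profile = Path(profile_dir)
    state_path = profile / state_name
    previously = json.loads(state_path.read_text()) if state_path.exists() else []
    (profile / "user.js").write_text(render_user_js(desired))
    prefs_path = profile / "prefs.js"
    removed = []
    if prefs_path.exists():
        new_text, removed = reconcile(desired, prefs_path.read_text(), previously)
        if removed:
            prefs_path.write_text(new_text)
    state_path.write_text(json.dumps(sorted(desired)))
    return removed
```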


> anti tracker

That's built in to Firefox already, just go to privacy settings and set it to work in all windows.

> user agent spoofer

Same. privacy.resistFingerprinting will set the UA to something like the latest stable Firefox on Windows.

> https stuff

Is it that necessary anymore? The HSTS Preload list covers the big and important sites, and most links you see are https already.


resistFingerprinting does a lot of weird stuff that can't be individually toggled, though.


> "* whatever decentraleyes does"

ha, yes, it's hard to keep track of all these little modules sometimes.

decentraleyes caches bundles (like jquery) from cdn's so the cdn's can't track you as easily.


Does it still have weird bugs versus CSP that require it to be disabled on some sites when it breaks?


I'd like to see these kinds of features upstreamed into TBB, then eventually make their way into mainline Firefox. I know HTTPS Everywhere and NoScript already exist in TBB, I'm trying to think of what other extensions would do well for it...


TBB?


Tor Browser Bundle


Somewhere I remember reading that the Tor Project refers to it now just as "Tor Browser" (the bundle part got dropped).

If you look at their website https://www.torproject.org they refer to it as "Tor Browser".


I just want something that gives me maximum privacy without compatibility issues. I run into websites every week that just don't render elements or clickable links in Firefox with my current extensions (looking at you, Barclays).

The only privacy extensions I use are cookie autodelete, decentraleyes, and ublock origin with default settings (the super private settings broke more websites than not, and I gave up making dozens of exceptions), and google and FB containers.

I'm considering dropping google container too, very annoying clicking a link opens a tab in the default container and closes the google one, so I have to shift cmd tab through all my recently closed tabs or dig through history instead of hitting back to return to the results.

It's like either you let your guard down or make navigating around the web insufferable.


Would it be sufficient to be able to bulk install add-ons from say a text file that lists them all?


That's also a feature that I want. Something like a dotfile for Firefox that I can use to set it up automatically with the rest of the system.

However what bothers me about privacy add-ons is that each one that I install is giving permissions in my browser to another person. It would be better if there was a single add-on that was audited by someone trustworthy.

A single all-in-one add-on could also work on making each of its users fingerprint the same, which is something that can't happen when each person is using a different combination of privacy enhancements.


> Something like a dotfile for Firefox that I can use to set it up automatically with the rest of the system.

I've not yet tried it, but I think user.js might be helpful for this: http://kb.mozillazine.org/User.js_file


Chrome makes addon installation via Group Policy in Windows very easy. I've not attempted with Firefox but it seems similarly easy. The docs are here: https://support.mozilla.org/en-US/kb/deploying-firefox-with-...

If you use Windows, you can use local group policy (if you're not part of a domain) and it's not too difficult to export/import for new machines.


AMO lets you make "collections" of addons, but I think you still have to visit the pages and install each individually. e.g. https://addons.mozilla.org/en-US/firefox/collections/1241315...


As the sibling comment says, the "extension bundle" thing would allow for: fewer people to trust when installing the extension and guaranteed uniform behaviour without extensions stepping on each other's toes, plus the fingerprinting thing which I actually didn't think about!


uMatrix and Decentraleyes are wonderful. They don't quite work together (I think you have to unblock some sites in uMatrix before Decentraleyes will be able to emulate them).


What is URL cleaning and what tools do you use now?


URLs often have lots of referral and tracking information in them (see anything with UTM parameters: https://en.wikipedia.org/wiki/UTM_parameters ). I use the Neat URL extension and it's been great.
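What a "URL cleaner" does, as an added example that is not code from Neat URL, ClearURLs or any other project in the thread. The rule set (the utm_* family, a few well-known click identifiers, and a per-host rule for a constructed example.com) is an assumption for illustration; real extensions ship far larger per-site rule lists. It goes slightly beyond the comment by also cleaning a URL that is itself carried in a redirect parameter.

```python
"""Strip tracking parameters from URLs (added example; rules are constructed)."""
from urllib.parse import urlsplit, urlunsplit, unquote_plus, quote

# Constructed global rules (assumption): exact names and prefixes to drop.
TRACKING_PARAMS = {"fbclid", "gclid", "dclid", "msclkid", "mc_cid", "mc_eid", "yclid"}
TRACKING_PREFIXES = ("utm_",)
# Constructed per-host rules (assumption): host suffix -> extra names to drop.
HOST_RULES = {"example.com": {"ref", "ref_src"}}


def _host_params(host):
    """Collect extra parameter names that apply to this host or its subdomains."""
    extra = set()
    for suffix, names in HOST_RULES.items():
        if host == suffix or host.endswith("." + suffix):
            extra |= names
    return extra


def is_tracking_param(name, host):
    """True if a query parameter name should be removed for this host."""
    n = name.lower()
    return n in TRACKING_PARAMS or n.startswith(TRACKING_PREFIXES) or n in _host_params(host)


def clean_url(url, depth=2):
    """Return url with tracking parameters removed.

    Query segments are kept in their original encoding; only the name is
    decoded for matching, so values are never re-encoded differently.
    If a kept value is itself an http(s) URL (a redirect parameter), it is
    cleaned too, up to `depth` levels, then re-quoted.
    """
    parts = urlsplit(url)
    if not parts.query:
        return url  # nothing to clean; leave the URL byte-for-byte as given
    host = (parts.hostname or "").lower()
    kept = []
    for segment in parts.query.split("&"):
        if not segment:
            continue  # tolerate "a=1&&b=2"
        raw_name, sep, raw_value = segment.partition("=")
        if is_tracking_param(unquote_plus(raw_name), host):
            continue
        value = unquote_plus(raw_value)
        if depth > 0 and value.lower().startswith(("http://", "https://")):
            raw_value = quote(clean_url(value, depth - 1), safe="")
        kept.append(raw_name + sep + raw_value)
    # urlunsplit drops the "?" entirely when no parameters survive.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "&".join(kept), parts.fragment))
```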


Right, I hate that, and suspected this addresses the practice.


These days I like https://addons.mozilla.org/en-US/firefox/addon/neat-url/ , it's pretty sane and exhaustive by default


How does that compare to ClearURLs https://addons.mozilla.org/en-US/firefox/addon/clearurls/ ? I only ever used ClearURLs, but I have seen Neat URL mentioned.

I rather like ClearURLs (seems more maintained) and can pull a set of rules (regex) from https://gitlab.com/KevinRoebert/ClearUrls/raw/master/data/da...


I installed link cleaner¹ at some point, but can't vouch for it.

¹ https://github.com/idlewan/link_cleaner


Considering this hasn't received an update in two months, it seems unsafe to install and download it. There have been many fixed security issues in Firefox just in the past few weeks.

https://www.mozilla.org/en-US/security/advisories/


This installs on top of Firefox currently, so all of those fixes are still in place.


I haven't tried Librefox yet, but Internet privacy & security is a big interest of mine, and I'd like to suggest that another option to consider is Tor Browser.

Tor Browser is generally more privacy-focused than Mozilla, and the nicely integrated Tor support gives me a bit of privacy from my infamous ISP (VPN services tend to be sketchy, too).

Drawbacks to Tor Browser are that Tor itself is a bit creepy (e.g., presumably draws more attention to you from your own country's domestic surveillance), some news sites block US Tor exit nodes (whether they know it or not; Cloudflare seems to most often be the culprit), uBlock Origin is not part of the Tor Browser distribution (which means that people who add it lose some crowd anti-fingerprinting benefit), the NoScript part should really be replaced with uBlock Origin, Tor is much slower than direct, and the Tor or Tor Browser project could end/fizzle much sooner than Firefox does.

How I'm using Tor Browser currently is that I use it for sites that don't require logins or otherwise identify me. For sites that identify me anyway (e.g., banking, online ordering), I use Firefox. I don't use Firefox often. Keeping them separate also discourages me from logging into sites unnecessarily.

What I'd ideally like is for Mozilla to become more aggressive than Tor Browser about privacy -- not going to Tor, but doing things that would peeve much of the dotcom surveillance industry. This includes pushing privacy tweaks upstream to Web standards. Mozilla is perhaps the best positioned to play chicken with the dotcoms on this; most genuine privacy efforts would be simply broken by the sites, and lose their users. Mozilla has a lot of upper management, so presumably they could figure out how to peeve a lot of dotcoms, while still keeping the funding flowing.

(I should add that I use Tor Browser for only a casual, on-principle attempt at privacy from snooping companies. I don't believe that Tor or Tor Browser is sufficiently safe for many kinds of journalists and activists, for example.)


Unclear if this is going to continue: https://github.com/intika/Librefox/issues/119

https://github.com/intika/Librefox/commit/45a4d3ce647b8c896e...

may have Terms & conditions violations.


>> NoHTTP: Block http traffic and/or redirect it to https (Excellent replacement for the unrecommended https-everywhere)

Why isn't the EFF's HTTPS Everywhere recommended? (And why is this addon, tagged "experimental", with <100 users opted for?)


I was once told we shouldn’t use libre in titles. But, I don’t have any reason for this. Anybody have any idea where they got this?


It's become a common way of signaling that your app/service is "Free as in Freedom", as opposed to "Free as in beer", open source vs. FOSS, etc.

I find it a little odd here, because Firefox already meets the definition of FOSS. But it's not unheard of for a popular project to go from free to proprietary, and for a fork of the last free version to somehow work "libre" into the title.


More to the point, "Librefox" is a project about privacy, not freedom. Others have pointed out that this project actually bundles some proprietary addons—so the name makes no sense.


It's become a very effective way for me to detect projects that have prioritized idealism over pragmatism. (I personally fall on the pragmatism side of that spectrum, and so I find it useful to avoid the oil-water problems that causes.)


At one point I understood the distinction of `"Free as in Freedom", as opposed to "Free as in beer"`, but I have since forgotten.

Is there a longer form explanation I can read / bookmark?


this is free as in freedom https://www.gnu.org/philosophy/free-sw.html

free as in beer just means you're not charged a fee.


Which always irks me, because we already have a great word to mean "Free as in Freedom", and that is: "Freedom."

I'd love if we could start calling free software, Freedom Software. Think of the benefits to the FLOSS PR movement!

I actually e-mailed rms about this, he said they considered the name but couldn't use it because of a trademark. I say to hell with that: the needs of the many, and all that! Freedom Software for all!


I'd just like to interject for a moment. What you're referring to as FOSS, is in fact FLOSS, or as I've recently taken to calling it F/L/OS/S meaning “Free/Libre and Open Source Software”. Free is not free by itself, call it F/L/OS/S to explicitly avoid a preference between the two political camps. If you wish to be neutral, this is a good way to do it, since this makes the names of the two camps equally prominent. There really is a F/L/OS software and there are people who use it, but it is just a part of the system they use, that is in fact called GNU/Linux. Anyway Libre refers to freedom, instead of calling it open source you could also start to call this type of software Libre software. “Free and Open Source Software” is misleading since it can be interpreted as free as in beer when it is Free as in Freedom. Not calling it FLOSS is an obstacle to understanding GNU philosophy; free software and open source are different political positions that are completely not the same.

https://www.gnu.org/philosophy/floss-and-foss.en.html


Maybe because no-one knows how to pronounce it?

(Is it lee-bruh, as French, or lee-bray, as Spanish?)


In French it would just be lee-br as the 'e' at the end of a word is silent.


On the page, it says:

  Author: Intika (from Liege/Belgium)
So, I would assume that the French pronunciation is the intended one. Although I might be wrong.

Of course, the author has used the name "Librefox" as a single word, so there would presumably be liaison between the "e" and the "f", and so therefore you would presumably actually hear the "e" in the French pronunciation.


It's not really an English word, so many English speakers don't quite know how to pronounce it or exactly what it would mean.


Even now people everywhere have problems pronouncing GNU, Emacs, or Linux, and the word's connection to "liberty" should become clear if someone thinks about it for any time. Both "free" and "open" have their own problems, it seems like a fine alternative.


Curious if this sticks out like a sore thumb in terms of fingerprinting.


Quite.


Isn’t that the AppVeyor logo? (edit: yes:

  <a href="https://github.com/intika/Librefox/"><img width="727" src="https://img.shields.io/badge/Librefox-Browser-lightgray.svg?logo=appveyor&longCache=true&style=popout"></a>


My main concerns with these types of posts are management and defaults.

If management isn't autonomous, then you'll get fragmentation which becomes a fingerprinting mechanism.

If the defaults are too harsh, then you deter adoption and encourage fragmentation of those that do adopt (as they'll muck about in the config and unbreak different things).

With low adoption, using this could potentially make you more identifiable (mirroring the concern of Do Not Track as of late), [citation needed, on mobile].

I'll definitely spin up an instance later today, but it looks like the defaults might cause a fair bit of breakage.


Two questions:

(1) Why does the logo for Librefox look like a flatter, less colorful version of the Chrome logo?

Edit: Apparently (from a sibling comment) it's actually the AppVeyor logo. https://en.wikipedia.org/wiki/AppVeyor. Why?

(2) How can this be a valid claim: "Librefox is NOT associated with Mozilla or its products." It's obviously associated with one of Mozilla's products -- Firefox. What distinction am I missing here?


Wonder how this compares to waterfox. https://www.waterfoxproject.org/en-US/


Significantly different. From what I understand, Librefox intends to follow upstream development with limited changes. Waterfox, on the other hand, is a fork of the pre-XUL, pre-Electrolysis Firefox circa 2017. As upstream development continues, it will become increasingly difficult to maintain these sorts of forks.


Waterfox is a complete browser based on an old version of the Firefox engine. This project is a set of dotfiles that sets up current mainline Firefox.


Does it remove the change they made in Firefox 37-42 where you can't run or edit any add-ons/extensions without approval from Mozilla?


The same person maintains some builds of Ungoogled-Chromium for Linux:

https://www.opendesktop.org/p/1265177/


Why isn't it a fork? Does it make full use of the `privacy.resistFingerprinting` settings? Surely Tracking Protection should be switched on unless uBlock Origin is actually installed? Either that or bundle uBlock Origin.


For ease in keeping current with Firefox/trademark issues. Seemingly yes. Tracking protection is too new to be worth competing with uBlock Origin, and I'd guess the current release format makes bundling difficult.


>Updated browser: because this project is not a fork, it is kept updated with the latest Firefox version.

My pet peeve with all of these privacy-focused browsers is that they encourage people to stay at least one version behind the release version, essentially forcing a trade between security and privacy. By not being a fork, this project seems to avoid that particular pitfall.


To answer one of my own questions it looks like they do intend to create a standalone installation eventually.

It does turn on privacy.resistFingerprinting (although this is a somewhat experimental feature that uplifts Tor Browser changes into Firefox proper).


If I'm getting it right, is it a customized setting to use in Firefox to make it more privacy-oriented?


Honestly I wouldn't go anywhere near Palemoon. Not unless you feel like using an antiquated browser such as Firefox 28 which is where it forked.

I expect their shills will be deployed to this thread shortly.

It's certainly not more secure when you've got all your extensions running at the highest privilege level (not WebExtensions), the sandboxing code "removed" because mattatobin, a Palemoon developer, says that it "doesn't work", without giving any specific use case, and their non-compliance with the HSTS spec RFC 6797 [0]. There's probably countless other things wrong with it, but that's what I spotted after a cursory look.

Their developers are also toxic https://github.com/privacytoolsIO/privacytools.io/issues/375 that's all the proof you ever needed.

Many of your sentiments there are demonstrated in that very thread. One of the developers (mattatobin) repeatedly avoids answering my questions and just says "fake news" and goes all trumpian on me.

Don't bother trying to ask on their forums about this they will just delete your posts and go on about "the untrue narrative" without addressing your questions.

If you contact them on twitter they will block you. It seemed like their whole mode of operation was very "alt-right" if that makes sense. They live in a small "social bubble" it would seem.

I also found it rather lol that a so called "privacy browser" has to resort to using google advertising on their main page.

  15:05:34 www.palemoon.org -- script https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js 3p
  15:05:34 www.palemoon.org -- script https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js 3p
  15:05:34 www.palemoon.org -- script https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js 3p
[0]: https://tools.ietf.org/html/rfc6797#section-8.4


I'm sorry for your bad experiences with the Palemoon guys. You are obviously not who this software is meant for.

I don't need or want sandboxing for my extensions -- I can take care of my own sandboxing external to the browser profile instance. And I don't want it either, because it makes them less flexible and powerful. XUL based extensions turn my browser into a power tool, Chrome is a toy.

I don't know why you are upset, because the vast majority of the Internet agrees with you. Most people are happy to have Google control their web browsing experience. Why do you engage with them if they make you so upset? Why are you threatened by a small group of users who want a browser their own way?

As for the HSTS thing, I'm sorry nobody explained that, I'd be happy to elaborate a bit more for you. My computer belongs to me, and I get to decide what runs on it. I can choose to use Palemoon how I want to. Not implementing HSTS according to the RFC is harming nobody except potentially myself. The way HSTS is written is self serving for the powers that be. It reinforces the SSL certificate infrastructure, and takes away user choice in the name of "security". For practical reasons, being able to disable HSTS is important for development. And even without Palemoon, there are still plenty of ways to bypass HSTS. All Palemoon is doing is saving users time.

Besides, Google, Apple, Facebook and Microsoft happily trample on the RFCs when it's convenient for them. Chrome itself was infamous for this when it first came out. I remember seeing Chrome users clobbering webservers and violating protocol to get slightly more speed. Of course, Chrome now sets the standards.

I have to disagree with your characterization of Palemoon users as fascists.

If you don't like Palemoon, then you are more than welcome to not use it and leave the community alone. The Palemoon community represents a dying breed. Soon enough, most hardware will be forced to use their browser, and will only be permitted to go to websites that they approve of. And mandatory DRM. Mozilla also loves DRM.

Anyway, if you have any more questions I'd be happy to answer.


> I'm sorry for your bad experiences with the Palemoon guys. You are obviously not who this software is meant for.

Who is it meant for if it's not meant for users? Are they intentionally trying to turn away certain people?

> I don't need or want sandboxing for my extensions

I think you'll find with all security, it's best to have the "principle of least privilege" https://en.wikipedia.org/wiki/Principle_of_least_privilege at all levels of software. The reason for this is that if something happens to exploit one area of your setup, the hope is that it will be stopped somewhere else.

> I can take care of my own sandboxing external to the browser profile instance.

As do I. I use multiple VLANs (network segregation), Virtual Machines, and other things in addition to browser profiles. Most people however do not. Software should be designed for "most people".

> And I don't want it either, because it makes them less flexible and powerful. XUL based extensions turn my browser into a power tool,

There's plenty of frameworks out there. Perhaps what you're trying to do shouldn't be a browser extension.

> Chrome is a toy.

Okay if you mean high performance web browser with a lot of market share that Mozilla must compete against in order to stay relevant?

> I don't know why you are upset, because the vast majority of the Internet agrees with you.

They do because I am right. I rarely say this as I do often like a good debate, however in this situation I will.

> Most people are happy to have Google control their web browsing experience. Why do you engage with them if they make you so upset? Why are you threatened by a small group of users who want a browser their own way?

I didn't engage with them. They came to our bug tracker and started to push their software on us. I contribute to the privacytools.io website. I was explaining why that particular piece of software did not belong there.

> As for the HSTS thing, I'm sorry nobody explained that, I'd be happy to elaborate a bit more for you. My computer belongs to me, and I get to decide what runs on it. I can choose to use Palemoon how I want to. Not implementing HSTS according to the RFC is harming nobody except potentially myself. The way HSTS is written is self serving for the powers that be. It reenforces the SSL certificate infrastructure, and takes away user choice in the name of "security". For practical reasons, being able to disable HSTS is important for development. And even without Palemoon, there are still plenty of ways to bypass HSTS. All Palemoon is doing is saving users time.

For software that is distributed to the public certain 'sane' defaults are expected for the software to be labeled as secure. These are usually according to spec as I pointed out in https://github.com/privacytoolsIO/privacytools.io/issues/375... there are a number of reasons why software developers should make certain choices for users.

There are a couple of reasons for this:

> 1. Users could be socially engineered into bypassing the warning

> 2. The warning gets "ignored" because lazy users just want to "visit that website", without thinking of or understanding the consequences.

> 3. Advanced users (web developers etc) can simply fix the error server side, do something like this, https://blog.filippo.io/mkcert-valid-https-certificates-for-... or at worst compile their own browser.

> 4. Website owners will fix errors as it will mean their customers, visitors will not be granted access.

The fact is, if Mozilla designed software for "a small group of users who think they know everything" nobody would use their software as the majority would have a poor user experience.

What I mean by that is allowing users to override certain security (they may not understand and may put them at risk) is not a solution to lazy site owners who have TLS errors. It is very good that those site owners must now fix their problems, or the sites simply won't work.

> Besides, Google, Apple, Facebook and Microsoft happily trample on the RFCs when it's convenient for them. Chrome itself was infamous for this when it first came out. I remember seeing Chrome users clobbering webservers and violating protocol to get slightly more speed. Of course, Chrome now sets the standards.

Maybe so, and those are separate issues. Those issues should be constructively criticized when they come.

> I have to disagree with your characterization of Palemoon users as fascists.

I didn't say their users were. I said that certain developers certainly give off that vibe. I also said that they do engage in censorship, on their forums and on Twitter https://news.ycombinator.com/item?id=13395682. I've read about that here on HN and Reddit, i.e. 'forums' that they do not control. I witnessed it in that thread when one of them attempted to brigade the GitHub issue I was conversing in.

> If you don't like Palemoon, then you are more than welcome to not use it and leave the community alone.

[Insert Leave Britney Alone meme] The point is I only made an argument as to why it would not be added to privacytools.io the "defenders of Palemoon" came there and accused me of spreading "fake news", and spreading "false narrative". They didn't however refute what I said in a technical sense, which is what is expected in technical communities.

If you want to say someone is wrong, then provide proof/examples, or you'll be laughed at.

> The Palemoon community represents a dying breed.

Progress will do that.

> Soon enough, most hardware will be forced to use their browser, and will only be permitted to go to websites that they approve of.

I don't believe that for a minute. The big tech companies have been very active in standards forums like the IETF.

> And mandatory DRM.

That only happens when you want to use content like Netflix, and then it's a part of the user license agreement that Netflix MUST agree to in order to satisfy content creators/rights owners etc.

Mozilla never says that a site must use DRM, but does provide the option should they need to.

> Mozilla also loves DRM.

You mean they implement it so their browser can use things like Netflix? Sure, because if they didn't everyone would just use Chrome.

> Anyway, if you have any more questions I'd be happy to answer.

This is the point, though, isn't it? The "Palemoon defenders" never refute what I say with actual evidence.
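The disagreement above is about what RFC 6797 actually requires of a browser once a host is known to use HSTS. The following is an added example, not code from the thread or from any browser; it models a minimal HSTS policy store in Python and shows the difference between the conforming behaviour (a certificate error on a known host is a hard failure with no click-through, per sections 8.4 and 12.1 of the RFC) and a "let the user override" mode. Hostnames and header values are constructed sample data; the `decide` function and its return labels are assumptions made for illustration.

```python
"""Minimal HSTS policy store modelled on RFC 6797 (added example).

Hostnames, header values and the decision labels are constructed for
illustration; they are not taken from any browser or from the thread.
"""
import re
import time

# max-age directive, optionally quoted, as allowed by RFC 6797 section 6.1
_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)


def parse_sts(header):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header
    is invalid (missing max-age, or a directive repeated).
    """
    directives = [d.strip() for d in header.split(";") if d.strip()]
    max_age = None
    include_sub = False
    seen = set()
    for d in directives:
        name = d.split("=", 1)[0].strip().lower()
        if name in seen:
            return None          # duplicate directive -> whole header invalid
        seen.add(name)
        if name == "max-age":
            m = _MAX_AGE.fullmatch(d)
            if not m:
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None              # max-age is mandatory
    return max_age, include_sub


class HstsStore:
    """Known-HSTS-host cache keyed by host name."""

    def __init__(self, clock=time.time):
        self._known = {}         # host -> (expiry_timestamp, include_subdomains)
        self._clock = clock

    def process_response(self, host, scheme, cert_ok, header):
        """Section 8.1: only a header received over an error-free TLS
        connection may create, refresh or remove an entry."""
        if scheme != "https" or not cert_ok or header is None:
            return
        parsed = parse_sts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self._known.pop(host, None)   # max-age=0 withdraws the policy
            return
        self._known[host] = (self._clock() + max_age, include_sub)

    def is_known(self, host):
        """Section 8.2/8.3: exact match, or a superdomain entry that set
        includeSubDomains; expired entries do not count."""
        now = self._clock()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._known.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                continue
            if i == 0 or include_sub:
                return True
        return False


def decide(store, host, scheme, cert_ok, allow_user_override=False):
    """What a UA does for a navigation (labels are constructed for this example).

    'upgrade'          http URL rewritten to https before any request (8.3)
    'proceed'          nothing to do
    'hard_fail'        cert error on a known HSTS host: terminate, no recourse (8.4, 12.1)
    'soft_fail'        cert error on a non-HSTS host; a UA may offer a bypass
    'override_offered' the non-conforming mode the thread argues about
    """
    known = store.is_known(host)
    if scheme == "http":
        return "upgrade" if known else "proceed"
    if cert_ok:
        return "proceed"
    if known:
        return "override_offered" if allow_user_override else "hard_fail"
    return "soft_fail"
```

The point the example makes concrete: the header only ever takes effect over a clean HTTPS connection, so an attacker on the network cannot plant a policy, and once a policy exists the conforming response to a certificate error is to stop, because a click-through on a known host is exactly the social-engineering path the RFC closes.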


lol, my reply to you was too long. http://dpaste.com/3H8SRNZ


> lol, my reply to you was too long. http://dpaste.com/3H8SRNZ

No problems. Simply split your post over multiple replies. There is a 2000 character limit per reply.


I never got to read your reply. Look I'm sorry for any negativity. I think there is a place for you and what you are doing. But I'd like to make my own software my own way.

I don't agree with your paradigm for how people should use computers, but that's ok. I know I can very vocally disagree with the direction software is going, but I'd very much like for us to coexist peacefully.


[flagged]


Personal attacks are not ok here, so please don't do that on HN.

Insinuations of shilling aren't allowed either. Please review https://news.ycombinator.com/newsguidelines.html and follow the rules when posting here.


Pale Moon's JavaScript support was atrocious last time I checked, indicating that it's not actually keeping pace with Mozilla. I was developing a user script at the time and had to ask a user to stop using what amounts to a copy of Firefox that's several years past its expiry.

Who knows what kind of issues are lingering around? Given that Pale Moon users advertise themselves as power users they might make quite a valuable target.


"Their developers are also toxic https://github.com/privacytoolsIO/privacytools.io/issues/375 that's all the proof you ever needed."

It's quite ironic that you accuse them of toxicity when in that very thread you call their project "a shitty pointless effort".
