So, I would assume that the French pronunciation is the intended one. Although I might be wrong.
Of course, the author has used the name "Librefox" as a single word, so there would presumably be liaison between the "e" and the "f", and so therefore you would presumably actually hear the "e" in the French pronunciation.
Even now people everywhere have problems pronouncing GNU, Emacs, or Linux, and the word's connection to "liberty" should become clear if someone thinks about it for any time. Both "free" and "open" have their own problems, it seems like a fine alternative.
It's become a common way of signaling that your app/service is "Free as in Freedom", as opposed to "Free as in beer", open source vs. FOSS, etc.
I find it a little odd here, because Firefox already meets the definition of FOSS. But it's not unheard of for a popular project to go from free to proprietary, and for a fork of the last free version to somewhere work "libre" into the title.
It's become a very effective way for me to detect projects that have prioritized idealism over pragmatism. (I personally fall on the pragmatism side of that spectrum, and so I find it useful to avoid the oil-water problems that causes.)
I'd just like to interject for a moment. What you're referring to as FOSS, is in fact FLOSS, or as I've recently taken to calling it F/L/OS/S meaning “Free/Libre and Open Source Software”. Free is not free by itself, call if F/L/OS/S to explicitly avoid a preference between the two political camps. If you wish to be neutral, this is a good way to do it, since this makes the names of the two camps equally prominent.
There really is a F/L/OS software and there are people who use it, but it is just a part of the system they use, that in fact called GNU/Linux. Anyway Libre refers to freedom, instead of calling it open source you could also start to call this type of software Libre software. “Free and Open Source Software” is misleading since it can be interpreted as free as in beer when it is Free as in Freedom. Not calling it FLOSS is an obstacle to understanding GNU philosophy, free software and open source are different political positions that are completely not the same.
More to the point, "Librefox" is a project about privacy, not freedom. Others have pointed out that this project actually bundles some proprietary addons—so the name makes no sense.
Which always irks me, because we already have a great word to mean "Free as in Freedom", and that is: "Freedom."
I'd love if we could start calling free software, Freedom Software. Think of the benefits to the FLOSS PR movement!
I actually e-mailed rms about this, he said they considered the name but couldn't use it because of a trademark. I say to hell with that: the needs of the many, and all that! Freedom Software for all!
Significantly different. From what I understand, Librefox intends to follow upstream development with limited changes. Waterfox, on the other hand, is a fork of the pre-XUL, pre-Electrolysis Firefox circa 2017. As upstream development continues, it will become increasingly difficult to maintain these sorts of forks.
Why isn't it a fork? Does it make full use of the `privacy.resistFingerprinting` settings? Surely Tracking Protection should be switched on unless uBlock Origin is actually installed? Either that or bundle uBlock Origin.
For ease in keeping current with Firefox/trademark issues. Seemingly yes. Tracking protection is too new to be worth competing with uBlock Origin, and I'd guess the current release format makes bundling difficult.
>Updated browser: because this project is not a fork, it is kept updated with the latest Firefox version.
My pet peeve with all of these privacy-focused browsers is that they encourage people to stay at least one version behind the release version, essentially forcing a trade between security and privacy. By not being a fork, this project seems to avoid that particular pitfall.
Something I'd like to see instead of a modified version of ff is some sort of meta-extension that I could install on vanilla ff.
It would essentially be a bundle of
* add blocker (say ublock)
* js disabler (noscript)
* https stuff
* anti tracker
* url cleaner
* user agent spoofer
* cookie cleaner
* whatever decentraleyes does
* enable the right settings in about:config
* …?
All the extensions are there already, but it would guarantee them working well together and you wouldn't have to look for each extension and wonder if it's actually the one you want, but just install "the one".
That's also a feature that I want. Something like a dotfile for Firefox that I can use to set it up automatically with the rest of the system.
However what bothers me about privacy add-ons is that each one that I install is giving permissions in my browser to another person. It would be better if there was a single add-on that was audited by someone trustworthy.
A single all-in-one add-on could also work on making each of its users fingerprint the same, which is something that can't happen when each person is using a different combination of privacy enhancements.
As the sibling comment says, the "extension bundle" thing would allow for: less people to trust when installing the extension and guaranteed uniform behaviour without extensions stepping on each other toes, plus the fingerprinting thing which I actually didn't think about!
I'd like to see these kinds of features upstreamed into TBB, then eventually make their way into mainline Firefox. I know HTTPS Everywhere and NoScript already exist in TBB, I'm trying to think of what other extensions would do well for it...
The problem I find with Firefox is that options in about:config are too stateful.
You can't use user.js as a regular dotfile such as .emacs, .vimrc or .muttrc. That is, once you set an option you need to manually unset it. I wished they introduced a more sane mechanism.
Besides, there is no way to programmatically declare you want to use some addons.
IMHO, all this makes maintaining relatively complex user configurations very costly.
Yes, I find the about:config option stickiness behaviour isn't intuitive. I am guessing that a lot of people don't realize that if you set options in user.js they stay set until you manually unset them, even if you remove the user.js file.
A hack around this would be to remove things by specifically unsetting them in the user.js file, much as one would do to remove a previously installed package using configuration management software.
URLs often have lots of referral and tracking information in them (see anything with UTM parameters: https://en.wikipedia.org/wiki/UTM_parameters ). I use the Neat URL extension and it's been great.
I just want something that gives me maximum privacy without compatibility issues. I run into websites every week that just don't render elements or clickable links in firefox with my current extensions (looking at you, barclays).
The only privacy extensions I use are cookie autodelete, decentraleyes, and ublock origin with default settings (the super private settings broke more websites than not, and I gave up making dozens of exceptions), and google and FB containers.
I'm considering dropping google container too, very annoying clicking a link opens a tab in the default container and closes the google one, so I have to shift cmd tab through all my recently closed tabs or dig through history instead of hitting back to return to the results.
It's like either you let your guard down or make navigating around the web insufferable.
umatrix and decentraleyes are wonderful. They don't quite work together (I think you have to unblock some sites in umatrix before decentraleyes will be able to emulate them)
Icecat has issues with so many sites because it wants you to block no free JavaScript. If you use it as intended, the internet isn't the same and is it even more private since there are fewer extensions?
Sorry you found it unsubstantial. I mean to express distaste for people who tend to loosely throw the terms "privacy" and "security" around, especially when recommending laundry lists of configuration options, patches, extensions, etc. There is often little to no regard for threat modeling and pragmatism. Take "gHacks/pyllyukko base is kept up to date" for example - these batch tweaks and their effects are hard to understand and apply for the average user, and unfortunately tend to break the mainstream web.
I view projects like these as temporary bandages that pacify users (those technical enough to even be able to use them) in the now to ignore the larger and more fundamental issues at hand. Upstream should adopt reasonably sane defaults, because whack-a-mole with complex software simply isn't sustainable and the projects in question will become less effective over time as maintainership wanes. With regards to further hardening options, there really needs to be better upstream documentation, education, and accessibility. When that is realized in the free/libre browsers with the majority market share, then I am optimistic that the mainstream web will heal in accomodation.
> I mean to express distaste for people who tend to loosely throw the terms "privacy" and "security" around, especially when recommending laundry lists of configuration options, patches, extensions, etc.
This is a much, much more useful description. And I'd agree. Usability is a critical part of privacy and security, and recommendations for tools that cater exclusively to advanced users (whether the tool developers realize that or not) can do more harm than good.
Not just recommendations for advanced tools, but the unfortunate reality that they are currently necessary means. I reiterate - this functionality must be made upstream, accessible, and visible.
I find that "upstream" might be at odds with security/privacy, both in terms of funding and data collection (benign reasons being debug/crash data collection as well as "what and how do people use this")
You could make a totally open-source, libre-licensed DRM enforcement framework -- any user willing to dig through it could probably modify and defuse it, but out of the box, it would be an example of free software which aims to defeat freedom.
This seems like an a slightly more complete version of Firefox Profilemaker (https://ffprofile.com/).
I personally use a fairly vanilla Firefox with a few addons and try to keep customization as default as possible. How will further differentiating yourself from the masses (especially since Firefox is already a minority browser) help with privacy, tracking, and fingerprinting? Why not at that point just change your user agent to Chrome/Win7 and run everything in a virtual machine?
edit: To that end, does anyone use browser forks (like Waterfox and Palemoon, or things like unGoogled Chromium) and seriously think they're better than the mainline browser? I see a lot of fair criticism for what Mozilla has done with Firefox (deprecating old extensions, Mr. Robot addons, Cliqz, etc) but it's pretty much the most trustworthy Internet company as far as I'm aware. They seem to genuinely have good will and Open Source at their core, and these forks claiming that Mozilla is this monstrous organization looking to invade your privacy (along the lines of what Google does) seem a little silly to me.
>and these forks claiming that Mozilla is this monstrous organization looking to invade your privacy
Do they claim that? I felt like most of the forks were made in good feeling, appreciating the work that Mozilla has done, but customising it in their own way/aligning vanilla FireFox with their views.
I do not use a Firefox fork but customizing Firefox with add-ons can improve privacy even if it makes you more unique when looking at your fingerprint only.
Forked software is usually reasonable, but for me, the sheer complexity of the graphical, interactive web sadly begets an exception for modern browsers. Even if much of the work is offloaded to the corporations backing modern free/libre browsers (e.g. keeping up with new web standards and technologies), it certainly goes without saying that rebasing with upstream or even just applying the latest security fixes is no trivial task I would entrust any browser fork with minimal developer backing with.
This problem is especially worsened with the kind of user base that firefox forks tend to attract, from what I have seen. These users tend to ask very high-level questions e.g. "is waterfox more secure than pale moon" and will usually blindly switch from one fork to the next based on poorly-backed, unsubstantial crowd opinion. No userbase means waning support + maintenance. If you ask me, I think in the very special case of browser technologies, it would be more beneficial if the developers and users of firefox forks directed their energies towards making generally desirable changes in upstream.
Not just the weird habits of the users, either. I have way more confidence that Mozilla will fix issues in a timely manner than the one developer behind Waterfox, or the several behind Palemoon. Especially when the forks are depending on upstream to fix things for them. A few years ago there was a build of Waterfox that was substantially late because the one developer had exams.
It seems like the solution to this would be to have the build system reproducible from a base image with everything other than the code repo required to successfully kick off a build other than the code repo itself. Uploaded (or made available to upload yourself) to any of the cloud providers (or run locally in a VM), it would allow you to sync the repo and kick off a build for any supported architecture.
Dev not available to integrate a pull request and start a build? Download the appropriate build arch image, fire up VirtualBox, sync the repo (and apply a pull request if the dev hasn't had a chance to do that yet) and start the build script.
This doesn't entirely solve the problem, if nobody has submitted a fix yet, and you don't know enough to pull in the upstream fix and merge it yourself, you're at the mercy of some other user having that knowledge and making a pull request. It does close the gap somewhat though.
Are there existing projects to help get to this level of build reproducibility that can serve as a base to use? It would be awesome to know people are already working on making this easy to adopt.
I was speaking more to the general case of projects with small bus factors for deploying. And slow is moistly irrelevant to the point, which is making something possible which largely wasn't before.
Some of the changes are alternative defaults however. That isn't something one can just merge upstream since there are busi ESS and product reasons for Mozilla to reject certain changes
>How will further differentiating yourself from the masses (especially since Firefox is already a minority browser) help with privacy, tracking, and fingerprinting?
I don't think that's what fingerprinting is about. Whether you're 1 in 50k or 1 in 500k - it's not usable from a marketing/data perspective. Stuff like cookie retention & IP addr seem much more dangerous on this front than browser choice - both of those are more like 1 in 1 or 1 in say 20 depending on NAT.
I've been using Waterfox since Mozilla changed their extension format and it's been incredibly stable. I used it for the Tree Style Tab extension. There's probably less reason to use it just for that anymore but vertical tabs in Firefox still isn't the best experience. I use Firefox with Tree Tabs at work with the extra user UI modification required to hide the top tabs and the sidebar headings. Only allowing one sidebar means when I accidentally open the bookmarks I need to mess around to get my tabs back.
I used to do web dev in chrome but installed ungoogled-chromium after that scandalous update where they forced you to login; in fact, after installing said update, I suddenly found myself "logged in" with a gmail address that I never even created in the first place (something like mycompanyname[at]gmail[dot]com). My trust in Google was already crumbling, this creepy move was the final blow. So far, my experience with ungoogled-chromium has been great, but I must admit I'm not really following up on the project (devs, userbase, security updates, etc).
I haven't tried Librefox yet, but Internet privacy&security is a big interest of mine, and I'd like to suggest that another option to consider is Tor Browser.
Tor Browser is generally more privacy-focused than Mozilla, and the nicely integrated Tor support gives me a bit of privacy from my infamous ISP (VPN services tend to be sketchy, too).
Drawbacks to Tor Browser are that Tor itself is a bit creepy (e.g., presumably draws more attention to you from your own country's domestic surveillance), some news sites block US Tor exit nodes (whether they know it or not; Cloudflare seems to most often be the culprit), uBlock Origin is not part of the Tor Browser distribution (which means that people who add it lose some crowd anti-fingerprinting benefit), the NoScript part should really be replaced with uBlock Origin, Tor is much slower than direct, and the Tor or Tor Browser project could end/fizzle much sooner than Firefox does.
How I'm using Tor Browser currently is that I use it for sites that don't require logins or otherwise identify me. For sites that identify me anyway (e.g., banking, online ordering), I use Firefox. I don't use Firefox often. Keeping them separate also discourages me from logging into sites unnecessarily.
What I'd ideally like is for Mozilla to become more aggressive than Tor Browser about privacy -- not going to Tor, but doing things that would peeve much of the dotcom surveillance industry. This includes pushing privacy tweaks upstream to Web standards. Mozilla is perhaps the best positioned to play chicken with the dotcoms on this; most genuine privacy efforts would be simply broken by the sites, and lose their users. Mozilla has a lot of upper management, so presumably they could figure out how to peeve a lot of dotcoms, while still keeping the funding flowing.
(I should add that I use Tor Browser for only a casual, on-principle attempt at privacy from snooping companies. I don't believe that Tor or Tor Browser is sufficiently safe for many kinds of journalists and activists, for example.)
Considering this hasn't received an update in two months, it seems unsafe to install and download it. There have been many fixed security issues in Firefox just in the past few weeks.
My main concernsvwith these types of posts are management and defaults.
If management isn't automous, then you'll get fragmentation which becomes a fingerprinting mechanism.
If the defaults are too harsh, then you deter adoption and encourage fragmentation of those that do adopt (as they'll muck about in the config and unbreak different things).
With low adoption, using this could potentially make you more identifiable (mirroring the concern of Do Not Track as of late) , [citation needed, on mobile].
I'll definitely spin up an instance of later today, but it looks like the defaults might cause a fair bit of breakage
Honestly I wouldn't go anywhere near Palemoon. Not unless you feel like using an antiquated browser such as Firefox 28 which is where it forked.
I expect their shills will be deployed to this thread shortly.
It's certainly not more secure when you've got all your extensions running at highest level privileged (not WebExtensions), the sandboxing code "removed" because mattatobin a Palemoon developer says that it "doesn't work", without giving any specific use case and their non-compliance with the HSTS spec RFC6797 [0]. There's probably countless other things wrong with it, but that's what I spotted after a cursory look.
Many of your sentiments there are demonstrated in that very thread. One of the developers (mattatobin) repeatedly avoids answering my questions and just says "fake news" and goes all trumpian on me.
Don't bother trying to ask on their forums about this they will just delete your posts and go on about "the untrue narrative" without addressing your questions.
If you contact them on twitter they will block you. It seemed like their while mode of operation was very "alt-right" if that makes sense. They live in a small "social bubble" it would seem.
I also found it rather lol that a so called "privacy browser" has to resort to using google advertising on their main page.
I'm sorry for your bad experiences with the Palemoon guys. You are obviously not who this software is meant for.
I don't need or want sandboxing for my extensions -- I can take care of my own sandboxing external to the browser profile instance. And I don't want it either, because it makes them less flexible and powerful. XUL based extensions turn my browser into a power tool, Chrome is a toy.
I don't know why you are upset, because the vast majority of the Internet agrees with you. Most people are happy to have Google control their web browsing experience. Why do you engage with them if they make you so upset?
Why are you threatened by a small group of users who want a browser their own way?
As for the HSTS thing, I'm sorry nobody explained that, I'd be happy to elaborate a bit more for you. My computer belongs to me, and I get to decide what runs on it. I can choose to use Palemoon how I want to. Not implementing HSTS according to the RFC is harming nobody except potentially myself. The way HSTS is written is self serving for the powers that be. It reenforces the SSL certificate infrastructure, and takes away user choice in the name of "security". For practical reasons, being able to disable HSTS is important for development. And even without Palemoon, there are still plenty of ways to bypass HSTS. All Palemoon is doing is saving users time.
Besides, Google, Apple, Facebook and Microsoft happily trample on the RFCs when it's convenient for them. Chrome itself was infamous for this when it first came out. I remember seeing Chrome users clobbering webservers and violating protocol to get slightly more speed. Of course, Chrome now sets the standards.
I have to disagree with your characterization of Palemoon users as fascists.
If you don't like Palemoon, then you are more than welcome to not use it and leave the community alone. The Palemoon community represents a dying breed. Soon enough, most hardware will be forced to use their browser, and will only be permitted to go to websites that they approve of. And mandatory DRM. Mozilla also loves DRM.
Anyway, if you have any more questions I'd be happy to answer.
> I'm sorry for your bad experiences with the Palemoon guys. You are obviously not who this software is meant for.
Who is it meant for if it's not meant for users? Are they intentionally trying to turn away certain people?
> I don't need or want sandboxing for my extensions
I think you'll find with all security, it's best to have the "principal of least privilege" https://en.wikipedia.org/wiki/Principle_of_least_privilege at all levels of software. The reason for this is because if something happens to exploit one area of your setup, the hope is that it will be stopped somewhere else.
> I can take care of my own sandboxing external to the browser profile instance.
As do I. I use multiple VLANs (network segregation), Virtual Machines, and other things in addition to browser profiles. Most people however do not. Software should be designed for "most people".
> And I don't want it either, because it makes them less flexible and powerful. XUL based extensions turn my browser into a power tool,
There's plenty of frameworks out there. Perhaps what you're trying to do shouldn't be a browser extension.
> Chrome is a toy.
Okay if you mean high performance web browser with a lot of market share that Mozilla must compete against in order to stay relevant?
> I don't know why you are upset, because the vast majority of the Internet agrees with you.
They do because I am right. I rarely say this as I do often like a good debate, however in this situation I will.
> Most people are happy to have Google control their web browsing experience. Why do you engage with them if they make you so upset? Why are you threatened by a small group of users who want a browser their own way?
I didn't engage with them. They came to our bug tracker and started to push their software on us. I contribute to the privacytools.io website. I was explaining why that particular piece of software did not belong there.
> As for the HSTS thing, I'm sorry nobody explained that, I'd be happy to elaborate a bit more for you. My computer belongs to me, and I get to decide what runs on it. I can choose to use Palemoon how I want to. Not implementing HSTS according to the RFC is harming nobody except potentially myself. The way HSTS is written is self serving for the powers that be. It reenforces the SSL certificate infrastructure, and takes away user choice in the name of "security". For practical reasons, being able to disable HSTS is important for development. And even without Palemoon, there are still plenty of ways to bypass HSTS. All Palemoon is doing is saving users time.
For software that is distributed to the public certain 'sane' defaults are expected for the software to be labeled as secure. These are usually according to spec as I pointed out in https://github.com/privacytoolsIO/privacytools.io/issues/375... there are a number of reasons why software developers should make certain choices for users.
There are a couple of reasons for this:
> 1. Users could be socially engineered into bypassing the warning
> 2. The warning gets "ignored" because lazy users just want to "visit that website", without thinking of or understanding the consequences.
Maybe you should be more succinct then. If it's too long for the comments I'm not going to read it. A comment can be 2000 characters which is fairly generous. You can always post more than one reply.
I'm not going to open something on a pastebin like dpaste.com which will only be around for a year. If you're afraid of downvotes write something that makes sense.
Also hello there mattatobin. I know that writing style from a mile away. There's no point in me responding to you, because you never address the question and you just throw a bunch of other nonsense in there that has nothing to do with what was being talked about.
I never got to read your reply. Look I'm sorry for any negativity. I think there is a place for you and what you are doing. But I'd like to make my own software my own way.
I don't agree with your paradigm for how people should use computers, but that's ok. I know I can very vocally disagree with the direction software is going, but I'd very much like for us to coexist peacefully.
You should have limited your response to, "That is for me to decide." You can't reason with someone who's unreasonable, and you shouldn't prostrate yourself before him by trying. As you observed, he appears to be not only a fool, but an ignorant one. Only time and painful experience have a chance to get through to him.
In other words, don't be a victim of BS asymmetry.
> > I'm sorry for your bad experiences with the Palemoon guys. You are obviously not who this software is meant for.
> Who is it meant for if it's not meant for users? Are they intentionally trying to turn away certain people?
Only people like you, who are trying to tell them what they ought to do with their free time.
> > I don't need or want sandboxing for my extensions
> I think you'll find with all security, it's best to have the "principal of least privilege" https://en.wikipedia.org/wiki/Principle_of_least_privilege at all levels of software. The reason for this is because if something happens to exploit one area of your setup, the hope is that it will be stopped somewhere else.
And people like you complain that religious people act morally superior! If only he would read what you read, then he would think like you! You must be one of these extremely religious atheists, more convinced of your own correctness than any theist...
> > I don't know why you are upset, because the vast majority of the Internet agrees with you.
> They do because I am right. I rarely say this as I do often like a good debate, however in this situation I will.
...yep! You are!
> > The Palemoon community represents a dying breed.
> Progress will do that.
Here you are, trying to tell people what they ought to do and what they ought to want and how they ought to want it. You're an actual fascist, because you want to deny freedom to others, completely convinced of your own superiority. If only you were king, then everything would be fixed!
But you project that onto others, calling them the fascists!
You're an ignorant moron, as well, because you don't even recognize that it's only due to such freedom that we even have the software and general prosperity that we enjoy.
There is only one appropriate response to a comment like yours: fuck you and your tribal regressivism. Go stone-age yourself, and leave the rest of us alone.
Pale Moon's JavaScript support was atrocious last time I checked, indicating that it's not actually keeping pace with Mozilla. I was developing a user script at the time and had to ask a user to stop using what amounts to a copy of Firefox that's several years past it's expiry.
Who knows what kind of issues are lingering around? Given that Pale Moon users advertise themselves as power users they might make quite a valuable target.
(2) How can this be a valid claim: "Librefox is NOT associated with Mozilla or its products." It's obviously associated with one of Mozilla's products -- Firefox. What distinction am I missing here?
121 comments
[ 3.1 ms ] story [ 200 ms ] thread(Is it lee-bruh, as French, or lee-bray, as Spanish?)
Of course, the author has used the name "Librefox" as a single word, so there would presumably be liaison between the "e" and the "f", and so therefore you would presumably actually hear the "e" in the French pronunciation.
I find it a little odd here, because Firefox already meets the definition of FOSS. But it's not unheard of for a popular project to go from free to proprietary, and for a fork of the last free version to somewhere work "libre" into the title.
https://www.gnu.org/philosophy/floss-and-foss.en.html
Is there a longer form explanation I can read / bookmark?
free as in beer just means you're not charged a fee.
I'd love if we could start calling free software, Freedom Software. Think of the benefits to the FLOSS PR movement!
I actually e-mailed rms about this, he said they considered the name but couldn't use it because of a trademark. I say to hell with that: the needs of the many, and all that! Freedom Software for all!
What should be shared instead is the scandalous Mozilla's blocking of this project.
https://github.com/intika/Librefox/issues/119#issuecomment-4...
It does turn on privacy.resistFingerprinting (although this is a somewhat experimental feature that uplifts TOR Browser changes into Firefox proper).
My pet peeve with all of these privacy-focused browsers is that they encourage people to stay at least one version behind the release version, essentially forcing a trade between security and privacy. By not being a fork, this project seems to avoid that particular pitfall.
* add blocker (say ublock)
* js disabler (noscript)
* https stuff
* anti tracker
* url cleaner
* user agent spoofer
* cookie cleaner
* whatever decentraleyes does
* enable the right settings in about:config
* …?
All the extensions are there already, but it would guarantee them working well together and you wouldn't have to look for each extension and wonder if it's actually the one you want, but just install "the one".
However what bothers me about privacy add-ons is that each one that I install is giving permissions in my browser to another person. It would be better if there was a single add-on that was audited by someone trustworthy.
A single all-in-one add-on could also work on making each of its users fingerprint the same, which is something that can't happen when each person is using a different combination of privacy enhancements.
I've not yet tried it, but I think user.js might be helpful for this: http://kb.mozillazine.org/User.js_file
* https://github.com/dngray/ghacks-user.js/tree/fx-desktop
* https://github.com/dngray/ghacks-user.js/tree/fx-android
If you use Windows, you can use local group policy (if you're not part of a domain) and it's not too difficult to export/import for new machines.
If you look at their website https://www.torproject.org they refer to it as "Tor Browser".
You can't use user.js as a regular dotfile such as .emacs, .vimrc or .muttrc. That is, once you set an option you need to manually unset it. I wished they introduced a more sane mechanism.
Besides, there is no way to programmatically declare you want to use some addons.
IMHO, all this makes maintaining relatively complex user configurations very costly.
Options that can be set only for the duration of the current session?
What I did was created a fork, ie https://github.com/dngray/ghacks-user.js/tree/fx-desktop
Then I added it as a submodule, ie "yadm submodule add ..." as they mention here https://stackoverflow.com/a/18797720
Yadm allows for a bootstrap[0], so I simply do:
Note the Jinja2[1] syntax there.[0]: https://yadm.io/docs/bootstrap [1]: https://yadm.io/docs/alternates
ha, yes, it's hard to keep track of all these little modules sometimes.
decentraleyes caches bundles (like jquery) from cdn's so the cdn's can't track you as easily.
¹ https://github.com/idlewan/link_cleaner
I rather like Clean URLs (seems more maintained) and can pull a set of rules (regxp) from https://gitlab.com/KevinRoebert/ClearUrls/raw/master/data/da...
That's built in to Firefox already, just go to privacy settings and set it to work in all windows.
> user agent spoofer
Same. privacy.resistFingerprinting will set the UA to something like the latest stable Firefox on Windows.
> https stuff
Is it that necessary anymore? The HSTS Preload list covers the big and important sites, and most links you see are https already.
The only privacy extensions I use are cookie autodelete, decentraleyes, and ublock origin with default settings (the super private settings broke more websites than not, and I gave up making dozens of exceptions), and google and FB containers.
I'm considering dropping google container too, very annoying clicking a link opens a tab in the default container and closes the google one, so I have to shift cmd tab through all my recently closed tabs or dig through history instead of hitting back to return to the results.
It's like either you let your guard down or make navigating around the web insufferable.
Check IceCat instead for a more free/libre Firefox.
I like how brave bakes in the settings by default
I view projects like these as temporary bandages that pacify users (those technical enough to even be able to use them) in the now to ignore the larger and more fundamental issues at hand. Upstream should adopt reasonably sane defaults, because whack-a-mole with complex software simply isn't sustainable and the projects in question will become less effective over time as maintainership wanes. With regards to further hardening options, there really needs to be better upstream documentation, education, and accessibility. When that is realized in the free/libre browsers with the majority market share, then I am optimistic that the mainstream web will heal in accomodation.
This is a much, much more useful description. And I'd agree. Usability is a critical part of privacy and security, and recommendations for tools that cater exclusively to advanced users (whether the tool developers realize that or not) can do more harm than good.
You could make a totally open-source, libre-licensed DRM enforcement framework -- any user willing to dig through it could probably modify and defuse it, but out of the box, it would be an example of free software which aims to defeat freedom.
You can throw out crap like that and presto: libre as in free beer.
I personally use a fairly vanilla Firefox with a few addons and try to keep customization as default as possible. How will further differentiating yourself from the masses (especially since Firefox is already a minority browser) help with privacy, tracking, and fingerprinting? Why not at that point just change your user agent to Chrome/Win7 and run everything in a virtual machine?
edit: To that end, does anyone use browser forks (like Waterfox and Palemoon, or things like unGoogled Chromium) and seriously think they're better than the mainline browser? I see a lot of fair criticism for what Mozilla has done with Firefox (deprecating old extensions, Mr. Robot addons, Cliqz, etc) but it's pretty much the most trustworthy Internet company as far as I'm aware. They seem to genuinely have good will and Open Source at their core, and these forks claiming that Mozilla is this monstrous organization looking to invade your privacy (along the lines of what Google does) seem a little silly to me.
Do they claim that? I felt like most of the forks were made in good feeling, appreciating the work that Mozilla has done, but customising it in their own way/aligning vanilla FireFox with their views.
This problem is especially worsened with the kind of user base that firefox forks tend to attract, from what I have seen. These users tend to ask very high-level questions e.g. "is waterfox more secure than pale moon" and will usually blindly switch from one fork to the next based on poorly-backed, unsubstantial crowd opinion. No userbase means waning support + maintenance. If you ask me, I think in the very special case of browser technologies, it would be more beneficial if the developers and users of firefox forks directed their energies towards making generally desirable changes in upstream.
Dev not available to integrate a pull request and start a build? Download the appropriate build arch image, fire up VirtualBox, sync the repo (and apply a pull request if the dev hasn't had a chance to do that yet) and start the build script.
This doesn't entirely solve the problem, if nobody has submitted a fix yet, and you don't know enough to pull in the upstream fix and merge it yourself, you're at the mercy of some other user having that knowledge and making a pull request. It does close the gap somewhat though.
Are there existing projects to help get to this level of build reproducibility that can serve as a base to use? It would be awesome to know people are already working on making this easy to adopt.
The problem is that it is a giant codebase, you need to compile C++, Rust for hours. Even pulling the latest code is an ordeal.
It's not feasible on lowly workstations and garden variety cheap cloud VM builders, the performance is just crap.
Yeah Mozilla isn't going to like that.
I don't think that's what fingerprinting is about. Whether you're 1 in 50k or 1 in 500k - it's not usable from a marketing/data perspective. Stuff like cookie retention & IP addr seem much more dangerous on this front than browser choice - both of those are more like 1 in 1 or 1 in say 20 depending on NAT.
(Disclaimer: I work for Mozilla but not directly on the browser)
Tor Browser is generally more privacy-focused than Mozilla, and the nicely integrated Tor support gives me a bit of privacy from my infamous ISP (VPN services tend to be sketchy, too).
Drawbacks to Tor Browser are that Tor itself is a bit creepy (e.g., presumably draws more attention to you from your own country's domestic surveillance), some news sites block US Tor exit nodes (whether they know it or not; Cloudflare seems to most often be the culprit), uBlock Origin is not part of the Tor Browser distribution (which means that people who add it lose some crowd anti-fingerprinting benefit), the NoScript part should really be replaced with uBlock Origin, Tor is much slower than direct, and the Tor or Tor Browser project could end/fizzle much sooner than Firefox does.
How I'm using Tor Browser currently is that I use it for sites that don't require logins or otherwise identify me. For sites that identify me anyway (e.g., banking, online ordering), I use Firefox. I don't use Firefox often. Keeping them separate also discourages me from logging into sites unnecessarily.
What I'd ideally like is for Mozilla to become more aggressive than Tor Browser about privacy -- not going to Tor, but doing things that would peeve much of the dotcom surveillance industry. This includes pushing privacy tweaks upstream to Web standards. Mozilla is perhaps the best positioned to play chicken with the dotcoms on this; most genuine privacy efforts would be simply broken by the sites, and lose their users. Mozilla has a lot of upper management, so presumably they could figure out how to peeve a lot of dotcoms, while still keeping the funding flowing.
(I should add that I use Tor Browser for only a casual, on-principle attempt at privacy from snooping companies. I don't believe that Tor or Tor Browser is sufficiently safe for many kinds of journalists and activists, for example.)
https://www.mozilla.org/en-US/security/advisories/
Why isnt the EFF's HTTPS Everywhere recommended? (And why is this addon, tagged "experimental", with <100 users opted for?)
https://github.com/intika/Librefox/commit/45a4d3ce647b8c896e...
may have Terms & conditions violations.
If management isn't automous, then you'll get fragmentation which becomes a fingerprinting mechanism.
If the defaults are too harsh, then you deter adoption and encourage fragmentation of those that do adopt (as they'll muck about in the config and unbreak different things).
With low adoption, using this could potentially make you more identifiable (mirroring the concern of Do Not Track as of late) , [citation needed, on mobile].
I'll definitely spin up an instance of later today, but it looks like the defaults might cause a fair bit of breakage
I expect their shills will be deployed to this thread shortly.
It's certainly not more secure when you've got all your extensions running at highest level privileged (not WebExtensions), the sandboxing code "removed" because mattatobin a Palemoon developer says that it "doesn't work", without giving any specific use case and their non-compliance with the HSTS spec RFC6797 [0]. There's probably countless other things wrong with it, but that's what I spotted after a cursory look.
Their developers are also toxic https://github.com/privacytoolsIO/privacytools.io/issues/375 that's all the proof you ever needed.
Many of your sentiments there are demonstrated in that very thread. One of the developers (mattatobin) repeatedly avoids answering my questions and just says "fake news" and goes all trumpian on me.
Don't bother trying to ask on their forums about this they will just delete your posts and go on about "the untrue narrative" without addressing your questions.
If you contact them on twitter they will block you. It seemed like their while mode of operation was very "alt-right" if that makes sense. They live in a small "social bubble" it would seem.
I also found it rather lol that a so called "privacy browser" has to resort to using google advertising on their main page.
[0]: https://tools.ietf.org/html/rfc6797#section-8.4I don't need or want sandboxing for my extensions -- I can take care of my own sandboxing external to the browser profile instance. And I don't want it either, because it makes them less flexible and powerful. XUL based extensions turn my browser into a power tool, Chrome is a toy.
I don't know why you are upset, because the vast majority of the Internet agrees with you. Most people are happy to have Google control their web browsing experience. Why do you engage with them if they make you so upset? Why are you threatened by a small group of users who want a browser their own way?
As for the HSTS thing, I'm sorry nobody explained that, I'd be happy to elaborate a bit more for you. My computer belongs to me, and I get to decide what runs on it. I can choose to use Palemoon how I want to. Not implementing HSTS according to the RFC is harming nobody except potentially myself. The way HSTS is written is self serving for the powers that be. It reenforces the SSL certificate infrastructure, and takes away user choice in the name of "security". For practical reasons, being able to disable HSTS is important for development. And even without Palemoon, there are still plenty of ways to bypass HSTS. All Palemoon is doing is saving users time.
Besides, Google, Apple, Facebook and Microsoft happily trample on the RFCs when it's convenient for them. Chrome itself was infamous for this when it first came out. I remember seeing Chrome users clobbering webservers and violating protocol to get slightly more speed. Of course, Chrome now sets the standards.
I have to disagree with your characterization of Palemoon users as fascists.
If you don't like Palemoon, then you are more than welcome to not use it and leave the community alone. The Palemoon community represents a dying breed. Soon enough, most hardware will be forced to use their browser, and will only be permitted to go to websites that they approve of. And mandatory DRM. Mozilla also loves DRM.
Anyway, if you have any more questions I'd be happy to answer.
Who is it meant for if it's not meant for users? Are they intentionally trying to turn away certain people?
> I don't need or want sandboxing for my extensions
I think you'll find with all security, it's best to have the "principal of least privilege" https://en.wikipedia.org/wiki/Principle_of_least_privilege at all levels of software. The reason for this is because if something happens to exploit one area of your setup, the hope is that it will be stopped somewhere else.
> I can take care of my own sandboxing external to the browser profile instance.
As do I. I use multiple VLANs (network segregation), Virtual Machines, and other things in addition to browser profiles. Most people however do not. Software should be designed for "most people".
> And I don't want it either, because it makes them less flexible and powerful. XUL based extensions turn my browser into a power tool,
There's plenty of frameworks out there. Perhaps what you're trying to do shouldn't be a browser extension.
> Chrome is a toy.
Okay if you mean high performance web browser with a lot of market share that Mozilla must compete against in order to stay relevant?
> I don't know why you are upset, because the vast majority of the Internet agrees with you.
They do because I am right. I rarely say this as I do often like a good debate, however in this situation I will.
> Most people are happy to have Google control their web browsing experience. Why do you engage with them if they make you so upset? Why are you threatened by a small group of users who want a browser their own way?
I didn't engage with them. They came to our bug tracker and started to push their software on us. I contribute to the privacytools.io website. I was explaining why that particular piece of software did not belong there.
> As for the HSTS thing, I'm sorry nobody explained that, I'd be happy to elaborate a bit more for you. My computer belongs to me, and I get to decide what runs on it. I can choose to use Palemoon how I want to. Not implementing HSTS according to the RFC is harming nobody except potentially myself. The way HSTS is written is self serving for the powers that be. It reenforces the SSL certificate infrastructure, and takes away user choice in the name of "security". For practical reasons, being able to disable HSTS is important for development. And even without Palemoon, there are still plenty of ways to bypass HSTS. All Palemoon is doing is saving users time.
For software that is distributed to the public certain 'sane' defaults are expected for the software to be labeled as secure. These are usually according to spec as I pointed out in https://github.com/privacytoolsIO/privacytools.io/issues/375... there are a number of reasons why software developers should make certain choices for users.
There are a couple of reasons for this:
> 1. Users could be socially engineered into bypassing the warning
> 2. The warning gets "ignored" because lazy users just want to "visit that website", without thinking of or understanding the consequences.
> 3. Advanced users (web developers etc) can simply fix the error server side, do something like this, https://blog.filippo.io/mkcert-valid-https-certificates-for-... or at worst compile their own browser.
> 4. Website owners will fix errors as it will mean their customers, visitors will not b...
Maybe you should be more succinct then. If it's too long for the comments I'm not going to read it. A comment can be 2000 characters which is fairly generous. You can always post more than one reply.
I'm not going to open something on a pastebin like dpaste.com which will only be around for a year. If you're afraid of downvotes write something that makes sense.
Also hello there mattatobin. I know that writing style from a mile away. There's no point in me responding to you, because you never address the question and you just throw a bunch of other nonsense in there that has nothing to do with what was being talked about.
Insinuations of shilling aren't allowed either. Please review https://news.ycombinator.com/newsguidelines.html and follow the rules when posting here.
No problems. Simply split your post over multiple replies. There is a 2000 character limit per reply.
I don't agree with your paradigm for how people should use computers, but that's ok. I know I can very vocally disagree with the direction software is going, but I'd very much like for us to coexist peacefully.
In other words, don't be a victim of BS asymmetry.
> Who is it meant for if it's not meant for users? Are they intentionally trying to turn away certain people?
Only people like you, who are trying to tell them what they ought to do with their free time.
> > I don't need or want sandboxing for my extensions
> I think you'll find with all security, it's best to have the "principal of least privilege" https://en.wikipedia.org/wiki/Principle_of_least_privilege at all levels of software. The reason for this is because if something happens to exploit one area of your setup, the hope is that it will be stopped somewhere else.
And people like you complain that religious people act morally superior! If only he would read what you read, then he would think like you! You must be one of these extremely religious atheists, more convinced of your own correctness than any theist...
> > I don't know why you are upset, because the vast majority of the Internet agrees with you.
> They do because I am right. I rarely say this as I do often like a good debate, however in this situation I will.
...yep! You are!
> > The Palemoon community represents a dying breed.
> Progress will do that.
Here you are, trying to tell people what they ought to do and what they ought to want and how they ought to want it. You're an actual fascist, because you want to deny freedom to others, completely convinced of your own superiority. If only you were king, then everything would be fixed!
But you project that onto others, calling them the fascists!
You're an ignorant moron, as well, because you don't even recognize that it's only due to such freedom that we even have the software and general prosperity that we enjoy.
There is only one appropriate response to a comment like yours: fuck you and your tribal regressivism. Go stone-age yourself, and leave the rest of us alone.
Who knows what kind of issues are lingering around? Given that Pale Moon users advertise themselves as power users they might make quite a valuable target.
It's quite ironic that you accuse them of toxicity when in that very thread you call their project "a shitty pointless effort".
https://www.opendesktop.org/p/1265177/
(1) Why does the logo for Librefox look like a flatter, less colorful version of the Chrome logo?
Edit: Apparently (from a sibling comment) it's actually the AppVeyor logo. https://en.wikipedia.org/wiki/AppVeyor. Why?
(2) How can this be a valid claim: "Librefox is NOT associated with Mozilla or its products." It's obviously associated with one of Mozilla's products -- Firefox. What distinction am I missing here?