192 comments

[ 4.8 ms ] story [ 211 ms ] thread
I can't live without Tree Style Tabs[0] in Firefox. It's The Thing that finally got me to switch back to FF and I will never look back.

0: https://addons.mozilla.org/en-US/firefox/addon/tree-style-ta...

(comment deleted)
Second. It's the single biggest reason I'm still on firefox.
Would add HTTPS Everywhere https://www.eff.org/https-everywhere and NoScript https://noscript.net/ to that list
These are essential- I also add Privacy Badger and uBlock Origin. I choose Firefox over Chrome.
If you have the latest chrome/firefox, doesn't that default to https all the time? Thus making "HTTPS Everywhere" redundant?
HTTPS Everywhere will block a site if it does not have HTTPS available iirc. Chrome/Firefox don't do that by default.
you can disable scripts even with ublock, so I don't understand why people still keep noscript
I just use uMatrix. Much easier to manage scripts, cookies and XHRs
Does HTTPS Everywhere actually work for you? It's utterly useless for me as far as I can tell. Try going to some site (say, example.net) in Chrome and watch it just load HTTP.
HTTPS Everywhere only loads HTTPS on a predefined list of sites. I just use SmartHTTPS on Firefox now.
IIRC, you have to enable the "strict" mode, or something along those lines, in the settings before it rejects HTTP connections from being made. I had the same issue.
Thanks, but then what do I do about HTTP-only sites? Why can't it default to HTTPS and then auto-fallback to HTTP when HTTPS connections fail for sites that aren't in the known-HTTPS list? It seems like a logical thing to do instead of just going straight to HTTP.
This only helps you at all against passive adversaries.

An active adversary will just cheerfully block that HTTPS connection because you'll fall back to insecure silently.

I fully understand that and that's still clearly still better than going straight to HTTP, which it's already doing.
Great addons, also available at the firefox browser.
Imagus to zoom into images maybe? Buster to solve captchas?
I hate captchas and love how buster is feeding them their own dog food by using speech to text to defeat captchas!

Seriously though, it almost makes me look forward to sites that have captchas to feel like I’m sticking it to google instead of working for free to help them make their computer vision models better.

> Buster to solve captchas?

Had to install "privacy pass" cos of cloudflare's move to hCaptcha

Color picker, produce approx. hex n rgb color of page

screenshot whole page (not always produce good result)

Magnifier

one thing I only started doing recently was to (in firefox, not sure chrome even gives you that control) disable the option to use fonts.

I set my serif/san-serif fonts (ubuntu, ubuntu mono) and disable "allow website to choose their own font"

It's incredible how having a standard font all over makes reading easier.

Only downside is a handful of sites that uses the neo-windings (fontawesome et al) for icons. But it's not hard to click the button with an "S" instead of the one with a magnifying glass.

If you can live without Chrome, you can live without all Chrome extensions in the article; If you can live without a desktop/laptop, you can live without all Chrome extensions. I just don't like this kind of eyeball-attracting title: Too much exaggeration
I agree. No need to be hyperbolic. These titles literally kill me.
That’s an insane amount of extensions, most of which seems to deal with fixing “broken” website or at least make them tolerable.

Reader mode is a little surprising, doesn’t Chrome have that built in?

I have seen it a few times, but only on mobile IIRC and it wasn't consistently shown across all pages where I wanted the functionality. I definitely can't seem to find it anywhere on desktop Chrome.
Enable it in accessibility (on Mobile). Always show 'Simplified View'
Google makes money from websites showing ads, so making a reader mode readily available would be counter to that. There used to be a hacky way to approximate reader mode in Chrome [1] but not sure if that still works. Just another reason to favor Firefox over Chrome IMO.

Google will always give only enough privacy options to give the veneer of supporting privacy, but never enough to truly allow it (e.g., anti-fingerprinting measures). You can't blame them really, it's just not their business model, but if you disagree with that model and its effects on you, you can choose a different browser.

[1] https://www.cnet.com/how-to/how-to-enable-reader-mode-in-chr...

Yes, Chrome has reader mode.

chrome://flags/#enable-reader-mode

Didn't they remove it?

Didn't find it in chromium. Might look again.

I think of extensions as a way to adapt the web to my preferences. Sane defaults are not that universal and it's good to harness the power of the web to make everyone happy.
Yes, Chrome has reader mode.

chrome://flags/#enable-reader-mode

>Grammarly

Are we cool with them now or are they still stealing your data? I'm not up to date

I even pay them for premium. I can't send an email without it. It makes business emailing much more professional.
Can I ask how? What does it correct or suggest that makes it so useful?
I'm curious about this as well. Seems just like a normal spell checker to me
Well, it would highlight your second sentence and offer something like, "To me, it seems just like a normal spell checker."
In a 300 word email I make at least 3-4 spelling errors either because I don't know the words spelling properly (yes there are many words) or because I type fast make mistakes. Grammarly checks their database and compare my sentences and suggest different ones. Try it, it really does help.
Out of curiosity, is English your first language? I can see that it would be helpful for fixing the types of errors you mention, and the kinds that appear in your comment. Does it give suggestions for text boxes like in HN comments as well?

I have tried it and found nothing useful for me, but am interested to know why/how people use it.

You guessed it right. No, it is not my first language that's why maybe I am more inclined to use paid tools like Grammarly. Although, my coworkers/employees are native speakers they make more spelling mistakes than non-native speakers (maybe confidence?). I force them to use grammarly and almost every email there is 5-10 corrections. If you didn't try yet, just download and scan some of your old emails. I bet you will find minimum of 5 mistakes. Better safe than sorry.
As far as I know they still send everything you type to their cloud service, and their privacy policy gives them broad latitude to use that info to "improve the service."

Right now I use "LanguageTool" with the Java-based server running locally. After I imported the ngrams it works good enough to be a clear improvement over Firefox's bad built in spelling/grammar checker. The UI is passable. It does randomly decide I typed another language though and tell me everything I typed is misspelled in that language.

In an ideal world I'd prefer to pay LanguageTool money for their premium product, but they have the same privacy problems as Grammarly. Heck I'd pay Grammarly if they had a more private offering, it is a good idea.

I'm so sick of their ads on Youtube. How is their revenue if they have to show 50 ads to every person in the world per day?
Hmm, that's a long list. I use zero extensions, and I've never really had the urge to go looking for them. Now I feel like a weirdo ;)
That is quite a list. Some of the choices I don't agree with. For me the first thing I install though is Ublock Origin. Can't use the web without it.
uBlock is a godsend indeed. Which ones do you disagree with, and why?
Not commenter you were replying to, but...

Honestly, most of them. Grammarly in particular because of privacy concerns, but I avoid using any that are not both open source and high payoff.

I use Privacy Badger and NoScript. I may add Ublock Origin to cover the edge cases where I need to enable JS. Anything else is adding bloat, not cutting back on it.

NoScript in particular covers: UBlock Origin, Nano Defender, Hover+Unpaywall, and ShutUp

Most of the others, I already use something outside of a browser or don't need.

There's an incredibly useful extension that's not on that list that I bet a good number of HN folks would like:

Vimium [1]

It lets you use keyboard shortcuts to navigate through webpages, click buttons, jump to text boxes, etc. it's been huge for me both as a productivity tool (it's significantly faster than using a mouse for navigation) and also for reducing RSI/strain on my hands.

Here's a video of it in action as you really need to see it being used to understand the different interaction model it provides.

https://youtu.be/t67Sn0RGK54?t=21

1 - https://chrome.google.com/webstore/detail/vimium/dbepggeogba...

edit: fixed link (but if you enjoyed the writeup of data security requirements let me know).

Vimium is a CPRA checklisk?
Ironically Vimium (and most extensions) are disabled on the Chrome Extensions domains. So when I hit 'yy' to copy the URL of the existing page it didn't copy it, so I instead pasted the last URL I had, which was the CPRA checklist.

Not something I had intended to do, but I hope the checklist was useful.

Ahh, makes sense. Thanks for the reference though. So far I like it.
I used to use vimperator and/or pentadactyl back before the big firefox change that redid how the browser buttons/menus/etc were rendered and it was pretty ideal. The bar at the bottom, the ability to do bind any menu action, the quick addon management interface, the beautiful completion when opening a link.

Since eventually switching to Chrome, I've tried vimium every now and then and always found it lacking. It usually got in the way when I didn't want it to and I'd get sick of trying to figure out how to turn it off for a particular site/just for this one interaction and just uninstall it.

It's been a year probably, so I guess I'm about due for another go.

I use cVim and turning it off for a domain is a matter of clicking on the extension icon and then 'disable for this domain'.

The reason I switched to cVim was that I preferred its approach to the 'type keys to click link on page' feature.

I've been using Tridactyl ever since Vimperator went belly-up. It's not 100% there yet, but it's getting close!
banana_giraffe's comment is pointing out that you linked to an unrelated google doc – maybe you meant to link to the vimium homepage instead?
I prefer Vimvixen for Firefox, but it's essentially the same thing. Cannot live without it.
I'm using Saka keys for this. May be availlable for Chrome too, not sure.
I am too wary of malware extensions to install that many. It is clearly trivial [0] for malware to get into the Chrome store, and Google is not doing enough to make me feel comfortable with it.

Additionally, I know that even as non-malware extensions grow in popularity they are solicited by malware companies to integrate their software in an update. I experienced this first hand with the HoverZoom extension. [1]

[0] https://awakesecurity.com/blog/the-internets-new-arms-dealer...

[1] https://www.ghacks.net/2013/12/26/hoverzooms-malware-controv...

Yes, this - absolutely. Every extension you install is another potential risk/attack vector. Consider the sources carefully and run the least number of extensions possible. Each one potentially has control of your browser, so choose accordingly.
Lately I ended up running much fewer extensions than I used to, and actually looking at their source first.

I think the only closed-source extension I run is lastpass, and I'm evaluating open-source alternatives.

How do people who cannot read code even cope, I don't know.

+1 for bitwarden. Of all the things not to trust closed source software with, passwords are the main one
KeepassXC is fortunately the only sane password-manager; so; bite your heads off with all the other crap. Bitwarden is a POS over-commercialized POS; use KeepassXC instead. Obvisously not afflitiated with KXC; and certainly not Shitwarden. Good for you that KeepassXC is free; unlike Shitwarden! Have your choices.
Can you comment on why you think Bitwarden is a „POS“ and what KeepassXC does better?
>KeepassXC is fortunately the only sane password-manager

What's wrong with Keepass?

If there were ever a post to drive me away from a product, this'd be it. Good to know that I should stay well away from KeepassXC, if this is what its defenders sound like.
It's really disappointing to see what's a now flagged post and push-back to what was obviously a flagrant comment. For a more level-headed opinion on KeepassXC, it's decently polished and easy to use. It's also open-source and cross-platform. I like it and came from the original Keepass. I didn't have any specific issues with the first besides wanting to try something new. I haven't noticed any major issues with KeepassXC myself but open to hearing others' experiences.
Comment was flagged so I have no idea what they said, but I use KeePassXC and I'm happy with it. Regular KeePass is good too, but I use XC because it's cross-platform.
If you turn on showdead in your user profile settings you can see flagged comments. I find it helps with context in situations like this, but certain types of posts do attract a lot of racist/sexist garbage that you normally cant see so be forewarned.
Can you list those open source extensions you run? I think this could help a lot to cope ..
I signed up for LastPass a couple of weeks ago, and they started sending me spammy emails every single day. I went into account settings and disabled the emails, and they kept coming. I opened a support thread on their forum, linking many other similar threads going back several years, and saying that they have to fix this under GDPR... Silence.

I deleted my account and switched to BitDefender. Still getting the LastPass emails though, whenever I check my spam folder.

Also, LastPass slowed my Android phone a lot. BitDefender doesn't seem to do that.

In short, my recommendation is: stay the hell away from LastPass. They can't even handle an email system, I don't trust them at all to handle my passwords.

> Also, LastPass slowed my Android phone a lot.

Their Windows application was also painfully slow.

I paid them for years but I no longer trust them, it seems to me they are incompetent as an organization even if the people who work there might or might not be smart.

You meant to say bitwarden? Afaik Bitdefender Is an Antivirus.
Isn't this true, to some degree, with all software distribution channels? Weren't CCleaner and FileZilla hacked to distribute malware alongside the main payload?
Unvalidated auto-update really is an anti-pattern. Giving arbitrary third parties the power to install and run software on your system in perpetuity is a massive attack vector. Most software doesn't represent a large active and ongoing attack surface that auto-updates would be a net positive.
I can't count the time I have heard good things about an extension, went to the chrome store page and ... "asks to read your data on all websites".

Hard pass.

I can't prevent the apps/OSes I use from gathering data about me, but that's at least one vector (although sadly a small one) I can do something about.

I really wish browsers would change their security model for extensions :\

"all or nothing" is ridiculous as the only option - let me revoke access or restrict it to specific sites. I may not care if X has access to site Y, but giving it access to Z means giving it the keys to my life so hell no. I don't even want to use it on Z.

Chrome lets you limit access to a list of specified websites. Right click the extension icon, click manage extension, and find the option there.
Excellent, I hadn't noticed that one yet. Yeah, that's a good start.
It's fairly new (maybe 1-2 years old, I forget), that's probably why you didn't notice it.
I only discovered it because I was going to add a similar feature to my Chrome extension, and I was researching to see how others tend to implement it. I was glad to see that Chrome offers the feature natively, and surprised to see that Firefox didn’t.
You can add domains to protected sites. No addons will work there.

So if you want no extension to be able to read gmail,

Add mail.google.com or google.com to

extensions.webextensions.RestrictedDomains in about:config

I wish there was a way to exclude some websites instead! I want most of the extensions like ad/script/etc blockers to run everywhere, except say GMail.
> "all or nothing" is ridiculous as the only option - let me revoke access or restrict it to specific sites.

Thank you. I've been waiting for Firefox to add this feature for almost 2 years. For a privacy focused browser, this should be a must have, top priority.

I think they have already? In the old days, you just click once to install a mouse gesture addon.

Now you have to dig into the settings. And give it permission before it could work. At first I found that annoying. But upon reflection. I guess it's a necessary evil.

Edit: I misread the parent comment.

You could fork the extension and modify it for your own usage
while true, you can say this about anything which doesn't have any permissions system too. why worry about end-user security, they can just fork and modify.

which means, effectively, that it becomes a 0.001% or worse event. arguably the whole point of privacy-focused (or even -aware) software is to increase that beyond "fork and modify"'s ratio, as far as possible, because it doesn't work in practice for the vast majority of the globe.

In Firefox you can choose for every extension if it is allowed to work in private mode.
But this ties me to use private mode everytime I visit an important site. This is not what I want.
You can add domains to protected sites. No addons will work there.

So if you want no extension to be able to read gmail,

Add mail.google.com or google.com to

extensions.webextensions.RestrictedDomains in about:config

Agreed. Like with Pocket's Chrome extension permission model[1] that has a "read everything on all websites", when really it only needs brief access to the URL when I want to save something.

I tried changing the "Site access" setting to "On click" -- but then the extension started acting funny or not working in some cases.

Chrome has added a more limited "activeTab" permission[2], but even that might be too much since it grants control to the tab and continues to allow permission on the same origin.

Like the GP said, even if the extension developer isn't trying to exfiltrate data, they should do more to protect users from a compromise of their extension, and browsers should give them the models to do so.

IMO, good security models can be a foundation forward to better overall security compared to desktop apps since it seems that browsers are becoming an OS of their own.

1: https://help.getpocket.com/article/912-what-permissions-does...

2: https://developer.chrome.com/extensions/activeTab

Just yesterday I ran into an invisible layer right here on HN when replying with a comment that opened a new page when I tried to click on something.

I disabled all extensions that I don't commonly use and am watching for now, but I have no idea how to actually tell which one did it (many of them were recently updated due to a Chrome change on August 6th or something).

For me it's uBlock Origin and uMatrix. The web is unbearable without those two. Pages load at least 50% faster. Makes you realize the amount of crap modern sites load.
NoScript, uBlock Origin and Dark Reader.

All other ones are nice to haves but those are my building blocks.

What are your nice to haves?
Panorama view (think spaces for tabs) Multi-account container (keeps facebook properties and google properties on their own world) User-agent switcher (I switch to mobile on heavy websites) Evernote clipper FoxyProxy Auto-tab discarder HTTPS Everywhere S3 translator
why noscript though? you can block scripts with ublock
Indeed. And not only 'can' but 'should' :-)
I find the granularity of noscript easier to manage
Nano Defender hasn’t been necessary in my experience. uBlock Origin can circumvent anti-adblock measures by itself.

I’m skeptical of Grammarly from a privacy standpoint. It seems to be an internet-enabled keylogger.

Grammarly has been in the news for some privacy and security issues (around 2018). It was leaking everything that you typed.
It is mentioned in the link, but I just want to emphasize that Video Speed Controller [1] has been amazing for me. Unfortunately, it didn't work as well on Firefox (stuttering on higher speeds above 2X) when I tried it a year ago. Which means I'm stuck with chrome for at least a decent amount of my activity.

[1] https://chrome.google.com/webstore/detail/video-speed-contro...

in my firefox (not that it would really matter) I have only four:

Download notifications - since FF has crappy notifications about finished downloads unlike Chrome, so this way I can't overlook finished download

https://addons.mozilla.org/en-US/firefox/addon/gnome-downloa...

HTTPS Everywhere and uBlock origin - no need explanation

To Google Translate - since FF doesn't have built in translation service, so this way I can easily translate page through right click menu

https://addons.mozilla.org/en-US/firefox/addon/to-google-tra...

but if I would be using Chrome I would need just ublock and https everywhere (although not sure if is is not redundant nowadays in both browsers)

I just use uBlock Origin to clean up websites I visit of their trending sections, recommendation sections, comment sections. Sometimes I get rid of links that I might mindlessly click, like the whole top bar of reddit.com.

For example, these filters work really well on youtube.com

youtube.com##.ytp-pause-overlay

youtube.com##.ytp-suggestion-set

youtube.com##.ytp-endscreen-content

youtube.com###related

Do you have more of this? Perhaps on a github gist?
Worth publishing as a new block list for uBlock.
I recently deleted all of my extension off all three browsers (Chrome, Firefox, and Safari). The ad blocking on Firefox is almost as good as Ublock Origin. I found privacy badger to be largely useless.

The only thing I miss is lastpass, but I've gotten used to having it run as a desktop app.

Containers in Firefox were nice, but I've also gotten used to switching accounts.

The fact that extensions get 100% access to everything on your page (including password forms) is just a no-go for me. I have to draw the line somewhere.

You still have to trust your browser and your OS.
Obviously. That's why I said "I have to draw the line somewhere".

I trust my browser and OS more than extensions.

Your security posture is probably different than mine.

Well if you're worried about chain of trust, you could only use recommended extensions on Firefox. They're manually reviewed so you're still only really trusting the organization that runs your browser.

Bonus point if you download the extensions and manually review it yourself.

My comment wasn't clear sorry. I was thinking about privacy, not security.

What I meant is that if you use a commercial OS and browser (and your ISP too) they're still going to exfiltrate your web activity to their servers.

> Privacy Badger + UBlock Origin

The days of uBlock Origin on Google Chrome are numbered. It may not work for Google Chrome when Manifest V3 is implemented (and no recourse provided for uBlock Origin). [1]

P.S: I haven't kept up with the latest developments on this since last year.

[1]: https://www.ghacks.net/2019/01/22/chrome-extension-manifest-...

oof, really hope this doesn't see the light.
On the other hand, this might be the push some people need to start using Firefox.
Or, ironically, MS's chromium fork powering Edge
> MS's chromium fork powering Edge

Microsoft will simply follow Google's lead.

Although it’s not quite as good as uBlock Origin, moving to a network based setup, like PiHole or AdGuard Home, can make great strides across all your devices with minimal headache or worrying as much about Google making it harder to control your web content. It makes it very apparent when I’m browsing on my phone or iPad and they switch over to LTE because all the sudden there are ads everywhere.

At some point I’m sure they’ll start trying to bypass local DNS by forcing DNS over HTTPS to only their approved servers, at which point someone will build a MITM HTTPS proxy for home users that you can seamlessly install onto a Raspberry Pi until we see the next escalation in the never ending battle for our eyeballs.

GP here. You can also try NextDNS.io, which allows you to choose blocking lists. There are apps for iOS as well as other platforms to allow it to be used on all networks (or even configure it not to be used on specific WiFi networks).
If uBlock Origin doesn't update, there'll be a dozen adblockers that work with Manifest v3 on day 1.

It should be quite trivial to write an adblocker that integrates with EasyList using the new APIs.

If its trivial what's stopping you from doing it?
Why would I need to? Manifest v3 isn't even out yet, and dedicated developers will easily beat me to the punch.
What? Manefist v3 is not even out yet...
> If uBlock Origin doesn't update, there'll be a dozen adblockers that work with Manifest v3 on day 1.

You seem to not know what manifest v3 is actually doing.

Any adblocker with a static list of domains per-update of the crx file's manifest is useless. Users would have to install hundreds of extensions (each with dozens of domains that they themselves block), just to have the same functionality.

If any anti adblocking team of any ad network decides to just rename foo.tracker.net to bar.tracker.net, all adblocker extension users would have to REINSTALL the chrome extension manually because the manifest's list of domain is statically builtin.

You're operating off of outdated information. Rules do not need to be baked into the manifest.

>The Declarative Net Request API now allows for the registration and removal of dynamic rules - specified at runtime rather than statically in the manifest. We’ve also added the capability to remove common tracking headers, such as Referer, Cookie, and Set-Cookie.

https://blog.chromium.org/2019/06/web-request-and-declarativ...

In the post: "Shut Up disables comments everywhere. When I trust a platform's audience enough to read the unfiltered outputs from their brains, I enable comments for just that site. Sometimes I turn it back off immediately"

At the end of the post: A comments section with spam in it.

You know, if he can't see it, maybe he forgot it was there? That would be an amusing side effect.
Honestly, I can imagine that content creators would love the option of not seeing their comment sections, at least after they take off. If I were, say, Dan Harmon, I'd be really happy to have the option of filtering every post anywhere with a reference to his work.