20 comments

[ 2.9 ms ] story [ 28.4 ms ] thread
(comment deleted)
I didn't experience faster Firefox on: high end desktop, laptop, mobile. UI changed, promotion of features like Pocket that I don't use. But not performance. Chromium is still faster in everything sadly.
Oh come on, when will everyone stop bitching about Pocket? It's decent if you use it and out of your way if you don't? Especially when the alternative is Chrome, which pushes it's shit on you constantly.

And regarding performance, I find it rather unlikely that you didn't experience a performance improvement, especially on mobile. Seriously try downloading the last build of Fennec and load the same webpage on it, then on Fenix (the new Firefox for Android). I've seen 2x load time improvements on plently of sites and the speedup seems to be proportional to how heavy the page is. Yes, Chrome still beats it at anything using JS, but even horribly slow things like GDrive are now completely usable on FF, even with many tabs.

> Oh come on (...)

Would it be better if we talk about leanplum and firebase analytics, or say mozilla's telemetry service, or how google safebrowsing is implemented?

I mean, if you comment on Chrome for integrating Google services, you gotta do the same when Mozilla does it, too.

If you don't believe me, run an MITMproxy to check for yourself.

I'd rather recommend Ungoogled Chromium, even on mobile, due to Fenix's lack of privacy.

Adding Pocket, which is basically the Read It Later feature that every other browser has, and there is no complaint about, is trivial compared to Google, say, logging you into your Google account in Chrome when you log into GMail in your browser.

Also, the OP comment is hilarious because they clearly seem to have forgotten why people bitched about Pocket in the first place. It wasn’t because it was an integration of Mozilla’s services. It was exactly the opposite. It was the fact that Pocket was NOT a Mozilla service at the time the integration happened that people bitched about it.

Which just goes to show that it wasn’t a real concern, but a Twitter net pointless and baseless moral crusade.

The concern with Pocket is primarily, IMO, that the service wasn't and still isn't Open Source, which is a hard sell for a browser that champions user control.
> Would it be better if we talk about...

Yes! Talk about the things that actually have anything to do with privacy, security, experience...

- Leanplum seems to be there for A/B testing and doesn't have access to anything sensitive.

- Firebase is partially unavoidable (GCM) and as far as I can tell, the only usage of it that impacts privacy is in Rocket (FF Lite) which barely exists anymore.

- Google Safe Browsing seems to be designed in a way that makes it nearly impossible to violate privacy, even if you wanted to. On top of that, FF takes extra measures to protect privacy "just in case".

So where's the problem? Yeah, Mozilla has done some dumb shit (like auto-installing some weird extensions and basically anything upper management does) in the last few years, and they aren't the Stallman* utopia some people want them to be, but they never really claimed to be. Just like DDG, they give you the best privacy level they can while staying sustainable enough to survive.

I tend to disagree with your statements. The codebases provide enough evidence that this is not the case.

> - Leanplum seems to be there for A/B testing and doesn't have access to anything sensitive.

Leanplum has access to at least geolocation and the device id (See [1]), due to their geofencing A/B testing feature. Combine that with an IP and you can uniquely identify any user. Additionally, Leanplum sends its messages via their own Firebase Provider [2].

> - Firebase is partially unavoidable (GCM)

Firebase Push Notifications are necessary since Android 10, and only if your application consistently runs in the background. If you have e.g. a download notification with a high priority displayed, your app is allowed to continue to run without any firebase, at all. Source: The Telegram FOSS fork does this, actually. See [3] for details

> - Google Safe Browsing seems to be designed in a way that makes it nearly impossible to violate privacy, even if you wanted to.

Okay, now it's time to refine this in context of "Firefox Klar", "Firefox Focus" or say, the Fenix codebase(s). I'm focussing on Fenix here only, because all current Firefox products for mobile rely on it as an engine.

(Usually the same metrics are included in Firefox for Desktop, too, but this post would explode this comment; see spywarewatchdog or similar audits for more details on it, which still hasn't been improved over the years by mozilla.)

- Mozilla implemented their own ads distribution system that hijacks google ads on pages and replaces the id with the one that was specifically generated for the web browser (after first opening the web browser) [4].

- Mozilla's Safebrowsing uses a generated hash, that is used specifically to identify a single device [5].

- The server for both of those hash URLs is hosted by Alibaba in CHINA, which is certainly a GDPR "violation by the book", as the server is contacted for everyone, not only people that live within China; every time the Browser is online again; even in an interval. (also [5])

- Fenix also adds Tab interactions and sends the data to their telemetry service; including the URL and history of that specific tab [6]

> On top of that, FF takes extra measures to protect privacy "just in case".

As my links prove: No, they don't. For example, they activate Leanplum's device id specific tracking even if the user is outside the geofences, so they track users even if they already know it's unnecessary. [7]

=========

[1] https://github.com/Leanplum/Leanplum-Android-SDK (especially the AndroidSdkCore is relevant here, assuming the discussion of the "most privacy respecting" featureset)

[2] https://github.com/Leanplum/Leanplum-Android-SDK/blob/master...

[3] https://github.com/Telegram-FOSS-Team/Telegram-FOSS/blob/mas...

[4] https://github.com/mozilla-mobile/fenix/blob/5ad714db864bce7...

[5]

> Leanplum, location, "device id"

Doesn't have access to location and the unique id is specific to leanplum so it can't be tied to anything else. See [1] for an explanation (the source seems to match from my quick look)

> GCM

Firefox has certain real-time features (like sending tabs) that wouldn't be feasible without cloud messaging. Telegram FOSS and many other apps use workarounds that are less reliable, worse UX and drain battery anywhere from a bit more to HOLY SHIT WHERE DID THOSE 4500mAh GO? (source: Telegram FOSS on my OP3T) If you want to propose a better solution, I'm sure the 3 remaining devs at Mozilla would love to hear it.

> Okay, now it's time to refine this in context of "Firefox Klar", "Firefox Focus" or say, the Fenix codebase(s). ...

Sure, let's talk about Fenix - what is now available in G Play as the standard "Firefox for Android". I don't use Klar or Focus, but they use much of the same code, so all of this is quite general.

> - Mozilla implemented their own ads distribution system that hijacks google ads on pages and replaces the id with the one that was specifically generated for the web browser

The link you provided doesn't make that clear and neither do you. What "id" are you referring to? What is its significance and where in the code is it replaced?

> - Mozilla's Safebrowsing uses a generated hash, that is used specifically to identify a single device

The link you give makes no sense. The URL at the marked line is the URL from which hashes of unsafe URLs are fetched (for China). The hashes are (anonymized) URLs, not devices, and they are received, not sent. If what you're concerned about is "SAFEBROWSIND_ID" in that string, it is mapped to an implementation-specific not instance-specific identifier, as is clearly required by Google's API [2] and is in fact taken from a the about:config entry "browser.safebrowsing.id" that you can check for yourself only contains something generic like "navclient-auto-ffox".

> - The server for both of those hash URLs is hosted by Alibaba in CHINA ...

Only for Chinese builds of the engine. See the if statement at [3] and explanation of the config option at [4]. The code you linked simply overrides the default SafeBrowsing API URL for the Chinese market as the original URL is not available there. The browsers treats it identically as the original, so all the client-side privacy guarantees are still there.

> > On top of that, FF takes extra measures to protect privacy "just in case". > As my links prove: No, they don't

That part of my post was still referring to SafeBrowsing, specifically the part where they separate the cookie jar and inject some extra noise. [5] explains the whole process quite well (it's similar to how HaveIBeenPwned works)

> For example, they activate Leanplum's device id specific tracking even if the user is outside the geofences, so they track users even if they already know it's unnecessary. [7]

But they're not "tracking" them in any significant way. My first link outlines this quite well. As for why those locales are hard-coded, It's probably because those are the biggest markets and will usually be the first in A/B any rollouts, so using geofences would just be wasteful as they'd always return true anyways. Either way, nothing nefarious there.

[1] https://github.com/mozilla-mobile/fenix/blob/b8de7079a963efb...

[2] https://developers.google.com/safe-browsing/v4/reference/res...

[3]

I recently became a developer for a terrible no good platform that I shouldn’t name (ServiceNow). It’s bad in ways you can’t even understand unless you develop for it. I want to use Firefox for all kinds of reasons, only problem is chromium is an order of magnitude faster working with their shitty javascript. I truly wish it was not so, but if I want to go home to my family as soon as possible, it’a chrome/edge. FF introduces too much lag.
V8 is superior for sure but to make matters even worse, tech companies refuse to support firefox breaking feedback that would have aided its development. Users will not subit a github issue/bugzilla.

Also, if you think that product is terrible you must not have tried their competition (Remedy) which I can only describe as a product that feels like a hundred teams all that exclusively use IE came up with a 100 checklist feature items and then randomly distributed it to a hundred other dev teams that also only use IE and skipped UAT.

Much like GNU/Linux, my theory is that FF devs themselves rarely use enterprisy products with webui and a lot of bad js that magically works great under chrome.

I spent an hour today on support for a certain app because it turns out their app was using my default browser (FF) for certain features which just would not work. Worked great in chrome.

Not trashing FF, but we need to talk about these issues if they are to ever be addressed.

I’ve found that firefox has become quite slow on X11 on linux, can anyone suggest some fixes? Can’t switch to wayland because of nvidia.

On windows it’s solid however!

Edit: just saw this in the release notes for 84: “ Additionally we'll ship an accelerated rendering pipeline for Linux/GNOME/X11 users for the first time, ever!”

Fingers crossed, gonna check it right away!

If it doesn't automatically enable it for yout (check about:support), try force enabling WebRender. It made things much better for me both on Wayland and X11 for the past year or so. I don't know the about:config option, but some googling (ducking?) should get you some instructions.

And out of curiosity, what's your current problem with Wayland+Nvidia? For me, it's been pretty much equally as unstable as it is on X.

Thanks, I already tried that once before and it didn't really make a difference, will try again.

On GNOME you can't use wayland if you're using nvidia's binary driver, which I am.

> ducking?

I've been using "DDG" as a stand in:

"If you DDG it you should find some references"

It's not perfect, but at least on tech focused sites where the readership knows about DuckDuckGo I've found it works.

Yeah, that makes more sense. I've used it before too, but when I was writing that, my brain just completely failed at remembering it :)
But most importantly, search keywords now become blue on activation. I am unreasonably pleased with this improvement.
> The new Firefox for Android that launched in August loads pages 20 percent faster than at the start of the year making it the fastest Firefox browser ever on Android.

But messes up video experience when going full screen, dropped support for almost all extensions without warning, sometimes I have to restart the app because it freezes, header sometimes doesn't show up when scrolling up and ux is not quite there yet.

I had to downgrade the android app version and don't even get me started on my experience with Firefox on Ubuntu (random crashes, sometimes I can't close tabs or open them, I keep hearing audio from a tab I already closed and some more).

I really love the product and I hope the Firefox teams makes it better.

Sorry for the rant.

If only they would fix the font rendering

Particularly small point sizes seem lumpy and not anti-aliased correctly

(on macOS)

"We did it by making it slower in 2019, then bring it back to the original speed in 2020."