I cannot overstate my disgust with everyone at Mozilla for doing this. This is the straw that broke the camel's back. I have been using Firefox begrudgingly every since the "studies" feature got unearthed.
It seems to me there are entirely too many people feeding at the trough at Mozilla and they are not managing their money very well.
It seems like I am going to MITM our browser traffic and set up custom filters or something.
When I looked, I saw that the option was automatically checked during the upgrade with not a notice given. This is the latest in a series of scummy moves. I spent the last hour trawling through Firefox source code.
In any case, when people act like this, I do not trust that turning off the option actually stops them from keylogging, which is why I am going to look into inspecting traffic.
I think this is the correct way of phrasing it. "Suggestions based on X" merely implies that information on X is now sent to an (additional) 3rd party, and doesn't state so explicitly.
In fact I would say the lack of explicit statements on what data is sent is a deliberate attempt to hide that fact from users. Note how similar the language is to the privacy options on Google's Android.
I don’t think phoning home by default is part of the mission of being a ‘Privacy focused browser’.
Worse thing is Mozilla keeps projecting this empty message of ‘privacy’ whilst still continuing to be more than 80% funded by one of the most anti-privacy companies in the world who directly goes against their entire mission statement.
I honestly believe that the leaders at Mozilla are actively trying to ruin Firefox, and are perhaps paid off/run by people with interests in another competing browser. Even if that's the case I can't keep using this shitty browser, Chromium here I come
I don't care how few users Firefox has. I do care that the product has become a pile of garbage. I already tolerate the dumb tab bar, the update nag screen that interrupts my work, the telemetry setting that doesn't actually disable telemetry, the web services I don't want like Pocket, the ads, the memory issues that hobble my machine when I stream video...
I won't move to a browser like Chromium with a connection to Google, but I'm moving to something. I'm done with Firefox.
If you're on Linux, exclude it from automatic updates in your package manager, and it won't interrupt you. On Windows, you should be able to set app.update.auto to false in about:config, but I don't know if that still works.
And what browser would that be? Mozilla keeps doing these things because they're desperately searching for a revenue stream that doesn't make them beholden to their biggest competitor. There aren't any other viable options because no one else knows of any better revenue streams for web browsers either
To avoid significant layoffs they'd something like 10% of their user base to donate $20/year. I'm far from an expert on nonprofit finances, but that strikes me as a tough but potentially doable goal
The reason I stopped donating to Mozilla is because they have too many people not doing things I think are important and are paying their executives too much.
None of these projects have enough resources to keep up with web standards, and patch security bugs on their own. So forks are either almost the same as Firefox, or may be less secure and/or doesn't work for as many websites and addons as Firefox.
Try LibreWolf -- it's Firefox with the nasty stuff stripped out. You can use your existing Firefox profile, but be sure to go through LibreWolf's settings as some of the defauts may be different than what you already have set up (they select privacy-protecting options by default).
Try Brave, really. I always had issues with Chrome and RAM usage. Brave behaves better, plus the UI is slick.
People here complain about it having some sort of cryptocurrency embedded, but it's opt-in, so as long as you don't enable it, I don't see the issue. Plus it comes with an ad-blocker / anti-tracker out of the box.
Seems to me that Brendan Eich actually knows what he's doing.
Using Brave right now and no stupid popups. Make sure you turn off "Brave ads" or whatever causes popups. Always scan through every option in Settings at least once and turn all the junk off. The only mild annoyance left after doing this is that sometimes the new tab page has a little box shilling some Crypto coin biz which you can then silence. If this is all I have to suffer in order to fund a solid de-googled Chromium it's not too bad.
We don't put any popups anywhere by default. Are you sure the website wasn't trying, which flies a permission prompt same as in Chrome and other browsers?
I turned on the special, approved Brave ads thing last time I used it because I wanted to support Brave; and they only showed up as little pop ups on the systray and were infinitely more annoying to me than a static banner ad.
You click on them to open new tab pages if interested, can thumbs down and lower frequency in ads settings. You also get 70% of the sponsored images shown in 1 of 4 new tab pages. Static banner isn’t going to perform as well, so I hope you will give ads a try again. You could even turn off notifications but keep the sponsored images.
I think those ads are much better. In-page ads interrupt my content, claim my attention when I want to see something else, and distract from the page (and sometimes even break it). Ad-heavy pages are nearly unusable, especially on lower-power mobile devices. OTOH, I don't mind a popup once per hour - it's not modal, does not require me to do anything, does not consume resources and I can easily deal with it whenever I want. Page popup ads are infuriating, but Brave ones never really bothered me.
Just so I understand you, is your position that Sundar Pichai or Tim Cook or whoever is approaching Mozilla employees in dark alleys, Willy Wonka and the Chocolate Factory Slugworth style, and offering cash to covertly sabotage the product?
It's really amazing how far Firefox has fallen. This used to be a browser people bought TSHIRTS for. TSHIRTS! And wore them! And not just in SV: I'd see them in the wild in small cities too.
The discussion is always the same, I'm not sure what can be added at this point. Yes the way they're actively destroying it is mystifying, yes, maybe money issues are part of that but god can't you just make your own browser? Mozilla's problem, more than any specific incident like this, is that they've become completely incapable of thinking for themselves. Everything is a follower move, trying to find something popular and than emulating it.
I'll continue to use FF, but only because it's easier to massively "tweak" into a usable product than chrome.
They fired Eich and turned from a company of smart engineers and users of their product to randos who work on weird projects using their big paycheck from Google.
Their products suck because they don’t care about them. They don’t genuinely want to compete with or anger Google for fear of losing funding.
They’d be better off cutting down to a lean $5/year spend and just making a browser.
A lot of their lack of focus predated Brendan Eich's 11 day CEO tenure. By 2014 Firefox had already lost a ton of mindshare and Mozilla was working on their unsuccessful Firefox Phone.
Eichs short lived reign was a symptom, not a cause. The decision to put him there was certainly a decision made by an executive board that is out of touch.
In retrospect it seems firefox phone was actually a good idea, it’s been reborn as KaiOS and doing great. Pretty embarrassing for Mozilla to fail and cancel the project and then have another company take it and succeed…
Before reading TFA, I would have called you paranoid. Now I wonder... Excluding Firefox from my package manager won't work for long -- surely I'll have to update, just for security purposes. Does anyone know of a good Firefox fork?
What's worse is that even if you have "Search Suggestions" disabled, which I do, then the "other address bar suggestions", which includes "contextual suggestions" *remains enabled*.
Why isn't it off by default! We always get mad at all these companies invading our privacy by default, or why aren't we notified and given the chance to turn it off from the start.
Sadly It doesn’t come as a complete surprise to me. About 2 years ago using Firefox Focus on iOS I came across an odd behavior - each time I launched the app it was accessing and reading the device’s clipboard.
I called it out to Mozilla both through the app review and Mozilla support. The only response I got was that it was a feature. That I misunderstood what they were attempting to do. They removed that “feature” in the following version.
Just a guess, but it could've been a way for them to determine if you were about to paste content into the address bar. I worked for a company that did something similar. It would compare the clipboard to the contents of the input field. If it was a URL and they matched it would assume you had pasted a URL and would take some extra actions based on that.
It wasn't until the OS started alerting the user to this clipboard read that it started to look very suspicious.
The title is misleading. Sending keystrokes isn't new. Both Firefox and Chrome have "keylogged" address bar tying for a long time to perform search suggestions. What's changed is that now Mozilla gets a copy too instead of just Google
(There's also the part about showing ads, which bleugh, but that's separate from the 'sending' part)
"Firefox Now Sends Your Address Bar Keystrokes to Mozilla like it already did for Google but only if you had search suggestions turned on in the address bar" doesn't have quite the same ring to it.
As others have mentioned[0], this happens even when search suggestions have already been disabled. I’m pretty disappointed over this, I’m not moving to a chrome based browser but I wish we had more options.
I dunno if I agree the title is misleading - it's right on the spot for someone like me - I always turn off search suggestions when I install ffx - for the privacy.
So this title is an important warning for folks who want privacy - and I would guess that a higher percentage of ffx users care about that than chrome.
There's no technical solution to this, short of writing your own browser. Web browsers are big, and there will only ever be a few organisations capable of building one. Like Boeing and Airbus. Those organisations are rich targets for all kinds of shonks, spivs and chancers, who are more motivated than you are. Resistance is as futile as wearing a parcahute on a 737 Max.
There is a time tested and effective political solution: separation of powers. If Abine Blur blocks Mozilla from doing this stuff, and the Firefox plugin auditors keep an eye on what rorts Abine is pulling, then we dumb punters are in with a chance. Abine and Mozilla could gang up, but that puts them in a prisoner's dilemma—either one could win free advertising, then customers, by dobbing the other in to 60 Minutes. Some people are capable of resolving the prisoner's dilemma superrationally, but they don't become shonks, spivs, or chancers, so this is a fairly reliable solution. I think the priority for a privacy respecting internet should be to get Mozilla, Abine, and Duck Duck Go to start acting as if the others exist, and users of any are likely to use them all.
Maybe, in the end, big tech bastards are just another kind of bastard. That would be nice. In 200 years of democratic reform, the people have invented some sophisticated and effective ways of stuffing the bastards back underneath whatever rock they most recently slithered out from.
Maybe this is a bit naive of me, but has anyone been of the impression that keystrokes in an address bar are not public (or at least un-private)?
I have been under the operating assumption since circa 2006 that anything done in a browser is potentially sent of somewhere to somebody's server. If I want privacy, I use tor.
Anything that's not the body of an https request is at minimum going to be logged somewhere.
You are not alone. I operate under the assumption that any application that connects to the internet indeed sends back my activity in that app back home.
What frustrates me is that everyone goes out of their way to make fragile, internet connected and internet dependent applications when there basically no need to.
I still use a split address bar and search bar with "Show search suggestions in the address bar" toggled off, so until this version the address bar suggestions were only from bookmarks and history items.
Firefox has been using Google's safe search since version 6. So unless you disable or block it, Google knows about your whereabouts, even if you used Bing.
> anyone been of the impression that keystrokes in an address bar are not public
They shouldn't be. Logs containing URLs are commonly considered private information, and while it's a bad practice to put passwords, etc. in the URLs, people still do it, and even more often things like tokens, keys, object IDs etc. are part of the URLs. Disclosing this to a third party is essentially a MITM attack, and even though we're talking only about user input, this still includes stuff like URLs copies from emails, terminals, documentation files, etc. - and those may contain very un-public thing. Simplest example - do you consider the password reset URL many sites send to be public or private? Of course, not many people would type it - but people would copy-paste it and then maybe type something else - and who can guarantee the whole URL isn't then sent to an untrusted party?
Furious. I encourage users on Linux distros to file distro bugs about this. I just handled the Gentoo bug report[1]. We can't trust Mozilla upstream at this point to resolve these issues.
The issue wasn't so much that they added this functionality to grub some extra money, the issue was the opt-in happened on our targets without any notification or informed consent.
Thanks for filing the report! I don't know that we can expect distributions to have the manpower to manage these issues, but neither can we expect users in the middle of the "Juse Use Chrome -> GHacks User Config" to be served by any other mechanism right now. I'd like to see Mozilla respond to the expressions in this thread, but that's frankly unlikely, so at the very least; it warms my heart to that this despise exists, has representation, calls to action, and demands which may someday be fulfilled, be it by leadership at Mozilla or elsewhere.
I'm sure Firefox developers read Hacker News, so I'm going to talk here.
I have "Provide Search Suggestions" disabled. All 3 of the options underneath them are disabled, because search suggestions are disabled. This makes sense.
THEN, I click "change settings for other address bar suggestions" and in *THERE* everything is in there, INCLUDING "Contextual suggestions".
What do you think the first disabling of suggestions meant? You're searching without my consent. If I would have consented, it would have been in that first check box. What are you guys doing? What happened to the Firefox I trust and choose over Google to avoid the monoculture?
When I was still a Firefox user, I just ended up blocking any domain owned by mozilla. And by 'when I was still a Firefox user' I mean 'until approximately 12 hours ago.' What priorities and values Mozilla has left I don't seem to share.
I'm currently using Brave to reply to this comment because it was already on my drive. I don't like Brave's philosophy and I don't like its proximity to Google. I'm using it as a stop gap till I find something better.
It's going to take me a few weeks of research to pick my new permanent browser. I want something far-removed from Google, but with an active enough developer community that it doesn't fall apart after an OS update or turn out to have a back-door hidden in the code base.
Firefox is alive because of Google money. It looks like they don't like this single-source dependency too much, and want to find their own monetization model. Unfortunately, it's looks like it's the same old one - sell user's eyeballs (and maybe also tracking data, who knows) to advertisers.
Is it not possible to embed Gecko anymore? Why aren't there a couple of browsers with the Firefox engine but wothout the horrible Firefox UI decisions?
Iirc, it's mostly not practical to embed gecko anymore. Mozilla stopped maintaining/caring that ability and the best you can realistically do is to just fork Firefox now. Gecko is basically intended to just be part of Firefox nowadays.
I explicitly chose the option to have a Search bar separate from the address bar... why would I want Search suggestions or Contextual suggestions in the address bar.
I've been using Firefox since version 1, but this is the first time I'm considering switching to something else. (like ungoogled-chromium)
"We haven't quite hit our mark. We've received feedback that it's difficult to figure out which Firefox experience you've got enabled. We are hard at work to address this and continue to improve the feature."
I don't trust any company that much. But in this regard, its even worse - Google makes it no secret that theyre collecting your data, while mozilla goes all-in on the privacy messaging and then pulls a stunt like this.
Where else can I go to get a quality, privacy focused FOSS browser? I want non-chromium. Someone on HN the other day suggested using the TOR browser without connecting to a tor circuit, but that seems overkill.
Maybe it's time for Firefox premium. Same as on youtube premium or gitlab premium, no ads, no annoyances, additional features, maybe better performance, maybe some value add cloud features, all for 1-20$ a month.
With premium it'd probably be worse, because signing up you'd surely sign an agreement that somewhere on page 37 says "we can track you any way we like, and do anything we like with the data" and you couldn't claim you didn't know - you made an explicit action to sign up and even paid money for it, surely you knew what you're doing!
The time has come to fork Firefox. That’s the benefit of open source software, it’s not beholden to one entity. Don’t give in to a chromium monoculture.
102 comments
[ 2.8 ms ] story [ 185 ms ] threadIt seems to me there are entirely too many people feeding at the trough at Mozilla and they are not managing their money very well.
It seems like I am going to MITM our browser traffic and set up custom filters or something.
Of course, that doesn't make this any less of a scumbag move.
In any case, when people act like this, I do not trust that turning off the option actually stops them from keylogging, which is why I am going to look into inspecting traffic.
In fact I would say the lack of explicit statements on what data is sent is a deliberate attempt to hide that fact from users. Note how similar the language is to the privacy options on Google's Android.
Worse thing is Mozilla keeps projecting this empty message of ‘privacy’ whilst still continuing to be more than 80% funded by one of the most anti-privacy companies in the world who directly goes against their entire mission statement.
This is hardly surprising.
I don't care how few users Firefox has. I do care that the product has become a pile of garbage. I already tolerate the dumb tab bar, the update nag screen that interrupts my work, the telemetry setting that doesn't actually disable telemetry, the web services I don't want like Pocket, the ads, the memory issues that hobble my machine when I stream video...
I won't move to a browser like Chromium with a connection to Google, but I'm moving to something. I'm done with Firefox.
If you're on Linux, exclude it from automatic updates in your package manager, and it won't interrupt you. On Windows, you should be able to set app.update.auto to false in about:config, but I don't know if that still works.
https://itdm.com/mozilla-firefox-usage-down-85-but-why-are-e...
The reason I stopped donating to Mozilla is because they have too many people not doing things I think are important and are paying their executives too much.
[1] https://en.wikipedia.org/wiki/Waterfox
[2] https://en.wikipedia.org/wiki/Pale_Moon_(web_browser)
[3] https://en.wikipedia.org/wiki/GNU_IceCat
[4] https://en.wikipedia.org/wiki/SeaMonkey
People here complain about it having some sort of cryptocurrency embedded, but it's opt-in, so as long as you don't enable it, I don't see the issue. Plus it comes with an ad-blocker / anti-tracker out of the box.
Seems to me that Brendan Eich actually knows what he's doing.
Last I used Brave, it gave me stupid little popups on my notification bar and that's, to me, worse than in-page ads.
https://www.reddit.com/r/BATProject/comments/pl2lgi/were_bre...
The discussion is always the same, I'm not sure what can be added at this point. Yes the way they're actively destroying it is mystifying, yes, maybe money issues are part of that but god can't you just make your own browser? Mozilla's problem, more than any specific incident like this, is that they've become completely incapable of thinking for themselves. Everything is a follower move, trying to find something popular and than emulating it.
I'll continue to use FF, but only because it's easier to massively "tweak" into a usable product than chrome.
Their products suck because they don’t care about them. They don’t genuinely want to compete with or anger Google for fear of losing funding.
They’d be better off cutting down to a lean $5/year spend and just making a browser.
I think.
Scroll down to Address Bar — Firefox Suggest
uncheck Contextual suggestions
This is unacceptable.
It wasn't until the OS started alerting the user to this clipboard read that it started to look very suspicious.
Maybe sprinkle in a bit of users didn't consider it suspicious until it was reported that some apps were abusing the privilege.
dom.event.clipboardevents.enabled
To false
Edit: my mental molasses delayed my seeing that the feature was removed and that you've moved on. I'll leave the comment though.
(There's also the part about showing ads, which bleugh, but that's separate from the 'sending' part)
[0] https://news.ycombinator.com/item?id=28805896
So this title is an important warning for folks who want privacy - and I would guess that a higher percentage of ffx users care about that than chrome.
There is a time tested and effective political solution: separation of powers. If Abine Blur blocks Mozilla from doing this stuff, and the Firefox plugin auditors keep an eye on what rorts Abine is pulling, then we dumb punters are in with a chance. Abine and Mozilla could gang up, but that puts them in a prisoner's dilemma—either one could win free advertising, then customers, by dobbing the other in to 60 Minutes. Some people are capable of resolving the prisoner's dilemma superrationally, but they don't become shonks, spivs, or chancers, so this is a fairly reliable solution. I think the priority for a privacy respecting internet should be to get Mozilla, Abine, and Duck Duck Go to start acting as if the others exist, and users of any are likely to use them all.
Maybe, in the end, big tech bastards are just another kind of bastard. That would be nice. In 200 years of democratic reform, the people have invented some sophisticated and effective ways of stuffing the bastards back underneath whatever rock they most recently slithered out from.
I have been under the operating assumption since circa 2006 that anything done in a browser is potentially sent of somewhere to somebody's server. If I want privacy, I use tor.
Anything that's not the body of an https request is at minimum going to be logged somewhere.
What frustrates me is that everyone goes out of their way to make fragile, internet connected and internet dependent applications when there basically no need to.
There was pandemonium back when Ubuntu first started doing that in its search line, for example.
Now, no one cares and thinks it's "just how it is", except for some privacy holdouts, like myself.
This isn't the way the world used to be.
They shouldn't be. Logs containing URLs are commonly considered private information, and while it's a bad practice to put passwords, etc. in the URLs, people still do it, and even more often things like tokens, keys, object IDs etc. are part of the URLs. Disclosing this to a third party is essentially a MITM attack, and even though we're talking only about user input, this still includes stuff like URLs copies from emails, terminals, documentation files, etc. - and those may contain very un-public thing. Simplest example - do you consider the password reset URL many sites send to be public or private? Of course, not many people would type it - but people would copy-paste it and then maybe type something else - and who can guarantee the whole URL isn't then sent to an untrusted party?
In any case, if I wanted spyware parity with Chrome, I'd use Chrome.
The issue wasn't so much that they added this functionality to grub some extra money, the issue was the opt-in happened on our targets without any notification or informed consent.
[1] https://bugs.gentoo.org/817014
I have "Provide Search Suggestions" disabled. All 3 of the options underneath them are disabled, because search suggestions are disabled. This makes sense.
THEN, I click "change settings for other address bar suggestions" and in *THERE* everything is in there, INCLUDING "Contextual suggestions".
What do you think the first disabling of suggestions meant? You're searching without my consent. If I would have consented, it would have been in that first check box. What are you guys doing? What happened to the Firefox I trust and choose over Google to avoid the monoculture?
It's going to take me a few weeks of research to pick my new permanent browser. I want something far-removed from Google, but with an active enough developer community that it doesn't fall apart after an OS update or turn out to have a back-door hidden in the code base.
In the address bar suggestions I do have everything ticked. The full list is: Browsing history, Bookmarks, Open tabs, Shortcuts and Search engines.
Edit: having now read the linked article, I realise this is a US-only (anti-)feature, at least for now.
I've been using Firefox since version 1, but this is the first time I'm considering switching to something else. (like ungoogled-chromium)
"We haven't quite hit our mark. We've received feedback that it's difficult to figure out which Firefox experience you've got enabled. We are hard at work to address this and continue to improve the feature."
Why do you trust google with this data over Mozilla?