176 comments

[ 2.6 ms ] story [ 193 ms ] thread
Always wondered why such projects are not part of Debian main repository.
Librewolf has been requested since 2021, but no Debian Developer has volunteered to be responsible for the package: <https://bugs.debian.org/981291>

Since the Librewolf developers are providing a .deb package themselves, they could apply to become a Debian Maintainer; i.e. be able to upload that package (and no other packages) directly to Debian.

Browsers are complicated to package and so maintainers may not feel it's worth the time to package a fork of Firefox. Especially as pale moon's drama in the past may have led to a general skepticism about the whole ecosystem.
Never heard about this drama. Any link to share?
Manual updates for macOS and repo link 404…?
Use brew.
If you're using this, you should be aware that the Homebrew package manager also includes the kind of nonconsensual surveillance features that this software patches out of Firefox.

For this reason I switched from Homebrew to Nixpkgs.

Nonconsensual? Homebrew lets you know upfront before they send anything to their (non-US) analytics server, and running `brew analytics off` turns off analytics permanently. Sure, opt-in in preferable, but this is as good as it gets for opt-out.
It happens without obtaining consent. Notice is not consent. It's nonconsensual.

The example I provide: imagine if you put up a sign at the entrance to a party that said "by entering this party, you are going to be groped".

Telling someone you are about to violate consent is not the same as getting affirmative consent. Equating them is dishonest.

Well, no. To amend your example, let’s go with the sign saying “This is a gropy sort of party. Please use one of these convenient ‘I don’t want to be groped’ stickers before coming in if that’s not your thing.’”
That sign example is exactly what the film industry does to notify people of filming activity inside an establishment. It’s perfectly reasonable.

Using the example of sexual assault just makes the issue look more extreme than it is.

You might as well say “By entering this building you consent to be murdered,” but we all know that’s taking the slippery slope too far.

Usage statistics and bug telemetry isn’t the same as getting groped. Homebrew is up front about exactly what is collected: https://docs.brew.sh/Analytics

You don't need consent to film someone in a public space. It's done as a courtesy, not a legal requirement.

My computer is not a public space and the software that is installed on it, and when, and the IP address used to do so, are private information. Exfiltrating that data without consent is a violation of my right to privacy, full stop. Nothing that is said, no notice that is provided, can change that.

You could just as well say "by entering this building you consent to be murdered". It illustrates the point similarly: a lack of objection is not affirmative consent.

Haha, man, I wish more people than literally just you and I still thought this way

Every fucking piece of software out there is packed with shady spyware and BS, and everyone thinks he's entitled to treat users as cattle and do whatever he wants to them.

It's probably going to keep getting worse at this rate too. It'll become illegal to do anything privately or anonymously in the name of preventing misinformation and spam/click fraud

The need to gain consent is highly dependent on what is being consented to.

If you invite me over for dinner I don’t need to get your consent to wash my hands or use your bathroom. That is implied by inviting me over to dinner.

That’s why I think the “consent to be murdered” argument is such a bad analogy. It assumes the slippery slope goes all the way.

Just because I think (e.g.) Homebrew’s analytics doesn’t need opt-in consent doesn’t mean I believe that all forms of analytics and data collection shouldn’t need opt-in consent.

I think that an application having a default that collects non-personal crash and bug analytics is acceptable, while an application that collects more detailed personal information isn’t.

There are many valid counterpoints on why you shouldn't trust/use this, but the mere existence of it raises a very valid point and calls Mozilla's BS; why does this fork exist at all if Mozilla supposedly cares about your privacy, security and freedom?
Mozilla ships Firefox with telemetry (aka spyware, given that it operates silently and automatically without consent) enabled by default. They also ship closed source DRM in the browser which infringes on software freedoms.

Mozilla doesn't actually care that much about privacy or freedom, it's just marketing to make line go up and to the right while Mozilla staff can keep collecting paychecks for being "the good guys". There's a lot of money involved.

There is a big disconnect between what they say and what they do.

They're not an ad company, so Google/Chrome is obviously worse, but if you care about privacy you don't ship a browser with surveillance features in it (which is what Firefox is).

I am happy this project exists, and I will support them. This is how free software is supposed to work.

Telemetry and spyware are not the same thing (irrespective of whatever Firefox is doing). There is a big difference between tracking to try to understand how users are using a software or getting information on bugs and crashes, and tracking with the aim of monetizing personal data.

I'm personally not crazy about telemetry implying information is uploaded to a software provider, but from experience I know that trying to create a software without getting in-use data is basically flying blind. You cannot expect users to tell you about problems or bugs they have, they will just stop using your software and you will never know why.

Tracking is tracking, no matter what outcomes you derive from it.
So your general thesis is that software that tracks errors and problems the software might have, and software that deliberately slows down the machine to make you buy new hardware A LA Apple is 100% the same thing?
The Apple throttling thing was specifically to extend the life of the device. When a battery is old, if the CPU is not throttled, the device will instantly power off when the draw is too high.

Apple was throttling the CPU when the battery was old and could not sustain such power draw peaks in an effort to make the device remain usable for a longer period with a mostly-consumed battery pack. Had they not done so, the device would be unusable sooner.

To assert that it is to make you buy new hardware is a factual error.

Propaganda. Even if, a user toggle would have worked wonders.
Which is what ended up being implemented. That was a PR disaster on apple's part, but their motivation was genuinely good. They could have just let the phones power off randomly, like they were 5-6 years old -- android wouldn't even know about them anymore.
Random poweroffs could not happen, not with the current those devices are drawing.
And what do you think happens when that currency level can’t be drawn from the battery? There literally were many reported cases of random reboots.
A replaceable battery is a better solution.
They are replaceable. In a service for a low fee after 6 years of usage.
Paying apple hundreds of dollars to do something the owner of the phone should be able to do while waiting in line at the store is not an acceptable alterative.
I’m saying anything that tracks a user is not good for mankind. Telemetry is increasingly used for nefarious purposes. I have no problem if you want to track your own apps, but you can leave me out of it. You can derive my behavior from my access, my id, and my requests. You do not need to track my clicks, my history, my search phrases, my shopping habits, my location (unless I grant it to you), my cookies…

You may not force feed me cookies.

You can actually see all of the telemetry data Firefox is sending by going to about:telemetry in your browser. You can also see all of the probes it could be collecting here: https://probes.telemetry.mozilla.org/ Keep in mind that the telemetry that is captured in Firefox goes through a thorough review process, so that it respects user privacy: https://wiki.mozilla.org/Data_Collection
This statement is false.

Even with all telemetry disabled (including the option "Allow Firefox to send technical and interaction data to Mozilla") and without anything showing on that page, the browser still sends out interaction data by means of so called "pings", URL parameters, etc.

Wow, a browser is making network connections, how dare it. Come on, these things are there so that if you are on "connected" to a network that require some registration, e.g. an airport, then you can actually be forwarded to that registration page.

Like what do you even think, Mozilla people are sitting on top of all that sweet

  PING www.mozilla.org (3.161.119.172) 56(84) bytes of data.
  64 bytes from server-3-161-119-172.vie50.r.cloudfront.net (3.161.119.172): icmp_seq=1 ttl=248 time=4.06 ms
  64 bytes from server-3-161-119-172.vie50.r.cloudfront.net (3.161.119.172): icmp_seq=2 ttl=248 time=4.16 ms
  64 bytes from server-3-161-119-172.vie50.r.cloudfront.net (3.161.119.172): icmp_seq=3 ttl=248 time=3.64 ms
What the hell would they do with that?
It makes these connections even when all the things mentioned in the official "How to stop Firefox from making automatic connections"[1] are disabled. This includes the captive portal detection you allude to.

Regardless:

The browser asks me if I allow it to make these connections.

I tell it in unmistakable and irrevocable terms that I do not.

The browser makes these connections anyway.

The problem was never the connections or the contents of the data stream. You were aware of this before posting your comment, and yet you commented anyway. You are a troll.

1: https://support.mozilla.org/en-US/kb/how-stop-firefox-making...

Am I really the troll, or those who bring down the only remaining truly libre, open-source browser engine over stupid nitpicky bullshits, while not contributing anything positive to improve on the status?
Just as a courtesy I'll let you know that I won't bite here. This is entirely pointless.
The point is, if you provide an option to turn off telemetry, it should be off. No exception. In this case of an airport connection requiring a registration page intranetwork, this occurs via first request through their proxy with header redirect.

The point is, don’t lie about saying you respect privacy with half-baked options and telemetry for me but not for thee bs. If I turn off telemetry, you aren’t allowed to send telemetry. Of any kind. Not a crash log. Not an install token. Not a call home to see if maybe possibly your on an airport wifi and make-our-app-work-edge-case()

There is a distinct difference between telemetry and the captive portal requests Firefox makes. The captive portal checks have nothing to do with telemetry and contain no payload, which is why they are not covered by that setting.
Captive portal detection was only brought up by the non-constructive commenter and isn't part of the problem.

When the setting labelled "Allow Firefox to send technical and interaction data to Mozilla" is unchecked, the browser still sends out technical and interaction data through parameters added to various browser-provided/generated URLs (e.g. search results pages from built-in search providers, Firefox documentation links provided by the browser, DevTools compatibility panel links to MDN, etc.), by sending out pings when hovering over or clicking interactive browser-native interface elements, and in several other ways.

In summary: that setting is non-functional and should either be fixed, re-labelled, or removed entirely.

Firefox doesn't get to wear the white hat if they're doing a bunch of shady stuff and saying it's for my own good.

By your logic, realistically, Google invading my privacy isn't a particularly big deal since they know the value of the data they're harvesting and will guard it. And third party data brokers are actually just making my web experience more tailored and relevant, so I should let them have their way with me too. Everyone has a good reason to cram something into my business.

There's an obvious difference between diagnostic data and data that's used to push ads to me.

People might still object to diagnostic data and Firefox's handling of it, but it's disingenuous to state that they're the same.

What is that obvious difference? It isn't obvious to me.

They're both companies spying on people to improve their own products, ostensibly to the customers' benefit.

Ridiculous comment
Everything I said is 100% true. There are a lot of people on this very site working in adtech who don't feel like they're doing anything wrong at all and use the exact same logic that people use to justify "telemetry". In their mind, they're making a better product and a wealthier, more productive world in the process.

You have literally no logical or moral delimiter between how Firefox spies on me to improve Firefox and how Windows does it or how ad companies do it. I'm sure you'll move the goalpost now and strain yourself to come up with something ex post facto, let's hear it.

> There is a big difference between tracking to try to understand how users are using a software or getting information on bugs and crashes, and tracking with the aim of monetizing personal data.

I don't see the difference. In one case you are trying to improve your product using stolen data (which presumably results in your user sat scores and/or userbase going up and you continuing to receive a paycheck, ie monetization), and in the other case you are just selling the stolen data directly.

In both cases you are taking private data without consent and using it to get money, or money-equivalent things (like a better product or more users).

Technically and philosophically there is absolutely no distinguishing feature between opt-out "telemetry" and spyware. Both are using private user activity information, exfiltrated silently and without affirmative consent.

Spyware exists primarily to steal data, firefox also has "some" other uses. Calling firefox "spyware" dilutes the meaning by implying it's somehow similar to actual spyware.
It is human psychology 101 that the default option is chosen in order of magnitudes more cases -- people are lazy. Should they really just let all that usability statistics be lost, even though their owner would more than likely be fine with its usage in most cases?

Are countries with opt-out organ donation also evil? Doesn't the litany of saved lives worth more than a post-death "inconvenience"?

> Should they really just let all that usability statistics be lost, even though their owner would more than likely be fine with its usage in most cases?

Yes, 100%. They should not exfiltrate data without consent. If the owner is fine with it, they can just ask! (I'll let you in on a secret: they don't ask because most users, when asked, do not want to be placed under surveillance!)

> Are countries with opt-out organ donation also evil? Doesn't the litany of saved lives worth more than a post-death "inconvenience"?

You don't need your organs when you are dead. You do need your privacy when you are alive.

Like the argument with copyright, it's not theft. It's only theft if the user is deprived of something.

> In both cases you are taking private data without consent and using it to get money, or money-equivalent things (like a better product or more users)

This is just word salad. Opting in is consent. You are absolutely free to opt out, by following the clear instructions on the website [0], and you can continue to use the software. Your rights are being deprived here.

Secondly, "money equivalent things" is a reductionist argument. Not everything fits neatly into a black and white "right" and "wrong" bucket, and arguing it does is forgetting about the fact that technology doesn't exist in a vacuum any more than any other product or industry.

> Technically and philosophically there is absolutely no distinguishing feature between opt-out "telemetry" and spyware.

Technically there's no difference between me sending any kind of data to a remote service. Using rote logic to infer behaviour is a fallacy, and when I read comments like this I end up (unfortunately) coming away thinking "this person has no critical thinking skills". I'm aware it's an ad-hominem, but logically there's no other explanation other than you can't possibly understand anything other than your narrow world view.

[0] https://support.mozilla.org/en-US/kb/telemetry-clientid

> Telemetry and spyware are not the same thing

Telemetry is spyware if it's done without the active informed consent of the user. What the collected data is actually used for isn't relevant. Consent is the relevant factor.

I'm sure it is written in some license agreement you implicitly accept by downloading/installing the software.
That's not true. Firefox is free software. It is licensed under the MPL.
> Mozilla ships Firefox with telemetry (aka spyware, given that it operates silently and automatically without consent) enabled by default.

So opt out of it. Calling it spyware is inflammatory, and disregards the reality of the world that we exist in.

> It's just marketing to make line go up and to the right while Mozilla staff can keep collecting paychecks for being "the good guys". There's a lot of money involved.

And makes you sound like a conspiricy theorist.

> They also ship closed source DRM in the browser which infringes on software freedoms.

If FF didn't have media support I would switch to chrome, immediately. This is speaking as someone who has dogmatically used Firefox for 15 years. Software, such as web browsers don't exist in a perfect world that I wish it did. Instead, we have DRM, we have telemetry. A userbase requires marketing, which requires money. I wish it didn't, but it does.

(comment deleted)
It's hidden. It's spying. It's software. It's spyware.
It is neither hidden nor spying. The options are prominent in the settings, and both the source code and the policies around what is collection and explanations of how it is used are public. Moreover there is literally a page ("about:telemetry") where you can see exactly what data is being collected and links to all of the aforementioned resources and more. And the data itself (aggregated) is available for viewing at telemetry.mozilla.org.

And they blog about all of this, from how the data is used to how you can see it for yourself to what efforts they make to ensure privacy while doing so.

To call it "hidden" is either deliberately ignorant or a lie, I'm not sure which.

https://blog.mozilla.org/data/tag/telemetry/

https://wiki.mozilla.org/Data_Collection

https://www.mozilla.org/en-US/privacy/faq/

As a reverse engineer who works with malware most of the time (and my current project is related to a spyware family) I'm annoyed by your incorrect and inflammatory use of the word "spyware". Words have meanings for a reason, and using the strongest possible word to describe something you don't like doesn't make your point stronger.
100% agree, but I have to add:DRM is not necessary for all media, just a small percentage of sites (like netflix/spotify i guess) use it. I personally never enabled DRM in my firefox.
> They also ship closed source DRM in the browser which infringes on software freedoms.

I thought it wasn't shipped with the browser but the browser asks if you want to download it when you first need it.

Honestly, it is a pretty disgusting stance is all I can say. It is fine to not agree with every default config Firefox ships with, and feel free to change it for yourself (and distribute that), sure.

But calling it out like that is just scummy, as they don't do anything malicious. All of these are just basic business practices done by most software you have on your computer.

The lion's share of Mozilla's funding comes directly from Google [0]. The official reason is to feature G search as the default in Firefox, but it also conveniently keeps alive the only browser preventing antitrust action against chromium. They may want to care about freedom - or have cared at some point in the past - but at the end of the day they're beholden to Google in order to survive

[0] https://www.pcmag.com/news/mozilla-signs-lucrative-3-year-go...

> They may want to care about freedom - or have cared at some point in the past - but at the end of the day they're beholden to Google in order to survive

Which makes one wonder if the existence of a competitor is a good measure of whether a monopoly exists. If a company is funding its main competitor, is it really a competitor?

Google has a stranglehold on the browser market.

The mere existence of a fork doesn’t prove anything one way or another. I can fork Firefox right now and say “It’s Firefox but without the code that the aliens use to abduct people.”

Mozilla gets a some heat from the tech community for their pretty reasonable business model. I’ve seen Firefox be accused of being just about as bad as Chrome when it comes to user privacy and product monetization.

To me that has always felt like a “both sides are the same” argument.

In other words, not all telemetry is created equal.

> There are many valid counterpoints on why you shouldn't trust/use this

Such as?

Binaries are unsigned, third party update service, Google safe browsing disabled unless you build from source, running unusual browser setups can actually make you more distinctive online, unencrypted DNS by default, speed of security patches is slower than base Firefox, etc.
Also, the expertise of its author is quite questionable. Browsers are insanely complex beasts, I think Mozilla does know their thing and necessary configs much better.
Mozilla has a pragmatic view on privacy. Your freedom has no worth, when you can't use the browser because it breaks sites all the time. Though, it's true that Mozilla has become kinda lazy in their quest for protecting the user. They could do significant better.
Because Mozilla has to ship a browser that actually works? My grandma won't be going into about:config to temporarily disable this and that to make that site work. Also, people want to watch Netflix as well.

Also, I really don't get all that fuss about some basic "telemetry", that word became way too overloaded. But the least I can do is like, share some basic data with this open-source project I freely use for many hours each day, e.g. in case of a crash.

privacytests.org shows how Librewolf privacy testing scores compares to others.
Very interesting website! I submitted it[1] because it's quite the eye-opener for me (e.g. blob tracking is new to me, and if you click on the cell, it shows you PoC test code!) and I had missed its previous submission two years ago.

Brave, Librewolf, Mullvad, and Tor hide the user's screen dimensions, whereas Firefox and Chrome don't. I'm curious, how often does that break things? I imagine that quite a few sites use this for choosing how to position things with JavaScript. Certainly not a majority, but with how many websites an average techy visits on an average day, it might still be somewhat frequent that you get ill-fitting content.

Do you use Librewolf, or does someone else use it who can tell?

[1] https://news.ycombinator.com/item?id=37433207

>I'm curious, how often does that break things?

Pretty much never. They hide it by changing it. This results in a margin around your view port that is fitted to one of several common dimensions. Since they are common, nearly all websites look okay in it.

Oh I see! I know that from the Tor browser, didn't realise they all do it that way.
Iceraven is a similar (in principle) fork of Firefox for Android.

=> https://github.com/fork-maintainers/iceraven-browser/

Just yesterday I had noticed that, "Suggestions from sponsors" in the address bar had been turned back on after a recent Firefox update, and then installed Librewolf. I really want to use it as my main browser, but certain use cases such as online banking (at least with my credit union) doesn't seem to work properly, so I re-disabled "Suggestions from sponsors" in Firefox and went on with my day. Seriously, changing user settings with updates is a major dick move and something I'd expect from Microsoft and not Mozilla.

Edit: Turning off the anti-fingerprinting feature in LibreWolf is needed for online banking to work.

I use both Firefox and Librewolf to achieve browser isolation. Librewolf is my default browser for all anonymous browsing such as news sites. I use Firefox for all my real name ID account logins such as banking. This way your Librewolf browser fingerprint is never associated to your real ID.
Yeah, I get the concept of using different browsers for different things to compartmentalize, and I've tried it, but to me it just seems like I'm making my life more complicated switching back and forth, and I feel like it's cluttering up my system. I love how Librewolf takes privacy to another level, but honestly, all I want is Firefox without all the BS and the ability to disable things I don't want (and not having them turned back on).
A custom user.js will do the job
(comment deleted)
It used to be really easy to search about:config for 'http' and just delete all URL's to quiet things down. More recently the about:config search only searches attributes not values so you have to "show all" and it's quite tedious to find them all. Even then there are some things you have to block with a hosts file entry.

That said it is possible to have firefox start cleanly with absolutely no network traffic except for sites you visit.

    alias workfox="firefox -P work"
    alias funfox="librewolf"
Browser isolation is smart, and Firefox+Librewolf is better than Firefox+somethingelse.

Don't forget about Firefox profiles though. You can have unlimited, 100% isolated browsers with profiles. I use a few dozen Firefox profiles.

For isolation of cookies but not preferences, you can use Multi-Account Containers within a single Firefox profile. I use this for admin-vs-user accounts at AWS, GitHub, etc.

I still think it's better to use Firefox containers on either of these browser, and combine them with temporary containers to isolate different aspects of your online life. By default all browser sessions are ephemeral, so no cookies are stored, just like incognito mode. Only when you whitelist a site to use a named container do they gain the ability to use your local storage. Using different containers appear to change fingerprints, it seems.
You can just disable the anti-fingerprinting features in LibreWolf and it'll work fine with online banking and stuff if you just want de-cluttered Firefox.
Thank you! I just fired up Librewolf and turned off Fingerprint Resisting and my online banking now loads my transaction history. This had been a big annoyance and why I hadn't completely switched. The recommendation I got 6 months ago was "just use Firefox for banking". Much appreciated!
The amount of stuff (personal preference) I have to disable in firefox such as Telemetry, Studies/Normandy, Pocket, Advertising and such makes LibreWolf worth it.

I do keep a user.js around to speed things up when doing a new install, but it's still annoying to have to read reddit or here to see if an update adds something new to disable.

Mullvad browser is another option for those who enjoy Mullvad. Note that it can be used without Mullvad service.

> I do keep a user.js around to speed things up when doing a new install

Could you share, if possible..

Mozilla has been frustrating, at least to me lately. I want to support them, but very little of the money given to them goes to the browser itself or even their research projects, and the "phoning home" aspect also annoys me. On top of that they are also heavily funded by Google. My personal theory on why they do that is so they don't get hit with an antitrust. Its concerning to me though because that means Google has influence in Firefox, so "using the alternative" still means being affected by Google's decision making. They have stood against some of Google's decisions like their web DRM, which is great! But I do wonder if any lower-profile changes might have been pushed through on Google's request.
> but very little of the money given to them goes to the browser itself or even their research projects

hi, do you have a breakdown or some stats for this?

not him. but there's this person whose paycheck is 7digits. pretty sure the person in question doesn't know a lick about rendering engine or other nitty gritty details of how browser works.
Am I misreading the financial statement linked by your sibling comment? It looks like they spent in the $250,000 or so range on all salaries combined in a given year, but maybe I’m misreading it.
Remember how the new CEO upon joining fired 250 employees and simultaneously upped her own pay to 2.5 million? (Its much more now)
And it is nothing remarkable compared to any other tech company CEO's salary. Sure, shitty thing to do, but to smear Firefox's name over it..
I am saying the IT workers receiving low pay or being outright fired while non-tech gets paid more has precedent under the current CEO. Besides its not Firefox thats being smeared, its the CEO who is, and should be smeared for acts such as this. Firefox the software is still mostly fine.
>but very little of the money given to them goes to the browser itself or even their research projects

They can't take money given to a 501c3 charitable organization and use it to fund the expenses of a for-profit corporation (Mozilla Corp). That would be tax fraud. On the other hand the Mozilla Corp has to exist because otherwise it would be legally challenging to do a lot of things they need to do such as business deals. Exceedingly few Foundations work that way without doing something akin to what Mozilla does.

>Its concerning to me though because that means Google has influence in Firefox, so "using the alternative" still means being affected by Google's decision making. ... They have stood against some of Google's decisions like their web DRM, which is great! But I do wonder if any lower-profile changes might have been pushed through on Google's request.

HNers say this often but nobody has ever freaking pointed to anything. It's nothing but FUD at this point and it's incredibly tiring.

I disagree that its FUD. The fact of the matter is that Google is their biggest financial contributor, and that means by proxy Google can influence them. I don't have any examples right off the bat, but that doesn't discount the fact that it's a clear conflict of interest.
>The fact of the matter is that Google is their biggest financial contributor, and that means by proxy Google can influence them. I don't have any examples right off the bat,

Exhibit A.

Fine, it's a potential conflict of interest. But there's still a step between having a potential conflict of interest and being compromised by Google / influenced by proxy. You don't get to jump from point A to point B. That's FUD.

There are near-monthly examples of Mozilla going against Google on big-ticket items, and nobody seems to be able to point to any examples otherwise, but we're supposed to criticize them for being too dependent on Google while ALSO criticizing them for profitable side-projects or cross-marketing that diversifies their revenue (like VPN, Pocket, the Disney movie thing, etc.)

Simultaneously:

* "how dare they work on something other than Firefox even if it makes money" and

* "how dare they monetize Firefox" and

* "how dare they take so much money from Google"

> Simultaneously: "how dare they work on something other than Firefox even if it makes money" and "how dare they monetize Firefox" and "how dare they take so much money from Google"

Yes. Perhaps you've heard of the concept of a non-profit? Specifically a foundation, organized and operated exclusively for charitable purposes?

https://www.law.cornell.edu/uscode/text/26/501, subsection (c)(3).

(comment deleted)
okay, and Librewolf is a fork of Firefox. even if I was worried, I'm not exactly reassured that Librewolf would be peachy if Mozilla got hit hard by something.

I'd rather Google does pull that trigger so we can get some anti-trust going. They've been overdue for years on that front.

> "phoning home" aspect also annoys me

That thing is so minuscule and more of an everyday feature that I really don't see all the fuss about it.

Also, it is a game theory "both would lose if stopped" situation with google, so no, google has no way to affect Mozilla directly. If they were to stop it, Firefox might stop being developed and Google definitely gets sued, and it is basically free money for Firefox, setting the default search engine is no big deal.

I’ve had problems with e-commerce as well. Recently I tried this with Nike & the checkout phase was trying to read all my sensors, canvas, etc. were all being hit & failing according to the console. Disabling fingerprinting let me get ‘further’ but even disabling uBlock, something on my network was blocking some other piece of tracking spyware & I couldn’t complete the checkout. I reported it to customer service & later got an no-reply email response from their technical teams saying I should “disable your anti-virus, then proceed with the checkout, and reenable when the purchase was complete”. Funny since I don’t run an anti-virus on Linux just being careful but already having a lot of malware blocked by my system/router/DNS. What’s also funny is that you don’t need to fingerprint me to prove its me since I’m already on an authenticated account, so what are they doing with that fingerprint? Ultimately, I traded a Hong Kong pie to a friend to do the purchase on my behalf as he doesn’t care about his online privacy—and I got to add noise to his purchase history with my own.

When are we going to get e-commerce & e-banking to stop being so hostile towards consumers?

> When are we going to get e-commerce & e-banking to stop being so hostile towards consumers?

"We" won't because the vast majority of internet users don't care about privacy. It sucks, but that's the way it is.

You and I, however, are free to vote with our wallets. I literally will not buy from a company or brand that tries to take advantage of me in some way, even if the alternatives are worse somehow. It's a drop in the bucket, but it's all I can do.

(And before someone mentions it, no, shouting about it on social media is not a valid action to take, because social media is where everybody shouts about everything all the time.)

Don’t care or are ignorant about why they should care (even when they “have nothing to hide”)? I think this part of the these conversations get lost. Consumers care about privacy, even if just at a surface level as we’ve seen the megacorps change their messaging to trick folks into feeling they are safer. These consumers just don’t know what is at stake when they do something ‘foolish’ like running not using an ad blocker, browsing with Google Chrome, emailing with GMail, chatting in Discord, hosting code with Microsoft GitHub, sharing their contacts with WhatsApp, tweeting on X/x-ing on Twitter, etc. When it comes to e-commerce, often it’s the only way to get items now & when it comes to banks, they’re all blocking root “for our safety” but users not understanding their value doesn’t mean there is no value.
Disclaimer: I develop Waterfox.

I think it’s worth noting that Librewolf provides unsigned binaries and at least on Windows, you need to trust a third party service to provide automatic updates.

These are both interesting niche projects from a user privacy perspective.

Is anyone who is more familiar with Waterfox and LibreWolf able to objectively expand on the differences between these projects?

It sounds like the unsigned binary may be a maturity issue that will get tackled based on the mission statement(educated guess?).

Would greatly appreciate anyone with more knowledge about these projects elaborating.

I’m happy to expand on it - maybe someone else can chime in as well.

From a comment[1] I’ve made before for this kind of comparison:

“Now, ignoring feature differences between all the forks out there, I'd like to present a different perspective and consideration that I think gets overlooked when comparing forks like Waterfox to other forks (if I am incorrect regarding Librewolf, someone please correct me).

* Waterfox provides signed binaries for download. Librewolf (and most of the rest) do not. Checksum's are all well and good, but IMO, not enough. Code signing provides trust.

* Librewolf does not provide auto-updates. There are 3rd party tools out there, but IMHO that brings in its own set of problems, and breaks the chain-of-trust.

* The most important one that I believe, maybe apart from Pale Moon, only Waterfox does, is offers accountability. There is (and has been since 2012) a legal entity behind Waterfox. That used to be Waterfox Limited, then it was System1 and now BrowserWorks (the entity I control). Laws must be abided and the end user actually has an entity to hold accountable. GDPR, CCPA, the rest are things that actually need to be followed. The other projects, who are you really going to hold accountable if things go wrong? To me this is super important because a browser is used for sensitive information. It's just not worth the risk otherwise. This also goes hand in hand with the code signing.

* Above all else, Waterfox has been around for 12 years now.

Don't get me wrong, things like EV code signing certs are a bit of a racket, and yeah you can jump in and code audit all those other forks too. But really, push comes to shove, they can just disappear into the aether.”

[1] https://reddit.com/r/waterfox/comments/14seevh/waterfox_or_l...

I use Waterfox daily and have evaluated LibreWolf.

My use case: I mainly run the Unity desktop on Linux, both on traditional Ubuntu and on the Ubuntu Unity newly-official remix. On other distros, I use Xfce and I am trying to make a macOS-like layout via the Docklike Taskbar and AppMenu panel plugins.

Waterfox works with external global menus, like Firefox used to in the pre-Quantum era when Ubuntu used Unity itself.

LibreWolf does not.

So, I removed LibreWolf.

I don't care much about the telemetry stuff. Waterfox survived the Foxstuck outage fine and unaffected:

https://www.theregister.com/2022/01/18/foxstuck_firefox_brow...

That's a win.

I adopted Waterfox because I made extensive use of XUL extensions and Mozilla disabled them in Quantum. They still worked in Waterfox, for years, so I stayed.

Waterfox seems to work harder for its users. Mozilla doesn't care.

Waterfox: I came for the extensions, but I stay for the UI improvements and greater reliability.

Fair warning. But wasn't Waterfox sold to System1 - "an advertising company that tries to "make advertising better and safer, while respecting consumer privacy" - https://www.ghacks.net/2020/02/14/waterfox-web-browser-sold-... ? I'd feel a lot safer to use a browser that is not owned by an ad company ...
Waterfox is independent again: https://www.waterfox.net/en-US/blog/a-new-chapter-for-waterf...

And System1 are an “ad-tech” company but the term should be used loosely. The ownership made sense as they are a search engine aggregator and they own a bunch of old school search engines like DogPile, InfoSpace etc. Nothing to do with what people associate ad-tech with, i.e. tracking you across the web or collecting personal data.

I'm sure I've heard of Waterfox before, but this is the first time I have checked it out.

Some constructive criticism, if you're open to it: The web page is just a bunch of standard marketing fluff with about 5 download links scattered around. It looks a lot like every other "product" website out there screaming, "trust us, it'll be worth it!"

If you really want to attract people like me to it, you can't just _say_ you're awesome, you need to _show_ us you're awesome. In your blog (which is hard to find), you express great gratitude towards your users and community. Where is this community, exactly? I might like to join it but I can't find it anywhere. I had to scroll all the way to the bottom of the page to find a link to the source code (which just says "GitHub," mind).

I had to search pretty hard to find out that it is open source and apparently actively maintained, so I will check it out after all. But I was seconds away from just closing the tab out of disinterest and not looking back.

> Some constructive criticism, if you're open to it:

Definitely, much appreciated. You aren’t wrong about the fluff. We did user studies and showed people responded really well to this kind of landing page. I’ll see if I can have some more “hard facts”, but the average user doesn’t really understand the terminology which is why it’s dumbed down on this page - which essentially equates to fluff I suppose.

For the blog, it’s in the navigation, not sure how to have it more prominent without it being obnoxiously placed? Open to suggestions.

For the community, good points. I’ll make sure the subreddit and GitHub are more easily accessible as that’s where the community is based around and it’s very active.

LibreWolf is a set of patches against Firefox.
The biggest problem with all these "privacy" oriented web browsers is that you have to trust their creators explicitly and I just cannot.

Most often the developers are some random anonymous Joes without CVs or anything proving they have reputation at stake.

Thank you, but no thank you. Even if the official Firefox "leaks" something it's well controlled and well known.

What do these browsers do? I've no idea.

it's open source, you can simply look at the code (or, better, at the differences with firefox)
Just like that North Korean symbol downloader on GitHub, which had a malware downloader hidden in plain sight for nearly a year with no one noticing?
On the other hand, on might ask: How long would it have gone unnoticed if the source wasn't open?
This approach also assumes that you then compile the browser from source yourself (and also do that for each future update).
Yeah, and we know it's relatively common for open source projects to end up with malicious code in them unless the project has maintainers that can be trusted.

I have LibreWolf installed and I use it from time to time (although I prefer Brave), but I don't have that much trust in project as is. I think if it had sponsorship and could afford to pay a few reputable pro-privacy developers to maintain the project then there's less risk, but as it stands is anyone honestly looking through all the source code to validate their pro-privacy claims? And even if they did, could you trust them or their releases?

If I have to read and understand all the diffs myself I might as well maintain my own fork.
> it's open source, you can simply look at the code (or, better, at the differences with firefox)

Are you really serious? Firefox source is 21 million lines of code.

The diff between Firefox and librewolf is not that big though.
Honestly, I find that in many cases I would trust an anonymous random Joe more than a company because they can be more mission driven and limited in their ambition than a growth driven tech company. Firefox keeps trying to push advertising while keeping it private, trying to get people to subscribe to a VPN subscription. Google actively undermines adblocking extensions with Manifest v3 and Web Integrity API. Edge tries to monetize your browsing data by trying to randomly sign your browser in your Microsoft account and sync your bookmarks, history, and passwords to their cloud and keep trying to get you to use their chatbot. There are several more examples.
> Honestly, I find that in many cases I would trust an anonymous random Joe more than a company because they can be more mission driven and limited in their ambition than a growth driven tech company.

If it is a random Joe and not, say, a malicious effort of a major government posing as one. That's the problem.

and we wouldn't need any trust if banks just used a real protocol that we could implement in 5 minutes, instead of a thing made for rendering magazines in real time.

> but the poor non programmer user wouldn't be able to do this

we are on a programmer forum.

Yeah, and we're still aware that the rest of the world exists and has to also use web browsers.
>you have to trust their creators explicitly

Yes, and that same issue stands for extensions that are essential for making the browser usable. Who uses Firefox without uBlock? I won't use a browser that lacks a feature rich vertical tabs solution and that requires me to use sidebery with Firefox. That essentially forces me to trust a host of extension creators that I know nothing about. Yes, source can be reviewed, but I don't have the chops to do it and it doesn't seem like there is a non-profit organization that is taking that on (why doesn't EFF?)

If you limit yourself to the recommended ones they're supposed to be reviewed by a human and subject to some amount of guidelines - https://support.mozilla.org/en-US/kb/recommended-extensions-... and https://extensionworkshop.com/documentation/develop/build-a-...

Personally I do try to limit the amount of them I run, stick with recommended and take at least a glance at the source from time to time, but it would not defend against version updates or good efforts to obfuscate bad code. I do feel at least somewhat confident that for recommended extensions with substantial usage the internet would surface funny business quite quickly.

But yes, I would love for some independent third party to have some review program! Unfortunately it's not clear how it would be funded.

Not only that, trustworthy extensions normally have serious well-known developers behind them which decreases the risk of stumbling into something malicious.

To this date not a single extension which has been marked as recommended by Mozilla was found to contain malware.

Google on the other hand while being 1000 times richer has none of it.

Mozilla has a special program when they check manually and mark extensions which are trustworthy. It's been there since the advent of WebExtensions.
I hate this “I can’t trust open source” mentality. Open source contributors automatically getting labeled as malware is insane. I’d rather trust an individual contributor over large corporate interests any day of the week. And don’t act like the same thing can’t happen to corporate software
?

I use open source for the vast majority of things I do, but I'm still very selective about what I run. It's not an open source thing -- I also don't go out and grab random closed source executables from people I've never heard of.

People are distrusting unknown software from unknown devs, not open source software.

Just use a custom user.js, LibreWolf doesn't deliver much beyond a few major tweaks and a logo.
do you have an example or directions?
https://github.com/arkenfox/user.js/

I don't use or recommend exactly what they do but they have a long list of settings you might want to change that is better documented than any other source I've seen and if you click the wiki link there is detailed info about how user.js works.

You can start with mine, I've mostly stripped all the telemetry, added DoQ DNS (please, don't use my NextDNS id :D otherwise it's going to eat the free 300k limit), lots extra DNS/HTTP/rendering performance tweaks, some security fixes (e.g. deprecated ciphers) without performance penalties and personal Firefox's quality of life changes (smaller delays, ability to save everything, tracker stripping, etc). Some configs like the already mentioned Arkenfox's take security to a next level with first party cookies only, sandboxing and etc, it might be too overwhelming and not actually that necessary.

https://gitlab.com/ac130kz/dotfiles/-/blob/main/configs/user...

What exactly do we gain by browsing more anonymously if we just read news or go on social media sites?
People profiling your interests, mental state, politics, religion, sexysl orientation, .....

You can deduce a lot with enough data.

how often is this data correlated with an actual person? or is this info collected in aggregate on a group of people?
I got fed up with Chrome recently (some real ugly on-by-default advertising tracking) and switched to Firefox on my work computer but not my home computer yet.

Is anyone out there self-hosting firefox sync successfully? My googling seemed to only bring up a deprecated version so I haven't really tried setting it up yet.

Firefox sync encrypts your data with your password (it's not exactly like that but that's the gist of it) and Mozilla has zero access to it, none at all. I see no reason not to trust them with that. It's a lot easier and _safer_ to use their service then to set up your own.

Why safer? Because with your own self-hosting, now you have to have an extra device wide open to the Internet whose safety and security you need to maintain. If it's some shared hosting, you'll have to trust your hosting provider.

You make a good point about a potential pitfall of self-hosting things. I'll mention though that if you are self-hosting for just yourself (or some small number of people), you can set up a VPN connection for secure access to your private network, which eliminates the need to open ports to the public internet at all. Other than the VPN of course.

Not that you should necessarily rely solely on the VPN for your security, but it helps.

It's fascinating that there are quite a number of forks from Firefox aiming for more privacy, security and old codebases, but none for improving the browser itself, making it more interesting for power users. Considering all that was lost in the quantum-phase, I would think someone would fork it just for improving some small things like better vim-style support or a second sidebar.
A browser is easily larger than a whole OS. Like, even Microsoft gave up on their own engine. That's why we should be so thankful for Firefox.
Another reason to use it on Ubuntu is simply it's still available as a normal app instead of a snap.
Thanks! Macroexpanded:

LibreWolf: A custom version of Firefox, focused on privacy, security and freedom - https://news.ycombinator.com/item?id=36921443 - July 2023 (8 comments)

LibreWolf: A privacy-focused Firefox fork - https://news.ycombinator.com/item?id=31894749 - June 2022 (77 comments)

LibreWolf – A fork of Firefox, focused on privacy, security and freedom - https://news.ycombinator.com/item?id=30720301 - March 2022 (217 comments)

LibreWolf – A fork of Firefox, focused on privacy, security and freedom - https://news.ycombinator.com/item?id=29106155 - Nov 2021 (306 comments)

LibreWolf: A fork of Firefox, focused on privacy, security and freedom - https://news.ycombinator.com/item?id=26034774 - Feb 2021 (1 comment)

LibreWolf – A fork of Firefox, focused on privacy, security and freedom - https://news.ycombinator.com/item?id=23901130 - July 2020 (5 comments)

The name is really weird, like it was selected by a 12 years old
The daily dose of privacyguides forum dissing LibreWolf for unjustified [reason](https://discuss.privacyguides.net/t/librewolf-browser-firefo...), while their recommanded "Brave" was delibrately a product to replace annoying ads with their own commercial ads and earn BAT crypto, built-in VPN, built-in Web3, wallet, whatever stuff...

Their opinion TLDR; no auto-updater (community auto-updater exists), no advantage to config Arkenfox.js by yourself (but why do I need to be a json geek to just use a browser?)

LW the best daily-driver browser for me, they still include the option to use FF Sync, which is supposed to be safe as E2EE. Mullvad Browser is better but hard to daily drive.

Similar to ublock origin advanced mode (which basically is uMatrix continued), be prepared to fix the site by yourself sometimes. But for safety, privacy, anonymity and security, hell yah.

Any fellow OperaGX users here? It's kind of a meme but the feature set is neat and performance seems fine. I wonder how HN would feel about it
Great browser. LW is much better in terms of accessing sites than Firefox portable or any other FF based browser I've tried.
i believe LW is the only browser that can defeat advanced fingerprinting techniques.
I liked that they advertised webextensions firewall. But I was not able to make it work and don't see that anymore