
“Our primary goal is to un-fork the Tor Browser” - dao-
https://bugzilla.mozilla.org/show_bug.cgi?id=1173199#c31
======
confounded
Note: I believe "un-fork" in this context means the Tor browser being able to
use the latest version of Firefox (instead of an old fork), by Mozilla
merging-in some of the privacy enhancements made in the Tor Browser, for
ordinary clearnet use (likely as default-off options).

It does not mean making Firefox into the Tor Browser.

It's a great way to make the efforts of both teams available to both groups of
users. I'm very glad this effort is happening!

~~~
dao-
See also this comment further up in the bug:

"Mozilla leadership has already decided to help Tor move toward being able to
build off a Release Firefox rather than an ESR--it's safer for our users. I
don't know if we'll get to the point where they can just ship a re-packaged
bundle with some pref flips and add-ons, but the more of their patches we
incorporate into mozilla-central the easier it will be for them to apply their
remaining patches each release."
([https://bugzilla.mozilla.org/show_bug.cgi?id=1173199#c16](https://bugzilla.mozilla.org/show_bug.cgi?id=1173199#c16))

~~~
technomancy
It's worrying to me that they imply ESR is less secure; isn't the whole point
that it gets security fixes applied to it? Less churn should make it more
secure.

~~~
tedmiston
> Maintenance of each ESR, through point releases, is limited to high-
> risk/high-impact security vulnerabilities and in rare cases may also include
> off-schedule releases that address live security vulnerabilities. Backports
> of any functional enhancements and/or stability fixes are not in scope.

[https://www.mozilla.org/en-US/firefox/organizations/faq/](https://www.mozilla.org/en-US/firefox/organizations/faq/)

~~~
technomancy
Damn; I assumed since it was shipped in Debian Stable it had all the same
guarantees as the rest of the distro, but I guess the browser codebases tend
to be such security disasters that they can't necessarily keep up.

~~~
mgbmtl
Projects release new versions of software not just for new features, but (one
would hope) constant improvements to the underlying architecture.

Firefox in particular has been evolving quickly, with many under-the-hood
improvements that may not fix "high-risk" security issues, but constantly
improve security directly or indirectly (e10s?). You can't expect maintainers
of an ESR to backport all those things.

There's always a risk in adopting the latest version of a program, but there's
also a risk with keeping the old, less actively maintained version. I get
burned all the time with Debian Stable, running into bugs fixed in the latest
version but not backported. (nonetheless, I do prefer Debian Stable to most
other solutions)

A project I'm involved in even has an automatic "toxic code" warning for PRs
on known functions/classes that need to be refactored, and where
monkey-patching will likely cause other security issues one way or another.

------
intherdfield
What is meant here IS NOT that every Firefox user would be browsing using Tor.

The idea is that the Tor Browser would be standard Firefox with certain strong
privacy settings enabled. i.e., the Tor project wouldn't have to patch Firefox
source and recompile because their patches would already be in Firefox, just
run-time disabled. They wouldn't have to maintain their own set of patches
that could be broken by Firefox development. For Tor, stock Firefox would be
launched with those (strong privacy) settings enabled.

Tor might have to rework their patches to live in Firefox in this way, but it
would simplify their work because Firefox development wouldn't cause upstream
breakage of the Tor browser.

~~~
mtgx
Why couldn't Firefox use Tor in the "private mode"? Wouldn't that be the
_ultimate_ private mode? It would also greatly help the Tor community, as it
would "mainstream Tor" so it wouldn't have as much stigma as it does today.

~~~
phyzome
Because that's not safe. Exit nodes can trivially screw around with plain HTTP
(both snoop on and rewrite), and it also puts them in a MitM position for new
HTTPS bugs. That's a risk you take when using Tor, and it's not a tradeoff you
can reasonably convey to existing Firefox users who are used to Private mode
meaning a certain thing.

Also, the Tor network probably doesn't have enough exit node capacity to
handle the volume it would get.

~~~
tedmiston
Not to mention non-technical users will be confused and complain how slow it
would become.

~~~
c22
Especially this, since most users of private browsing are probably streaming
video content.

------
Fej
This would be a miracle for privacy advocates. However, I'm worried that
Mozilla could become irrelevant in the meantime. I say this as a die-hard
Firefox user (I even refuse to use any of the forks that remove the branding).

Mozilla needs to be making moves that keep them relevant. This move is great
for some privacy-minded folks who don't know that the Tor Browser Bundle
exists, but unfortunately... most people don't care about their privacy
online.

Does Mozilla even have a path they can take that keeps Firefox from dying a
slow death? I say this because I love what they do - they're the only major
browser developer that is interested in protecting their users instead of
their profits. They need to start acting like the situation is getting dire.

~~~
Paul-ish
We see that % share is going down for Firefox, but is there any indication
that total number of users is dropping for Firefox? I suspect that as more
people have been getting on the internet, the absolute number of FF users is
actually going up. It stands to reason that Firefox isn't dying at all.

~~~
martinvol
I broke my Chrome instance and decided to give Firefox a try, and I must say
it has A LOT of usability problems compared to Google's. I'd say Mozilla has a
lot to work on to avoid losing users, if they aren't already.

~~~
cdmckay
What usability problems did you experience vs Chrome?

~~~
discreditable
Granted, this is non-default config. When blocking third-party cookies, Chrome
shows a little icon which you can click to whitelist blocked cookies. There is
no such Firefox option that I've found yet.

It's also a lot easier to toggle javascript for individual sites in Chrome
without extensions.

~~~
Sylos
This is arguable in my opinion. Someone who wants to block third-party Cookies
or JavaScript shouldn't have any trouble with installing extensions.

~~~
ak4g
Now you've forced me to make at least two more decisions: to open up
addons.mozilla to find a cookie-management extension, and to open up
addons.mozilla to find a javascript-permissions-management extension.

At each of these interactions, I would be confronted with the worst possible
next-actionable-step: a large, seemingly unbounded number of options. Picking
any of them then requires an additional interaction to confirm, possibly
whilst (realistically speaking) disregarding scary-looking security warnings
about what the extension will be able to do with my first-born child.

Of course, IRL, users respond as you'd expect when given such immediate
negative feedback. They will make it through at most one forced-decision
interaction. By the time they hit #2, the user's goal will become "install
Chrome", not "figure out which extension to install next".

It's really important to recognize here that the extension
search/installation/configuration user flow is more-or-less indistinguishable
from actively punishing the user for using firefox. Oh, so you want to use
firefox, _and_ actually do something? Kindly direct this barrage of STOP NO
DONT feedback to your decision-making apparatus until it comes around to its
senses and installs something, _anything_ else.

~~~
Drdrdrq
What a great summary of extension installation process! I wonder why they
never streamlined it and made at least a list of featured (curated / reviewed
for security) extensions.

That said, I still prefer Firefox to anything produced by MS, sorry, I mean
Google... :)

------
Uptrenda
It would be really cool if Tor became like an open web standard that every
browser supported. We would be able to freely host services with incredibly
strong privacy guarantees and then work them into existing web infrastructure
so that normal users can benefit from strong privacy without having any
special knowledge.

Doing the same thing with Bitcoin wallets would also be a good idea, though
I'd want for there to be a much better security model before that's considered
... otherwise every new browser zero-day will be the equivalent of being able
to mass hack bank accounts.

~~~
micaksica
I agree with this. "Tor Browser Mode" should become the default "Private
browsing mode" on Firefox. It seems to me that a lot of uneducated users seem
to have the idea that Incognito/Private mode does, somehow, give them more
anonymity in a way other than locally.

The extra streaming traffic would probably cripple Tor exit nodes in the short
run if Mozilla didn't run worldwide fast exits on their own, but it'd be a
start in a good direction, IMO.

I'm sure someone will come along and tell me that "this isn't what Tor is
useful for," but as far as I am concerned Tor has a PR problem. If everyone
uses Tor as part of Firefox Private Browsing, a lot, lot more _normal_ people
become Tor users, not "extremists" or "dissidents" or "criminals", the
headless horsemen of the anonymity apocalypse.

~~~
jrochkind1
> if Mozilla didn't run worldwide fast exits on their own

If a huge portion of tor traffic is going through exit nodes owned by one
organization and presumably deployed on a uniform consistent infrastructure,
this becomes a prime target for hackers, state-sponsored or otherwise.

~~~
micaksica
Tor itself is already a prime target for hackers. There are plenty of
malicious exit nodes as is; as for nation-states, the cost of entry into
polluting the Tor network with your own circuits to probabilistically
deanonymize users is low enough as is that you'd be stupid not to do it. By
the same logic, torservers.net shouldn't exist, or ipredator's massive exit.

Tor has a fair amount of relay bandwidth; Mozilla running exit nodes adds
strength to where the bigger bottleneck is. There isn't a lot of personal risk
in running middles or guards to the common techie; an exit node with abusive
traffic can get your house raided in the United States [1] and Germany makes
you responsible for traffic on your IP [2].

They have the legal and personnel resources to be able to deal with abuse
complaints from bad actors, and should, for the sake of the network they
support.

[1] [http://www.ibtimes.co.uk/seattle-police-raid-home-privacy-activists-who-maintain-tor-anonymity-network-node-1552524](http://www.ibtimes.co.uk/seattle-police-raid-home-privacy-activists-who-maintain-tor-anonymity-network-node-1552524)

[2] [http://www.young-germany.de/topic/live/your-digital-rights-in-germany](http://www.young-germany.de/topic/live/your-digital-rights-in-germany)

------
dredmorbius
This is awesome.

No, backfitting a stock browser isn't going to give you high-level security.
An Uber-Incognito mode, however, would be a real plus.

Far more useful: _making Tor so available and ubiquitous that site operators
and infrastructure providers have to address Tor usability issues._ Yes, I'm
looking at you specifically, Cloudflare and Craigslist.

On the site ops side, this is going to play major havoc with methods typically
used for mitigating site abuse (and other problems), specifically IP-based
tracking. If I find a specific issue and can note that a single address or
block of addresses _which likely represents a single user or user-class_ is
problematic, I can take action. If "the Internet" becomes a
Tor-undifferentiated request cloud, as we've been diagramming it on zero-content
slidedecks for 20 years, then that really useful tool will end its useful life
(or more likely: be less useful in more cases).

But that's a hell of a good reason for coming up with other ways of
establishing and enforcing good user behavior through ad-hoc, anonymous,
systems-based reputation systems.

------
Achshar
I think using Tor as it is intended to be used requires some change in user's
browsing habits as well. So pulling in all the Tor specific settings into
firefox won't be much help if the user then goes and signs into facebook and
gmail.

~~~
Manishearth
I'm not sure how this is relevant to the post?

They're not talking about giving Firefox a "tor mode". The Tor browser uses
Firefox under the hood with a few add-on and flipped default settings.
Currently, it uses a fork of Firefox with slight modifications (like the
ability to disable mathml). They intend to make it so that this fork is
unnecessary. The Tor browser will probably continue to be something you need
to install to use.

~~~
yohui
I think some people read the title (_Mozilla: “Our primary goal is to un-fork
the Tor Browser”_) and assumed Mozilla wants to incorporate all the Tor
Browser's features. A closer look at the link should make it clear that the
changes being discussed are more specific.

It's almost clickbait.

~~~
int_19h
I've interpreted the title that way, too, but partly because it might actually
make sense.

Consider this. Firefox peaked a while ago; since then, Chrome ate every other
browser's lunch, and the only browser that had user share declining faster
than Firefox was IE (but even so, IE still has more users). Google has the
brand recognition on their side, and on top of that, they have actually made a
browser that "just works" for 99% of people out there, the way Firefox never
quite did.

Since contesting Chrome's market share is rather pointless, Firefox needs a
niche of its own now. Integrating Tor in a seamless way would be a great
opportunity to create one.

~~~
RubyPinch
eh, the final pieces are kind of all being worked on

multiprocessing to stop freezing issues and increase response speed

a permissioned API for extensions, easier and saner full themes system
(faster/easier development time for updates, and a wider range of
extensions/themes as a result)

and switching critical components to a safer language

which imo are more important for users than doing something an existing
firefox fork does (like, if there was demand for firefox with seamless tor,
then they would get the firefox with seamless tor today, because it already
exists)

------
sprin
This is not about integrating Tor into Firefox, rather it is about
incorporating switches into Firefox for the security/privacy improvements that
have been made in Tor Browser.

You can think of Tor Browser as a better Firefox that just happens to include
built-in support for the Tor network. Tor Browser is security-hardened and
makes numerous changes to improve privacy, such as reducing fingerprinting
opportunities and attempting to isolate browser state by URL bar domain. The
Design and Implementation of the Tor Browser doc [1] is an excellent read on
the approach taken.

Since it is trivial to configure Tor Browser to run on the "normal internet"
(not on the Tor network), there may not be much reason to run Firefox instead
of Tor Browser. There is one possible reason: not all security fixes may be
backported to Firefox Extended Support Releases (ESR). According to the ESR
FAQ [2], only "high-risk/high-impact security vulnerabilities" will be
backported to ESRs. So clearly some security vulnerabilities that are not
considered by Mozilla to be high-risk/high-impact may be left unfixed in ESRs.
Additionally, it seems likely that not all bugs that are security
vulnerabilities will be correctly identified as such. Many exploitable bugs
that can lead to code execution are often published as only stability or
denial of service bugs by project maintainers - so-called "Denial of Reality"
vulnerabilities [3]. I think this is what Daniel Veditz is alluding to when he
says "Mozilla leadership has already decided to help Tor move toward being
able to build off a Release Firefox rather than an ESR--it's safer for our
users."

So in that sense, it is great news that Mozilla is working to make it easier
for Tor Browser to be based on top of Release Firefox instead of an ESR. Even
if all Tor Browser patches make it into Firefox, I imagine it will be a good
deal of work to get out-of-the-box Firefox to behave like Tor Browser. And
given that every six weeks, Firefox may have new features that present new
attack surface, or enable new fingerprinting opportunities, it still seems
like a safer bet to have Tor Browser devs vet each release, rather than
constantly try to stay on top of what switches need to be flipped.

Personally I will continue to trust Tor Project to ship a browser that is
configured for strong security and privacy out-of-the-box.

[1] [https://www.torproject.org/projects/torbrowser/design/](https://www.torproject.org/projects/torbrowser/design/)

[2] [https://www.mozilla.org/en-US/firefox/organizations/faq/](https://www.mozilla.org/en-US/firefox/organizations/faq/)

[3] [https://lwn.net/Articles/191080/](https://lwn.net/Articles/191080/)

------
nxzero
Anyone able to provide commentary on who's who in the comment linked to. Seems
like if this was an official effort one of the two parties would have posted
an announcement.

------
r-w
_*squee*_

~~~
anonbanker
agreed. this is the biggest news a privacy advocate could ever want. How do
Google and Microsoft compete? They've pretty much set on a path of VPN'ing
everyone over Tor by default.

Perhaps it's too much to ask if they'd do the same for i2pbrowser?

------
MichaelMoser123
will we also get enough onion routers to keep the system running under high
demand?

------
yusee
Who really thinks that the NSA, Palantir, Mossad, Russia, etc. aren't
surveilling the dark net?

Privacy is dead.

~~~
Sylos
Of course, they are surveilling the dark net. The idea is that you're
anonymized in such a way that you don't have to care about the surveillance.

~~~
dredmorbius
And/or that the surveilling costs (against you, against others) are raised.

------
FungalRaincloud
I mean, I think it's a cool idea, but I kind of hope not. Firefox is the only
browser that seems to consistently be able to play video at my work, because
of aggressive firewalls. If they enable tor by default, it's pretty much
guaranteed that it'll be uninstalled from all company machines.

~~~
Aldo_MX
You're misunderstanding, the intention is to integrate any privacy-related
change made by the Tor Browser, but in a configurable way via `about:config`
under the `privacy.*` namespace.

Firefox should allow you to disable any privacy-concerning feature
out-of-the-box, it shouldn't be needed to maintain a separate fork to achieve
better privacy.
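If the Tor Browser hardening does land as `privacy.*` switches, the check a practitioner would want is an audit of a profile's `user.js` against the expected values. The script below is an added example, not code from the thread or from Mozilla: it parses `user_pref(...)` lines and reports each audited pref as ok, missing or wrong. The two pref names are assumed as representative `privacy.*` switches, and the sample profile fragment is constructed.

```python
import re
from typing import Dict, Union

PrefValue = Union[bool, int, str]

# One user.js line: user_pref("name", value);  value is true/false,
# an integer, or a double-quoted string (escaped quotes allowed).
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;'
)

# Assumed audit list for this example: privacy.* switches expected to be on.
EXPECTED_PREFS: Dict[str, PrefValue] = {
    "privacy.resistFingerprinting": True,
    "privacy.firstparty.isolate": True,
}


def parse_user_js(text: str) -> Dict[str, PrefValue]:
    """Return {pref_name: typed_value} for every user_pref line in text."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines and anything else are skipped
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def audit(prefs: Dict[str, PrefValue],
          expected: Dict[str, PrefValue] = EXPECTED_PREFS) -> Dict[str, str]:
    """Per audited pref: 'ok', 'missing', or 'wrong:<actual value>'."""
    result: Dict[str, str] = {}
    for name, want in expected.items():
        if name not in prefs:
            result[name] = "missing"
        elif prefs[name] != want:
            result[name] = f"wrong:{prefs[name]!r}"
        else:
            result[name] = "ok"
    return result


# Constructed sample profile fragment: one switch on, one left off.
SAMPLE_USER_JS = """\
// constructed sample user.js
user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.firstparty.isolate", false);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    for name, status in audit(parse_user_js(SAMPLE_USER_JS)).items():
        print(f"{name}: {status}")
```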

