
Firefox bullshit removal - tobiasrenger
https://gist.github.com/haasn/69e19fc2fe0e25f3cff5
======
kirb
This gist misleads in a few ways by being so vague and seems to be more about
disabling every somewhat useful feature that sounds bad for tinfoil hat
enthusiasts. Still has useful things, like disabling Pocket if you don’t want
it and forcing newer TLS versions. Others are silly (disabling things that
already ask for your permission, like location), dangerous (disabling Google
Safe Browsing), or already exposed in the settings UI anyway (DNT, tracking
protection, telemetry). To each their own, use these if you think they’re
important to you, but for most people it’s fear-mongering about nothing and
enabling a few things in the privacy settings page is sufficient.

~~~
TAForObvReasons
> for most people it’s fear-mongering about nothing

To be fair, a core argument in favor of Firefox is essentially fear-mongering
about google and your personal data. It always struck me as odd that actions
many people would call "shady" if google does it are condoned in FF because
Mozilla.

~~~
jkolem2
Mozilla is not the largest advertising company on Earth whose core business is
profiling people to package and sell them.

~~~
Tloewald
No it’s just beholden to one or another of them.

~~~
windlep
I was under the impression the search deals are merely which engine are the
default. How does having the default search be Google make the Mozilla corp
beholden to Google?

~~~
ftlio
If Google is paying what Yahoo was, it's $300 million a year for the default
search option on Firefox. Google pays Apple billions to stay the default on
the iPhone as well.

~~~
windlep
Ok, so that makes Mozilla beholden to them how exactly? Is Google calling up
Mozilla asking them to do them favors in the product? Are Mozilla engineers
being asked to write in special features that Google asks for?

Yes, Google provides 90% of the revenue or somewhere around there. But I still
haven't heard how exactly Mozilla is doing special favors to Google or is in
some way beholden to it.

Mozilla has a contract with Google to be the default search provider for a set
period of years. I have never heard of anything else being in there that
allows Google to make any product requests on Mozilla.

How come no one wants to say how exactly Mozilla is doing what Google wants?

~~~
Tloewald
Mozilla’s bizarre stance on H264 coincidentally favored Google’s position.
Mozilla’s anti-ad-tracking stuff was all switched off by default. They make
their money from ads meaning their incentives parallel those of ad networks.

All ad supported products have bad incentives. It’s the same reason HBO and
Netflix produce great TV shows and ad based broadcast and cable networks
mainly produce garbage.

------
quiquex
"These are used by Mozilla to spy on you, and are as such a significant risk
to privacy."

Wow that's a big claim. Any proofs that the data collected is not anonymous?
It sounds a lot like fear-mongering

~~~
outworlder
Yeah.

Companies should be transparent about the data they collect and how they
anonymize it – and it should be easy to disable if you need serious
privacy, as it is possible that some resourceful actor could de-anonymize the
information somehow. But this kind of data is not necessarily harmful.

People disabling telemetry will often be the same ones complaining about
"poorly written applications and company X should know better". Well they
don't because you disabled telemetry, now the company or organization has no
data to improve anything, be it performance, crashes or even UI. Bug reports
are not enough.

~~~
TheAdamAndChe
Yet organizations went decades making fantastic and ever-improving software
without telemetry. What changed? Why would telemetry suddenly become a basic
requirement for improvement?

~~~
oatmealsnap
Software is generally a lot more complex these days, and telemetry data is
needed to stay competitive and keep improving.

Using Firefox as an example, look at how many improvements they have made over
the last 5 years. I'm not here to argue whether we need these features or if
Firefox 2 was the last version of Firefox that we needed. Firefox (or Chrome,
or whatever) wouldn't look as great as it does today without lots of data.

~~~
dingaling
On the other hand Mozilla has frequently quoted telemetry as the reason for
removing niche or power-user features, for example Tab Groups and Themes. "Low
usage" in both cases.

So telemetry doesn't always improve the user experience.

~~~
thatcat
Power users disable telemetry.

------
jftuga
[https://waterfoxproject.org/](https://waterfoxproject.org/)

[https://www.reddit.com/r/waterfox/](https://www.reddit.com/r/waterfox/)

        Disabled Encrypted Media Extensions (EME)
        Disabled Web Runtime (deprecated as of 2015)
        Removed Pocket
        Removed Telemetry
        Removed data collection
        Removed startup profiling
        Allow running of all 64-Bit NPAPI plugins
        Allow running of unsigned extensions
        Removal of Sponsored Tiles on New Tab Page
        Addition of Duplicate Tab option
        Locale selector in about:preferences > General

~~~
CapacitorSet
> Allow running of all 64-Bit NPAPI plugins
> Allow running of unsigned extensions

That doesn't sound very nice.

~~~
krapp
It's to "fix" Firefox's deprecation of XUL-based plugins[0].

[0][https://news.ycombinator.com/item?id=15800634](https://news.ycombinator.com/item?id=15800634)

------
outworlder
Websockets? Really?

Even if they are an ugly hack on top of HTTP, they are too damn useful to be
disabled.

Let's disable Javascript too while we are at it.

~~~
krapp
>Let's disable Javascript too while we are at it.

...as if much of HN's userbase doesn't already do that.

~~~
outworlder
Indeed. I wonder how they can get anything done. (Other than posting on HN
itself, that is)

~~~
Momquist
Surprisingly well, from my own experience. It can even increase your
productivity and decrease distractions: it blocks most ads, suppresses
annoying "interactive" features, bans participation in most time-wasting sites
(e.g. facebook) while still allowing browsing. And of course security.

For the very few domains I deem absolutely necessary, I can always whitelist
them.

~~~
twhb
It sounds like the problem is you're spending your time on adversarial
websites. Give JS to a skillful developer who shares your goals, and they'll
use it to make the website better.

~~~
Momquist
Actually I don't. I never had any account on FB for example, but once in a
blue moon I get to visit a public FB page (like a recent blog post posted on
HN recently), and having JS disabled let me browse it without worries.

How can a skillful JS developer make the site better for me when I want to
avoid ANY extra features and distractions? My personal tastes tend to go not
too far off this kind of design:
[http://bettermotherfuckingwebsite.com/](http://bettermotherfuckingwebsite.com/)

If this hypothetical developer is really sharing my goals then he'll use the
<noscript> tag, and I'll be happy enough with HTML/CSS.

For text-heavy sites, which are the ones I use the most, JS adds nothing I
want: tracking? 3rd-party ads? lazy-loading? comments via disqus? sharing to
social media? Thanks, but not for me.

~~~
twhb
> How can a skillful JS developer make the site better for me when I want to
> avoid ANY extra features and distractions?

devdocs.io uses JS to make an essentially-static website much faster to load
and navigate. HN lets you vote without reloading the page. Shopping carts.
Webmail. Google Maps. Rich text editors. Navigating around Spotify while the
music keeps playing. Feedback on forms without clearing or changing something.
Keeping a table of contents in sync with what you're viewing. Keeping changing
data correct, like feeds, whether a service is up, whether you're signed in.
Chat. Video calls.

And areas not yet widespread. AMP's speed (which would be inoffensive, I
think, if intra-site). Layouts more advanced than CSS can express, like a
newspaper's or the positioning of plaques at museums. Even smarter data
compression for repetitive content.

And areas we're just now getting the tech for, like 3D simulations and peer-
to-peer networking.

------
cocktailpeanuts
Would have not gotten the backlash it's getting if the author was a bit modest
and titled the repo:

"How to get rid of FireFox features you don't need", or something like that.

Security is an important issue, but as someone who thinks WebRTC is the only
missing piece of the puzzle that could help bring true decentralization to the
Web, I think bashing on WebRTC just because of its security issue is short
sighted. (Not to mention a couple other features mentioned on there)

But if you're so paranoid about security that you're going to disable
WebSockets, I think the web browser is not the only thing you need to worry
about. There are tons more attack vectors and hackers can hack in no matter
how you get rid of this "FireFox bullshit" to increase security. After all,
most hacking nowadays is based on social engineering.

One thing I agree though is "Pocket Integration" IS a bullshit.

~~~
balladeer
> "Pocket Integration" IS a bullshit

And it is still around. It has still not been made into a removable AND turned
off by default component which is the least Firefox should have done if at all
they can't live without shipping Firefox with it.

------
mrob
To this I would add:

    middlemouse.contentLoadURL=false

This anti-feature means missing the target of a middle-click by a single pixel
can leak the contents of your clipboard or load unexpected URLs. I don't
understand why it's still on by default -- Mozilla has been willing to break
people's workflow for UI improvements many times before.

~~~
bzbarsky
> middlemouse.contentLoadURL=false

This is the default in Firefox 57 and later. See
[https://bugzilla.mozilla.org/show_bug.cgi?id=366945](https://bugzilla.mozilla.org/show_bug.cgi?id=366945)

> I don't understand why it's still on by default

It's not.

~~~
louiz
I don’t understand, what does it do?

~~~
bzbarsky
When set to true, lets you middle-mouse-paste into the content area to load
the url in the PRIMARY selection. That way you don't have to worry about
whether selecting the text in the URL bar so you can replace it with the URL
will clobber PRIMARY.

Only relevant on X, where there is a PRIMARY, of course. See
[https://unix.stackexchange.com/a/139193](https://unix.stackexchange.com/a/139193)
for a quick description of what PRIMARY is and how it differs from CLIPBOARD.

------
halestock
Fwiw, I wasn't a fan of the original integration of pocket into Firefox, but
they are now completely owned by Mozilla:
[https://blog.mozilla.org/blog/2017/02/27/mozilla-acquires-pocket/](https://blog.mozilla.org/blog/2017/02/27/mozilla-acquires-pocket/)

~~~
mulmen
This explanation has never satisfied any of my concerns. I don't doubt
Mozilla's motivations but the fact that they bought Pocket does not mean that
the architecture is designed with my best interests in mind. I'd rather hear
about what Mozilla is doing as the owner of Pocket to continue fighting for my
best interests.

------
JepZ
Anybody knows if it is possible to use Pocket with a custom server? So far I
found only the ticket which tracks the open sourcing process of pocket:

[https://bugzilla.mozilla.org/show_bug.cgi?id=1343006](https://bugzilla.mozilla.org/show_bug.cgi?id=1343006)

11 months old, not even assigned yet... looks like I should come back in 2038.

~~~
boomboomsubban
They've started releasing some of the code, I don't think it's at the point of
a custom server yet.

[https://github.com/Pocket](https://github.com/Pocket)

------
gavreh
> NOTE: Unfortunately this is somewhat out of date. The comments link to some
> resources that may be more up-to-date. Patches welcome.

------
xg15
I'm puzzled that he sees websockets as a privacy hazard. From what I
understand, WS connections are CORS protected (though the model is slightly
different than standard CORS for historical reasons) and were designed somewhat
friendly to proxies. So what is the problem?

(Though browsers don't seem to honor proxy settings for WS in practice. I
guess this could be corrected. Does anyone know the reasons for that?)

WebRTC is more understandable: Connection setup is different for each
application, the connection itself is encrypted and browsers don't seem to
offer any way to inspect or manage WebRTC flows.

It's sad that a technology which offers so many interesting applications is
implemented in such a problematic way for privacy. This should really be
improved.

(Warning: rant follows)

Generally, I think we should have a general discussion about the ability of
inspecting the network traffic of your own machines. Current practice seems to
be that this ability is sacrificed in favor of an "encryption-first" doctrine:
Browser vendors are aggressively pushing HTTPS everywhere and it's almost a
requirement that new network protocols have built-in encryption. There are
still some escape hatches by installing custom root CAs, but programs are
starting to circumvent that without much consequences (or even encouragement
by OS vendors - e.g. on Android).

For example, right now it's impossible to inspect traffic from the Dropbox
client on Windows (short of patching the program) because the client ignores
custom root CAs. Trying to inspect traffic from a smartphone is already pretty
hopeless.

As traffic inspection would be a powerful tool in finding privacy leaks, we
should lobby more for it.
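
The comment above says WS connections are "CORS protected" with a model that differs from standard CORS. As an added example (not from the gist or from any poster), the Python below shows what that difference is in practice: the browser attaches an Origin header the page cannot forge, but nothing in the browser blocks the connection, so the server-side handshake check is the whole defence. The allowlist origin, host names and sample requests are constructed for this example.

```python
import base64
import hashlib

# GUID fixed by RFC 6455; appended to the client key to derive Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Hypothetical allowlist of page origins permitted to open sockets to this server.
ALLOWED_ORIGINS = {"https://app.example.test"}

def parse_handshake(raw: bytes):
    """Split an HTTP/1.1 Upgrade request into (request line, {lower-cased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept as defined in RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def check_handshake(raw: bytes, allowed=ALLOWED_ORIGINS):
    """Decide whether to upgrade; returns (HTTP status, accept key or reason).

    The browser always adds Origin and page script cannot alter it, but unlike
    CORS the browser never blocks the connection itself: rejecting unknown
    origins here is what prevents cross-site WebSocket hijacking.
    """
    request_line, h = parse_handshake(raw)
    if not request_line.startswith("GET "):
        return 400, "websocket handshake must be a GET"
    if h.get("upgrade", "").lower() != "websocket":
        return 400, "missing Upgrade: websocket"
    if h.get("sec-websocket-version") != "13":
        return 426, "unsupported Sec-WebSocket-Version"
    key = h.get("sec-websocket-key", "")
    try:
        key_ok = len(base64.b64decode(key, validate=True)) == 16
    except ValueError:  # binascii.Error is a ValueError
        key_ok = False
    if not key_ok:
        return 400, "Sec-WebSocket-Key must be 16 random bytes, base64-encoded"
    origin = h.get("origin")
    if origin not in allowed:
        # Non-browser clients may omit Origin entirely; treat that as unknown too.
        return 403, f"origin not allowed: {origin!r}"
    return 101, accept_key(key)

# Constructed sample handshakes, not captured traffic; the key is the RFC 6455 example.
GOOD_REQUEST = (
    b"GET /chat HTTP/1.1\r\n"
    b"Host: ws.example.test\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    b"Sec-WebSocket-Version: 13\r\n"
    b"Origin: https://app.example.test\r\n\r\n"
)
# Identical request, but initiated by a page served from a different site.
CROSS_SITE_REQUEST = GOOD_REQUEST.replace(b"app.example.test", b"other.example.test")
```

`check_handshake(GOOD_REQUEST)` returns status 101 with the RFC's accept value, while the cross-site request is refused with 403 before any upgrade happens.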

~~~
philipwhiuk
You don't need to decrypt TLS to know where it's going. SNI leaks the domain
in plaintext and if SNI isn't enabled you can just use the IP address.
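
To make the point above concrete, here is an added example (not from the gist or any poster) of what a passive monitor on your own machine can recover from the first packet of a TLS connection without any decryption: the host name from the ClientHello's SNI extension. When SNI is absent it returns None, leaving only the destination IP, as the comment says. The ClientHello is constructed inline as test input, not captured traffic.

```python
import struct

def build_client_hello(hostname):
    """Construct a minimal TLS 1.2 ClientHello (test input only); hostname=None omits SNI."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
        sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry          # server_name_list
        extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext  # extension type 0 = SNI
    body = (
        b"\x03\x03" + b"\x11" * 32                      # client_version, random (fixed, constructed)
        + b"\x00"                                       # session_id length 0
        + b"\x00\x02\xc0\x2f"                           # one cipher suite
        + b"\x01\x00"                                   # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return host_name from a ClientHello's SNI extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:      # handshake record carrying a ClientHello
            return None
        pos = 5 + 4 + 2 + 32                             # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                           # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
        pos += 1 + record[pos]                           # compression_methods
        ext_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type != 0x0000:
                pos += ext_len
                continue
            # server_name_list: 2-byte length, then entries of name_type(1) + length(2) + name
            list_end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
            entry = pos + 2
            while entry + 3 <= list_end:
                name_type = record[entry]
                name_len = struct.unpack_from("!H", record, entry + 1)[0]
                if name_type == 0:
                    name = record[entry + 3:entry + 3 + name_len]
                    return name.decode("ascii") if len(name) == name_len else None
                entry += 3 + name_len
            return None
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def observed_hosts(records):
    """What a monitor on your own machine learns from a list of ClientHellos, without decrypting."""
    return [extract_sni(r) or "<no SNI: fall back to destination IP>" for r in records]

# Constructed sample: one connection with SNI, one without.
SAMPLE_RECORDS = [build_client_hello("www.mozilla.com"), build_client_hello(None)]
```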

------
qwerty456127
Is there something like this for Chrome too?

BTW I wish I could just disable all features but those basic ones every
website uses (and "data URIs" support please!!! I really want to disable
it!) and enable them manually on a per-domain basis (the way I do with scripts
using NoScript and uMatrix).

~~~
Digital-Citizen
With Chrome you face the inherent untrustworthiness of nonfree software.
Chrome users always trust Google. No set of preference changes or add-ons
makes Chrome safe from Google's power over your data or your computer. This
strikes me as a fundamentally worse position for any Chrome user.

------
mediocrejoker
Websockets are used for nefarious purposes?

~~~
twic
I use them for nefarious purposes. But then i use everything for nefarious
purposes.

~~~
ricree
Please remember to set the evil bit properly when you do.

------
ravenstine
I'd never heard of social media integration. That is true bullshit, and I
wonder what the analog is in Chrome.

But what's wrong with DRM? DRM sucks, but I don't know why it's in someone's
interest to not be able to watch Netflix in their browser.

------
Feniks
Tip for Android users:

Fennec F-droid.

Firefox wants to be (a less evil) Chrome, which is great for the 90% but that
leaves the rest of us scrambling. No I don't need my browser to support DRM in
order to watch Netflix ffs...

[https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/](https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/)

~~~
clircle
It's not really clear to me how this differs from Firefox for Android. Removes
some DRM? Anything else?

------
solomatov
Having a separate privacy conscious fork of FF would be a better solution.
They can easily workaround such tweaks.

~~~
brendyn
I use IceCat which is essentially that. It's based on the ESR releases though
since it's hard for the few volunteers to keep up with Firefox's releases.

------
yegle
Why not just use TorBrowser if you are too concerned about those settings?

------
jasonkostempski
network.websocket.enabled=false

This isn't even in my about:config anymore. I'm pretty sure it was at some
point. Did they remove the option to disable it for some reason?

~~~
bzbarsky
It was removed in Firefox 41, once WebSocket had been shipping for a while.
See
[https://bugzilla.mozilla.org/show_bug.cgi?id=1159792](https://bugzilla.mozilla.org/show_bug.cgi?id=1159792)

The only reason the pref was there is that new features tend to have prefs to
disable them. First because those are useful for enabling a feature for
testing before it may be ready to be on by default, second in case there's a
serious problem with the feature that requires it to be turned off in a hurry.
But once a feature has been shipping and on by default for a while, prefs to
disable it just end up being technical debt, and tend to get removed like any
other technical debt when people get a chance.

------
Tepix
It got the "pocket" name wrong. On my Firefox 57 it's

    extensions.pocket.enabled

------
sebastian
Very helpful. It definitely would be worth developing an addon that would
apply these settings for you.

~~~
tdurden
Privacy Settings is a good start: [https://addons.mozilla.org/en-US/firefox/addon/privacy-settings/](https://addons.mozilla.org/en-US/firefox/addon/privacy-settings/)

------
borplk
Unplug your devices for maximum security.

In all seriousness it's not a bad list as a handy reference.

------
MollyR
Interesting. Though at that point why wouldn't you just use Brave ?

~~~
JepZ
Better use a safe© solution:

    curl -sL https://www.mozilla.com | html2pdf | pdfviewer

Just kidding ;-)

~~~
sli
That isn't too far from how Stallman browses the internet, I don't think. I
know he does some weird, roundabout thing involving email (or used to,
anyway).

------
dangrover
You forgot the last step, which is to respond to every link posted on Hacker
News, regardless of what it's about, with a complaint about how the site
doesn't function correctly with your unique browser config.

~~~
CaptSpify
If websites were smart, they'd design their webpages to work with every unique
browser. It's actually super easy to do.

It's just not as profitable to treat your users with respect, unfortunately.

------
NelsonMinar
bathwater.baby = false

------
Karunamon
I wrote something similar a while back, and it’s in a similar state of not-updated-ness

[http://fixfirefox.com](http://fixfirefox.com)

~~~
urda
    > Your connection is not secure
    >
    > SEC_ERROR_EXPIRED_CERTIFICATE (expired October 31, 2017)

Doesn't make me want to listen to any website claiming to "fix firefox" when
they can't even bother to keep their SSL certs up to date.

~~~
CompuHacker
I added an exception and read the page I received. A single author describes
changes he made to his Firefox options from 29 onward. There is no plural
"they", and, to my understanding, the information is not current.

Should this information become inaccessible because certs weren't paid for?

~~~
yborg
I think he's just pointing out the irony of someone purporting to aid the
security-conscious having an expired cert on his own site. Unless this is
really some meta-level social commentary on how people will trust a complete
stranger's website despite an invalid cert because he seems like a nice guy.

~~~
urda
> I think he's just pointing out the irony of someone purporting to aid the
> security-conscious having an expired cert on his own site.

This is exactly the point I was going after. It would be one thing if the cert
had just expired but c'mon, October 31, 2017 really?

~~~
Karunamon
Cert expiration dates provide very little in the way of actual security.
Normally it would mean that yes, your connection is secure, yes, everything
matches, but you hadn't paid your protection money to the CA racket in a
while.

In my case, it's because I haven't had the desire to go in and redo the nginx
config on this machine. But sure, that makes the content wrong, or something.

~~~
urda
> But sure, that makes the content wrong, or something.

If your own Nginx server cannot serve up a proper _and_ protected session, why
should I consider what you've written on the website? Actually how can I know
that what I'm reading is what you wrote if the session is already compromised
from the start?

> but you hadn't paid your protection money to the CA racket in a while.

Yes, you sometimes have to pay for that cert from a CA but that's not why
certificates expire.

Besides, your CA is Let's Encrypt so this point is completely useless but it
does make an easy excuse.

Enough with the drama please.

~~~
Karunamon
It is protected. Cert expiration has no impact on the safety of the connection
whatsoever. LE uses the same encryption as the big guys, they just set the
expiry date field to a lower number. Please explain how that meaningfully
reduces security.

> _Enough with the drama please._

Indeed. Petty sniping in an attempt to avoid engaging the content lowers the
level of discourse substantially.

