
Waterfox Browser - cameronbrown
https://www.waterfox.net/
======
bscphil
Alternatives that allow you to still get your security and stability updates
from Mozilla include two Gnu soft-forks. There's IceCat, which is the best-
supported version and runs off of ESR. [1] There's also "abrowser" (that's
literally what it's called) that is part of the Gnu Trisquel distribution,
which is based on the most recent release. Both patch the browser to be more
security and privacy friendly. [2] There are also several projects that
provide patches for Firefox or user.js files [3] to minimize the privacy
impact of recent Mozilla decisions. (I publish patches that remove Pocket and
disable various forms of tracking in Firefox.) The problem with the patch-
based approach is that you have to build Firefox yourself, which most people
are unable or unwilling to do.

[1]
[https://www.gnu.org/software/gnuzilla/](https://www.gnu.org/software/gnuzilla/)

[2] [https://trisquel.info/en/wiki/abrowser-help](https://trisquel.info/en/wiki/abrowser-help)

[3] [https://github.com/ghacksuserjs/ghacks-user.js](https://github.com/ghacksuserjs/ghacks-user.js)

~~~
66fm472tjy7
The most recent version of IceCat at this time is 60.3.0, published on
2018-11-09 [1], 18 days after upstream [2]. Upstream is currently at 60.7.0,
published on 2019-05-20 [3]. This puts IceCat more than half a year behind
upstream. Waterfox published their version merging upstream 60.7.0 security
fixes before upstream [4].

Using IceCat thus seems to be a bad idea security-wise.

I use upstream ESR ever since FF disabled add-ons since they let their cert
expire [5] and the release channel version ignores the
'xpinstall.signatures.required' flag.

[1]
[http://ftp.gnu.org/gnu/gnuzilla/60.3.0/](http://ftp.gnu.org/gnu/gnuzilla/60.3.0/)

[2]
[https://ftp.mozilla.org/pub/firefox/releases/60.3.0esr/](https://ftp.mozilla.org/pub/firefox/releases/60.3.0esr/)

[3]
[https://ftp.mozilla.org/pub/firefox/releases/60.7.0esr/](https://ftp.mozilla.org/pub/firefox/releases/60.7.0esr/)

[4] [https://www.waterfox.net/blog/waterfox-56.2.10-release-downl...](https://www.waterfox.net/blog/waterfox-56.2.10-release-download/)

[5] [https://arstechnica.com/information-technology/2019/05/firef...](https://arstechnica.com/information-technology/2019/05/firefox-add-ons-mass-disabled-by-certificate-bug-hotfix-for-some-ready/)

~~~
bscphil
I'm not sure what URL is technically supposed to be the correct one, but they
do seem to have updated through at least 60.5:
[http://devel.trisquel.info/repos/packages/icecat/pool/main/i...](http://devel.trisquel.info/repos/packages/icecat/pool/main/i/icecat/)
Trisquel in general seems to be pretty dead, looking at their git.

While I'm not sure whether that includes any backported security fixes or not,
you're right that this is concerning. Perhaps building it yourself _is_ the
way to go.

> I use upstream ESR ever since FF disabled add-ons since they let their cert
> expire [5]

Unless I'm mistaken that bug would have bitten you on ESR as well. The expired
certificate was an intermediate used to sign most of the addons on AMO. If ESR
wasn't using that certificate then it wouldn't have been able to validate
those addons. Correct me if I'm wrong.

~~~
66fm472tjy7
Looking at their SCM, they updated to the newest upstream less than two days
ago [1]. However, the change appears trivial, so it might be feasible to track
upstream if building from source as long as their customization scripts remain
compatible.

> that bug would have bitten you on ESR as well

Sorry, I didn't word that clearly. ESR was affected, but the signature check
could be disabled from about:config. The release channel had that flag listed,
but it had no effect.

[1]
[http://git.savannah.gnu.org/cgit/gnuzilla.git/log/](http://git.savannah.gnu.org/cgit/gnuzilla.git/log/)

~~~
bscphil
Ah, I didn't realize ESR did that. (And frankly I'm surprised it does.) One of
the things I change when I build Firefox for myself is allowing the disabling
of addon signings via about:config.

------
godelski
> Waterfox does not collect ANY telemetry, meaning you don't have to worry
> about any tracking or usage information about what you do inside YOUR
> browser.

This is woefully uninformed or malicious. There's a lot of tracking that is
out of your hands. Such as canvas fingerprinting. Even sending back 0's (like
tor does) doesn't prevent fingerprinting. In either case I lost confidence for
the browser just by reading what was on their landing page.

Either they don't know that tactics like this are common, which means that
they likely aren't aware of other basic security flaws. Or they are aware and
lying, which begs the question of how we can trust anything else.

In either case it doesn't build trust for a tool that is so highly dependent
upon trust.

~~~
geofft
I think they are claiming "you don't have to worry about any tracking or usage
information _being sent to the Waterfox developers_," but if so, they
shouldn't say "you don't have to worry" (see also Lavabit and Protonmail's
"you don't have to worry about government surveillance... well, not until the
government decides to surveil you"). I agree it's weird for a web browser of
all products to omit this clarity!

~~~
godelski
That's fair, but it is also very misleading. It also isn't hard to see how it
is misleading, enough so that I'm sure I'm not the first to notice it and that
I would assume it has been brought to their attention. If not, well... someone
ping them.

~~~
Liquix
I don't think it's misleading in the slightest. When you disable telemetry in
an application or operating system, you're disabling _that application's_
collection and transmission of metrics to its developers.

Disabling telemetry in Windows doesn't prevent programs from collecting
metrics, it disables the transmission of Windows metrics to Microsoft. Can you
give an example of the kind of 'disable telemetry' option you describe which
prevents third parties from fingerprinting or transmitting data?

~~~
geofft
Sure! On an iPhone, Settings | Privacy | Analytics | Share with App Developers
(there's an option "Share iPhone Analytics" right before it that has
explanatory text that says it's specifically about sharing with Apple) and
Settings | Privacy | Advertising | Limit Ad Tracking.

On the browser side, options about camera access, microphone access, location
sharing, etc. are about sharing it with websites, who are not entitled to make
their own permission prompts. Options about third-party cookies affect third-
party cookies from websites, not from third parties who work with the browser
developer.

------
vecplane
I wanted to use Waterfox, but I wasn't sure about the security side of things.

When vulnerabilities are found in Firefox, we can expect them to be fixed
pretty quickly. Can the same be said for this project?

~~~
sjwright
Given the project is so small, I wouldn't trust their future response to be
rapid even if they have been in the past.

Right now most security fixes come in the form of merging upstream security
fixes from Mozilla. As their code base becomes increasingly divergent to the
Firefox head, merging in upstream security fixes will become increasingly
difficult and increasingly cumbersome.

------
erikpukinskis
I don’t get it, the concern is that Firefox sends telemetry to Mozilla? Can’t
you turn that off?

~~~
gruez
AFAIK the main selling point is xul (legacy) extension support.

~~~
ravenstine
I guess if someone really needs to use a legacy extension, it's a good thing
that it's around, but I'm personally glad that XUL is dead both from a
developer standpoint and as a user.

~~~
smacktoward
Yeah, projects like this give me the heebie-jeebies, to be honest. NPAPI and
XUL were discontinued for _really good reasons._ Some users say they still
want them, but that's because (1) people hate change, even when it's good for
them and (2) they don't really appreciate all the security baggage those old
APIs were lugging around with them. Projects that assure those users that they
can keep on trucking with their old plugins like there's no problem just
encourage them to do dangerous things they really should not be doing.

~~~
kevin_thibedeau
The problem is that the replacement is crippled and Google is clearly more
interested in stripping features from the extension API. I'm still waiting for
a way to hide the tab bar which is a privileged UI feature now.

~~~
ronjouch
> _"I'm still waiting for a way to hide the tab bar which is a privileged UI
> feature now"_

userChrome.css to the rescue:

- Tree Style Tab's wiki offers tips to do exactly that:
[https://github.com/piroor/treestyletab/wiki/Code-snippets-fo...](https://github.com/piroor/treestyletab/wiki/Code-snippets-for-custom-style-rules#for-userchromecss).

- Or you can combine the address and tab bar:
[https://github.com/rstacruz/firefox-stealthfox](https://github.com/rstacruz/firefox-stealthfox)

If none is to your exact taste,
[https://www.reddit.com/r/FirefoxCSS/](https://www.reddit.com/r/FirefoxCSS/)
may help.

~~~
bscphil
That's the correct solution for now, but we can only hope Mozilla won't
disable the ability to use these files. They're disabled by default in FF 69:
[https://www.ghacks.net/2019/05/24/firefox-69-userchrome-css-...](https://www.ghacks.net/2019/05/24/firefox-69-userchrome-css-and-usercontent-css-disabled-by-default/)

And the key to reenable them has _legacy_ in the name:

    toolkit.legacyUserProfileCustomizations.stylesheets

~~~
ronjouch
Thanks for pointing that out. I'm worried too:

- At first, the discussion on bugzilla [1] is reasonable: user stylesheets
off by default for performance, and there's even backward compat code enabling
the pref during Firefox 68 if you are using them. All good...

- ... but then comes this _legacy_ in the pref name :-| :-| :-|

I hope Mozilla keeps the feature alive, it's appreciated by many "power"
users.

[1]
[https://bugzilla.mozilla.org/show_bug.cgi?id=1541233](https://bugzilla.mozilla.org/show_bug.cgi?id=1541233)

EDIT good news: re-reading recent comments, in
[https://bugzilla.mozilla.org/show_bug.cgi?id=1541233#c61](https://bugzilla.mozilla.org/show_bug.cgi?id=1541233#c61)
, Florian Quèze (mozilla dev) affirms: _"the word 'legacy' was used in the
preference name to avoid giving the impression that with this new preference
we are adding a new customization feature. I'm not aware of any plan to drop
support for these files"_.

~~~
bscphil
That is good news, thanks.

------
SamuelAdams
Looks like there is another version of waterfox at the .org domain. Which
domain is the correct one? Can you get the incorrect domain de-listed from
google search results?

[https://waterfoxproject.org/en-US/](https://waterfoxproject.org/en-US/)

~~~
tazard
When you go to the blog/web log on the .org site, it redirects you to the
.net site, so I would guess the .net is the legit one

------
lproven
Glad to see some coverage of this.

It's my default browser, since Firefox Quantum.

It still allows rich customisation, via classic XUL addons. I have a vertical
tab bar, merged with a vertical bookmarks bar, which is flattened via another
addon. I have a rich download manager with multi-streaming, resuming, and
more.

When Firefox Quantum came out, 13 of my 17 add-ons stopped working. Several
versions later, I can customise it a bit, but only in limited, clunky ways,
requiring manual hacking of userChrome.css, and it's not very widescreen-
friendly.

I don't care about privacy. Scott McNealy was right in 1999, and he's still
right: "You _have_ no privacy on the Internet. Get over it."

I don't like the new Firefox and I probably won't be back. Waterfox fills the
need nicely.

------
sdan
_Says limited data collection_

_Proceeds to use Google Analytics on waterfox.net_

~~~
unreal37
You seem obsessed with this. :)

~~~
sdan
Yes :). But in either case, if the browser is advocating for "no data
collection" and "no telemetry" I would at least expect no referral links or
Google Analytics on their homepage.

------
sdan
_Doesn't collect any data_

_Proceeds to link to Stackpath (in the footer) with a bunch of query tags_:
[https://www.stackpath.com/?utm_campaign=Partner%20Display&ut...](https://www.stackpath.com/?utm_campaign=Partner%20Display&ut..).

~~~
trufflepig
What’s stackpath

~~~
pheeney
Looks like it's a sponsor of their CDN. The link doesn't embed any tracking
that I can see. It's simply a referral link so that stackpath can determine how
many people clicked from waterfox.

------
unicornporn
So, here's a thing to work on... This is what I did:

I went to the landing page and thought: sounds good. But version 56? When was
this last updated? Firefox is long beyond 56. Went to the "releases" page and
found nothing about when 56.2.10 was released. Had to go to their Twitter
account to find out it's dated 2019-05-20.

I would also recommend renaming the "releases" page to "download" if you wish
to reach beyond the geek pool.

EDIT: release dates are also in the blog...

------
etaioinshrdlu
I really think that it is cool that there is a browser that is looking towards
maintenance of what we had (XPCOM, NPAPI for old plugins) versus creating
something new.

Very little of that out there nowadays.

It seems like a very conservative project.

It is good that we have this choice.

~~~
TorKlingberg
It feels a bit like SeaMonkey, repeated a decade later.

~~~
Paianni
At least SeaMonkey was somewhat well maintained for a while, for at least the
first eight years of its existence.

------
paxys
I don't see why I wouldn't use Firefox itself over a closed-source fork with
no visible advantages.

~~~
sanxiyn
Isn't this the source code?
[https://github.com/MrAlex94/Waterfox](https://github.com/MrAlex94/Waterfox)

~~~
paxys
It isn't linked from [https://www.waterfox.net](https://www.waterfox.net) at
all, so hard to say

~~~
sanxiyn
I mean, about page says Alex Kontos, MrAlex94 is Alex Kontos, so it almost
certainly is.

Not linking the source code is somewhat understandable because it is likely to
increase support burden without any increase in contribution.

~~~
couchand
I would say matching a repository based solely on a person's name is not a
great way to ensure you have the right code.

~~~
sanxiyn
Note that while website does not link to repository, repository does link to
website.

~~~
couchand
Well it would, wouldn't it?

------
dlbucci
Is this the same Waterfox that was a Firefox build for 64-bit Windows? Is it
moving towards privacy now that Firefox is 64-bit on Windows, or do the
projects just share (an obvious) name?

~~~
jusob
Same project. It kept the old extension API from Firefox, this is why I use
it.

------
theandrewbailey
Nice to know this project is still going.

I used Waterfox about 8 years ago, since standard Firefox didn't provide
64-bit Windows releases. After about a year, I got frustrated that it was
skipping every other release, so I went back to standard Firefox. Between
using NoScript (blocking most scripts), and benchmarks showing 64-bit wasn't
much (if any) faster, I didn't notice standard Firefox being slow.

------
dallbee
This has been around for a while. I used it as my primary driver several years
ago, back when its main feature was that it had 64-bit support. After Firefox
implemented a 64-bit build, I sort of just assumed waterfox would die off.
Neat to see they've kept around and changed focus.

------
kbumsik
> They should be used responsibly, but Waterfox still supports the use of Java
> and Silverlight plugins, as well as any other 64-Bit NPAPI plugins.

Are Java and NPAPI still a thing? I have never come across such plugins
lately.

~~~
MrAlex94
Java NPAPI is still maintained AFAIK, but not sure for how much longer.

And a few of my friends say that they have Waterfox deployed company wide
because of NPAPI support, which means they don't have to still use an
outdated browser which is cool!

------
guilhas
I think it is visibly faster. And there are still some nice classical addons
that you can install using the addon archive. Together with the newer addons.

------
cbsks
Why does it need to send your OS and browser version to check for updates?
Couldn't it just look up whatever the latest versions are?

~~~
sanxiyn
Well, I guess you can _check_ for update without disclosing OS, but since
binaries differ between OS you need to disclose OS to actually download the
update.

Browser version is not necessary, but sending browser version allows serving
smaller binary diff instead of full binary, which Firefox actually does.

~~~
itslennysfault
No way! Just download the binary for every OS then only install the one for
your OS and delete the rest (/s)

------
barnaclejive
Dumb question maybe, but regardless of the browser you use, isn't your ISP
able to collect a ton of data either way just based on the network traffic?
How happy should I really be that the browser vendor (Watermark or any other
browser) itself might not also be doing it also?

------
RyanShook
Are there any similar projects in the Chromium world?

~~~
paxys
[https://github.com/Eloston/ungoogled-chromium](https://github.com/Eloston/ungoogled-chromium)

~~~
keyle
Not sure why you got downvoted, this project answers the question exactly.
People downvote nowadays without giving any information as to why the post is
bad. When it's sarcasm, I get it, but when it's an actual answer...

------
bjnord
Can Airfox and Earthfox be far behind?

------
terrycody
waterfox, LOL hahahahahahahahahahahaahahahahahahaha, lovely name!

