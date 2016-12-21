But I personally would feel far more secure if there was a firefox-lite where no sensitive stuff (access camera, share screen) were included to start with. And I don't mean turned off by default, I want it removed at compile time.
Then you make a custom mozconfig file to disable or enable features, or to add your own extensions (ie: windows): https://developer.mozilla.org/en-US/docs/Mozilla/Developer_g...
ac_add_options --disable-activex
ac_add_options --disable-activex-scripting
ac_add_options --disable-installer
ac_add_options --disable-crashreporter
But I agree, I can't find any documentation what exactly every feature is and why you would not want to disable/enable them. The Chromium build process is much more straight forward, or you could just use 3rd party sandbox and regular release FF.
https://developer.mozilla.org/en-US/docs/Mozilla/Developer_g...
On Linux I clone the source and run "./mach build".
I have no use for WebRTC, so I would not install the addon/plugin. You may want it, so you would. When there was a problem with Mozilla's implementation, I wouldn't have to care, and neither would anyone else who didn't use or want it. Only those that chose to have the functionality would need to be concerned, and even then it could be updated without a full browser update.
So if your threat model includes targeted attacks, where an attacker might invest some (even a small) level of effort to find a 0-day vulnerability, I don't think I'd use it.
You can test it here: https://browserleaks.com/webrtc
I tried that test page with the mentioned setting 1) enabled and 2) disabled. I did not see my local IP on 1), I did get see it reported with 2) - so it seems the block works. NOTE: Whether uBlock Origin was enabled for the specific page did not matter, the WebRTC block setting seems to be global and independent of whether the extension blocks anything else on the site.
It has no information on CA, whenever it's first time you saw this exact certificate or not, whenever a "weak" or "strong" ciphers are used (and if PFS is enabled), etc - things one'd really want to see if they care about their connection encryption and authentication. It's all still available, but hidden after long sequence of button clicks. Heck, it would be useful to have client certificate and HTTP auth status there as well - it would actually make those nice things closer to being usable.
I really fail to understand why it can't be displayed in a sanely concise manner - and why things that were there before were removed. Surely there's a plenty of screen space and it's not like it would scare Joe Sixpack off to Chrome, or confuse anyone. Or analytics show it otherwise?
Feeling safe, and being safe are two different things.
Same goes for self signed (or expired) certificates and 'not secure' connections, they are not per definition 'not secure'.
Ironically, as far as "privacy-oriented browsers" go, Chrome has domain whitelisting of Cookies/JS/Plugins easily accessible from address bar and it works as expected.
https://blog.mozilla.org/futurereleases/2016/12/21/update-on...
The statement quoted in Slashdot is really unfair.
No. Reasons not aside. Reasons are very important.
If the guys had said, "We didn't bother with Firefox because they weren't willing to pay us as much as Google or Microsoft", okay. But they didn't. What they said was:
'We wanted to focus on the browsers that have made serious security improvements in the last year,' Brian Gorenc, manager of Vulnerability Research at HPE said."
And now Firefox looks weak by comparison.
https://wiki.mozilla.org/Security/Sandbox
I'm quite glad that Firefox implements sandboxing of its own.
