To be fair, a core argument in favor of Firefox is essentially fear-mongering about Google and your personal data. It always struck me as odd that actions many people would call "shady" if Google does it are condoned in FF because Mozilla.
Do you have any proof of this statement?
Google is an advertising company. It doesn't make any sense that they would sell your information to other advertising companies.
Google's in the business of knowing EVERYTHING they can about you, so they can better sell "you" to their customers (advertisers). You are not a customer of Google, you are their product. Nestle, Exxon, Ford, etc. are the customers of Google.
Their products are AdWords and AdSense. These services network customers together who want to 1. make money from ads, and 2. advertise themselves.
Google mediates this exchange between both parties, and uses data from users to target their ads more accurately.
Calling the user a product is rather hyperbolic. The only interaction with a user is in choosing which ad to serve, and recording if they view or click the ad.
It's not slavery after all.
Like you said, "uses data from users to target their ads more accurately". Exactly.
But when you say the only interaction with a user is in choosing which ad to serve, that is misleading, at best. You can't currently say to Google, I want this ad to be displayed to John Smith @ 1818 Mockingbird lane. But you can buy ads saying this age group, in this city, interested in X and Y subject(s), which if you happen to also know about John Smith, will definitely reach him specifically (assuming John Smith sees a Google delivered Ad, which is almost a certainty).
It's scary, being in the Too Much Information age. It feels so easy to be misled when it's hard to devote the time to properly understand complex topics like this.
I don't know if I feel any more confident in my browser choice (or anything else related to cybersecurity), but... thanks, still? Acknowledging how little I can know about any one thing feels so destabilizing... hoorah for existential crises?
Personally I do still believe privacy is very important. I often take up the devil's advocate position on Hacker News because there is a lot of groupthink on this site. The issues are rarely black and white, and almost never come down to "X is evil".
eg. I use an adblocker to remove social media widgets. I find them clutter and I don't care for the tracking. Otherwise though my settings are pretty light.
I hope you find your happy medium.
Well, when someone pays your paycheck, that makes you beholden to them. Unless you don't want another paycheck.
PS I didn't downvote you.
Besides the search engine requirement per contract, how is Mozilla's product beholden to Google?
I'm somewhat surprised that was downvoted, as I thought people knew how these contracts were arranged and what they included. They're about the default search engine placement, that's it. Google obviously doesn't get to provide input/requirements into Mozilla product design, marketing, etc.
Yes, Google provides 90% of the revenue or somewhere around there. But I still haven't heard how exactly Mozilla is doing special favors to Google or is in some way beholden to it.
Mozilla has a contract with Google to be the default search provider for a set period of years. I have never heard of anything else being in there that allows Google to make any product requests on Mozilla.
How come no one wants to say how exactly Mozilla is doing what Google wants?
All ad supported products have bad incentives. It's the same reason HBO and Netflix produce great TV shows and ad based broadcast and cable networks mainly produce garbage.
Whenever your earnings depend on someone giving you money, whether it's through advertising or a grant, it's quite normal and common you'll be very careful not to upset them. At least you'll think twice before doing so.
Dangerous is a strong word here. Yes, this feature does make browsing the web safer, but I would stop short of inverting that statement to mean that disabling it makes the web dangerous. It primarily protects you from sites engaging in social engineering of some kind: these can admittedly be extremely sophisticated, to the point of fooling most very technical people, but generally speaking it's still mostly avoidable with some care.
I would recommend that most people have a safe browsing feature enabled, but I wouldn't fear-monger those disabling it either.
It's also worth mentioning that Mozilla provide their own service here -- Shavar -- so one needn't use Goog
Try it: https://whereamirightnow.com/ It puts my laptop exactly where I am.
Did you allow permission for location? Because if you did, it kind of defeats the purpose of showing that disabling this permission helps obscure your location to websites. On my desktop, it asked for permission, and when denied it threw up its hands and said that it had no idea where I was.
Smartphone, it wants to use GPS. That's kind of cheating, isn't it?
It is, but it also shows just how much information people could leak if they casually dismiss any permissions prompting with "allow" (or even worse, have such permissions be granted by default.)
I use this so that I get actually accurate results.
Wow, that's a big claim. Any proof that the data collected is not anonymous?
It sounds a lot like fear-mongering.
Companies should be transparent about the data they collect and how they anonymize it – and should be easily disabled if needed if you need serious privacy, as it is possible that some resourceful actor could de-anonymize the information somehow. But this kind of data is not necessarily harmful.
People disabling telemetry will often be the same ones complaining about "poorly written applications and company X should know better". Well they don't because you disabled telemetry, now the company or organization has no data to improve anything, be it performance, crashes or even UI. Bug reports are not enough.
This is the sort of argument that gets thrown around often, and I disagree completely --- data collection should always be opt-in, not opt-out. Normalising the invasion of privacy and subverting the default expectation thereof is harmful to individual freedom.
Respect the users: let them tell you what they want, when they want, and how they want. Don't paternalistically monitor them or tell them what they should/"really" want.
To expand on this a bit, the past several years advertisers and attention brokers have focused on the difference between stated preferences and observed behavior, optimizing for the latter. Unfortunately it seems optimizing for observed behavior amplifies the worst of our base instincts, so even if it improves the bottom line in the short term, we are degrading our civilization in the process.
It's possible a similar discrepancy between behavior and intention exists in UI telemetry. Ask people what they want when at their best, don't optimize for measurements of them at their worst.
Using Firefox as an example, look at how many improvements they have made over the last 5 years. I'm not here to argue whether we need these features or if Firefox 2 was the last version of Firefox that we needed. Firefox (or Chrome, or whatever) wouldn't look as great as it does today without lots of data.
If violating users' privacy is your way to stay competitive, then that's your personal problem. You have no right to spy on everyone just because you have problems staying relevant.
So telemetry doesn't always improve the user experience.
Telemetry doesn't replace user feedback or interviews, but it really does help.
Sometimes telemetry is just telemetry.
If that's the case then ask the user to email you the log. Instead, we get covert eavesdropping.
Note, when we're talking about telemetry we're not talking about tracking your time on a site to show you ads, we're talking about tracking bugs you encounter so they can be fixed.
A datum isn't anonymous unless proven otherwise. Today's "practically anonymous" is tomorrow's "deanonymized".
You can read about our data collection approval process here:
An IP address would be Category 4 - I think it is pretty much impossible to get approval for category 4.
I highly doubt we have any products out there that actually collect Category 4 data.
I've accepted it as a given that if I interact with a website, it will know my IP, but "phoning home" is a slightly different matter.
Or .. just talk to someone on the team and ask questions. Mozilla is incredibly open and transparent. Anyone can even join team/product meetings on video chat.
Step #1: read modules/libpref/Preferences.cpp
Step #2: default all function calls to `PREF_SetBoolPref`
for `kTelemetryPref` with args true to false; remove all
`PREF_LockPref` calls with kTelemetryPref
Step #3: ./mach build
Disabled Encrypted Media Extensions (EME)
Disabled Web Runtime (deprecated as of 2015)
Removed data collection
Removed startup profiling
Allow running of all 64-Bit NPAPI plugins
Allow running of unsigned extensions
Removal of Sponsored Tiles on New Tab Page
Addition of Duplicate Tab option
Locale selector in about:preferences > General
That doesn't sound very nice.
Even if they are an ugly hack on top of HTTP, they are too damn useful to be disabled.
...as if much of HN's userbase doesn't already do that.
For the very few domains I deem absolutely necessary, I can always whitelist them.
Current sites load 20-100 external scripts, mostly in ads, analytics, and non essential content.
How can a skillful JS developer make the site better for me when I want to avoid ANY extra features and distractions?
My personal tastes tend to go not too far off this kind of design:
If this hypothetical developer is really sharing my goals then he'll use the <noscript> tag, and I'll be happy enough with HTML/CSS.
For text-heavy sites, which are the ones I use the most, JS adds nothing I want: tracking? 3rd-party ads? lazy-loading? comments via disqus? sharing to social media? Thanks, but not for me.
devdocs.io uses JS to make an essentially-static website much faster to load and navigate. HN lets you vote without reloading the page. Shopping carts. Webmail. Google Maps. Rich text editors. Navigating around Spotify while the music keeps playing. Feedback on forms without clearing or changing something. Keeping a table of contents in sync with what you're viewing. Keeping changing data correct, like feeds, whether a service is up, whether you're signed in. Chat. Video calls.
And areas not yet widespread. AMP's speed (which would be inoffensive, I think, if intra-site). Layouts more advanced than CSS can express, like a newspaper's or the positioning of plaques at museums. Even smarter data compression for repetitive content.
And areas we're just now getting the tech for, like 3D simulations and peer-to-peer networking.
It also helps dimension images correctly, which I could not manage to do using pure CSS, unfortunately.
No script. If the page breaks, whitelist the primary domain.
For most non shady sites, this gives you a blazing fast site with near zero crap on it.
I see how long others' computers take to render simple pages, and I just shake my head.
Plus my bandwidth is a fraction of others and browser responsiveness shoots up...
I think you may have it arse-backwards when it comes to productivity...
/numbers pulled out of said backwards-arse.
Going beyond what the grandparent post said, JS is a big reason why websites are slow, insecure (from the user's perspective), and time-consuming. Amazon.com's site is ridiculously sluggish precisely because of needless JS. There's nothing about purchasing something online that legitimately needs JS to make that purchase work. You can search for stuff on Amazon without JS but (for all I know) purchasing doesn't work without JS because of implementation choices Amazon made. I'm not so convinced Amazon's prices are all that great, and buying locally is often a better deal for things I buy. The more I learn about how Amazon conducts business (see https://stallman.org/amazon.html for many reasons why) the more interested I am in avoiding them.
If you want to buy new or used books and you want to do business with Amazon, AbeBooks is owned by Amazon and AbeBooks works fully without JS.
I'm guessing there are other places to get items instead of using eBay.
Now I find uMatrix better but the first rule I created was:
* * * block
Since that was the basic starting point for NoScript.
Yes, let's do that.
That happened a few years ago.
"How to get rid of FireFox features you don't need", or something like that.
Security is an important issue, but as someone who thinks WebRTC is the only missing piece of the puzzle that could help bring true decentralization to the Web, I think bashing on WebRTC just because of its security issue is short sighted. (Not to mention a couple other features mentioned on there)
But if you're so paranoid about security that you're going to disable WebSockets, I think the web browser is not the only thing you need to worry about. There are a ton more attack vectors and hackers can hack in no matter how you get rid of these "FireFox bullshit" to increase security. After all, most hacking nowadays is based on social engineering.
One thing I agree with, though, is that "Pocket Integration" IS bullshit.
And it is still around. It has still not been made into a removable AND turned off by default component which is the least Firefox should have done if at all they can't live without shipping Firefox with it.
Well, the security concern is real. In other news, bashing on scammers because they scammed someone is short sighted?
The anime avatar also adds to his credibility.
This is the default in Firefox 57 and later. See https://bugzilla.mozilla.org/show_bug.cgi?id=366945
> I don't understand why it's still on by default
Only relevant on X, where there is a PRIMARY, of course. See https://unix.stackexchange.com/a/139193 for a quick description of what PRIMARY is and how it differs from CLIPBOARD.
11 months old, not even assigned yet... looks like I should come back in 2038.
(Though browsers don't seem to honor proxy settings for WS in practice. I guess this could be corrected. Does anyone know the reasons for that?)
WebRTC is more understandable: Connection setup is different for each application, the connection itself is encrypted and browsers don't seem to offer any way to inspect or manage WebRTC flows.
It's sad that a technology which offers so many interesting applications is implemented in such a problematic way for privacy. This should really be improved.
(Warning: rant follows)
Generally, I think we should have a general discussion about the ability of inspecting the network traffic of your own machines. Current practice seems to be that this ability is sacrificed in favor of an "encryption-first" doctrine: Browser vendors are aggressively pushing HTTPS everywhere and it's almost a requirement that new network protocols have built-in encryption. There are still some escape hatches by installing custom root CAs, but programs are starting to circumvent that without much consequence (or even encouragement by OS vendors - e.g. on Android).
For example, right now it's impossible to inspect traffic from the Dropbox client on Windows (short of patching the program) because the client ignores custom root CAs. Trying to inspect traffic from a smartphone is already pretty hopeless.
As traffic inspection would be a powerful tool in finding privacy leaks, we should lobby more for it.
BTW I wish I could just disable all features but those basic ones every website uses (and "data URIs" support please!!! I really want to disable it!) and enable them manually on a per-domain basis (the way I do with scripts using NoScript and uMatrix).
When I was using Windows I had a software firewall that would ask me about every app that is trying to access the Internet and let me choose if I want to block or allow it - I would only allow the web browser, the messenger and the SSH client and completely block everything else (DroidWall and XPrivacy let you do this on Android, LittleSnitch does this on Mac, I miss such a tool on desktop GNU/Linux a huge lot).
Websockets were created specifically to get clients to transfer data to the server at the request of the server and without the user specifically wanting to send it.
Websockets don't inherently allow anything that isn't possible with other technologies. What they do is make certain data transfer patterns more efficient by removing the need for polling, or for redundant HTTP requests.
But what's wrong with DRM? DRM sucks, but I don't know why it's in someone's interest to not be able to watch Netflix in their browser.
Firefox wants to be (a less evil) Chrome, which is great for the 90% but that leaves the rest of us scrambling. No I don't need my browser to support DRM in order to watch Netflix ffs...
This isn't even in my about:config anymore. I'm pretty sure it was at some point. Did they remove the option to disable it for some reason?
The only reason the pref was there is that new features tend to have prefs to disable them. First because those are useful for enabling a feature for testing before it may be ready to be on by default, second in case there's a serious problem with the feature that requires it to be turned off in a hurry. But once a feature has been shipping and on by default for a while, prefs to disable it just end up being technical debt, and tend to get removed like any other technical debt when people get a chance.
In all seriousness it's not a bad list as a handy reference.
On iOS it links to Fabric and Crashlytics. Both of those did not pass Mozilla's strict data collection rules. I'd love to use them in our mobile products, but they collect too much data, too much personally identifiable data, and store all of that at a third party. (Owned by Google)
curl -sL https://www.mozilla.com | html2pdf | pdfviewer
The whole raison d'être of Brave is to restore privacy to consumers of advertisements while being fair to publishers.
The codebase is all MPL2 on GitHub. Nothing stopping you or anyone forking it, yada yada.
What we're most excited about are opt-in, user-private and -anonymous ads, long form and at low frequency, where you get 70% of the gross revenue.
In either case some brand principles:
1. We pay 70% to the ad "inventory owner" -- the person who is giving attention space up for the ad
2. We always pay the user as much as, or more than, we take. This aligns our interests.
3. We never keep user data on any servers, whitelist ads for a fee, let trackers through to target or attribute/confirm.
The grand-parent post here is just flat wrong. In no case do we track user data for profit -- we never did and never will. All data in clear stays on your device. We use a ZKP protocol over a VPN for anonymous settlements/confirmations. Our site details all this: https://brave.com/.
It's just not as profitable to treat your users with respect, unfortunately.
> Your connection is not secure
> SEC_ERROR_EXPIRED_CERTIFICATE (expired October 31, 2017)
Should this information become inaccessible because certs weren't paid for?
This is exactly the point I was going after. It would be one thing if the cert had just expired but c'mon, October 31, 2017, really?
In my case, it's because I haven't had the desire to go in and redo the nginx config on this machine. But sure, that makes the content wrong, or something.
If your own Nginx server cannot serve up a proper and protected session, why should I consider what you've written on the website? Actually how can I know that what I'm reading is what you wrote if the session is already compromised from the start?
> but you hadn't paid your protection money to the CA racket in a while.
Yes, you sometimes have to pay for that cert from a CA but that's not why certificates expire.
Besides, your CA is Let's Encrypt so this point is completely useless but it does make an easy excuse.
Enough with the drama please.
>Enough with the drama please.
Indeed. Petty sniping in an attempt to avoid engaging the content lowers the level of discourse substantially.