Hacker News
Firefox bullshit removal (gist.github.com)
243 points by tobiasrenger 11 months ago | 171 comments

This gist misleads in a few ways by being so vague and seems to be more about disabling every somewhat useful feature that sounds bad for tinfoil hat enthusiasts. Still has useful things, like disabling Pocket if you don’t want it and forcing newer TLS versions. Others are silly (disabling things that already ask for your permission, like location), dangerous (disabling Google Safe Browsing), or already exposed in the settings UI anyway (DNT, tracking protection, telemetry). To each their own, use these if you think they’re important to you, but for most people it’s fear-mongering about nothing and enabling a few things in the privacy settings page is sufficient.
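The triage this comment describes (dangerous, useful, silly, already in the settings UI) can be run mechanically over a `user.js` before adopting it. The sketch below is an added example, not part of the thread or the gist: the pref names are real Firefox prefs, but the sample file is constructed and the bucket assigned to each pref is this example's reading of the comment.

```python
import re

# One user_pref("name", value); statement, as written in user.js or prefs.js.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# pref name -> (condition on the value, bucket, note).
# Buckets follow the comment above; the mapping itself is an assumption.
RULES = {
    "browser.safebrowsing.malware.enabled":
        (lambda v: v is False, "dangerous", "Safe Browsing malware checks off"),
    "browser.safebrowsing.phishing.enabled":
        (lambda v: v is False, "dangerous", "Safe Browsing phishing checks off"),
    # 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3
    "security.tls.version.min":
        (lambda v: type(v) is int and v >= 3, "useful", "TLS 1.2+ enforced"),
    "extensions.pocket.enabled":
        (lambda v: v is False, "useful", "Pocket disabled"),
    "geo.enabled":
        (lambda v: v is False, "silly", "location already needs a permission prompt"),
    "privacy.donottrackheader.enabled":
        (lambda v: v is True, "settings-ui", "DNT is a checkbox in preferences"),
    "privacy.trackingprotection.enabled":
        (lambda v: v is True, "settings-ui", "tracking protection is in preferences"),
    "toolkit.telemetry.enabled":
        (lambda v: v is False, "settings-ui", "telemetry is a checkbox in preferences"),
}


def parse_prefs(text):
    """Return {pref_name: value}; booleans, integers and strings are decoded."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments (including commented-out prefs) and blank lines
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs


def triage(text):
    """Return [(bucket, pref, note)] in file order for every pref a rule matches."""
    findings = []
    for name, value in parse_prefs(text).items():
        rule = RULES.get(name)
        if rule and rule[0](value):
            findings.append((rule[1], name, rule[2]))
    return findings


# Constructed sample, in the style of a hardening user.js.
SAMPLE_USER_JS = """\
// constructed sample
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("security.tls.version.min", 3);
user_pref("extensions.pocket.enabled", false);
user_pref("geo.enabled", false);
user_pref("toolkit.telemetry.enabled", false);
// user_pref("privacy.donottrackheader.enabled", true);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    for bucket, name, note in triage(SAMPLE_USER_JS):
        print(f"{bucket:12} {name}: {note}")
```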

> for most people it’s fear-mongering about nothing

To be fair, a core argument in favor of Firefox is essentially fear-mongering about google and your personal data. It always struck me as odd that actions many people would call "shady" if google does it are condoned in FF because Mozilla.

Mozilla is not the largest advertising company on Earth whose core business is profiling people to package and sell them.

>whose core business is profiling people to package and sell them

Do you have any proof of this statement?

Google is an advertising company. It doesn't make any sense that they would sell your information to other advertising companies.

Not only does that violate their privacy policy, but it makes no business sense, either.

I think maybe you misunderstood the point here. I agree Google is probably not directly selling your information it gathers to other people but instead is selling access to that information in the form of directed advertising.

Google's in the business of knowing EVERYTHING they can about you, so they can better sell "you" to their customers (advertisers). You are not a customer of Google, you are their product. Nestle, Exxon, Ford, etc. are the customers of Google.

That doesn't make a whole lot of sense to me. Google's data is a part of their offering, but that doesn't somehow make me as a person a "product".

Their products are AdWords and AdSense. These services network customers together who want to 1. make money from ads, and 2. advertise themselves.

Google mediates this exchange between both parties, and uses data from users to target their ads more accurately.

Calling the user a product is rather hyperbolic. The only interaction with a user is in choosing which ad to serve, and recording if they view or click the ad.

It's not slavery after all.

Maybe it is a bit hyperbolic, but their products are based almost entirely on the information they gather about you specifically (and everyone else they can).

Like you said "uses data from users to target their ads more accurately". Exactly.

But when you say the only interaction with a user is in choosing which ad to serve, that is misleading, at best. You can't currently say to Google, I want this ad to be displayed to John Smith @ 1818 Mockingbird lane. But you can buy ads saying this age group, in this city, interested in X and Y subject(s), which if you happen to also know about John Smith, will definitely reach him specifically (assuming John Smith sees a Google-delivered ad, which is almost a certainty).

As a complete outsider to this conversation who has gotten caught up in the fearmongering mentioned, but who is too ignorant to really have strong opinions either way, thanks for having this conversation.

It's scary, being in the Too Much Information age. It feels so easy to be misled when it's hard to devote the time to properly understand complex topics like this.

I don't know if I feel any more confident in my browser choice (or anything else related to cybersecurity), but... thanks, still? Acknowledging how little I can know about any one thing feels so destabilizing... hoorah for existential crises?

Well, thank you for being willing to be vulnerable.

Personally I do still believe privacy is very important. I often take up the devil's advocate position on Hacker News because there is a lot of groupthink on this site. The issues are rarely black and white, and almost never come down to "X is evil".

My advice is to stay aware of the issues, but don't get consumed by them. In almost all cases a site's privacy policy will tell you exactly what they collect, and you always maintain the power to block that at the browser level if you want to.

eg. I use an adblocker to remove social media widgets. I find them clutter and I don't care for the tracking. Otherwise though my settings are pretty light.

I hope you find your happy medium.

No it’s just beholden to one or another of them.

> windlep 0 minutes ago [-] I was under the impression the search deals are merely which engine are the default. How does having the default search be Google make the Mozilla corp beholden to Google?

Well, when someone pays your paycheck, that makes you beholden to them. Unless you don't want another paycheck.

PS I didn't downvote you.

The person that pays my paycheck tells me what to do. The only thing Mozilla was told to do in the contract with Google is to have them as the default search engine.

Besides the search engine requirement per contract, how is Mozilla's product beholden to Google?

I'm somewhat surprised that was downvoted, as I thought people knew how these contracts were arranged and what they included. They're about the default search engine placement, that's it. Google obviously doesn't get to provide input/requirements into Mozilla product design, marketing, etc.

I was under the impression the search deals are merely which engine are the default. How does having the default search be Google make the Mozilla corp beholden to Google?

If Google is paying what Yahoo was, it's $300 million a year for the default search option on Firefox. Google pays Apple billions to stay the default on the iPhone as well.

Ok, so that makes Mozilla beholden to them how exactly? Is Google calling up Mozilla asking them to do them favors in the product? Are Mozilla engineers being asked to write in special features that Google asks for?

Yes, Google provides 90% of the revenue or somewhere around there. But I still haven't heard how exactly Mozilla is doing special favors to Google or is in some way beholden to it.

Mozilla has a contract with Google to be the default search provider for a set period of years. I have never heard of anything else being in there that allows Google to make any product requests on Mozilla.

How come no one wants to say how exactly Mozilla is doing what Google wants?

Mozilla’s bizarre stance on H264 coincidentally favored Google’s position. Mozilla’s anti-ad-tracking stuff was all switched off by default. They make their money from ads meaning their incentives parallel those of ad networks.

All ad supported products have bad incentives. It’s the same reason HBO and Netflix produce great TV shows and ad based broadcast and cable networks mainly produce garbage.

So if Google stopped paying Apple, what would they do? Switch to Bing? I'm sure their users would love that </s>

Given that Apple had been using Bing for search from 2014-2017, I'm not sure users actually care that much.


That article is about Siri web search.

Search engines pay for 80% of Mozilla's cheques, so search engines have 80% control over Mozilla's income, which is a bit iffy, especially for something meant to be community controlled and directed (non-profit open source, right?)

What I don’t understand is why are there no paid browsers? I’d pay $xx(x?) for a browser where I’m the customer, not the product. Every open-source browser is either awful and outdated, or is beholden to outside interests, or internal monetization strategy.

If the search engine is unhappy, they will pay less money to be the default.

Then another search engine will happily take that browser's market share.

Maybe for less money, then your colleagues will get fired and your salary will be cut etc.

Whenever your earnings depend on someone giving you money, whether it's through advertising or a grant, it's quite normal and common you'll be very careful not to upset them. At least you'll think twice before doing so.

Which search engine might that be? Last time I looked, Google operated a de facto monopoly.

What is their core business then?

Alphabet/Google has significantly more power than Mozilla.

> dangerous (disabling Google Safe Browsing)

Dangerous is a strong word here. Yes, this feature does make browsing the web safer, but I would stop short of inverting that statement to mean that disabling it makes the web dangerous. It primarily protects you from sites engaging in social engineering of some kind: these can admittedly be extremely sophisticated, to the point of fooling most very technical people, but generally speaking it's still mostly avoidable with some care.

I would recommend most people having a safe browsing feature enabled, but I wouldn't fear-monger those disabling it either.

It's also worth mentioning that Mozilla provide their own service here -- Shavar -- so one needn't use Goog

Location is pretty useless. It is based on what address your ISP has in most cases.

On the contrary. Maybe if you're on a hardwired desktop, but for everything else it is incredibly accurate. You don't even need to have GPS in your device -- WiFi is plenty.

Try it: https://whereamirightnow.com/ It puts my laptop exactly where I am.

I'm on a desktop with no wi-fi card and it's within a stone's throw, how the hell...

> It puts my laptop exactly where I am.

Did you allow permission for location? Because if you did, it kind of defeats the purpose of showing that disabling this permission helps obscure your location to websites. On my desktop, it asked for permission, and when denied it threw up its hands and said that it had no idea where I was.

Yes, of course because the comment I was replying to was about location being worthless in general.

Wired, it gives me a location 3 miles away from my house.

Smartphone, it wants to use GPS. That's kind of cheating, isn't it?

> Smartphone, it wants to use GPS. That's kind of cheating, isn't it?

It is, but it also shows just how much information people could leak if they casually dismiss any permissions prompting with "allow" (or even worse, have such permissions be granted by default.)

Which makes the removal of the location feature (or the default off) all the better.

The OP said wifi w/o GPS. Give that a shot maybe?

Yeah, I tried that, but the mobile version of website refuses to proceed without GPS.

You can get an addon to set your location manually if, like most non-mobile devices, there is no actual GPS.

I use this so that I get actually accurate results.

"These are used by Mozilla to spy on you, and are as such a significant risk to privacy."

Wow, that's a big claim. Any proof that the data collected is not anonymous? It sounds a lot like fear-mongering.


Companies should be transparent about the data they collect and how they anonymize it – and it should be easy to disable if you need serious privacy, as it is possible that some resourceful actor could de-anonymize the information somehow. But this kind of data is not necessarily harmful.

People disabling telemetry will often be the same ones complaining about "poorly written applications and company X should know better". Well they don't because you disabled telemetry, now the company or organization has no data to improve anything, be it performance, crashes or even UI. Bug reports are not enough.

> People disabling telemetry will often be the same ones complaining about "poorly written applications and company X should know better". Well they don't because you disabled telemetry, now the company or organization has no data to improve anything, be it performance, crashes or even UI. Bug reports are not enough.

This is the sort of argument that gets thrown around often, and I disagree completely --- data collection should always be opt-in, not opt-out. Normalising the invasion of privacy and subverting the default expectation thereof is harmful to individual freedom.

Respect the users: let them tell you what they want, when they want, and how they want. Don't paternalistically monitor them or tell them what they should/"really" want.

> Respect the users: let them tell you what they want, when they want, and how they want.

To expand on this a bit, the past several years advertisers and attention brokers have focused on the difference between stated preferences and observed behavior, optimizing for the latter. Unfortunately it seems optimizing for observed behavior amplifies the worst of our base instincts, so even if it improves the bottom line in the short term, we are degrading our civilization in the process.

It's possible a similar discrepancy between behavior and intention exists in UI telemetry. Ask people what they want when at their best, don't optimize for measurements of them at their worst.

Firefox is not transparent enough? Their privacy policy is pretty straightforward and there's a ton more technical details on the wiki.

Yet organizations went decades making fantastic and ever-improving software without telemetry. What changed? Why would telemetry suddenly become a basic requirement for improvement?

I don’t know — my Pentium used to run software that crashed constantly, corrupted files, and was in hindsight horrendously insecure. I don’t think there’s ever been a time where software quality was magically excellent?

Software is generally a lot more complex these days, and telemetry data is needed to stay competitive and keep improving.

Using Firefox as an example, look at how many improvements they have made over the last 5 years. I'm not here to argue whether we need these features or if Firefox 2 was the last version of Firefox that we needed. Firefox (or Chrome, or whatever) wouldn't look as great as it does today without lots of data.

> Software is generally a lot more complex these days, and telemetry data is needed to stay competitive and keep improving.

If violating users' privacy is your way to stay competitive, then that's your personal problem. You have no right to spy on everyone just because you have problems staying relevant.

On the other hand Mozilla has frequently quoted telemetry as the reason for removing niche or power-user features, for example Tab Groups and Themes. "Low usage" in both cases.

So telemetry doesn't always improve the user experience.

Power users disable telemetry.



I have worked on products and have made changes based on data I got on how users were using them.

Telemetry doesn't replace user feedback or interviews, but it really does help.

I don't believe your personal convenience trumps everyone's right to privacy.

A crash log doesn't violate your privacy, nor does usage statistics when properly anonymized.

Sometimes telemetry is just telemetry.

> A crash log doesn't violate your privacy

Says who?

If that's the case then ask the user to email you the log. Instead, we get covert eavesdropping.

Properly anonymised doesn't exist. Every mechanism has been broken.

Some of us are assholes though and don't really care about helping you out with making money. No offense intended.

That's just stupid. Obviously the product has some value for you or you wouldn't be using it, and telemetry is a practically zero effort way for you to help improve it.

Note, when we're talking about telemetry we're not talking about tracking your time on a site to show you ads, we're talking about tracking bugs you encounter so they can be fixed.

Sure. Over 1 million deaths a year. Cars are a great idea.

Just because it's not obvious to the user, doesn't mean it's not going towards bug fixes and other improvements.

> Well they don't because you disabled telemetry, now the company or organization has no data to improve anything


For a datum to be mathematically anonymous means that there is a proof that no function exists which maps instances of that datum to identities more reliably than a random guess.

A datum isn't anonymous unless proven otherwise. Today's "practically anonymous" is tomorrow's "deanonymized".

It's very hard to completely anonymize data... companies have so much data nowadays that they can de-anonymize it more easily.
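The point made in the two comments above, that fields which look harmless one at a time can single out a person once combined, can be measured before any data set is released. This is an added example, not part of the thread and not Mozilla's telemetry schema; the records and field names are constructed.

```python
from collections import Counter

# Constructed records: no names or IPs, only coarse environment fields.
RECORDS = [
    {"os": "Windows", "locale": "en-US", "screen": "1920x1080", "tz": "UTC-5"},
    {"os": "Windows", "locale": "en-US", "screen": "1920x1080", "tz": "UTC-8"},
    {"os": "Windows", "locale": "de-DE", "screen": "1920x1080", "tz": "UTC+1"},
    {"os": "Windows", "locale": "de-DE", "screen": "1366x768",  "tz": "UTC+1"},
    {"os": "Linux",   "locale": "en-US", "screen": "1366x768",  "tz": "UTC-5"},
    {"os": "Linux",   "locale": "de-DE", "screen": "2560x1440", "tz": "UTC+1"},
    {"os": "macOS",   "locale": "en-US", "screen": "2560x1440", "tz": "UTC-8"},
    {"os": "macOS",   "locale": "en-US", "screen": "2560x1440", "tz": "UTC-8"},
]
FIELDS = ["os", "locale", "screen", "tz"]


def anonymity_sets(records, fields):
    """Count how many records share each combination of the given fields."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Smallest anonymity set: every record hides among at least k records."""
    return min(anonymity_sets(records, fields).values())


def unique_fraction(records, fields):
    """Share of records whose field combination appears exactly once."""
    sets = anonymity_sets(records, fields)
    return sum(1 for n in sets.values() if n == 1) / len(records)


def uniqueness_curve(records, fields):
    """(fields used, k, unique fraction) as fields are added one by one."""
    curve = []
    for n in range(1, len(fields) + 1):
        prefix = fields[:n]
        curve.append((tuple(prefix),
                      k_anonymity(records, prefix),
                      unique_fraction(records, prefix)))
    return curve


def candidates(records, known):
    """Records consistent with attributes already known about one person."""
    return [r for r in records if all(r[f] == v for f, v in known.items())]


if __name__ == "__main__":
    for used, k, frac in uniqueness_curve(RECORDS, FIELDS):
        print(f"{'+'.join(used):22} k={k}  unique={frac:.0%}")
```

Each field alone leaves every record in a group of at least two; with all four fields, three quarters of the records are unique, so a release that passes a per-field check can still fail the combined one.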

You send them data. Now they have your IP. You don't know if it gets deleted.

AFAIK We throw IP addresses away pretty quickly after receiving a telemetry packet.

You can read about our data collection approval process here:


An IP address would be Category 4 - I think it is pretty much impossible to get approval for category 4.

I highly doubt we have any products out there that actually collect Category 4 data.

The problem hereby is that nobody can actually verify this. But this is true for all companies/servers you don't control.

Do your webservers really not have any logging? By default they all do.

I've accepted it as a given that if I interact with a website, it will know my IP, but "phoning home" is a slightly different matter.

Perhaps a little melodramatic of a statement by the gist author. But the point is these settings are insecure by default. Exploitable by Mozilla, and perhaps by third parties.

I would rather expect the one collecting the data to prove that they are anonymous. And MetaData anyway? In many countries they may be used without a court order. A false sense of security is the worst.

Especially when it is open source.

It's not on us to prove it's not anonymous. It's on Mozilla to prove it is.

I believe you can see the data that's being sent by typing about:telemetry in the address bar.

Or you can put a sniffer on the line, or read the source code, or read the code for the receiving end.

Or .. just talk to someone on the team and ask questions. Mozilla is incredibly open and transparent. Anyone can even join team/product meetings on video chat.

>…or read the source code…

Good idea:

Step #1: read modules/libpref/Preferences.cpp

Step #2: default all function calls to `PREF_SetBoolPref` for `kTelemetryPref` with args true to false; remove all `PREF_LockPref` calls with `kTelemetryPref`

Step #3: ./mach build

They should not be collecting data by default anyway.



    Disabled Encrypted Media Extensions (EME)
    Disabled Web Runtime (deprecated as of 2015)
    Removed Pocket
    Removed Telemetry
    Removed data collection
    Removed startup profiling
    Allow running of all 64-Bit NPAPI plugins
    Allow running of unsigned extensions
    Removal of Sponsored Tiles on New Tab Page
    Addition of Duplicate Tab option
    Locale selector in about:preferences > General

>Allow running of all 64-Bit NPAPI plugins
>Allow running of unsigned extensions

That doesn't sound very nice.

It's to "fix" Firefox's deprecation of XUL-based plugins[0].


Websockets? Really?

Even if they are an ugly hack on top of HTTP, they are too damn useful to be disabled.

Let's disable Javascript too while we are at it.

>Let's disable Javascript too while we are at it.

...as if much of HN's userbase doesn't already do that.

Indeed. I wonder how they can get anything done. (Other than posting on HN itself, that is)

Surprisingly well, from my own experience. It can even increase your productivity and decrease distractions: it blocks most ads, suppresses annoying "interactive" features, bans participation in most time-wasting sites (eg. Facebook) while still allowing browsing. And of course security.

For the very few domains I deem absolutely necessary, I can always whitelist them.

It sounds like the problem is you're spending your time on adversarial websites. Give JS to a skillful developer who shares your goals, and they'll use it to make the website better.

By the look of it that altruism died ten years ago.

Current sites load 20-100 external scripts, mostly in ads, analytics, and non essential content.

Not altruism (except occasionally), incentive alignment. Websites that don't otherwise profit from you are incentivized to be as you describe; websites that profit from your happiness (paid directly, funded for a purpose, a generosity, etc) aren't.

Actually I don't. I never had any account on FB for example, but once in a blue moon I get to visit a public FB page (like a recent blog post posted on HN recently), and having JS disabled let me browse it without worries.

How can a skillful JS developer make the site better for me when I want to avoid ANY extra features and distractions? My personal tastes tend to go not too far off this kind of design: http://bettermotherfuckingwebsite.com/

If this hypothetical developer is really sharing my goals then he'll use the <noscript> tag, and I'll be happy enough with HTML/CSS.

For text-heavy sites, which are the ones I use the most, JS adds nothing I want: tracking? 3rd-party ads? lazy-loading? comments via disqus? sharing to social media? Thanks, but not for me.

> How can a skillful JS developer make the site better for me when I want to avoid ANY extra features and distractions?

devdocs.io uses JS to make an essentially-static website much faster to load and navigate. HN lets you vote without reloading the page. Shopping carts. Webmail. Google Maps. Rich text editors. Navigating around Spotify while the music keeps playing. Feedback on forms without clearing or changing something. Keeping a table of contents in sync with what you're viewing. Keeping changing data correct, like feeds, whether a service is up, whether you're signed in. Chat. Video calls.

And areas not yet widespread. AMP's speed (which would be inoffensive, I think, if intra-site). Layouts more advanced than CSS can express, like a newspaper's or the positioning of plaques at museums. Even smarter data compression for repetitive content.

And areas we're just now getting the tech for, like 3D simulations and peer-to-peer networking.

> How can a skillful JS developer make the site better for me when I want to avoid ANY extra features and distractions?

I don't know if I qualify as a skillful JS developer, but I run a website displaying pictures that works correctly without Javascript.

However, Javascript makes this website way faster, smoother and easier on the connection by downloading only the moving parts when clicking on a link, carefully preserving history so back/next works as if this script did nothing. When Javascript is disabled, an ugly white flash appears when navigating between some pages and rendering is just slower, even though it remains decent (my code is minimalist anyway…)

When leaving the page of a picture to come back to the album it is in, scroll position is restored. This is impossible without Javascript. History Back button is not sufficient: you might have looked at 10 pictures before coming back to the album. Sure, you can still ask your browser to come back 10 pages ago, but this is less convenient than just clicking on a cross.

It also helps dimension images correctly, which I could not manage to do using pure CSS, unfortunately.

No Javascript tracker is present. You want Javascript enabled on this website because it helps using less resources and makes things easier to use. This is a 9 KB Javascript file that gets compressed to 3 KB and served using HTTP2 only once, so this is basically a null cost when considering how much a picture weighs (~ 100KB). And this is free software, for the sake of it.

But you cannot know this on random websites. Problem is, Javascript is not used like this in general. Unfortunately for websites like this one, disabling Javascript by default is still a reasonable thing to do.

Worse, visitors of this website that disable Javascript won't be aware of that, because things pretty much work as expected and I don't display a warning message.

I wonder how you all get anything done by not disabling it.

No script. If the page breaks, whitelist the primary domain.

For most non shady sites, this gives you a blazing fast site with near zero crap on it.

Pretty easily. Just temp whitelist if it's really needed (ie, a bank or government website). Otherwise close the tab and avoid the waste of time that 'web app' sites represent.

> Indeed. I wonder how they can get anything done. (Other than posting on HN itself, that is)

It's very straightforward. I allow javascript on the sites that I trust to run javascript - in a protected environment. There are tons of ways to do this.

I see how long others' computers take to render simple pages, and I just shake my head.

Well, 99% of the javascript/web is more about distraction, advertising and tracking than about getting anything done, and the other 1% is a small number of high-frequency sites that can be selectively white-listed.

Plus my bandwidth is a fraction of others and browser responsiveness shoots up...

I think you may have it arse-backwards when it comes to productivity...

/numbers pulled out of said backwards-arse.

With the exception of a couple of sites, I rarely turn on javascript.

(There are a few sites where the homepage will just show something like "turn javascript on to see this site"; I just take that as an invitation to leave the site and, if necessary, to search for an alternative.)

About the only thing I'm having difficulty with at the moment are TV listings: was able to see TV listings without javascript on zap2it until last week, but have not yet found an alternative. Anyone have any suggestions?

eBay, PayPal, and Amazon are useless without JavaScript, just off the top of my head.

Perhaps, but like the grandparent post said, one can find other online stores that don't require JavaScript.

Going beyond what the grandparent post said, JS is a big reason why websites are slow, insecure (from the user's perspective), and time-consuming. Amazon.com's site is ridiculously sluggish precisely because of needless JS. There's nothing about purchasing something online that legitimately needs JS to make that purchase work. You can search for stuff on Amazon without JS but (for all I know) purchasing doesn't work without JS because of implementation choices Amazon made. I'm not so convinced Amazon's prices are all that great, and buying locally is often a better deal for things I buy. The more I learn about how Amazon conducts business (see https://stallman.org/amazon.html for many reasons why) the more interested I am in avoiding them.

If you want to buy new or used books and you want to do business with Amazon, AbeBooks is owned by Amazon and AbeBooks works fully without JS.

I'm guessing there are other places to get items instead of using eBay.

I don't completely disable javascript but I use uMatrix... it seems like a good middle ground...

I used to use NoScript. It was a revelation to see how much junk just disappears when there's no javascript.

Now I find uMatrix better but the first rule I created was:

* * * block

Since that was the basic starting point for NoScript.

Then slowly build up your whitelist of sites to allow javascript as desired/needed.

>Let's disable Javascript too while we are at it.

Yes, let's do that.

I disable javascript and I miss out on a lot of the internet. I don't miss any of it though.

> Let's disable Javascript too while we are at it.

That happened a few years ago.

What plugins or techniques do you use to disable JavaScript while keeping the flexibility to whitelist some of the websites where JavaScript can be enabled?

i love “is blocker” for safari; it’s hugely configurable with regexes, allowing things on some domains only, allowing globally from some domains, blocking of canvas elements, XHR requests, frames, plenty more too!

When you use a thing like "is blocker", do you still need a separate ad blocker or is the JavaScript blocker sufficient to block ads as well?

sorry i didn’t see the reply... i meant “js blocker” and auto correct happened. i use ublock as well, because it picks up on regexes for things like piwik (you could have something like https://somesite.com/piwik.js allowed because you just unblock somesite.com, or ga hosted locally etc)

Does this add that to the preferences GUI again? That was one of the big features I was looking for.

Well, Meltdown proves the formerly-paranoid Javascript rejectors were actually insightful.

That they happened to be right? Yes. That they were insightful? Not so clear.

Would have not gotten the backlash it's getting if the author was a bit modest and titled the repo:

"How to get rid of FireFox features you don't need", or something like that.

Security is an important issue, but as someone who thinks WebRTC is the only missing piece of the puzzle that could help bring true decentralization to the Web, I think bashing on WebRTC just because of its security issue is short sighted. (Not to mention a couple other features mentioned on there)

But if you're so paranoid about security that you're going to disable WebSockets, I think web browser is not the only thing you need to worry about. There are ton more attack vectors and hackers can hack in no matter how you get rid of these "FireFox bullshit" to increase security. After all, most hacking nowadays is based on social engineering.

One thing I agree though is "Pocket Integration" IS a bullshit.

> "Pocket Integration" IS a bullshit

And it is still around. It has still not been made into a removable AND turned off by default component which is the least Firefox should have done if at all they can't live without shipping Firefox with it.

> I think bashing on WebRTC just because of its security issue is short sighted. (Not to mention a couple other features mentioned on there)

Well, the security concern is real. In other news, bashing on scammers because they scammed someone is short sighted?

> Would have not gotten the backlash it's getting if the author was a bit modest and titled the repo...

The anime avatar also adds to his credibility.

To this I would add:

This anti-feature means missing the target of a middle-click by a single pixel can leak the contents of your clipboard or load unexpected URLs. I don't understand why it's still on by default -- Mozilla has been willing to break peoples workflow for UI improvements many times before.

> middlemouse.contentLoadURL=false

This is the default in Firefox 57 and later. See https://bugzilla.mozilla.org/show_bug.cgi?id=366945

> I don't understand why it's still on by default

It's not.

I don’t understand, what does it do?

When set to true, lets you middle-mouse-paste into the content area to load the url in the PRIMARY selection. That way you don't have to worry about whether selecting the text in the URL bar so you can replace it with the URL will clobber PRIMARY.

Only relevant on X, where there is a PRIMARY, of course. See https://unix.stackexchange.com/a/139193 for a quick description of what PRIMARY is and how it differs from CLIPBOARD.

Seems to only apply to Linux, but basically it either pastes your clipboard content into any focused text field or tries to open the clipboard contents as a URL (and falls back to Google Search if that fails).

Fwiw, I wasn't a fan of the original integration of pocket into Firefox, but they are now completely owned by Mozilla: https://blog.mozilla.org/blog/2017/02/27/mozilla-acquires-po...

This explanation has never satisfied any of my concerns. I don't doubt Mozilla's motivations but the fact that they bought Pocket does not mean that the architecture is designed with my best interests in mind. I'd rather hear about what Mozilla is doing as the owner of Pocket to continue fighting for my best interests.

Does anybody know if it is possible to use Pocket with a custom server? So far I found only the ticket which tracks the open sourcing process of Pocket:


11 months old, not even assigned yet... looks like I should come back in 2038.

They've started releasing some of the code, I don't think it's at the point of a custom server yet.


Don't know anything about open-sourcing Pocket. As an (open-source) alternative you can self-host Wallabag[1]


> NOTE: Unfortunately this is somewhat out of date. The comments link to some resources that may be more up-to-date. Patches welcome.

I'm puzzled that he sees websockets as a privacy hazard. From what I understand, WS connections are CORS protected (though the model is slightly different than standard CORS for historical reasons) and were designed somewhat friendly to proxies. So what is the problem?

(Though browsers don't seem to honor proxy settings for WS in practice. I guess this could be corrected. Does anyone know the reasons for that?)

WebRTC is more understandable: Connection setup is different for each application, the connection itself is encrypted and browsers don't seem to offer any way to inspect or manage WebRTC flows.

It's sad that a technology which offers so many interesting applications is implemented in such a problematic way for privacy. This should really be improved.

(Warning: rant follows)

Generally, I think we should have a general discussion about the ability of inspecting the network traffic of your own machines. Current practice seems to be that this ability is sacrificed in favor of an "encryption-first" doctrine: Browser vendors are aggressively pushing HTTPS everywhere and it's almost a requirement that new network protocols have built-in encryption. There are still some escape hatches by installing custom root CAs, but programs are starting to circumvent that without much consequences (or even encouragement by OS vendors - e.g. on Android)

For example, right now it's impossible to inspect traffic from the Dropbox client on windows (short of patching the program) because the client ignores custom root CAs. Trying to inspect traffic from a smartphone is already pretty hopeless.

As traffic inspection would be a powerful tool in finding privacy leaks, we should lobby more for it.

You don't need to decrypt TLS to know where it's going. SNI leaks the domain in plaintext and if SNI isn't enabled you can just use the IP address.

Is there something like this for Chrome too?

BTW I wish I could just disable all features but those basic ones every website uses (and "data URIs" support please!!! I really want to disable it!) and enable them manually on per-domain basis (the way I do with scripts using NoScript and uMatrix).

With Chrome you face the inherent untrustworthiness of nonfree software. Chrome users always trust Google. No set of preference changes or add-ons makes Chrome safe from Google's power over your data or your computer. This strikes me as a fundamentally worse position for any Chrome user.

Websockets are used for nefarious purposes?

Websockets can be used for many things and are actually a sound tech idea but I don't know about a single website that would use them to do something I need (no, I don't use social networks, don't play online games and don't use web voip - these are the 3 major areas that can make use of them) so disabling them seems a good idea. In general: disable everything you don't use - this will most certainly increase your safety and disrupt a huge portion of mainstream malware and spyware functioning.

When I was using Windows I had a software firewall that would ask me about every app that is trying to access the Internet and let me choose if I want to block or allow it - I would only allow the web browser, the messenger and the SSH client and completely block everything else (DroidWall and XPrivacy let you do this on Android, LittleSnitch does this on Mac, I miss such a tool on desktop GNU/Linux a huge lot).

So is HTTP. Better disable that too.

I use them for nefarious purposes. But then I use everything for nefarious purposes.

Please remember to set the evil bit properly when you do.

> Websockets are used for nefarious purposes?

Websockets were created specifically to get clients to transfer data to the server at the request of the server and without the user specifically wanting to send it.

That's a rather odd way of describing Websockets. XMLHttpRequest fits your description equally well.

Websockets don't inherently allow anything that isn't possible with other technologies. What they do is make certain data transfer patterns more efficient by removing the need for polling, or for redundant HTTP requests.

I'd never heard of social media integration. That is true bullshit, and I wonder what the analog is in Chrome.

But what's wrong with DRM? DRM sucks, but I don't know why it's in someone's interest to not be able to watch Netflix in their browser.

Tip for Android users:

Fennec F-droid.

Firefox wants to be (a less evil) Chrome, which is great for the 90% but that leaves the rest of us scrambling. No I don't need my browser to support DRM in order to watch Netflix ffs...


It's not really clear to me how this differs from Firefox for Android. Removes some DRM? Anything else?

Having a separate privacy conscious fork of FF would be a better solution. They can easily work around such tweaks.

I use IceCat which is essentially that. It's based on the ESR releases though since it's hard for the few volunteers to keep up with Firefox's releases.

Try the Tor browser.

Why not just use TorBrowser if you are too concerned about those settings?


This isn't even in my about:config anymore. I'm pretty sure it was at some point. Did they remove the option to disable it for some reason?

It was removed in Firefox 41, once WebSocket had been shipping for a while. See https://bugzilla.mozilla.org/show_bug.cgi?id=1159792

The only reason the pref was there is that new features tend to have prefs to disable them. First because those are useful for enabling a feature for testing before it may be ready to be on by default, second in case there's a serious problem with the feature that requires it to be turned off in a hurry. But once a feature has been shipping and on by default for a while, prefs to disable it just end up being technical debt, and tend to get removed like any other technical debt when people get a chance.

It got the "pocket" name wrong. On my Firefox 57 it's


Very helpful. It definitely would be worth developing an addon that would apply these settings for you.

A utility that could do this across browsers as well as for the operating system would be a good startup idea.

Unplug your devices for maximum security.

In all seriousness it's not a bad list as a handy reference.

Interesting. Though at that point why wouldn't you just use Brave?

You think Brave does not send telemetry :-)

On iOS it links to Fabric and Crashlytics. Both of those did not pass Mozilla's strict data collection rules. I'd love to use them in our mobile products, but they collect too much data, too much personally identifiable data, and store all of that at a third party. (Owned by Google)

Better use a safe© solution:

  curl -sL https://www.mozilla.com | html2pdf | pdfviewer

Just kidding ;-)

That isn't too far from how Stallman browses the internet, I don't think. I know he does some weird, roundabout thing involving email (or used to, anyway).

Future HN Headline: On the exploitation of pdfviewer via html2pdf.

Brave are just a different kind of evil. They basically want to hijack advertising and tracking so that they get the money rather than google, but it’s the same crap.

Where did you get that idea? His stance on SSM aside, Brendan Eich is not a guy I typically associate with evil.

The whole raison d'être of Brave is to restore privacy to consumers of advertisements while being fair to publishers.

The codebase is all MPL2 on Github. Nothing stopping you or anyone forking it, yada yada.

Not sure if it is the case, but the original plan was for Brave to replace ads with its own: https://arstechnica.com/information-technology/2016/01/mozil...

That is only if publishers and users consent. Both get paid in that case, 70% to publisher, 15% to user. But it's not the private ad model we are trying first.

What we're most excited about are opt-in, user-private and -anonymous ads, long form and at low frequency, where you get 70% of the gross revenue.

In either case some brand principles:

1. We pay 70% to the ad "inventory owner" -- the person who is giving attention space up for the ad

2. We always pay the user as much as, or more than, we take. This aligns our interests.

3. We never keep user data on any servers, whitelist ads for a fee, let trackers through to target or attribute/confirm.

The grand-parent post here is just flat wrong. In no case do we track user data for profit -- we never did and never will. All data in clear stays on your device. We use a ZKP protocol over a VPN for anonymous settlements/confirmations. Our site details all this: https://brave.com/.

Sorry for the slow response. Thanks Brendan for clearing up my misconceptions.

Add-ons perhaps? Does Brave support those?

Yes, chromium extensions. We are curating, as we want to make sure they work correctly and aren't doing anything that goes against our privacy and security principles.

You forgot the last step, which is to respond to every link posted on Hacker News, regardless of what it's about, with a complaint about how the site doesn't function correctly with your unique browser config.

If websites were smart, they'd design their webpages to work with every unique browser. It's actually super easy to do.

It's just not as profitable to treat your users with respect, unfortunately.

bathwater.baby = false

I wrote something similar a while back, and it’s in a similar state of not-updated-ness


  > Your connection is not secure
  > SEC_ERROR_EXPIRED_CERTIFICATE (expired October 31, 2017)

Doesn't make me want to listen to any website claiming to "fix firefox" when they can't even bother to keep their SSL certs up to date.

I added an exception and read the page I received. A single author describes changes he made to his Firefox options from 29 onward. There is no plural "they", and, to my understanding, the information is not current.

Should this information become inaccessible because certs weren't paid for?

I think he's just pointing out the irony of someone purporting to aid the security-conscious having an expired cert on his own site. Unless this is really some meta-level social commentary on how people will trust a complete stranger's website despite an invalid cert because he seems like a nice guy.

> I think he's just pointing out the irony of someone purporting to aid the security-conscious having an expired cert on his own site.

This is exactly the point I was going after. It would be one thing if the cert had just expired but c'mon, October 31, 2017, really?

Cert expiration dates provide very little in the way of actual security. Normally it would mean that yes, your connection is secure, yes, everything matches, but you hadn't paid your protection money to the CA racket in a while.

In my case, it's because I haven't had the desire to go in and redo the nginx config on this machine. But sure, that makes the content wrong, or something.

> But sure, that makes the content wrong, or something.

If your own Nginx server cannot serve up a proper and protected session, why should I consider what you've written on the website? Actually how can I know that what I'm reading is what you wrote if the session is already compromised from the start?

> but you hadn't paid your protection money to the CA racket in a while.

Yes, you sometimes have to pay for that cert from a CA but that's not why certificates expire.

Besides, your CA is Let's Encrypt so this point is completely useless but it does make an easy excuse.

Enough with the drama please.

It is protected. Cert expiration has no impact on the safety of the connection whatsoever. LE uses the same encryption as the big guys, they just set the expiry date field to a lower number. Please explain how that meaningfully reduces security.

>Enough with the drama please.

Indeed. Petty sniping in an attempt to avoid engaging the content lowers the level of discourse substantially.

Why do a few pages of read-only text advice need a certificate that badly?

The wrong read-only text gets you arrested.
