Firefox updates its iOS web browser to turn Tracking Protection on by default (techcrunch.com)
268 points by cpeterso 9 months ago | 69 comments

I don't get the point of 3rd party browsers on iOS when Apple doesn't allow vendors to use their own engines. I think Apple should be taken to court over that matter. Safari on iOS is the same as IE on Windows in the early noughts. If Apple could grant Uber privileged API access, I'm sure they can give Mozilla and Google the same permissions to build independent browsers on iOS.

The rendering engine is, to most non-geek users, the least important part of the browser. Third party browsers can do many things differently, including a different UI (say address bar at bottom), different interactions like gestures, different privacy enhancements (like the very article you're commenting on), different management of credentials and cookies, synchronization of open tabs and bookmarks with desktop browsers, feature addons like integrated RSS. Even among geeks who care about the implementation details there can still be differences in parts other than the rendering engine, such as the network stack (Chrome on iOS uses a different TLS stack for example).

> I think Apple should be taken to court over that matter. Safari on iOS is the same as IE on Windows in the early noughts.

The law you’re referring to is “using a monopoly in one area to gain an advantage in another.” Crucial word being: monopoly. iOS is not a monopoly in the mobile market. Windows had 300 000% of the market, iOS has around… 20% worldwide? Let’s be generous and double it to 40%: still a far cry from a monopoly.

> iOS is not a monopoly in the mobile market.

Whether iOS is a legal monopoly does not depend on market share in a common descriptive market segment, but instead in whether it in fact has market (pricing) power; that is, an antitrust market is in effect defined by where substitution actually occurs with price changes, not on how media/analysts describe markets based on product characteristics.

Very interesting. Although in this particular case: seems like it would still not qualify iOS as a monopoly?

Didn’t know this, though. It makes a lot of sense, in fact.

> Although in this particular case: seems like it would still not qualify iOS as a monopoly?

Maybe. Market / pricing power is not simple to assess, and I'm not sure if device / OS side or the application distribution side is most relevant to the browser bundling decision. I'd say it seems to me more likely that Apple has pricing power in the App Store than in iOS devices (it doesn't sell iOS as such, so that's probably not the thing to look at), and either device or app store market power, if it exists, could be leveraged against competing browsers with the policies restricting them.

IANAL, but: iOS is not a monopoly, but it has a dominant position, especially in US (over or close to 50% market share). For tablets their market share is even bigger than that. That should be enough to at least consider some actions, on some level, by someone. Google and Mozilla could sue, I guess? On the other hand, Apple making it a security issue could be a solid defense in court, maybe that's why no one bothers.

I think you're missing the point. As web apps get more and more powerful (and more difficult to distinguish from native apps), they become more of a serious challenge to Apple's cash cow of their App Store.

If you click on a web app and tip the creator $5 or buy the pro version unlock / etc, they don't get to siphon any of your money away from the content creator like they do on their App Store. THIS is why they block 3rd party browser engines (along with console / arcade emulators, Amazon / HumbleBundle app stores / etc). Anything that competes with their app store is bad.

If you don't like it, vote with your wallet and come on over to Android (like 8.8/10 phones sold today)!

If they would allow 3rd party engines, everyone would switch to Chrome and Safari would die because many sites wouldn't be adapted for Safari. And Apple likes to control their system, so they want Safari to stay relevant. Now iPhone has a large enough user base, so developers are forced to test their sites in Safari and it helps desktop Safari too.

It's so they can do exactly this sort of thing. Firefox has their own chrome wrapper on the engine, you can sign in with their sync account and it has inbuilt Pocket, tracking protection etc.

The problem was never IE having a monopoly on Windows. The problem was Windows having a monopoly on computers.

I use iCabMobile browser on iPad for several reasons. Easy Font size changing, zoom enabled for all sites, desktop user agent, I hate mobile version websites on iPad, especially Google search results and Wikipedia. Completely customizable UI for buttons such as Fontsize, nice full screen mode with floating buttons. It's a bit slower than Safari but worth the tradeoff. It amazes me that Safari desktop has Fontsize control but mobile (where you need it more) does not. I know there are hacks using bookmarked JS to get this but they are not as convenient as iCabMobile.

Apple doesn't even allow changing default browser on iOS.

Bookmark, password and history sync are super useful for me. The same as "send tab to <device>".

How does this compare to Safari's intelligent tracking protection that came out last year? That uses ML and sounds like it's considerably more sophisticated, allowing certain forms of desirable cross-site tracking and not relying on a centralized blocklist.[1]

[1] https://webkit.org/blog/7675/intelligent-tracking-prevention...

Firefox simply uses the Disconnect.me tracker list, and prevents connections to anything on it. It's basically a DNSBL.

I want to know how it compares to the EasyPrivacy list.

Took them long enough, glad they're becoming a bit braver (almost like Brave :p).

Any plans for desktop though...? After all, desktop seems to be the main platform for Mozilla.

The reason why Brave can be Brave, is because it can hide under Chrome. Webpage owners will build their webpages Chrome-compatible, which makes them Brave-compatible, so whether they make any money off of supporting Brave is unimportant.

Mozilla can't do the same with Firefox, because they don't have anything to hide under. They rely on webpage owners making money off of Firefox, otherwise they're not going to build/test against Firefox.

Mozilla can be Brave with Firefox for iOS, and with Firefox Focus as well, because there they don't use Gecko as layout engine, they hide underneath someone else's layout engine. (Apple forces other browsers to use WebKit on iOS; Firefox Focus for Android uses Android Webview because it keeps the binary small, which is important as it's sort of meant to be a secondary browser.)

So, they're most definitely not doing the same for desktop and Android Firefox. It would kill Firefox/Gecko in no time, if they did that. It wouldn't be brave, it'd be suicide.

Apple has, well, courage to enable some anti-tracking features by default in desktop Safari. But of course Mobile Safari is so ubiquitous they know sites must continue supporting their engine.

Desktop also has tracking protection by default in private browsing windows. See Preferences -> Privacy -> Tracking Protection to enable it everywhere.

Per the roadmap at https://wiki.mozilla.org/Firefox/Roadmap, we're explicitly working toward making Firefox more opinionated in 2018. Specifically, "Firefox will take a stand against tracking," will "filter certain types of ads by default," and will "block ad re-targeting."

on android ff is by far the best browser for usability especially tab management ... chrome is a decided non starter on that OS

Switching from default Chrome to Brave on Android has been the best thing I've ever done on my phone.

May have to check out how FF compares

Brave is great but until they include dark mode I'll stick with Chromium from F-droid.

I'm inclined to agree. It runs beautifully on my Nextbit Robin. My wife however has nothing but problems with it on her Google Pixel.

They might just be looking for some way to differentiate themselves on iOS given Apple's policy of not allowing 3rd party rendering engines.

It looks like they want to turn this on incrementally. First private browsing, now this.

It gives web developers time to notice issues with their websites/webapps and fix/report them.

I would very much love it if Privacy Badger were included by default in browsers (or at least something with similar functionality).

Is there any reason for using Firefox on iOS as opposed to Safari? I'm guessing sync'ing history and stuff with the desktop version; but apart from that?

Tab sync, better UI (especially on iPad), better private mode (e.g. blanks out the screen when switching apps), honestly just the warm fuzzy feeling of having Firefox.

Without a different rendering engine or plugins(Android version has both), the only reason I can think of is to sync history and passwords.

I use Safari on desktop because it syncs that stuff so well with iOS. (And it’s much better for battery life than Chrome)

To sync history and bookmarks with desktop. Safari could do that too, but I’m not always in the Mac ecosystem.

Firefox on Android has plugins (such as uBlock). I assume it's the same on iOS.

Firefox on iOS doesn't even exist really, it's a lie. It's a Firefox front-end to Safari designed just to look a certain way and sync settings and bookmarks. Apple won't allow anything more, it's not Mozilla's fault.

Is the only thing that defines a browser its underlying rendering engine?

I hope that there are other things that make a product unique. Like features or defaults or what it looks like.

okay it's probably fair to say "it's not a lie" but it's definitely not what I expected (a full build of Firefox for iOS).

I wonder if it'll eventually be possible to compile Firefox to WASM and then run it on iOS Safari...dawg...

It does not; Apple does not allow code execution outside of its app store.

Apple allows limited code execution. You can build cordova application and download new JavaScript code as an update. That's fine from Apple's PoV. They don't allow arbitrary machine code execution, like someone getting into AppStore and then downloading and executing malicious code calling private API. But if your code is run with JavaScript engine, it's fine.

Now I don't know about possibility of implementing browser plugins. I guess that it should be possible, but API would be different from other platforms.

iOS has built in content blocking that works with Safari and the newest embedded web view - meaning that you get the same ad blocking in apps like Feedly.

Unfortunately that is not true. The native content blockers that you can install for Safari will only work in Safari.

Apps like Feedly, or Firefox, will have to do additional work to include _their own_ content blocking.

There are multiple ways to embed a webview in an app. The SFSafariViewController is an out of process webview that you can embed in your app. It can share cookies with Safari and it will use whatever content blocker you have installed. The hosting app doesn't have any access to the cookies or any information you type in. Feedly uses this web view. https://stackoverflow.com/questions/32681511/deactive-ios-9-...

Firefox doesn't use SFSafariViewController. It uses the WKWebView (?). The WKWebView gives the hosting app a lot more control over the webview and whatever you do in the webview is accessible to the hosting app. Cookies, bookmarks, etc. are not available to the hosting app.

Ah yes I see now that Feedly has an "Open Webpage Directly" option. I've never used that before since I prefer the Feedly rendered version.

I know what Firefox for iOS uses.

This is excellent news; defaults make a big statement. I’ve been using Firefox Focus on iOS as my daily browser for a few months and it's been great.

Are there any consumer-centric arguments against this being the default, or is this generally considered to be good for users?

I've heard the argument against setting the DNT field by default (https://en.wikipedia.org/wiki/Do_Not_Track#Internet_Explorer...) so I'm wondering if there are any similar arguments in this case. Presumably Tracking Protection doesn't rely on the honor system, but might being a default spurn the development of countermeasures to circumvent it?

One consumer centric argument that I've heard is that some people like targeted ads.

Would be interesting to see how many people would opt in to see retargeted ads though.

There are websites that break or don't work as expected with an AdBlock plugin. We had to redesign the section of our site that talked about advertising because various AdBlock plugins blocked chunks of the page or disabled the javascript for the contact form. This was very confusing to users even though they presumably made a choice to install an ad blocking plugin.

The specifics of how Firefox has implemented this feature are fairly conservative so that's less likely, but I think you need to be really careful about blocking certain lists of domains by default.

> Are there any consumer-centric arguments against this being the default

You can use the same arguments that support the census. Corporations need good data to know where to invest.

> might being a default spurn the development of countermeasures to circumvent it?

Certainly. This is an endless arms race.

eh, not compelling enough for me. Is there any evaluation of these kinds of blockers? 1Blocker with Safari seems quite good, and does ad blocking as well.

What’s the difference between this and browsing using Safari with “Prevent Cross-Site Tracking” turned on?

The default setting, because 95% of the world will never change it. If Safari and Chrome and Android followed suit, the ripple effect would change a lot of things on the web. I'm not sure what the final result would be ... greedy people get to innovate too.

As I understand things, Prevent Cross Site Tracking allows all requests, but blocks all third-party cookies. This allows cookies on requests it makes, but blocks requests that match a commonly-used blacklist.
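The two policies contrasted in the comment above, modelled side by side as an added example (not part of the thread and not any browser's actual code). The blocklist entries, URLs and function names are constructed; "same site" is approximated by the last two host labels rather than the Public Suffix List, and the blocklist is assumed to apply to third-party subresource requests only.

```javascript
// Constructed sample entries; NOT the real Disconnect.me list.
const BLOCKLIST = new Set(["tracker.example", "ads.example.net"]);

// Lower-case the host and drop a trailing dot so "Tracker.Example." still matches.
function normalize(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// A host is listed if it equals a listed domain or is a subdomain of one.
// Matching is on label boundaries, so "nottracker.example" is not a hit.
function onBlocklist(host) {
  const labels = normalize(host).split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (BLOCKLIST.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Simplification (assumption): the "site" is the last two labels.
function site(host) {
  return normalize(host).split(".").slice(-2).join(".");
}

function isThirdParty(pageUrl, reqUrl) {
  return site(new URL(pageUrl).hostname) !== site(new URL(reqUrl).hostname);
}

// Policy A: blocklist. A listed third-party request is never sent at all.
function blocklistPolicy(pageUrl, reqUrl) {
  const blocked =
    isThirdParty(pageUrl, reqUrl) && onBlocklist(new URL(reqUrl).hostname);
  return { sent: !blocked, cookies: !blocked };
}

// Policy B: third-party cookie blocking. Every request is sent,
// but third-party requests go out without cookies.
function cookiePolicy(pageUrl, reqUrl) {
  return { sent: true, cookies: !isThirdParty(pageUrl, reqUrl) };
}

// Run both policies over a list of subresource requests made by one page.
function compare(pageUrl, requests) {
  return requests.map((url) => ({
    url,
    blocklist: blocklistPolicy(pageUrl, url),
    cookieBlock: cookiePolicy(pageUrl, url),
  }));
}

// Constructed page load for illustration.
const PAGE = "https://news.example.org/story";
const REQUESTS = [
  "https://static.example.org/app.js",       // first party
  "https://cdn.tracker.example/pixel.gif",   // third party, listed (subdomain)
  "https://fonts.unlisted.example/f.woff",   // third party, not listed
  "https://nottracker.example/lib.js",       // look-alike, not listed
];

for (const row of compare(PAGE, REQUESTS)) {
  console.log(row.url, "blocklist:", row.blocklist, "cookieBlock:", row.cookieBlock);
}
```

The unlisted third-party rows show the practical gap: the blocklist lets them through with cookies, while cookie blocking still lets the listed tracker see the request itself.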

Can't tracking just move to the servers if it becomes too hard on the clients?

(pure speculation follows, I do not work in the ad industry)

Let's say I run a website, let's say youtube.com or whatever.

I want to serve ads. I have to go to a marketplace like double click where advertisers bid for ads. In an ideal world, the client web browser will never talk to double click. When I serve a website, I will also serve the advertising myself from my own web servers using just html and css (no javascript). We can do a lot of flashy things using css animations so it shouldn't be a problem. If I really want my users to go away, maybe I can even serve video ads. I will simply get the ads from the marketplace and tell them I served an ad. However, reality is not that simple. If they let me do that, then I will have strong incentives to just lie. I probably won't do it for a while but after a bit the temptation to lie just becomes too great. Of course, I had twenty trillion page views yesterday. Why not? I am not saying youtube.com lies (and it would be trivial for Google to check if they did because they own YouTube). I am confident Google is probably the most upstanding member of the prominent players in the ad game. However, how can an advertiser trust some random website? I don't think advertisers will trust them.

I think we can get rid of a lot of problems in advertising by simply prohibiting any kind of javascript in advertisements. I don't know how though. https://static.doubleclick.net/instream/ad_status.js for example take a look at a more benign website https://i.imgur.com/KS3gjMV.png and compare it to this website https://news.ycombinator.com what if we could get rid of all the calls to third party servers?


This is a nonstarter because it doesn’t solve the media measurement problem.

Everyone in the advertising value chain has a financial incentive to run their own metrics. Nobody trusts anyone else’s metrics; and publishers will overstate viewership and advertisers will understate impressions. Nobody can even agree on a standard set of metrics for measuring the success of an ad.

That’s why all sorts of JavaScript tracking and analytics get included in online media properties. It’s called the “measurement problem” and it is far from a new problem in media. It’s one of those rare situations where incentives are so opposed that both parties have no reason to pretend they’re not screwing the other.

Edit: also, every decently large publisher will have its own ad standards as to what you can and cannot include, sizing, etc. usually you just work with an ad buyer and a creative firm to identify publishers to target, what keywords to aim for and design the ads for the format at each publisher. And most serious publishers will only serve ads hosted directly on their servers or a set of approved CDNs/DSPs.

Edit2: also there are mature formats for this stuff already like VAST, etc. they all include JavaScript and flash.

> And most serious publishers will only serve ads hosted directly on their servers or a set of approved CDNs/DSPs.

If the ads are hosted on my own servers, all is good.

I don't know YouTube or how its leadership thinks about these things but if I were in charge, I would go bankrupt before I allowed WPP to insert their arbitrary code on YouTube website and apps.

Point is that we have to put our foot on the ground and tell advertisers that they have to trust us. If that means publishers get paid less per "impression", I would be ok with it. This just seems like common sense to me because advertisers had to simply trust publishers when it came to print journalism. I think we need something to level the playing field so advertisers cannot compel publishers (or exchanges if we can sort of merge the publisher and the exchange) to give up their crown jewels.

A standardized and builtin API for ads, a-la DRM in HTML 5?

(Maybe this would make blocking ads easier now that I think about it.)

It's certainly possible to do tracking without the ability to execute code on the client, and for example Google is probably able to log 99% of your browsing history with this method alone even today.

But it should still very much lower the amount of tracking, as it requires a lot more effort than adding something like Google Analytics to your page. And there's got to be a huge number of pages out there, which don't actually have a real use for analytics. They just included analytics, because it required no more than five clicks to do so and made some pretty graphs appear.

The next step in the tracking arms-race might involve more difficult solutions, like integrating the tracking scripts into the host site's client-side javascript and the host site's servers, then forwarding to the third party's sites.

But these are way more expensive and involved for hosts than "put this one script tag on each page".

about:config - when?

As soon as Apple allows shipping an actual browser engine on the App Store. Until then Firefox for iOS - like every other browser on iOS - has to build on top of platform WebKit/WebView APIs

Yea but why not make the url about:config just go to a configuration page of the browser for the time being?

What would be the advantage of that? Functionally that is the same as tapping the application menu and then choosing 'settings'.

If there is something specific you would like to see exposed in about:config that is currently not available in settings, let us know.

Sorry, I didn't mean that it would be an actual feature request. The grandparent poster wanted about:config and I proposed that it do that. I don't actually think it has any advantage overall.

You can already enable Tracking Protection in Firefox for iOS (and Android and desktop) in the settings UI without digging in about:config. With this iOS release, Mozilla is just changing the default value.


Why? What do you want to mess with in about:config? We have been talking about an 'advanced settings' section for things that most users don't want to change, but we don't have enough feedback yet to understand what should go in there. Let us know.

Why? Ability to disable prefetch, Referer spoof to top domain and other privacy related stuff.

I love Firefox - it’s my default desktop browser for many years. The about:config settings gives you that old Amiga feeling (like Netscape also had) where you can configure a system to your liking. I change/review/edit some advanced settings for new installs. Nerdy? Yes!

Mozilla is one of the main topics of my essay: http://yuhongbao.blogspot.ca/2018/04/google-doubleclick-mozi...
