kirb 4 days ago [-]
This gist misleads in a few ways by being so vague and seems to be more about disabling every somewhat useful feature that sounds bad for tinfoil hat enthusiasts. Still has useful things, like disabling Pocket if you don’t want it and forcing newer TLS versions. Others are silly (disabling things that already ask for your permission, like location), dangerous (disabling Google Safe Browsing), or already exposed in the settings UI anyway (DNT, tracking protection, telemetry). To each their own, use these if you think they’re important to you, but for most people it’s fear-mongering about nothing and enabling a few things in the privacy settings page is sufficient.
TAForObvReasons 4 days ago [-]
> for most people it’s fear-mongering about nothing

To be fair, a core argument in favor of Firefox is essentially fear-mongering about google and your personal data. It always struck me as odd that actions many people would call "shady" if google does it are condoned in FF because Mozilla.

jkolem2 4 days ago [-]
Mozilla is not the largest advertising company on Earth whose core business is profiling people to package and sell them.
SquareWheel 3 days ago [-]
>whose core business is profiling people to package and sell them

Do you have any proof of this statement?

Google is an advertising company. It doesn't make any sense that they would sell your information to other advertising companies.

Not only does that violate their privacy policy, but it makes no business sense, either.

zie 2 days ago [-]
I think maybe you misunderstood the point here. I agree Google is probably not directly selling your information it gathers to other people but instead is selling access to that information in the form of directed advertising.

Google's in the business of knowing EVERYTHING they can about you, so they can better sell "you" to their customers (advertisers). You are not a customer of Google, you are their product. Nestle, Exxon, Ford, etc. are the customers of Google.

SquareWheel 2 days ago [-]
That doesn't make a whole lot of sense to me. Google's data is a part of their offering, but that doesn't somehow make me as a person a "product".

Their products are AdWords and AdSense. These services network customers together who want to 1. make money from ads, and 2. advertise themselves.

Google mediates this exchange between both parties, and uses data from users to target their ads more accurately.

Calling the user a product is rather hyperbolic. The only interaction with a user is in choosing which ad to serve, and recording if they view or click the ad.

It's not slavery after all.

cordial 2 days ago [-]
As a complete outsider to this conversation who has gotten caught up in the fearmongering mentioned, but who is too ignorant to really have strong opinions either way, thanks for having this conversation.

It's scary, being in the Too Much Information age. It feels so easy to be misled when it's hard to devote the time to properly understand complex topics like this.

I don't know if I feel any more confident in my browser choice (or anything else related to cybersecurity), but... thanks, still? Acknowledging how little I can know about any one thing feels so destabilizing... hoorah for existential crises?

SquareWheel 2 days ago [-]
Well, thank you for being willing to be vulnerable.

Personally I do still believe privacy is very important. I often take up the devil's advocate position on Hacker News because there is a lot of groupthink on this site. The issues are rarely black and white, and almost never come down to "X is evil".

My advice is to stay aware of the issues, but don't get consumed by them. In almost all cases a site's privacy policy will tell you exactly what they collect, and you always maintain the power to block that at the browser level if you want to.

e.g. I use an adblocker to remove social media widgets. I find them clutter and I don't care for the tracking. Otherwise though my settings are pretty light.

I hope you find your happy medium.

Tloewald 4 days ago [-]
No it’s just beholden to one or another of them.
CodeWriter23 4 days ago [-]
> windlep 0 minutes ago [-] I was under the impression the search deals are merely which engine are the default. How does having the default search be Google make the Mozilla corp beholden to Google?

Well, when someone pays your paycheck, that makes you beholden to them. Unless you don't want another paycheck.

PS I didn't downvote you.

windlep 4 days ago [-]
The person that pays my paycheck tells me what to do. The only thing Mozilla was told to do in the contract with Google is to have them as the default search engine.

Besides for the search engine requirement per contract, how is Mozilla's product beholden to Google?

I'm somewhat surprised that was downvoted, as I thought people knew how these contracts were arranged and what they included. They're about the default search engine placement, that's it. Google obviously doesn't get to provide input/requirements into Mozilla product design, marketing, etc.

windlep 4 days ago [-]
I was under the impression the search deals are merely which engine are the default. How does having the default search be Google make the Mozilla corp beholden to Google?
ftlio 4 days ago [-]
If Google is paying what Yahoo was, it's $300 million a year for the default search option on Firefox. Google pays Apple billions to stay the default on the iPhone as well.
windlep 4 days ago [-]
Ok, so that makes Mozilla beholden to them how exactly? Is Google calling up Mozilla asking them to do them favors in the product? Are Mozilla engineers being asked to write in special features that Google asks for?

Yes, Google provides 90% of the revenue or somewhere around there. But I still haven't heard how exactly Mozilla is doing special favors to Google or is in some way beholden to it.

Mozilla has a contract with Google to be the default search provider for a set period of years. I have never heard of anything else being in there that allows Google to make any product requests on Mozilla.

How come no one wants to say how exactly Mozilla is doing what Google wants?

Tloewald 3 days ago [-]
Mozilla’s bizarre stance on H264 coincidentally favored Google’s position. Mozilla’s anti-ad-tracking stuff was all switched off by default. They make their money from ads meaning their incentives parallel those of ad networks.

All ad supported products have bad incentives. It’s the same reason HBO and Netflix produce great TV shows and ad based broadcast and cable networks mainly produce garbage.

mtarnovan 3 days ago [-]
So if Google stopped paying Apple, what would they do? Switch to Bing? I'm sure their users would love that </s>
blisse 3 days ago [-]
Given that Apple had been using Bing for search from 2014-2017, I'm not sure users actually care that much.

https://techcrunch.com/2017/09/25/apple-switches-from-bing-t...

AndrewCHMcM 4 days ago [-]
search engines pay for 80% of mozilla's cheques, so search engines have 80% control over mozilla's income, which is a bit iffy, especially for something meant to be community controlled and directed (non profit open source right?)
emh68 2 days ago [-]
What I don’t understand is why are there no paid browsers? I’d pay $xx(x?) for a browser where I’m the customer, not the product. Every open-source browser is either awful and outdated, or is beholden to outside interests, or internal monetization strategy.
nitrogen 4 days ago [-]
If the search engine is unhappy, they will pay less money to be the default.
tekromancr 4 days ago [-]
Then another search engine will happily take that browser's market share.
dvfjsdhgfv 3 days ago [-]
Maybe for less money, then your colleagues will get fired and your salary will be cut etc.

Whenever your earnings depend on someone giving you money, whether it's through advertising or a grant, it's quite normal and common that you'll be very careful not to upset them. At least you'll think twice before doing so.

geezerjay 4 days ago [-]
Which search engine might that be? Last time I looked, Google operated a de facto monopoly.
testvox 3 days ago [-]
What is their core business then?
girvo 4 days ago [-]
Alphabet/Google has significantly more power than Mozilla.
lucideer 3 days ago [-]
> dangerous (disabling Google Safe Browsing)

Dangerous is a strong word here. Yes, this feature does make browsing the web safer, but I would stop short of inverting that statement to mean that disabling it makes the web dangerous. It primarily protects you from sites engaging in social engineering of some kind: these can admittedly be extremely sophisticated, to the point of fooling most very technical people, but generally speaking it's still mostly avoidable with some care.

I would recommend most people having a safe browsing feature enabled, but I wouldn't fear-monger those disabling it either.

It's also worth mentioning that Mozilla provide their own service here -- Shavar -- so one needn't use Goog

gsich 4 days ago [-]
Location is pretty useless. It is based on what address your ISP has in most cases.
Viper007Bond 4 days ago [-]
On the contrary. Maybe if you're on a hardwired desktop, but for everything else it is incredibly accurate. You don't even need to have GPS in your device -- WiFi is plenty.

Try it: https://whereamirightnow.com/ It puts my laptop exactly where I am.

oxguy3 4 days ago [-]
I'm on a desktop with no wi-fi card and it's within a stone's throw, how the hell...
craftyguy 3 days ago [-]
> It puts my laptop exactly where I am.

Did you allow permission for location? Because if you did, it kind of defeats the purpose of showing that disabling this permission helps obscure your location to websites. On my desktop, it asked for permission, and when denied it threw up its hands and said that it had no idea where I was.

Viper007Bond 3 days ago [-]
Yes, of course because the comment I was replying to was about location being worthless in general.
loeg 4 days ago [-]
Wired, it gives me a location 3 miles away from my house.

Smartphone, it wants to use GPS. That's kind of cheating, isn't it?

userbinator 4 days ago [-]
> Smartphone, it wants to use GPS. That's kind of cheating, isn't it?

It is, but it also shows just how much information people could leak if they casually dismiss any permissions prompting with "allow" (or even worse, have such permissions be granted by default.)

gsich 3 days ago [-]
Which makes the removal of the location feature (or the default off) all the better.
weberc2 3 days ago [-]
The OP said wifi w/o GPS. Give that a shot maybe?
loeg 3 days ago [-]
Yeah, I tried that, but the mobile version of website refuses to proceed without GPS.
michaelmrose 4 days ago [-]
You can get an addon to set your location manually if, like most non-mobile devices, there is no actual GPS.

I use this so that I get actually accurate results.

quiquex 4 days ago [-]
"These are used by Mozilla to spy on you, and are as such a significant risk to privacy."

Wow, that's a big claim. Any proof that the data collected is not anonymous? It sounds a lot like fear-mongering.

outworlder 4 days ago [-]
Yeah.

Companies should be transparent about the data they collect and how they anonymize it – and it should be easy to disable if you need serious privacy, as it is possible that some resourceful actor could de-anonymize the information somehow. But this kind of data is not necessarily harmful.

People disabling telemetry will often be the same ones complaining about "poorly written applications and company X should know better". Well they don't because you disabled telemetry, now the company or organization has no data to improve anything, be it performance, crashes or even UI. Bug reports are not enough.

userbinator 4 days ago [-]
> People disabling telemetry will often be the same ones complaining about "poorly written applications and company X should know better". Well they don't because you disabled telemetry, now the company or organization has no data to improve anything, be it performance, crashes or even UI. Bug reports are not enough.

This is the sort of argument that gets thrown around often, and I disagree completely --- data collection should always be opt-in, not opt-out. Normalising the invasion of privacy and subverting the default expectation thereof is harmful to individual freedom.

Respect the users: let them tell you what they want, when they want, and how they want. Don't paternalistically monitor them or tell them what they should/"really" want.

nitrogen 4 days ago [-]
> Respect the users: let them tell you what they want, when they want, and how they want.

To expand on this a bit, the past several years advertisers and attention brokers have focused on the difference between stated preferences and observed behavior, optimizing for the latter. Unfortunately it seems optimizing for observed behavior amplifies the worst of our base instincts, so even if it improves the bottom line in the short term, we are degrading our civilization in the process.

It's possible a similar discrepancy between behavior and intention exists in UI telemetry. Ask people what they want when at their best, don't optimize for measurements of them at their worst.

eli 4 days ago [-]
Firefox is not transparent enough? Their privacy policy is pretty straightforward and there's a ton more technical details on the wiki.
TheAdamAndChe 4 days ago [-]
Yet organizations went decades making fantastic and ever-improving software without telemetry. What changed? Why would telemetry suddenly become a basic requirement for improvement?
girvo 4 days ago [-]
I don’t know — my Pentium used to run software that crashed constantly, corrupted files, and was in hindsight horrendously insecure. I don’t think there’s ever been a time where software quality was magically excellent?
oatmealsnap 4 days ago [-]
Software is generally a lot more complex these days, and telemetry data is needed to stay competitive and keep improving.

Using Firefox as an example, look at how many improvements they have made over the last 5 years. I'm not here to argue whether we need these features or if Firefox 2 was the last version of Firefox that we needed. Firefox (or Chrome, or whatever) wouldn't look as great as it does today without lots of data.

geezerjay 4 days ago [-]
> Software is generally a lot more complex these days, and telemetry data is needed to stay competitive and keep improving.

If violating users' privacy is your way to stay competitive, then that's your personal problem. You have no right to spy on everyone just because you have problems staying relevant.

dingaling 4 days ago [-]
On the other hand Mozilla has frequently quoted telemetry as the reason for removing niche or power-user features, for example Tab Groups and Themes. "Low usage" in both cases.

So telemetry doesn't always improve the user experience.

thatcat 3 days ago [-]
Power users disable telemetry.
SquareWheel 4 days ago [-]
And another thing -- what's the deal with automobiles? Horses do a perfectly fine job at getting us around.
stonogo 4 days ago [-]
Shitty analogy. Cars provided demonstrable benefits to users. Telemetry does not.
zachlatta 4 days ago [-]
I have worked on products and have made changes based on data I got on how users were using them.

Telemetry doesn't replace user feedback or interviews, but it really does help.

geezerjay 4 days ago [-]
I don't believe your personal convenience trumps everyone's right to privacy.
SquareWheel 4 days ago [-]
A crash log doesn't violate your privacy, nor do usage statistics when properly anonymized.

Sometimes telemetry is just telemetry.

geezerjay 3 days ago [-]
> A crash log doesn't violate your privacy

Says who?

If that's the case then ask the user to email you the log. Instead, we get covert eavesdropping.

philipwhiuk 3 days ago [-]
Properly anonymised doesn't exist. Every mechanism has been broken.
Feniks 4 days ago [-]
Some of us are assholes though and don't really care about helping you out with making money. No offense intended.
dreae 4 days ago [-]
That's just stupid. Obviously the product has some value for you or you wouldn't be using it, and telemetry is a practically zero effort way for you to help improve it.

Note, when we're talking about telemetry we're not talking about tracking your time on a site to show you ads, we're talking about tracking bugs you encounter so they can be fixed.

megablast 4 days ago [-]
Sure. Over 1 million deaths a year. Cars are a great idea.
SquareWheel 4 days ago [-]
Just because it's not obvious to the user, doesn't mean it's not going towards bug fixes and other improvements.
inferiorhuman 4 days ago [-]
> Well they don't because you disabled telemetry, now the company or organization has no data to improve anything

No.

kazinator 4 days ago [-]
For a datum to be mathematically anonymous means that there is a proof that no function exists which maps instances of that datum to identities more reliably than a random guess.

A datum isn't anonymous unless proven otherwise. Today's "practically anonymous" is tomorrow's "deanonymized".

yorby 4 days ago [-]
it's very hard to completely anonymize data... companies have so much data nowadays that they can de-anonymize it more easily.
gsich 4 days ago [-]
You send them data. Now they have your IP. You don't know if it gets deleted.
st3fan 4 days ago [-]
AFAIK We throw IP addresses away pretty quickly after receiving a telemetry packet.

You can read about our data collection approval process here:

https://wiki.mozilla.org/Firefox/Data_Collection

An IP address would be Category 4 - I think it is pretty much impossible to get approval for category 4.

I highly doubt we have any products out there that actually collect Category 4 data.

gsich 4 days ago [-]
The problem here is that nobody can actually verify this. But this is true for all companies/servers you don't control.
userbinator 4 days ago [-]
Do your webservers really not have any logging? By default they all do.

I've accepted it as a given that if I interact with a website, it will know my IP, but "phoning home" is a slightly different matter.

CodeWriter23 4 days ago [-]
Perhaps a little melodramatic of a statement by the gist author. But the point is these settings are insecure by default. Exploitable by Mozilla, and perhaps by third parties.
qbaqbaqba 3 days ago [-]
I would rather expect the one collecting the data to prove that they are anonymous. And MetaData anyway? In many countries they may be used without a court order. A false sense of security is the worst.
yuhong 4 days ago [-]
Especially when it is open source.
stonogo 4 days ago [-]
It's not on us to prove it's not anonymous. It's on Mozilla to prove it is.
______53 4 days ago [-]
I believe you can see the data that's being sent by typing about:telemetry in the address bar.
st3fan 4 days ago [-]
Or you can put a sniffer on the line, or read the source code, or read the code for the receiving end.

Or .. just talk to someone on the team and ask questions. Mozilla is incredibly open and transparent. Anyone can even join team/product meetings on video chat.

cinquemb 4 days ago [-]
>…or read the source code…

Good idea:

Step #1: read modules/libpref/Preferences.cpp

Step #2: default all function calls to `PREF_SetBoolPref` for `kTelemetryPref` with args true to false; remove all `PREF_LockPref` calls with kTelemetryPref

Step #3: ./mach build

ekianjo 3 days ago [-]
They should not be collecting data by default anyway.
OnlyRepliesToBS 4 days ago [-]
Always raise uncertainty.
jftuga 4 days ago [-]
https://waterfoxproject.org/

https://www.reddit.com/r/waterfox/

    Disabled Encrypted Media Extensions (EME)
    Disabled Web Runtime (deprecated as of 2015)
    Removed Pocket
    Removed Telemetry
    Removed data collection
    Removed startup profiling
    Allow running of all 64-Bit NPAPI plugins
    Allow running of unsigned extensions
    Removal of Sponsored Tiles on New Tab Page
    Addition of Duplicate Tab option
    Locale selector in about:preferences > General
CapacitorSet 4 days ago [-]
> Allow running of all 64-Bit NPAPI plugins

> Allow running of unsigned extensions

That doesn't sound very nice.

krapp 4 days ago [-]
It's to "fix" Firefox's deprecation of XUL-based plugins[0].

[0]https://news.ycombinator.com/item?id=15800634

outworlder 4 days ago [-]
Websockets? Really?

Even if they are an ugly hack on top of HTTP, they are too damn useful to be disabled.

Let's disable Javascript too while we are at it.

krapp 4 days ago [-]
>Let's disable Javascript too while we are at it.

...as if much of HN's userbase doesn't already do that.

outworlder 4 days ago [-]
Indeed. I wonder how they can get anything done. (Other than posting on HN itself, that is)
Momquist 4 days ago [-]
Surprisingly well, from my own experience. It can even increase your productivity and decrease distractions: it blocks most ads, suppresses annoying "interactive" features, bans participation in most time-wasting sites (e.g. facebook) while still allowing browsing. And of course security.

For the very few domains I deem absolutely necessary, I can always whitelist them.

twhb 4 days ago [-]
It sounds like the problem is you're spending your time on adversarial websites. Give JS to a skillful developer who shares your goals, and they'll use it to make the website better.
quickben 4 days ago [-]
By the look of it that altruism died ten years ago.

Current sites load 20-100 external scripts, mostly in ads, analytics, and non essential content.

twhb 4 days ago [-]
Not altruism (except occasionally), incentive alignment. Websites that don't otherwise profit from you are incentivized to be as you describe; websites that profit from your happiness (paid directly, funded for a purpose, a generosity, etc) aren't.
Momquist 4 days ago [-]
Actually I don't. I never had any account on FB for example, but once in a blue moon I get to visit a public FB page (like a recent blog post posted on HN recently), and having JS disabled let me browse it without worries.

How can a skillful JS developer make the site better for me when I want to avoid ANY extra features and distractions? My personal tastes tend to go not too far off this kind of design: http://bettermotherfuckingwebsite.com/

If this hypothetical developer is really sharing my goals then he'll use the <noscript> tag, and I'll be happy enough with HTML/CSS.

For text-heavy sites, which are the ones I use the most, JS adds nothing I want: tracking? 3rd-party ads? lazy-loading? comments via disqus? sharing to social media? Thanks, but not for me.

twhb 4 days ago [-]
> How can a skillful JS developer make the site better for me when I want to avoid ANY extra features and distractions?

devdocs.io uses JS to make an essentially-static website much faster to load and navigate. HN lets you vote without reloading the page. Shopping carts. Webmail. Google Maps. Rich text editors. Navigating around Spotify while the music keeps playing. Feedback on forms without clearing or changing something. Keeping a table of contents in sync with what you're viewing. Keeping changing data correct, like feeds, whether a service is up, whether you're signed in. Chat. Video calls.

And areas not yet widespread. AMP's speed (which would be inoffensive, I think, if intra-site). Layouts more advanced than CSS can express, like a newspaper's or the positioning of plaques at museums. Even smarter data compression for repetitive content.

And areas we're just now getting the tech for, like 3D simulations and peer-to-peer networking.

jraph 2 days ago [-]
> How can a skillful JS developer make the site better for me when I want to avoid ANY extra features and distractions?

I don't know if I qualify as a skillful JS developer, but I run a website displaying pictures that works correctly without Javascript.

However, Javascript makes this website way faster, smoother and easier on the connection by downloading only the moving parts when clicking on a link, carefully preserving history so back/next works as if this script did nothing. When Javascript is disabled, an ugly white flash appears when navigating between some pages and rendering is just slower, even though it remains decent (my code is minimalist anyway…)

When leaving the page of a picture to come back to the album it is in, scroll position is restored. This is impossible without Javascript. History Back button is not sufficient: you might have looked at 10 pictures before coming back to the album. Sure, you can still ask your browser to come back 10 pages ago, but this is less convenient than just clicking on a cross.

It also helps dimension images correctly, which I could not manage to do using pure CSS, unfortunately.

No Javascript tracker is present. You want Javascript enabled on this website because it helps using less resources and makes things easier to use. This is a 9 KB Javascript file that gets compressed to 3 KB and served using HTTP2 only once, so this is basically a null cost when considering how much a picture weighs (~ 100KB). And this is free software, for the sake of it.

But you cannot know this on random websites. Problem is, Javascript is not used like this in general. Unfortunately for websites like this one, disabling Javascript by default is still a reasonable thing to do.

Worse, visitors of this website that disable Javascript won't be aware of that, because things pretty much work as expected and I don't display a warning message.

quickben 4 days ago [-]
I wonder how you all get anything done by not disabling it.

No script. If the page breaks, whitelist the primary domain.

For most non shady sites, this gives you a blazing fast site with near zero crap on it.

superkuh 4 days ago [-]
Pretty easily. Just temp whitelist if it's really needed (ie, a bank or government website). Otherwise close the tab and avoid the waste of time that 'web app' sites represent.
IncRnd 4 days ago [-]
> Indeed. I wonder how they can get anything done. (Other than posting on HN itself, that is)

It's very straightforward. I allow javascript on the sites that I trust to run javascript - in a protected environment. There are tons of ways to do this.

I see how long others' computers take to render simple pages, and I just shake my head.

ACow_Adonis 4 days ago [-]
Well, 99% of the javascript/web is more about distraction, advertising and tracking than about getting anything done, and the other 1% is a small number of high-frequency sites that can be selectively white-listed.

Plus my bandwidth is a fraction of others and browser responsiveness shoots up...

I think you may have it arse-backwards when it comes to productivity...

/numbers pulled out of said backwards-arse.

IgniteTheSun 4 days ago [-]
With the exception of a couple of sites, I rarely turn on javascript.

(There are a few sites where the homepage will just show something like "turn javascript on to see this site"; I just take that as an invitation to leave the site and, if necessary, to search for an alternative.)

About the only thing I'm having difficulty with at the moment are TV listings: was able to see TV listings without javascript on zap2it until last week, but have not yet found an alternative. Anyone have any suggestions?

jrcii 4 days ago [-]
eBay, PayPal, and Amazon are useless without JavaScript, just off the top of my head.
Digital-Citizen 3 days ago [-]
Perhaps, but like the grandparent post said, one can find other online stores that don't require JavaScript.

Going beyond what the grandparent post said, JS is a big reason why websites are slow, insecure (from the user's perspective), and time-consuming. Amazon.com's site is ridiculously sluggish precisely because of needless JS. There's nothing about purchasing something online that legitimately needs JS to make that purchase work. You can search for stuff on Amazon without JS but (for all I know) purchasing doesn't work without JS because of implementation choices Amazon made. I'm not so convinced Amazon's prices are all that great, and buying locally is often a better deal for things I buy. The more I learn about how Amazon conducts business (see https://stallman.org/amazon.html for many reasons why) the more interested I am in avoiding them.

If you want to buy new or used books and you want to do business with Amazon, AbeBooks is owned by Amazon and AbeBooks works fully without JS.

I'm guessing there are other places to get items instead of using eBay.

yorby 4 days ago [-]
I don't completely disable javascript but I use uMatrix... it seems like a good middle ground...
bhrgunatha 4 days ago [-]
I used to use NoScript. It was a revelation to see how much junk just disappears when there's no javascript.

Now I find uMatrix better but the first rule I created was:

* * * block

Since that was the basic starting point for NoScript.

Then slowly build up your whitelist of sites to allow javascript as desired/needed.
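As an added illustration of building up from that starting point (this is not bhrgunatha's own rule set), here is what a small uMatrix rules file can look like. Each line follows uMatrix's rule grammar of source hostname, destination hostname, request type, action; the hostnames under the .test TLD are placeholders chosen for the example, not real sites.

```text
* * * block
* 1st-party css allow
* 1st-party image allow
example-bank.test 1st-party script allow
example-bank.test 1st-party xhr allow
example-shop.test 1st-party script allow
example-shop.test cdn.example-shop.test script allow
```

The first line is the global block that the comment above starts from; the two `1st-party` lines let pages render (stylesheets and images from the page's own domain) without yet running any script. Scripts and XHR are then allowed only per site, and a third-party script host is admitted only for the one site that needs it rather than globally, which keeps the whitelist narrow as it grows.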

amiga-workbench 4 days ago [-]
>Let's disable Javascript too while we are at it.

Yes, let's do that.

mulmen 4 days ago [-]
I disable javascript and I miss out on a lot of the internet. I don't miss any of it though.
IncRnd 4 days ago [-]
> Let's disable Javascript too while we are at it.

That happened a few years ago.

foo101 4 days ago [-]
What plugins or techniques do you use to disable JavaScript while keeping the flexibility to whitelist some of the websites where JavaScript can be enabled?
rickycook 4 days ago [-]
i love “is blocker” for safari; it’s hugely configurable with regexes, allowing things on some domains only, allowing globally from some domains, blocking of canvas elements, XHR requests, frames, plenty more too!
foo101 4 days ago [-]
When you use a thing like "is blocker", do you still need a separate ad blocker or is the JavaScript blocker sufficient to block ads as well?
swiley 4 days ago [-]
Does this add that to the preferences GUI again? That was one of the big features I was looking for.
CodeWriter23 4 days ago [-]
Well, Meltdown proves the formerly-paranoid Javascript rejectors were actually insightful.
duskwuff 3 days ago [-]
That they happened to be right? Yes. That they were insightful? Not so clear.
cocktailpeanuts 4 days ago [-]
Would have not gotten the backlash it's getting if the author was a bit modest and titled the repo:

"How to get rid of FireFox features you don't need", or something like that.

Security is an important issue, but as someone who thinks WebRTC is the only missing piece of the puzzle that could help bring true decentralization to the Web, I think bashing on WebRTC just because of its security issue is short sighted. (Not to mention a couple other features mentioned on there)

But if you're so paranoid about security that you're going to disable WebSockets, I think web browser is not the only thing you need to worry about. There are ton more attack vectors and hackers can hack in no matter how you get rid of these "FireFox bullshit" to increase security. After all, most hacking nowadays is based on social engineering.

One thing I agree though is "Pocket Integration" IS a bullshit.

balladeer 4 days ago [-]
> "Pocket Integration" IS a bullshit

And it is still around. It has still not been made into a removable AND turned off by default component which is the least Firefox should have done if at all they can't live without shipping Firefox with it.

craftyguy 3 days ago [-]
> I think bashing on WebRTC just because of its security issue is short sighted. (Not to mention a couple other features mentioned on there)

Well, the security concern is real. In other news, bashing on scammers because they scammed someone is short sighted?

dokem 4 days ago [-]
> Would have not gotten the backlash it's getting if the author was a bit modest and titled the repo...

The anime avatar also adds to his credibility.

mrob 4 days ago [-]
To this I would add:

  middlemouse.contentLoadURL=false
This anti-feature means missing the target of a middle-click by a single pixel can leak the contents of your clipboard or load unexpected URLs. I don't understand why it's still on by default -- Mozilla has been willing to break people's workflow for UI improvements many times before.
bzbarsky 4 days ago [-]
> middlemouse.contentLoadURL=false

This is the default in Firefox 57 and later. See https://bugzilla.mozilla.org/show_bug.cgi?id=366945

> I don't understand why it's still on by default

It's not.

louiz 2 days ago [-]
I don’t understand, what does it do?
bzbarsky 2 days ago [-]
When set to true, lets you middle-mouse-paste into the content area to load the url in the PRIMARY selection. That way you don't have to worry about whether selecting the text in the URL bar so you can replace it with the URL will clobber PRIMARY.

Only relevant on X, where there is a PRIMARY, of course. See https://unix.stackexchange.com/a/139193 for a quick description of what PRIMARY is and how it differs from CLIPBOARD.

Rjevski 2 days ago [-]
Seems to only apply to Linux, but basically it either pastes your clipboard content into any focused text field or tries to open the clipboard contents as an URL (and falls back to Google Search if that fails).
halestock 4 days ago [-]
Fwiw, I wasn't a fan of the original integration of pocket into Firefox, but they are now completely owned by Mozilla: https://blog.mozilla.org/blog/2017/02/27/mozilla-acquires-po...
mulmen 4 days ago [-]
This explanation has never satisfied any of my concerns. I don't doubt Mozilla's motivations but the fact that they bought Pocket does not mean that the architecture is designed with my best interests in mind. I'd rather hear about what Mozilla is doing as the owner of Pocket to continue fighting for my best interests.
JepZ 4 days ago [-]
Does anybody know if it is possible to use Pocket with a custom server? So far I have found only the ticket which tracks the open-sourcing process of Pocket:

https://bugzilla.mozilla.org/show_bug.cgi?id=1343006

11 months old, not even assigned yet... looks like I should come back in 2038.

boomboomsubban 4 days ago [-]
They've started releasing some of the code, I don't think it's at the point of a custom server yet.

https://github.com/Pocket

dyukqu 4 days ago [-]
Don't know anything about open-sourcing Pocket. As an (open-source) alternative you can self-host Wallabag[1]

[1] https://wallabag.org/en

gavreh 4 days ago [-]
> NOTE: Unfortunately this is somewhat out of date. The comments link to some resources that may be more up-to-date. Patches welcome.
xg15 3 days ago [-]
I'm puzzled that he sees websockets as a privacy hazard. From what I understand, WS connections are CORS protected (though the model is slightly different than standard CORS for historical reasons) and were designed somewhat friendly to proxies. So what is the problem?

(Though browsers don't seem to honor proxy settings for WS in practice. I guess this could be corrected. Does anyone know the reasons for that?)

WebRTC is more understandable: Connection setup is different for each application, the connection itself is encrypted and browsers don't seem to offer any way to inspect or manage WebRTC flows.

It's sad that a technology which offers so many interesting applications is implemented in such a problematic way for privacy. This should really be improved.

(Warning: rant follows)

Generally, I think we should have a general discussion about the ability of inspecting the network traffic of your own machines. Current practice seems to be that this ability is sacrificed in favor of an "encryption-first" doctrine: Browser vendors are aggressively pushing HTTPS everywhere and it's almost a requirement that new network protocols have built-in encryption. There are still some escape hatches by installing custom root CAs, but programs are starting to circumvent that without many consequences (or even with encouragement by OS vendors - e.g. on Android).

For example, right now it's impossible to inspect traffic from the Dropbox client on windows (short of patching the program) because the client ignores custom root CAs. Trying to inspect traffic from a smartphone is already pretty hopeless.

As traffic inspection would be a powerful tool in finding privacy leaks, we should lobby more for it.

philipwhiuk 3 days ago [-]
You don't need to decrypt TLS to know where it's going. SNI leaks the domain in plaintext and if SNI isn't enabled you can just use the IP address.
qwerty456127 4 days ago [-]
Is there something like this for Chrome too?

BTW I wish I could just disable all features but those basic ones every website uses (and "data URIs" support please!!! I really want to disable it!) and enable them manually on a per-domain basis (the way I do with scripts using NoScript and uMatrix).

Digital-Citizen 3 days ago [-]
With Chrome you face the inherent untrustworthiness of nonfree software. Chrome users always trust Google. No set of preference changes or add-ons makes Chrome safe from Google's power over your data or your computer. This strikes me as a fundamentally worse position for any Chrome user.
mediocrejoker 4 days ago [-]
Websockets are used for nefarious purposes?
qwerty456127 4 days ago [-]
Websockets can be used for many things and are actually a sound tech idea but I don't know about a single website that would use them to do something I need (no, I don't use social networks, don't play online games and don't use web voip - these are the 3 major areas that can make use of them) so disabling them seems a good idea. In general: disable everything you don't use - this will most certainly increase your safety and disrupt a huge portion of mainstream malware and spyware functioning.

When I was using Windows I had a software firewall that would ask me about every app that is trying to access the Internet and let me choose if I want to block or allow it - I would only allow the web browser, the messenger and the SSH client and completely block everything else (DroidWall and XPrivacy let you do this on Android, LittleSnitch does this on Mac, I miss such a tool on desktop GNU/Linux a huge lot).

joosters 4 days ago [-]
So is HTTP. Better disable that too.
twic 4 days ago [-]
I use them for nefarious purposes. But then i use everything for nefarious purposes.
ricree 4 days ago [-]
Please remember to set the evil bit properly when you do.
geezerjay 4 days ago [-]
> Websockets are used for nefarious purposes?

Websockets were created specifically to get clients to transfer data to the server at the request of the server and without the user specifically wanting to send it.

duskwuff 3 days ago [-]
That's a rather odd way of describing Websockets. XMLHttpRequest fits your description equally well.

Websockets don't inherently allow anything that isn't possible with other technologies. What they do is make certain data transfer patterns more efficient by removing the need for polling, or for redundant HTTP requests.

ravenstine 3 days ago [-]
I'd never heard of social media integration. That is true bullshit, and I wonder what the analog is in Chrome.

But what's wrong with DRM? DRM sucks, but I don't know why it's in someone's interest to not be able to watch Netflix in their browser.

Feniks 4 days ago [-]
Tip for Android users:

Fennec F-droid.

Firefox wants to be (a less evil) Chrome, which is great for the 90% but that leaves the rest of us scrambling. No I don't need my browser to support DRM in order to watch Netflix ffs...

https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/

clircle 4 days ago [-]
It's not really clear to me how this differs from Firefox for Android. Removes some DRM? Anything else?
solomatov 4 days ago [-]
Having a separate privacy conscious fork of FF would be a better solution. They can easily workaround such tweaks.
brendyn 4 days ago [-]
I use IceCat which is essentially that. It's based on the ESR releases though since it's hard for the few volunteers to keep up with Firefox's releases.
kccqzy 4 days ago [-]
Try the Tor browser.
yegle 4 days ago [-]
Why not just use TorBrowser if you are too concerned about those settings?
jasonkostempski 4 days ago [-]
network.websocket.enabled=false

This isn't even in my about:config anymore. I'm pretty sure it was at some point. Did they remove the option to disable it for some reason?

bzbarsky 4 days ago [-]
It was removed in Firefox 41, once WebSocket had been shipping for a while. See https://bugzilla.mozilla.org/show_bug.cgi?id=1159792

The only reason the pref was there is that new features tend to have prefs to disable them. First because those are useful for enabling a feature for testing before it may be ready to be on by default, second in case there's a serious problem with the feature that requires it to be turned off in a hurry. But once a feature has been shipping and on by default for a while, prefs to disable it just end up being technical debt, and tend to get removed like any other technical debt when people get a chance.

borplk 3 days ago [-]
Unplug your devices for maximum security.

In all seriousness it's not a bad list as a handy reference.

Tepix 3 days ago [-]
It got the "pocket" name wrong. On my Firefox 57 it's

     extensions.pocket.enabled
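Added example (my own code, not from anyone in this thread): a small Python audit of a Firefox profile's prefs.js that checks the two prefs discussed above, middlemouse.contentLoadURL and extensions.pocket.enabled, against the values the commenters want, and flags network.websocket.enabled as stale because the thread says it was removed in Firefox 41. The WANTED policy and the sample prefs.js are constructed for this example.

```python
import re
# One user_pref("name", value); line as written in prefs.js / user.js.
_PREF_RE = re.compile(r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\);\s*$')

def _parse_value(raw):
    # Pref literals are true/false, a double-quoted string, or an integer.
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(raw)

def parse_prefs(text):
    # Collect every user_pref() assignment; later lines override earlier ones.
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs

# Values the commenters above want (a policy constructed for this example).
WANTED = {
    "middlemouse.contentLoadURL": False,  # mrob: no clipboard-to-URL loads
    "extensions.pocket.enabled": False,   # Tepix: the actual Pocket pref name
}
# Pref the thread says was removed, so setting it is a silent no-op.
STALE = {"network.websocket.enabled": "removed in Firefox 41"}

def audit(prefs):
    # Report each watched pref as ok / default / unexpected:<value> / stale.
    report = {}
    for name, wanted in WANTED.items():
        if name not in prefs:
            report[name] = "default"  # absent from prefs.js; browser default applies
        elif prefs[name] == wanted:
            report[name] = "ok"
        else:
            report[name] = f"unexpected:{prefs[name]!r}"
    for name, why in STALE.items():
        if name in prefs:
            report[name] = f"stale ({why})"
    return report

# Constructed sample prefs.js, not copied from any real profile.
SAMPLE_PREFS_JS = """\
user_pref("browser.startup.homepage", "https://example.org/");
user_pref("extensions.pocket.enabled", true);
user_pref("middlemouse.contentLoadURL", false);
user_pref("network.websocket.enabled", false);
"""
```

Run `audit(parse_prefs(open(path_to_prefs_js).read()))` against a real profile; a "default" result for middlemouse.contentLoadURL simply means the browser default applies, which per bzbarsky above is off on Firefox 57 and later.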
sebastian 4 days ago [-]
Very helpful. It definitely would be worth developing an addon that would apply these settings for you.
tdurden 4 days ago [-]
mistermann 4 days ago [-]
A utility that could do this across browsers as well as for the operating system would be a good startup idea.
MollyR 4 days ago [-]
Interesting. Though at that point why wouldn't you just use Brave ?
st3fan 4 days ago [-]
You think Brave does not send telemetry :-)

On iOS it links to Fabric and Crashlytics. Both of those did not pass Mozilla's strict data collection rules. I'd love to use them in our mobile products, but they collect too much data, too much personally identifiable data, and store all of that at a third party. (Owned by Google)

JepZ 4 days ago [-]
Better use a safe© solution:

  curl -sL https://www.mozilla.com | html2pdf | pdfviewer
Just kidding ;-)
sli 4 days ago [-]
That isn't too far from how Stallman browses the internet, I don't think. I know he does some weird, roundabout thing involving email (or used to, anyway).
CodeWriter23 4 days ago [-]
Future HN Headline: On the exploitation of pdfviewer via html2pdf.
toyg 4 days ago [-]
Brave are just a different kind of evil. They basically want to hijack advertising and tracking so that they get the money rather than google, but it’s the same crap.
isjamesalive 4 days ago [-]
Where did you get that idea? His stance on SSM aside, Brendan Eich is not a guy I typically associate with evil.

The whole raison d'être of Brave is to restore privacy to consumers of advertisements while being fair to publishers.

The codebase is all MPL2 on Github. Nothing stopping you or anyone forking it, yada yada.

sekh60 4 days ago [-]
Not sure if it is the case, but the original plan was for Brave to replace ads with its own: https://arstechnica.com/information-technology/2016/01/mozil...
BrendanEich 1 days ago [-]
That is only if publishers and users consent. Both get paid in that case, 70% to publisher, 15% to user. But it's not the private ad model we are trying first.

What we're most excited about are opt-in, user-private and -anonymous ads, long form and at low frequency, where you get 70% of the gross revenue.

In either case some brand principles:

1. We pay 70% to the ad "inventory owner" -- the person who is giving attention space up for the ad

2. We always pay the user as much as, or more than, we take. This aligns our interests.

3. We never keep user data on any servers, whitelist ads for a fee, let trackers through to target or attribute/confirm.

The grand-parent post here is just flat wrong. In no case do we track user data for profit -- we never did and never will. All data in clear stays on your device. We use a ZKP protocol over a VPN for anonymous settlements/confirmations. Our site details all this: https://brave.com/.

Feniks 4 days ago [-]
Add-ons perhaps? Does Brave support those?
BrendanEich 1 days ago [-]
Yes, chromium extensions. We are curating, as we want to make sure they work correctly and aren't doing anything that goes against our privacy and security principles.
dangrover 4 days ago [-]
You forgot the last step, which is to respond to every link posted on Hacker News, regardless of what it's about, with a complaint about how the site doesn't function correctly with your unique browser config.
CaptSpify 4 days ago [-]
If websites were smart, they'd design their webpages to work with every unique browser. It's actually super easy to do.

It's just not as profitable to treat your users with respect, unfortunately.

NelsonMinar 4 days ago [-]
bathwater.baby = false
Karunamon 4 days ago [-]
I wrote something similar a while back, and it’s in a similar state of not-updated-ness

http://fixfirefox.com

urda 4 days ago [-]

  > Your connection is not secure
  >
  > SEC_ERROR_EXPIRED_CERTIFICATE (expired October 31, 2017)
Doesn't make me want to listen to any website claiming to "fix firefox" when they can't even bother to keep their SSL certs up to date.
CompuHacker 4 days ago [-]
I added an exception and read the page I received. A single author describes changes he made to his Firefox options from 29 onward. There is no plural "they", and, to my understanding, the information is not current.

Should this information become inaccessible because certs weren't paid for?

yborg 4 days ago [-]
I think he's just pointing out the irony of someone purporting to aid the security-conscious having an expired cert on his own site. Unless this is really some meta-level social commentary on how people will trust a complete stranger's website despite an invalid cert because he seems like a nice guy.
urda 3 days ago [-]
> I think he's just pointing out the irony of someone purporting to aid the security-conscious having an expired cert on his own site.

This is exactly the point I was going after. It would be one thing if the cert had just expired but c'mon, October 31, 2017, really?

quickben 4 days ago [-]
Why do few pages of readonly text advice need a certificate that badly?
philipwhiuk 3 days ago [-]
The wrong read-only text gets you arrested.
4 days ago [-]
gimmeayrwlt 3 days ago [-]
I think we are going full circle from IE5 times. In those days ActiveX was as bad as it can get... today's browsers are full of features like that... and now it's not safe anymore to use them... did we learn anything from Flash?
4 days ago [-]
shrimp_emoji 4 days ago [-]