In a similar vein, I'd appreciate it if Mozilla would stop using updates to Firefox as a mechanism to re-enable misfeatures I've explicitly disabled like Pocket integration and the "recommend X feature|extension while you are browsing but don't forget we totally respect your privacy!" settings. :-/
I've disabled Pocket via about:config and despite a year worth of updates, I honestly had never had the issue of it reenabling. And that is both on Windows with Auto-Update and Linux via package manager.
I run mostly FF dev & nightly and I've had it happen to me multiple times. I'm assuming the Pocket getting re-enabled problem is the result of an internal update to the extension that caused it to re-populate all the defaults in the config.
The other config settings I'm going to be less charitable about considering there would be no rational reason for an update to ever change those values.
I've never had the other settings change values either, I suspect you either ran into some bug or the sharing of a profile between dev&nightly is blowing this up.
Maybe - but definitely no sharing of profiles between dev & nightly and as you can see based on other comments in this thread I'm not the only one that has witnessed the behavior.
> If you configure Firefox to not automatically update, and then use, say, a package manager to update it, automatic updates will get re-enabled.
That isn't what the bug report says - package managers don't use the Firefox installer. Are you talking about a real bug (if so, is it logged?), or are you spreading FUD?
On the other hand, Firefox does respect locked preferences after update. Debian sets both app.update.enabled and toolkit.telemetry.enabled locked to false.
I may be mistaken about their revenue model, but I think it’s actually costing them money because they bought the company behind Pocket and they don’t seem to monetize the feature in any way.
My understanding is that they are using the Pocket organization as a way of managing the ads they now show by default on the new tab page. They call this "recommended by pocket". I don't know if it currently makes any money, but showing ads on every new tab opened in their browser certainly has the potential to.
I eventually disabled Recommended by Pocket on my new tab screen because the recommendations were typically clickbaity and being on the new tab screen, it would many times divert me from whatever more important original action I meant to take.
The creators probably had good intentions, but Recommended by Pocket seems almost like a dark pattern.
Since not all of the links are interesting, I'd like Recommended by Pocket to be able to learn from my input. I want to punish the uninteresting links and reward the interesting ones, so that I see more of something that I like.
It's a tool I have perfectly good alternatives for I already use that keeps using screen and menu space in my browser. I.e. why does my context menu have a "save to pocket" option despite me not being signed up for it, that I only ever will click accidentally? I don't mind there being a Pocket integration in Firefox, I somewhat mind it getting in the way if I don't want to use it.
The fact that there's both optin=bool and optout=bool suggests how it could be a dumb mistake, like there are competing opt-in mechanisms and the Firefox Send marketing email reads from optin (new) instead of optout (legacy) or something like that.
Some of the comments here remind me of when my users think everything is deliberately implemented and if something doesn't work perfectly, it's because I'm incompetent/malicious and designed it that way when it's just a bug or oversight.
What a power move on Mozilla's part... "No, YOU'RE spamming US." And then they add insult to injury, directing you to read about how their server should be configured... classic
> A year ago I reported a security issue in Mozilla Basket (not publicly accessible). The essence is that subscribing anybody to Mozilla’s newsletters is trivial
I don’t see how signing someone up to a newsletter is a security vulnerability.
So they emailed you about a new service; shrug. Of all the "spam" you could possibly receive this is by far the most useful.
What is it with all Firefox/Mozilla hating as of late? They don't seem to be able to do anything right in the eyes of some people, and seem to be held to a ridiculously high standard (far higher than anyone else).
When I opt out (or never opted in) and am still sent promotional material, it is an explicit message that the company disrespects me. Responding to that with shrug is layering more disrespect on top of it. Disrespect for users is a cardinal sin, and quickly reaches unforgivable levels if left unchecked. It is simply incorrect that this is an issue of bias against Mozilla. Other companies behaving worse doesn't make it acceptable - in fact, Mozilla's image of being "better" makes these kinds of infractions worse.
I'd argue they're merging into the same thing for certain products with frequent releases. Things like VS code get free marketing every month with their release announcements hitting the front page of HN, reddit and the like.
If your primary point is "We're the ethical ones fighting for the good", people will hold you to that.
While I generally think there's lots of overblown criticism of Mozilla and that Mozilla is still far ahead of the others in these regards overall, it's worrysome that they get basics like this wrong.
They are held to a higher standard because the alternative Chrome is as bad as it gets in terms of usability and utilizing sneaky ways to subvert privacy. The sneakiness is not necessarily malicious - it is driven by Google's revenue model.
Firefox remains configurable and privacy-enabling to a large extent, but it is becoming harder and harder, especially for non-technical folks, to realize that default Firefox settings are not necessarily user or privacy friendly. See the ruckus last year about defaulting to Cloudflare's DNS servers.
I'm going to wager that it's because Firefox has devolved into a Chrome wannabe that you suffer through for ideological reasons and little else. XUL addons were the reason to use Firefox; it's an otherwise mediocre browser that gets trounced by Chrome in every conceivable way but privacy (and even that might not be a guarantee). Mozilla started to get really into the whole ethics and responsibility arena around the same time they deprecated XUL, and them trying to act like they could do anything after giving their core competency a death sentence left a bad taste in a lot of people's mouths, mine included. I say this all as somebody who has used Firefox for almost my entire life, and will continue to use Waterfox until the wheels fall off the bus. The best thing that can happen to Firefox now is for it dwindle into irrelevance and disappear so that people can see that good intentions don't make up choosing to create the inferior product.
Mozilla is ethically compromised at the highest levels. They’ve made a shift over the last few years from a scrappy, low-rent, nonprofit dedicated to helping the web to just another data mining tech company. Just try setting your Firefox browser to a blank page with no requests on startup and watching the Wireshark log if you think otherwise.
> Just try setting your Firefox browser to a blank page with no requests on startup and watching the Wireshark log if you think otherwise
OK, so I just did this, and I don't really see what the issue is. Looking at Wireshark, I see requests for:
* detectportal.firefox.com, which is used to detect whether you're connected to a captive portal network and need to sign in before you can connect to the internet. As far as I'm aware, no personal information is transmitted as part of this request, and there's apparently a pref to disable it [0]
* A couple of requests for OCSP certificate validation [1], which seems like a useful feature, and is also pretty easy to disable if you really don't want it.
* A request to download.mozilla.org and another one to download.cdn.mozilla.net, which looks like it's checking whether an update is available.
You seriously don't have an issue with being fingerprinted and tracked every single time you open an application on your computer?
The point is that there should be zero. I should not have a single outgoing network request triggered by opening a web browser to a blank page until interacting in some way. The fact that we've lost this as a standard is terrifying to me.
The whole point of Firefox _is_ to make network requests. All of the features above aren't leaking your user data or fingerprinting you, they're assisting you in what the applications purpose is... to make network requests. Not to mention firefox is an open-source project, so you could go look at all the network communication it makes when it starts up. All of these options are configurable anyways.
I think you're looking in the wrong direction. Try the closed-source (or partial closed source) operating systems you interact with on a daily basis: Windows, Android, macOS, iOS- that's where you'll find the "fingerprinted and tracked every single time you open" sort of thing you speak of. :)
Every one of the requests that 43920 listed in a request in service of you, the user. The first is to detect captive portals, which is something you'll find very important if you're behind a captive portal. The second is for OCSP certificate validation, which helps ensure your safety while browsing. The third is checking for updates, which again is for your benefit.
A captive portal is a login screen of a service that prevents other activity unless logged in.
My guess is that Firefox will not try to check for updates or other things if it notices that the detectportal-request was not successful (i.e. the user is not logged into the hotel-wifi or something like this yet).
It also then can prompt the user to go to the captive portal page and log in, without the other redirection methods of the captive portal breaking anything (e.g. if they spoof DNS responses to redirect you to the login page) or the user being confused why they can't use the web despite being in the network.
Then turn those off? These things are a tradeoff for usability, Firefox is trying to be competitive for the masses, I have a feeling your ideal Firefox would feel pretty clunky to someone who's not familiar with tech.
>All of the features above aren't leaking your user data or fingerprinting you, they're assisting you in what the applications purpose is... to make network requests.
And you can prove this how?
All I'm saying is think twice before blindly trusting a tech company, because Mozilla is no longer the fun and friendly company we once knew. They are very much a rank and file data mining company now, generating tons of cash, and being infiltrated by CEO and marketing types.
Yeah, portal checking and update checking are surely things 99% of people appreciate.
Captive portal popup seems like an obvious UX improvement for 99% of people. I wonder how many people on HN even know how to trigger it if the browser didn't try to do it for you.
Update checking and over the air updates make obvious sense to me given that my mother and girlfriend will click "Remind me tomorrow" for years on the macOS update popup, and there's nothing user-friendly about making it so easy for users use old browser versions.
The rare user can turn both off if they want, so what's the big deal?
That's getting harder and harder as people add HSTS.
There's still neverssl.com, but with the most popular pages using HSTS like Google Facebook and Reddit, captive portal detection is essential for your average user.
Although I wish the IETF would make a standard for doing this at the network level as part of DHCP rather than the current ridiculousness we have. Captive portals are just the buggiest shit.
How often do you open a web browser to then not interact with it? Does it make a meaningful difference if it instead slows down the first request triggered by you to make the captive portal and OCSP checks, and moves the update request to a random time?
Honestly you sound paranoid. What if a dev wants to add instrumentation to make sure a page is loaded? What if you have some weird OS version, CPU, or kernel that might crash 1% of app opens?
A web page is not an app. It is a sandboxed rendered template that should not be able to crash due to a web page nor care about what OS, CPU or kernel the user is running. If a user wants to give that information away, then they should be prompted.
I think Mozilla's leadership honestly tries to be ethical, but their frame of reference is marketing. They seemingly think tactics that are only moderately scummy instead of flagrantly scummy represent a pro-user revolution.
The hell of it is that with the way ad tech has eaten the web, I'm not sure they're wrong.
Good question. Other than Firefox, Webkit/Blink based browsers are pretty much the only thing usable on the modern web without crashing. That leaves ungoogled Chromium, which unless you're compiling it yourself (good luck) means just blindly trusting some random internet person for binaries. There's really no good answer at this point.
Worse: even if the person (or organization) providing the binary is well-meaning, they would need some serious resources (mostly programmers) to provide security updates quickly enough.
The least resource-intensive way to provide attack-resistance near the level provided by Google's Chrome team would probably be to notify the user when a vulnerability is disclosed so that the user can either switch to Chrome or restrict their browsing to safe sites till the binary provider can get a security update out.
I know of no one doing that or providing timely security updates however except Google, possibly Opera, possibly Brave and probably some day soon Microsoft.
I would consider IceCat, but it looks like development has fallen behind Firefox considerably.
I mean no offense by this but I consider myself a privacy wonk and that website is a bit too tin foil hat even for me.
I think we're in a bad way as far as choices go for browsers these days, but Firefox seems like the best of a bad situation to me. If people are still concerned, they should take a look at the changes made to Firefox for the Tor browser.
I like Icecat (annoyingly not in the Debian repos).
I've also started to make use of text browsers. Links and Links2 are two that I use. Links2 is a nice halfway option as it will support images too.
I find them great for websites where I want to read info, but the interface is ironically designed to make that harder than it should be. News sites are a perfect example. Text browsers turn them from bloated billboards back into a readable format.
I don't think anyone has mentioned Opera yet. Why? It's quite a bit snappier than FF imo, and has extensions like uBlock Origin/HTTPS Everywhere/Privacy Badger available (and the ability to install Chrome extensions).
Edit: I know it's chromium-based, but still wondering!
The collect money on someone's behalf, without that person knowing. It's a scam. It would be like me taking money on behalf of you. Only I wouldn't tell you. And now someone thinks they are paying you by going through me.
Blocking ads and depriving publishers of income is a scam. You are stealing from content creators. BAT gives more revenue to content creators than Google ever would.
New Knowledge is the organization that setup a fake Russian botnet, and then tried to push a narrative about how the Republican candidate in an Alabama Senate race was being assisted by this "Russian election interference"... anybody involved with that organization is a scumbag - it has zero redeeming qualities. Renee has been making the rounds lately on Youtube, informing everyone about how much of a threat these operations are (not her organizations fabricated ops, the totally real ones). I haven't yet found the prime mover in this, but her activities are well aligned with those of the DoD ratcheting up the scaremongering about the (according to them) active Chinese operations against the US population. So there is a pretty strong push for further internet lockdown measures being made right now by these people - and Mozilla is associated. At this point I would not be at all surprised to hear Mozilla announce RealID browser integration.
I hadn't heard of this before, so I just dug up the original NYT story.
At least one person from New Knowledge was involved in a small experiment designed to explore how the sorts of tactics used by the Russians worked, which attempted to convince Republicans that Mr. Moore was receiving Russian help, but it was designed to be too small to actually affect the outcome of the election (as the goal was to explore how the tactics worked, not to produce any effect). This is a little shady, but as long as it didn't actually affect the outcome I see no harm in a group of people trying to better understand how the Russian social media tactics work.
First of all, the story has actually changed a couple of times. So if you really want to understand the timeline - you are going to need to refer to archives of those articles. Second, the "small experiment" had a budget of at least $100k that they are willing to admit to - traceable money that flowed through people related to the USDS and DoJ. You know that Obama repealed the ban on domestic propaganda before he left office, right? I couldn't tell you the number of times a counter-intel op leaked into domestic media (PopSci was really bad about it) - and months of work would instantly go up in smoke as the operation got scuttled, it makes me sick thinking that is no longer the case. New Knowledge's objective was to deceive voters. That is damage that can't be undone, they even tricked the media (a disappointingly easy task) into spreading the lie.
If you can't see something very wrong with this, well you'll be just fine in cold-war 2.0 - we can pick up where we left off in government experimentation on an unwitting public. MKULTRA 2 electricboogaloo. I'm sure its been a while since we updated our nuclear/biological/chemical weapons models... so long as it doesn't affect the public by a statistically significant amount - we should be fine to resume the 1970s practice of releasing airborne pathogens over major American population centers, doubling the number of deaths in the elderly.
> New Knowledge's objective was to deceive voters.
From reading the article, the group's¹ objective wasn't to deceive voters, it was to research how these tactics worked. Are you suggesting that a single $100k research project was sufficient to alter the course of an election with a $51M advertising budget? As near as I can tell, that's just how the right-wing media is trying to spin it. Certainly if I were to actually try and alter the outcome of an election like this, I'd expect to be spending a lot more than $100k to do so.
That said, I find it hard to believe you're arguing in good faith when you're drawing parallels between a limited spread of misinformation centered around a single event with literally murdering people.
¹Which seems to have involved at least one New Knowledge member but it seems wasn't actually run by New Knowledge.
> ...the group's¹ objective wasn't to deceive voters...
"The report does not say whether the project purchased the Russian bot Twitter accounts that suddenly began to follow Mr. Moore. But it takes credit for “radicalizing Democrats with a Russian bot scandal” and points to stories on the phenomenon in the mainstream media. “Roy Moore flooded with fake Russian Twitter followers,” reported The New York Post."
Deception.
> Which seems to have involved at least one New Knowledge member but it seems wasn't actually run by New Knowledge.
Reid Hoffman, the billionaire funding AET wrote an apology. What does he have to apologize for? Well he paid AET $750k, AET paid New Knowledge at least $100k of that to run this disinformation campaign. So you can knock it off with the "at least one member... seems wasn't run by New Knowledge..." Obviously my patience has run thin on this - it has been proven that Morgan is a liar and that New Knowledge was deeply involved.
As I said, they've change their story more than once. When Morgan was pressed on the leaked internal report's clearly political goals, he said that "it didn't ring a bell".
Oh, and go check out their release of the report they provided the Senate Select Committee on Intelligence in December. What, you didn't know that this politically motivated organization with an agenda was asked to inform the Senate about Russian interference in US election? Yeah, they were - and did, in December. Checkout the timestamp on that pdf - not December... weird...
> That said, I find it hard to believe you're arguing in good faith when you're drawing parallels between a limited spread of misinformation centered around a single event with literally murdering people.
When you say "limited spread" do you actually mean "completely unrestrained"? And no. I find it hard to believe that you don't see the parallels between the justifications for unethical experimentation conducted on an unwitting population during the cold war, and the rationalization you've provided in this thread. It has nothing to do with deaths, it has everything to do with the ethics and the non-zero cost to individuals. In the cold war a statistically insignificant portion of the population involuntarily paid a heavy price, in this "experiment" (it wasn't, the leak shows it was a political action) a statistically insignificant portion of the population was convinced that their president was a traitorous Russian agent and driven mad with impotent rage.
They were researching a tactic already used in the wild that involves deception, yes. But the end goal of the experiment wasn't to deceive voters, which is what you claimed. The goal was to learn about how this tactic, a tactic that involves deception, works, presumably to help identify and combat it in the future.
> What, you didn't know that this politically motivated organization with an agenda was asked to inform the Senate about Russian interference in US election?
So what you're saying is an organization doing research into Russian interference was asked to inform the Senate about Russian interference? When you put it like that, it sounds like they have an excellent reason to conduct this sort of research.
> When you say "limited spread" do you actually mean "completely unrestrained"?
No I don't, which is why I didn't say that.
In any case, it sounds like this discussion has run its course.
If the experiment was designed to be small enough to not affect the outcome of the election, then they're not experimenting with affecting the outcome, they're investigating and learning about tactics that, on a larger scale, could be used to affect the outcome of the election.
I did say it was a bit shady, but I'm not really sure how to do this sort of research in a way that doesn't potentially affect the real world, because the whole point is to see how this sort of thing affects real people. Doing it in simulation doesn't help because that only tests your simulation.
I'm taking it as a given that this kind of research is important to be able to identify and combat actual interference of this kind from malicious entities in the future.
> Mozilla is [...] made a shift over the last few years from a scrappy, low-rent, nonprofit dedicated to helping the web to just another data mining tech company.
This is a delightfully concise summary of Mozilla today. I was a Mozilla contributor in the "scrappy" years and became one of those listed on /about/owners.html. But Mozilla today is basically unrecognizable. A few years ago, even after I'd stopped contributing, it made me sick to my stomach to think about where things have gone, but I can process it better nowadays.
Mozilla's done worse than what's written in OP, but the absolute worst they can do is continue getting people to believe they're the same scrappy organization fighting for good.
If you believe in the Mozilla mission, then use Firefox, I guess, because there's not really a better option. (Although I suppose a WebKit-based browser should be an acceptable equivalent.) But please don't give Mozilla any money or tell people that Mozilla is their friend. It sort of tarnishes how things were around the time when you could say that and it was actually true all the way through.
Requests like what, updating extensions? Telemetry? There's quite a bit that ships on by default but that can be disabled in about:config. What proof do you have they're data mining besides FUD?
