1. Download installer from Mozilla from your home network - Mozilla now has your home IP and installer ID.
2. Transfer it via USB key to a secure, anonymous computer - one not linked to you, on a network not associated with you, such as public WiFi.
3. Install Firefox using that installer on said computer. It transmits the installer ID to Mozilla, which matches the one given to your home IP, thereby deanonymizing you.
4. Mozilla receives a warrant for this information, or it is hacked, or the organization is infiltrated by a single government or corporate spy.
Edit: It gets worse. Suppose a newspaper IT department takes care of providing Firefox and other trusted software installers to their reporters. Now Mozilla can determine who that newspaper helped with IT, such as journalists or sources. Or if you provide trusted software to your friends, Mozilla gets part of your social graph.
You know I let a lot of important things in Firefox slide (like the poor Webspeech API support, bad text-to-speech, some missing extensions and a lot of other things) but I still make it a habit to use it over Chrome (and recommend it to everybody) as somewhere in my mind it feels like a small revolt against the giant evil Google corp.
But stuff like this and other shenanigans in the past (like Mr. Robot, misuse of funding, etc.) is really off-putting sometimes. It really makes me feel naive and just drinking the support open-source kool-aid.
Firefox has no real competitive pressure and no need to improve. Google is their sugar daddy and Mozilla stopped innovating a decade ago. It's just constantly playing catchup while suckling on Google teats, desperately clinging onto relevance. Without Google nobody would pay for their browser.
At this point it'd be better for the web if we standardized on Blink and moved on, cleaning up some of the invasive tracking in Chrome but leaving the renderer intact. Gecko and Safari/Webkit are just holding back the web.
Firefox provides nothing but a bunch of incompatibilities these days and some warm fuzzies that honestly haven't been deserved for years and years. Modern Firefox is slow, bloated spamware.
Firefox has fixed a lot of issues in their Quantum release. It removed a lot of what you called bloat as well. In tests it uses a lot less memory on average compared to Chrome. The privacy settings have been extended even further in recent years. Chrome’s settings come not even close to it. The extension system is still more flexible than Chrome’s. It has some built-in features such as autoplay stop and audio control that Chrome lacks. I also think you’re vastly overstating the incompatibilities on Firefox.
Finally, isn’t it better if there are multiple browser engines instead of just one? This allows for more innovation and has done so in the past too. The past pretty much proves that Firefox has and still can innovate despite your assertion.
I also wonder why you are stating all this in such a polemic and vulgar fashion. “suckling on Google teats”, “bloated spamware”. None of this is even remotely accurate. But anyhow, what’s the point?
Sure, you go ahead and believe that. Every release of Firefox I've tried, including the recent ones, has sucked and been full of spam.
I'm angry at them because how the hell did we get here from the beauty of early Firefox and Phoenix? They've become the monster they were trying to fight.
You don't agree with my assertions, that's fine. Its marketshare speaks for itself. People don't trust Mozilla anymore, with good reason.
I'm old enough to remember the news of a "young kid" taking on Mozilla, IE and Netscape with their super lean Firefox browser, that was 20 years ago. It was meant to be lean, with the ability to install additional optional functionality through Plugins.
Now Firefox is old and bloated (Pocket?). It never got to be "lean" (always struggling with memory leaks, bad performance, etc) and poor compatibility (not Firefox fault, but still Firefox problem).
Yeah, exactly. Somewhere along the way leadership lost their way and made Firefox into bloated adware and kept uglifying it and mutating its interface to be worse and worse every iteration, all while posting flamboyant front-page news that they've made some major innovation. They haven't, they just... sucked even more.
It's not about trust. It's about convenience. Chrome comes with Android, so it's more convenient to use. Most people already use Google as search engine, and Google spams you to get Chrome, so it's more convenient to just use Chrome since you're also using Google, somehow using both products from the same house should be better, right?
Yeah, but those projects are forever downstream of Firefox, no? Like they still depend on Mozilla to build new features and such, but then remove the Mozilla-y stuff before publishing?
I think the Chromium model has them forking from a shared base, and Google adds their own Chrome bits after that...? Or am I wrong?
I honestly don't know why Google keeps funding Mozilla. Maybe it's a "useful fool" type of situation where having an inferior browser they can financially puppeteer helps them set their own standards (via WHATWG), since Firefox tries to keep parity with Chrome. Having another browser toe that line maybe helps legitimize those standards such that Google can remain in control and not worry as much about W3C/Microsoft/Apple domination? I dunno. Just speculating here.
It matters less these days since Microsoft gave up and went Chromium and Apple just doesn't care about its browser. Maybe Google already won and Firefox is on its last breaths?
I changed my default browser a few days ago back to Safari. In Firefox, I would usually click the first two items on the home page which would be photopea or reddit. That day, they put 2 sponsored items for Amazon and Trivago instead at the first 2 spots and I accidentally clicked the amazon one without realizing because that first item was supposed to be Photopea. That was enough to piss me off:
Advertising inside of Firefox is going insane, even if it’s just ads for Mozilla. Tabs that open when you open FF, little lines on the home page, “Big browser takes care of your privacy” starts looking very creepy.
The asshole homophobe who was CEO for like a week? Yeah, he deserved that. If you're going to try to tell people who they can fuck, don't be surprised if they say fuck you right back. He deserved it.
Mozilla was on its downhill slide long before him anyway.
Yeah, by using a better browser... Mozilla is kinda incompetent these days and shouldn't be trusted with stewardship. All they do is posture and market. All the real engineering seemingly stopped a long time ago.
Arguably Google can't either but at least they provide the engineering talent, if not the ethical leadership. Mozilla just offers spam.
The first bug is because of daylight savings, that was also in Chrome. People mistakenly thought it was to do with Brave servers being down.
The second one is people trying to install plugins from the chrome web store, apparently it has to do this through brave servers. I don't think it's entirely unreasonable that when installing a plugin from your browser that your browser has to connect to a server to do so.
Trying to present bugs as some sort of malware is dishonest, the source code is open if it was really phoning home why not just link that code?
> On 6 June 2020, a Twitter user pointed out that Brave inserts affiliate referral codes when users type a URL of Binance into the address bar, which earns Brave money. Further research revealed that Brave redirects the URLs of other cryptocurrency exchange websites, too. In response to the backlash from the users, Brave's CEO apologized and called it a "mistake" and said "we're correcting". [0]
Suggest everyone here read up on Brave - internally the care for privacy is much higher than Mozilla [I have worked for both] and things like P3A linked here are carefully designed to avoid leaking PII and implemented honestly somewhat begrudgingly.
I did, too. All I can tell you is that when I have Brave running on an M1 with four tabs open, it's consistently using 240MB of memory. When I fire up Firefox Developer Edition with the same tabs open, it starts at 660MB and quickly balloons up to 1.05GB of memory usage.
My experience also. I’ve slowly edged away from Firefox and have primarily been using Brave and Safari for the last 6mos or so. Brave just feels snappier, and it’s close enough to Chrome that most work required websites aren’t broken.
I currently have a number of Google Docs and Sheets open in Brave. Because of your comment, I started poking around. Try as I might, I couldn't break anything. That probably doesn't mean there's absolutely no way anything could be broken, but just anecdotal—I couldn't find anything.
A browser who does not develop their own code base but reuse Google's, with a business model based on monetizing users attention to ads network while pretending to protect privacy and block ads.
I wonder what could go wrong here? Maybe their history of misbehaving with money and injecting affiliate links in users browsing or the security issues and leaks could give us a pointer or two.
Interestingly this is likely for privacy reasons in a roundabout way. Brave doesn't connect to Google and so had to implement much of the serverside functionality (updates, sync etc) itself.
All people are fallible — by this logic, you should stop buying anything at all. Someone associated with anything you purchase or use just might have a scary opinion you can't tolerate, and we can't have that, can we now? Oh the agony!
The threat model is reasonable behavior + a single warrant or data leak. It may not be the most likely way of compromise, but it's very possible, and such small insecurities add up. Mozilla should be making such compromise less likely, not more.
They add up in the sense that each increases the likelihood you will be compromised, and reduces the set of activities that you may safely and privately perform.
I can't believe the apologists commenting on this.
Firefox put a lot of effort into tracking download to install behavior. Maybe this is the only violation you know about. There's no reason to continue to believe in Mozilla's good faith. They've been captured, and are 90% dependent on Google revenue.
Firefox is dead. It's time to move past denial. It doesn't stand for anything you think it does. I'm sad, too. Time to bury the putrid, rotting corpse.
I can. I'd still rather use Firefox than Chrome or Edge when it comes to privacy. "Firefox is dead ... Time to bury the putrid, rotting corpse" is ridiculously dramatic.
I like the idea of Vivaldi and honestly probably would use it, but I've been using Firefox as my primary browser for the last 7 years or so and just don't have a reason to switch.
I also think competition is good and am concerned if Blink became the only browser engine.
Mozilla as an org is a husk of its former self. They're constantly playing catch up with Firefox, almost abandonwared Thunderbird, and have little actual usable innovation. What part of Firefox is "open source" when you can't integrate in your own projects? What's the point when the tech is non portable? Chromium is the clear OS winner, so open and modular you can just make your own browsers.
> What part of Firefox is "open source" when you can't integrate in your own projects?
Let's not mix everything up. For a good debate we need clear ideas. Firefox can be built from sources available under open source licenses, it is sufficient to make it open source. Being embeddable and modular may be desirable features but it isn't a requirement to be open source.
> What part of Firefox is "open source" when you can't integrate in your own projects?
AFAIK, all of it; there are even full independent forks running around. Just because you can't bend the code to your particular use doesn't make it not FOSS.
I know that you meant something else with this, but the wording amused me as currently Firefox is the only up-to-date "portable" browser that lets you carry around your browser profile in a usb stick.
Anything with Chromium deletes your extensions, passwords etc. whenever you open it in a new computer.
Elinks looks like it hasn't had an update in years. There's a fork of it called Felinks [0] which seems pretty actively maintained. The last release was on December 24, 2021.
Yes, I'm in Vivaldi as well. For now! We need to avoid making software/product choices part of our identity.
A true firefox fan would've raised the alarm years ago, and voted with their feet when it kept moving in the wrong direction and stopped being the best option on the market.
Loving a brand no matter what they do is suboptimal.
I just disabled all of that. No Chromium browser is my main browser but when I need one, Brave seems like the best option.
If you were to pick between Brave, Vivaldi and I dunno, maybe Edge, just for when you need Chrome-compatibility and pretty much no other reason, which one would you pick and why?
They report anonymised data that can be turned off. They also connect to servers for auto updates and safe browsing checks, everything you would expect of a modern secure browser.
The people upset with brave for auto updates also consider tor browser spyware because it checks for updates LOL.
> Firefox is dead. It's time to move past denial. It doesn't stand for anything you think it does. I'm sad, too. Time to bury the putrid, rotting corpse.
I don't disagree, it's just that I need a browser, and there's no real alternatives.
Looking a lot at Librewolf. Have there been any independent audits of it?
The two are separate things. Chrome is built on top of the chromium base. I guess technically chromium and chrome v1 were developed and released about the same time so chicken and egg thing.
Firefox to my eye jumped the shark a long, long time ago, when they took to using deliberate deception during the install process to get people to sign up to a Mozilla account.
Pretty much everything they've introduced for years I've not wanted or disliked.
The saving grace has been that pretty much everything can be turned off in about:config.
I may be wrong, but I think Moz has become a typical larger company, wholly divorced from its users, unable to know what users want, let alone respond.
What Moz as a large company wants is really completely different to what users want, and a unique tracking ID is a shining example of this.
I'll be using Tor, but my secondary browser now has to change, as this is intolerable.
It's like how when you're baking a cake, the easiest way to do it is to buy a cake mix and follow the directions on the back. Yes, maybe you can make a tastier cake by changing the directions or using better ingredients, but you also introduced the possibility of the cake exploding. Particularly with anonymity, the trick is to do what everyone else who wants to be anonymous is doing.
This isn't a landmine in any normal threat model. The average person is concerned with identity theft and perhaps their local law enforcement, not the full weight of domestic or foreign intelligence services.
It may not concern the "average person", but it contributes to the omnipresent surveillance endangering the extraordinary people we rely on to keep an eye on our governments and corporations.
If we only care about the average person, we may as well have Firefox snitch to the NSA and their Russian, Chinese, Indian, etc. equivalents, plus Microsoft, Google, Raytheon, General Electric,..
Nothing I said requires a statistic, it is common knowledge US police officers kill roughly 1000 civilians a year on average.
It is also clear from investigative reporting that many police departments have a long history of colluding with local coroners to cover up many additional deaths.
Colin Kaepernick didn't recently start a multimillion dollar fund to aid families of victims in getting secondary independent coroner/autopsy reports without reason.
If the fact that this is necessary doesn't terrify you or the people in your community, then I don't know what to say.
I don’t know whether the OP was thinking of it, but world-wide, it is thousands (https://worldpopulationreview.com/country-rankings/police-ki.... Numbers “include those killed by security forces such as military police and intelligence agents”, but I think removing those would easily keep it ‘thousands’)
Checking the bug tracker, it only does something if you have Firefox Data Collection turned on in the settings. Personally, the first thing I do is turning that off on a fresh install.
Considering it sends your unique ID (or download token) during installation, when you disable settings after installation, it's already too late.
It seems there's actually a way to turn it off before installation using enterprise policies, but I have not tried it as I left Mozilla's Firefox long ago first for Waterfox and now LibreWolf.
That's a slight bit different because that file metadata is being assigned on the receiving client side and not from the distributor of the file. Likewise, that info is stored in your Spotlight index, not the file itself and isn't moved with the file (you can look at the raw metadata with the `mdls` command on a Mac and see that it is lost when you move something to a USB stick, or upload it to your own server or something)
Isn't that just storing the domain name from which served the file? I actually find this useful for those times when I can't remember where a file came from but need to use the site again. Having that data in a Get Info window has been useful and faster than web searching.
That is also annoying but two wrongs don't make a right.
Also Apple seems to just track this to show a prompt as to why they need approval for the install. And it's just stored locally in the metadata.
But yes I wish this prompt could be completely turned off. This isn't just security for the user though, they have a clear financial motive in promoting their app store as an easier option. After all the app store is a huge revenue driver for them on mobile but not on Mac.
Also Apple has done a lot worse things like checking the notarisation online every time an app was launched. They have now cut this back to once every few days since the outcry about it but still it's something you should be able to turn off IMO.
But what do you expect from a closed source OS (yes it is, only the kernel is open). And again, the fact that Apple does it too does not make Mozilla's action less questionable.
I have a hard time viewing Apple's Spotlight metadata as a wrong. It's locally created and stored, it's transparently shown in File info and mdls. It can be purged and edited with xattrs. It doesn't follow the file across computers and you can outright disable file metadata and indexing if you really care enough and I've never seen or heard of any evidence of Apple sending this local data outside your computer. Windows indexes files and creates metadata, even popular Linux desktop distros do it, because it's a usability improvement for most people.
>But yes I wish this prompt could be completely turned off.
`defaults write com.apple.LaunchServices LSQuarantine -bool NO`
Except this is an attribute saved on the file locally on your system, added by your browser when you download it, not something that Apple stores on their servers and tracks.
Any connection to Mozilla's servers reveals your IP to them. Given the amount of telemetry in Firefox, it's foolish to assume they don't log these IPs. And in either case, they could be legally compelled to. But afaik, under US law, they cannot be compelled to subvert their software, e.g. to add such spyware features if they were not already present.
Even if they don't (currently) feel that they need them, they could be compelled by law enforcement to retain logs and forbidden from revealing this fact publicly. Or their network could get infiltrated.
How do you propose to prevent a user from leaking their home IP address to Mozilla without undermining the ability to:
* Download the browser
* implement a safe browsing mechanism
* support automatic updates (which are a critical security feature)
If the updates are signed, then there is no danger in downloading them from a third party mirror. As for finding a mirror, Mozilla could put locations as TXT records in the DNS.
There would still be the problem that someone would have a log of your IP address downloading a Firefox update, but it wouldn't be Mozilla. Also, with a big enough list of mirrors, across 100 different jurisdictions, the probability of any given mirror being subpoenaed and having data on any given user is very small.
As for how to bootstrap the whole thing by letting the user securely download Firefox in the first place, that is of course difficult, but it should be an infinitesimally rare event compared to checking for browser updates. A user could therefore take special care to use public Wi-Fi when doing the initial download.
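The mirror idea in the comment above rests on the client checking a vendor signature rather than trusting whoever served the bytes. The following is an added example, not part of the thread and not Mozilla's update code: it assumes an Ed25519-signed manifest format invented for illustration, hypothetical mirror names, and skips the DNS TXT lookup. It also goes one step beyond the comment by rejecting a genuinely signed but older release, since a mirror can replay one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is signed once by the vendor; mirrors only relay it with the payload.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  []byte `json:"sha256"`
}

// Offer is what an untrusted mirror hands to the client.
type Offer struct {
	ManifestJSON, Sig, Payload []byte
}

var (
	ErrBadSig   = errors.New("manifest signature invalid")
	ErrBadHash  = errors.New("payload does not match signed hash")
	ErrRollback = errors.New("signed version is not newer than installed")
)

// Publish is the vendor side: sign a manifest binding version to payload hash.
func Publish(priv ed25519.PrivateKey, version int, payload []byte) Offer {
	sum := sha256.Sum256(payload)
	mj, _ := json.Marshal(Manifest{Version: version, SHA256: sum[:]})
	return Offer{ManifestJSON: mj, Sig: ed25519.Sign(priv, mj), Payload: payload}
}

// Verify is the client side. Nothing from the mirror is parsed or trusted
// until the signature over the exact manifest bytes has been checked.
func Verify(pub ed25519.PublicKey, installed int, o Offer) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, o.ManifestJSON, o.Sig) {
		return m, ErrBadSig
	}
	if err := json.Unmarshal(o.ManifestJSON, &m); err != nil {
		return m, err
	}
	if sum := sha256.Sum256(o.Payload); !bytes.Equal(sum[:], m.SHA256) {
		return m, ErrBadHash
	}
	if m.Version <= installed {
		return m, ErrRollback // a mirror replaying an old, genuinely signed release
	}
	return m, nil
}

// Demo runs a client on version 101 against four constructed mirrors.
func Demo() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	good := Publish(priv, 102, []byte("update 102"))
	tampered, forged := good, good
	tampered.Payload = []byte("update 102, modified by the mirror")
	forged.ManifestJSON = bytes.Replace(good.ManifestJSON, []byte("102"), []byte("999"), 1)
	offers := map[string]Offer{ // hypothetical mirror names
		"mirror-a.example": tampered,
		"mirror-b.example": forged,
		"mirror-c.example": Publish(priv, 100, []byte("update 100")),
		"mirror-d.example": good,
	}
	results := map[string]error{}
	for host, o := range offers {
		_, results[host] = Verify(pub, 101, o)
	}
	return results
}

func main() {
	for host, err := range Demo() {
		fmt.Printf("%s: %v\n", host, err)
	}
}
```

The signature protects integrity only; whichever mirror is contacted still sees the client's IP address, which is the residual exposure the comment acknowledges.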
What part of Mozilla's behavior makes you assume they don't? It's easy to come up with some dubious internal justification to store IPs (like to determine where to focus internationalization efforts).
It's not even internal justification, it's just plainly the default for practically any web server that does logging. You would have to go out of your way to disable it.
Yeah, it definitely is. But that doesn't automatically mean they actually did it.
"Best practices" are moot unless they're implemented, and since the default is to log these things, then something (even a blog post from them claiming it's been done) has to exist to show it's there and doing the right thing.
They had to serve you the file, for which they needed your IP. If they're willing to assign each downloaded client a unique ID what are the odds they are not storing the IP address associated with that unique ID?
Why would they need installer IDs? The question is if they collect it, not if they need it, and all their other behavior suggests that they do collect it.
They can probably reach the same conclusions about why there might be more installs than downloads by thinking about it for maybe 5 seconds instead of tracking people.
Easiest explanation off the top of my head, without reading the article, would be IT departments including Firefox in their base image they use on all their standard issue computers, resulting in hundreds and possibly thousands of different installs having the same download ID. That alone by itself would cause an absolutely massive discrepancy between download and install numbers. My company includes Firefox in our base image and it's on at least 200,000 different laptops and desktops, with a handful of different download IDs between them depending on when they got issued the computer.
You seem to be unaware that intelligence services have been hoovering up internet traffic wholesale for decades, and that telcos do it internally as well. Verizon's "supercookie" is a great example.
On the other hand, if intelligence agencies are personally targeting you it's already over. This might help them, but even they can probably get everything they need on you with way less effort.
Are you suggesting in good faith that Mozilla would implement and transmit a unique ID without linking you to your download session? I've never come so close to breaking hacker news etiquette.
It's possible that they are tracking how many times an installer gets used without violating your privacy. Installers can be shared online or you can install it on someone else's computer. It's not like they are specific to a person.
They promote their product by claiming that it protects people's privacy. They do something that can be reasonably interpreted as tracking (which it is, whether it is download/installation tracking as they claim, or user tracking as some people claim).
For the most part, privacy is based upon trust. Trust is earned. You don't earn trust by doing things behind people's backs or claiming that they are technically telling the truth.