In a similar vein, I'd appreciate it if Mozilla would stop using updates to Firefox as a mechanism to re-enable misfeatures I've explicitly disabled like Pocket integration and the "recommend X feature|extension while you are browsing but don't forget we totally respect your privacy!" settings. :-/
On the other hand, Firefox does respect locked preferences after update. Debian sets both app.update.enabled and toolkit.telemetry.enabled locked to false.
I may be mistaken about their revenue model, but I think it’s actually costing them money because they bought the company behind Pocket and they don’t seem to monetize the feature in any way.
My understanding is that they are using the Pocket organization as a way of managing the ads they now show by default on the new tab page. They call this "recommended by pocket". I don't know if it currently makes any money, but showing ads on every new tab opened in their browser certainly has the potential to.
I eventually disabled Recommended by Pocket on my new tab screen because the recommendations were typically clickbaity and being on the new tab screen, it would many times divert me from whatever more important original action I meant to take.
The creators probably had good intentions, but Recommended by Pocket seems almost like a dark pattern.
It's a tool I have perfectly good alternatives for I already use that keeps using screen and menu space in my browser. I.e. why does my context menu have a "save to pocket" option despite me not being signed up for it, that I only ever will click accidentally? I don't mind there being a Pocket integration in Firefox, I somewhat mind it getting in the way if I don't want to use it.
The fact that there's both optin=bool and optout=bool suggests how it could be a dumb mistake, like there are competing opt-in mechanisms and the Firefox Send marketing email reads from optin (new) instead of optout (legacy) or something like that.
Some of the comments here remind me of when my users think everything is deliberately implemented and if something doesn't work perfectly, it's because I'm incompetent/malicious and designed it that way when it's just a bug or oversight.
What a power move on Mozilla's part... "No, YOU'RE spamming US." And then they add insult to injury, directing you to read about how their server should be configured... classic
> A year ago I reported a security issue in Mozilla Basket (not publicly accessible). The essence is that subscribing anybody to Mozilla’s newsletters is trivial
I don’t see how signing someone up to a newsletter is a security vulnerability.
So they emailed you about a new service; shrug. Of all the "spam" you could possibly receive this is by far the most useful.
What is it with all Firefox/Mozilla hating as of late? They don't seem to be able to do anything right in the eyes of some people, and seem to be held to a ridiculously high standard (far higher than anyone else).
When I opt out (or never opted in) and am still sent promotional material, it is an explicit message that the company disrespects me. Responding to that with shrug is layering more disrespect on top of it. Disrespect for users is a cardinal sin, and quickly reaches unforgivable levels if left unchecked. It is simply incorrect that this is an issue of bias against Mozilla. Other companies behaving worse doesn't make it acceptable - in fact, Mozilla's image of being "better" makes these kinds of infractions worse.
I'd argue they're merging into the same thing for certain products with frequent releases. Things like VS code get free marketing every month with their release announcements hitting the front page of HN, reddit and the like.
They are held to a higher standard because the alternative Chrome is as bad as it gets in terms of usability and utilizing sneaky ways to subvert privacy. The sneakiness is not necessarily malicious - it is driven by Google's revenue model.
Firefox remains configurable and privacy-enabling to a large extent, but it is becoming harder and harder, especially for non-technical folks, to realize that default Firefox settings are not necessarily user or privacy friendly. See the ruckus last year about defaulting to Cloudflare's DNS servers.
If your primary point is "We're the ethical ones fighting for the good", people will hold you to that.
While I generally think there's lots of overblown criticism of Mozilla and that Mozilla is still far ahead of the others in these regards overall, it's worrisome that they get basics like this wrong.
I'm going to wager that it's because Firefox has devolved into a Chrome wannabe that you suffer through for ideological reasons and little else. XUL addons were the reason to use Firefox; it's an otherwise mediocre browser that gets trounced by Chrome in every conceivable way but privacy (and even that might not be a guarantee). Mozilla started to get really into the whole ethics and responsibility arena around the same time they deprecated XUL, and them trying to act like they could do anything after giving their core competency a death sentence left a bad taste in a lot of people's mouths, mine included. I say this all as somebody who has used Firefox for almost my entire life, and will continue to use Waterfox until the wheels fall off the bus. The best thing that can happen to Firefox now is for it to dwindle into irrelevance and disappear so that people can see that good intentions don't make up for choosing to create the inferior product.
Mozilla is ethically compromised at the highest levels. They’ve made a shift over the last few years from a scrappy, low-rent, nonprofit dedicated to helping the web to just another data mining tech company. Just try setting your Firefox browser to a blank page with no requests on startup and watching the Wireshark log if you think otherwise.
> Just try setting your Firefox browser to a blank page with no requests on startup and watching the Wireshark log if you think otherwise
OK, so I just did this, and I don't really see what the issue is. Looking at Wireshark, I see requests for:
* detectportal.firefox.com, which is used to detect whether you're connected to a captive portal network and need to sign in before you can connect to the internet. As far as I'm aware, no personal information is transmitted as part of this request, and there's apparently a pref to disable it [0]
* A couple of requests for OCSP certificate validation [1], which seems like a useful feature, and is also pretty easy to disable if you really don't want it.
* A request to download.mozilla.org and another one to download.cdn.mozilla.net, which looks like it's checking whether an update is available.
You seriously don't have an issue with being fingerprinted and tracked every single time you open an application on your computer?
The point is that there should be zero. I should not have a single outgoing network request triggered by opening a web browser to a blank page until interacting in some way. The fact that we've lost this as a standard is terrifying to me.
The whole point of Firefox _is_ to make network requests. All of the features above aren't leaking your user data or fingerprinting you, they're assisting you in what the application's purpose is... to make network requests. Not to mention Firefox is an open-source project, so you could go look at all the network communication it makes when it starts up. All of these options are configurable anyways.
I think you're looking in the wrong direction. Try the closed-source (or partial closed source) operating systems you interact with on a daily basis: Windows, Android, macOS, iOS - that's where you'll find the "fingerprinted and tracked every single time you open" sort of thing you speak of. :)
Every one of the requests that 43920 listed is a request in service of you, the user. The first is to detect captive portals, which is something you'll find very important if you're behind a captive portal. The second is for OCSP certificate validation, which helps ensure your safety while browsing. The third is checking for updates, which again is for your benefit.
> All of the features above aren't leaking your user data or fingerprinting you, they're assisting you in what the application's purpose is... to make network requests.
And you can prove this how?
All I'm saying is think twice before blindly trusting a tech company, because Mozilla is no longer the fun and friendly company we once knew. They are very much a rank and file data mining company now, generating tons of cash, and being infiltrated by CEO and marketing types.
How often do you open a web browser to then not interact with it? Does it make a meaningful difference if it instead slows down the first request triggered by you to make the captive portal and OCSP checks, and moves the update request to a random time?
Honestly you sound paranoid. What if a dev wants to add instrumentation to make sure a page is loaded? What if you have some weird OS version, CPU, or kernel that might crash 1% of app opens?
A web page is not an app. It is a sandboxed rendered template that should not be able to crash due to a web page nor care about what OS, CPU or kernel the user is running. If a user wants to give that information away, then they should be prompted.
Yeah, portal checking and update checking are surely things 99% of people appreciate.
Captive portal popup seems like an obvious UX improvement for 99% of people. I wonder how many people on HN even know how to trigger it if the browser didn't try to do it for you.
Update checking and over the air updates make obvious sense to me given that my mother and girlfriend will click "Remind me tomorrow" for years on the macOS update popup, and there's nothing user-friendly about making it so easy for users to use old browser versions.
The rare user can turn both off if they want, so what's the big deal?
I think Mozilla's leadership honestly tries to be ethical, but their frame of reference is marketing. They seemingly think tactics that are only moderately scummy instead of flagrantly scummy represent a pro-user revolution.
The hell of it is that with the way ad tech has eaten the web, I'm not sure they're wrong.
New Knowledge is the organization that set up a fake Russian botnet, and then tried to push a narrative about how the Republican candidate in an Alabama Senate race was being assisted by this "Russian election interference"... anybody involved with that organization is a scumbag - it has zero redeeming qualities. Renee has been making the rounds lately on YouTube, informing everyone about how much of a threat these operations are (not her organization's fabricated ops, the totally real ones). I haven't yet found the prime mover in this, but her activities are well aligned with those of the DoD ratcheting up the scaremongering about the (according to them) active Chinese operations against the US population. So there is a pretty strong push for further internet lockdown measures being made right now by these people - and Mozilla is associated. At this point I would not be at all surprised to hear Mozilla announce RealID browser integration.
I hadn't heard of this before, so I just dug up the original NYT story.
At least one person from New Knowledge was involved in a small experiment designed to explore how the sorts of tactics used by the Russians worked, which attempted to convince Republicans that Mr. Moore was receiving Russian help, but it was designed to be too small to actually affect the outcome of the election (as the goal was to explore how the tactics worked, not to produce any effect). This is a little shady, but as long as it didn't actually affect the outcome I see no harm in a group of people trying to better understand how the Russian social media tactics work.
First of all, the story has actually changed a couple of times. So if you really want to understand the timeline - you are going to need to refer to archives of those articles. Second, the "small experiment" had a budget of at least $100k that they are willing to admit to - traceable money that flowed through people related to the USDS and DoJ. You know that Obama repealed the ban on domestic propaganda before he left office, right? I couldn't tell you the number of times a counter-intel op leaked into domestic media (PopSci was really bad about it) - and months of work would instantly go up in smoke as the operation got scuttled, it makes me sick thinking that is no longer the case. New Knowledge's objective was to deceive voters. That is damage that can't be undone, they even tricked the media (a disappointingly easy task) into spreading the lie.
If you can't see something very wrong with this, well you'll be just fine in cold-war 2.0 - we can pick up where we left off in government experimentation on an unwitting public. MKULTRA 2 electricboogaloo. I'm sure it's been a while since we updated our nuclear/biological/chemical weapons models... so long as it doesn't affect the public by a statistically significant amount - we should be fine to resume the 1970s practice of releasing airborne pathogens over major American population centers, doubling the number of deaths in the elderly.
> New Knowledge's objective was to deceive voters.
From reading the article, the group's¹ objective wasn't to deceive voters, it was to research how these tactics worked. Are you suggesting that a single $100k research project was sufficient to alter the course of an election with a $51M advertising budget? As near as I can tell, that's just how the right-wing media is trying to spin it. Certainly if I were to actually try and alter the outcome of an election like this, I'd expect to be spending a lot more than $100k to do so.
That said, I find it hard to believe you're arguing in good faith when you're drawing parallels between a limited spread of misinformation centered around a single event with literally murdering people.
¹Which seems to have involved at least one New Knowledge member but it seems wasn't actually run by New Knowledge.
Good question. Other than Firefox, Webkit/Blink based browsers are pretty much the only thing usable on the modern web without crashing. That leaves ungoogled Chromium, which unless you're compiling it yourself (good luck) means just blindly trusting some random internet person for binaries. There's really no good answer at this point.
Worse: even if the person (or organization) providing the binary is well-meaning, they would need some serious resources (mostly programmers) to provide security updates quickly enough.
The least resource-intensive way to provide attack-resistance near the level provided by Google's Chrome team would probably be to notify the user when a vulnerability is disclosed so that the user can either switch to Chrome or restrict their browsing to safe sites till the binary provider can get a security update out.
I know of no one doing that or providing timely security updates however except Google, possibly Opera, possibly Brave and probably some day soon Microsoft.
I don't think anyone has mentioned Opera yet. Why? It's quite a bit snappier than FF imo, and has extensions like uBlock Origin/HTTPS Everywhere/Privacy Badger available (and the ability to install Chrome extensions).
Edit: I know it's chromium-based, but still wondering!
They collect money on someone's behalf, without that person knowing. It's a scam. It would be like me taking money on behalf of you. Only I wouldn't tell you. And now someone thinks they are paying you by going through me.
Requests like what, updating extensions? Telemetry? There's quite a bit that ships on by default but that can be disabled in about:config. What proof do you have they're data mining besides FUD?