22 votes

Is Firefox still a good (enough) browser for privacy?

Someone posted this on the privacy subreddit. I also ended up finding this and this after doing a bit of searching. As someone who isn’t in the CS/IT spheres (chemical engineering is my background), Firefox has been my go-to browser for a while, although I’m being made aware of the flaws of Firefox (most of which go over my head) and behavior of Mozilla. What can be done to fix this, especially considering that Firefox is the only FOSS browser with a significant user base?

16 comments

  1. [8]
    RNG

    I would say so, it's definitely my browser of choice. I'd add uBlock Origin and Privacy Badger as add-ons, as well as enable them to work in private mode. This is a reasonable enough solution for myself and most folks in my opinion (my background is software/network security.)

    A good one-stop-shop site for privacy information that I recommend to folks is privacytools.io, however some solutions proposed there may be tedious and a bit overkill for your specific threat model.

    23 votes
    1. [6]
      lionirdeadman

      I would say so, it's definitely my browser of choice. I'd add uBlock Origin and Privacy Badger as add-ons, as well as enable them to work in private mode.

      I'd personally actually disable them in private to look as much like any other Firefox browser as possible unless the goal is simply to remove ads then fair enough.

      5 votes
      1. RNG

        For a regular user, the domains blocked by uBlock Origin will always provide a better privacy increase than allowing these domains to load their code. I just don't see where allowing all those ad networks to load their js is worth it to slightly decrease chances of fingerprinting.

        In fact, I'd go as far as to say that having uBlock Origin is always better unless one is disabling Javascript entirely, which is simply unreasonable for most users. Unless you are a dissident in Saudi Arabia, a drug lord, or a whistleblower, I don't see the value here.

        18 votes
      2. [4]
        cfabbro
        (edited )

        Is browser fingerprinting honestly that much of a concern for you when private browsing? Because at least for me, I don't use the private browsing feature to avoid the threat of external tracking (any more than I already try to avoid that anyways), but more as a means of avoiding having certain things show up in my own browser history. ;)

        5 votes
        1. [3]
          lionirdeadman

          Well, that's true, hahaha. It's just that I don't also really see a benefit in having these extensions when it's ephemeral in the first place, I guess?

          3 votes
          1. [2]
            cfabbro
            (edited )

            I can't speak for @RNG, but I personally keep a bunch of my extensions enabled in private browsing because fingerprinting is not really that much of a concern to me, and ads are annoying as fuck and I hate seeing them under almost any circumstances. And while I don't personally use Privacy Badger, I do use uMatrix (which I also keep enabled in private browsing), since I prefer to have more control over what Javascript runs on my browser.

            5 votes
            1. Parameter

              I keep them enabled in private browsing because there might be an 'escalation to private browsing mode bug' that could potentially be exploited to launch a new private window with no protection against JavaScript exploits or any other.

              I never use private mode though.

              2 votes
    2. sron

      You could also disable third party cookies:

      Options > Privacy & Security > Select Custom > Select All third-party cookies

      Despite not mentioning them in the list it still blocks social media trackers like in Strict mode.

      There is an HTTPS only mode there too right at the bottom.

      3 votes
  2. vord

    In a world dominated by Chrome and Chrome derivatives, Firefox stands as the lone guard against full monopolization of the browser market.

    Since other browsers are even more heavily dependent on Google, one of the least privacy conscious companies, Firefox is better by default.

    Because unless people are willing to hard-fork Chromium in order to stop Google's slow transition away from end-user empowerment, using Chromium will strengthen Google's power.

    18 votes
  3. [2]
    petrichor

    Firefox isn't particularly any better or any worse than its competitors in most departments. Comprehensive extension options always outweigh browser-specific features or capabilities, and there's a thriving ecosystem around both major players. Telemetry is perhaps the biggest differentiator, and what you see groups on reddit dot com and twitter dot com regularly flip out over - in this regard, Firefox is clearly the better option, collecting much less data than Chromium by default and providing user-facing options to opt out of all data collection.

    You also hear much more about the flaws of Mozilla and Firefox because they're always held (perhaps unfairly) to a much higher standard than Google. The first Reddit link is a good example of telemetry-related FUD that seems to circle around, and although the Neocities article has some true points, it does mix them in with fiery rhetoric and certain controversial design decisions in an attempt to make Firefox look unfairly bad.

    reddit dot com fud in depth

    The user from the Reddit post doesn't seem to understand that each and every one of the "tracking" domains they mentioned are tied to optional features within Firefox, that can be turned off by merit of being optional.

    locprod2-elb-us-west-2.prod.mozaws.net - Firefox's update service. Trivial to disable when compiling (ac_add_options --disable-updater), and IIRC disableable in either Preferences or about:config as well.
    location.services.mozilla.com - Firefox's location service. The poster mentioned they know it can be turned off, but decided to include it as a "tracking domain" anyway.
    android-safebrowsing.google.com / safebrowsing.googleapis.com - Safe Browsing, or the "Deceptive Content and Dangerous Software Protection" setting. I'd be willing to bet the poster didn't realize these are from the "Deceptive Content and Dangerous Software Protection" setting, and have them turned on. Regardless, Firefox's behavior here is actually quite privacy-respecting - it pulls an updated list of URLs from the previous links every so often, and checks against it locally.
    mozilla.cloudflare-dns.com - DNS over HTTPS. Although I don't know if what the author says about Firefox still pinging this while using an alternate DNS provider is true, it doesn't change that it can be completely disabled regardless.

    The Wikipedia article linked is also misleading. Chromium, the FOSS backbone of Chrome, has perhaps a larger user base than Firefox, but isn't mentioned at all / distinguished from Google Chrome.

    16 votes
    1. nukeman

      Thanks for your thoughts.

      The Neocities link is definitely... interesting. They seem to make some legitimate points (most of which are going over my head), but it does come off as being “cranky old dev who hates the post 1995 internet,” which isn’t exactly helpful to non-devs (like me).

      Regarding the wiki link, I personally wouldn’t separate Chromium from Chrome, seeing as the top browsers built on Chromium are all proprietary. I’m also hesitant when considering Google ultimately controls it.

      6 votes
  4. [2]
    Comment deleted by author
    1. nukeman

      I did mean privacy, mostly referring to what the OP in the first link identifies as data being utilized by FF and OP having issues with it, along with perceiving r/Privacy to be a bit of a hive mind on supporting Firefox. Personally, I think it is fine, if not perfect, and it’s basically the only representation of decent-privacy FOSS software to almost anyone not in the CS/IT sphere, in spite of a decreasing market share.

      6 votes
  5. [4]
    feigneddork
    (edited )

    It depends what you mean by privacy.

    For me, when I think of online privacy, I think of online services only collecting the info that is relevant to their service and nothing more. For example, Google collecting information about what searches I perform as I type my queries into Google I can understand. Having Google track my online behaviour with Google Analytics, AMP, and whatnot is what I call overreaching, overbearing, and an invasion of my privacy.

    In this case, I've found that Firefox with uBlock Origin does a decent job at stopping a good deal of that privacy invasion. Out of the box, it blocks a lot of Javascript and web browser defaults (like preloading) and you can configure it to go even further. Hell, you can flat out tell it to disable JS, images, fonts, all sorts on websites without any additional extra plugins. Not only that, but Firefox isn't in the data broker business and have built their brand on privacy first, so it would be foolish of them to start being invasive with my data as I go about the internet. I cannot say the same with Google Chrome or even Microsoft's Edge browser (as good as it is). Brave browser is made by an ad company, so no doubt they don't really care that much about privacy - at least not as much as Mozilla.

    However, there's that other kind of privacy that other people online talk about. Not being tracked whatsoever, not leaving a trail, etc. To me at least, that's just a laughable idea - the fact that I went online and typed "www.tildes.net" meant that connections to a good few servers had to happen for the browser to even understand where that points to (DNS) and then going to Tildes, which exposes my IP address (and my IP address pretty much exposes the town where I live). Online smartypants might go "well just unplug and replug in your modem lololol" but the problem with that is that my ISP already knows I've visited Tildes and very likely keeps record logs of which customer with which IP went to whatever website. Use a VPN? All I've done is offloaded that information from my ISP to a private company. And to me, the privacy subreddit has this sort of tinfoil-hat conspiracy like thinking which is pretty dangerous if unchecked.

    Now true, Mozilla does have things like Google search as default and it will send websites to Google's Safe Browsing service. Some people will see that as a "betrayal" of Mozilla. But if you realise Mozilla has to cater to the general public as well as techies, then having that service set as on as default while allowing it to be turned off in the about:config is a good compromise - their users are less likely to get phished when they go to www.paypal.com-realwebsite.org or whatever, and techies who know better can turn that off. The only other browser that I know that is equal or better than Firefox is Safari, but for me it has too many compromises to be of use (mac only, and extensions are a nightmare).

    Turns out the above isn't even true thanks to @dblohm7's linked article. Only the download gets sent to Google, and only in very specific examples (i.e. when all possible options have been exhausted). The article goes to show how much Firefox takes privacy into consideration, so I'd say read that, as that should tell you how much Mozilla takes privacy seriously.

    It's all about moderation and being sensible, really. Nothing you do online is untraceable, but you can do your best to avoid being tracked and traced by private data broker companies who just want to pilfer through your data to make $$$ off you.

    6 votes
    1. [2]
      dblohm7
      • Exemplary

      it will send websites to Google's Safe Browsing service

      Firefox does not send websites to Google for SafeBrowsing. The former maintainer of Firefox’s SafeBrowsing code wrote about this in his blog.

      I’ll quote here:

      One of the most persistent misunderstandings about Safe Browsing is the idea that the browser needs to send all visited URLs to Google in order to verify whether or not they are safe.

      One of our biggest headaches with respect to Firefox and privacy is that too many commentators make and spread incorrect assumptions about how things work. Please do not fuel the misinformation machine!

      9 votes
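
Added example, not part of any comment in this thread and not Firefox's code: a simplified Python sketch of the local Safe Browsing check discussed above, in which the client holds only truncated SHA-256 hash prefixes and sends a prefix, never the URL, when one matches. The class and function names, the simplified host/path rule (no URL canonicalization) and the `.example` domain are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 hash kept in the local list

def lookup_expressions(url):
    """Host-suffix/path-prefix strings to test for one URL (simplified rule)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    hosts = [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]
    segs = [s for s in parts.path.split("/") if s]
    paths = ["/"] + ["/" + "/".join(segs[:i]) + "/" for i in range(1, len(segs))]
    if segs:
        paths.append(parts.path)
    return [h + p for h in hosts for p in paths]

def full_hash(expr):
    return hashlib.sha256(expr.encode()).digest()

class LocalList:
    def __init__(self, listed):
        # A list update delivers only truncated hashes, never readable URLs.
        self.prefixes = {full_hash(e)[:PREFIX_LEN] for e in listed}
        self.sent = []  # log of everything that would leave the machine

    def check(self, url, ask_server):
        hits = [e for e in lookup_expressions(url)
                if full_hash(e)[:PREFIX_LEN] in self.prefixes]
        if not hits:
            return "clean: decided locally"
        for e in hits:
            p = full_hash(e)[:PREFIX_LEN]
            self.sent.append(p.hex())  # the prefix goes out, not the URL
            if full_hash(e) in ask_server(p):
                return "blocked"
        return "clean: prefix collision"

# Constructed blocklist entry and a stand-in for the full-hash endpoint.
LISTED = ["com-realwebsite.example/"]

def fake_server(p):
    return {full_hash(e) for e in LISTED if full_hash(e)[:PREFIX_LEN] == p}

if __name__ == "__main__":
    db = LocalList(LISTED)
    for u in ("https://tildes.net/~tech",
              "http://www.paypal.com-realwebsite.example/login"):
        print(u, "->", db.check(u, fake_server), "| sent:", db.sent)
```

For the first URL the `sent` log stays empty; for the second it holds a single 8-hex-character prefix, which many unrelated URLs could share.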
      1. feigneddork

        Thanks for this comment. I've updated my post accordingly.

        2 votes
    2. nukeman

      Thanks for your thoughts. I agree that Firefox is the best for most people, and while there needs to be concerted pressure on Mozilla to remain true to themselves, I believe it is the best browser we have to normalize privacy outside the CS/IT-sphere.

      3 votes