Firefox is malware?

Posting in an inactive/dead topic. What is deemed inactive or dead varies between forums, along with enforcement, if any. For example, here is the relevant rule in the Lock Picking 101 Forum topic:

Lock Picking 101 Forum • How to Pick Locks, Locksport, Locksmithing, Locks, Lock Picks.

Other similar terms are gravedigging and resurrecting.

3 Likes

I like this metaphorical term!

3 Likes

So I haven’t personally used Librewolf but I found myself reading one of their GitHub issues that was linked a while back. The users on this forum were discussing how you can IP trace that Firefox was connecting to a node in Google Cloud whenever it opened, and leaving the connection open until Firefox closes - for the lifetime of the process - even if we do not visit any Google-based website.

And in the context of that discussion, there was this GitHub issue linked where someone confronted the Librewolf developer about it, and asked why they do not remove this constant connection to Google Cloud that opens before we visit any site, to make Librewolf better than Firefox for privacy, so we’re not essentially telling Google metadata about whenever we use the browser.

And the developer got kind of hostile about this. He was saying that anybody who doesn’t want to connect to Google in this way is an idiot who doesn’t know what they’re talking about, and who doesn’t understand that we connect to many things in many ways for our technology to operate and therefore nothing matters and these details don’t matter.

The way it was written seemed so flagrantly contrary to how I would want to approach the problem that I honestly wondered if whoever this “Librewolf dev” was, if perhaps he was under duress from the U.S. government, forced to say what he was saying, because from a distance it felt like it didn’t make any sense.

Does not - at all - make me want to use Librewolf, though.

1 Like

I have been hearing about LibreWolf for many years but i have never been interested in trying it and to the date from today i have never tried it as it looks like a “Libre” Opensource Honeypot.
Personally when i see phrases like Open Source or FLOSS in Software/Programmers it is a Red Flag(warning) for me.

1 Like

Citation:

The LibreWolf team mirrored the (now archived) GitLab repository issues to Codeberg using a bot. The Codeberg issue itself is still open.

7 Likes

?Possibly a reference to: Firefox search by default - #10 by irvinewade and that topic in general.

My goal in that specific post in that topic is that, for example, if I type “dog” in the Address bar, nothing will be sent to the internet -

  • not a search for “dog” (whether that search is handled by Google or Bing or anyone else) and
  • not a DNS lookup involving various attempts to make “dog” into the likely intended fully qualified domain name.

The only thing that will happen is that it will ask my local DNS server to resolve “dog” as a host on the local network (which in my case will fail, there isn’t an Internet of Animals yet).

However that assumes that the person is running a local DNS server e.g. PiHole. Without that, a single DNS lookup (of dog.) may escape to the internet - or another DNS server may apply default suffixes. That is, just because I stopped Firefox applying default suffixes, doesn’t stop a DNS server applying default suffixes elsewhere.

Merely expressing an opinion here: It is requiring more and more settings in about:config to get decent behaviour from Firefox i.e. the defaults are getting further away from what I would consider desirable from a security / privacy point of view - but I understand that what I consider desirable may not align with what anyone else does. It is also possible that I am becoming more knowledgeable about what you can adjust with config settings i.e. that previously I didn’t even know you could, so I just put up with the behaviour.

2 Likes

Right, the current strategy by @arkenfox, @yokoffing, and @pyllyukko is to have users manually configure their overrides.

PS I suspect that feature bloat is also part of the problem here. Each new privacy-risky feature requires a setting to disable it, saying to Firefox that the increase in attack surface outweighs, for me, the benefit of having the feature.

2 Likes

PPS Possibly a better approach to Firefox default settings would be that you can choose between High, Medium and Low security/privacy defaults - and changing the set of defaults would change every individual setting that has not already been overridden explicitly by the user.

So on a brand new computer, I would choose High - and then have to make fewer explicit changes to individual settings before I use the computer.

2 Likes

Firefox already does that for Enhanced Tracking Protection, but what I assume you want is more like how Tor Browser’s Security Level slider works. @pyllyukko’s user.js GitHub repository has two branches for those who prefer a hardened or relaxed configuration:

pyllyukko/user.js - GotHub (on my GotHub instance)

The issue with @pyllyukko’s approach is the maintenance required for each Firefox release.

3 Likes

The answer is using multiple browsers for browser fingerprint isolation. I use google chrome for google accounts, facebook logins, and other big tech accounts. I use brave browser for other persistent logins. I use librewolf for temporary logins. I use yet another browser for simple searching without login. I also use hardened firefox when librewolf doesn’t work well. I use tor browser for circumventing VPN censorship or geographical censorship. Use ad blockers in browsers that support ad blockers.

Combine browser fingerprint isolation with VPN. Even if VPN servers are watched by ISP, traffic timing analysis is going to be an expensive manual targeted attack that requires human brain, and the destination websites will not know your real IP address. If you physically roam on mobile networks, then you don’t need VPN because mobile networks are like VPNs.

Sandbox web browsers in firejail or apparmor. Firejail is easy. Web browsers are going to execute arbitrary untrusted remote javascript code. Some people criticize firejail for being a relatively large SUID binary, but its threat model is preventing user applications from having full user rights which are essentially root. firejail is also not much larger than ping which is another SUID binary.

Bubblewrap is smaller than firejail and is not a SUID binary, but it can’t choose a network namespace or do other privileged operations because it is not SUID.

3 Likes

Librewolf has been great for me for opening something like a link from an email.

2 Likes

It’s weird that this thread was forked from a reply on one of my posts, and now it looks like I took the bait and weighed in on this topic out of nowhere… not quite my style.

But yes, I agree. Can’t just believe everything you hear – and I haven’t really seen anything to give me reason to believe Firefox is doing things that I wouldn’t be happy about. Even the woke comment, was just something I heard and don’t know first-hand. I couldn’t name a thing they’ve done that could be considered woke.

I was more so being polite and replying to someone on a post I made. Wasn’t trying to open any doors!

1 Like

Firefox tracks you with “privacy preserving” features

Mozilla for quietly enabling a supposed “privacy feature” (called Privacy Preserving Attribution) in its Firefox browser. Contrary to its reassuring name, this technology allows Firefox to track user behaviour on websites. In essence, the browser is now controlling the tracking, rather than individual websites. While this might be an improvement compared to even more invasive cookie tracking, the company never asked its users if they wanted to enable it. Instead, Mozilla decided to turn it 0n by default once people installed a recent software update. This is particularly worrying because Mozilla generally has a reputation for being a privacy-friendly alternative when most other browsers are based on Googles Chromium.

Firefox follows Google? With a recent Firefox v128+ update, Mozilla seems to have taken a leaf out of Googles playbook: without directly telling its users, the company has secretly enabled a so-called “Privacy Preserving Attribution” (PPA) feature. Similar to ‘Googles Privacy Sandbox’, this turned the browser into a tracking tool for websites. The idea: instead of placing traditional tracking cookies, websites have to ask Firefox to store information about peoples ad interactions in order to receive the bundled data of multiple users.

Less invasive is still invasive. In this sense, Mozilla claims that the development of “privacy preserving attribution” improves user privacy by allowing ad performance to be measured without individual websites collecting personal data. In reality, part of the tracking is now done directly in Firefox. While this may be less invasive than unlimited tracking, which is still the norm in the US, it still interferes with user rights under the EUs GDPR. In reality, this tracking option doesnt replace cookies either, but is simply an alternative way for websites to target advertising.

Tracking by default, no information. To make matters worse, Mozilla has turned 0n its “privacy preserving attribution” by default. Users have not been informed about this move, nor have they been asked for their consent to be tracked by Firefox. The feature isnt even mentioned in Mozillas data protection policies. The only way for users to turn it 0ff is to find the opt-out function in a sub-menu of the browsers settings.

Time to go for Ladybird Browser

5 Likes

Directly related topic:

2 Likes

Strangely, that setting is “off” and “greyed out” for me i.e. I can’t even turn it on (not that I want to).

I wonder if there’s more to the story here.

2 Likes

Calling firefox a malware is a bit misleading.

Malware includes viruses which firefox is not.

Better call it a spyware. Thanks for letting me know that mozilla wants to make firefox track users and then shape their behavior based on tracking data.

User tracking is usually done to understand users and then shape their behaviors. It’s about social engineering. If you don’t understand users, you can’t shape their minds through targeted solicitations.

Youtube recommended videos are based on tracking data. Search results might also be based on tracking data.

I still use firefox among many other browsers because I want to implement browser isolation. My firefox is hardened enough.

1 Like

If you are using upstream mobile-config-firefox, their policies.json has changed the value to false and marked the status as locked:

postmarketOS has since archived that GitLab repository.

I was a bit aggressive, but it may falls into the Malware category already.

1 Like

No, sorry, this is Firefox 131 on a desktop and I don’t have that package. I’ll have to look more closely.


Update:

It’s an interaction with

Firefox Data Collection and Use
☐ Allow Firefox to send technical and interaction data to Mozilla

Once you turn that off, it also turns off and locks

Website Advertising Preferences
☐ Allow websites to perform privacy-preserving ad measurement

3 Likes