More Proof Firefox is Bad

… and with the address bar being a de facto search bar, being the default search engine means being involved in potentially every navigation via the address bar.

Completely agree. I pointed this out with my first post in this thread ( More Proof Firefox is Bad - #2 by Privacy2 ) … when I said “I don’t like the fact that the URL line is confused with the Search line. But given that it is, …”.

It’s not a complaint I would have thought I would hear from a Librem 5 owner! . Fortunately, one can always revert to default settings ( Configuration Editor for Firefox | Firefox Help ). Or, as I explained, one can always use an extension like noscript (it seems that half the time, extensions are there mainly to manage configuration settings). In replying, I did wonder whether the complaint was serious or was for some other reason.

It’s a good question. I will say that I feel more comfortable with the transparency from a non-profit like the Mozilla Foundation (here are their Board Meeting slides Board - MozillaWiki ) than I get from a for-profit company like Purism (they are far from transparent IMO).

This article address that. Firefox Suggest for Mobile | Mozilla Support . Note that, at least on roll-out, the default is on for firefox-mobile in the US. Look at “What Settings are On By Default”.

I don’t disagree that “defaults matter” and that more broadly it’s known as “Nudge Theory”. Nudge theory - Wikipedia . The point of FOSS is that in regard to Firefox on PureOS, the blame for defaults is not Mozilla … and certainly not Google. Heck, with this default setting, I even see this as an attempt to diversify their revenue away from Google.

Yes. This is important. It’s why I don’t usually use the URL+search bar for anything except URL’s. If I’m going to search, I bring up the URL of my preferred search engine (e.g. duckduckgo.com, google.com, bing.com, search.brave.com, …).

Hi weirdnerd,

firefox and other products of daily computer usage, need to be ideal for the mainstream. Firefox itself have the ability to be easy to adjust with privacy features. And because of this the tor browser is based on firefox instead of chrome. However Firefox itself uses parts of Chrome or other web-engines too. This is because a Browser is as complex as a Operating System to support all kind of Web-Pages.

I like the approach to grep some Web-Pages by curl, wget and try to build yourself a script, which extract your information from your target and do not deliver privacy information about using a phone, a web Browser or some Application of third Parties (like Apps on usual Smartphones).

For Video you can use some Video-Downloading tools or Podcast.

Back to Firefox: In Germany we have the Privacy Handbook, its only in German available i think and not translated yet. But the most switches via about:config listed there are easy to understand, or the english howto about the internet, what something do is well documented.

If you like to have privacy you should edit your Firefox on you Librem5.

https://www.privacy-handbuch.de/handbuch_21u.htm

Hope this will help you a little on your journey further.

I do not like third-parties to examine every keystroke i done in some url bar. So i use just the terminal and bookmarks (mostly).

Yes, Mozilla sucks. But giving in to a chromium-only world is even worse.

If only a mobile-config-firefox project that fixed a few bad defaults existed… oh, wait, it exists!

Quoting from the readme:

What this config does

• Adapt UI elements and “about:” pages to small screen sizes (when opened on small screen)
• Enable mobile gestures
• Privacy tweaks:
  • Disable search suggestions
  • Disable Firefox studies
  • Disable Telemetry
  • Set DuckDuckGo as default search engine, remove other search engines except for Wikipedia (only works in Firefox ESR, limitation of policies.json)
• Install uBlock origin by default (why?)
• Uncluttering:
  • Disable built-in advertisements (e.g. hardcoded links for certain social media sites on the start page)
  • Disable “User Messaging” about new features etc.

To easily install it, I recommend having git and make installed.
After that it’s just

git clone https://gitlab.com/postmarketOS/mobile-config-firefox.git
cd mobile-config-firefox
make
sudo make install

Enjoy!

Disclosure: I have contributed to mobile-config-firefox and aim to keep doing so

@user0 has a Codeberg repository for that:

Thread:

I am becoming less and less convinced of any meaningful ethical or competitive distinction between firefox and chromium… but I hope you’re right.

EDIT: thanks for the tip about building firefox-mobile-config from source. I believe that I am using that from PureOS, but I imagine it isn’t too recent.

To get a “working” browser, yes, but I think we’ve already established that the default settings are unsatisfactory from a privacy point of view - which
a) would mean that reverting to default settings would only be one step along the way back to a working browser, and
b) is why I keep notes about what Firefox settings I change (for both the scenario of after having gone back to default settings / using a completely new profile and for the scenario of setting up a new computer).

We 100% know that the blame for what is the default search engine is on Google, and on Mozilla for agreeing to that (but I can see that Mozilla doesn’t really have an alternative). As for any other defaults … the more we find out, the more further suspicion falls on Google / Mozilla - and there really isn’t much transparency on how the defaults are chosen.

You may be implying that a distro is free to alter the defaults before distributing Firefox. However that comes with a cost, for a range of reasons.

(I’m not too worried about “noscript”. IMO that ship has sailed. Even some web sites that I have myself written use Javascript, although I try to keep that to inessential functionality so that the site degrades gracefully if all JS gets ignored.)

Or: enable the search bar. That’s what I do. Address bar: only for addresses. Search bar: only for searches (using the search engine that I configure as the default - although the search bar does readily allow you to override the default search engine on a per-search basis). This approach works on a decent sized screen.

I disagree. Mozilla is only to blame for the copies of Firefox that they distribute.

Given that defaults can be changed by the whoever distributes Firefox … and, in the case of the OP, this was distributed as part of PureOS, the blame is with Purism.

As you see, that’s exactly what I was implying. But, keeping in mind that Purism has written about “the power of defaults”, please tell me what costs and range of reasons would override that sentiment.

Or: enable the search bar. That’s what I do. Address bar: only for addresses. Search bar: only for searches (using the search engine that I configure as the default - although the search bar does readily allow you to override the default search engine on a per-search basis). This approach works on a decent sized screen.

I’m not sure what firefox you use, but I have the search bar enabled (I think it’s the default) and AFAIU firefox still will filter (and/or save search parameters in its history). The only certain way to not have firefox filter is to type the search into your search engine’s https page. Similarly the address bar will do a search if it doesn’t find a valid address (unless you explicitly preface with https:// or some such URI qualifier).

Regarding mobile-config-firefox in PureOS: Yes, it’s outdated, and very heavily patched/less opinionated: debian/patches · pureos/byzantium · Librem5 / debs / firefox-esr-mobile-config · GitLab

{That said, the entire removal of Google will likely be reconsidered, the reason for that can be found in the latest episode of the postmarketOS podcast (TL;DR: duckduckgo is blocked in countries where Google is not))

@FranklyFlawless: Thanks for mentioning @user0 's excellent fork. It’s worth giving it a try - after cloning her repo and changing into the directory (before running make), make sure to change to the correct branch:

git checkout fenix

My first post in this topic (#15) links to a topic where I think we have got that under control. The goal is: address bar only for addresses. What you type is exactly what you get as a URL and only as a URL.

Yes, it still saves search strings in a history and matches against those searches and therefore offers to repeat those searches.

For my threat model, that is acceptable. (This is quite different from doing autocompletion by uploading the string so far as you type and matching against a central database.)

Maybe there is a way of disabling even that behaviour.

It is easy “enough” to clear out those saved searches (and I do do that periodically) although maybe it should be made easier (e.g. automatic X days after last use).

The thing is … that’s what Purism used to do in order to create Purebrowser, but they found it unsatisfactory e.g. An Epiphany regarding Purebrowser – Purism

I did not read the whole linked thread. However, I have both a search bar and an address bar and:

1. If I type “thisiswhatitis” (no quotes) into the address bar, I get a search.

2. If I type “https://thisiswhatitis” (no quotes) into the address bar, I get an address not found message.

Firefox tells you what it’s going to do before you hit enter … but what is going on is that without the URI formatting (e.g. leading “https://”), while Firefox tries to find an address first, if it isn’t found, it does a search.

If they had just stuck with “distributing firefox with privacy respecting defaults”, it would have been easy. They tried to do more (and bit off more than they could chews) and, somehow, thought it would be better to switch from modified-firefox and move to Epiphany. It is absolutely not difficult to distribute Firefox with different default settings (it’s a couple hundred lines).

If anything, I think this is really an admission that the distributor is responsible for the defaults.

Me too before I made the config changes that I mention in that other post.

Now I get the joy of a local complaint that “thisiswhatitis” does not exist as a host on my network (although most people would instead get an error that DNS lookup on “thisiswhatitis” gave an error, presumably NXDOMAIN). No search occurs at all and, in my case, nothing is sent to the internet. Which is exactly what I want.

I think this illustrates that the sheer number and complexity of config changes that is required to make Firefox private is too high. I can understand that someone would decide that a different base would be a better starting point for a private browser. I concede that the blog post that I linked to is not an in-depth discussion of all the considerations that led to the decision to cease using Firefox.

In my opinion the problem is not exclusively one of the browser. Some privacy problems are inherent in HTTP / HTML. Hence the Back-to-the-Pleistocene movement of the web (Gemini).

This seems like a bad analogy. I have private projects that my employer is not affiliated with. This is clear because what they pay me for specifically has nothing to do with those projects.

If instead my “private project” were receiving revenue, and 80% of that revenue was from my employer to change the default behavior of my “private project,” then the analogy would become much more reasonable.

…

But anyway, that’s not really a concern. Firefox is already solved. All you need to do is type “about:mozilla” into the Firefox URL bar, at which point it will load a page with creepy white text on a red background citing a bible verse from the antichrist bible, informing the user that the Firefox build they are using is a piece of the Beast reproduced in small forms to spread amongst the people. This is not some joke, I’m not typing this out of crazed emotion, that’s just how Firefox actually works.

Eek! Tis true. That’s not something that I was previously aware of. Easter Rotten Egg?

I haven’t seen The Book of Mozilla in about 30 years… forgot that Firefox was keeping the legend of the dragon alive.

That’s kind of scary

I guessing that Firefox may have an Opensource backdoor like XZ from Google Opensource or. However i using 50% Firefox based Browser like Icecat and the other 50% Netsurt as my daily use ATM.

If firefox has a “backdoor like xz” then certainly icecat does too since their codebases are virtually the same (icecat = firefox LTS + scripts to remove branding - non-Free addons). I’ve never tried netsurf.