kirb 38 days ago

This gist misleads in a few ways by being so vague and seems to be more about disabling every somewhat useful feature that sounds bad for tinfoil hat enthusiasts. Still has useful things, like disabling Pocket if you don’t want it and forcing newer TLS versions. Others are silly (disabling things that already ask for your permission, like location), dangerous (disabling Google Safe Browsing), or already exposed in the settings UI anyway (DNT, tracking protection, telemetry). To each their own, use these if you think they’re important to you, but for most people it’s fear-mongering about nothing and enabling a few things in the privacy settings page is sufficient.

  • TAForObvReasons 38 days ago

    > for most people it’s fear-mongering about nothing

    To be fair, a core argument in favor of Firefox is essentially fear-mongering about google and your personal data. It always struck me as odd that actions many people would call "shady" if google does it are condoned in FF because Mozilla.

    • jkolem2 38 days ago

      Mozilla is not the largest advertising company on Earth whose core business is profiling people to package and sell them.

      • SquareWheel 38 days ago

        >whose core business is profiling people to package and sell them

        Do you have any proof of this statement?

        Google is an advertising company. It doesn't make any sense that they would sell your information to other advertising companies.

        Not only does that violate their privacy policy, but it makes no business sense, either.

        • zie 37 days ago

          I think maybe you misunderstood the point here. I agree Google is probably not directly selling your information it gathers to other people but instead is selling access to that information in the form of directed advertising.

          Google's in the business of knowing EVERYTHING they can about you, so they can better sell "you" to their customers (advertisers). You are not a customer of Google, you are their product. Nestle, Exxon, Ford, etc. are the customers of Google.

          • SquareWheel 37 days ago

            That doesn't make a whole lot of sense to me. Google's data is a part of their offering, but that doesn't somehow make me as a person a "product".

            Their products are AdWords and AdSense. These services network customers together who want to 1. make money from ads, and 2. advertise themselves.

            Google mediates this exchange between both parties, and uses data from users to target their ads more accurately.

            Calling the user a product is rather hyperbolic. The only interaction with a user is in choosing which ad to serve, and recording if they view or click the ad.

            It's not slavery after all.

            • zie 32 days ago

              Maybe it is a bit hyperbolic, but their products are based almost entirely on the information they gather about you specifically (and everyone else they can).

              Like you said, "uses data from users to target their ads more accurately". Exactly.

              But when you say the only interaction with a user is in choosing which ad to serve, that is misleading, at best. You can't currently say to Google, I want this ad to be displayed to John Smith @ 1818 Mockingbird Lane. But you can buy ads saying this age group, in this city, interested in X and Y subject(s), which, if you happen to also know about John Smith, will definitely reach him specifically (assuming John Smith sees a Google-delivered ad, which is almost a certainty).

            • cordial 37 days ago

              As a complete outsider to this conversation who has gotten caught up in the fearmongering mentioned, but who is too ignorant to really have strong opinions either way, thanks for having this conversation.

              It's scary, being in the Too Much Information age. It feels so easy to be misled when it's hard to devote the time to properly understand complex topics like this.

              I don't know if I feel any more confident in my browser choice (or anything else related to cybersecurity), but... thanks, still? Acknowledging how little I can know about any one thing feels so destabilizing... hoorah for existential crises?

              • SquareWheel 37 days ago

                Well, thank you for being willing to be vulnerable.

                Personally I do still believe privacy is very important. I often take up the devil's advocate position on Hacker News because there is a lot of groupthink on this site. The issues are rarely black and white, and almost never come down to "X is evil".

                My advice is to stay aware of the issues, but don't get consumed by them. In almost all cases a site's privacy policy will tell you exactly what they collect, and you always maintain the power to block that at the browser level if you want to.

                E.g. I use an adblocker to remove social media widgets. I find them clutter and I don't care for the tracking. Otherwise, though, my settings are pretty light.

                I hope you find your happy medium.

      • Tloewald 38 days ago

        No it’s just beholden to one or another of them.

        • CodeWriter23 38 days ago

          > windlep 0 minutes ago [-] I was under the impression the search deals are merely which engine are the default. How does having the default search be Google make the Mozilla corp beholden to Google?

          Well, when someone pays your paycheck, that makes you beholden to them. Unless you don't want another paycheck.

          PS I didn't downvote you.

          • windlep 38 days ago

            The person that pays my paycheck tells me what to do. The only thing Mozilla was told to do in the contract with Google is to have them as the default search engine.

            Besides for the search engine requirement per contract, how is Mozilla's product beholden to Google?

            I'm somewhat surprised that was downvoted, as I thought people knew how these contracts were arranged and what they included. They're about the default search engine placement, that's it. Google obviously doesn't get to provide input/requirements into Mozilla product design, marketing, etc.

        • windlep 38 days ago

          I was under the impression the search deals are merely which engine are the default. How does having the default search be Google make the Mozilla corp beholden to Google?

          • ftlio 38 days ago

            If Google is paying what Yahoo was, it's $300 million a year for the default search option on Firefox. Google pays Apple billions to stay the default on the iPhone as well.

            • windlep 38 days ago

              Ok, so that makes Mozilla beholden to them how exactly? Is Google calling up Mozilla asking them to do them favors in the product? Are Mozilla engineers being asked to write in special features that Google asks for?

              Yes, Google provides 90% of the revenue or somewhere around there. But I still haven't heard how exactly Mozilla is doing special favors to Google or is in some way beholden to it.

              Mozilla has a contract with Google to be the default search provider for a set period of years. I have never heard of anything else being in there that allows Google to make any product requests on Mozilla.

              How come no one wants to say how exactly Mozilla is doing what Google wants?

              • Tloewald 37 days ago

                Mozilla’s bizarre stance on H264 coincidentally favored Google’s position. Mozilla’s anti-ad-tracking stuff was all switched off by default. They make their money from ads meaning their incentives parallel those of ad networks.

                All ad-supported products have bad incentives. It's the same reason HBO and Netflix produce great TV shows and ad-based broadcast and cable networks mainly produce garbage.

          • AndrewCHMcM 38 days ago

            Search engines pay for 80% of Mozilla's cheques, so search engines have 80% control over Mozilla's income, which is a bit iffy, especially for something meant to be community controlled and directed (non-profit open source, right?).

            • emh68 37 days ago

              What I don’t understand is why are there no paid browsers? I’d pay $xx(x?) for a browser where I’m the customer, not the product. Every open-source browser is either awful and outdated, or is beholden to outside interests, or internal monetization strategy.

          • nitrogen 38 days ago

            If the search engine is unhappy, they will pay less money to be the default.

            • tekromancr 38 days ago

              Then another search engine will happily take that browser's market share.

              • dvfjsdhgfv 38 days ago

                Maybe for less money, then your colleagues will get fired and your salary will be cut etc.

                Whenever your earnings depend on someone giving you money, whether it's through advertising or a grant, it's quite normal and common that you'll be very careful not to upset them. At least you'll think twice before doing so.

              • geezerjay 38 days ago

                Which search engine might that be? Last time I looked, Google operated a de facto monopoly.

      • testvox 37 days ago

        What is their core business then?

    • girvo 38 days ago

      Alphabet/Google has significantly more power than Mozilla.

  • lucideer 38 days ago

    > dangerous (disabling Google Safe Browsing)

    Dangerous is a strong word here. Yes, this feature does make browsing the web safer, but I would stop short of inverting that statement to mean that disabling it makes the web dangerous. It primarily protects you from sites engaging in social engineering of some kind: these can admittedly be extremely sophisticated, to the point of fooling most very technical people, but generally speaking it's still mostly avoidable with some care.

    I would recommend most people having a safe browsing feature enabled, but I wouldn't fear-monger those disabling it either.

    It's also worth mentioning that Mozilla provide their own service here -- Shavar -- so one needn't use Goog

  • gsich 38 days ago

    Location is pretty useless. It is based on what address your ISP has in most cases.

    • Viper007Bond 38 days ago

      On the contrary. Maybe if you're on a hardwired desktop, but for everything else it is incredibly accurate. You don't even need to have GPS in your device -- WiFi is plenty.

      Try it: It puts my laptop exactly where I am.

      • oxguy3 38 days ago

        I'm on a desktop with no wi-fi card and it's within a stone's throw, how the hell...

      • craftyguy 38 days ago

        > It puts my laptop exactly where I am.

        Did you allow permission for location? Because if you did, it kind of defeats the purpose of showing that disabling this permission helps obscure your location from websites. On my desktop, it asked for permission, and when denied it threw up its hands and said that it had no idea where I was.

        • Viper007Bond 38 days ago

          Yes, of course because the comment I was replying to was about location being worthless in general.

      • loeg 38 days ago

        Wired, it gives me a location 3 miles away from my house.

        Smartphone, it wants to use GPS. That's kind of cheating, isn't it?

        • userbinator 38 days ago

          > Smartphone, it wants to use GPS. That's kind of cheating, isn't it?

          It is, but it also shows just how much information people could leak if they casually dismiss any permissions prompting with "allow" (or even worse, have such permissions be granted by default.)

          • gsich 38 days ago

            Which makes the removal of the location feature (or having it off by default) all the better.

        • weberc2 38 days ago

          The OP said wifi w/o GPS. Give that a shot maybe?

          • loeg 38 days ago

            Yeah, I tried that, but the mobile version of the website refuses to proceed without GPS.

    • michaelmrose 38 days ago

      You can get an addon to set your location manually if, like most non-mobile devices, there is no actual GPS.

      I use this so that I get actually accurate results.

quiquex 38 days ago

"These are used by Mozilla to spy on you, and are as such a significant risk to privacy."

Wow, that's a big claim. Any proof that the data collected is not anonymous? It sounds a lot like fear-mongering.

  • outworlder 38 days ago

    Companies should be transparent about the data they collect and how they anonymize it – and it should be easy to disable if you need serious privacy, as it is possible that some resourceful actor could de-anonymize the information somehow. But this kind of data is not necessarily harmful.

    People disabling telemetry will often be the same ones complaining about "poorly written applications and company X should know better". Well they don't because you disabled telemetry, now the company or organization has no data to improve anything, be it performance, crashes or even UI. Bug reports are not enough.

    • userbinator 38 days ago

      > People disabling telemetry will often be the same ones complaining about "poorly written applications and company X should know better". Well they don't because you disabled telemetry, now the company or organization has no data to improve anything, be it performance, crashes or even UI. Bug reports are not enough.

      This is the sort of argument that gets thrown around often, and I disagree completely --- data collection should always be opt-in, not opt-out. Normalising the invasion of privacy and subverting the default expectation thereof is harmful to individual freedom.

      Respect the users: let them tell you what they want, when they want, and how they want. Don't paternalistically monitor them or tell them what they should/"really" want.

      • nitrogen 38 days ago

        > Respect the users: let them tell you what they want, when they want, and how they want.

        To expand on this a bit, the past several years advertisers and attention brokers have focused on the difference between stated preferences and observed behavior, optimizing for the latter. Unfortunately it seems optimizing for observed behavior amplifies the worst of our base instincts, so even if it improves the bottom line in the short term, we are degrading our civilization in the process.

        It's possible a similar discrepancy between behavior and intention exists in UI telemetry. Ask people what they want when at their best, don't optimize for measurements of them at their worst.

    • eli 38 days ago

      Firefox is not transparent enough? Their privacy policy is pretty straightforward and there's a ton more technical details on the wiki.

    • TheAdamAndChe 38 days ago

      Yet organizations went decades making fantastic and ever-improving software without telemetry. What changed? Why would telemetry suddenly become a basic requirement for improvement?

      • girvo 38 days ago

        I don’t know — my Pentium used to run software that crashed constantly, corrupted files, and was in hindsight horrendously insecure. I don’t think there’s ever been a time where software quality was magically excellent?

      • oatmealsnap 38 days ago

        Software is generally a lot more complex these days, and telemetry data is needed to stay competitive and keep improving.

        Using Firefox as an example, look at how many improvements they have made over the last 5 years. I'm not here to argue whether we need these features or if Firefox 2 was the last version of Firefox that we needed. Firefox (or Chrome, or whatever) wouldn't look as great as it does today without lots of data.

        • geezerjay 38 days ago

          > Software is generally a lot more complex these days, and telemetry data is needed to stay competitive and keep improving.

          If violating users' privacy is your way to stay competitive, then that's your personal problem. You have no right to spy on everyone just because you have problems staying relevant.

        • dingaling 38 days ago

          On the other hand Mozilla has frequently quoted telemetry as the reason for removing niche or power-user features, for example Tab Groups and Themes. "Low usage" in both cases.

          So telemetry doesn't always improve the user experience.

          • thatcat 37 days ago

            Power users disable telemetry.

      • SquareWheel 38 days ago

        And another thing -- what's the deal with automobiles? Horses do a perfectly fine job at getting us around.

        • stonogo 38 days ago

          Shitty analogy. Cars provided demonstrable benefits to users. Telemetry does not.

          • zachlatta 38 days ago

            I have worked on products and have made changes based on data I got on how users were using them.

            Telemetry doesn't replace user feedback or interviews, but it really does help.

            • geezerjay 38 days ago

              I don't believe your personal convenience trumps everyone's right to privacy.

              • SquareWheel 38 days ago

                A crash log doesn't violate your privacy, nor do usage statistics when properly anonymized.

                Sometimes telemetry is just telemetry.

                • geezerjay 38 days ago

                  > A crash log doesn't violate your privacy

                  Says who?

                  If that's the case then ask the user to email you the log. Instead, we get covert eavesdropping.

                • philipwhiuk 38 days ago

                  Properly anonymised doesn't exist. Every mechanism has been broken.

            • Feniks 38 days ago

              Some of us are assholes though and don't really care about helping you out with making money. No offense intended.

              • dreae 38 days ago

                That's just stupid. Obviously the product has some value for you or you wouldn't be using it, and telemetry is a practically zero effort way for you to help improve it.

                Note, when we're talking about telemetry we're not talking about tracking your time on a site to show you ads, we're talking about tracking bugs you encounter so they can be fixed.

          • megablast 38 days ago

            Sure. Over 1 million deaths a year. Cars are a great idea.

          • SquareWheel 38 days ago

            Just because it's not obvious to the user, doesn't mean it's not going towards bug fixes and other improvements.

    • inferiorhuman 38 days ago

      > Well they don't because you disabled telemetry, now the company or organization has no data to improve anything


  • kazinator 38 days ago

    For a datum to be mathematically anonymous means that there is a proof that no function exists which maps instances of that datum to identities more reliably than a random guess.

    A datum isn't anonymous unless proven otherwise. Today's "practically anonymous" is tomorrow's "deanonymized".

  • yorby 38 days ago

    it's very hard to completely anonymize data... companies have so much data nowadays that they can de-anonymize it more easily.

  • gsich 38 days ago

    You send them data. Now they have your IP. You don't know if it gets deleted.

    • st3fan 38 days ago

      AFAIK we throw IP addresses away pretty quickly after receiving a telemetry packet.

      You can read about our data collection approval process here:

      An IP address would be Category 4 - I think it is pretty much impossible to get approval for category 4.

      I highly doubt we have any products out there that actually collect Category 4 data.

      • gsich 38 days ago

        The problem hereby is that nobody can actually verify this. But this is true for all companies/servers you don't control.

      • userbinator 38 days ago

        Do your webservers really not have any logging? By default they all do.

        I've accepted it as a given that if I interact with a website, it will know my IP, but "phoning home" is a slightly different matter.

  • CodeWriter23 38 days ago

    Perhaps a little melodramatic of a statement by the gist author. But the point is these settings are insecure by default. Exploitable by Mozilla, and perhaps by third parties.

  • qbaqbaqba 38 days ago

    I would rather expect the one collecting the data to prove that it is anonymous. And metadata anyway? In many countries it may be used without a court order. A false sense of security is the worst.

  • yuhong 38 days ago

    Especially when it is open source.

  • stonogo 38 days ago

    It's not on us to prove it's not anonymous. It's on Mozilla to prove it is.

    • ______53 38 days ago

      I believe you can see the data that's being sent by typing about:telemetry in the address bar.

      • st3fan 38 days ago

        Or you can put a sniffer on the line, or read the source code, or read the code for the receiving end.

        Or .. just talk to someone on the team and ask questions. Mozilla is incredibly open and transparent. Anyone can even join team/product meetings on video chat.

        • cinquemb 38 days ago

          >…or read the source code…

          Good idea:

          Step #1: read modules/libpref/Preferences.cpp

          Step #2: default all function calls to `PREF_SetBoolPref` for `kTelemetryPref` with args true to false; remove all `PREF_LockPref` calls with kTelemetryPref

          Step #3: ./mach build

  • ekianjo 38 days ago

    They should not be collecting data by default anyway.

jftuga 38 days ago

    Disabled Encrypted Media Extensions (EME)
    Disabled Web Runtime (deprecated as of 2015)
    Removed Pocket
    Removed Telemetry
    Removed data collection
    Removed startup profiling
    Allow running of all 64-Bit NPAPI plugins
    Allow running of unsigned extensions
    Removal of Sponsored Tiles on New Tab Page
    Addition of Duplicate Tab option
    Locale selector in about:preferences > General

outworlder 38 days ago

Websockets? Really?

Even if they are an ugly hack on top of HTTP, they are too damn useful to be disabled.

Let's disable Javascript too while we are at it.

  • krapp 38 days ago

    > Let's disable Javascript too while we are at it.

    if much of HN's userbase doesn't already do that.

    • outworlder 38 days ago

      Indeed. I wonder how they can get anything done. (Other than posting on HN itself, that is)

      • Momquist 38 days ago

        Surprisingly well, from my own experience. It can even increase your productivity and decrease distractions: it blocks most ads, suppresses annoying "interactive" features, bans participation in most time-wasting sites (e.g. Facebook) while still allowing browsing. And of course security.

        For the very few domains I deem absolutely necessary, I can always whitelist them.

        • twhb 38 days ago

          It sounds like the problem is you're spending your time on adversarial websites. Give JS to a skillful developer who shares your goals, and they'll use it to make the website better.

          • quickben 38 days ago

            By the look of it that altruism died ten years ago.

            Current sites load 20-100 external scripts, mostly in ads, analytics, and non essential content.

            • twhb 38 days ago

              Not altruism (except occasionally), incentive alignment. Websites that don't otherwise profit from you are incentivized to be as you describe; websites that profit from your happiness (paid directly, funded for a purpose, a generosity, etc.) aren't.

          • Momquist 38 days ago

            Actually I don't. I never had any account on FB for example, but once in a blue moon I get to visit a public FB page (like a recent blog post posted on HN recently), and having JS disabled let me browse it without worries.

            How can a skillful JS developer make the site better for me when I want to avoid ANY extra features and distractions? My personal tastes tend to go not too far off this kind of design:

            If this hypothetical developer is really sharing my goals then he'll use the <noscript> tag, and I'll be happy enough with HTML/CSS.

            For text-heavy sites, which are the ones I use the most, JS adds nothing I want: tracking? 3rd-party ads? lazy-loading? comments via disqus? sharing to social media? Thanks, but not for me.

            • twhb 38 days ago

              > How can a skillful JS developer make the site better for me when I want to avoid ANY extra features and distractions?

              uses JS to make an essentially-static website much faster to load and navigate. HN lets you vote without reloading the page. Shopping carts. Webmail. Google Maps. Rich text editors. Navigating around Spotify while the music keeps playing. Feedback on forms without clearing or changing something. Keeping a table of contents in sync with what you're viewing. Keeping changing data correct, like feeds, whether a service is up, whether you're signed in. Chat. Video calls.

              And areas not yet widespread. AMP's speed (which would be inoffensive, I think, if intra-site). Layouts more advanced than CSS can express, like a newspaper's or the positioning of plaques at museums. Even smarter data compression for repetitive content.

              And areas we're just now getting the tech for, like 3D simulations and peer-to-peer networking.

            • jraph 37 days ago

              > How can a skillful JS developer make the site better for me when I want to avoid ANY extra features and distractions?

              I don't know if I qualify as a skillful JS developer, but I run a website displaying pictures that works correctly without Javascript.

              However, Javascript makes this website way faster, smoother and easier on the connection by downloading only the moving parts when clicking on a link, carefully preserving history so back/next works as if this script did nothing. When Javascript is disabled, an ugly white flash appears when navigating between some pages and rendering is just slower, even though it remains decent (my code is minimalist anyway…)

              When leaving the page of a picture to come back to the album it is in, scroll position is restored. This is impossible without Javascript. History Back button is not sufficient: you might have looked at 10 pictures before coming back to the album. Sure, you can still ask your browser to come back 10 pages ago, but this is less convenient than just clicking on a cross.

              It also helps dimension images correctly, which I could not manage to do using pure CSS, unfortunately.

              No Javascript tracker is present. You want Javascript enabled on this website because it helps using less resources and makes things easier to use. This is a 9 KB Javascript file that gets compressed to 3 KB and served using HTTP2 only once, so this is basically a null cost when considering how much a picture weighs (~ 100KB). And this is free software, for the sake of it.

              But you cannot know this on random websites. Problem is, Javascript is not used like this in general. Unfortunately for websites like this one, disabling Javascript by default is still a reasonable thing to do.

              Worse, visitors of this website that disable Javascript won't be aware of that, because things pretty much work as expected and I don't display a warning message.

      • quickben 38 days ago

        I wonder how you all get anything done by not disabling it.

        NoScript. If the page breaks, whitelist the primary domain.

        For most non shady sites, this gives you a blazing fast site with near zero crap on it.

      • superkuh 38 days ago

        Pretty easily. Just temporarily whitelist if it's really needed (i.e., a bank or government website). Otherwise close the tab and avoid the waste of time that 'web app' sites represent.

      • IncRnd 38 days ago

        > Indeed. I wonder how they can get anything done. (Other than posting on HN itself, that is)

        It's very straightforward. I allow javascript on the sites that I trust to run javascript - in a protected environment. There are tons of ways to do this.

        I see how long others' computers take to render simple pages, and I just shake my head.

      • ACow_Adonis 38 days ago

        Well, 99% of the javascript/web is more about distraction, advertising and tracking than about getting anything done, and the other 1% is a small number of high-frequency sites that can be selectively white-listed.

        Plus my bandwidth is a fraction of others and browser responsiveness shoots up...

        I think you may have it arse-backwards when it comes to productivity...

        /numbers pulled out of said backwards-arse.

      • IgniteTheSun 38 days ago

        With the exception of a couple of sites, I rarely turn on javascript.

        (There are a few sites where the homepage will just show something like "turn javascript on to see this site"; I just take that as an invitation to leave the site and, if necessary, to search for an alternative.)

        About the only thing I'm having difficulty with at the moment are TV listings: was able to see TV listings without javascript on zap2it until last week, but have not yet found an alternative. Anyone have any suggestions?

        • jrcii 38 days ago

          eBay, PayPal, and Amazon are useless without JavaScript, just off the top of my head.

          • Digital-Citizen 38 days ago

            Perhaps, but like the grandparent post said, one can find other online stores that don't require JavaScript.

            Going beyond what the grandparent post said, JS is a big reason why websites are slow, insecure (from the user's perspective), and time-consuming.'s site is ridiculously sluggish precisely because of needless JS. There's nothing about purchasing something online that legitimately needs JS to make that purchase work. You can search for stuff on Amazon without JS but (for all I know) purchasing doesn't work without JS because of implementation choices Amazon made. I'm not so convinced Amazon's prices are all that great, and buying locally is often a better deal for things I buy. The more I learn about how Amazon conducts business (see for many reasons why) the more interested I am in avoiding them.

            If you want to buy new or used books and you want to do business with Amazon, AbeBooks is owned by Amazon and AbeBooks works fully without JS.

            I'm guessing there are other places to get items instead of using eBay.

    • yorby 38 days ago

      I don't completely disable javascript but I use uMatrix... it seems like a good middle ground...

      • bhrgunatha 38 days ago

        I used to use NoScript. It was a revelation to see how much junk just disappears when there's no javascript.

        Now I find uMatrix better but the first rule I created was:

        * * * block

        Since that was the basic starting point for NoScript.

        Then slowly build up your whitelist of sites to allow javascript as desired/needed.

  • amiga-workbench 38 days ago

    >Let's disable Javascript too while we are at it.

    Yes, let's do that.

  • mulmen 38 days ago

    I disable javascript and I miss out on a lot of the internet. I don't miss any of it though.

  • IncRnd 38 days ago

    > Let's disable Javascript too while we are at it.

    That happened a few years ago.

  • foo101 38 days ago

    What plugins or techniques do you use to disable JavaScript while keeping the flexibility to whitelist some of the websites where JavaScript can be enabled?

    • rickycook 38 days ago

      I love “is blocker” for Safari; it’s hugely configurable with regexes, allowing things on some domains only, allowing globally from some domains, blocking of canvas elements, XHR requests, frames, plenty more too!

      • foo101 38 days ago

        When you use a thing like "is blocker", do you still need a separate ad blocker or is the JavaScript blocker sufficient to block ads as well?

        • rickycook 34 days ago

          sorry i didn’t see the reply... i meant “js blocker” and auto correct happened. i use ublock as well, because it picks up on regexes for things like piwik (you could have something like allowed because you just unblock, or ga hosted locally etc)

  • swiley 38 days ago

    Does this add that to the preferences GUI again? That was one of the big features I was looking for.

  • CodeWriter23 38 days ago

    Well, Meltdown proves the formerly-paranoid Javascript rejectors were actually insightful.

    • duskwuff 37 days ago

      That they happened to be right? Yes. That they were insightful? Not so clear.

cocktailpeanuts 38 days ago

Would have not gotten the backlash it's getting if the author was a bit modest and titled the repo:

"How to get rid of FireFox features you don't need", or something like that.

Security is an important issue, but as someone who thinks WebRTC is the only missing piece of the puzzle that could help bring true decentralization to the Web, I think bashing on WebRTC just because of its security issue is short sighted. (Not to mention a couple other features mentioned on there)

But if you're so paranoid about security that you're going to disable WebSockets, I think the web browser is not the only thing you need to worry about. There are tons more attack vectors and hackers can hack in no matter how you get rid of these "FireFox bullshit" to increase security. After all, most hacking nowadays is based on social engineering.

One thing I agree though is "Pocket Integration" IS a bullshit.

  • balladeer 38 days ago

    > "Pocket Integration" IS a bullshit

    And it is still around. It has still not been made into a removable AND turned off by default component which is the least Firefox should have done if at all they can't live without shipping Firefox with it.

  • craftyguy 38 days ago

    > I think bashing on WebRTC just because of its security issue is short sighted. (Not to mention a couple other features mentioned on there)

    Well, the security concern is real. In other news, bashing on scammers because they scammed someone is short sighted?

  • dokem 38 days ago

    > Would have not gotten the backlash it's getting if the author was a bit modest and titled the repo...

    The anime avatar also adds to his credibility.

mrob 38 days ago

To this I would add:

  middlemouse.contentLoadURL=false

This anti-feature means missing the target of a middle-click by a single pixel can leak the contents of your clipboard or load unexpected URLs. I don't understand why it's still on by default -- Mozilla has been willing to break people's workflow for UI improvements many times before.

  • bzbarsky 38 days ago

    > middlemouse.contentLoadURL=false

    This is the default in Firefox 57 and later. See

    > I don't understand why it's still on by default

    It's not.

    • louiz 36 days ago

      I don’t understand, what does it do?

      • bzbarsky 36 days ago

        When set to true, lets you middle-mouse-paste into the content area to load the url in the PRIMARY selection. That way you don't have to worry about whether selecting the text in the URL bar so you can replace it with the URL will clobber PRIMARY.

        Only relevant on X, where there is a PRIMARY, of course. See for a quick description of what PRIMARY is and how it differs from CLIPBOARD.

      • Rjevski 36 days ago

Seems to only apply to Linux, but basically it either pastes your clipboard content into any focused text field or tries to open the clipboard contents as a URL (and falls back to Google Search if that fails).

halestock 38 days ago

Fwiw, I wasn't a fan of the original integration of pocket into Firefox, but they are now completely owned by Mozilla:

  • mulmen 38 days ago

    This explanation has never satisfied any of my concerns. I don't doubt Mozilla's motivations but the fact that they bought Pocket does not mean that the architecture is designed with my best interests in mind. I'd rather hear about what Mozilla is doing as the owner of Pocket to continue fighting for my best interests.

JepZ 38 days ago

Does anybody know if it is possible to use Pocket with a custom server? So far I found only the ticket which tracks the open sourcing process of Pocket:

11 months old, not even assigned yet... looks like I should come back in 2038.

gavreh 38 days ago

> NOTE: Unfortunately this is somewhat out of date. The comments link to some resources that may be more up-to-date. Patches welcome.

xg15 38 days ago

I'm puzzled that he sees websockets as a privacy hazard. From what I understand, WS connections are CORS protected (though the model is slightly different than standard CORS for historical reasons) and were designed somewhat friendly to proxies. So what is the problem?

(Though browsers don't seem to honor proxy settings for WS in practice. I guess this could be corrected. Does anyone know the reasons for that?)

WebRTC is more understandable: Connection setup is different for each application, the connection itself is encrypted and browsers don't seem to offer any way to inspect or manage WebRTC flows.

It's sad that a technology which offers so many interesting applications is implemented in such a problematic way for privacy. This should really be improved.

(Warning: rant follows)

Generally, I think we should have a general discussion about the ability of inspecting the network traffic of your own machines. Current practice seems to be that this ability is sacrificed in favor of an "encryption-first" doctrine: Browser vendors are aggressively pushing HTTPS everywhere and it's almost a requirement that new network protocols have built-in encryption. There are still some escape hatches by installing custom root CAs, but programs are starting to circumvent that without many consequences (or even with encouragement by OS vendors - e.g. on Android).

For example, right now it's impossible to inspect traffic from the Dropbox client on Windows (short of patching the program) because the client ignores custom root CAs. Trying to inspect traffic from a smartphone is already pretty hopeless.

As traffic inspection would be a powerful tool in finding privacy leaks, we should lobby more for it.

  • philipwhiuk 38 days ago

    You don't need to decrypt TLS to know where it's going. SNI leaks the domain in plaintext and if SNI isn't enabled you can just use the IP address.

qwerty456127 38 days ago

Is there something like this for Chrome too?

BTW I wish I could just disable all features but those basic ones every website uses (and "data URIs" support please!!! I really want to disable it!) and enable them manually on a per-domain basis (the way I do with scripts using NoScript and uMatrix).

  • Digital-Citizen 38 days ago

    With Chrome you face the inherent untrustworthiness of nonfree software. Chrome users always trust Google. No set of preference changes or add-ons makes Chrome safe from Google's power over your data or your computer. This strikes me as a fundamentally worse position for any Chrome user.

mediocrejoker 38 days ago

Websockets are used for nefarious purposes?

  • qwerty456127 38 days ago

    Websockets can be used for many things and are actually a sound tech idea but I don't know about a single website that would use them to do something I need (no, I don't use social networks, don't play online games and don't use web voip - these are the 3 major areas that can make use of them) so disabling them seems a good idea. In general: disable everything you don't use - this will most certainly increase your safety and disrupt a huge portion of mainstream malware and spyware functioning.

When I was using Windows I had a software firewall that would ask me about every app that is trying to access the Internet and let me choose if I want to block or allow it - I would only allow the web browser, the messenger and the SSH client and completely block everything else (DroidWall and XPrivacy let you do this on Android, LittleSnitch does this on Mac, I miss such a tool on desktop GNU/Linux a huge lot).

  • joosters 38 days ago

    So is HTTP. Better disable that too.

  • twic 38 days ago

    I use them for nefarious purposes. But then i use everything for nefarious purposes.

    • ricree 38 days ago

      Please remember to set the evil bit properly when you do.

  • geezerjay 38 days ago

    > Websockets are used for nefarious purposes?

Websockets were created specifically to get clients to transfer data to the server at the request of the server and without the user specifically wanting to send it.

    • duskwuff 37 days ago

      That's a rather odd way of describing Websockets. XMLHttpRequest fits your description equally well.

      Websockets don't inherently allow anything that isn't possible with other technologies. What they do is make certain data transfer patterns more efficient by removing the need for polling, or for redundant HTTP requests.

ravenstine 38 days ago

I'd never heard of social media integration. That is true bullshit, and I wonder what the analog is in Chrome.

But what's wrong with DRM? DRM sucks, but I don't know why it's in someone's interest to not be able to watch Netflix in their browser.

Feniks 38 days ago

Tip for Android users:

Fennec F-droid.

Firefox wants to be (a less evil) Chrome, which is great for the 90% but that leaves the rest of us scrambling. No I don't need my browser to support DRM in order to watch Netflix ffs...

  • clircle 38 days ago

    It's not really clear to me how this differs from Firefox for Android. Removes some DRM? Anything else?

solomatov 38 days ago

Having a separate privacy conscious fork of FF would be a better solution. They can easily work around such tweaks.

  • brendyn 38 days ago

    I use IceCat which is essentially that. It's based on the ESR releases though since it's hard for the few volunteers to keep up with Firefox's releases.

  • kccqzy 38 days ago

    Try the Tor browser.

yegle 38 days ago

Why not just use TorBrowser if you are too concerned about those settings?

jasonkostempski 38 days ago

This isn't even in my about:config anymore. I'm pretty sure it was at some point. Did they remove the option to disable it for some reason?

  • bzbarsky 38 days ago

    It was removed in Firefox 41, once WebSocket had been shipping for a while. See

    The only reason the pref was there is that new features tend to have prefs to disable them. First because those are useful for enabling a feature for testing before it may be ready to be on by default, second in case there's a serious problem with the feature that requires it to be turned off in a hurry. But once a feature has been shipping and on by default for a while, prefs to disable it just end up being technical debt, and tend to get removed like any other technical debt when people get a chance.

Tepix 38 days ago

It got the "pocket" name wrong. On my Firefox 57 it's

borplk 37 days ago

Unplug your devices for maximum security.

In all seriousness it's not a bad list as a handy reference.

MollyR 38 days ago

Interesting. Though at that point why wouldn't you just use Brave ?

  • st3fan 38 days ago

    You think Brave does not send telemetry :-)

On iOS it links to Fabric and Crashlytics. Both of those did not pass Mozilla's strict data collection rules. I'd love to use them in our mobile products, but they collect too much data, too much personally identifiable data, and store all of that at a third party. (Owned by Google)

  • JepZ 38 days ago

    Better use a safe© solution:

      curl -sL | html2pdf | pdfviewer

    Just kidding ;-)

    • sli 38 days ago

      That isn't too far from how Stallman browses the internet, I don't think. I know he does some weird, roundabout thing involving email (or used to, anyway).

    • CodeWriter23 38 days ago

      Future HN Headline: On the exploitation of pdfviewer via html2pdf.

  • toyg 38 days ago

    Brave are just a different kind of evil. They basically want to hijack advertising and tracking so that they get the money rather than google, but it’s the same crap.

    • isjamesalive 38 days ago

      Where did you get that idea? His stance on SSM aside, Brendan Eich is not a guy I typically associate with evil.

      The whole raison d'être of Brave is to restore privacy to consumers of advertisements while being fair to publishers.

      The codebase is all MPL2 on Github. Nothing stopping you or anyone forking it, yada yada.

      • sekh60 38 days ago

        Not sure if it is the case, but the original plan was for Brave to replace ads with its own:

        • BrendanEich 36 days ago

          That is only if publishers and users consent. Both get paid in that case, 70% to publisher, 15% to user. But it's not the private ad model we are trying first.

          What we're most excited about are opt-in, user-private and -anonymous ads, long form and at low frequency, where you get 70% of the gross revenue.

          In either case some brand principles:

          1. We pay 70% to the ad "inventory owner" -- the person who is giving attention space up for the ad

          2. We always pay the user as much as, or more than, we take. This aligns our interests.

          3. We never keep user data on any servers, whitelist ads for a fee, let trackers through to target or attribute/confirm.

The grandparent post here is just flat wrong. In no case do we track user data for profit -- we never did and never will. All data in clear stays on your device. We use a ZKP protocol over a VPN for anonymous settlements/confirmations. Our site details all this:

          • sekh60 32 days ago

            Sorry for the slow response. Thanks Brendan for clearing up my misconceptions.

  • Feniks 38 days ago

    Add-ons perhaps? Does Brave support those?

    • BrendanEich 36 days ago

      Yes, chromium extensions. We are curating, as we want to make sure they work correctly and aren't doing anything that goes against our privacy and security principles.

dangrover 38 days ago

You forgot the last step, which is to respond to every link posted on Hacker News, regardless of what it's about, with a complaint about how the site doesn't function correctly with your unique browser config.

  • CaptSpify 38 days ago

    If websites were smart, they'd design their webpages to work with every unique browser. It's actually super easy to do.

    It's just not as profitable to treat your users with respect, unfortunately.

Karunamon 38 days ago

I wrote something similar a while back, and it’s in a similar state of not-updated-ness

  • urda 38 days ago

      > Your connection is not secure
      > SEC_ERROR_EXPIRED_CERTIFICATE (expired October 31, 2017)

    Doesn't make me want to listen to any website claiming to "fix firefox" when they can't even bother to keep their SSL certs up to date.

    • CompuHacker 38 days ago

      I added an exception and read the page I received. A single author describes changes he made to his Firefox options from 29 onward. There is no plural "they", and, to my understanding, the information is not current.

      Should this information become inaccessible because certs weren't paid for?

      • yborg 38 days ago

        I think he's just pointing out the irony of someone purporting to aid the security-conscious having an expired cert on his own site. Unless this is really some meta-level social commentary on how people will trust a complete stranger's website despite an invalid cert because he seems like a nice guy.

        • urda 37 days ago

          > I think he's just pointing out the irony of someone purporting to aid the security-conscious having an expired cert on his own site.

This is exactly the point I was going after. It would be one thing if the cert had just expired but c'mon, October 31, 2017 really?

          • Karunamon 34 days ago

            Cert expiration dates provide very little in the way of actual security. Normally it would mean that yes, your connection is secure, yes, everything matches, but you hadn't paid your protection money to the CA racket in a while.

            In my case, it's because I haven't had the desire to go in and redo the nginx config on this machine. But sure, that makes the content wrong, or something.

            • urda 33 days ago

              > But sure, that makes the content wrong, or something.

              If your own Nginx server cannot serve up a proper and protected session, why should I consider what you've written on the website? Actually how can I know that what I'm reading is what you wrote if the session is already compromised from the start?

              > but you hadn't paid your protection money to the CA racket in a while.

              Yes, you sometimes have to pay for that cert from a CA but that's not why certificates expire.

              Besides, your CA is Let's Encrypt so this point is completely useless but it does make an easy excuse.

              Enough with the drama please.

              • Karunamon 32 days ago

                It is protected. Cert expiration has no impact on the safety of the connection whatsoever. LE uses the same encryption as the big guys, they just set the expiry date field to a lower number. Please explain how that meaningfully reduces security.

                >Enough with the drama please.

                Indeed. Petty sniping in an attempt to avoid engaging the content lowers the level of discourse substantially.

        • quickben 38 days ago

Why do a few pages of read-only text advice need a certificate that badly?

          • philipwhiuk 38 days ago

            The wrong read-only text gets you arrested.

gimmeayrwlt 38 days ago

I think we are going full circle from IE5 times. Back then ActiveX was as bad as it can get... today's browsers are full of features like that... and now it's not safe anymore to use them... did we learn anything from Flash?