This gist misleads in a few ways by being so vague and seems to be more about disabling every somewhat useful feature that sounds bad for tinfoil hat enthusiasts. Still has useful things, like disabling Pocket if you don’t want it and forcing newer TLS versions. Others are silly (disabling things that already ask for your permission, like location), dangerous (disabling Google Safe Browsing), or already exposed in the settings UI anyway (DNT, tracking protection, telemetry). To each their own, use these if you think they’re important to you, but for most people it’s fear-mongering about nothing and enabling a few things in the privacy settings page is sufficient.
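As an added illustration of the "useful vs. dangerous" distinction in the comment above (example code, not from the gist or any commenter): a small Python audit of a Firefox user.js that flags a weak TLS floor, notes Pocket, and warns when Safe Browsing is switched off. It assumes the standard about:config pref names and Firefox 57-era defaults for anything the file does not set; the sample user.js is constructed.

```python
import re
# Constructed sample user.js (not the gist from the thread); it sets the prefs
# the comment above calls useful (Pocket, TLS) and one it calls dangerous.
SAMPLE_USER_JS = """\
user_pref("extensions.pocket.enabled", false);
user_pref("security.tls.version.min", 3);
user_pref("browser.safebrowsing.malware.enabled", false);
"""

# Matches one user_pref("name", value); line of a Firefox user.js/prefs.js.
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Assumed Firefox 57-era defaults, used when a pref is absent from the file.
DEFAULTS = {
    "security.tls.version.min": 1,  # 1 = TLS 1.0, 3 = TLS 1.2, 4 = TLS 1.3
    "extensions.pocket.enabled": True,
    "browser.safebrowsing.malware.enabled": True,
    "browser.safebrowsing.phishing.enabled": True,
}

def parse_user_js(text):
    """Return {pref_name: value} with JS literals converted to Python values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw.strip('"')
        else:
            prefs[name] = int(raw)
    return prefs

def audit(prefs):
    """Classify effective settings as weak, informational, or dangerous."""
    eff = {**DEFAULTS, **prefs}  # file values override assumed defaults
    findings = []
    if eff["security.tls.version.min"] < 3:
        findings.append("weak: security.tls.version.min permits TLS < 1.2")
    if eff["extensions.pocket.enabled"]:
        findings.append("info: Pocket integration enabled (harmless; disable if unwanted)")
    for p in ("browser.safebrowsing.malware.enabled", "browser.safebrowsing.phishing.enabled"):
        if not eff[p]:
            findings.append(f"dangerous: {p} is off; Safe Browsing protection lost")
    return findings
```

Run `audit(parse_user_js(open("user.js").read()))` against a real profile to get the same three classes of finding.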
"These are used by Mozilla to spy on you, and are as such a significant risk to privacy."
Wow, that's a big claim. Any proof that the data collected is not anonymous? It sounds a lot like fear-mongering.
Disabled Encrypted Media Extensions (EME)
Disabled Web Runtime (deprecated as of 2015)
Removed Pocket
Removed Telemetry
Removed data collection
Removed startup profiling
Allow running of all 64-Bit NPAPI plugins
Allow running of unsigned extensions
Removal of Sponsored Tiles on New Tab Page
Addition of Duplicate Tab option
Locale selector in about:preferences > General
Even if they are an ugly hack on top of HTTP, they are too damn useful to be disabled.
It would not have gotten the backlash it's getting if the author had been a bit more modest and titled the repo:
"How to get rid of FireFox features you don't need", or something like that.
Security is an important issue, but as someone who thinks WebRTC is the only missing piece of the puzzle that could help bring true decentralization to the Web, I think bashing on WebRTC just because of its security issue is short-sighted. (Not to mention a couple of other features mentioned on there.)
But if you're so paranoid about security that you're going to disable WebSockets, I think the web browser is not the only thing you need to worry about. There are tons more attack vectors, and hackers can hack in no matter how you get rid of these "FireFox bullshit" features to increase security. After all, most hacking nowadays is based on social engineering.
One thing I agree with though is that "Pocket Integration" IS bullshit.
To this I would add:
This anti-feature means missing the target of a middle-click by a single pixel can leak the contents of your clipboard or load unexpected URLs. I don't understand why it's still on by default -- Mozilla has been willing to break people's workflows for UI improvements many times before.
Fwiw, I wasn't a fan of the original integration of pocket into Firefox, but they are now completely owned by Mozilla: https://blog.mozilla.org/blog/2017/02/27/mozilla-acquires-po...
Does anybody know if it is possible to use Pocket with a custom server? So far I have found only the ticket which tracks the open-sourcing process of Pocket:
11 months old, not even assigned yet... looks like I should come back in 2038.
> NOTE: Unfortunately this is somewhat out of date. The comments link to some resources that may be more up-to-date. Patches welcome.
I'm puzzled that he sees WebSockets as a privacy hazard. From what I understand, WS connections are CORS protected (though the model is slightly different from standard CORS for historical reasons) and were designed somewhat friendly to proxies. So what is the problem?
(Though browsers don't seem to honor proxy settings for WS in practice. I guess this could be corrected. Does anyone know the reasons for that?)
WebRTC is more understandable: Connection setup is different for each application, the connection itself is encrypted and browsers don't seem to offer any way to inspect or manage WebRTC flows.
It's sad that a technology which offers so many interesting applications is implemented in such a problematic way for privacy. This should really be improved.
(Warning: rant follows)
Generally, I think we should have a general discussion about the ability to inspect the network traffic of your own machines. Current practice seems to be that this ability is sacrificed in favor of an "encryption-first" doctrine: browser vendors are aggressively pushing HTTPS everywhere, and it's almost a requirement that new network protocols have built-in encryption. There are still some escape hatches by installing custom root CAs, but programs are starting to circumvent that without many consequences (or even with encouragement by OS vendors - e.g. on Android).
For example, right now it's impossible to inspect traffic from the Dropbox client on Windows (short of patching the program) because the client ignores custom root CAs. Trying to inspect traffic from a smartphone is already pretty hopeless.
As traffic inspection would be a powerful tool in finding privacy leaks, we should lobby more for it.
Is there something like this for Chrome too?
BTW, I wish I could just disable all features but the basic ones every website uses (and "data URIs" support please!!! I really want to disable it!) and enable them manually on a per-domain basis (the way I do with scripts using NoScript and uMatrix).
Websockets are used for nefarious purposes?
I'd never heard of social media integration. That is true bullshit, and I wonder what the analog is in Chrome.
But what's wrong with DRM? DRM sucks, but I don't know why it's in someone's interest to not be able to watch Netflix in their browser.
Tip for Android users:
Firefox wants to be (a less evil) Chrome, which is great for the 90% but that leaves the rest of us scrambling. No I don't need my browser to support DRM in order to watch Netflix ffs...
Having a separate privacy-conscious fork of FF would be a better solution. They can easily work around such tweaks.
Why not just use TorBrowser if you are too concerned about those settings?
This isn't even in my about:config anymore. I'm pretty sure it was at some point. Did they remove the option to disable it for some reason?
It got the "pocket" name wrong. On my Firefox 57 it's
Very helpful. It definitely would be worth developing an addon that would apply these settings for you.
Unplug your devices for maximum security.
In all seriousness it's not a bad list as a handy reference.
Interesting. Though at that point, why wouldn't you just use Brave?
You forgot the last step, which is to respond to every link posted on Hacker News, regardless of what it's about, with a complaint about how the site doesn't function correctly with your unique browser config.
bathwater.baby = false
I wrote something similar a while back, and it’s in a similar state of not-updated-ness
I think we are going full circle from the IE5 days. Back then ActiveX was as bad as it gets... today's browsers are full of features like that... and now it's not safe anymore to use them... Did we learn anything from Flash?