I feel the strong need to point out some of these settings will break Firefox in subtle and hard to understand ways. There’s a reason you “void the warranty” when tweaking the about:config preferences. No rule against it, but just watch out. (Mozilla employee)
As a FF user (and a browser's user in general) I found actual browsers absurd monsters that service like ffprofile only try to mitigate. Few example: any complex enough software offer config files/dir. normally human readable and manageable. I can easily install plugins in Emacs via a simple config edit, same for (n)vim, same for zsh or fish, I can change my OS (NixOS) with a simple human-readable config file. Same for GuixSD, same for services etc in nearly all unices.
On FF however I found no damn simple way to do basic things like:
- install extensions via CLI/wrappers (for instance homeManager), there are some hack but they are not reliable and Mozilla seems to try avoiding supporting such a thing;
- configure preferences, like about:config, outside firefox;
- customize ff themes in a simple manner.
Modern browsers seems to mimic the most closed commercial OSes I know of instead of mimic classic FOSS model and that's a big problem.
Today I can easily automate my entire desktop, but browsers and they demand more and more settings and third parties tools/extensions to be "at least less unsafe" for us users (from firejail/capsicum to cookies deleters, adblockers etc.
This seems to be by design: when these things are available, spyware -- especially on Windows -- will be quick to make malicious changes in all these if they can.
It's a pain, but I can see the compromise. If it makes the average Firefox user more vulnerable, there's definitely a case to protect them, even at the expense of its more capable users.
Yes, this leads Firefox to be fairly conservative with its permissions.
In general, blocking userspace from installing extensions and otherwise running malicious code stops FF from being exploited. Blocking all of these options blocks the OS from bad behaviour, especially where the user may expect a new computer/phone to have the default behaviour.
The vendors of phones and personal computers seem to have an interest in interfering with users' internet access; perhaps it is a good decision that Firefox does not let them.
Actually homeManager can manage Firefox, installing extensions etc... Only it's a hack-ish and not much reliable way.
So no, actual Mozilla strategy does NOT work to stop malware's on Windows nor commercial OEMs customization, as a matter of fact made only life of pro users and admin harder and open the door for less safe setup (for instance extensions added via homeManager may not get updated by FF).
We would and should expect that it is be possible: unless Firefox signs configuration changes per-user, server-side (violating their privacy intentions), the whole configuration code is open source, and can easily be easily used or reverse engineered to make an external editor.
This doesn't change that a sanctioned API invites abuse far more readily than reverse-engineering, especially when spyware is less frequently updated than Firefox itself. That there isn't a sanctioned API, and that the de facto API can and does change every version, is an advantage for Firefox against potential attackers.
If this is something you are sorely lacking, Firefox has also been straightforward to modify and compile, in my experience. You can always share a patch and enjoy these features as part of a smaller community, without compromising the userbase as a whole.
I can agree in general, but, for now, disabling a firefox --install maliciousaddon.xpi and firefox --setconfig keyyoudontwant=valueyoudontlike is enough barrier to stop a majority of bad actors. None of us want users to click yes through install screens, having toolbars and spyware installed for the average user, but that has been the reality of those APIs thus far.
Perhaps a more fine-grained permission model is needed for cross-application changes, but I can't think of anybody actively working on it in an OS.
Having a simple text-based config with a repo, like
[AddOns]
ensure-ffpkg AddonName
[Themes]
set-default ThemeName
install ThemeA, ThemeB
[Settings]
key:val
...
and have the AddonName downloaded with GNUPG signature check from an official Mozilla repo is by far more save that demand using interactive GUIs. Simply ask at startup to accept "potentially dangerous" extensions if you specify a local .xpi file it the same.
What you describe is the classic Windows approach that have proved enough to be ineffective and only useful for commercial practice. Mozilla is formally a foundation and Firefox is formally a FOSS project...
Firefox had color management and color profiles support years before the other browsers. I'd venture to guess this is why it's favorite among photographers.
> ... Mozilla seems to try avoiding supporting such a thing
Back when I was trying to manage the configuration of my machines by having a git repository in my home directory or using stow, I got a little upset when I found that firefox stored its configuration in a profile directory with a random prefix. Why would it make it random? It's got to be the only program to do such a thing. I cannot imagine it's for anything other than to annoy people trying to manage its configuration with tools different from their own.
I've since found a way to make the profile directory not have a random prefix, but it still requires doing the change through Firefox's GUI profile manager.
https://bugzilla.mozilla.org/show_bug.cgi?id=56002 has the long discussion about it, but briefly: the profile directory name randomization was introduced to prevent web sites from being able to place data they control in known locations on your hard drive (via the browser cache) and then use that as a stepping-stone in a privilege escalation.
If that's dangerous in Firefox, isn't it just as dangerous, if not more, for them to reference other non-firefox files? I can't see this being a proper security measure for anything.
It is. The most dangerous part though is when you can access files in the browser cache because scripts in file:// can read files in file:// (so all your files) and you can really easily put files in the browser cache.
Firejail on GNU/Linux, Capsicum on FreeBSD etc do something for that, and IMO any tech-savvy users should use them.
Basically they restrict browser capabilities to see entire filesystem to the minimum extent possible so an webappp can't download from you your personal ssh settings, plain-text saved passwords in home, secret porn collection etc.
That is not entirely true, there is a prefs.js in my Profile folder that contains the changes done to my about:config page, if I interpret it correctly.
user.js is the supported and reliable way to set preferences that should just be set no matter what the default configuration is or what about:config says.
prefs.js is the storage for the current non-default pref values. At runtime, default pref values are loaded, then prefs.js, then user.js.
You _can_ edit prefs.js and the effect will be the same as if you changed the pref in about:config, as long as you do it while Firefox is not running against that profile. If you do it while Firefox is running, your changes will be overwritten at shutdown when Firefox writes out then-current in-memory pref values.
That might be true for a technical user, but is the average user going to know that discord is broken because they disabled webrtc? Also, resistfingerprinting is going to significantly increase the difficulty of recaptcha challenges you encounter.
I always have a hard time using some services when in incognito mode; I get the captchas, and either they are wrong or are really hard, and it can take several tries to get through them.
I used to run Firefox with resist fingerprinting enabled. I believe it was causing chat time stamps on websites like WhatsApp to be incorrect, which was annoying but I don’t know if you consider that broken.
Yes I discovered that when viewing the TV guide on plex. Everything was an hour out (UK). I think with resist fingerprinting the timezone is set to UTC0. In the end I had to turn that setting off.
Ironically, checking for UTC+0 JavaScript time from an obviously-not-UTC+0 IP geolocation might give additional hints for fingerprinting, as does everything else that looks non-default, like odd language preferences or even a DNT header.
Good point. I'm pretty sure this component of resistFingerprinting is derived from Project Fusion, which uplifts privacy/anonymity-related changes from Tor Browser into Firefox. In the Tor Browser threat model, the idea is that you can't avoid looking like a Tor user, so the goal is to make all Tor users indistinguishable from each other. Flipping this pref as a regular Firefox user is incompatible with its primary intent/threat model, so it fails to deliver and may even make you _more_ identifiable in some circumstances.
This is a great example of why I'm generally skeptical of these scattershot approaches to making users more secure by changing default settings in mainstream browsers. Security and privacy features always entail tradeoffs and should be designed and implemented holistically for best results.
> should be designed and implemented holistically for best results
This is why I, a privacy-conscious individual, don't follow any of these guides in my Firefox. If you follow the discussion on Bugzilla, the weekly team meeting notes, and occasionally ask respectful questions on Mozilla IRC, you come to a similar conclusion to me in that the Firefox development community is doing the right thing in not enabling this by default.
It also breaks add-on compatibility because it sets your user agent to the last ESR version of Firefox, which may be several versions behind the version you're actually running.
That's the compatibility issues for webextensions at all, but the bug still exists for extensions that declare compatibility ranges between the latest version and the previous ESR: https://bugzilla.mozilla.org/show_bug.cgi?id=1394448
I feel a strong need to point out the bad faith Mozilla seem to have for Firefox users and their privacy, eg Pocket, Mr Robot, DRM & binary blobs, dark pattern configs, etc.
As much as I loved the browser in the past, nobody should consider running it today, without being informed of the implications. The ffprofile.com site is something I have been waiting for, but stuff like this should not be necessary and IMO Mozilla Corp. has won. Nobody celebrates a new version of FF anymore.
>(This is in fact sarcasm before you get too eager with that down arrow)
I see this defense quite a lot on the internet, and I think it's misplaced. Even without your comment, I would have downvoted you, not because I though you were in earnest, but because your sarcastic comment doesn't add anything to the conversation.
I think it adds a lot to the conversation.
It's an obviously poor argument, which points out how poor it is when Mozilla uses it to make obviously poor choices.
I agree that my comment is of extremely limited value. Usually I just down vote and move on for that very reason. Today I chose to explain why instead.
The difference is that I believe that my comment has a very small positive value, while I believe that the comment I responded to has a small to moderate negative value.
Yep, since most people forget nntp... But I'm here not elsewhere and I'm receive HN updates via mail (RSS2Email) and planning to try my first Emacs serious work with a modification of HN plugin to allow posts not only view...
You're correct. Firefox compares a hash of the URL in question to a local database of hashes of unsafe URLs. If a an unsafe hash match is found, Firefox will then double check by contacting Google's Safe Browsing server to request the current status for a truncated part of the suspect URL plus some random "chaff" hashes. So Google never receives the suspect URL or even the URL's full hash.
I wish Firefox exposed a better UI for it's profiles. It seems like a really powerful feature that is much less useful than it might be due to poor ergonomics...
That's something that I like about experiments in "Container Tabs", where you get the power of separate profiles, but the ability to mix-and-match them in the same browser window and opening a profile can be as simple as opening a new tab.
I understand though why Mozilla seems to be having such a hard time converging on a UX for Container Tabs that makes everyone happy and it may be impossible to ever surface 100% of the power of profiles to the average user. But -ProfileManager is so long in the tooth and so clearly predates modern niceties that it would be great for better UI/UX out of the box today.
I don’t understand why Firefox removed the tab exposé feature they had. Clicking a button gave you a look at all your open tabs allowing you to then drag them into groups. Only your active group was displayed but you could always switch to another group when browsing in a different context.
Combine that experience with the current Containers sandboxing feature and that would be a dream.
You can read more about the decision to remove it on Mozilla's Bugzilla [0].
There are extension providing pretty much the same experience, like Panorama view [1]. I agree that it's very convenient to separate tabs into separate topics, and only view the ones that are relevant at any time.
« Container Tabs » doesn’t build trust in user’s mind. You’re always one click away from sending data with the wrong profile. With Chrome, you get a separate window, and different skins, and a different data folder on the hard drive, you can at least comfort yourself with the idea that you’ve somewhat isolated your lives.
Besides the classic work/home/sysadmin profiles, I also have a profile for browsing websites like /r/MensRights or christian websites: People have been fired for way less, so with such an incentive, Firefox tabs are way below expectations in terms of design.
That's a solvable UX problem. Admittedly, it's a UX problem that Mozilla has struggled with trying to build a UX that is trustworthy for both inexperienced users and power users alike.
Most browsers already have highly separated threads/processes for different tabs for performance reasons alone, but also cross-tab security issues. In most cases the technical difference between two tabs in the same window and two tabs in different windows is minimal. Technical differences in profiles such as different data folder on the hard drive is even already a part of Firefox's container tabs.
There is definitely an experiential difference, but a lot of the same signifiers (different themes / different "title" bars / etc) can be brought in and applied to multiple tabs in the same window, switching with tabs themselves. Or perhaps new UX signifiers might be developed that work better in a mixed tab space. It was encouraging that Mozilla was experimenting in that space, at least, even if what they built they weren't entirely happy with user studies of it. Again, the fundamental issue should be solvable with enough applied UX. We likely haven't discovered the solution for that yet (especially not one usable by novice users), but its still something interesting to continue to research and something that I hope is continued to be researched.
(PS If you are worried about getting fired over your dirty laundry, I'm not sure airing it in cleartext on HN is exactly the right idea either.)
You can configure container tabs to always open desired URLs in specified containers. You just click the containers button and check "Always open in <container>".
After that when you click a link to that site from a different container, it will prompt you and ask if you want to use the other container or continue with the one you were just using. It will remember your choice.
I think the Facebook Container add-on does support this, though just for Facebook. There's an issue to add something similar to Multi-Account Containers, not sure what the status is on that:
> « Container Tabs » doesn’t build trust in user’s mind. You’re always one click away from sending data with the wrong profile.
Which users are you referring to, the ones who read HN and use firefox with containers? Most non-technical people would think you told them a conspiracy theory if you said Facebook can track their browsing outside the site, let alone be aware of that possibility enough to install firefox then install and configure containers. People who know about these risks and are installing extensions like containers are already conscious of their exposure on the web and are doing their due diligence not to leave much-identifying information out there, to begin with.
The sad truth is we write, and comment, and endlessly debate security best practices here that only get used by people reading this forum or small, highly technical and specific corners of Reddit.
I love container tabs, my biggest worry and the reason I'm hesitant to rely on them is that I suspect they'll get scrapped in the future because Mozilla seems to be building a Chrome clone lately.
Yeah, I've been following with keen eyes Mozilla's efforts in the space. I really like that they are experimenting with it, and I really hope them success, or at least to continue to take risks and experiment with it, but also due to the nature of the experiments to date there hasn't yet been a case where I'd swap my existing profiles for container tabs (even with the headaches of maintaining -ProfileManager launch shortcuts and remembering when I need to --no-remote or use weirder workarounds/shortcuts to get things launched properly).
In migrating the primary container tab UI into an extension, Mozilla seems committed to at least providing the functionality as a long term extension API. So I don't expect the feature to be scrapped at this point; maybe just to remain rather anemic "out of the box" for the time being as Mozilla iterates on its extension. That has me curious if there's a good power user-focused extension already to meet my profile needs (or how hard it would be to build one), but so far that's only been an idle curiosity.
Container tabs are so clunky in practice, they really need a lot of work. Google something in your Google container, click a link, and instead of just directing to the link, the link is opened in a new tab and the search result tab is closed instantly. You can't go back to the results, you have to unclose the tab.
Container tabs also were terrible if you needed a persistent login. My school proxy for journal subscriptions has like half a dozen redirects with different URL names, I either had to not use containers here or add an exception for every step in the login process that it would break because of the container system. I hated constantly running into problems with containers breaking websites and making browsing so cumbersome that I stopped using them entirely.
Like some of the esoteric Adblocker configurations favored here, they are good in principle, but in practice break 50% of websites on the internet without spending serious time crafting exceptions for every issue you run into on every new site you find.
I've posted this a bunch of times on HN, but these scripts I use let me launch a new instance of the Firefox engine with its own prefs.js and extensions from the terminal[1].
They could. That seems to me like a useful feature to support. With the modern extensions (as opposed to old XPCOM/XUL components), that sounds technically doable to me.
I feel that it has become less useful since containerised tabs were introduced. One of the use cases for profiles were using a separate browsing profile.
An alternative that works would be "Google search link fix" [1], which is written/maintained by the current developer of Adblock Plus. (There's probably no reason that the core script [2] couldn't be adapted into a userscript for Tampermonkey/Greasemonkey/etc. if he isn't considered trusted.) It does currently have a problem on Firefox for Android where a long-press on a link doesn't trigger the tracking removal. [3]
I used to work in IT and had built this exact thing via Python for large scale, role-based, preference management on our workstations (particularly in lab situation at Universities). I wish chrome had something similar!
If I opt for multiple "hidden" settings that make my browser more private, am I not giving away my privacy? I mean, finger-printers will notice my unique fingerprint consisting of tailor made privacy choices.
