Alternatives that allow you to still get your security and stability updates from Mozilla include two Gnu soft-forks. There's IceCat, which is the best-supported version and runs off of ESR. [1] There's also "abrowser" (that's literally what it's called) that is part of the Gnu Trisquel distribution, which is based on the most recent release. Both patch the browser to be more security and privacy friendly. [2] There are also several projects that provide patches for Firefox or user.js files [3] to minimize the privacy impact of recent Mozilla decisions. (I publish patches that remove Pocket and disable various forms of tracking in Firefox.) The problem with the patch-based approach is that you have to build Firefox yourself, which most people are unable or unwilling to do.
The most recent version of IceCat at this time is 60.3.0, published on 2018-11-09 [1], 18 days after upstream [2].
Upstream is currently at 60.7.0, published on 2019-05-20 [3]. This puts IceCat more than half a year behind upstream.
Waterfox published their version merging upstream 60.7.0 security fixes before upstream [4].
Using IceCat thus seems to be a bad idea security-wise.
I use upstream ESR ever since FF disabled add-ons since they let their cert expire [5] and the release channel version ignores the 'xpinstall.signatures.required' flag.
I'm not sure what URL is technically supposed to be the correct one, but they do seem to have updated through at least 60.5: http://devel.trisquel.info/repos/packages/icecat/pool/main/i... Trisquel in general seems to be pretty dead, looking at their git.
While I'm not sure whether that includes any backported security fixes or not, you're right that this is concerning. Perhaps building it yourself is the way to go.
>I use upstream ESR ever since FF disabled add-ons since they let their cert expire [5]
Unless I'm mistaken that bug would have bitten you on ESR as well. The expired certificate was an intermediate used to sign most of the addons on AMO. If ESR wasn't using that certificate then it wouldn't have been able to validate those addons. Correct me if I'm wrong.
Looking at their SCM, they updated to the newest upstream less than two days ago [1]. However, the change appears trivial, so it might be feasible to track upstream if building from source as long as their customization scripts remain compatible.
> that bug would have bitten you on ESR as well
Sorry, I didn't word that clearly. ESR was affected, but the signature check could be disabled from about:config. The release channel had that flag listed, but it had no effect.
Ah, I didn't realize ESR did that. (And frankly I'm surprised it does.) One of the things I change when I build Firefox for myself is allowing the disabling of addon signings via about:config.
> Waterfox does not collect ANY telemetry, meaning you don't have to worry about any tracking or usage information about what you do inside YOUR browser.
This is woefully uninformed or malicious. There's a lot of tracking that is out of your hands. Such as canvas fingerprinting. Even sending back 0's (like tor does) doesn't prevent fingerprinting. In either case I lost confidence for the browser just by reading what was on their landing page.
Either they don't know that tactics like this are common, which means that they likely aren't aware of other basic security flaws. Or they are aware and lying, which begs the question of how we can trust anything else.
In either case it doesn't build trust for a tool that is so highly dependent upon trust.
I think they are claiming "you don't have to worry about any tracking or usage information being sent to the Waterfox developers," but if so, they shouldn't say "you don't have to worry" (see also Lavabit and Protonmail's "you don't have to worry about government surveillance... well, not until the government decides to surveil you"). I agree it's weird for a web browser of all products to omit this clarity!
That's fair, but it is also very misleading. It also isn't hard to see how it is misleading, enough so that I'm sure I'm not the first to notice it and that I would assume it has been brought to their attention. If not, well... someone ping them.
I don't think it's misleading in the slightest. When you disable telemetry in an application or operating system, you're disabling that application's collection and transmission of metrics to its developers.
Disabling telemetry in Windows doesn't prevent programs from collecting metrics, it disables the transmission of Windows metrics to Microsoft. Can you give an example of the kind of 'disable telemetry' option you describe which prevents third parties from fingerprinting or transmitting data?
Sure! On an iPhone, Settings | Privacy | Analytics | Share with App Developers (there's an option "Share iPhone Analytics" right before it that has explanatory text that says it's specifically about sharing with Apple) and Settings | Privacy | Advertising | Limit Ad Tracking.
On the browser side, options about camera access, microphone access, location sharing, etc. are about sharing it with websites, who are not entitled to make their own permission prompts. Options about third-party cookies affect third-party cookies from websites, not from third parties who work with the browser developer.
I'm sorry, but this is a somewhat uncharitable analysis given the audience this browser is aimed at.
I took their statement in good faith to mean that their software doesn't actively send telemetry to all and sundry without you knowing.
Anyone concerned about privacy would already be aware of tracking that occurs once traffic has left the browser which is clearly difficult to influence.
It's not worded precisely, but I believe what they have in mind is tracking performed without prior consent by the browser author. Obviously if you don't block tracking scripts that doesn't protect you from websites that want to track you, but that's not the point of the statement.
> It's not worded precisely, but I believe what they have in mind is tracking performed without prior consent by the browser author.
That was my interpretation. If I tell someone "I'm not collecting any data on you, so you don't have to worry about being tracked", it would be odd for them to accuse me of lying or being incompetent since obviously the government is tracking them.
No, it's not obvious. If you don't have any idea how it works, it's easy to read in that statement that not including telemetry in the browser prevents all tracking, including by sites.
This seems more like people having different ideas of what the word 'telemetry' means than a malicious statement meant to mislead users. Telemetry metrics were used before the digital age in diving equipment, rockets, airplanes, factory equipment, etc. Traditionally, they are used exclusively to better understand and improve the performance of the device collecting them (and nothing else).
Recent unethical practices of either using true telemetry metrics for advertising purposes or collecting data not used to improve the software under the guise of 'telemetry' have muddied the meaning of the term. I agree that the author could change the phrasing in that blurb to use a different word which has not shifted meanings in the last decade.
Sorry maybe I worded it badly? But I thought the context of the sentence made it clear that Waterfox itself does not collect any telemetry or usage information.
This sentence has nothing to do with websites themselves.
I'll try and make the sentence a bit more obvious to avoid confusion :-)
Awesome! I think it makes sense to most people on HN, because we know about these things, but I doubt to anyone not on here (and I'm willing to bet more people than we'd suspect here).
I think there could be a simple fix that specifies that Watermark is not doing the tracking.
> Waterfox does not collect ANY telemetry, meaning you don't have to worry about us tracking or using information about what you do inside YOUR browser.
I think this sentence is still compelling and I don't find it misleading.
> Or they are aware and lying, which begs the question of how we can trust anything else.
It raises the question [...].
I'd also say that while your points are valid, it's perhaps a bit too black/white to completely distrust them based on such a statement. On the other hand, who's behind this browser exactly? With Mozilla Firefox, Mozilla is behind it, and development is in the open.
For Mozilla Firefox I can recommend CanvasBlocker [1] to mitigate the technique you described. However, it comes at a price: you'll have a harder time with captchas.
This is like saying that a given browser is malicious, because it sends HTTP requests, accepts cookies and uses JS. It's a fork of Firefox (or distribution?), so you're barking up the wrong tree.
Given the project is so small, I wouldn't trust their future response to be rapid even if they have been in the past.
Right now most security fixes come in the form of merging upstream security fixes from Mozilla. As their code base becomes increasingly divergent to the Firefox head, merging in upstream security fixes will become increasingly difficult and increasingly cumbersome.
I guess if someone really needs to use a legacy extension, it's a good thing that it's around, but I'm personally glad that XUL is dead both from a developer standpoint and as a user.
Yeah, projects like this give me the heebie-jeebies, to be honest. NPAPI and XUL were discontinued for really good reasons. Some users say they still want them, but that's because (1) people hate change, even when it's good for them and (2) they don't really appreciate all the security baggage those old APIs were lugging around with them. Projects that assure those users that they can keep on trucking with their old plugins like there's no problem just encourage them to do dangerous things they really should not be doing.
Saying that "people hate change, even when it's good for them" has to be the most arrogant thing I've read today. If someone is most comfortable using their browser with a certain extension for which there is no good WebExtensions-based alternative, how can you say that forcing them to stop using that extension is "good for them"? Even if there is a suitable alternative, which requires re-learning a bunch of things the user is used to, how is that change "good for them"?
The move away from XUL and NPAPI is great for Mozilla, it makes it easier to maintain and develop the browser, it's probably good for extension developers (except for those who now can't port their extension to the new API because it's more limited), but it's not good for users who are forced to take time out of their day to find alternatives or users who just have to accept that what they were previously using their browser for just isn't possible anymore with Firefox.
Saying that change is "good" for users even if the users don't realize it and resist, prevents us from considering the very real negative effects of introducing breaking changes or removing features of our software.
> If someone is most comfortable using their browser with a certain extension for which there is no good WebExtensions-based alternative, how can you say that forcing them to stop using that extension is "good for them"?
If supporting that extension requires exposing the user to security risks.
The downside of “extensions can do anything!” is that it means extensions can do, well, anything, including things that are hostile to the user’s interests. A more restrictive API means some things extensions used to be able to do aren’t possible anymore, but that’s as true of the bad things as it is of the good. And the bad things were bad enough that it was worth losing the good ones to protect users from them.
Look, I get it, it sucks to lose an extension you like and rely on. I lost a couple of these in the move myself. But the browser’s first responsibility to the user is primum non nocere: “first, do no harm.” And those old APIs, which were naïvely designed twenty years ago in a time when the Internet was far less weaponized than it is today, were exposing an awful lot of people to a great deal of harm.
I'm not trying to argue that Firefox shouldn't have deprecated XUL or NPAPI. I'm one of the people who didn't depend on any add-ons which aren't available anymore; I just had to update the add-on I wrote to work with the new API, which was easy because it's one of those add-ons which essentially just needs some javascript to be injected into all web pages.
I'm just saying that when Mozilla decided to break the browser for many people, it wasn't "good for" the people who ended up with a browser which doesn't let them do what they want. It's not even "good for" the people who "only" had to invest hours into learning a new workflow with a new set of add-ons. Pretending that it is, is harmful; there are very real drawbacks which have to be weighed up against the advantages of a cleaner API which it's easier to maintain and which might be more secure. I think Mozilla absolutely made the right choice; I just don't think we can focus exclusively on the benefits and pretend that the costs don't exist.
I'm also kind of curious about how the security angle works. Currently, any WebExtension which asks for the proper permission can just read the content of your banking websites if it wants, and send what it finds (your social security number, your password, your bank account numbers, etc) to an attacker. With the new API, you still have to make sure not to install malicious add-ons. How is that different between XUL and WebExtensions?
> The downside of “extensions can do anything!” is that it means extensions can do, well, anything, including things that are hostile to the user’s interests.
This is also arrogant: why do you think it is OK to say I can't do something I want to do because it is possible that I use that freedom to do something that harms my own interests? People fundamentally should be allowed to do things that harm them if blocking them from harm restricts their ability to do things they wanted to do; I mean, you aren't even suggesting some kind of user-controlled sandbox: you are advocating for putting the user themselves in a sandbox because you think they are too stupid to handle power.
There's zero hope of implementing something like the unfortunately named Scrapbook Plus & Scrapbook X research addons. In-browser editing & powerful manipulation, full text search within saved pages, direct access to the saved archives, the sidebar, the specialized capture options and quite a bit more require features (XUL-based and otherwise) that Mozilla won't implement. It's the biggest thing keeping me on Waterfox beyond Mozilla's continual slide into sleaziness on privacy and afaik no browser not based on pre-quantum firefox supports anything like it.
Beyond research or archiving pages I think will disappear, if I want to yank the content from posts across five sites, clean it up quickly, merge it into a single document and export it for conversion with calibre it's trivial with Scrapbook X and a pain with anything else I've tried. If I want to archive everything that I look at while digging into a topic or site I just turn on auto-save and start browsing. I'm fairly certain having no replacement for a major part of my workflow & browsing habits doesn't mean that I'm anti-security* or I'm scared, but that Mozilla no longer supports the tools I need. I'm grateful that Waterfox does.
*It's almost a hobby: Firejail, uMatrix & NoScript in paranoid mode, rejecting all cookies by default & extensive use of containers, different vpn connections and separate profiles for different kinds of browsing, etc.
The problem is that the replacement is crippled and Google is clearly more interested in stripping features from the extension API. I'm still waiting for a way to hide the tab bar which is a privileged UI feature now.
- At first, the discussion on bugzilla [1] is reasonable: user stylesheets off by default for performance, and there's even backward compat code enabling the pref during Firefox 68 if you are using them. All good...
- ... but then comes this legacy in the pref name :-| :-| :-|
I hope Mozilla keeps the feature alive, it's appreciated by many "power" users.
EDIT good news: re-reading recent comments, in https://bugzilla.mozilla.org/show_bug.cgi?id=1541233#c61 , Florian Quèze (mozilla dev) affirms: "the word 'legacy' was used in the preference name to avoid giving the impression that with this new preference we are adding a new customization feature. I'm not aware of any plan to drop support for these files".
Ugh, if you're gonna pull this shit make sidebar tabs first class! They knew this way before they switched, gave some lip service to make sure the most popular extensions would get the support they needed, and now however many releases later I still have to dig through hidden files and hash-named profile directories to make this work right. And still no usable alternative to tab groups last time I checked, which they took out of core with the reasoning that it should be an extension. At least adblock still works.
Being compatible with the Extension API doesn't require Mozilla to follow Google on every decision. As long as the deviations are well documented and developers perform feature detection, Mozilla won't ever have to make changes that serve the interests of Google ahead of their users.
And (3) they are still having to support old broken shit at work which requires NPAPI plugins or even shudders java. Not everyone lives in a tech utopia.
I loved DownThemAll, but I'm not sad to see it go because I realised how rarely it was actually needed these days. The downloading interface built into Firefox really is fine 99% of the time.
On the rarer occasions that I need to download extremely large files, I send them to an HTTP download client (pyload) that runs directly on my NAS in docker.
One thing that DownThemAll got right that I am not sure any other downloader I have found does is that if a download is terminated by the server before the reported file size of the file had been downloaded, it would see that as a failure and retry. Unreliable servers often terminate the download partway through and it seems most other download managers, browsers etc. will just leave the truncated file on the disk and report the download as successful, not allowing you to continue from where it got to.
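The retry-on-short-body behaviour described in the comment above, written out in Python as an added example (not from the thread and not DownThemAll's code). `fetch_verified`, `total_size` and `TruncatedDownload` are names chosen here; it assumes the server reports a size, and it restarts from zero when the server does not honour `Range` requests.

```python
import http.client
import os
import sys
from urllib.parse import urlsplit


class TruncatedDownload(Exception):
    """The server never delivered the number of bytes it advertised."""


def total_size(resp):
    """Full resource size: from Content-Range on a 206, else Content-Length."""
    if resp.status == 206:
        # e.g. "Content-Range: bytes 3000-10239/10240" -> 10240
        total = resp.getheader("Content-Range", "").rpartition("/")[2]
    else:
        total = resp.getheader("Content-Length", "")
    return int(total) if total.isdigit() else None


def fetch_verified(url, dest, max_attempts=5, chunk=64 * 1024):
    """Download url to dest; a short body counts as failure and is resumed.

    Returns the number of attempts used. Raises TruncatedDownload if the file
    is still incomplete after max_attempts, or if the size cannot be checked.
    """
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    if os.path.exists(dest):
        os.remove(dest)  # never append to an unrelated older file

    for attempt in range(1, max_attempts + 1):
        have = os.path.getsize(dest) if os.path.exists(dest) else 0
        headers = {"Range": f"bytes={have}-"} if have else {}
        conn = conn_cls(parts.hostname, parts.port, timeout=10)
        try:
            conn.request("GET", target, headers=headers)
            resp = conn.getresponse()
            if resp.status not in (200, 206):
                raise TruncatedDownload(f"unexpected HTTP status {resp.status}")
            total = total_size(resp)
            if total is None:
                raise TruncatedDownload("no size reported; cannot verify")
            # 200 in reply to a Range request means the server ignored it:
            # overwrite instead of appending a second copy of the start.
            with open(dest, "ab" if resp.status == 206 else "wb") as out:
                try:
                    while block := resp.read(chunk):
                        out.write(block)
                except http.client.IncompleteRead as exc:
                    out.write(exc.partial)  # keep the bytes that did arrive
        except (ConnectionError, TimeoutError):
            continue  # dropped mid-transfer: retry from the current offset
        finally:
            conn.close()
        # The check most clients skip: bytes on disk vs. advertised size.
        if os.path.getsize(dest) == total:
            return attempt
    raise TruncatedDownload(f"incomplete after {max_attempts} attempts")


if __name__ == "__main__":
    print(fetch_verified(sys.argv[1], sys.argv[2]), "attempt(s)")
```

A matching size only shows that the transfer completed; it says nothing about whether the content is the file the publisher released, which needs a published checksum or signature.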
Yes, and I remember really appreciating DownThemAll's quite robust architecture back when I had a 1.5 megabit ADSL connection. But now that I have a 100 megabit connection at home, I'm rarely downloading anything that doesn't finish within 5 minutes. In the exceedingly rare event that a 10GB download fails, it's just not a big deal to start it again.
I didn't really use the segmented downloads feature. The important part of it for me was the fact that I could download all the files of a particular type and download URL ranges. Stuff like https://example.com/[0-999].png.
You can do that rather easily with curl (comes with Windows nowadays) or wget. Just copy the resource location of the object you want as curl command line string from developer tools (cf https://stackoverflow.com/a/33384016 ) and adjust the range (same syntax as DownThemAll) and download it manually.
I don't care about the technical details as a user as long as I can get the functionality I want. I want to be able to move UI elements around like menu bars, tabs, bookmarks bar, address bar. I need DownThemAll or something equal to it to work because I use it a dozen times a day.
I am glad Mozilla made the much needed change and don't have long-term problems with Mozilla other than perhaps lack of trust. I did not like how Mozilla made the swift change with little announcement for long-term add-ons though, particularly making the change right after allowing for multi-processing.
My recollection of the change is that they did announce it well in advance, but left many of the needed replacement APIs missing or broken until it was far too late for many developers to make the switch before XUL got deprecated. (We're still feeling the effects of the lacking WebExtensions APIs, actually.)
It was a bit of both as I see it. Tab-groups developer quit soon after rewriting the add-on to fit the multi-processing update (which was announced several years in advance I believe, and was anticipated nonetheless), and then right after Mozilla announced the deprecation of XUL in favor of WebExtensions in a year's time, forcing another rewrite and wouldn't be fully functional until the replacement APIs are developed.
Besides, that replacement APIs haven't even now been fully developed points all the same to Mozilla forcing WebExtensions much too quickly, as waiting more would have fixed this problem from occurring.
I'm still waiting for a working vertical tabs extension that doesn't leave the tab bar across the top wasting space. Dumping XUL is why it's hard to see firefox as a viable browser.
That was my determination as well. Reading the features of the browsers just led me to believe they were unhappy with the changes Mozilla was making to Firefox which both improve security and performance.
I wonder what performance is like? I can't imagine it's great.
I suppose the difference is that in Firefox you have to opt out of it, and in Waterfox you opt in (?). The default makes a difference, since most users don't know about it.
Looks like there is another version of waterfox at the .org domain. Which domain is the correct one? Can you get the incorrect domain de-listed from google search results?
It still allows rich customisation, via classic XUL addons. I have a vertical tab bar, merged with a vertical bookmarks bar, which is flattened via another addon. I have a rich download manager with multi-streaming, resuming, and more.
When Firefox Quantum came out, 13 of my 17 add-ons stopped working. Several versions later, I can customise it a bit, but only in limited, clunky ways, requiring manual hacking of userChrome.css, and it's not very widescreen-friendly.
I don't care about privacy. Scott McNealy was right in 1999, and he's still right: "You have no privacy on the Internet. Get over it."
I don't like the new Firefox and I probably won't be back. Waterfox fills the need nicely.
Yes :).
But in either case, if the browser is advocating for "no data collection" and "no telemetry" I would at least expect no referral links or Google Analytics on their homepage.
Looks like it's a sponsor of their CDN. The link doesn't embed any tracking that I can see. It's simply a referral link so that stackpath can determine how many people clicked from waterfox.
So, here's a thing to work on... This is what I did:
I went to the landing page and thought: sounds good. But version 56? When was this last updated? Firefox is long beyond 56. Went to the "releases" page and found nothing about when 56.2.10 was released. Had to go to their Twitter account to find out it's dated 2019-05-20.
I would also recommend renaming the "releases" page to "download" if you wish to reach beyond the geek pool.
I really think that it is cool that there is a browser that is looking towards maintenance of what we had (XPCOM, NPAPI for old plugins) versus creating something new.
Is this the same Waterfox that was a Firefox build for 64-bit Windows? Is it moving towards privacy now that Firefox is 64-bit on Windows, or do the projects just share (an obvious) name?
I used Waterfox about 8 years ago, since standard Firefox didn't provide 64-bit Windows releases. After about a year, I got frustrated that it was skipping every other release, so I went back to standard Firefox. Between using NoScript (blocking most scripts), and benchmarks showing 64-bit wasn't much (if any) faster, I didn't notice standard Firefox being slow.
This has been around for a while. I used it as my primary driver several years ago, back when its main feature was that it had 64-bit support. After Firefox implemented a 64-bit build, I sort of just assumed waterfox would die off. Neat to see they've kept around and changed focus.
Java NPAPI is still maintained AFAIK, but not sure for how much longer.
And a few of my friends say that they have Waterfox deployed company wide because of NPAPI support, which means they don't have to still use an out-dated browser which is cool!
I think it is visibly faster. And there are still some nice classical addons that you can install using the addon archive. Together with the newer addons.
Well, I guess you can check for update without disclosing OS, but since binaries differ between OS you need to disclose OS to actually download the update.
Browser version is not necessary, but sending browser version allows serving smaller binary diff instead of full binary, which Firefox actually does.
Dumb question maybe, but regardless of the browser you use, isn't your ISP able to collect a ton of data either way just based on the network traffic? How happy should I really be that the browser vendor (Watermark or any other browser) itself might not also be doing it also?
Not sure why you got downvoted, this project answers the question exactly. People downvote nowadays without giving any information as to why the post is bad. When it's sarcasm, I get it, but when it's an actual answer...
There's even more if you include WebKit-based browsers[1]. Out of those I would strongly recommend surf[2], which is not discontinued despite what Wikipedia says (latest upstream commit was a few months ago[3], but there are many active forks as well).
Shameless plug, but I've used my own fork[4] as main web browser for the past few months, and despite the amount of hacks and limitations, it fits my workflow on Linux quite well. It does involve some external tooling and configuration, and I still keep Firefox and Chromium around for tricky sites, but it's provided a great user experience more often than not.
The key benefit of surf is its simplicity, which we should all strive for as programmers and consumers of technology. The entire browser is under 3KLOC of very readable and well-documented C code. Granted, it relies heavily on WebKitGTK, but it avoids all the mess and complexity of modern browsers, extensions and security concerns simply because of its minimalism.
I would encourage anyone willing to make certain compromises to give it a try and contribute so we can make it easier to use and approachable for a larger and non-technical user base. As web browsers have become the main gateway to the Internet for a vast majority of people, we should actively work towards preventing abuses of user freedoms via aggressive advertising, fueled by corporate greed. We need to take the web back, and simplicity is key.
My goal would be to eventually strip out WebKit entirely, but that's a gargantuan task with no clear way forward, unfortunately. As mentioned in today's Google/ad-blocking thread, we need new and alternative browser engines, outside of the sphere of influence of large corporations.
[1] https://www.gnu.org/software/gnuzilla/
[2] https://trisquel.info/en/wiki/abrowser-help
[3] https://github.com/ghacksuserjs/ghacks-user.js