#58 Consider fixing the Mitigation guide for Firefox

Open
opened 3 months ago by Rupert · 11 comments
Rupert commented 3 months ago

First of all, sorry if this topic sounds harsh.

Unfortunately, arkenfox user.js maintains a lot of automatic connections, geolocation, safebrowsing and son on.
You old guide was by far better than this.

Nowadaways, Mozilla is bloating its browser and it's almost impossible to mitigate it.

After trying dozens of user.js this is the best I found (from a forked arkenfox one)
https://git.nixnet.services/Narsil/desktop_user.js
However, we still have to add firefox.settings.services.mozilla.com to our host file.

This way, it seems there is no unsolicited connections, but what will be the next step? Will we have to continue adding more and more in the future in order to control Firefox?

To sum up I think you would consider even deleting that guide.

Thanks for your time.

First of all, sorry if this topic sounds harsh. Unfortunately, arkenfox user.js maintains a lot of automatic connections, geolocation, safebrowsing and son on. You old guide was by far better than this. Nowadaways, Mozilla is bloating its browser and it's almost impossible to mitigate it. After trying dozens of user.js this is the best I found (from a forked arkenfox one) https://git.nixnet.services/Narsil/desktop_user.js However, we still have to add firefox.settings.services.mozilla.com to our host file. This way, it seems there is no unsolicited connections, but what will be the next step? Will we have to continue adding more and more in the future in order to control Firefox? To sum up I think you would consider even deleting that guide. Thanks for your time.
baobab commented 3 months ago
Owner

I'm unsure how being a bloated browser has to do with disabling spyware. If you feel as though using a user.js doesn't help, I'm not sure why you'd be using Firefox to begin with.

Using ghacks with a few tweaks helps a lot of people who are stuck on Firefox. Unless if there's a better way to mitigate Firefox, I prefer to leave the guide be.

I'll retest Firefox later on and show specific options to disable that isn't covered by ghacks.

I'll leave this up to @anonymous for the final decision.

I'm unsure how being a bloated browser has to do with disabling spyware. If you feel as though using a user.js doesn't help, I'm not sure why you'd be using Firefox to begin with. Using ghacks with a few tweaks helps a lot of people who are stuck on Firefox. Unless if there's a better way to mitigate Firefox, I prefer to leave the guide be. I'll retest Firefox later on and show specific options to disable that isn't covered by ghacks. I'll leave this up to @anonymous for the final decision.
baobab added the
wontfix
label 3 months ago
baobab removed the
wontfix
label 3 months ago
anonymous was assigned by baobab 3 months ago
Rupert commented 3 months ago
Poster

Sorry for the pesimistic message.

Anyway, if would be nice if you add those specific options.

People come here looking for the connections of their browsers and how to mitigate them. However, arkenfox (new name for ghacks) isn't the best way.

On the other hand, Mozilla telling us we have to add some of them to the host file is a nefarious behaviour.

BTW, on mobile it appears the same connection.

Greetings.

Sorry for the pesimistic message. Anyway, if would be nice if you add those specific options. People come here looking for the connections of their browsers and how to mitigate them. However, arkenfox (new name for ghacks) isn't the best way. On the other hand, Mozilla telling us we have to add some of them to the host file is a nefarious behaviour. BTW, on mobile it appears the same connection. Greetings.
Owner

The guide needs to be updated.

https://git.nixnet.services/Narsil/desktop_user.js

Page doesn't seem to load, even with JS turned on?

And thank you for bringing the issue to our attention.

The guide needs to be updated. > https://git.nixnet.services/Narsil/desktop_user.js Page doesn't seem to load, even with JS turned on? And thank you for bringing the issue to our attention.
Rupert commented 3 months ago
Poster

That Git instance seems to be quite erratic.

Reload the page once or even several times.

That Git instance seems to be quite erratic. Reload the page once or even several times.
Owner

Possibly worth investigation or adding into "further reading":
https://old.reddit.com/r/privacy/comments/d3obxq/firefox_privacy_guide/

Possibly worth investigation or adding into "further reading": https://old.reddit.com/r/privacy/comments/d3obxq/firefox_privacy_guide/
Owner

Also, you are correct in about

Will we have to continue adding more and more in the future in order to control Firefox?

Firefox continues to add more bloat and botnet, and switching to a different browser should be done any user (im currently working on a page for this).

But at least for now we will provide the guide so long as it is doable.
Especially since there is a user.js out there that seems to get ~95% of the unwarranted connctions to stop (not that that is enough, if indeed it is only 95%).

Also, you are correct in about > Will we have to continue adding more and more in the future in order to control Firefox? Firefox continues to add more bloat and botnet, and switching to a different browser should be done any user (im currently working on a page for this). But at least for now we will provide the guide so long as it is doable. Especially since there is a user.js out there that seems to get ~95% of the unwarranted connctions to stop (not that that is enough, if indeed it is only 95%).

@anonymous
"switching to a different browser should be done by any user"
I agree but the only obstacle that i see are distributions not having these browsers in their repos or them having Firefox as the default. (with the default user.js for some reason..) I do not see flatpak or equivalents as a good way to package anything, in fact they should not be a thing.

@Rupert
You're using something that mozilla made and you're using a browser of course, it is of no surprise that there's something verbose thrown in there. probably and maybe opening up an issue (to mozilla) will grant a good explanation of what is being sent to that address.

@anonymous "switching to a different browser should be done by any user" I agree but the only obstacle that i see are distributions not having these browsers in their repos or them having Firefox as the default. (with the default user.js for some reason..) I do not see flatpak or equivalents as a good way to package anything, in fact they should not be a thing. @Rupert You're using something that mozilla made and you're using a browser of course, it is of no surprise that there's something verbose thrown in there. *probably* and *maybe* opening up an issue (to mozilla) will grant a good explanation of what is being sent to that address.
Rupert commented 3 months ago
Poster

@Rupert
You're using something that mozilla made and you're using a browser of course, it is of no surprise that there's something verbose thrown in there. probably and maybe opening up an issue (to mozilla) will grant a good explanation of what is being sent to that address.

According to https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections

*Login breach information

Firefox Monitor warns you if your online accounts were involved in a known data breach.
For more information, see Firefox Lockwise - Alerts for breached websites.

To get the latest login breach information and more, Firefox connects to **firefox.settings.services.mozilla.com **

> @Rupert > You're using something that mozilla made and you're using a browser of course, it is of no surprise that there's something verbose thrown in there. *probably* and *maybe* opening up an issue (to mozilla) will grant a good explanation of what is being sent to that address. According to https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections *Login breach information Firefox Monitor warns you if your online accounts were involved in a known data breach. For more information, see Firefox Lockwise - Alerts for breached websites. To get the latest login breach information and more, Firefox connects to **firefox.settings.services.mozilla.com ** *
Rupert commented 3 months ago
Poster

This is a madness...
And now, we have to add aus5.mozilla.org to the host file.

This is a madness... And now, we have to add aus5.mozilla.org to the host file.
baobab commented 3 months ago
Owner

Yeah, I just tested the ghacks last night. Their user.js is horrible. I'm not sure why in my right mind I decided to use it in the guide. If I remember correctly, they didn't use to be like that. I'll put a deprecated warning in the guide tomorrow and maybe next week I'll update it with a better user.js.

I'm changing the title from "Consider deleting Mitigation guide for Firefox" to "Consider fixing the Mitigation guide for Firefox" for better accuracy of this issue.

Yeah, I just tested the ghacks last night. Their user.js is horrible. I'm not sure why in my right mind I decided to use it in the guide. If I remember correctly, they didn't use to be like that. I'll put a deprecated warning in the guide tomorrow and maybe next week I'll update it with a better user.js. I'm changing the title from "Consider deleting Mitigation guide for Firefox" to "Consider fixing the Mitigation guide for Firefox" for better accuracy of this issue.
baobab changed title from Consider deleting Mitigation guide for Firefox to Consider fixing the Mitigation guide for Firefox 3 months ago
baobab added the
bug
label 3 months ago
baobab self-assigned this 3 months ago

@baobab

I've never seen the profile manager being mentioned. Have a profile that disables telemetry, zaps fingerprinting and gets rid of other anti-features at its fullest and simply have another one that is less strict. Problem solved and no need to leave stuff in because of (x) not working properly.

@baobab I've never seen the profile manager being mentioned. Have a profile that disables telemetry, zaps fingerprinting and gets rid of other anti-features at its fullest and simply have another one that is less strict. Problem solved and no need to leave stuff in because of (x) not working properly.
baobab referenced this issue from a commit 3 months ago
Sign in to join this conversation.
No Milestone
No Assignees
4 Participants
Notifications
Due Date

No due date set.

Dependencies

This issue currently doesn't have any dependencies.

Loading…
There is no content yet.