Mama told me not to come.

She said, that ain’t the way to have fun.

Joined 1 year ago
Cake day: June 11th, 2023

  • And how do they have effective marketing? Turns out it is well crafted propaganda.

    Propaganda can be good or bad depending on your perspective, and a lot of effective marketing could be categorized as propaganda.

    Proton, for example, uses propaganda about freedom and privacy in their marketing, yet they’re actually selling a suite of services for email, data storage, VPN, etc. That’s true for pretty much every privacy-oriented product and service.

    I’m not all that interested in deciding what counts as propaganda, I’m interested in the details of products and how effective the marketing is at getting people interested in those products.

    They concluded after 2 years of investigation that USA labs are more likely to be the origin of virus than China labs.

    They were cooperating together. US labs collaborated with Chinese labs to do research. I don’t think it getting out was intentional by any party, but the right heavily implies it to fit their anti-China narrative and the left downplays it to fit their “China isn’t so bad” narrative. As is the case most of the time, the truth is probably in the middle.

    Go question or criticise them on their forums.

    That is not a litmus test of technical merit, that’s a litmus test of how big their ego is. That’s irrelevant.


  • If it serves to destroy privacy and anonymity at the expense of them getting to control privacy community

    Again, this seems blatantly false. Nothing GrapheneOS does destroys privacy or anonymity, they just prioritize security.

    And they don’t control “the privacy community,” they just control a few popular, privacy-oriented corners of the web. By its very nature, you can’t control “the privacy community” because the privacy community is all about bucking control. In fact, “privacy community” is kind of an oxymoron, privacy enthusiasts try to limit talking about themselves. If you pair privacy and anonymity, you’ll get discussions about solutions, but people probably won’t try to sell you on any one solution.

    GrapheneOS is a security-focused OS with strong privacy and anonymity features you can choose to use. Here’s their tagline from their webpage:

    The private and secure mobile operating system with Android app compatibility.

    That’s what they deliver, privacy and security, and they do both reasonably well. If you look at their FAQ, private or privacy appears about 60 times, secure or security appears over 100, and anonymous appears once. If you read their documentation, it’s clear that their focus is security first, privacy second, and that’s about it.

    They’re not the only game in town, but they do have the most effective marketing. If that gets people interested in security and privacy that otherwise wouldn’t, that’s a good thing! Like any org, I think they have flaws, but I think they’re generally a force for good.

    Trump is treated as a disease in USA due to this very reason, him claiming “China virus” needs to be cured using eating bleach, fentanyl, other people claiming to eat tidepods and all kinds of mentally deranged nonsense.

    Again, more inaccuracies. The FBI thinks COVID-19 likely came from a lab, so “China virus,” while inflammatory, isn’t necessarily too far from the truth. I doubt it was intentional, but that explanation seems more likely than the official explanation of “wet market.” The US was also likely complicit here since the CDC was likely helping fund “gain of function” research (compare recent Congressional investigations vs the original statements).

    Trump is problematic because he’s a narcissist that will say anything to get attention, regardless of the truth. But sometimes he says true things, if they benefit him (or he gets lucky; I doubt he researches much).

    After years of endlessly engaging with people trying to make them understand, there are not enough people listening to me.

    Why are you making this about you? We were talking about the technical merits of various policies, but you seem to keep bringing up Daniel Micay and yourself. I don’t see how either is relevant.

    I honestly don’t care too much about you (no offense intended) or Daniel Micay, I care about technical merits of apps and hardware. I’m reasonably technical, so I think I can do a decent job judging for myself which products fit what I want, and I recommend them accordingly. I’ll often point out if a project has toxic leadership, but a good product is a good product.

    So if you want to engage with me, it’ll be on a technical level with no personal attacks.


  • Blocking 3rd party scripts and frames

    Yes, there are multiple ways to address a given problem, with different tradeoffs. I don’t know the specifics of per-site isolation, but I’m guessing it also protects against non-JS attacks like CSS or HTML-processing attacks, which could trigger those same Spectre/Meltdown-style attacks. That’s a pretty niche case, but hopefully it shows that even a good plan has potential holes.

    Ideally, we could eat our cake and have it too, and hopefully Mozilla is working on that. In the meantime, you need to decide if you want something more configurable (Tor, you, and I seem to prefer this) and accept tradeoffs, or solve for the general case of scripting enabled (e.g. Chromium’s isolation). Micay isn’t wrong for his preference, and you and I aren’t wrong for ours.

    there is no privacy without security

    That’s close to the truth, but it’s a system of degrees. You need enough security to make protecting privacy feasible. But they are separate goals, especially if adding Anonymity into the mix. For example:

    • secure, but not private or anonymous - Google services; you can’t get much better security than gmail, but it’s horrendous for privacy because Google’s reading your stuff; or a more tangible example, it’s like living in a bulletproof glass house
    • private, but not secure or anonymous - closing the blinds at your house, and not locking doors; nobody can see what you’re doing, but home ownership is public record and anyone can walk in
    • anonymous, but not secure or private - counter-protesting - they don’t know who you are, but everyone can see and hear you, and they can come beat you up

    But there’s a lot of overlap too. Really good privacy often requires pretty good security, especially depending on your threat model. Effective anonymity also requires good security and often provides good privacy. So it’s not necessarily wrong to say they’re extremely closely related, so I could see it being shortened to “no privacy without security” as a general rule of thumb.

    The only method to counter their malicious narrative is nullifying their advice and proposed/developed tools

    I disagree on all accounts:

    • I don’t think their narrative is malicious, I think it’s overly simplified, which is what you want in a sales pitch
    • nullifying their advice isn’t worthwhile, there’s more than one way to solve a problem, and different problems can look similar

    Instead of attacking them, I think it’s better to provide accurate information that they’re omitting. If you aggressively attack something, it puts people who like/support that thing on the defensive (relevant Louis Rossmann video, who you should like because he ripped into Daniel Micay as well). Instead, highlight the benefits of your proposed solution, and limit your criticism of other solutions to only those that negatively impact your target audience.

    At least that’s my takeaway from various sources (laws of power, how to win friends and influence people, etc).

    Fission has existed since many versions as experimental on Android, and I have tried it, but it causes bugs and crashes after using browser for a while.

    Yup, it’s not ready yet on Firefox, hence why I don’t use that experimental feature.

    dFPI

    Well yeah, Google is an ad company, so they’re going to be slow in adopting things that make advertising less effective/gives them less data. I’m guessing they’ll implement it once they can effectively use first party cookies to serve ads (would require websites to help).

    FPI isn’t really a security feature (login cookies and whatnot are first party and thus not sent to third parties), it’s a privacy feature. Google doesn’t particularly care about privacy, only security.


  • If site isolation isn’t a critical security feature, why would Mozilla implement it and say that it is?

    Without Site Isolation, Firefox might load a malicious site in the same process as a site that is handling sensitive information. In the worst case scenario, a malicious site might execute a Spectre-like attack to gain access to memory of the other site.

    Despite existing security mitigations, the only way to provide memory protections necessary to defend against Spectre-like attacks is to rely on the security guarantees that come with isolating content from different sites using the operating system’s process separation.

    So Firefox for Android not having this feature makes it less secure than browsers that do, at least for this class of attack.

    Tor Browser being built on Firefox shouldn’t imply that Firefox is more secure than anything else, it means Firefox is closest to its requirements, which are a lot more than security features. The two biggest reasons, from what I can glean, are:

    • LTS release - means users are far more likely to report the same fingerprint and whatnot, and releases only need to be closely scrutinized on major releases; this is an anonymity feature, not a security feature
    • only needs a handful of patches to meet goals instead of a big reengineering - it says more about Firefox’s config options than security features

    Don’t get me wrong, Firefox absolutely is a secure browser (incl. Android), but it is missing certain security features vs Chromium-based browsers. Tor is more interested in privacy and anonymity than security (though security is still a priority), so pointing at them isn’t really a valid argument (it’s an appeal to authority at best).

    Google is really interested in security, and not interested in privacy or anonymity, because being secure gets orgs interested, and orgs have valuable data and users. If your primary concern is security, you’ll probably be better off with Chromium browsers, and that seems to be where Micay is coming from. But if privacy and/or anonymity is your goal, Firefox is easier to configure to meet those goals, and it’s pretty secure too.

    That’s why I use Firefox despite being fully aware of Firefox’s security limitations. I’m told per site isolation is in progress on Android, so that’s pretty cool.


  • Both things can be true. Firefox is less secure in the site isolation area, but that’s just a backup to the things Firefox is already doing. Firefox is still plenty secure, though it would be quite nice to have this feature.

    I use Mull because it takes the best parts of Tor Browser and ships it through F-Droid. For those unaware, it’s basically Firefox with additional privacy settings enabled by default, and it syncs just fine with Firefox browsers.

    Yes, don’t buy into FUD about Firefox being insecure, but also don’t misrepresent the value this feature brings. It’s not a must-have for me, but I do very much want it.


  • You can sideload if you have the extension file.

    The proper response, imo, is to implement third party add-on repos, so if Mozilla is forced to remove access to something, someone else can make a mirror or something. That way someone could create and host a repo that has blocked extensions and Mozilla doesn’t get in trouble for it.

    There should absolutely be a line drawn here. Mozilla shouldn’t make any code changes to any of their services to appease censorship orgs (e.g. domain block lists). Blocking access to services that can be hosted/replaced by someone else shouldn’t be an issue.



  • That’s certainly true from Google’s or Meta’s perspective, but it wasn’t always that way.

    I get ads in my mailbox that are completely irrelevant to me, like Medicare ads (probably for the previous owner). As a kid, I watched lots of ads on TV that definitely weren’t applicable to me (e.g. cutco knives, when I wasn’t old enough to use a knife). I see billboards on my way to work for debt relief (not in any debt, aside from mortgage) and addiction recovery (no addictions here). Companies pay quite a bit for those ads even if they won’t be relevant for most people because of the sheer reach of those ads.

    I’m proposing a middle ground. Ad companies don’t get as accurate of targeting for ads, but in exchange they get seen by people who would otherwise block them.



  • Perhaps. But they can also intuit that if someone gets to the landing page without clicking the link, because that’s what that program appeals to. They also likely have a variety of other categories as well, such as non-obese and non-fit, lower class but living with parents, upper-class and single, etc.

    But the important thing is that they wouldn’t know which website the ad was served from or a unique identifier from the website to correlate to other data. If it’s replacing Google or Facebook ads, that can be a lot of data, including my occupation, hobbies, accounts at other websites, etc. If all they get is that I was at least a >X% match for their ad-campaign through Mozilla, I’m fine with that. I can always clear/prune my browsing history to reset what types of categories I fall into.

    But yeah, I get that many advertisers aren’t going to be interested in giving up that much data. However, if the alternative is no ads whatsoever, maybe that’s attractive enough that they buy in. Idk, but that’s my policy. If the ads won’t respect my privacy, I’ll block them. That’s my line in the sand. If Mozilla offers a product I’m okay with, I’d be willing to disable my ad-blocker for those sites that opt-in.