Mozilla is Evil
Firstly, many browsers are not your friends, so this is not a "Mozilla is worse than X" post.
So why bash Mozilla?
Google get bashed, Microsoft get bashed and Apple do, but the alternative is not a saint. It boasts about privacy but doesn't enable it for most users; it complains about tracking and then teaches web developers how to do it. It has had complaints for around a decade (since then there have been others, like 970092) that user privacy is being invaded because of browser features.
But Mozilla are just following a standard?
Mozilla staff can often play a key role in changing the web, from work on drafting standards to work on demonstrating new ideas with new features that are yet to be fully standardised. Web standards are not legal requirements and there is nothing to stop Mozilla either breaking from them to fix privacy and security or providing a default alternative release or feature flags that protect users.
Fixing the design that would break everyone?
So? Apple broke a lot when they stopped supporting Flash. Is Firefox incapable of leading beyond broken standards, to protect users when others have already demonstrated a precedent that it can be done? Firefox can even re-use the same security pattern adopted for SSL certificates: if you get into trouble, you can opt in to delegate to a less secure mode on a site.
So why does Mozilla have to lead?
Because they boast of caring about privacy.
Sites like https://advocacy.mozilla.org/en-US and https://www.mozilla.org/en-US/privacy/firefox/ boast of how they wish to defend privacy, but their flagship product fails most users.
Sorry, but whatever you do to cure the minority, if the majority are still suffering, then boasting about the minority is a falsehood. It's like BP boasting about its solar energy project... great job, but they're still mostly an oil company. Firefox is still mostly a web browser business for which most of their users have their privacy breached because of the insecure design of the flagship product.
But they have private browsing mode and tracking protection?
- Private browsing is designed primarily for local privacy from other users of a machine; don't confuse it with tracking protection. In doing so it achieved some mitigation of tracking cookies, but not saving history, searches, cookies and temporary files is quite an expensive feature set to lose. People typically would like to have these because they trust their local machine; it's the remote ones they want to protect themselves from.
- Which brings us to tracking protection, which, when included, blocks "many" trackers... Many? That's not enough, and on notable sites including health services I've found tracking still happens and referer URLs are still sent.
- It isn't turned on by default, so to be better protected, your first thought after installing Firefox has to be: I don't trust Firefox to protect my privacy by default, I need to configure that in. How many users think like that, and then how many know what to do? (Please at least install something like Privacy Badger from a very trusted source.)
- But... neither solves the problem of third party JavaScript running in the same context as the site you are using. This is a fundamental failure in the design of the web and one they acknowledge https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Security_best_practices - so they advise devs (if you find this page) not to do it, but don't advise their users when it is happening. Show a red flag, a "do you want to continue" notice or something to advise people this site executes remote JS.
But it's not their fault websites include tracking, it's web developers who add this stuff?
- Mozilla teach developers to add it https://developer.mozilla.org/en-US/docs/Learn/JavaScript/Client-side_web_APIs/Introduction
- Mozilla even showcase tracking happening on their own site https://developer.mozilla.org/en-US/docs/Learn/HTML/Multimedia_and_embedding/Other_embedding_technologies ironically, whilst also describing it as a security problem
- You have to go out of your way to then find the pages on why you shouldn't do this if you need security https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Security_best_practices. From my experience and watching other developers, the time between learning how to add insecure features and learning how to spot and fix that is typically years... not one or two years, maybe 5-10 if you're a good developer.
But you're blowing this out of proportion
No, when Snowden blew the whistle and shouted we were all being watched, he didn't recommend Firefox, he suggested Tor browser and that was five years ago. The fundamental design of the internet was failing society and in the last five years since, Mozilla hasn't protected most of its users. It cares about them as much as maybe BP cares about clean energy.
I've been complaining to various companies and regulators for years about browsers leaking data. The UK regulator even blogged about my complaint https://iconewsblog.org.uk/2015/09/16/does-your-website-have-a-leak/ as millions of users and several major sites suffered a major problem I found.
Since then I've started demonstrating some of the problems I've found https://www.youtube.com/channel/UCt0RTPkU-38xn5rUxZsWTig/videos and typically these problems boil down to three things: URLs leaking personal information in Referer headers; tracking IDs shared in cookies that allow cross-referencing of personal information between sites to build up an identifiable tracking picture; and third party JavaScript executed in the same context as same-origin scripts, which can perform complete account takeover and surveillance on a per-user basis, with little if any ability for a website to audit or realise it is happening if the attack uses a little competence.
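The Referer leak described above, as an added example that is not part of the original post: it computes the header a browser sends to a third party under each Referrer-Policy value, so a site owner can check which policy keeps a URL carrying personal data inside the origin. The URLs are constructed samples, the function names are hypothetical, and the downgrade check is simplified to HTTPS-to-non-HTTPS.

```javascript
// Added example: Referer value per Referrer-Policy (policy names from the
// W3C Referrer Policy spec). Function names and URLs are illustrative.

// Browsers always strip credentials and the fragment before sending a URL.
function strippedUrl(u, originOnly) {
  const url = new URL(u);
  if (originOnly) return url.origin + "/";
  url.username = "";
  url.password = "";
  url.hash = "";
  return url.href;
}

// Returns the Referer header value, or null when no header is sent.
function refererFor(pageUrl, requestUrl, policy) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const sameOrigin = page.origin === req.origin;
  // Assumption: "downgrade" is simplified to HTTPS page -> non-HTTPS request.
  const downgrade = page.protocol === "https:" && req.protocol !== "https:";
  const full = strippedUrl(pageUrl, false);
  const origin = strippedUrl(pageUrl, true);
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return origin;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : origin;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    default: throw new Error("unknown policy: " + policy);
  }
}

// Constructed sample: a page URL with personal data in the query string,
// and a third-party script the page loads.
const PAGE = "https://clinic.example/results?patient=jane.doe%40example.org#top";
const TRACKER = "https://analytics.example/collect.js";

for (const policy of ["no-referrer-when-downgrade",
                      "strict-origin-when-cross-origin", "no-referrer"]) {
  console.log(policy.padEnd(32), "->", refererFor(PAGE, TRACKER, policy));
}
```

A site can set the policy itself with a `Referrer-Policy` response header or a `<meta name="referrer">` tag rather than relying on the browser default.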
I'm not alone... browser based attacks are becoming more common and you only have to search Google News briefly to find things like:
- https://www.v3.co.uk/v3-uk/news/3026428/ico-website-taken-down-after-it-was-hacked-to-spread-coinhive-monero-mining-malware
- https://arstechnica.com/information-technology/2017/10/equifax-website-hacked-again-this-time-to-redirect-to-fake-flash-update/
Some aren't even attacks that were intended to be malicious:
The businesses that use analytics, advertising and social media services are often leaking a lot of tracking data and handing over keys to their castles. Their management and often even web developers are so naive about how insecure the web is by default, they don't realise that users are at risk from what these third parties are allowed to do in the browser.
So why is Mozilla Evil? Perhaps they're just not the best?
Remember they're not alone, they have company in their sins, but I'm pointing them out because people fail to and because I feel they are two faced. They are likely a lesser evil than some, but still...
They boast about why you should use them, because they care about privacy.
They boast of features that don't work properly, like tracking protection, that "mostly" works: what does mostly mean? Would you use a condom that was mostly watertight?
They don't inform most users. You don't know that when you visit this blog, your own computer has been used to send tracking data to various other companies... did you read my cookie policy? Do you know who's got access to this page? Are you reading what I wrote or what the analytics company JavaScript replaced it with?
I'm no angel
Edit 2019/03/22: This blog is being migrated off wordpress.com and hopefully does protect your privacy appropriately.
I'm not going to tell you this website is secure or private. Maintaining a website requires an operational overhead I feel I might get wrong and put users at a higher risk (it could get cryptojacked) and I've delegated instead to wordpress.com. Maybe I should find something better, but the reason I'm not evil is I'm not lying to you. I'm not pretending this site is something that it isn't and I'm not advising you to use this site in a manner that would put more users' privacy at risk. Can I do better? Yes, but then my comment about the risks you face when reading this blog wouldn't be possible.