Mark Alan Richards

Mozilla is Evil

computer-science data-protection privacy

Firstly, many browsers are not your friends, so this is not a "Mozilla is worse than X" post.

So why bash Mozilla?

Google get bashed, Microsoft get bashed and Apple do too, but the alternative is not a saint. It boasts about privacy but doesn't enable it for most users; it complains about tracking and then teaches web developers how to do it. It has had complaints for around a decade (since then there have been others, like 970092) that user privacy is being invaded because of browser features.

But Mozilla are just following a standard?

Mozilla staff can often play a key role in changing the web, from work on drafting standards to work on demonstrating new ideas with new features that are yet to be fully standardised. Web standards are not legal requirements and there is nothing to stop Mozilla either breaking from them to fix privacy and security or providing a default alternative release or feature flags that protect users.

Fixing the design that would break everyone?

So? Apple broke a lot when they stopped supporting Flash. Is Firefox incapable of leading beyond broken standards to protect users, when others have already demonstrated that it can be done? Firefox could even re-use the same security pattern adopted for SSL certificates: if you get into trouble on a site, you can opt in to a less secure mode for that site.

So why does Mozilla have to lead?

Because they boast of caring about privacy.

Sites like and boast of how they wish to defend privacy, but their flagship product fails most users.

Sorry, but whatever you do to cure the minority, if the majority are still suffering, then boasting about the minority is a falsehood. It's like BP boasting about its solar energy project... great job, but they're still mostly an oil company. Firefox is still mostly a web browser business, and most of its users have their privacy breached because of the insecure design of the flagship product.

But they have private browsing mode and tracking protection?

But it's not their fault websites include tracking, it's web developers who add this stuff?

But you're blowing this out of proportion

No. When Snowden blew the whistle and shouted that we were all being watched, he didn't recommend Firefox, he suggested Tor Browser, and that was five years ago. The fundamental design of the internet was failing society, and in the five years since, Mozilla hasn't protected most of its users. It cares about them about as much as BP cares about clean energy.

I've been complaining to various companies and regulators for years about browsers leaking data. The UK regulator even blogged about my complaint as millions of users and several major sites suffered a major problem I found.

Since then I've started demonstrating some of the problems I've found. Typically these problems boil down to three things: URLs leaking personal information in Referer headers; tracking IDs shared in cookies that allow cross-referencing of personal information between sites to build up an identifiable tracking picture; and third-party JavaScript executed in the same context as same-origin scripts, which can perform complete account takeover and per-user surveillance with little if any ability for a website to audit it or realise it is happening, if the attacker has a little competence.
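The Referer leak described above, as an added example that is not part of the original post: a small Python model of the standard Referrer-Policy algorithm, showing exactly what a page whose URL carries personal data hands to a third party under each policy value. The shop and analytics URLs are constructed for illustration.

```python
"""Model of what a browser puts in the Referer header for a request from
`src` to `dst` under each standard Referrer-Policy value (W3C Referrer Policy)."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: an account page whose URL carries personal data,
# and a third-party analytics endpoint embedded in that page.
SRC = "https://shop.example/account?email=alice%40example.com&order=1234#top"
THIRD_PARTY = "https://analytics.example/collect"

def _host(p):
    return (p.hostname or "") + (f":{p.port}" if p.port else "")

def _strip(url):
    # A full Referer never carries credentials or the fragment.
    p = urlsplit(url)
    return urlunsplit((p.scheme, _host(p), p.path or "/", p.query, ""))

def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{_host(p)}/"

def _same_origin(a, b):
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)

def _downgrade(src, dst):
    # TLS-protected page making a plaintext request.
    return urlsplit(src).scheme == "https" and urlsplit(dst).scheme != "https"

def referer_for(src, dst, policy):
    """Return the Referer value (or None) a compliant browser sends."""
    same, down = _same_origin(src, dst), _downgrade(src, dst)
    if policy == "no-referrer": return None
    if policy == "unsafe-url": return _strip(src)
    if policy == "no-referrer-when-downgrade": return None if down else _strip(src)
    if policy == "origin": return _origin(src)
    if policy == "strict-origin": return None if down else _origin(src)
    if policy == "same-origin": return _strip(src) if same else None
    if policy == "origin-when-cross-origin": return _strip(src) if same else _origin(src)
    if policy == "strict-origin-when-cross-origin":
        return _strip(src) if same else (None if down else _origin(src))
    raise ValueError(f"unknown policy: {policy}")

def leaks_query(src, dst, policy):
    """True when the sending page's query string (the personal data) reaches dst."""
    r = referer_for(src, dst, policy)
    return r is not None and urlsplit(src).query != "" and urlsplit(src).query in r

if __name__ == "__main__":
    # no-referrer-when-downgrade was the long-standing browser default; over HTTPS
    # it ships the full URL, e-mail address included, to the analytics host.
    for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{pol:32} -> {referer_for(SRC, THIRD_PARTY, pol)}")
```

Setting `Referrer-Policy: strict-origin-when-cross-origin` (or stricter) in a site's response headers is the server-side fix; the model shows why the older default leaked.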

I'm not alone... browser based attacks are becoming more common and you only have to search Google News briefly to find things like:

Some aren't even attacks that were intended to be malicious:

The businesses that use analytics, advertising and social media services are often leaking a lot of tracking data and handing over the keys to their castles. Their management, and often even their web developers, are so naive about how insecure the web is by default that they don't realise users are at risk from what these third parties are allowed to do in the browser.

So why is Mozilla evil? Perhaps they're just not the best?

Remember they're not alone, they have company in their sins, but I'm pointing them out because people fail to and because I feel they are two-faced. They are likely a lesser evil than some, but still...

They boast about why you should use them: because they care about privacy.

They boast of features that don't work properly, like tracking protection, that "mostly" works: what does mostly mean? Would you use a condom that was mostly watertight?

They don't inform most users. You don't know that when you visit this blog, your own computer has been used to send tracking data to various other companies... did you read my cookie policy? Do you know who's got access to this page? Are you reading what I wrote or what the analytics company JavaScript replaced it with?

I'm no angel

Edit 2019/03/22: This blog is being migrated off and hopefully does protect your privacy appropriately.

I'm not going to tell you this website is secure or private. Maintaining a website requires an operational overhead I feel I might get wrong and put users at a higher risk (it could get cryptojacked), and I've delegated instead to Maybe I should find something better, but the reason I'm not evil is that I'm not lying to you. I'm not pretending this site is something that it isn't, and I'm not advising you to use this site in a manner that would put more users' privacy at risk. Can I do better? Yes, but then my comment about the risks you face when reading this blog wouldn't be possible.