My name is Jeaye

I'm a leader, a problem solver, and a hacker with a passion for privacy and security.

Don't abandon Mozilla Firefox just yet

Just today, a diatribe against Mozilla made it to the front page of Hacker News, gathering a great deal of discussion. Unfortunately, a significant portion of that discussion was around choosing alternatives to Firefox, forking it, or otherwise abandoning ship. Please, if you do care about your privacy, security, and voice in the matter, refrain from the brash decisions and read on.

Some of the key issues

Briefly, some of the issues being discussed are the uninvited introduction of Firefox Pocket, as well as the side-loading of plugins by Mozilla, used in aid of promotion of a TV show. The effect of this promotion is mostly benign, but the problem is that this was done entirely unbeknownst to the user and was enabled by default.

So, time for a new browser

This is the next logical step for a number of participants thus far, but I think they’re not quite considering the implications of using those browsers, as well as the possibility that Mozilla is not a completely lost cause. First, a bit on forks and soft forks, as well as Chrome and Chromium.

Chrome and Chromium

Perhaps the worst result of this assault is that Firefox users will jump over to Chrome. Put simply, since the issue here is about privacy and control over one’s browser, that makes absolutely no sense. This is a serious problem with diatribes against Mozilla for something so relatively small; compared to Google, and the lack of privacy you have within its ecosystem, these Mozilla nitpicks are bantam.

Even with Chromium, there are still in-built Google services which impose upon your privacy. This has lead to the soft fork ungoogled-chromium, but forks have their own baggage to carry as well.

Forks of Firefox or Chromium

To start with, note that browsers are one of the most complex programs running on your OS. Interfacing with the internet, various sites, technologies, etc. means that browsers need to be constantly updating to remain secure. Running any version of Firefox, for example, which is not either the latest or the latest ESR, is putting yourself at risk of all of the known exploits which have been found since.

Hard forks are at serious risk of growing stale behind the upstream parent. Furthermore, any hard fork with a focus on privacy and security will need its own team of developers specifically looking for and quickly patching vulnerabilities in both the new code, as well as the originally forked code. Mozilla pays its security engineers over $150K per year to focus on this sort of work full-time. Replicating that level of commitment with a hard fork is incredibly difficult.

Soft forks

A generally safer bet is a soft fork, which follows the upstream parent closely, but typically just removes some features, or makes some relatively small changes which allow it to remain quite compatible with its parent. Examples of these would be Waterfox and the previously linked ungoogled-chromium. While it’s easier for these projects to follow the progress of the parent, it’s still not guaranteed. Furthermore, the removal of some feature in the soft fork, or the preservation of an old feature which was removed in the parent, may introduce new vulnerabilities which are unique to the soft fork.

Catching these new issues would require security-minded individuals working on the project regularly. Ensuring that the soft fork is following the parent closely remains up to the whim of those running the project. In short, it’s not nearly as reliable as sticking with a company such as Mozilla, who has been invested in developing Firefox for over 15 years.

What to do with Mozilla

So, don’t bite the hand that feeds?

No, that’s not my point. Mozilla shouldn’t have side-loaded plugins in my browser to promote a show of which I’d never even heard. I also still don’t like seeing Pocket there, an uninvited guest in my otherwise tidy browsing environment. Still, that doesn’t mean that Mozilla is evil and I should try my luck with Google or some fork on Github which managed to get a few hundred stars. Instead, it’s important to voice the opinion to Mozilla that this wasn’t cool and it should be removed. Jumping to a one-off fork is not a sustainable option; working with Mozilla, as a community, to show how pissed or pleased we are, at any given moment, is a much more sustainable option.

The Mozilla manifesto contains a few great points relevant to this topic. One of which is the involvement of commercial products in the internet.

  1. Commercial involvement in the development of the Internet brings many benefits; a balance between commercial profit and public benefit is critical.

This balance is hard to strike. It’s the sort of struggle which requires the community to be as active with Mozilla as the companies for which Mozilla is advertising. That’s not to say it’s the community’s fault for this happening; it’s to say that Mozilla isn’t perfect and we occasionally need to slap it back into shape. Right now, it’d be great to see more people herding Mozilla and fewer assuming all is lost.