Slashdot Mirror

He was using node.js (which using V8 Javascript engine)

And he was using it for some security related function (in this case generating id's of sessions).

Maybe he should have been using a cryptographically strong pseudo-random generator:
https://nodejs.org/api/crypto....

Why did they need to 'fix' V8 Math.random () function which everyone knows is not meant for such things ? It even says so in for example the Mozilla documentation (the organisation that created Javascript in the first place):
"Note: Math.random() does not provide cryptographically secure random numbers. Do not use them for anything related to security."
https://developer.mozilla.org/...

This makes no sense to me.

What irked me about their pivot to connected devices announcement, was this last statement:

We are excited about the challenges and opportunities ahead of us. We believe that the Web can be the right platform for this future of connected devices and we can’t wait to share more with everyone soon.

They still don't get it. By the time developers learn of their new direction, it's already been decided behind closed doors. Where's the incentive for the unwashed masses to contribute when community input isn't relevant?

Here you go. Oh, you wanted to be able to use a modern internet? Well try this then.

Modern browsers are staggeringly complex beasts. Video, Audio, Applications, storage. You name it. Don't ask how well the bear dances, it's impressive that it dances at all.

https://bugzilla.mozilla.org/s...

Firefox only currently supports DHE with SHA1. Are they going add support for SHA256 DHE when they disable SHA1?

To quote Michael Staruch from the above link: It looked more like attempts to discredit DHE and push everyone into ECC. And I am not so sure if that's best way to protect our privacy, especially with multiple TLS clients supporting only NSA Suite B curves.


Mozilla, we really need DHE to work with SHA256 and GCM. Sure, fallback to something else (with a second connection, if necessary) if weak dhparams are used by the server.

Adblock Edge was a fork of ABP created specifically because of the "acceptable ads" policy. It has since been discontinued in favor of uBlock Origin

Privacy Badger has its own "Acceptable Ads" policy, which is as simple as promising to respect the "Do not track" header and supporting HTTPS.

I am an online advertising / tracking company. How do I stop Privacy Badger from blocking me?

One way is to stop tracking third party users who have turned on the Do Not Track header (i.e., stop collecting cookies, supercookies or fingerprints from them). That will work for new Privacy Badger installs.

If copies of Privacy Badger have already blocked your domain, you can unblock yourself by promising to respect the Do Not Track header in a way that conforms with the user's privacy policy. You can do that by posting a specific compliant DNT policy to the URL https://example.com/.well-know..., where "example.com" is all of your DNT-compliant domains. Note that the domain must support HTTPS, to protect against tampering by network attackers. The path contains ".well-known" per RFC 5785.

Privacy Badger currently checks for this specific verbatim policy document, though in the future Privacy Badger may allow content from sites that post different versions of a compliant DNT Policy, and that there may be ways for users to specify their own acceptable DNT policies if they wish to.

Source

Personally, I find the approach to be less naive than ABP's, but only slightly.

I use uBlock Origin and find it to be lighter weight than the old Adblock Plus/edge extensions. Combined with uMatrix, it's a much more responsive and usable combination than the old ABP + NoScript pairing.

As far as I know, your only option is to browse full time in private mode and to prevent the browser from caching stuff, which makes the browsing experience awful.

Self Destructing Cookies can clear the cache when the browser goes idle for a given time (I use 1 min), without having to brows in private mode, so it doesn't affect my browsing experience all that much.

The fact that you can still easily disable acceptable ads makes ABP a good option going forward. But, I've recently found out about other products that I'd like to hear what experiences others may have had.

Recently, I heard about and started using Privacy Badger form the EFF. I can't tell if it's useful yet, what are your thoughts.

I've also heard that uBlock Origin is superior to ABP and uBlock. Anyone with experience with these?

AC wrote: "We've lost the arms race for content over presentation in this medium. Pages with perhaps a kilobyte of text take over a megabyte to download and 10 seconds to render. Firefox is mortally wounded. Safari and Opera are hobbled. Chrome is a trojan horse. Guys, I think the Gopher people were right."

This is a very insightful AC post. That is a big part part of why for the last week (since hearing about the Thunderbird uncertainty) as a sprint, I've been working towards a webapp / server called Twirlip as a proof-of-concept for a server version of Thunderbird. The idea is to support the same functionality as Thunderbird (and more) but use standard Firefox as the client loading a Thunderbird-like webapp from a local Node.js server. The project repository is currently here:
https://github.com/pdfernhout/...

The sprint is not "blessed" by Mozilla or the Thunderbird Council at the moment. It is just my own take on things and to demonstrate what is possible. And given I just blew all our cash/credit writing another FOSS project (NarraFirma, a webapp in TypeScript/Mithril/D3 with Node.js and WordPress backends) over the past year or so, financially, this is so stupid for me to be doing right now instead of finding a paying job. :-)

That said, the leader of the Thunderbird Council (Kent James) suggested in September considering making Thunderbird into a webapp, so the idea is not completely new, or presumably unwelcome as a proof-of-concept demo:
"Future Planning: Thunderbird as a Web App"
https://mail.mozilla.org/piper...
"As we are discussing our future, both in relation to radical changes expected in the Mozilla platform, and our need to express where we are going to potential partners and donors, we need to discuss and agree on some big-picture issues. One of those was end-to-end encryption that we discussed recently. I want to discuss here our future platform, and how it related to users and their needs.
tl;dr Thunderbird over the next 3 years needs to convert to being a web app that can run on any browser that supports ES6 Javascript and HTML5. (web app does not imply cloud-based, only that the underlying platform is js/html)."

Here is an update on my last week's progress sent to the Thunderbird Planning list.
https://mail.mozilla.org/piper...

I've used Thunderbird for over a decade, and have a million messages in it totaling over 15 GB (mainly from a bunch of mailing lists). I know of others who have 50 GB in it. So, I'm obviously concerned about its future.

All that said, there is no immediate reason to panic. Thunderbird still works well for what it does.

In looking into this issue though, maintaining Thunderbird is apparently difficult though because the codebase includes a copy of Firefox, which bloats the source code by 20X or more up to about a gigabyte of mostly C++.Any security patch to Firefox needs to be evaluated and then likely integrated into Thunderbird to keep it secure. That may be the biggest issue -- and it is worse now that Mozilla has essentially defunded Thunderbird over the last few years to make it a "community" project, so synergy has been lost with the Firefox development team. (SeaMonkey, formerly the Mozilla application suite, is in the same boat and uses essentially the same codebase.) Thunderbird itself also has a lot of XUL to define UI functionality, but Mozilla has deprecated XUL (not reasonably, but there are consequences) creating an obvious future maintenance issue of sizable proportions. Thunderbird plugins likewise are written with XUL. So, while Thunderbird can be maintained, given that codebase and the size and the need to closely track Firefox, maintenance is hard and probably not a lot of fun (given the C++ and XUL) as a legacy thing.

As others have said, this i

AC wrote: "We've lost the arms race for content over presentation in this medium. Pages with perhaps a kilobyte of text take over a megabyte to download and 10 seconds to render. Firefox is mortally wounded. Safari and Opera are hobbled. Chrome is a trojan horse. Guys, I think the Gopher people were right."

This is a very insightful AC post. That is a big part part of why for the last week (since hearing about the Thunderbird uncertainty) as a sprint, I've been working towards a webapp / server called Twirlip as a proof-of-concept for a server version of Thunderbird. The idea is to support the same functionality as Thunderbird (and more) but use standard Firefox as the client loading a Thunderbird-like webapp from a local Node.js server. The project repository is currently here:
https://github.com/pdfernhout/...

The sprint is not "blessed" by Mozilla or the Thunderbird Council at the moment. It is just my own take on things and to demonstrate what is possible. And given I just blew all our cash/credit writing another FOSS project (NarraFirma, a webapp in TypeScript/Mithril/D3 with Node.js and WordPress backends) over the past year or so, financially, this is so stupid for me to be doing right now instead of finding a paying job. :-)

That said, the leader of the Thunderbird Council (Kent James) suggested in September considering making Thunderbird into a webapp, so the idea is not completely new, or presumably unwelcome as a proof-of-concept demo:
"Future Planning: Thunderbird as a Web App"
https://mail.mozilla.org/piper...
"As we are discussing our future, both in relation to radical changes expected in the Mozilla platform, and our need to express where we are going to potential partners and donors, we need to discuss and agree on some big-picture issues. One of those was end-to-end encryption that we discussed recently. I want to discuss here our future platform, and how it related to users and their needs.
tl;dr Thunderbird over the next 3 years needs to convert to being a web app that can run on any browser that supports ES6 Javascript and HTML5. (web app does not imply cloud-based, only that the underlying platform is js/html)."

Here is an update on my last week's progress sent to the Thunderbird Planning list.
https://mail.mozilla.org/piper...

I've used Thunderbird for over a decade, and have a million messages in it totaling over 15 GB (mainly from a bunch of mailing lists). I know of others who have 50 GB in it. So, I'm obviously concerned about its future.

All that said, there is no immediate reason to panic. Thunderbird still works well for what it does.

In looking into this issue though, maintaining Thunderbird is apparently difficult though because the codebase includes a copy of Firefox, which bloats the source code by 20X or more up to about a gigabyte of mostly C++.Any security patch to Firefox needs to be evaluated and then likely integrated into Thunderbird to keep it secure. That may be the biggest issue -- and it is worse now that Mozilla has essentially defunded Thunderbird over the last few years to make it a "community" project, so synergy has been lost with the Firefox development team. (SeaMonkey, formerly the Mozilla application suite, is in the same boat and uses essentially the same codebase.) Thunderbird itself also has a lot of XUL to define UI functionality, but Mozilla has deprecated XUL (not reasonably, but there are consequences) creating an obvious future maintenance issue of sizable proportions. Thunderbird plugins likewise are written with XUL. So, while Thunderbird can be maintained, given that codebase and the size and the need to closely track Firefox, maintenance is hard and probably not a lot of fun (given the C++ and XUL) as a legacy thing.

As others have said, this i

The update TB is apparently never getting is a usable maildir support (desactivated by default due to many bugs and bugs and crashes, see https://support.mozilla.org/en... ). The maildir storage format is the only thing keeping me from using TB (I'm using mutt since the kmail akonadi disaster).

On the other hand Thunderbird has never worked properly with Gmail tags. Some extensions claim to make it work, but they just give the illusion of working, until everything breaks even more.

Since when does Thunderbird run on iOS? If there is something called Thunderbird on iOS it is not from Mozilla.

I've been looking for alternatives to Thunderbird myself. It has the classic signs of insufficient devs, so while the remaining devs still work away on things that interest them, other things get ignored. For example, the formerly very useful filelink feature, originally announced with some fanfare, is broken, has been for ages, and nobody seems to be working on it. Once an application gets into that kind of decay, it's usually a slow death spiral.

<rant> You really would think that it should be simple to publish existing contact lists (customer lists from a database, personal address books, and such) as LDAP - it's "lightweight" right? - but there is practically no documentation or existing code that shows how to write an LDAP server. It would be nice if Thunderbird at least could have a contacts API with their crufty internal format as a replaceable option.</rant>

2 interesting things about panopticlick: first, they report on browser fingerprinting, which is notoriously hard to defeat.

Would it help to add some randomisation into the properties? Quick googling suggests it might be a solution, and there are some plugins: https://addons.mozilla.org/en-... https://www.dephormation.org.u... https://addons.mozilla.org/en-...

You would have to not only change the random agent though (which may hide the fact you are running Linux or 64bi-vs-32bit). The plugin string is also pretty damning -- which version of Flash you have (and additional plugins, etc). For any GNOME user, the gnome Firefox plugin is a give-away.
It would be useful if there was a extension that shows plugins to a site only on request (the gnome plugin is only important for extensions.gnome.org), Flash may be only important for a few websites of your choosing. That does not exist at the moment.

2 interesting things about panopticlick: first, they report on browser fingerprinting, which is notoriously hard to defeat.

Would it help to add some randomisation into the properties? Quick googling suggests it might be a solution, and there are some plugins: https://addons.mozilla.org/en-... https://www.dephormation.org.u... https://addons.mozilla.org/en-...

You would have to not only change the random agent though (which may hide the fact you are running Linux or 64bi-vs-32bit). The plugin string is also pretty damning -- which version of Flash you have (and additional plugins, etc). For any GNOME user, the gnome Firefox plugin is a give-away.
It would be useful if there was a extension that shows plugins to a site only on request (the gnome plugin is only important for extensions.gnome.org), Flash may be only important for a few websites of your choosing. That does not exist at the moment.

Firefox for Windows being only 32-bit

They were also running 64-bit Firefox on Windows (see the first chart). It wasn't released in time for their benchmark, but Firefox 43 is out and has 64-bit builds available for Windows.

More likely that the Mac version of Chrome is optimized for Intel graphics chipsets (since most Macs have them), whereas the Chrome version for Windows has very little optimizations specific to a video chipset(which is a shame).

I'd be curious to see the benchmark run on Windows 10 using the built-in Intel video chipset instead of the Nvidia and see if Chrome runs faster.

Also, keep in mind Firefox and Unity have collaborated in the past to optimize the engine in the browser.

https://blog.mozilla.org/blog/...

In my opinion Firefox OS is the only thing that stands between us and the enternal rule of giant Megacorps in the mobile space. It get's way to little attention and not enough support. Jolla is struggling to survive and last their OS wasn't fully FOSS and the Ubuntu Phones are not approachable as a plattform. A FOSS web-centric mobile OS is a truely feasible thing. If I had the time and resources, I'd build a kickstarter prototype for a high-end Firefox OS phone.

systemd get's the credit for raising hell amoung the FOSS crowd. Couldn't say I particulalry like or hate it, but the attention it has gotten definitely make it the most talked about project.

Blender gets far to little credit.

Atom and Electron are both neat too. ... Love that video-ad for Atom. :-) ... I like Atom for the hippster vibe it brings to FOSS with UIs and usability that don't look or feel dated. ... It does still have some issues though. :-) And, btw., unlike .Net Atom did start off as a true FOSS project done by GitHub. These folks put their money where their mouth is - unlike some other folks in the industry.

On ridiculous shit like this: https://blog.mozilla.org/blog/2015/12/10/mozilla-open-source-support-first-awards-made/

From Wikipedia 'bikeshedding' article:

everyone can visualize a cheap, simple bicycle shed, so planning one can result in endless discussions because everyone involved wants to add a touch and show personal contribution.

This is not necessarily true of all people, but it is true of people with inflated egos. Some engineers like to develop the simplest design that accomplishes the project's objectives, and take pride in doing so. That means the end product shows no signs of personalization or features that can directly be attributable to one person.

People with inflated egos, whether justified or not, are an anathema to most organizations. Most of Bugzilla's decades-old bugs involve some sort of pissing match between the module owners and the users, which prevents any real progress in improving the issues most important to the users. As an example, check out bug 18574 which became a battle of egos between Stuart Parmenter and most of Mozilla's userbase. There were a number of contributors willing to do the work necessary to address Stuart's alleged concerns about MNG support in imglib, so Stuart just started refusing to establish a set of criteria needed for returning MNG support to Mozilla. Instead, he decided that he didn't want MNG support and it didn't matter how many people wanted it because HE was the dictator of imglib.

We see the same behavior embedded in the whole corporate culture of Mozilla, where unwanted new features are added and popular features are removed without any regard for user input. You don't want Pocket? Fuck you. You want plugins like Greasemonkey, uBlock, and AdBlock to work? Our corporate donors don't like what users are doing with that power, so fuck you.

uMatrix doesn't offer defenses against Cross-Site Scripting (XSS) exploits, or provide Application Boundary Enforcement (ABE). The consensus among uMatrix users appears to be to install NoScript for its XSS and ABE features, but turn off its script blocking, leaving that task to uMatrix.

Tracking cookies are cookies that cross origins. Mozilla refuses to implement the same-origin policy for cookies and other browser state.

To me, the most important feature of Firefox is the add-ons. I like Session Manager, for example.

Question about Firefox: Microsoft's Process Explorer shows that Firefox uses the CPU while no Firefox windows are in the foreground. Why? Firefox's CPU use is especially intense when many windows and tabs are open. Also Process Explorer shows that often Firefox continually adds memory to its "Private Bytes" and "Working Set", even when there is no Again, why?

Someone above mentioned Pale Moon. Pale Moon has a 64-bit edition.

Joke:
Instead of browser.pocket.enabled = false in Firefox, try:
browser.adult.supervision.enabled = true in Pale Moon. (Not a real Pale Moon choice, of course.)

Pale Moon has tools for backup and migration. Adblock Latitude blocks ads. There are other Pale Moon ad-ons, and usually Firefox add-ons work perfectly.

"Pale Moon Commander ... provides a user-friendly interface to advanced preferences that would otherwise require manual editing of parameters, which can be cumbersome and time-consuming to do."

I know that Thunderbird has a plug-in that supports exporting emails messages into .eml files were you can have the filename show date and subject and such. But it's not that easy to use. https://addons.mozilla.org/en-... I have personally been archiving with two programs, Outlook and eM client. Outlook because it provides a .PST file where you have a database that's easy to search through (in outlook) plus I can archive calendar, contacts, and tasks. eM Client, which is free to use for two email accounts (at a time, you can always delete and add another). It's like the Thunderbird plugin (exports to .eml) above but much more intuitive and works really well.

In most cases, nobody needs to know the identity anyway. It would be far more important to know that it is the same website I looked at before

That's called "key continuity management" (KCM) or "trust on first use" (TOFU). SSH uses it but recommends that you verify the key fingerprint out of band. It could be used with HTTPS or email as well, but without a way to verify the fingerprint out of band, it's vulnerable if your connection is compromised by a man in the middle from day one. Bug 460374 relates the story of how such an MITM in the wild was discovered.

The benefit comes when everyone does it all the time. All traffic is encrypted and integrity checked thusly. Yes it is vulnerable to MITM on initial use, but it raises the bar for intelligence agencies because they now have to MITM everything, all the time to have a hope of pulling off a targeted attack later. Their bulk data browsing becomes fairly pointless. Instead they have to perform bulk MITMing.

Part of the dynamic here is that the PKI is so fragile that TOFU simply works better. It fails less often than TLS, which fails completely when a single CA misbehaves. TOFU isn't by any means perfect, but it's better than TLS and X.509 PKIs. It would be nice to have a PKI that works, but we don't.

The middle ground I would like to get to is
1) Everything establishes session keys on first use and key continuity, all the time. If there's identity authentication as well, then great, but don't make it requirement that gets in the way of running a link cipher.

2) Identity authentication can happen before, at the time of or after first use.

This way hardware and software can be built that encrypts by default without user involvement or understanding. Identity verification can be post-hoc applied if necessary and applied beforehand when it matters or people care enough.

The technical details are endlessly fascinating and hard work.

In most cases, nobody needs to know the identity anyway. It would be far more important to know that it is the same website I looked at before

That's called "key continuity management" (KCM) or "trust on first use" (TOFU). SSH uses it but recommends that you verify the key fingerprint out of band. It could be used with HTTPS or email as well, but without a way to verify the fingerprint out of band, it's vulnerable if your connection is compromised by a man in the middle from day one. Bug 460374 relates the story of how such an MITM in the wild was discovered.

The Firefox installer is in the neighborhood of 40 MB. That's two and a half hours of tying up the phone line if you have v.90/v.92 dial-up, or a nonzero cost if your ISP charges per bit as many cellular and satellite ISPs do.

One of the worst things that browsers did was virtually destroy the ability to use shortcut keys

You can put keyboard shortcuts into your web pages with the HTML attribute called accesskey. Like if you have a link for the Next page, you could write it like this:

<a href="pages/2" accesskey=N><u>N</u>ext</a>

Pressing Alt N would click it.

The "new tab" page got hidden from the UI for no reason.

It was relegated to "browser.newtab.url" in about:config for a long fucking time, and I used it to specify the new tab page should be "about:blank" the instant they added the "new tab" page that showed your top visited sites, etc. because I knew the ads were coming.

It worked until they started putting ads on the new tab page. The browser.newtab.url setting was ignored.
People bitched and moaned. Mozilla and their dogs on the bug tracker made up some bullshit about how it was a security issue. They claimed malware was hijacking the new tab page via that setting. They did not provide any example of this actually happening.

They SHOULD have just re-exposed the option in the main settings page - use a url, use blank or use the tiles page.
But their "solution" was to ignore the setting and force everyone onto the shitty tiles page.

Choosing "show a blank page" on the tiles page options menu (yes, it has it's own options menu with a gear icon separate from the browser's main options menu) doesn't show you a blank page. It's loads the tiles new tab page with content hidden and the options gear visible. This "blank page" option was inconsistent with the "blank page" option for the home page (which gave you about:blank - a true blank page).

People bitched because they wanted to load a specific page for their new tabs, or wanted a blank page. Mozilla and their goons on the bug tracker started closing bug reports left and right without ever considering user feedback. As I predicted, it was all about the ads. Mozilla said that if users wanted this functionality they should install an addon. So I did. https://www.soeren-hentzschel....

Everyone laughed at how Mozilla said the change was done for user security and then pointed people to an unverified third party addon to restore functionality that used to be on the browser's main settings page.

And here I am laughing again. I'll continue to laugh as long as Mozilla continues to fail.

If you would like to laugh along, check out:
https://bugzilla.mozilla.org/s...
https://bugzilla.mozilla.org/s...
https://bugzilla.mozilla.org/s...
And all the dozens of other reports they've marked as dupes and closed. Make sure you expand and read all of the censored comments. (There were many more they outright removed.)

The "new tab" page got hidden from the UI for no reason.

It was relegated to "browser.newtab.url" in about:config for a long fucking time, and I used it to specify the new tab page should be "about:blank" the instant they added the "new tab" page that showed your top visited sites, etc. because I knew the ads were coming.

It worked until they started putting ads on the new tab page. The browser.newtab.url setting was ignored.
People bitched and moaned. Mozilla and their dogs on the bug tracker made up some bullshit about how it was a security issue. They claimed malware was hijacking the new tab page via that setting. They did not provide any example of this actually happening.

They SHOULD have just re-exposed the option in the main settings page - use a url, use blank or use the tiles page.
But their "solution" was to ignore the setting and force everyone onto the shitty tiles page.

Choosing "show a blank page" on the tiles page options menu (yes, it has it's own options menu with a gear icon separate from the browser's main options menu) doesn't show you a blank page. It's loads the tiles new tab page with content hidden and the options gear visible. This "blank page" option was inconsistent with the "blank page" option for the home page (which gave you about:blank - a true blank page).

People bitched because they wanted to load a specific page for their new tabs, or wanted a blank page. Mozilla and their goons on the bug tracker started closing bug reports left and right without ever considering user feedback. As I predicted, it was all about the ads. Mozilla said that if users wanted this functionality they should install an addon. So I did. https://www.soeren-hentzschel....

Everyone laughed at how Mozilla said the change was done for user security and then pointed people to an unverified third party addon to restore functionality that used to be on the browser's main settings page.

And here I am laughing again. I'll continue to laugh as long as Mozilla continues to fail.

If you would like to laugh along, check out:
https://bugzilla.mozilla.org/s...
https://bugzilla.mozilla.org/s...
https://bugzilla.mozilla.org/s...
And all the dozens of other reports they've marked as dupes and closed. Make sure you expand and read all of the censored comments. (There were many more they outright removed.)

The "new tab" page got hidden from the UI for no reason.

It was relegated to "browser.newtab.url" in about:config for a long fucking time, and I used it to specify the new tab page should be "about:blank" the instant they added the "new tab" page that showed your top visited sites, etc. because I knew the ads were coming.

It worked until they started putting ads on the new tab page. The browser.newtab.url setting was ignored.
People bitched and moaned. Mozilla and their dogs on the bug tracker made up some bullshit about how it was a security issue. They claimed malware was hijacking the new tab page via that setting. They did not provide any example of this actually happening.

They SHOULD have just re-exposed the option in the main settings page - use a url, use blank or use the tiles page.
But their "solution" was to ignore the setting and force everyone onto the shitty tiles page.

Choosing "show a blank page" on the tiles page options menu (yes, it has it's own options menu with a gear icon separate from the browser's main options menu) doesn't show you a blank page. It's loads the tiles new tab page with content hidden and the options gear visible. This "blank page" option was inconsistent with the "blank page" option for the home page (which gave you about:blank - a true blank page).

People bitched because they wanted to load a specific page for their new tabs, or wanted a blank page. Mozilla and their goons on the bug tracker started closing bug reports left and right without ever considering user feedback. As I predicted, it was all about the ads. Mozilla said that if users wanted this functionality they should install an addon. So I did. https://www.soeren-hentzschel....

Everyone laughed at how Mozilla said the change was done for user security and then pointed people to an unverified third party addon to restore functionality that used to be on the browser's main settings page.

And here I am laughing again. I'll continue to laugh as long as Mozilla continues to fail.

If you would like to laugh along, check out:
https://bugzilla.mozilla.org/s...
https://bugzilla.mozilla.org/s...
https://bugzilla.mozilla.org/s...
And all the dozens of other reports they've marked as dupes and closed. Make sure you expand and read all of the censored comments. (There were many more they outright removed.)

Australis

What in particular is so terrible about the Australis UI? I think you're getting worked up over nothing. If you want Firefox to look different then use Classic Theme Restorer or something like it.

Neither.

"uBlock is using 33MB of RAM" - by andymadigan (792996) on Friday June 12, 2015 @10:31PM (#49902053)

Inefficient: Hosts @ 3-11mb w/ current data & does things adblock variants can't & U RAN FROM IT http://apple.slashdot.org/comm... ).

UBlock uses 63++ MB & AdBlock = 128mb++ -> http://www.ghacks.net/2014/06/...

SCREENSHOT -> http://cdn.ghacks.net/wp-conte...

BEST UBlock's done = 38mb/ABP = 64mb -> http://www.extremetech.com/wp-... From http://www.extremetech.com/wp-...

* See 'p.s.' below - Says all (& I didn't do the saying!)

---

"which blocks more ads? Answer: uBlock/Adblock" by andymadigan (792996) on Sunday June 14, 2015 @12:04AM (#49907001)

WRONG - "Almost ALL Ads Blocked"'s PAID NOT TO by default-> http://techcrunch.com/2013/07/...

&

ABP too http://finance.yahoo.com/news/...

UBlock/Adblock = far less efficient on CPU & RAM (added messagepassing, SLOW usermode vs. hosts in kernelmode) & NEITHER does a fraction of what hosts do in more speed, security, reliability, & anonymity.

---

"your system blocks fewer ads" by andymadigan (792996) on Sunday June 14, 2015 @12:04AM (#49907001)

See above: + hosts do MORE w/ less via 1st link above!

---

"I'm more than happy to spend an extra 1% of my computer's power to block far more ads than your shitty idea" by andymadigan (792996) on Sunday June 14, 2015 @12:04AM (#49907001)

You're 'happy' being illogical & stupid?

AdBlock's 4++gb & 100% CPU use inefficiency -> https://blog.mozilla.org/nneth...

+

ClarityRay defeats it & NOT hosts (clarityray BLOCKS addons via native browser methods).

APK

P.S.=> Howard Stark in "Capt. America" - hosts (Cap's Shield) vs. AdBlock & variants (steel):

"It's stronger than steel & 1/3rd the weight"

So

"Run, Forrest: RUN!!!" & "eat your words"

... apk

Firefox: has telemetry on, Do-Not-Track off, etc. by default. Also has built-in ads that read your browsing history.

You're confused about telemetry:
https://wiki.mozilla.org/Telem...

Also, the Do-Not-Track flag is an utter failure. No ad network listens to the DNT flag. If you don't want to be tracked, you need proactive browser support. Something like:
https://www.eff.org/deeplinks/...

And, for what it's worth, the in-browser advertising project ("tiles") in Firefox is being shut down, per a company-wide announcement sent out earlier today. Look for a public announcement soon.

There should be nothing but panic at Mozilla right now when looking at those numbers.

But what does Netcraft say about the numbers? I know it offers an anti-phishing extension for Firefox, but has it released any news stories about Firefox's decline?

By the way, who is funding Mozilla these days?

Yahoo.

Great, another "girl" ruining software...

The sad state of affairs started under the previous CEO — or even before him. Although libxul is available separately and could be used shared by all Mozilla apps, each one of them bundles its own slightly different tree instead. As a result, the sources available for download are perpetually somewhat behind times — for example, at the time of this typing, firefox is at version 42, but libxul is only at 41.0.2 — because fixes go into an application's fork, instead of the main project.

It would seem to me, that a better manager would've pulled the people working on libxul from all of the application-specific teams — and made the apps use the single shared library. From pure technical perspective, this is, how things ought to be. I'm sure, there are administrative and personal problems, but that's exactly, what the CEO is supposed to control.

But, again, the CEO's sex is unlikely to be to blame — she may (or may not) be mediocre, but this problem is an inherited one.

Great, another "girl" ruining software...

The sad state of affairs started under the previous CEO — or even before him. Although libxul is available separately and could be used shared by all Mozilla apps, each one of them bundles its own slightly different tree instead. As a result, the sources available for download are perpetually somewhat behind times — for example, at the time of this typing, firefox is at version 42, but libxul is only at 41.0.2 — because fixes go into an application's fork, instead of the main project.

It would seem to me, that a better manager would've pulled the people working on libxul from all of the application-specific teams — and made the apps use the single shared library. From pure technical perspective, this is, how things ought to be. I'm sure, there are administrative and personal problems, but that's exactly, what the CEO is supposed to control.

But, again, the CEO's sex is unlikely to be to blame — she may (or may not) be mediocre, but this problem is an inherited one.

I suspect thunderbird still uses XUL and other things...

You "suspect"? No kidding... Both programs (as well as some other, less known ones) are just thin layers on top of libxul.

For years I've been puzzled, why they would not separate libxul out — the way NSPR and NSS are separated out — and make the multiple apps use the shared library instead of the current practice of each app bundling a separate copy of it.

Worse, XUL, actually, is available separately, but all of Mozilla's apps bundle their own, subtly incompatible, subtrees of it.

At some point FreeBSD ports-team considered doing the right thing for FreeBSD-users, at least, but was afraid, Mozilla will prohibit the use of the name "firefox" as a result — as happened to Debian/Ubuntu.

Mozilla is running amok. While driven as a corporation, it does not have paying customers, so we, the users, get the worst of both worlds...

I suspect thunderbird still uses XUL and other things...

You "suspect"? No kidding... Both programs (as well as some other, less known ones) are just thin layers on top of libxul.

For years I've been puzzled, why they would not separate libxul out — the way NSPR and NSS are separated out — and make the multiple apps use the shared library instead of the current practice of each app bundling a separate copy of it.

Worse, XUL, actually, is available separately, but all of Mozilla's apps bundle their own, subtly incompatible, subtrees of it.

At some point FreeBSD ports-team considered doing the right thing for FreeBSD-users, at least, but was afraid, Mozilla will prohibit the use of the name "firefox" as a result — as happened to Debian/Ubuntu.

Mozilla is running amok. While driven as a corporation, it does not have paying customers, so we, the users, get the worst of both worlds...

I suspect thunderbird still uses XUL and other things...

You "suspect"? No kidding... Both programs (as well as some other, less known ones) are just thin layers on top of libxul.

For years I've been puzzled, why they would not separate libxul out — the way NSPR and NSS are separated out — and make the multiple apps use the shared library instead of the current practice of each app bundling a separate copy of it.

Worse, XUL, actually, is available separately, but all of Mozilla's apps bundle their own, subtly incompatible, subtrees of it.

At some point FreeBSD ports-team considered doing the right thing for FreeBSD-users, at least, but was afraid, Mozilla will prohibit the use of the name "firefox" as a result — as happened to Debian/Ubuntu.

Mozilla is running amok. While driven as a corporation, it does not have paying customers, so we, the users, get the worst of both worlds...

I'll just offer this fully-supported, Windows 64-bit build here:

https://download.mozilla.org/?...

"you cannot see in which folders reside the bookmarks found. "

https://addons.mozilla.org/en-...

https://addons.mozilla.org/en-...

"you cannot see in which folders reside the bookmarks found. "

https://addons.mozilla.org/en-...

https://addons.mozilla.org/en-...

Rather than use the "Request Policy, No Script" combo I switched to uMatrix because it has an awesome matrix UI that really makes sense. I also moved to the uBlock Origin ad blocker as it's lighter on the resource usage.

https://addons.mozilla.org/en-...
https://addons.mozilla.org/en-...

Rather than use the "Request Policy, No Script" combo I switched to uMatrix because it has an awesome matrix UI that really makes sense. I also moved to the uBlock Origin ad blocker as it's lighter on the resource usage.

https://addons.mozilla.org/en-...
https://addons.mozilla.org/en-...

I have a Yahoo email account, because the ISP I had when I started in florida -- BellSouth -- later AT&T -- outsourced their email to yahoo.

I still have an ATT account, which is still my BellSouth email address.

I'm paying for this so-called Yahoo email.. Which is why Yahoo can go fuck themselves into oblivion, they seem to be very good at that.

I wonder if they'd be able to detect this for FireFox Mozilla Yahoo Ad Hide Plugin or for Chrome

Yeah, I use that on top of AdBlockPlus.