Firefox and Firefox Forks

Open-Source

I would like to discuss Firefox and Firefox forks in detail. This article will attempt to discuss the current technical involvement with these projects. Note that not every possible aspect will be discussed here, but a great deal of information will be placed here nonetheless.

Firefox

Firefox is the open-source web browser developed by Mozilla and its many volunteers worldwide. The browser has since gone through many transformations, with Quantum being the biggest change. The browser advocates being a privacy-based browser. Although some people criticize Firefox for not being as private as they would like, here is an explanation of why it doesn't come with any of the privacy settings configured by default.

The reason stems from usability. First-party isolation and resist fingerprinting could be enabled by default, but doing so could prevent a website from working at its best, causing distress to the user. However, many websites like PrivacytoolsIO provide resources to enable these privacy-oriented settings through about:config. Google Safe Browsing is enabled by default, but bits of information are stripped out. Also, a list is generally downloaded to provide this capability. As stated here:

From ghack's user.js:

There are NO privacy issues here. IF required, a full URL is never sent to Google, only a PART-hash of the prefix, and this is hidden with noise of other real PART-hashes. Google also swear it is anonymized and only used to flag malicious sites activity. Firefox also takes measures such as striping [sic] out identifying parameters and storing safe browsing cookies in a separate jar.
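The lookup flow the quote describes, as an added Python sketch (not code from Firefox or from the ghacks user.js). URL canonicalization is simplified, and the function names, list entries and noise count are assumptions made for illustration.

```python
import hashlib
import random
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 hash kept in the downloaded list

def expressions(url):
    """Host-suffix/path-prefix strings for a URL (simplified: no full canonicalization)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    hosts = [".".join(labels[i:]) for i in range(max(len(labels) - 1, 1))]
    path = parts.path or "/"
    paths = {"/", path}
    if parts.query:
        paths.add(f"{path}?{parts.query}")
    return sorted(h + p for h in hosts for p in paths)

def full_hash(expr):
    return hashlib.sha256(expr.encode()).digest()

def lookup(url, local_prefixes, noise=3, rng=random):
    """Return the prefixes that would be sent to the server; [] means no request at all."""
    hits = {full_hash(e)[:PREFIX_LEN] for e in expressions(url)} & local_prefixes
    if not hits:
        return []  # URL is not on the list: nothing leaves the machine
    pool = sorted(local_prefixes - hits)
    request = sorted(hits) + rng.sample(pool, min(noise, len(pool)))
    rng.shuffle(request)  # the matching prefix is mixed in with real list entries
    return request

def is_blocked(url, server_full_hashes):
    """The verdict is computed locally from the full hashes the server returned."""
    return any(full_hash(e) in server_full_hashes for e in expressions(url))

# Constructed sample data: a tiny stand-in for the downloaded list.
LISTED = ["malware.example/bad.html", "phish.example/", "evil.example/login",
          "dropper.example/", "scam.example/win"]
LOCAL_PREFIXES = {full_hash(e)[:PREFIX_LEN] for e in LISTED}

if __name__ == "__main__":
    print(lookup("https://www.mozilla.org/firefox/", LOCAL_PREFIXES))
    req = lookup("http://malware.example/bad.html?id=7", LOCAL_PREFIXES)
    print([p.hex() for p in req])
    print(is_blocked("http://malware.example/bad.html?id=7", {full_hash(LISTED[0])}))
```

A URL with no local prefix match produces no network request; a match sends only 4-byte prefixes, and the full URL never appears in the request.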

Browser studies and telemetry: while telemetry is normally used to track people, there are services that provide anonymous telemetry, allowing statistics to be gathered without violating privacy. If the user does not wish to participate in browser-based experiments, they can go to about:preferences (a.k.a. Options) and uncheck the areas under Privacy and Security.

Web Extensions are the current architecture, which has replaced the previous XPCOM/XUL architecture. There was a debate on whether this was a good choice to make; some people are opposed to it, while others are for it. The discussion originated from a security and development point of view. The old architecture suffered from overly broad extension permissions: extensions could access the whole browser, while also accessing other extensions themselves. This posed a problem with malicious extensions. The old architecture also made certain extensions prone to conflicting with a new release of Firefox, which could cause the extension or Firefox to crash. There was also the issue of an extension being unable to function in the new release; a patch from the developer of the extension would be needed in order for the extension to work. While many extensions have successfully been made compatible, others haven't. This can stem from the extension no longer being under active development, trouble with making the switch, or the developer outright deciding not to make the change. In this case, try to find a web-extension that does what the previous extension did.
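A way to check which of the settings discussed above a profile actually has, as an added Python example (not part of the original article). The pref names are real Firefox preferences, the listed defaults are assumed release defaults, and the function names and sample file are constructed.

```python
import re

# Pref -> (assumed Firefox release default, value a privacy-hardened profile uses)
EXPECTED = {
    "privacy.firstparty.isolate": (False, True),
    "privacy.resistFingerprinting": (False, True),
    "datareporting.healthreport.uploadEnabled": (True, False),  # telemetry upload
    "app.shield.optoutstudies.enabled": (True, False),          # browser studies
    "browser.safebrowsing.malware.enabled": (True, True),
    "browser.safebrowsing.phishing.enabled": (True, True),
}

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;')

def parse_prefs(text):
    """Parse user.js / prefs.js text; commented-out lines are ignored, last write wins."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop /* ... */ blocks
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)  # a line starting with // never matches
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def audit(text):
    """Map each expected pref to 'ok' or 'weak', falling back to the default if unset."""
    prefs = parse_prefs(text)
    return {name: "ok" if prefs.get(name, default) == hardened else "weak"
            for name, (default, hardened) in EXPECTED.items()}

# Constructed sample user.js
SAMPLE = '''/* constructed sample
user_pref("privacy.resistFingerprinting", true);  (inside a block comment) */
user_pref("privacy.firstparty.isolate", false);
// user_pref("privacy.resistFingerprinting", true);
user_pref("app.shield.optoutstudies.enabled", false); // studies off
user_pref("privacy.firstparty.isolate", true);
'''

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{status:5} {name}")
```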

Currently Mozilla has been trying to create an open standard for web-extensions. Progress is slowly being made, but it hasn't been completed yet.

Waterfox

Waterfox is a Firefox fork started by a student. The project uses the pre-Quantum v56 code and comes with privacy-oriented changes by default.

While Waterfox tries to be appealing to privacy-respecting users, the problem lies in the security aspect of the software. Waterfox doesn't include the latest Firefox code, due to the nature of keeping the old extension architecture. With two extension architectures supported at the same time, there is the danger of a larger attack surface and software bloat. The old extension architecture means running the risk of malicious extensions accessing the browser and other extensions. While Waterfox does come with settings enabled by default, unlike Firefox, most of the settings can be changed easily with the help of online guides. Updates are also a problem. Waterfox doesn't have as many developers as Firefox. When an update arrives, the developer(s) must integrate these patches into Waterfox before updating. This causes delays that can result in a greater risk of application exploitation.

Pale Moon/Basilisk

Since both forks are from the same developer, I will cover them together. Pale Moon is a browser fork that uses the Firefox ESR 38 code while keeping the classic Firefox UI. Basilisk is another fork, based on Firefox ESR 52. The rendering engine for both of these browsers is named Goanna.

Pale Moon aims to be another privacy-respecting browser, with configurations made by default, unlike Firefox. Pale Moon also suffers from security flaws. Firefox v38 lacks many modern-day capabilities, including security capabilities. One notable aspect is the lack of e10s. E10s is what allows each tab process to isolate web content to prevent any leaks from happening. Without this protection, users are at risk of malicious code accessing web content from the browser. This can cause manipulation of web content, resulting in dangerous redirects, injection attacks, and more. From a security perspective, even Waterfox provides better support for modern security capabilities. Pale Moon and Basilisk also suffer from a lack of developer resources. Basilisk is able to support e10s, but the choice was made not to enable it.

Tor Browser

The Tor Browser is a fork from the Tor Project. It is based on Firefox ESR v60, with plans to update to Firefox ESR v68 in the future. The browser comes configured with the ability to access the Tor Anonymity Network. Tor Browser also comes with HTTPS Everywhere and NoScript by default. The Tor Browser comes with API changes that help the Tor Browser become ambiguous. This helps protect against browser fingerprinting, a technique that advertisers and websites can use to identify you. The Tor Browser recommends not changing any settings, to prevent you from creating privacy risks. More information can be located at the TorProject Website.

The Tor Project has previously suffered from delayed patches as well, but the Tor Uplift Project, which is a collaboration between Mozilla and the Tor Project, helps the Tor Project upstream their releases to better keep up with the latest code.

Privacy and Security

Privacy and security go hand in hand. Security can also affect your privacy. For example, encryption keeps users safe and protects their privacy. Both need to exist in order to benefit each other. Respecting one over the other can result in an unbalanced experience that doesn't give you the full benefit of both.

Creating a good fork

I have been considering, for a while, creating a browser fork of Firefox: one that would allow users to install with privacy-oriented settings by default, or not to, and let them choose to customize the settings themselves. This fork would include a standard and an extended support release. Patches would come from Mozilla and be applied by the time the patch is available. This project is called Nova. I would be glad to be head of this project and work on creating this fork.