I read in a few places that LibreWolf's anti-fingerprinting features are breaking websites. One person complained that their meeting got scheduled incorrectly because the browser was messing with the user's time zone (for privacy reasons).
I can confirm that. I switched to using LibreWolf as a work-dedicated browser parallel to Firefox Developer Edition.
In two weeks of using it, I got annoyed by the following:
- no automatic dark-mode (against fingerprinting, some websites don't have a setting to switch it on - not sure if you can turn it off)
- timezone is always UTC (can be worked around with an extension, messed up my time tracking app and some log viewer)
- login on some websites/tools is broken altogether by the strict privacy settings (did not even bother to debug, I switched to Firefox)
- WebGL off by default (you can turn it on via config flag)
I switched from Firefox to Chrome and back and never had to debug and work around so many issues. It's a decent browser, but I'm not sure the value it brings justifies the costs of time spent debugging and the inconveniences.
I will continue to use it for work, but I will not switch entirely from Firefox because I want my history available across devices.
Unchecking resistFingerprinting in the settings disables these. You can also use the new Firefox FPP settings to enable most of RFP stuff but opt out of specific stuff like dark mode, timezone, etc. You can even add per-site exceptions.
I used to have terrible time with forgetting my keys, or letting the cleaner in when I wasn't home. Then I just stopped locking the door and never looked back. It's so convenient and saves me precious time. What can I say, it just works!
Unironically tho when was the last time you saw people trying random doors if they are unlocked. There is absolutely no need to lock your door if you are not vocal about it.
That kind of thinking (neglecting a broken lock on the back door, because I figured chances were low that someone would take advantage) got my apartment "broken" in to a few years ago.
Are you not using librewolf.overrides.cfg to disable/enable features that you want/need? All of the things you mentioned are just flags you can set in the file to turn them on or off.
https://librewolf.net/docs/settings/
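The per-feature opt-outs mentioned in the comments above (the FPP settings and the overrides file), as an added config example that is not from the thread or from the LibreWolf project. The prefs are standard Firefox preferences; which targets to exempt is an assumption based on the complaints listed earlier (dark mode, time zone, WebGL).

```cfg
// librewolf.overrides.cfg (file location per the docs linked above)
// Added example: keep fingerprinting protection on, exempt only what broke.

// RFP applies every protection at once; while it is true the
// per-target overrides below have no effect, so turn it off first.
defaultPref("privacy.resistFingerprinting", false);

// FPP offers the same protections, selectable target by target.
defaultPref("privacy.fingerprintingProtection", true);

// Start from all targets, then exempt the two behind the breakage:
//   CSSPrefersColorScheme -> sites see the real light/dark preference
//   JSDateTimeUTC         -> sites see the real time zone instead of UTC
// Each exempted target is a value sites can again read and fingerprint.
defaultPref("privacy.fingerprintingProtection.overrides",
            "+AllTargets,-CSSPrefersColorScheme,-JSDateTimeUTC");

// WebGL is a separate switch and is not covered by the overrides string.
// Enabling it exposes GPU/driver details to every site that asks.
defaultPref("webgl.disabled", false);
```

After a restart, the resulting values can be checked in about:config by searching for `fingerprint` and `webgl.disabled`.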
Thanks for pointing this out. I wasn't aware of this feature.
I enabled Firefox sync and lost all my history. It was a user error: I should have disabled configuration sync (clear history when you close the browser).
After this incident, I decided I had enough, so I uninstalled LibreWolf. I recovered my lost history from different instances, but I don't want to spend my time making this browser work.
LibreWolf is a decent browser with annoying default settings, which made me lose more time than I wanted to make it work.
Would you expect a "privacy focused" browser to offer you networking disabled by default but the ability to enable completely unrestricted networking in the settings (you can install a plugin for CORS and the like if you want) or to natively provide the privacy controls you need to actually use the browser? If the latter, why is it different depending which attack surface you ask about? If the former, why not just make that plugin part of the browser itself?
> Would you expect a "privacy focused" browser to offer you networking disabled by default
Obviously not, because at that point it can no longer be used to browse the web. (That said, "do no network requests" should be the default idle state of the browser until appropriate user interaction. Allowing CORS is also a horrible default but that ship has long sailed.)
I also disable WebGL in my Firefox profile and this does not inconvenience me in any way. So I do not think WebGL support is as instrumental to browsing the web as you claim; it entirely depends on what sites you visit. (And let's be honest here, a very significant majority of websites does not need WebGL.)
Everyone is welcome to have their own definition of what browsing the web requires be supported but if it wasn't part of browsing the web it shouldn't be part of the browser you can enable in the first place. That it is part of the browser you can enable is why it should have privacy support by the same browser, not because I personally think it should be part of what browsing the web requires.
If WebGL is a straw man to browsing the web why is the feature still included in the browser itself at all then? You certainly don't have to utilize every feature of the browser yourself but it is part of that browser nonetheless, it's just not a natively securable part.
I've run into this (it's in Librewolf, but is more obnoxious in Mull/IronFox on Android where I actually use this), where the privacy protections prevent the Jackbox games like Drawful from sending the contents of a drawing to Jackbox's servers. Both browsers don't fail - they just upload a rainbow pattern every time.
I use IronFox and LibreWolf as my daily drivers, but I keep Firefox installed alongside them for the inevitable site that just doesn't behave correctly. Not unlike having to reach for the big blue "E" in the bad old days.
Can definitely attest to this. Librewolf is my daily and I run it pretty aggressively (uBO options/lists, strict blocking DNS, etc) and sometimes I'm left scratching my head where things break. Recently had an aha-moment that felt triumphant when disabling the limit cross-origin referers, as silly as it sounds. Alas, I guess I prefer it this way.
That is, as so many things with tech, a matter of giving proper UI for humans as much priority as the feature itself.
It would be solved with something as simple as a "Privacy Blocks" drop-down menu that was prominently shown in the browser, that could visually warn about which feature is being accessed by a website (WebGL, UTC time, scripting...), and that let the user enable/disable that feature in that specific website with just 1 click.
A bit of telemetry (albeit kinda contradictory in this case) would allow to collect data on which sites tend to require which permissions, and proactively warn the users, like "Hey it seems most users of Google Calendar .com tend to disable time clock privacy; would you like to do so too?", that'd remove a lot of worries from users upon accessing an important site and not knowing which privacy settings might be breaking it.
I also ran into this, but it was manageable (after a bit of research of course).
Would love to see a "startup"-Dialog, where they explain these features in a bit of detail with a choice of three modes...
Fingerprinting and privacy protection:
- [x] Full - best for privacy (default)
- [ ] Moderate - most features work, but may break some websites
- [ ] Off - just behave like normal Firefox
The last option would be for Firefox users who just want a browser working like before. Although this might not be the target audience, I think this could support funding.
However, I also ran into the issue of Librewolf deleting ALL cookies by default when it closes. I would also love to have a domain whitelist for this:
- Delete all cookies except the following websites: a.org, b.com, c.net
Oh, and another tip: Don't go to their Matrix channel with your first class account, they have a spam problem and Element is nowhere near prepared for it with any settings to prevent getting spam invitations. Once you are in, you get spam invitations all the time.
Librewolf is pretty aggressive. That would be ok if it was just defaults that you could disable if you wish but I couldn't find out how. Too opinionated.
Amazon equivalent in Poland - Allegro was notoriously blocking me in Librewolf; I was served puzzle captcha or blocked from browsing at all due to "suspicious activity" 98% of the time.
As someone responsible for login/registration at a large online retailer, I see so much bot traffic and attacks. Attackers try to enumerate registered users, try to mass-login with credentials from password dumps, try to register accounts controlled by bots.
Login forms are a war zone. Looking for patterns that indicate the other party is a bot and serve them (and only them) a captcha is a technique that is quite effective. But it is not perfect. Especially business customers often get forced to solve captchas in our system.
If you know of a better solution (other than: don't be a big online shop), I'm all ears.
I'd guess that their problem is data pollution (marketing unhappy, ads impressions unaligned, data needs to be cleaned anyway before PowerPoint presentations for shareholders are made). And technically: unnecessary database growth which impacts migration efficiency, backup size and duration and stuff like that.
They don't seem to care about ad impressions being unaligned when their ads hit people who consider all forms of advertising to be a form of offensive and unauthorized graffiti on the mind, AKA vandalism.
> Also, fuck companies that do this. I just start permanently deleting accounts whenever services do this.
On the one hand yes, on the other - these times call for ditching US companies and switching to local (EU) ones. So it's better to tell these local ones to be more welcoming / less hostile.
I have just yesterday asked Amazon to delete my account and all my personal data and stop processing it, quoting "Article 17 and Article 18 of the General Data Protection Regulation".
I'm also planning (as in: technically planning) to move all my data off AWS reasonably ASAP, too. It's personal stuff; mostly S3, domains registered and parked at Route53, some CloudFront distributions fronting static files, SQS/SNS - not much overall - and domains are the main PITA.
I found on 136.0.0-ish that some settings persist despite checking/unchecking that box and restarting LibreWolf, but YMMV. I also manually inspect 'about:config' and search there for relevant settings (like 'fingerprint'). For fingerprinting, browser breakage is unlikely so toggling these hidden flags is easy.
Librewolf Lite / Light REALLY should be a release too. Less aggressive, more friendly to people who are moving towards a more secure experience. E.G. let session managers work properly, allow that 10 year old password database in the browser to be used during the 30 year transition* (I exaggerate, but until there's a bulk import tool to MIGRATE) to a stronger password manager. Generally don't enable the tiny fingerprint gains (~1/20th of world population, but they can already fingerprint that from the IP you're using and/or ping ANYWAY, so just leave the damned time zone on!) which have a huge trade off in annoyance for the end user.
Yes, I want a 'de enshitified' version of Firefox. Not a browser for someone trying to write impactful news stories who needs to follow a strong opsec.
I'm not convinced that "trusting the browser about the timezone it says it's in" is a dark pattern when it's done in service of scheduling meetings that the user directly requested.