librewolf or abrowser, which is best on privacy and security?

14 réponses [Dernière contribution]
tonlee
Hors ligne
A rejoint: 09/08/2014

librewolf
https://librewolf.net/
abrowser
https://trisquel.info/en/wiki/abrowser-help
Which one is better on privacy and security?

I got to read this about librewolf.
https://www.unixsheikh.com/articles/choose-your-browser-carefully.html#librewolf
Thank you.

lanun
Hors ligne
A rejoint: 04/01/2021
andyprough
Hors ligne
A rejoint: 02/12/2015

I'd still say stick with abrowser. I've learned since then that apparently Ruben uses the Icecat configuration to build abrowser, and Icecat is about as good as you can get privacy-wise.

Avron

I am a translator!

Hors ligne
A rejoint: 08/18/2020

I'd be interested to know more about the exact meaning of "security" and of "privacy" in the context of a web browser and what the user does.

For "security", I assume it is related to execution of the browser and the received pages and Javascript, not to interact with browsing activity in another tab or window, or anything else on the computer. If one would be accessing only websites without any Javascript, or would have all Javascript disabled, wouldn't the risk of such kind of unexpected interaction be exactly zero? Side question, what about the case of using a browser extension such as Haketilo configured so that only locally stored scripts can be executed?

If one would be accessing websites where the Javascript is only fetched from a place that has only Javascript published as free software and largely inspected, wouldn't any "security flaw" in the web browser have a rather low risk of unexpected interactions resulting in harmful consequences for the user?

I am not recommending this to everyone as the way to ensure security. Personally, mostly with the motivation to only run things that there is some control on (so my purpose is not just "security"), I use NoScript and LibreJS and, if the website is not usable with maximum restrictions and not using this website would make my life really difficult, I try allowing some things, as little as I can, until the site seems functional enough. In some cases, this is extremely tedious because of the huge amount of scripts, so I need to decide whether to give up using the website or to allow (nearly) everything.

For "privacy", unless one is using a web browser to write personal messages (I never do that), in which case one's privacy may even be violated by the server, I am not sure what people are talking about exactly.

andyprough
Hors ligne
A rejoint: 02/12/2015

>"I use NoScript and LibreJS and, if the website is not usable with maximum restrictions and not using this website would make my life really difficult, I try allowing some things, as little as I can, until the site seems functional enough. In some cases, this is extremely tedious because of the huge amount of scripts, so I need to decide whether to give up using the website or to allow (nearly) everything."

This is what I do as well.

>"For "privacy", unless one is using a web browser to write personal messages (I never do that), in which case one's privacy may even be violated by the server, I am not sure what people are talking about exactly.

Two main areas:
1. Phone-home behavior: Telemetry, plus by default Firefox sends all url's through a google server for google search autocomplete, and compares all the url's you visit to lists of sites from google's 'safe browsing' servers. abrowser and Icecat don't allow any of this by default.
2. Tracking (cookies, referral links, IP address tracking, etc) and tracking your surfing habits through fingerprinting

Magic Banana

I am a member!

I am a translator!

Hors ligne
A rejoint: 07/24/2010

Telemetry, plus by default Firefox sends all url's through a google server for google search autocomplete, and compares all the url's you visit to lists of sites from google's 'safe browsing' servers.

No URL is ever sent to Google's Safe Browsing servers. https://trisquel.info/forum/abrowser-what-dangers-removing-all-https-web-addresses-aboutconfig#comment-156568 sums up what Safe Browsing does and https://trisquel.info/forum/abrowser-what-dangers-removing-all-https-web-addresses-aboutconfig#comment-156585 the results of a technical investigation on Safe Browsing by academics. They conclude: "Use of the Safe Browsing API therefore appears to raise few privacy concerns".

As for the telemetry, Firefox's releases only collect by default “Technical data” and “Interaction data” as defined in https://wiki.mozilla.org/Data_Collection#Data_Collection_Categories (category 1 and 2) and unchecking a box in the settings disables it.

As you wrote, Abrowser and IceCat have all that disabled.

andyprough
Hors ligne
A rejoint: 02/12/2015

>"No URL is ever sent to Google's Safe Browsing servers."

You've corrected me on that point before, and I specifically did not claim that in my post above if you'll notice. Regardless, many people view it as something that Google could somehow use to violate their privacy.

Agreed that it's disabled in abrowser and Icecat.

andyprough
Hors ligne
A rejoint: 02/12/2015

And the key point is still the Google search autocomplete being on by default. That data is definitely phoned home to Google.

Not that DuckDuckGo and other search engines don't try to do it by default as well. There's a checkbox in Firefox settings to turn it off, Firefox calls it "Search Suggestions". I would imagine search autocomplete is a major source of ad revenue for Google. What could be better than having your product displayed in the search bar before a person has even typed in a whole word?

lanun
Hors ligne
A rejoint: 04/01/2021

> What could be better than having your product displayed in the search bar before a person has even typed in a whole word?

Having your name become a synonym for your core product is not bad either.

Also, having magical elongated fruits ready to go to unfathomable depths to defend your name against imaginary attacks.

Avron

I am a translator!

Hors ligne
A rejoint: 08/18/2020

> 2. Tracking (cookies, referral links, IP address tracking, etc) and tracking your surfing habits through fingerprinting

To what extent is "you" identified?

If one connects to some online account with the same browser or computer or public IP address, at the same time or at another time, can the surfing habits be correlated with the identity on that online account? Or the connections to multiple online accounts be correlated?

If so, are there reliable means to avoid that? If the public IP address can be used, to avoid correlation between two accounts, does is mean they should never be accessed via the same IP address, so one can access directly to one account and, for each other account, one needs to use a different VPN gateway? Or use a TOR circuit only once to connect to one account only and disconnect before accessing another one?

I am not considering the case where the tracking would be by the ISP, I guess defeating tracking by the ISP is more tricky.

andyprough
Hors ligne
A rejoint: 02/12/2015

Yes, researchers have shown that even Tor users can theoretically be fingerprinted and tracked. Although most companies probably wouldn't bother to go to the expense of trying to track a few Tor users, when they know that 99% of the internet using public is unaware enough to let them set tracker cookies and to click on links with tracker referral headings.

Ways to overcome this include constant randomization of fingerprint characteristics, such as by the 'Chameleon' extension for Mozilla based browsers, and using tracker blockers like ublock and like 'Neat URL' for cleaning up URL links with embedded tracker headings.

Noscript also seems to defeat many fingerprinting attempts in my experience because the fingerprint techniques commonly rely on you running some bit of js on your machine.

SkedarKing
Hors ligne
A rejoint: 11/01/2021

Something you should be aware of about that website...

It has links to this page:

https://digdeeper.neocities.org/ghost/mozilla.html

Why is this a problem?

Because digdeeper.neocities.org has a bunch of antivax nonsense on it.

Some things might be trustworthy on the website, but anything releated to the beliefs usa politicans have, particularly if it is pro extremist, is very much untrustworthy...

Such as the below:

https://digdeeper.neocities.org/ghost/corona.html

My point being, no one should ever, link to digdeeper.neocities.org except to criticize the hell out of them.

I admit I probably did that a few times, like 2+ years ago. Aka, I thought they were completely trustworthy... not so.

Man was I ignorant...

Yeah... don't trust this garbage.

Always get a second opinon if you find trash like that on a website.

Had to edit to clarify...

andyprough
Hors ligne
A rejoint: 02/12/2015

digdeeper is a Windows user who hates free software and calls us "freetards", infected with the disease of "freetardism" - https://digdeeper.neocities.org/ghost/freetardism.html#fixfoss

I don't care what he thinks about vaccines, but he clearly doesn't understand software enough to be considered a competent critic. The reason no one should bother with his stuff is because he's a moron.

andyprough
Hors ligne
A rejoint: 02/12/2015

He goes on to call "freetardism" a "particular brand of autism": https://digdeeper.neocities.org/ghost/addons.html

You hear that? Everyone on this forum is autistic, because digdeeper says so.

What a sweet fellow. Now, let's all let him decide for us which web browsers and privacy extensions and email providers and search engines we should use - clearly if we are so autistic, we can't make important decisions like that for ourselves.

nparafe

I am a member!

Hors ligne
A rejoint: 10/20/2020

Autistic is not bad, it's just another way of looking things. By "retards", I thing he means special needs persons, which is not bad either. It is just the way some people are.

I do not care if he is right or wrong, he is toxic.