Compared librewolf.cfg with arkenfox user.js

[brokoler]

Hello,

at first thanks so much for this project, it is a privacy innovation in my eyes and it helped other projects like Librewolf to exist.

I follow Arkenfox since long time (Hello Ghacks user.js) and discovered, that it's philosophy changed from no outgoing connections to specific outgoing connections that make sense and offer security features. The right choice in my point of view.

Still I compared both configurations (took me hours) and would like to understand why following settings from Librewolf are not part of Arkenfox:

- user_pref("browser.safebrowsing.blockedURIs.enabled", false);
- user_pref("browser.region.network.url", "");
- user_pref("browser.region.update.enabled", false);
- user_pref("browser.search.update", false);
- user_pref("services.settings.server", "https://%.invalid");
- user_pref("toolkit.coverage.enabled", false);
- user_pref("toolkit.crashreporter.infoURL", "");
- user_pref("security.protectionspopup.recordEventTelemetry", false);
- user_pref("default-browser-agent.enabled", false);

There are more differences but these are the ones I'm wondering about.
Especially why URI Safebrowsing is enabled, when all other Safebrowsing functions are disabled with Arkenfox.

Would be great to understand why above lines are not added or if they might be considered by Arkenfox.

[Thorin-Oakenpants]

that it's philosophy changed from no outgoing connections to specific outgoing connections

not really. There is nothing wrong with how Mozilla do telemetry (prio, new glean designs, access to data, transparency (you can actually see everything collected - it's all harmless, etc), and even the coverage ping is harmless. We just choose to "be quiet" since that's what most users kinda want - I will address this at some stage in #1660

shit like URLs are mostly meaningless (maybe defense in depth) since they are all controlled by master switches. There is no need to bloat the project with such crap. And e.g. disabling learn more links is counter-productive - just results in a broken UI, in which case these forks (which all mostly rely in arkenfox otherwise they can't seem to make any decisions on anything) should simply modify the UI, not piss around with URLs

I also question dubious decisions that take away user choice: such as deciding/prompting the user to set as the default browser. This is asked once, and it is the user who chooses, not fucking LW. Same goes for other options where there is clearly no right or wrong answer; such as DoH - not saying LW set DoH, just saying there are other things that we have no right to set

When fxbrit was around (he has gone quiet the last 4 or 5 months, I fear the worst), I worked with him behind the scenes for 2+ yrs in order to get LW into shape - they were giving arkenfox a bad name. And together both projects benefited (mostly LW) and fxbrit made his own decisions and basically always came round to the same consensus as me

At some point the differences were minimal (maybe 25 prefs - it used to over 600 in total, a right royal fucked up shitshow): excluding all the extra shit prefs they do like learn more URLs and URLs and other crap, and the disabling of SBing (not 100% sure what LW does now) - as a default it must be on, it's a security feature. We only disable the real-time "binary" checks. I think LW now do the same.

While fxbrit and I got that number down, IDK to maybe 3 or 4 major'ish diffs (not sure how many pref numbers), I suspect with some more changes in AF coming up (RFP vs FPP), and the inactivity (+ no-leadership/direction) at LW ~~upstream~, and with more big under the hood changes coming from Mozilla (e.g. sanitizing), that the differences will simply grow and I will be forced to publicly disclaim AF LW (again) as having anything to do with this LW repo and even start disparaging it again as a PoS when warranted and to point out their inept changes or lack of (which is already happening)

With fxbrit gone, LW is already rapidly spiraling. And they diverged from RFP with their own patches (they just need to wait and be patient). Their matrix room is mostly full of conspiracy theorists or people ranting about philosophies and big tech nonsense and things that have no bearing. LW's issues tracker is currently 230 open issues, 150 of which were opened in the last 3 months - that's almost 2/3rds. Think about that. This is a sign of a leaderless and dysfunctional project. Seriously, LW is returning to shite and has had limitations for a long time.

Give it up and come to arkenfox .. we have cake 🍰 Also, we have instant updates direct from FF, and more user choice (more languages although since then live language packs exist but I still think they only build en-US (not sure), more packages, more info in the user.js, blah blah) and we're 25-33% faster since we get Mozilla's PTO, LTO.

ALL HAIL ARKENFOX

[Thorin-Oakenpants]

THE ANCIENT BOOER

Your true arkenfox lives. And you marry another. True Arkenfox saved her in the Fire Swamp, and she treated it like garbage. And that's what she is, the Queen of Refuse. So bow down to her if you want, bow to her. Bow to the Queen of Slime, the Queen of Filth, the Queen of Putrescence. Boo. Boo. Rubbish. Filth. Slime. Muck. Boo. Boo. Boo.

[Thorin-Oakenpants]

Especially why URI Safebrowsing is enabled, when all other Safebrowsing functions are disabled with Arkenfox

AF does not disable all SB functions. Maybe you need to check the user.js again

[Thorin-Oakenpants]

not really. There is nothing ...

missed the important part. So ignoring the telemetry part which we've always disabled. SB on ghacks from memory was off, but once I moved here in 2017(?), it was changed to allow all of it except real-time binary checks, because as I said, security as a default. At one stage I ripped out all the other prefs, but eventually put them back in for the info factor.

Everything else, as per usual, is always about: security trumps "privacy" and honestly, all these outgoing connections are not a privacy issue. e.g. at one stage we didn't do app update checks, I flipped that, because big deal if you check for an update, there's no PII, and FFS, if you don't trust FF with a ping, why even bother using their software .. etc

I could go on, and I've just had someone who seems to think ZERO connections is fine preach at me (and spam the same shit everywhere except at Tor Browser, and if I see it there I'll going to also shut it down, yup, I can do things at Tor Project) in #1807 . When this sort of black vs white and no grey comes up, I shut it down as it is a red flag and I do not want to become the nazi bar

[Thorin-Oakenpants]

https://www.techdirt.com/tag/nazi-bar/

• https://old.reddit.com/r/TalesFromYourServer/comments/hsiisw/kicking_a_nazi_out_as_soon_as_they_walk_in/

[Thorin-Oakenpants]

sharing is caring

WIZARDS

on fingerprinting and on FPing + the intersection of prefs - in reality fxbrit would check with me or already know the answer (from me earlier, or we worked it out / checked it together if I wasn't sure), and I have access to tor project members on tap (super smart unicorn ones should I need it)

• to be clear: fxbrit can and no doubt has worked some of these out himself
• just showing that without fxbrit they generally do not know

ophf ohfp acknowledging reality

• link (if it works for you): https://app.gitter.im/#/room/#librewolf:matrix.org/$3kqGwq_Lce6HlKfasLdHw8hDHSDKs7-rSXHgsK-q74s
  • date is Jan 31st 2024

[Thorin-Oakenpants]

@brokoler

Still I compared both configurations (took me hours)

so you take the cfg file, rename it lw-user.js and search and replace strings so the prefs are user_pref("... (I forgot what's in that file) - basically tweak the contents so the syntax matches AF

then you use from the wiki ... Compare-UserJS and compare lw-user.js and af-user.js .. kaching! profit :)