Mozilla enabled ads in Firefox and they're active in Fedora
Bruno Wolff III
bruno at wolff.to
Mon Nov 17 14:28:58 UTC 2014
On Mon, Nov 17, 2014 at 15:06:21 +0100,
Reindl Harald <h.reindl at thelounge.net> wrote:
>Am 17.11.2014 um 14:41 schrieb Bruno Wolff III:
>>Firefox is really not set up with privacy as a high priority. Some bad
>>things it does from a privacy perspective are:
>>If you type a name in the url bar and send, if the name doesn't match a
>>domain google is contacted. (And it is google even if you have some
>>other search engine set.)
>>OCSP is used to check for certificate revocations. For some threat
>>models this cure is worse than the disease. There should be an easy way
>>to disable this.
>not such problem if more sites would be configured properly
That does sound like an improvement, but I haven't run across an easy way
to enable that while disabling normal OCSP.
>>plugin, and the way that plugin works still leaves some exposure to
>and every time a newspaper recommends to disable it weeks later we got
>complaints that some forms don't work because tech to make it harder
>submit them automated until analyze what JS actions are expected
web sites way overuse it. Yes it is needed for web sites that are
really applications, but most websites could be set up so they are
usable without it. They just don't bother.
>>The referer header is sent by default. It isn't obvious how to disable
>please don't propose disable the Referer globally
>a smart default would be
>https://addons.mozilla.org/DE/firefox/addon/smart-referer/ to send it
>only to the same domain
Having to install a third party package to do this doesn't make it simple.
This feature should be built in.
Some people may not want to supply referer headers when moving around
within sites. For that there should be a per domain override similar
>every time when people come out with "how to disable referrer,
>doing for sane websites which try to protect themselves and their owners
>from automated attacks / junk
Web sites should work just fine without a supplied user agent. If they
don't, they are broken. bots can forge common user agent strings easily,
relying on checking for user agent for security purposes is silly.
A number of sites think there are only 3 or 4 different browsers and refuse
to work if you aren't using one of them. Other web sites aren't designed
to handle the optional user agent header not being supplied and will