Mozilla enabled ads in Firefox and they're active in Fedora

Bruno Wolff III bruno at wolff.to
Mon Nov 17 14:28:58 UTC 2014


On Mon, Nov 17, 2014 at 15:06:21 +0100,
  Reindl Harald <h.reindl at thelounge.net> wrote:
>
>On 17.11.2014 at 14:41, Bruno Wolff III wrote:
>>Firefox is really not set up with privacy as a high priority. Some bad
>>things it does from a privacy perspective are:
>>
>>If you type a name in the url bar and send, if the name doesn't match a
>>domain google is contacted. (And it is google even if you have some
>>other search engine set.)
>>
>>OCSP is used to check for certificate revocations. For some threat
>>models this cure is worse than the disease. There should be an easy way
>>to disable this.
>
>not such a problem if more sites were configured properly
>http://en.wikipedia.org/wiki/OCSP_stapling

That does sound like an improvement, but I haven't run across an easy way 
to enable that while disabling normal OCSP.

>>Javascript is not easy to disable without installing a third party
>>plugin, and the way that plugin works still leaves some exposure to
>>javascript related issues.
>
>and every time a newspaper recommends disabling it, weeks later we get 
>complaints that some forms don't work, because of tech that makes it harder 
>to submit them automatically until it analyzes what JS actions are expected

Javascript is way too powerful to leave on for any old web site. Most 
web sites way overuse it. Yes, it is needed for web sites that are 
really applications, but most websites could be set up so they are 
usable without it. They just don't bother.

>>The referer header is sent by default. It isn't obvious how to disable
>>that
>
>please don't propose disabling the Referer globally
>a smart default would be 
>https://addons.mozilla.org/DE/firefox/addon/smart-referer/ to send it 
>only to the same domain

Having to install a third party package to do this doesn't make it simple. 
This feature should be built in.

Some people may not want to supply referer headers when moving around 
within sites. For that there should be a per domain override similar 
to cookies.

>every time people come out with "how to disable referrer, 
>javascript and the useragent" they have no clue what harm they are 
>doing to sane websites which try to protect themselves and their owners 
>from automated attacks / junk

Web sites should work just fine without a supplied user agent. If they 
don't, they are broken. Bots can forge common user agent strings easily; 
relying on checking the user agent for security purposes is silly. 
A number of sites think there are only 3 or 4 different browsers and refuse 
to work if you aren't using one of them. Other web sites aren't designed 
to handle the optional user agent header not being supplied and will 
break needlessly.
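The "send it only to the same domain" default plus the per-domain override "similar to cookies" argued for above, written out as an added example (not code from Firefox or the Smart Referer add-on): a small Python decision function. The override table format and the two-label approximation of a "site" are my assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample override table (hypothetical format, modelled on a
# cookie exception list): keyed by the site you are browsing *from*.
#   "never"  - send no Referer at all from this site, even within the site
#   "always" - send the Referer to every destination
# Sites without an entry get the "same-domain" default.
OVERRIDES = {
    "intranet.example": "always",
    "secret.example": "never",
}

def site_of(host):
    """Approximate the registrable domain with the last two labels.
    A real browser would consult the public-suffix list so that e.g.
    'a.co.uk' and 'b.co.uk' are not treated as one site."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def policy_for(source_host, overrides=OVERRIDES):
    """Longest-suffix lookup like cookie domain matching: an entry for
    'secret.example' also covers 'mail.secret.example'."""
    labels = source_host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in overrides:
            return overrides[candidate]
    return "same-domain"

def referer_to_send(source_url, target_url, overrides=OVERRIDES):
    """Return the Referer value for a navigation, or None to omit it."""
    src, dst = urlsplit(source_url), urlsplit(target_url)
    if not src.hostname or not dst.hostname:
        raise ValueError("both URLs need a host")
    policy = policy_for(src.hostname, overrides)
    if policy == "never":
        return None
    if policy == "same-domain" and site_of(src.hostname) != site_of(dst.hostname):
        return None
    # Like browsers, never leak credentials or the fragment in the Referer.
    netloc = src.hostname + (f":{src.port}" if src.port else "")
    return src._replace(netloc=netloc, fragment="").geturl()
```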


More information about the devel mailing list