Mozilla enabled ads in Firefox and they're active in Fedora
Bruno Wolff III
bruno at wolff.to
Mon Nov 17 14:28:58 UTC 2014
On Mon, Nov 17, 2014 at 15:06:21 +0100,
Reindl Harald <h.reindl at thelounge.net> wrote:
>
>Am 17.11.2014 um 14:41 schrieb Bruno Wolff III:
>>Firefox is really not set up with privacy as a high priority. Some bad
>>things it does from a privacy perspective are:
>>
>>If you type a name in the url bar and send, if the name doesn't match a
>>domain google is contacted. (And it is google even if you have some
>>other search engine set.)
>>
>>OCSP is used to check for certificate revocations. For some threat
>>models this cure is worse than the disease. There should be an easy way
>>to disable this.
>
>not such problem if more sites would be configured properly
>http://en.wikipedia.org/wiki/OCSP_stapling
That does sound like an improvement, but I haven't run across an easy way
to enable that while disabling normal OCSP.
>>Javascript is not easy to disable without installing a third party
>>plugin, and the way that plugin works still leaves some exposure to
>>javascript related issues.
>
>and every time a newspaper recommends to disable it weeks later we got
>complaints that some forms don't work because tech to make it harder
>submit them automated until analyze what JS actions are expected
javascript is way too powerful to leave on for any old web site. Most
web sites way over use it. Yes it is needed for web sites that are
really applications, but most websites could be set up so they are
usable without it. They just don't bother.
>>The referer header is sent by default. It isn't obvious how to disable
>>that
>
>please don't propose disabling the Referer globally
>a smart default would be
>https://addons.mozilla.org/DE/firefox/addon/smart-referer/ to send it
>only to the same domain
Having to install a third party package to do this doesn't make it simple.
This feature should be built in.
Some people may not want to supply referer headers when moving around
within sites. For that there should be a per domain override similar
to cookies.
>every time when people come out with "how to disable referrer,
>javascript and the useragent" they have no clue what harm they are
>doing for sane websites which try to protect themselves and their owners
>from automated attacks / junk
Web sites should work just fine without a supplied user agent. If they
don't, they are broken. Bots can forge common user agent strings easily;
relying on checking for user agent for security purposes is silly.
A number of sites think there are only 3 or 4 different browsers and refuse
to work if you aren't using one of them. Other web sites aren't designed
to handle the optional user agent header not being supplied and will
break needlessly.