Do you trust waterfox?

I can't trust firefox these days, obviously not for privacy since they started telemetry, but not even for security (which was the main reason to use them) after the extension incident (which also affected tor browser!). If they can't keep 1 certificate up to date then how can they be trusted to keep any up to date?
Anyways, waterfox seems to be the first "telemetry-free" browser I've used that doesn't break sites or isn't severely out of date. Icecat breaks sites, ungoogled chromium is still built off google code, and pale moon is so fucking out of date its not funny.
There is only one thing that concerns me though - the first time you start waterfox after installing, it pings a long list of websites which is what i am assuming is a network test - but why? I haven't noticed any other outgoing traffic after the initial bootup, but the first startup does concern me - I still use it daily regardless because I don't see any other logical alternative.
Do you trust it? trustless browsers are pretty busted up these days, because the nu-web does everything that leaves them behind (JS, remote fonts, abstracting code so that it only runs with proprietary measures implimented etc.)
sorry for the long post bros, i have adhd and talk a lot.

Attached: waterfoxlogo.png (1632x918, 111.69K)

Other urls found in this thread:



almost forgot, pale moon has a more up-to-date version:

Pale Moon is not outdated in any way that actually matters.

the interface is taken from a more recent version of Firefox than Pale Moon, but the underlying browser code is the same. Only difference I remember is that Basilisk has support for Encrypted Media Extensions enabled.

Developer abandoned it after being contacted by Firefox lawyers apparently. There's a community fork going on at

Attached: ClipboardImage.png (680x333 12.04 KB, 12.99K)

2. Thank you for at least showing us they/we didn't give up.

basilisks is just palemoon with all the cancer and botnet of firefox

It sounds like its doing what firefox would do.

It's Firefox with a blue logo and a few about:config changes.

the only web browser without botnet is Tor Browser
use it or get fucked into asshole by CIA

Tor Browser

don't resist, order it now at

enjoy being banned on every part of the net because the devs are retarded and will activly signal to every website/server that it's tor.
Telling everyone your privacy concerned is like sneaking into a police office but you yell at the top of your lungs that your being sneaky so they shouldn't chase you.

Attached: 1465174774798.png (555x739, 142.17K)

are you retarded? Tor Browser uses Firefox ESR user-agent. What better do you propose?
Tor is detected by IP, as tor exit nodes are publicly listed. if it wasn't, any person or corporation could just generate such list by downloading Tor and using a script to visit their IP checker, then change Tor circuit and check IP again, in loop. they would generate 95% complete list fast. I am sure (((some people))) would share unofficial Tor exit node lists on the internet
how do you want Tor to work while not looking as Tor?

not comparable at all. when you use Tor you might tell that you are Tor user, but there is millions of people like you that use it. they don't know why are you using it, if you are paranoid, leftist, nazi, pedo, terrorist, hacker, privacy advocate etc
the more people use Tor, the better for everyone

And still on 56. And backported security fixes. Those two alone make it worthwhile, I can edit about:config myself.

a piece of software that requires mass adaptation is always sketchy, especially when there alternative would be not sending anything at all and getting the same level of privacy...

First off don't make the list public. Even if it has to be scraped, having to programmatically refresh the circuit and send a request to their endpoint is harder than simply scraping an html table, that will deter some people.
Then make sure that there's a subset of exit nodes that aren't usable by any given geographical area and IP subnet, so the attacker has to have access to IPs from different countries and ISPs.
Then make people have to fill a captcha and wait a while to get a new exit node (at least for some of them which are marked as ban resistant).
Make some server IPs temporarily not be given out randomly or when they reach the time of day when they're most loaded.
Find some way to get a large number of IPs for cheap.
Instead of for example not returning Canvas data for fingerprinting (which makes it easy to know you're using Tor Browser) make it send random data that changes with each session and website. So the fingerprinting doesn't become any more harmful than a session cookie.
Send the traffic through Amazon, Google, and Azure servers so sites have to block all traffic coming from VPSs too.
Most of that is already done for Bridges, and some of them aren't blocked even by China. So why can't it be done for exit nodes?

How exactly do you plan to connect to a website and not give them your IP?


Basado y rojo pastilleado nojoda

Literally advocating security through obscurity
except that the exit node cannot know the IP of the origin to even do that. Also YOU select the exit node. It is not assigned to you. You have to know the list of exit nodes to select one. Having the tor foundation assign all the routes would be incredibly insecure. Even if it COULD be done I would just fire up a VPN that has all the countries to scrape. It would be done by one company that would publish the list.
except that is not how canvas fingerprinting works.

Or a way to switch between them often.
For example, deleting the VPS running the exit node and spinning up a new instance might get you a new IP with the same monthly expenses than a fixed IP. I'm pretty sure that could be automated with some VPS providers.

Oh another note. The IP would be from a data center ASN. Not an ISP ASN. This makes it incredibly clear the user is either a bot or using a VPN. This is easy to check and the list is public.

They are fine with this, they use captchas and limits to how IPs each client can get to discourage scraping bridges from BridgeDB.
All informational security is security through information asymmetries (for example someone knowing a password and someone else not, or in this case an IP).
I admit it's a feature that seems to be hard or impossible to implement without weakening the anonymization in some way. But think about it this way, it's better to be able to use websites like with weakened anonymity, than using a (((VPN))), barebacking, or not being able to use them at all, since most people (me included) will choose to use it in a shitty non anonymous at all way rather than leave. Maybe you could make the entry nodes add a flag to the following nodes that identifies the origin as belonging to one out of a number of sets of IP addresses, designed in a way so that each group contains an equal amount of people, trying to make it so belonging to a group doesn't reveal too much information about the owner of that IP address. And you could make the nodes relaying that flag optional, depending on if the client wants to use those "secret" Tor exit nodes.
I don't see why it has to be this way. If you're worried about the nodes given to a pre-exit node revealing information about what the pre-exit node was just by knowing the exit node, then make the clients that chose to use this subset of secret nodes request a 4 relay path instead of the default 3.
Yeah, all the stuff I said that could be done would help prevent against this. If you don't think those help, then you also must think BridgeDB is useless, since it uses a lot of the same methods I proposed.
Maybe, or maybe there isn't the economic incentive to go through all the trouble to circumvent those measures just to prevent Tor posters.
Even if it was done, the list would probably be behind a paywall, which would discourage a lot of would-be blockers.

Then how does canvas fingerprinting work, according to you?

why do those nigger companies maintain the lists for free and even give free access to apis that let faggots use the service to make accessing something harder. they should at least make the api a feature that costs money.

Good browsers 2019:
especially luakit

OK retard

By actually rendering to the canvas, reading the result, to detect differences in how the GPU itself handles things.

Oh god no company has ever published anything for free this is simply impossible no one would ever do that. It's not like there are free commercial geolocation data sets or anything.

Wow faggot this is unbelievably stupid. The search space of a good password is bigger than is physically possible to brute force given all the energy in the entire universe. Totally different than opening a tor connection a few thousand times.

Hey, don't worry about the other guy, I really like your posts. I agree exit nodes shouldn't be made public by tor project themselves. Make it harder for the attackers even if only a little.

OK fam

if everyone was using Tor network, we could have few browsers, not only one based on firefox
and if almost everyone was using Tor network we could also use alternatives to Tor


your solutions to hide exit nodes are something to consider, we could forward that to the Tor Project
but another problem is if exit nodes are not so public, it would be harder to identify malicious and CIA exit nodes

if Tor Browser will send random canvas data it will be the only web browser doing it, so it will be trivial to detect Tor Browser

bridges are guard nodes, first nodes in circuit. second and third node will be standard node
you can host Tor exit nodes on Amazon, Google, Azure. I don't understand how would it be different than hosting them on any VPS or server, except it's dangerous to host many exit nodes on such centralized corporations like Amazon and Google

>but think about it this way, it's better to be able to use websites like with weakened anonymity, than using a (((VPN))), barebacking, or not being able to use them at all, since most people (me included) will choose to use it in a shitty non anonymous at all way rather than leave.
sounds like a problem with you and people
if we started boycotting websites that block Tor, or even ddos and spam them in revenge, they would be forced to enable Tor access

how would this canvas fingerprinting provide any useful data if you have the same hardware and software that millions others have too


It just provides a few bits of entropy it is not even close to unique. Combined with 50 other things it becomes an issue.

Yeah, that's the problem.

I don't think current fingerprinting techniques are smart enough to figure out what engine you are using from pixel variations. I think they just render a static frame and compare the hash with a known database.
If they saw a previously unseen hash resulting from random data they would recognize it a rare event, but not necessarily coming from Tor Browser, since presumably other browsers also return unique results.
And in any case, don't just send random data or block the feature altogether, send what [most popular firefox version] would send.