Do you trust waterfox?

James Butler

I can't trust firefox these days, obviously not for privacy since they started telemetry, but not even for security (which was the main reason to use them) after the extension incident (which also affected tor browser!). If they can't keep 1 certificate up to date then how can they be trusted to keep any up to date?
Anyways, waterfox seems to be the first "telemetry-free" browser I've used that doesn't break sites or isn't severely out of date. Icecat breaks sites, ungoogled chromium is still built off google code, and pale moon is so fucking out of date it's not funny.
There is only one thing that concerns me though - the first time you start waterfox after installing, it pings a long list of websites which is what i am assuming is a network test - but why? I haven't noticed any other outgoing traffic after the initial bootup, but the first startup does concern me - I still use it daily regardless because I don't see any other logical alternative.
Do you trust it? trustless browsers are pretty busted up these days, because the nu-web does everything that leaves them behind (JS, remote fonts, abstracting code so that it only runs with proprietary measures implemented etc.)
sorry for the long post bros, i have adhd and talk a lot.


Adrian Barnes

no spyware.neocities.org/articles/waterfox.html

Charles Watson

Icecat.

Luke Butler

github.com/intika/Librefox

Wyatt Cruz

almost forgot, pale moon has a more up-to-date version:
basilisk-browser.org/

Ryan Wilson

Pale Moon is not outdated in any way that actually matters.

Henry Torres

the interface is taken from a more recent version of Firefox than Pale Moon, but the underlying browser code is the same. Only difference I remember is that Basilisk has support for Encrypted Media Extensions enabled.

Jose Lewis

Developer abandoned it after being contacted by Firefox lawyers apparently. There's a community fork going on at gitlab.com/librewolf-community


Brayden Rivera

1. THOSE FUCKERS!
2. Thank you for at least showing us they/we didn't give up.

Owen Smith

basilisks is just palemoon with all the cancer and botnet of firefox

David Lewis

It sounds like it's doing what firefox would do.

Noah Reed

It's Firefox with a blue logo and a few about:config changes.

Landon Williams

the only web browser without botnet is Tor Browser
use it or get fucked into asshole by CIA

> waterfox seems to be the first "telemetry-free" browser I've used that doesn't break sites or isn't severely out of date. Icecat breaks sites, ungoogled chromium is still built off google code, and pale moon is so fucking out of date it's not funny.
Tor Browser
telemetry-free
up to date
doesn't break sites on Low security settings (except cloudflare botnet)
fingerprint protection (waterfox doesn't offer)
you get unique IP for every website or even for same website on another session (waterfox gives you same IP for all sites, you are extremely tracked)

don't resist, order it now at torproject.org

Justin Edwards

> tor browser
enjoy being banned on every part of the net because the devs are retarded and will actively signal to every website/server that it's tor.
Telling everyone you're privacy concerned is like sneaking into a police office but you yell at the top of your lungs that you're being sneaky so they shouldn't chase you.


Matthew Miller

> enjoy being banned on every part of the net because the devs are retarded and will actively signal to every website/server that it's tor.
are you retarded? Tor Browser uses Firefox ESR user-agent. What better do you propose?
Tor is detected by IP, as tor exit nodes are publicly listed. if it wasn't, any person or corporation could just generate such list by downloading Tor and using a script to visit their IP checker, then change Tor circuit and check IP again, in loop. they would generate 95% complete list fast. I am sure (((some people))) would share unofficial Tor exit node lists on the internet
how do you want Tor to work while not looking as Tor?

> Telling everyone you're privacy concerned is like sneaking into a police office but you yell at the top of your lungs that you're being sneaky so they shouldn't chase you.
not comparable at all. when you use Tor you might tell that you are Tor user, but there are millions of people like you that use it. they don't know why you are using it, if you are paranoid, leftist, nazi, pedo, terrorist, hacker, privacy advocate etc
the more people use Tor, the better for everyone

Chase Young

And still on 56. And backported security fixes. Those two alone make it worthwhile, I can edit about:config myself.

Luke Jones

a piece of software that requires mass adaptation is always sketchy, especially when there alternative would be not sending anything at all and getting the same level of privacy...

Cameron Howard

First off don't make the list public. Even if it has to be scraped, having to programmatically refresh the circuit and send a request to their endpoint is harder than simply scraping an html table, that will deter some people.
Then make sure that there's a subset of exit nodes that aren't usable by any given geographical area and IP subnet, so the attacker has to have access to IPs from different countries and ISPs.
Then make people have to fill a captcha and wait a while to get a new exit node (at least for some of them which are marked as ban resistant).
Make some server IPs temporarily not be given out randomly or when they reach the time of day when they're most loaded.
Find some way to get a large number of IPs for cheap.
Instead of for example not returning Canvas data for fingerprinting (which makes it easy to know you're using Tor Browser) make it send random data that changes with each session and website. So the fingerprinting doesn't become any more harmful than a session cookie.
Send the traffic through Amazon, Google, and Azure servers so sites have to block all traffic coming from VPSs too.
Most of that is already done for Bridges, and some of them aren't blocked even by China. So why can't it be done for exit nodes?

Easton Myers

> not sending anything at all
How exactly do you plan to connect to a website and not give them your IP?

Cameron Nguyen

N

Sebastian Richardson

N
Based and redpilled, damn it

Charles Roberts

> Even if it has to be scraped
Literally advocating security through obscurity
> Then make sure that there's a subset of exit nodes that aren't usable by any given geographical area and IP subnet
except that the exit node cannot know the IP of the origin to even do that. Also YOU select the exit node. It is not assigned to you. You have to know the list of exit nodes to select one. Having the tor foundation assign all the routes would be incredibly insecure. Even if it COULD be done I would just fire up a VPN that has all the countries to scrape. It would be done by one company that would publish the list.
> make it send random data that changes with each session and website. So
except that is not how canvas fingerprinting works.

Henry Robinson

> Find some way to get a large number of IPs for cheap.
Or a way to switch between them often.
For example, deleting the VPS running the exit node and spinning up a new instance might get you a new IP with the same monthly expenses than a fixed IP. I'm pretty sure that could be automated with some VPS providers.

Daniel Torres

Oh another note. The IP would be from a data center ASN. Not an ISP ASN. This makes it incredibly clear the user is either a bot or using a VPN. This is easy to check and the list is public.

Grayson Hughes

They are fine with this, they use captchas and limits to how many IPs each client can get to discourage scraping bridges from BridgeDB.
All informational security is security through information asymmetries (for example someone knowing a password and someone else not, or in this case an IP).
> except that the exit node cannot know the IP of the origin to even do that.
I admit it's a feature that seems to be hard or impossible to implement without weakening the anonymization in some way. But think about it this way, it's better to be able to use websites like 8ch.net with weakened anonymity, than using a (((VPN))), barebacking, or not being able to use them at all, since most people (me included) will choose to use it in a shitty non anonymous at all way rather than leave. Maybe you could make the entry nodes add a flag to the following nodes that identifies the origin as belonging to one out of a number of sets of IP addresses, designed in a way so that each group contains an equal amount of people, trying to make it so belonging to a group doesn't reveal too much information about the owner of that IP address. And you could make the nodes relaying that flag optional, depending on if the client wants to use those "secret" Tor exit nodes.
> Also YOU select the exit node. It is not assigned to you.
I don't see why it has to be this way. If you're worried about the nodes given to a pre-exit node revealing information about what the pre-exit node was just by knowing the exit node, then make the clients that chose to use this subset of secret nodes request a 4 relay path instead of the default 3.
> Having the tor foundation assign all the routes would be incredibly insecure.
Yes.
> Even if it COULD be done I would just fire up a VPN that has all the countries to scrape.
Yeah, all the stuff I said that could be done would help prevent against this. If you don't think those help, then you also must think BridgeDB is useless, since it uses a lot of the same methods I proposed.
> It would be done by one company that would publish the list.
Maybe, or maybe there isn't the economic incentive to go through all the trouble to circumvent those measures just to prevent Tor posters.
Even if it was done, the list would probably be behind a paywall, which would discourage a lot of would-be blockers.

Jacob Reyes

> except that is not how canvas fingerprinting works.
Then how does canvas fingerprinting work, according to you?

Nathaniel Bell

why do those nigger companies maintain the lists for free and even give free access to apis that let faggots use the service to make accessing something harder. they should at least make the api a feature that costs money.

Jacob Baker

Good browsers 2019:
luakit
brave
especially luakit

Eli Butler

making tor insecure for a shitty reason is a good thing
OK retard
By actually rendering to the canvas, reading the result, to detect differences in how the GPU itself handles things.
Oh god no company has ever published anything for free this is simply impossible no one would ever do that. It's not like there are free commercial geolocation data sets or anything.

Landon Williams

> All informational security is security through information asymmetries (for example someone knowing a password and someone else not,
Wow faggot this is unbelievably stupid. The search space of a good password is bigger than is physically possible to brute force given all the energy in the entire universe. Totally different than opening a tor connection a few thousand times.

Aaron Baker

Hey, don't worry about the other guy, I really like your posts. I agree exit nodes shouldn't be made public by tor project themselves. Make it harder for the attackers even if only a little.

Julian Turner

make it harder for the attackers at a massive reduction in security
OK fam

Jayden Carter

> a piece of software that requires mass adaptation is always sketchy,
if everyone was using Tor network, we could have few browsers, not only one based on firefox
and if almost everyone was using Tor network we could also use alternatives to Tor

> especially when there alternative would be not sending anything at all and getting the same level of privacy...
how?

> First off don't make the list public.
your solutions to hide exit nodes are something to consider, we could forward that to the Tor Project
but another problem is if exit nodes are not so public, it would be harder to identify malicious and CIA exit nodes

> Instead of for example not returning Canvas data for fingerprinting (which makes it easy to know you're using Tor Browser) make it send random data that changes with each session and website.
if Tor Browser will send random canvas data it will be the only web browser doing it, so it will be trivial to detect Tor Browser

> Send the traffic through Amazon, Google, and Azure servers so sites have to block all traffic coming from VPSs too.
> Most of that is already done for Bridges, and some of them aren't blocked even by China. So why can't it be done for exit nodes?
bridges are guard nodes, first nodes in circuit. second and third node will be standard node
you can host Tor exit nodes on Amazon, Google, Azure. I don't understand how would it be different than hosting them on any VPS or server, except it's dangerous to host many exit nodes on such centralized corporations like Amazon and Google

> but think about it this way, it's better to be able to use websites like 8ch.net with weakened anonymity, than using a (((VPN))), barebacking, or not being able to use them at all, since most people (me included) will choose to use it in a shitty non anonymous at all way rather than leave.
sounds like a problem with you and people
if we started boycotting websites that block Tor, or even ddos and spam them in revenge, they would be forced to enable Tor access

Samuel Russell

how would this canvas fingerprinting provide any useful data if you have the same hardware and software that millions others have too

Nathan Turner

the "open and free privacy browser" shuts down actual open and free browser

Grayson Collins

It just provides a few bits of entropy it is not even close to unique. Combined with 50 other things it becomes an issue.

Kevin Lewis

Yeah, that's the problem.

Angel Thompson

> By actually rendering to the canvas, reading the result, to detect differences in how the GPU itself handles things.
I don't think current fingerprinting techniques are smart enough to figure out what engine you are using from pixel variations. I think they just render a static frame and compare the hash with a known database.
If they saw a previously unseen hash resulting from random data they would recognize it a rare event, but not necessarily coming from Tor Browser, since presumably other browsers also return unique results.
And in any case, don't just send random data or block the feature altogether, send what [most popular firefox version] would send.
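
Added example (not part of any post in this thread): a Node-runnable model of the canvas-hash argument above. It shows that noise keyed on session and site makes the hash unlinkable across sites, like a session cookie, while also producing a hash that no unmodified browser emits. The pixel data, profile names, session keys, origins and `hash32` are all constructed stand-ins.

```javascript
// Simulated model: no real canvas API, so it runs under Node.
// hash32 is a non-cryptographic stand-in (FNV-1a plus a final mix) for
// whatever hash a fingerprinting script applies to the pixel readback.
function hash32(bytes) {
  let h = 0x811c9dc5;
  for (const b of bytes) h = Math.imul(h ^ b, 0x01000193);
  h ^= h >>> 16; h = Math.imul(h, 0x85ebca6b);
  h ^= h >>> 13; h = Math.imul(h, 0xc2b2ae35);
  return (h ^ (h >>> 16)) >>> 0;
}
const bytesOf = (s) => Array.from(s, (c) => c.charCodeAt(0) & 0xff);

// Constructed readback: pixels depend only on the GPU/driver profile,
// so every site that draws the same frame reads the same bytes.
function renderPixels(profile, n = 64) {
  return Array.from({ length: n }, (_, i) => hash32(bytesOf(`${profile}#${i}`)) & 0xff);
}

// The proposal from the thread: flip the low bit of each pixel using noise
// keyed on (session secret, site origin). Stable within one session on one
// site, different for any other session or site.
function noisyPixels(profile, sessionKey, origin) {
  return renderPixels(profile).map(
    (p, i) => p ^ (hash32(bytesOf(`${sessionKey}|${origin}|${i}`)) & 1));
}

const canvasHash = (pixels) => hash32(pixels).toString(16).padStart(8, "0");

// Hashes already observed from unmodified browsers (constructed sample).
const PROFILES = ["gpu-A/driver-1", "gpu-B/driver-7", "gpu-C/driver-3"];
const KNOWN = new Set(PROFILES.map((p) => canvasHash(renderPixels(p))));

// What two unrelated sites learn from the same visitor.
function crossSite(readback) {
  const a = canvasHash(readback("https://site-a.example"));
  const b = canvasHash(readback("https://site-b.example"));
  return { a, b, linkable: a === b, inKnownSet: KNOWN.has(a) && KNOWN.has(b) };
}

const stock = crossSite(() => renderPixels("gpu-A/driver-1"));
const noisy = crossSite((o) => noisyPixels("gpu-A/driver-1", "session-1", o));
console.log({ stock, noisy });
```

The unmodified readback is linkable across both sites and matches a known hash; the noisy one is unlinkable but falls outside the known set, which is the trade-off the posts above argue over.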