Firefox users: Mozilla's plan is troubling

[mikeymikec]

I'd be back to Firefox like a shot if they managed to get it to perform competitively with Chrome and if they managed to do something respectable with regard to security (ie. a noteworthy innovation that puts them ahead of the curve). There are plenty of features that I prefer Firefox for and a fair few things that irritate me about Chrome's main functions (that it doesn't have the old "open with or save to disk" UI which was common in web browsers once, and is still in FF), and my overall use of Chrome is bordering on 'begrudging'.

I think Mozilla is at the 'waiting for god' stage right now and for someone with vision to fork Firefox and Thunderbird and harness the enthusiasm of the developer community.

 

[Ichinisan]

... There are plenty of features that I prefer Firefox for and a fair few things that irritate me about Chrome's main functions (a download 'save as' feature would be really nice), and my overall use of Chrome is bordering on 'begrudging'.

I'm pretty sure both browsers have always had the option to show "save as" by default for downloads. I don't enable it because some seconds are wasted when it could have been downloading. I can quickly move a downloaded file to wherever I want anyway.

 

[mikeymikec]

I'm pretty sure both browsers have always had the option to show "save as" by default for downloads. I don't enable it because some seconds are wasted when it could have been downloading. I can quickly move a downloaded file to wherever I want anyway.

Yeah, when you worded it like that I was a bit confused, thinking that I'm sure I've seen that setting in Chrome. What I should have said was that I prefer the 'open with or save to disk' window that FF has. In Chrome, you can tell it to ask you where to save a download, but you apparently can't tell it to just show you a file to be automatically disposed of once the browser is closed (unless it's a PDF or image).

I've edited my previous post to avoid further confusion.

 

[lxskllr]

I'd hate to see FF go away but I do feel it needs a HUGE revamp, maybe even a rewrite. It's gotten so bloated and cpu and memory intensive, they could do better.

Firefox is probably the leanest mainstream browser out there. That's what you get when you're single process. If you want to talk bloated, look at chrome.

That said, they are doing a complete rewrite, and that's what everyone's bitching about. Multi process(bloat), and web extensions(addon breakage/impossibility). I'm waiting to see what it looks like when it's done. but I haven't been impressed with mozilla for a few years now. Today, it's the best of a bad set of choices. Tomorrow??

 

[Ichinisan]

Firefox is probably the leanest mainstream browser out there. That's what you get when you're single process. If you want to talk bloated, look at chrome.

That said, they are doing a complete rewrite, and that's what everyone's bitching about. Multi process(bloat), and web extensions(addon breakage/impossibility). I'm waiting to see what it looks like when it's done. but I haven't been impressed with mozilla for a few years now. Today, it's the best of a bad set of choices. Tomorrow??

Multiprocess is the opposite of "bloat." It should *really* help simplify the code to handle each page separately. It will also optimize threading efficiency with the OS. It's really a complete shame FF didn't do a proper multi-process + sandboxing model a loooong time ago. If they did. I'd probably still be using FF.

 

[lxskllr]

Multiprocess is the opposite of "bloat." It should *really* help simplify the code to handle each page separately. It will also optimize threading efficiency with the OS. It's really a complete shame FF didn't do a proper multi-process + sandboxing model a loooong time ago. If they did. I'd probably still be using FF.

multiprocess uses much more ram than single process. It's exactly bloat. It may or may not give other benefits, but it isn't lean.

 

[mikeymikec]

That's a pretty unique definition of bloatware!

If you have a product that can perform its core function far quicker than competitors, that's exactly what its users want.

If however you have a competitor that performs that same function almost as quickly or quicker than the first product while using significantly less resources, then you could define the first product as bloated. A decent multi-process implementation like Chrome's has massive performance benefits, easily demonstrable benefits, and it leaves Firefox in the dust.

What you're doing is like comparing a Ferrari to a 70's mini and saying the latter is clearly the better car because it weighs less. Sure, that might be a handy benefit in some scenarios, but not really the ones that people would use the Ferrari for!

 

[pcslookout]

Multiprocess is the opposite of "bloat." It should *really* help simplify the code to handle each page separately. It will also optimize threading efficiency with the OS. It's really a complete shame FF didn't do a proper multi-process + sandboxing model a loooong time ago. If they did. I'd probably still be using FF.

I agree! Don't care how much ram my browser uses. That is why I have 32 GB of ram.

 

[lxskllr]

That's a pretty unique definition of bloatware!

If you have a product that can perform its core function far quicker than competitors, that's exactly what its users want.

If however you have a competitor that performs that same function almost as quickly or quicker than the first product while using significantly less resources, then you could define the first product as bloated. A decent multi-process implementation like Chrome's has massive performance benefits, easily demonstrable benefits, and it leaves Firefox in the dust.

What you're doing is like comparing a Ferrari to a 70's mini and saying the latter is clearly the better car because it weighs less. Sure, that might be a handy benefit in some scenarios, but not really the ones that people would use the Ferrari for!

Chrome isn't massively faster. Just faster, but with less customization potential. Some people are happy with what's handed to them, and don't change things at all. I'm not one of those people. Every browser aside from firefox pretty much presents itself on take it or leave it terms. At r57 firefox will be like every other browser; probably... I'll wait and see, but it isn't looking good.

 

[mikeymikec]

Chrome isn't massively faster. Just faster, but with less customization potential. Some people are happy with what's handed to them, and don't change things at all. I'm not one of those people. Every browser aside from firefox pretty much presents itself on take it or leave it terms. At r57 firefox will be like every other browser; probably... I'll wait and see, but it isn't looking good.

On a multi-tab (32 tabs IIRC) loading job that I do on a regular basis, Firefox takes 40 seconds to finish loading the content. Chrome takes 15. I'd call that a pretty massive difference. And it's not a question of iffy plug-ins/add-ons, page caching or fresh profiles.

If it wasn't a question of experience of Mozilla's complete lack of dedication to what matters in a web browser, I'd frankly be amazed that Firefox still works like dual-core processors are hot stuff. As I've said already, I like a lot of Firefox's features, but your accusation of bloatware is far better aimed at Firefox and the farces such as 'Hello' and 'Pocket'.

 

[sweenish]

I'm pretty sure FF is still a security nightmare, and for that reason alone, I've stopped using it.

I will use Edge before FF these days. And after the Creator's Update, Edge is a lot nicer than it used to be.

 

[coffeemonster]

I'm pretty sure FF is still a security nightmare, and for that reason alone, I've stopped using it.

security nightmare?
even back in 2014 tiptopsecurity.com said after ranking chrome #1 in security:

"Chrome is probably the marginal winner in security. Of course it’s not always so cut and dry. As stated, I actually use Firefox. I believe it has the best security/privacy combo in this roundup.
In the end, your security is based mostly on your behavior. No browser can always protect a user who’s browsing habits are unsafe."

https://tiptopsecurity.com/safest-web-browser-chrome-firefox-ie-opera-safari-comparison-chart/

 

[mikeymikec]

security nightmare?
even back in 2014 tiptopsecurity.com said after ranking chrome #1 in security:

"Chrome is probably the marginal winner in security. Of course it’s not always so cut and dry. As stated, I actually use Firefox. I believe it has the best security/privacy combo in this roundup.
In the end, your security is based mostly on your behavior. No browser can always protect a user who’s browsing habits are unsafe."

https://tiptopsecurity.com/safest-web-browser-chrome-firefox-ie-opera-safari-comparison-chart/

"Chrome is the marginal winner.... of this opinion piece". The updated article that the author suggests you read gives out ratings in its highly scientific analysis such as "okay".

The author's review of Internet Explorer and their rating of its security as "the worst" is just mind-boggling: The author literally gives zero basis for their rating, and therefore it's less than worthless because they've also completely wasted their readers' time. Who bothers wasting their time writing this stuff? It's like an early teen was given their first IT essay to write, though to be fair by that standard it's quite good; it's just of no use whatsoever to help anyone make informed decisions. If I had written it as a kid I'd probably keep it out of sentimental/chuckle value.

"One of Firefox’s biggest shortcomings is that it does not use a sandbox to keep the internet separated from your system. These days I consider a sandbox essential for most users. Every other browser I cover here uses a sandbox of some kind."

He thinks that a sandbox is essential for browsing, yet he gave Firefox an "okay" security rating? IE apparently has a sandbox implementation yet received a lower rating?

Wow: Talk about having an opinion and seeking to justify it rather than doing research then forming conclusions based on the available evidence.

 

[Chiefcrowe]

I agree with you. I'd love to see some new innovations that are not in other browsers for example blocking more tracking by default and some other things I liked that they have been testing like allowing videos to play in a small window on the screen similar to picture in picture, snooze tabs, containers, etc...

Several of them are available for testing here:
https://testpilot.firefox.com

I'd be back to Firefox like a shot if they managed to get it to perform competitively with Chrome and if they managed to do something respectable with regard to security (ie. a noteworthy innovation that puts them ahead of the curve). There are plenty of features that I prefer Firefox for and a fair few things that irritate me about Chrome's main functions (that it doesn't have the old "open with or save to disk" UI which was common in web browsers once, and is still in FF), and my overall use of Chrome is bordering on 'begrudging'.

I think Mozilla is at the 'waiting for god' stage right now and for someone with vision to fork Firefox and Thunderbird and harness the enthusiasm of the developer community.

 

[Red Squirrel]

Browsers in general are piss pour in security, part of it is because of outdated web standards that need to be let to die, and then shot again just to make sure. For one, it should not be possible for a web page to execute any kind of code on the client system. That should simply not be something that is doable. yes, that means kill flash. We need to kill all forms of plugins. Stuff like video playback can be done with HTML5, a lot of interactive stuff can be done in javascript - speaking of which, I think that can execute code on the client system, so that needs a revamp too. Essentially, a web page needs to be a self contained thing that has zero access to the client system. This needs to be done by design so that no exploit or trick can escape that. Each tab could be in it's own VM/jail/container, or something.

Of course you do need access to the client system in order to store cache and downloads, but that access should be restricted to only those folders.

 

[Chiefcrowe]

Yes!! that would be really great if they could pull that off.
Wonder how close edge or chrome are to this model?

Browsers in general are piss pour in security, part of it is because of outdated web standards that need to be let to die, and then shot again just to make sure. For one, it should not be possible for a web page to execute any kind of code on the client system. That should simply not be something that is doable. yes, that means kill flash. We need to kill all forms of plugins. Stuff like video playback can be done with HTML5, a lot of interactive stuff can be done in javascript - speaking of which, I think that can execute code on the client system, so that needs a revamp too. Essentially, a web page needs to be a self contained thing that has zero access to the client system. This needs to be done by design so that no exploit or trick can escape that. Each tab could be in it's own VM/jail/container, or something.

Of course you do need access to the client system in order to store cache and downloads, but that access should be restricted to only those folders.

 

[Ichinisan]

Browsers in general are piss pour in security, part of it is because of outdated web standards that need to be let to die, and then shot again just to make sure. For one, it should not be possible for a web page to execute any kind of code on the client system. That should simply not be something that is doable. yes, that means kill flash. We need to kill all forms of plugins. Stuff like video playback can be done with HTML5, a lot of interactive stuff can be done in javascript - speaking of which, I think that can execute code on the client system, so that needs a revamp too. Essentially, a web page needs to be a self contained thing that has zero access to the client system. This needs to be done by design so that no exploit or trick can escape that. Each tab could be in it's own VM/jail/container, or something.

Of course you do need access to the client system in order to store cache and downloads, but that access should be restricted to only those folders.

JavaScript is not allowed to do anything to the system.

 

[Red Squirrel]

JavaScript is not allowed to do anything to the system.

What about stuff like "OneClick" or whatever it's called? It's meant to make it convenient to install stuff, though I admit I have not seen that much, is it something that's gone? I remember installing Chrome that way, just had to click a link and it would start to install. This was not malicious, but that same type of code could be used maliciously.

Mobile is maybe different, but I've had sites launch the app store, so nothing stops them from launching malicious code too. Maybe that's not javascript though but either way this kind of execution of code should not be allowed.

 

[CZroe]

What about stuff like "OneClick" or whatever it's called? It's meant to make it convenient to install stuff, though I admit I have not seen that much, is it something that's gone? I remember installing Chrome that way, just had to click a link and it would start to install. This was not malicious, but that same type of code could be used maliciously.

Mobile is maybe different, but I've had sites launch the app store, so nothing stops them from launching malicious code too. Maybe that's not javascript though but either way this kind of execution of code should not be allowed.

Sounds more like something that requires a helper application or plugin. JavaScript can't just install stuff on your computer.

 

[Ichinisan]

What about stuff like "OneClick" or whatever it's called? It's meant to make it convenient to install stuff, though I admit I have not seen that much, is it something that's gone? I remember installing Chrome that way, just had to click a link and it would start to install. This was not malicious, but that same type of code could be used maliciously.

Mobile is maybe different, but I've had sites launch the app store, so nothing stops them from launching malicious code too. Maybe that's not javascript though but either way this kind of execution of code should not be allowed.

Chrome usually installs without a single question, but it's still an executable file you downloaded and then clicked to run. You're confused about exactly which point because there's a "share info with Google" opt-out option just before the download. It just downloads a slightly different executable based on your selection.

If Chrome somehow did that somehow, it would have nothing to do with JavaScript. I think everyone knows that would be the single worst idea of all the bad ideas there ever were.

I've downloaded Chrome hundreds and hundreds of times for so many people over the years. It does not execute itself.

 

[sweenish]

security nightmare?
even back in 2014 tiptopsecurity.com said after ranking chrome #1 in security:

"Chrome is probably the marginal winner in security. Of course it’s not always so cut and dry. As stated, I actually use Firefox. I believe it has the best security/privacy combo in this roundup.
In the end, your security is based mostly on your behavior. No browser can always protect a user who’s browsing habits are unsafe."

https://tiptopsecurity.com/safest-web-browser-chrome-firefox-ie-opera-safari-comparison-chart/

https://it.slashdot.org/story/16/02/12/034206/pwn2own-2016-wont-attack-firefox-because-its-too-easy

Try next time.

 

[coffeemonster]

https://it.slashdot.org/story/16/02/12/034206/pwn2own-2016-wont-attack-firefox-because-its-too-easy

Try next time.

besides a clickbait title with little substance, you didn't actually read any of the comments section there did you?
but please don't try again

This thread is for discussion of Firefox's future and what it's forks offer for current users and fans.

 

[sweenish]

Like this comment?

All modern browsers except Firefox have decomposed their browser into multiple processes, so that a compromise from one site will only gain control over an unprivileged (i.e. isolated from other stuff the user cares about) process. They also run plugins in separate processes and have fairly narrow communication paths between them. Firefox is still a massive monolithic process, including all add-ons, plugins, and so on.

This basically means that you just need one arbitrary code execution vulnerability in Firefox and it's game over. In contrast, if you have the same in Chrome, Edge, or Safari, then it's just the first step - you now have an environment where you can run arbitrary exploit code, but you can't make (most) system calls and you have to find another exploit to escape from the sandbox. Typical Chrome compromises are the result of chaining half a dozen vulnerabilities together.

https://it.slashdot.org/comments.pl?sid=8737473&cid=51493745

Maybe this one?

The FF developers don't have the time for that, they're far too busy destroying the user experience just a little bit more with each release.

It takes a lot of time and effort and great skill to ruin what used to be the best browser you know, it doesn't happen by itself!

(I just wish I were joking. Unfortunately they have the Microsoft disease of "The UI must change with each release to show that we're doing something". It's mind-boggling in its insanity, and it annoys their supporters continually. If they hadn't touched the UI in the last 5 years and devoted all their energy to security and performance instead, FF would still be the leading browser today.)

https://it.slashdot.org/comments.pl?sid=8737473&cid=51493695

How about this?

Obviously Firefox wasn't shamed last year, or they would have tried to improve security. Instead, they made a bunch of useless UI changes, removed features, etc. They didn't get the message. Spending large amounts of money to send them the same message again would be a wasted effort. By ignoring them this year, Pwn2Own is sending an even stronger message that Firefox is a browser to be avoided. And it doesn't cost them any prize money to send that message.

Parent

https://it.slashdot.org/comments.pl?sid=8737473&cid=51494035




I will concede one point. It's safer than I thought. However, that doesn't mean much given how poorly of it I thought.

If Firefox's future doesn't include security at its core, and it hasn't for a while now, it has no future. Someone in those comments mentioned servo, and if that actually happens, I'll gladly change my tune. But today, FF should be avoided.

 

[bononos]

https://forum.palemoon.org/viewtopic.php?f=4&t=14846&sid=f229e87c9006e7f968f1167d455e36d6
For those of you who, like me, prefer firefox(and forks) for all it's differences to chrome, especially customizability and a huge catalog of extensions. Check out palemoon if you havent.
.........

Why did you choose such a thread title which is totally wrong?

Its not FF which is being killed, its Palemoon. The thread you quoted is written by a PM fan who is having trouble letting go of PM, and hoping beyond reason that FF dies as well.

Because of FF's new extension scheme, PM users are going to be left out in the cold when legacy mode for non-multiprocess compatible extensions will not work. I would certainly not advise anyone to check out PM since its going belly up. Waterfox tweaks its browser to allow npapi extensions which opens it up to security, stability issues. I'd look at Cliqz if only the basic addons (eg. adblock) are needed.

 

[taisingera]

I am finding FF 53 pretty fast. My plan for this year is to see if all my extensions stay working into FF57. If not, I will see which browser is the fastest and use that full time. Then I have FF52 ESR installed on a PortableApps flash drive if I ever need to use any of the extensions that will stop working in FF57.