Crazy like a (Fire)Fox
August 22, 2015 5:30 PM
While it used to be the leading alternative to Internet Explorer (and others), Firefox has seen its market share erode steadily since the 2008 debut of Google Chrome. The Mozilla Foundation has made several oft-controversial bids at relevancy, including native video chat, Pocket integration, a mobile browser (and OS), a UI overhaul, and a rapid release schedule that's reached version 40 (and counting). But the latest proposal -- part of a reboot of the stalled Electrolysis multiprocessing project -- will prove the most daunting. Although it will modernize the browser's architecture, it also deprecates the longtime XUL framework in favor of more limited and Chrome-like "web extensions" -- requiring Firefox's vast catalog of powerful add-ons to be rewritten from scratch or cease functioning. While developers will have until 2017 to fully adapt, opinion is divided -- NoScript's Giorgio Maone reassures doubters, while the DownThemAll! team says "it feels like I just learned my dear old friend Firefox is going to die."
Most popular Firefox add-ons
Is your favorite add-on compatible with Electrolysis?
AskMeFi: What add-ons to Firefox do you find useful? (2009) - What are some essential Firefox addons? (2011)
Greasemonkey Scripts and Plugins on the MeFi Wiki (note you can change any userscripts.org URL to userscripts-mirror.org to get a working copy)
An abridged history of Firefox on MetaFilter:
(Mozilla, pre-2004: Netscape 6 vs. Mozilla M14 - Mozilla savaged by suck - New Mozilla Browser - Blogzilla - Mozilla 1.0 - Mozilla criticized for name conflict - AOL Kills Netscape)
2004: Take the browser plunge! - Now even Slate is saying that you should ditch IE and switch to Firefox - The new browser war - Firefox 1.0 released - Firefox's ad in the New York Times
2005: Greasemonkey - April: 50 million Firefox downloads - October: 100 million! - Tools for surfing porn - Firefox 1.5 released
2006: Is Firefox too extensible? (part deux) - When Firefox, privacy and relationships collide... - WHEEEEEEE (mirror) - Revamping the browser - It's Firefox Day! - Firefox 2.0 released - Introducing Microsoft Firefox - Google's Browser Sync
2007: Gina Trapani's Invisibility Cloak - Zotero, a free open-source research tool - Is Firefox bad for the Internet?
2008: Firefox 3.0 released - Mozilla's Ubiquity project - Google Chrome released - Experience the Great Firewall at home! - Read It Later
2009: Add Art - Free yourself from the tyranny of Facebook quizzes - Can a Firefox extension extend rationality? - Mozilla unofficially recommends Bing over Google
2010: The new browser video wars - Disabling Facebook Connect on Non-Facebook Websites - TabCandy
2011: Firefox nixes the RSS button - Video Wars, round 2 - HTML 5 Circus - Mozilla defies the Justice Department - Ever wondered what the ad networks know about you? - NewsCorp blockers - View a web page's DOM in 3D - Mozilla's webdev collection
2012: On the Choice of Browser and Numerical Intelligence - BrowserQuest - The death of Thunderbird - Turn all Youtube Comments into "HERP DERP" - Design Principles Behind the Firefox OS UX
2013: The death of Google Reader (and implications for Firefox) - The death of the Blink tag - FBI pwns Firefox's TOR Browser Bundle
2014: Brandon Eich controversy - Translating technological terms
2015: Mihai's legacy - Mozilla is moving to deprecate support of HTTP
Hrrm. Firebug is 9/10ths of why I still use the thing, hoping that's not affected.
posted by Artw at 5:38 PM on August 22, 2015 [7 favorites]
NPAPI 1995–2015
posted by infinitewindow at 5:42 PM on August 22, 2015 [7 favorites]
The developer behind TenFourFox (Firefox for old PowerPC Macs) is not happy, referring to this as a "footgun add-on policy".
posted by vasi at 5:45 PM on August 22, 2015 [4 favorites]
I really hope Firefox doesn't become obsolete. I hate using Google stuff. I already use Gmail and that's enough for me.
posted by ChuckRamone at 5:56 PM on August 22, 2015 [13 favorites]
Other than Microsoft, all other browsers are either unusably half baked or Chromium forks, so I really hate the idea of Firefox going away.
I liked Chrome when it was new, but now it's so bloated that I can't stand it. Maybe I could tweak and optimize it, but Firefox works great out of the box and has good privacy features built in.
posted by mccarty.tim at 5:57 PM on August 22, 2015 [17 favorites]
Really interested to see how (if?) this affects TOR browser, as far as I know there's no version based on Chrome.
posted by T.D. Strange at 5:58 PM on August 22, 2015 [1 favorite]
Oddly Firefox gives me a bit more of an appreciation for Google, as it's one of the browsers that now by default give you anything-but-Google as the search engine - Yahoo in this case I believe - and if you forget that post setup and do a search you end up with garbage search results until you change the default.
posted by Artw at 5:59 PM on August 22, 2015 [8 favorites]
this is gonna sound like some crazy conspiracy-theorist stuff, but we really don't want Chrome to become the leading browser. one of the Google fellas has a huge stake in 23andMe, personal genomics company. if you use Google, Gmail, Chrome and 23andMe, Google will know literally everything about you.
posted by ChuckRamone at 6:03 PM on August 22, 2015 [3 favorites]
Firefox offshoot Palemoon is my default browser these days... wondering and worried how they're going to handle this.
posted by Auden at 6:05 PM on August 22, 2015 [2 favorites]
I resisted chrome as long as I could but the major ui redesign was the last straw for me.
posted by Evstar at 6:06 PM on August 22, 2015
I've had this weird issue for the last couple of years where I just don't know why I'd use one browser or another. I use Chrome because... inertia?
I remember when Firefox first came out, and it was REALLY exciting, because it was a slim, usable browser that did great rendering the web, and it wasn't the hellish IE. Now I open any web browser, and think, "Gee, this sure does load webpages." Newest one was Edge. It sure does load webpages!
posted by selfnoise at 6:07 PM on August 22, 2015 [28 favorites]
If this does kill it off finally I won't be surprised; I'm already sad. I stopped using it a couple of years ago because of the slowness and incredible bloat it was acquiring due to all the features it seemed to "need" (and it kept corrupting my bookmarks). I started using it when it was called Phoenix 0.2 because it was so simple and fast even on older systems, and when the adblocker showed up I was hooked. Now I am stuck with the fast and simple but ultimately untrustworthy Chrome. Opera still is too goofy for my taste and is a PITA to add extensions to. I'm hopeful for the new MS browser called Edge, which is fast and simple, but has no extension support.
I just want something that will browse, not connect to all this social stuff and go nuts with toolbars and such, and I want something secure, with the ability to block all the crap that allows the content owners and financial wizards to track me wherever I go.
I don't think Firefox became obsolete - I do think it lost its sense of why it existed in the first place. Of course come to think of it much of the Web has as well.
posted by cybrcamper at 6:10 PM on August 22, 2015 [19 favorites]
I don't know how people use the internet without NukeAnything and ImageZoom.
posted by Pope Guilty at 6:11 PM on August 22, 2015 [9 favorites]
Version 33.0.3, and all updates are turned off. The proposals I hear coming from the Mozilla leads all seem to take it away from what I want it to be, which is a highly hackable and open internet tool. It's open source, yes? It'll be interesting to see how hard it's going to be to fork it.
posted by benito.strauss at 6:11 PM on August 22, 2015 [1 favorite]
Iceweasel, the Firefox fork, will likely continue to be available (at least on Debian and derivatives). I use Firefox, mostly, but I have an old laptop with Iceweasel on it and it's functionally identical, as far as I can tell. It even syncs with my Firefox install.
posted by mondo dentro at 6:12 PM on August 22, 2015 [3 favorites]
I'm pretty much the opposite of a power user. I can't really think of any specific features that I know or care about when it comes to browsers. But I stopped using Firefox a few years ago when it just became noticeably laggy and crashy.
posted by threeants at 6:12 PM on August 22, 2015 [5 favorites]
IceWeasel? Well, let's go see if anyone's building for Windows, and looks trustworthy ...... wow, nostalgia as strong as an ice cream headache!
posted by benito.strauss at 6:15 PM on August 22, 2015 [2 favorites]
I always thought that people's talk of [Firefox] lag and crashes were 1) shitty extensions they installed, or 2) Flash. So this announcement could possibly deal with #1 (and at the same time allow for multiprocess browsing, also a win), and Flash is doing a good job of killing itself off...
Sounds like good news to me.
posted by sutt at 6:16 PM on August 22, 2015 [8 favorites]
Lately I've been trying out Opera as a way to use WebKit and Chromium technology while being reasonably confident it's not phoning home to Apple or Google. My review so far: "Enh. It's okay."
posted by George_Spiggott at 6:23 PM on August 22, 2015 [2 favorites]
I use Firefox because a) I like a dose of orange in my day, and b) so far it has managed to retain (and even improve) its usability. Anything I want it to do, it can do without too much fuss.
If it stays orange and unobtrusive it will probably continue being my go-to browser.
posted by mantecol at 6:34 PM on August 22, 2015 [7 favorites]
I don't doubt that the people who currently use Firefox as it is now are fairly likely to like Firefox as it is now. But if Firefox's market share is dwindling--I haven't used it regularly in years--then "this big change will kill it" doesn't make sense to me. I guess it might kill it in the sense that the Mozilla Suite died. It did go away and was replaced with something that felt very different. I remember people who were upset by that. And yet Firefox after that had a period of being incredibly successful. I don't see Mozilla-the-organization going away because of this, and while rewriting extensions will I'm sure be annoying? Electrolysis is the thing that needs to happen before I'll even consider using it again.
The part of this that concerns me is the "more limited". But the Ars Technica article seems high on FUD and low on details about what's going to go wrong with that. "Extensions were given fairly free and unfettered access to Firefox internals, including the HTML on the rendered page. This provided extension developers great power, but it also made Firefox brittle and hard to maintain." I have run into some times when Firefox extensions looked better than Chrome extensions, but it always looked like it was just a case of the developer being a Firefox user and not supporting both. Are there really things the new model will outright forbid you to do? It seems impossible that the new model is going to make altering the page off-limits, that seems like a core function of things like ad blockers. The article makes it sound like Firefox extensions will be less cool afterwards, but it sounds more like they're just going to have to be rewritten. Sometimes you just can't maintain backwards compatibility forever.
posted by Sequence at 6:37 PM on August 22, 2015 [4 favorites]
If this does kill it off finally I won't be surprised; I'm already sad. I stopped using it a couple of years ago because of the slowness and incredible bloat it was acquiring due to all the features it seemed to "need" (and it kept corrupting my bookmarks).
We've got a few hundred million users and a vibrant, global developer and contributor community working with us, so we're not going anywhere anytime soon. If you haven't tried Firefox in the last year or two, though, you should fire it up. It's crazy fast now, there's a developer-tools edition that's excellent if that's what you need, it's really a good time.
We're not making these changes out of desperation, though definitely out of necessity. XUL is legacy technology that dates from a time that cross-platform anything was unheard-of and HTML wasn't up for the job. A lot's changed since then, and XUL is a millstone these days, a barrier to participation and development speed that we just don't need.
Likewise, the original addons model that XUL enabled - where you can change literally anything, whatever you want, with no restrictions omg whoa - was a product of a much more permissive, free-as-in-freedom-to-do-whatever-you-like model that was culturally as much a product of its time as XUL, and also hasn't stood up as well. The internet's a way bigger town than it was back in the frontier days and it's got some pretty scummy neighborhoods in it with some pretty scummy people doing scummy-people things.
Our users end up in those places. That's fine, it's a big city and there's something there for everyone, but a distressing number of our users wind up making some unwise choices and/or installing some dodgy third-party software that a guy on the corner said would be perfectly safe and legal and also a good time, and wake up with a headache and no wallet and some addons that don't _quite_ do what that guy on the corner said they would. And when they try to figure out why their computer is suddenly so slow, process monitor isn't going to tell them it's because that download-accelerator that ad on the torrent site said to install is mining bitcoins on the side, it's going to say "Firefox, 99% CPU".
So it was a long, difficult discussion and a tough set of tradeoffs to make, but it came down to a decision that the freedom of our users _to_ do anything they want with Firefox is outweighed by their right to be free _from_ the harassment, surveillance and other malfeasance of the modern Internet's many bad actors. Or to put it more plainly, bad people were using that part of our product to hurt a lot of our users and that had to stop.
On a personal note, the last few months have been pretty amazing; we're focusing way better on user experience, shipping better and more interesting products faster, there's just a ton of interesting, important stuff happening everywhere.
(As you may have guessed, I work there. Hi, internet. It's getting late here, so I don't want to say Ask Me Anything, but I don't mind if you ask me a few things?)
posted by mhoye at 6:42 PM on August 22, 2015 [185 favorites]
I was thinking about switching to Chrome, but made the discovery that Chrome is at least as bloated as Firefox is now. Microsoft Edge seemed okay at first, but then turned out not to be any better -- I've seen single Edge tabs ring up over 300MB of RAM. So, Firefox is still my primary browser.
posted by JHarris at 6:44 PM on August 22, 2015
And thanks for chiming in mhoye! I might ask a few things, but can't think of anything at the moment.
posted by JHarris at 6:46 PM on August 22, 2015
mhoye, do you have any stats or at least a general impression of the share of all add-ons that are still actively maintained? My gut feeling is that there are a lot of abandoned niche add-ons that continue to function out of sheer luck (I use several of them!), and that even if they can be rewritten with the same functionality in the new model, it doesn't mean they will.
posted by Rhaomi at 6:49 PM on August 22, 2015 [2 favorites]
My Firefox kept eating up between 700 and 900 MB of RAM, and my internet was running slower than it should have been, so I switched to Chrome like a week ago, and it's been much better. Firefox was great before it kept upgrading and changing features and being really annoying, and obviously before it started slowing down.
posted by Slinga at 6:52 PM on August 22, 2015 [1 favorite]
These people are supposedly working on a secure, de-Googlefied fork on Chrome/Chromium with privacy as a priority. Mind you, they haven't yet got any code to show for it, so I have no idea whether that is actually a real project or just a trial balloon of some sort.
posted by acb at 6:55 PM on August 22, 2015 [1 favorite]
I'm gonna chime in to say that I've been back on Firefox pretty much full time for, I dunno, a year or two now, and I think it's in pretty good shape as a browser these days. The mobile version has even gotten usable-enough to be my default, which I discovered after mobile Chrome started hiding all but the domain portion of URLs and I ragequit.
Shorter: I dispute the shit-talking.
posted by brennen at 6:56 PM on August 22, 2015 [14 favorites]
oh hey, you left out the recent news that Firefox will soon require that every browser add-on is signed by Mozilla (i.e., distributed through addons.mozilla.org). also btw, the wait for "review" stretches past several months and if you happen to have written an ad blocker, you might just get accidentally forgotten in the review queue.
posted by indubitable at 6:58 PM on August 22, 2015 [7 favorites]
The proposals I hear coming from the Mozilla leads all seem to take it away from what I want it to be, which is a highly hackable and open internet tool. It's open source, yes? It'll be interesting to see how hard it's going to be to fork it.
I'll put down a $20 saying that once XUL is gone, addons are certified and E10S rolls out, you'll find Firefox way better in every respect for all your hacking needs, not less.
But if you want to fork it, go crazy; apart from the people you can pretty much fork the entire organization, if you're so inclined. The code is all there either in Mercurial or on GitHub, Bugzilla is open-source and the last time I looked most (maybe all now?) of our build infrastructure was in a public repository and dockerized. I think the only licensing restriction you'd face there is that you can't call whatever you end up building "Mozilla" or "Firefox" without Mozilla signing off on it. (That's where "iceweasel" comes from, incidentally.)
posted by mhoye at 6:59 PM on August 22, 2015 [16 favorites]
I've been using Firefox exclusively for many years. I, too, would hate to see it die. I've tried Chrome and just can't feel any love (or like) for it. And Safari? Ugh.
I really liked the native video chat they added to FF awhile back.
Also...By what logic is the chart in the "Is your favorite add-on..." link arranged? It certainly isn't alphabetical. At least not on this planet.
posted by Thorzdad at 7:01 PM on August 22, 2015
I'd be much happier with a browser that didn't immediately establish two dozen open TCP connections with various cloud services at launch. Neither Chromium nor Firefox can manage to do this, though.
In my perfect web browsing world, the "intelligent" search tool and the actual tool for viewing web pages are different processes that have almost nothing to do with each other.
posted by phooky at 7:06 PM on August 22, 2015 [4 favorites]
mhoye, do you have any stats or at least a general impression of the share of all add-ons that are still actively maintained? My gut feeling is that there are a lot of abandoned niche add-ons that continue to function out of sheer luck (I use several of them!), and that even if they can be rewritten with the same functionality in the new model, it doesn't mean they will.
I don't, but I can ask around and see what information I can find and share what I can. I'm very peripheral to the discussions that went into this decision, but I know that the long-tail problem you're describing was on their radar.
Incidentally, if you're an addon writer, please remember to pick a license for your software! We made an explicit choice not to impose or even suggest a default license during the addons submission process a long time ago, because licensing is such a complex question and we didn't want to impose on people's choices there, not even a little. But the downside of that is that it's really hard for people who want to keep your code alive to know what they can or can't do. Pick a license!
posted by mhoye at 7:08 PM on August 22, 2015 [2 favorites]
Some of the old-school Opera people are working on a browser called Vivaldi, so not all hope for good browsing is lost.
posted by Ray Walston, Luck Dragon at 7:09 PM on August 22, 2015 [7 favorites]
Psh, graphical web browser? Okay, grandma! If you aren't forking your own w3m-like in a Debian terminal you have no excuse being on the interne
posted by shakespeherian at 7:10 PM on August 22, 2015 [9 favorites]
For the demonstration of exceptional restraint in not including the "++ATH NO CARRIER" messages everyone types but that never actually got echoed back into the terminal, I award Shakespeherian five internet points.
posted by mhoye at 7:15 PM on August 22, 2015 [25 favorites]
I switched to Safari for a while but it kept having quirks that bothered me so I have been back to Firefox on my computer for a year or two and it has been working fine. I hope the changes are largely for the better.
posted by Dip Flash at 7:18 PM on August 22, 2015 [1 favorite]
My Firefox kept eating up between 700 and 900 MB of RAM, and my internet was running slower than it should have been, so I switched to Chrome like a week ago, and it's been much better.
I see this too, except then Chrome slows down and I switch back to Firefox, which is fast for a while, then slows down, so I switch back to Chrome, etc. I don't know what the deal is. Deleting the cache doesn't fix things. It's like the browsers just get tired after a while.
posted by dirigibleman at 7:19 PM on August 22, 2015 [5 favorites]
I've been a Firefox dead-ender while all my friends and coworkers have switched to Chrome precisely because of the extension ecosystem. For each extension I use, there's probably a Chrome addon or two that purports to do the same thing, but they always seem to be missing some key feature. Often times, this will be because the Chrome APIs simply don't provide the required hooks to enable these features, and good luck getting Google to care enough about the esoteric thing you need in your add-on.
Firefox, on the other hand, always seems to have the right hooks that devs need, and if it doesn't, the devs have over the years managed to get those hooks added. Maybe Chrome will get better in the future, or maybe it has in the 6 months or so since I tried to find the Add-ons I needed, but at this point, you can pry Firefox from my cold, dead hands. I've pretty much submitted to Google for everything else -- Android, G+, Drive, etc. -- but I just can't let go of the browser yet.
posted by tonycpsu at 7:24 PM on August 22, 2015 [9 favorites]
I liked Firefox a lot, but between eating memory and doing shitty stuff about "save your bookmarks etc to the cloud hahaha your email alone isn't enough to get back into it, sorry we're wiping it all", I switched to Chrome, and I dislike it less. I occasionally use Firefox to log in to multiple accounts at the same time, but I don't intend to switch over until Chrome (inevitably) does something to ruin the experience. (There were a number of things Firefox did differently, but they slowly copied Chrome's UI. I do miss "warn before closing multiple tabs".)
posted by jeather at 7:25 PM on August 22, 2015 [2 favorites]
My impression of Firefox is that it's been getting consistently better and faster over the last couple of years – less memory, faster startup time, etc. Chrome has consistently been on the opposite trajectory, with noticeable increases in startup time, memory usage, time-to-new-tab, etc. as they pile in dubious new features. I switched to Chrome around the time it came out and switched back to Firefox a couple of years ago; I still use Chrome a bit but it's noticeably less snappy.
That said, in both cases if you think your browser is slow or memory-hungry, check your extensions after you finish uninstalling Flash. Ad Block Plus is notoriously bad: 9 times out of 10, when someone says Firefox is slow they're talking about ABP.
posted by adamsc at 7:27 PM on August 22, 2015 [13 favorites]
as they pile in dubious new features
What exactly are these new features? I've also noticed it's not as fast lately, but I have no idea what it is they're larding it up with.
posted by tonycpsu at 7:32 PM on August 22, 2015
I like Firefox overall, but I dropped it, because it stopped properly running the gravitar services that the webcomics I like use. And since reading and commenting on webcomics is one of the major pastimes on the internet, well, Chrome works.
In fact, I think that's the main reason why Firefox has fallen behind. Chrome works.
posted by happyroach at 7:32 PM on August 22, 2015
oh hey, you left out the recent news that Firefox will soon require that every browser add-on is signed by Mozilla (i.e., distributed through addons.mozilla.org). also btw, the wait for "review" stretches past several months and if you happen to have written an ad blocker, you might just get accidentally forgotten in the review queue.
That's partially true but https://wiki.mozilla.org/Addons/Extension_Signing shows the scarier claims are not: the review process is automatic, you're not required to distribute through addons.mozilla.org, and there's nothing in the guidelines to support the conspiracy theory about ad blockers.
Given the degree to which add-ons have been used to ship malware, that seems like a necessary balance to me: the default needs to be safe for the average user and that includes not giving them a setting which will routinely be social-engineered.
posted by adamsc at 7:40 PM on August 22, 2015 [7 favorites]
CAN I STILL USE ZOTERO?!?!?
posted by MisantropicPainforest at 7:42 PM on August 22, 2015 [9 favorites]
Firefox on Android isn't great, but it's the only Android browser that supports adblocking.
posted by straight at 7:42 PM on August 22, 2015 [8 favorites]
The addition of Pocket was just plain evil. Probably a money deal, without any transparency/disclosure. Grmbl.
posted by slater at 7:43 PM on August 22, 2015 [1 favorite]
Whenever a point comes up in software design where a decision has to be made, most people's impulse is to say "make a checkbox in the settings" without realizing that every checkbox you add doubles the amount of testing that you have to do. If the required testing exceeds your capacity, you'll be releasing a buggy, crashy product.
It's the same situation when defining a plugin API. The path of least resistance is to just expose the same interface that your internals use to plugins. You don't realize at the time that you're locking in your current API forever. Any changes will have to preserve the old API or break compatibility, which will seriously hobble your architecture choices in the future.
I have a lot of respect for Mozilla for taking this action. It takes a lot of guts, but it seems like the internet outrage machine is shifting into high gear, so they'll probably be forced to backpedal. I think that there's no question that this will be the worse outcome for Firefox in the long run. End users don't make the connection that there's a relationship between a browser that crashes and a browser that has a lot of options. And that there's a relationship between a browser that leaks memory and a browser that has a completely unrestricted plugin API.
posted by zixyer at 7:47 PM on August 22, 2015 [11 favorites]
as they pile in dubious new features
What exactly are these new features? I've also noticed it's not as fast lately, but I have no idea what it is they're larding it up with.
One which I had in mind was the revised “new tab” page which larded up the start page with a bunch of attempts to provide a tailored experience. Worthy goals perhaps but it added a second or two to the new tab creation time on an otherwise idle machine with an SSD. They've been slowly improving that but it's still not where it was before last October.
The more general trend was the sort of faux-OS features like in-app profiles or building a non-standard desktop notification rather than using the native OS interface. Those aren't necessarily bad but they're things which don't seem valuable relative to investing in general performance or mainstream UI.
posted by adamsc at 7:49 PM on August 22, 2015 [3 favorites]
If your Firefox is taking up too much memory, open a tab and put "about:memory" in the address bar and find out why, or just flush the memory altogether.
posted by Leviathant at 7:50 PM on August 22, 2015 [20 favorites]
I see this too, except then Chrome slows down and I switch back to Firefox, which is fast for a while, then slows down, so I switch back to Chrome, etc. I don't know what the deal is.
So, this is not to make excuses, but what is happening to you there is the internet. Chrome, Safari, Firefox, Edge, we all have the same fundamental problem, and that is that the internet is huge and people seem to want all of it, and want it all to be fast and safe.
When you click a link, what are you really asking of your web browser?
Take arbitrary input. Literally any sequence of bytes that anyone has dumped into a file and smothered in angle brackets, full of executable code that could be or try to do just about anything. And if it says it's a webpage, show it to me, and if it says it's a script, run it.
Every time you click anything in a browser you are saying "yes, computer, I want you to take whatever pile of ambiguously-specced, incorrectly-implemented hamburger you find at the end of that link and render it for me to pixel accuracy. All of that unverified code you've just pulled in from those ten or fifteen or thirty or 90 other hosts that could be anywhere and could arrive in any condition? Right, yes, run that. And do it safely, so I can put my kids' pictures or my credit card number into whatever I end up looking at."
"And be quick about it, I don't have all day here."
For real, letting thousands of random strangers run arbitrary programs on your machine is insane and you should never do that because it's insane, but that's basically what everyone who browses the web does every day, whatever browser they're using, and a big chunk of the modern economy and our ability to talk to each other at all depends on that working fast and safely and well. And miraculously, it seems for the most part that it does.
You're using a lot of CPU and memory because what you're asking for is a lot.
When you click the back button and the page you're coming back to snaps back immediately, with all the forms filled out or other changes you made to it right there in perfect condition without making a single round trip across the network, some of that 900MB of RAM is where they're coming from. And when your CPU maxes out because a compiler is trying to make 200,000 lines of javascript to do whatever it does before you can lift your finger off the mouse, that's because that's what you've asked it for.
And it's worth it, because you're worth it. Your CPU and RAM is way, way cheaper than your time.
posted by mhoye at 7:57 PM on August 22, 2015 [85 favorites]
Aaaghhh! I sure hope the folks at Vimperator/Pentadactyl find a way to continue their excellent addons (modal browsing / vi keybindings / powerful command-line ) within this new framework. From a glance at their respective bug trackers it sounds like there are some major hurdles. Time to dust off vimprobable/vimb/qutebrowser just in case. I refuse to use the mouse unless absolutely necessary.
posted by Lorin at 8:00 PM on August 22, 2015 [7 favorites]
adamsc: "That's partially true but https://wiki.mozilla.org/Addons/Extension_Signing shows the scarier claims are not: the review process is automatic, you're not required to distribute through addons.mozilla.org"
Except if you're using a basically abandoned extension that is not going to be submitted for review, in which case it will, in the near future, be involuntarily deactivated, without any user ability to override. I get the security concerns, and I'd be fine with a warning, and a setting buried in user:config to get around it. That's exactly what is happening in the latest beta, and seems like a reasonable compromise - only advanced users would be mucking around in there. But FF is going to take away any ability to choose risky behavior, and I think that blows.
Anyway, Pale Moon is recommended - actively developed and supports most extensions.
posted by Chrysostom at 8:03 PM on August 22, 2015 [3 favorites]
If your Firefox is taking up too much memory, open a tab and put "about:memory" in the address bar and find out why, or just flush the memory altogether.
Thanks for that. I had no idea it existed.
posted by brennen at 8:03 PM on August 22, 2015 [8 favorites]
Version 33.0.3, and all updates are turned off.
I can't stress enough how dangerous this is. There are a number of security vulnerabilities in your browser (e.g. this one, this one, this one, among others). Some of these have been actively exploited (the first one basically means that if you open a specially crafted PDF file, an attacker can read or write any file on your computer, yikes!).
Browsers take in huge amounts of untrusted data from all over the internet. The internet being what it is, some proportion of that data will want to do you harm. I don't care what browser you choose to use, but please keep it up to date.
posted by zachlipton at 8:04 PM on August 22, 2015 [31 favorites]
I stopped using Firefox when it stopped respecting my about:config settings. The Firefox browser needs to be dragged out into the street and shot.
All I really want is a pre-panic Firefox browser, maintained to keep up with the latest display standards. Stop fucking with the interface, stop fucking with the plugin paradigm, stop turning it into bloatware.
Give me Firefox 11 with only standards support and security updates.
posted by chimaera at 8:05 PM on August 22, 2015 [4 favorites]
On the one hand, the Pocket integration was a terrible choice from a philosophical standpoint that I hated. On the other hand, it made me fall in love with Pocket.
posted by Going To Maine at 8:07 PM on August 22, 2015 [1 favorite]
I had the same reaction to the addition of Pocket to Kobo. The last thing I need is social media poisoning my reading device. Oh wait, this is awesome. By the time it was added to Firefox I don't think I even noticed.
posted by Lorin at 8:10 PM on August 22, 2015
I remember the other big reason I dropped Firefox like a horribly smelly thing: One of the big updates completely wrecked my profile and I lost all of my bookmarks. A couple days later, they posted somewhere on the Mozilla website that basically said "lol that can happen, here's how to fix that." That did me a lot of good when I had already ragequit and uninstalled TWO DAYS EARLIER.
posted by chimaera at 8:13 PM on August 22, 2015 [1 favorite]
I can't stress enough how dangerous this is.
Oh man, I overlooked that. Yeah, please don't do that.
I'm sorry current Firefox isn't meeting your needs but please don't keep relying on a months- or years-old version. I'd honestly rather you switched to any other browser if it means you can stay current for security updates than stick with an outdated, known-vulnerable version of our product.
posted by mhoye at 8:15 PM on August 22, 2015 [18 favorites]
I do think it lost its sense of why it existed in the first place. Of course come to think of it much of the Web has as well.
Yeah! Bring back the ARPANET!
Seriously, I don't understand this sentiment on a general basis. The web exists to be the web people want, and many people want to buy things and have a good time. Besides, if you're using the English-speaking internet you're already in the minority, so…
posted by Going To Maine at 8:18 PM on August 22, 2015 [2 favorites]
Opera already became another Chrome clone, and Firefox is moving in the same direction. Safari is Mac-only. And of those four major browsers, only Firefox allows add-ons to radically change the UI, which is necessary for two of my favorite extensions, Tree Style Tab (for tabs on the left side) and All-in-One Sidebar (for bookmarks, history, extensions, page info, console, etc on the right). Other extensions let me fit a lot of functionality into two top toolbars, which includes combining the menu bar and title bar.
Vivaldi is an in-development browser that actually includes all of those features I like. However, it's far from complete, and will eventually include more than I really need, like an email client. (Zawinski's Law: "Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can.") It's also not open-source, and after seeing how Windows 10 sends what you type in the Start menu to bing.com even with all those features "disabled", I don't want to just trust that the developers aren't leaking my data anywhere.
So yesterday I decided to make my own browser. How hard can it be, right? Fifth and NetRider are both single-developer browsers made with the FLTK toolkit, and Fifth even has some pretty distinctive features for privacy and security (a lot of which basically involves disabling modern web features; e.g. don't bother playing media in the browser with plugins or HTML 5, just open the file in your preferred program). But FLTK is a lightweight toolkit that doesn't include a web rendering engine, and both of those devs had to integrate WebKit with it themselves.
Thus I'm using Qt, which not only comes with WebKit, but should work cross-platform without looking non-native. Of course, this means learning a new toolkit, and fiddling with all its interacting components until I can get things working the way I want. So who knows if this will ever get beyond a learning experience. I may just play with the code for a while and ultimately go with Vivaldi. Still, if this becomes a usable product, I'll release its source and see if anyone else likes my idiosyncratic UI and feature set.
posted by Rangi at 8:31 PM on August 22, 2015 [10 favorites]
Ad Block Plus is notoriously bad: 9 times out of 10, when someone says Firefox is slow they're talking about ABP.
And yet, Ad Block Plus has slowly become an essential part of web browsing. It's one big reason I couldn't get into MS Edge -- it has no extensions yet, and thus no ad blocking, and so YouTube became unusable as well as many other sites.
mhoye: You're using a lot of CPU and memory because what you're asking for is a lot.
When you click the back button and the page you're coming back to snaps back immediately, with all the forms filled out or other changes you made to it right there in perfect condition without making a single round trip across the network, some of that 900MB of RAM is where they're coming from. And when your CPU maxes out because a compiler is trying to make 200,000 lines of javascript to do whatever it does before you can lift your finger off the mouse, that's because that's what you've asked it for.
And it's worth it, because you're worth it. Your CPU and RAM is way, way cheaper than your time.
But hold on there, I don't quite buy this. "CPU and RAM" isn't always easily upgradable, and not everyone can afford to buy new systems frequently. Some of these features that take a huge amount of memory should be disable-able. I want to get back to where Firefox takes less than a gigabyte of RAM. Nothing else on my system takes that much. At the very least make a Firefox-for-Firefox, that strips out the most memory-hungry features, and let us poor users with "only" 4 GB of RAM and extremely limited incomes play on the internet too.
Not that I'm completely unsympathetic to the problem. I am completely in favor of the code cleanup you guys are working on. And web pages have gotten more and more bloated over time, mostly because web coders have allowed themselves to not care as much about the requirements their pages individually consume, because hey the browser is going to take the crap for bad performance, so go ahead and write a web page that consumes over 100MB of RAM! (I have seen both Gmail and Asana [a work messaging solution] consume that much. On Edge, I've seen individual page processes consume 300MB.)
I think the web browser that makes it a point to point out, in the tabs, by default, which web pages are the worst browser citizens, will be doing the Internet, and themselves, a huge favor. Shade tabs orange or red if they exceed 50 or 100 MB. Do it! I, at least, will thank you.
posted by JHarris at 8:33 PM on August 22, 2015 [25 favorites]
Ad Block Plus is notoriously bad: 9 times out of 10, when someone says Firefox is slow they're talking about ABP.
And yet, Ad Block Plus has slowly become an essential part of web browsing. It's one big reason I couldn't get into MS Edge -- it has no extensions yet, and thus no ad blocking, and so YouTube became unusable as well as many other sites.
µBlock and uBlock Origin are markedly more memory & CPU efficient than Adblock Plus. (One comparison.) Less well known, which is too bad, but still better.
posted by Going To Maine at 8:45 PM on August 22, 2015 [58 favorites]
Less well known, which is too bad, but still better.
If learning about 'something better' is all I get from this thread, it's enough...
posted by oneswellfoop at 8:51 PM on August 22, 2015 [3 favorites]
> The first one basically means that if you open a specially crafted PDF file, an attacker can read or write any file on your computer, yikes!).
Well, I deactivated the in-browser PDF reader the first chance I got, so I've got that going for me.
And I do understand the point about keeping automatic updates on -- it's the advice I give most people. But FireFox includes functionality changes in with security updates. (I understand that that makes sense -- it's an amazing and amazingly complex piece of software, it'd make no sense to add the complexity of supporting more than a single release line, or packaging updates individually.) So when I updated FF and all of a sudden the Esc no longer stopped all the animations on a page, and I had to spend half an hour tracking down how to get that back, I said "to hell with it". (This happened along with a major UI redesign. I spent a good half a day getting FF back to where it could work as efficiently as it had before.) I know some really talented people put a lot of work into that PDF reader, but for me there's much more value in being able to quiet down a web page.
I honestly don't expect Mozilla to support my way of interacting with the internet; I'm sure I represent a rounding error's worth of the potential user base. I'm just going to sit here and complain about it on this text-centric Web 1.0-style forum.
posted by benito.strauss at 8:57 PM on August 22, 2015 [7 favorites]
but it came down to a decision that the freedom of our users _to_ do anything they want with Firefox is outweighed by their right to be free _from_ the harassment,
I get this, but while we may debate their methods and the purity of their motives, everybody else is making the same decision. And some days I need a tool that will give me enough rope to hang myself with in order to get a job done, maintain a vital workflow, etc. If I could safely hang back on the last release that let me fiddle with the clipboard from JavaScript (to name one dangerous but very useful thing that Firefox no longer lets me do - I still haven't fully recovered from the loss), then I would do that. But since I have to upgrade to get general security fixes, the loss of these dangerous but powerful tools gives me the creeping dread.
posted by wotsac at 8:58 PM on August 22, 2015 [3 favorites]
But hold on there, I don't quite buy this. "CPU and RAM" isn't always easily upgradable, and not everyone can afford to buy new systems frequently. Some of these features that take a huge amount of memory should be disable-able
Yeah, I didn't mean for that to come across as "hey just get more computer" - I mean, if you can you should get more computer, more computer is pretty great! - just that whatever RAM and processor you have, if you're not using it for other things Firefox will definitely borrow that for a few moments, thanks.
That said, even if we don't talk about upgradeability what I made there is a very desktop-centric argument. While it's not in my wheelhouse so I can't really speak to it, from what I understand the decision-making process around performance, battery life and user intent is pretty complicated.
At the very least make a Firefox-for-Firefox, that strips out the most memory-hungry features, and let us poor users with "only" 4 GB of RAM and extremely limited incomes play on the internet too.
Firefox-current still supports WinXP and runs on 2GB of RAM, for what it's worth, and Firefox for Android will run pretty well on Android devices with worse processors and less memory than that. So we're doing a better job of supporting Windows users on XP than Microsoft, and a better job of supporting older-Android users than Google, which is kind of amazing.
posted by mhoye at 9:01 PM on August 22, 2015 [9 favorites]
When I tried switching from AdBlock Plus to uBlock Origin, Firefox started crashing every few days. I doubt it was directly uBlock's fault (probably due to interaction between multiple extensions), but I haven't had any problems since I switched back. I'm using all of the default filter lists (EasyList, EasyPrivacy, Fanboy's Social Blocking, Malware Domains), and according to about:addons-memory, it's still just using 25 MB. I have plenty of memory anyway, so CPU usage is my main concern, and neither AdBlock nor uBlock was noticeably faster for me. YMMV, of course, so if uBlock works for you that's just great.
What I'd really like is something like RequestPolicy built into the browser, so you can say "allow trustedsite.com to connect to anything, don't allow newspaper.com to connect to facebook.com, never connect to ads.com". Also make it easy to apply user styles and user scripts to any domain or URL pattern; I have a white-on-black style which I can toggle for all sites that makes them easier to read at night. Oh, and a free pony with every download.
posted by Rangi at 9:01 PM on August 22, 2015 [7 favorites]
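The per-site request policy Rangi describes, sketched as an added example (not part of the thread, and not RequestPolicy's own code). The rule format, the function names, and the precedence order are assumptions made for illustration.

```javascript
// Added example: a RequestPolicy-style cross-site request filter.
// The rule format and all names are hypothetical, not RequestPolicy's own.

// Constructed policy mirroring the three rules quoted in the comment.
const policy = {
  blockedEverywhere: ["ads.com"],                    // "never connect to ads.com"
  trustedOrigins: ["trustedsite.com"],               // "connect to anything"
  deniedPairs: [["newspaper.com", "facebook.com"]],  // origin -> destination
};

// Normalise a URL to a lowercase hostname without a trailing root dot,
// so "ADS.com." and "ads.com" are treated as the same host.
function hostOf(url) {
  return new URL(url).hostname.toLowerCase().replace(/\.$/, "");
}

// True when host is the domain itself or one of its subdomains. Matching on
// a label boundary keeps "notads.com" from matching a rule for "ads.com".
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Naive "site" key: the last two labels. Assumption for brevity; a real
// implementation would consult the Public Suffix List (e.g. for co.uk).
function siteOf(host) {
  return host.split(".").slice(-2).join(".");
}

// Decide whether a page may make a request. Precedence (an assumption):
// global block > per-origin deny > trusted origin > same site > default deny.
function decide(pageUrl, requestUrl, p = policy) {
  const origin = hostOf(pageUrl);
  const dest = hostOf(requestUrl);

  if (p.blockedEverywhere.some((d) => hostMatches(dest, d))) {
    return { allow: false, reason: "destination blocked everywhere" };
  }
  const denied = p.deniedPairs.some(
    ([o, d]) => hostMatches(origin, o) && hostMatches(dest, d)
  );
  if (denied) {
    return { allow: false, reason: "origin may not reach destination" };
  }
  if (p.trustedOrigins.some((o) => hostMatches(origin, o))) {
    return { allow: true, reason: "trusted origin" };
  }
  if (siteOf(origin) === siteOf(dest)) {
    return { allow: true, reason: "same site" };
  }
  return { allow: false, reason: "cross-site default deny" };
}

// Constructed sample requests: [page, request].
const samples = [
  ["https://trustedsite.com/", "https://cdn.example.net/lib.js"],
  ["https://trustedsite.com/", "https://track.ads.com/pixel.gif"],
  ["https://www.newspaper.com/story", "https://connect.facebook.com/sdk.js"],
  ["https://www.newspaper.com/story", "https://static.newspaper.com/site.css"],
  ["https://www.newspaper.com/story", "https://notads.com/widget.js"],
];
for (const [page, req] of samples) {
  const { allow, reason } = decide(page, req);
  console.log(`${allow ? "ALLOW" : "BLOCK"} ${hostOf(page)} -> ${hostOf(req)} (${reason})`);
}
```

Putting the global block first means even a trusted origin cannot reach ads.com, which is how "never" is read here.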
This is kinda funny. I quit using Firefox a couple of years ago because it had become bloated and slow and Chrome was just so damn quick in comparison. Nevertheless, Firefox has remained installed on my computer, dutifully updating itself every time a new version is released despite my only opening it a couple of times a year when I want to use its dev tools.
A couple of months back I was finding Chrome to be bloated and slow and happened to load Firefox to do something or other and was shocked at how quick it was. Inertia has kept me mostly using Chrome, but in the last few weeks I've been using Firefox more and more. I hope to $DIETY that going multiprocess doesn't make it go back to a damn crawl.
posted by wierdo at 9:06 PM on August 22, 2015
I think the web browser that makes it a point to point out, in the tabs, by default, which web pages are the worst browser citizens, will be doing the Internet, and themselves, a huge favor. Shade tabs orange or red if they exceed 50 or 100 MB. Do it! I, at least, will thank you.
You've seen about:memory mentioned above, but E10S is bringing about:performance along with it. Might be what you're looking for!
Funny story, but in a fit of annoyance a few weeks ago as I was trying to figure out what "about" pages we have around I typed in "about:about", and... there they were.
posted by mhoye at 9:08 PM on August 22, 2015 [16 favorites]
I've been using uBlock with default-deny rules lately. 3p-frames and 3p-scripts seem to be a good balance between security and breaking most pages.
I fear vivaldi will go the way of a lot of earlier webkit browsers that are not Safari or Chrome.
posted by CBrachyrhynchos at 9:12 PM on August 22, 2015
And I do understand the point about keeping automatic updates on -- it's the advice I give most people.
I'm not sure you do. Disabling the PDF viewer means you're probably not vulnerable to one particularly bad vulnerability, but there are dozens more you're exposed to, many of them serious and in features you can't turn off so easily. And there will inevitably be another serious one soon enough. It's not safe to run a browser (or really, any piece of software that deals with untrusted data from the internet) without regular updates from a responsible vendor.
Keep in mind that, if your machine is compromised, it's not just a bummer for you; it will likely be used to send spam and phishing emails, attack other computers, and spread malware. Whatever browser you want to use, please keep it up to date.
posted by zachlipton at 9:14 PM on August 22, 2015 [7 favorites]
I've been using uBlock for quite a while now and vastly prefer it. It just feels so less bloated.
That said - I hated the change to Chrome style tabs, but got used to it, and now actually prefer it (from a usability standpoint of "fling to top of screen and click tab").
I don't mind needing a change in the plugin mechanism, but I *reallllllllly* fucking hope they let us power users have *some* freedom to choose certain installations. The LJ client I use (Deepest Sender) hasn't been updated for ages. I hopped onto the beta program and got 40. whatever and suddenly it stopped working, wouldn't allow any shit to run (privacy badger, either, and that's from the EFF FFS!) I twiddled into about:config and found a setting that let me run them, but if I can't?
I understand the need to protect joe and jane doe from themselves. The more I work with computers, the more I see even people who have been online for a long time who STILL do things so poorly and badly (why the FUCK are you just clicking random links from strange people? How the FUCK are you constantly getting viruses/malware? You should know better by now!) Yes - we do need to make sure we can have a secure infrastructure.
I recall, I think it was Scott Hanselman, talking about an addon he was using (I think it was for Chrome, though), and how it seemed to do what it claimed then one day, he noticed he kept getting ads and all sorts of sketchy shit, and he tracked it down to an automatic update of this addon. Here's his post on that...
Like Livejournal, Firefox is one thing you're going to have to work really hard to pry from my cold dead hands. I understand that mistakes can and will be made, and I won't be happy with all decisions taken, ever... But there are certain principles and ways of doing things that I love and want, and neither Facebook or Twitter or Chrome or Opera or even Vivaldi (really not impressed with that when I tried it, really) can match my needs.
I don't mind if people don't like it, but please don't say it should be taken out and shot. Some of us still love FF and want it to stick around for a good long while (so long as it doesn't break itself too much in the process). Maybe it's just that the point it got broken for you is earlier than what I would consider broken. But I still wouldn't begrudge anyone else the right to use it for themselves. Which is what "take it out and shoot it" sounds like and it's kinda shitting on a lot of people's really hard work at trying to make an open source browser from a foundation whose goal isn't to make mad amounts of cash. That alone is worth a lot, IMO.
posted by symbioid at 9:16 PM on August 22, 2015 [8 favorites]
Well, it's kind of past my bedtime here, so I'm going to call it a night. Thanks, everyone; memail me if you like.
Seriously though, keep your browser up to date, whatever you use. That's kind of a big deal.
posted by mhoye at 9:16 PM on August 22, 2015 [8 favorites]
As a naked install, Firefox's opening speeds, memory usage, etc is as good or better than all the major browsers. You can check this out yourself; people regularly test them (here's one from last year, for example). This isn't a ding on the other major browsers, either; they are all really close from day to day.
The plugins, the great strength - and weakness - of firefox, are what slow it down, but that can be worth it sometimes, no doubt.
I dunno, I love Firefox. I've been using it since it was Mozilla with my beloved Charles Lindbergh theme. I work with a lot of content management systems, so I always have several browsers on my computers, but Firefox is my first love.
I have recently started relying on it for my Android phone for tabbed browsing - after Google did away with tabs in Lollipop (soooooooooooo annoying). It does render some things a little funny - most notably, gmail is utter shite on Android Firefox but smooth as silk with Chrome. Annoying. But I suspect that's more on Google than Firefox.
posted by smoke at 9:18 PM on August 22, 2015 [5 favorites]
Me, I reckon Chrome is hot garbage -- it feels to me, every time I'm forced to use it to test sites I'm working on, like the Internet Explorer of 2015. I kind of hate it. It's a mystery to me why something that feels so rickety and janky (to me, at least) has proven so popular. It's hard to explain the very subjective 'feel' of things, but the feel of it (to me, again) is just... off. (It's like Quake 3 versus Unreal Tournament back in the day, but better not to go there, perhaps.)
Firefox, on the other hand, is just a rocksolid pleasure to use, faster and more responsive than Chrome by far on every PC I use it on, and with a small suite of extensions that I have run for years now, all I want from a browser (and, with Firebug and Notepad++, everything I want for a webdev toolset in my admittedly old school way).
I am strongly worried that some of my beloved must-have FF extensions, particularly Gmail Manager (the NG version, which along with the original fork, has been abandoned but still works fine with a few changes to the code) will disappear with this new direction Firefox is taking. If that is so, I may find myself becoming one of those crotchety old farts that refuses to update their software because getoffmylawn. I hope not, but so it might go.
This is kinda funny. I quit using Firefox a couple of years ago because it had become bloated and slow and Chrome was just so damn quick in comparison [...] A couple of months back I was finding Chrome to be bloated and slow and happened to load Firefox to do something or other and was shocked at how quick it was...
I see talk often about FF being slow -- even in this thread -- and so it must be true for those folks. Me, I just don't see it. Firefox, on everything from my souped-up gaming PC to my aging work laptop, loads up faster and renders pages quicker (and prettier, but again, that's one of those subjective things it's hard to quantify) than Chrome.
I think it was true for a while -- back maybe 3 or 4 years ago -- that FF was getting sluggish. These days, it's anything but, in my experience. Ah well, de gustibus etc.
posted by stavrosthewonderchicken at 9:18 PM on August 22, 2015 [7 favorites]
but I *reallllllllly* fucking hope they let us power users have *some* freedom to choose certain installations
My understanding is that with developer edition you'll still be able to install whatever unsigned things you want.
posted by Pyry at 9:21 PM on August 22, 2015 [2 favorites]
I use Firefox mainly because of Pipelight, which is basically the only way to watch Netflix/Hulu/Amazon Prime on Linux anymore -- since Chrome's switch to PPAPI, it's incompatible with Pipelight (and from what the devs said it would basically be impossible to make a Chrome version). I'm guessing that this would also break that?
posted by en forme de poire at 9:28 PM on August 22, 2015 [1 favorite]
I'm stuck with Firefox as every other browser (at least on the Mac) cannot or will not allow you to fully theme the UI dark - Chrome comes the closest, but you cannot change the colours of the Address Bar, which (as silly as it sounds) is a dealbreaker for me. Firefox + FT DeepDark is the only acceptable UI colourscheme.
posted by namewithoutwords at 9:32 PM on August 22, 2015 [3 favorites]
OK, I just checked and Firefox is using 4GB on my system. That's a lot! So I ran the garbage collection routines in about:memory. Down to 3.5GB. Hmm.
On the positive side, Firefox's automatic garbage-collection routines seem to be working pretty well, and manually activating them isn't especially useful. On the negative side ... that's a lot of memory.
posted by Joe in Australia at 9:33 PM on August 22, 2015 [1 favorite]
OK, I just checked and Firefox is using 4GB on my system. That's a lot! So I ran the garbage collection routines in about:memory. Down to 3.5GB. Hmm.
Free Memory Button is a nice little add-on that gives you push-button access to the garbage collectors.
posted by Going To Maine at 9:43 PM on August 22, 2015 [5 favorites]
Love me some Firefox sync.
posted by oceanjesse at 9:44 PM on August 22, 2015 [1 favorite]
If only there were some mechanism for people to collaboratively maintain a list of misbehaving FF extensions / themes / add-ons etc.
Oh well. A person can dream and all that.
posted by motty at 9:49 PM on August 22, 2015 [1 favorite]
OK, I just checked and Firefox is using 4GB on my system.
I just did the same, and I'm at 366Mb. So, extensions, I guess, maybe? Then again, I'm running 29 extensions, which seems non-trivial, so: shrug. Maybe they're all well-behaved.
(Also, and it's come up in another thread recently -- unless you are RAM limited, and the O/S is swapping out to a page file (ie one application using 4Gb on a machine that only has 4Gb of physical RAM), you *want* to be utilizing your system memory. 'Freeing' memory probably means you're just forcing the O/S to write to the page file, which means you're defeating the purpose, if the purpose is to speed things up.)
posted by stavrosthewonderchicken at 9:53 PM on August 22, 2015 [3 favorites]
On about:memory and about:performance, yes, that's well and good for me. But the point isn't to show it to users knowledgeable enough to know about about: pages. It's to show it to everyone. I am effectively saying to publicly shame the web pages that slow everyone's web browsers down the most.
posted by JHarris at 9:57 PM on August 22, 2015 [3 favorites]
The LJ client I use (Deepest Sender) hasn't been updated for ages. I hopped onto the beta program and got 40. whatever and suddenly it stopped working, wouldn't allow any shit to run (privacy badger, either, and that's from the EFF FFS!) I twiddled into about:config and found a setting that let me run them, but if I can't?
That sort of thing is always annoying on an individual level, but on a broader scale, do you understand why that can't be a primary concern? I've got games that don't run on my modern machine, either, and it's always a little sad to discover that, but I can't expect it to be Microsoft's job to keep them working with each new release of Windows. Whether it's this or something else, if nobody is ever going to come back and update Deepest Sender, how long do you expect Firefox to make sure it still works if the dev won't? Another year? Five years? Twenty years? How long does it stay their responsibility to maintain interoperability with code that's been abandoned?
I'd say, personally, that even though I actually use a lot of programs in that category on a regular basis, the time period that I expect that to be the responsibility of anybody other than the developer is very short. If Firefox doesn't give the devs enough time to reasonably update their projects, that's Mozilla's issue. If the extension developer is functionally gone, that's not Mozilla's responsibility.
posted by Sequence at 10:03 PM on August 22, 2015 [1 favorite]
I switched to Chrome about a week ago. I hadn't significantly changed Firefox extensions or anything for years, but the browser itself has gotten almost unusably slow. That, combined with continual Flash and Silverlight updates that wouldn't take right and that thing where Sync forgets your login and nags you with a laggy yellow bar every time you open a new window, brought me to the point where I was willing to consider Chrome, even though I didn't actually want to use a Google Web browser on top of all the other Google stuff I use.
It takes a lot of open tabs to slow down Chrome—now I know just how many!—but it can be done. But overall, I'm much happier with Chrome, and I've found extensions that replicate almost everything my old add-ons did in Firefox. The only thing killing Firefox is Firefox itself.
posted by limeonaire at 10:16 PM on August 22, 2015
P.S. Mozilla lost its way when it moved away from focusing on its two core lightweight products, Firefox and Thunderbird, in favor of deprecating Thunderbird and making bizarre core product moves that in the timeline above read like a series of Apple-style predictions about the future that function as ultimatums to the world. As others have alluded to above, every new release, even if it's ostensibly for security, now leads to the inevitable game of "OK, now where's my shit?" Removing the RSS button was just one of the bolder moves in that regard.
posted by limeonaire at 10:34 PM on August 22, 2015 [3 favorites]
I love Firefox so much more than Chrome, but the memory issues since its inception have not gone away for me, and it has made it unusable. However, I'm on a Mac, so I use the most evil browser, Safari, instead :(
posted by yueliang at 10:49 PM on August 22, 2015
Like a lot of people here, I keep using Firefox for one plugin I just can't live without. In my case, it's Save Image In Folder, which lets you right click on an image and easily choose a destination folder from a pre-set list. (As opposed to downloading all images to one folder and then sorting them out manually.)
Other folks are in the same situation as me, apparently: search results for the plugin are full of people asking if there are any similar plugins for other browsers: 1, 2.
posted by Ian A.T. at 11:07 PM on August 22, 2015 [2 favorites]
Without AdBlock Plus and Nuke Anything Enhanced, the web would be intolerable.
posted by carping demon at 12:01 AM on August 23, 2015 [3 favorites]
It's crazy fast now, there's a developer-tools edition that's excellent if that's what you need, it's really a good time.
Leaks memory like a sumbitch though.
posted by MartinWisse at 12:04 AM on August 23, 2015
It takes a lot of open tabs to slow down Chrome—now I know just how many!—but it can be done. But overall, I'm much happier with Chrome, and I've found extensions that replicate almost everything my old add-ons did in Firefox. The only thing killing Firefox is Firefox itself.
The Great Suspender can help with this. My impression is that there's no similar Firefox add-on that works as well, but I’d love to be wrong.
posted by Going To Maine at 12:07 AM on August 23, 2015 [2 favorites]
You're using a lot of CPU and memory because what you're asking for is a lot.
Not so much when I'm starting a new browser session under Android and bloody Firefox insists on loading all that user tailored crap in its new tab template first rather than letting me type in the URL I actually need.
posted by MartinWisse at 12:17 AM on August 23, 2015 [1 favorite]
But really, despite my griping, Firefox is still the browser that suits me the best: all others are worse and more obnoxious in their own ways. I do miss the old Opera though.
posted by MartinWisse at 12:24 AM on August 23, 2015
I can't speak for people with different experiences with it and Chrome. All I can say is, I've had reason lately to use Firefox, Chrome and Edge on Windows, and Firefox has been the best for general use. None of them are particularly great as it stands, though. The market is ripe for one browser to surge forward with great basic browsing.
posted by JHarris at 12:29 AM on August 23, 2015 [1 favorite]
Regarding AdBlock - I've stopped using it because of their paid whitelist and have started using uBlock Origin instead. Far less footprint, too.
posted by GallonOfAlan at 12:48 AM on August 23, 2015 [2 favorites]
I don't know if AdBlock's whitelist is paid, but I'm actually not opposed to non-intrusive advertising. Nearly everything up to and including non-animated banner ads I can put up with. But popups (both traditional and using floatover elements), interstitial pages, video, audio, and ANYTHING INVOLVING FLASH!!! are against my idea of a just universe.
posted by JHarris at 12:55 AM on August 23, 2015 [7 favorites]
Browsers should start notifying users about performance issues caused by addons and individual tabs. It wouldn't solve the performance issues but it would make users more conscious of the root causes of their performance issues rather than thinking that the browser itself is bloated. It might end up making the web much faster as a user will know that site X's fifty-eleven social media widgets and poorly optimized page requests are the reasons why the browser is so slow, and that's something they can discuss with the site owner.
Ok maybe the last part can become really obnoxious for site owners but it's ridiculous that in 2015 we have all these sites that can't even bother with basic speed optimization like using the browser cache better, minifying requests, optimizing images, enabling compression, using CDNs for common web libraries, etc.
posted by Foci for Analysis at 1:03 AM on August 23, 2015 [5 favorites]
I do think it lost its sense of why it existed in the first place. Of course come to think of it much of the Web has as well.
It existed because IE was bundled with Windows, and thus began Mozilla open source initiative. Or arguably, Firefox existed because a teenager and a Netscape engineer forked the Communicator Suite and removed the email, newsgroups, calendars, and address books Netscape was bundling at the time to sell to corporations. The underlying principle of the fork was that it would be faster and use less RAM without the bloat.
But Mozilla should focus not on why it used to exist, those conditions no longer hold true. The open source Webkit framework enables plenty of browsers on a variety of platforms. The thing Mozilla needs to focus on is its continued existence. I.e. how can Firefox afford to continue existing? What revenues support over a thousand employees at Mozilla?
Easily 90 percent of Mozilla's revenue comes from a single UI component: the search bar. Search engines pay for inclusion in the browser, and bid for prominent (default) placement. And those bids are dependent on a variety of factors, ranging from how easy it is to search, how difficult it is to switch search engines, how effectively search engines can convert searches to ad clicks, and how valuable that click stream is. So the magic formula that justifies their existence is:
Total user base * Default search bar rate * Advert click rate * CPM rate
As Rhaomi points out in the post, Chrome has steadily taken over FF's user base. It's somewhat ironic: the two main reasons people switch to Chrome are because it's faster, and because it integrates with all the calendars, Gmail, and contacts lists with Google. But the reality is that hardware is cheap now. Process per tab undoubtedly uses more RAM. But that's not the modern problem, when the cheapest laptop you can buy from Dell comes with 4GB. My problem is when one tab's shitty javascript freezes the entire browser. My problem is not having my bookmarks on my phone and my laptop. My problem is emphatically not 'How do I run a modern browser on a ten year old powerbook,' but if I did, I'd still be concerned about security.
But even the TenFourFox dev is correct: this change alone is not enough. Becoming identical to Chrome down to Blink compatible plugins won't bring users back. Mozilla can either cling to the die FOSS fans and extreme edge cases and slowly fade away, or it can start pushing features to users before Chrome does. This announcement is entirely about catching up to where Chrome is right now. Killing XUL allows process per tab, and the Rust based Servo layout engine into the mix, and adding WebExtensions gets you back many of the same things you're losing by killing XUL. It's probably necessary to do this to recover ground, but not sufficient.
I hope they have something better up their sleeve than constantly delaying LetsEncrypt.
posted by pwnguin at 1:20 AM on August 23, 2015 [5 favorites]
Process per tab undoubtedly uses more RAM. But that's not the modern problem, when the cheapest laptop you can buy from Dell comes with 4GB. My problem is when one tab's shitty javascript freezes the entire browser.
Well, I certainly do have problems when single tab memory usage balloons -- and actually, everyone does, when they start opening lots of tabs at once.
I regularly have over 20 tabs open, or even more. It's a consequence of the way I browse the web, which is hyper-parallel. It used to be that this was quite okay, but not anymore, despite having much better hardware now.
posted by JHarris at 1:28 AM on August 23, 2015 [4 favorites]
I use firefox on my desktop machine as the primary browser because it works well, generally, and supports the extensions I want: ublock, umatrix (which I still think is pretty amazing), keefox, greasemonkey and "right to click".*
I don't use Chrome because I don't trust google, at all. There is no way in the world Chrome isn't phoning home everything it can. Google is absolutely made of the same cloth MS is.
* "Right to Click" allows you to take back control of the right-click on web pages; for example, I sometimes visit photography sites where the link to a gallery is an image...all I want to do is right click and open that gallery in a new tab, but instead the photography site gives you a sanctimonious "images copyright..." popup instead of the usual context menu. Fuck that noise.
posted by maxwelton at 1:29 AM on August 23, 2015 [5 favorites]
@JHarris
Adblock absolutely has a paid whitelist.
posted by GallonOfAlan at 1:46 AM on August 23, 2015 [2 favorites]
Like many, I've started using Firefox when it had features such as tabs (as opposed to taskbar stacking in WinXP + IE), but bloat made me abandon it in favor of Chrome. Then, sometime last year, Chrome for some reason stopped playing videos (tried everything, no good), and went back to FF.
Out of the box it was a lot better than I remembered, but I needed a few extensions to make the web more usable and the browsing experience closer to what I'd experienced in the previous years with Chrome. And that's where the problems began, and returned to Chrome after noticing it played videos again a few months later (changed nothing in between).
Chrome isn't more lightweight than Firefox, it does seem to have the same memory usage. The main difference is that I've never had Chrome hold the whole system hostage for minutes because Tumblr has dashboard endless scrolling (should have been called "bottomless pit of memory usage"), and after closing it in Chrome, memory goes right back to normal, while in Firefox I had to kill it using task manager twice a day (at least).
posted by lmfsilva at 2:12 AM on August 23, 2015
Well, let's go into more detail--
The exact text of the article says that 90% of the whitelist is not paid. It then says that of the remaining 10%, they would have been whitelisted anyway, but said to the companies that they would also have to pay to be whitelisted. That sounds like extortion. And, by introducing an additional factor to the question, it means that Eyeo also doesn't completely have its users' best interests at heart. It suggests that, if the company's ads were to suddenly not be acceptable, that Eyeo would likely continue letting them through rather than give up that cash.
posted by JHarris at 2:14 AM on August 23, 2015 [2 favorites]
Version 33.0.3, and all updates are turned off.
And a nice collection of security holes. I know all changes suck, but any software connected to Internet needs to be continuously updated.
posted by effbot at 3:41 AM on August 23, 2015 [3 favorites]
In my case, it's Save Image In Folder, which lets you right click on an image and easily choose a destination folder from a pre-set list.
That works out of the box in at least Chrome on Ubuntu and all browsers on Windows, via features provided by the operating system. Maybe it's not the browser that's the problem with your setup? :-)
posted by effbot at 3:49 AM on August 23, 2015
stavrosthewonderchicken: It's a mystery to me why something [Chrome] that feels so rickety and janky (to me, at least) has proven so popular.
For me and probably a fair number of others I've found that webpages almost always look fine and readable in Chrome, without adjustment. In Firefox I kept having to putz with zoom settings, until I found an extension that remembers zoom settings per site which is just okay as a solution, and even then there are still pages that don't look right. Safari, which I use at the moment (but I might switch back to Firefox) is the absolute worst about zooming; I don't know why its implementation is so bad.
posted by Peter J. Prufrock at 4:26 AM on August 23, 2015
Quite pleased with this news. Firefox is my default browser. Never crashes, renders every page, nice development browser as well. Thunderbird lately has been giving me some issues, have to reindex my email so that it shows the correct email I've selected rather than the last one I read.
posted by juiceCake at 5:02 AM on August 23, 2015 [1 favorite]
Browsers should start notifying users about performance issues caused by addons and individual tabs.
This is definitely an area for improvement but the task is complicated for extensions – Ad Block Plus might not look so bad because it only uses a modest amount of memory directly but it injects code into every page which increases the resource requirements for that page. If you look at the stats, the page will get the blame for ABP's bloat; this is a very hard problem to solve in general.
posted by adamsc at 6:02 AM on August 23, 2015 [3 favorites]
I ended up switching to Chrome because of the bookmark and password syncing that actually worked. Now I mostly use a Chromebook at home so I guess that I've locked myself inside Google's walled garden but ChromeOS just works so much better than any other OS.
posted by octothorpe at 6:03 AM on August 23, 2015 [1 favorite]
The next question: how does one block (or click-to-play) autoplaying HTML5 video on sites like Facebook in Chrome? I didn't ask them to download and play hundreds of megabytes of video assets every time I check what my frenemies are up to.
posted by acb at 6:12 AM on August 23, 2015 [1 favorite]
GallonOfAlan: "I've stopped using it because of their paid whitelist and have started using uBlock Origin instead. Far less footprint, too"
Anyone know of a replacement for ABP's blockable item list? I've moved to UBlock origin which is way less memory hogging and crashy but I really miss the blockable item list to the point that I'm considering installing both and enabling/disabling ABP as needed.
I use the blockable items list to download images that are somehow magically blocked on Photobucket/Flickr/others I can't think of now.
*The paid whitelist doesn't bother me because I always turn the whitelist off anyways.
posted by Mitheral at 6:35 AM on August 23, 2015
(Re: the turning off updates conversation... According to a recent google survey, security professionals say that keeping your software up-to-date is the most important online safety practice.)
I have used Firefox for years now and I really hope they get this right. Having a viable (better!) alternative to Google and Microsoft is so important not just to me but the internet.
posted by callmejay at 6:38 AM on August 23, 2015 [5 favorites]
Anyone know of a replacement for ABP's blockable item list?
Won't the resource view on the programmer tools do the trick?
posted by lmfsilva at 6:55 AM on August 23, 2015
(and if you meant on FF, there's one similar on developer/inspector, then network. reload the page, click "images" on the bottom and it will list all images the browser loads)
posted by lmfsilva at 7:00 AM on August 23, 2015 [1 favorite]
Sequence: "The LJ client I use (Deepest Sender) hasn't been updated for ages. I hopped onto the beta program and got 40. whatever and suddenly it stopped working, wouldn't allow any shit to run (privacy badger, either, and that's from the EFF FFS!) I twiddled into about:config and found a setting that let me run them, but if I can't?
I've got games that don't run on my modern machine, either, and it's always a little sad to discover that, but I can't expect it to be Microsoft's job to keep them working with each new release of Windows. Whether it's this or something else, if nobody is ever going to come back and update Deepest Sender, how long do you expect Firefox to make sure it still works if the dev won't?
While I certainly agree with you on that front, the fact that it works just fine and FF won't, by default, ALLOW ME to choose to install (I mean, since I can set a flag in about:config - fine. again ... let power users have that choice). If it deprecated itself? Fine. But if it works and I'm not even given the choice of running it, well... that's what bothers me. I mean - it's not like many people would expect me to be using LJ in the first place in this day and age, if you want to use an abandoned platform analogy... ;)
Now - it's clear that with these proposals, DS will have to go the way of the Dodo unless someone rewrites it, and at that point, OK, fine, that's how it is, but don't disallow me from using it altogether. I suppose having a flag in about:config is probably the best way to do it, but there was certainly no warning when it happened which was a bit of a shock.
Security, usability and power-use are going to be 3 things that collide, and I just hope they're able to get the balance right.
posted by symbioid at 7:14 AM on August 23, 2015
The next question: how does one block (or click-to-play) autoplaying HTML5 video on sites like Facebook in Chrome? I didn't ask them to download and play hundreds of megabytes of video assets every time I check what my frenemies are up to.
The closest I've gotten is an extension called Disable HTML5 Autoplay. It doesn't actually block the download of videos, but it's the only thing I've found for any web browser that actually stops all autoplaying HTML5 videos.
posted by dirigibleman at 7:16 AM on August 23, 2015 [2 favorites]
Oh dear. I hope my default browser, which is SeaMonkey, won't be affected negatively. I really love my SeaMonkey and would hate to have to switch. I suppose I could switch back to K-Meleon... but the same worry applies there.
posted by Too-Ticky at 7:18 AM on August 23, 2015
I have recently started relying on it for my Android phone for tabbed browsing - after Google did away with tabs in Lollipop (soooooooooooo annoying).
FYI, in Chrome for Android, Settings->Merge tabs and apps (set to "off") to get your tabs back the way they were before. Can still swipe at the top to change tabs and get the number of tabs icon that you can click to view all tabs. Basically the same as it was before.
posted by czytm at 7:22 AM on August 23, 2015 [3 favorites]
lmfsilva: "(and if you meant on FF, there's one similar on developer/inspector, then network. reload the page, click "images" on the bottom and it will list all images the browser loads)"
Yes, yes that will. Thank you very much.
posted by Mitheral at 7:27 AM on August 23, 2015
It doesn't help that the web is now unusable without JavaScript. I installed NoScript, since people say it's a good idea, but most websites only half worked, and in the best cases, there would be terrible display errors.
But you also see simple news articles on sites like the Verge loading dozens of ad network and tracking scripts. uBlock and Firefox's built in privacy options help, but there's still overhead with having a script filter out those scripts.
This kind of behavior was unacceptable in early 2000s software, back when more computing stayed on the desktop. But now it's okay for reposted press releases to spy on you.
posted by mccarty.tim at 7:33 AM on August 23, 2015 [8 favorites]
Oh - another thing that has saved me plenty of resources and such is getting rid of flashblock and instead just going into my extension options and set the flash extension to "ask to activate".
The main issue with that is it's not per-flash-item, but for the whole page. Also - it doesn't block the flash like flashblock and you click the item, but will drop a message from the address bar area saying flash is disabled, would you like to enable it? It is per tab, at least.
I feel like once I got rid of flashblock and used this method the browser ran faster. I think the reason I got rid of it was because netflix was acting like a dick with flash block and it was the only way I could get netflix to work (and yes, this was after whitelisting and even not blocking silverlight).
posted by symbioid at 7:37 AM on August 23, 2015 [1 favorite]
But you also see simple news articles on sites like the Verge loading dozens of ad network and tracking scripts. uBlock and Firefox's built in privacy options help, but there's still overhead with having a script filter out those scripts.
The only way I read articles on sites like The Verge is using Readability from a RSS reader (FeedBin on the desktop or Reeder on iOS). On the 95% or so of sites it works on, not only does it mean not putting up with obnoxious ads and several layers of trackers, but also not having to wait 30 seconds staring at a mostly blank page because their site is too good to be rendered in Verdana or Times New Roman or whatever.
posted by acb at 7:44 AM on August 23, 2015 [3 favorites]
I feel like Firefox is just suffering a marketing problem right now. When Firefox first launched, it was THE Alternative To That Horrible IE Browser That Everyone Hates So Much. It slowly morphed into The Web Developers Browser with its support of semantic code and developer essential add-ons. What web nerds love gets recommended to the masses and becomes popular.
But then Chrome came along as a lighter, faster alternative... and Firefox hasn't found its new niche yet. It's still a decent browser, and it still has some features I prefer as a developer, but that's not quite enough to compel me to switch back.
I feel like if Firefox could just focus on becoming really good at one thing - being lightweight, being super fast, catering to developers, being stealthy and ultra private/secure, whatever - it wouldn't be that hard to get me to switch back to FF as my main browser.
posted by geeky at 7:45 AM on August 23, 2015 [2 favorites]
I gotta say I don't understand the Firefox hate. I've had nothing but minor issues since Day One - and I've been using Firefox since it first came out. I used to do web design, so I have a lot of browsers installed - Firefox, Chrome, Opera, IE and, now, Edge. I think, as a total package, Firefox just STOMPS the rest of them (Opera has stupendous rendering, though). Firefox has gotten a bit bloated, unfortunately, and Firefox for Android isn't great, but I continue to rely on it as my go-to browser. It's solid, dependable, familiar, and configurable. What else do you need?
posted by Benny Andajetz at 7:46 AM on August 23, 2015 [6 favorites]
But you also see simple news articles on sites like the Verge loading dozens of ad network and tracking scripts.
Ghostery is your friend.
posted by Thorzdad at 7:49 AM on August 23, 2015 [5 favorites]
I'm sorry current Firefox isn't meeting your needs but please don't keep relying on a months- or years-old version.
So my options are "have a usable browser that fulfills my needs" or "be secure and up to date", and I can only pick one?
God, this is the Australis garbage fire all over again.
posted by Pope Guilty at 8:07 AM on August 23, 2015 [4 favorites]
I gotta say I don't understand the Firefox hate. I've had nothing but minor issues since Day One - and I've been using Firefox since it first came out. I used to do web design, so I have a lot of browsers installed - Firefox, Chrome, Opera, IE and, now, Edge. I think, as a total package, Firefox just STOMPS the rest of them ( Opera has stupendous rendering, though). Firefox has gotten a bit bloated, unfortunately, and Firefox for Android isn't great, but I continue to rely on it as my go-to browser. It's solid, dependable, familiar, and configurable. What else do you need?
This accurately mirrors my own history with and current feelings about Firefox, except that I still do web development. I realized a while ago that I once made splash screen images for Firefox back when it was called Phoenix. That was over a decade ago. Chrome I think is a reasonable replacement for Firefox, and I'm especially glad that Firefox is finally stealing Chrome's multi-threaded approach, but it's nice to have a browser not owned by Google and I still have a lot of loyalty to Firefox just for rescuing us from Internet Explorer.
posted by chrominance at 8:13 AM on August 23, 2015 [4 favorites]
I think I probably say this every time Firefox comes up, but it seems to be relatively unknown: Firefox on Android can run (almost all?) your familiar Firefox addons. Read: you can finally have an excellent mobile browser with uBlock Origin, Ghostery, etc. It revolutionizes mobile browsing if you're on a non-perfect wireless link, on an older device with limited resources, on a plan with a data cap, or just don't want to have every thing you do tracked and logged.
Every so often I run into a page whose javascript doesn't work well in Firefox mobile, but otherwise it is a truly excellent browser. The modern web would be nigh-unusable here in rural Virginia without it. <3 Mozilla
posted by introp at 8:22 AM on August 23, 2015 [3 favorites]
So my options are "have a usable browser that fulfills my needs" or "be secure and up to date", and I can only pick one?
But, hasn't that always been true about pretty much all software, and not exclusive to browsers? I mean, my home set-up is a 5-year-old iMac running 10.6.8. (along with Adobe CS5) It meets my needs just fine, but I'm fully aware that it's woefully out-of-date and vulnerable. But, at the very least, I keep Firefox up-to-date and utilize the add-on/plug-in system as best I can. It's pretty admirable (and appreciated) that they've kept FF backward compatible with my ancient OS, unlike Apple with Safari. That wins my loyalty any day.
posted by Thorzdad at 8:25 AM on August 23, 2015 [1 favorite]
Firefox was my go to for a long time. I had the 3rd party app to import export profiles way back when. Then it got slower, and slower, ok no big deal. Then Chrome came out and using that for mobile and firefox was so bad on mobile for me so I moved to chrome on desktop. The Mozilla incidents regarding gay marriage and gamergate pretty much killed it for me. Why even bother.
I still have FF installed but it seems like every single time I run it it updates 10 extensions and I have to wait 5mins and close 10 tabs before I can do anything.
Chrome is getting bloated now too (tell me google why does 1 instance of chrome require 15 instances of the process running?).
Edge is blazing fast and looks nice but man is it barebones.
What's really getting to me now though is recently I have had to try different browsers to get certain websites to work. It's like the good old days where elements were designed for specific browser compatibility. I really hope we're not heading down that path again.
posted by M Edward at 8:30 AM on August 23, 2015 [1 favorite]
This is definitely an area for improvement but the task is complicated for extensions – Ad Block Plus might not look so bad because it only uses a modest amount of memory directly but it injects code into every page which increases the resource requirements for that page. If you look at the stats, the page will get the blame for ABP's bloat; this is a very hard problem to solve in general.
The page should absolutely get the blame for the bloat. When a webpage takes 4 times as long to load because of all the ads served up, don't blame ABP for making that page usable and reader-friendly.
posted by cynical pinnacle at 9:01 AM on August 23, 2015 [3 favorites]
> if you use Google, Gmail, Chrome and 23andMe, Google will know literally
> everything about you.
Frankly I think I'd just as soon use one of the Chinese browsers as Chrome. I recently downloaded (but have not yet started using) Maxthon portable version. Is it worse for Xi Jinping to know everything there is to know about me than Sergey and Larry? At least secret U.S. government subpoenas to reveal user info don't mean a thing to Xi. What's "Don't be evil" in Mandarin?
posted by jfuller at 9:02 AM on August 23, 2015 [2 favorites]
I have been a pretty die hard Firefox user since it was just a twinkle in Mozilla's eye. Or rather, since it was called Phoenix.
I am pretty loyal to software. I am still using Winamp (actually, that has more to do with my passive aggressive hatred of iTunes).
But it turned out that Chrome has The Killer Feature.
I open zillions of tabs at once. I try and restrain myself to sub-20 numbers. I regularly fail.
It turns out Chrome will show me which tab is suddenly making the Horrible, Horrible Noises so I can go make them Die, or even mute tab. It is just a little speaker icon that appears!
It gave me my life back! OK, no, but nails on the chalkboard? I can cope with that. Pausing my music and frantically searching for the hideous autoplaying video or ad? Stresses me out badly.
I haven't noticed Chrome being a better browser in any other respect. It could be worse. It wouldn't matter.
If the change to the Firefox internals enables this same feature, I would probably swap back.
posted by Elysum at 9:42 AM on August 23, 2015 [6 favorites]
I have a question for you "zillions of tabs" users: How? Why? Tabs to me are useful precisely because I can see what is in them at a glance at the top of my browser. If you have a huge number open, that is taken away, and they might as well be bookmarks. Not saying you're wrong or whatever, but I fail to see the point.
(I keep my browser bookmarks toolbar empty except for half a dozen top-level folders with very short names, and use it to drag sites I might want to reference again soon without just keeping said site open in another tab.)
Anything else just seems like a list of bookmarks to me. What am I missing?
posted by maxwelton at 10:06 AM on August 23, 2015 [1 favorite]
Elysum, based on the commits at bug 486262, you could probably grab a nightly build and set pref browser.tabs.showAudioPlayingIcon to true to try them out early. A brief skim of the bug offers no concrete launch date, but it looks like there's some hopeful thinking around them turning it on by default in Firefox 42 - a couple releases from now. (:atoll)
posted by crysflame at 10:07 AM on August 23, 2015 [1 favorite]
Firefox recently gained that feature in the "nightly" pre-release builds, Elysum. It should appear in the stable builds sometime soon.
posted by mbrubeck at 10:07 AM on August 23, 2015
I'm a loyal FF user. I have occasionally had issues with FF bogging down or apparently sucking up all resources but currently it's quite passable on my main PC (newish, Win 8.1). As yet another dev on Mefi, I very much depend on Firebug and other dev plugins.
As discussed, browser software needs to keep ahead of constantly improving threats, but let's still reserve some hate for the OSs that themselves have had poor sandboxing of untrusted apps, especially downloaded stuff running in the browser. (Yes this has been getting better. Does anyone know if Windows 10 has more improvements for app security, or is it mostly a new beachhead for DRM and monetizing the user?)
Unless the FF migration is horribly botched, I will be staying with it.
posted by Artful Codger at 10:16 AM on August 23, 2015 [2 favorites]
(tell me google why does 1 instance of chrome require 15 instances of the process running?)
It runs all bits and pieces in separate processes, to make sure that a vulnerability in one component doesn't give the attacker access to everything, or that a bug in one site kills the entire browser (see page 3 onwards in the chrome comic for more). The operating system's task manager cannot always tell them apart, but you can use the built-in one to see what's what.
posted by effbot at 10:18 AM on August 23, 2015
But, hasn't that always been true about pretty much all software, and not exclusive to browsers?
You say this like it somehow changes things.
posted by JHarris at 10:18 AM on August 23, 2015
I used to use zillions of tabs back when tabs shrunk, and then used multi-row tabs, so I'd have like 3-4 tabs of like 20-30 or whatever per row. I used to do a ton of research by clicking a lot of related links on wikipedia or whatever, and just refer as needed.
I really fucking hated when they switched to the scrolling tabs (wasn't that one of those "let's copy chrome" things? Can't remember). I've succumbed, but it means I don't have the tabs open like I used to. But then - when I used to do it, tabs didn't suck so much juice, because we didn't have these massive jquery, yada yada pages.
I do use the addon that can allow you to make it more like the old FF (mostly so I can have proper reload/stop button, not that ... copycat chrome in the URL bar bullshit). But I think that might allow for multi-row tabs. I just never felt the need to go back to it since I don't generally keep the tabs open that much anymore.
There definitely is a need for good tab management for research. I know there's the sort of mini-instances you can open with tabsets in FF, but it's always felt unwieldy and mode-switchy so I just never used it. The web is a lot different than it used to be, now everyone's on fuck all the same sites over and over refreshing. There used to be so much more variety and exploration, but now I'm derailing so I'll shut up.
posted by symbioid at 10:51 AM on August 23, 2015 [2 favorites]
Anything else just seems like a list of bookmarks to me. What am I missing?
I basically stopped saving bookmarks regularly some 10 years ago because the things I was saving were so ephemeral that my bookmarks database ended up just piling up with things I'd probably never want to pull up again. Right now if I save a bookmark, it's probably going to be a thing I see myself visiting daily, otherwise, I'll just search for it when I need it. (I tried the cloud/social bookmarking services but couldn't quite fall in love with them.)
With tabs, the page is there in my browser until I close it, which is a blessing and a curse. Yes, the tabs are going to hog some resources, but that's an incentive to go back and read them so I can close them. The things I keep in tabs fall into a few categories:
1. Pages I visit daily, or several times a day. e.g. the MeFi My Activity page, my fantasy baseball roster, etc.
2. Pages that are being updated with new content, e.g. MeFi posts. The MeFi activity page is great, but with threads I'm actively reading, I find it's better to keep the thread open and use the unread comment notification in the title bar to follow the threads. Once the thread isn't being as actively updated, I close it and follow it with My Activity.
3. "Read It Later"-esque storage area for long articles that I started reading but got sidetracked.
I'm sure it sounds crazy to have that many tabs open, but Firefox's Panorama makes it much more manageable. Here is what my Panorama looks like right now. You'll notice the different groupings of tabs -- I use a couple of extensions (AutoGroup and Tab Groups Helper) to automatically put tabs matching certain criteria into one of those groups, along with a catch-all "Unsorted" group.
Not shown in the Panorama view* are my pinned App Tabs -- Firefox lets you pin tabs, and a couple other extensions (App Tabs Plus and Better App Tab Shortcuts) augment that functionality, including letting me switch to them with hotkeys Cmd-Shift-1, Cmd-Shift-2, etc. So Cmd-Shift-1 gives me my Google+ page, Cmd-Shift-2 gives me forecast.io, etc.
Anyway, it all works for me, and not having these things in my browser would make me sad.
* You can see them as little icons that show up in all of the tab groups, but the thumbnails aren't shown.
posted by tonycpsu at 10:54 AM on August 23, 2015 [5 favorites]
It turns out Chrome will show me which tab is suddenly making the Horrible, Horrible Noises so I can go make them Die, or even mute tab. It is just a little speaker icon that appears! [...]
If the change to the Firefox internals enables this same feature, I would probably swap back.
That landed in our nightly builds about two weeks ago. It's not far away.
posted by mhoye at 11:25 AM on August 23, 2015 [4 favorites]
Sorry to keep on popping in here, but, well - I really love Deepest Sender, as noted above. It seems like the plumbing itself should be able to stay the same and it's more the hooks into the browser that would need to change (hopefully, though maybe security authentication stuff needs fixin')...
How, exactly, would I learn to go about updating (if it's open source, I think it is, but I should double check) and making it usable with the new setup? Are there any tutorials? Do I just go use whatever the Google Tutorials for their extensions are (since you say it's intended to be like Chrome's?)
posted by symbioid at 11:40 AM on August 23, 2015
I've been using the ESR version of Firefox for ages now. All of the security updates, none of the weird "we changed this behaviour just because". The only change I've noticed recently was the search bar behaviour altering, which was easily solved with a bit of startpage.com-ing.
The only time I've known it crash repeatedly is when I'm browsing tumblr.
posted by Solomon at 11:42 AM on August 23, 2015 [1 favorite]
Copland 2017
posted by Apocryphon at 1:15 PM on August 23, 2015
That works out of the box in at least Chrome on Ubuntu and all browsers on Windows, via features provided by the operating system. Maybe it's not the browser that's the problem with your setup? :-)
Wow, smug ill-informed condescension from a Linux user...the 90s really are back!
posted by Ian A.T. at 1:32 PM on August 23, 2015 [3 favorites]
Frankly I think I'd just as soon use one of the Chinese browsers as Chrome. I recently downloaded (but have not yet started using) Maxthon portable version. Is it worse for Xi Jinping to know everything there is to know about me than Sergey and Larry? At least secret U.S. government subpoenas to reveal user info don't mean a thing to Xi. What's "Don't be evil" in Mandarin?
The future of online privacy: surveillance regime arbitrage. Soon, activists and paranoids in America will be communicating on LiveJournal via their YotaPhones and betting that the FSB doesn't have any plans for them.
posted by acb at 2:34 PM on August 23, 2015 [5 favorites]
Thanks for the Ghostery mentions everyone. I installed this on a lark and it's amazing how much faster it makes browsing, even on a really fast connection.
posted by selfnoise at 2:43 PM on August 23, 2015 [1 favorite]
I've been using the ESR version of Firefox for ages now. All of the security updates,
That's just not the case: "Maintenance of each ESR, through point releases, is limited to high-risk/high-impact security vulnerabilities and in rare cases may also include off-schedule releases that address live security vulnerabilities."
To be 100% clear, best-effort backporting is not "all" the security fixes, and if security is mission-critical to you, you absolutely need to be on mainline release. The TOR Browser people use ESR instead of mainline for their releases, for example, and some of their users have gotten burned by this in the past.
If you're not doing enterprise deployments, please use regular Firefox. If you are, also please use regular Firefox, but I understand where you're coming from.
posted by mhoye at 2:53 PM on August 23, 2015 [4 favorites]
I jumped off of the Firefox boat a couple of months ago when I kept having issues with it freezing up on me during regular use after using it for a good 10 years. I tried Opera for a little bit, and now have been using Chromium for about 2 months, and it's been working fine for me. I think the only thing I really miss are the vertical tabs add-on, which I don't think exists with any of the chrome-based web browsers, but I have been able to port most of the add-on features I like between browsers or find replacements that do a similar thing.
When browsers essentially are all doing the same thing anyway (especially with firefox trying to be more like chrome at times), I'm not sure how much a browser choice really matters anymore, at least to us who aren't super knowledgeable about the technical details.
posted by tealNoise at 2:53 PM on August 23, 2015
I couldn't quite figure this out; will Java be unusable like in Chrome and Edge? I wanna know how long before I can begin licking the tears of the USPTO's web team.
posted by charred husk at 3:38 PM on August 23, 2015 [1 favorite]
Breaking plugins is unfortunate, but if that's the price to pay for a reasonably modern threading model it's way beyond time.
The reason I switched to Chrome was to some extent because it was just faster (JS engine and rendering both seemed faster), but mostly because it doesn't let one badly-behaved webpage slow down either the overall UI or the contents of other tabs. (Also because FF didn't support multiple processors until like ... 2011? 2012?) If some stupid page starts going out of control in Chrome, you can just close the tab. In Firefox, it seemed pretty common to have pages slow the whole damn thing to a crawl, leaving you with no choices except to either sit back and wait (irritating) or kill the entire application (also irritating, although it has the immediate satisfaction of at least producing an immediate result).
Firefox has been architecturally behind the 8-ball for years, and mobile architectures just make it worse. Whatever they have to break to get the threading/process model unfucked is just going to be what needs to happen.
posted by Kadin2048 at 4:18 PM on August 23, 2015 [1 favorite]
I think the web browser that makes it a point to point out, in the tabs, by default, which web pages are the worst browser citizens, will be doing the Internet, and themselves, a huge favor.
Hey, there's an app for that -- or add on. Tab Memory Usage seems to do what you want. I haven't tried it myself so I won't link to it but you can easily find it.
That's one of the nice things about Firefox. No sooner do I think "what if I could ..." and I can usually always find an add on.
posted by JackFlash at 6:37 PM on August 23, 2015
I couldn't quite figure this out; will Java be unusable like in Chrome and Edge? I wanna know how long before I can begin licking the tears of the USPTO's web team.
Kind of depends what you mean? Android is ubiquitous at this point. Client side java as in applets, if that's what you mean, is pretty much dead. Server-side Java will be with us for decades.
That said, don't underestimate - or undervalue - what organizations like the USPTO are mandated to deliver, particularly considering the budget, timeline, scale and constraints they need to deliver on. Valley people talk about companies like Snapchat "operating at scale", but Snapchat is two tin cans and some twine compared to the USPTO, or any major shipping company. Moving physical things safely and cost effectively to hundreds of millions of geographically disparate people every single day forever is a few hard levels up from twiddling the knobs on your S3 page.
There's a reason that when you look over the USPS or FedEx guy's shoulder you see a vanilla WinXP client running a terminal emulator, and why every time they ask you to sign their scanner you're poking at a resistive touchscreen running Windows CE - the scale of these operations is _so_ vast, and change - and the concomitant risk - is complex and expensive beyond reason. Where you see "old and outdated", they see "understood and proven".
posted by mhoye at 6:45 PM on August 23, 2015 [5 favorites]
I have a question for you "zillions of tabs" users: How? Why? Tabs to me are useful precisely because I can see what is in them at a glance at the top of my browser. If you have a huge number open, that is taken away, and they might as well be bookmarks.
Hey, there's an app for that -- or add on. I often have 50 tabs open. It's stuff I want to keep up on, sometimes a to-do list of various pages, things I plan to read later. I'll leave my browser up for weeks at a time.
So I use "Side Tabs". It puts all the tabs in a scrollable side bar next to my bookmark sidebar. I can adjust the width of the sidebar so that I can read the titles of all 50 tabs. I use it similarly to bookmarks but I can manage it more easily dynamically, adding and removing tabs as needed, and toggle back and forth between various tabs to compare, copy and paste, etc.
posted by JackFlash at 6:51 PM on August 23, 2015 [1 favorite]
A whole lot of people here seem to be missing the point that XUL is a dinosaur that never really worked right in the first place, sitting right next to XPCOM at the table of overcomplicated early-2000s technologies that Mozilla have (rightfully) been trying to jettison for well over a decade.
User experience aside, it's a huge pain in the butt to write plugins for Firefox. Transitioning away from XUL and towards JavaScript and HTML isn't forcing a Google-centric monoculture on anybody. Rather, it's an embrace of existing web standards to power and augment the browser itself.
When Mozilla built SeaMonkey, they built an entire cross-platform UI Toolkit. Huge blunder. Ultimately, this resulted in bloated applications with a "non-native" user experience that didn't feel quite right on any platform. Eventually, a few developers figured out how to extract a usable browser from the mess, and Phoenix/Firebird/Firefox was born as a very basic (but fast!) browser, utilizing as little XUL and XPCOM as they dared to.
Fast forward 12 years, and Mozilla have learned their lesson, and quietly abandoned their quest to create a cross-platform application toolkit. However, Firefox is still cursed with these underpinnings, and worse still, HTML, CSS, and JS have evolved to the point where developers can build awesome "native-feeling" user interfaces without needing another UI toolkit.
At best, XUL is unnecessary in 2015. At worst, it's a hugely complicated layer of cruft that's difficult to maintain.
Yes, this is a major breaking change, but we're getting tons of advance warning, and there are really good reasons for it happening. You're not going to find a single extension author who will look at you with a straight face and say "XUL is great and Mozilla should support it forever."
Talk of Mozilla's death is greatly premature and exaggerated. If Mozilla can't make a breaking change for the betterment of its users (and trust me, this is a change for the better), they're already dead.
Seriously. "Build a cross-platform UI toolkit" is the "Start a land war in Asia" of the software world. It never works out.
posted by schmod at 6:52 PM on August 23, 2015 [13 favorites]
MetaFilter: A whole lot of people here seem to be missing the point
posted by Going To Maine at 6:57 PM on August 23, 2015 [2 favorites]
Ghostery seems to be pretty nice. I am having trouble, though, with uBlock, ensuring that ads show up on Metafilter and other websites that I know have unobtrusive ones and want to see do well. Does anyone here have any tips on how to properly exempt them?
posted by JHarris at 10:23 PM on August 23, 2015
Ah! Literally just after I wrote that I found that putting metafilter.com in the Whitelist tab causes The DECK ads to start appearing again. Got it, filed, stored.
posted by JHarris at 10:25 PM on August 23, 2015
As a school netadmin, my main qualm about the way Mozilla appears to be headed is that I think deprecating HTTP in favour of HTTPS everywhere is wrong-headed.
Every school and most workplace IT departments will have some kind of web request inspection and filtering in place, as part of their overall responsibility to keep their workstations free of porn and malware. For sites reachable via HTTP, this is easily done; also, for HTTP sites, users have no reasonable expectation of privacy.
HTTPS is different. It's supposed to guarantee end-to-end encryption, so that the server the browser is connected to is the one the user believes it's connected to, and traffic between browser and server can't be intercepted or tampered with. But because HTTPS encrypts the entire stream between browser and server, it's inherently incompatible with workplace request filtering: there is no way to look at traffic on a properly functioning HTTPS connection and determine what requests are being made. As a netadmin, the only filtering I can do for HTTPS sites without breaking end-to-end encryption is at the level of the entire domain the initial connection is made to.
Once the browser has made an encrypted connection, there is not even a guarantee that all the requests carried over it will be to that same server. For example, it's completely feasible to nail up an encrypted connection to www.google.com and then fire requests over that for pages from www.youtube.com. This works. I've done it.
The only way for anything connected to my school's district-provided VPN to get out to the wider Internet is via a web gateway provided by Zscaler, a Security-As-A-Service provider. Zscaler has a feature that does allow per-request and content-based filtering for HTTPS sites. If that's turned on, then a Zscaler root certificate needs to be installed on every web-connected device so that Zscaler can spoof the server certificate for any arbitrary HTTPS site; in effect, Zscaler is running a man-in-the-middle attack against the user's end-to-end encrypted traffic, aided and abetted by a cert installed by the local netadmin. With Zscaler HTTPS inspection turned on, and that cert not installed, every HTTPS site appears to be broken because they will all (quite rightly!) generate scary browser certificate warnings.
I have refused to turn on this feature for the Zscaler instance that services my school because I have strong objections to allowing a third party that my users have no business relationship with to decrypt all their secure traffic. Instead, I maintain a whitelist of HTTPS sites reachable using student Internet credentials, and I use assorted horrible proxying hacks to provide local HTTP versions of sites like YouTube that are now generally available only over HTTPS. Staff credentials give users HTTPS access restricted only by a small domain blacklist.
If the whole web goes HTTPS, this approach will simply not be sustainable and I will be faced with a choice between allowing users' encrypted connections to be broken into via spoofed certs, or retiring. And I will pick retiring, because I still think snooping on traffic that clearly carries an expectation of privacy is unethical.
I am not the only netadmin in this position. I am sure, though, that I am in the minority when it comes to refusing to tamper with HTTPS. Many netadmins will simply roll over and implement corporate security policy, user privacy be damned. And if the whole web goes HTTPS, most netadmins won't be retiring. They will simply be making the installation of a certificate-spoofing root certificate mandatory for any device that wants Internet access via a corporate connection.
And users, being the endlessly trusting souls that they are, will simply come to accept that every other connection they make will require its own special package installed before they can get to Grumpy Cat over it. And it will not be too long before this becomes so normal that it's even normal for the free wifi at the local Chew'n'Spew, at which point it's Game Over for HTTPS.
As things stand at present, HTTPS is for stuff you have a reasonable expectation of privacy on, and HTTP is for everything else. That distinction is valuable. Destroying it by forcing the Web to use HTTPS everywhere will end up making it secure nowhere.
Encryption != security. Mozilla ought to rethink its HTTPS everywhere direction.
posted by flabdablet at 12:15 AM on August 24, 2015 [10 favorites]
"Build a cross-platform UI toolkit" is the "Start a land war in Asia" of the software world. It never works out.
Dunno about that. Qt is pretty decent.
posted by flabdablet at 12:16 AM on August 24, 2015 [2 favorites]
Schools have always had the dumbest, most heavy-handed security policies around. As an adult internet user, I really couldn't give two shits if widespread encryption makes their job harder. All your students can see as much porn as they want on their phones, so who really cares?
And I hope robust cert pinning breaks your local CA cert trick, too, although I suspect it won't.
(Not meant to attack you personally, flabdablet, but I hope you can see how holding back ubiquitous encryption because schools like web filtering is kinda crazy.)
posted by ryanrs at 2:09 AM on August 24, 2015 [11 favorites]
flabdablet: why won't you set up a secure proxy? Ubiquitous HTTPS makes it hard to run network-level tampering proxies but from what I've followed of that effort and the mandatory HTTPS in HTTP/2 push, everyone has been quite aware of the need for legitimate proxies in certain industries (financial companies need this for compliance monitoring, too).
Setting it up using the legitimate service offered in every client is easily deployed and avoids training users to ignore HTTPS errors. The only downside is that it requires a change on unmanaged clients (at least the ones which don't use the DHCP proxy option) and in an environment where this is important those either should be blocked or segregated by policy.
posted by adamsc at 4:07 AM on August 24, 2015 [1 favorite]
why won't you set up a secure proxy?
I have one. The way HTTPS via proxy works is that the browser recognizes that it's supposed to use a proxy and issues an HTTP CONNECT request to the proxy, which then issues further HTTP CONNECT requests to its upstream proxies until the one furthest upstream makes a direct TCP connection to the desired website. The chain of proxies then relays that TCP connection all the way downstream to the browser. Now that the browser has (effectively) a direct and stable TCP connection to the target server, it initiates TLS over that connection, then runs all its HTTP traffic over the encrypted connection the same way it would had it made a direct TCP connection to the target server without needing to involve the proxies.
The point is that as a netadmin all I get to see is the name of the domain the browser makes its initial CONNECT request to, and that this is not granular enough to e.g. allow students to play pre-approved YouTube videos while denying them access to others, or to enforce the use of adult content filtered mode for Google, Bing and so forth.
Any HTTPS proxy I set up that can filter web requests by URL as opposed to connections by domain has to work the same way Zscaler does, i.e. by running MITM attacks against SSL/TLS encryption by means of certificate spoofing, made possible by having my own root cert installed on end users' devices. I'm not willing to do that.
If by "secure proxy" you mean a local web page that users connect to explicitly, then enter the actual target HTTPS URL in a web form and have the page embed the secure site so accessed in an iframe or somesuch: Nope. Not doing that. I have absolutely no desire to play whack-a-mole with the completely legitimate iframe-escaping scripts that any decently secured site is going to deploy against that very pattern.
All your students can see as much porn as they want on their phones
This is a primary school (age range equivalent to a US K-6). Most of the students do not have phones.
so who really cares?
Their parents do, and therefore so does my employer. And yes I've given them the rah rah about how no filtering system is ultimately reliable and how every filter ever invented can be worked around and how this is a social problem not a technical problem and how the best protection we can have is screens in public spaces with supervising eyeballs on them at all times. Doesn't change a thing.
I hope robust cert pinning breaks your local CA cert trick, too, although I suspect it won't.
It's not my trick, it's Zscaler's. I've got it turned off at my site because I dislike it intensely and consider it to be the Wrong Thing. Proper cert pinning undoubtedly would break it. But that is not going to stop school parents expecting and demanding a filtered Web at school and it's not going to stop the kind of manager who would choose Zscaler in the first place from demanding a filtered Web in the workplace.
posted by flabdablet at 5:54 AM on August 24, 2015 [3 favorites]
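An added illustration of the CONNECT flow described in the comment above (not code from any poster in this thread): it builds the CONNECT request a browser sends its proxy for an https URL, parses it as the proxy would, and applies a student allowlist and staff blocklist by domain. The policy domains, role names and function names are assumptions made up for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed policy data; placeholder domains, not taken from the thread.
STUDENT_ALLOWLIST = {"video.example", "library.example"}
STAFF_BLOCKLIST = {"blocked.example"}


@dataclass(frozen=True)
class ConnectTarget:
    host: str
    port: int


def connect_for_url(url: str) -> bytes:
    """Build the CONNECT request a browser sends its proxy before fetching an https URL."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https URL")
    authority = f"{parts.hostname}:{parts.port or 443}"
    # Path and query never appear here; they travel later, inside the TLS tunnel.
    return f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n".encode("ascii")


def parse_connect(raw: bytes) -> ConnectTarget:
    """Parse the one request line the proxy sees in clear text for an HTTPS tunnel."""
    line = raw.split(b"\r\n", 1)[0].decode("ascii")  # non-ASCII raises ValueError
    fields = line.split(" ")
    if len(fields) != 3 or fields[0] != "CONNECT" or not fields[2].startswith("HTTP/"):
        raise ValueError(f"not a CONNECT request line: {line!r}")
    host, sep, port = fields[1].rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"CONNECT target must be host:port, got {fields[1]!r}")
    # Normalise case, a trailing root dot, and IPv6 literal brackets.
    return ConnectTarget(host.strip("[]").rstrip(".").lower(), int(port))


def domain_matches(host: str, domains: set[str]) -> bool:
    """True if host is a listed domain or a subdomain of one, aligned on label boundaries."""
    return any(host == d or host.endswith("." + d) for d in domains)


def decide(role: str, target: ConnectTarget) -> str:
    """Domain-level decision: the finest granularity available without TLS interception."""
    if target.port != 443:
        return "deny"  # assumption in this sketch: tunnels only to the HTTPS port
    if role == "student":
        return "allow" if domain_matches(target.host, STUDENT_ALLOWLIST) else "deny"
    if role == "staff":
        return "deny" if domain_matches(target.host, STAFF_BLOCKLIST) else "allow"
    return "deny"  # unknown roles fail closed


if __name__ == "__main__":
    # Constructed URLs: two different pages on one host, plus a look-alike domain.
    for url in (
        "https://video.example/watch?v=approved-lesson",
        "https://video.example/watch?v=anything-else",
        "https://notvideo.example/",
    ):
        request = connect_for_url(url)
        first_line = request.split(b"\r\n", 1)[0].decode()
        print(f"{url}\n  proxy sees: {first_line}\n  student: {decide('student', parse_connect(request))}")
```

The first two URLs yield byte-identical CONNECT requests, so any per-video rule would have to be enforced somewhere that can see inside the tunnel.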
I hope you can see how holding back ubiquitous encryption because schools like web filtering is kinda crazy.
Kinda crazy is the world that netadmins are fully accustomed to working in, and I know how that world operates. So I can absolutely assure you, with copper-bottomed certainty, that managers will find ways to break end-to-end encryption in the workplace by policy hook or by policy crook, and that doing so will involve users being required to agree to something indistinguishable from an EULA that they will never even bother to read in order that some kind of end-to-end encryption breaking mechanism gets installed on their devices, and that this kind of thing will become ubiquitous at about the same rate that encryption does, leaving 95% of users less secure as a result.
What we have now is imperfect to say the least, but it's better than what we will get if the distinction between ordinary bulk Web traffic and secure private traffic is lost.
posted by flabdablet at 6:00 AM on August 24, 2015 [1 favorite]
Anybody who thinks I'm just talking out of my arse needs to go and have a look at Zscaler's web page, then reflect on exactly what kind of mind such a thing could possibly have been designed to appeal to (hint: not mine).
posted by flabdablet at 6:02 AM on August 24, 2015
Meanwhile in Amsterdam.
Additionally, the next version of Chrome will become significantly more selective about the SSL certificates that it chooses to accept, and will straight-up refuse to communicate with dangerously-misconfigured SSL servers, even refusing to let users configure exemptions in the most egregious cases. The backlash to this has been kind of scary.
[Note that a few of the people complaining have a legitimate gripe. If you're an admin trying to fix a router/server with a bad cert, you probably need to be able to configure an exemption. However, a lot of other admins seem to be complaining that they can't be arsed to configure SSL correctly, which is completely inexcusable.]
posted by schmod at 6:54 AM on August 24, 2015 [1 favorite]
Meanwhile in Amsterdam
...it begins!
See also: Lenovo (Superfish).
posted by flabdablet at 7:18 AM on August 24, 2015
I asked a question recently that is sort of relevant here.
I too have stuck with Firefox even though I frequently use Chrome, because for me Chrome has never been the killer browser that it's been hyped up to be. Even if I needed to install a bunch of different add-ons to bring back the features and the button placements that I preferred, Firefox has always been the more comfortable and complete experience. KeePass integration in particular just works better on Firefox.
The impression that I'm getting is that unless I start coding my own browser there's nothing that I as a user can do about this.
posted by koucha at 7:26 AM on August 24, 2015
koucha, Firefox will almost certainly continue to work as you want it. Some old add-ons won't be updated by their authors to adjust to the new plugin model. Likely all popular ones will. Old unmaintained add-ons breaking isn't entirely new in the browser universe, though, so if you've made it this far you'll continue to be able to use FF as you like.
posted by introp at 7:30 AM on August 24, 2015
Anybody who thinks I'm just talking out of my arse needs to go and have a look at Zscaler's web page, then reflect on exactly what kind of mind such a thing could possibly have been designed to appeal to (hint: not mine)
For what it's worth, it's not only Zscaler. Cisco - and, AFAIK, all the major network gear vendors - have been selling gear that will do this transparently for a decade. It's pretty awful from a privacy perspective, but relatively few countries have robust privacy laws or laws about how employers are permitted to monitor their employees. Most places go the other way, and insist on minimizing liability and facilitating access for private or state surveillance.
For what it's worth, I strongly support HTTPS-Everywhere. Specifically, I think the "distinction between ordinary bulk Web traffic and secure private traffic" you're arguing for doesn't actually exist in any practical sense. Searches for medical conditions or treatment options, financial advice, therapists, counseling hotlines, crisis shelters, an awful lot of that happens over unencrypted HTTP these days, and you can infer an awful lot about who someone is, where somebody lives, what their life is like, and how they're vulnerable without even getting into the part where some of their passwords are exposed and maybe they use the same ones in a few different places. All that information is flying through the air in your local coffeeshop right now, and the sooner we can minimize or eliminate that the better.
posted by mhoye at 7:46 AM on August 24, 2015 [6 favorites]
Their parents do, and therefore so does my employer. And yes I've given them the rah rah about how no filtering system is ultimately reliable and how every filter ever invented can be worked around and how this is a social problem not a technical problem and how the best protection we can have is screens in public spaces with supervising eyeballs on them at all times. Doesn't change a thing.
Well, then the fact that HTTPS everywhere is making your Rube Goldberg mechanism for facilitating this horrible requirement being imposed on you would seem to be a net positive, at least in the long run, because at some point, you're going to hit the wall of what you can do with the tools you have, and you can throw your hands up and tell the parents and your employer to go piss up a rope. It's just a bad idea to be doing what you're doing with peoples' traffic, full stop. I feel bad for you being in the position you're in of having to make it all work, but HTTPS everywhere would seem to be the solution, not the problem.
posted by tonycpsu at 8:26 AM on August 24, 2015 [2 favorites]
throw your hands up and tell the parents and your employer to go piss up a rope.
I won't be doing that, but I believe I already mentioned the likelihood of retirement.
When I retire I'll grow vegetables, and raise chooks, and do my level best to ignore the howls and groans of ICT-caused frustration and rage that are currently keeping my own little technological ministry in operation. And I'll muse on my friend Don's wise maxim (those who fail to understand networking protocols are doomed to re-implement them - badly - over port 80) and chuckle ruefully as I rock on the back deck and sip my tea. Because the world is filling with amazing new technologies at an astounding rate, and all of them are really fucking complicated, and quite frankly we're already well past the point where anybody really has a fucking clue.
Anybody who thinks HTTPS everywhere is actually going to fix the present Web's omnipresent privacy incursions is fooling themselves. All that will happen is that HTTPS as a mechanism will get pounded into dust by a million little hotspots offering a million little spoofing certs on a million little logon pages and getting a million little kickbacks from the exact same class of data-hoovering organization operating now. And I expect we'll even start to see folks arguing for the moral necessity of accepting those spoofing certs, just as already happens with regard to advertising.
HTTPS, as it stands today in contrast to HTTP, offers enough security to make it commercially useful. If browsers stop supporting I-don't-care-at-all-about-security traffic, it will be less than a decade before HTTPS is reduced to nothing more than TSA-grade security theatre.
And then what? Webs of trust? Please. If you think the present CA oligopoly is a nightmare, you ain't seen nothing yet.
Encryption is not security. Encryption plus key distribution is part of security. And key distribution is hard.
Privacy breaches are ultimately a social problem, just like keeping porn off school computer screens is ultimately a social problem. Technical countermeasures will not prevent privacy incursions, merely create a technical counter-countermeasures arms race, and the Web will continue down the present path of becoming a bizarre and arcane thing that only the technological priesthood even pretends to understand.
The web is not broken, and I really, really wish that browser developers would stop trying to fix it. It's ugly as sin. It will never be tidy. And that's fine.
When I was a much younger software developer, I completely revamped a proprietary networking protocol in order to fix a couple of perceived warts. But I wasn't as clever as I thought I was, so the new protocol was much much worse than the old one in several important respects; in fact it needed to keep most of the old one running alongside itself in order to work at all. So instead of cleaning up a mess, I ended up building a messier mess. And it shipped.
Again and again I see software developers - really smart people about the age I was when I did that - doing exactly the same kind of thing with exactly the same kind of overconfident tunnel vision, except on a huge scale that messes with literally billions of lives. I wish they wouldn't. I know there's no way to stop them. But I can sit here with my onion on my belt and yell at their stupid broken cloud, and dadgummit if that's all I can do then I'm blamed well gonna do it.
posted by flabdablet at 9:10 AM on August 24, 2015 [8 favorites]
In other words, power prevails because it is the nature of power to prevail. Or, no matter how subtle a wizard may be, a dagger between the shoulder blades will cramp his style.
posted by acb at 9:39 AM on August 24, 2015 [2 favorites]
Anybody who thinks HTTPS everywhere is actually going to fix the present Web's omnipresent privacy incursions is fooling themselves.
Nobody serious thinks that it is going to fix everything. Just look at the number of major vulnerabilities breaking HTTPS in the last two years for a good hint that it's not a magic bullet. But what's the alternative? When I check my bank statement online, I really need that to stay between me and my bank, not to be intercepted by the eavesdropping school network administrator who's doing it "for the children" (not to be too harsh, I get that you're between a rock and a hard place).
For an experiment, go back and re-read your comment, substituting "put locks on our front doors" for HTTPS. Residential door locks are pretty insecure, but the vast majority of us still use a couple. Why? Because it's better security than not having one at all. It's also highly patronizing to assume that a user's attitude toward a piece of traffic is "I-don't-care-at-all-about-security." The YouTube video she's watching could be anything from cats playing with yarn to advice on how to get out of an abusive relationship. Why shouldn't we assume as a default that the user wants the best security we can provide?
I do think there's a valid question of how much assurance to give users when using HTTPS. The message, if it's understood at all, tends to be "oh the S stands for secure so I'm ok," and obviously the real world is nowhere near that simple.
posted by zachlipton at 10:09 AM on August 24, 2015 [6 favorites]
I had a bug on my mac a while ago. After installing security updates many https sites did not work anymore in Chrome and I got scary security warnings in other browsers. The App Store (including Software Update) did not work, and Apple forums also did not work. It was really hard to fix this problem (it took a while to find out what the problem was in the first place). I was grateful that another browser let me work around this so that I could at least search for a solution otherwise my computer would have been effectively bricked.
More https is a good thing, but companies have to be really careful because apparently it is easy to just break that functionality, and break Software Update (for an easy fix) in the process.
posted by blub at 10:38 AM on August 24, 2015 [1 favorite]
For an experiment, go back and re-read your comment, substituting "put locks on our front doors" for HTTPS. Residential door locks are pretty insecure, but the vast majority of us still use a couple.
But if you put identical locks on every door in the house, eventually it becomes too much of a hassle and you come up with a workaround that lets you navigate your house quickly but which also makes that lock on the front door worthless.
posted by straight at 12:58 PM on August 24, 2015
Or how about your house has a low rent but you only have locks on your bathroom and closet and your landlord feels free to let themselves in through any unlocked doors and paw through your stuff while you're away and you pretend not to notice because the rent is low. Then you put locks on all your doors so your landlord demands the master key and now it's worse because now they're getting into all your stuff and watching you while you sleep but what are you going to do-- certainly not pay more for something as trivial as privacy.
posted by Pyry at 2:53 PM on August 24, 2015 [1 favorite]
I'm beginning to regret that analogy...
posted by zachlipton at 3:05 PM on August 24, 2015 [2 favorites]
Even if you lock your house’s doors, a rat can still climb up your toilet…
posted by Going To Maine at 3:25 PM on August 24, 2015 [2 favorites]
am i the only person who finds chrome & all chrome based browsers crash constantly whereas firefox doesn't and is faster? For years, forever - and i've rarely had less than ten browsers installed, i ain't no 'it's better, that's why i use nothing else' person
posted by maiamaia at 3:44 PM on August 24, 2015
i’ve rarely had less than ten browsers installed
Wait - you’re saying that ten web browsers exist?
posted by Going To Maine at 3:46 PM on August 24, 2015
NB isn't the whole point of firefox the extensions? I use the fox because i can have everything i want, exactly as i want, and nothing at all that i don't want. Which is due to extensions. Even in Opera (the best chrome fork) extensions are limited in what they can do mostly, in chrome itself and variants they're total rubbish. Stuff like noscript, bottom ui, self-destructing cookies, just doesn't exist in chrome fork stuff
posted by maiamaia at 3:46 PM on August 24, 2015 [1 favorite]
Can you make chrome put just one x-er out-er tab-closer to the right (or wherever) of all the tabs instead of one on each tab?
posted by ROU_Xenophobe at 3:50 PM on August 24, 2015
@ going to maine
oh boy.... okay, some browsers are just fake forks - new name, new logo - some are close to that but are ongoing genuinely separate projects, and some are totally new. Basic stuff: opera, chrome/chromium, srware iron, iridium, coolnovo (discontinued but works fine), xombrero, kylo, midori, vivaldi,
avant, k-meleon, palemoon, firefox,
dillo, links, links 2, ... my memory is so bad, there are so many and always changing. There's one you compile yourself in javascript that's beyond my capabilities
posted by maiamaia at 3:50 PM on August 24, 2015 [2 favorites]
and i forgot nightingale. I love it so much, although i never use it now it doesn't work with soundcloud any more, but so beautiful when it did
posted by maiamaia at 3:53 PM on August 24, 2015
When I check my bank statement online, I really need that to stay between me and my bank, not to be intercepted by the eavesdropping school network administrator who's doing it "for the children"
And I am right with you on that, which is, again, why at my school the Zscaler SSL-bump spoofing nonsense is turned off.
If you're connecting via SSL at my school, you don't need any extra certs installed and you're getting (as far as I'm able to determine) end-to-end encryption. My point is that the considerable amount of work I've put into implementing alternative filtering approaches in order to make sure this happens, which I hope and believe I am not the only netadmin willing to do, will become useless if browsers stop supporting unsecured HTTP. If you force netadmins to switch on SSL bump in order to comply with corporate policy, they will do so, and the net effect will be mass training of users to say yes to god-knows-what as a normal and expected part of the network connection process.
The other thing that grinds my gears about all this HTTPS-everywhere stuff is that it falls squarely in the "something must be done; this is something; therefore we must do this" category; it's like the drunk searching for his keys under the streetlamp even though he knows he dropped them on the other side of the street because the light on this side is better. The overwhelming bulk of actual privacy incursions that happen on today's web are not mediated by traffic interception, but by sites deliberately running advertiser-supplied scripts in browsers. HTTPS-everywhere is not going to make a lick of difference to that. Security is about responding intelligently to actual threats, not flinging crypto primitives everywhere as if they were on-farm antibiotics.
posted by flabdablet at 6:39 PM on August 24, 2015 [8 favorites]
By the way, the "proper" Zscaler way to deal with the bank privacy issue is to give site admins the ability to whitelist a set of HTTPS sites that Zscaler will then not intercept and decrypt. Your particular bank isn't on my whitelist? Sucks to be you.
I loathe and detest the whole thing, and I really honestly will retire rather than switch it on.
posted by flabdablet at 6:42 PM on August 24, 2015 [2 favorites]
Residential door locks are pretty insecure, but the vast majority of us still use a couple. Why? Because it's better security than not having one at all.
To my way of thinking, HTTPS everywhere looks like a determined and principled attempt to fit residential door locks to every garden gate and public park.
posted by flabdablet at 6:45 PM on August 24, 2015
Intercepting HTTP is the "something must be done; this is something" in this conversation. MitMing your users at the network level is cheap but its requirement of plaintext traffic has so many unpleasant side-effects that it makes it a horrible solution. If you want filtering on a client, you implement it with client policies.
posted by introp at 8:26 PM on August 24, 2015 [1 favorite]
Which sounds all fine and dandy, but completely fails to work in the increasingly BYOD real world.
posted by flabdablet at 8:56 PM on August 24, 2015
Which sounds all fine and dandy, but completely fails to work in the increasingly BYOD real world.
This is considered by everybody who doesn't work in a corporate IT department to be a feature, not a bug.
posted by zachlipton at 9:09 PM on August 24, 2015 [3 favorites]
TLS certificate spoofing, even in its most legitimate case, is a pretty ugly hack, and possible only because HTTPS is only slightly less naive in its architecture than HTTP is. The sooner it gets closed off as an avenue for that sort of snooping, the better.
And it would seem that in the next few major browser revisions, we're finally going to get some sort of meaningful certificate pinning and Zscaler et al's creeptastic job is going to get harder, as it should, because what they're doing is functionally indistinguishable from what China or Iran does at their national firewalls, and so we can use the amount of howling coming from their direction as a good barometer for whether we're making the Internet robust in general. I have no pity and am glad that in general most major browser developers haven't, either. Interestingly, despite a lot of differences of opinion between the Chromium and FF camps, there seems to be basically widespread agreement that TLS is broken as hell and needs to be fixed.
Looking past HPKP, DNSSEC + TLS keys in DNS is really the optimal medium-term solution (the best long-term solution probably being some sort of distributed, voting-driven trust database; I'm not sure I'll see it in my lifetime), and one that would pretty much mean that if you want to snoop on connections, you need endpoint control. That is as it should be, since it means that the ability to censor is linked to the physical control over the endpoint, which implies if not legitimacy, then at least a pre-existing mechanism for control.
That the future of HTTP(S) doesn't allow easy censorship of BYOD is a feature, not a bug; if you let people bring their own devices in, then you can't expect to control what they do on them. Doubtless some morons will try, but the requirements of trying to push bogus certs or nannyware out to everyone's laptop + tablet + phone + smartwatch + whatever will be crippling; you end up in a Moff Tarkin Problem where the more you tighten control (i.e. blocking everything that doesn't go through the proxy), the more people will just slip through your fingers, routing around you by using cellular and their own hotspots or whatever.*
Whether a Google-dominated or Firefox-dominated browser environment is more likely to expedite getting to this point is an open question in my mind; Google seems more likely to do things that require widespread changes to Internet infrastructure like DNS, because Google owns a big chunk of it (including some really popular public DNS resolvers), but on the other hand Firefox tends to be better about broad consensus-building. If Firefox really does fade away, I wonder about that consensus fragmenting on key web issues.
* If it weren't for the obstinacy of the cellular companies with regards to tethering, every smartphone would probably be emitting its own little PAN bubble of Internet for the rest of your devices, and we'd have both a lot more networked crap (since a full WiFi chipset and web-browser stack to negotiate the inevitable WiFi landing pages wouldn't be necessary) and also be less reliant on WiFi. Eventually, one of the major carriers in each market is going to crack and start allowing free tethering and then we'll finally be off to the personal-area-network races.
posted by Kadin2048 at 10:17 PM on August 24, 2015 [2 favorites]
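The pinning (HPKP) and TLS-keys-in-DNS (DANE TLSA) checks mentioned in the comment above, as an added Python example that is not part of the thread or of any browser's code: it shows how a substituted certificate from an SSL-bump proxy fails both checks unless the proxy's CA has been installed on the endpoint. All hostnames and key bytes are constructed placeholders, not real DER, and the function names are hypothetical.

```python
"""HPKP-style pin validation and DANE TLSA matching (added illustration)."""
import base64
import hashlib

# Constructed stand-ins for DER SubjectPublicKeyInfo / certificate bytes.
# Real code would take these from the certificates seen in the TLS handshake.
SITE_LEAF_SPKI = b"constructed SPKI: bank.example leaf key"
SITE_BACKUP_SPKI = b"constructed SPKI: bank.example offline backup key"
PUBLIC_CA_SPKI = b"constructed SPKI: public CA"
PROXY_LEAF_SPKI = b"constructed SPKI: leaf minted by filtering proxy"
PROXY_CA_SPKI = b"constructed SPKI: filtering proxy CA"
SITE_LEAF_CERT = b"constructed cert: bank.example / " + SITE_LEAF_SPKI
PROXY_LEAF_CERT = b"constructed cert: bank.example (proxy copy) / " + PROXY_LEAF_SPKI


def spki_pin(spki_der):
    """RFC 7469 pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp(header):
    """Parse a Public-Key-Pins header value into pins, max-age and flags."""
    policy = {"pins": set(), "max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")  # first '=' only
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            policy["pins"].add(value)
        elif name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


def header_is_usable(policy, chain_spkis):
    """RFC 7469 section 2.5: note the pins only if max-age is present, one pin
    matches the current chain, and at least one backup pin does not."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return (policy["max_age"] is not None
            and bool(policy["pins"] & chain_pins)
            and bool(policy["pins"] - chain_pins))


def validate_pins(chain_spkis, pins, locally_installed_anchor=False):
    """Return 'ok', 'pin-failure' or 'skipped' for a validated chain.

    RFC 7469 section 2.6 allows a user agent to skip pin validation when the
    chain ends at a trust anchor installed on the device by its user or admin.
    """
    if locally_installed_anchor:
        return "skipped"
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return "ok" if chain_pins & pins else "pin-failure"


def tlsa_matches(selector, matching_type, assoc_data, cert_der, spki_der):
    """RFC 6698 comparison: selector 0 = full cert, 1 = SPKI;
    matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    if selector not in (0, 1):
        raise ValueError("unknown TLSA selector")
    selected = cert_der if selector == 0 else spki_der
    if matching_type == 0:
        candidate = selected
    elif matching_type == 1:
        candidate = hashlib.sha256(selected).digest()
    elif matching_type == 2:
        candidate = hashlib.sha512(selected).digest()
    else:
        raise ValueError("unknown TLSA matching type")
    return candidate == assoc_data


def demo():
    header = 'pin-sha256="%s"; pin-sha256="%s"; max-age=5184000; includeSubDomains' % (
        spki_pin(SITE_LEAF_SPKI), spki_pin(SITE_BACKUP_SPKI))
    policy = parse_hpkp(header)
    genuine = [SITE_LEAF_SPKI, PUBLIC_CA_SPKI]   # chain seen on a direct connection
    bumped = [PROXY_LEAF_SPKI, PROXY_CA_SPKI]    # chain seen behind an SSL-bump proxy
    # "3 1 1" TLSA record: end-entity usage, SPKI selector, SHA-256 matching.
    tlsa_data = hashlib.sha256(SITE_LEAF_SPKI).digest()
    return {
        "header_usable": header_is_usable(policy, genuine),
        "direct": validate_pins(genuine, policy["pins"]),
        "byod_behind_proxy": validate_pins(bumped, policy["pins"]),
        "managed_behind_proxy": validate_pins(bumped, policy["pins"],
                                              locally_installed_anchor=True),
        "tlsa_direct": tlsa_matches(1, 1, tlsa_data, SITE_LEAF_CERT, SITE_LEAF_SPKI),
        "tlsa_behind_proxy": tlsa_matches(1, 1, tlsa_data, PROXY_LEAF_CERT, PROXY_LEAF_SPKI),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

The `skipped` result is the case where the device owner or administrator has installed the proxy's CA, which is the endpoint control the comment refers to.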
if you let people bring their own devices in, then you can't expect to control what they do on them.
You've not met many school parents, I see.
posted by flabdablet at 3:56 AM on August 25, 2015
Eventually, one of the major carriers in each market is going to crack and start allowing free tethering and then we'll finally be off to the personal-area-network races.
Free tethering is the norm in Australia, but PANs are still fairly niche because data costs an absolute fortune over mobile phone networks compared to any other kind of Internet connection.
posted by flabdablet at 4:22 AM on August 25, 2015
The other thing that grinds my gears about all this HTTPS-everywhere stuff is that it falls squarely in the "something must be done; this is something; therefore we must do this" category; it's like the drunk searching for his keys under the streetlamp even though he knows he dropped them on the other side of the street because the light on this side is better. The overwhelming bulk of actual privacy incursions that happen on today's web are not mediated by traffic interception, but by sites deliberately running advertiser-supplied scripts in browsers.
I think this is too quick a conclusion because it conflates two related but separate concerns: a site owner can resell your data and that's hard to prevent but it also fits with people's mental model, just like they know the magazines which they buy resell marketing data. In contrast, most people were surprised to learn that MITM attacks are a routine business for many large ISPs where companies like AT&T and Verizon were injecting a user-specific tracking header into every HTTP request your device made or that some ISPs inject their own ads into the pages you visit.
Similarly, while bad publicity got many ISPs to stop hijacking actual search queries, Mozilla's then-CTO Andreas Gal confirmed earlier this year that ISPs routinely sell unencrypted Google search queries to competing search engines:
Search engines with small user bases can acquire search traffic by working with large Internet Service providers (also called ISPs, think Comcast, Verizon, etc.) to capture searches that go from users’ browsers to competing search engines. This is one option that was available in the past to Google’s competitors such as Yahoo and Bing as they attempted to become competitive with Google’s results.
(Google is clearly not promoting HTTPS Everywhere out of pure altruism but in this case their interests are well aligned with ours)
I work on a free, international website hosting historic documents. My front-end JavaScript error collector receives errors every second caused by code injected into our pages by ISPs around the world. Some of that fails harmlessly – the 90s never died for ad network JavaScript – but some of those visitors are clearly having their experience degraded by ISPs who inject ads or, in some ways worse, attempt to “optimize” images by downsampling them into oblivion. Some of that can be disabled by setting
Cache-Control: no-transform
but thousands of our users still see a broken page or low quality images and there's nothing which we can do to even tell them that their ISP is actively making their experience worse.
To a certain extent, I share the desire for basic HTTP to work – the web is supposed to be public – but I think we're seeing yet another tragedy of the commons unfold. If you want anyone to blame, I'd start with the companies trying to squeeze more revenue out of their customers.
Finally, everything I wrote is the rosy developed-world-democracy version where your greatest concern is advertisers and members of the public can tell themselves that their government won't use HTTP MITM attacks to install tracking malware to monitor activists, weaponize your computer to attack someone else, or when it's proven that they actually do so, you can pretend it's only to go after terrorists like Belgian telecom engineers. Even if you personally do not believe you're at risk of being targeted, deploying HTTP-based services provides a possible “trustworthy” point to attack people who are. That sucks but there's nothing we can do to change it other than deploying HTTPS so we're at least not making it easier for the spies.
posted by adamsc at 6:03 AM on August 25, 2015 [14 favorites]
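An added example, not adamsc's code or his site's collector: one way a front-end error collector can separate first-party errors from errors raised by code the site never served, which is how in-path injection shows up in the reports described above. The allowlist, the report shape and all hosts are assumptions.

```javascript
// Added example: triage for a front-end error collector (hypothetical names).
// The report shape {message, source} is an assumption; it mirrors the first
// two arguments browsers pass to window.onerror.
const FIRST_PARTY_ORIGINS = new Set([
  'http://archive.example.org',
  'http://static.archive.example.org',
]);

function classifyReport(report) {
  const source = (report.source || '').trim();
  // Browsers blank out details for errors thrown by cross-origin scripts
  // loaded without CORS: message "Script error." and an empty source.
  if (!source) {
    return /^script error\.?$/i.test(report.message || '')
      ? { kind: 'opaque-cross-origin', origin: null }
      : { kind: 'unknown', origin: null };
  }
  let url;
  try {
    url = new URL(source);
  } catch (e) {
    return { kind: 'unknown', origin: null };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    // e.g. moz-extension:// or chrome-extension://: a local add-on, not the network path
    return { kind: 'browser-extension', origin: url.protocol };
  }
  return FIRST_PARTY_ORIGINS.has(url.origin)
    ? { kind: 'first-party', origin: url.origin }
    : { kind: 'foreign-origin', origin: url.origin };
}

// Count reports per kind and rank foreign script origins by frequency.
function summarize(reports) {
  const byKind = {};
  const foreign = new Map();
  for (const report of reports) {
    const { kind, origin } = classifyReport(report);
    byKind[kind] = (byKind[kind] || 0) + 1;
    if (kind === 'foreign-origin') foreign.set(origin, (foreign.get(origin) || 0) + 1);
  }
  const foreignOrigins = [...foreign.entries()].sort((a, b) => b[1] - a[1]);
  return { byKind, foreignOrigins };
}

// Constructed sample reports (hosts use the reserved .example TLD).
const SAMPLE_REPORTS = [
  { message: 'TypeError: viewer is undefined', source: 'http://static.archive.example.org/js/viewer.js' },
  { message: 'ReferenceError: adframe is not defined', source: 'http://inject.isp-a.example/ads/loader.js' },
  { message: 'ReferenceError: adframe is not defined', source: 'http://inject.isp-a.example/ads/loader.js' },
  { message: 'Script error.', source: '' },
  { message: 'TypeError: x is null', source: 'moz-extension://3f2a/content.js' },
  { message: 'SyntaxError: unexpected token', source: 'http://10.0.0.1/optimizer.js' },
];

console.log(summarize(SAMPLE_REPORTS));
```

An inline script spliced into the HTML reports the page's own URL as its source, so it lands in the first-party bucket; this triage only catches injected code loaded from another origin.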
By disappointing coincidence, I just saw this post written earlier today describing how AT&T is now exploiting HTTP to inject advertising:
http://webpolicy.org/2015/08/25/att-hotspots-now-with-advertising-injection/
posted by adamsc at 11:51 AM on August 25, 2015 [3 favorites]
adamsc, your comments are fantastic, and have been flagged as such.
posted by JHarris at 3:04 PM on August 25, 2015 [3 favorites]
Oh, and personal vouch time, I have used Wifi on Greyhound buses that have injected floating popover ads into sites. Viva HTTPS.
posted by JHarris at 3:07 PM on August 25, 2015 [1 favorite]
Scenario: you're on the bus. You pull out your device and connect to what looks like the bus's SSID. You're taken to a landing page. There is a box in the middle with a bunch of boilerplate legalese and a big Agree button. You click the Agree button. Your browser prompts you for permission to install a new certificate.
What do you do?
posted by flabdablet at 7:15 AM on August 26, 2015 [1 favorite]
Select one of the following:
[ ] Uncheck the 'permanently store this exception' option, then close the browser after submitting the form
[ ] click the agree button then destroy the virtualbox image you used to submit
[ ] craft a wget url to submit the form
[ ] tether to my phone instead
[ ] connect to my work's VPN
[ ] dns tunnelling
[ ] fire up wireshark, and pick someone else's mac address to spoof
posted by pwnguin at 9:04 AM on August 26, 2015 [2 favorites]
[ ] route all your traffic through Tor, as a means of proactive defence
Tor: it's not just for paedoterrorists any more.
posted by acb at 9:27 AM on August 26, 2015
I hope robust cert pinning breaks your local CA cert trick, too, although I suspect it won't.
Certificate pinning deliberately defers to local CA certs. HTTPS has been common for a while now. Admins should be aware of it and it's not a big obstacle. Please go ahead and protect users from their ISP etc.
Your browser prompts you for permission to install a new certificate.
It's kinda worse. Browsers don't support that, so you'd have to run an EXE. Fortunately public wifi wants to support various non-Windows devices nowadays... and they would not really allow that sort of hack.
posted by sourcejedi at 4:58 PM on August 26, 2015
To continue the de-rail, I'm probably going to enable/see enabled a local CA certificate at a tiny special-needs sixth form. I'm reading this thread carefully for reasons I should feel bad :). I can't find a strong argument, as dodgy as it feels at a technical level.
E.g. it's quite a fine hair to split vs. a "client-side" ("endpoint") solution. IT have complete control of your device, so they install something to let them monitor it: the CA. The endpoint solutions I've seen use the same fake SSL anyway, just in a different place.
posted by sourcejedi at 5:05 PM on August 26, 2015
"save your bookmarks etc to the cloud hahaha your email alone isn't enough to get back into it, sorry we're wiping it all"
This right here from their synch is what killed me on Firefox. This. Right. HERE.
posted by mephron at 6:09 PM on August 26, 2015
The original version of Firefox Sync tried very hard to protect your privacy. It encrypted all your data with a long, randomly-generated encryption key that was never sent to Mozilla. This meant that Mozilla can't read your browsing history, passwords, open tabs, form data, etc. (or hand it over to the police, or sell it to advertising companies, or leak it to hackers), even if they wanted to. But it also means that it's only useful for syncing your stuff between multiple computers/phones, not as a replacement for backups. If you lose all your devices, then Mozilla can't give you back the encryption key because they don't have it.
It turns out that a lot of people didn't realize this, and tried to use Firefox Sync as a backup service, and were very surprised that it didn't work.
The new version of Firefox Sync launched last year tries to strike a balance. It still encrypts your synced data with a long, randomly-generated key so that Mozilla/governments/hackers can't read it. But it also uploads a backup of the encryption key to a separate server, encrypted with your Firefox Account password. So if you lose all your computers, you can get your data back as long as you remember your email address and password. It's still impossible to decrypt your data without knowing or guessing your password though, so you still shouldn't consider Firefox Sync a replacement for backing up your stuff!
posted by mbrubeck at 7:49 AM on August 27, 2015 [5 favorites]
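An added sketch of the key-backup design described in the comment above, not Firefox Sync's actual protocol or Mozilla's code: data is encrypted under a random key, and only a password-wrapped copy of that key is uploaded. The use of scrypt and AES-256-GCM, the two-server layout and every function name are assumptions made for illustration.

```javascript
// Added example: random data key plus password-wrapped key backup (hypothetical names).
const crypto = require('node:crypto');

// AES-256-GCM helpers; blob layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

function open(key, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Stretch the account password into a 256-bit key-encryption key.
function passwordKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// First device: generate the data key locally, upload only ciphertext.
function enroll(password, records) {
  const dataKey = crypto.randomBytes(32);
  const salt = crypto.randomBytes(16);
  return {
    dataServer: { blob: seal(dataKey, Buffer.from(JSON.stringify(records))) },
    keyServer: { salt, wrappedKey: seal(passwordKey(password, salt), dataKey) },
  };
}

// New device after every old device is lost: password plus the two server blobs.
function recover(password, servers) {
  const kek = passwordKey(password, servers.keyServer.salt);
  const dataKey = open(kek, servers.keyServer.wrappedKey);
  return JSON.parse(open(dataKey, servers.dataServer.blob).toString('utf8'));
}

// Same as recover(), but returns null instead of throwing on a wrong password.
function tryRecover(password, servers) {
  try {
    return recover(password, servers);
  } catch (e) {
    return null;
  }
}

// Constructed sample data.
const servers = enroll('correct horse battery staple', [{ url: 'https://example.org/', title: 'Example' }]);
console.log('right password:', tryRecover('correct horse battery staple', servers));
console.log('wrong password:', tryRecover('hunter2', servers));
```

Without the `keyServer` entry this behaves like the original design in the comment: once the last device holding `dataKey` is gone, the stored blob cannot be decrypted by anyone.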
Ooh. Google tells iOS 9 app devs: Switch off HTTPS if you want that sweet sweet ad money from us
posted by Joe in Australia at 5:08 PM on August 27, 2015 [2 favorites]
While Google remains committed to industry-wide adoption of HTTPS, there isn’t always full compliance on third party ad networks and custom creative code served via our systems. To ensure ads continue to serve on iOS9 devices for developers transitioning to HTTPS, the recommended short term fix is to add an exception that allows HTTP requests to succeed and non-secure content to load successfully.
Well, that's a fair point though. Beyond AdWords and AdSense, Google functions as a marketplace for third-party ad networks. Those networks don't all work over HTTPS. So it's true, mobile adware developers seeking to maximize revenue shouldn't turn it on.
Of course, it's also true that ad networks seeking to maximize revenues should turn on HTTPS.
posted by pwnguin at 9:09 AM on August 28, 2015 [1 favorite]
As I understand it, most of the ad networks for iOS besides Google are recommending the same thing with regard to ATS. However, the setting Google is recommending doesn't stop developers from using HTTPS for all non-ad traffic. It's not like Google is saying your messages and personal data have to go over cleartext; you could encrypt that data in iOS 8 and still will be able to do so in iOS 9, with or without ads. While this can be a potential security problem for apps that rely on HTML for their UI, native apps don't have the same kinds of mixed content problems as web apps too.
The advertising industry has been slow to the party and needs to get faster though.
posted by zachlipton at 3:00 PM on August 29, 2015
Firefox creator writes an unofficial, on-point episode of 'Silicon Valley' - "Firefox co-creator Blake Ross has posted [pdf] an unofficial Silicon Valley screenplay that starts where the second season finished, and it's clearly the result of someone who's witnessed startup shenanigans first-hand. Richard has to hire his own CEO replacement, and grapples with the prospect of open-sourcing Pied Piper's code."
posted by kliuless at 10:04 AM on September 9, 2015 [1 favorite]
This thread has been archived and is closed to new comments
posted by double block and bleed at 5:37 PM on August 22, 2015 [16 favorites]