Mozilla is becoming evil - be careful with Firefox

Posted on 2020-01-26. Last updated on 2020-02-20.
I have always supported Mozilla and promoted Firefox, but Mozilla has made some pretty controversial decisions as of late, and I no longer feel that Mozilla is an organization that deserves any support.

Update 2020-02-13: I have changed the title of the original post from "Mozilla is becoming evil - don't use Firefox" to "Mozilla is becoming evil - be careful with Firefox" because currently it is still possible to control some of the controversial aspects of Firefox. However, it is getting more and more difficult and I suspect in the future the only solution is to patch Firefox.

Update 2020-02-01: I have added the controlling Firefox section which describes how you can use a policies.json file to gain some control over how Firefox works, including the DNS over HTTPS feature.

Table of contents

Privacy

On Mozillas website we can (as of writing) read the following:

Mozilla puts people over profit in everything we say, build and do.

And they also write:

Walking Our Privacy Talk

When the Facebook breach was revealed, Mozilla had an immediate response – and a Firefox product to support user privacy.

"We put people over profit", and "a product to support user privacy", they say. However, with their decision to make Cloudflare the default DNS provider for DNS over HTTPS, they are definitely not supporting user privacy or putting people over profit.

DNS over HTTPS is by itself bad enough, and highly criticized with good reason, but by combining it with a US based company like Cloudflare makes it even worse.

Cloudflare has made an agreement with Mozilla that when it acts as a DNS resolver for Firefox, that:

Anyone who has worked with DNS servers knows what goes into such logs and in order for Cloudflare to keep their promise, they need to: Delete the DNS requests information, but at the same time somehow still contain "anonymized" logs of the total number of requests, a list of all domain names requested, a so-called "sample" of complete DNS queries along with date and time.

This means that even if Cloudflare could be trusted and they have the best of intentions, they will still log everything the first 24 hours. If Cloudflare is ever compromised, all these logs could be copied and distributed over a period of time.

Furthermore, the actual wording of the agreement is such that the technical procedure for how they actually do this can only be guessed at. How do they plan to anonymize the data? Is the "sample" 99.9% of all the queries, or is it 1%?

Last, but not least, Cloudflare is an American company subject to American law, a law that pretty much undermines the foundation of any kind of privacy.

Cloudflare will not retain or sell or transfer to any third party (except as may be required by law) any personal information, IP addresses or other user identifiers from the DNS queries sent from the Firefox browser to the Cloudflare Resolver for Firefox;

Real privacy means no data retention and no logging. Period!

Mozilla should be ashamed! They are promoting Firefox as a product to support user privacy, yet at the same time they make Google the default search engine in the browser and Cloudflare the default DNS over HTTPS resolver.

Firefox in itself has long been submitting data to the Mozilla foundation via its "Data Collection and Use" gathering. Even though this data is "technical and interaction data", the data collection is opt-out, meaning that you have to remember to disable it rather than enable it. This also means that the very first time you start up Firefox, it may already have connected to the Mozilla foundation before you can disable the data collection.

If you forget to disable the data collection and later disable it, you'll get the following information from Firefox:

You're no longer allowing Mozilla to capture technical and interaction data. All past data will be deleted within 30 days.

There is no option in the browser to delete the last 30 days of data gathering.

That is why when Snowden blew the whistle and revealed that we were all being watched, he didn't recommend Firefox, he suggested the Tor browser instead.

Mozilla: No thank you!

It is difficult to get a privacy respecting alternative to Firefox as Google's Chromium browser isn't any better, and most other projects are either forks of Firefox or Chromium, or patched versions where you have to be careful that you're still getting security updates as frequently as the upstream counter parts, or smaller browsers that have a limited support for miscellaneous use cases.

Personally I always browse the Internet with JavaScript disabled as it is not only more secure, but it also provides a much improved browsing experience as everything becomes much faster. I generally don't use websites that don't work without JavaScript, except a very few, in which case I use the Falkon browser, which is one of the better alternatives that also supports blocking ads.

Controlling Firefox

Mozilla has removed the option of disabling automatic updates, forcing users to get automatic updates, which if you're in the middle of some important work, will make Firefox stop opening up any new URLs until you have restarted the browser. Windows 10 anyone?

While this exists in order to protect users, most users are quite capable of just letting Firefox remind them of an upgrade and then upgrade manually.

Because many corporations need extensive control Mozilla has created a something called "policy support" which can be implemented using a JSON file called policies.json. This file is a cross-platform compatible file that makes it the preferred method for enterprise environments to control Firefox in different environments.

By using the policies.json file you can control a great amount of how Firefox works, including the DNS over HTTPS feature.

On Arch Linux Firefox gets installed in /usr/lib/firefox/.

On FreeBSD Firefox gets installed in /usr/local/lib/firefox/.

If a subdirectory called distribution doesn't exist you need to manually create it. Then create the policies.json file in that directory.

On the README for the policies templates you can find a list of options to control.

I have created a policies.json that looks like this:

{
  "policies": {
    "DisableAppUpdate": true,
    "DisableFirefoxAccounts": true,
    "DisableTelemetry": true,
    "DNSOverHTTPS": {
      "Enabled": false,
      "Locked": true        
    },
    "DontCheckDefaultBrowser": true,
    "NetworkPrediction": false,
    "PromptForDownloadLocation": true,
    "SearchEngines": {
      "PreventInstalls": true
    },
    "SearchSuggestEnabled": false
  }
}

You need to restart Firefox in order for the settings to take place. You can view your settings by typing about:policies in the address bar.

As long as the option to control Firefox, you should make sure that you have created the policies.json file before you open up Firefox for the first time after a fresh installation in order to prevent the telemetry from working the first time you use the browser.

Also notice that not all options are working on the lasest edition of Firefox, some only work on the ESR edition.

Blocking DoH via a firewall

No matter what kind of firewall you're running, you can at least block the known public DoH servers.

A good list with both domain names (for DNS blocking) and IP addresses (for firewall blocking) is available at: https://github.com/oneoffdallas/dohservers

Please consider making a pull request if you know something is missing.

If you use the Packet Filter (PF) firewall from OpenBSD, which is also available on FreeBSD, you can drop packages without any delay in the response time.

Alternative browsers

Alternative browsers (in no particular order):

There exist other browsers such as Epiphany and Eolie from GNOME, but both are very slow and tends to crash and freeze.

Some other browsers I haven't tried:

Wikipedia has a Comparison of web browsers.

The Brave browser is often recommended, but the "anonymously monitoring of user attention" and "rewards publishers accordingly with Basic Attention Token (BAT) crypto currency" is not something I can recommend.