I prefer my devices without any malware at all but you do you I guess.
you’re data is safe with small hackers
wat
Konform Browser and other bits and bobs.
Yes let’s make sure everyone’s on the exact same provider. What could possibly go wrong. “Just use X” bandwagoning is shortsighted and lazy.
Or factory reset and then don’t install SmartTube. Fool me once?


That is interesting!
BTW in case you’re not aware, direct links to fedia.io like the one you posted just lead to a loginwall so you probably don’t want to share those publicly. This one via beehaw.org works for everyone, though: https://beehaw.org/post/24563411


Would be cool to hear how it goes if you do!


Thank you for kind words!
Ah, then the hope is that this curiosity will trigger you to dig into it yourself (for example using the provided tool or taking inspiration from it) so that it starts making sense! I know it’s an unconventional format to refrain from laying out my own opinions and analysis but that’s my thing today. So much “everyone knows” and vapid third-hand takes flying around these days that I think we would do well to actually verify (and pick up related knowledge in the process) rather than take forum comments and blog posts for gospel.
OK, all right, I can try. I guess I can point at one thing in the Mozilla telemetry at the very end, doesn’t that look very fine-grained if you look at the URLs (addresses) listed?
We can tell that many of the actions I took were communicated to the mothership for analysis and product improvement. Is this data really anonymized (or anonymizable)? Is it a reasonable amount for a user that has not opted in? My professional and personal opinion is: It is not.
But! That’s just one isolated example. And an extremely limited view. What about Zen? Chrome, Edge and Safari weren’t included here at all. And it’s not at all looking at what happens for a user who probably cares about this: when you go to settings and disable all the telemetry. See I just said that one thing about Mozilla Telemetry and now I’m going to have to run some new tests and write reports about them for days just to set that record straight!
Maybe I’m odd but I think it’s many (100?) times easier and quicker to gain understanding of the kinds of stuff we’re looking at here by getting hands-on than to communicate it verbally. And I’m concerned with this limited attention span so many people are afflicted with these days, and look at how long this comment is already, no we’re done with me telling you how it is, let’s wrap this one up and get on to the juicy stuff.
There’s an expandable section Basic test environment usage under Testing procedure but I realize now that might be easy to miss…
Anyway, to start it: Install podman, docker-compose (v2) and MITM_BROWSER=firefox-esr podman compose up --build. That should be it.
Then the browser pops up (hopefully), you do your thing, and after you Ctrl+C in the console, it will quit and the proxy will dump the recorded .har file which contains all HTTP and websocket traffic that went through the proxy in cleartext, in JSON format. There’re tools online that can help visualize I think but nothing I can recommend off the bat. Simply cat-ing it to the terminal or opening it in a text editor can be educative. Also playing around with variations of the jq snippets and see if you can come up with questions of your own to answer. Or if anything in my numbers makes you scratch your head or say “wait a minute” dig there.
In case you want to take a look at what the thing does before running it (trust me bro), these are the files involved when you run that compose up command:
- compose.yml
- compose/proxy.compose.yml for mitmproxy
- Containerfile (aka Dockerfile)
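
As an added example (not part of the original comment and not code from the project's repository), one way to get a first overview of such a .har dump is to group the recorded requests by host and total the uploaded bytes. The sample capture is constructed, its hostnames and paths are made up, and the function names are hypothetical.

```python
import json
import sys
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in HAR 1.2 layout; hosts, paths and sizes are made up.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://example.org/", "bodySize": 0}},
    {"request": {"method": "POST", "bodySize": 512,
                 "url": "https://telemetry.example.net/submit/ping/1"}},
    {"request": {"method": "POST", "bodySize": -1,
                 "url": "https://telemetry.example.net/submit/ping/2",
                 "postData": {"mimeType": "text/plain", "text": "abcdef"}}},
    {"request": {"method": "GET", "url": "https://example.org/style.css", "bodySize": 0}},
]}})

def summarize_har(har_text):
    """Return {host: {"requests", "writes", "uploaded_bytes", "paths"}}."""
    entries = json.loads(har_text).get("log", {}).get("entries", [])
    summary = defaultdict(
        lambda: {"requests": 0, "writes": 0, "uploaded_bytes": 0, "paths": set()})
    for entry in entries:
        req = entry.get("request") or {}
        url = urlsplit(req.get("url", ""))
        row = summary[url.hostname or "(unknown)"]
        row["requests"] += 1
        row["paths"].add(url.path)
        if req.get("method", "").upper() in ("POST", "PUT", "PATCH"):
            row["writes"] += 1
        size = req.get("bodySize")
        if size is None or size < 0:
            # HAR uses -1 for "size unknown"; fall back to the recorded body text.
            size = len(((req.get("postData") or {}).get("text") or "").encode())
        row["uploaded_bytes"] += size
    return dict(summary)

def unexpected_hosts(summary, visited):
    """Hosts the browser contacted that the user never navigated to."""
    return sorted(host for host in summary if host not in visited)

if __name__ == "__main__":
    # Pass the path of a recorded .har file, or run without arguments for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_HAR
    report = summarize_har(text)
    for host, row in sorted(report.items(), key=lambda kv: -kv[1]["uploaded_bytes"]):
        print(f'{host}: {row["requests"]} requests, {row["writes"]} writes, '
              f'{row["uploaded_bytes"]} bytes uploaded, {len(row["paths"])} paths')
    print("not visited by the user:", unexpected_hosts(report, {"example.org"}))
```
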

What about gwenview?


The author seems to think Mozilla should have protected our privacy by having someone act as the proxy for the request.
On the proxy part, they actually already have that and using it for some other parts:
https://support.mozilla.org/en-US/kb/ohttp-explained
TL;DR: Imagine an HTTPS-over-HTTPS proxy. Try to explain it like something groundbreaking without referencing existing tech. Now you have OHTTP.
https://firefox-source-docs.mozilla.org/browser/components/mozcachedohttp/docs/index.html
https://www.fastly.com/blog/firefox-fastly-take-another-step-toward-security-upgrade
It makes me scratch my head a bit why I’ve never seen it enabled for DNS-over-HTTP in default stock Firefox config despite it being supported for years - the endpoints are just not configured. You have to know about it and configure the barely documented URL in about:config for that. Unlike for newtabpage and the FF shopping feature where OHTTP is used by default. Infra costs?


Hi, I’m new here, first time posting to this community, was hoping this could be well-received here.
I see this starting to attract downvotes - is this considered breaking any rule, are cross-posts frowned upon in general, is the content too basic for you 1337 h4xx0rz, title not serious enough, or some other issue with the post? Feedback appreciated.


What are you curious about with Dillo And Netsurf? Isn’t it safe to assume at this point they will both be 0 across the board for all the queries in the report?
I think we need a different testing protocol for them to be interesting to include. AFAIK they don’t have add-ons that could be interesting to test either? Do you have any suggestion for step(s) you think could be added to the test in order to make those meaningful to include? Or is my assumption about Dillo and Netsurf out of date?


Oh, thanks for reminding me of Trivalent, I realize now I’ve come across it before but totally slipped my mind. If/when testing for chromium in place I think this can be interesting to sample next.


Assuming you mean the Mullvad extension (which is installed by default in MB) and not the Mullvad VPN app (which also exists but never came close to these machines) :)
That will indeed likely make a difference on Mullvad Browser numbers. However for now I’m not changing the “keep addons at stock defaults” invariant or the test matrix might get really out of hand… Should we disable uBlock Origin in LibreWolf? How about uBO or NoScript in Mullvad then? Konform Browser loads uBO but only if its apt package is installed; should we do that? What happens when we try to explicitly opt out of everything under Preferences in Firefox? I guess the last one is something to actually consider but for now not touching the addons.
(Would be super cool if anyone else tries this out and reports back though! The compose should hopefully be straightforward and easy to get started with if you are on Linux and have podman available. The report mentions it TL;DR we had to work around the uBO install in LW not properly utilizing the proxy (?) like this and I think same approach could be used to Uninstall Mullvad extension from Mullvad Browser and prevent it from even loading)


Disclaimer: Am konform dev so shouldn’t be a surprise that it’s working well for ourselves I guess. Eager to hear to what extent it’s overfitted for our usage or really as great as I think it is ;)
BTW if you, dear reader, think queries in report of results are cherry-picked in a way that favors it (I don’t think they are but hey, fair), I’m also eagerly accepting input and especially PRs for queries (still have the raw dumps so I can add this quickly) or steps to test procedure (this means I have to rerun all of them so might take longer to update) that could illustrate different tradeoffs and show a more complete picture. Bring it on <3


Daily-driving it now. I think it’s great. If you’re somewhat familiar with the landscape otherwise I think readme explains how it’s different and why. If you don’t mind losing out on some "safety" [1] and latest upstream features [2] for the sake of a more stable and predictable base, not having reliance on proprietary integrations or even internet, and really removing all non-essential network integrations, then definitely worth a try!
[1]: A surprising amount of people think (or at least write online) that a browser that doesn’t block user requests completely aligned with the Google SafeBrowsing blocklists is unsafe and that doing those syncs is an essential feature. If you think this is the only safe default option in 2026 I’m sorry but please consider uBlock Origin. See how opinions on who to trust can affect what “most secure” means. Konform Browser removes many assumptions of trust. But not all; Everyone still comes with an assumed PKI after all and there exists a default for DNS.
[2]: Since it’s ESR base it means new feature updates from Mozilla ~yearly instead of ~monthly. Still receiving security updates on the rapid schedule. No AI features out of the box.


You were literally asking for “trustworthy websites with recommendations”. GP is telling you to stop looking or even believing in such things existing. I’d agree.
The harder you search for just that, the more targeted you will be by scammers and cybercriminals. Whatever is a credible resource today may turn bad next month and public perception taking years to catch up. It’s not like that’d be a first.
That said, lots of good stuff and leads in codeberg.org/pluja/awesome-privacy. And +1 on EFF.


DM me if you’d like to discuss further consulting on this project. I do think I could help you. However, reaching a proper design for this that is actually appropriate for your situation is non-trivial, goes beyond the scope of lemmy thread and would likely be paid.
I would also like these things to be easier and just be able to point you to something existing but the reality is they currently aren’t and such solution isn’t. But if you do push ahead and are open to sharing (potential security tradeoffs there too), maybe you’re in a position to be part of improving that situation.
Because it’s not something people commonly do. Because the GPG authors wanted to design for and encourage what they consider appropriate use and discourage and make difficult (but not impossible) what they consider inappropriate use. Removing a footgun for people not fully understanding the trust model of PGP or just slipping up doing that and then ending up in situations they didn’t account for. In general I could have a lot of criticism of the UI/UX of GPG but in this case I can see where they’re coming from and find this thread supporting it as working as intended so far.
That you need to have deep knowledge of obscure GPG internals to pull this off is by design. It’s not considered part of intended use. Similar thinking to why in Chromium you don’t have a button to bypass HSTS validation error but need to type in the cheat code “thisisunsafe”. It nudges users to stop and think more consciously about what’s going on.
The trust comes from the association. You can’t remove (or keep private) the association and expect to not have to separately rebuild the trust as a consequence. That what you are trying to do is made inconvenient in GPG is quite intentional I believe. Or maybe I misunderstand your motivations, it’s a bit ambiguous and you leave a lot open for interpretation.
A util to make it easier to work with large firefox and thunderbird prefs files https://codeberg.org/konform-browser/diffprefs
It’s Thursday as I reply but I guess it’s Wednesday somewhere in the world (: