[dupe] Waterfox browser (wikipedia.org)
21 points by rolph on July 7, 2019 | 29 comments


Previous Comments: https://news.ycombinator.com/item?id=20047170 (Just over a month ago)


I have observed a big anti-waterfox and anti-fork atmosphere in the Firefox Community. I don't think the criticism of Waterfox is honest, because the browser has been doing exceptionally well (always including critical bugs) for a one-man project and every Firefox Fork should be welcomed.

The official response by Mozilla has always been to avoid ALL forks and ALL old versions like the plague. I know why Mozilla wants to suppress them, but the community shouldn't. Waterfox is basically the result of the decision by Mozilla to abandon a part of their most loyal userbase.

In theory a diverse set of browsers actually increases security due to the lack of attack surfaces with which you can target a wide audience.

Because basically all attacks that you have to fear from normal browsing as an average user are actually non-targeted attacks, and those attacks usually focus on a large user-base, in order to be financially viable. Also a script-blocker is probably the only thing needed to reduce attack surface to basically zero for non-targeted attacks.

The security argument is actually the only case one can make against Waterfox. While it is partially valid, there are many other reasons why people use a browser, which is exactly why Waterfox has so many users. Not everyone wants to focus on high level and mostly theoretical security.

By the way, the founder of Waterfox has published an alpha-version based on Firefox 86 ESR.


Also worth mentioning IceCat: https://www.gnu.org/software/gnuzilla/

> GNU IceCat is the GNU version of the Firefox browser. Its main advantage is an ethical one: it is entirely free software. While the Firefox source code from the Mozilla project is free software, they distribute and recommend non-free software as plug-ins and addons.

EDIT: removed a clause about the relationship with IceWeasel, thanks for the historical context @quadrangle and @war1025


> IceCat, formerly IceWeasel

Nope. IceWeasel was a Debian rebranding of Firefox which has been discontinued. GNU IceCat was always GNU IceCat and was not formerly IceWeasel.

(I still upvoted your mention of IceCat here)


Note that GNU IceCat, formerly GNU IceWeasel, is a completely separate project from Debian Iceweasel, which was just a redistribution of Firefox without copyrighted icons.


> In theory a diverse set of browsers actually increases security due to the lack of attack surfaces with which you can target a wide audience.

This is intellectually dishonest and the root of the reductive thinking that a target is too small to matter so why should the target invest in security.


The topic we are talking about doesn't imply the question of no security vs. high security, it is way more nuanced, and most Waterfox users probably enjoy a very high level of security due to the content blockers they use.

Also I think my claim that browser diversity actually increases security of the bigger system as a whole is correct, because I did mention it is only valid for non-targeted attacks.

There would be no financially viable way I can think of of targeting waterfox users with code on a website, because there are basically no waterfox users. Even if you manage to include some malware code somewhere on the most used websites, you will probably not get more than a handful of waterfox users to compromise their system.


> which is exactly why Waterfox has so many users.

> there are basically no waterfox users


1. from the perspective of firefox forks (Waterfox has around 200-300k daily users, which is a lot in this context)

2. from the perspective of the entire web (Waterfox has only around 200-300k daily users, which isn't a lot in this context)


The project started as a 64-bit version for Windows (was supposed to be faster). Then, when Firefox changed the add-on framework, it became the "Firefox" version you can use to keep all your old add-ons working. They are merging all relevant security issues quickly, as well as bug fixes.


If people just wanted to use the old addon system then all that requires is changing a few options when building Firefox (in official Firefox builds, only moz can deploy such addons). So keeping up with security updates shouldn't be hard at all if that's the only difference.

Of course the old type of addons may break from time to time as the browser's internals change but that was always a problem with the old addon system.


If I understand [1] correctly, the XUL code that those old addons use as an interface into the browser is nearly gone. And that's the entire point of deprecating the old addons: to be able to refactor Firefox internals away from XUL towards pure HTML/CSS/JS-based UI.

[1] https://bgrins.github.io/xbl-analysis/graph/


Yes, the browser that claims to improve your privacy by being 12 versions out of date compared to Firefox stable.


As jusob noted, "They are merging all relevant security issues quickly, as well as bug fixes." So why does "12 versions out of date" matter?

The advantage of Waterfox is more freedom to use extensions that increase privacy and security. And sure, also extensions that totally pwn you. But that's just how it is, when you have autonomy.

I'm not arguing, however, that the Waterfox approach is best. Tor browser adds lots of great stuff to increase privacy and security, and they stay ~up to date with Firefox releases.


> As jusob noted, "They are merging all relevant security issues quickly, as well as bug fixes." So why does "12 versions out of date" matter?

If you're retaining code that has since been ripped out upstream, that means that there are no security fixes for you to uptake, but you still contain the same potential for security issues. This isn't an idle concern--the NSA used an exploit in code that was ripped out of Firefox to attack the Tor Browser, which was (at the time) stuck on an older version that retained code generally known to be much more poorly secured (E4X, specifically).

Security is also orthogonal to privacy concerns. For privacy, what matters most is how similar or dissimilar you are to the normal crowd. Using an unorthodox web browser that is observably different from the mainstream browsers is going to reduce your privacy more than any actual benefit you get from extra features.


That's a good point. So Tor Project's approach, starting from the latest release, is overall better.

I still miss some old extensions, though. Especially RefControl, which let me supply a site's root as referer to it. Smart Referer just drops referer, with some whitelist exceptions where sites break. RefControl never broke sites.


This is the part I find interesting, IF Waterfox has greater privacy by design, then what has Mozilla been doing since version 57? I'm also thinking that even if it's a clone it's not the same application, so higher version numbers for up-to-date Firefox may not correlate to reduced qualities for an application with lower up-to-date version numbers.


It seems that Firefox has taken the "we know best, and want to protect you from threats, including threats from your own ignorance" approach. Much like Apple, I'd say. It's a defensible approach, but it doesn't work for me.


Where does it claim so?


I do not get why people are so obsessed about these legacy extensions, by now there is almost an extension for everything and I do not need that much consolidation of the UI.

Tab Mix Plus is basically now a light extension that just points you to about:config settings that are more than enough for me. The most important setting for me is to open all popups in tabs.

Also Mozilla has deprecated those old APIs for security purposes! Maintaining it with a small team of volunteers or some little donations is not gonna cut it. I am not "Anti" everything, it's just that I do not see the point of this AT ALL.

// OK, it's not even a team, it's a one-man project, which makes it even worse. And isn't ESR now also built on a version without the old APIs? If not already, that day will come, and especially then using it will be a big security risk.


What extensions are people using that they’re so dependent on that haven’t been able to migrate to webextensions? Genuinely curious. I used to use an old version of Firefox in order to use vimperator, but since tridactyl became available, I have been on Firefox stable.


I've switched to Waterfox when Firefox broke my extensions with their API, particularly VimFx.

The vim extensions for Firefox don't really work for me - I've not been able to navigate in PDFs and Firefox's own dialogs at all and the worst thing is that switching to a tab like that and you're stuck.

Even having 1 pdf open next to a couple of html tabs breaks the flow as soon as you change to the pdf tab you're stuck, no more gt or gT for you.

Your comment gave me hope and I tried tridactyl, but they still have the same issues. Sidenote: they actually have a hack in place that works around that problem when you spawn a new tab - it just loads a website so that the extension at least works.

AFAIK this is because of Mozilla's design so there is no way this can be fixed by an extension, it has to be a fork. Or do you have a workaround for those problems?

I am a big fan of Mozilla's MDN but they broke my setup with the Firefox API changes and the second time (with the expired extension cert) I was glad I had an alternative.

Take care, Martin


LinkLocationBar, panorama tab groups, websocket inspector, none of which have working replacements in webextensions.



I find it funny that their site more or less contradicts itself.

https://www.waterfox.net/

> No Telemetry Waterfox does not collect ANY telemetry, meaning you don't have to worry about any tracking or usage information about what you do inside YOUR browser.

> Limited Data Collection The only thing that Waterfox sends back is your OS and browser version to check for updates.

https://www.waterfox.net/about/

> absolutely no data or telemetry is sent back to Mozilla or the Waterfox project.


I mean, of course the browser knows its own version, this is totally not dependent on user data. And you already give away your OS when you download it, right? Of course it knows what OS it's executing on.

I honestly think that can still be truthfully called "No data or telemetry."

> "You don't have to worry about any tracking or usage information about what you do inside YOUR browser"

That still holds up, if all it sends is info the browser already knows about itself.


It's still telemetry. It's irrelevant what the browser "knows about itself", because the browser is not the organization receiving the data. You do not automatically "give away your OS" when you download. User agent strings can be set to whatever you like, and you can run the software on a different system from the one used to download it. If the Waterfox developers want to track usage they should request the user's permission, like Debian does with their opt-in Popularity Contest software.


Well, Debian knows whether you're using x86 or x64.

Also, do we know whether Waterfox gets a custom OS report, or just uses the user agent string?


Using it right now, since probably a year or so. Does the job fine and so far I found no compatibility issues with FF extensions I use.



