• 25 Posts
Joined 2Y ago
Cake day: Oct 26, 2021


a summary of our recent activity
hello! as you might have noticed I haven't been able to post the changelog lately, so I figured I'd write a news thread:

* as usual we released a new LW version for each FF stable.
* I just added a bunch of documentation entries, most notably:
  * accessibility and why you might want to disable it, even though we don't by default.
  * how to use KeePassXC when you install both it and LibreWolf as Flatpak.
  * how to install uBO if you're in a country where the addons store is blocked.
  * [full list](https://gitlab.com/librewolf-community/website/-/commit/3a4594f0048f0bd8d533903e46600720a527793c).
* WebRTC should work a bit better now, you should experience less breakage.
* we maintained our usual set of patches across each release.
* [this epic](https://gitlab.com/groups/librewolf-community/-/epics/4) contains a bunch of solved issues we have been ironing out during the past few release cycles.
* in the next release we finally expect to fix the weird new tab issue on linux and the unresponsive window issue on macos; this was possible thanks to a contributor from the community who found a typo in one of our patches :-)
* there's a [known issue](https://gitlab.com/librewolf-community/browser/windows/-/issues/310) with Firefox Sync logins.

if you have any questions just ask 🐟

your browser fingerprint will change

it’s about the traffic fingerprint more than anything IMO; for example, to an external observer it would be very obvious that some domains are not being loaded.

it’s worth noting that all Tails users look (looked? IDK if they still ship uBO with TB) the same as they all had uBO included, so Tails had their own user bucket.

Dark Reader can be detected, if not from the injection at very least from the fetching behavior. the creator of the extension states this very clearly on Github:

as you already said, extensions that alter the traffic fingerprint (eg. ad-blockers or things like LocalCDN) are rather easy to identify. however I wouldn’t go as far as saying that’s an actual issue with the ad-blockers themselves: they do their job, they are just not adequate when you try to fit into a crowd, for instance when using tor browser; I guess the same can be said about Dark Reader: the extension is doing its job, there’s just no way for it to hide.

tldr: extensions can be detected and there’s no way around it. while it doesn’t make them bad in general, maybe don’t use them with TB.

librewolf v107 rollout
hello folks, v107.0 is rolling out on all platforms, if it already hasn't :-) main changes:

- rebased to latest firefox;
- updated patches.

very minimal but enjoy!

from that issue:

> I'll be stopping providing new LibreWolf builds, and it's possible I'll abandon the port altogether in the near future. So, unless I find someone who will take care of the port, it would be better to remove the instructions.

more details inside, and many thanks to the person who provided the port during these months!

librewolf v106 rollout
hello! v106.0.1 is rolling out on all platforms. some might have already got a v106.0 update, others will be upgraded directly to the newer version as the releases were condensed into one, since they occurred within 48 hrs from each other upstream. main changes:

- rebased to latest firefox;
- updated settings: there have been many minor changes in the past few releases, I suggest looking at the [changelog](https://gitlab.com/librewolf-community/settings/-/blob/master/docs/Changelog.md) of the past few versions;
- hide firefox view for now, we will eventually patch it and re-introduce it in a revisited form later on!

enjoy and be safe :-)

FYI: if you prefer to use a different instance, [mickie](https://jeremmy.ml/u/mickie) created a librewolf community of at https://jeremmy.ml. I will try my best to keep an eye on stuff posted over there too :-)

librewolf v104 rollout
a bit late to the party, but v104 has been released in the past few days, depending on your platform. the changelog is very small this time, I blame august:

- all changes from firefox v104;
- updated some patches that broke;
- updated settings to v6.9, which is mostly a cleanup.

look I said it wasn't that much..but enjoy it :-)

librewolf v103 rollout
I forgot the changelog for v102 but here's the one for v103 instead.

* all upstream fixes from FF103
* updated, fixed and deprecated patches.
  * in particular you might have noticed an issue with uBO disappearing, it's now fixed.
* add release for OpenSuse Tumbleweed.
* updated build documentation.
* updated base macOS SDK to 11+.
* updated settings to v6.7.
  * as the upstream cookie pref migration is finished you should no longer experience lost cookies.
  * IPv6 is no longer disabled by default.
* updated some descriptions in the UI.
* fix printing in flatpak.

an even more detailed issue and merge request overview is available in the [meta for v103](https://gitlab.com/groups/librewolf-community/-/epics/3). if you want to contribute check our gitlab, follow the labels and the epic for the next release. if you want to report something please use gitlab, follow the guidelines and check known issues.

I still think enumerating badness (eg. blocking trackers) is not a final solution. it’s nice to have, but it should be only an initial level of protection.

also, strict mode blocks known fping scripts so arguably you don’t need extensions for that, a nice plus :-)

one of the most important changes for privacy that firefox ever made, I hope people realize this. huge win for all the users!

when did you last use it? it hasn’t been that way for me in ages.

also -> https://blog.torproject.org/congestion-contrl-047/

a reminder from our FAQ, for anyone doing it wrong.

interesting read from arkenfox's wiki.

I don’t have the same issue and I update daily as I’m using Nightly, weird.

librewolf v101 rollout
we're back again with a new release, out on some platforms, building on others. main changes:

- all upstream fixes from firefox v101.0.
- settings v6.5, mostly a minor cleanup.
- multi-language support in the UI for all versions of the browser, all fully rebranded.
- windows releases and source tarballs are now signed.

enjoy, and as always feedback is appreciated :-)

relevant -> https://lemmy.ml/post/209597

I would also argue that the about config changes he points to are a bit…meh

librewolf v100 rollout
hello, the new release is out on all platforms. main changes:

- all upstream fixes from firefox v100.0, happy birthday!
- easter egg to celebrate v100 :-)
- settings v6.4, meaning:
  - improved robustness of certificate revocation false positives, in case of corner cases.
  - UI for cookie clearing is now more consistent.
- updated uBO.
- patched new theme UI if RFP is enabled.
- rebased some patches.
- remapped some more links in the UI.

~~we also have a known issue that causes the main page to display as empty. we worked on a fix and it will be included in the next release.~~

the content of our website has also been updated, including [the faq](https://librewolf.net/docs/faq/) and the [addons](https://librewolf.net/docs/addons/) sections. peace 🐠

other than websites that return a score, I argue that websites that return values are not of much value if you do not know how much entropy they carry (eg. are they the same for all the people on the same OS?) or how they are handled in the browser with various mitigations. it’s one thing to read a value, but it’s a whole different thing to understand if and how it can be used, let alone against a specific tool.

everything is documented on TB’s official gitlab btw, people working on it know their stuff.

Firefox has a bigger userbase than Tor Browser users, and it is a pretty uncontested claim logically. Firefox has Tor Project’s code for anti fingerprinting and per site data isolation upstreamed to Firefox’s private browsing mode since the past 15-20 or so versions now.

Firefox does not have the crowd that Tor Browser has, it does not have the Tor network, RFP is not enabled by default and users will make changes to their settings. even if Firefox has the larger user base there’s no argument for Firefox having a better crowd, sadly there’s no linear correlation in this case.

yes, you can harden it, but the crowd is so small that you will not defeat advanced scripts, nor should you expect to. hardened setups are also not equal as projects like arkenfox and librewolf are going to be tweaked by users post hardening (as they very much should).

applying stylometry analysis

this is opsec and it does not strictly apply to the tool you’re using so I don’t think it’s a valid argument for any of the points explained above.

as for the list you wrote:

  • OS Core -> as I said above it can be bypassed even without JS, see TZP and others. that’s why TB has different crowds for different OSes and you just fit in.
  • multiple nameserver -> I’m not educated on how the nameserver test works, so I will just shut up on this one.
  • resolved and unresolved connections -> traffic analysis does not require JS and using something like uBO or even tracking protection will manipulate your traffic, which is why stock TB does not use any ad blocker. there was a TB issue where LocalCDN was discussed and a dev said it was easy with the proper traffic analysis to detect the extension.
  • private mode -> it is detectable but one can just avoid using it even if he has JS on. I’ve never seen it recommended to use always-on incognito so I don’t see the issue.
  • tracking protection on or off -> it is off and you cannot enable it in TB (edit: issue).
  • browser window size -> rounded values protect the real window size hence you fit in the crowd.
  • monitor colour -> iirc it simply doesn’t carry entropy, there were some TB tickets where this was discussed.
  • cursor, mouse, last click, caps lock etc -> these are all volatile and fuzzy fping wise. if you can provide a PoC or a paper where these are used to successfully fingerprint a browser then ok, otherwise I don’t see the issue here as well (edit: I found this issue about mouse movement which is 6yo, it’s very low priority apparently and it suggests no JS as only mitigation).
  • various estimations and timing -> they are all mitigated, try to run a test and watch TB or Firefox with RFP always return rounded ms values. not to mention Tor circuits provide further protection against everything you mention network wise (edit: in case I’m missing something floating out there I’m ready to stand corrected and I would love a link).

“TB should cover all metrics” (I know you haven’t said it, I just didn’t know how to phrase it better lol) is not a safe assumption: not all metrics are equal, they do not all carry entropy nor they are all valuable fping methods. this brings us back to the initial part of this comment.

the rest of the stuff you discussed, like typing in the wrong tab etc, is mostly opsec and as I said I also value the added peace of mind, but it doesn’t make logins on Tor bad per-se. keyloggers are also a bit out of scope for this discussion imo.

tldr: TB covers enough metrics for most threat models even with JS on - naive scripts swallow the pill, advanced ones are defeated by the crowd, and don’t forget the network -, and the benefits of disabling JS are not that big.

ps thanks for getting back despite the lengthy comments, I added some edits for completeness on both sides of the discussion :-)

I just ran TBB and used deviceinfo.me to verify

ironic how this is posted below an article that says that testing websites are not reliable and that you should not read into the results unless you understand them. I don’t think this is the case, sorry about being painfully honest but I don’t want people to freak out over tests instead of reading a well written article:

  • all of the metrics you mention as spoofed (plus a lot more, even ones that you mention in your list like navigator UA, window size, TP on/off, color depth, private mode…) carry close to no entropy. that’s because Tor Browser has a crowd and users fit in that crowd, so even if the script was advanced to go over all the metrics covered by TB (which most of the time isn’t the case), the crowd would allow you to fit in.
  • the spoofed UA in the http-header is actually for passive fingerprinting. generally speaking, your actual OS cannot be spoofed and even with JS disabled it can be bypassed by using CSS/fonts. while it’s true that TB safest mode restricts the font list and it will probably defeat most PoC out there (I think? I don’t remember but it should) it’s a big sacrifice in terms of usability when you could simply fit in with the crowd of people using TB on your same OS: arguably that’s good enough for almost everyone.
  • timing attacks are mitigated.
  • stuff like position in page, last item clicked, cursor position etc is fuzzy, how do you fingerprint based on that? plus https://github.com/arkenfox/TZP#-fingerprints-are-always-loose
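The entropy point made in this comment and in the earlier one about test websites that return raw values, as an added example that is not part of the original posts: it measures how identifying a fingerprint value is relative to a population, so a value shared by a crowd yields few bits while a unique one yields many. The population, the window sizes, timezones and user agents, and the 80/20 split are all constructed assumptions, not measurements.

```javascript
// Added example (not from the original post): a fingerprint value is only as
// identifying as the crowd that shares it. Surprisal of an observed value is
// -log2(P(value)); the anonymity set is the number of browsers reporting the
// same attribute vector. Every record below is constructed sample data.

// Constructed population: 80 Tor Browser users collapse into two letterboxed
// window sizes with a spoofed timezone and UA; 20 stock Firefox users report
// their real window size and local timezone (all values invented).
const SAMPLE_POPULATION = [
  ...Array.from({ length: 40 }, () =>
    ({ tool: 'tb', screen: '1000x1000', tz: 'UTC', ua: 'Firefox/102 ESR' })),
  ...Array.from({ length: 40 }, () =>
    ({ tool: 'tb', screen: '1400x900', tz: 'UTC', ua: 'Firefox/102 ESR' })),
  ...Array.from({ length: 20 }, (_, i) =>
    ({ tool: 'ff',
       screen: `${1200 + 7 * i}x${700 + 3 * i}`,
       tz: ['Europe/Rome', 'America/New_York', 'Asia/Tokyo', 'UTC'][i % 4],
       ua: 'Firefox/107' })),
];

const ATTRS = ['screen', 'tz', 'ua'];

// Count how many records report each distinct value of one attribute.
function valueCounts(records, attr) {
  const counts = new Map();
  for (const r of records) counts.set(r[attr], (counts.get(r[attr]) || 0) + 1);
  return counts;
}

// Surprisal in bits of one observed value: what a script learns from seeing
// it, given this population. A value nobody else reports is Infinity here.
function surprisalBits(records, attr, value) {
  const n = valueCounts(records, attr).get(value) || 0;
  return n === 0 ? Infinity : -Math.log2(n / records.length);
}

// Shannon entropy of an attribute over the whole population: the average
// number of bits the attribute yields per user.
function attributeEntropyBits(records, attr) {
  let h = 0;
  for (const n of valueCounts(records, attr).values()) {
    const p = n / records.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Anonymity set: records whose full attribute vector equals the target's.
// Attributes are correlated (RFP changes several at once), so the vector is
// treated as one value instead of summing per-attribute bits.
function anonymitySet(records, attrs, target) {
  const key = r => attrs.map(a => String(r[a])).join('|');
  const wanted = key(target);
  return records.filter(r => key(r) === wanted).length;
}

function vectorSurprisalBits(records, attrs, target) {
  const n = anonymitySet(records, attrs, target);
  return n === 0 ? Infinity : -Math.log2(n / records.length);
}

// Compare the first Tor Browser user and the first stock Firefox user.
function compareUsers(records = SAMPLE_POPULATION, attrs = ATTRS) {
  const tb = records.find(r => r.tool === 'tb');
  const ff = records.find(r => r.tool === 'ff');
  return {
    tbCrowd: anonymitySet(records, attrs, tb),
    tbBits: vectorSurprisalBits(records, attrs, tb),
    ffCrowd: anonymitySet(records, attrs, ff),
    ffBits: vectorSurprisalBits(records, attrs, ff),
    screenEntropy: attributeEntropyBits(records, 'screen'),
  };
}

console.log(compareUsers());
```

Reading a spoofed window size from a test site tells you nothing about risk until you know how many other browsers report exactly the same vector; the same value is worth about 1.3 bits in the Tor Browser crowd above and over 6 bits for the unique stock Firefox user.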

You want to know what a JS enabled Tor Browser looks like? A standard Firefox private mode tab with uBlock Origin medium mode and arkenfox user.js applied.

that’s simply not true. TB has further enhancement and code changes, it is based on ESR plus it’s not the same as a private window at all since private mode does not write to disk for example. most importantly tho: TB has crowd and the Tor network, that’s vital and a huge difference. a traffic analysis would also probably identify Firefox + uBO in medium mode vs TB. also, arkenfox does not try to make Firefox turn into TB, that’s clearly stated in the wiki and I would know as I am a repo admin :-)

Can the author explain to me why keeping JS on is so helpful

usability, a browser with JS disabled by default is not a good everyday browser for most. the more people use Tor Browser daily and have a good experience with it, the larger the crowd gets.

All the above information I mentioned is trackable for…

I mean once you are subscribed, why would they want to fingerprint you? they already know who you are. when facebook operates as third party it will be isolated plus on a different circuit and with fingerprinting protection, plus (from arkenfox’s wiki):

if a fingerprinting script should run, it would need to be universal or widespread (i.e it uses the exact same canvas, audio and webgl tests among others - most aren’t), shared by a data broker (most aren’t), not be naive (most are) and not be just first party or used solely for bot detection and fraud prevention (most probably are)

I also don’t get what the difference between typing private stuff on facebook on tor or behind a vpn or on your ISP’s network is. however I must say that I still understand why from a “peace of mind” perspective it makes sense to keep stuff isolated, so as I said above mine is not really a strong opinion here.

sorry about typing a lot, but I figured this was valuable information to share, despite being nothing new.

I will start by saying that the author of the article was a tor researcher and dev so this gives some context on the content and me posting this.

which is a very risky thing to do for someone not familiar

may I ask why? I generally agree with the sentiment of the article but I don’t have a very strong opinion on this and maybe I’m missing something.

PS I don’t think the usual “I will end up in a list of people who use Tor” argument is a valid one.

Preferring JavaScript stay disabled is a better choice, the next best is only allowing JavaScript when needed momentarily.

I disagree with this, it’s simply overkill for 99% of the people with arguably no benefit at all. what’s there to gain?

About to use Tor. Any security tips?
a great post that was published a few years ago on Matt Traudt's blog with some tips for people using Tor and the Tor Browser. it also addresses common misconceptions like disabling JS and using fingerprinting tests, which unfortunately I see floating around every other day on the internet.

You should certainly export your passwords from Bitwarden so they can’t keep them hostage.

imo your tone is a bit blowing this out of proportion, you can stay on the free tier, pay regularly for a very good service or even self-host. they are not keeping your password “hostage”.

librewolf v99 rollout
hello, the new release should be out on all platforms. sorry for the delay, we had some slowdowns with the settings and then a good portion of our patches needed a rebase. we should have done stuff earlier but personal life got in the way, but well here we are in the end :-) main changes:

- based on firefox 99.
- settings v6.1, which means:
  - removed some settings that became deprecated in v99.
  - general cleanup to remove some redundant prefs.
- updated librewolf specific UI:
  - we had to fully rebase it.
  - new option to enable firefox sync. requires a restart atm.
  - new option to harden cross origin referrers even further. I noticed it looks slightly broken, it might need a fix during the next few days.
- updated uBO.
- remapped a bunch of UI links.
- fixed more patches.
- increased security of the build process by checking mozilla's signature on the source code.

again sorry it took 4-5 days rather than the usual 1 to 3 days. enjoy!

One usually sees only articles introducing new extensions and prompting to install them, not the other way around.

yup, plus I recognize the average user can easily keep track of how built-in protections and extensions might overlap. nowadays once hardened firefox makes most of them useless, nice to see.

a portion of the [arkenfox wiki](https://github.com/arkenfox/user.js/wiki) where a bunch of popular, yet unnecessary, extensions are discussed. make good use of it :-)

librewolf v98 rollout
hello :-) as usual the new librewolf release is on its way or already out, depending on your platform. main changes:

- based on firefox 98.
- settings [v6.0](https://gitlab.com/librewolf-community/settings/-/blob/master/docs/Changelog.md#anchor-60), which means:
  - OCSP is now enabled for cases in which CRL cannot check a certificate and we need a fallback. OCSP will be stapled and in hard-fail mode, so that privacy and security are as good as they can be.
  - as a nice side effect this fixed OCSP's UI.
  - force custom mode for history.
  - always on private browsing and other modes are also hidden in the UI as they provide no benefit.
  - tracking protection UI is now also hidden as we decided to go for strict mode and nothing else. we noticed most users were flipping it as they wrongly assumed it caused breakage so we figured it was best to hide it to avoid confusion. a nice disclaimer was added instead.
- updated uBO and its assets.
- windows portable can now be run everywhere and the folder where it resides can also be moved around.

the MR that updates the documentation is also done and waiting to be merged soon. I hope y'all stay safe during these difficult times in europe, enjoy the release.

librewolf v97 rollout
hello everyone, new librewolf release on the way or already out, depending on your platform. main changes:

* based on firefox 97.
* thanks to [bsys5](https://gitlab.com/librewolf-community/browser/bsys5) it is now possible to build librewolf inside a docker container on all platforms and for all platforms. two of our core members have done a terrific job with this.
* the source repo has received some more love as we added and documented more stuff. building should be easier than ever.
* settings [v5.5](https://gitlab.com/librewolf-community/settings/-/blob/master/docs/Changelog.md#anchor-55) which means:
  * history is no longer disabled but just cleared on close.
  * stripping of tracking elements from urls, both natively and by fetching and enabling [an extra list in uBO](https://github.com/DandelionSprout/adfilt/discussions/163) when a new profile is created.
    * some of you might have noticed how this was introduced a release ago.
    * the uBO lists will not be changed for new profiles to avoid changing users settings.
  * TLS downgrades are now session-only.
  * for user convenience it is now possible to enable firefox sync in librewolf with one click.
  * the settings list has been reordered and some more documentation has been added.
* the about menu and the librewolf specific UI have received some minor cosmetic changes.

next step is probably updating the website to reflect the changes in this release. as usual feedback is appreciated but do not get issue happy as we just closed 150+ old ones where users didn't provide details, or where they simply didn't read the faq. joking, but not completely. enjoy!

librewolf v96 rollout
hi everyone! the new release is either out or on the way, and this is a pretty big one for us. main changes:

- based on firefox v96.
- built with a new semi-unified build process:
  - librewolf now has its own [source repo](https://gitlab.com/librewolf-community/browser/), meaning that building from source is now overall easier.
  - unified patches and build options across releases.
- all releases now include a librewolf-specific section of the settings, where you can control different aspects of the browser. this UI has been updated and improved from its old version, which was present only on windows releases.
- settings [v5.1](https://gitlab.com/librewolf-community/settings/-/blob/master/docs/Changelog.md), which mainly means:
  - extensions auto-updates.
  - push notifications are back, as we now isolate service workers instead of disabling them.
  - some behavioral preferences were reverted to their original firefox value.
  - the selection of search engines has changed a bit.

**important fixes**:

- when RFP is disabled the user agent no longer presents the browser as LibreWolf, but instead it shows as Firefox. this solves a number of compatibility issues, in particular on streaming services and on the mozilla extension store. if you were spoofing your user agent to access these websites you should stop doing it.
- users are no longer forced to use `en-US` as the language for the UI of the browser, as finally librewolf allows using different language packs, while still spoofing everything to `en-US` for websites. you can control this aspect like you would in firefox, with no overrides involved.

good update y'all!

Only the last two categories are impacted by using an adblocker, in fact they are probably the less important ones.

what do you use as a search engine?
I'm currently working on re-evaluating our search engine selection (reading privacy policies and all that good stuff), to see what to keep, remove, maybe add. I figured I might use some input from lemmy.

- what do you use out of the ones we include? is anyone actually using search engines like qwant and metager?
- do you add any search engine to librewolf?

if you're curious about my notes on this -> https://gitlab.com/librewolf-community/settings/-/issues/111

librewolf v95 rollout
back again with another major release (and yes I only post for major releases but every minor firefox release equals a new librewolf release). osx is out, linux and windows are getting worked on, you can expect them soon. main changes:

- based on firefox v95.
- there's an issue (see [my comment](https://lemmy.ml/post/107249/comment/96990) and the [firefox ticket](https://bugzilla.mozilla.org/show_bug.cgi?id=1741233)) with the build process that does not allow compiling successfully with the new wasm sandboxing, hence we had to use the "old sandboxing" for now. as soon as an upstream fix is delivered or we find a workaround we will immediately release a new update. edit: **FIXED**.
- new uBO version.
- updated settings. for more details see [the changelog and the reference issues linked in it](https://gitlab.com/librewolf-community/settings/-/blob/master/docs/Changelog.md#anchor-40), but in short:
  - larger but still rfp compliant window size, to improve usability.
  - webrtc is no longer disabled (but the private IP is still protected so no worries), which should mean less breakage by default.
  - the geo API is no longer disabled as it can be fingerprinted and location aware browsing is behind a per-site and per-session prompt.
  - in this release you shouldn't experience logouts when allowing exceptions.
  - rfp dark mode override was deprecated.
  - we are moving towards CRL finally.

there were also some updates in the addons section of the website, and I will update the faq as soon as I can. if you want to contribute we are working on a librewolf-specific setting page, more details have been shared in the matrix room. peace 🐠

as the title says, the new website is live and fully functional. with the help of a very skilled contributor we updated the design, it looks sweet. we also rephrased a lot of stuff and rewrote some docs, in particular:

- [the FAQ](https://librewolf.net/docs/faq/) is looking better than ever imo (it also has a link to this community yay).
- [recommended addons](https://librewolf.net/docs/addons/) changed a bit.
- there's a detailed [feature list](https://librewolf.net/docs/features/) finally.

btw, head over to [the repo](https://gitlab.com/librewolf-community/website) if you want to help. ps: the old website is dead and so is the wiki on gitlab, we might delete them at some point I guess.

it is likely that the app is not actually damaged, on M1 macs gatekeeper is far more aggressive and apple really wants devs to pay for notarization.

see a comment on the issue from the devs, and a possible workaround (the quarantine part for M1). as the maintainer of a project on osx I share their sentiment, it’s fucked up…

a good suggestion would also be to enable dFPI, so that cookies and website data is separated without needing an extension.

librewolf v94 rollout
hello everyone. I released librewolf v94 on osx, it should be coming very soon for linux and windows. main changes:

- based on firefox v94 obviously.
- new uBO version, which now also runs in private mode by default.
- updated settings. the main highlights being that we enabled fission and we brought back mozilla tracking protection in strict mode by default. the ability to use a master password is also back, and the hidden letterboxing pref is exposed in about:config.

I also made some patches that change the default settings UI a bit, by hiding some locked settings, improving some descriptions and removing the annoying "your browser is managed by your organization" banner. some old firefox references are also patched away in the process. I'm not sure if other maintainers will want to include these changes in this release tho, so don't quote me. for those who don't know, the configuration has a [changelog](https://gitlab.com/librewolf-community/settings/-/blob/master/docs/Changelog.md#anchor-30) that you can check to see how prefs evolve. the FAQ will be updated soon, once the rollout is complete. also the new website might be ready soon as well :-)

one of the maintainers says hi.
hello everyone, I'm one of the maintainers, mostly involved with osx and the settings. just joined the community with a fresh account. I will try to be active so that we can get this community going, it would be nice to be present on a federated service such as lemmy. it seems like the creator is not around anymore so that might become a pain at some point, but we'll see.