I published an article last week that explained how Mozilla deceived their audience. The article described how Mozilla broke a security feature built into Firefox. I would recommend reading that post before reading this one. This post continues to elaborate on my previous post and provides further reasoning on why I uninstalled Firefox.
Before we go any further: after the uninstall, I left Mozilla very detailed feedback explaining why I am uninstalling Firefox. I even attached a copy of my full blog post. I hope that someone at Mozilla takes the time to read it. That being said, I don’t hate the team at Mozilla, nor do I hate Firefox. As a user, I feel betrayed and no longer trust Mozilla and its products. They have some explaining to do before I consider changing my position.
My concerns started because they removed the anti-censorship capabilities that DNS over HTTPS has to offer. With TLS 1.3 and the Encrypted SNI beta that Cloudflare participates in, we would’ve had a browser highly resistant to censorship. You would have to perform a downgrade attack and block DNS over HTTPS as a protocol. (You can’t do this without Mozilla’s cooperation because it looks like standard HTTPS traffic.) As Mozilla continues to give in to pressure from governments, ISPs, and corporate network administrators, I question what will happen next. Below are a few things I believe could happen if we’re not careful:
- Allowing a network administrator to remotely inject their certificate authority into Firefox’s store of trust.
- Sending browser history periodically to a network administrator defined endpoint.
- Sending stored passwords to a network administrator defined endpoint.
The security changes would not be limited to Firefox Enterprise. These changes would affect all users. It’s not okay to use corporate spyware without telling users. It’s possible that, like with DNS over HTTPS, these features would not generate a warning for the user. This could be abused by ISPs, governments, and malicious hackers. I see Firefox as too great of a risk to continue using. The question I keep asking myself is: what pressure will Mozilla give in to next?
I am keeping a close eye on what happens next. The people at Tor Project are probably keeping a close eye on Mozilla and working to keep Tor Browser safe. I will probably still use Tor Browser when I need private and anonymous web browsing. My decision may change if Tor Browser makes risky decisions.
Since Tor Browser is a fork of Firefox ESR, their developers can see and exclude any change to Firefox they believe is dangerous. There is a possibility that the public release builds of Firefox have a secret bugdoor added to them. (I guess you could say the same about Tor Browser, although I hear that there’s work on making the builds reproducible to avoid this situation!) Since Tor Project developers pull the Firefox source code and apply their patches to it, I believe this situation is less likely.
Now that I’ve uninstalled Firefox, I think it’s time to go back to our beloved Internet Explorer 8, the classic web browser that started it all. Just kidding! I will be switching to Brave Browser, a relatively new privacy-focused web browser built on top of the Chromium web browser, the open source project that powers Google Chrome. An article by ZDNet showed that Brave Browser “phones home” less than Firefox or Chrome. Is Mozilla still the most trustworthy browser vendor? I do not believe they are anymore. I hope that Brave can provide a better level of transparency and security than Mozilla could.
After Mozilla breached trust, I uninstalled Firefox and switched to Brave Browser. I am closely watching the security of the web browser ecosystem. I am skeptical of Mozilla.