Set the browser.ml.chat.enabled and browser.ml.enabled to false as they intensively use the processor and drain the battery. All that to just find the best name for your tab groups. I prefer to have my laptop last one more hour instead.
yunruse · 5m ago
I took a brief gander at its code [0] and saw it mainly focusses on k-means clustering algorithms (in JS, no less). To my ken this is likely for suggesting new tabs, something a user is even less likely to use than renaming them.
Its constant drain even when not 'in use' seems to imply it's classifying tabs as they change page (though it might be telemetry or uncommented testing). If so, it's an example of premature optimisation gone very wrong.
It's a shame, because it overshadows the fact that naming tab groups is a perfect use case for an LLM, alongside keyboard suggestions and reverse dictionaries [1]. I'm ardently distrustful of LLMs for many, many purposes, but for the tiny parameter and token usage needed it's hard to not like. Which is a shame it's (somehow) such a drain.
[1] https://www.onelook.com/thesaurus/
Can be helpful in a pinch when a word's on the tip of your tongue, though its synonyms aren't always perfect.
temp0826 · 1h ago
I just want something (config or extension or instructions or whatever) to give me the best (rather, most common/average) fingerprint possible according to that EFF tool. Does that exist?
olivergregory · 51m ago
That’s the extension Privacy Badger.
amarder · 6h ago
This checklist is a work in progress, would love to hear your feedback.
Good work. There are some hardening options that you may be able to glean from ArkenFox [1] and Betterfox [2]. Another addon to consider listing is CSS Exfil protection [3a] CSS Exfil Test Site [3b].
This is quite a rudimentary checklist, and it won't provide much in terms of privacy protections, but it will break a number of sites.
The current state of browser-fingerprinting is off-the-rails, where they deny service if they don't get those fingerprints, and the browser to a lesser degree has had its securities/privacy protections gradually degraded.
Stock Firefox will not be able to provide any sufficient guarantees. There are patches that need to be re-compiled in, because there have been about:config options removed.
I highly suggest you review Arkenfox's work, most of the hardening feature he recommends will provide a better defense than nothing. He regularly also contributes to the Mullvad browser which implements most of his hardening and then some but also has some differentiation from the Tor Browser, but many of the same protections.
The TL;DR of the problemscope is that there are artifacts that must be randomized within a certain range. There are also artifacts that must be non-distinct so as to not provide entropy for identification (system fonts and such that are shared among many people in a cohort).
JS, and several other components, if its active will negate a lot of the defenses that have been developed to-date.
Additionally, it seems that in some regional localities Eclipse attacks may be happening (multi-path transparent MITM), by terminating encryption early or through Raptor.
At a bare minimum, there seem to be some bad actors that have mixed themselves into the root pki pool. I've seen valid issued Google Trust certs floating around that were not authorized by the owner of the SAN being visited, and it was transparent and targeted to that blog, but its also happened with vendors (providing VOIP related telco services).
It seems Some ISPs may be doing this to collect sensitive data for surveillance capitalism or other unknown malign purposes. In either case TLS can't be trusted.
ranger_danger · 1h ago
> JS, and several other components, if its active will negate a lot of the defenses that have been developed to-date.
I thought if you disabled JS, then that would greatly narrow down which user on the internet you are, since very few people (in comparison to everyone else in the world) actually do this.
> not authorized by the owner of the SAN being visited
Source?
> TLS can't be trusted
Do you have more info on this? Why are more people not worried about it?
mixmastamyk · 1h ago
There are things I also do like removing sponsored links on the about page and url bar.
My understanding is that Privacy Badger no longer learns by default. I never wanted that, just block known things, like search engine click hijacks.
I’m not sure what to do about the user agent header. Changing or simplifying it tends to break sites. Also I’d like to promote Linux there but that’s at odds with privacy.
dotcoma · 6h ago
Shouldn’t Firefox come hardened out of the box ?
jdlshore · 38m ago
There’s tradeoffs between privacy and convenience. Mozilla makes a particular set of tradeoffs, based on their judgment of what the average user will put up with; checklists like this allow you to make more aggressive tradeoffs.
Its constant drain even when not 'in use' seems to imply it's classifying tabs as they change page (though it might be telemetry or uncommented testing). If so, it's an example of premature optimisation gone very wrong.
It's a shame, because it overshadows the fact that naming tab groups is a perfect use case for an LLM, alongside keyboard suggestions and reverse dictionaries [1]. I'm ardently distrustful of LLMs for many, many purposes, but for the tiny parameter and token usage needed it's hard to not like. Which is a shame it's (somehow) such a drain.
[0] https://github.com/mozilla-firefox/firefox/blob/7b42e629fdef... exports a SmartTabGroupingManager, though how or why that is used without being asked eludes me
[1] https://www.onelook.com/thesaurus/ Can be helpful in a pinch when a word's on the tip of your tongue, though its synonyms aren't always perfect.
https://codeberg.org/librewolf/settings/src/branch/master/li...
[1] - https://github.com/arkenfox/user.js
[2] - https://github.com/yokoffing/Betterfox
[3a] - https://addons.mozilla.org/en-US/firefox/addon/css-exfil-pro...
[3b] - https://www.mike-gualtieri.com/css-exfil-vulnerability-teste...
The current state of browser-fingerprinting is off-the-rails, where they deny service if they don't get those fingerprints, and the browser to a lesser degree has had its securities/privacy protections gradually degraded.
Stock Firefox will not be able to provide any sufficient guarantees. There are patches that need to be re-compiled in, because there have been about:config options removed.
I highly suggest you review Arkenfox's work, most of the hardening feature he recommends will provide a better defense than nothing. He regularly also contributes to the Mullvad browser which implements most of his hardening and then some but also has some differentiation from the Tor Browser, but many of the same protections.
The TL;DR of the problemscope is that there are artifacts that must be randomized within a certain range. There are also artifacts that must be non-distinct so as to not provide entropy for identification (system fonts and such that are shared among many people in a cohort).
JS, and several other components, if its active will negate a lot of the defenses that have been developed to-date.
Additionally, it seems that in some regional localities Eclipse attacks may be happening (multi-path transparent MITM), by terminating encryption early or through Raptor.
At a bare minimum, there seem to be some bad actors that have mixed themselves into the root pki pool. I've seen valid issued Google Trust certs floating around that were not authorized by the owner of the SAN being visited, and it was transparent and targeted to that blog, but its also happened with vendors (providing VOIP related telco services).
It seems Some ISPs may be doing this to collect sensitive data for surveillance capitalism or other unknown malign purposes. In either case TLS can't be trusted.
I thought if you disabled JS, then that would greatly narrow down which user on the internet you are, since very few people (in comparison to everyone else in the world) actually do this.
> not authorized by the owner of the SAN being visited
Source?
> TLS can't be trusted
Do you have more info on this? Why are more people not worried about it?
My understanding is that Privacy Badger no longer learns by default. I never wanted that, just block known things, like search engine click hijacks.
I’m not sure what to do about the user agent header. Changing or simplifying it tends to break sites. Also I’d like to promote Linux there but that’s at odds with privacy.