> The reason the login form is delivered as web content is to increase development speed and agility
You saved some sprints but invalidated the purpose of the project. Very agile.
> Ultimately I think we can have web content from accounts.firefox.com be just as trustworthy as, say, a Mozilla-developed addon which might ship in the browser by default, which is a pretty high bar. We're not there yet, but it seems worth pursuing to try to get the best of both worlds.
The safety of the default installation is crowdsourced across all users and can't be targeted. The safety of the JS I load from Mozilla is not and I would have to verify its safety every time. Unless I'm misunderstanding something it can never be as trustworthy.
> Do we know if Mozilla is planning anything to fix this?
Nope, so far as I can tell they are invested in their current approach. In fairness, I will admit that it trades security in order to get a slight improvement in usability.
If they'd just make it impossible to log in via JavaScript, and only through the browser UI, then they could increase the security. But they won't do it.
> But at the end of the day, I'm just taking someone's word for it that this is all they send, and assumes that it won't change over time in a browser that regularly updates itself.
Actually you aren't. It's quite easy to build your own Firefox and use that, or use say Ubuntu's build if you trust them more. You wouldn't want to audit the Firefox source code yourself, but if Mozilla was intentionally sneaking backdoors into the source code, someone could (and probably would) eventually find that out and you'd be able to verify it by examining your source archives... which means Mozilla would have to be stupid/crazy to try that.
> However, moderation is all this gains, because anyone who is preinstalling Firefox on a computer could still install a modified executable instead.
Well, apparently that is a line that vendors are not prepared to cross.
> There is also a known risk of the user's security or privacy being compromised by visiting malicious websites that exploit weaknesses or vulnerabilities in Firefox.
When it comes to actual weaknesses or vulnerabilities, it seems clear to me that Mozilla should not rely on add-ons for patching those. But yes, blocker extensions still provide value; luckily, they are also still allowed.
> as I and others have explained, there are tried and tested ways they could do so that are no more vulnerable than the current approach yet would not suddenly remove all protection offered by addons against the latter threat without warning in the middle of a browsing session. The current heavy-handed approach is like building a secure home by making a concrete bunker with no doors and windows: the efforts to secure the addon system ultimately rendered the entire system useless.
You've said this before, so to prevent getting into a loop, I won't repeat my response :)
> Worse than that, though, the current strategy violates the basic principles that attract some users to Firefox in the first place, specifically its extensibility through addons and its relative respect for users' privacy and control of their own systems.
This I understand, and I wish it wasn't necessary too. I don't think Mozilla has shown little understanding - they've repeatedly explained how they are caught between a rock and a hard place, and reached a different conclusion than you did, after weighing the pros and cons. That does not mean a lack of understanding of the cons, but merely that they did not outweigh the cons of the alternatives in their view.
This might simply be the result of different valuations of the pros and cons between you and Mozilla; given the amount of data and insight Mozilla has on the use of Firefox, I would also suggest being open to the idea that there might be a lack of understanding on our side about the scale of the problem of malicious extensions.
> Then host your own Firefox-Auth-Server and Firefox-Sync-Server.
Only a server which you physically control — if it's in the cloud, it could be tampered with without your knowledge. And you must still use a high-entropy, unmemorable password.
> But hey, you'd still be running Mozilla's code in and as your browser.
There's a difference between trusting code at a point in time and trusting every single response ever. Sneaking a trojan into code which is visible to the world is hard; sneaking a trojan into a single targeted response is easy.
> But at least Mozilla has a history of standing for the consumer and protecting user rights.
Sure, but that doesn't protect you against a single bad employee or against any government which Mozilla is subject to.
> And Firefox is perhaps the only browser that allows hosting your own sync and auth servers without having to build your own copies of the browser.
Yes, and I appreciate that. What really hurts is that Firefox used to have great sync security. I ran my own sync server for years, and was very happy with it. But when they revised the protocol they destroyed its security. Firefox Sync is unacceptable for password storage (as is every other sync system of which I'm aware).
> Mozilla has clearly positioned itself as (1) the independent browser-vendor who cares about (2) open source, (3) the open web and (4) your online privacy.
They were positioned that way, but ever since they gutted the security of Sync[1], it's really hard to take them seriously.
[1] First, your data is now 'secured' on their servers solely by your password, which for most people is memorable and thus breakable; previously it was secured with a high-entropy key, which was secured on your system with a memorable password, if desired. Second, login to their services (which uses that same God password) is performed by downloading JavaScript (and perhaps HTML and/or chrome; I forget now) from their servers, which means that they can at any time choose to intercept as few or as many user passwords as they wish—or as someone with legal authority wishes them to.
> Had it not been proposed as a joke, I would already be looking forward to those Emacs-patches incorporating Webkit as the new embedded browser.
I thought that there was a serious effort to do that. It'd be great IMHO.
> it doesn't really matter since the code is coming from Mozilla
For now, yes. Until someone finds a way to push a "study" through which is not from someone "trusted".
> If someone distrusts their add-ons, why trust their browser at all?
Well, trust is rather simple to break, and this - remotely installing things - was not part of the original trust I put in Firefox 1.0.
I know things change. This is not one I tolerate, and you are right: I will not trust a browser after a step like this.
Besides the trust, it's unexpected data. It probably doesn't affect many on big data plans, and it's probably a tiny extension this time, but it's still data I have not asked for.
> I doubt firefox will ever focus on security. The security mechanisms we are talking about require breaking compatibility or performance. This isn't the stuff one rearranges deck chairs for.
They seem to be willing to break compatibility as illustrated by them ditching their massive library of legacy extensions.
He seems to somewhat contradict himself by saying Mozilla won't do things to improve security then describes a security feature they have implemented for JIT that Chrome has yet to provide.
> I think most Firefox users on Hacker News would dispute this. Judging by the average thread on Firefox, most of us think that Mozilla's efforts have mostly been to make Firefox worse.
I'm very happy with the work they do to make a better rendering and styling engine. However I'd like to add that it wasn't that bad in the first place, as some like to say: I could have hundreds of tabs open back in 2014 with no problems.
> I don't know that I'd go that far, but the issue seems to be that most of the user facing changes have been the kind of pointless changes for the sake of change,
Yep. Also I'm not against a facelift, but don't let UX-ers run the show alone. When everyone cries out: stop and think! And if you cannot hear the cries: fix your feedback system! Like the one that Google has, the feedback system at Mozilla makes it clear to me that my voice doesn't matter at all.
> and side projects most people don't use or want in their browser.
I'm fine with side projects as long as they don't come at the expense of the main product.
> A sibling comment mentions breaking the addon API. If the addons I want to use are broken for months at a time, that's going to get me to consider using a different browser, even one with less capabilities. (This doesn't have to be a rational process; ideally you want your users to never think "ugh, why isn't this working, hmm I haven't checked out Chrome in a while". Even if Chrome is worse, some of them are going to switch.)
Exactly.
> Then there's Pocket, which (let's admit) exists only because it's a direct source of revenue for Mozilla via advertisements placed in the browser chrome.
I don't even have the problem with Pocket that certain other people have, but couldn't they have been honest about it from the start? Trust was the one thing that differentiated Mozilla from the crowd.
> Then there's the pointless change to the URL bar, which drew an absurd amount of outrage. That much anger over a small UI change is not justified of course, but that's not the point. Stuff like this breaks the cardinal rule of not pointlessly pissing off your dwindling user base.
IMO the problem is they want to get us to think it is a community project and at same time ignore the community.
[...]
> Then there are the fiascos, like the time Mozilla broke all users' addons, the hotfix sideloading scandal, the Mr Robot thing...
Yep. It shows how they completely don't understand that their main asset is user trust.
Firefox sync really is neat, but be aware that for the last several years it has had a security flaw, one which the Firefox team has no interest in fixing (in fact, they consider it a feature!): your passwords and other private data are encrypted with your Firefox Account password. That would be fine so long as a) your Firefox Account password is truly secure and b) Mozilla can never see it. Unfortunately, they can: they serve an HTML page to log in to your Firefox account, which loads JavaScript from their servers. At any point they can start serving JavaScript which sends all passwords to their servers.
What is so very, truly disappointing is that they used to have a great, easy-to-use Sync security system which was immune to this sort of attack, but they removed it.
Anyway, I cannot advise using Firefox Sync for private information anymore.
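The two Sync designs contrasted in the footnote above ("secured solely by your password" versus "a high-entropy key, secured on your system with a memorable password") and in this comment can be shown side by side. The following is an added example, not Mozilla's code or a description of the real Sync protocol: the HMAC-counter "cipher", the wordlist and the sample payload are constructed stand-ins, the iteration count is deliberately tiny so the script runs fast, and only the Python standard library is used. It shows why an attacker who obtains the server's copy of the data can brute-force a memorable password in design A but gets nothing to test guesses against in design B.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed stand-in for a cracking dictionary (not a real wordlist).
WORDLIST = ["password", "letmein", "qwerty", "hunter2", "Tr0ub4dor&3"]

# Deliberately low so the demo runs in well under a second. Real deployments use a
# far larger count (or scrypt/Argon2), which slows an offline attack on a memorable
# password but does not stop it.
KDF_ITERS = 2_000


def kdf(password: str, salt: bytes) -> bytes:
    """Stretch a memorable password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-in-counter-mode keystream standing in for a real AEAD (e.g. AES-GCM)
    so the demo needs only the standard library. Not for production use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC with the toy keystream; returns nonce, ciphertext and tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def tag_valid(key: bytes, blob: dict) -> bool:
    """True when `key` authenticates the blob; this is the attacker's guess oracle."""
    expected = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, blob["tag"])


def decrypt(key: bytes, blob: dict) -> bytes:
    if not tag_valid(key, blob):
        raise ValueError("bad key or tampered ciphertext")
    ks = _keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], ks))


# Design A (the scheme the comments object to): the data key is derived directly
# from the account password. The server holds the salt and the ciphertext.
def upload_password_derived(password: str, secret: bytes) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "blob": encrypt(kdf(password, salt), secret)}


# Design B (the scheme the comments say was removed): a random 256-bit data key
# encrypts the data; the password only wraps that key, and the wrapped copy stays
# on the device. The server holds the ciphertext and, to give the attacker every
# non-secret value, the KDF salt as well.
def upload_random_key(password: str, secret: bytes) -> tuple:
    data_key = secrets.token_bytes(32)
    salt = os.urandom(16)
    server_view = {"salt": salt, "blob": encrypt(data_key, secret)}
    device_state = {"salt": salt, "wrapped_key": encrypt(kdf(password, salt), data_key)}
    return server_view, device_state


def offline_guess(server_view: dict, wordlist) -> Optional[str]:
    """Attacker holding only the server's copy: derive a key from each candidate
    password and check whether it authenticates the stored blob."""
    for cand in wordlist:
        if tag_valid(kdf(cand, server_view["salt"]), server_view["blob"]):
            return cand
    return None


def recover_random_key(password: str, server_view: dict, device_state: dict) -> bytes:
    """Legitimate device in design B: unwrap the data key with the password, then decrypt."""
    data_key = decrypt(kdf(password, device_state["salt"]), device_state["wrapped_key"])
    return decrypt(data_key, server_view["blob"])


if __name__ == "__main__":
    secret = b"login: alice / pw: hunter2"  # constructed sample sync payload
    print("A cracked:", offline_guess(upload_password_derived("hunter2", secret), WORDLIST))  # hunter2
    sv, dev = upload_random_key("hunter2", secret)
    print("B cracked:", offline_guess(sv, WORDLIST))  # None
    print("B owner reads:", recover_random_key("hunter2", sv, dev))
```

Two caveats a practitioner should keep in mind. First, design B only helps while the wrapped key never leaves the device; if the wrapped key were uploaded next to the data, the attacker would be back to testing password guesses against it, which is design A with one extra step. Second, design B does nothing about the other concern raised in this comment: JavaScript served by the login page executes on the device where the unwrapped key and the password both live, so a targeted script can exfiltrate them regardless of how the server-side data is keyed.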
> In my opinion, it doesn't really matter since the code is coming from Mozilla - they're building the whole browser, so they could introduce functionality anywhere. If someone distrusts their add-ons, why trust their browser at all?
An appropriate response here would be to decide that you no longer trust their browser at all.
It's hard to quantify trust exactly. I'm fine with trusting the partly-closed-source Google Chrome build, including the proprietary Chromecast, Hangouts, etc., plugins, because I believe that the people writing them are generally reasonable. I don't have a good formal proof that they're generally reasonable people, and I never will - that's why it's trust. If they start installing marketing gimmicks, certainly they have the technical ability to do that, but I will lose my trust that they're reasonable people.
Here's an analogy: I trust a small number of my friends with keys to my apartment because I think they'll make reasonable use of that access. If they decide to show up at 3 AM with a keg and three tubas without telling (let alone asking) in advance, I technically have no grounds to complain that they abused their access - but I'll certainly not be calling them friends any more.
> So, you don't trust the JS served by Mozilla but you would trust their browser?
Mozilla's browser is shipped out to everyone; their JavaScript is served to me every time I use it. A compromised browser could be caught; compromised JavaScript sent one time only to a targeted user is highly unlikely to ever be noticed.
I get my browser via a distribution; it's far less likely that Mozilla and Debian would collaborate to expose all of Debian's users' passwords than that Mozilla would target — or be compelled by law, blackmail or violence to target — a single user or handful of users.
> I can think of several ways to drastically improve the privacy of web extensions by providing audit logging or more fine-grained control over permissions.
You were talking about API surface though. Neither of these things is API surface in itself. They are after the fact, informing the user what it can do and what it did with those APIs.
> It's just pointless to have the most advanced content blocking mechanisms when you allow browser extensions to circumvent them all.
I don't think so. It's not pointless. It just means you need to trust more than mozilla, you ALSO need to trust the extensions, just like you need to trust many other things in your system. The error here is assuming that everything should be reducible or can be reduced to a single source of trust.
> There are countless studies that show most non-expert users don't know what is happening with their data and are not able to judge the risks they're taking when installing software like browser extensions.
Perhaps. But if you follow that argument then you end up with a locked-down system with little flexibility, which I was referring to as apple-style walled garden. Some people may value such a thing, but I wouldn't use or recommend firefox if it became something like that. I would flee in terror.
> Does the new Firefox have a password sync feature like Chrome's?
It's had that for years, and I've yet to have a problem with it.
> As an aside, one silly thing that tarnished Mozilla's brand for me was the treatment of Brendan Eich. I may not agree with his donation of money but I think impinging on his rights is a far more fundamental immorality than what he was accused of.
I can't decide if what they did was wrong or not, but I'm not totally comfortable with that issue either... no person or company is perfect though.
> I hope Theo is wrong here, and that things are getting closer,
He kind of lost me when he said
> I doubt firefox will ever focus on security.
This just seems ridiculous. They just spent years working Firefox into a multiprocess design, in no small part for security. And the same for completely dropping the entrenched extension legacy model (thereby frustrating lots of devs and users). There are other past and current examples where Mozilla is focusing on and improving security in Firefox.
> Still, I like the idea of using a browser from a company that does not want to access my data on their own servers.
Mozilla's motives alone for creating a web browser are why I trust FF. I don't like the idea of Chrome subsisting (to the point it's their actual business model) on my personal info
> I have no problem if the Mozilla Foundation or the Firefox team has different priorities, but say that rather than telling technical people the reason for the changes is because XUL or XPCOM are somehow so hideous the team had no choice. It smacks of dishonesty when everything that you have described here is a problem with procedure not anything technical.
Well, some of our priorities with WebExtensions are (not necessarily in this order):
- stable, documented, future-proof API;
- improving security;
- improving performance;
- improving privacy.
You are, of course, free to consider these things "not anything technical", but they were impossible as long as add-ons weren't based on an API at all.
So, again, while I fully realize that there is a cost, I believe that we're moving from something unsustainable to something sane, which makes it better in the long run.
> For me, Firefox seems to be making decisions with user's security and privacy in mind, and I see that as a net positive. As a long time user, it is the only reason I use Firefox.
I agree that that is a good thing. However, the more firefox breaks compatibility with sites people use, the harder it will be to regain marketshare. And if Firefox keeps losing marketshare it will have less ability to influence web standards, and could potentially die altogether, which would be bad for privacy and security in the long run.
Fortunately, state partitioning isn't enabled by default on Firefox yet (it is part of "strict" ETP), so only people who are ok with it potentially breaking sites will turn it on.
> I doubt firefox will ever focus on security. The security mechanisms we are talking about require breaking compatibility or performance. This isn't the stuff one rearranges deck chairs for.
This is just wrong. For example, major changes have been made to the internal architecture over the last couple of years to support process-per-site "site isolation". See https://bug1523072.bmoattachments.org/attachment.cgi?id=9061... for the new architecture.
It's true that Firefox is still behind Chrome in this area, but there is a lot of effort going into it.