fishonthenet

joined 3 years ago
MODERATOR OF
[–] fishonthenet@lemmy.ml 1 points 1 year ago

Your browser engine is very easy to identify, it would be useless to lie and it would also cause a lot of breakage.

[–] fishonthenet@lemmy.ml 1 points 1 year ago

What do you mean by this? It already reports Linux in the navigator UA, are you talking about the HTTP header? If so, I agree with you and I'm hoping to see a change as it is overkill (although there are reasons against namely passive fping protection in some rare cases).

It causes breakage too, ideally reporting this could influence a change in RFP but there are some blocking issues (things to discuss) at the moment and it is low priority. We could anticipate the change with a patch but we haven't thought about this yet as we are usually against changing RFP.

[–] fishonthenet@lemmy.ml 1 points 1 year ago

I shared this a while ago in the Firefox community --> https://lemmy.ml/post/209597

[–] fishonthenet@lemmy.ml 1 points 1 year ago

see y'all there, I updated the lemmy sidebar already :-)

[–] fishonthenet@lemmy.ml 4 points 1 year ago (1 children)

Mull is super nice and its dev does a lot of good open source stuff, recommended!

[–] fishonthenet@lemmy.ml 1 points 1 year ago

2mo later I gotta say I'm sorry that I haven't been able to keep up with lemmy (or even worse with reddit where I haven't logged in ages) lately, I've been pretty busy to the point where even release announcements disappeared.

[–] fishonthenet@lemmy.ml 1 points 1 year ago

indeed it does, but most people wouldn't really care in 2023.

[–] fishonthenet@lemmy.ml 2 points 1 year ago

https://librewolf.net/docs/testing/ says:

These tests are not intended to be used as oracles, but rather as a way to check your setup and verify that your changes are applied. You should not read too much into the results unless you are sure you understand them, as explained in this article.

https://blog.pastly.net/posts/2019-01-19-about-to-use-tor/#testing-your-fingerprint

BTW I commented about this in the past, see https://gitlab.com/librewolf-community/browser/windows/-/issues/276#note_1137125815

[–] fishonthenet@lemmy.ml 1 points 2 years ago

it's covered, yes. we enable a built-in list that strips some query params and we also add an extra one that strips more stuff (courtesy of the great https://github.com/DandelionSprout).

btw Firefox also has native query stripping now, so there's one extra layer of protection! see https://privacytests.org/

 

hello! as you might have noticed I haven't been able to post the changelog lately, so I figured I'd write a news thread:

  • as usual we released a new LW version for each FF stable.
  • I just added a bunch of documentation entries, most notably:
    • accessibility and why you might want to disable it, even though we don't by default.
    • how to use KeePassXC when you install both it and LibreWolf as Flatpak.
    • how to install uBO if you're in a country where the addons store is blocked.
    • full list.
  • WebRTC should work a bit better now, you should experience less breakage.
  • we maintained our usual set of patches across each release.
  • this epic contains a bunch of solved issue we have been ironing out during the past few release cycles.
  • in the next release we finally expect to fix the weird new tab issue on linux and the unresponsive window issue on macos; this was possible thanks to a contributor from the community who found a typo in one of our patches :-)
  • there's a known issue with Firefox Sync logins.

if you have any question just ask 🐟

1
submitted 2 years ago* (last edited 2 years ago) by fishonthenet@lemmy.ml to c/librewolf@lemmy.ml
 

hello folks, v107.0 is rolling out on all platforms, if it already hasn't :-)

main changes:

  • rebased to latests firefox;
  • updated patches.

very minimal but enjoy!

 

from that issue:

I'll be stopping providing new LibreWolf builds, and it's possible I'll abandon the port altogether in the near future. So, unless I'll find someone who will take care of the port, it would be better to remove the instructions.

more details inside, and many thanks to the person who provided the port during these months!

 

hello! v106.0.1 is rolling out on all platforms.

some might have already got a v106.0 update, others will be upgraded directly to the newer version as the releases were condensed into one, since they occurred within 48 hrs from each other upstream.

main changes:

  • rebased to latests firefox;
  • updated settings: there have been many minor changes in the past few releses, I suggest looking at the changelog of the past few versions;
  • hide firefox view for now, we will eventually patch it and re-introduce it in a revisited form later on!

enjoy and be safe :-)

1
submitted 2 years ago* (last edited 2 years ago) by fishonthenet@lemmy.ml to c/librewolf@lemmy.ml
 

FYI: if you prefer to use a different instance, mickie created a librewolf community of at https://jeremmy.ml. I will try my best to keep an eye on stuff posted over there too :-)

 

a bit late to the party, but v104 has been released in the past few days, depending on your platform.

the changelog is very small this time, I blame august:

  • all changes from firefox v104;
  • updated some patches that broke;
  • updated settings to v6.9, which is mostly a cleanup.

look I said it wasn't that much..but enjoy it :-)

 

I forgot the changelog for v102 but here's the one for v103 instead.

  • all upstream fixes from FF103
  • updated, fixed and deprecated patches.
    • in particular you might have noticed an issue with uBO disappearing, it's now fixed.
  • add release for OpenSuse Tumbleweed.
  • updated build documentation.
  • updated base macOS SDK to 11+.
  • updated settings to v6.7.
    • as the upstream cookie pref migration is finished you should no longer experience lost cookies.
    • IPv6 is no longer disabled by default.
  • updated some description in the UI.
  • fix printing in flatpak.

an even more detailed issue and merge request overview is available in the meta for v103.

if you want to contribute check our gitlab, follow the labels and the epic for the next release. if you want to report something please use gitlab, follow the guidelines and check known issues.

 

a reminder from our FAQ, for anyone doing it wrong.

 

we back again with a new release, out on some platforms, building on others.

main changes:

  • all upstream fixes from firefox v101.0.
  • settings v6.5, mostly a minor cleanup.
  • multi-language support in the UI for all versions of the browser, all fully rebranded.
  • windows releases and source tarballs are now signed.

enjoy, and as always feedback is appreciated :-)

1
submitted 2 years ago* (last edited 2 years ago) by fishonthenet@lemmy.ml to c/librewolf@lemmy.ml
 

hello, the new release is out on all platforms.

main changes:

  • all upstream fixes from firefox v100.0, happy birthday!
  • easter egg to celebrate v100 :-)
  • settings v6.4, meaning:
    • improved robustness of certificate revocation false positives, in case of corner cases.
    • UI for cookie clearing is now more consistent.
  • updated uBO.
  • patched new theme UI if RFP is enabled.
  • rebased some patches.
  • remapped some more links in the UI.

~~we also have a known issue that causes the main page to display as empty. we worked on a fix and it will be included in the next release.~~

the content of our website has also been updated, including the faq and the addons sections.

peace 🐠

[–] fishonthenet@lemmy.ml 0 points 2 years ago* (last edited 2 years ago) (5 children)

I just ran TBB and used deviceinfo.me to verify

ironic how this is posted below an article that says that testing websites are not reliable and that you should not read into the results unless you understand them. I don't think this is the case, sorry about being painfully honest but I don't want people to freak out over tests instead of reading a well written article:

  • all of the metrics you mention as spoofed (plus a lot more, even ones that you mention in your list like navigator UA, window size, TP on/off, color depth, private mode..) carry close to no entropy. that's because Tor Browser has a crowd and users fit in that crowd, so even if the script was advanced to go over all the metrics covered by TB (which most of the time isn't the case), the crowd would allow you to fit in.
  • the spoofed UA in the http-header is actually for passive fingerprinting. generally speaking, your actual OS cannot be spoofed and even with JS disabled it can be bypassed by using CSS/fonts. while it's true that TB safest mode restricts the font list and it will probably defeat most PoC out there (I think? I don't remember but it should) it's a big sacrifice in terms of usability when you could simply fit in with the crowd of people using TB on your same OS: arguably that's good enough for almost everyone.
  • timing attacks are mitigated.
  • stuff like position in page, last item clicked, cursor position etc is fuzzy, how do you fingerprint based on that? plus https://github.com/arkenfox/TZP#-fingerprints-are-always-loose

You want to know what a JS enabled Tor Browser looks like? A standard Firefox private mode tab with uBlock Origin medium mode and arkenfox user.js applied.

that's simply not true. TB has further enhancement and code changes, it is based on ESR plus it's not the same as a private window at all since private mode does not write to disk for example. most importantly tho: TB has crowd and the Tor network, that's vital and a huge difference. a traffic analysis would also probably identify Firefox + uBO in medium mode vs TB. also, arkenfox does not try to make Firefox turn into TB, that's clearly stated in the wiki and I would know as I am a repo admin :-)

Can the author explain me why keeping JS on is so helpful

usability, a browser with JS disabled by default is not a good everyday browser for most. the more people use Tor Browser daily and have a good experience with it, the larger the crowd gets.

All the above information I mentioned is trackable for...

I mean once you are subscribed, why would they want to fingerprint you? they already know who you are. when facebook operates as third party it will be isolated plus on a different circuit and with fingerprinting protection, plus (from arkenfox's wiki):

if a fingerprinting script should run, it would need to be universal or widespread (i.e it uses the exact same canvas, audio and webgl tests among others - most aren't), shared by a data broker (most aren't), not be naive (most are) and not be just first party or used solely for bot detection and fraud prevention (most probably are)

I also don't get what the difference between typing private stuff on facebook on tor or behind a vpn or on your ISP's network is. however I must say that I still understand why from a "peace of mind" perspective it makes sense to keep stuff isolated, so as I said above mine is not really a strong opinion here.

sorry about typing a lot, but I figured this was valuable information to share, despite being nothing new.

[–] fishonthenet@lemmy.ml 0 points 2 years ago* (last edited 2 years ago) (7 children)

I will start by saying that the author of the article was a tor researcher and dev so this gives some context on the content and me posting this.

which is a very risky thing to do for someone not familiar

may I ask why? I generally agree with the sentiment of the article but I don't have a very strong opinion on this and maybe I'm missing something.

PS I don't think the usual "I will end up in a list of people who use Tor" argument is a valid one.

Preferring JavaScript stay disabled is a better choice, the next best is only allowing JavaScript when needed momentarily.

I disagree with this, it's simply overkill for 99% of the people with arguably no benefit at all. what's there to gain?

2
submitted 2 years ago* (last edited 2 years ago) by fishonthenet@lemmy.ml to c/privacy@lemmy.ml
 

a great post that was published a few years ago on Matt Traudt's blog with some tips for people using Tor and the Tor Browser.

it also addresses common misconceptions like disabling JS and using fingerprinting tests, which unfortunately I see floating around every other day on the internet.

1
submitted 2 years ago* (last edited 2 years ago) by fishonthenet@lemmy.ml to c/librewolf@lemmy.ml
 

hello, the new release should be out on all platforms. sorry for the delay we had some slowdowns with the settings and then a good portion of our patches needed a rebase. we should have done stuff earlier but personal life got in the way, but well here we are in the end :-)

main changes:

  • based on firefox 99.
  • settings v6.1, which means:
    • removed some settings that became deprecated in v99.
    • general cleanup to remove some redundant prefs.
  • updated librewolf specific UI:
    • we had to fully rebase it.
    • new option to enable firefox sync. requires a restart atm.
    • new option to harden cross origin referrers even further. I noticed it looks slightly broken, it might need a fix during the next few days.
  • updated uBO.
  • remapped a bunch of UI links.
  • fixed more patches.
  • increased security of the build process by checking mozilla's signature on the source code.

again sorry it took 4-5 days rather than the usual 1 to 3 days. enjoy!

view more: next ›