Firefox

How to stick with a decent version of Firefox (pre-Quantum)

Friday, June 1, 2018 

Firefox (52) remains my browser of choice – entirely because of plug-ins. When Firefox completely destroyed the UI/UX with “Australis,” a horrific UI change that basically made Firefox into a crappy clone of Chrome, the only thing that made Firefox usable was “Classic Theme Restorer.” Apparently, unsatisfied with the damage Mozilla had managed to wreak on their user-base with idiotic UI decisions, over the past year or so, a new version called “Quantum” (57) was rolled out that broke the functionality of almost every important plug-in.

This utterly disastrous and truly unforgivable transgression against the user-base was only slightly mitigated by sustaining 52-ESR, at least until the Sept of this year. After that, everyone who cares about having a decent alternative to Chrome will have to migrate to Waterfox.

In the mean time, one really important thing you have to remember to do if you stuck reinstalling your system on Linux (e.g. Linux Mint) is to immediately uninstall Firefox before using it even once.  Then change your install version to ESR and install. If you let Quantum run even once, it will mark all your good plugins as disabled and you need to reinstall them one at a time to get them working again.

sudo add-apt-repository ppa:jonathonf/firefox-esr
sudo apt-get update
sudo apt-get install firefox-esr

Well, that’s the end of Firefox….  Sad to see it go after all these years, but the new plugin concept has made Firefox a subordinate version of Chrome rather than a powerful, customizable tool.

 

I followed these fine directions and now have waterfox running.

echo 'deb https://web.archive.org/web/20190207094152/https://dl.bintray.com/hawkeye116477/waterfox-deb/ release main' | sudo tee /etc/apt/sources.list.d/waterfox.list
curl https://web.archive.org/web/20200209091904/https://bintray.com/user/downloadSubjectPublicKey?username=hawkeye116477 | sudo apt-key add -
sudo apt-get update
sudo apt upgrade
sudo apt install waterfox

Just import your firefox preferences on starup and walla, you instant happiness with all the plugins that Quantum broke restored, including such absolute essentials as “Classic Theme Restorer” (which undoes the absolutely horrible UI changes that Mozilla adopted) and downthemall, privacy plugins, etc. If you’ve updated some plugins to be Quantum compatible, you’ll have to back those up (for me that’s things like FoxClocks and Noscript, which managed to hack together semi-viable Quantum compatible plugins after slogging through Mozilla’s buggy WebExtensions API and HTML5 quirks).

This whole translation is quite unfortunate. Waterfox is dependent on the Firefox code base, so this solution may have a finite lifespan, but for now it works and undoes the horror of Firefox 57+/Quantum.

Posted at 11:43:58 GMT-0700

Category: NeutralReviewsTechnology

Making Chrome Less Horrible

Saturday, June 13, 2015 

Google’s Chrome is  a useful tool to have around, but the security features have gotten out of hand and make it increasingly useless for real work without actually improving security.

After a brief rant about SSL, there’s a quick solution at the bottom of this post.


 

Chrome’s Idiotic SSL Handling Model

I don’t like Chrome nearly as much as Firefox,  but it does do some things better (I have a persistent annoyance with pfSense certificates that cause slow loading of the pfSense management page in FF, for example). Lately I’ve found that the Google+ script seems to kill firefox, so I use Chrome for logged-in Google activities.

But Chrome’s handling of certificates is abhorrent.  I’ve never seen anything so resolutely destructive to security and utility.  It is the most ill-considered, poorly implemented, counter-productive failure in UI design and security policy I’ve ever encountered.  It is hateful and obscene.  A disaster.  An abomination. The ill-conceived excrement of ignorant twits.  I’d be happy to share my unrestrained feelings privately.

It is a private network, you idiots

I’ve discussed the problem before, but the basic issues are that:

  • The certificate authority is NOT INVALID, Chrome just doesn’t recognize it because it is self-signed.  There is a difference, dimwits.
  • This is a private network (10.x.x.x or 192.168.x.x) and if you pulled your head out for a second and thought about it, white-listing private networks is obvious.  Why on earth would anyone pay the cert mafia for a private cert?  Every web-interfaced appliance in existence automatically generates a self-signed cert, and Chrome flags every one of them as a security risk INCORRECTLY.
  • A “valid” certificate merely means that one of the zillions of cert mafia organizations ripping people off by pretending to offer security has “verified” the “ownership” of a site before taking their money and issuing a certificate that placates browsers
  • Or a compromised certificate is being used.
  • Or a law enforcement certificate is being used.
  • Or the site has been hacked by criminals or some country’s law enforcement.
  • etc.

A “valid” certificate doesn’t mean nothing at all, but close to it.

So one might think it is harmless security theater, like a TSA checkpoint: it does no real harm and may have some deterrent value.  It is a necessary fiction to ensure people feel safe doing commerce on the internet.  If a few percent of people are reassured by firm warnings and are thus seduced into consummating their shopping carts, improving ad traffic quality and thus ensuring Google’s ad revenue continues to flow, ensuring their servers continue sucking up our data, what’s the harm?

The harm is that it makes it hard to secure a website.  SSL does two things: it pretends to verify that the website you connect to is the one you intended to connect to (but it does not do this) and it does actually serve to encrypt data between the browser and the server, making eavesdropping very difficult.  The latter useful function does not require verifying who owns the server, which can only be done with a web of trust model like perspectives or with centralized, authoritarian certificate management.

How to fix Chrome:

The damage is done. Millions of websites that could be encrypted are not because idiots writing browsers have made it very difficult for users to override inane, inaccurate, misleading browser warnings.  However, if you’re reading this, you can reduce the headache with a simple step (Thanks!):

Right click on the shortcut you use to launch Chrome and modify the launch command by adding the following “--ignore-certificate-errors

Unfuck chrome a bit.

Once you’ve done this, chrome will open with a warning:

zomg: ignore certificate errors? who doesn't anyway?

YAY.  Suffer my ass.

Java?  What happened to Java?

Bonus rant

Java sucks so bad.  It is the second worst abomination loosed on the internet, yet lots of systems use it for useful features, or try to.  There’s endless compatibility problems with JVM versions and there’s the absolutely idiotic horror of the recent security requirement that disables setting “medium” security completely no matter how hard you want to override it, which means you can’t ever update past JVM 7.  Ever.  Because 8 is utterly useless because they broke it completely thinking they’d protect you from man in the middle attacks on your own LAN.

However, even if you have frozen with the last moderately usable version of Java, you’ll find that since Chrome 42 (yeah, the 42nd major release of chrome. That numbering scheme is another frustratingly stupid move, but anyway, get off my lawn) Java just doesn’t run in chrome.  WTF?

Turns out Google, happy enough to push their own crappy products like Google+, won’t support Oracle’s crappy product any more.  As of 42 Java is disabled by default.  Apparently, after 45 it won’t ever work again.  I’d be happy to see Java die, but I have a lot of infrastructure that requires Java for KVM connections, camera management, and other equipment that foolishly embraced that horrible standard.  Anyhow, you can fix it until 45 comes along…

To enable Java in Chrome for a little while longer, you can follow these instructions to enable NPAPI for chrome <42 (which enables Java).  Type “chrome://flags/#enable-npapi” in the browser bar and click “enable.”

Enable NAPI

Posted at 13:24:37 GMT-0700

Category: HowToSecurityTechnology

Undoing the Job Justifying Efforts of UX Kids

Saturday, June 6, 2015 

If you’re a UX designer on a mature project, you have to justify your pay somehow – design refreshes become a requirement.  If tool companies had UX designers on staff, hammers would look like porcupines.

a person in pain wielding a porcupine like a hammer

One of the most annoying features of FireFox V34 was the pop-down search menu.  Nice concept, but if your mouse drifts, you end up searching on twitter or amazon or some other useless thing, or just calling up the idiotic “add search options” dialog.  Srsly.  The search bar is a nice thing, thank you, leave it be.

Fortunately, FF offers a way to undo most of the horrible changes visited on the UI and you can keep it functional and efficient by undoing the damage that treating a program like a fashion plate rather than a tool has wrought.  Classic Theme Restorer is a good example.

Fixing the drop down search menu barf is easy: enter “about:config” in the URL bar and search for “browser.search.showOneOffButtons”  Set the value to “False” and stop being delayed by random search destinations.

Dear dev teams: your first responsibility is to the users who have adopted your product.  If you want to change the use case, fork.

Posted at 11:37:13 GMT-0700

Category: Technology

Google APIs Suck

Friday, January 4, 2013 

Off-Site scripts are annoying and privacy invasive. They are a vector for malware, waste your computer’s resources, and generally add limited capability.  They’re a shortcut for developers but rarely add real value that can’t be replaced by locally-hosted, open-source scripts and always compromise your privacy (or the privacy of your site’s visitors).

To explain – I use noscript (as everyone should) with Firefox (it doesn’t work with Chrome: I might consider trusting Google’s browser for some mainstream websites when it does, but I don’t really like that Chrome logs every keystroke back to Google and I’m not sure why anyone would tolerate that).  NoScript enables me to give per-site permission to execute scripts.

The best sites don’t need any scripts to give me the information I need.  It is OK if the whizzy experience is degraded somewhat for security’s sake, as long as that is my choice. Offsite scripting can add useful functionality, but the visitor should be able to opt out.

Most sites use offsite scripting for privacy invasion – generally they have made a deal with some heinous data aggregator who’s business model is to compile dossiers of every petty interest and quirk you might personally have and sell them to whoever can make money off them: advertisers, insurance companies, potential employers, national governments, anyone who can pay.  In return for letting them scrounge your data off the site, they give the site operator some slick graphs (and who doesn’t love slick graphs). But you lose.  Or you block google analytics with noscript.  This was easy – block offsite scripts if you’re not using private browsing or switch to private browsing (and Chrome’s private browsing mode is probably fine) and enjoy the fully scripted experience.

But I’ve noticed recently a lot of sites are borrowing basic functionality from Google APIs.  Simple things, for which there are plenty of open source scripts to use like uploading images – this basic functionality is being sold to them in an easy to integrate form in exchange for your personal information: in effect, you’re paying for their code with your privacy. And you either have to temporarily allow Google APIs to execute scripts in your browser and suck up your personal information or you can’t use the site.

If you manage a website, remove as many calls as you can, including removing calls back to wordpress and fonts.  These are all data collection mechanisms that seem to make it easy in exchange for aggregating data on users.  I recommend three browser plugins to significantly improve privacy and reduce data collection.  They break some sites, but those sites are so privacy violating that you shouldn’t be visiting them anyway.

LocalCDN

Local CDN redirects CDN calls to locally cached copies, which improves performance and protects privacy.  CDNs make good money off your private data without your consent and the features they provide are easily replaced with local delivery.  This seems to have zero impact on browsing experience.

For firefox, you might try Decentraleyes.

Privacy Badger

EFF’s privacy badger is great.  It can be your only ad blocker if you, say, support ad-monetized content but just don’t want to be tracked.  EFF’s goal isn’t so much to end advertising but to give the user a tool to reject the more privacy invasive elements of such advertising or other mechanisms of tracking.  The “learning” mode is disabled by default because using it is, itself, trackable.

uBlock Origin

The ur-privacy plugin, uBlock Origin is by default fairly agressive in blocking and so not only protects privacy, but blocks scripts that slow your computer down, waste your costly energy doing free work for advertisers, and speeds up browsing.  It does, however, break some pages including things like logins and redirects, so become familiar with the mechanisms for selectively disabling blocking of scripts or sites that are important.

Posted at 07:34:36 GMT-0700

Category: PoliticsPrivacySecurityTechnology