Saving Firefox

So once again the topic of Firefox’s decline has shown up on Hacker News. I want to give my opinion on the topic as a long-time Firefox user who switched to Chrome about a decade ago. I’m not an expert on browsers, and really I don’t think my opinion is that worthwhile - my relevant credentials are “someone who has thought a bit about browsers and one of billions who uses a browser”.

So, with that said, here’s some stuff.

Why do I use Chrome? Why do others?

The main reason I switched to Chrome is pretty straightforward. It was, by far, the safest browser on the market. It wasn’t even close. When Chrome got decent market share the entire web had a shift in its threat landscape. I personally had a computer basically destroyed by a Java 0-click drive by as a teenager and I was not happy about it.

Besides introducing the now-commonplace “auto updater”, Chrome implemented Click To Play for Java and Flash and it sandboxed Flash, so you could run it and still be safe from all but the advanced attackers. Again, this was an absolute game changer. Black Hole and Poison Ivy, the big pay-to-play exploit kits at the time, would detect if you were a Chrome user and fall back to trying to just convince you to download and run malware. Drive-By exploits went from being pretty commonplace to basically dead - when was the last time you heard about a massive, publicly used, spray-and-pray 0-click exploit against users browsing the internet? It just doesn’t happen anymore, attacks are far more targeted because they are radically more expensive.

So, yeah, I chose to move to Chrome.

Why did I stick with Chrome, and why do I suspect many others do? Well…. at least for me, that’s pretty simple - it’s what I, and many others, use at work.

There’s one major reason why companies centralize on Chrome, other than that it’s the most common browser: SOC2 and compliance.

The vast majority of companies need to attain some kind of certification, such as SOC2. One thing that you’ll need to do in that process is answer questions like “how do you make sure that your computers are patched? how do you authenticate clients?”. These are good questions for every company to answer, but many companies don’t have a choice in the matter - they have to answer them.

First of all, answering questions about one browser is much easier than answering questions about two or arbitrary numbers of browsers. Just by saying “use only this browser” a company now only has to monitor a single User Agent to determine if the client is up to date. They only have to track CVEs for one browser. They only have to manage one browser. So then, the question is which browser? Well, obviously many will choose whatever is the majority - if you have to pick one, pick the one that most people use, right? Right.

But, also, there’s real merit to choosing Chrome for SOC2/Compliance, as well as actual security.

  1. IT can manage your Chrome profile, enforcing versioning and extension policies.
  2. IT can enforce Endpoint Verification when you SSO, if you have GSuite as your SSO provider.

I’m not saying every company is solving their SOC2 problems this way, but I bet a lot of them are. And you don’t need all of them to, just enough that Chrome becomes the “obvious” choice for the others who just need to pick whatever’s popular.

So, if you’re going to work every day and using Chrome, do you want to come home and use Firefox? Maybe you do, but I think the vast majority of people would prefer to use the same browser that they use every single day for work at home as well - after all, even minor UX differences between the two will be painful.

Lack of Motivation

The reality is that Firefox’s message hasn’t been very compelling for a long time.

  1. Firefox is funded almost exclusively by Google. So they can say “wow Google is so evil!” but idk, it just isn’t really doing it for me when you’re taking their money. What’s the long term plan here? Firefox suddenly takes a ton of market share, and Google just pays for that? It’s kind of shocking that Google still bothers to pay Firefox as much as they do given the lack of market share. I don’t think Mozilla is the basket for my eggs, personally.

  2. I’m not convinced that Mozilla is the horse to bet on. Brave seems far more interesting to me. I’m not going to try to plug Brave, but integrating TOR (and donating lots of TOR nodes) is actually a genius move that seriously moves the needle with regards to privacy. Brave is also willing to actually answer the question “how would the internet look if we removed advertising?” and whether you’re happy with their answer or not, Mozilla wouldn’t exist without ad revenue at all. Mozilla can safely target user privacy while its market share dwindles, but the reality is that ads still pay their bills. I know Mozilla sort of half tried to do something about this and failed, I can’t even remember what that was called, but it was some sorta alt-funding for the web idea. I don’t know, try harder.

  3. A lot of Privacy conversations are… bad. People used to talk about all of these things Chrome did that just do not matter. One example is that people freaked out about LLMNR poisoning detection - Chrome sends out a bunch of LLMNR packets to your local broadcast network when it starts up (or it used to at least, idk if it still does). So people would see this in wireshark and be like “oh my god Chrome is sending out packets when I didn’t do anything”. The thing is, the packets never even left your local network, and they were there to protect you - if those LLMNR requests received responses it means someone on your network is fucking with you. This is just one example of literally well over a dozen where “omg Chrome is talking over the network” was just… not a problem at all. “Chrome collects every website you visit” welllllll, uh, kinda?

    The Google Safebrowsing API collects partial hashes of websites you visit and, if the partial hash collides with a suspicious site, the full hash is provided (which obviously can be reversed on Google’s end). Is that really bad? I mean it’s not great, but how would you have implemented that feature? It’s actually avoiding sending the full hash in the vast majority of cases, only a partial hash, which I don’t think is nearly as easy to reverse (and certainly always leaves plausible deniability). I think V3, which requires an Opt In (for enhanced protection) actually collects full URLs in order for Google to visit the site, analyze it dynamically, and then make a judgment - hey, look, that’s definitely not great for privacy… but it’s opt in and it’s also clearly a win for security (even if we say it’s a loss for privacy!). So, idk, is Chrome super evil?

    But wait, Manifest V3! OK, yeah, Manifest V3 is kind of annoying, although I think for reasons that are not exactly mainstream. I wish that Chrome would handle it differently and I’ll elaborate further in a minute. I believe that the problem of malicious extensions is legitimate and needs to be addressed - extensions absolutely have too many privileges. I’ve been told by others (experts) that they’ve encountered malicious/spam extensions and they track this sort of thing and believe it’s a real issue. Manifest V3 is an attempt to limit a malicious extension’s abilities. Many people have been saying, for years, that this is evil and will break ad-blockers. The reality is not that straightforward - Google has implemented many changes in Manifest V3 expressly to allow for adblockers to continue. Really, what annoys me about Manifest V3 the most is that Google isn’t coming out and giving us more data on malicious extensions and how V3 will stop them. Like, just do that please, it would be super interesting.

    Manifest V3 is in no way the “death” of adblockers, as far as I can tell. Adblockers will still be largely functional, and certainly 30,000 dynamic rules should be enough to block Google’s trackers, right? Again, let me know if I’m just totally off here. In fact, here’s a version of uBlock Origin that is using Manifest V3 features exclusively: https://github.com/gorhill/uBlock/commit/a559f5f2715c58fea4de09330cf3d06194ccc897

    The point is that these discussions tend to be extremely hyperbolic, low in technical content, and refuse to acknowledge that there are real issues with the way things work right now. I could continue on and discuss WEI but this section is already obscenely long (and I cut out a whole bunch of extra V3 content about the APIs just to keep it shorter!).
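The LLMNR check described in point 3 above (query a name that cannot exist; anyone who answers is claiming names they do not own) as an added Python example, not Chrome’s or Mozilla’s code. The message format follows RFC 4795; the spoofed reply used as input is constructed in-process so the detection logic runs offline, and the live `probe()` only runs when the file is executed directly.

```python
"""LLMNR spoof-detection probe (constructed example, not Chrome's code).

Ask the link-local multicast group to resolve a name that cannot exist. A clean
network stays silent; a host that answers is claiming names it does not own,
which is what LLMNR poisoning looks like from the victim's side (RFC 4795 format).
"""
import os
import random
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
QR_FLAG = 0x8000  # "this is a response" bit in the flags field
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(name, txid):
    """One LLMNR A query: 12-byte header plus a single question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def decode_name(data, offset):
    """Read a (possibly compressed) name; returns (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(data, ptr)[0])
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data):
    """Return (txid, [question names], [(answer name, ipv4)]); raises on junk."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & QR_FLAG:
        raise ValueError("not a response")
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        offset += 4  # skip QTYPE, QCLASS
        questions.append(name)
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            answers.append((name, socket.inet_ntoa(rdata)))
    return txid, questions, answers


def assess(txid, probe_name, responses):
    """responses: [(source_ip, raw_bytes)]. Returns (source, advertised ip) pairs
    that answered OUR bogus name with OUR transaction id; anything else is noise."""
    hits = []
    for src, raw in responses:
        try:
            rid, questions, answers = parse_response(raw)
        except (ValueError, IndexError, struct.error):
            continue  # malformed or unrelated datagram
        if rid != txid or probe_name not in (q.lower() for q in questions):
            continue
        hits.extend((src, ip) for name, ip in answers if name.lower() == probe_name)
    return hits


# Constructed sample: the reply a spoofing host would send for "llmnr-deadbeef"
# (transaction id 0x1234), pointing the name at 192.168.1.55.
SAMPLE_TXID, SAMPLE_NAME = 0x1234, "llmnr-deadbeef"
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", SAMPLE_TXID, QR_FLAG, 1, 1, 0, 0)
    + encode_name(SAMPLE_NAME) + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c"  # answer name = pointer to the question name at offset 12
    + struct.pack("!HHIH", TYPE_A, CLASS_IN, 30, 4) + socket.inet_aton("192.168.1.55")
)


def probe(timeout=1.0):
    """Live check (only when run directly): multicast one query for a random
    bogus name and report whoever answers it within the timeout."""
    name, txid = "llmnr-probe-" + os.urandom(4).hex(), random.randrange(1 << 16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    responses = []
    try:
        sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(512)
            responses.append((src, data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return assess(txid, name, responses)


if __name__ == "__main__":
    print("offline sample:", assess(SAMPLE_TXID, SAMPLE_NAME, [("192.168.1.55", SAMPLE_REPLY)]))
    print("live probe:", probe())
```

The check keys on both the transaction id and the queried name, so a stray response to someone else’s query on the segment is ignored; only a reply that resolves a name nobody could legitimately hold counts as a hit.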
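A toy model of the Safe Browsing partial-hash lookup discussed in point 3, added here as an example and not Google’s code. It follows the Update API flow as I understand it: the client stores only hash prefixes, and when one of a visited URL’s lookup expressions matches a stored prefix it sends that prefix (never the URL) and compares the returned full hashes locally. The bad list, the 4-byte prefix length and the simplified URL-expression rules are assumptions for the example; the server is simulated in-process.

```python
"""Toy model of the Safe Browsing partial-hash lookup (constructed example).

The client holds only hash PREFIXES of bad URL expressions. For each visited URL
it builds the lookup expressions, hashes them, and checks the local prefix set.
Only on a prefix hit does it contact the server, sending the colliding prefix,
not the URL; the server returns the full hashes it has for that prefix and the
client compares them locally.
"""
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes; assumed prefix size for this example


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).digest()


def lookup_expressions(url):
    """Simplified host-suffix x path-prefix expressions (an approximation of the
    Safe Browsing canonicalization rules, not a faithful copy)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    hosts = [host]
    last5 = host.split(".")[-5:]
    for i in range(0, len(last5) - 1):  # suffixes with at least two labels
        suffix = ".".join(last5[i:])
        if suffix != host:
            hosts.append(suffix)
    paths = {path, "/"}
    if parts.query:
        paths.add(path + "?" + parts.query)
    comps = [c for c in path.split("/") if c]
    dirs = comps if path.endswith("/") else comps[:-1]
    for n in range(1, min(4, len(dirs)) + 1):
        paths.add("/" + "/".join(dirs[:n]) + "/")
    return sorted(h + p for h in hosts for p in paths)


# Constructed sample of bad expressions held server-side; the client only ever
# downloads their prefixes.
SERVER_BAD = {sha256(e): e for e in ("phish.example/login/", "malware.example/")}
CLIENT_PREFIXES = {h[:PREFIX_LEN] for h in SERVER_BAD}


def server_full_hashes(prefixes):
    """Simulated server endpoint. This is all the server observes: a few
    prefixes, each shared by roughly 2^(8*(32-PREFIX_LEN)) possible hashes."""
    return {h for h in SERVER_BAD if h[:PREFIX_LEN] in prefixes}


def check_url(url, local_prefixes=CLIENT_PREFIXES):
    """Return (verdict, prefixes_sent); prefixes_sent is empty when the answer
    came entirely from the local list and nothing left the device."""
    hashes = [sha256(e) for e in lookup_expressions(url)]
    candidates = [h for h in hashes if h[:PREFIX_LEN] in local_prefixes]
    if not candidates:
        return "safe", set()
    sent = {h[:PREFIX_LEN] for h in candidates}
    confirmed = server_full_hashes(sent)
    verdict = "unsafe" if any(h in confirmed for h in candidates) else "safe"
    return verdict, sent


def simulate_prefix_collision(expr, local_prefixes=CLIENT_PREFIXES):
    """Pretend some other bad expression shares expr's prefix, so a visit to a
    benign URL triggers a server round-trip that comes back clean."""
    return local_prefixes | {sha256(expr)[:PREFIX_LEN]}


if __name__ == "__main__":
    print(check_url("https://example.com/"))
    print(check_url("http://www.phish.example/login/index.html?x=1"))
    collided = simulate_prefix_collision("benign.example/")
    print(check_url("http://benign.example/", collided))
```

The third call is the privacy-relevant case from the paragraph: a benign site whose prefix happens to collide still causes a prefix (not the URL) to be sent, and the server learns only that one of the many URLs under that prefix was visited.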

Suffice to say that, while I am a privacy advocate, I am just not swayed by the majority of conversations I have about Chrome versus Firefox.

So what’s to be done?

Well, it may surprise you to learn that my preference is actually for Firefox to “win”. Or, at least, for Chrome to “lose”. I don’t like a browser monopoly and as much as I think the privacy conversation around Chrome is mostly noise, Google’s interests in the web don’t align well with mine, longer term. If Google diversified more and stopped being an ad company that could change, but while I think advertising should always be a part of the internet it should never be the sole driver of it - and Google as it exists today will always benefit from a web that is driven exclusively by advertising.

Anyways, if I had to put a plan together for Mozilla, here’s what I’d do. (Of course, if I were actually the CEO I’d spend a hell of a lot of time talking to internal teams about what to do, but I’m not getting paid millions of dollars a year, unlike someone else….)

  1. Focus on enterprise. There should be a trivial way for companies to manage Firefox in an enterprise, integrate it with their SSO provider (GSuite, Okta, O365), and answer key compliance questions using Firefox. Firefox already has an LTS, which is cool and helpful. You can also manage it via GPO, but I’m talking about a web interface with integrations to other service providers, not just “get it installed”. IDK, maybe that exists? Mozilla marketing is terrible, see my next point…

  2. Firefox should emphasize other features that align well with the organization. Do you know how many ads I see a day for ExpressVPN and NordVPN? Dozens. They advertise on YouTube like crazy - a perfect demographic for Firefox users, in my opinion. Do you know how often I hear about Mozilla’s VPN? Literally never. I had to DDG it to make sure it hadn’t shut down or something. Mozilla needs to put tertiary integrations like a VPN front and center. Opera has been doing a very good job of this lately with OperaGX - meeting their users where they are and getting their brand out there.

  3. Honestly, fire the CEO. Absolute disaster and an abject, repeated failure. The board needs to get serious and get them out of there yesterday. I don’t think anything else matters more than this.

  4. Focus on core values. That means privacy (VPN, TOR), security, and performance. Firefox is in such an interesting position. Mozilla has Rust (and then fucked up incredibly by firing the entire team - again, fucking fire that joke of a CEO) and a unique engine to compete with. These are assets. Chrome is suffering from 0-day exploits very consistently now, it’s a real problem; a browser with significant use of a memory safe language would be a major marketing tool for users and organizations. And as for performance, things may have changed a lot over the last decade, but plenty of websites are still damn slow - I find it hard to believe that there isn’t more work to be done on performance. I remember when Mozilla put out this blog post and people lost their minds at how good it was - both in terms of the focused efforts and the way the content was presented. Of course, as I recall, the CEO fired the authors. Brilliant.

Anyways, I could go on and on about how the CEO of Mozilla absolutely has to be fired, but I won’t bother. This post is already way longer than I had intended. I think that Firefox has a path to success and I’d like to see it do so. Until then, switching to Firefox feels like a purely symbolic gesture with zero impact - me choosing Firefox won’t change the fact that companies aren’t, the fact that their marketing is disastrous, that their CEO is aggressively unfit for the role, etc.

I also want to note that it’s OK to disagree. I tried to make this clear in my first paragraph - I’m not an expert. I might make different value judgments, but I also might just be wrong. I’m also definitely not advocating that you switch to Chrome or something like that - if anything, it’s the opposite. Go make that symbolic gesture if you want to, or hell, use Firefox because for you it’s the better browser, by all means. I have just seen this conversation go on for years and I feel like throwing some of my thoughts out there.

If I’ve made an incorrect statement here or you think I’ve missed something important you can point it out to me, I would be happy to learn more.




Published: 05 December 2023
