[Dev] [consensus] Features vs. Privacy in nonprism repo

Luke g4jc at openmailbox.org
Mon Oct 3 23:30:44 GMT 2016

As many of you know there were various hardening patches to IceWeasel
and IceDove recently. These patches were done by myself and gleaned from
other reliable sources such as TBB and PrivacyTools.io[1], as well as
consulting the Mozilla wiki.

Unfortunately, it has caused breakage on some websites[2][3] and
degraded user experience. This is to be expected, as the web becomes
less privacy-friendly, and more centralized/data-centric.

A quick run down of notable patches[4]:

1) Disable Telemetry for good (it was previously storing all the
telemetry data and probing your OS ever 2 minutes or so, including open
tabs and websites for 'analytical purposes')

2) Disable Balrog/AUS5, Mozilla's new non-transparent remote update
mechanism that fingerprints the user.

3) Disable Facial Recognition, Speech Recognition, and Virtual Reality API.

4) Disable various data leaks and remote updates, attempt to completely
stop Google from being queried and downloading their "safe-browsing"
list for every page you visit.

5) Stop IP leaks caused by WebRTC, WebSockets, and Captive Portal Detection.

6) Disable DOM Storage due to many privacy concerns and it being off in
all modern versions of TBB.

7) Disable weak hash and broken SSL implementation which do not prevent
eaves droppers from reading the page.

_- So this puts the nonprism projects at a crossroads. Do we want to
favour accessibility and "features" over "privacy"?_

From my personal opinion, nonprism should provide security and privacy
by default. Users can choose to opt-out of nonprism if they wish. This
is easily done by A) not using nonprism, or B) using about:config and/or
user.js to override the settings.

Meanwhile, some users have questioned why nonprism is not on by
default[5], and I think this is a valid point from a security
standpoint. Users may be using Parabola under the impression they are
experiencing the safest possible defaults, and this is currently not the

1. https://www.privacytools.io/#about_config

2. https://labs.parabola.nu/issues/1113

3. https://labs.parabola.nu/issues/1114

https://git.parabola.nu/abslibre.git/tree/nonprism/iceweasel/vendor.js /

5. https://labs.parabola.nu/issues/1093#note-3

Now that everyone is aware of the issues, please discuss. I do not feel
[nonprism] should become "privacy-lite" and libre become "no protection
at all".


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20161003/34e54fd6/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20161003/34e54fd6/attachment.sig>

More information about the Dev mailing list