
News update on Firefox

Firefox is carving out a spot on the Internet as a privacy-respecting alternative to Google Chrome. As I write this, they have published a Web Page under the title 2019 Firefox Flashback. This is making fun of Google’s many offers to show you what you did all year because, of course, that is how Google operates. They keep all of the data, but give you a chance every once in a while to look at it. But what is Firefox doing here? If you click on the page (https://www.mozilla.org/en-US/firefox/flashback/), the text that comes up reads:

We actually have no idea what you did online this year, and it’s gonna stay that way. It’s kind of our whole thing.

There’s a picture of a red panda below, though, if you want to scroll down for it.

In the meantime, this seems like an opportunity to mention that we’ve made a privacy promise: Take less. Keep it safe. No Secrets. Learn more about what privacy means to us.

So, what does Privacy mean to Firefox? If you click through, you see that there are three principles:

  • Take Less
  • Keep It Safe
  • No Secrets

OK, that is nice, and I have always found Firefox more privacy-respecting than Google. But then I got my latest updated version of Firefox (I went from 70.0.0.1 to 71.0), and it showed me a page called What’s New With Firefox, which talked about creating a Sync account with them. So what is this about? I know Chrome is constantly pushing me to log in to a Chrome account (which I resist), and why is Firefox any better? I decided it was time to take a look. First, they say:

No account required. But you might want one.

The Firefox browser collects so little data about you, we don’t even require your email address. But when you use it to create a Firefox account, we can protect your privacy across more of your online life.

Under that they list five items:

Firefox Monitor

Have at least one company looking out for your data, instead of leaking it.

Firefox Lockwise

Never forget, reset or travel without your passwords again.

Facebook Container

Get a container to keep Facebook out of your business.

Pocket

Trade clickbait and fake news for quality content.

Firefox Send

Send huge files to anyone you want, with self-destructing links.

OK, now on to what all of this means. First, what we need to understand is that there is an inescapable tension between privacy and convenience. Google has been successful with many users because it is so convenient to use. It uses what it learns about you to customize your search results to show the things it believes you are most likely to be looking for, as an example. It adds to this data by providing you with very convenient e-mail. A lot of people appreciate the convenience and don’t care too much about Google having all of this data. For Firefox, competing with Google means that it has to offer some degree of convenience, and that requires collecting some data, and they are quite open about it. To read more about what they collect, there is a privacy policy page at https://www.mozilla.org/en-US/privacy/firefox/, and the one I am looking at right now is dated October 31, 2019. And the claim they make there is:

We strive to collect only what we need to improve Firefox for everyone.

Personally, I think this is a responsible disclosure, and the page goes on to detail what data it collects, though I won’t repeat all of that here. You can look it up for yourself if you are so inclined. The point is that any usable browser is probably collecting some kinds of information, and you need to find a trade-off you can accept.

Now as to the account, here is more detailed information at https://support.mozilla.org/en-US/kb/firefox-accounts-managing-account-data. There are only three things required to set up an account: an e-mail address, a password, and your age. I suspect the age part is because of laws limiting the ages at which you can legally collect information so as to protect young children. But that is all that is necessary. Optional data includes a picture, a display name, a secondary e-mail, and two-step authentication. What do you get for doing this? The ability to have things like your bookmarks, open tabs, and so on follow you from device to device when you sign in. That is where the convenience part of the tradeoff comes. Now you don’t need to do any of this, but having it can make your life easier, and if you are a multiple device person (I have several desktops, a couple of laptops, and a phone) it can be quite handy. I set up my account as advertised, which then took me to a screen where I could sign in to different Firefox products.

Note that this is called Firefox Sync. To get the maximum benefit you need to go to each of your devices, open Firefox, and log in to your account. Here is what they will Sync between your different devices by default:

  • Bookmarks
  • History
  • Open Tabs
  • Logins and Passwords
  • Addresses
  • Add-ons
  • Preferences

But note that there is a Change button that lets you remove any of these that you don’t want Firefox to Sync.

Firefox Monitor

As you might guess from the name, this is a monitoring service. You log in with your Firefox Sync credentials, and it reports back with how many e-mail addresses are being monitored, how many times those addresses showed up in breaches of other sites, and whether or not the password was also obtained. I created my account with one of my e-mail addresses, so it only showed one being monitored. And that one was involved in three breaches. The worst of course was the Adobe breach from 2013, which exposed my password as well (which of course has since been changed), but there were a couple of 2019 breaches. For each, you can click through to get more information, and when I did the source of the data was the “Have I Been Pwned” web site. In addition, I received an e-mail with the same information.

At the bottom of the page there is a place to enter additional e-mail addresses, so I did. This triggers the sending of an authentication e-mail to the added address, which means I cannot monitor someone else’s address unless they have given me access to it. Once you click the link to verify the address you added, you will get an e-mail back telling you about any breaches that new address has been involved in. All in all, this adds convenience since you get an e-mail if you are involved in a breach, and that is preferable to having to remember to go somewhere and check.

Firefox Lockwise

This is a password manager that is built into Firefox. So it is a competitor to applications like OnePass and LastPass, though at this point it is still pretty much a work-in-progress. As someone who is happily using a paid Family account for LastPass, I won’t be switching any time soon. If you don’t already have a password manager, using this is at least an improvement. Password managers are the key to having long and strong passwords that provide essential security, so you should really be using one of some kind. And since this comes free with your Sync account, it is a great way to get started.

Facebook Container

This is actually an add-on for Firefox to help you avoid being tracked all over the web by Facebook. You see, Facebook loves to put a cookie into your browser that will report back to Facebook on any Web page you visit, which should get them on Santa’s naughty list. But how do you stop them? Install the Facebook Container add-on, and it will first log you out of all Facebook pages. Then, when you open Facebook again you will be in a “container”, i.e. a tab that is isolated from other tabs. So if you visit some other site, that information will not get back to Facebook. Note that anything you do while on Facebook will of course be visible to Facebook, so any of those Like buttons will still be noted. But this does improve your privacy somewhat.
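The isolation described above can be sketched as a small model. This is an added example, not code from Firefox or the Facebook Container add-on; the `Browser` class, the container names and the `news.example` page are assumptions made for illustration, and the model only covers the per-container cookie jar.

```javascript
// Simplified model (an assumption for illustration, not Firefox's code):
// every container has its own cookie jar, so a cookie set in one
// container is never attached to requests made from another.
class Browser {
  constructor() {
    this.jars = new Map(); // container name -> Map(site -> cookie value)
  }
  jar(container) {
    if (!this.jars.has(container)) this.jars.set(container, new Map());
    return this.jars.get(container);
  }
  // A response from `site` stores a cookie in the jar of the tab's container.
  setCookie(container, site, value) {
    this.jar(container).set(site, value);
  }
  // Load `page` in a tab that lives in `container`. The page itself and each
  // embedded resource are fetched with cookies from that container's jar only.
  visit(container, page) {
    return [page.site, ...page.embeds].map((site) => ({
      to: site,
      topLevel: page.site,
      cookie: this.jar(container).get(site) ?? null,
    }));
  }
}

// Sites on which `tracker` received its own cookie as an embedded resource,
// i.e. visits it can tie to a logged-in identity.
function identifiedVisits(requests, tracker) {
  return requests
    .filter((r) => r.to === tracker && r.topLevel !== tracker && r.cookie !== null)
    .map((r) => r.topLevel);
}

// Constructed sample page: a news site embedding a Facebook Like button.
const newsPage = { site: "news.example", embeds: ["facebook.com"] };

function withoutContainer() {
  const b = new Browser();
  b.setCookie("default", "facebook.com", "session=alice"); // logged in, ordinary tab
  return identifiedVisits(b.visit("default", newsPage), "facebook.com");
}

function withContainer() {
  const b = new Browser();
  b.setCookie("facebook", "facebook.com", "session=alice"); // logged in, container tab
  return identifiedVisits(b.visit("default", newsPage), "facebook.com");
}

console.log("without container:", withoutContainer());
console.log("with container:", withContainer());
```

In the second case the Like button is still requested, but without the session cookie, so the request is not linked to the logged-in account.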

Pocket

This was a useful independent product that got bought up by Mozilla, and integrates nicely into the browser. It lets you save web pages to read later, basically, and that can be handy if you run across something interesting but are busy with a project. Just save it to Pocket, and read it later at your leisure. You can get a free account if you don’t already have one, but they also offer premium accounts. My guess is that most people will be fine with the free account even though it will have ads. Just click on the Pocket button in the Address bar to add a page, and add a tag or two to help find it later. Then you can click the Library icon on the Bookmark bar when you want to read it.

Firefox Send

This can be very handy. You can upload a file of up to 2.5GB and in turn get a link you can send to your recipient. The file is encrypted, and you can set a password and how long before the link expires. The obvious use case is sending a file that is too large for e-mail when you don’t have a site of your own to upload it to. This does look useful.

Listen to the audio version of this post on Hacker Public Radio!