Add IceCat to Browser Recommendations #916

Closed
asddsaz wants to merge 4 commits from patch-27 into master
asddsaz commented 2019-05-09 04:59:34 +00:00 (Migrated from github.com)

**Basic Description**: Add [IceCat](https://www.wikipedia.org/wiki/GNU_IceCat) to browser recommendations

**Has this been brought up on privacytools.io before?** Numerous times: https://github.com/privacytoolsIO/privacytools.io/issues?utf8=%E2%9C%93&q=IceCat

**Why?** Unlike [Firefox](https://www.wikipedia.org/wiki/Firefox), [IceCat](https://www.wikipedia.org/wiki/GNU_IceCat) includes many privacy enhancing extensions preinstalled including Https-Everywhere, SpyBlock, and a variety of fingerprinting countermeasures.[1](https://archive.fo/fIXVg)

This is significantly different than [FireFox](https://www.wikipedia.org/wiki/Firefox) where generally users must manually perform many [about:config](about:config) changes.[1](https://www.privacytools.io/browsers/#about_config)

Plus, [IceCat](https://www.wikipedia.org/wiki/GNU_IceCat) is developed by a [non-profit](https://www.wikipedia.org/wiki/GNU_Project).
[FireFox](https://www.wikipedia.org/wiki/Firefox) is developed mostly by their [for-profit corporation](https://www.wikipedia.org/wiki/Mozilla_Corporation) and has had some challenges before ([remember Mr. Robot?](https://www.theverge.com/2017/12/16/16784628/mozilla-mr-robot-arg-plugin-firefox-looking-glass)).

**Edit:**
Differences Between IceCat and FireFox ESR:
https://directory.fsf.org/wiki/Gnuzilla#Differences%20between%20IceCat%20and%20Firefox%20ESR
privacytoolsIO (Migrated from github.com) reviewed 2019-05-09 04:59:34 +00:00
netlify[bot] commented 2019-05-09 05:06:37 +00:00 (Migrated from github.com)

Deploy preview for privacytools-io ready!

Built with commit 456475c657

https://deploy-preview-916--privacytools-io.netlify.com

beerisgood commented 2019-05-09 05:30:46 +00:00 (Migrated from github.com)

Addon "SpyBlock"
Why not uBlock Origin?

Addon "LibreJS" will break a lot of sites. Recommend for normal users? Don't think so.

"Fingerprinting countermeasure" what exactly?

Also you can do a lot more and better with Firefox
Just use gHacks user.js
Mikaela commented 2019-05-09 09:34:23 +00:00 (Migrated from github.com)

Is IceCat based on Firefox ESR, how up-to-date are they with the upstream and how big security team do they have? I understood Waterfox to be a single person project with potential bus factor issue and I wouldn't recommend something that could not be updated tomorrow.

asddsaz commented 2019-05-09 19:21:25 +00:00 (Migrated from github.com)

> Addon "SpyBlock"
> Why not uBlock Origin?

[UBlock](https://www.wikipedia.org/wiki/UBlock_Origin) blocks advertisements.
SpyBlock blocks trackers.
It is based on AdBlock Plus:
https://www.wikipedia.org/wiki/Adblock_Plus

> Addon "LibreJS" will break a lot of sites. Recommend for normal users? Don't think so.

[LibreJS](https://www.wikipedia.org/wiki/GNU_LibreJS) like other extensions including [NoScript](https://www.wikipedia.org/wiki/NoScript) are very easy to use.
You can easily whitelist sites or disable it altogether. Most will still work just without [non-free](https://www.wikipedia.org/wiki/Non-free_software) or [non-trivial](https://www.wikipedia.org/wiki/Trivia_(disambiguation)) JS functionality. :)

> Also you can do a lot more and better with Firefox
> Just use gHacks user.js

I remember trying to get my family and friends to bulk up their [FireFox](https://www.wikipedia.org/wiki/Firefox) security.
Asking somebody to change config files isn't just difficult. They are afraid to do it.

> Is IceCat based on Firefox ESR, how up-to-date are they with the upstream and how big security team do they have? I understood Waterfox to be a single person project with potential bus factor issue and I wouldn't recommend something that could not be updated tomorrow.

[IceCat](https://www.wikipedia.org/wiki/GNU_IceCat) is backed by [GNU](https://www.wikipedia.org/wiki/GNU_Project) and generally represented as having more security functionality than [FireFox](https://www.wikipedia.org/wiki/Firefox).[1](https://www.wikipedia.org/wiki/GNU_IceCat#Additional_security_features)

According to Wikipedia it is based on the 60.3.0 ESR release.
https://lists.gnu.org/archive/html/bug-gnuzilla/2018-11/msg00000.html

This is relatively close to the current popular release 60.6.1.
beerisgood commented 2019-05-09 19:51:27 +00:00 (Migrated from github.com)

> [UBlock](https://www.wikipedia.org/wiki/UBlock_Origin) blocks advertisements.
> SpyBlock blocks trackers.
> It is based on AdBlock Plus:
> https://www.wikipedia.org/wiki/Adblock_Plus

So IceCat uses an addon which is based on an adblocker from a company which makes money with ads and allows "not-annoying-ads". Nice!
Also uBlock Origin blocks trackers too!
asddsaz commented 2019-05-09 20:06:36 +00:00 (Migrated from github.com)

> > [UBlock](https://www.wikipedia.org/wiki/UBlock_Origin) blocks advertisements.
> > SpyBlock blocks trackers.
> > It is based on AdBlock Plus:
> > https://www.wikipedia.org/wiki/Adblock_Plus
>
> So IceCat uses an addon which is based on an adblocker from a company which makes money with ads and allows "not-annoying-ads". Nice!
> Also uBlock Origin blocks trackers too!

I come from a [philosophical](https://www.wikipedia.org/wiki/Philosophical) standpoint that [advertising](https://www.wikipedia.org/wiki/Advertisment) is not [immoral](https://www.wikipedia.org/wiki/immoral) and a valid way to make income.

The issues come into play when companies forcibly track users by not accepting [Do Not Track](https://www.wikipedia.org/wiki/Do_Not_Track) headers.

Nothing is wrong with IceCat's SpyBlock.

> I come from a philosophical standpoint that advertising is not immoral and a valid way to make income.

While I agree with this, I'm not sure if adblockers operating a mafia-esque protection racket is the best way to promote change among advertisers. It's a "pay us money and tweak your ads a bit or we'll cut off your income" type of operation at AdBlock Plus from what I can tell.
asddsaz commented 2019-05-12 01:48:33 +00:00 (Migrated from github.com)

@JonahAragon yes, I'm not agreeing with Adblock Plus's funding model.
Ad blockers that only block ads that track you are fine. It can help incentivize change.

Their mafia-like corporate style isn't right.[1](https://www.wikipedia.org/wiki/Adblock_Plus#Acceptable_Ads)
However, [SpyBlock](https://directory.fsf.org/wiki/Gnuzilla_SpyBlock) isn't Adblock Plus.

My bad, I didn't even realize we were talking about SpyBlock, I just focused on ABP, whom I dislike a lot :)

blacklight447 (Migrated from github.com) reviewed 2019-05-28 10:33:47 +00:00
blacklight447 (Migrated from github.com) left a comment

I myself would be against making it one of the top recommendations, but as it seems to be kept fairly up to date, I guess it would be okay to add it to worth mentioning.

nitrohorse (Migrated from github.com) requested changes 2019-07-20 01:00:56 +00:00
nitrohorse (Migrated from github.com) left a comment

Primarily I'm concerned that it's based on Firefox ESR and the security implications of that. The latest version of IceCat is 60.7.0 (2 June 2019; 46 days ago). Looking at [Mozilla's latest Advisories](https://www.mozilla.org/en-US/security/advisories/) there are one "high" and two "critical" vulnerabilities unfixed in IceCat at the moment from what I can tell.

![moz-advisories](https://user-images.githubusercontent.com/1514352/61507008-997fe480-a9d3-11e9-918b-6173e3f62169.png)

There's also the further concern of [unpatched 0-days](https://www.reddit.com/r/privacy/comments/cbxrvb/what_do_the_unfixed_zerodays_mean_for_icecat/) in IceCat.
five-c-d commented 2019-07-21 17:06:46 +00:00 (Migrated from github.com)

> concerned that it's based on Firefox ESR and the security implications of that

TorBrowser (top3 listing) is also based on Firefox ESR. And for that matter, BraveBrowser is based on Chromium. Being based on an upstream project is not in and of itself a dealbreaker, it is just, the downstream people need to be **prompt** when a security-fix arrives upstream, in getting that security hole plugged in their downstream soft-fork.

> unpatched 0-days

Believe that the term for that nowadays is "0ld-days" ...something that, at one point, was a zero-day... but now is so well known that it ought to have been patched (but was not in a particular codebase or spinoff thereof).
nitrohorse commented 2019-07-21 19:50:21 +00:00 (Migrated from github.com)

> Being based on an upstream project is not in and of itself a dealbreaker, it is just, the downstream people need to be prompt when a security-fix arrives upstream, in getting that security hole plugged in their downstream soft-fork.

Yeah, you're right. In regards to zero-day exploits I was calling out from that Reddit thread, the ESR with these two exploits patched is 60.7.2 while IceCat is currently at 60.7.0. That means there are currently two, known, unpatched zero-day exploits in IceCat. So from my perspective I'm not sure if IceCat is prompt enough with security fixes to warrant a recommendation on PTIO?
WorryTheBirds12 commented 2019-07-26 05:50:07 +00:00 (Migrated from github.com)

@nitrohorse IceCat has kinda started doing their own thing. Implementing features to help software freedom. If you have any issues, I would recommend sending an email out to their mailing list:

http://lists.gnu.org/mailman/listinfo/bug-gnuzilla

If you do end up doing this, go through the [archives](https://lists.gnu.org/archive/html/bug-gnuzilla/) and post it here. As I understand it, IceCat is still a fairly popular browser and pre-installed in many [GNU-recommended](https://www.gnu.org/distros/free-distros.html) OSes.
nitrohorse commented 2019-07-27 01:23:09 +00:00 (Migrated from github.com)

@WorryTheBirds12 I don’t have an issue with IceCat other than their lag-time for fixing 0-days and known vulnerabilities. I’m not planning on reaching out to their mailing list but definitely interested in their response to this.

Mikaela (Migrated from github.com) requested changes 2019-08-01 12:05:02 +00:00
Mikaela (Migrated from github.com) left a comment

I agree with @nitrohorse

> I don’t have an issue with IceCat other than their lag-time for fixing 0-days and known vulnerabilities. I’m not planning on reaching out to their mailing list but definitely interested in their response to this.
nitrohorse commented 2019-08-03 15:31:27 +00:00 (Migrated from github.com)

@asddsaz I think for now, we'll be closing this PR due to our noted security-related concerns.

Reference: privacyguides/privacytools.io#916