Add IceCat to Browser Recommendations #916
Reference: privacyguides/privacytools.io#916
Basic Description: Add IceCat to browser recommendations
Has this been brought up on privacytools.io before? Numerous times: https://github.com/privacytoolsIO/privacytools.io/issues?utf8=%E2%9C%93&q=IceCat
Why? Unlike Firefox, IceCat includes many privacy-enhancing extensions preinstalled, including HTTPS Everywhere, SpyBlock, and a variety of fingerprinting countermeasures.1
This is significantly different than Firefox, where generally users must manually perform many about:config changes.1
Plus, IceCat is developed by a non-profit.
Firefox is developed mostly by their for-profit corporation and has had some challenges before (remember Mr. Robot?).
Edit:
Differences Between IceCat and Firefox ESR:
https://directory.fsf.org/wiki/Gnuzilla#Differences%20between%20IceCat%20and%20Firefox%20ESR
Deploy preview for privacytools-io ready!
Built with commit
456475c657
https://deploy-preview-916--privacytools-io.netlify.com
Addon "SpyBlock"
Why not uBlock Origin?
Addon "LibreJS" will break a lot of sites. Recommend for normal users? I don't think so.
"Fingerprinting countermeasure" what exactly?
Also you can do a lot more and better with Firefox
Just use gHacks user.js
Is IceCat based on Firefox ESR, how up-to-date are they with the upstream and how big a security team do they have? I understood Waterfox to be a single person project with potential bus factor issue and I wouldn't recommend something that could not be updated tomorrow.
uBlock blocks advertisements.
SpyBlock blocks trackers.
It is based on AdBlock Plus:
https://www.wikipedia.org/wiki/Adblock_Plus
LibreJS, like other extensions including NoScript, is very easy to use.
You can easily whitelist sites or disable it altogether. Most will still work just without non-free or non-trivial JS functionality. :)
I remember trying to get my family and friends to bulk up their Firefox security.
Asking somebody to change config files isn't just difficult. They are afraid to do it.
IceCat is backed by GNU and generally represented as having more security functionality than Firefox.1
According to Wikipedia it is based on the 60.3.0 ESR release.
https://lists.gnu.org/archive/html/bug-gnuzilla/2018-11/msg00000.html
This is relatively close to the current popular release 60.6.1.
So IceCat uses an addon which is based on an adblocker from a company which makes money with ads and allows "not-annoying-ads". Nice!
Also uBlock Origin blocks trackers too!
I come from a philosophical standpoint that advertising is not immoral and a valid way to make income.
The issues come into play when companies forcibly track users by not accepting Do Not Track headers.
Nothing is wrong with IceCat's SpyBlock.
While I agree with this, I'm not sure if adblockers operating a mafia-esque protection racket is the best way to promote change among advertisers. It's a "pay us money and tweak your ads a bit or we'll cut off your income" type of operation at AdBlock Plus from what I can tell.
@JonahAragon yes, I'm not agreeing with Adblock Plus's funding model.
Ad blockers that only block ads that track you are fine. It can help incentivize change.
Their mafia-like corporate style isn't right.1
However, SpyBlock isn't Adblock Plus.
My bad, I didn't even realize we were talking about SpyBlock, I just focused on ABP, whom I dislike a lot :)
I myself would be against making it one of the top recommendations, but as it seems to be kept fairly up to date, I guess it would be okay to add it to worth mentioning.
Primarily I'm concerned that it's based on Firefox ESR and the security implications of that. The latest version of IceCat is 60.7.0 (2 June 2019; 46 days ago). Looking at Mozilla's latest Advisories there are one "high" and two "critical" vulnerabilities unfixed in IceCat at the moment from what I can tell.
There's also the further concern of unpatched 0-days in IceCat.
TorBrowser (top3 listing) is also based on Firefox ESR. And for that matter, BraveBrowser is based on Chromium. Being based on an upstream project is not in and of itself a dealbreaker, it is just, the downstream people need to be prompt when a security-fix arrives upstream, in getting that security hole plugged in their downstream soft-fork.
Believe that the term for that nowadays is "0ld-days" ...something that, at one point, was a zero-day... but now is so well known that it ought to have been patched (but was not in a particular codebase or spinoff thereof).
Yeah, you're right. In regards to zero-day exploits I was calling out from that Reddit thread, the ESR with these two exploits patched is 60.7.2 while IceCat is currently at 60.7.0. That means there are currently two, known, unpatched zero-day exploits in IceCat. So from my perspective I'm not sure if IceCat is prompt enough with security fixes to warrant a recommendation on PTIO?
@nitrohorse IceCat has kinda started doing their own thing. Implementing features to help software freedom. If you have any issues, I would recommend sending an email out to their mailing list:
http://lists.gnu.org/mailman/listinfo/bug-gnuzilla
If you do end up doing this, go through the archives and post it here. As I understand it, IceCat is still a fairly popular browser and pre-installed in many GNU-recommended OSes.
@WorryTheBirds12 I don’t have an issue with IceCat other than their lag-time for fixing 0-days and known vulnerabilities. I’m not planning on reaching out to their mailing list but definitely interested in their response to this.
I agree with @nitrohorse
@asddsaz I think for now, we'll be closing this PR due to our noted security-related concerns.