by zzzcpan 3428 days ago
I'm curious about your train of thought, how are Firefox and Mozilla pro-user? And let's not take their PR into account, just facts of what they actually did so differently from Google to make them noticeably pro-user in your opinion.
2 comments

> I'm curious about your train of thought, how are Firefox and Mozilla pro-user?

Non-profits are usually more pro-user than for-profits. https://en.wikipedia.org/wiki/Mozilla_Foundation

[deleted]
You've got that backwards. The foundation owns the corporation.
It's easy to disable the little bit of surveillance they do to make money. Whereas, Google keeps surveilling people in more ways over time in their various platforms. The difference probably comes from whether users or advertisers are the primary focus.

What made you think Firefox and Mozilla are so anti-user? I didn't get many claims along those lines back when I was evaluating them.

Maybe it's just me being silly, over-critical and nitpicking minor things, but... Various design decisions didn't feel right to me.

A few examples that come to mind:

- Sync is just terrible. It's insecure, awfully overengineered, poorly documented proprietary mess.

- Mandatory addon signing was understandable, but still didn't feel exactly right. Probably because I'm a luddite and don't fancy those walled garden app stores, and that somehow resembled those.

- Moving to WebExtensions-only is going to hurt badly. AFAIK it was announced they'll soon stop signing new non-WE addons for Firefox 53 (which is quite real soon). I don't want a Chromium clone with another rendering engine and Firefox Account instead of Google.

- DRM support. Browser market share, user requests, etc, but still - thanks for helping that cancer spread more freely.

- Test Pilot instead of just publishing experimental addons on AMO feels weird. Especially the fact that those addons self-uninstall after someone says the experiment's over. Well, it's Mozilla work and it's their decision how they want things to be, but it just doesn't feel right to me. FLOSS used to be somehow... different in days back there.

- Pocket integration was sort of controversial. I've used Pocket's extension, but it surely didn't belong to the browser core.

- Some UIs were dumbed down to the extent of being barely usable. Some comments blame Chrome hiding TLS info here, but Mozilla had pioneered that (although to a lesser extent).

At least Sync can be self hosted https://github.com/mozilla-services/syncserver and is there any open standard for that kind of syncing?

I'm about to self host sync myself so I'm interested in your claim about it being insecure. I won't sync passwords or form fields, because I don't store them in the browser. Only browsing history and maybe tabs, but for sure I don't want to send all my desktop tabs to my phone. Most of them won't make any sense there.

In short, the crypto itself looks okay (I'm not a cryptographer!), but the auth form you see is served over the network. It doesn't send password back - just passes it to browser runtime, so it would run KDFs on it - but you won't know what you'll get served next time.

As for the protocol - there is WebDAV. Seriously. It's functionally equivalent to what their blob storage does, except simpler, vendor independent, and doesn't mandate any particular auth schemes. Oh, and their auth protocols are a total mess (BrowserID, HAWK _and_ OAuth - three different protocols are necessary to just talk to the damn system!). I get it, three teams were working on different pieces (accounts, tokenserver and the actual sync blob storage), but they could've at least tried to not invent that up, but use something standard. Or, at the very least, settle on a single protocol.

I'm saying this as someone who had spent some time reading docs and reverse engineering the rest, and had implemented an almost-working (sans some undocumented oddities and a few lazy omissions leading to glitches, but it mostly works-for-me) standalone sync1.5 server - same functionality could've been done in a much saner and simpler way.