[ploggingdev]

> Do use antivirus

I think the standard advice from the security community is to not use any antivirus at all and maybe only Windows Defender if you're on windows.

The advice to use Tor browser is also terrible. The Tor browser is based on an older version of Firefox ( currently version 52 vs 57 for upstream Firefox ) and so might contain known bugs.

On a side note what does the security community think about Qubes OS [0]? The approach of security by isolation is interesting.

[0] https://www.qubes-os.org/

[chippy]

Firefox 52 is a special Extended Support Release version and will continue to get security patches.

[tptacek]

ESR releases get a subset of security patches. Don't use Tor Browser.

[fffimem]

Not true. It’s based on the long-term-support version of firefox, called ESR. The ESR branch typically eschews new features for stability but certainly receives any security bug fixes alongside evergreen firefox.

[kuschku]

> The advice to use Tor browser is also terrible.

Mozilla uses tracking scripts in Firefox, which in some versions (such as Firefox Beta, Developer Edition, and Nightly) can not even be disabled (If you go to about:config, you’ll notice that toolkit.telemetry.enabled is "locked:true").

So Mozilla themselves suggests that if you do not trust Google Analytics to hold up their agreements with Mozilla, you should instead use another browser (e.g. Tor Browser).

[drdaeman]

Isn't it datareporting.healthreport.uploadEnabled (still unlocked and visible in the "options" -> "privacy & security" panel) that controls the upload, and toolkit.telemetry.enabled is only about whenever something is collected or not?

Either way, thanks for the pointer. Didn't knew that setting was revamped.

[kuschku]

> Isn't it datareporting.healthreport.uploadEnabled (still unlocked and visible in the "options" -> "privacy & security" panel) that controls the upload, and toolkit.telemetry.enabled is only about whenever something is collected or not?

I’m not actually sure – I’ve heard conflicting reports from Mozilla volunteers and employees in the past, but the general statement is that Beta, Dev, and Nightly contain tracking, and you opt into that when downloading, because the smallprint below the download button tells you that they will track you.

[drdaeman]

I've experimented with changing `toolkit.telemetry.server` to my own server. Not a single request for the last 18 hours (since I've read your comment and changed the settings)

[libertyEQ]

Using nmap, and not changing the destination server, I've seen numerous outbound requests in a given hour.

[robin_reala]

Tor Browser is based on ESR releases of Firefox which have security fixes backported.

[polote]

Why not use antivirus ? they are a good protection against downloaded content (email attachements, downloaded file) no ?

[strictnein]

Non-tech users should antivirus

If you're highly technical and no one else touches your machines, then you may be fine.

The claim that no one should use it is trendy right now. The idea that your in-laws Windows box should be left with nothing on it is misguided. But all you do need is to make sure Windows Defender is running and up to date.

[thx4allthestuff]

The last leg for me was TLS MiTM as an antivirus service. And so I don't use 3rd party antivirus on systems that I care about. I do use active firewalls and connection monitoring though, and I only install software that I've purchased (or open source software) on those systems. Perhaps ironically, I do have antivirus on my old laptop dedicated to watching ahem massage videos.