[tya99]

Honestly I wouldn't go anywhere near Palemoon. Not unless you feel like using an antiquated browser such as Firefox 28 which is where it forked.

I expect their shills will be deployed to this thread shortly.

It's certainly not more secure when you've got all your extensions running at highest level privileged (not WebExtensions), the sandboxing code "removed" because mattatobin a Palemoon developer says that it "doesn't work", without giving any specific use case and their non-compliance with the HSTS spec RFC6797 [0]. There's probably countless other things wrong with it, but that's what I spotted after a cursory look.

Their developers are also toxic https://github.com/privacytoolsIO/privacytools.io/issues/375 that's all the proof you ever needed.

Many of your sentiments there are demonstrated in that very thread. One of the developers (mattatobin) repeatedly avoids answering my questions and just says "fake news" and goes all trumpian on me.

Don't bother trying to ask on their forums about this they will just delete your posts and go on about "the untrue narrative" without addressing your questions.

If you contact them on twitter they will block you. It seemed like their while mode of operation was very "alt-right" if that makes sense. They live in a small "social bubble" it would seem.

I also found it rather lol that a so called "privacy browser" has to resort to using google advertising on their main page.

  15:05:34 www.palemoon.org -- script https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js 3p
  15:05:34 www.palemoon.org -- script https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js 3p
  15:05:34 www.palemoon.org -- script https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js 3p

[0]: https://tools.ietf.org/html/rfc6797#section-8.4

[apostacy]

I'm sorry for your bad experiences with the Palemoon guys. You are obviously not who this software is meant for.

I don't need or want sandboxing for my extensions -- I can take care of my own sandboxing external to the browser profile instance. And I don't want it either, because it makes them less flexible and powerful. XUL based extensions turn my browser into a power tool, Chrome is a toy.

I don't know why you are upset, because the vast majority of the Internet agrees with you. Most people are happy to have Google control their web browsing experience. Why do you engage with them if they make you so upset? Why are you threatened by a small group of users who want a browser their own way?

As for the HSTS thing, I'm sorry nobody explained that, I'd be happy to elaborate a bit more for you. My computer belongs to me, and I get to decide what runs on it. I can choose to use Palemoon how I want to. Not implementing HSTS according to the RFC is harming nobody except potentially myself. The way HSTS is written is self serving for the powers that be. It reenforces the SSL certificate infrastructure, and takes away user choice in the name of "security". For practical reasons, being able to disable HSTS is important for development. And even without Palemoon, there are still plenty of ways to bypass HSTS. All Palemoon is doing is saving users time.

Besides, Google, Apple, Facebook and Microsoft happily trample on the RFCs when it's convenient for them. Chrome itself was infamous for this when it first came out. I remember seeing Chrome users clobbering webservers and violating protocol to get slightly more speed. Of course, Chrome now sets the standards.

I have to disagree with your characterization of Palemoon users as fascists.

If you don't like Palemoon, then you are more than welcome to not use it and leave the community alone. The Palemoon community represents a dying breed. Soon enough, most hardware will be forced to use their browser, and will only be permitted to go to websites that they approve of. And mandatory DRM. Mozilla also loves DRM.

Anyway, if you have any more questions I'd be happy to answer.

[tya99]

> I'm sorry for your bad experiences with the Palemoon guys. You are obviously not who this software is meant for.

Who is it meant for if it's not meant for users? Are they intentionally trying to turn away certain people?

> I don't need or want sandboxing for my extensions

I think you'll find with all security, it's best to have the "principal of least privilege" https://en.wikipedia.org/wiki/Principle_of_least_privilege at all levels of software. The reason for this is because if something happens to exploit one area of your setup, the hope is that it will be stopped somewhere else.

> I can take care of my own sandboxing external to the browser profile instance.

As do I. I use multiple VLANs (network segregation), Virtual Machines, and other things in addition to browser profiles. Most people however do not. Software should be designed for "most people".

> And I don't want it either, because it makes them less flexible and powerful. XUL based extensions turn my browser into a power tool,

There's plenty of frameworks out there. Perhaps what you're trying to do shouldn't be a browser extension.

> Chrome is a toy.

Okay if you mean high performance web browser with a lot of market share that Mozilla must compete against in order to stay relevant?

> I don't know why you are upset, because the vast majority of the Internet agrees with you.

They do because I am right. I rarely say this as I do often like a good debate, however in this situation I will.

> Most people are happy to have Google control their web browsing experience. Why do you engage with them if they make you so upset? Why are you threatened by a small group of users who want a browser their own way?

I didn't engage with them. They came to our bug tracker and started to push their software on us. I contribute to the privacytools.io website. I was explaining why that particular piece of software did not belong there.

> As for the HSTS thing, I'm sorry nobody explained that, I'd be happy to elaborate a bit more for you. My computer belongs to me, and I get to decide what runs on it. I can choose to use Palemoon how I want to. Not implementing HSTS according to the RFC is harming nobody except potentially myself. The way HSTS is written is self serving for the powers that be. It reenforces the SSL certificate infrastructure, and takes away user choice in the name of "security". For practical reasons, being able to disable HSTS is important for development. And even without Palemoon, there are still plenty of ways to bypass HSTS. All Palemoon is doing is saving users time.

For software that is distributed to the public certain 'sane' defaults are expected for the software to be labeled as secure. These are usually according to spec as I pointed out in https://github.com/privacytoolsIO/privacytools.io/issues/375... there are a number of reasons why software developers should make certain choices for users.

There are a couple of reasons for this:

> 1. Users could be socially engineered into bypassing the warning

> 2. The warning gets "ignored" because lazy users just want to "visit that website", without thinking of or understanding the consequences.

> 3. Advanced users (web developers etc) can simply fix the error server side, do something like this, https://blog.filippo.io/mkcert-valid-https-certificates-for-... or at worst compile their own browser.

> 4. Website owners will fix errors as it will mean their customers, visitors will not be granted access.

The fact is, if Mozilla designed software for "a small group of users who think they know everything" nobody would use their software as the majority would have a poor user experience.

What I mean by that is allowing users to override certain security (they may not understand and may put them at risk) is not a solution to lazy site owners who have TLS errors. It is very good that those site owners must now fix their problems, or the sites simply won't work.

> Besides, Google, Apple, Facebook and Microsoft happily trample on the RFCs when it's convenient for them. Chrome itself was infamous for this when it first came out. I remember seeing Chrome users clobbering webservers and violating protocol to get slightly more speed. Of course, Chrome now sets the standards.

Maybe so, and those are separate issues. Those issues should be constructively criticized when they come.

> I have to disagree with your characterization of Palemoon users as fascists.

I didn't say their users were. I said that certain developers certainly give off that vibe. I also said that they do engage in censorship, on their forums and on Twitter https://news.ycombinator.com/item?id=13395682. I've read about that here on HN and Reddit, ie 'forums' that they do not control. I witnessed it in that thread when one of them attempted to brigade the GitHub issue I was conversing in.

> If you don't like Palemoon, then you are more than welcome to not use it and leave the community alone.

[Insert Leave Britney Alone meme] The point is I only made an argument as to why it would not be added to privacytools.io the "defenders of Palemoon" came there and accused me of spreading "fake news", and spreading "false narrative". They didn't however refute what I said in a technical sense, which is what is expected in technical communities.

If you want to say someone is wrong, then provide proof/examples, or you'll be laughed at.

> The Palemoon community represents a dying breed.

Progress will do that.

> Soon enough, most hardware will be forced to use their browser, and will only be permitted to go to websites that they approve of.

I don't believe that for a minute. The big tech companies have been very active in standards forums like the IETF.

> And mandatory DRM.

That only happens when you want to use content like Netflix, and then it's a part of the user license agreement that Netflix MUST agree to in order to satisfy content creators/rights owners etc.

Mozilla never says that a site must use DRM, but does provide the option should they need to.

> Mozilla also loves DRM.

You mean they implement it so their browser can use things like Netflix? Sure, because if they didn't everyone would just use Chrome.

> Anyway, if you have any more questions I'd be happy to answer.

This is the point, though isn't it. The "Palemoon defenders" never refute what I say with actual evidence.

[apostacy]

lol, my reply to you was too long. http://dpaste.com/3H8SRNZ

[tya99]

> lol, my reply to you was too long. http://dpaste.com/3H8SRNZ

No problems. Simply split your post over multiple replies. There is a 2000 character limit per reply.

[apostacy]

I never got to read your reply. Look I'm sorry for any negativity. I think there is a place for you and what you are doing. But I'd like to make my own software my own way.

I don't agree with your paradigm for how people should use computers, but that's ok. I know I can very vocally disagree with the direction software is going, but I'd very much like for us to coexist peacefully.

[daxterspeed]

Pale Moon's JavaScript support was atrocious last time I checked, indicating that it's not actually keeping pace with Mozilla. I was developing a user script at the time and had to ask a user to stop using what amounts to a copy of Firefox that's several years past it's expiry.

Who knows what kind of issues are lingering around? Given that Pale Moon users advertise themselves as power users they might make quite a valuable target.

[pmoriarty]

"Their developers are also toxic https://github.com/privacytoolsIO/privacytools.io/issues/375 that's all the proof you ever needed."

It's quite ironic that you accuse them of toxicity when in that very thread you call their project "a shitty pointless effort".