Nearly a month has passed, is this not enough time? IronFox uses uBlock, which is a pretty powerful content blocker compared to Brave and Cromite’s.
Updates are consistent for now. Latest release was 3 days ago according to their GitLab releases page:
Last release was now 7 hours ago. I think they’re consistent enough but should we wait longer?
My personal take would be to wait for around 2 years before PG really recommends it.
Not saying PG should not mention the project at all, but from my experience if a project / team could survive the first 2 years, they have the stability and commitment to stay around for much longer.
If PG has an honorable mention / Candidate list, I would suggest putting them there.
Just to be clear, I used Mull, I am using IronFox, and I am more than happy to donate when they are ready to receive from Liberapay / OpenCollective.
While I am aware that commitment and consistency matter a lot, I think 2 years is overkill for a browser like Ironfox, which is way more secure and private than the current mobile options, excluding Tor of course. I feel personally that a month or just two months should be enough time to judge its consistency in releases.
I think the weight of recommending things from a personal and community / organizational level is different.
As an org or community you cannot sway like a normal person, unless they position themselves as salesmen where they just follow and sell hypes.
Everything PG evaluates / recommends is kind of serious and sensitive in nature, which heavily relies on reputations built upon a good track record. I don’t see any benefit that justifies gambling with the hard-earned reputation unnecessarily just to recommend a software that is still in the evaluation stage.
While I recognize the general criteria as well as Mobile browser criteria do not specify all evaluation details, including probation that could be used to evaluate the stability of the Dev Team, financial sustainability (if applicable), etc. These elements should be thoroughly assessed based on the sensitivity level and potential disruption of the tool.
In this case, browser activities are highly sensitive, switching browsers could be quite disruptive, imagine if the user does not use Mozilla accounts for syncing, and uses IronFox to install many PWAs.
Edit: In my head, the length of probation could be calculated based on the sensitivity and migration difficulties of the candidate:
Tool Sensitivity: Low (6 Months) / Medium (9 Months) / High (12 Months)
Migration difficulties: No (3 Months) / Low (6 Months) / Medium (12 Months) / High (24 Months)
e.g. For IronFox, it is highly sensitive and migration difficulties are at medium level, which makes the probation period 12 + 12 = 24 months
For email services, it would be 12 + 24 = 36 months (so Skiff would have failed and not been recommended)
This is only an example.
This simply isn’t true. IronFox is no more private while being less secure than Brave.
I don’t think a simple formula and waiting time alone can assess the trust of a software. It depends on the software, how effective it is privacy-wise, security-wise. I don’t really consider migrating to or recommending “IronFox” as sensitive. Security-wise, it’s just better than the current recommendations and I don’t really like repeating but it has uBlock which is a hundred times more effective than Brave’s blocker or Cromite’s. If you doubt the developer’s dedication or consistency in updates, I can just call them here if you want.
How is it less secure? It has RFP.
IronFox is more private than Cromite and Vanadium which have poor trackers and/or FP protection.
Easy to come up with after the fact, but this is not foolproof. We did recommend DivestOS which had been there for years and it did shut down.
Nothing’s everlasting but it reduces the chance that PG recommends projects that fail at an early stage.
It also provides clarity and support for PG Team and community, to better protect them from being pushed to recommend any projects.
This is my personal take and my practice for recommending products to friends and family, anyway.
RFP has nothing to do with security. Regarding security: Firefox finally rolling out Fission on Android - #6 by sha123
It’s wrong to assume that you provide less fingerprinting information just because there are stronger mitigations in place.
I would rather wait two years than two months! If we recommend IronFox, then we have to assume that people will download it based on our recommendation. And if it fails to meet the expectations, we would be screwed.
I think that we should at least AT LEAST wait six months. But better one year. Because who knows if devs will be able to keep the development strong all year long, even in periods like religious celebrations, Thanksgiving, New Year, Holy weeks, etc.? Are they able to face unforeseen events (health, deaths, births, family issues and events, military conscription) and even to clear some holidays maybe?
These are things that happen yearly and that could slow down the development so in my view we should wait one year to see how they handle these.
What’s more, there is no urgency as there are alternatives (Firefox/Focus/Klar(?), Brave, Vanadium).
However, this would be a double standard because we are still recommending Stingle Photos which no one is trusting I think and which has done a much worse job than IronFox if we look at the last few months.
How so? That’s the principle of FP protection.
You need a crowd, sane defaults and little room for adjustments through the users, so they don’t stick out from the crowd through their adjustments (including extensions, extension settings and so on). FP mitigations on IronFox are not strong enough to hide all hardware information, so you also need enough people on the same hardware information to blend in. There are also other factors which could play a role, but these should be the most significant.
I don’t disagree with most of what you said. It does hide most hardware information though. The only thing I can think of is it doesn’t hide screen size, but no browser on Android does (even Tor on Android doesn’t have letter-boxing).
But you aren’t wrong that the pool is small, and you could definitely sort users by screen size, which would then give you maybe a few possible devices. Then combined with using IronFox, and potentially the IP (even if it’s a VPN, the point is this will reduce the pool - and many people always connect to the same VPN City), and you have a pretty good FP.
That being said, this is advanced FP, and most websites probably have more rudimentary techniques. That’s why FP protection isn’t black and white, it’s a gradient.
Just to be clear, only Brave and Tor do not suffer from the problems of the small pool. Cromite has less FP protection, and Vanadium is only for Pixel GOS users, and with screen size you can know the exact Pixel model.
Hey guys, so what’s the consensus on IronFox? Is it a private and secure browser? Is uBlock Origin installed by default? Can I install a few extensions? I still don’t get how it’s more private and secure than Firefox after it’s been configured with hardened settings.
It’s a good, secure browser. Right now, we’re just inspecting its release consistency.
Private yes, but security is many years behind Chromium-based browsers. Ignore the people who claim it is secure without providing a technical basis. FF still lacks features which Chromium has had for 10 years on Android. Read the other comments I wrote about FF’s security for technical arguments.
I love Mull and therefore I’ve started using IronFox from its very early stage. But it’s not for extreme privacy or something, just my personal preference. For example I value their practice of having presets of DoH providers set to Quad9, DNS0, Mullvad, AdGuard and NextDNS. These options are better than the FF default. But it doesn’t really matter to me because I’m using my own NextDNS account anyway, it’s just the spirit of making defaults better for the average user that wins my heart.
Btw their repo is at GitLab, and available with Obtainium or Accrescent. I like this but I have to admit these trivia have nothing to do with privacy or security…