Actually, JXL is only available in Firefox Nightly. In LibreWolf, this is the default and it is enabled.
So what? Are all the Tor patches now fully added to Firefox?
You could just use the latest version of FireFox (so no security fix delay ➞ in those terms better than MullvadBrowser), configure it with MullvadBrowser’s configs before the first startup of FireFox, install uBlock Origin and configure it the exact same way MullvadBrowser does, don’t log in anywhere, don’t change any setting, use it with MullvadVPN and don’t install any extension other than uBlock Origin and you would look on the web exactly like any other MullvadBrowser user, wouldn’t you?
Did you even try to test this nonsense yourself? Even the link to your config is already outdated. When using this config, or an updated one, in Firefox, some fingerprints are not hidden, but that’s for later. First, you’ll need to edit this config because Firefox doesn’t know which fonts to use and everything appears as squares. So, Firefox most likely doesn’t have all the Tor patches, right?
I think you need to start personally testing things and showing the results. Right now it looks like you’re not even sure of your own words. Personally, I haven’t seen a single reason to mention it in recommendations, except for far-fetched personal preferences.
I am pretty sure that that was a problem only with Arch/AUR since I didn’t have that problem and I’ve been using LibreWolf for over half a year. I use the AppImage.
So FireFox Nightly is not FireFox? And FireFox ESR is probably also not FireFox, right?
Didn’t say that. I just wanted to point out that the way isn’t always “TOR-Project adds a feature, Mozilla ports it into FireFox”, but also often “Mozilla adds a privacy feature, TOR-Project ports it into the TOR-Browser”, so arguing just one way around doesn’t make sense.
I am pretty sure that that was a problem only with Arch/AUR since I didn’t have that problem and I’ve been using LibreWolf for over half a year. I use the AppImage.
My mistake. The catastrophic LibreWolf dev mess-up I was referring to actually happened exactly a year ago with the 132 <-> 133 upgrades. I was on Windows then and it affected all platforms. Read more about it here if you want: Reddit - The heart of the internet
Here is a reason to avoid using it: a patch added nine months ago turned the remote settings into a whitelist. Not much was added to this whitelist.
Take a look at my PR and see what is missing that is actively making LibreWolf have worse security compared to just using Firefox. You are actively missing protections against add-ons that are insecure or malicious, and this is just one of the missing remotes.
This is just from quickly looking at what is being blocked, there probably are more that need to be added.
I also don’t think this argument is valid. From time to time, there are always big mess-ups in browsers. (FireFox also had those things (example) and it is still recommended.)
Just because they don’t recommend installing more add-ons doesn’t mean that users will listen, and does not justify not having these protections.
What about these that are missing?
main/hijack-blocklists — Supplies remote blocklists used to detect and block known malicious or hijacking domains and protect against address/URL hijacking.
main/addons-data-leak-blocker-domains — Remote list of domains where extensions are prevented from accessing or exfiltrating data to stop known data-leak destinations.
blocklists/gfx — Remote blocklist of graphics/driver-related entries used to disable or alter graphics features for problematic GPUs/drivers to improve stability.
@any1 Are you working on Librewolf now? Is it something you feel comfortable recommending now? Is it better now? Better (more private and secure) than FF with PG’s recommended settings and UBO?
I remember you (I think) saying something akin to…the project seems held together with duct tape or is running on a wing and prayer or something like that anyway, and that scared me away from using it. I moved to MB then back to FF now. I just scrolled through the thread and could not find the exact quote though.
If you rely on FPP (what the PG guide recommends and what arkenfox now defaults to), you’ll get better protection by using FPP with the default RFPTargets in LibreWolf. Security would currently be about the same as what you get with Firefox + arkenfox.
I think working on a fast-moving, large codebase such as Firefox as a fork will always involve things constantly breaking and requiring hacky workarounds. All you can really do is test the next release early enough to fix issues so you don’t have to delay the release when something breaks.
In general I would say the situation has vastly improved:
Releases are made within a day after Firefox makes a release, often within a few hours.
We moved the CI/releases from GitLab to Codeberg.
We test against the beta of the next release so we can fix regressions earlier and avoid delaying new releases.
We are the only fork, AFAIK, that supports the new XDG functionality.
We fixed a regression in the FPP canvas protections.
I have open PRs to move to MOZILLA_OFFICIAL.
I finished a WebGL per-site permission, which will be included soon after some testing.
Moving from RFP to FPP is currently in progress.
The settings have been cleaned up.
A lot of other small fixes.
I would suggest installing it alongside Firefox to see how you like it and whether you have any usability concerns. Other than getting MOZILLA_OFFICIAL merged (which should happen soon), I don’t see anything that would prevent me from recommending it.
Obviously, the following isn’t that relevant anymore as the more or less only argument, the bad security, is now fixed. But, to end the discussion…
Yes, I was wrong on that point; this misunderstanding of mine was based on an inaccuracy that Privacy Guides wrote itself (so no, not bad research, or being dumb [at least not that time] or something like that which @anon59300808 was heavily implying).
An attempted summary of the discussion (+ new arguments)
Please note that “ProLW” or “ConLW” (Pro LibreWolf / Contra LibreWolf) isn’t always something on which all Pro- or ConLW “Team members” agree. Sometimes when I write a ProLW bullet point, I’m even myself unsure whether it’s valid.
Whenever there are numbers in the reply (1., 2. etc.) it means that these are completely separate arguments which are valid even if you refute one of them. If you want to challenge that LibreWolf should not be recommended, you would have to refute every point separately, otherwise LibreWolf should still be recommended.
Against LibreWolf
Security fix delay
ConLW: LibreWolf has a dangerous security fix delay which makes it insecure.
ProLW: MullvadBrowser has a just very slightly differing security fix delay; not recommending LibreWolf because it has an average security fix delay approximately 0.4 days longer than MullvadBrowser (which is recommended) is ridiculous.
ConLW: LibreWolf had a 9-day security fix delay which could have been even longer if @any1 hadn’t gone ahead and fixed it. Until LibreWolf manages to have consistent updates, it shouldn’t be recommended; until then, persistent mode is probably already released anyway.
ProLW (partially NEW): MullvadBrowser was not that much faster there; 6 days is also very worrying. And we don’t know what would’ve happened if @any1 hadn’t fixed it; maybe someone else new to the LibreWolf project or ohfp (LibreWolf project admin) would’ve done it.
ConLW: You can’t compare MullvadBrowser and LibreWolf because they are completely different and serve different purposes; MullvadBrowser adds the TOR browser patches and LibreWolf does not and that can’t be achieved with FireFox. LibreWolf can only be compared to FireFox or Brave.
(One dumb argument (mine) and its reply are missing here; for that, see the beginning of this post.)
ProLW (partially NEW): 1. With @any1 being a new maintainer of LibreWolf, the updates are now confirmed to be within one day. 2. If “consistent updates” is enough as one single criterion to throw something out of “even possible to recommend”, then MullvadBrowser shouldn’t be recommended by your own logic. However, it would be logical if you’d say “Until LibreWolf manages to have consistent updates or to add real privacy, security or usability improvements compared to FireFox or Brave, it shouldn’t be recommended; until then, persistent mode is probably already released anyway.” But then I could say: Yes, it does add real privacy and usability improvements, see the next section of “Against LibreWolf”. 3. In every way, you are making Privacy-, Security- and Convenience trade-offs, so the only question should be:
Do the convenience and additional privacy features of LibreWolf compared to FireFox & ArkenFox outweigh the security fix delay of LibreWolf? You can’t say objectively if all the additional features of LibreWolf compared to FireFox outweigh this one security disadvantage, so the user should choose for himself. That’s why we should mention LibreWolf.
Offering additional value compared to FireFox / Brave
ConLW: LibreWolf doesn’t add any value compared to FireFox or Brave.
ProLW: This is not true, you don’t have to configure and maintain ArkenFox; checking & eventually adopting new changes from a potential new ArkenFox release, which is necessary to disable fingerprinting. For many settings, you don’t have to use about:config but can use the convenient GUI extra settings category. Making per-site cookie deleting exceptions is much faster and easier.
ConLW: You don’t necessarily have to, in your definition, “maintain” ArkenFox because there is no crowd for ArkenFox users - ArkenFox can only, if anything, fool naive fingerprinting scripts.
ProLW: You should still update ArkenFox to avoid being tracked by a potentially new tracking method.
ConLW: Liking not configuring anything is a valid personal preference, but not a valid basis for a Privacy Guides recommendation.
ProLW: 1. This is absolutely not true, usability is a big criterion when recommending something, otherwise only the TOR browser would be recommended as it is the most private one. In every way, you are making Privacy-, Security- and Convenience trade-offs, so the only question should be:
Do the convenience and additional privacy features of LibreWolf compared to FireFox & ArkenFox outweigh the security fix delay of LibreWolf? You can’t say objectively if all the additional features of LibreWolf compared to FireFox outweigh this one security disadvantage, so the user should choose for himself. That’s why we should mention LibreWolf. 2. I found 10 more things which can’t be achieved with FireFox, but can be achieved / are implemented in LibreWolf (reply 322) – so in total there are 13 things which can’t be achieved with FireFox, but can be achieved with LibreWolf.
Target audience
ConLW: For non-technical users, LibreWolf is not recommendable because they can’t diagnose and especially don’t fix site breakage. For intermediate and technical users, including a - in case of LibreWolf, (in the past) unreliable - third party is not worth configuring the handful of releases ArkenFox does every year which only takes 5 of the 526,000 minutes every year, except on the initial learning curve.
ProLW: 1. Now, the updates are fast and consistent (thanks to @any1), so it is at least at this point already recommendable for intermediate and technical users. 2. (Further argument that it’s recommendable for intermediate and technical users) In every way, you are making Privacy-, Security- and Convenience trade-offs, so the only question should be:
Do the convenience and additional privacy features of LibreWolf compared to FireFox & ArkenFox outweigh the security fix delay of LibreWolf? You can’t say objectively if all the additional features of LibreWolf compared to FireFox outweigh this one security disadvantage, so the user should choose for himself. That’s why we should mention LibreWolf. 3. LibreWolf is recommendable for non-technical users, but for that see “Beginner friendliness” in the section “For LibreWolf”.
JXL
ConLW: LibreWolf enables JXL by default which is another C++ decoder with “who knows who’s responsible for it” state and therefore a security risk.
ProLW: 1. JXL is also available in FireFox. 2. FireFox is recommended which requires changing far more preferences than LibreWolf.
ConLW: JXL is only available in FireFox Nightly.
ProLW: 1. FireFox Nightly is still FireFox and Mozilla is responsible for both (regular FireFox and FireFox Nightly). JXL is maintained by Mozilla. 2. The second point from the previous response is still unanswered.
Missing blocklists
ConLW: In LibreWolf, you have worse security compared to FireFox as there are blocklists missing; you are actively missing protections against add-ons that are insecure or malicious, and this is just one of the missing remotes.
ProLW: This is fixed now, the three mentioned missing blocklists are now added to LibreWolf (LibreWolf’s about:config librewolf.services.settings.allowedCollections value).
For LibreWolf
Trade-Offs on Privacy, Security and Convenience
ProLW: In every way, you are making Privacy-, Security- and Convenience trade-offs, so the only question should be:
Do the convenience and additional privacy features of LibreWolf compared to FireFox & ArkenFox outweigh the security fix delay of LibreWolf? You can’t say objectively if all the additional features of LibreWolf compared to FireFox outweigh this one security disadvantage, so the user should choose for himself. That’s why we should mention LibreWolf.
Beginner friendliness
ProLW: LibreWolf is more user-friendly and easy to use; beginners and less-technical people can benefit from this. You also have to read the entire ArkenFox wiki (at least it says so) which takes lots of time and can be hard to understand.
ConLW: LibreWolf has settings and disables many things, which breaks functionality of many sites; LibreWolf is therefore not recommendable for beginners or less technical users. If you are comfortable not reading the LibreWolf docs, you can be even more comfortable not reading the ArkenFox wiki as you will encounter less breakage with ArkenFox compared to LibreWolf.
ProLW: Some are skeptical due to personal experience that LibreWolf breaks sites.
ConLW: LibreWolf currently uses RFP as default (this will probably be changed soon) and ArkenFox uses FPP, which breaks far fewer sites; therefore, our argument stands and LibreWolf is not recommendable to less technical people because they can’t fix site breakage (this would also apply when LibreWolf switches to FPP).
JXL used to be enabled by default, but it seems this was changed some time ago (before I got involved). Now the build only includes JXL support, and it needs to be enabled manually in about:config. As far as I can tell, no JXL-related code is reachable when the pref to use it is off.
Every time the user opens up their LibreWolf browser it phones home that , started using the browser to servers like Mozilla, GitHub, GlobalSign and others.
Leading to creating patterns based on your behavior. IP, TIME, GEOlocation. Each time you are about to browse and open up the browser, it phones user just open up their browser
The feature LibreWolf IJWY or (I Just Want You To Shut Up) was completely removed a couple of years ago; a feature its predecessor librefox and old librewolf had, basically don’t phone home each time you start the browser giving out unnecessary metadata.