LibreWolf (Firefox-Based Browser)

Got it. Thanks!

Excited to switch back.

Would recommend keeping Firefox as a backup browser, since some sites perform heuristic checks that LibreWolf can trigger in certain cases. We had reports of this happening with Yahoo Mail, which I could reproduce with LibreWolf and Mullvad VPN, but another team member couldn’t.

1 Like

Obviously, the following isn’t that relevant anymore as the more or less only argument, the bad security, is now fixed. But, to end the discussion…


Yes, I was wrong on that point; this misunderstanding on my part was based on an inaccuracy that Privacy Guides itself wrote (so no, not bad research, or being dumb [at least not that time :sweat_smile:] or something like that, which @Hank was heavily implying).


An attempted summary of the discussion (+ new arguments)

Please note that “ProLW” or “ConLW” (Pro LibreWolf / Contra LibreWolf) isn’t always something on which all Pro- or ConLW “Team members” agree. Sometimes when I write a ProLW bullet point, I’m even unsure myself whether it’s valid.

Whenever there are numbers in the reply (1., 2. etc.) it means that these are completely separate arguments which are valid even if you refute one of them. If you want to challenge that LibreWolf should not be recommended, you would have to refute every point separately, otherwise LibreWolf should still be recommended.

Against LibreWolf

Security fix delay

  • ConLW: LibreWolf has a dangerous security fix delay which makes it insecure.

  • ProLW: Mullvad Browser has only a very slightly different security fix delay; not recommending LibreWolf because it has an average security fix delay approximately 0.4 days longer than Mullvad Browser (which is recommended) is ridiculous.

  • ConLW: LibreWolf had a 9-day security fix delay, which could have been even longer if @any1 hadn’t gone ahead and fixed it. Until LibreWolf manages to have consistent updates, it shouldn’t be recommended; until then, persistent mode is probably already released anyway.

  • ProLW (partially NEW): Mullvad Browser was not that much faster there; 6 days is also very worrying. And we don’t know what would’ve happened if @any1 hadn’t fixed it; maybe someone else new to the LibreWolf project or ohfp (LibreWolf project admin) would’ve done it.

  • ConLW: You can’t compare Mullvad Browser and LibreWolf because they are completely different and serve different purposes; Mullvad Browser adds the Tor Browser patches and LibreWolf does not, and that can’t be achieved with Firefox. LibreWolf can only be compared to Firefox or Brave.

  • (One dumb argument (mine) and its reply are missing here; for that, see the beginning of this post.)

  • ProLW (partially NEW): 1. With @any1 being a new maintainer of LibreWolf, the updates are now confirmed to be within one day. 2. If “consistent updates” is enough as a single criterion to throw something out of “even possible to recommend”, then Mullvad Browser shouldn’t be recommended by your own logic. However, it would be logical if you’d say “Until LibreWolf manages to have consistent updates or to add real privacy, security or usability improvements compared to Firefox or Brave, it shouldn’t be recommended; until then, persistent mode is probably already released anyway.” But then I could say: Yes, it does add real privacy and usability improvements, see the next section of “Against LibreWolf”. 3. In every way, you are making privacy, security and convenience trade-offs, so the only question should be:
    Do the convenience and additional privacy features of LibreWolf compared to Firefox & Arkenfox outweigh the security fix delay of LibreWolf?
    You can’t say objectively whether all the additional features of LibreWolf compared to Firefox outweigh this one security disadvantage, so the user should choose for himself. That’s why we should mention LibreWolf.

Offering additional value compared to Firefox / Brave

  • ConLW: LibreWolf doesn’t add any value compared to Firefox or Brave.

  • ProLW: This is not true; you don’t have to configure and maintain Arkenfox: checking & eventually adopting new changes from a potential new Arkenfox release, which is necessary to disable fingerprinting. For many settings, you don’t have to use about:config but can use the convenient GUI extra settings category. Making per-site cookie deletion exceptions is much faster and easier.

  • ConLW: You don’t necessarily have to, in your definition, “maintain” Arkenfox because there is no crowd for Arkenfox users - Arkenfox can only, if anything, fool naive fingerprinting scripts.

  • ProLW: You should still update Arkenfox to avoid being tracked by a potentially new tracking method.

  • ConLW: Liking not configuring anything is a valid personal preference, but not a valid basis for a Privacy Guides recommendation.

  • ProLW: 1. This is absolutely not true; usability is a big criterion when recommending something, otherwise only the Tor Browser would be recommended as it is the most private one. In every way, you are making privacy, security and convenience trade-offs, so the only question should be:
    Do the convenience and additional privacy features of LibreWolf compared to Firefox & Arkenfox outweigh the security fix delay of LibreWolf?
    You can’t say objectively whether all the additional features of LibreWolf compared to Firefox outweigh this one security disadvantage, so the user should choose for himself. That’s why we should mention LibreWolf. 2. I found 10 more things which can’t be achieved with Firefox, but can be achieved / are implemented in LibreWolf (reply 322) – so in total there are 13 things which can’t be achieved with Firefox, but can be achieved with LibreWolf.

Target audience

  • ConLW: For non-technical users, LibreWolf is not recommendable because they can’t diagnose and especially don’t fix site breakage. For intermediate and technical users, including a - in the case of LibreWolf, (in the past) unreliable - third party is not worth configuring the handful of releases Arkenfox does every year, which only takes 5 of the 526,000 minutes every year, except on the initial learning curve.

  • ProLW: 1. Now, the updates are fast and consistent (thanks to @any1), so it is at least at this point already recommendable for intermediate and technical users. 2. (Further argument that it’s recommendable for intermediate and technical users) In every way, you are making privacy, security and convenience trade-offs, so the only question should be:
    Do the convenience and additional privacy features of LibreWolf compared to Firefox & Arkenfox outweigh the security fix delay of LibreWolf?
    You can’t say objectively whether all the additional features of LibreWolf compared to Firefox outweigh this one security disadvantage, so the user should choose for himself. That’s why we should mention LibreWolf. 3. LibreWolf is recommendable for non-technical users, but for that, see “Beginner friendliness” in the section “For LibreWolf”.

JXL

  • ConLW: LibreWolf enables JXL by default, which is another C++ decoder with “who knows who’s responsible for it” state and therefore a security risk.

  • ProLW: 1. JXL is also available in Firefox. 2. Firefox is recommended, which requires changing far more preferences than LibreWolf.

  • ConLW: JXL is only available in Firefox Nightly.

  • ProLW: 1. Firefox Nightly is still Firefox and Mozilla is responsible for both (regular Firefox and Firefox Nightly). JXL is maintained by Mozilla. 2. The second point from the previous response is still unanswered.

Missing blocklists

  • ConLW: In LibreWolf, you have worse security compared to Firefox as there are blocklists missing; you are actively missing protections against add-ons that are insecure or malicious, and this is just one of the missing remotes.

  • ProLW: This is fixed now; the three mentioned missing blocklists are now added to LibreWolf (LibreWolf’s about:config librewolf.services.settings.allowedCollections value).

For LibreWolf

Trade-Offs on Privacy, Security and Convenience

  • ProLW: In every way, you are making privacy, security and convenience trade-offs, so the only question should be:
    Do the convenience and additional privacy features of LibreWolf compared to Firefox & Arkenfox outweigh the security fix delay of LibreWolf?
    You can’t say objectively whether all the additional features of LibreWolf compared to Firefox outweigh this one security disadvantage, so the user should choose for himself. That’s why we should mention LibreWolf.

Beginner friendliness

  • ProLW: LibreWolf is more user-friendly and easy to use; beginners and less-technical people can benefit from this. You also have to read the entire Arkenfox wiki (at least it says so), which takes lots of time and can be hard to understand.

  • ConLW: LibreWolf has settings and disables many things, which breaks the functionality of many sites; LibreWolf is therefore not recommendable for beginners or less technical users. If you are comfortable not reading the LibreWolf docs, you can be even more comfortable not reading the Arkenfox wiki as you will encounter less breakage with Arkenfox compared to LibreWolf.

  • ProLW: Some are skeptical due to personal experience that LibreWolf breaks sites.

  • ConLW: LibreWolf currently uses RFP as default (this will probably be changed soon) and Arkenfox FPP, which breaks far fewer sites; therefore, our argument stands and LibreWolf is not recommendable to less technical people because they can’t fix site breakage (this would also apply when LibreWolf switches to FPP).

  • ProLW (NEW): According to the Arkenfox wiki, 99 % of site breakage can be fixed by setting a temporary or permanent Canvas exception. Doing so is very easy; just click on the image icon at the URL bar and select if you want to allow it once or every time. This could be stated in a simple note if we recommend LibreWolf.

1 Like

Well, this reply is the nail in the coffin, as we say. :face_with_tongue:

AMAZING job @SYST3M_D3STR0YER

Also, just to add to this

I have yet to encounter any website breakages 6 months in.

2 Likes

JXL used to be enabled by default, but it seems this was changed some time ago (before I got involved). Now the build only includes JXL support, and it needs to be enabled manually in about:config. As far as I can tell, no JXL-related code is reachable when the pref to use it is off.

2 Likes

Does LW even have a changelog? How am I supposed to know what they changed in my browser?

The Mastodon account posts changes. I could add a changelog to the site/releases.

4 Likes

This is not a changelog. If you don’t think the “Goodbye 32-bit Windows” change belongs in the changelog, then I don’t even know what to tell you.
Just another reason why LW shouldn’t be recommended. I don’t understand why we have to point out the obvious and ask for it to be fixed. The browser itself just looks like a school project.

1 Like

Unfortunately, we’ve also had to drop 32bit builds for Windows starting with this release.

Not sure what you mean by this. Unless we’re made aware of an issue, we can’t try to fix it.

It is a browser maintained by volunteers in their free time in the hope of adding value for users. You don’t have to like or use it. It’s simply another option. If you want a corporate-backed browser, use Firefox.

5 Likes

He means that a changelog is the obvious thing missing.

All changes from Firefox can be viewed in the Firefox Release Notes and all changes from LibreWolf can be viewed through the Mastodon account you linked.

1 Like

I mean, the changelog is missing details, some major changes just aren’t there. Some changes are literally “we added a couple of bugs, we fixed those bugs.” What? Which ones?

For comparison, you can take a look at the Mullvad changelog and compare it with LW.

What major changes are missing?

1 Like

For example, most of the prefs? (If not all, I haven’t checked them all). Some patches were added and removed, but they aren’t in the changelog.

What’s up with privacy.spoof_english true? Is this AI slop? What’s the point of disabling this pref while using RFP? It’s a system Intl leak. You’re just plugging one hole and opening another. It’s expected, though. Like I said, the browser isn’t safe or private. There’s no point in using it.

There really hasn’t been anything notable that has changed there. At some point, the changelog you want is just the commits being made, and you can simply look at the commit history.

Forcing English for everyone is a major usability concern. Since we are not Tor/Mullvad Browser, there is no need to make the browser unusable for many users who cannot or prefer not to have everything in English.

RFP also does not make sense to use. That is why we are in the process of moving to FPP.

I would be the first to tell you the flaws of LibreWolf. Just look earlier in the thread. Your points aren’t things we’re actually doing wrong. They’re more about finding things you dislike and calling them flaws.

For you, maybe, but there may be value to others. There really is nothing we are doing that makes us worse than Firefox, so if Firefox can be used, LibreWolf should be usable too.

Release notes are added here now too

6 Likes

I’ll just leave this here: #1779 - Feature Request: Radio Silence by Default for Browser Startup and Background Connections aka "Disable Phone Home" - librewolf/issues - Codeberg.org

Every time the user opens up their LibreWolf browser, it phones home that :index_pointing_at_the_viewer: started using the browser, to servers like Mozilla, GitHub, GlobalSign and others.

This leads to creating patterns based on your behavior: IP, time, geolocation. Each time you are about to browse and open up the browser, it phones user just open up their browser

The feature LibreWolf IJWY or (I Just Want You To Shut Up) was completely removed a couple of years ago; a feature its predecessor Librefox and old LibreWolf had, basically don’t phone home each time you start the browser, giving out unnecessary metadata.

Last time this issue was brought up to some devs, they dismissed it.

Here’s how they can use this information against you

@any1 Would love your thoughts on this Sword of Light’s post -

1 Like

I think it is just beating a dead horse at this point, and this comes up every so often.

I don’t see the point in adding a feature that allows users to worsen their security for a supposed privacy benefit. If this gets introduced, someone will make a Reddit post titled “How to make LibreWolf actually private and solve world hunger by doing this,” which will recommend various backwards steps where less knowledgeable users end up not receiving updates to the actually useful features that have a purpose and aren’t just “connections = bad.” It seems like these people want Tor Browser without using Tor Browser, given the kinds of threats they list.

4 Likes

Thanks for replying!

I am just an average tech savvy-ish privacy focused/aware user, not a coder working on an open source browser like you, so excuse my ignorance but… isn’t zero telemetry a good thing? Something a user would want in a browser? I’m pretty sure Mullvad Browser mentions it about their browser and that is a big thing the Orion browser dev talks about or hypes.

From a user perspective, when I open my browser I want no one to know but me ideally.

What connections/phoning home is LibreWolf making and for what purpose? And if I turn them off are you saying I won’t get updates? Even if I update via terminal and the repo?

Is there a way to turn off the telemetry?

1 Like

Seems like you missed my link in the post above: Frequently Asked Questions – LibreWolf

Telemetry is already turned off during the build.

3 Likes