Waterfox: Popular Firefox Fork But Never Discussed Here?

Good morning,

I’m looking at the Reddit communities for Librewolf and Waterfox on Reddit and Waterfox has more than double the amount of users. However, I couldn’t find any discussion of Waterfox at all on here???

Librewolf gets plenty of attention on here.

I know Waterfox was maligned because it was linked “System1” but Waterfox claims to be independent now and doesn’t send back any telemetry.

This article is the most clear article I’ve been able to find for this community to get a solid understanding: Review: Can We Trust the Waterfox Browser? (Updated 2023) | Avoid the Hack (avoidthehack!)

Thank you for reading my question!

I cover the mobile version here: Browsers - DivestOS Mobile

It basically has two features afaict:

  • configured the Firefox built-in resolver to use oblivious HTTP through their own proxy server to Cloudflare DNS
  • added their search engine defaults

edit: the desktop version appears to make some (about:config) settings easily accessible. also supposedly still supports npapi, which is horrifying if true

everything else seems to be Firefox defaults
their docs are sparse and the Android version is often behind like a week

it used to be popular long ago as it was the first fully 64-bit build like a decade+ ago

disclosure: note my obvious bias

  • really Mullvad Browser on desktop and my Mull on Android are great if you want Gecko
  • Brave on either if you want Chromium
  • if you need Tor use Tor Browser
    • other browsers routed through Tor have severe issues
  • the rest are meh
9 Likes

My (fairly uniformed) opinion on why Waterfox is rarely if ever discussed in privacy and security communities is less about there being anything egregiously wrong with it, and more just that their isn’t much reason to pay attention to it. It doesn’t really seem to have any clear comparative advantages, and it isn’t particularly focused on privacy or security.

I remember being briefly interested in Waterfox back in the day (10-15 years ago). My recollection is Waterfox was originally someone’s college project which added 64 bit support for Firefox at a time that Firefox was 32 bit only. But that stopped being the case many years ago, and since that time it hasn’t been clear to me what Waterfox actually offers that would justify using it instead of recommended alternatives, it doesn’t seem to have a clear reason for being.

One thing that is cool about Waterfox at the current moment is they’ve configured Waterfox to use a DNS over oblivious HTTP by default. But this isn’t a browser to browser difference, in fact it was Firefox that developed and built-in the functionality that is used by Waterfox. What Waterfox provides is a proxy server that can be used in combination with a DNS provider that supports the proposed standard But I believe the same can be accomplished with vanilla Firefox, you’d just need to point it to the right servers (which would require modifying 2-3 settings in about config I believe) or by any other browser supported DNS over oHTTP.

Librewolf arguably also doesn’t provide anything unique not already possible with Firefox. Technically speaking, I think this is true. BUT Librewolf does have one important non-technical comparative advantage over Firefox. It provides really strong privacy out of the box. It doesn’t really provide any technical features that are not already present in Firefox and Librewolf’s default config was largely just adapted from Arkenfox, but it eliminates most of the learning curve and the stress, which ca be a big barrier to less tech savvy or less DIY minded users.

3 Likes

does the main browser support NPAPI, or just waterfox classic (which is primarily based on pre v57 version of Firefox)? I’m fairly sure Firefox completely removed NPAPI completely several years ago, so unless they manually re-add support, Waterfox non-classic shouldn’t support it either.

Still though, they don’t exactly do many if any privacy or security focused patches. seems to be a UX focused browser.

Librewolf is clearly more privacy friendly though

Security issues of Firefox:

lack of site isolation (Project Fission - MozillaWiki)
CFI, (510629 - (cfi) [meta] Ship Control Flow Integrity (CFI))
ACG (https://bugzilla.mozilla.org/show_bug.cgi?id=1381050)
CIG (1378417 - [meta] Support Binary Signature Policy and eventually Code Integrity Guard on Windows)
win32k lockdown (https://bugzilla.mozilla.org/buglist.cgi?quicksearch=win32k)
lack of Linux/macOS gpu isolation (Security/Sandbox/Process model - MozillaWiki) ???
lack of a hardened malloc (PartitionAlloc Design)
complete lack of any sandboxing whatsoever on Android (https://bugzilla.mozilla.org/show_bug.cgi?id=1565196)

Most of these issues are decade old which is really concerning.

desktop has had fission enabled for years

all apps on android are always sandboxed

7 Likes

Classic is the only one that supports NPAPI

1 Like