
Review: Can We Trust the Waterfox Browser? (Updated 2023)


Waterfox came onto the browser scene in 2011, coming right out of the box with official x64 support (a rarity among browsers at the time), and promoted itself as an “ethical browser.”

However, many things have changed in the browser landscape, and even in the Waterfox project as a whole, since 2011.

With these changes, can Waterfox be a viable privacy-focused browser?

Let’s do our best to find out.

Here’s Waterfox at a glance…

Pros:

  • Light on System Resources
  • Compatible with most Firefox Extensions
  • “No telemetry” and “Limited Data Collection” (this could change, given the first con below)

Cons:

  • Bought by analytics/advertising company, System1, which is the same company that bought search engine StartPage.
  • Still needs about:config tweaks found in Mozilla Firefox to be a more “true” privacy browser
  • Nonexistent mobile support (this may be a con for some people)

Waterfox has changed some since publishing this post. Most notably, Waterfox has returned to its previous independent status and has streamlined its lineup.


the official waterfox logo

As of July 2023, Waterfox announced it has returned to its former status as an independent project – presumably, shedding their association with System1. For the unaware, System1 had invested in Waterfox in late 2019, and while they did nothing explicitly violating user privacy, their “backing” of Waterfox wasn’t well-received by many (including myself in the initial version of this review).

This association with System1 was the primary con associated with Waterfox; Waterfox had been partnered with System1 for roughly 1 year when the initial post was published. At the time it seemed to deliver on its promises of an optimized and more private experience for users, despite its association with System1.

As noted later in the review, System1 had never (overtly) done anything to be labeled as “untrustworthy,” but suspicions persisted because of its analytics/advertising connections. As such, because of this association, it appeared the greater privacy community (and myself included) lost trust in Waterfox – or confidence was shaken up enough not to widely recommend it over other privacy-oriented browsers.

Waterfox still downloads and installs quickly. The website has been overall simplified. It is far easier to find relevant information and download the appropriate version of Waterfox.


waterfox website home page

Since the publication of the initial version of this post, Waterfox has moved into release of its 4th generation. Waterfox Classic is still around, though it appears to no longer share the same code repository or immediate resources with the newest generation of Waterfox.

With the 4th generation of Waterfox, users on substantially older systems may find difficulty running the browser. However, users are still able to download older, stable releases of Waterfox if desired, though this isn’t expressly recommended because older versions (including Waterfox Classic) are missing security patches from upstream Gecko.

While Waterfox still does not have an official release on Android or iOS as of this update, users can download the older Android version if desired – though this isn’t recommended because the Android version is ridiculously old and missing years’ worth of security fixes and updates. Running extremely outdated software, such as a browser, undermines basic security and negatively affects your privacy due to needless exposure to vulnerabilities.

First Launch

Waterfox launches quickly, which was also noted in the initial post. Nothing’s changed there.


waterfox initial launch showing the latest patch notes and announcement

Upon first launch of this new, independent-from-System1 Waterfox version, I used Portmaster to capture DNS queries made:

| Domain | Description |
|---|---|
| waterfox.net | The official Waterfox website. |
| location.services.mozilla.com | Mozilla’s geolocation service. |
| content-signature-2-cdn.mozaws.net | Service validating data sent between client and other Mozilla services |
| firefox.settings.services.mozilla.com | Latest login breach information from Mozilla. |
| ocsp.digicert.com | Well known + valid OCSP service |
| r3.0.lencr.org | Let’s Encrypt domain for providing OCSP data |
| shavar.services.mozilla.org | Mozilla updater service for its tracking protection project |
| ciscobinary.openh264.org | OpenH264 Video Codec download server |

Background connections made by Waterfox on initial launch

A little bit to unpack here for the initial launch, but nothing too bad. On my first launch since last installing this browser, Waterfox took me to its patch notes hosted on its website waterfox.net – so this is not really a background connection.

The server hosting Waterfox.net has OCSP stapling enabled, which checks the revocation status of websites’ certificates; Digicert is perhaps the most well-known provider of this service. Lencr.org is owned by Let’s Encrypt, which provides free TLS certificates for websites (so you connect via HTTPS instead of HTTP).

Like Firefox, on the first launch after install, Waterfox fetches and downloads Cisco’s OpenH264 video codec from ciscobinary.openh264.org. This video codec encodes and decodes in real-time, which makes it great for use in other real-time browser applications (ex: WebRTC).

The other domains are connections to various Mozilla services, as noted in the table.

Similar to vanilla Firefox, Waterfox can be configured using the about:config settings to be more privacy-friendly. It is also compatible with add-ons designed for vanilla Firefox as well; Waterfox still comes with uBlock Origin, an open-source wide spectrum ad/tracker blocker, by default. Additionally, the default search remains Bing.

By default, Waterfox still does not have the opt-out telemetry (“Firefox Data Collection and Use”) in its settings, signaling this has been removed in the source code – which is a good thing. Waterfox still uses some Mozilla services, though.

While using Waterfox, I noticed regardless of the sites I visited, it usually made background connections to:

| Domain | Description |
|---|---|
| bing.com | Bing is a search engine by Microsoft. |
| firefox.settings.services.mozilla.com | Latest login breach information by Mozilla |
| push.services.mozilla.com | Web Push notifications service by Mozilla |
| aus1.waterfox.net | Automatic update service for Waterfox |

Background queries made by Waterfox while browsing

Connecting to Bing (bing.com) in the background concerned me. But I relatively quickly found that in the preferences/settings pane, Waterfox enables search suggestions by default; since Bing is the default search provider, connections to Bing pull search suggestions as you type them in the URL bar.

However, the issue with this is the forwarding of your search queries to the selected default search engine in real-time, before ever hitting Enter. Disabling search suggestions fixed this issue altogether. Though, if you prefer search suggestions, then it’s best to use a private search engine as the default browser search instead.

Of course, some may find the initial and default connections Waterfox makes concerning. However, let’s remember vanilla default Firefox is just as “chatty” – many, if not all, of the connections to Mozilla can be addressed by editing the settings in about:config (this is also true for Firefox).

The automatic update service for Waterfox can’t be disabled within Waterfox itself.

As an aside, I noticed Waterfox doesn’t totally disable the entirety of Firefox’s pre-fetching service by default. Users will still have to disable DNS prefetching in the about:config settings.

Bing is not a privacy-friendly search provider, but this can be easily changed within Waterfox’s settings:


waterfox preferences page for setting default search engine

Waterfox remains optimized for speed and privacy-friendly. It is also flexible and highly customizable, much like Firefox itself. Even in my initial notes on this browser, there was nothing to really dislike about the browser itself (except, perhaps its lack of support for mobile platforms) – most of my concern came from its association with System1 and what could have happened.

With some time put between the choice to end the association with System1, perhaps Waterfox would grow to be widely recommended in the privacy community again!

The bulk of the original review text will remain easily available here for users to read without referring to the web archive. 🙂

Waterfox was a project started in 2011 by Alex Kontos. Waterfox is free and open source. While it has received contributions from multiple developers over the years, the main driving force for maintaining the project seemed to be the founder himself.

Waterfox initially gained a lot of traction because, at the time, it was one of the only browsers available for x64 systems. Even Firefox, from which Waterfox was forked, only officially supported 32-bit back then.

Interestingly, Waterfox never took a definitive “privacy browser stance.” While it did aim to strip Mozilla’s telemetry and other somewhat questionable default features, Waterfox was primarily built for speed.

However, in doing all of this, its goal was to be an “ethical browser,” and you can reasonably argue that this makes it a privacy focused browser.

To me, it seems to just be a game of semantics, but I digress.


official waterfox site

Nowadays, it seems Waterfox’s biggest draws are still its speed and its support for legacy plugins – especially those that are no longer supported since the introduction of Firefox Quantum in 2016.

Currently, Waterfox comes in two flavors: Waterfox Current and Waterfox Classic. This review will focus on Waterfox Current (G3).

System1 Acquisition

Waterfox was acquired by System1 in December 2019.

System1 is an advertising company that takes a “privacy-focused” position in what it does. As noted previously, it is also the same company that purchased private search engine, Startpage, sometime in Q4 of 2018.


official system1 logo

However, so far, it appears that System1 hasn’t done anything overt to warrant being “untrustworthy” – outside of being a for-profit advertising company. Granted, some might say that near back-to-back acquisitions of independent and privacy-focused projects seems a little out of place…

Download Waterfox

Availability

Waterfox is available on Windows, macOS, and specified Linux distros.

On mobile platforms, it seems that Waterfox was available on Android, but it appears that development has since stalled.

Requirements

There are minimum system requirements for running this browser. These requirements slightly differ across different operating systems:

| | Windows | Linux | macOS |
|---|---|---|---|
| OS version | Windows 7 or newer | Requires Glib 2.28+ | macOS 10.10+ |
| CPU | x64 processor w/ SSSE3 support | x64 processor w/ SSSE3 support | Intel x64 processor |
| RAM | 512 MB | 512 MB | 512 MB |
| Disk Space | 200 MB | 200 MB | 200 MB |

First launch and set up

Once the installation finished up, Waterfox launched very quickly.

My immediate first impression is that it looked like a Firefox clone.


waterfox first launch page

And it makes sense… after all it is a fork of Firefox.

Like many other desktop browsers, there was no guide for set up before using Waterfox. Power users may be thankful for this, but the average user could be a little put off.

The lack of “handholding” is most likely due to the browser being geared towards “power users,” and to people who value choice when it comes to privacy focused (or, in Waterfox’s specific case, “ethical”) browsers.

We’ll dive into the privacy and security features of Waterfox here. We’ll also explore any other unique features this browser has.

uBlock Origin

As a neat little “default,” Waterfox comes with uBlock Origin already installed. This is the same uBlock Origin found in its GitHub, and that you can find in either the Chrome Web Store or Mozilla’s official subdomain for Firefox Add-ons.

If you’re not familiar with uBlock Origin, then here’s a quick rundown:

  1. It’s a wide spectrum tracker blocker that is highly configurable and light on system resources.
  2. It’s practically the “gold standard” for free, privacy-respecting and privacy-enhancing browser plugins.

If you don’t understand the importance of blocking trackers – not just ads – then learn more about the importance of tracker blocking here.

No Mozilla Telemetry

One thing that Waterfox boasts is that it’s stripped of the telemetry Mozilla puts into Firefox’s source code.

From what I could find, that appears to be… mostly true.

For starters, Waterfox has the Firefox Data Collection and Use removed from the Privacy & Security section of the options menu:


telemetry comparison waterfox firefox

(Firefox is on the left, Waterfox on the right)

What’s also important is that Waterfox doesn’t appear to collect its own telemetry either.

When I let Waterfox idle for a few minutes on the standard homepage, it didn’t do anything overtly suspicious, according to Sysmon.

Just to note, it did connect to a number of different CDNs, and also AWS. But it seems everything runs off CDNs and to a slightly lesser extent, AWS, these days.

However, it does look like Waterfox did perform a DNS query for mozilla.org and detectportal.firefox.com:


mozilla sysmon log


detectportal sysmon log

When I did some digging, it looks like Waterfox uses Firefox’s service at detectportal.firefox.com for detecting captive portals (if they exist on a connected Wi-Fi network.)

The Firefox “detectportal” service streamlines the captive portal process. A lot of users might miss a captive portal when trying to use a less familiar (usually public) network, such as a hotel’s Wi-Fi network.

Some users may not like this option being enabled by default, because that means Waterfox is “talking” with Mozilla, and I can understand that. After all, Waterfox’s claim can be interpreted as the browser not “talking” with Mozilla servers.

Fortunately, you can disable this service by visiting about:config and changing network.captive-portal-service.enabled to false.

Usually if you don’t go through the established captive portal, the network will not let your device connect. This can cause a lot of needless frustration for users as they try to diagnose any issues.

If a captive portal detection service is so user-friendly, some might ask why didn’t the developer(s) behind Waterfox implement their own

No Phoning Home

Piggybacking off of the no telemetry “feature”… Waterfox also claims that it does not collect data on its users, nor does it continuously phone home, like other less privacy-focused browsers have a tendency to do.

As I noted above, Waterfox does initiate a couple of connections to Mozilla. This is especially true if you are using it on a device connected wirelessly (AKA, you’re on a Wi-Fi network, as opposed to using an ethernet connection).

On each start up, Waterfox does a DNS query for aus.waterfox.net. This is Waterfox’s automatic update service, which you can’t totally disable. At most, you can tell Waterfox not to automatically install updates, but it will still check for updates anyway.


automatic updates waterfox option

Other than the few CDN connections – of which some are tied to connections to waterfox.net and mozilla.org – Waterfox doesn’t seem to phone home a lot. This is a good thing, especially when you compare it to other browsers that constantly phone home.

about:config / Reimagined Settings

about:config

Unlike Firefox, Waterfox does come with some privacy friendly about:config settings tweaked. However, not all of the privacy-related options are enabled. This isn’t necessarily a bad thing.

Fortunately, if wanted, you can follow an advanced Firefox privacy set-up guide because the about:config options for Firefox are extremely similar to Waterfox:



Configure Firefox/Waterfox for privacy
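
The about:config changes this review points to (disabling the captive portal check, DNS prefetching and search suggestions) can be checked from a profile's prefs.js and user.js instead of by eye. The script below is an added example, not code from the review or from the Waterfox project; it assumes the upstream Firefox pref names network.dns.disablePrefetch and browser.search.suggest.enabled apply to Waterfox unchanged, and the sample profile contents are constructed.

```python
import re

# name -> (wanted value, default when the pref is absent from the profile).
# network.captive-portal-service.enabled is named in the review; the other two
# are the upstream Firefox pref names for DNS prefetching and search
# suggestions, assumed here to be unchanged in Waterfox.
RECOMMENDED = {
    "network.captive-portal-service.enabled": (False, True),
    "network.dns.disablePrefetch": (True, False),
    "browser.search.suggest.enabled": (False, True),
}

# One pref per line: user_pref("name", value);  optionally followed by // text
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*(?://.*)?$'
)


def _convert(raw):
    """Turn the literal from a user_pref() call into a Python value."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    return raw.strip('"')  # string pref; escapes are left as written


def parse_prefs(text):
    """Return {name: value}; a later line for the same pref wins."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if match:  # comments and commented-out prefs do not match
            prefs[match.group(1)] = _convert(match.group(2))
    return prefs


def audit(prefs_js, user_js=""):
    """List (pref, effective value, wanted value) for every setting that is
    still at a value the review advises against. user.js overrides prefs.js,
    as it does when the browser starts."""
    effective = parse_prefs(prefs_js)
    effective.update(parse_prefs(user_js))
    findings = []
    for name, (wanted, default) in RECOMMENDED.items():
        value = effective.get(name, default)
        if value != wanted:
            findings.append((name, value, wanted))
    return findings


# Constructed sample profile contents, not taken from a real installation.
SAMPLE_PREFS_JS = """\
// Constructed sample for the example.
user_pref("browser.search.suggest.enabled", false);
user_pref("browser.startup.homepage", "about:home");
// user_pref("network.dns.disablePrefetch", true);
user_pref("network.captive-portal-service.enabled", true);
"""
SAMPLE_USER_JS = """\
user_pref("network.captive-portal-service.enabled", false);
"""

if __name__ == "__main__":
    for name, value, wanted in audit(SAMPLE_PREFS_JS, SAMPLE_USER_JS):
        print(f"{name}: currently {value}, review suggests {wanted}")
```

The commented-out DNS prefetch line in the sample is deliberately ignored, so that setting is reported as still at its default.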

Main settings

The standard options and settings pages for Waterfox are noticeably different from, let’s say, the likes of Firefox.

For example, you can enable/disable JavaScript from the main options in Waterfox. (In Firefox, disabling JavaScript can only be accomplished via about:config.):


javascript waterfox

You can also adjust WebRTC settings from the main options in Waterfox too. However, it doesn’t look like you can outright disable WebRTC without utilizing about:config…


webrtc config waterfox

Also, you can configure referer header settings straight from Waterfox’s main options as well:


referer config waterfox

Incorporating these options/functions directly into the main options was a good call, in my opinion. Doing so makes them readily accessible for quick configuring, and also accessible to “non-power” users that aren’t super comfortable fiddling around in about:config for whatever reason.

Browser Engine

Waterfox uses the same Gecko engine that Firefox uses.

Updates

Waterfox is updated very frequently. Updates seem to happen not long after Firefox’s source code is updated – this is important since Waterfox runs on Gecko.

These regular updates fix known bugs, exploits, and add new features.

Legacy Firefox Add-on Support

One of the biggest draws for Waterfox is that it’s compatible with the vast majority of Firefox add-ons.

What’s more is that the “Classic” version of Waterfox is compatible with legacy Firefox add-ons – specifically, from the pre-quantum (2016) days.

Chrome Extension Support

A February 2021 update to Waterfox enabled Chrome Extension Support. This enabled the adding of Chrome extensions from the Chrome Web Store directly to Firefox.

I would say this is a double-edged sword. While you now have access to Chromium-only extensions without necessarily using a Chromium browser, this feature is 1) still very buggy and 2) requires a signed-in Google account to download extensions.

Stripped of Telemetry

Many users don’t like telemetry. Many users also don’t like being opted into software telemetry by default.

Unfortunately, Mozilla Firefox does both. However, what’s good is that Waterfox does neither.

As I noted earlier, Waterfox claims that it does not collect telemetry and that it disables Mozilla’s telemetry. Admittedly, this is a tall order – made even taller by the fact that ad/analytics company System1 acquired Waterfox.

In my findings, I found that Waterfox doesn’t appear to collect its own telemetry. Additionally, it doesn’t appear to phone home a lot – which is great!

Compatible with Firefox Add-ons

The easy compatibility with Firefox add-ons makes installing and configuring browser plugins, such as uBlock Origin, a breeze. There is no real need for a “work-around” to utilize Firefox add-ons.

Therefore, for users that wish to ditch Firefox, the migration is made far less painful.

Note: As noted previously, a February 2021 update made Waterfox G3 compatible with Chrome extensions as well. However, at the time of this review, this new feature is still buggy.

Majority owned by an advertising company

As of July 2023, Waterfox has returned to its former status as an independent project and has ended its association with System1.

As stated previously, as of December 2019 Waterfox is now majority owned by advertising/analytics company, System1.

And honestly, this is the biggest con I could find for this browser.

However, it is a con that needs to be considered heavily, especially for users that may have more sensitive threat models.

Internet advertising/analytics companies have been more on the dubious side since the dawn of the public Internet. That’s not to say all ad and analytics companies are terrible – but let’s face it… many are. In fact, I can probably argue until I’m blue in the face that the majority of ad and analytics companies are terrible for reasons other than just data slurping and selling.

Many ad and analytics companies out there are no strangers to using shady and underhanded tactics to drive sales, get leads, and generate profit. They often work hand-in-hand with Big Data (and even Big Tech), gathering, purchasing, and sharing user data.

A lot of the data gathered is done so via highly privacy intrusive ways and sometimes contains sensitive data that becomes highly identifying when correlated with other data points. The purchasing and sharing of this user data is largely unregulated in the US.

Unfortunately, System1 does fall under the broad umbrella of ad/analytic companies. However, from what I could find they haven’t done anything that explicitly says “We are tracking you,” via the Waterfox browser as of writing.

This is definitely a good signal and all, but given the ever-changing environment of browsers (and computer software in general) this doesn’t mean that this can’t happen in the future. Plainly speaking, an update could be pushed that theoretically enables this worst-case scenario to happen.

What’s more is that this doesn’t mean this can’t happen – without users being made explicitly aware – in the future either.

System1 is a company based in the US, which does not have friendly data privacy laws. So, if System1 were to collect telemetry/user data, nothing would really stop them from storing and using (selling, trading, etc) this data indefinitely.

Additionally, companies get acquired all the time. The acquiring company doesn’t always follow the same user privacy practices that the asset company had in place — case in point is the Facebook acquisition of Oculus. Non-profits, such as Mozilla, can’t be bought in such a manner.

Ultimately, before committing to using Waterfox, you’ll need to evaluate if you’re willing to trust System1 in the first place. This is especially true for users looking to move away from Mozilla Firefox due to the amounts of telemetry that can be found within the browser’s source code as a default.

No mobile support

This could be a deal-breaker for some users. For others, not so much.

Allegedly, Waterfox was once available on Android. However, as we noted before, it looks like development for it has stalled.

There is no iOS version of Waterfox and there doesn’t seem to be any development plans for iOS in the near future. At least, for now.

Additionally, the lack of mobile support makes the “Sync” feature of Waterfox kind of lackluster.

Requires many “privacy” tweaks

This could be a deal-breaker for some users. For others, not so much.

For users that are more interested in an easy and “out-of-the-box” privacy browser experience, Waterfox doesn’t fit that bill.

However, this isn’t a con unique to Waterfox. Many other notable privacy browsers, such as Firefox itself and Ungoogled Chromium, don’t come totally configured for privacy without tweaks or the help of browser plugins.

Ultimately, this means that you’ll need to run through the main options menu(s), perform some about:config tweaks, and download trusted privacy-friendly browser plugins.

Overall, the Waterfox browser as a piece of software itself is respectable and not a “bad” pick as far as privacy goes.

It has humble roots, and has been around as an “ethical” browser for over 10 years. It has proven trustworthy as an alternative browser – at least, in the past. Its classic version is a favorite among users that want to utilize legacy Firefox add-ons and NPAPI plugins.

It’s also worth mentioning that it is one of the better-maintained Firefox forks available out there, since it receives regular updates as the team behind Firefox rolls them out.

(This differs from other forks such as Pale Moon, which has effectively become its own browser because it runs on a separate engine.)

While the lack of mobile development can be a big issue for some users, I would say that the core of the issue with Waterfox is the company, System1, that is now behind it.

Can we trust them? Will they try to pull the wool over our eyes? Will they slowly-but-surely attempt to integrate telemetry/user data collection into the browser over time? Only time will tell… and I think that this relative “unknown” doesn’t play well in Waterfox’s favor among many users in the privacy community.

I do not blame anyone for not wanting to use Waterfox if their reason is because of the company that’s now behind it. After all, in that specific area and in some cases, you can certainly argue that this new ownership makes Waterfox not too different from Brave.

Download Waterfox

As always, stay safe out there!


avoidthehack.com
