Posted: . At: 9:12 AM. This was 2 years ago. Post ID: 16210


Browser security in 2022 is still not perfect.


My Waterfox Classic installation is becoming increasingly broken because of not updating it in a very long time, and since I’m pretty much forced to upgrade I decided to take some time to analyze what the new version is doing since everything that’s happened with it has made me a bit uncomfortable. I thought I’d post my analysis for others to see since I always see other Waterfox Classic users here so maybe it’ll be useful to other people.

The TL;DR is that the browser doesn’t seem to do anything that the original Firefox wouldn’t do and that Waterfox (and the company that it’s now a part of) doesn’t seem to have added anything new and invasive to it, which is something that I’m happy to report. Overall, the biggest problem with the browser is some of its defaults and some of the things it’ll do while updating, but I haven’t seen it connect anywhere shady while browsing or when doing actions inside the browser like Google Analytics for example.

As mentioned, one of the biggest problems with the browser is updating. There’s a shitload of things the browser “needs” to update, among them the browser itself, blocklists for several types of content such as webpages with malware and malicious addons, anti-tracking stuff, language packs, search engines, DRM (as in anti-piracy) video libs, and probably other stuff I’m forgetting. I’m going to go over these in bullets.

* The browser will come with self-update enabled, but disabling it seems to completely disable the version check, which is what’s expected. Honestly, this is the least of the problems as it seems to just send a request to waterfox.com without any parameters or cookies, so it really is the minimum information required to update your browser, and again it can easily be disabled.
* Playback of DRM media can be configured through the preferences pages, but even if you have it disabled the browser will still try to “update” these features for you, which involves downloading a pointless closed source anti-piracy shared library from Google for no good reason. I think disabling general updates will also disable this request. The domain that gets accessed for this is redirector.gvt1.com.
* Similar to the previous bullet, Waterfox will go fetch an h264 shared library that I imagine doesn’t come with the browser. I didn’t really dig further on this library because it’s probably required by the browser for videos to work properly, but it’s not a nice way of distributing libraries, and apparently, this also gets disabled when you disable updating. The domain it gets the library from is ciscobinary.openh264.org.
* Waterfox also comes with “safebrowsing” like every other browser but unfortunately even if you disable “deceptive content” filtering and regular updates, it will still go check with Mozilla (or Google if something goes wrong with the first alternative) for updated domain blocklists. Even if you turn everything related to this feature off in about:config, it’ll still go check. The only workaround I found was removing the domains for the safe browsing service so it literally has nowhere to go check (look up safe browsing on about:config).
* Moreover, Waterfox will go check for “tracking protection” updates even if you asked it never to use tracking protection and turn off everything related to this and the updates in the GUI and about:config. It makes a lot of requests for this, seemingly to block plugins and flash stuff, but it’s not very evident as the response is just binary stuff. The domain it accesses is tracking-protection.cdn.mozilla.net. It seems for some reason that this can actually be turned off by removing the safe browsing domains as mentioned in the previous bullet, even if the domain it goes to check for this isn’t in any of those keys. Go figure.
* Because you can never have enough blocklists, there’s an additional blocklist it requests which seems to be related to drivers, certificates, extensions, devices, and other stuff. There’s no option in the GUI to disable this, but you can do it through about:config if you wish through the extensions.blocklist.enabled key. The domain it checks for this is blocklists.settings.services.mozilla.com, which you can also remove from about:config for extra safety.
* In addition, Waterfox will check with Mozilla where your IP hails from, and it doesn’t matter whether you have “Enable Geolocation” enabled. The information it gets is just your country’s name and country code, but it still shouldn’t be making that request. The domain it uses for this is location.services.mozilla.com. There doesn’t seem to be any way to deactivate this.
* As if this wasn’t enough, Waterfox sends a shitton of requests to Mozilla to update every language pack that exists for Firefox, even if you don’t have any of them installed, which is retarded but such is life. Much like previously, there’s no option to configure this check, so the only option is to add the domain to hosts (versioncheck-bg.addons.mozilla.org).
* On top of all this, Waterfox does the captive portal check against Mozilla, where it basically makes a dummy request to a service to see if the browser has access to the internet, and this is done pretty often. This can easily be disabled in about:config though (network.captive-portal-service.enabled).

Finally, search suggestions also come enabled by default so everything you type (no, seriously, everything) on your navigation bar gets sent to Microsoft (by default), however, there’s an option to disable this in the GUI.

While this is less than an ideal list of issues, it doesn’t seem out of the ordinary considering where this browser comes from, and as previously mentioned Waterfox hasn’t added any spyware of its own. Most of the stuff it requests are lists so hopefully, the real work with your information happens in your browser and doesn’t go anywhere else, especially if you have configured the browser to not use those services, but at least safe browsing I think does go query with the real URL to a Mozilla or Google service when it gets a hit on a local list “just to be safe”, which is bullshit.

To summarize, if you:
* Disable search suggestions
* Disable Geolocation
* Disable Waterfox updates
* Disable updating search engines
* Remove URLs for safebrowsing from about:config
* Disable captive portal from about:config
* Disable blocklists from about:config

You’re left with just the requests to the location service and language pack update service. You can then add those two URIs to your hosts if you wish, and then the browser doesn’t make any requests whatsoever outside of those that are necessary to load the pages you ask it to.

This is the release I tested: 99afdad5fdf3f82884e9f626e3de08392adbade6924d7292062745cacef68fdc waterfox-classic-2021.04.2.en-US.linux-x86_64.tar.bz2
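
One way to verify the summary above, as an added example that is not part of the original post: with the hardened browser left idle, log DNS queries and check that only the two domains the post could not switch off still show up. The dnsmasq-style log format, the function names and the sample lines are assumptions made for this sketch; the domains and their features are the ones named in the post.

```python
import re

# Domains named in the post -> (feature, whether the post found a setting that stops it).
# Note: deliberately visiting waterfox.com in a tab will also match the first entry.
BACKGROUND = {
    "waterfox.com": ("browser update check", True),
    "redirector.gvt1.com": ("DRM library update", True),
    "ciscobinary.openh264.org": ("h264 library download", True),
    "tracking-protection.cdn.mozilla.net": ("tracking protection lists", True),
    "blocklists.settings.services.mozilla.com": ("extensions blocklist", True),
    "location.services.mozilla.com": ("IP country lookup", False),
    "versioncheck-bg.addons.mozilla.org": ("language pack update", False),
}
# Assumed log source: dnsmasq query logging ("... query[A] name from client").
QUERY_RE = re.compile(r"query\[(?:A|AAAA)\]\s+(\S+)\s+from\s")

def match_domain(name):
    """Return the listed domain that `name` equals or is a subdomain of, else None."""
    name = name.lower().rstrip(".")
    for domain in BACKGROUND:
        if name == domain or name.endswith("." + domain):
            return domain
    return None

def audit(log_lines):
    """Split observed lookups into (setting did not stick, known residual)."""
    unexpected, residual = {}, {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        domain = match_domain(m.group(1)) if m else None
        if domain is None:
            continue  # ordinary browsing traffic or an unparsable line
        feature, has_setting = BACKGROUND[domain]
        (unexpected if has_setting else residual)[domain] = feature
    return unexpected, residual

def hosts_entries(residual):
    """hosts-file lines that null-route the domains with no browser setting."""
    return [f"0.0.0.0 {d}  # {residual[d]}" for d in sorted(residual)]

# Constructed sample: queries logged while the hardened browser sat idle.
SAMPLE_LOG = [
    "Mar  3 09:12:01 dnsmasq[811]: query[A] location.services.mozilla.com from 127.0.0.1",
    "Mar  3 09:12:02 dnsmasq[811]: query[AAAA] versioncheck-bg.addons.mozilla.org from 127.0.0.1",
    "Mar  3 09:12:05 dnsmasq[811]: query[A] tracking-protection.cdn.mozilla.net from 127.0.0.1",
    "Mar  3 09:12:09 dnsmasq[811]: query[A] example.org from 127.0.0.1",
]

if __name__ == "__main__":
    unexpected, residual = audit(SAMPLE_LOG)
    for d, f in unexpected.items():
        print(f"setting did not stick: {d} ({f})")
    print("\n".join(hosts_entries(residual)))
```

Anything reported as "setting did not stick" points at a preference that was not applied or was reset; the printed `0.0.0.0` lines cover the two residual domains.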

