Unplugging from Corporate Internet: A Guide
#21
RE: Unplugging from Corporate Internet: A Guide
I had somebody arguing with me about my use of Pale Moon the other day. I stopped for a second and I asked him, "Why does it concern you so much what risks I take?"

He promptly ignored the question and continued to lecture me on security in this, that and the other and then started masturbating to Rust. People don't seem to understand that it's your choice to choose security and that if everybody was really that security conscious the internet itself would probably look very different. The fact is the majority of people are already taking measured risks going on porno sites and clicking on ads they see that are obviously sending you to terrible places on the internet full of malware; so maybe you can lay off someone who uses a less common browser out of personal preference and maybe understand that they are not idiots, they just have no other option and are willing to take a measured risk in that.

I'm the system admin of this site. Private security technician, licensed locksmith, hack of a C developer and vintage computer enthusiast.

https://contrib.irixnet.org/raion/ -- contributions and pieces that I'm working on currently. 

https://codeberg.org/SolusRaion -- Code repos I control

Technical problems should be sent my way.
Raion
Chief IRIX Officer

Trade Count: (9)
Posts: 4,240
Threads: 533
Joined: Nov 2017
Location: Eastern Virginia
06-15-2022, 02:58 PM
#22
A principled stance on security requires the web browser to be deleted entirely.

Personaliris O2 Indigo2 R10000/IMPACT Indigo2 R10000/IMPACT Indigo2 Indy   (past: 4D70GT)
robespierre
refector peritus

Trade Count: (0)
Posts: 640
Threads: 3
Joined: Nov 2020
Location: Massholium
06-15-2022, 05:08 PM
#23
Exactly

Raion
Chief IRIX Officer
06-15-2022, 05:22 PM
#24
I feel like I'm pretty safe, sitting behind a firewall that is NOT a commercial router (don't ever use a commercial router to connect to the Internet, there's no such thing as a safe commercial router); it's a Linux computer that has two NICs, running a kernel I configured and compiled myself, with an iptables configuration script that I wrote myself. Also, my /etc/hosts file currently blocks 9991 known blipvert/malware sites. Not sure what else I can do other than robespierre's suggestion not to use any browser at all...

Project: Temporarily lost at sea
Plan: World domination! Or something...
vishnu
Tezro, Octane2, 2 x Onyx4

Trade Count: (0)
Posts: 1,245
Threads: 41
Joined: Dec 2017
Location: Minneapolis, Minnesota USA
06-15-2022, 11:57 PM
#25
But anyways, using any kind of browser is risk management, and as the code base of Pale Moon has diverged, I don't think any browser based on it has as much to worry about because nobody is directly targeting it. Is it 100% safe? No. No browser is.

Risk management is a problem, but ultimately, considering Mozilla no longer allows a pure C++ build and how hard Rust is to bootstrap, there's not much I can do in some systems. And as I have said, Mozilla is a slimeball company. Neither Google nor Microsoft nor Apple nor Mozilla have consumer interest in mind.

Raion
Chief IRIX Officer
06-16-2022, 12:39 AM
#26
(06-16-2022, 12:39 AM)Raion Wrote:  And as I have said, Mozilla is a slimeball company. Neither Google nor Microsoft nor Apple nor Mozilla have consumer interest in mind.

I wholeheartedly concur with that sentiment, but even agreeing with that I do think the coders who are in the guts of Firefox are doing their best to create a safe product. I do keep an eye on what's going on at hg.mozilla.org - and unless they have a secret way of adding code that's nefarious, I've never seen anything get added that looked sketchy...

vishnu
Tezro, Octane2, 2 x Onyx4
06-19-2022, 10:57 PM
#27
I'm working on an updated guide; this thread will be locked when it comes out. But I did want to give an official retort to people who want to trash Pale Moon:

https://forum.palemoon.org/viewtopic.php...65#p229998

"There are a few Pale Moon specific CVEs but in general any sec bugs reported are simply fixed and not submitted/requested as a CVE. I could, if I wanted to, report all theoretical vulnerabilities like Mozilla is doing whenever I find a UAF or missing null check or race condition or lock issue, but I really don't see the point in putting my time into it when I have a lot better use for that time. 95% of Mozilla's CVEs are found through fuzzing or code inspection or because someone ran into odd behaviour, and not because it's actually exploited in the wild, anyway."

His response is relatively professional and makes a lot of sense. It also makes sense for a smaller development team.

That's not to say that fuzzing or inspection is bad. It's absolutely not, but there's a difference.

Of course I invite any Firefox developers that might have had history on it to chime in (e.g. vvuk?).

Raion
Chief IRIX Officer
08-06-2022, 05:40 PM