Back

@dalias You should provide http://detectportal.firefox.com (though replacing it with a local version is sensible), and it looks like https://tracking-protection.cdn.mozilla.net is just an S3 bucket full of hashes. The others, though, I could do without.

@dalias Mozilla could simply modify the source code of Firefox to do that. Your threat model should be data exfiltration, imo, not remote reconfiguration.

Check the source, to see if tracking protection is applied to extensions. I doubt it would be.

@wizzwizz4 No, they cannot modify the source code on my machines *after I compiled it* (or rather after the distro I trust did). The whole violation is them having power to retroactively change things after I got it.

@dalias This is only relevant if you (or the distro) are reviewing all the changes, which is unlikely to be the case. Big browser engines like Firefox and Chromium are so buggy that you pretty much have to keep them “up to date”, for security reasons.

If someone were reviewing all the changes, then the code in Firefox that allows Mozilla to retroactively change things would, surely, have been identified and removed (because, as you say, it's greatly undesirable), meaning there's no problem.