Wandering Thoughts archives

2018-03-30

My current set of Firefox Quantum (57+) addons

It turns out that I use way more instances of Firefox than I really expected, between my work laptop (in Linux and Windows), the ones I maintain for Twitter (on two machines), test builds to track Firefox development, and so on. Although I'm still using Firefox 56 as my primary Firefox, I've upgraded all of these other instances to Firefox Quantum, which has caused me to converge on a more or less final set of addons that I'm going to use when I switch my primary Firefox over, which is getting increasingly tempting for various reasons (but not for the last reason; switching from NoScript to uMatrix has basically eliminated my memory issues).

(My current excuse for not switching over is that I'm waiting for this bug to be fixed.)

Partly because I keep setting up Firefox Quantum instances and I want a central reference, here's my list of current addons along with some notes on my experience with alternatives and how I configure them. I have more extensive notes on some of these addons in my previous entry on likely Quantum addons.

  • uBlock Origin is my standard block-bad-stuff extension. I turn on advanced mode, disable WebRTC, and enable uBlock's 'Annoyances' filter list.

    (I don't use the advanced mode so far, but turning it on makes it available and gives me easily available information on what the page uses and what's blocked.)

  • uMatrix is what I now use to block JavaScript and cookies (and other bad stuff). I disable showing the number of blocked resources on the icon because it tends to be too noisy (and uBlock Origin basically does that too) and I turn off spoofing <noscript> tags, spoofing the HTTP referer for third party requests, and regularly clearing the browser cache.

    (Possibly I should allow uMatrix to spoof the HTTP referer, but I have complicated feelings about this in general because of how the HTTP referer is useful to site operators.)

  • Foxy Gestures is the best replacement for FireGestures that I've found. Mozilla's 'find a replacement for your old addon' stuff recommends Gesturefy, but for me it's an inferior replacement; I don't like parts of its UI, it doesn't appear to have export and import of your changes in gesture bindings, and it doesn't allow for user custom gestures which is important to me because I hack some new WebExtensions APIs into my personal Firefox build in order to add gestures that are important to me.

  • Disable Autoplay for Youtube is the best addon I've found for this purpose; it's very close to how FlashStopper works. The one flaw I've found with it, which I suspect is generic to how WebExtensions work, is that if I restart the browser with one or more YouTube windows active, one of them will start to play for a bit as the browser starts before this addon activates and stops it. I'm going to experiment with setting Firefox's media.autoplay.enabled preference to False to see if this is a tolerable solution that doesn't stop too many things or have other undesirable side effects, and it's possible that in the end this preference will be all that I need and I don't need (or want) an addon for this.

    (I can imagine some people wanting to stop autoplay only on YT, but this isn't my situation; I don't want video to autoplay anywhere. It's just that YT is one of the few places that I have configured to play video at all.)

    I configure the addon to also stop autoplay of Youtube playlists; basically I never want Youtube to autoplay things. Sometimes the video or piece of music that I want to play on YT is part of a playlist, which makes it very irritating when YT autoplays the next one on me. I didn't come to YT to listen to the playlist, I came for one thing.

  • Cookie AutoDelete is my current replacement for Self-Destructing Cookies (which I adopted in my primary Firefox due to switching to uMatrix). I enable autocleaning, turn off showing the number of cookies for the domain and notification, and turn on cleaning Localstorage.

    (I wish Cookie AutoDelete had something similar to SDC's 'recently self-destructed cookies' information because it's reassuring to know, but genuine notifications are too obtrusive.)

  • Cookie Quick Manager is a great addon for checking in on what cookies the browser is hanging on to and to peer inside them. I installed it basically to keep an eye on Cookie AutoDelete, but I feel it's handy in general. Because of how my window manager is set up, I configure it to start in a tab.

    (I've looked at Cookie Manager but I didn't like its interface as much.)

  • Textern is my replacement for It's All Text and I like it. In my primary Firefox, I'll be sideloading a hacked version that adds a context menu item for it.

  • Open in Browser is a traditional extension that I use because some websites try to have you download things that I can perfectly well view in the browser instead (for example, some bug trackers want you to download attachments to bug reports even for things like patches or logs that I could perfectly well view in the browser).

  • My Google Search URL Fixup addon, for the obvious reason. It turns out that Don't track me Google (written by the author of Open in Browser) will also do this (and for more Google search domains), but it's a lot more heavyweight so I'm sticking with my own addon.

  • HTTPS Everywhere, basically just because.

(Some of these addons work best on the most recent version of Firefox that you can get, because they use WebExtensions APIs and the like that weren't in Firefox 57. This is especially important for Foxy Gestures, due to issues with the middle mouse button on Linux in Firefox 57. Fortunately you shouldn't be running Firefox 57 anyway. I expect and hope that Firefox's WebExtensions APIs keep improving in new releases (and I have at least one bug that I should file sometime, because about:home currently doesn't work too well in my setup).)

In general there are some limitations and irritations in the new WebExtensions world but I can basically get something equivalent to my current Firefox environment, Firefox Quantum appears to have real performance improvements, and like it or not Quantum is my future. I know I don't sound too enthused here, but I kind of am. At this point I've put Firefox Quantum through a reasonable amount of use (primarily due to Twitter) and it's left me reasonably enthused about eventually switching.

I don't bother to use all of these extensions in every Firefox instance I have (and I can't sideload my hacked Textern version in anything except my own builds, since only 'developer' versions of Firefox can load unsigned addons), but this is the full set. Possibly I should use uMatrix more widely than I currently do, since it's not too annoying to set it up to allow only Twitter to use JavaScript and cookies (for example).

web/FirefoxQuantumAddons written at 23:28:57; Add Comment

Sometimes, not trying to reject some sort of spam is the right answer

I've written before about not doing anything about a temporary spate of spam, and it remains a useful guideline. But sometimes you're pretty convinced that certain spam patterns are long-standing, and it turns out that the right answer is still to not do anything, however reluctantly. As it happens, I have an example that we recently decided on.

One of the patterns we observe is that a decent amount of the attachments we get come from IPs listed in the Spamhaus Zen DNSBL. A further pattern we've seen is that a decent amount of those are detected as malware (see eg this), and we've also seen that there are some highly active Zen-listed sources (see this set of numbers from January). Given all of this, I recently put forward the idea of rejecting all messages from Zen-listed IPs that had an attachment, for the same broad reason that we reject some sorts of attachments; we're almost completely sure that these emails are bad and they're often dangerous, but our commercial anti-spam package may not pick the malware up on its own and cause us to reject them.

When I put it that way, this probably sounds good, and certainly that's how I thought of the idea when I proposed it. Then I put together some numbers, based on how many messages we would actually be shielding users from if we did this. It turned out that many of the messages were already being rejected and almost all of the remaining messages were already being scored as spam (and when I say 'almost all', I mean 816 out of 820).

We had a long discussion and decided that we weren't going to reject these messages. There are local reasons for why not that I'm not going to get into, but apart from them there is a larger one that caused me to not argue too hard for the rejections, which is that this doesn't seem like something with a high payoff in practice. It's not just that the volume is not huge; it's also that basically everything is already being detected as bad (and at least some of our users are discarding the email based on that).

There's an almost infinite set of things that you could do to reduce spam, with some payoff (and many with a reasonably worthwhile one). The challenge about anti-spam work is not finding things to do to reduce spam, it is partly in not doing things, because every thing you do has a cost that goes with its benefits. Sometimes that cost is too high relative to the gain, and it's not because the particular sort of spam is temporary; it's because the sort of spam is already being blocked well enough as it is, even though you could do better.

Sure, some of our users could ignore the 'this is probably spam' warnings and fall for malware that we allowed to be delivered to them. There could even be bad stuff in those four email messages that weren't scored as spam (to be honest, there probably was at least spam). But our existing system is doing well enough even though it's not perfect, and it's already complicated enough. So doing nothing this time is the right answer.

(It helps here that in the past I've enthusiastically put in some clever anti-spam trick, only to have it make somewhat less impact than I was hoping for. That's not a good feeling either.)

spam/PassingUpSpamRejections written at 01:44:00; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.