2018-03-30
My current set of Firefox Quantum (57+) addons
It turns out that I use way more instances of Firefox than I really expected, between my work laptop (in Linux and Windows), the ones I maintain for Twitter (on two machines), test builds to track Firefox development, and so on. Although I'm still using Firefox 56 as my primary Firefox, I've upgraded all of these other instances to Firefox Quantum, which has caused me to converge on a more or less final set of addons that I'm going to use when I switch my primary Firefox over, which is getting increasingly tempting for various reasons (but not for the last reason; switching from NoScript to uMatrix has basically eliminated my memory issues).
(My current excuse for not switching over is that I'm waiting for this bug to be fixed.)
Partly because I keep setting up Firefox Quantum instances and I want a central reference, here's my list of current addons along with some notes on my experience with alternatives and how I configure them. I have more extensive notes on some of these addons in my previous entry on likely Quantum addons.
- uBlock Origin is
my standard block-bad-stuff extension. I turn on advanced mode,
disable WebRTC, and enable uBlock's 'Annoyances' filter list.
(I don't use the advanced mode so far, but turning it on makes it available and gives me easily available information on what the page uses and what's blocked.)
- uMatrix
is what I now use to block JavaScript and
cookies (and other bad stuff). I disable showing the number of
blocked resources on the icon because it tends to be too noisy
(and uBlock Origin basically does that too) and I turn off spoofing
<noscript> tags, spoofing the HTTP referer for third party requests,
and regularly clearing the browser cache.
(Possibly I should allow uMatrix to spoof the HTTP referer, but I have complicated feelings about this in general because of how the HTTP referer is useful to site operators.)
- Foxy Gestures is
the best replacement for FireGestures that
I've found. Mozilla's 'find a replacement for your old addon' stuff
recommends Gesturefy, but for
me it's an inferior replacement; I don't like parts of its UI,
it doesn't appear to have export and import of your changes in
gesture bindings, and it doesn't allow for user custom gestures
which is important to me because I hack some new WebExtensions
APIs into my personal Firefox build
in order to add gestures that are important to me.
- Disable Autoplay for Youtube
is the best addon I've found for this purpose; it's very close
to how FlashStopper works.
The one flaw I've found with it, which I suspect is generic to how
WebExtensions work, is that if I restart the browser with one or
more YouTube windows active, one of them will start to play for
a bit as the browser starts before this addon activates and stops
it. I'm going to experiment with setting Firefox's
media.autoplay.enabled
preference to False to see if this is a tolerable solution that doesn't stop too many things or have other undesirable side effects, and it's possible that in the end this preference will be all that I need and I don't need (or want) an addon for this.(I can imagine some people wanting to stop autoplay only on YT, but this isn't my situation; I don't want video to autoplay anywhere. It's just that YT is one of the few places that I have configured to play video at all.)
I configure the addon to also stop autoplay of Youtube playlists; basically I never want Youtube to autoplay things. Sometimes the video or piece of music that I want to play on YT is part of a playlist, which makes it very irritating when YT autoplays the next one on me. I didn't come to YT to listen to the playlist, I came for one thing.
- Cookie AutoDelete is
my current replacement for Self-Destructing Cookies
(which I adopted in my primary Firefox due to switching to
uMatrix). I enable autocleaning, turn
off showing the number of cookies for the domain and notification,
and turn on cleaning Localstorage.
(I wish Cookie AutoDelete had something similar to SDC's 'recently self-destructed cookies' information because it's reassuring to know, but genuine notifications are too obtrusive.)
- Cookie Quick Manager
is a great addon for checking in on what cookies the browser is
hanging on to and to peer inside them. I installed it basically
to keep an eye on Cookie AutoDelete, but I feel it's handy in general.
Because of how my window manager is set up, I configure it to start
in a tab.
(I've looked at Cookie Manager but I didn't like its interface as much.)
- Textern
is my replacement for It's All Text and
I like it. In my primary Firefox, I'll be sideloading a hacked
version that adds a context menu item for it.
- Open in Browser
is a traditional extension that I use because some websites try
to have you download things that I can perfectly well view in the
browser instead (for example, some bug trackers want you to
download attachments to bug reports even for things like patches
or logs that I could perfectly well view in the browser).
- My Google Search URL Fixup
addon, for the obvious reason. It turns
out that Don't track me Google
(written by the author of Open in Browser) will also do this
(and for more Google search domains), but it's a lot more heavyweight
so I'm sticking with my own addon.
- HTTPS Everywhere, basically just because.
(Some of these addons work best on the most recent version of Firefox
that you can get, because they use WebExtensions APIs and the like
that weren't in Firefox 57. This is especially important for Foxy
Gestures, due to issues with the middle mouse button on Linux in
Firefox 57. Fortunately you shouldn't be running Firefox 57 anyway.
I expect and hope that Firefox's WebExtensions APIs keep improving
in new releases (and I have at least one bug that I should file
sometime, because about:home
currently doesn't work too well in
my setup).)
In general there are some limitations and irritations in the new WebExtensions world but I can basically get something equivalent to my current Firefox environment, Firefox Quantum appears to have real performance improvements, and like it or not Quantum is my future. I know I don't sound too enthused here, but I kind of am. At this point I've put Firefox Quantum through a reasonable amount of use (primarily due to Twitter) and it's left me reasonably enthused about eventually switching.
I don't bother to use all of these extensions in every Firefox instance I have (and I can't sideload my hacked Textern version in anything except my own builds, since only 'developer' versions of Firefox can load unsigned addons), but this is the full set. Possibly I should use uMatrix more widely than I currently do, since it's not too annoying to set it up to allow only Twitter to use JavaScript and cookies (for example).
Sometimes, not trying to reject some sort of spam is the right answer
I've written before about not doing anything about a temporary spate of spam, and it remains a useful guideline. But sometimes you're pretty convinced that certain spam patterns are long-standing, and it turns out that the right answer is still to not do anything, however reluctantly. As it happens, I have an example that we recently decided on.
One of the patterns we observe is that a decent amount of the attachments we get come from IPs listed in the Spamhaus Zen DNSBL. A further pattern we've seen is that a decent amount of those are detected as malware (see eg this), and we've also seen that there are some highly active Zen-listed sources (see this set of numbers from January). Given all of this, I recently put forward the idea of rejecting all messages from Zen-listed IPs that had an attachment, for the same broad reason that we reject some sorts of attachments; we're almost completely sure that these emails are bad and they're often dangerous, but our commercial anti-spam package may not pick the malware up on its own and cause us to reject them.
When I put it that way, this probably sounds good, and certainly that's how I thought of the idea when I proposed it. Then I put together some numbers, based on how many messages we would actually be shielding users from if we did this. It turned out that many of the messages were already being rejected and almost all of the remaining messages were already being scored as spam (and when I say 'almost all', I mean 816 out of 820).
We had a long discussion and decided that we weren't going to reject these messages. There are local reasons for why not that I'm not going to get into, but apart from them there is a larger one that caused me to not argue too hard for the rejections, which is that this doesn't seem like something with a high payoff in practice. It's not just that the volume is not huge; it's also that basically everything is already being detected as bad (and at least some of our users are discarding the email based on that).
There's an almost infinite set of things that you could do to reduce spam, with some payoff (and many with a reasonably worthwhile one). The challenge about anti-spam work is not finding things to do to reduce spam, it is partly in not doing things, because every thing you do has a cost that goes with its benefits. Sometimes that cost is too high relative to the gain, and it's not because the particular sort of spam is temporary; it's because the sort of spam is already being blocked well enough as it is, even though you could do better.
Sure, some of our users could ignore the 'this is probably spam' warnings and fall for malware that we allowed to be delivered to them. There could even be bad stuff in those four email messages that weren't scored as spam (to be honest, there probably was at least spam). But our existing system is doing well enough even though it's not perfect, and it's already complicated enough. So doing nothing this time is the right answer.
(It helps here that in the past I've enthusiastically put in some clever anti-spam trick, only to have it make somewhat less impact than I was hoping for. That's not a good feeling either.)