SoylentNews is people
SoylentNews
In Feb/March 2017, we opened a usage survey for anyone to fill out, which was a public request to users, past and present alike, to indicate which parts of Pale Moon should have focus, and to decide in part on development direction. This was done in the spirit of "Your Browser, Your Way"™ -- you, the user, should have a say in what your browser will be shaped like!
This page provides an analysis of the results, and provides our (dev) response to some of the comments our survey respondents left.
[...]
About 80% of the respondents use Pale Moon as their primary web browser to surf the web. The other 20% uses either a different browser or multiple (other) browsers to varying degrees. Of course it is fantastic to see so many users using Pale Moon as their main (or only) web browser of note.
Among our users responding to the survey, the main reasons for not using Pale Moon as their primary browser have been:
1. Extension compatibility with Firefox extensions. Unfortunately, it's not possible for us to provide exact compatibility with Firefox extensions because we are not Firefox. Because of our different application code, we are also not able to provide compatibility with WebExtensions at this time, because those use HTML for user interface elements instead of XUL. We are, however, working on providing an as broad as possible support for the three main extension formats in use: XUL, bootstrapped and SDK (in the form of PMkit); the technologies that Mozilla is going to completely abandon in November 2017 with Firefox 57.
2. Website compatibility. As long as websites keep specifically checking for and catering to (specific versions of) only 3 or 4 "mainstream" browsers, you will always have some sites that will not cooperate with using an independent alternative. On the browser side, there is very little we can do to prevent this. As a user, however, you have the power to convince websites to give this attention by contacting webmasters of troublesome sites and making them aware of their restrictions.
3. "Firefox is more secure". There is still a percentage of people that take arbitrary version numbers as a criterion at face value to determine what is, in their opinion, "outdated" or "insecure". Once more here the affirmation that Pale Moon is most definitely as secure, if not more so, than the current mainstream browsers. Our versioning is also independent of the versioning used by Mozilla. Security vulnerabilities that become known in the Mozilla platform code ar evaluated regularly and ported across if applicable.
4. "Chrome is faster". This may be, depending on what you use to measure "speed"; in our experience though, there is no significant difference between any of the modern browsers when it comes to real-world speed. In fact, Pale Moon has regularly shown to perform very well in comparison on lower-end computers. Your Mileage May Vary in this respect.
[...]
Pretty much a unanimous vote here (even among the 20% who don't use Pale Moon as their main browser) that extensions are essential to the browser. Totally expected, and maybe Mozilla can draw a lesson from this.
This also underwrites the need for what we've been working on to restore: as much compatibility with Jetpack-style extensions as possible through PMkit.
http://www.palemoon.org/survey2017/
(Score: 2) by Runaway1956 on Thursday March 09 2017, @05:31PM
A naked browser is alright - sometimes. A couple extensions are essential - adblockers, and script blockers. Take your choice of several that work well on Firefox or on Chrome, some of them on both. With Palemoon, you are pretty restricted. Other extensions, some of us can just live without. Palemoon would be my primary browser, if only those extensions worked properly.
Another alternative, is Iron browser, which has a similar outlook on life that Palemoon has, but they start with Chrome, and recompile it without all the spy features.
https://www.srware.net/forum/viewforum.php?f=21 [srware.net]
https://www.srware.net/forum/viewtopic.php?t=8987 [srware.net]
Unfortunately, you will also run into issues with extensions on Iron as well.
I keep both browsers on my machine, along with Firefox and Chrome. Sometimes, a site won't load properly on one browser (script block, adblock, or some random reason) so I load that site in another browser. Ehh - sometimes, it's a lot of screwing around, and sometimes I wonder why I do it.
(Score: 3, Interesting) by looorg on Thursday March 09 2017, @05:43PM (2 children)
I didn't even know they had a survey, totally missed that and I use the browser everyday.
They do seem to draw some odd conclusions tho if one is to judge from language and pie-charts such as "we've seen a very big percentage of people primarily using Linux.". OK 31.3%, about a 1/3 users -- still it somewhat pales in comparison to the windows users at 66.4% (64- and 32-bit combined). Perhaps they wanted to say that there was a large increase in Linux users? But then you kind of need to have some previous results to compare to.
Personally I find myself disagreeing with the masses if one is to judge the other questions such as they want massive support for various image, audio and video formats. I don't care about that at all. I don't listen or stream in the browser so that might have something to do with it I guess. I just want my browser to be fast and secure and not crashing or sucking up all my memory.
(Score: 1, Insightful) by Anonymous Coward on Thursday March 09 2017, @08:35PM
Could be that they are comparing themselves with Firefox. And in that case one should not be surprised, as Firefox switched to GTK3 for their Linux variant a while back, leaving many "older" systems in a bind (And now Firefox depends on Pulseaudio, making even more tempting to go Palemoon full time on Linux).
(Score: 1, Insightful) by Anonymous Coward on Friday March 10 2017, @08:43AM
They do seem to draw some odd conclusions tho if one is to judge from language and pie-charts such as "we've seen a very big percentage of people primarily using Linux.". OK 31.3%, about a 1/3 users -- still it somewhat pales in comparison to the windows users at 66.4% (64- and 32-bit combined).
If we set the Linux market share to 3.1% (somewhat on the high side, AFAIK), 31% is ten times as many as expected. That would count as a very big percentage to most people.
(Score: 1, Informative) by Anonymous Coward on Thursday March 09 2017, @05:48PM (9 children)
We are, however, working on providing an as broad as possible support for the three main extension formats in use: XUL, bootstrapped and SDK (in the form of PMkit); the technologies that Mozilla is going to completely abandon in November 2017 with Firefox 57.
So... you're going to be 'behind' even more and get out of sync even more with one of the major browsers in the world and its capabilities? You'll make it even harder for folks to develop extensions for your product?
2. Website compatibility. As long as websites keep specifically checking for and catering to (specific versions of) only 3 or 4 "mainstream" browsers, you will always have some sites that will not cooperate with using an independent alternative. On the browser side, there is very little we can do to prevent this. As a user, however, you have the power to convince websites to give this attention by contacting webmasters of troublesome sites and making them aware of their restrictions.
How about focusing on extensions and creating a default extension which lets you spoof this, I mean, if this is such a big deal, why not allow spoofing right from the get-go with an officially supported extension for this?
Once more here the affirmation that Pale Moon is most definitely as secure, if not more so, than the current mainstream browsers.
Well yeah, you ain't got no extensions which are one of the major attack vectors and weaknesses when privacy is at stake.
All in all, this reads very much like a "we /could/ do this but we don't want to..."
(Score: 5, Insightful) by Anonymous Coward on Thursday March 09 2017, @06:19PM (1 child)
Doesn't being stable (changing slowly) also assist in having sufficient extensions? That's one of the strategies/goals of PM, isn't it? Chasing after the other brands' changes is against that goal. There is a trade-off in being a non-moving target for extension devs versus keeping up with the Jones' in order to borrow their extensions.
I believe it in the spirit of PM to leverage the advantages of stability. I suspect most PM users are PM users because the other browsers change for the sake of change alone, ticking people off.
(Score: 1, Insightful) by Anonymous Coward on Thursday March 09 2017, @07:23PM
Web browsers are capable of so much, I really would prefer a more stable experience that tends not to break functionality.
(Score: 4, Informative) by AndyTheAbsurd on Thursday March 09 2017, @07:14PM (1 child)
How about focusing on extensions and creating a default extension which lets you spoof this, I mean, if this is such a big deal, why not allow spoofing right from the get-go with an officially supported extension for this?
Simply spoofing the user-agent (which seems to be what you're suggesting) wouldn't be sufficient, the browser would have to spoof the behavior of other browsers. That's really, really, REALLY not feasible - especially since many sites are uncooperative about working with what they perceive as "minor league" browser developers, so you can't even figure out where the issue is.
And there's already a built-in way to spoof the user agent, in a site specific way, and which users can add to: In Pale Moon's about:config, there's a series of preferences with names starting with general.useragent.override. followed by the name of the site that it's active for. There's some weird things in there - for example, different overrides are used for gaming.youtube.com and the rest of youtube.com.
Please note my username before responding. You may have been trolled.
(Score: 0) by Anonymous Coward on Friday March 10 2017, @01:40AM
the browser would have to spoof the behavior of other browsers.
You seem to be giving web 'developers' a lot of credit there...
(Score: 5, Informative) by tangomargarine on Thursday March 09 2017, @07:22PM (3 children)
So... you're going to be 'behind' even more and get out of sync even more with one of the major browsers in the world and its capabilities?
Accurate enough.
You'll make it even harder for folks to develop extensions for your product?
No, in fact they'll be the only guys still supporting the way Mozilla *currently* lets people design addons (more or less). It's Mozilla who's jettisoning their entire addon system and making everyone start over.
How about focusing on extensions and creating a default extension which lets you spoof this, I mean, if this is such a big deal, why not allow spoofing right from the get-go with an officially supported extension for this?
Everybody and their brother already lets you spoof the user agent string. They're talking about features web designers expect a browser identifying itself as Mozilla-compatible to have, which PM doesn't since they forked. The changes are too big and fundamental for an addon to be remotely capable of patching over them.
Well yeah, you ain't got no extensions which are one of the major attack vectors and weaknesses when privacy is at stake.
Yes they do. The vast majority of the existing Firefox addons work, and they even have a page [palemoon.org] listing which ones, and hosting fixed builds of many of the ones that don't.
All in all, this reads very much like a "we /could/ do this but we don't want to..."
Your entire comment is woefully uninformed and inaccurate. Maybe if you had spent a minute or two investigating literally any of the points you were complaining about, that would've helped.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Friday March 10 2017, @05:57AM (2 children)
No, in fact they'll be the only guys still supporting the way Mozilla *currently* lets people design addons (more or less). It's Mozilla who's jettisoning their entire addon system and making everyone start over.
If there ever was a case of motivated reasoning, that's it.
Mozilla has 10,000x the number of users as palemoon.
No dev wants to spend the energy to maintain two duplicate source trees.
As soon as they've ported to the new firefox extension API they won't spend another second maintaining a palemoon-compatible version.
You can deny it until you are blue in the face, but unless someone starts paying devs to maintain two forks, they are going to stick to the one that has all the users.
(Score: 0) by Anonymous Coward on Friday March 10 2017, @08:51AM
As soon as they've ported to the new firefox extension API they won't spend another second maintaining a palemoon-compatible version.
Several of the Firefox extensions that a lot of the remaining Firefox users can't live without are currently in the category "will never be supported by the new API", including Classic Theme Restorer.
(Score: 2) by tangomargarine on Friday March 10 2017, @03:45PM
Mozilla has 10,000x the number of users as palemoon.
Well, they're doing their best to solve that 'problem.' graph [wikipedia.org]
I'm not *expecting* the extension developers to jump ship to Pale Moon, but that doesn't mean I can't *hope* some do. And we'll still have the back catalog of extensions that worked up until the Big Jettison. Apparently there are people who've been tweaking problem ones to keep them working, so presumably they'll keep doing that for some length of time, anyway.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by maxwell demon on Friday March 10 2017, @12:54PM
Firefox being about to drop existing extensions is the main reason I'm currently looking into Pale Moon. And the fact that it Currently has so few little working extensions (I don't mind if they are native Pale Moon, ported Firefox or native Firefox extensions, as long as they work on the current browser) is the main reason why I'm not converted yet. Being compatible with the existing extension formats is the fastest way to get many of the essential and not so essential extensions quickly.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1) by mmh on Thursday March 09 2017, @06:00PM (16 children)
I'm a full-time user of Pale Moon myself, and I'm sorry I missed the survey.
I dislike how they just blew off point 4; "Chrome is faster". Maybe in "tests"
Chrome isn't faster, but it sure as hell "feels" much faster and more
responsive. I use Pale Moon moon for 99% of my browsing, because of extensions,
and I'm willing to take a performance hit for extensions. But to deny there is
any problem is disingenuous.
Which brings up point 1; Extensions. Compatibility with XUL extensions is why
I considered Pale Moon a viable alternative to Firefox once the Firefox
developers decided to ruin their browser. No other browser has the breadth of
extensions that Pale Moon now does. I would really like to see Pale Moon setup
their own add-on page and host a mirror of all the old Firefox XUL add-ons. Maybe
trying working with the now-abandoned XUL authors who made things like Tab Mix
Plus, Request Policy, Uppity, etc, and convince them to develop for Pale
Moon by promising not to pull the rug out from under them.
(Score: 4, Informative) by andersjm on Thursday March 09 2017, @06:33PM (10 children)
Some people are moving from Firefox to Pale Moon because compatibility with XUL extensions matters to them. I'm sticking with Firefox for exactly the same reason.
Mozilla cares enough about security to phase out an old extension protocol that was designed with no thought for security. That's a good thing in my book. If it ends up breaking an extension or two, then so be it.
(Score: 3, Touché) by tangomargarine on Thursday March 09 2017, @07:16PM (4 children)
If it ends up breaking 90% of the extensions, then so be it.
FTFY. "One or two" my ass.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by andersjm on Thursday March 09 2017, @07:43PM (3 children)
Same thing. I have exactly 1.6666... extensions installed.
(Score: 2) by tangomargarine on Thursday March 09 2017, @09:02PM (2 children)
Oh, one or two of *your* extensions. I assumed you were talking about the extension library as a whole since you didn't specify.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by andersjm on Thursday March 09 2017, @10:04PM (1 child)
Mostly I think your 90% figure is bogus. Reference?
(Score: 2) by tangomargarine on Thursday March 09 2017, @10:26PM
Wait and see, I guess. Apparently there are a lot more different extension systems crammed into Firefox than I realized before today.
One big differentiater is the type of extensions that will still work, too--WebExtension ones tend to be simpler widget stuff that isn't deeply integrated into the browser; other stuff like NoScript and significant interface changes relies on the XUL extension system which is getting killed off. Mozilla claims they're working on the API so NoScript and (select) others will continue to work, but I'll believe this when I see it.
There's a reason that there isn't a real NoScript port, or tab bar modifications (aside from the first-party one they did and then axed awhile back) extensions for Chrome. Being more secure means they won't let you touch the interfaces necessary to make deep addons.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 0) by Anonymous Coward on Thursday March 09 2017, @07:40PM (2 children)
They're phasing it out because they're too lazy to support customization. They admitted as much on their bug tracker by saying it's hard (as in time consuming, not hard) to revamp the UI on their end if they have to keep customization in mind.
(Score: 2) by andersjm on Thursday March 09 2017, @08:06PM
Complexity is the enemy of security. Reducing the attack surface is a win, no matter what motivated the decision to do so.
(Score: 2) by maxwell demon on Friday March 10 2017, @12:57PM
What about simple not revamping the UI? Anything that makes it harder for them to break the interface for the newest fad is an advantage.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by inertnet on Thursday March 09 2017, @09:15PM
I've used Pale Moon as my main add free browser for a number of years, with an unblocked Firefox on the side for the rare occasions when I need an unrestricted browser (for banking, government sites and such). But recently I reversed this setup mainly because Pale Moon seems to have an annoying every 5 seconds freeze when watching video's on Youtube and others. My system is fast enough, with its Intel Core i7 and nVidia GTX 960 graphics. And of course abandoning the Firefox plugin compatibility played a role in my decision. So Pale Moon is my secondary browser now.
(Score: 2) by Marand on Friday March 10 2017, @12:07AM
My problem is the "extension or two" that stop working are the ones I rely on most. If they weren't I'd have no need of Firefox at all. Ubiquity is as good as dead, tab groups lost its dev because it needs a complete rewrite and even then will lose functionality, and treestyle tab is in a similar situation. Those three addons directly affect every interaction I have with Firefox, and when I lose them I have no reason to keep it installed. And that is assuming nothing else I have gets broken, which is likely not the case.
(Score: 2) by termigator on Thursday March 09 2017, @06:38PM (2 children)
There is RequestPolicy (continued) that took the base RP extension as a base. I use that now since it has active development.
https://github.com/RequestPolicyContinued [github.com]
I do not use PM, so do not know if the extension is compatible with it.
(Score: 4, Informative) by AndyTheAbsurd on Thursday March 09 2017, @07:02PM
Request Policy Continued is 100% compatible with Pale Moon; I use that combination myself.
Please note my username before responding. You may have been trolled.
(Score: 1) by mmh on Thursday March 09 2017, @07:08PM
Thank you for pointing out RequestPolicy Continued I had no idea there was a version still being actively developed.
(Score: 3, Informative) by AndyTheAbsurd on Thursday March 09 2017, @07:06PM
I would really like to see Pale Moon setup their own add-on page
You mean like the existing Add-Ons site [palemoon.org]?
...and host a mirror of all the old Firefox XUL add-ons
Oh. We'd have to sort through them to see which ones are licensed in a way that makes them freely redistributable and which aren't, and remove the ones that aren't. Given the number of add-ons on AMO, that's not really feasible for the team working on Pale Moon.
Please note my username before responding. You may have been trolled.
(Score: 0) by Anonymous Coward on Thursday March 09 2017, @07:37PM
Chrome (I guess) directly uses native API more often instead of channelling it thru layers of wrappers (which are necessary to keep the UI as extensible as it is with old FF/PM).
(Score: 1, Informative) by Anonymous Coward on Thursday March 09 2017, @06:13PM (3 children)
Did they just assume it was about version numbers?
Being 64-bit matters. Being fully ASLR-compatible matters. (compiler flags on all object files; linked as a shared object on Linux)
Enforcing W^X matters.
JIT randomization matters.
Using the new memory type register feature on Intel matters.
Using the new return-address control on Intel matters.
(Score: 0) by Anonymous Coward on Thursday March 09 2017, @06:52PM (2 children)
As the recent javascript ASLR exploit shows, obfuscation doesn't help solve underlying security issues, and given the false sense of security, programmers are more likely to produce further critical errors which lead to the 'keys to the kingdom' being all the more easy to obtain.
What is really needed isn't fancy and complex and limited availability security features, from NX to current gen, but rather well thought out, well designed, and well implemented codebases that ensure none of those cornercases happen in the first place. Additionally race conditions may allow opportunities to bypass *ALL* of these protections in some circumstances, which is why only input and display routines should be run in secondary threads, with limited communication between browser instance threads and no threading and only synchronous IO inside of browser window processes. Slower sure but security and verifiability always comes at a cost in performance.
(Score: 0) by Anonymous Coward on Thursday March 09 2017, @08:39PM
Your approach is no better than a giant corporation, using unauthenticated telnet and FTP and fileshares, that installs a firewall and expects that to save them.
You are looking for a silver bullet, and there isn't one.
I didn't say you couldn't convert the codebase to Rust or LISP, or that you couldn't wrap the whole thing in hardware virtualization. Go right ahead.
There is however no excuse for not making sure that ASLR and NX are working well, along with so many other things of that nature.
(Score: 2) by andersjm on Thursday March 09 2017, @10:52PM
Pretty weird post. First you lambast mitigation strategies for providing no true profound security. Then you argue for thread compartmentalisation, which, at best, would be the same kind of mitigation strategy.
I say "at best", because that's the first time I ever heard anyone arguing that threading would improve security. If anything, threading reduces security, because it enables additional side-channel attacks.
(Score: 2, Insightful) by Anonymous Coward on Thursday March 09 2017, @06:43PM
The survey results are meaningless if they don't say how many respondents.
Are they hiding that because they got few responses?
(Score: 2) by Scruffy Beard 2 on Thursday March 09 2017, @06:57PM
I did not take the survey, but I wonder what they consider:
I have a policy of giving every organization I interact with a unique e-mail address. This lets me see who is selling my e-mail address (though in practice, it seems to track data breaches instead).
On another topic:
Not hard to beat Chrome on low-end systems: it refuses to run due to lack of SSE3 support.
(Score: 0) by Anonymous Coward on Thursday March 09 2017, @07:40PM (1 child)
Felt like I went back in time. To a simpler time. When browsers used to be terrible.
Not that they aren't now. It's just a different kind of terrible.
(Score: 1, Insightful) by Anonymous Coward on Friday March 10 2017, @12:51AM
I'll take this "different kind of terrible" over the bullshit they call "UX" on all modern browsers these days.
(Score: 5, Interesting) by jdccdevel on Thursday March 09 2017, @08:28PM (2 children)
Palemoon is what Firefox should be, I started switching our work PCs today and I won't be going back.
I need to get real work done, and I can't be constantly having to worry about my browser breaking!
There are three things that Firefox broke recently (or will be breaking) that I cannot work without:
1) SSLv3 support
I have old equipment on my network that uses SSLv3. Firmware updates are not available. IP Cameras, Management interfaces, all kinds of tech that uses SSLv3 cannot be accessed with Firefox. SSLv3 support isn't even an option with Firefox, and cannot be re-enabled without compiling a custom version. Palemoon has the support. Yay! (If they had a IP Whitelist for SSLv3 support, I would be even happier. I need access for some equipment, but I'd rather not have it enabled everywhere!)
2) NPAPI Plugin support
Work has a Video recorder with custom plugins for the web gui, and I have a TON of equipment that uses Java Applets for their web interface. The latest Firefox (Version 52 and Up, new this week!) Doesn't support those plugins any more [mozilla.org]. (Except Flash? WTF! I could not care less about Flash!) I need support for this to keep my network running. Chrome doesn't have support for these plugins, so I can't switch to it, and I refuse to use IE. For this reason alone, Palemoon will be my work browser of choice.
3) Extensions
Firefox is planning on deprecating their extension API, and replacing it with a new one. I've been installing extensions to keep Firefox usable for a while, and now they're breaking the extension API in a way that cannot be fixed. (Functionality the extensions I use require to function is not available in the new API, so the extension authors can't update to the new API even if they want to.) Most of the extensions I use are either Unnecessary (They kept the GUI the way I like it.) or compatible! YAY!.
Firefox has lost all credibility with me by breaking things that I need to get work done.
I understand some of the changes Firefox has made (The SSLv3 thing makes sense for most people on the Internet, it's a big security issue.) but some of the others are just too much, and there needs to be an option to re-enable things. (Seriously, how hard would it have been to create a IP whitelist for SSLv3 ??? WTF!)
You'd think that Mozilla, with all the money they have now (vs when they were called Phoenix 15 years ago), would have matured to the point where they don't pull crap like this, and provide a backwards-compatibility option. The fact they haven't done so, and don't recognize or acknowledge the need to, speaks to a lack of respect for their user base that I cannot tolerate.
Combined with essentially abandoning Thunderbird, I hope they die quickly enough (Like netscape did) that the pieces are salvageable by someone with some vision.
They've lost their way, just like Netscape did. It's time for them to die.
Long live Palemoon!
(Score: 5, Insightful) by acharax on Thursday March 09 2017, @09:11PM
You'd think that Mozilla, with all the money they have now (vs when they were called Phoenix 15 years ago), would have matured to the point where they don't pull crap like this (...)
Oh, they have matured... That's why they're acting like every other large, wretched corporation now and shit all over user choice while having their marketing drones advertise the contrary.
(Score: 2) by dry on Friday March 10 2017, @06:32AM
52ESR (32bit) still supports NPAPI plugins and extensions and will for 16+ months. A reverse proxy is one way around the SSLv3 thing. In a work environment perhaps you should have already been using the ESR channel anyways.
Still the writing is on the wall, good bye Mozilla.
(Score: 2) by Subsentient on Thursday March 09 2017, @10:03PM (1 child)
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 3, Informative) by AndyTheAbsurd on Friday March 10 2017, @01:24AM
The Pale Moon Commander [palemoon.org] extension will let you turn on various outdated (and thus considered insecure by the developers) SSL ciphers. Also, search the Pale Moon forum [palemoon.org] for your bank's name; maybe somebody else had the same problem and came up with a solution (or at least has a list of things to not bother trying).
Please note my username before responding. You may have been trolled.