Hold on your palemoon horses! Danger!

  All new Palemoon 27.9.1 is out (stardate: 20180507)

Did we or did we NOT say that this space is for users, by users, and it would be nobody’s puppet?  WE DID SAY IT!  So no developer/s will coerce this here pen to write supportive statements when they don’t deserve it, we have nothing to gain but everything to lose if we start playing these games.

In LIGHT of this intrusion into our systems’ security Palemoon has decided to utilize its  plug-in update check (which runs at every start and can possibly be disabled in about:config)  to pass a script that will disable a security feature.  That makes palemoon “malicious” in our book!  It is using an acceptable and known feature to do something else!

Read the comments below and those on palemoon’s forum (those that were not blocked by the emperor palemoon himself that is).  We will do research on what is at stake but from this moment we consider palemoon a problem, or at least not a solution.

We shall return where there is more light thrown into the subject and hopefully we are wrong, because we have relied on palemoon for most of our browsing and editing this blog.

https://addons.palemoon.org/skin/palemoon/wordmark-palemoon.png, for those that don’t know, and for those who liked Firefox in the past but thought it got overloaded in recent time, is a great browser.  It avoids some of the nasty dependencies of late popular browsers and does what they all do with less resources.  Meanwhile it keeps current with all the late security concerns.

Read the release notes of this edition to get an idea of how serious of a project this is.  It is all I use so I am recommending it.


To install it in any linux system use the installer script and keep it around as it also does removals, updates, and fixes a broken installation, if that ever happens to anyone.

Pale Moon: Release notes

27.9.1 (2018-05-07)

This is a maintenance release.


  • Removed the unused/incomplete places protocol handler.
  • Worked around an issue with MSE media without a Track ID. This should help with the playability of some live streams.
  • Ported across jemalloc improvements from UXP.
  • Ported across cairo mutex improvements from UXP.
  • Added support for FFmpeg 4.0/libavcodec 58.
  • Added a fix for Windows 10’s “isAlpha()” not being what one would expect in v1803.

 27.9.0 (2018-04-17)

This is the last major development update for the v27 milestone (codenamed “Tycho”).
After this, we will be focusing our efforts for new features entirely on UXP and the new v28 milestone building on it. We will continue to support v27.9 with security and stability updates for a while, but no major new features will be added from this point forward.


  • Fixed a number of spec compliance issues in our media subsystem.
  • Added a trailing slash to referrers when policy is set to fix some web compatibility issues.
  • Fixed the property order in Object.getOwnPropertyNames(string) and others for web compatibility.
  • Updated RegExp(RegExp object, flags) to the ES6 standard specification.
  • Changed the embedded font from the no longer free EmojiOne to the open-licensed Twemoji (with additional fixes). This also further extends unicode support to Unicode 10 emoji(s). Please note that as a result, color emoji(s) will look different than before.
  • Adjusted some things in our memory allocator code to provide, among other things, better allocation alignment on Windows.
  • Made the attempt to migrate people from the old sync server domain name to the current one more aggressive. We will be retiring the old pmsync.palemoon.net Sync server address shortly to remove the need for us to maintain a security certificate for it; this preference migration should automatically put everyone on the correct server address (pmsync.palemoon.org) when upgrading.
  • Made reading of the sessionstore synchronous, to speed up startup and prevent the homepage from being loaded when restoring a session.
  • Added a fix to switch to the correct window/tab when a web notification is clicked.
  • Changed the placeholder text to not include “Search” when all search functions from the address bar are disabled.
  • Enabled the use of Skia for canvas on Linux and OSX.
  • Worked around a potential cause for some non-standard bitmapped fonts ending up with incorrect line heights (I’m looking at you, Noto fonts!).
  • Added a workaround for incorrectly-encoded JPEG-XR images with planar alpha. Ultimately, the jxrlib reference implementation should be fixed to encode according to spec.
  • Aligned XCTO:nosniff allowed script MIME types with the updated spec.
  • Improved the logic for storing vector images in the surface cache.
  • Fixed character set handling for XMLHttpRequests.

27.8.3 (2018-03-28)

This is a small update to address a pervasive crashing issue.


  • Backed out some responsive layout code that caused intermittent but not uncommon crashes in the browser depending on window sizes and page content.

27.8.2 (2018-03-22)

This is a security update.


  • Privacy fix: prevented update checks for the default theme.
  • Added a user-agent override for Dropbox to improve compatibility with their service.
  • Fixed an issue with mouseover handling related to (CVE-2018-5103). DiD
  • Disabled the Mac OSX Nano allocator. DiD
  • Fixed (CVE-2018-5129) OOB Write.
  • Updated the lz4 library to 1.8.0 to solve potential issues. DiD
  • Fixed (CVE-2018-5137) Path traversal on chrome:// URLs
  • Fixed several memory safety an synchronicity hazards.

DiD This means that the fix is “Defense-in-Depth”: It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

27.8.1 (2018-03-06)

This is a small update to address some breaking issues.


  • Backed out the NSPR/NSS update from 27.8.0 for causing crashes, general operational instability and handshake issues.
  • Disabled TLS 1.3 draft support by default, because with the NSS backout we only support an older draft right now that is no longer current and may cause connectivity issues. You can manually re-enable it at your own risk in about:config by setting security.tls.version.max to 4.

Latest version: 27.8.1

If you prefer not to use the installer, you can download a tar.bz2 here instead. To use, simply extract the tarball anywhere you like and execute the “palemoon” file inside it, or follow the instructions here if you want to install manually. Please be sure to download the correct archive that matches the architecture of your OS.

Download links:

Download x64 tar.bz2 (direct download)
Size: 41.13 MB
SHA-256 checksum: a33dcdf4d03d05ec3d634e94411c72ad300cf1c16d69247ce831071b378a7938
PGP signature: [Sig]

Download x86 tar.bz2 (direct download)
Size: 41.91 MB
SHA-256 checksum: d4c518cffc362e361b3ddf930a8f542fade24b1578b6a73b997bbf783061decd
PGP signature: [Sig]

27.8.0 (2018-03-02)

This is a development update with new and improved features and bugfixes.


  • Added support for emojis on Windows systems that have relatively poor support for them with standard font sets by including our own font (EmojiOne based for now).
  • Added a setting in preferences to select the use of tab previews with Ctrl+Tab.
  • Added Eyedropper menu entry to the AppMenu.
  • Added a preference to control whether the text cursor (caret) should be thicker when dealing with CJK characters or not (default = yes).
  • Added URL fix-ups for schemes (mis-typed “ttp://” etc.).
  • Added support for ES6 “Symbol species”.
  • Updated our TLS 1.3 support to the latest (probably final) draft.
  • Fixed gap inconsistency in the tabstrip.
  • Fixed a number of browser crashes.
  • Fixed a crash with the exponentiation operator “**
  • Set the performance timer granularity to 1 ms.
  • Updated the kiss-fft library to our forked 1.4.0 version.
  • Disabled a potentially problematic optimization on Win 8+ with high contrast themes in use.
  • Removed the notification bar when in full screen to prevent unwanted visible screen elements.
  • Removed unmaintained and insecure WebRTC code – building with WebRTC enabled is no longer an option.
  • Removed redundant checks for “Vista or later” since that is all we support.
  • Added display of the http status to raw request displays.
  • Added a workaround for cloned videos not retaining their muted state.
  • Added a temporary workaround to avoid crashes on trackless media.
  • Removed some superfluous ellipses from menu labels.
  • Fixed undesired shrinking of line heights as a result of setting minimum font size in preferences.
  • Fixed some issues with setting the new tab preference (regression).


Installation, uninstallation and updates can be managed using the pminstaller tool. You can also download Pale Moon for Linux as a bzipped tarball that can be extracted and run from any location on your system.

Additionally, you can install one of these fully-endorsed third-party builds of Pale Moon for Linux:

Pale Moon: Release notes

Latest version: 27.7.2

If you prefer not to use the installer, you can download a tar.bz2 here instead. To use, simply extract the tarball anywhere you like and execute the “palemoon” file inside it, or follow the instructions here if you want to install manually. Please be sure to download the correct archive that matches the architecture of your OS.

Download links:

Download x64 tar.bz2 (direct download)
Size: 41.13 MB
SHA-256 checksum: 8ab2ee9fac45cd0804c0922bb599b46652a213efc203add4992aa4f4ba0f0ff0
PGP signature: [Sig]

Download x86 tar.bz2 (direct download)
Size: 41.91 MB
SHA-256 checksum: 6dded8cb96db38a7a418e9bb491ab8ae681275b4ceef636a0afae3ea85ebb3fd
PGP signature: [Sig]

For more information, please read the release notes.

27.7.1 (2018-01-18)

This is a minor emergency update to address website breakage and a theme issue.


  • Added support for Array.prototype[@@unscopables].
    Unfortunately, the addition of Javascript’s ES6 Unscopables in 27.7.0 was incomplete, which caused a number of websites (e.g. Chase on-line banking, some Russian government sites) to display blank or not complete loading after updating to that version of the browser. This update should fix the problem by adding the missing part of the feature.
  • Fixed an issue with the default theme causing tab borders to be drawn too thick at higher settings for visual element scaling (125%/150%) in Windows.

 27.7.0 (2018-01-15)

This is a stability and bugfix release, as well as adding a number of new features to further improve web compatibility.


  • Reorganized access to preferences (moved to the Tools menu on Linux, and renamed from “Options” to “Preferences” on Windows).
  • Renamed “Restart with add-ons disabled” to “Restart in Safe Mode” to better reflect what it does.
  • Worked around an issue with some improperly-encoded PNG files not decoding after our libpng update.
  • Fixed an issue on Mac builds not properly populating the application menu.
  • Added “My home page” as an option for new tabs.
  • Added an option to disable the 4th and 5th mouse buttons (Windows).
    (mouse.button4.enabled and mouse.button5.enabled, respectively)
  • Improved the resetting of non-default profiles.
  • Fixed an issue with details/summary having the incorrect height if floated, breaking layouts.
  • Made several more improvements to the details/summary tags to align them with the current spec and fix some additional bugs.
  • Implemented support for flex/columnset contents inside buttons to align its behavior with other browsers.
    (this should fix layout issues with Twitch’s new web interface)
  • Fixed an issue where CSS clone operations would draw a border.
  • Changed the way fractional border widths are rounded to provide more natural behavior.
  • Fixed an issue where number inputs would incorrectly be flagged as read-only.
  • Added assets for tile display in the Windows start panel.
  • Finished sync infra swapover by adding a one-time pref migration for server used.
  • Improved WebAudio API: Return the connected audio node from AudioNode.connect()
  • Added support for a default playback start position in media elements.
  • Fixed an assert in cubeb-alsa code (Linux).
  • Added support for media cue-change events (e.g. subtitles).
  • Updated SQLite to 3.21.0.
  • Fixed a crash when trying to use the platform embedded.
  • Fixed devtools (gcli) screenshots on vertical-text pages.
  • Fixed devtools copy as cURL for POST requests.
  • Improved the HTML editor component (several bugfixes).
  • Added support for ES7’s exponentiation a ** b operator.
  • Fixed an issue with arrow functions incorrectly creating an ‘arguments’ binding.
  • Added Javascript’s ES6 “unscopables”.

Security/privacy fixes:

  • Disabled automatic filling in of log-in details by default to prevent potential risks of credentials being abused (e.g. for tracking) or stolen.
  • Added a preference (in the category security) to easily enable or disable automatic filling in of log-in data.
  • Removed the sending of referrers when opening a link in a new private window.
  • Added an option to disable the page visibility Web API (dom.visibilityAPI.enabled), allowing users to prevent pages from knowing whether they are being actively displayed to the user or not.
  • Removed the “ask every time” policy for cookies. For granular control, please use any of the excellent available extensions to regulate cookie use on a per-site or per-url basis.
  • Added support for X-Content-Type-Options: nosniff (for scripts).
  • Changed the resolution of performance timers to a level where any future potential abuse for hardware-timing attacks becomes impractical. DiD

DiD This means that the fix is “Defense-in-Depth”: It is a fix that does not apply to a (potentially) actively exploitable vulnerability in Pale Moon, but prevents future vulnerabilities caused by the same code, e.g. when surrounding code changes, exposing the problem, or when new attack vectors are discovered.

25 thoughts on “Hold on your palemoon horses! Danger!

  1. i originally liked this post, but i have unliked it through no fault of the post itself.

    the arrogance and ignorance and hubris of the pale moon developer has crashed through the ceiling, the roof and the stratosphere– you could say it has set course for its own logo!

    this is the end of pale moon, i am seriously considering a very angry return to firefox. please understand, i f—ing hate firefox. the only reason we have so few (viable) choices of web browser is that the design of the web itself is a f—ing crap. http://gentooexperimental.org/~patrick/weblog/archives/2013-10.html#e2013-10-29T13_39_32.txt

    users are pissed off, i am unable to post to the forum because the pissant dictator in charge requires posts to be approved before they show, and he is responding to very legitimate protests with the same arrogance shown by the systemd cabal.

    i very much want pale moon to be better than this– thats the only reason i switched to it– because i thought it was better than exactly this sort of thing!

    but i am left without one single browser i can recommend to anybody!

    firefox– a terrible browser!
    chrome and chromium– worse than firefox!
    pale moon– not sure its really better than firefox

    given that pale moon is trying to blacklist the security i added to it, i am considering a move to firefox WITH aggressive changes to about:config provided by these wonderful people: https://github.com/pyllyukko/user.js/blob/master/user.js

    i still hate firefox, but if pale moon devs are going to behave this way then they do not deserve to be set apart from firefox devs. go work for mozilla, if this is your attitude.

    i woke up to my web browser telling me it was disabling noscript. at least it gave me the chance to override. but it was poised to restart without noscript– if i were using windows, just a spacebar touch could have installed ransomware, it is not unfair to say this.

    pure arrogance! i do not have any reason to believe this will be a wakeup call. the pale moon dev has never listened to reason, nor cared what users think, and he is not about to start.

    — posted furiously from pale moon (probably soon to be uninstalled.)

    note ive tried for months to convince fsr to switch refracta to pale moon and ive considered making it the default for fig os with or without him. thats certainly not happening now! i withdraw my recommendation– stay away from this browser.


  2. One thing I have noticed in PM since 2.9 is that while I use pminstaller to do an update, it does not propose I should restart, it just shuts down my running palemoon. I wonder if this happens so the active setup doesn’t overwrite their new installation’s default. This may fall a bit in your claim of the way of changes.

    I am writing at this moment from PM 2.9.1 and NoScript is active and working, so is UBlock. So please elaborate on your disabling of this “firefox” plugin. We have to accept the reality of the market and the market demands for an FF alternative that all the FF plugins would work on PM, and this was the primary reason people would abandon PM and go back to FF. Ok, that is not a good excuse, a developer should have some “backbone” and do what he believes right and not always cater to market forces like s/he is selling something. 99% of plugins are developed for FF not palemoon. Palemoon has to make concessions to be like FF so they would work.

    There is also Dillo, Midori, Qupzilla, and many others to consider. Why not? I preferred Qupzilla for a while because it was independently developed from FF/chrome development. Then I tried Palemoon on VuuDo (a Devuan derivative) and while Qupzilla on Debian derivatives was having issues as Debian would slow down QT5 development, Qupzilla on Debian was really old news. Meaning that Debian was sentencing Qupzilla to be a dysfunctional old browser (even when in reality it was developing but was being blocked by Debian – as not adequately debianized). Ever since the Ice*** to Mozilla crap, Debian seemed to “sell” and promote this Foxy stuff, even when Icedove that had worked for years was running aground as TB and refused to work.

    Ok, not to get sidetracked and talk about Debian’s influence on browsing and email, let’s keep talking about PM. Does PM get anywhere as much funding “and” support as Mozilla? No! To me that is a good thing that exists without all this funding. Do I trust the “open source” of either? Not really because I am incapable of auditing it. But I distrust Mozilla more than palemoon. Firefox and Mozilla are not identified as “spelling errors” in this spelling dictionary plugin, but Palemoon is a spelling error. 🙂 (here I am trying to drive mr.Spok crazy with my irrelevant unreasonable surreal arguments :).

    What is the issue? I believe it is the web. The web is driven by major corporation servers and trends they implement everywhere they can. The worst offenders of my intelligence are “mass media corporations”, then are marketing/commercial sites like ebay, amazon, yahoo, ..etc. They are horrible and keep squeezing more and more scripts and gadgets for every paragraph of news and information you ask for. Then come the social media and all their latest fiascos of malpractice. Poor FB didn’t know what Cambridge was doing; give us a break! The chromes, the FFs, the Explorers, are driving this madness with them. Your average idiot blames the browser for being unable to reach a “popular” site. They don’t care what a browser developer does, they want to get to the party and fast. Did I forget they expect security on top of being drunk and naked at the party? What a way to go through life, drunk, naked, stupid, and ignorant, but “secure”.

    Please tell us, what is your opinion, on TorBrowser if you have hated firefox so long? Is ESR any better? Hey?

    PS1 The good thing about PM and an intentionally kept lean and small distro image is that you can include the pminstaller instead of the browser. Make it an easy choice rather than have to hunt down the link, download from a link, then install in probably a less than ideal part of your system.

    PS2 If the web continues the way it does, dictated by a handful of profiting corporations, just like tv and radio, it will only be accessible by using non-open-source non-free browsers. That is for the “fast track” 90% of web traffic. That means that “self respecting” linux users will be locked out of the web! We might still get wikipedia if we are lucky. How many “self respecting” linux users do you really see left to carry on? What will they do? Run windows in a VM and use explorer or “the new MS-firefox MS-chrome” to satisfy their web-fix?

    PS3 And why is GnuNet receiving so little attention? So the above 1984 scenarios become reality? What are we doing so they don’t? Who? Why? How? We are becoming a cult even for the smallest insignificant defense of freedom. We are becoming anti-social and cornered in a little hidden alley so the people on the street will no longer be able to hear us, let alone listen to us.

    PS4 At least we tried!


  3. what i mean is that a dialog appeared, which im sure i can find a copy of, and told me it wanted to disable noscript. it had a checkbox to disable it, which i unchecked, and the options were

    restart later — restart palemoon

    i unchecked and hit esc and it went away. later i will confirm if possible, that this was a real pale moon feature. posting from firefox.


  4. I had seen some issues like this in the past where it would tell me that the plugin was incompatible and was disabled, then it would work again. Ever since I started using the pminstaller it seems as those problems stopped. All the active plugins become immediately active on the updated browser. As you may be able to tell I keep track of PM and post of new versions as it never alerts you of new versions or does updates on its own “as others do”.

    Are you, by any chance, using the same $home for 2 or more installations? Meaning the $home might stay the same, 1 installation has pm 2.8.5 and the other has 2.9.1? This may be causing problems if you do.


  5. pminstaller does not interest me.

    i was able to easily reproduce this in a fresh run of fig os in qemu with the latest palemoon tarball and the noscript. here is the dialog i encountered:


  6. here is what appears to be a new report of this from yesterday: https://www.dslreports.com/forum/r31955899-Pale-Moon-PM-dissing-NoScript

    i am DONE with pale moon. instantly. no more. f— this. in the past, i was bothered by the forum policy– now im livid about it– i was bothered by the attitude of the developer– now im done with it.

    you can kill pale moon with fire, and thats one problem down. firefox is still a problem, though pale moon is a non-solution. this is outrageous, i woke up to this dialog– one person told it not to disable it and it did it regardless– i spent the next several hours trying not to be pissed off. its that dialog, its the wording, its the fud, its the arrogance, its the misinformation, its the dishonesty, its the terrible idea of the whole thing– but if you want to sabotage your own browser hey– our fault for trusting you? pale moon– never ever again! i will do my own browser before that happens.


  7. update, i made three posts–

    one was blocked and i got a warning for it “the first ever!” because i said the developer was a control freak (he is, he is disabling peoples security extensions in an unacceptably sloppy way, proclaiming complete fud about noscript, and how many forums have you gone to where you found individual posts needed to be approved before your google-captchad, email-confirmed account could post on a support forum?)

    i dont care about this:

    i care about the rest of it. funnily enough, the one that wasnt approved wasnt the one i posted here but apart from what is quoted i cant recover the post. which is peanuts compared to the rest of this.

    this is “dont trust us, weve got root!” all over again, except less clever than what shuttleworth said. this is just pure stupid, like the developer doesnt even know what this will do to noscript users because hes judging the inconvenience based on the fact that he hasnt installed it himself. pm, no way, no how…


  8. This must be what you are talking about, and it has nothing to do with an updated palemoon, it comes on on older palemoon. I started this installation just so I can check on this. Somehow through the update plugins hook when palemoon starts it receives this notice to disable noscript as an update.
    If you unclick the disable box and hit restart later it keep working. That is if you trust noscript more than you trust palemoon telling you to disable it.

    I never got into palemoon forum so I have no opinion on them, but your reaction seems fair to most developers who eventually become little dictators over their own followers.
    To point to a good developer would make the news these days, like fsmithred or obarun-eric, or artix-nous, cromnix, void-Duncaen.
    The rest are products of this sick society.

    Oh well!! Can we take the palemoon code and fork it to what we like? I can’t, if you would care to show me what to do I’d be glad to help.


  9. Oh well!! Can we take the palemoon code and fork it to what we like? I can’t, if you would care to show me what to do I’d be glad to help.

    i would be more likely to just fork esr. compiling it is the fun part. then you have to patch code written in c++.

    if i were going to spend that sort of time its more reasonable to build something using python and webkit. “fork pale moon” is too much work to keep up and was sort of tongue in cheek. by the way: i absolutely trust noscript more than pale moon. thats why this whole thing is rotten. pm author says (with actions, not words) “its me or its noscript, pick one!” i chose. you can have noscript and palemoon, just like you can have debian and not-systemd.

    as for which version this is:

    the screencap is the latest pale moon. pminstaller is the exact opposite of how a web browser should ever be installed. pminstaller is the kind of stuff adobe does. why would anybody copy that?


  10. just so you know, im blocking all palemoon sites over on this side. i like your idea but if im going to chase anything from someone elses schedule, its going to come straight from esr– not 3rd party.


  11. I can’t seem to locate any technical details of why is noscript considered problematic or malicious or in what way does it mess with a browser. Like someone said on that pm forum, I have used it for years, it is the first thing I install after I install a browser. I’ve never had a problem with it (with what it does) and when a page does not work because of it I always blame the page’s requirements to run secret scripts on my system so it can display a menu or an ad or some non-free non-open audio-visual file.
    F– them, F— them all and their scripts.
    By the way, in my obarun installation the largest blob in /usr/bin is js52, which is required by polkit! How do we send this crap back to where it came from.
    I like Steve Litt’s website. His whole webspace probably fits in 3.5″ floppy .. and it is tremendous in quality and quantity of information. Why has the internet turned to such crap?

    I am about 90% done downloading https://cloveros.ga and I am ready to shut it down and not look at this distro because its web page will not work EVEN WHEN I TURNED SCRIPTS ON!!!! This is Gentoo … for the lazy and their java crap is mulfunctioning or not abiding by basic W3 standards.

    Now I am getting mad too!!


  12. “I can’t seem to locate any technical details of why is noscript considered problematic or malicious or in what way does it mess with a browser.”

    it “breaks websites.” specifically it breaks javascript (stops it from running, like its supposed to) in the sense that anti-virus “breaks” viruses or condoms will “break” the chances of some pregnancies and stds.

    compare this ridiculous nonsense with alex limis justification of removing the “turn off javascript” option in the firefox dialogs:

    this guy is an giant douche: http://lucumr.pocoo.org/2013/7/1/say-yes-to-javascript/

    and THIS GUY is one of the biggest douches on earth: https://limi.net/checkboxes-that-kill/ hes no longer with mozilla, though today i was immediately reminded of this. i stopped taking firefox seriously around this time (very few full replacements exist.)

    “Like someone said on that pm forum, I have used it for years, it is the first thing I install after I install a browser. I’ve never had a problem with it (with what it does) and when a page does not work because of it I always blame the page’s requirements to run secret scripts on my system so it can display a menu or an ad or some non-free non-open audio-visual file.”



  13. “Why has the internet turned to such crap?”

    i dunno, but at this point if you got rid of html 4.x, xhtml . and html5, i would not care. and you can take adobe/crapromedia along with it. and im not f—ing joking.

    css is a not-so-terrible idea thats bloated beyond repair. the web specifications need a f—ing atkins diet. we should have “html-LITE” and i would click the box that says [x] DISABLE FULL HTML (rock the f— on!)


  14. The topic/post has changed, please read the post again.
    I can’t locate yet any justification for why is this guy trying to prohibit noscript while he is allowing anyone to make alternative recommendations of questionable plugins,
    He is providing no evidence or specific information of why would noscript be insecure, while browsing without it is secure.
    The way he passed the notice and call for action into peoples’ browsers is abuse of power.

    Liked by 1 person

  15. ah, bit of an update there.

    the funny thing is, there was a way to this (probably several) that was not so egregious, but instead they chose to destroy trust and then use a heavy hand when they really should be heavy-hearted over this.

    this is a fiasco, a debacle, and for me at least, the end of pale moon. note that i dont have nice things to say about firefox. theres just no real advantage to pale moon anymore. i switched to it, specifically to get away from crap like this. with this, it serves no purpose at all! it was always single developer, not based terribly on GOOD Listening, and once that goes far enough south, its time to get out. im out!


  16. The pop-up regarding NoScript has a link in it to “more information”. The link is to http://blocklist.palemoon.org/info/?id=pm112

    Which reads, in part:
    Severity level 1: You will be warned and recommended to disable this extension, but can continue to use it if you so wish after confirmation

    If that is true and isn’t “elevated”, I don’t see a big problem.

    In the meantime, I run about 12 browsers, including PM, all for specific purposes. Half-ass security through silos.

    The one really nice one I haven’t seen mentioned here so far is Waterfox, which would be a direct replacement for PM.



  17. Welcome back kK, your other comment of last week did get some responses.

    Thanks for your input, I will try waterfox and write about it.
    One idea of more secure browsing is firejail the browser, or containerize it (lxc which I am still trying to learn how to do)

    This fiasco reminds me of the story with facebook getting a tor address but you had to enable scripts and login to see that braindead-website … 🙂

    Also another idea is to continue running palemoon and noscript and add palemoon and moonchild productions on a blacklist so they can not alert me of any more of their unsubstantiated advise. I wonder if some ms-win users reported a crash and blamed noscript for them.


  18. So I read down through the forum thread, following the advice to disable the blocklist in about:config as I went.
    At the end, the head honcho waves a big red flag about not disabling the blocklist. That part I ignored.
    On browser reboot, everything seems fine. The message in Addons is gone, even. End of story, I hope.

    It seems to me that this entire thing has been about saving dev time from answering thousands of questions from noobs who install NoScript and then complain their browser doesn’t work.

    I have a certain sympathy for that. It was handled imperfectly, but in the end (and for now), I’ve got another decent browser that isn’t nagging me any more. I can get back to work. Moonchild can too. Onward.


  19. Thanks bro. I’m staying up with the responses. I wrote another long post about the whole corporate homogenizing Redhatifcation thing. WordPress ate it, I think, but your post today covered the same ground.

    There’s a thread in r/linux that’s vaguely related to all that, about a fight between LVFS and System76. Related in the sense that it’s the same RH/Gnome/LinuxFoundation/OpenSource/freedesktop.org/systemd goons doing what they do. System76 comes out of it looking pretty good to me.

    Liked by 1 person

  20. Sadly, you’ve been deceived by a “snake oil” project – i.e. a rebranded legacy firefox released under a proprietary freeware licence.

    But all the worry about noscript seems needless…


    (I tend not to trust script blocking extensions which arrive with a ready made whitelist which includes, google et al.)

    At the moment Raymond Hill’s uMatrix looks like a much safer bet, but time will tell…

    The hard lesson here is that you can’t trust the major “free” web browser projects (never mind some chancer who creates a rebranded fork and a cult of personality). You can’t trust them to do the right thing, nor act in the best interests of the user and their privacy/security. This is nothing new and firefox has been bundling google “safe browsing” tracking for well over a decade, as well as google geolocation. You can disable that via user.js or by going into about:config and disabling it there. The other changes to the UI, the changes introduced by “Quantum” we just have to live with, but it’s infinitely preferable to blindly trusting some rebranded product to do it for you.

    This particular fork was around for quite some time, around 10 years as I recall, but was conceived as an MS Windows project by a developer who knew little or nothing of Linux. The Linux port only arrived about 5 or so years ago.

    You can forget “SRWare Iron”: http://neugierig.org/software/chromium/notes/2009/12/iron.html

    It was proven to be a “snake oil” product, it was clear that it wasn’t really FOSS.

    When all is said and done, you’re lumbered with what’s available – chromium or firefox or maybe opera and vivaldi. You can use these alongside an independently developed “minor” browser project. But it’s wise to steer clear of frauds rebranding and marketing the same product with minor changes, preying on the gullible.


  21. I know many people go by the logic “if it is open code and people audit the code if there was anything malicious about it we would have known by now”. I don’t think ANYONE really goes over suge huge pieces of code everytime there is an update, unless they are paid specifically to do so or they have malicious intent against the author to publicize weaknesses or worse.
    Waterfox has been around for a while and some people test memory/traffic leakage of browsers to see if there is anything to worry about. But why should I trust Mozilla? Google I wouldn’t touch with a ten foot pole, they are admitted offenders.

    NoScript – unsafe mode weaknesses. If you start by blocking everything and specifically and temporarily unblock what you perceive as safe, and temporarily sometimes, or in private-mode even allow temp. some of the bad guys like googleapis, I think it works fine. Many thinks work fine as long as you are conscious of the risk and the extent of which you are willing to take. I don’t think tor or its browser is absolute anonymity either. I wouldn’t trust private vpn (paid service) much either. I may test things and if I have nothing to hide anyway I can take risks. I wouldn’t recommend anything outside a Faraday cage deep inside a cave 🙂

    I am not a Maoist, but there is this Maoist tactic that relates to fish and swimming along them .. if you know what I mean. In which case why not Ubuntu or Mint Cinnamon 😉


  22. I know many people go by the logic “if it is open code and people audit the code if there was anything malicious about it we would have known by now”

    If it is open source, it make possible to spot any vulnerability/malicious inside the code. Without saying you can study, edit, remove add any part of it…

    But anyway, regarding any browser today, the best is to run it inside a virtual system qemu and not directly from your OS.
    If is is closed source, you have no possibility to known what’s going, you are at the mercy of the developer/corporate behind it.


  23. Have you ever noticed the difference in gfx quality within a virtualized display, although resolution lists as being the same, do your eyes get tired faster/easier on it? I have.

    There is also ways to run such windows inside a container, a jail (firejail), bubblewrap, etc.

    But mozilla’s “private” window is not to be trusted as a solution, private from 3rd parties maybe, from them, no!


If your comment is considered off-topic a new topic will be created with your comment to continue a different discussion. This community is based on open and free communication, meaning we must all respect all in minimizing the exercise of freedom to disrupt such communication. Feel free to post what you think but keep in mind the subject matter discussed. It is just as easy to start a new topic as it is to dilute the content of an existing discussion.

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.