
Review: Can We Trust the Waterfox Browser? (Updated 2023)

Waterfox came onto the browser scene in 2011, offering official x64 support right out of the box (a rarity among browsers at the time), and promoted itself as an “ethical browser.”


However, many things have changed since 2011, both in the browser landscape and in the Waterfox project as a whole.

With these changes, can Waterfox be a viable privacy-focused browser?

Let’s do our best to find out.

Overview

Here’s Waterfox at a glance…

PROS

  • Light on System Resources
  • Compatible with most Firefox Extensions
  • “No telemetry” and “Limited Data Collection” (this could change, given the first con below)

CONS

  • Bought by analytics/advertising company, System1, which is the same company that bought search engine StartPage.
  • Still needs about:config tweaks found in Mozilla Firefox to be a more “true” privacy browser
  • Nonexistent mobile support (this may be a con for some people)

Revisiting Waterfox in 2023

Waterfox has changed somewhat since this post was first published. Most notably, Waterfox has returned to its previous independent status and has streamlined its lineup.

Waterfox is independent


As of July 2023, Waterfox announced it has returned to its former status as an independent project – presumably, shedding their association with System1. For the unaware, System1 had invested in Waterfox in late 2019, and while they did nothing explicitly violating user privacy, their “backing” of Waterfox wasn’t well-received by many (including myself in the initial version of this review).

This association with System1 was the primary con associated with Waterfox; Waterfox had been partnered with System1 for roughly 1 year when the initial post was published. At the time it seemed to deliver on its promises of an optimized and more private experience for users, despite its association with System1.

As noted later in the review, System1 had never (overtly) done anything to be labeled as “untrustworthy,” but suspicions persisted because of its analytics/advertising connections. As such, because of this association, it appeared the greater privacy community (myself included) lost trust in Waterfox – or confidence was shaken enough not to widely recommend it over other privacy-oriented browsers.

A refreshed download/install experience

Waterfox still downloads and installs quickly. The website has been overall simplified. It is far easier to find relevant information and download the appropriate version of Waterfox.


[Image: Waterfox website home page]

Since the publication of the initial version of this post, Waterfox has moved into release of its 4th generation. Waterfox Classic is still around, though it appears to no longer share the same code repository or immediate resources with the newest generation of Waterfox.

With the 4th generation of Waterfox, users on substantially older systems may find difficulty running the browser. However, users are still able to download older, stable releases of Waterfox if desired, though this isn’t expressly recommended because older versions (including Waterfox Classic) are missing security patches from upstream Gecko.

While Waterfox still does not have an official release on Android or iOS as of this update, users can download the older Android version if desired – though this isn’t recommended because the Android version is ridiculously old and missing years’ worth of security fixes and updates. Running extremely outdated software, such as a browser, undermines basic security and negatively affects your privacy due to needless exposure to vulnerabilities.

First Launch

Waterfox launches quickly, which was also noted in the initial post. Nothing’s changed there.


[Image: Waterfox initial launch showing the latest patch notes and announcement]

Upon first launch of this new, independent-from-System1 Waterfox version, I used Portmaster to capture DNS queries made:

| Domain | Description |
| --- | --- |
| waterfox.net | The official Waterfox website. |
| location.services.mozilla.com | Mozilla’s geolocation service. |
| content-signature-2-cdn.mozaws.net | Service validating data sent between client and other Mozilla services |
| firefox.settings.services.mozilla.com | Latest login breach information from Mozilla. |
| ocsp.digicert.com | Well known + valid OCSP service |
| r3.0.lencr.org | Let’s Encrypt domain for providing OCSP data |
| shavar.services.mozilla.org | Mozilla updater service for its tracking protection project |
| ciscobinary.openh264.org | OpenH264 Video Codec download server |

Background connections made by Waterfox on initial launch

A little bit to unpack here for the initial launch, but nothing too bad. On my first launch since last installing this browser, Waterfox took me to its patch notes hosted on its website waterfox.net – so this is not really a background connection.

The server hosting Waterfox.net has OCSP stapling enabled, which checks the revocation status of a website’s certificate; Digicert is perhaps the most well-known provider of this service. Lencr.org is owned by Let’s Encrypt, which provides free TLS certificates for websites (so you connect via HTTPS instead of HTTP).

Like Firefox, on the first launch after install, Waterfox fetches and downloads Cisco’s OpenH264 video codec from ciscobinary.openh264.org. This video codec encodes and decodes in real-time, which makes it great for use in other real-time browser applications (ex: WebRTC).

The other domains are connections to various Mozilla services, as noted in the table.

Waterfox appears to still uphold its no telemetry claim

Similar to vanilla Firefox, Waterfox can be configured using the about:config settings to be more privacy-friendly. It is also compatible with add-ons designed for vanilla Firefox; Waterfox still comes with uBlock Origin, an open-source wide spectrum ad/tracker blocker, by default. Additionally, the default search remains Bing.

By default, Waterfox still does not have the opt-out telemetry (“Firefox Data Collection and Use”) in its settings, signaling this has been removed in the source code – which is a good thing. Waterfox still uses some Mozilla services, though.

While using Waterfox, I noticed regardless of the sites I visited, it usually made background connections to:

| Domain | Description |
| --- | --- |
| bing.com | Bing is a search engine by Microsoft. |
| firefox.settings.services.mozilla.com | Latest login breach information by Mozilla |
| push.services.mozilla.com | Web Push notifications service by Mozilla |
| aus1.waterfox.net | Automatic update service for Waterfox |

Background queries made by Waterfox while browsing

Connecting to Bing (bing.com) in the background concerned me. But I relatively quickly found that in the preferences/settings pane, Waterfox enables search suggestions by default; since Bing is the default search provider, connections to Bing pull search suggestions as you type them in the URL bar.

However, the issue with this is the forwarding of your search queries to the selected default search engine in real-time, before ever hitting Enter. Disabling search suggestions fixed this issue altogether. Though, if you prefer search suggestions, then it’s best to use a private search engine as the default browser search instead.
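One way to repeat this check on your own capture, as an added example that is not from the original post: the script compares queried domains against the ones listed in the two tables above and reports anything else. The "<time> <queried name>" line format and the sample lines are constructed assumptions, not Portmaster's export format.

```python
BASELINE = {  # domains from the review's two tables, with its descriptions
    "waterfox.net": "official Waterfox website",
    "aus1.waterfox.net": "Waterfox automatic update service",
    "location.services.mozilla.com": "Mozilla geolocation service",
    "content-signature-2-cdn.mozaws.net": "Mozilla data validation service",
    "firefox.settings.services.mozilla.com": "Mozilla login breach information",
    "push.services.mozilla.com": "Mozilla Web Push notifications",
    "shavar.services.mozilla.org": "Mozilla tracking protection updater",
    "ocsp.digicert.com": "OCSP service (DigiCert)",
    "r3.0.lencr.org": "OCSP data (Let's Encrypt)",
    "ciscobinary.openh264.org": "OpenH264 codec download server",
    "bing.com": "default search engine (search suggestions)",
}

def normalize(name):  # 'Bing.com.' -> 'bing.com'
    return name.strip().lower().rstrip(".")

def match_baseline(domain):
    """Return the listed domain that equals `domain` or is a parent of it, else None."""
    # Longest first so aus1.waterfox.net wins; the "." stops notbing.com matching bing.com.
    ordered = sorted(BASELINE, key=len, reverse=True)
    return next((b for b in ordered if domain == b or domain.endswith("." + b)), None)

def audit(log_lines):
    """Split queried names into listed hits (grouped by baseline entry) and unlisted ones."""
    expected, unexpected = {}, set()
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        domain = normalize(parts[1])
        base = match_baseline(domain)
        if base:
            expected.setdefault(base, set()).add(domain)
        else:
            unexpected.add(domain)
    return expected, sorted(unexpected)

SAMPLE_LOG = [  # constructed sample, "<time> <queried name>" per line
    "10:00:01 waterfox.net", "10:00:02 Firefox.Settings.Services.Mozilla.com.", "",
    "10:00:03 www.bing.com", "10:00:04 notbing.com", "10:00:05 telemetry.example.test",
]

if __name__ == "__main__":
    hits, misses = audit(SAMPLE_LOG)
    for base in sorted(hits):
        print(f"listed   {base} ({BASELINE[base]}): {sorted(hits[base])}")
    print("unlisted:", misses)
```

Unlisted names are not automatically a problem (ordinary page loads add their own), so run it on a capture taken with no tabs open to isolate the browser's own background traffic.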

Of course, some may find the initial and default connections Waterfox makes concerning. However, let’s remember vanilla default Firefox is just…

*** This is a Security Bloggers Network syndicated blog from Avoid The Hack! authored by Avoid The Hack!. Read the original post at: https://avoidthehack.com/review-waterfox-browser