When the service went from unlimited open access to being put behind a login wall, I assumed they were using this tool to pull more users into the Firefox ecosystem (like what google does). I stopped using the service at that point since it effectively lost the privacy aspect.
Too bad. I really enjoyed using it while it was up. The code is open source, and they have docs on how to set it up for self hosting. I wonder if there is a chance some active forks might live on?
"We" as in "the people who knows how to use the command line". Unfortunately very few of the people I send files to knows that.
There's https://webwormhole.io/ and https://file.pizza/ , but can I know what they really do behind the scenes? Native open-source software for this would be a dream come true. It's 2020 and I still wrestle with sending files between devices. And no, don't take this as a wish for creating just another service. :)
File.pizza is great! It uses WebTorrent[1] to seed files right in the browser. The downside to this is, you have to have your browser open the whole time you're sending the file, as it's direct peer-to-peer. Firefox Send was an "upload it, get the link, and they can download later" kind of service.
Also they're not very reliable. I tried to use both of those a couple weeks ago and it just didn't work. File.pizza crashed during initialization on a large file from a friend, and they both failed when I was trying to send a file that was only about 3GB.
Looks neat. I guess one could send an SHA-512 or something through a different channel like email or sms to at least mitigate partially MITM attacks. Obviously encrypting the files before hand. Seems like it needs another layer on top :) . NAT transversal is sweet though via webrtc
I've used File Pizza to share files with friends, but it feels like the upload speed is being bottlenecked by something that isn't my ISP (I have synchronous upload) - is there an inherent speed issue with using WebRTC for this?
Hmmm. Several of the listed feature seem like valuable improvements over Magic Wormhole. That leads me to think that maybe several people should go to the bother of an IETF working group so everybody's platform gets at least a baseline interoperable thing in this class (PAKE driven single file transfer) like with TLS or SecSH, rather than all having their own preferred option that's incompatible.
Seems like the relay server does do file transfer?? Seems like it kills the purpose of it for me, or at least is a major negative compared to say webwormhole
I used it for a while but I found the docker setup strangely over-complicated in comparison to next/owncloud.
Also, the basic options to set up file link TTL and max number of downloads... If I remember correctly, it's one or the other. Not enough tweaking options for something with so much moving parts.
Nearly all their "side projects" look like greenfields used by the project teams to boost their CVs so they can land better jobs. Those teams know very well that those projects have no use case, but they dont care. Foundation does not care either, since it is busy with increasing own remuneration and politics.
Meanwhile their core product lost around 10 percentage points of market share (from 15% marketshare to 5%):
1) Nobody works on Firefox any more. From 1000 people in Mozilla and how many working on Firefox? 50? and 950 doing various (useless) side projects?
2) they don't understand their own product and its user base: they killed extensions, killed ability to customize anything. Basically they rebranded to a "worse Chrome".
3) They dont care about quality and ship a half baked product. Recently they shipped Firefox for android that feels like alpha version. It is even unclear why did they ship it, they could have waited.
4) Countless bugs and problems caused by their own decisions (e.g. all extensions need to be signed - they forget to sign them so they stopped working..)
5) Not caring about the product at all because some people inside are stubborn dinosaurs. Firefox didnt have proper installers for business, just because someone inside didnt want to provide them. It's like sabotage.
Their tech savy user base gets alienated every day: no more extensions, no more customization, constant broken workflow (changes for the sake of doing changes, while old things are never repaired - greenfileds are easier). At some point you start to wonder, why use a Chrome clone that is worse than Chrome?
I expect that the marketshare will go from 5% to 0.% What will be terrible for everyone. We are already losing the address bar due to Google AMP. [on a sidenote: when Chrome pushed for Google AMP, Firefox didnt capitalize on it - in fact Firefox also changed the address bar as if the Firefox team wanted to secretly support AMP..]
Those teams probably know very well that Firefox is a sinking ship, since development teams are not working on core product; but they dont care, they will jump. Meanwhile those few who worked on Firefox are left holding the bag, while they were "paying" for all those side projects, that just siphoned money / development time from core product that is Firefox.
If you think Firefox has stagnated you clearly aren't aware of the substantial and complex improvements that have been made to the firefox core over the last couple of years:
I honestly don't see these as a good sign for a browser as a tool, instead of some software development adventure.
Firefox has a much smaller team than Chrome to begin with, and they can only work on so many things. If they keep spending time in "re-inventing the wheel" (in addition to what you listed, they also revamp their mobile client quite a few times in my recent memory), what left behind is attention to details in UX and UI that users can feel, which is what Firefox was famous for.
I'm not a developer, but I've submitted or engaged in many bug tickets on Bugzilla. What I can tell from my experience is that the response to bugs (critical or not) are getting slower and slower. Not just patches, sometimes you will have tickets that took years to have someone even looking at it. My feeling is most of developers are more likely to spend their time on Mozilla's "big goals" than maintenance.
Just to give one example, there is still no full range video support in Firefox in the era of video game streaming. This alone lets me to have to use Chrome to watch Twitch.
Performance isn't the only thing people care when choosing a browser. If it is, they probably abandoned Fx for a Blink based browser long time ago. Also does Firefox really have significant performance issue after 57?
Clearly it’s a rhetorical device, presenting a reasonable speculation that matches the evidence (number of projects, and quality), as part of the natural flow of the writer making their point.
From experience, what happens internally in an organization is quite different from what is visible from the outside. Making up numbers like that is just a terrible insult to the people who work on a lot of useful stuff in Mozilla.
You can question the waste (which is obvious; Mozilla was bloated, and has no evolutionary pressure as long as the money keeps flowing in from Google deals) without it denigrating what’s useful.
You criticised their guess as baseless just to follow up by denying their numbers without sources. Only one of you two chose to present a fact without backing it up.
There's also this gesture of assuming that the opponent is motivated by evil intentions, which is almost always wrong.
On topic though: Our conversation could really benefit from some actual numbers. I made a quick search but didn't find anything.
Is it? I feel that people vastly overestimate the actual number of competent programmers (not managers, CxOs, etc) many projects need.
Consider that even here on HN we have one person who wrote their own HTML5 renderer, JS-like scripting language, CSS, etc from scratch (csmile). How do you figure that to go from that to what is needed to make a browser that renders sites properly you need to add more than 49 additional programmers?
Its not just about the code though. Somehow that code needs to keep up with the latest standards and magically be delivered to my client device. To think that a project as complex as the Firefox ecosystem can be maintained with less than 50 engineers doesn't match my experience working on large product teams.
Here's my estimate:
* A dozen build engineers to support development and builds for X client platforms
* A dozen engineers for the Javascript VM
* Dozens of engineers to support ongoing javascript and CSS standards
* A dozen engineers or more to support the firefox core
* Dedicated teams for Android, MacOS, Windows and Linux targets
* Dozens of Team/Programme/Project managers to _enable_ devs to do their best. These folks aren't optional.
You work on large teams, so your estimates are for large teams. Smaller teams work faster and can get more done with less. Basic "Mythical Man Month" stuff.
I'm not saying you're wrong. Just that you might not be right.
Sciter doesn't even come close to a fraction of what Gecko or WebKit offers or does, and it still took the author many years to get to that point, so I'm not sure what you're trying to get at. The "JS-like engine" is an excellent example. It turns out, you need an actual JS engine to run real websites, not a "JS-like" engine. The difference between 80% and 100% of that problem is massive, and it also turns out running that fast is a ridiculously complex project on its own. (And, unsurprisingly, the recent Sciter FOSS Kickstarter announced that it would pivot to QuickJS instead. It might be educational to think about why they would do that.)
This doesn't even get into things like translations, technical writing (manuals, help pages, etc), infrastructure needed to actually deliver updates and downloads, collaboration on web standards, etc.
> Sciter doesn't even come close to a fraction of what Gecko or WebKit offers or does
It is close enough to show that a web engine can be made by a single person even if it doesn't fully adhere to the standards and its functionality is certainly not less than 1/49th of what you'd need to go there.
> The "JS-like engine" is an excellent example. It turns out, you need an actual JS engine to run real websites, not a "JS-like" engine.
Fabrice Bellard has written (among many other things) a full modern JavaScript interpreter, again showing you do not need a "dozen" people (like another commented mentioned) to make such an interpreter.
Yeah, as someone who wrote a good chunk of a CSS layout engine (Servo) I can confidently say that this comment demonstrates a huge lack of appreciation of what the scale of work involved is.
The comment was not asking out of curiosity, because when you do that you don't frame it in a way (50 out of 1000) that matches the larger point you're trying to make.
Tab ordering is messed up. Tab scrolling is bugged. Everything from before requires more taps than before. Pages randomly render blank. Normal and private mode gets stuck and next intent tab is opened on whatever mode was explicitly opened before.
I would count the bullshit extension whitelist as the single biggest regression. But it is not new, so its not counted as such anymore?
The worst part, I will still be using Firefox because of my principles. Mozilla knows that userbase like me isn't leaving, and those unlike me aren't staying. It doesn't matter how big of a screwup they cause next time. The writing is already on the wall.
They made simple workflows more complicated, removed features and move UI elements around for no apparent reason.
Weirdest thing is how they moved the address bar to the bottom of the screen. You can put it back to the top of the screen but it's like - why?
There was a useful list of most frequently visited sites on the homepage, which they've decided to remove.
Opening a new tab or a favourite now requires at least two taps (one on top of the screen, and the second at the bottom), or one long press, while it required only one tap before.
With their experience in software development, Mozilla should now that users mostly hate changes, although we can be fine with it when there are improvements too. But in this case, there's no improvements as far as I could see, just random changes to the UI, a few things worse, a few things different for no reason, but nothing better.
Overall it gives very little confidence in what they're doing. It seems there's no leadership or overall vision at Mozilla, just random teams making random changes just for fun.
UI is significantly changed for the worse - things like tab handling (tabs go to the top of the list which may be hidden from view), swipe controls (close tab requires some weird "must swipe across 40% of the screen" motion to be recognised) and graphical issues have all suffered badly. It's not just a case of getting used to the new design, usability is an afterthought.
But yeah, the ability to use extensions on mobile was the key feature for me switching to firefox. Now I would just like to find a non-sucky-non-chromium browser.
> Apart from extensions requiring whitelisting, how is it worse than the old mobile FF?
This is the most important point by far. First-class add-on support was the one differentiating feature that Firefox for Android had over every other browser on the platform. There are a handful of other browsers with add-ons on Android, like Kiwi, but they aren't nearly as seamless as Firefox was.
I'm using Fennec to write this comment because of Refined HN, I just turned off auto-updates. Not going to switch (at least for now) and I love Firefox but who knows where we'll be in a year? If we're in the same spot then I'll have to switch to Kiwi for these use cases.
I have Nightly installed and it's faster - whitelisted uBlock Origin alone solves a lot of problems in addition to GeckoView's massive speed improvements - but it doesn't fit every use case, so I have to keep Fennec installed.
The devs seem obstinate about ever allowing non-whitelisted add-ons outside of Nightly, which is... odd, it's the one feature they have over the competition. They seem similarly obstinate regarding about:config on stable.
There are other grievances (I actually disagree with the detractors on the default position of the address bar - it's far easier to use on tall devices) but this is the one thing that can't be found elsewhere, and it's gone now.
To reiterate, this feedback comes from a position of love, not hate, and I think most other people here feel the same. The devs are getting a lot of heat on places like reddit though, and the Play Store reviews for another. My limited understanding is that Fennec had to go eventually.
Bookmarks and top sites are only visible when opening a new tab, not when placing focus in the URL bar. If I want to go to a new site I have to either type the address, or open a new tab leading to a lot of old unused tabs that need to be cleaned up.
I've had many bugs since the URL bat went to the bottom -- it crashes on some websites and often has multi-second hangs. I had to go back to chrome (I will try it again in a month, and hope it has improved, as I prefer Firefox).
No tab queuing means I can't open a bunch of tabs from another app without constantly having to switch back and forth (Open link in another app -> Auto-opens firefox with that tab -> switch back to origin app).
> Those teams know very well that those projects have no use case, but they dont care.
This seems like a case of "hindsight is 20/20". There are tons of successful projects that had people saying things like this about them at the start. When it works, we call it bold risk-taking. But when it doesn't work, we feel like we always knew it wasn't going to work.
Regarding 2) ...evidently focusing on their existing userbase isn't viable.
So often these comments like "they are ignoring their user base" and "why won't they let us donate to firefox" miss the point (even if true / beneficial)...they don't want to double down on their existing user base; they want to expand their userbase to go with their mission of bringing more trust to the web
Firefox was the better extension platform for years, and that wasn't enough to entice users away from Google and Chrome. They are trying, and failing, to find a differentiator that will give market share. Trust, privacy, and security on the web so far hasn't got to consumers' hearts, and extensibility and donations are basically just pandering to those few users that remain.
> evidently focusing on their existing userbase isn't viable.
I disagree.
First of all: their strategy to ignore the requests of existing users in order to focus on some potential new users doesn't work. Firefox lost around 10 percentage points of market share in last few years.
Second of all: the whole "strategy" of alienating current user base in hope of finding new users is batshit insane.
Browsers are a mature product: it is much easier to keep current users happy and grow organically. This is not some start-up that will come up with a killer feature - you evolve the product.
You can scroll a bit up, even in this thread to see people complaining about the terrible user experience in last Firefox for Android roll out. Do you see a single person praising it? Long gone are the days when tech-savy users would recommend Firefox to their friends and family. Also, why did they even roll out a half baked product? Couldnt they fix it before rolling it out?
As an user, at this point you might start to wonder if it is even worth it to update Firefox. How will the new patch break your workflow? Will some useful features be cut? It's not even about the bugs and the project seems to have them.
People go to Chrome because it is stable. No batshit insane changes to UI or workflow. [and yes, I am aware that Chrome wants to kill the address bar to introduce "AMP" - what is a terrible thing for whole internet]
To self quote, "Firefox was the better extension platform...and didn't entice users away".
Firefox's share has been declining for years, and I wouldn't say it's become a significantly worse browser in that time. They aren't showing any signs of growing organically. They are trying to get away from Google, and for that, they need to grow their base and bring in much more revenue from users, or just accept being a small side player in the browser market.
You mention tech-savy...but is 'tech savy' what the public wants, or needs? Firefox has always been the more tech-savvy browser I would say, and yet they are losing ground to Chrome. The tech-savy browser is the one that's trying to push the boundaries; they are trying to do more technical stuff, which gives more opportunity for problems, such as workflow breaking.
I don't know if Firefox _can_ compete with Google, given how badly their market share is declining. I think a lot of that isn't even due to Firefox, it's in my view partly driven by Web Devs no longer caring about ensuring Firefox is supported, and also just that "Google" is the average users' doorway to the internet. I think it's also partly because the Chrome way just works for your average consumer...click the browser, search, job done. Again, the HN crowd seems to conflate 'what I want' and 'the reviews I see', and fail to really think about what _the market_ wants, or how the average consumer interacts in ways that may be wildly different than the way a current firefox user interacts. Chrome is stable because they don't really seem to do much from release to release, and that _works_ for the average user.
The loss of users happened when Chrome came out. At that time Firefox was eating tons of memory and getting buggy with more tabs open. Chrome was also marketed very aggressively by Google.
Firefox partially removed those problems with later versions: it stopped eating so much RAM.
Sadly after version 56 the "batshit insane" strategy started. It's like a set of terrible decision after terrible decision. (1) alienating users by killing extensions (2) constant changes to UI, workflow (3) 1 year later forgetting to sign extensions so everything stopped working (4) patching everything via strange side-channels that shouldn't exist (5) even more batshit insane changes to browser, killing extensions AGAIN and chaing extensions again
If all those things simply did not happen and Firefox was simply maintained like a normal program, their unique selling point would be "our product is similar, but offers you your favorite extensions and also we don't spy on you". That would be their secure niche, from which they can expand and which they cannot lose.
But they do everything they can to lose their users.
> Chrome is stable because they don't really seem to do much from release to release, and that _works_ for the average user.
What is the value add of constant shifts of Firefox? Definitely not security.
I hesitate to reply to this, because it's such a caricature of negativity. It's kind of a rollup of all of the crap that HN comes up with to fling at Mozilla. Everything has some kernel of truth in it, but it's pretty heavily buried.
1) The majority of developers at Mozilla are working on Firefox. Many more than 50. It is true that we have fewer staff than Google has working on Chrome (Mozilla is less than half, I heard rumoured?).
3) Anyone who's had to make a decision of when to ship a product will be familiar with the things you need to juggle. There was a much earlier alpha that got close to shipping and then held back. You would have been less happy with that. There are later versions that would have been more complete, at the cost of maintaining two separate code bases longer. Massive opportunity cost. Was it shipped at exactly the right point? Almost certainly not.
1000 might seem like a large number to you, but we are a small organization relative to others in the same space; we can't keep a lot of extra bets going.
4) Superficially: uh, isn't that what bugs are? The only way to prevent your decisions from causing problems is to not make decisions, and then that's a bigger problem. Specifically with the signing, nobody forgot to sign anything, a cert expired. We screwed up.
The decision to sign addons had consequences, yes. A decision to not sign addons would have consequences as well -- which we knew intimately, because they were very, very real and growing rapidly. But I can't make anyone believe that if the starting point is the assumption of incompetence.
5) Shifting resources away from enterprise does not equal "not caring about the product at all". I've long taken issue with that particular (now changed) decision too, but I never assumed that I had enough of the full picture to be confident that I was right and the decision makers were wrong. Contrary to prevailing opinion, just "providing" something is not free. Enterprise support costs resources. Throwing something over the wall and saying "patches welcome!" when it doesn't work for people is worse than not pretending to support it in the first place.
Your beef with side projects is a little bizarre to me. Why do you think they take up such a huge percent of resources? Assuming 95% is not a good faith argument that I can even respond to. Maybe we could agree that 0% would be unhealthy and shortsighted?
I'll stop there. I will suggest that you at least stop repeating things like "development teams are not working on core product" since I know that to be objectively false.
(I'll admit that at present there is one fewer developer working on core product right now, but that'll be fixed as soon as I close this tab.)
2) I'll concede the technical reasons. But it's been something like four years now, and you still haven't caught up with what the previous extensions could do. There's still no way to remap keys without waiting for the current tab to load, for example. This is a very important UX feature!
4) The problem is, when you force users to go through the Mozilla gatekeeper, it's all the more important to get this right and not have that gatekeeper sleeping on the job.
Second, the failure behavior was not fail-safe. Users had their previously-signed addons disabled when this struck. Many of these were necessary to protect their privacy, which was then compromised.
(Proper fail-safe behavior would have been to allow already-signed addons to keep working or put up a warning, so don't tell me it would have needed a huge investment of resources to avoid that catastrophe.)
How many other browsers have had a sudden global feature outage like that?
And, to make it worse, your leadership thought it was somehow reassuring to say, "Oh, don't worry, we broke the promises of the user experiments feature to push out a forced update that fixed this!"
>A decision to not sign addons would have consequences as well -- which we knew intimately, because they were very, very real and growing rapidly.
Mozillians keep insisting this but I have yet to see evidence. Has there been even one case of a user a) who is technically adept enough to enable unsigned add-ons, and b) sideloaded an extension, and c) suffered a security catastrophe that merited Mozilla intervention? Most of the naive users you're claiming to protect can't even get past a).
Chrome allows unsigned addons just by toggling developer mode. Where are their massive security breaches from that?
The original promise of Firefox was to give me back control of my machine. Having to go through Mozilla for my custom extension just feels like the days of getting software from shrinkwrap at Best Buy again.
1) When I write about people working on Firefox I mean people fixing old bugs and working on the features that USERS want. Users are the most interested in the core product: the browser. They also want the browser to get the functionality that was removed (extensions!).
When you write about Firefox, you seem to write about various side projects like Firefox-Send, or Pocket that barely add any value to the actual users. Users don't want them (or even ask for them) - yet the teams are very happy to start and make some half-baked greenfield product [after all Firefox Send is a project failure - couldn't stop malware + nobody used it].
This might be a blasphemy, but IMHO even creating Rust is a bad side project. [maybe good for the world, but definitely bad for Firefox - resources are removed from browser development team]
2) Your comment makes me lose hope. Users are very clear: they want extensions. Yet you act as if XUL extensions is the only way to make extensions. Ever.
Do you mean that the whole Firefox team (probably 1000 people) cannot invent a new and secure extension model that allows to adjust the browser per user needs? I get it - creating it is hard. But it is literally your job. When you are a Firefox programmer you should work on the core product. Not on some easy side-project.
From outside perspective it looks that nobody wanted to deal with the difficult problems. Management just let the developers to ignore them and create new, sexy, greenfield side projects.
Another user pointed out that the new extension model does not even allow to remap keys immediately (personally haven't tested it) - most computer games allow this, so don't act as if this was some impossible programming challenge.
3) When you release unfinished, buggy products you alienate your user base. Most users understand that software can have bugs. But why does Mozilla constantly release things that break the users' work-flow? From user perspective it feels like change for the sake of change. You start to wonder what feature will the new patch remove or break.
At the same time your competitor is reliable. They can change the inside, but they don't touch the outside: the user interface stays constant.
4) The problems with extension signatures is a complete fiasco of the Firefox project management. It shows that inside you have zero control over the process - no tools to track workflow, critical tasks and what needs to be done? (are you still stuck on mailing lists?)
This one is 100% on Mozilla and please dont come up with some excuses, because they sounds pathetic.
I repeat: from user perspective it looks like a very small part of Mozilla deals with the actual Firefox and everyone deals with other, random stuff. Some gatekeeper had one job: sign the extensions once per year - and failed.
Also when you sign the extensions using some strange side channels, you sound like hypocrites when you claim that Firefox does not spy on its users.
5) Instead of focusing on core product, old bugs, user requests - the teams prefer to make "sexy" greenfield projects.
Proving proper Firefox installers to companies, means higher market share and consequently more money from Google. It's like someone at Mozilla was sabotaging the company from inside. Sorry, your argument that providing installers cost money is just absurd.
Why you dont use the same argument about Firefox-Send, Pocket, or 20 other side-projects that are leeching development time/money from the actual browser? Browser is the one that earns money, but it is stripped from resources that are used for "adventures" of developers.
Like the Firefox Send "adventure" that was a failed idea from the start, failed at the end. That money could have been spent working on your core product.
Also, when we speak about installers for corporate multiple people claim that inside Mozilla, there was a stubborn idiot that didnt want it to happen. It is a complete failure of management who didnt identify that person and fire on the spot.
You assume that "side projects" are taking up a substantial proportion of development resources. They really, really aren't. Experimental projects are mainly small groups exploring possibilities. Initially 1-2 people, growing when (and if) they seem to be getting somewhere. At various points in the history of the project, it's been more developers vs product people who come up with the initial ideas.
The rest of us are working on stuff like: Fission (process-per-tab, roughly). Pageload performance. Memory usage. Printing. Moving stuff to the GPU. The never-ending treadmill of new web APIs. Porting to new platforms. Fixing bugs.
As for extensions: there is no intention to regain 100% of the power of XUL extensions. Never has been. Many extensions used to get the source code of an internal function, search and replace to update the code, and reinstall it. We're not going to return to that level of power. (Yes, XUL extensions don't have to do it this way; I'm using an extreme example to illustrate the former power.)
But that's not to say that Mozilla doesn't want to increase the power of WebExtensions. I'm not really privy to the decisionmaking there, but look -- we just laid off 250 people. I hope that's adequate proof that we have to make some hard resourcing decisions. And most of the "why don't you just..." requests are not as trivial as they seem, even when the requester's exact use case would be fine. Any extension API that allows deceiving the user or subverting their intentions must be handled carefully to maintain the security of users, and people are pretty darn good at finding unexpected ways to exploit seemingly innocuous capabilities.
I'm not going to debate the history or correctness of all the decisions that bother people. I agree with some, disagree with some, and aligning my views with yours or anyone else's isn't going to have much of an effect on anything. We've screwed up. I'm sure we haven't properly admitted to some screwups. People's experiences and workflows are different, and I know I'm always surprised to discover that 99% of users are not seeing something that bothers me. My intuition of what is or isn't important is not as good as I expect it to be.
I assume they expected some use to spread illegal content, but the ratio of illegal use to accepted use was far different than their expectations. Presumably the reason to launch it was to advertise Firefox by providing a useful tool that encourages linking to others.
I assume this is more of a political miscalculation.
Advocates of freedom of speech & from government oversight could argue that this sort of service is a good thing regardless. As in, yes people will share illegal content but enforcement of that should happen outside of the encrypted transfer, and the right to encrypted transfer for everyone should be protected. I assume this is broadly what Mozilla believe.
They may have miscalculated their ability to ideologically separate the service from the content, legally or in popular opinion.
If you were being cynical (and to be honest I don't think this is exclusively what happened here), you could view it purely as a short term marketing campaign.
It generated lots of positive reporting about Firefox, associating them with: launching a new product, encryption, freedom and ease of use. It also had an element of virality, in that a passionate Firefox user could use the service to send to someone who doesn't use Firefox and forcibly introduce the brand to them.
All of this helps to build brand and mindshare, which, in an ideal world, leads to more installations and more ad revenue.
There are some comments about how they should focus on their browser. As much as I'd like to say otherwise, I'd argue that activities like this have a much better chance of pulling people over from Chrome than ticking off a few bug reports, or improving the certificate workflow for extensions.
Heh. The marketing campaign idea does sound plausible, but I don't buy it. It's much easier to burn goodwill than generate it. People hate to lose existing stuff a lot more than they like to get new stuff. "There's no such thing as bad PR" only works when you can lock in your customers.
That does seem incredibly naive. Maybe the problem is not so much that it was used to spread malware/illegal content but that it failed to reach mainstream adoption and as such was mainly used to host malware/illegal content that would be rejected by other hosts, while not generating a lot of good publicity and new users for Firefox?
Google is giving them so much money, for such a long time, that it is hard to replace. Golden handcuffs. Donations and $10/mo "Firefox subscriptions" aren't going to make up for it.
There are ways they could make money and leverage their browser, such as becoming a certificate authority (they're literally outsourcing profit) or making their own search engine (which would probably be a bad idea for other reasons). Nothing else is going to replace $400m/year.
Their real problem is not "making money." It's too much easy money making them go soft, and then wasting it.
Google has already given them such a huge amount of money that if Mozilla managed it well and ran a lean organization they could coast decades without further payments. Instead they seem to spend it as fast as they get it.
They've burned up billions with little to show for it (their declining market share is the proof of this) and now wonder how they will survive.
Half the things people criticize them for are attempts to find revenue. The criticisms are often reasonable but you can't say they're content to rely on Google.
And couldn't they have added a malware scanner to deal with the problem directly?
As for illegal content that's true with any private communication but maybe DCMA or similar got involved. I can accept that fighting for private large file transfer detracts from the main goal.
Mozilla Foundation, as owner of Mozilla Corp, is a non-profit. Thus the second argument is not that important. Also a single feature can be unprofitable if it helps to drive the related products.
First argument is more relevant, I see it as underestimated the risk there and coming out of a technical experiment ...
That all said: Mozilla Corp's "focussing" doesn't convince me.
I've built `ffsend` as CLI tool for Send to securely share files from the command line. It has been a great success! Thanks Mozilla, for building and providing this amazing service!
I'm currently hosting a public Send instance myself so ffsend keeps working. Let's see how long I can keep this going (and funded). It's available at send.vis.ee .
Pretty much. They suddenly took it down for 'maintenance'. The relaunch was delayed. Mozilla released a statement on laying off 250 employees. That's when I figured it wouldn't come back online again.
I don't have any specific knowledge, but my general impression was that malware was a very real issue that nobody could come up with a realistic response to. Other than that, it seems like Send was a breakout success.
(I work for Mozilla, but mostly on the JS engine.)
With the utmost respect, can somebody please tell if anyone thought of requiring a Firefox account? Or charge $2/mo and go from there? Products usually iterate on design and security, no? Not just give up right away?
Some of us recommended a Firefox+ service that bundles Firefox Send, the VPN, etc. and charge a monthly premium. I would've paid a lot of money. Nothing makes any sense looking from outside!
I can't quite see how malware would be sent with this? An exploiter uploads a file, then gets someone to download it - where's the secret sauce, why does this work better than hosting the file; each file is only downloadable once IIRC?
Next, how were Mozilla able to determine the contents of files shared (but not able to just drop by hash known malware, or run antivirus heuristics)?
The sending of malware part might be to get files served from a somewhat more trusted (and less likely to be blocked) domain. No matter how many files you sent through it, it was much less likely to get blocked at the DNS level by Quad9, OpenDNS, DNSFilter, etc. than some random compromised website. There's also a real incentive to having files retrievable only once, because if someone downloads the file and AV kills it, that email can't be passed along to someone so they can get their own clean copy for analysis.
As for how to identify it, because files were being encrypted before sending that probably was being done by seeing how much the service ended up in spam/phishing attempts - they may well have been able to get that information from filtering software vendors.
I didn't think about exfiltration - good point. I guess they could just host their own instance on <insert compromised server here> like the good old days.
On other projects, we solved this by incorporating virustotal checking. Sure, a 0day or custom malware may get through, but thats a small number at the end of the day.
I mean... Were they really suprised by this? An encrypted file sharing service, of course it's going to be used for sharing malware and illegal content.. I'm not sure what would've been the solution for this issue, but it was pretty clear that that was gonna happen...
Exactly. Most definitely bad actors would use this free encrypted file-sharing service. But I suspect that this wasn't even sustainable for Mozilla to begin with.
The road to hell is paved with good intentions here.
Only allowing one time downloads seemed reasonable to stop 1 and 2 stage payloads. Doesn't help exfiltration, but theres so many options for that anyway. One time downloads may be annoying for non-web savvy people, but seemed like a reasonable tradeoff.
This seems like a feature, not a bug. People can send things privately to you. It's important, therefore, to verify who you're talking to. Maybe instead of blaming it on the lack of server-side malware scans (which are always easily defeated) they could blame it on lack of an appropriate way to build a framework of trust between endpoints?
But it tarnishes their name. People who get malware through Firefox Send will associate Firefox or Mozilla with viruses because that's where it's being served from. It doesn't matter to them that it's fully the fault of the person sharing the malware, they expect that if a site is serving them content then that site can ensure that it's safe.
You're assuming the good case of people sending naive users a virus. But think of two consenting parties sharing cp or something else. It's a legal hell hole.
WeTransfer has been abused the exact same way for as long as they existed even though I don't think they have the e2e encryption. They are still operational.
That is, it's an issue with the file transfer services as a class that can be managed, but Mozilla decided against wasting time/resources on that and just nuked it instead.
Terrible shame how lame people somehow always find a way to ruin everything good they find online for everyone else without a second thought about it. :(
Require accounts, tracking, no throwaway emails, heavily logged, no anon uploads, fingerprinting clients on register to prevent multiple-account freeloading, making money off plans to have full time abuse team
Either Send is more long lived than I realized, or I have a very different definition of "legacy"
From the Mozilla Blog: ... we are announcing the end of life for two legacy services that grew out of the Firefox Test Pilot program: Firefox Send and Firefox Notes.
They're calling the two programs something that was carried on after the discontinuation of Firefox Test Pilot, not saying it's outdated software. Like the "legacy of our forefathers."
For transferring large files between machines that don’t necessarily have the same clients installed I find file.pizza quite convenient.
My understanding is it basically loads a JavaScript BitTorrent client and let’s you transfer using that protocol, so both ends needs to be online, but there is no file size limit, and good support on flaky connections.
There’s a few services like this, but I always find file.pizza to be the one that I remember the name of :)
Has been shared a lot on hn and i always find it funny that it is simply not working for me. I can't even transfer files between tabs in a single browser nor between browsers on the same host.
I really want this to work, but every time I tried to actually use it the connection broke a few megabytes into the transfer process. When transferring larger files (>6Gb) it hogs all of my computers 16Gb memory, at which point the oom killer eventually manages to end firefox.
To be honest, I think some form of abuse was bound to happen. Your files are encrypted client-side with JavaScript before uploading, so to the server it's just an opaque blob.
Out of curiosity, I did some technical analysis¹ of how your files were being encrypted to see if they were really secure and as a side-effect, also wrote a Go client for it.
An interesting property I did discover about the way the encryption keys are derived is that the scheme allows you to delegate an oblivious third-party to download the blob for you, without actually revealing the file contents to them.
Might be a stupid question, but why server can't see the secret key?
You said that "note that URL fragments are never sent to the server", which is true when uploading the file. But when someone is downloading the file, they need to use this full URL with secret key right? By then, the server will get the key and can decrypt the file themselves.
This was a great service for transferring 1 off files between 2 people (such as 500mb wav files for podcast episodes which is what I used it for).
As it turns out, you can get similar behavior with Dropbox. The person sending the file doesn't need a Dropbox account either. You just send them a URL and then they have permission to upload the file.
The only extra step vs Firefox Send is you as the receiver need to delete the file after you've downloaded it. Technically that's optional but in my case that's what I wanted to do.
Tangentially, I wonder what's happening with Lockwise. [1] It also seems to be languishing without significant improvements. I was expecting it to be a competitor, at least on mobile, to the likes of Bitwarden, 1Password, and other solutions.
I once again don't have a good solution for 'how do I email a large file' but https://webwormhole.io/ is useful and simple, particularly for sending something big to someone you're video chatting with.
Do we trust them and their security approach? Genuine question - it was a major selling point to me that Mozilla were operating Firefox Send. I was happy to give some trust to them and their approach to encryption.
I used to work there, security was mostly decent with the exception of not encrypting files client side. We advocated for it many times but the founders wanted to keep the UI as simple as possible for users, which means that forcing users to send the encryption keys to the receiver via a secondary channel (ie not via WeTransfer, which would defeat the purpose as we would be able to MITM it) was a no-go. You can always encrypt the files yourself with the method of your choice and then send the encryption key over Telegram/Signal/whatever. The company has existed for over 10 years now and is profitable, so it's not going to disappear overnight or anything.
That said, the thing that apparently killed Mozilla Send (becoming a hub for spam and child abuse material) was much easier to handle. The last big project I was involved in was an automated photoDNA scanner to detect suspected child abuse material. It would pull in various lists of hashes of known bad material and flag any matches for manual verification by the department of the Dutch police that handles such things.
AFAIK they don't have a "security" approach. Files are stored on their servers unencrypted. It's a completely different situation than Firefox Send was - you need to be encrypting the files yourself if keeping your files secure from WeTransfer is important to you.
I'm not sure about any audits or anything they might have had, but they're not a random fly by night. Used pretty heavily by a lot of people involved in media production.
Keep in mind that if security is important, you can still self host Send.
Ultimately the problem of "how do I email a large file" isn't a technical issue, it is a political issue. It's like famine in the modern world.
Once you have built a secure and easy to use way to transfer large files to multiple people you have built a piracy enabling tool and you're eventually going to be sued by various media cartels for trillions of dollars and your tool will be blocked by network operators who also don't want to be sued.
I switched to croc (https://github.com/schollz/croc) to send large files. Works great across macOS and Windows. It's synchronous, one-time, so not a fire-and-forget system. But quick for large files (sending custom disk images for Raspberry Pi).
This was really funny because I tried to use it for the first time just after it was taken down, but before the announcement. At that time, it loaded a page that made it seem like it was just offline temporarily.
Android Beam looked promising but Google killed it for something proprietary. Samsung had an updated version that used WiFi Direct, but I don't know if it was open.
It seems that something that was somewhat plugable would be very useful.
- NFC or bluetooth for setup.
- Bluetooth, Wifi Direct or Internet for transfer.
Mesh networking would be cool as well but I don't think it is actually needed for the MVP.
I was under the impression Firefox Send was one of the upcoming paid service offerings. At least, that we were seeing the free service and waiting some premium features to be released later on. It will be missed, it was a really easy and intuitive solution for file sharing,
I was really hoping this would be the case. Sync + Send + Lockwise would be a bundle of services worth paying a subscription for. Provided that they also made them available on Chrome rather than using them as lock-in features.
But there seems to be zero plans towards financial independence for Mozilla Corp. The management board appears to be all too cozy with Google funds lining their pockets. A financially independent Mozilla Corp. would probably mean less money for them.
I have used it a few times in the past for the classic task "move large file between two computers that are next to each other, how the hell do I do this simply", but yeah, I can't see how that would be cost-effective for Firefox.
Looks like you've got the receiver and sender commands reversed. The sender should use input redirection (< file) to read the file and the receiver should use output redirection (> file) to save the file.
-h, --help show this help message and exit
--cgi Run as CGI Server
--bind ADDRESS, -b ADDRESS
Specify alternate bind address [default: all interfaces]
--directory DIRECTORY, -d DIRECTORY
Specify alternative directory [default:current directory]
Can also tack on an optional `-d directory_name` to be specific on where to serve from. It's my go to when developing my blog which consists of just HTML+CSS.
yeah it's not hard hard problem, but sometimes it's like "oh this computer is Windows and this is macOS or somehting" and I don't want to spend 50 minutes on debugging things
Magic Wormhole is a security disaster. Do not use if you have other options.
1) By default, authentication key has only 16 bits of entropy. (I wish I was making this up…)
2) There's no good UI to make the key stronger: you can either use, say, "--code-length 16", which makes the receiving code ridiculously long, or provide your own code with "--code", in which case it's visible to other local users via ps(1).
3) Between "wormhole send" and "wormhole receive" on the other side, anyone on the Internet can attempt to intercept the transfer. Conveniently, you can list all currently valid channel ids (nameplates).
4) If the interception succeeds, the attacker can immediately run "wormhole send" with the same code, so that the intended side wouldn't notice anything is off.
5) If the interception fails, the attacker still ruined the transfer. (DoS)
All of this would be fixable, if not the maintainer's bizarre insistence on using weak crypto.
> By default, authentication key has only 16 bits of entropy. (I wish I was making this up…)
It's a PAKE being used for Socialist Millionaire-style interactive authentication. So that key needs to be successfully guessed by the attacker. If they guess wrong they don't get any further attempts, game over, all three participants (the sender, receiver and this attacker) learn it didn't work. That's just not an attractive attack.
I've written on HN before that I think this is too few bits on balance, but that's because of social effects (a million people use it, one person gets very unlucky, that impacts take up for the same reason people don't review products that were fine, they're either 5/5 best in class or 0/5 this product killed my cat)
Setting code length 16 means you want a 128-bit PAKE. You've noticed that 128-bit secrets aren't very convenient for humans. But you don't seem to have thought any further than that, just convinced it should be "fixable" without introspecting about the core problem.
> You've noticed that 128-bit secrets aren't very convenient for humans.
Meh. Even if you have to retype the secret, 128 bits in not a big deal. The time spent on typing is trivial in comparison to the time you're gonna waste when you fall victim to DoS. I'm speaking from experience.
Does magic wormhole do firewall poking or just pass traffic through a 3rd party host? I couldn’t tell exactly what happens if the direct connection doesn’t work.
>The wormhole send file mode shares the IP addresses of each client with the other (inside the encrypted message), and both clients first attempt to connect directly. If this fails, they fall back to using the transit relay.
I used this service fairly often with clients to send me large files... pretty much drag and drop and send me the link to the file. I thought it was great.
I guess I'll check out some of the alternatives listed in the comments here now.
Making a protocol for connecting to another machine and sending (or requesting) a file is easy. We solved that a couple decades ago.
But how do you do it when both ends are behind NAT? UPNP was supposed to solve this problem, but not everyone uses UPNP, and it's pain in the ass to deal with port forwarding, also, good luck trying to walk grandma through setting up a port forward on her router.
Oh dear. A stunning failure of another Firefox product which was hyped to hot air: [0]
Looks like Mozilla really needs to find something to actually be more competitive than their current offerings of 'VPNs', 'File Sharing' and 'Web Browsers'.
I mean, Send was probably the non-browser product that was useful and solved a problem its users have (sendingfiles.xkcd), and of course they had to axe it. Meanwhile I still have to remove that stupid little Pocket icon every time I do a fresh upgrade
Hahahaha. I have always thought this looked like a great product but never really had a need for it.
I had a file slightly too large to email last night and thought I'd try FF Send for the first time ever, only to be greeted with `Service Unavailable`.
It's a real bummer this is going away, and I hope this isn't a sign of more to come.
Hows firefox doing these days?
I've not really used it since it used to run out of memory every few hours, did try it again after they rewrote everything but it was really buggy with half the sites I frequent not working.
Check your extensions and privacy settings. Firefox is more aggressive in blocking trackers and that does break some authentication flows that involve trackers. You can always disable some of those protections to get the website to work, though I haven't had to do that in ages.
Other than that, Firefox on the Mac is consistently easier on the fans than Chrome, and unlike Chrome, I almost never get runaway processes.
Web pages are also as snappy as Chrome. If a page feels slow, I often open it in Chrome to compare, just out of curiosity. It used to be that Chrome would struggle less with these pages, but FF seems to have caught up in the past year or so.
Pro-tip: if you have uBlock Origin installed, disable all other extensions that are using EasyList, because they undermine uBO and visibly slow down the page. In Chrome too.
N.b Firefox’s built in tracking protections don’t interfere.
I've never had any such problems in my life with FF... not even when opening over a thousand tabs (of course not all active at the same time, lol)...
sux they removed actually useful extention format, but otherwise it's great, even if it's only on google's and cloudflare's life support, pretty much...
Tragically I installed it recently on mac and it "froze up" after awhile. Chrome never freezes for me. I like FF but dislike instability. Maybe it's just me...
The desktop version is fine. The mobile one they recently decided to blow up with an ill-advised switch to a new architecture. In the process they have pretty much ruined the UI for no good or apparent reason, and have neutered key selling points like the addon support by only allowing the installation of pre-approved addons. The app is borderline unusable now. I truly do wonder who signed off on this, because this may very well be one of the worst redesigns of any peice of software ever.
Could you explain what you mean by this? Firefox does have profiles, and more than one can be active at a time. (There's also the newer containers feature which allows further compartmentalization.)
Chrome style profiles that are a 1st class feature; that isn't accessed with a secret url, doesn't require multiple instances of Firefox in my dock, can be toggled between profiles easily, can be easily identified with a icon in the top corner of the browser.
I heavily use the firefox containers feature which is awesome.
> that isn't accessed with a secret url, doesn't require multiple instances of Firefox in my dock, can be toggled between profiles easily
I think Firefox can do at least these three. You can permanently enable the profile manager on application startup (it's not in an about: page). You can also make shortcuts on your desktop / taskbar / etc directly to a profile with "firefox -p ProfileName". All Firefox instances are grouped into the same icon on the taskbar for me (Linux / KDE).
Granted, it could certainly be more user friendly, but it's proved rock solid for me for years now.
Interesting. I thought it was discontinued due to malware and hackers using it. I wonder if they were ever able to successfully mitigate these threats with an encrypted file sharing service. If they did, the community ought to know so other projects in the future can learn from Mozilla's efforts.
I run a similar project like this, I have for the last 8 years, it's pretty bare bones but you can build on top of it: https://github.com/abemassry/wsend
> Unfortunately, some abusive users were beginning to use Send to ship malware and conduct spear phishing attacks. This summer we took Firefox Send offline to address this challenge.
Mozilla sucks at software. They are prescriptive, and always changing. They practice the worst of open source (give today, take tomorrow, user no choice, auto-updates), and they cannot keep up with enterprise in their own domain.
