Pale Moon is a fork of an old <a href="../articles/firefox.html">Firefox</a> version, before the user interface change that put off many people. But is it a worthy alternative to FF in terms of privacy? Versions 27.7.2 and 28.1.0 were both tested for this article.
Connects to a MASSIVE amount of trackers, and these requests can <b>only be avoided on subsequent runs</b>. Has geolocation, search suggestions, and auto-updates. Sends SSL certificates from the sites you visit. Together made 169 unsolicited requests upon my first run of it, but again, most of them can be avoided on subsequent runs. Pale Moon, in the end, has fewer privacy issues than Firefox, aside from its terrible start page, so the rating is Medium.
</p>
<h3>First run</h3>
<p>
If this is your first run of Pale Moon, it will automatically connect to its first run webpage (http://palemoon.org/firstrun.html), which in turn will make a bunch of requests for location-aware Google Ads.
By default, Pale Moon's start page is set to https://palemoon.start.me, and it will automatically make a connection to it upon its first run. That page will then (again) make a bunch of requests for various trackers — here is a list:
<ul>
<li>Facebook (so if you're logged in, they know who you are)</li>
<li>Quantserve ("Quantcast is an American technology company, founded in 2006, that specializes in audience measurement and real-time advertising.")</li>
<li>Amazon Ads</li>
<li>Criteo ("Criteo is a personalized retargeting company that works with Internet retailers to serve personalized online display advertisements to consumers who have previously visited the advertiser's website.")</li>
<li>Scorecardresearch ("ScorecardResearch conducts research by collecting Internet web browsing data and then uses that data to help show how people use the Internet")</li>
<li>HubSpot ("HubSpot is an inbound marketing and sales platform that helps companies attract visitors, convert leads, and close customers.")</li>
</ul>
All these requests contain the Pale Moon start page referrer, so they know where you came from. They also all set uniquely identifying cookies, so if you come across another website with these trackers included, they will know you're the person from Pale Moon's start page, and could start building a profile from your browsing habits. You can easily delete the cookies and change the start page so that it never appears again, but <b>there is no way to avoid the requests being made upon Pale Moon's first run.</b>
blocking such an important addon: <i>"NoScript is known to cause severe issues with a large (and growing) number of websites. Unless finely tuned for every website visited,
NoScript will cause display issues and functional issues."</i><sup><a href="#1">[1]</a></sup> So, it looks like Pale Moon's developers are actively working against the interests of its
privacy-concerned users, and would rather allow websites to execute malicious ECMAScript programs on unsuspecting users' machines than be blamed for a broken website.
<b><font color=yellow>To disable this blocklist, set extensions.blocklist.enabled to false in about:config.</font></b>
</p>
<h3>Auto-updates</h3>
<p>
Pale Moon will automatically update itself, addons and search engines, as well as its blocklist.xml file with the addons it considers "malicious". Some of these can be turned off from the GUI, and some only from about:config.
</p>
<h3>Search Suggestions</h3>
<p>The default search engine is the privacy-respecting DuckDuckGo; however, search suggestions are enabled by default, which could send a request for every letter you've typed, all while you think it stays in-browser until you press Enter. Can be turned off by right-clicking the search bar.
</p>
<h3>Geolocation</h3>
<p>Pale Moon connects to Mozilla's geolocation services.</p>
<h3>OCSP querying</h3>
<p>Will automatically check every site's SSL certificate to see if it is valid, which necessitates sending it to a third party. Can be turned off from the GUI.</p>
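<p>An added example, not part of the original article or of Pale Moon's own code: a small audit that reads a profile's user.js or prefs.js text and reports which of the features listed above are not switched off. Only extensions.blocklist.enabled is named in this article; the other preference names are the Firefox-lineage ones and are assumed to apply to the tested Pale Moon versions.</p>

```python
import re

# Value of each pref that stops the background request. Only the first name
# appears in the article; the rest are assumed Firefox-lineage pref names.
QUIET = {
    "extensions.blocklist.enabled": False,    # blocklist.xml fetches
    "app.update.enabled": False,              # browser auto-update
    "extensions.update.enabled": False,       # addon auto-update
    "browser.search.update": False,           # search engine auto-update
    "browser.search.suggest.enabled": False,  # per-keystroke suggestions
    "geo.enabled": False,                     # geolocation service
    "security.OCSP.enabled": 0,               # OCSP lookups (integer pref)
}
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict of typed values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comment or blank line
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """Return {pref: reason} for every audited pref not at its quiet value."""
    prefs, findings = parse_prefs(text), {}
    for name, want in QUIET.items():
        if name not in prefs:
            findings[name] = "not set (browser default applies)"
        # The type check catches a boolean written into an integer pref.
        elif prefs[name] != want or type(prefs[name]) is not type(want):
            findings[name] = f"set to {prefs[name]!r}, expected {want!r}"
    return findings

# Constructed sample, not taken from a real profile.
SAMPLE = '''
user_pref("extensions.blocklist.enabled", false);
user_pref("browser.search.suggest.enabled", true);
user_pref("security.OCSP.enabled", 0);
user_pref("browser.startup.homepage", "about:blank");
'''
```

<p>Calling audit() on the text of a profile's user.js returns an empty dict once every listed pref is set to its quiet value.</p>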