Pale Moon

Note: This article is outdated. Here is the updated version.

Pale Moon is a fork of an old Firefox version, before the user interface change that put off many people. But is it a worthy alternative to FF in terms of privacy? Versions 27.7.2 and 28.1.0 were both tested for this article.

Spyware Level: Medium

After following the mitigation guide, this software is Not Spyware.

Connects to a MASSIVE amount of trackers, and these requests can only be avoided on subsequent runs. Has geolocation, search suggestions, and auto-updates. Sends SSL certificates from the sites you visit. Together made 169 unsolicited requests upon my first run of it, but again, most of them can be avoided on subsequent runs. Pale Moon, in the end, has less privacy issues than Firefox, aside from its terrible start page, so the rating is Medium.

First run

If this is your first run of Pale Moon, it will automatically connect to its first run webpage (http://palemoon.org/firstrun.html), which in turn will make a bunch of requests for location-aware Google Ads.

Pale Moon's start page

By default, Pale Moon's start page is set to https://palemoon.start.me, and it will automatically make a connection to it upon its first run. That page will then (again) make a bunch of requests for various trackers - here is a list:

Google Ads (location-aware)
Facebook (so if you're logged in, they know who you are)
Quantserve ("Quantcast is an American technology company, founded in 2006, that specializes in audience measurement and real-time advertising.")
Amazon Ads
Criteo ("Criteo is a personalized retargeting company that works with Internet retailers to serve personalized online display advertisements to consumers who have previously visited the advertiser's website.")
Scorecardresearch ("ScorecardResearch conducts research by collecting Internet web browsing data and then uses that data to help show how people use the Internet")
HubSpot ("HubSpot is an inbound marketing and sales platform that helps companies attract visitors, convert leads, and close customers.")
Alexa Metrics
Twitter Ads and Analytics
A few others

All these requests contain the Pale Moon start page referrer, so they know where you came from. They also all set uniquely idenfifying cookies, so if you come across another website with these trackers included, they will know you're the person from the Pale Moon's start page, and could start building a profile from your browsing habits. You can easily delete the cookies and change the start page so that it never appears again, but there is no way to avoid the requests being made upon Pale Moon's first run.

Blocking privacy-enhancing addons

Pale Moon blocks privacy enhancing addons like noscript, citing this rationale for blocking such an imporant addon: "NoScript is known to cause severe issues with a large (and growing) number of websites. Unless finely tuned for every website visited, NoScript will cause display issues and functional issues. "^[1] So, it looks like Pale Moon's developers are actively working against the intrests of its privacy-concerned users, and would rather allow websites to execute malicious ECMAScript programs on unsuspecting user's machines, than to be blamed for a broken website. To disable this blocklist, set extensions.blocklist.enabled to false in about:config.

Auto-updates

Pale Moon will automatically update itself, addons and search engines, as well as its blocklist.xml file with the addons it considers "malicious". Some of these can be turned off from the GUI, and some only from about:config.

Search Suggestions

The default search engine is the privacy-respecting DuckDuckGo, however search suggestions are enabled by default, which could send a request for every letter you've typed, all while you think it stays in-browser until you press Enter. Can be turned off by right-clicking the search bar.

Geolocation

Pale Moon connects to Mozilla's geolocation services.

OCSP querying

Will automatically check every site's SSL certificate to see if it is valid, which necessitates sending it to a third party. Can be turned off from the GUI.

Sources

1. This Add-on to your browser has been blocked or disabled. [web.archive.org] [archive.is]

Credits

This article was written by digdeeper.neocities.org
Formatting changes and some sections were written by the site maintainer.

This article was created on 6/7/2018
This article was last updated on 10/14/2018

If you want to edit this article, or contribute your own article(s), contact us on XMPP over in spyware@conference.nuegia.net, or visit us at the git repo on Codeberg. All contributions must be licensed under the CC0 liscence to be accepted.

Back to catalog