Kelson Reviews Stuff - Page 12

I was surprised to find that NetSurf is still around and being developed! It’s another independent browser like Dillo that goes waaaay back (as you might guess from its website), but never caught on outside a small niche.

It is, however, fast and light – and while it doesn’t support the full range of website capabilities that a modern Chromium, Gecko or WebKit browser does, it’s got some minimal JavaScript support (off by default) and can handle enough CSS to display older websites and sites that aren’t too complex. (And unlike Dillo, it seems to handle emoji consistently on Linux!)

For the most part, sites that are still mainly documents tend to be readable at least (even if they don’t look right), while sites that are mainly applications…well, I can’t even log into Nextcloud, Dropbox, or GMail even after enabling JavaScript. I can log into Wallabag and read saved articles, but can’t add new ones. Flickr confuses it terribly, and it doesn’t even know where to start with OpenStreetMap. My WordPress/ClassicPress theme (SemPress) displays fine, but I can’t log into the dashboard.

Ironically, I couldn’t sign up for the NetSurf users mailing list using NetSurf. The list provider thought I was a bot!

There are a few incomplete features that can be frustrating. For example, you can edit the name of a bookmark, but I haven’t found a way to edit where it points to. I was really hoping I could use bookmarklets for a few things since there aren’t any extensions.

Overall it’s a little more capable than Dillo, but a bit slower. Either would be good to keep on hand for low-spec hardware, with a more “mainstream” browser when you need it. (Falkon’s a good choice, since it’s light for a Chromium browser and available on most of the same platforms.)

The web would be more usable overall if more developers tested their sites in a browser like this one.

Availability

NetSurf started out on RISC-OS, and the ports to Linux/Unix, AmigaOS and Haiku are all active, though the Haiku port is missing a few features like being able to change settings (which means you can’t turn on JavaScript). Debian still includes it in their native repository, and there’s a Flatpak with the latest version for other Linux distros.

Customized Firefox, with an eye toward security and privacy. Follows the stable release channel so it’s usually up to date. (Waterfox follows the extended-support releases.) Differences seem to mostly be in default settings (like clearing site data when you close the browser), pre-installed uBlock Origin, plus some security hardening: primarily disabling or altering features that can leak data usable to identify your browser.

Upside: better privacy! From what I can tell, LibreWolf and Brave are comparable in terms of browsing privacy, but of course LibreWolf doesn’t have Brave’s crypto, ads and AI bloat.

Downside: Sites that rely on, say, WebGL, or DRM’d video, or reading Canvas, may not work right (or at all). I’ve only had trouble so far with Panoramax (which needs WebGL) and uploading to Flickr (which might be a Flatpak thing since it also happens with Waterfox). I do find it annoying that anti-fingerprinting blocks auto-switching between light and dark mode. (It’s also worth considering your threat model and the fact that small projects still depend on Mozilla for finding and fixing vulnerabilities, and not all the documentation has been updated to refer or link to LibreWolf.)

Otherwise the experience is very much like using Firefox.

Sync and Extensions

LibreWolf can sync settings and bookmarks through Firefox Sync. That seems like a weird choice for a privacy-focused fork, but the data is encrypted before uploading, so Mozilla shouldn’t be able to read your sync data even if they wanted to. Though if you use other Firefox-based browsers and sync through the same account, you might end up with a weird mix of settings. I already use Floccus (which lets you bring your own storage) to sync bookmarks with other browsers (including Chromium ones), and it works just fine on here.

LibreWolf is compatible with all Firefox Add-ons, but they recommend just installing a password manager and nothing else. Extensions can increase your attack surface, and sites can look for specific add-ons and use the list of which ones they find to identify you.

As for password managers, they recommend KeePassXC-Browser or BitWarden. I use KeePassXC, but it takes a little effort to get it working with KeePassXC-Browser. I’ve been able to get natively-installed packages on Linux and macOS to talk to KeePass just by linking the user config files mentioned there. But Flatpak makes it more complicated, and I haven’t managed to get it to work yet.

Availability and Updates

Windows has an installer with an optional auto-updater.

For macOS they actually recommend HomeBrew. (There’s a disk image too, but it doesn’t auto-update.) Even then, you need to add --no-quarantine when installing or upgrading the cask, or else the system will decide the new version is “damaged” and refuse to run it. (It’s a small team, and the app isn’t signed with a paid Apple Developer account.) Yes, this does limit the audience that might want to run LibreWolf on macOS to those who are also comfortable with installing and running an extra command-line based package manager.

For Linux they have a few repositories you can add for systems based on Fedora, Debian, Arch etc., plus a Flatpak.

And it’s available for all three platforms on both Intel and ARM.

There’s no mobile version, though they recommend IronFox for Android.

This is not a review of the web browser. This is an attempt to explain, as succinctly as possible, what the controversy was, why it was a controversy, and why people might still be leery of the situation. Unfortunately, I’ve had to work mostly from memory, because a lot of it happened on the Fediverse where full-text search is also a controversial idea.

The Facts

In June-July 2024, SerenityOS head Andreas Kling stepped down to focus on Ladybird, the OS’s independent web browser. He subsequently announced a non-profit to build it into a cross-plaform alternative not dependent on the Gecko or WebKit/Blink codebases, to a great deal of appreciation from people who want a break from the Google (with a little Mozilla and Apple on the side) hegemony.

A few days later, someone pointed out an issue in SerenityOS where a new contributor offered to update the documentation to include gender-neutral language instead of always assuming the person building the project was a man. Kling rejected it with the statement: “This project is not an appropriate arena to advertise your personal politics.”

The Controversy

This stirred up a lot of discussion, much of it heated, both on the Fediverse and on GitHub, as there are a lot of people in programming whose presence in the industry – or presence in general – is considered “personal politics.” Transgender individuals especially have often seen this sort of statement used as cover for deliberately excluding them from one sphere or another.

Kling and the Ladybird project doubled down on rejecting active inclusion in the name of being “apolitical.” Others tried to explain that rejecting inclusivity is inherently a political decision.

If you’ve watched enough of these things play out, it’s usually the doubling down that causes a lasting split, more than the original disagreement.

The Policy

As of March 2025, the Ladybird contributing documentation contains the following statements regarding “neutrality”

The project will not be used as a platform to advertise or promote causes unrelated to browser development or web standards.

To maintain a focused and productive environment, discussions on societal politics and other divisive topics are discouraged in project spaces.

and “bad-faith contributions and brigading”

We reserve the right to reject issues and pull requests that appear to be motivated by bad faith.

Additionally, anyone found participating in social media brigading of Ladybird will be permanently banned from the project.

The Fallout

Taken together, and combined with the fact that the pull request that set it all off was simply trying to indicate through language that the project is open to more than just men, the implication is that anyone attempting to include someone whose legal existence or safety is under attack right now by, say, the executive branch of the United States Government, should not bring up anything in the project that might be relevant to their continued existence – like say, privacy features that might be more important to them than for a team largely made up of people who don’t face the same risks.

Here’s the problem: You can say “we strive to set our differences aside and focus on the shared goal of building the browser.” But those differences can (and likely will) include some people on the team thinking other people on the team shouldn’t be alive, or shouldn’t be allowed to participate, or their concerns shouldn’t be taken as seriously based on who they are. Add the explicit promise to reject “bad faith” PRs and ban people permanently? It at least looks like exactly what people were worried about in the first place:

Using the language of neutrality to keep people out.

Brave advertises itself as a privacy-focused browser, but for every cool privacy feature I look at there’s a reminder of how deeply enmeshed it is in the exploitative venture capital side of Silicon Valley, with cryptocurrency features and a core business model that blocks ads on websites and replaces them with its own ads.

So I’ve never really trusted Brave, looking at them with the same kind of skepticism as post-acquisition Opera. But I figured since I’m evaluating (or re-evaluating) a bunch of other browsers, I should upgrade my skeptical opinion to an informed one.

On first run it showed me an ad for a bitcoin credit card.

So there’s that.

Moving on. It also wanted me to opt into a “web discovery project” that would share anonymous search activity to help build up their index. To me it seems like the kind of thing that could be de-anonymized with a little context, but at least it’s opt-in.

I remembered reading that they’d added IPFS support to the browser a while back, which I thought was a good idea. I’ve experimented with it from time to time using an extension with Firefox and Vivaldi, and wanted to try it out in a browser with native support. It turns out Brave just removed IPFS in the second half of 2024. But hey, it’ll still detect NFTs!

As for privacy: it comes with an ad blocker and a bunch of anti-fingerprinting measures (comparable to those in LibreWolf). It can use placeholders for embedded posts like Privacy Badger does, but only supports Facebook, X and LinkedIn. Its sync service uses a single client-side key (in the form of a long pass phrase) instead of an account. There’s also a Tor mode, which is nice if you don’t want to download yet another browser to access onion sites, though it’s still not as private as the official Tor Browser.

But I don’t need a crypto wallet or an AI chatbot built into the browser, and things like Brave Rewards and the Basic Attention Token are basically letting Brave track you itself instead of the sites you visit. And they’ve been known to claim they’ll pay creators who hadn’t actually signed up, and silently add affiliate codes to links using autocomplete. Even some of its fans are complaining about bloat and increased attack surface. (That’s not even getting into the CEO’s unpleasant parting with Mozilla.)

The upshot is that while it does seem the browser is a bit tighter, privacy-wise, than LibreWolf where the sites I visit are concerned…I don’t trust the rest of the application. So now it’s my informed opinion that it’s comparable to post-acquisition Opera. For now I’m sticking with Vivaldi for Chromium compatibility, LibreWolf for a little more privacy, and when I want to use Tor, I’ll just use Tor.

Software developer Brendan Eich invented JavaScript while working on Netscape, and went on to co-found Mozilla. In 2014 he was promoted to CEO, and within days people pointed out that he had made a large-sum donation to the campaign for California’s anti-marriage-equality Proposition 8 in 2008.

A fierce debate ensued as to whether he should be trusted to handle teams that might include people whose lives had been impacted by that campaign – the proposition had passed (though it would later be overturned by the courts, and in 2024 voters elected to repeal it outright and replace it with a clause affirming marriage rights). He resigned after less than two weeks, and not long after co-founded Brave Software.

Legacy

Now, in 2025, barely a week out from the Firefox ToS debacle and looking back at Mozilla over the past decade, I see this episode as a turning point.

• They lost the trust of people who were alarmed to see him promoted.
• They lost the trust of people who were alarmed to see him resign.
• They lost his technical skills.

It’s easy to imagine an alternate timeline in which they put a little more effort into choosing a new CEO, promoted into leadership someone who hadn’t actively campaigned against civil rights, and kept Eich on in a technical role.

Maybe Mozilla would have held onto more support in 2014. Maybe Firefox would have gotten some of the features Brave experimented with. Maybe they would have spent less on C-suite salaries and more on development. And sure, maybe Eich would still have left at some point to build a “Web3” browser, but without the bad blood from the split as it happened here.

And while Brave in our reality launched as an ad company masquerading as a browser company, and Mozilla has turned itself into one over the last couple of years, it’s also easy to imagine a world in which Mozilla didn’t spend the last decade chasing every last trend that might turn up an alternative revenue stream, and instead focused on making the browser as good as possible.

Or maybe it would have played out largely the same, just at a different speed. It’s impossible to know for sure.