this post was submitted on 23 Mar 2025
I agree, it also has some serious security issues: https://github.com/zen-browser/desktop/pull/927
The developer's comment reveals that it has been there since the inception of the project. And there are even more privacy / security issues mentioned in the comments.
Unfortunately Zen browser gets a big fat no from me. 🫤
It's not a backdoor, it just enabled Firefox's remote debugging tool by default, which is necessary if you want to modify the chrome of the browser on your own computer.
At the time it was in one of its first alphas, sure it was naive to ship a browser with it enabled because it was convenient for development, but it was fixed 1 week after the issue was raised, and has been for months.
They use the release candidate to test upcoming Firefox releases and see if it breaks anything, to be able to ship the update on the same day as FF (just like the majority of other forks do). None of the patches they make require extra telemetry except for their "mod" system. Most of the criticism Zen gets about "security" applies to every browser except LibreWolf and Tor. Zen is as secure as Firefox is.
All this is coming from someone who doesn't use Zen, as my workflow is constantly broken by their UI changes and bugs (which is the main problem with the browser).
Just? I'm sorry but that's just a terrible mistake to make, especially for a browser that people use to surf the world wild web. I don't know if you've ever used a remote debugger (I have), but depending on the debugger, it can be a very powerful tool, you can do a lot of things with it. I don't think calling it a backdoor is a massive exaggeration. I don't doubt the developer's good intention, but this issue shouldn't be dismissed as an insignificant issue.
To add insult to injury, it didn't even prompt the user for it.
Unless you tweak the default Firefox settings in the code base, e.g. https://github.com/zen-browser/desktop/blob/dev/src/browser/app/profile/zen-browser.js#L258 (allow unsigned extensions by default).
xpinstall.signature.required was set back to true, seems like complaining works well
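A check for the settings argued about in this thread, as an added example that is not code from the Zen project or from any commenter: it reads a Firefox-style default prefs file and reports the debugging and extension-signing prefs whose values differ from what is assumed here to be Firefox's release defaults. The pref names are real Firefox prefs; `EXPECTED`, `parsePrefs`, `auditPrefs` and the sample input are constructed for illustration.

```javascript
// Expected values: assumed Firefox release defaults for prefs tied to this thread.
const EXPECTED = {
  "devtools.debugger.remote-enabled": false,   // remote debugging server off
  "devtools.debugger.prompt-connection": true, // ask before a debugger attaches
  "xpinstall.signature.required": true,        // reject unsigned extensions
};

// Matches one-line pref("name", value); or user_pref(...). Lines starting with
// "//" do not match; block comments are not parsed.
const PREF_RE = /^\s*(?:user_)?pref\(\s*(["'])(.+?)\1\s*,\s*(.+?)\s*\)\s*;/;

function parsePrefs(text) {
  const prefs = new Map();
  text.split(/\r?\n/).forEach((line, i) => {
    const m = PREF_RE.exec(line);
    if (!m) return;
    let value = m[3];
    if (value === "true" || value === "false") value = value === "true";
    else if (/^-?\d+$/.test(value)) value = Number(value);
    else value = value.replace(/^["']|["']$/g, "");
    prefs.set(m[2], { value, line: i + 1 }); // a later line overrides an earlier one
  });
  return prefs;
}

function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [name, expected] of Object.entries(EXPECTED)) {
    const hit = prefs.get(name);
    if (hit && hit.value !== expected) {
      findings.push({ name, line: hit.line, value: hit.value, expected });
    }
  }
  return findings;
}

// Constructed sample input, not the contents of any real project's file.
const SAMPLE = [
  '// pref("devtools.debugger.remote-enabled", false);',
  'pref("devtools.debugger.remote-enabled", true);',
  'pref("devtools.debugger.prompt-connection", false);',
  'pref("xpinstall.signature.required", false);',
  'pref("xpinstall.signature.required", true); // later override',
  'pref("browser.tabs.warnOnClose", false);',
].join("\n");

for (const f of auditPrefs(SAMPLE)) {
  console.log(`line ${f.line}: ${f.name} = ${f.value} (expected ${f.expected})`);
}
```

Run against a fork's own prefs file in CI, a non-empty result is a reason to fail the build until the deviation is justified.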