Is Pale Moon Safe?

george9559

Is Pale Moon Safe?

Unread post by george9559 » 2021-03-24, 11:57

Hello

I recently downloaded Pale Moon to replace Google Chrome. I know it's based on Firefox, even though its layout is that of the really old builds. Anyway, I went to about: and it showed me that it's based on Firefox 68.0, which is from July 9th 2019, and when I go to the Firefox release notes, it says to update my browser, meaning Pale Moon uses a year-and-a-half-old build while the latest Firefox is 86.0.1. Is it still safe to use even though it uses an old build of Firefox? Please let me know.

Thanks
-George.

therube
Board Warrior
Posts: 1651
Joined: 2018-06-08, 17:02

Re: Is Pale Moon Safe?

Unread post by therube » 2021-03-24, 15:06

This is rumor control, here are the facts - Summer 2019 edition
Rumor: "Pale Moon is just a rebranded rebuild of an old Firefox version"
Rumor: "Pale Moon is an obsolete and insecure version of Firefox"
Rumor: "Pale Moon is based on old and unmaintained code"
Rumor: "Pale Moon is based on Firefox 28/38/52/56 (or just "an old Firefox version")" ...

vannilla
Moon Magic practitioner
Posts: 2193
Joined: 2018-05-05, 13:29

Re: Is Pale Moon Safe?

Unread post by vannilla » 2021-03-24, 15:29

Is Pale Moon safe?
It is, yes.
In fact, no outstanding exploit has been disclosed during the past year, unlike Firefox or Chrome.
Yes, I know that that doesn't mean much... but then again, the proponents of the "old and insecure" meme failed to provide real proof of lack of security over the years.

Pentium4User
Board Warrior
Posts: 1132
Joined: 2019-04-24, 09:38

Re: Is Pale Moon Safe?

Unread post by Pentium4User » 2021-03-24, 15:30

about: shows the User agent string that contains FF 68. Is that what you mean?
Bildschirmfoto vom 2021-03-24 16-29-44.png
The profile picture shows my Maico EC30 E ceiling fan.

Pentium4User
Board Warrior
Posts: 1132
Joined: 2019-04-24, 09:38

Re: Is Pale Moon Safe?

Unread post by Pentium4User » 2021-03-24, 15:35

vannilla wrote:
2021-03-24, 15:29
Is Pale Moon safe?
In fact, no outstanding exploit has been disclosed during the past year, unlike Firefox or Chrome.
I also think it is secure, but I also believe (don't know) that because of the market share it isn't so interesting for security analysis.

Tharthan
Board Warrior
Posts: 1411
Joined: 2019-05-20, 20:07
Location: New England

Re: Is Pale Moon Safe?

Unread post by Tharthan » 2021-03-24, 17:33

george9559, Pale Moon was forked from Firefox back in 2009.

It has been a separate browser for a long time now.

Where on Earth did you get the idea that Pale Moon is just a rebranded old and insecure version of Firefox? Whoever told you that is lying to you.
"This is a war against individuality and intelligence. Only thing we can do is stand strong." adesh, 9 January 2020

"I used to think I was a grumpy old man, but I don't hold a candle compared to Tharthan." Cassette, 9 September 2020

New Tobin Paradigm

Re: Is Pale Moon Safe?

Unread post by New Tobin Paradigm » 2021-03-24, 17:36

Please, before you try and simplify history, actually READ https://www.palemoon.org/history.shtml.

Tharthan
Board Warrior
Posts: 1411
Joined: 2019-05-20, 20:07
Location: New England

Re: Is Pale Moon Safe?

Unread post by Tharthan » 2021-03-24, 17:38

Off-topic:
I get that the details are significantly more complicated than I laid out, but I am sure that you would agree that this whole "Is Pale Moon just a rebranded old and insecure Firefox version?" nonsense that people are still somehow being told is incredibly annoying, and (if people take it seriously) can damage public perception of the browser.

george9559

Re: Is Pale Moon Safe?

Unread post by george9559 » 2021-03-24, 17:56

Tharthan wrote:
2021-03-24, 17:33
george9559, Pale Moon was forked from Firefox back in 2009.

It has been a separate browser for a long time now.

Where on Earth did you get the idea that Pale Moon is just a rebranded old and insecure version of Firefox? Whoever told you that is lying to you.
Nah, no one did. It's just that on about: it said that its Firefox client was 68.0 when the latest is 86.0.1, and they say that older browsers are more unsafe, and it's true, because one time I logged in on my stuff on my Windows XP VM in 2017 and then two months later one of my accounts got compromised out of nowhere, and I'm glad that idiot did not change the email and I successfully reset it.

george9559

Re: Is Pale Moon Safe?

Unread post by george9559 » 2021-03-24, 17:58

Pentium4User wrote:
2021-03-24, 15:30
about: shows the User agent string that contains FF 68. Is that what you mean?
Bildschirmfoto vom 2021-03-24 16-29-44.png
yes

New Tobin Paradigm

Re: Is Pale Moon Safe?

Unread post by New Tobin Paradigm » 2021-03-24, 18:12

Off-topic:
That ship sailed a long time ago. Best to just link it. It is important to understand WHAT it actually is.

disconect

Re: Is Pale Moon Safe?

Unread post by disconect » 2021-03-24, 19:36

george9559 wrote:
2021-03-24, 11:57
I recently downloaded Pale Moon to replace Google Chrome. I know it's based on Firefox, even though its layout is that of the really old builds. Anyway, I went to about: and it showed me that it's based on Firefox 68.0, which is from July 9th 2019, and when I go to the Firefox release notes, it says to update my browser, meaning Pale Moon uses a year-and-a-half-old build while the latest Firefox is 86.0.1. Is it still safe to use even though it uses an old build of Firefox? Please let me know.
I think you are referring to the User Agent string, which references Firefox version 68. On my Pale Moon installation, I have the following User Agent string from the about: screen:

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Goanna/4.8 Firefox/68.0 PaleMoon/29.1.0

As I understand it, Pale Moon doesn't actually have anything to do with Firefox version 68. That is only put there so that websites that you visit see it and will think that you are using Firefox. They look at that string, some of them have different Firefox and Chrome versions. So, Pale Moon is generally compatible with Firefox, so Pale Moon sort of "tricks" the website into thinking that we are using Firefox version 68, although that isn't true at all. As was explained by others, Pale Moon separated from Firefox a long time before version 68 and is a totally separate browser now. I hope that helps! :)
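
The point made in the post above, as an added example that is not part of the original thread: a version check that trusts the `Firefox/` token reports Pale Moon as Firefox 68, while reading all product tokens finds the product actually running. The function names, the token sets and the second sample string are assumptions of this example; the first string is the one quoted in the post.

```javascript
// Sample UAs: the first is quoted in the post above, the second is
// constructed for comparison.
const PALE_MOON_UA =
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Goanna/4.8 Firefox/68.0 PaleMoon/29.1.0";
const FIREFOX_UA =
  "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0";

// Tokens treated as engine or compatibility markers rather than the
// browser itself (assumption of this example, Firefox-family UAs only).
const ENGINE_TOKENS = new Set(["Gecko", "Goanna"]);
const COMPAT_TOKENS = new Set(["Mozilla", "Firefox"]);

// Split a UA into "Name/Version" product tokens, ignoring "(...)" comments.
function parseProducts(ua) {
  const stripped = ua.replace(/\([^)]*\)/g, " ");
  return [...stripped.matchAll(/([A-Za-z][\w.-]*)\/(\S+)/g)]
    .map((m) => ({ name: m[1], version: m[2] }));
}

// Naive check: trusts the Firefox token, so Pale Moon looks like Firefox 68.
function naiveBrowser(ua) {
  const m = /Firefox\/(\d+)/.exec(ua);
  return m ? { name: "Firefox", major: Number(m[1]) } : null;
}

// Better: the last token that is neither an engine nor a compatibility
// marker names the real product; Firefox counts only if nothing else does.
function identifyBrowser(ua) {
  const products = parseProducts(ua);
  const specific = products.filter(
    (p) => !ENGINE_TOKENS.has(p.name) && !COMPAT_TOKENS.has(p.name));
  const engine = products.filter((p) => ENGINE_TOKENS.has(p.name)).pop() || null;
  const chosen = specific.pop() ||
    products.find((p) => p.name === "Firefox") || null;
  return {
    browser: chosen ? chosen.name : "unknown",
    version: chosen ? chosen.version : null,
    engine: engine ? `${engine.name}/${engine.version}` : null,
    // True when a Firefox token is present but another product is running.
    firefoxIsCompatToken: Boolean(chosen && chosen.name !== "Firefox" &&
      products.some((p) => p.name === "Firefox")),
  };
}
```

Inventory or log-analysis tooling that flags outdated browsers should key on the result of something like `identifyBrowser`, not on the `Firefox/` number alone.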

Stronerstron32

Re: Is Pale Moon Safe?

Unread post by Stronerstron32 » 2021-03-30, 16:21

I want to believe it's completely safe for usage.

Tharthan
Board Warrior
Posts: 1411
Joined: 2019-05-20, 20:07
Location: New England

Re: Is Pale Moon Safe?

Unread post by Tharthan » 2021-04-02, 12:13

Well, it is, Stronerstron32. I don't know what the holdup is here.

george9559 wrote:
2021-03-24, 17:56
it said that its firefox client was 68.0 when latest is 86.0.1
You're misunderstanding something.

As disconect noted above, for certain websites that discriminate against browsers other than Firefox and Google Chrome, Pale Moon has a user agent override that tricks the sites into thinking that it is Mozilla Firefox, even though it isn't. That is what it was that you were looking at.

Pale Moon itself is not Mozilla Firefox, however. That number used for that has nothing to do with Pale Moon.

Pale Moon is currently on version 29.1.1.

jobbautista9
Keeps coming back
Posts: 784
Joined: 2020-11-03, 06:47
Location: Philippines

Re: Is Pale Moon Safe?

Unread post by jobbautista9 » 2021-04-02, 13:08

Stronerstron32 wrote:
2021-03-30, 16:21
I want to believe it's completely safe for usage.
Software is a tool. No tool is completely safe. Just like a knife that is used for cutting carrots and potatoes has the risk of it hurting you, you can be attacked by malicious entities while using Pale Moon. Pale Moon doesn't make any guarantees, per sections 6 and 7 of the Mozilla Public License.

However, Pale Moon should be relatively safe if you have good web browsing habits and keep your software up to date and, in case you're using Windows, have an up-to-date anti-malware scanner.

merry mimas

XUL add-ons developer. You can find a list of add-ons I manage at http://rw.rs/~job/software.html.

Mima avatar by 絵虎. Pixiv post: https://www.pixiv.net/en/artworks/15431817

jobbautista9
Keeps coming back
Posts: 784
Joined: 2020-11-03, 06:47
Location: Philippines

Re: Is Pale Moon Safe?

Unread post by jobbautista9 » 2021-04-02, 13:15

Btw, is there a reason why we still pretend to be Firefox 68 by default? 68 is no longer supported by Mozilla since August last year, so maybe we should be proactive and use 78 for the default Firefox Compatibility Mode, and create SSUAOs when we find problems.

New Tobin Paradigm

Re: Is Pale Moon Safe?

Unread post by New Tobin Paradigm » 2021-04-02, 13:18

Indeed, we get more and more secure every day because we patch all applicable Mozilla-identified vulnerabilities without opening up new ones by constantly refactoring code.

This cycle in particular had a minor security patch that applied to a bit of Basilisk localized toolkit code due to said refactoring, because the person who rewrote the chunk of code did not understand why it was written the way it was, so broke security in the process, while the older code retained in global toolkit remained secure and invulnerable in Pale Moon and other UXP Applications.

As for the Firefox UA Slice, we determine the most broadly working version number as a reactionary choice depending on evaluation of how the web acts. So for the moment, yes.

Moonraker
Board Warrior
Posts: 1878
Joined: 2015-09-30, 23:02
Location: uk.

Re: Is Pale Moon Safe?

Unread post by Moonraker » 2021-04-02, 15:46

I would say it is as safe as houses.
I have used Pale Moon for many years with no security concern to declare.
user of multiple puppy linuxes..upup,fossapup.scpup,xenialpup..... :thumbup:

Pale moon 29.4.1

Night Wing
Knows the dark side
Posts: 5172
Joined: 2011-10-03, 10:19
Location: Piney Woods of Southeast Texas, USA

Re: Is Pale Moon Safe?

Unread post by Night Wing » 2021-04-02, 16:30

When I was using Windows 7, I found Windows Pale Moon back in the summer of 2011. I liked it and made it my default browser in Windows 7. I "never" had any safety issues using Pale Moon.

When Linux Pale Moon was first released to the public back in January of 2014, I started using it in Linux Mint and I'm still using Linux Pale Moon in Mint to this day.

Keep in mind I'm not a power user either. Just a non-technical user who has never had any safety issues in Windows 7 and now in Linux Mint (or any other Linux distro I experiment with).
Linux Mint 21.3 (Virginia) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox
MX Linux 23.2 (Libretto) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox
Linux Debian 12.5 (Bookworm) Xfce w/ Linux Pale Moon, Linux Waterfox, Linux SeaLion, Linux Firefox

Keirnoth
Hobby Astronomer
Posts: 16
Joined: 2013-10-04, 10:31
Location: US

Re: Is Pale Moon Safe?

Unread post by Keirnoth » 2021-04-02, 20:29

Pale Moon looks like older FF, but the Pale Moon devs follow and implement security fixes from the ESR. If you understand how the ESR works, the ESR is a feature frozen version of Firefox, but it still gets security fixes, but what's great about the Pale Moon dev team is that they're very *proactive* in identifying things before they happen.

In fact, Pale Moon IMO is safer than Firefox because the dev takes proactive measures to remove unnecessary/largely unused features that could result in giant security vulnerabilities - i.e. stuff that's been "leftover" from older versions of Firefox that they may have removed from the front end for the common user/web dev but is still hanging around and could potentially be a backdoor for security vulnerabilities.

They also implement "DiD" (Defense in Depth) fixes that are more or less their version of applying a fix on something they may think would be exploited in the future. It's part of the reason why despite the issues I have with certain poorly coded websites (Twitter, Facebook, etc) I still use it as my daily driver.

If you want an example of why you should use Pale Moon as your daily driver - I vaguely remember that there was a huge security exploit that affected FF, Chrome, and what was then Internet Explorer, but PM was already hardened against it because of their proactive dev cycle. I'm trying to remember what the exploit is, but I believe it was in the news either last year or the year before then, and I remember going directly to the PM frontpage to see an announcement about it and the devs proudly stating that they already took care of it a long time ago.

Take note the PM team is smaller than these well funded organizations, so that should tell you something about PM's security over other browsers.
