Disable 'safebrowsing' by default,

[Moritz Naumann]

Hi,

first of all, I'd likes my deep appreciation for the work you spent in
forking this web browser and in maintaining the source and Debian binary
packages for it.

$ dpkg -l iceweasel | grep ^ii
ii  iceweasel      2.0.0.1+dfsg-2 lightweight web browser based on Mozilla

I'd like to recommend to change the default setting for
browser.safebrowsing.enabled (defaults to 'true') in future releases.
As, with it activated by default, it makes IceWeasel regularly connect
to URLs such as

http://sb.google.com/safebrowsing/update?client=navclient-auto-ffox2.0.0.1&mozver=1.8.1.1-2006120502&version=goog-white-domain:1:19,goog-white-url:1:371,goog-black-url:1:8576,goog-black-enchash:1:18099


which means that your web browser 'phones home' and tells Google more
than they need to know about you, such as when a user on a certain IP
address started her web browsing session, which firefox version she was
using and possibly more. Also, future content on this URL cannot be
predicted (ok, it's Google, they want to stay big and can't afford bad
press, but still...). Whether or not Google is evil doesn't matter, what
matters is that it's never good to give too much power into a single
hand. This, however, is done by having every single installation of a
software connect to a given fixed URL on startup.

In future versions, I consider it desirable to, if licensing terms
allow, add a single copy of the malicious sites list to the IceWeasel
distribution and to offer (through debconf or similar) the user to
optionally use this list (which will get outdated, but is better than
nothing).

I also very much recommend to make the description text in the IceWeasel
preferecnes say "Check against a regularly updated (background) list of
suspected sites" instead of "Check using a downloaded list of suspected
sites" which it currently says, and which could be misunderstood as a
one time download.

Personally, in the long run, I would very much prefer a completely
non-trademarked web browser which, to me, also means removing all the
google service references found in the source code, or making them
optional and inactive by default at least. I'm referring to the address
bar 'i feel lucky search' type of things. Also, removing all or all
commercial search engines off the search box by default (but providing
an option to easily add them later) would be much nicer way in my opinion.

On another note, the "search as you type" function, while it works well
for searching text on the current page, won't display any buttons (the
"find next" etc.) when it is first triggered (by typing some characters)
on a newly loaded web page.

I'm not currently subscribed to the mailing list, please CC me or
contact me directly if needed.

Thanks for reading,

Moritz