Why You Shouldn’t Use Firefox Forks Like Waterfox, Pale Moon, or Basilisk

Mozilla Firefox is an open source project, so anyone can take its code, modify it, and release a new browser. That’s what Waterfox, Pale Moon, and Basilisk are—alternative browsers based on the Firefox code. But we recommend against using any of them.

If You Don’t Like Firefox Quantum, Use Firefox ESR Instead

We like Firefox Quantum, which is faster and more modern than previous releases of Firefox. If you want to keep using your old add-ons that no longer work in Firefox Quantum, we recommend Mozilla’s Firefox Extended Support Release (ESR) instead.

Firefox ESR is based on Firefox 52, supports traditional XUL Firefox add-ons and NPAPI plug-ins, and will continue receiving security updates directly from Mozilla until July 2, 2018.

Yes, Mozilla has done some things we’re not crazy about. The Mr. Robot “Looking Glass” add-on was ridiculous, and we’re not thrilled about what they’re doing with Cliqz in Germany. But, after taking some deserved public heat, they’ve made policy changes and we’re hopeful they’ll do better in the future.

Even if you don’t completely trust some of Mozilla’s business decisions, your browser is just too important to be left to a small community of enthusiasts. We think it’s best to go with a big project with a large number of developers that receives a lot of attention to security. That’s why we recommend against using these smaller Firefox-based browsers, and why we also recommend against using alternative browsers based on Google Chrome. Here are our concerns with some of the more popular Firefox alternatives.

Waterfox Is Firefox ESR, But With Slower Security Updates

Waterfox is based on Mozilla Firefox, and it’s probably the most popular alternative browser based on the Firefox code. It made a name for itself by being a 64-bit browser based on the Mozilla Firefox code when Mozilla only offered 32-bit versions. However, Mozilla Firefox is now a 64-bit browser on 64-bit versions of Windows, so that’s not a reason to use Waterfox anymore.

Today, Waterfox is based on Firefox ESR. It advertises support for traditional XUL Firefox extensions and NPAPI plug-ins like Java and Silverlight. These are both features of Firefox ESR, so you don’t need to switch to Waterfox to get them. After Firefox ESR reaches end of life, “a ‘new’ browser will be developed to follow the ethos of Waterfox of customisation and choice,” according to the Waterfox blog.

Waterfox also differs from Firefox in a few other ways. It disables Pocket by default, but you can disable Pocket yourself in Firefox. It won’t send telemetry data to Mozilla, but you can disable that from Options > Privacy & Security > Firefox Data Collection and Use in Firefox. Encrypted Media Extensions (EME), which are required for sites like Netflix, are also disabled by default—and, again, you can disable them yourself in Firefox, if you like.
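The three settings above can be checked in an existing Firefox profile. As an added example (not from the article or from Mozilla), this script reads the text of a profile's prefs.js and reports the state of each one; the preference names are not given in the article, and the sample file contents are constructed.

```python
import re

# Firefox preference names (added here, not named in the article) behind the
# three features the article says Waterfox turns off by default.
WATERFOX_LIKE_PREFS = {
    "extensions.pocket.enabled": "Pocket",
    "datareporting.healthreport.uploadEnabled": "Telemetry upload to Mozilla",
    "media.eme.enabled": "Encrypted Media Extensions (EME)",
}

# Matches lines such as: user_pref("media.eme.enabled", false);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')


def parse_prefs(text):
    """Return {pref_name: raw_value} for every user_pref() line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)  # later lines override earlier ones
    return prefs


def audit(text):
    """Map each feature to 'disabled', 'enabled' or 'unset' (default applies)."""
    prefs = parse_prefs(text)
    report = {}
    for name, feature in WATERFOX_LIKE_PREFS.items():
        value = prefs.get(name)
        if value is None:
            # prefs.js only stores values the user changed from the default.
            report[feature] = "unset"
        else:
            report[feature] = "disabled" if value == "false" else "enabled"
    return report


# Constructed sample of a profile's prefs.js, not taken from a real profile.
SAMPLE_PREFS_JS = '''\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("extensions.pocket.enabled", false);
user_pref("media.eme.enabled", true);
'''

if __name__ == "__main__":
    for feature, state in audit(SAMPLE_PREFS_JS).items():
        print(f"{feature}: {state}")
```

An "unset" result means the profile never changed that preference, so the browser's built-in default is in effect.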

Overall, using Waterfox is basically just like using Firefox ESR and changing a few settings…with one big difference: security updates arrive in Firefox ESR much faster than they do in Waterfox. Whenever Mozilla releases security updates for Firefox ESR, the Waterfox developers have to integrate those updates into Waterfox before delivering them to users.

Let’s look at the most recent major release: Mozilla released Firefox 57 on November 14, 2017. On November 30, 2017, Waterfox’s developers released Waterfox 56, which incorporated the security updates found in Firefox 57. We don’t think waiting more than two weeks for security updates is a good idea!

Here’s a more recent example from a minor release: On January 23, 2018, Mozilla released Firefox 58 and Firefox ESR 52.6 with a variety of security fixes. Three days later, the Waterfox project said on Twitter that it was working on integrating these patches. On February 1, 2018, Waterfox 56.0.4 was released with these patches. That means Waterfox users waited nine days longer for the security patches from a minor release than they would have if they were just using Firefox. We don’t think it’s a good idea to wait that long.

In the future, this will only get more complicated as the Waterfox developers try to make their own browser. We recommend staying away and just using Firefox ESR.

Pale Moon Is Based on Very Outdated Firefox Code

Pale Moon is based on older Firefox code. The current version of Pale Moon is based on Firefox 38 ESR, which was originally released in 2015. The prior release was based on Firefox 24 ESR, which was released in 2013. The project uses an older Firefox interface created before the Australis theme, and still supports XUL add-ons.

Rather than being based on Mozilla’s Gecko rendering engine, Pale Moon is based on “Goanna”, an open-source browser engine that’s a fork of Gecko. (In open-source software, a “fork” is when someone takes the existing code of a project, copies it, and develops it themselves from that point forward, going in a different direction.)

While Waterfox is based on code that’s currently supported by Mozilla, Pale Moon is based on much older code. It won’t have the new web features or performance improvements of modern versions of Firefox, nor does it support watching certain kinds of video with DRM.

More importantly, basing a browser on such old code makes security patches harder. Pale Moon’s developer tries to keep up with Firefox security patches, but he’s maintaining old code that Mozilla has abandoned. Mozilla reportedly has over a thousand employees, while Pale Moon has one primary developer, trying to maintain a huge amount of code that’s becoming increasingly outdated. The older code also omits features that help make modern browsers so secure, like the multi-process sandboxing features that have finally arrived in Firefox Quantum.

Besides, Pale Moon tends to perform worse on browser benchmarks compared to modern browsers, which isn’t surprising given its age. The developer disagrees with browser benchmarking, but it’s not surprising a browser based on four-year-old code might be slower than a modern one.

Basilisk Is a More Modern, But More Unstable Pale Moon

Basilisk is a new browser from the creator of Pale Moon. While Pale Moon is based on Firefox 38 ESR, Basilisk is based on newer Firefox code. The developer is working on the “Unified XUL Platform (UXP)”, which is a fork of Mozilla’s code without the new Servo and Rust code that makes Firefox Quantum so fast. It also doesn’t enable any multi-process features.

A future version of Pale Moon will be based on this code, but right now the developer considers Basilisk an unstable development platform.

This fits Pale Moon’s kind of weird history. The first major version of Pale Moon was based on Firefox 24 ESR, due to a disagreement about where Firefox was headed. But the developer eventually had to switch to Firefox 38 ESR to get more modern features. Now, the developer is doing the same thing again, basing this new version largely on the pre-Quantum Firefox code. We don’t see the point of resisting new features only to make a major leap to them every few years anyway. Just stick with a browser that’s continually updated, like Firefox.

As for why you shouldn’t use this browser, aside from the same security and usability concerns inherent in Pale Moon, even the developer says it’s “development software” that should be considered beta.

These aren’t the only Firefox-based browsers out there, but they are the most popular—and most others will likely come with similar issues. It’s best to stick with a browser that has a big team behind it so security problems can be caught, fixed, and patched as fast as possible.

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry.