Review: Is Pale Moon a viable privacy browser?
Pale Moon is a Firefox fork that has rightfully developed into its own product.
While its main emphasis appears to be customizability, Pale Moon also places a fair amount of emphasis on being a smooth, secure, and private browser.
Today, we do our best to find out whether Pale Moon can be considered a viable privacy browser for your average user.
Without further ado, let's get to it!
This is the Pale Moon browser at a glance...
- No telemetry, data collection, or phoning home
- Free, open source, and truly independent product
- NPAPI and XUL Plugin support (may be a pro for some users)
- Not compatible with either Firefox or Chromium extensions
- Excludes support for some common modern browser features
- No Mobile or dedicated macOS support (may be a con for some users)
What is Pale Moon?
Pale Moon is a very interesting browser with a very long history.
But first, I should clarify: Pale Moon is not just another "outdated and insecure Firefox fork." Sources that claim this about Pale Moon are probably, at least for the most part, misinformed.
Moving on, let's establish that Pale Moon is a hard fork of pre-Australis Firefox. Truthfully, you can say that Pale Moon is its own independent product, completely separated from Mozilla Firefox despite its origin.
Somewhat similar to the Waterfox browser, Pale Moon has very humble beginnings. (But that's probably where the similarities end!) Pale Moon is an older fork than Waterfox and has moved in a completely different direction than other Firefox forks; it currently uses its own engine, Goanna, and its own platform, UXP.
Pale Moon forked from Firefox as early as Firefox 1.5.x; however, it took years for it to grow and mature into the project it is currently.
It seems that Pale Moon's independence, customizability, and a belief in its UXP platform remain its main draws.
Pale Moon is available on Windows and most Linux platforms. It also features a portable version (not to be confused with a mobile version - there is no mobile support for Pale Moon as of writing) that can be run from removable media such as a USB stick.
What's more, Pale Moon need not be formally "installed" to run on Linux systems. It can run from an extracted tarball, much like an AppImage.
Requirements
There are minimum system requirements for running this browser. These requirements differ slightly across different operating systems:
|OS||Windows 7 SP1||A "modern Linux|
|CPU||SSE2 support||SSE2 support|
|RAM||1 GB||1 GB|
|Libraries||N/A||GTK 2.24 OR GTK 3.22; GLib 2.22 or higher; Pango 1.14 or higher; libstdc++ 4.6.1 or higher|
|Disk Space||300 MB uncompressed||40 MB|
Launch and set up
NOTE: For this Pale Moon review, I am using Windows 10.
Installing Pale Moon on my Windows 10 machine was simple and easy. I chose the Standard installation method:
Everything went smoothly and quickly. I launched the browser immediately post-install, where two tabs greeted me:
On this initial start of Pale Moon, it also initiated quite a series of DNS queries. These were captured by the Sysmon tool on my Windows machine:
Additionally, after allowing Pale Moon to idle for approximately 10 minutes, it also made these queries:
Some of these queries were made multiple times each. And to be honest, that's... a lot of queries for just a first launch.
Naturally, I did my best to dig deeper and figure out more information about them.
To start, aus.palemoon.org is Pale Moon's automatic update service. The browser queries this domain to check for updates to the browser.
blocklist.palemoon.org is queried to check for updates to the browser's built-in extension/plugin/driver block list and dua.palemoon.org is for "high priority" updates to the user-agent override (which gives Pale Moon the ability to change the user agent string when connecting with different domains).
www.palemoon.org is queried because on Pale Moon's first launch, it takes you to the dedicated page for first launches on Pale Moon's official website. Funny enough, you can visit that page on any other browser.
start.palemoon.org is the default home page for Pale Moon. It redirects to palemoon.start.me. You can actually visit both domains from any other browser and be presented with the same home page.
This is because palemoon.start.me is a third-party service Pale Moon uses to give you its default start page that features all those easy to click shortcuts to common web apps, web services, and social media. Therefore, the start.me domains Pale Moon queries (such as f.start.me, c.start.me, whatismylocale.start.me, and api.start.me) are services used and queried to render this home page.
Depending on you and your threat model, this may not sit quite right with some users as start.me is a third-party service. Fortunately, disabling/not using start.me is as easy as changing Pale Moon's homepage within its settings. Doing so should stop the queries to the various start.me services and domains.
We'll dive into the privacy and security features of Pale Moon here. We'll also cover any special and/or unique features this browser has.
Claims no telemetry or data collection
Pale Moon boasts a no telemetry or data collection claim.
Pale Moon features a unique permissions manager.
The permissions manager allows you to set permissions for the unique domains you've visited:
As you can see in the above screenshot, for each domain you can determine whether to:
- Store passwords
- Load images
- Allow pop-ups
- Store cookies/site data
- Display notifications
- Install extensions/themes
- Share location
I found this permissions manager really well designed and surprisingly convenient, especially when it came to managing cookies and site data for each domain.
Most people might say, "Well geez, avoidthehack, you can do that in just about any browser," which is true - you can easily set global cookie preferences in Pale Moon. However, most browsers won't allow you to micromanage settings for individual sites to this same degree.
Pale Moon allows you to:
Which is pretty neat and handy.
Encrypted Sync Service
Pale Moon has its own syncing capabilities.
In order to use the sync service, you must create an account. Fortunately, you only need to provide an email address and password in order to create an account.
Pale Moon receives and uses your IP address, login credentials, date & time of device, your OS, browser version, and host names of your device. It doesn't look like this data is stored or permanently logged.
All data is end-to-end encrypted. Furthermore, the data is encrypted on the client (read: your) side prior to upload to the server.
Pale Moon doesn't sell/disclose information to any third parties. However, they will comply with orders from government and law enforcement within reason, which isn't a deal breaker.
Despite being a fork of pre-Australis Firefox, Pale Moon does not run on Firefox's Gecko engine.
Instead, unlike most other Firefox forks, Pale Moon runs on its own browser engine called Goanna. This engine itself is hard forked from Mozilla's own Gecko engine.
The Goanna engine is based on the now independently developed UXP (Unified XUL Platform), which is yet another fork of Mozilla's defunct XUL language.
Please be aware that the fork (UXP) is well-maintained as of writing; however, Mozilla's discontinued XUL _is not_! Additionally, UXP is the platform for other applications as well.
It is Pale Moon's usage of this Goanna engine that makes it more than just an outdated version of Firefox, despite being forked from "old Firefox" or "old Gecko" code.
Pale Moon receives frequent updates. The same can be said for its engine (Goanna) as well.
Pale Moon's updates fix bugs, improve overall quality of life, and periodically add or build on new features within both the browser and the engine.
Additionally, Pale Moon has an active community of developers and users who seem dedicated to keeping the project alive with these frequent updates.
NPAPI and XUL plugin support
Interestingly, Pale Moon still supports various NPAPI (Netscape Plugin Application Programming Interface) plugins. "Still," because most modern browsers do not support these plugins. Some of these supported albeit deprecated plugins include:
- Adobe Flash
- Microsoft Silverlight
- Java applet
- Unity Web Player
Please note that despite Pale Moon's compatibility with these plugins, that doesn't necessarily mean the plugins themselves are "safe" or well maintained. In fact, many NPAPI plugins have reached their respective end of life.
Independent Add-on "Store"
Pale Moon has its own plugins/add-ons/extensions website. This is independent of the Mozilla Add-ons website for Firefox and the Chrome Web Store for Chromium-powered browsers:
Additionally, Pale Moon also has the option for custom themes.
It's worth noting that newer versions of Pale Moon no longer support legacy Firefox add-ons that aren't specifically ported to Pale Moon.
Pale Moon is an impressive project that continues to grow in independence.
The Pale Moon project has forked so much from the pre-Australis Firefox source code that it has become something "new" entirely. Essentially, it's its very own product that has near-zero reliance on anything that Mozilla or even Google is doing currently.
Remember, while the Pale Moon browser is in itself this totally independent fork, so is:
- Goanna, the rendering engine of Pale Moon
- UXP, the underlying platform that powers other applications (in addition to Pale Moon)
- Pale Moon's plugins
Additionally, this project has spawned other browser forks:
- White Star
All in all, Pale Moon is a shining example of why open source software is amazing!
No telemetry/phoning home
As previously mentioned, Pale Moon has a no telemetry and no data collection claim.
Long story short, I did find this to be true. More specifically, I didn't notice any particularly excessive DNS requests from Pale Moon logged in Sysmon.
However, I did want to note that if you keep the default homepage (from start.me), it does consistently make a number of requests to variations of the start.me domain. These are the same domains found in the First Launch section of this review.
The easiest way to mitigate this, if desired, is to simply change the default homepage.
Additionally, the browser does make periodic requests to:
As noted previously, aus.palemoon.org is Pale Moon's automatic update service. blocklist.palemoon.org is the browser's default blocklist, and dua.palemoon.org is a critical update service for modifying the user agent string Pale Moon shares with domains you connect to.
From my use of this browser, I feel confident in saying that Pale Moon doesn't collect data or telemetry. The number of connections it initiates may be of some concern to some users; however, many of these connections are not cause for concern - and can be easily mitigated.
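The DNS check described in the launch section and again here can be repeated on your own machine. As an added example (not part of the original review), this Python script tallies Sysmon Event ID 22 (DnsQuery) records for palemoon.exe by the purposes the review lists; the event XML, the install path, and the `unlisted.example.invalid` name are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
KNOWN = {  # purposes as described in the review
    "aus.palemoon.org": "update check",
    "blocklist.palemoon.org": "blocklist update",
    "dua.palemoon.org": "user-agent override update",
    "www.palemoon.org": "first-launch page",
    "start.palemoon.org": "default home page",
}

def classify(name):
    name = name.lower().rstrip(".")
    if name in KNOWN:
        return KNOWN[name]
    if name == "start.me" or name.endswith(".start.me"):
        return "third-party start page"
    return "unexplained"

def summarize(events, image_suffix="\\palemoon.exe"):
    """Count one process's DNS queries per purpose; return (counts, unexplained names)."""
    counts, unexplained = Counter(), set()
    for xml_text in events:
        root = ET.fromstring(xml_text)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "22":
            continue  # not a Sysmon DnsQuery event
        data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
        if not data.get("Image", "").lower().endswith(image_suffix):
            continue  # query came from another process
        bucket = classify(data.get("QueryName", ""))
        counts[bucket] += 1
        if bucket == "unexplained":
            unexplained.add(data.get("QueryName", "").lower())
    return counts, unexplained

def make_event(query, image):
    """Constructed sample record holding only the fields this script reads."""
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            "<System><EventID>22</EventID></System><EventData>"
            f'<Data Name="QueryName">{query}</Data><Data Name="Image">{image}</Data>'
            "</EventData></Event>")

PM = r"C:\Program Files\Pale Moon\palemoon.exe"  # assumed install path
SAMPLE = [make_event(q, PM) for q in (
    "aus.palemoon.org", "aus.palemoon.org", "blocklist.palemoon.org", "dua.palemoon.org",
    "start.palemoon.org", "palemoon.start.me", "f.start.me", "api.start.me",
    "unlisted.example.invalid")]  # last name is constructed, to show the "unexplained" bucket
SAMPLE.append(make_event("example.com", r"C:\Windows\System32\svchost.exe"))
print(summarize(SAMPLE))
```

Any name that lands in the "unexplained" set is the part worth reviewing by hand; after changing the homepage, the "third-party start page" count should drop to zero.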
Doesn't use Google Location Data
Interestingly, Pale Moon doesn't use Google's Location Service API for location-reliant tasks within the browser.
This is a big deal because, well, a ton of browsers use Google's Location Service - even if the service is proxied or otherwise augmented to hopefully improve the end user's privacy. Even Firefox makes use of Google Location Service, albeit it's modified and can be disabled within Firefox's about:config settings.
Instead, Pale Moon appears to use ipapi for its location services.
Lack of some modern features
Pale Moon lacks smooth capability with a lot of modern features found within browsers today.
This is also the biggest con I could find about this browser, but it's one that users should weigh in accordance with their personal needs, and to an extent, threat model.
These are some of the more notable modern in-browser features not supported in Pale Moon:
No WebRTC Support
Put simply, WebRTC enables P2P (Peer-to-Peer) sharing from inside the browser. For example, it allows users the ability to voice and/or video chat without an intermediary server or downloading any other extensions/add-ons.
So, in other words, performing P2P related tasks like video chatting would not be possible within Pale Moon without the help of some sort of compatible add-on.
The upside to a lack of WebRTC support is that you don't have to deal with the likes of WebRTC leaks, which can leak your IP address even from behind a VPN and can be easily leveraged as a unique identifier in fingerprinting methods.
No Integrated PDF reader
You know how most browsers will open a
Pale Moon doesn't do that - because it doesn't have an in-browser PDF reader.
So, if you plan on opening a ton of PDFs, then you'll either need a secondary browser that has an integrated PDF reader (which, naturally, does come with some security risks) or a dedicated PDF reader installed on your machine.
No in-browser DRM
The Pale Moon browser doesn't support in-browser DRM ("Digital Rights Management") software.
DRM software has a long, complicated history. There have been many advocates against DRM software due to its privacy invasiveness and questionable effectiveness in preventing piracy, but alas it has only proliferated in the past few years.
Therefore, Pale Moon isn't the ideal browser for using streaming services that make use of in-browser DRMs. For example: Spotify uses DRM software for its Spotify Web Player. Because of this, it won't play within Pale Moon:
Pale Moon also features a few more "modern browser features" that have been removed.
While I can both understand and respect the developers' decisions to not include these features, I do feel a lot of users may disagree.
I also feel that this lack of "modern browser features" doesn't resonate well with a lot of users, which ultimately hurts the browser's ability to make a sizable impact in the desktop browser market share, which in turn keeps the browser in sort of a "niche browser" box.
Granted, it could be that the developers don't necessarily care about this, but I feel it's an important topic to bring up concerning Chromium's absolute domination of the browser market share in recent years.
No mobile or macOS support
This could be a deal-breaker for some users. For others, not so much.
There do not appear to be any plans for actively developing a Pale Moon mobile version on either Android or iOS.
For what it's worth, Pale Moon does feature a portable version of the browser for Linux environments. This portable version is not to be confused with a mobile version. The portable version allows users to launch and use the browser from removable media such as a USB stick.
Also, it's worth noting that there seem to be some community members who attempt to maintain releases of Pale Moon for macOS. However, none of this is "official." Additionally, there is a fork of Pale Moon called White Star, with a heavy focus on macOS users.
It needs to be reiterated that Pale Moon is an excellent example of the power of true free and open source software.
So, now the question, "is Pale Moon a viable privacy browser?" still stands.
I say it is. After all, you can find it on avoidthehack's best browser picks for Windows.
But even without our recommendation, Pale Moon is set up to be fairly private and/or secure by design - or at least as close as you can get to it, given the status and complexity of the modern browser.
However, on the flip side, Pale Moon's rejection of some common modern in-browser features such as can be looked at as a double-edged sword.
While the rejection of some of these commonly incorporated browser features allows Pale Moon to stay true to its "mission," I feel it also makes it less of a direct competitor to browsers such as Firefox, Safari, and Chromium-powered browsers. Especially so in the eyes of the more "average" user whose expectations may hold different than the expectations of a true "power" user.
In other words, its lack of support for some of these features can make widespread adoption hard(er), which consequently affects its ability to nab market share.
This concludes avoidthehack's Pale Moon browser review. Hopefully you've found it an informative read.
As always, stay safe out there!