Mozilla

'Mozilla VPN' Launches in Six Countries (mozilla.org) 69

"Starting today, there's a VPN on the market from a company you trust," Mozilla announced Wednesday.

Mozilla VPN is now officially available for Windows and Android in six countries: the U.S., Canada, the U.K., Singapore, Malaysia, and New Zealand, and it'll be coming to even more countries later this year, reports the Verge: The service is available for $4.99 a month, and, like other VPNs, it's designed to make your web-browsing more private and secure. As part of the move, the service is being rebranded from Firefox Private Network to Mozilla VPN, a change that was announced last month.

Mozilla argues that its VPN service has a couple of advantages over its many competitors. It says it should offer a faster browsing experience in many cases because it's based on a protocol with less than a third of the lines of code of an average VPN service provider. The company is also banking on the reputation it's built up with its privacy-focused browser, and it adds that it only collects the information it needs to run a service and doesn't keep user data logs.

The VPN's launch follows beta trials in the US, which also included tests of a VPN built directly into the Firefox browser. Last month, Mozilla announced that it would be testing asking users to pay $2.99 a month for unlimited usage of the extension, which is designed to mask your traffic within the browser rather than at a system-wide level.

Firefox

Firefox Working on Fixing a One-Year-Old Bug in Its Android App That Keeps Camera Active After Users Have Minimized the App or Locked Their Phone (zdnet.com) 18

Mozilla says it's working on fixing a bug in Firefox for Android that keeps the smartphone camera active even after users have moved the browser in the background or the phone screen was locked. From a report: A Mozilla spokesperson told ZDNet in an email this week that a fix is expected for later this year in October. The bug was first spotted and reported to Mozilla a year ago, in July 2019, by an employee of video delivery platform Appear TV. The bug manifests when users choose to video stream from a website loaded in Firefox instead of a native app. Mobile users often choose to stream from a mobile browser for privacy reasons, such as not wanting to install an intrusive app and grant it unfettered access to their smartphone's data. Mobile browsers are better because they prevent websites from accessing smartphone data, keeping their data collection to a minimum. The Appear TV developer noticed that Firefox video streams kept going, even in situations when they should have normally stopped.
Chrome

Chrome and Firefox Are Getting Support For the New AVIF Image Format (zdnet.com) 50

The new lightweight and royalty-free AVIF image format is coming to web browsers. Work is almost complete on adding AVIF support to Google Chrome and Mozilla Firefox. From a report: The new image format is considered one of the lightest and most optimized image compression formats, and has already gained praise from companies such as Netflix, which considers it superior to existing image formats such as JPEG, PNG, and even the newer WebP. The acronym of AVIF stands for AV1 Image File Format. As its name hints, AVIF is based on AV1, which is a video codec that was developed in 2015, following a collaboration between Google, Cisco, and Xiph.org (who also worked with Mozilla). At the time, the three decided to pool their respective in-house video codecs (VPX, Thor, and Daala) to create a new one (AV1) that they planned to offer as an open-source and royalty-free alternative to all the commercial video codecs that had fragmented and clogged the video streaming market in the late 2000s and early 2010s.
Firefox

Mozilla Suspends Firefox Send Service While It Addresses Malware Abuse (zdnet.com) 19

An anonymous reader writes: Mozilla has temporarily suspended the Firefox Send file-sharing service as the organization investigates reports of abuse from malware operators and while it adds a "Report abuse" button. The browser maker took down the service today after ZDNet reached out to inquire about Firefox Send's increasing prevalence in current malware operations. Since last year, several malware operations have hosted payloads on the service. This includes ransomware gangs like REvil/Sodinokibi, financial crime crews like FIN7, the Zloader and Ursnif banking trojans operations, and government surveillance groups targeting human rights defenders. Reasons include the fact that Firefox Send doesn't have a Report Abuse mechanism, all file uploads are encrypted (useful to dodge malware scanners), and the Firefox URL is whitelisted in most orgs (useful for bypassing email filters).
Security

Ask Slashdot: Could We Not Use DNS For a Certificate Revocation Mechanism? 97

Long-time Slashdot reader dhammabum writes: As reported in the recent slashdot story, starting in September we system admins will be forced into annually updating TLS certificates because of a decision by Apple, abetted by Google and Mozilla. Supposedly this measure somewhat rectifies the current ineffective certificate revocation list system by limiting the use of compromised certificates to one year... But in an attempt to prevent this pathetic measure, could we instead use DNS to replace the current certificate revocation list system?

Why not create a new type of TXT record, call it CRR (Certificate Revocation Record), that would consist of the Serial Number (or Subject Key ID or thumbprint) of the certificate. On TLS connection to a website, the browser does a DNS query for a CRR for the Common Name of the certificate. If the number/key/thumbprint matches, reject the connection. This way the onus is on the domain owner to directly control their fate. The only problem I can see with this is if there are numerous certificate Alternate Names — there would need to be a CRR for each name. A pain, but one only borne by the hapless domain owner.

Alternatively, if Apple is so determined to save us from ourselves, why don't they fund and host a functional CRL system? They have enough money. End users could create a CRL request via their certificate authority who would then create the signed record and forward it to this grand scheme.

Otherwise, are there any other ideas?
AI

Mozilla Common Voice Updates Will Help Train the 'Hey Firefox' Wakeword For Voice-Based Web Browsing (venturebeat.com) 49

Mozilla today released the latest version of Common Voice, its open source collection of transcribed voice data for startups, researchers, and hobbyists to build voice-enabled apps, services, and devices. Common Voice now contains over 7,226 total hours of contributed voice data in 54 different languages, up from 1,400 hours across 18 languages in February 2019. From a report: Common Voice consists not only of voice snippets, but of voluntarily contributed metadata useful for training speech engines, like speakers' ages, sex, and accents. It's designed to be integrated with DeepSpeech, a suite of open source speech-to-text, text-to-speech engines, and trained models maintained by Mozilla's Machine Learning Group. Collecting the over 5.5 million clips in Common Voice required a lot of legwork, namely because the prompts on the Common Voice website had to be translated into each language. Still, 5,591 of the 7,226 hours have been confirmed valid by the project's contributors so far. And according to Mozilla, five languages in Common Voice -- English, German, French, Italian, and Spanish -- now have over 5,000 unique speakers, while seven languages -- English, German, French, Kabyle, Catalan, Spanish, and Kinyarwandan -- have over 500 recorded hours.
Firefox

Firefox 78: Protections Dashboard, New Developer Features, and the End of the Line For Older MacOS Versions (theregister.com) 51

williamyf shares a report from The Register: Mozilla has released Firefox 78 with a new Protections Dashboard and a bunch of updates for web developers. This is also the last supported version of Firefox for macOS El Capitan (10.11) and earlier. Firefox is on a "rapid release plan," which means a new version every four to five weeks. This means that major new features should not be expected every time. That said, Firefox 78 is also an extended support release (ESR), which means users who stick with ESR get updates from this and the previous 10 releases. The main new user-facing feature in Firefox 78 is the Protections Dashboard, a screen which shows trackers and scripts blocked, a link to the settings, a link to Firefox Monitor for checking your email address against known data breaches, and a button for password management.

Developers get a bunch of new features. The Accessibility inspector is out of beta -- this is a tab in the developer tools that will check a page for accessibility issues when enabled. Source maps are a JavaScript feature that map minified code back to the original code to make debugging easier. Firefox has a Map option that lets you use source maps in the debugger, and this now works with logpoints, a type of breakpoint that writes a message to the console rather than pausing execution, so that you see the original variable names. Mozilla has also worked on debugging JavaScript promises, so you can see more detail when exceptions are thrown.

A big feature for debugging web applications when running on mobile is the ability to connect an Android phone with USB, and navigate and refresh mobile web pages from the desktop. Patience is required though, since this will only work with a forthcoming new version of Firefox for Android. Mozilla has been working on a new Regular Expression (RegExp) evaluator and this is included in SpiderMonkey (Mozilla's JavaScript engine) in Firefox 78. This brings the evaluator up to date with the requirements of ECMAScript 2018.

Security

Apple Strong-Arms Entire CA Industry Into One-Year Certificate Lifespans (zdnet.com) 159

A decision that Apple unilaterally took in February 2020 has reverberated across the browser landscape and has effectively strong-armed the Certificate Authority industry into bitterly accepting a new default lifespan of 398 days for TLS certificates. From a report: Following Apple's initial announcement, Mozilla and Google have stated similar intentions to implement the same rule in their browsers. Starting with September 1, 2020, browsers and devices from Apple, Google, and Mozilla will show errors for new TLS certificates that have a lifespan greater than 398 days. The move is an important one because it not only changes how a core part of the internet works -- TLS certificates -- but also because it breaks away from normal industry practices and the cooperation between browsers and CAs. Known as the CA/B Forum, this is an informal group made up of Certificate Authorities (CAs), the companies that issue TLS certificates used to support HTTPS traffic, and browser makers. Since 2005, this group has been making the rules on how TLS certificates should be issued and how browsers are supposed to manage and validate them.
Privacy

Apple Declined To Implement 16 Web APIs in Safari Due To Privacy Concerns (zdnet.com) 120

Apple said last week that it declined to implement 16 new web technologies (Web APIs) in Safari because they posed a threat to user privacy by opening new avenues for user fingerprinting. Technologies that Apple declined to include in Safari because of user fingerprinting concerns include:
  • Web Bluetooth - Allows websites to connect to nearby Bluetooth LE devices.
  • Web MIDI API - Allows websites to enumerate, manipulate and access MIDI devices.
  • Magnetometer API - Allows websites to access data about the local magnetic field around a user, as detected by the device's primary magnetometer sensor.
  • Web NFC API - Allows websites to communicate with NFC tags through a device's NFC reader.
  • Device Memory API - Allows websites to receive the approximate amount of device memory in gigabytes.
  • Network Information API - Provides information about the connection a device is using to communicate with the network and provides a means for scripts to be notified if the connection type changes.
  • Battery Status API - Allows websites to receive information about the battery status of the hosting device.
  • Web Bluetooth Scanning - Allows websites to scan for nearby Bluetooth LE devices.
  • Ambient Light Sensor - Lets websites get the current light level or illuminance of the ambient light around the hosting device via the device's native sensors.
[...]
The vast majority of these APIs are only implemented in Chromium-based browsers, and very few on Mozilla's platform. Apple claims that the 16 Web APIs above would allow online advertisers and data analytics firms to create scripts that fingerprint users and their devices.

Facebook

Coca-Cola, Hershey's, Starbucks: More Major Advertisers Are Now Boycotting Facebook (usatoday.com) 228

Some of America's biggest brands — Coca-Cola, The Hershey Company and Levi Strauss & Co. — "are among the latest in pledging to halt advertising on Facebook as part of a growing boycott," reports USA Today: Despite Facebook CEO Mark Zuckerberg outlining several steps the social network will take to combat hate speech ahead of the 2020 presidential election Friday, the companies joined Unilever, Honda, Verizon and others in the protest... Jen Sey, chief marketing officer of Levi's, said in a statement late Friday the company was pausing all paid Facebook and Instagram advertising globally at least through the end of July across all of its brands. "When we re-engage will depend on Facebook's response," Sey said. The ad boycott on Facebook focuses on advertising for the month of July and also includes Eddie Bauer and Ben & Jerry's... Patagonia, REI, Mozilla and Upwork in addition to about 100 smaller companies also have said they are committed.

Nearly all of the social media company's revenue comes from advertising on Facebook and Instagram. Shares of Facebook dropped more than 8% on Friday.

Business Insider notes that the 8% drop in Facebook's stock price meant that Mark Zuckerberg's fortune dropped $7.21 billion in a single day.

And then Sunday Starbucks announced they were also taking action, suspending advertising on all social media because "we believe both business leaders and policy makers need to come together to affect real change."

UPDATE: It's also now being reported that even Pepsi is joining the boycott.
Mozilla

Firefox 79 Stable Will Let Users Test Unreleased Features Using 'Experiments' (thewindowsclub.com) 22

Both Edge and Chrome already allow users to try unreleased, experimental features (by typing about:flags in the address bar). Soon there'll be a similar "Firefox Experiments" option starting in Firefox 79.

Slashdot reader techtsp shares this report from the Windows Club: Mozilla has a dedicated Experimental Features page on MDN just for that. But limiting experimental features to Firefox's Nightly channel has a limitation: A fairly limited number of "curious" users. Now, extending some of these experimental features to stable releases will increase the scope of "Firefox Experiments" as a whole... This option will allow users to enable/disable experimental features under Preferences...

[In Firefox 79] Navigate to Preferences by entering about:preferences in the browser's address bar or click the gear icon and go to "Preferences." Discover and set browser.preferences.experimental to True. Now, you should be able to see the "Firefox Experiments" menu under Firefox 79 Preferences.

Mozilla

Comcast Becomes the First ISP To Join Mozilla's TRR Program (neowin.net) 85

Comcast has joined Cloudflare and NextDNS in partnering with Mozilla's Trusted Recursive Resolver program, which aims to make DNS more trusted and secure. Neowin reports: Commenting on the move, Firefox CTO Eric Rescorla, said: "Comcast has moved quickly to adopt DNS encryption technology and we're excited to have them join the TRR program. Bringing ISPs into the TRR program helps us protect user privacy online without disrupting existing user experiences. We hope this sets a precedent for further cooperation between browsers and ISPs."

With its TRR program, Mozilla said that encrypting DNS data with DoH is just the first step in securing DNS. It said that the second step requires companies handling the data to have appropriate rules in place for handling it. Mozilla believes these rules include limiting data collection and retention, ensuring transparency about any retained data, and limiting the use of the resolver to block access or modify content.
Ars Technica notes that joining Mozilla's program means that Comcast agreed that it won't "retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses, or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser," along with other requirements.

When the change happens, it'll be automatic for users unless they've chosen a different DoH provider or disabled DoH altogether. Comcast told Ars yesterday that "Firefox users on Xfinity should automatically default to Xfinity resolvers under Mozilla's Trusted Recursive Resolver program, unless they have manually chosen a different resolver, or if DoH is disabled. The precise mechanism is still being tested and the companies plan to document it soon in an IETF [Internet Engineering Task Force] Draft."
Privacy

Safari 14 Will Let You Log in To Websites With Your Face or Finger (cnet.com) 42

With Safari on iOS 14, MacOS Big Sur and iPadOS 14, you'll be able to log in to websites using Apple's Face ID and Touch ID biometric authentication. That's a powerful endorsement for technology called FIDO -- Fast Identity Online -- that's paving the way to a future without passwords. From a report: Apple disclosed the biometric authentication support in Safari on Wednesday at WWDC, its annual developers conference. "It's both much faster and more secure," Apple Safari programmer Jiewen Tan said during one of the WWDC video sessions Apple offered after the coronavirus pandemic pushed the conference online. The change is a big boost for browser technology called Web Authentication, aka WebAuthn, developed by the FIDO consortium allies. Apple's not the first supporter -- it's already in Mozilla Firefox, Google Chrome and Microsoft Edge, and works with Windows Hello facial recognition and Android fingerprint authentication.
Firefox

Microsoft Edge Accused of Sneakily Importing Firefox Data In Windows 10 (softpedia.com) 48

Some Firefox users have discovered that the new default Windows 10 browser, which is shipped to their devices via Windows Update, sometimes imports the data from Mozilla's application even if they don't give their permission. Softpedia reports: Some of these Firefox users decided to kill the initial setup process of Microsoft Edge, only to discover that despite the wizard shutting down prematurely, the browser still copied data stored by Mozilla's browser. Several users confirmed on reddit that this behavior happened on their computers too. Microsoft has remained tight-lipped on this, so for the time being, it's still not known why Edge imports Firefox data despite the initial wizard actually being killed off manually by the user. Users who don't want to be offered the new Edge on Windows Update can turn to the dedicated toolkit that Microsoft released earlier this year, while removing the browser is possible by just uninstalling the update from the device.
Firefox

Mozilla To Launch VPN Product 'in the Next Few Weeks' (zdnet.com) 73

An anonymous reader quotes a report from ZDNet: Mozilla has announced today that its highly anticipated VPN (virtual private network) service will launch later this summer, "in the next few weeks." The product has also been renamed from its original name of Firefox Private Network to its new brand of the "Mozilla VPN." The name change came after Mozilla expanded the VPN product from the initial Firefox extension to a full-device VPN, capable of routing traffic for the entire OS, including other browsers. Currently, the Mozilla VPN offers clients for Windows 10, Chromebooks, Android, and iOS devices. Mozilla said beta testers also requested a Mac client, which they plan to provide, along with a Linux app.
Mozilla

Mozilla, EFF, 19,000 Citizens Urge Zoom To Reverse End-to-End Encryption Decision 44

Mozilla, Electronic Frontier Foundation (EFF), and more than 19,000 internet users today urged Zoom CEO Eric Yuan to reverse his decision to deny end-to-end encryption to users of its free service, saying it puts activists and other marginalized groups at risk. Earlier this month, Zoom announced it will offer end-to-end encryption, but only to those who pay. From a statement: The pressure to reverse the decision comes as racial justice activists are using tools like Zoom to organize protests. Without end-to-end encryption, information shared in their online meetings could be intercepted -- a concern that has been legitimized by both recent actions by law enforcement and a long-term history of discriminatory policing. Mozilla and EFF today are presenting an open letter to Yuan, co-signed by 19,000 people, maintaining that privacy and best-in-class security should be the default, not something that only the wealthy or businesses can afford.
Mozilla

Mozilla Eyes Decentralized Web-Based Videoconferencing Platform 'Meething' (zdnet.com) 40

Last month Techcrunch reported that Mozilla had gone "full incubator" by holding a startup lab called Fix the Internet, followed by "a formal program dangling $75,000 investments in front of early-stage companies..."

Fix the Internet had many key themes, including collaboration and decentralization (as well as user-controlled data and privacy-protecting social networks). That event "drew the interest of some 1,500 people in 520 projects, and 25 were chosen to receive the full package and stipend during the development of their minimum viable product (MVP). Below that, as far as pecuniary commitment goes, is the 'MVP Lab,' similar to the spring program but offering a total of $16,000 per team."

And one of those MVP Lab teams is Meething, a new video conferencing and collaboration platform from the innovation lab ERA. Meething "aims to be more secure than existing video conferencing tools and run on a decentralized database engine and leverage peer-to-peer networking" according to ZDNet.

In their video interview with CEO Mark Nadal, he outlined the following selling points:
  • Browser based video conferencing gives customers better options for security as well as branding.
  • Open source architecture is a win and the peer-to-peer networking is more efficient on compute costs.
  • Meething doesn't require downloads or apps that increase the security attack surface.
  • The total addressable market for video conferencing is large and can support multiple players.

Their press release quotes Mark Mayo, a former Chief Product Officer at Mozilla who served as Meething's mentor, arguing that video conferencing on the web "has long promised to enable a whole new world of online collaboration. Frankly, it hasn't delivered. It's been way too hard to build cool products with video and Meething aims to be the zero-barrier-to-entry platform that realizes this future. Soon, video conferencing won't suck!"


Firefox

Firefox 77 Arrives With Faster JavaScript Debugging and Optional Permissions (venturebeat.com) 30

An anonymous reader writes: Mozilla today launched Firefox 77 for Windows, Mac, and Linux. Firefox 77 includes faster JavaScript debugging, optional permissions for extensions, and Pocket recommendations in the U.K. You can download Firefox 77 for desktop now from Firefox.com, and all existing users should be able to upgrade to it automatically. According to Mozilla, Firefox has about 250 million active users, making it a major platform for web developers to consider. [...] Other than Pocket recommendations arriving in the U.K. (they've been in Canada, Germany, and the U.S. since April 2018), this is primarily a developer release. Firefox's Debugger is now better at handling large web apps with all their bundling, live reloading, and dependencies. Mozilla is promising performance improvements that speed up pausing and stepping, as well as cutting down on memory usage over time. Source maps should also see performance boosts -- some inline source maps load 10 times faster -- and improved reliability for many configurations. The debugger will now also respect the currently selected stack when stepping, which is useful when you've stepped into a function call or paused in a library method further down in the stack.
United States

Tech Companies Urge US House to Protect the Privacy of Americans' Browsing and Search History (techspot.com) 49

While reinstating the PATRIOT Act, the U.S. Senate blocked an amendment which would've shielded Americans' browsing and search histories from warrantless searches.

But that fight may not be over, reports TechSpot: [S]everal tech companies including Mozilla, Reddit, Twitter, and Patreon have co-signed a letter asking the House of Representatives to tidy up this mess. The House still needs to pass the bill for it to become law, and they can force the inclusion of the amendment. They vote this week.

"Our users demand that we serve as responsible stewards of their private information, and our industry is predicated on that trust," says the letter. "Americans deserve to have their online searches and browsing kept private, and only available to the government pursuant to a warrant."

The amendment has also received support from dozens of civil rights and liberties groups, including the NAACP, the American Civil Liberties Union, and the Human Rights Watch. They co-signed a separate letter last week...

"[S]upport for the underlying policy is now abundantly clear," argues the second letter, "both within Congress and among the public: the FBI should not be allowed to use the PATRIOT Act to surveil Americans' online activity without a warrant."
Chrome

Chromium Project Finds 70% of Its Serious Security Bugs Are Memory Safety Problems (chromium.org) 154

"Around 70% of our serious security bugs are memory safety problems," the Chromium project announced this week. "Our next major project is to prevent such bugs at source."

ZDNet reports: The percentage was compiled after Google engineers analyzed 912 security bugs fixed in the Chrome stable branch since 2015, bugs that had a "high" or "critical" severity rating. The number is identical to stats shared by Microsoft. Speaking at a security conference in February 2019, Microsoft engineers said that for the past 12 years, around 70% of all security updates for Microsoft products addressed memory safety vulnerabilities. Both companies are basically dealing with the same problem, namely that C and C++, the two predominant programming languages in their codebases, are "unsafe" languages....

Google says that since March 2019, 125 of the 130 Chrome vulnerabilities with a "critical" severity rating were memory corruption-related issues, showing that despite advances in fixing other bug classes, memory management is still a problem... Half of the 70% are use-after-free vulnerabilities, a type of security issue that arises from incorrect management of memory pointers (addresses), leaving doors open for attackers to attack Chrome's inner components...

While software companies have tried before to fix C and C++'s memory management problems, Mozilla has been the one who made a breakthrough by sponsoring, promoting and heavily adopting the Rust programming language in Firefox... Microsoft is also heavily investing in exploring C and C++ alternatives... But this week, Google also announced similar plans as well... Going forward, Google says it plans to look into developing custom C++ libraries to use with Chrome's codebase, libraries that have better protections against memory-related bugs. The browser maker is also exploring the MiraclePtr project, which aims to turn "exploitable use-after-free bugs into non-security crashes with acceptable performance, memory, binary size and minimal stability impact."

And last, but not least, Google also said it plans to explore using "safe" languages, where possible. Candidates include Rust, Swift, JavaScript, Kotlin, and Java.
