Firefox

Firefox Moving To a Faster 4-Week Release Cycle (mozilla.org) 50

Mozilla announces in a blog post: We typically ship a major Firefox browser (Desktop and Android) release every 6 to 8 weeks. Building and releasing a browser is complicated and involves many players. To optimize the process, and make it more reliable for all users, over the years we've developed a phased release strategy that includes 'pre-release' channels: Firefox Nightly, Beta, and Developer Edition. With this approach, we can test and stabilize new features before delivering them to the majority of Firefox users via general release.

And today we're excited to announce that we're moving to a four-week release cycle! We're adjusting our cadence to increase our agility, and bring you new features more quickly. In recent quarters, we've had many requests to take features to market sooner. Feature teams are increasingly working in sprints that align better with shorter release cycles. Considering these factors, it is time we changed our release cadence. Starting Q1 2020, we plan to ship a major Firefox release every 4 weeks. Firefox ESR release cadence (Extended Support Release for the enterprise) will remain the same. In the years to come, we anticipate a major ESR release every 12 months with 3 months support overlap between new ESR and end-of-life of previous ESR. The next two major ESR releases will be ~June 2020 and ~June 2021.

Businesses

Mozilla and Creative Commons Want To Reimagine the Internet Without Ads, and They Have $100M To Do It (fastcompany.com) 146

An anonymous reader shares a report: Funding online content with small consumer payments rather than intrusive and privacy-compromising ads has for years been a goal for many internet theorists and publishers. "We're at a point where it's clear there's kinds of negative side effects for people and even for democracy of the data-driven ad economy that funds the internet," says Mark Surman, executive director of the Mozilla Foundation. Now, Mozilla, Creative Commons, and a new micropayment startup have announced a $100 million grant program to finally bring that dream to fruition.

The program, called Grant for the Web, will give roughly $20 million per year for five years to content sites, open source infrastructure developers, and others building around Web Monetization, a proposed browser standard for micropayments. "When we started Coil, Coil was essentially the first Web Monetization provider," says founder and CEO Stefan Thomas. Coil users pay a fixed monthly fee that's distributed among sites they visit that have Web Monetization enabled, such as the web development site CSS-Tricks, based on how long they visit the sites. The underlying technology supports other providers routing user funding as well.

Firefox

Mozilla Launches Paid Premium Support for Enterprise Customers (neowin.net) 19

Mozilla has quietly launched a new product for enterprise customers: Ability to buy paid premium support for Firefox. From a report: The premium enterprise support for Firefox costs $10 per supported installation and offers customers the ability to submit bugs privately, get critical security bug fixes, get access to a private customer portal, get access to the enterprise critical issues distribution list, and have the ability to contribute to Firefox and its roadmap. According to Mozilla, it will support Firefox installations as long as they are running on machines that meet the system requirements. Windows, Mac, and Linux based operating systems are listed in the system requirements so all platforms should be covered by the premium support.

Chrome

Google To Run DNS-over-HTTPS (DoH) Experiment in Chrome (zdnet.com) 104

Google has announced plans to test the new DNS-over-HTTPS (DoH) protocol inside Google Chrome starting with v78, scheduled for release in late October this year. From a report: The DNS-over-HTTPS protocol works by sending DNS requests to special DoH-compatible DNS resolvers. The benefit comes from the fact that DNS requests are sent via port 443, as encrypted HTTPS traffic, rather than cleartext, via port 53. This hides DoH requests in the unending stream of HTTPS traffic that moves across the web at any moment of the day and prevents third-party observers from tracking users' browsing histories by recording and looking at their unencrypted DNS data. The news that Google is looking into testing DoH in Chrome comes just as Mozilla announced plans over the weekend to gradually enable DoH by default for a small subset of users in the US later this month.

Mozilla

Mozilla Launches VPN as Part of Resurrected Firefox Test Pilot Program (venturebeat.com) 11

Mozilla is resurrecting its recently expunged Test Pilot program with a renewed focus on privacy-focused tools and products. The Firefox developer today lifted the lid on the first product to emerge from the new Test Pilot, and it appears to be something akin to a virtual private network (VPN) in all but name. From a report: Firefox Private Network, as the new tool is called, is available in beta today for logged-in Firefox desktop users in the U.S. only, and is accessible through a browser extension. By way of a quick recap, Mozilla debuted Firefox Test Pilot a decade ago but then relaunched it back in 2016. Test Pilot went on to attain an average of 100,000 daily users, each looking to test Mozilla's latest developments -- including a price-tracking feature for online shoppers, content recommendations based on browsing activity, and more.

Some of these became full-fledged features within Firefox and others did not, but back in January Mozilla announced it was killing its Test Pilot program altogether. This came as something of a surprise given Mozilla's own statements about the success of the program. At the time, Mozilla said it was "evolving" its approach to experimentation and suggested it was looking to ideate more widely across the company. Fast-forward nine months, and Firefox Test Pilot is back for a third time.

Firefox

Firefox Will Soon Encrypt DNS Requests By Default (engadget.com) 147

This month Firefox will make DNS over encrypted HTTPS the default for the U.S., with a gradual roll-out starting in late September, reports Engadget: Your online habits should be that much more private and secure, with fewer chances for DNS hijacking and activity monitoring.

Not every request will use HTTPS. Mozilla is relying on a "fallback" method that will revert to your operating system's default DNS if there's either a specific need for them (such as some parental controls and enterprise configurations) or an outright lookup failure. This should respect the choices of users and IT managers who need the feature turned off, Mozilla said. The team is watching out for potential abuses, though, and will "revisit" its approach if attackers use a canary domain to disable the technology.

Users will be given the option to opt-out, explains Mozilla's official announcement. "After many experiments, we've demonstrated that we have a reliable service whose performance is good, that we can detect and mitigate key deployment problems, and that most of our users will benefit from the greater protections of encrypted DNS traffic."

"We feel confident that enabling DNS-over-HTTPS by default is the right next step."

Mozilla

Mozilla Outlines Plan For Manifest V3 Extensions API (mozilla.org) 13

New submitter q4Fry writes: When Google released its changes to the Chrome WebExtensions API for comment, many groups criticized them for cutting off ad-blockers at the knees. Now, Mozilla has released its plan for following (and departing from) the APIs that Chrome may adopt.

Will Mozilla follow Google with these changes? In the absence of a true standard for browser extensions, maintaining compatibility with Chrome is important for Firefox developers and users. Firefox is not, however, obligated to implement every part of v3, and our WebExtensions API already departs in several areas under v2 where we think it makes sense.


Mozilla

Firefox 69 Ratchets Up Tracking Protection, Switching it On by Default (cnet.com) 31

Mozilla has switched on Firefox's tracking protection feature for everyone on Windows and Android, dialing up its effort to protect privacy from website publishers and advertisers that would like to keep tabs on your online behavior. From a report: Mozilla enabled tracking protection for new Firefox users in June, but now it's on for everyone, the nonprofit said Tuesday. Tracking protection is all the rage among browser makers, including Apple's Safari, Brave Software's Brave and Microsoft's new Chromium-based Edge. Even Google's Chrome, long the laggard among major browsers, is starting to tackle the problem. It's a thorny issue for websites and advertisers that seek to improve advertising revenue by targeting ads based on their assessment of your interests. "Currently over 20% of Firefox users have Enhanced Tracking Protection on. With today's release, we expect to provide protection for 100% of our users by default," Mozilla said in a blog post Tuesday.

Firefox

Upcoming Firefox Update Will Decrease Power Usage on macOS by Up To Three Times (zdnet.com) 84

Mozilla teased today an upcoming update for Firefox on macOS that it says will reduce power consumption by a factor of up to three. From a report: The primary beneficiaries of this upcoming update are Macbook users, who can now expect longer battery lives while using Firefox. Firefox's increased battery consumption has been a problem for Mozilla, and a black stain on the Firefox Quantum release -- a revamped, performance-centric version of the older Firefox browser. While Firefox Quantum has received praises for its increased page loading speeds, Macbook users haven't been that delighted, especially when they're mobile and have to rely on the notebook's battery as long as possible.

Google

EFF Warns: 'Don't Play in Google's Privacy Sandbox' (eff.org) 52

An EFF analysis looks at the problems with some of Google's new "Privacy Sandbox" proposals, a few of which it calls "downright dangerous": Perhaps the most fleshed-out proposal in the Sandbox is the conversion measurement API. This is trying to tackle a problem as old as online ads: how can you know whether the people clicking on an ad ultimately buy the product it advertised....? Google's ID field can contain 64 bits of information -- a number between 1 and 18 quintillion. This will allow advertisers to attach a unique ID to each and every ad impression they serve, and, potentially, to connect ad conversions with individual users. If a user interacts with multiple ads from the same advertiser around the web, these IDs can help the advertiser build a profile of the user's browsing habits.

Even worse is Google's proposal for Federated Learning of Cohorts (or "FLoC").... FLoC would use Chrome users' browsing history to do clustering. At a high level, it will study browsing patterns and generate groups of similar users, then assign each user to a group (called a "flock"). At the end of the process, each browser will receive a "flock name" which identifies it as a certain kind of web user. In Google's proposal, users would then share their flock name, as an HTTP header, with everyone they interact with on the web. This is, in a word, bad for privacy. A flock name would essentially be a behavioral credit score: a tattoo on your digital forehead that gives a succinct summary of who you are, what you like, where you go, what you buy, and with whom you associate...

If the Privacy Sandbox won't actually help users, why is Google proposing all these changes? Google can probably see which way the wind is blowing. Safari's Intelligent Tracking Prevention and Firefox's Enhanced Tracking Protection have severely curtailed third-party trackers' access to data. Meanwhile, users and lawmakers continue to demand stronger privacy protections from Big Tech. While Chrome still dominates the browser market, Google might suspect that the days of unlimited access to third-party cookies are numbered. As a result, Google has apparently decided to defend its business model on two fronts. First, it's continuing to argue that third-party cookies are actually fine, and companies like Apple and Mozilla who would restrict trackers' access to user data will end up harming user privacy. This argument is absurd. But unfortunately, as long as Chrome remains the most popular browser in the world, Google will be able to single-handedly dictate whether cookies remain a viable option for tracking most users.

At the same time, Google seems to be hedging its bets. The "Privacy Sandbox" proposals for conversion measurement, FLoC, and PIGIN are each aimed at replacing one of the existing ways that third-party cookies are used for targeted ads. Google is brainstorming ways to continue serving targeted ads in a post-third-party-cookie world. If cookies go the way of the pop-up ad, Google's targeting business will continue as usual.

The Sandbox isn't about your privacy. It's about Google's bottom line. At the end of the day, Google is an advertising company that happens to make a browser.

Mozilla

Mozilla CEO Chris Beard Will Step Down at the End of the Year (techcrunch.com) 27

Chris Beard announced today his plans to step down as Mozilla Corporation CEO at the end of 2019. Beard joined the web software company in 2004, remaining an employee since then, with the exception of 2013, when he left to become Greylock's "executive-in-residence," while remaining on as an advisor. From a report: Beard was appointed interim CEO for Mozilla in April 2014, coming on as full time chief executive in July of that same year. The company has seen a bit of a resurgence in recent years, after having ceded much of its browser marketshare to the likes of Google and Apple. Firefox has undergone something of a renaissance over the past year, as have the company's security tools. "Today our products, technology and policy efforts are stronger and more resonant in the market than ever, and we have built significant new organizational capabilities and financial strength to fuel our work," Beard said in the blog post. "From our new privacy-forward product strategy to initiatives like the State of the Internet we're ready to seize the tremendous opportunity and challenges ahead to ensure we're doing even more to put people in control of their connected lives and shape the future of the internet for the public good."

Chrome

Apple, Google, and Mozilla Block Kazakhstan's HTTPS Intercepting Certificate (zdnet.com) 80

Apple, Google, and Mozilla have moved in to ban a root certificate the Kazakhstan government used in the past month to spy on its citizens' web traffic. From a report: Starting today, Chrome, Firefox, and Safari will show errors if any HTTPS web traffic is encrypted with the Kazakh government's root or leaf certificates. This coordinated action will ensure the safety of Kazakh users who were forced last month by their local Kazakh ISPs to install this certificate under the threat of not being allowed to use the internet otherwise. Kazakh ISPs forced their customers to install the government's root certificate after the Kazakh government issued a decree and said the measure was "aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats." But in reality, the Kazakh government abused this root certificate installed in millions of users' browsers to intercept and decrypt HTTPS traffic users were making to 37 domains, such as Facebook, Google, Twitter, Instagram, and YouTube.

Chrome

Chrome and Firefox Changes Spark the End of 'Extended Validation' Certificates (bleepingcomputer.com) 56

"Upcoming changes in Google Chrome and Mozilla Firefox may finally spark the end for Extended Validation certificates as the browsers plan to do away with showing a company's name in the address bar," reports Bleeping Computer. When connecting to a secure web site, an installed SSL/TLS certificate will encrypt the communication between the browser and web server. These certificates come in a few different flavors, with some claiming to offer a more thorough verification process or extra perks. One certificate type, called EV Certificates, is known for having a browser display the owner of the certificate directly in the browser's address bar. This allegedly makes the site feel more trustworthy to a visitor.

In reality, the different types of SSL/TLS certificates all serve a single purpose and that is to encrypt the communication between a browser and web site. Anything extra is seen by many as just a marketing gimmick to charge customers for a more expensive "trustworthy" certificate. In numerous blog posts, security researcher Troy Hunt has stated that EV Certificates will soon be dead as more and more sites switch away from them, because they are much harder to manage due to extra verification times, and because people have come to associate a padlock with a secure site rather than a company name.

With Safari already removing EV Certificate company info from the address bar, most mobile browsers not showing it, and Chrome and Mozilla desktop browsers soon to remove it, Hunt's predictions are coming true. EV Certificates will soon be dead.

AmiMoJo shared this post from Google's Chromium blog: Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection. Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.

Mozilla

Mozilla Debuts Implementation of WebThings Gateway Open Source Router Firmware (venturebeat.com) 57

An anonymous reader shares a report: For the better part of two years, the folks at Mozilla have been diligently chipping away at Mozilla WebThings, an open implementation of the World Wide Web Consortium's (W3C) Web of Things standard for monitoring and controlling connected devices. In April, it gained a number of powerful logging, alarm, and networking features, and this week, a revamped component of WebThings -- WebThings Gateway, a privacy- and security-focused software distribution for smart home gateways -- formally debuted. Experimental builds of WebThings Gateway 0.9 are available on GitHub for the Turris Omnia router, with expanded support for routers and developer boards to come down the line. (Separately, there's a new build compatible with the recently announced Raspberry Pi 4.) Mozilla notes that it currently only offers "extremely basic" router configuration and cautions against replacing existing firmware, but the company says that it's a noteworthy milestone in its path to creating a full software distribution for wireless routers.

Firefox

Firefox To Warn When Saved Logins are Found in Data Breaches (bleepingcomputer.com) 134

Starting in Firefox 70, Mozilla aims to have the browser report when any of your saved logins were found in data breaches. This will be done through their partnership with the Have I Been Pwned data breach site. From a report: Mozilla is slowly integrating their independent Firefox Monitor service and the new Firefox Lockwise password manager directly into Firefox. Mozilla is also considering premium services based around these features in the future. As part of this integration, Firefox will scan the saved login names and passwords and see if they were exposed in a data breach listed on Have I Been Pwned. If one is found, Firefox will alert the user and prompt them to change their password. This new feature will only work, though, for data breaches that exposed passwords and when the password was saved prior to an associated data breach.

Firefox

Firefox 68 Arrives With Darker Reader View, Recommended Extensions, and IT Customizations (venturebeat.com) 69

Mozilla today launched Firefox 68 for Windows, Mac, Linux, Android, and iOS. Firefox 68 includes a darker reader view, recommended extensions, IT Pro customizations, and more. From a report: As part of this release, Mozilla has curated a list of recommended extensions "that have been thoroughly reviewed for security, usability, and usefulness." You can find the list on the Get Add-ons page in the Firefox Add-ons Manager (about:addons). While Firefox has had dark mode for months, the Reader View's dark contrast only covered the text area. Now, when you change the contrast to dark, all sections of the site (including sidebars and toolbars) will be immersed in dark mode.

With Firefox 60, Mozilla introduced an enterprise version of the browser that employers can customize. This let IT professionals configure Firefox for their organization, either using Group Policy on Windows or a JSON file that works across Windows, Mac, and Linux. With Firefox 68, Mozilla has added more enterprise policies -- to configure or remove the new tab page, turn off search suggestions, and so on.

Mozilla

Mozilla Blocks UAE Bid To Become an Internet Security Guardian After Hacking Reports (reuters.com) 21

Firefox browser maker Mozilla is blocking the United Arab Emirates' government from serving as one of its internet security gatekeepers, citing Reuters reports on a UAE cyber espionage program. From a report: Mozilla said in a statement on Tuesday it was rejecting the UAE's bid to become a globally recognized internet security watchdog, empowered to certify the safety of websites for Firefox users. Mozilla said it made the decision because cybersecurity firm DarkMatter would have administered the gatekeeper role and it had been linked by Reuters and other reports to a state-run hacking program. Reuters reported in January that Abu Dhabi-based DarkMatter provided staff for a secret hacking operation, codenamed Project Raven, on behalf of an Emirati intelligence agency. The unit was largely comprised of former U.S. intelligence officials who conducted offensive cyber operations for the UAE government. Former Raven operatives told Reuters that many DarkMatter executives were unaware of the secretive program, which operated from a converted Abu Dhabi mansion away from DarkMatter's headquarters.
Security

Serious Zoom Security Flaw Could Let Websites Hijack Mac Cameras (theverge.com) 54

Security researcher Jonathan Leitschuh has publicly disclosed a serious zero-day vulnerability for the Zoom video conference app on Macs that could allow websites to turn on user cameras without permission. The Verge reports: He has demonstrated that any website can open up a video-enabled call on a Mac with the Zoom app installed. That's possible in part because the Zoom app apparently installs a web server on Macs that accepts requests regular browsers wouldn't. In fact, if you uninstall Zoom, that web server persists and can reinstall Zoom without your intervention. Leitschuh details how he responsibly disclosed the vulnerability to Zoom back in late March, giving the company 90 days to solve the problem. According to Leitschuh's account, Zoom doesn't appear to have done enough to resolve the issue. The vulnerability was also disclosed to both the Chromium and Mozilla teams, but since it's not an issue with their browsers, there's not much those developers can do. The report notes that you can "patch" the vulnerability by making sure the Mac app is up to date and also disabling the setting that allows Zoom to turn your camera on when joining a meeting. "Again, simply uninstalling Zoom won't fix this problem, as that web server persists on your Mac," reports The Verge. "Turning off the web server requires running some terminal commands, which can be found at the bottom of the Medium post."

Mozilla

Mozilla is Funding a Way To Support Julia in Firefox (zdnet.com) 95

Mozilla is funding a project for bringing the Julia programming language to Firefox and the general browser environment. From a report: The project received funding as part of the Mozilla Research Grants for the first half of 2019, which the browser maker announced on Friday. In April, when Mozilla opened this year's submissions period for research grants, the organization said it was looking for a way to bring data science and scientific computing tools to the web. It said it was specifically interested in receiving submissions about supporting R or Julia at the browser level. Both R and Julia are programming languages designed for high-performance numerical, statistical, and computational science.

Mozilla engineers have worked in previous years to port data science tools at the browser level, as part of Project Iodide. Previously, as part of this project, Mozilla engineers ported the Python interpreter to run in the browser using WebAssembly. "This project, Pyodide, has demonstrated the practicality of running language interpreters in WebAssembly," Mozilla engineers said.

Mozilla

Mozilla Set To Offer Ad-Free News Consumption Capability on Firefox For $5 Per Month (betanews.com) 94

As previously announced, Mozilla has started to tease the launch of a new $5 monthly subscription to a variety of online news publishers that involves no ads. The idea is that a single, low subscription fee gives you access to a number of sites with the ads removed. From a report: You pay a monthly fee to Mozilla, and this money is shared with its partners to help fund an ad-free internet experience. More than this, Mozilla says that the subscription fee will also grant access to audio versions of articles, article synchronization and more. In a page which promises people the chance to "support the sites you love, avoid the ads you hate", Mozilla says: "We've partnered with some of the world's greatest publishers to bring you a better journalism experience. We share your payment directly with the sites you read. They make more money which means they can bring you great content without needing to distract you with ads just to keep the lights on."
