Mozilla

Firefox 79 Stable Will Let Users Test Unreleased Features Using 'Experiments' (thewindowsclub.com) 22

Both Edge and Chrome already allow users to try unreleased, experimental features (by typing about:flags in the address bar). Soon there'll be a similar "Firefox Experiments" option starting in Firefox 79.

Slashdot reader techtsp shares this report from the Windows Club: Mozilla has a dedicated Experimental Features page on MDN just for that. But limiting experimental features to Firefox's Nightly channel has a limitation: A fairly limited number of "curious" users. Now, extending some of these experimental features to stable releases will increase the scope of "Firefox Experiments" as a whole... This option will allow users to enable/disable experimental features under Preferences...

[In Firefox 79] Navigate to Preferences by entering about:preferences in the browser's address bar or click the gear icon and got to "Preferences." Discover and set browser.preferences.experimental to True. Now, you should be able to see the "Firefox Experiments" menu under Firefox 79 Preferences.

Mozilla

Comcast Becomes the First ISP To Join Mozilla's TRR Program (neowin.net) 85

Comcast has joined Cloudflare and NextDNS in partnering with Mozilla's Trusted Recursive Resolver program, which aims to make DNS more trusted and secure. Neowin reports: Commenting on the move, Firefox CTO Eric Rescorla, said: "Comcast has moved quickly to adopt DNS encryption technology and we're excited to have them join the TRR program. Bringing ISPs into the TRR program helps us protect user privacy online without disrupting existing user experiences. We hope this sets a precedent for further cooperation between browsers and ISPs."

With its TRR program, Mozilla said that encrypting DNS data with DoH is just the first step in securing DNS. It said that the second step requires companies handling the data to have appropriate rules in place for handling it. Mozilla believes these rules include limiting data collection and retention, ensuring transparency about any retained data, and limiting the use of the resolver to block access or modify content.
Ars Technica notes that joining Mozilla's program means that Comcast agreed that it won't "retain, sell, or transfer to any third party (except as may be required by law) any personal information, IP addresses, or other user identifiers, or user query patterns from the DNS queries sent from the Firefox browser," along with other requirements.

When the change happens, it'll be automatic for users unless they've chosen a different DoH provider or disabled DoH altogether. Comcast told Ars yesterday that "Firefox users on Xfinity should automatically default to Xfinity resolvers under Mozilla's Trusted Recursive Resolver program, unless they have manually chosen a different resolver, or if DoH is disabled. The precise mechanism is still being tested and the companies plan to document it soon in an IETF [Internet Engineering Task Force] Draft."
Privacy

Safari 14 Will Let You Log in To Websites With Your Face or Finger (cnet.com) 42

With Safari on iOS 14, MacOS Big Sur and iPadOS 14, you'll be able to log in to websites using Apple's Face ID and Touch ID biometric authentication. That's a powerful endorsement for technology called FIDO -- Fast Identity Online -- that's paving the way to a future without passwords. From a report: Apple disclosed the biometric authentication support in Safari on Wednesday at WWDC, its annual developers conference. "It's both much faster and more secure," Apple Safari programmer Jiewen Tan said during one of the WWDC video sessions Apple offered after the coronavirus pandemic pushed the conference online. The change is a big boost for browser technology called Web Authentication, aka WebAuthn, developed by the FIDO consortium allies. Apple's not the first supporter -- it's already in Mozilla Firefox, Google Chrome and Microsoft Edge, and works with Windows Hello facial recognition and Android fingerprint authentication.
Firefox

Microsoft Edge Accused of Sneakily Importing Firefox Data In Windows 10 (softpedia.com) 48

Some Firefox users have discovered that the new default Windows 10 browser, which is shipped to their devices via Windows Update, sometimes imports the data from Mozilla's application even if they don't give their permission. Softpedia reports: Some of these Firefox users decided to kill the initial setup process of Microsoft Edge, only to discover that despite the wizard shutting down prematurely, the browser still copied data stored by Mozilla's browser. Several users confirmed on reddit that this behavior happened on their computers too. Microsoft has remained tight-lipped on this, so for the time being, it's still not known why Edge imports Firefox data despite the initial wizard actually killed off manually by the user. Users who don't want to be offered the new Edge on Windows Update can turn to the dedicated toolkit that Microsoft released earlier this year, while removing the browser is possible by just uninstalling the update from the device.
Firefox

Mozilla To Launch VPN Product 'in the Next Few Weeks' (zdnet.com) 73

An anonymous reader quotes a report from ZDNet: Mozilla has announced today that its highly anticipated VPN (virtual private network) service will launch later this summer, "in the next few weeks." The product has also been renamed from its original name of Firefox Private Network to its new brand of the "Mozilla VPN." The name change came after Mozilla expanded the VPN product from the initial Firefox extension to a full-device VPN, capable of routing traffic for the entire OS, including other browsers. Currently, the Mozilla VPN offers clients for Windows 10, Chromebooks, Android, and iOS devices. Mozilla said beta testers also requested a Mac client, which they plan to provide, along with a Linux app.
Mozilla

Mozilla, EFF, 19,000 Citizens Urge Zoom To Reverse End-to-End Encryption Decision 44

Mozilla, Electronic Frontier Foundation (EFF), and more than 19,000 internet users today urged Zoom CEO Eric Yuan to reverse his decision to deny end-to-end encryption to users of its free service end-to-end encryption, saying it puts activists and other marginalized groups at risk. Earlier this month, Zoom announced it will offer end-to-end encryption, but only to those who pay. From a statement: The pressure to reverse the decision comes as racial justice activists are using tools like Zoom to organize protests. Without end-to-end encryption, information shared in their online meetings could be intercepted -- a concern that has been legitimized by both recent actions by law enforcement and a long-term history of discriminatory policing. Mozilla and EFF today are presenting an open letter to Yuan, co-signed by 19,000 people, maintaining that privacy and best-in-class security should be the default, not something that only the wealthy or businesses can afford.
Mozilla

Mozilla Eyes Decentralized Web-Based Videoconferencing Platform 'Meething' (zdnet.com) 40

Last month Techcrunch reported that Mozilla had gone "full incubator" by holding a startup lab called Fix the Internet, followed by "a formal program dangling $75,000 investments in front of early-stage companies..."

Fix the Internet had many key themes, including collaboration and decentralization (as well as user-controlled data and privacy-protecting social networks). That event "drew the interest of some 1,500 people in 520 projects, and 25 were chosen to receive the full package and stipend during the development of their minimum viable product (MVP). Below that, as far as pecuniary commitment goes, is the 'MVP Lab,' similar to the spring program but offering a total of $16,000 per team."

And one of those MVP Lab teams is Meething, a new video conferencing and collaboration platform from the innovation lab ERA. Meething "aims to be more secure than existing video conferencing tools and run on a decentralized database engine and leverage peer-to-peer networking" according to ZDNet.

In their video interview with CEO Mark Nadal, he outlined the following selling points:
  • Browser based video conferencing gives customers better options for security as well as branding.
  • Open source architecture is a win and the peer-to-peer networking is more efficient on compute costs.
  • Meething doesn't require downloads or apps that increase the security attack surface.

    The total addressable market for video conferencing is large and can support multiple players.

Their press release quotes Mark Mayo, a former Chief Product Officer at Mozilla who served as Meething's mentor, arguing that video conferencing on the web "has long promised to enable a whole new world of online collaboration. Frankly, it hasn't delivered. It's been way too hard to build cool products with video and Meething aims to be the zero-barrier-to-entry platform that realizes this future. Soon, video conferencing won't suck!"


Firefox

Firefox 77 Arrives With Faster JavaScript Debugging and Optional Permissions (venturebeat.com) 30

An anonymous reader writes: Mozilla today launched Firefox 77 for Windows, Mac, and Linux. Firefox 77 includes faster JavaScript debugging, optional permissions for extensions, and Pocket recommendations in the U.K. You can download Firefox 77 for desktop now from Firefox.com, and all existing users should be able to upgrade to it automatically. According to Mozilla, Firefox has about 250 million active users, making it a major platform for web developers to consider. [...] Other than Pocket recommendations arriving in the U.K. (they've been in Canada, Germany, and the U.S. since April 2018), this is primarily a developer release. Firefox's Debugger is now better at handling large web apps with all their bundling, live reloading, and dependencies. Mozilla is promising performance improvements that speed up pausing and stepping, as well as cutting down on memory usage over time. Source maps should also see performance boosts -- some inline source maps load 10 times faster -- and improved reliability for many configurations. The debugger will now also respect the currently selected stack when stepping, which is useful when you've stepped into a function call or paused in a library method further down in the stack.
United States

Tech Companies Urges US House to Protect the Privacy of Americans' Browsing and Search History (techspot.com) 49

While reinstating the PATRIOT Act, the U.S. Senate blocked an amendment which would've shielded Americans' browsing and search histories from warrantless searches.

But that fight may not be over, reports TechSpot: [S]everal tech companies including Mozilla, Reddit, Twitter, and Patreon have co-signed a letter asking the House of Representatives to tidy up this mess. The House still needs to pass the bill for it to become law, and they can force the inclusion of the amendment. They vote this week.

"Our users demand that we serve as responsible stewards of their private information, and our industry is predicated on that trust," says the letter. "Americans deserve to have their online searches and browsing kept private, and only available to the government pursuant to a warrant."

The amendment has also received support from dozens of civil rights and liberties groups, including the NAACP, the American Civil Liberties Union, and the Human Rights Watch. They co-signed a separate letter last week...

"[S]upport for the underlying policy is now abundantly clear," argues the second letter, "both within Congress and among thepublic: the FBI should not be allowed to use the PATRIOT Act to surveil Americans' online activity without a warrant."
Chrome

Chromium Project Finds 70% of Its Serious Security Bugs Are Memory Safety Problems (chromium.org) 154

"Around 70% of our serious security bugs are memory safety problems," the Chromium project announced this week. "Our next major project is to prevent such bugs at source."

ZDNet reports: The percentage was compiled after Google engineers analyzed 912 security bugs fixed in the Chrome stable branch since 2015, bugs that had a "high" or "critical" severity rating. The number is identical to stats shared by Microsoft. Speaking at a security conference in February 2019, Microsoft engineers said that for the past 12 years, around 70% of all security updates for Microsoft products addressed memory safety vulnerabilities. Both companies are basically dealing with the same problem, namely that C and C++, the two predominant programming languages in their codebases, are "unsafe" languages....

Google says that since March 2019, 125 of the 130 Chrome vulnerabilities with a "critical" severity rating were memory corruption-related issues, showing that despite advances in fixing other bug classes, memory management is still a problem... Half of the 70% are use-after-free vulnerabilities, a type of security issue that arises from incorrect management of memory pointers (addresses), leaving doors open for attackers to attack Chrome's inner components...

While software companies have tried before to fix C and C++'s memory management problems, Mozilla has been the one who made a breakthrough by sponsoring, promoting and heavily adopting the Rust programming language in Firefox... Microsoft is also heavily investing in exploring C and C++ alternatives⦠But this week, Google also announced similar plans as well... Going forward, Google says it plans to look into developing custom C++ libraries to use with Chrome's codebase, libraries that have better protections against memory-related bugs. The browser maker is also exploring the MiraclePtr project, which aims to turn "exploitable use-after-free bugs into non-security crashes with acceptable performance, memory, binary size and minimal stability impact."

And last, but not least, Google also said it plans to explore using "safe" languages, where possible. Candidates include Rust, Swift, JavaScript, Kotlin, and Java.

Firefox

Firefox 78 To Prevent Websites From Forcing Users To Save PDF Documents (thewindowsclub.com) 69

"Firefox will prevent websites from forcing users to directly save PDFs without opening them in the web browser window," reports The Windows Club.

"Mozilla is rolling out this feature to the masses with the stable release of Firefox 78." Right now, Mozilla has added this feature to Firefox 78 in the Nightly channel.

The issue was first raised in 2011, and it took Mozilla 9 years to fix it. Many websites host and offer PDF documents with the following HTTP header:

Content-Disposition: attachment; filename="whatever.pdf."

This is an indication to the web browser that the PDF file should be saved with the specified name rather than try opening it in the web browser window. But since Firefox has a built-in PDF viewer, it should be for users to decide whether they want to view or save PDF documents.

Programming

Microsoft: Here's Why We Love Programming Language Rust and Kicked off Project Verona (zdnet.com) 171

Microsoft has explained why it's pursuing 'safe systems programming' through efforts like its experimental Rust-inspired Project Verona language and its exploration of the Rust programming language for Windows code written in C++. From a report: The short answer is that Microsoft is trying to eliminate memory-related bugs in software written in languages like C++, according to Microsoft Rust expert Ryan Levick. These bugs cost a lot to fix and make up a large share of Patch Tuesday hassles. Levick has now offered more insights into Microsoft's efforts behind safe systems programming. Systems programming includes coding for platforms like Windows, Xbox, and Azure, as opposed to programming applications that run on them.

Key systems programming languages include C++, Google-backed Go, and Mozilla-created Rust, but Rust and Go are 'memory-safe' languages while C++ is not. Other languages are memory safe, such as Swift and Kotlin, but they aren't for systems programming. The thing for Microsoft is that it writes a lot of its platform software in C++ and sometimes still in C. While it works hard to address memory issues, the company says it has "reached a wall". "We can't really do much more than we already have. It's becoming harder and harder and more and more costly to address these issues over time," says Levick, who joined Microsoft via its acquisition of Wanderlist, which has become Microsoft To Do. He gave a rundown of Microsoft's safe systems programming efforts in a session at Build 2020 this week.

Mozilla

Mozilla Goes Full Incubator With 'Fix The Internet' Startup Lab and Early-Stage Investments (techcrunch.com) 43

After testing the waters this spring with its incubator-esque MVP Lab, Mozilla is doubling down on the effort with a formal program dangling $75,000 investments in front of early-stage companies. From a report: The focus on "a better society" and the company's open-source clout should help differentiate it from the other options out there. Spurred on by the success of a college hackathon using a whole four Apple Watches in February, Mozilla decided to try a more structured program in the spring. The first test batch of companies is underway, having started in April an 8-week program offering $2,500 per team member and $40,000 in prizes to give away at the end. Developers in a variety of domains were invited to apply, as long as they fit the themes of empowerment, privacy, decentralization, community and so on. It drew the interest of some 1,500 people in 520 projects, and 25 were chosen to receive the full package and stipend during the development of their MVP. The rest were invited to an "Open Lab" with access to some of Mozilla's resources.
Firefox

Firefox 76 Arrives With Password Management and Zoom Improvements (venturebeat.com) 75

Mozilla today launched Firefox 76 for Windows, Mac, and Linux. Firefox 76 includes new Firefox Lockwise password functionality, Zoom improvements, and a handful of developer features. From a report: Lockwise, the password management service formerly known as Firefox Lockbox, is getting smarter. The Firefox feature already lets you generate, manage, and protect all those passwords for streaming services, grocery deliveries, and anything else that helps during the pandemic. If you share your device with family or roommates, Lockwise in Firefox 76 can now protect your saved passwords. When you try to view or copy a password from your "Logins and Passwords" page, you will be prompted for your device's account password.

[...] Firefox 76 adds support for Audio Worklets, which run custom JavaScript audio processing code for applications like VR and gaming on the web. Unlike their predecessor, ScriptProcessorNode, worklets run off the main thread in a similar way to web workers. Mozilla also notes Audio Worklets are "being adopted by some of your favorite software programs." The company specifically called out Zoom, which has become a phenomenon of its own during the pandemic. In short, you now join Zoom calls in Firefox without having to download or install the Zoom client.

Firefox

New Firefox Service Will Generate Unique Email Aliases To Enter In Online Forms (zdnet.com) 70

An anonymous reader writes: Browser maker Mozilla is working on a new service called Private Relay that generates unique aliases to hide a user's email address from advertisers and spam operators when filling in online forms. The service entered testing last month and is currently in a closed beta, with a public beta currently scheduled for later this year, ZDNet has learned. Private Relay will be available as a Firefox add-on that lets users generate a unique email address -- an email alias -- with one click. The user can then enter this email address in web forms to send contact requests, subscribe to newsletters, and register new accounts. "We will forward emails from the alias to your real inbox," Mozilla says on the Firefox Private Relay website. "If any alias starts to receive emails you don't want, you can disable it or delete it completely," the browser maker said.
Mozilla

Firefox Raises Its Bug Bounties to $10,000 (mozilla.org) 5

"We're updating our bug bounty policy and payouts to make it more appealing to researchers and reflect the more hardened security stance we adopted after moving to a multi-process, sandboxed architecture," reports the Mozilla security blog: Besides rewarding duplicate submissions, we're clarifying our payout criteria and raising the payouts for higher impact bugs. Now, sandbox escapes and related bugs will be eligible for a baseline $8,000, with a high quality report up to $10,000. Additionally, proxy bypass bugs are eligible for a baseline of $3,000, with a high quality report up to $5,000...

Additionally, we'll be publishing more posts about how to get started testing Firefox — which is something we began by talking about the HTML Sanitization we rely on to prevent UXSS. By following the instructions there you can immediately start trying to bypass our sanitizer using your existing Firefox installation in less than a minute...

Lastly, we would like to let you know that we have cross-posted this to our new Attack & Defense blog. This new blog is a vehicle for tailored content specifically for engineers, security researchers, and Firefox bug bounty participants.

They point out that Firefox has one of the world's oldest bug bounty programs, dating back to 2004 -- and it's still going strong. "From 2017-2019, we paid out $965,750 to researchers across 348 bugs, making the average payout $2,775 — but as you can see in the graph below, our most common payout was actually $4,000!"
Programming

Why Aren't More Developers Using Rust? (zdnet.com) 341

An anonymous reader quotes ZDNet: Rust has been voted the "most-loved" programming language by developers on Stack Overflow for four years in a row. But the Rust project now admits it has an adoption problem among developers and organizations. Rust's adoption issue surfaced in January's Stack Overflow's 2019 survey, which revealed that despite developers' positive feelings toward Rust, 97% of them hadn't actually used it.

Rust maintainers have now explored the adoption challenges in their latest annual survey of nearly 4,000 developers across the world...

Asked why developers have stopped using Rust, the most common response is that the respondent's company doesn't use it, suggesting an adoption issue. Other common reasons are the learning curve, a lack of necessary libraries, and a lack of integrated development environment (IDE) support. The top issues that respondents say the Rust project could do to improve adoption of the language are better training and documentation, followed by better libraries, IDE integration, and improved compile times... "Most indicated that Rust maturity — such as more libraries and complete learning resources and more mature production capabilities — would make Rust more appealing," the project noted....

"The results show the overriding problem hindering use of Rust is adoption. The learning curve continues to be a challenge — we appear to most need to improve our follow-through for intermediate users — but so are libraries and tooling."

The article also notes that Rust is popular with some developers at Microsoft, "who are experimenting with Rust to reduce memory-related bugs in Windows components written in C and C++."
Firefox

Mozilla Installs Scheduled Telemetry Task On Windows With Firefox 75 (ghacks.net) 102

Ghacks writes: Observant Firefox users on Windows who have updated the web browser to Firefox 75 may have noticed that the upgrade brought along with it a new scheduled tasks. The scheduled task is also added if Firefox 75 is installed on a Windows device. The task's name is Firefox Default Browser Agent and it is set to run once per day...
Mozilla says:
  • "We're collecting information related to the system's current and previous default browser setting, as well as the operating system locale and version. This data cannot be associated with regular profile based telemetry data..."
  • "We'll respect user configured telemetry opt-out settings by looking at the most recently used Firefox profile."
  • "We'll respect custom Enterprise telemetry related policy settings if they exist. We'll also respect policy to specifically disable this task."

"Collecting telemetry is one way we're able to ensure we can understand default browser trends in a way that helps us improve Firefox. It's our hope that by better understanding more about our users and their choices around browser preferences, we can continue to build a better Firefox."

Long-time Slashdot reader AmiMoJo writes, "Opting out can be done via the Privacy & Security section of the preferences screen. You can view collected telemetry and view your current settings at about:telemetry."

Bleeping Computer also notes that by default, "For some time, Firefox has been collecting telemetry data about how you use the browser, such as the number of web pages you visit, safebrowsing information, the number of open tabs and windows, what add-ons are installed, and more. This telemetry data is kept for 13 months and IP addresses listed in server logs are deleted every 30 days.

"On my computer, Firefox has collected over 400KB of information."


Open Source

People Are Open-Sourcing Their Patents and Research To Fight Coronavirus (vice.com) 17

An anonymous reader quotes a report from Motherboard: A global group of scientists and lawyers announced their efforts to make their intellectual property free for use by others working on coronavirus pandemic relief efforts -- and urged others to do the same -- as part of the "Open Covid Pledge." Mozilla, Creative Commons, and Intel are among the founding members of this effort; Intel contributed to the pledge by opening up its portfolio of over 72,000 patents, according to a press release. Participants are asked to publicly take the pledge by announcing it on their own websites and issuing a press release.

"Immediate action is required to halt the COVID-19 Pandemic and treat those it has affected," the pledge states. "It is a practical and moral imperative that every tool we have at our disposal be applied to develop and deploy technologies on a massive scale without impediment. We therefore pledge to make our intellectual property available free of charge for use in ending the COVID-19 pandemic and minimizing the impact of the disease." From there, people and companies are asked to adopt a license detailing the terms and conditions their intellectual property will be available; while pledgers are permitted to write their own license based on their needs, the organizers wrote "Open COVID License 1.0" as a template for immediate use, which grants usage rights to anyone working toward "minimizing the impact of the disease, including without limitation the diagnosis, prevention, containment, and treatment of the COVID-19 Pandemic." The license is effective until one year after the World Health Organization declares the pandemic to be over.
Other participants include Berkeley and UCSF's Innovative Genomics Institute, Fabricatorz Foundation, and United Patents.
Mozilla

Longtime Mozilla Leader Mitchell Baker is Now CEO (cnet.com) 34

On Wednesday, Mozilla chair and longtime leader Mitchell Baker was named permanent CEO of the company that makes the Firefox web browser. From a report: Mitchell became interim CEO of Mozilla in December 2019, after former CEO Chris Beard resigned. The company conducted an external candidate search over the last eight months, and concluded the Mitchell is the right leader for Mozilla at this time, according to a company blog post published Wednesday. "Increasingly, numbers of people recognize that the internet needs attention," Baker said in another Mozilla blog post Wednesday. "Mozilla has a special, if not unique role to play here. It's time to tune our existing assets to meet the challenge. It's time to make use of Mozilla's ingenuity and unbelievable technical depth and understanding of the "web" platform to make new products and experiences. It's time to gather with others who want these things and work together to make them real."

Slashdot Top Deals