Firefox

Second Firefox Fix Repairs Broken Browser Extensions For More People (cnet.com) 158

An anonymous reader quotes CNET: "Mozilla on Sunday began distributing new Firefox updates to fix a problem that broke extensions for many browser users on Friday," reports CNET: Mozilla had released an update Saturday, but Sunday's fix should help more people who were still affected. "There are some issues we're still working on, but we wanted to get this release out and get your add-ons back up & running before Monday," Mozilla said in a tweet Sunday... "No active steps need to be taken to make add-ons work again. In particular, please do not delete and/or reinstall any add-ons as an attempt to fix the issue," Kev Needham, Mozilla's product manager for add-ons, said in a blog post about the problem.
Firefox

A Glitch Is Breaking All Firefox Extensions (techcrunch.com) 311

Did you just open Firefox only to find all of your extensions disabled and/or otherwise not working? You're not alone, and it's nothing you did. From a report: Reports are pouring in of a glitch that has spontaneously disabled effectively all Firefox extensions. Each extension is now being listed as a "legacy" extension, alongside a warning that it "could not be verified for use in Firefox and has been disabled." A ticket submitted to Mozilla's Bugzilla bug tracker first hit at around 5:40 PM Pacific, and suggests the sudden failure is due to a code signing certificate built into the browser that expired just after 5 PM (or midnight on May 4th in UTC time). Because the glitch stems from an underlying certificate, re-installing extensions won't work -- if you try, you'll likely just be met with a different error message. Getting extensions back for everyone is going to require Mozilla to issue a patch.
UPDATE (5/5/2019): On Sunday Mozilla released the second of two weekend updates to address the problem, tweeting that "There are some issues we're still working on, but we wanted to get this release out and get your add-ons back up & running before Monday."
Firefox

Mozilla Says It Will Ban Firefox Add-ons With Obfuscated Code (betanews.com) 148

DarkRookie2 writes: As Mozilla continues to try to make it safer than ever to use Firefox, the organization has updated its Add-on Policy so that any updates that include obfuscated code are explicitly banned. Mozilla has also set out in plain terms its blocking process for add-ons and extensions. While there is nothing surprising here, the clarification should mean that there are fewer causes for disputes when an add-on is blocklisted. The updated Add-on policy comes into force on June 10, so add-on developers have a little more than a month to take note of the changes and comply. Mozilla says that the move is designed to help it better deal with malicious extensions. Mozilla also plans to be more aggressive towards taking down extensions that break its policies, with a heavy focus on security issues. ZDNet adds: [...] Starting with June 10, Mozilla's team will also be more aggressive in blocking and disabling Firefox add-ons in users' browsers that are found to be violating one of the company's policies. "We will continue to block extensions for intentionally violating our policies, critical security vulnerabilities, and will also act on extensions compromising user privacy or circumventing user consent or control," Nieman said.
Android

KaiOS Takes on the iOS-Android Mobile Duopoly (economist.com) 58

An anonymous reader shares a report: The Firefox browser, made by the non-profit Mozilla Foundation, was born as "Phoenix." It rose from the ashes of Netscape Navigator, slain by Microsoft's Internet Explorer. In 2012 Mozilla created Firefox OS, to rival Apple's iOS and Google's Android mobile operating systems. Unable to compete with the duopoly, Mozilla killed the project. Another phoenix has arisen from it [Editor's note: the link may be paywalled]. KaiOS, an operating system conjured from the defunct software, powered 30m devices in 2017 and another 50m in 2018. Most were simple flip-phones sold in the West for about $80 apiece, or even simpler ones which Indians and Indonesians can have for as little as $20 or $7, respectively.

Smartphones start at about $100. The company behind the software, also called KaiOS and based in Hong Kong, designed it for smart-ish phones -- with an old-fashioned number pad and long battery life, plus 4G connectivity, popular apps such as Facebook and modern features like contactless payments, but not snazzy touchscreens. Most such devices are found in India. Reliance Jio, a network that has upended the local mobile industry with heavily discounted 4G data plans, sells subsidised, Jio-branded phones that use KaiOS software. Google, which invested $22m in KaiOS last year, prioritises getting people in emerging markets online, where it can sell their attention to advertisers, over getting them onto Android smartphones. Smart-ish phones help with this.

Mozilla

Mozilla Highlights AI Bias and 'Addiction by Design' Tech in Internet Health Report (venturebeat.com) 42

Mozilla this week released the 2019 Internet Health Report, an analysis that brings together insights from 200 experts to examine issues central to the future of the internet. From a report: This year's report chose to focus primarily on injustice perpetuated by artificial intelligence; what NYU's Natasha Dow Schull calls "addiction by design" tech, like social media apps and smartphones; and the power of city governments and civil society "to make the internet healthier worldwide." The Internet Health Report is not designed to issue the web a bill of health, rather it is intended as a call to action that urges people to "embrace the notion that we as humans can change how we make money, govern societies, and interact with one another online."

[...] The modern AI agenda, the report's authors assert, is shaped in part by large tech companies and China and the United States. The report calls particular attention to Microsoft and Amazon's sale of facial recognition software to immigration and law enforcement agencies. The authors point to the work of Joy Buolamwini, whom Fortune recently named "the conscience of the AI revolution." Through audits published by Buolamwini and others in the past year, facial recognition software technology from Microsoft, Amazon's AWS, and other tech companies was found to be less capable of recognizing people with dark skin, particularly women of color.

Programming

Why Modern C++ Still Isn't As Safe As Memory-Safe Languages Like Rust and Swift (alexgaynor.net) 463

Alex Gaynor is a software engineer at Mozilla working on Firefox, after previously serving as a director of both the Python Software Foundation and the Django Software Foundation.

In a new blog post today, he argues that memory-unsafe languages, "principally C and C++," induce an exceptional number of security vulnerabilities, and that the industry needs to migrate to memory-safe languages like Rust and Swift by default. One of the responses I frequently receive is that the problem isn't C and C++ themselves; developers are simply holding them wrong. In particular, I often receive defenses of C++ of the form, "C++ is safe if you don't use any of the functionality inherited from C" or similarly that if you use modern C++ types and idioms you will be immune from the memory corruption vulnerabilities that plague other projects. I would like to credit C++'s smart pointer types, because they do significantly help. Unfortunately, my experience working on large C++ projects which use modern idioms is that these are not nearly sufficient to stop the flood of vulnerabilities...

Modern C++ idioms introduce many changes which have the potential to improve security: smart pointers better express expected lifetimes, std::span ensures you always have a correct length handy, std::variant provides a safer abstraction for unions. However modern C++ also introduces some incredible new sources of vulnerabilities: lambda capture use-after-free, uninitialized-value optionals, and un-bounds-checked span.

My professional experience writing relatively modern C++, and auditing Rust code (including Rust code that makes significant use of unsafe) is that the safety of modern C++ is simply no match for memory safe by default languages like Rust and Swift (or Python and JavaScript, though I find it rare in life to have a program that makes sense to write in either Python or C++). There are significant challenges to migrating existing, large, C and C++ codebases to a different language -- no one can deny this. Nonetheless, the question simply must be how we can accomplish it, rather than if we should try.

The post highlights what he describes as "completely modern C++ idioms which produce vulnerabilities" -- including an example of dangling pointers "despite our meticulous use of smart pointers throughout..."

"Even with the most modern C++ idioms available, the evidence is clear that, at scale, it's simply not possible to hold C++ right."
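The four idioms Gaynor names above (lambda capture use-after-free, a dangling pointer despite smart pointers, dereferencing an empty std::optional, and unchecked indexing into a length-carrying view), each beside the form that avoids it. This is an added example written for this page, not code from Gaynor's post or from any Mozilla project. It assumes a hypothetical Session type and find_port service table, and uses std::string_view as a stand-in for std::span because it compiles under C++17 and has the same unchecked operator[]. The *_unsafe functions are defined but deliberately never called: each is undefined behaviour that may appear to work on a given build, which is exactly why these bugs survive review.

```cpp
#include <cstddef>
#include <functional>
#include <iostream>
#include <memory>
#include <optional>
#include <stdexcept>
#include <string>
#include <string_view>
#include <utility>
#include <vector>

// 1. Lambda capture use-after-free.
// `prefix` is a local and `name` is the caller's reference; capturing both by
// reference lets the closure outlive them. Invoking the returned std::function
// reads a destroyed std::string (undefined behaviour).
std::function<std::string()> make_greeter_unsafe(const std::string& name) {
    std::string prefix = "hello, ";
    return [&prefix, &name] { return prefix + name; };
}

// Capturing by value (moving the strings into the closure) ties both
// lifetimes to the closure object itself.
std::function<std::string()> make_greeter_safe(std::string name) {
    std::string prefix = "hello, ";
    return [p = std::move(prefix), n = std::move(name)] { return p + n; };
}

// 2. Dangling pointer despite smart pointers (hypothetical Session type).
struct Session { int id; };

// .get() hands out a raw pointer that owns nothing. Clearing the vector frees
// the Session, and the observer now points at freed memory (use-after-free).
int observe_session_unsafe() {
    std::vector<std::unique_ptr<Session>> sessions;
    sessions.push_back(std::make_unique<Session>(Session{42}));
    Session* observer = sessions.front().get();
    sessions.clear();
    return observer->id;
}

// A weak_ptr observes without owning and reports expiry instead of dangling.
bool observer_sees_destruction() {
    std::vector<std::shared_ptr<Session>> sessions;
    sessions.push_back(std::make_shared<Session>(Session{42}));
    std::weak_ptr<Session> observer = sessions.front();
    sessions.clear();
    return observer.expired();   // true: the lookup fails cleanly
}

// 3. "Uninitialized-value" optional (hypothetical service table).
std::optional<int> find_port(std::string_view service) {
    if (service == "https") return 443;
    if (service == "ssh") return 22;
    return std::nullopt;
}

// operator* on an empty optional does not throw; it is undefined behaviour
// and typically yields whatever bytes happen to sit in the storage.
int port_unsafe(std::string_view service) { return *find_port(service); }

// value() throws std::bad_optional_access; value_or() substitutes a sentinel.
int port_checked(std::string_view service) { return find_port(service).value(); }
int port_or_default(std::string_view service) { return find_port(service).value_or(-1); }

bool empty_optional_throws() {
    try { port_checked("gopher"); } catch (const std::bad_optional_access&) { return true; }
    return false;
}

// 4. Un-bounds-checked view. string_view, like span, carries its length, yet
// operator[] never compares the index against it: buf[i] past the end is an
// out-of-bounds read, not an exception.
char byte_unsafe(std::string_view buf, std::size_t i) { return buf[i]; }

// The check has to be written explicitly (std::span gains at() only in C++26).
char byte_checked(std::string_view buf, std::size_t i) {
    if (i >= buf.size()) throw std::out_of_range("index past end of view");
    return buf[i];
}

bool overrun_throws() {
    try { byte_checked("abc", 7); } catch (const std::out_of_range&) { return true; }
    return false;
}

int main() {
    // Only the checked variants are exercised; the *_unsafe ones are UB.
    std::cout << make_greeter_safe("firefox")() << '\n'                      // hello, firefox
              << std::boolalpha << observer_sees_destruction() << '\n'        // true
              << port_or_default("gopher") << '\n'                            // -1
              << empty_optional_throws() << ' ' << overrun_throws() << '\n';  // true true
    return 0;
}
```

Note that none of the unsafe variants is rejected by the compiler, and all four compile cleanly with warnings enabled; the checked variants turn the same mistakes into an exception, an expired weak_ptr, or a sentinel value, which is the difference between a crash report and a memory-corruption primitive.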
Chrome

Did Google Sabotage Firefox and IE? (zdnet.com) 231

Firefox's former VP accused Google of sabotaging Firefox -- for example, when Gmail and Google Docs "started to experience selective performance issues and bugs on Firefox" and demo sites "would falsely block Firefox as 'incompatible'... There were dozens of oopses. Hundreds maybe... [W]hen you see a sustained pattern of 'oops' and delays from this organization -- you're being outfoxed."

Now Nightingale's accusations have stirred up some follow-up from technology reporters. An anonymous reader shares a blog post by ZDNet security reporter Catalin Cimpanu: Nightingale is not the first Firefox team member to come forward and make such accusations. In July 2018, Mozilla Program Manager Chris Peterson accused Google of intentionally slowing down YouTube performance on Firefox. He revealed that both Firefox and Edge were superior when loading YouTube content when compared to Chrome, and in order to counteract this performance issue, Google switched to using a JavaScript library for YouTube that they knew wasn't supported by Firefox.

At this point, it's very hard not to believe or take Nightingale's comments seriously. Slowly but surely, Google is becoming the new Microsoft, and Chrome is slowly turning into the new IE, an opinion that more and more users are starting to share.
On Twitter, a senior editor at the Verge added "Google did a lot of 'oops' accidents to Windows Phone, too. Same pattern of behavior with its services and Edge. Oopsy this, oopsy that." The site MSPowerUser also shares a similar story from former Microsoft Edge intern, Joshua Bakita. "I very recently worked on the Edge team, and one of the reasons we decided to end EdgeHTML was because Google kept making changes to its sites that broke other browsers, and we couldn't keep up."

Meanwhile, Computerworld argues that data "backs up Nightingale's admission, to a point." [I]f Google monkey business contributed to Firefox's fall, it must have really damaged Microsoft's IE. During the time it took Chrome to replace Firefox as the No. 2 browser, Firefox lost just 9% of its user share, while IE shed 22%. And Chrome's most explosive growth - which began in early 2016 - didn't come at Firefox's expense; instead, it first hollowed out IE, then suppressed any potential enthusiasm for the follow-on Edge.

Chrome didn't reach its current place -- last month capturing nearly 68% of all browser activity -- by raiding Firefox. It did it by destroying IE.

Oops.

Google

'Some Cheers, A Few Sneers For Google's URL Solution For AMP' (theverge.com) 104

The Verge explains what all the commotion is about: AMP stands for "Accelerated Mobile Pages," and you've probably noticed that those pages load super quickly and usually look much simpler than regular webpages. You may have also noticed that the URL at the top of your browser started with "www.google.com/somethingorother" instead of with the webpage you thought you were visiting. Google is trying to fix that by announcing support for something called "Signed Exchanges." What it should mean is that when you click on one of those links, your URL will be the original, correct URL for the story. Cloudflare is joining Google in supporting the standard for customers who use its services.

In order for this thing to work, every step in the chain of technologies involved in loading the AMP format has to support Signed Exchanges, including your browser, the search engine, and the website that published the link. Right now, that means the URL will be fixed only when a Chrome browser loads a Google search link to a published article that has implemented support.

Mozilla's official position on signed exchanges is that they're "harmful," arguing in a 51-page position paper that there are both security and privacy considerations. Pierre Far, a former Google employee, posted on Twitter that the change "breaks many assumptions about how the web works," and that in addition, "Google is acting too quickly. Other browsers and internet stakeholders have well-founded concerns, and the correct mechanism to address them is the standardization process. Google skipped all that. Naughty." Jeffrey Yasskin, from Chrome's web platform team, even acknowledged that criticism with a tweet of his own. "I think it's fair to say we're pushing it. The question is our motives, which I claim is to improve the web rather than to 'all your base' it, but I would say that either way."

Search Engine Land cited both tweets, and shared some concerns of their own. "The compromise we have to consider before getting on board with Signed HTTP Exchanges is whether we're willing to allow a third party to serve up our content without users being able to tell the difference.

"If we, as digital marketers, want to influence the conventions of our future work environment, we'll have to decide if the gains are enough to disrupt long-standing assumptions of how websites are delivered. If so, we'll also have to cede the ability to judge user intent over to Google and swallow the fact that it skipped over the standardization process to implement a process that one of its own created."
Python

Mozilla To Bring Python To Browsers (venturebeat.com) 111

An anonymous reader quotes a report from VentureBeat: In a step toward its goal of building out a data science development stack for web browsers, Mozilla today detailed Pyodide, an experimental Python project that's designed to perform computation without the need for a remote kernel (i.e., a program that runs and inspects code). As staff data engineer Mike Droettboom explained in a blog post, it's a standard Python interpreter that runs entirely in the browser. And while Pyodide isn't exactly novel -- projects like Transcrypt, Brython, Skulpt, and PyPyJs are among several efforts to bring Python to browsers -- it doesn't require a rewrite of popular scientific computing tools (like NumPy, Pandas, Scipy, and Matplotlib) to achieve adequate performance, and its ability to convert built-in data types enables interactions among browser APIs and other JavaScript libraries.

Pyodide is built on WebAssembly, a low-level programming language that runs with near-native performance, and emscripten (specifically a build of Python for emscripten dubbed "cpython-emscripten"), which comprises a compiler from C and C++ to WebAssembly and a compatibility layer. Emscripten additionally provides a virtual file system (written in JavaScript) that the Python interpreter can use, in which files disappear when the browser tab is closed. To use Pyodide, you'll need the compiled Python interpreter as WebAssembly, JavaScript from emscripten (which provides the system emulation), and a packaged file system containing the files required by the Python interpreter. Once all three components are downloaded, they'll be stored in your browser's cache, obviating the need to download them again.
The report notes that "the Python interpreter inside the JavaScript virtual machine runs between one and 12 times slower in Firefox and up to 16 times slower on Chrome."
Mozilla

Mozilla Wants Apple To Change Users' iPhone Advertiser ID Every Month (zdnet.com) 101

Mozilla has launched a petition today to get Apple to rotate the IDFA unique identifier of iOS users every month. From a report: The purpose of this request is to prevent online advertisers from creating profiles that contain too much information about iOS users. IDFA stands for "IDentifier For Advertisers" and is a per-device unique ID. Apps running on a device can request access to this ID and relay the number to advertising SDKs/partners they use to show ads to their users. As experts from Singular, a mobile marketing firm explain, "IDFAs take the place of cookies in mobile advertising delivered to iOS devices because cookies are problematic in the mobile world." IDFAs are different from UDIDs, which stand for "unique device identifiers," which are permanent and unchangeable device identifiers. Apple added support for IDFAs specifically to replace UDIDs, which many apps were collecting for all sorts of shady reasons, enabling pervasive tracking of iOS users.
Chrome

Former Firefox VP on What It's Like To Be Both a Partner of Google and a Competitor via Google Chrome (twitter.com) 68

Sidewalk Labs, the urban innovation arm of Google's parent company Alphabet, plans to build a $1 billion high-tech neighborhood in Toronto. The problem? It is facing opposition from residents who have called for its demise. As the backlash gains momentum, it could force Sidewalk Labs to abandon or alter its vision. On paper, Sidewalk Labs' idea arguably has some merits: It wishes to "set new standards" for how cities are designed and built. But some are apprehensive of Google's plans, because the company has a knack for assuming more control over things and killing local competition.

Johnathan Nightingale, a former VP of Firefox, has seen such behavior first hand. He draws some parallels: I spent 8 years at Mozilla working on Firefox and for almost all of that time Google was our biggest partner. Our revenue share deal on search drove 90% of Mozilla's income. When I started at Mozilla in 2007, there was no Google Chrome and most folks we spoke with inside were Firefox fans. They were building an empire on the web, we were building the web itself. I think our friends inside Google genuinely believed that. At the individual level, their engineers cared about most of the same things we did. Their product and design folks made many decisions very similarly and we learned from watching each other.

But Google as a whole is very different than individual Googlers. Google Chrome ads started appearing next to Firefox search terms. Gmail and Google Docs started to experience selective performance issues and bugs on Firefox. Demo sites would falsely block Firefox as "incompatible." All of this is stuff you're allowed to do to compete, of course. But we were still a search partner, so we'd say "hey what gives?" And every time, they'd say, "oops. That was accidental. We'll fix it in the next push in 2 weeks." Over and over. Oops. Another accident. We'll fix it soon. We want the same things. We're on the same team. There were dozens of oopses. Hundreds maybe? I'm all for "don't attribute to malice what can be explained by incompetence" but I don't believe Google is that incompetent.

This is not a thread about blaming Google for Firefox troubles though. We at Mozilla wear that ourselves, me more than anyone for my time as Firefox VP. But I see the same play happening here in my city and I don't like it. And for me it means two things: The question is not whether individual Sidewalk Labs people have pure motives. I know some of them, just like I know plenty on the Chrome team. They're great people. But focus on the behavior of the organism as a whole. At the macro level, Google/Alphabet is very intentional. When Google wants to get a thing done, it is very effective. Mistakes happen, but when you see a sustained pattern of "oops" and delays from this organization -- you're being outfoxed. Get there faster than I did.

Mozilla

Mozilla is Launching Curated Recommended Extensions Program This Summer (betanews.com) 33

An anonymous reader shares a report: However much you love your chosen web browser, you have probably enhanced its capabilities through the use of add-ons. Finding decent, reliable add-ons can be tricky, and this is why Mozilla is launching the Recommended Extensions program. This editor-curated program will surface the very best vetted extensions for Firefox, and it is due to roll out in stages later this summer.

Mozilla says that any extensions it recommends through the program will be highlighted across its portfolio of websites and products, including addons.mozilla.org (AMO) and on Firefox's Get Add-Ons page. The company is already identifying extensions it likes the look of, and will soon be reaching out to developers. Changes should be seen on AMO around June.

Mozilla

12 Years After It Was Notified, Firefox To Add Full Protection Against 'Login Prompt' Spam (zdnet.com) 24

Twelve years after it was first notified of the issue, Mozilla has finally shipped a fix this week that will prevent abusive websites -- usually tech support scam sites -- from flooding users with non-stop "authentication required" login popups and preventing users from leaving or closing their browsers. From a report: The fix has been shipped in Firefox v68, the current Nightly release, and will hit the browser's stable branch sometime in early July. According to Firefox engineer Johann Hofmann, starting with Firefox 68, web pages won't be allowed to show more than two login prompts. Starting with the third request, Firefox will intervene to suppress the authentication popup.

Mozilla previously shipped a fix for this issue, but it was incomplete, as it only blocked authentication prompts that originated from subresources, such as iframes. This latest patch completes the fix by blocking all types of authentication required prompts -- including those generated by the site's main domain.

Firefox

Mozilla Will Run Two Experiments This Month With Firefox To Explore Ways To Fight Push Notification Permission Spam (zdnet.com) 98

Mozilla said this week that it intends to run two experiments over the course of this month to determine the most adequate way of dealing with push notification spam, a growing problem that is slowly deteriorating the web experience for everyone. From a report: The experiments will run in Firefox Nightly (v68) and Firefox Beta (v67). The Firefox Nightly experiment will run from April 1 to April 29. During this time, Mozilla said Firefox Nightly would allow websites to show a push notification permission request only after the user has clicked or pressed a key while on a website. All attempts to show a push notification permission request before a click or key press will be blocked by default. [...] In the last two weeks of the experiment, Firefox will show an icon in the URL bar, but with no visible popup on the page. Users can click this icon and accept any push notification permission requests if they so wish. Further reading: Mozilla and Scroll Partner To Test Alternative Funding Models for the Web.
Microsoft

Microsoft's Collaboration On Google's Chromium Brings a New Feature To Chrome (mspoweruser.com) 95

Remember when Microsoft announced they'd be switching to Google's open source Chromium browser for developing their own Edge browser? At the time Google announced "We look forward to working with Microsoft and the web standards community to advance the open web, support user choice, and deliver great browsing experiences."

Now MSPoweruser reports Microsoft has indeed started collaborating on Chromium -- making suggestions like caret browsing and a native high-contrast mode -- and at least one of Microsoft's suggestions is already coming to Chrome. It looks like there is one feature that Chromium approved which will be making its way to Chrome soon. According to a new bug (via Techdows) filing on Chromium, Google is working on bringing text suggestions for hardware keyboards to Chrome soon. The feature will allow users to get suggestions as they type, which is currently available on Windows 10 and on Microsoft Edge.

Google has just started working on the feature and has set the priority to 2, which suggests that the feature should be available sooner rather than later.

Mozilla

Firefox Lockbox Comes To Android To Ease Password Pain (cnet.com) 38

If you're a Firefox true believer, or even just a Firefox user, your password struggles just got a little easier with the release of Firefox Lockbox for Android devices. From a report: The password manager, based on login information already in Firefox, makes it easier to sign into apps as well. It integrates with login autocomplete systems in both Apple's iOS and Google's Android software, Mozilla said. It's not as fancy as password managers like LastPass, BitWarden, 1Password and Dashlane, and the only browser it works with is Firefox. On the other hand, if you're already in the Firefox world, it's basically already set up for you. There's no migration process as with dedicated password managers.
Bug

Pwn2Own Competitors Crack Tesla, Firefox, Safari, Microsoft Edge, and Windows 10 (zdnet.com) 41

A research duo who hacked a Tesla were the big winners at the annual Pwn2Own white hat security contest, reports ZDNet. "The duo earned $375,000 in prize money, of the total of $545,000 awarded during the whole three-day competition... They also get to keep the car." Team Fluoroacetate -- made up of Amat Cama and Richard Zhu -- hacked the Tesla car via its browser. They used a JIT bug in the browser renderer process to execute code on the car's firmware and show a message on its entertainment system... Besides keeping the car, they also received a $35,000 reward. "In the coming days we will release a software update that addresses this research," a Tesla spokesperson told ZDNet today in regards to the Pwn2Own vulnerability.

Not coincidentally, Team Fluoroacetate also won the three-day contest after earning 36 "Master of Pwn" points for successful exploits in Apple Safari, Firefox, Microsoft Edge, VMware Workstation, and Windows 10... [R]esearchers also exploited vulnerabilities in Apple Safari, Microsoft Edge, VMware Workstation, Oracle Virtualbox, and Windows 10.

Firefox

Firefox 66 Arrives With Autoplaying Blocked by Default, Smoother Scrolling, and Better Search (venturebeat.com) 154

An anonymous reader writes: Mozilla today launched Firefox 66 for Windows, Mac, Linux, and Android. The release includes autoplaying content (audio and video) blocked by default, smoother scrolling, better search, revamped security warnings, WebAuthn support for Windows Hello, and improved extensions. The company says its main goal with this release is to reduce irritating experiences such as auto-playing videos, pop-ups, and page jumps. Firefox 66 for desktop is available for download now on Firefox.com, and all existing users should be able to upgrade to it automatically. The Android version is trickling out slowly on Google Play.
Data Storage

Firefox Send Lets You Share 1GB Files With No Strings Attached (cnet.com) 50

In 2017, Mozilla experimented with a service that let you transfer 1GB files by sharing a web address with the recipient. Firefox Send is now out of testing and boasts a magnified 2.5GB file-size limit if you log into your Firefox account. From a report: Firefox Send is handy for those moments when you need to share video, audio or photo files that can be too big to squeeze into an email attachment. [...] Firefox Send, which will also be available as an Android app, illustrates one of Mozilla's efforts to diversify beyond the Firefox browser. Mozilla touts Firefox Send as focusing on privacy and uses encryption to protect files. Firefox Send files are available for up to seven days and can be password-protected. You can also limit the number of times they're downloaded.
Firefox

Firefox To Add Tor Browser Anti-Fingerprinting Technique Called Letterboxing (zdnet.com) 101

Mozilla plans to add a new anti-fingerprinting technique to Firefox with the release of version 67, scheduled for mid-May this year. "Called 'letterboxing,' this new technique adds 'gray spaces' to the sides of a web page when the user resizes the browser window, which are then gradually removed after the window resize operation has finished," reports ZDNet. From the report: Advertising networks often sniff certain browser features, such as the window size to create user profiles and track users as they resize their browser and move across new URLs and browser tabs. The general idea is that "letterboxing" will mask the window's real dimensions by keeping the window width and height at multiples of 200px and 100px during the resize operation -- generating the same window dimensions for all users -- and then adding a "gray space" at the top, bottom, left, or right of the current page.

The advertising code, which listens to window resize events, then reads the generic dimensions, sends the data to its server, and only after does Firefox remove the "gray spaces" using a smooth animation a few milliseconds later. In other words, letterboxing delays filling the newly-resized browser window with the actual page content long enough to trick the advertising code into reading incorrect window dimensions.
The feature was first developed for the Tor Browser, and can be seen in action here. In order to enable the feature in Firefox, "users will first need to visit the about:config page, enter 'privacy.resistFingerprinting' in the search box, and toggle the browser's anti-fingerprinting features to 'true,'" reports ZDNet.
