Mozilla

Mozilla Removes Avast and AVG Extensions From Add-on Portal Over Snooping Claims (zdnet.com) 26

Mozilla today removed four Firefox extensions made by Avast and its subsidiary AVG after receiving credible reports that the extensions were harvesting user data and browsing histories. From a report: The four extensions are Avast Online Security, AVG Online Security, Avast SafePrice, and AVG SafePrice. The first two are extensions that show warnings when navigating to known malicious or suspicious sites, while the last two are extensions for online shoppers, showing price comparisons, deals, and available coupons. Mozilla removed the four extensions from its add-ons portal after receiving a report from Wladimir Palant, the creator of the AdBlock Plus ad-blocking extension. Palant analyzed the Avast Online Security and AVG Online Security extensions in late October and found that the two were collecting much more data than they needed to work -- including detailed user browsing history, a practice prohibited by both Mozilla and Google.
Programming

Microsoft is Creating a New Rust-Based Programming Language For Secure Coding (zdnet.com) 69

Under Project Verona, Microsoft is working to make Windows 10 more secure by integrating Mozilla-developed Rust for low-level Windows components. "'Memory safety' is the term for coding frameworks that help protect memory space from being abused by malware," reports ZDNet. "Project Verona at Microsoft is meant to progress the company's work here to close off this attack vector." From the report: Microsoft's Project Verona could turn out to be just an experiment that leads nowhere, but the company has progressed far enough to have detailed some of its ideas through the UK-based non-profit Knowledge Transfer Network. Matthew Parkinson, a Microsoft researcher from the Cambridge Computer Lab in the UK who's dedicated to "investigating memory management for managed programming languages," gave a talk last week focusing on what the company is doing to address these memory issues.

In the talk, Parkinson discussed the work Microsoft has done with MemGC, which is short for Memory Garbage Collector, for Internet Explorer (IE) and Edge. MemGC addressed vulnerabilities in the standard browser feature known as a Document Object Model (DOM), a representation of the data used by browsers to interpret web pages. Google's elite Project Zero hackers were impressed with Microsoft's MemGC after canvassing major browsers. [...] The other class of bugs Microsoft is working on to address relates to uninitialized memory in a way that also doesn't kill performance. [...] Parkinson said Microsoft is rewriting some "targeted" components in Rust. His talk focused on language design and compartmentalization. "If we want compartments, and to carve up the legacy bits of our code so [attackers'] exploit code can't get out, what do we need in the language design that can help with that?" This is Project Verona and Parkinson said it was the first time he'd discussed the project, which will be made open source "soon". It is a new language for what Microsoft is calling "safe infrastructure programming."
"The challenge for Microsoft is dealing with the 'application spectrum,' which spans from C# for desktop apps through to C and C# for Exchange, ASP.NET, Azure, and device drivers, to deep Windows components like memory management and boot loaders and the Windows kernel hardware abstraction layer (HAL)," the report says.

"The ownership model in Verona is based on groups of objects, not like in Rust where it's based on a single object," said Parkinson. "In C++ you get pointers and it's based on objects and it's pretty much per object. But that isn't how I think about data and grammar. I think about a data structure as a collection of objects. And that collection of objects as a lifetime. So by taking ownership at the level of ownership of objects, then we get much closer to the level of abstraction that people are using and it gives us the ability to build data structures without going outside of safety."
Businesses

Mozilla's Annual Buyer's Guide Rates Amazon and Google Security Cameras 'Very Creepy' (which.co.uk) 40

"Be Smart. Shop Safe," warns Mozilla's annual buyer's guide for secure connected products. Based on their conversations with developers and dozens of privacy experts, they've awarded smiley faces with different expressions to rate products from "Not Creepy" up to "Super Creepy".

"While the variety of smart devices on offer is rapidly increasing, so are the number of products that pay no heed to even basic security measures..." notes the editor of Mozilla's Internet Health Report. "Now that more and more companies collect personal data about you, including audio and video of your family, and sensitive biometric and health information, like your heart rate and sleeping habits, it's worrying that more are not upfront about the privacy and security of their products."

Or, as The Next Web writes, "god bless Mozilla for having our lazy backs." And, well, if you're a user of any Ring cameras⦠we're sorry. Basically, there are five things that every product must do:

- Have automatic security updates, so they're protected against the newest threats

- Use encryption, meaning bad actors can't just snoop on your data

- Include a vulnerability management pathway, which makes reporting bugs easy and, well, possible

- Require users to change the default password (if applicable), because that makes devices far harder to access

- Privacy policies -- ones that relate to the product specifically, and aren't just generic

Doesn't seem too much to ask right...? Well, of the 76 devices Mozilla selected, 60 of them passed this test... And what devices didn't meet the criteria?

There were nine of them overall (including the Artie 3000 Coding Robot and the Wemo Wifi Smart Dimmer), but the real loser in this test is the Amazon-owned Ring. Three of the company's products (which is effectively all of their major devices) didn't meet Mozilla's criteria. Yes, that's right, the Ring Video Doorbell, Ring Indoor Cam, and Ring Security Cam all didn't meet minimum standards for security.... The main reasons for not meeting this criteria is due Ring's history with poor encryption policies, and vulnerability management.

To be fair, Nest Cam's Indoor and Outdoor Security Cameras and Google Home also fell into the "Very Creepy" category -- and so did Amazon's Echo smart speakers. (The Amazon Echo Show even made it into Mozilla's highest "Super Creepy" category, where the only other product was Facebook Portal.) But at least the Nest Hello Video doorbell only appears in Mozilla's "Somewhat Creepy" category.

"Just because something on your wishlist this year connects to the internet, doesn't mean you have to compromise on privacy and security..." warns the editor of Mozilla's Internet Health Report. And in addition, "Fitness trackers designed for kids as young as 4 years old, raise questions about what we are teaching our children about how much digital surveillance in their lives is normal." Going forward, they suggest that we push for better privacy regulations -- and that whenever we rate products on performance and price, we should also rate them on their privacy and security.

But in the meantime, as Mozilla explained on Twitter, "Friends don't let friends buy creepy gifts."
Firefox

Why Firefox Fights for the Future of the Web (theguardian.com) 57

"Mozilla is no longer fighting for market share of its browser: it is fighting for the future of the web," writes the Guardian, citing Mozilla Project co-founder Mitchell Baker: Baker's pitch is that only Mozilla is motivated, first and foremost, to make using the web a pleasurable experience. Google's main priority is to funnel user data into the enormous advertising engine that accounts for most of its revenue. Apple's motivation is to ensure that customers continue to buy a new iPhone every couple of years and don't switch to Android...."

Firefox now runs sites such as Facebook in "containers", effectively hiving the social network off into its own little sandboxed world, where it can't see what's happening on other sites. Baker says: "It reduces Facebook's ability to follow you around the web and track you when you're not on Facebook and just living your life...." Mozilla has launched Monitor, a data-breach reporting service; Lockwise, a password manager; and Send, a privacy-focused alternative to services such as WeSendit. It's also beta-testing a VPN (virtual private network) service, which it hopes to market to privacy-conscious users...

Apple's iOS (mobile operating system) is an acknowledged disaster for Mozilla. Safari is the default and, while users can install other browsers, they come doubly hindered: they can never be set as the default, meaning any link clicked in other applications will open in Safari; and they must use Safari's "rendering engine", a technical limitation that means that even the browsers that Firefox does have on the platform are technically just fancy wrappers for Apple's own browser, rather than full versions of the service that Mozilla has built over the decades... "Even if you do download a replacement, iOS drops you back into the default. I don't know why that's acceptable. Every link you open on a phone is the choice of the phone maker, even if you, as a user, want something else."

Summarizing Baker's concerns, the Guardian writes that "It is perfectly possible to build a browser that prevents advertising companies from aggregating user data. But it is unlikely that any browser made by an advertising company would offer such a feature..."

And an activist for the Small Technology Foundation tells them that Google "wants the web to go through Google. It already mostly does: with eyes on 70% to 80% of the web."
Firefox

Mozilla, Intel, and More Form the Bytecode Alliance To Take WebAssembly Beyond Browsers (neowin.net) 91

slack_justyb writes: Mozilla has been heavily invested in WebAssembly with Firefox, and today, the organization teamed up with a few others to form the new Bytecode Alliance, which aims to create "new software foundations, building on standards such as WebAssembly and WebAssembly System Interface (WASI)." Mozilla has teamed up with Intel, Red Hat, and Fastly to found the alliance, but more members are likely to join over time. The goal of the Bytecode Alliance is to create a new runtime environment and language toolchains which are secure, efficient, and modular, while also being available on as many platforms and devices as possible. The technologies being developed by the Bytecode Alliance are based on WebAssembly and WASI, which have been seen as a potential replacement for JavaScript due to more efficient code compiling, and the expanded capabilities of being able to port C and C++ code to the web. To kick things off, the founding members have already contributed a number of open-source technologies to the Bytecode Alliance, including Wasmtime, a lightweight WebAssembly runtime; Lucet, an ahead-of-time compiler; WebAssembly Micro Runtime; and Cranelift.
Programming

Python Finally Overtakes Java on GitHub (zdnet.com) 61

"The hit programming language Python has climbed over once-dominant Java to become the second most popular language on Microsoft-owned open-source code-sharing site GitHub," reports ZDNet: Python now outranks Java based on the number of repository contributors, and by that metric Python is now second only to JavaScript, which has been in top spot since 2014, according to GitHub's 'State of the Octoverse' report for 2019...

Another interesting aspect of GitHub's report is its ranking of fastest-growing languages. Google's Dart programming language and Flutter, for building UIs for iOS and Android apps, are getting major traction with developers on GitHub. Dart was the fastest-growing language between 2018 and 2019, with usage up a massive 532%. It was followed by the Mozilla-developed Rust, which grew a respectable 235%. Microsoft is experimenting with Rust in its Windows code base because it was designed to address memory-related security bugs -- the dominant flaw-type in Microsoft software over the past decade.

Last year Kotlin, the Google-endorsed programming language for Android app development, was the fastest-growing language on GitHub. It's not a top-10 language yet, but it still grew 182% over the year. Microsoft-backed TypeScript, its superset of JavaScript, is also growing fast, up 161% over the past year as more developers use it to grapple with large-scale JavaScript apps.

Other languages making up the top 10 fastest-growing category are HCL, PowerShell, Apex, Python, Assembly, and Go.

Firefox

Scammers Are Actively Exploiting A Firefox Bug (arstechnica.com) 26

Long-time Slashdot reader slack_justyb shares this story from Ars Technica: Scammers are actively exploiting a bug in Firefox that causes the browser to lock up after displaying a message warning the computer is running a pirated version of Windows that has been hacked... The message then advises the person to call a toll-free number in the next five minutes or face having the computer disabled...

Jérôme Segura, head of threat intelligence at security provider Malwarebytes, said the Firefox bug is being exploited by several sites... On Monday, Segura reported the bug to the Bugzilla forum. He said he has since received word Mozilla is actively working on a fix. In a statement sent seven hours after this post went live, a Mozilla representative wrote: "We are working on a fix to the authentication prompt bug that we expect to land in the next couple of releases (either in Firefox 71 or 72)."

Advertising

Mozilla Hits Google, Facebook For 'Microtargeting' Political Ads (thehill.com) 31

Mozilla is calling on Google and Facebook to stop "microtargeting" political ads. "Political speech is critical to democratic discourse, but against the very real circumstances of organized disinformation and organic misinformation today, microtargeting keeps ideas from being debated in the open, and fiction parades as fact," Ashley Boyd, Mozilla's advocacy vice president, said in a statement. "Online platforms can take the important step toward quelling the manipulation by limiting political ads to a scale where they facilitate a public discourse." The Hill reports: Microtargeting, a method which uses consumer data and demographics to narrowly segment audiences, is used by political campaigns to specialize ads for different voting groups. The practice's critics include Federal Election Commission Chairwoman Ellen Weintraub, who wrote in a Washington Post op-ed that microtargeting makes it "easy to single out susceptible groups and direct political misinformation to them with little accountability, because the public at large never sees the ad." Mozilla's call follows reports that Facebook has considered restricting politicians' access to microtargeting.
Firefox

Firefox Turns 15 (fastcompany.com) 50

harrymcc writes: On November 9 2004, a new version of Mozilla's browser called Firefox shipped. It was taking on one of the most daunting monopolies in tech: Microsoft's Internet Explorer, which had more than 90 percent market share. But Firefox was really good, and it became an instant hit, ending Microsoft's dominance of the web. Over at Fast Company, Sean Captain took a look at the browser's original rise, the challenges it faced after Google's Chrome arrived on the scene, and the moves it's currently making to put user privacy first.
Security

DNS-over-HTTPS Will Eventually Roll Out in All Major Browsers, Despite ISP Opposition (zdnet.com) 119

All major browsers -- including Chrome, Firefox, Safari, Opera, Microsoft Edge, Vivaldi, Brave -- have plans to support DNS-over-HTTPS (or DoH), a protocol that encrypts DNS traffic and helps improve a user's privacy on the web. From a report: The DoH protocol has been one of the year's hot topics. It's a protocol that, when deployed inside a browser, it allows the browser to hide DNS requests and responses inside regular-looking HTTPS traffic. Doing this makes a user's DNS traffic invisible to third-party network observers, such as ISPs. But while users love DoH and have deemed it a privacy boon, ISPs, networking operators, and cyber-security vendors hate it. A UK ISP called Mozilla an "internet villain" for its plans to roll out DoH, and a Comcast-backed lobby group has been caught preparing a misleading document about DoH that they were planning to present to US lawmakers in the hopes of preventing DoH's broader rollout. However, this may be a little too late. ZDNet has spent the week reaching out to major web browser providers to gauge their future plans regarding DoH, and all vendors plan to ship it, in one form or another.
Firefox

ISPs Lied To Congress To Spread Confusion About Encrypted DNS, Mozilla Says (arstechnica.com) 70

An anonymous reader quotes a report from Ars Technica: Mozilla is urging Congress to reject the broadband industry's lobbying campaign against encrypted DNS in Firefox and Chrome. The Internet providers' fight against this privacy feature raises questions about how they use broadband customers' Web-browsing data, Mozilla wrote in a letter sent today to the chairs and ranking members of three House of Representatives committees. Mozilla also said that Internet providers have been giving inaccurate information to lawmakers and urged Congress to "publicly probe current ISP data collection and use policies." DNS over HTTPS helps keep eavesdroppers from seeing what DNS lookups your browser is making. This can make it more difficult for ISPs or other third parties to monitor what websites you visit.

"Unsurprisingly, our work on DoH [DNS over HTTPS] has prompted a campaign to forestall these privacy and security protections, as demonstrated by the recent letter to Congress from major telecommunications associations. That letter contained a number of factual inaccuracies," Mozilla Senior Director of Trust and Security Marshall Erwin wrote. This part of Erwin's letter referred to an Ars article in which we examined the ISPs' claims, which center largely around Google's plans for Chrome. The broadband industry claimed that Google plans to automatically switch Chrome users to its own DNS service, but that's not what Google says it is doing. Google's publicly announced plan is to "check if the user's current DNS provider is among a list of DoH-compatible providers, and upgrade to the equivalent DoH service from the same provider." If the user-selected DNS service is not on that list, Chrome would make no changes for that user.

Firefox

Firefox To Hide Notification Popups By Default Starting Next Year (zdnet.com) 48

An anonymous reader quotes ZDNet: In a move to fight spam and improve the health of the web, Firefox will hide those annoying notification popups by default starting next year, with the release of Firefox 72, in January 2020, ZDNet has learned from a Mozilla engineer.

The move comes after Mozilla ran an experiment back in April this year to see how users interacted with notifications, and also looked at different ways of blocking notifications from being too intrusive. Usage stats showed that the vast majority (97%) of Firefox users dismissed notifications, or chose to block a website from showing notifications at all...

As a result, Mozilla engineers have decided to hide the notification popup that drops down from Firefox's URL bar, starting with Firefox 72. If a website shows a notification, the popup will be hidden by default, and an icon added to the URL bar instead. Firefox will then animate the icon using a wiggle effect to let the user know there's a notification subscription popup available, but the popup won't be displayed until the user clicks the icon.

Mozilla is the first browser vendor to block notification popups by default, according to the article. It's already available in Firefox Nightly versions, but will be added to the stable branch in January.

"I think Mozilla's decision is good for the health of the web," Jérôme Segura, malware analyst at Malwarebytes tells ZDNet.
Facebook

Facebook, Mozilla, and Cloudflare Announce New TLS Delegated Credentials Standard (zdnet.com) 25

Facebook, Mozilla, and Cloudflare announced today a new technical specification called TLS Delegated Credentials, currently undergoing standardization at the Internet Engineering Task Force (IETF). From a report: The new standard will work as an extension to TLS, a cryptographic protocol that underpins the more widely-known HTTPS protocol, used for loading websites inside browsers via an encrypted connection. The TLS Delegate Credentials extension was specifically developed for large website setups, such as Facebook, or for website using content delivery networks (CDNs), such as Cloudflare. For example, a big website like Facebook has thousands of servers spread all over the world. In order to support HTTPS traffic on all, Facebook has to place a copy of its TLS certificate private key on each one. This is a dangerous setup. If an attacker hacks one server and steals the TLS private key, the attacker can impersonate Facebook servers and intercept user traffic until the stolen certificate expires. The same thing is also valid with CDN services like Cloudflare. Anyone hosting an HTTPS website on Cloudflare's infrastructure must upload their TLS private key to Cloudflare's service, which then distributes it to thousands of servers across the world. The TLS Delegate Credentials extension allows site owners to create short-lived TLS private keys (called delegated credentials) that they can deploy to these multi-server setups, instead of the real TLS private key.
Firefox

Mozilla To Stop Supporting Sideloaded Extensions In Firefox (zdnet.com) 34

An anonymous reader quotes a report from ZDNet: Mozilla has announced today plans to discontinue one of the three methods through which extensions can be installed in Firefox. Starting next year, Firefox users won't be able to install extensions by placing an XPI extension file inside a special folder inside a user's Firefox directory. The method, known as sideloading, was initially created to aid developers of desktop apps. In case they wanted to distribute a Firefox extension with their desktop app, the developers could configure the app's installer to drop a Firefox XPI extension file inside the Firefox browser's folder.

This method has been available to Firefox extension developers since the browser's early days. However, today, Mozilla announced plans to discontinue supporting sideloaded extensions, citing security risks. Mozilla plans to stop supporting this feature next year in a two-phase plan. The first will take place with the release of Firefox 73 in February 2020. Firefox will continue to read sideloaded extensions, but they'll be slowly converted into normal add-ons inside a user's Firefox profile, and made available in the browser's Add-ons section. By March 2020, with the release of Firefox 74, Mozilla plans to completely remove the ability to sideload an extension. By that point, Mozilla hopes that all sideloaded extensions will be moved inside users' Add-ons section.

Oracle

Should JavaScript Be Renamed? (kieranpotts.com) 170

Software engineer Kieran Potts asks: does JavaScript need to be renamed? There's no doubt there are problems with JavaScript's branding...

- Correctly, "JavaScript" refers to a subset of ECMAScript specified by Mozilla, but the word is used interchangeably to refer to multiple different ECMAScript supersets, depending on context.

- JavaScript is a trademark of Oracle Corporation, which doesn't fit comfortably with the language's position as a central component of the web platform, which is meant to be built entirely from open technologies and standards.

- There isn't even an official logo for JavaScript, let alone a cute mascot like Go's gopher or PHP's elephant.

- And famously, JavaScript is unrelated to Java. This has confused the hell out of non-technical managers and recruiters for decades.

The article also suggests "a standard convention" to identify the runtime's host system (for example, "WebJS" or "ServerJS").

But in response to the question of rebranding JavaScript, "the most common, knee jerk reaction was a quick guffaw and an exclaimed 'no!'" notes tech columnist Mike Melanson, "while others offered that the simple contraction to JS would suffice."
Mozilla

Mozilla: Cloudflare Doesn't Pay Us For Any DoH Traffic (zdnet.com) 93

An anonymous reader writes: Mozilla said today that "no money is being exchanged to route DNS requests to Cloudflare" as part of the DNS-over-HTTPS (DoH) feature that is currently being gradually enabled for Firefox users in the US. The browser maker has been coming under heavy criticism lately for its partnership with Cloudflare. Many detractors say that by using Cloudflare as the default DoH resolver for Firefox, Mozilla will help centralize a large chunk of DNS traffic on Cloudflare's service. Critics of this decision include regular users, but also ISP-backed lobby groups, according to a recent report citing leaked documents. But according to Mozilla, they're not getting paid for this, and are only doing it for Firefox user privacy.
Programming

The Iranian Developer Deadlock: Stuck Between Censorship and US Sanctions (thenextweb.com) 52

In July, GitHub blocked several accounts to prevent users in Iran from accessing several portions of its service. A few days later Amazon Web Services followed suite. With major cloud services pulling support for developers in the country, many lost their academic work and several apps ceased to function. A solution for these developers now is to cut reliance on American giants and build their own services. But there's a catch: Internet in Iran is heavily censored, so they can't rely on local networks.

After Trump backed away from the nuclear deal, there's been a tremendous pressure on tech companies to block IPs from Iran. Plus, Mozilla decided to omit a whole transparency section in its report on the country succumbing to the government pressure. With sanctions on one side and censorship on the other, there's a tough road ahead for developers. Ivan Mehta, a journalist at The Next Web, looks at the issue.
Businesses

Comcast Is Lobbying Against Encryption That Could Prevent it From Learning Your Browsing History (vice.com) 79

Internet giant Comcast is lobbying U.S. lawmakers against plans to encrypt web traffic that would make it harder for internet service providers (ISPs) to determine your browsing history, Motherboard reported Wednesday, citing a lobbying presentation. From the report: The plan, which Google intends to implement soon, would enforce the encryption of DNS data made using Chrome, meaning the sites you visit. Privacy activists have praised Google's move. But ISPs are pushing back as part of a wider lobbying effort against encrypted DNS, according to the presentation. Technologists and activists say this encryption would make it harder for ISPs to leverage data for things such as targeted advertising, as well as block some forms of censorship by authoritarian regimes.

Mozilla, which makes Firefox, is also planning a version of this encryption. "The slides overall are extremely misleading and inaccurate, and frankly I would be somewhat embarrassed if my team had provided that slide deck to policy makers," Marshall Erwin, senior director of trust and safety at Mozilla, told Motherboard in a phone call after reviewing sections of the slide deck. "We are trying to essentially shift the power to collect and monetize peoples' data away from ISPs and providing users with control and a set of default protections," he added, regarding Mozilla's changes.

Firefox

Firefox To Get Page Translation Feature, Like Chrome (zdnet.com) 50

An anonymous reader writes: Mozilla developers are working on adding an automatic page translation feature to Firefox, similar to the one included in Google Chrome. However, Firefox's page translation feature will be different from the one supported in Google Chrome. Instead of relying on cloud-based text translation services (like Google Translate, Bing Translator, or Yandex.Translate), Firefox will use a client-side, machine learning-based translation library, currently being developed part of the Bergamot Project, which received $3.35 million in EU funding from the European Union's Horizon 2020 research and innovation programme.

Slashdot Top Deals