Firefox

Firefox 70 Arrives With Social Tracking Blocked By Default (venturebeat.com) 40

An anonymous reader writes: Mozilla today launched Firefox 70 for Windows, Mac, Linux, Android, and iOS. Firefox 70 includes social tracking protection, a Privacy Protections report, new Lockwise features, and performance improvements on Windows and macOS. Firefox 70 for desktop is available for download now on Firefox.com, and all existing users should be able to upgrade to it automatically. The Android version is trickling out slowly on Google Play and the iOS version is on Apple's App Store. According to Mozilla, Firefox has about 250 million active users, making it a major platform for web developers to consider. With Firefox 70, Mozilla now also includes social tracking protection under the Standard setting. It blocks cross-site tracking cookies from sites like Facebook, Twitter, and LinkedIn.
Privacy

Privacy-Respecting Smart Home System Can Work Offline and Sends Fake Data (www.ddw.nl) 40

A publicly-funded group of designers, artists and privacy experts from Amsterdam have designed a smart home system prototype to "prove it's technically possible to build a privacy respecting smart home while maintaining convenience."

Its controller uses an Arduino Nano to disconnect the system from the internet during times when it's not in use. They're building everything on Mozilla's open smart home gateway software. The system's microphone is a separate USB device that can be easily unplugged. For extra security, the devices don't even use wifi to communicate.

"The Candle devices offer the advantages of a smart home system -- such as voice control, handy automations and useful insights -- without the downsides of sending your data to the cloud and feeling watched in your own home," explains their blurb for Dutch Design Week, where they're launching their prototypes of trust-worthy smart locks, thermostats, and other Internet of Things devices: Most smart devices promises us an easier life, but they increasingly disappoint; they eavesdrop, share our data with countless third parties, and offer attractive targets to hackers. Candle is different. Your data never leaves your home, all devices work fine without an internet connection, and everything is open source and transparent.
One of the group's members is long-time Slashdot reader mrwireless, who shares an interesting observation: Smart homes track everything that happens inside them. For developing teenagers, this makes it more difficult to sneak in a date or break the rules in other subtle ways, which is a normal, healthy part of growing up. Candle is a prototype smart home that tries to mitigate these issue. It has given its sensors the ability to generate fake data for a while. In the future, children could get a monthly fake data allowance.

Some of the devices have "skirts", simple fabric covers that can be draped over the devices to hide their screen. If you own a dust sensor, this can be useful if your mother in law comes over and you haven't vacuumed in a while.

Google

Mozilla is Sharing YouTube Horror Stories To Prod Google For More Transparency (cnet.com) 58

CNET reports on a new crowdsourced public awareness campaign: Mozilla is publishing anecdotes of YouTube viewing gone awry -- anonymous stories from people who say they innocently searched for one thing but eventually ended up in a dark rabbit hole of videos. It's a campaign aimed at pressuring Google's massive video site to make itself more accessible to independent researchers trying to study its algorithms. "The big problem is we have no idea what is happening on YouTube," said Guillaume Chaslot, who is a fellow at Mozilla, a nonprofit best known for its unit that makes and operates the Firefox web browser.

Chaslot is an ex-Google engineer who has investigated YouTube's recommendations from the outside after he left the company in 2013. (YouTube says he was fired for performance issues.) "We can see that there are problems, but we have no idea if the problem is from people being people or from algorithms," he said....

Mozilla is publishing 28 stories it's terming #YouTubeRegrets; they include, for example, an anecdote from someone who who said a search for German folk songs ended up returning neo-Nazi clips, and a testimonial from a mother who said her 10-year-old daughter searched for tap-dancing videos and ended up watching extreme contortionist clips that affected her body image.

Firefox

Germany's Cybersecurity Agency Recommends Firefox As Most Secure Browser (arstechnica.com) 52

An anonymous reader quotes a report from ZDNet: Firefox is the only browser that received top marks in a recent audit carried out by Germany's cyber-security agency -- the German Federal Office for Information Security (or the Bundesamt fur Sicherheit in der Informationstechnik -- BSI). The BSI tested Mozilla Firefox 68 (ESR), Google Chrome 76, Microsoft Internet Explorer 11, and Microsoft Edge 44. The tests did not include other browsers like Safari, Brave, Opera, or Vivaldi. The audit was carried out using rules detailed in a guideline for "modern secure browsers" that the BSI published last month, in September 2019. The BSI normally uses this guide to advise government agencies and companies from the private sector on what browsers are safe to use. The article includes a list of all the minimum requirements required for the BSI to consider a browser "secure." It also lists the areas where the other browsers failed, such as: Lack of support for a master password mechanism (Chrome, IE, Edge); No built-in update mechanism (IE), and No option to block telemetry collection (Chrome, IE, Edge).
OS X

Critical Remote Code Execution Flaw Fixed In Popular Terminal App For MacOS (csoonline.com) 15

itwbennett shares a report from CSO: iTerm2 users: It's time to upgrade. A security audit sponsored by the Mozilla Open Source Support Program uncovered a critical remote code execution (RCE) vulnerability in the popular open-source terminal app for macOS. ITerm2 is an open-source alternative to the built-in macOS Terminal app, which allows users to interact with the command-line shell. Terminal apps are commonly used by system administrators, developers and IT staff in general, including security teams, for a variety of tasks and day-to-day operations.

The iTerm2 app is a popular choice on macOS because it has features and allows customizations that the built-in Terminal doesn't, which is why the Mozilla Open Source Support Program (MOSS) decided to sponsor a code audit for it. The MOSS was created in the wake of the critical and wide-impact Heartbleed vulnerability in OpenSSL with the goal of sponsoring security audits for widely used open-source technologies. The flaw, which is now tracked as CVE-2019-9535, has existed in iTerm2 for the past seven years and is located in the tmux integration. Tmux is a terminal multiplexer that allows running multiple sessions in the same terminal window by splitting the terminal screen. The flaw was fixed in iTerm2 version 3.3.6, which was released today.

Encryption

Thunderbird Announces OpenPGP Support (mozilla.org) 40

doconnor writes: On the Mozilla Thunderbird blog it was announced that for the future Thunderbird 78 release, planned for summer 2020, they will add built-in functionality for email encryption and digital signatures using the OpenPGP standard. This addresses a feature request opened on Bugzilla almost 20 years ago and has been one of the top voted bugs for most of that period.
Mozilla

Mozilla Developer Network Launches a YouTube Channel (youtube.com) 20

An anonymous reader writes: The Mozilla Developer Network just launched their own video channel on YouTube this week. There's currently seven videos, offering tutorials like "The Secret Button to get Three Panels of Developer Tools" and "Coding a Dark Mode for your web site."

And tweets from a Mozilla Community Lead suggest it may soon feature something from the View Source Conference in Amsterdam.

Google

Google's DNS-Over-HTTPS Plans Scrutinized By US Congress (engadget.com) 130

Google's plans to implement DNS over HTTPS in Chrome are being investigated by a committee in the U.S. House of Representatives, while the Justice Department has "recently received complaints" about the practice, according to the Wall Street Journal.

An anonymous reader quotes Engadget: While Google says it's pushing for adoption of the technology to prevent spying and spoofing, House investigators are worried this would give the internet giant an unfair advantage by denying access to users' data. The House sent a letter on September 13th asking if Google would use data handled through the process for commercial purposes... Internet service providers are worried that they may be shut out of the data and won't know as much about their customers' traffic patterns. This could "foreclose competition in advertising and other industries," an alliance of ISPs told Congress in a September 19th letter...

Mozilla also wants to use the format to secure DNS in Firefox, and the company's Marshall Erwin told the WSJ that the antitrust gripes are "fundamentally misleading." ISPs are trying to undermine the standard simply because they want continued access to users' data, Erwin said. Unencrypted DNS helps them target ads by tracking your web habits, and it's harder to thwart DNS tracking than cookies and other typical approaches.

United Kingdom

Firefox Promises UK Government DNS-Over-HTTPS Won't Be Default in UK (gizmodo.co.uk) 118

"Despite looking to make DNS-over-HTTPS the default for its American users, Mozilla has assured culture secretary Nicky Morgan that this won't be the case in the UK," reports Gizmodo: DNS-over-HTTPS has been fairly controversial, with the Internet Services Providers Association nominating Mozilla for an 'Internet Villain' over the whole thing, saying it will "bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK."

In his letter to Morgan, Mozilla vice president of global policy, trust and security, Alan Davidson, stressed that the company "has no plans to turn on our DNS-over-HTTPS feature by default in the United Kingdom and will not do so without further engagement with public and private stakeholders". He did add that Mozilla does "strongly believe that DNS-over-HTTPS would offer real security benefits to UK citizens. The DNS is one of the oldest parts of the internet's architecture, and remains largely untouched by efforts to make the web more secure.

"Because current DNS requests are unencrypted, the road that connects your citizens to their online destination is still open and used by bad actors looking to violate user privacy, attack communications, and spy on browsing activity. People's most personal information, such as their health-related data, can be tracked, collected, leaked and used against people's best interest. Your citizens deserve to be protected from that threat."

Firefox

Cloudflare, Google Chrome, and Firefox Add HTTP/3 Support (zdnet.com) 48

HTTP/3, the next major iteration of the HTTP protocol, is getting a big boost today with support added in Cloudflare, Google Chrome, and Mozilla Firefox. From a report: Starting today, Cloudflare announced that customers will be able to enable an option in their dashboards and turn on HTTP/3 support for their domains. That means that whenever users visit a Cloudflare-hosted website from an HTTP/3-capable client, the connection will automatically upgrade to the new protocol, rather than being handled via older versions. On the browser side, Chrome Canary added support for HTTP/3 earlier this month. Users can enable it by using the Chrome command-line flags of "--enable-quic --quic-version=h3-23". In addition, Mozilla too announced it would roll out support for HTTP/3. The browser maker is scheduled to ship HTTP/3 in an upcoming Firefox Nightly version later this fall.
Firefox

Firefox Moving To a Faster 4-Week Release Cycle (mozilla.org) 50

Mozilla announces in a blog post: We typically ship a major Firefox browser (Desktop and Android) release every 6 to 8 weeks. Building and releasing a browser is complicated and involves many players. To optimize the process, and make it more reliable for all users, over the years we've developed a phased release strategy that includes 'pre-release' channels: Firefox Nightly, Beta, and Developer Edition. With this approach, we can test and stabilize new features before delivering them to the majority of Firefox users via general release.

And today we're excited to announce that we're moving to a four-week release cycle! We're adjusting our cadence to increase our agility, and bring you new features more quickly. In recent quarters, we've had many requests to take features to market sooner. Feature teams are increasingly working in sprints that align better with shorter release cycles. Considering these factors, it is time we changed our release cadence. Starting Q1 2020, we plan to ship a major Firefox release every 4 weeks. Firefox ESR release cadence (Extended Support Release for the enterprise) will remain the same. In the years to come, we anticipate a major ESR release every 12 months with 3 months support overlap between new ESR and end-of-life of previous ESR. The next two major ESR releases will be ~June 2020 and ~June 2021.

Businesses

Mozilla and Creative Commons Want To Reimagine the Internet Without Ads, and They Have $100M To Do It (fastcompany.com) 146

An anonymous reader shares a report: Funding online content with small consumer payments rather than intrusive and privacy-compromising ads has for years been a goal for many internet theorists and publishers. "We're at a point where it's clear there's kinds of negative side effects for people and even for democracy of the data-driven ad economy that funds the internet," says Mark Surman, executive director of the Mozilla Foundation. Now, Mozilla, Creative Commons, and a new micropayment startup have announced a $100 million grant program to finally bring that dream to fruition.

The program, called Grant for the Web, will give roughly $20 million per year for five years to content sites, open source infrastructure developers, and others building around Web Monetization, a proposed browser standard for micropayments. "When we started Coil, Coil was essentially the first Web Monetization provider," says founder and CEO Stefan Thomas. Coil users pay a fixed monthly fee that's distributed among sites they visit that have Web Monetization enabled, such as the web development site CSS-Tricks, based on how long they visit the sites. The underlying technology supports other providers routing user funding as well.

Firefox

Mozilla Launches Paid Premium Support for Enterprise Customers (neowin.net) 19

Mozilla has quietly launched a new product for enterprise customers: Ability to buy paid premium support for Firefox. From a report: The premium enterprise support for Firefox costs $10 per supported installation and offers customers the ability to submit bugs privately, get critical security bug fixes, get access to a private customer portal, get access to the enterprise critical issues distribution list, and have the ability to contribute to Firefox and its roadmap. According to Mozilla, it will support Firefox installations as long as they are running on machines that meet the system requirements. Windows, Mac, and Linux based operating systems are listed in the systems requirements so all platforms should be covered by the premium support.
Chrome

Google To Run DNS-over-HTTPS (DoH) Experiment in Chrome (zdnet.com) 104

Google has announced plans to test the new DNS-over-HTTPS (DoH) protocol inside Google Chrome starting with v78, scheduled for release in late October this year. From a report: The DNS-over-HTTPS protocol works by sending DNS requests to special DoH-compatible DNS resolvers. The benefit comes from the fact that DNS requests are sent via port 443, as encrypted HTTPS traffic, rather than cleartext, via port 53. This hides DoH requests in the unending stream of HTTPS traffic that moves across the web at any moment of the day and prevents third-party observers from tracking users' browsing histories by recording and looking at their unencrypted DNS data. The news that Google is looking into testing DoH in Chrome comes just as Mozilla announced plans over the weekend to gradually enable DoH by default for a small subset of users in the US later this month.
Mozilla

Mozilla Launches VPN as Part of Resurrected Firefox Test Pilot Program (venturebeat.com) 11

Mozilla is resurrecting its recently expunged Test Pilot program with a renewed focus on privacy-focused tools and products. The Firefox developer today lifted the lid on the first product to emerge from the new Test Pilot, and it appears to be something akin to a virtual private network (VPN) in all but name. From a report: Firefox Private Network, as the new tool is called, is available in beta today for logged-in Firefox desktop users in the U.S. only, and is accessible through a browser extension. By way of a quick recap, Mozilla debuted Firefox Test Pilot a decade ago but then relaunched it back in 2016. Test Pilot went on to attain an average of 100,000 daily users, each looking to test Mozilla's latest developments -- including a price-tracking feature for online shoppers, content recommendations based on browsing activity, and more.

Some of these became full-fledged features within Firefox and others did not, but back in January Mozilla announced it was killing its Test Pilot program altogether. This came as something of a surprise given Mozilla's own statements about the success of the program. At the time, Mozilla said it was "evolving" its approach to experimentation and suggested it was looking to ideate more widely across the company. Fast-forward nine months, and Firefox Test Pilot is back for a third time.

Firefox

Firefox Will Soon Encrypt DNS Requests By Default (engadget.com) 147

This month Firefox will make DNS over encrypted HTTPS the default for the U.S., with a gradual roll-out starting in late September, reports Engadget: Your online habits should be that much more private and secure, with fewer chances for DNS hijacking and activity monitoring.

Not every request will use HTTPS. Mozilla is relying on a "fallback" method that will revert to your operating system's default DNS if there's either a specific need for them (such as some parental controls and enterprise configurations) or an outright lookup failure. This should respect the choices of users and IT managers who need the feature turned off, Mozilla said. The team is watching out for potential abuses, though, and will "revisit" its approach if attackers use a canary domain to disable the technology.

Users will be given the option to opt-out, explains Mozilla's official announcement. "After many experiments, we've demonstrated that we have a reliable service whose performance is good, that we can detect and mitigate key deployment problems, and that most of our users will benefit from the greater protections of encrypted DNS traffic."

"We feel confident that enabling DNS-over-HTTPS by default is the right next step."
Mozilla

Mozilla Outlines Plan For Manifest V3 Extensions API (mozilla.org) 13

New submitter q4Fry writes: When Google released its changes to the Chrome WebExtensions API for comment, many groups criticized them for cutting off ad-blockers at the knees. Now, Mozilla has released its plan for following (and departing from) the APIs that Chrome may adopt.

Will Mozilla follow Google with these changes? In the absence of a true standard for browser extensions, maintaining compatibility with Chrome is important for Firefox developers and users. Firefox is not, however, obligated to implement every part of v3, and our WebExtensions API already departs in several areas under v2 where we think it makes sense.


Mozilla

Firefox 69 Ratchets Up Tracking Protection, Switching it On by Default (cnet.com) 31

Mozilla has switched on Firefox's tracking protection feature for everyone on Windows and Android, dialing up its effort to protect privacy from website publishers and advertisers that would like to keep tabs on your online behavior. From a report: Mozilla enabled tracking protection for new Firefox users in June, but now it's on for everyone, the nonprofit said Tuesday. Tracking protection is all the rage among browser makers, including Apple's Safari, Brave Software's Brave and Microsoft's new Chromium-based Edge. Even Google's Chrome, long the laggard among major browsers, is starting to tackle the problem. It's a thorny issue for websites and advertisers that seek to improve advertising revenue by targeting ads based on their assessment of your interests. "Currently over 20% of Firefox users have Enhanced Tracking Protection on. With today's release, we expect to provide protection for 100% of ours users by default," Mozilla said in a blog post Tuesday.
Firefox

Upcoming Firefox Update Will Decrease Power Usage on macOS by Up To Three Times (zdnet.com) 84

Mozilla teased today an upcoming update for Firefox on macOS that it says will reduce power consumption by a factor of up to three. From a report: The primary beneficiaries of this upcoming update are Macbook users, who can now expect longer battery lives while using Firefox. Firefox's increased battery consumption has been a problem for Mozilla, and a black stain on the Firefox Quantum release -- a revamped, performance-centric version of the older Firefox browser. While Firefox Quantum has received praises for its increased page loading speeds, Macbook users haven't been that delighted, especially when they're mobile and have to rely on the notebook's battery as long as possible.
Google

EFF Warns: 'Don't Play in Google's Privacy Sandbox' (eff.org) 52

An EFF analysis looks at the problems with some of Google's new "Privacy Sandbox" proposals, a few of which it calls "downright dangerous": Perhaps the most fleshed-out proposal in the Sandbox is the conversion measurement API. This is trying to tackle a problem as old as online ads: how can you know whether the people clicking on an ad ultimately buy the product it advertised....? Google's ID field can contain 64 bits of information -- a number between 1 and 18 quintillion. This will allow advertisers to attach a unique ID to each and every ad impression they serve, and, potentially, to connect ad conversions with individual users. If a user interacts with multiple ads from the same advertiser around the web, these IDs can help the advertiser build a profile of the user's browsing habits.

Even worse is Google's proposal for Federated Learning of Cohorts (or "FLoC").... FLoC would use Chrome users' browsing history to do clustering. At a high level, it will study browsing patterns and generate groups of similar users, then assign each user to a group (called a "flock"). At the end of the process, each browser will receive a "flock name" which identifies it as a certain kind of web user. In Google's proposal, users would then share their flock name, as an HTTP header, with everyone they interact with on the web. This is, in a word, bad for privacy. A flock name would essentially be a behavioral credit score: a tattoo on your digital forehead that gives a succinct summary of who you are, what you like, where you go, what you buy, and with whom you associate...

If the Privacy Sandbox won't actually help users, why is Google proposing all these changes? Google can probably see which way the wind is blowing. Safari's Intelligent Tracking Prevention and Firefox's Enhanced Tracking Protection have severely curtailed third-party trackers' access to data. Meanwhile, users and lawmakers continue to demand stronger privacy protections from Big Tech. While Chrome still dominates the browser market, Google might suspect that the days of unlimited access to third-party cookies are numbered. As a result, Google has apparently decided to defend its business model on two fronts. First, it's continuing to argue that third-party cookies are actually fine, and companies like Apple and Mozilla who would restrict trackers' access to user data will end up harming user privacy. This argument is absurd. But unfortunately, as long as Chrome remains the most popular browser in the world, Google will be able to single-handedly dictate whether cookies remain a viable option for tracking most users.

At the same time, Google seems to be hedging its bets. The "Privacy Sandbox" proposals for conversion measurement, FLoC, and PIGIN are each aimed at replacing one of the existing ways that third-party cookies are used for targeted ads. Google is brainstorming ways to continue serving targeted ads in a post-third-party-cookie world. If cookies go the way of the pop-up ad, Google's targeting business will continue as usual.

The Sandbox isn't about your privacy. It's about Google's bottom line. At the end of the day, Google is an advertising company that happens to make a browser.

Slashdot Top Deals