Apple, Google, and Mozilla Block Kazakhstan's HTTPS Intercepting Certificate (zdnet.com) 80
Chrome and Firefox Changes Spark the End of 'Extended Validation' Certificates (bleepingcomputer.com) 56
In reality, the different types of SSL/TLS certificates all serve a single purpose and that is to encrypt the communication between a browser and web site. Anything extra is seen by many as just a marketing gimmick to charge customers for a more expensive "trustworthy" certificate. In numerous blog posts, security researcher Troy Hunt has stated that EV Certificates will soon be dead as more and more sites switch away from them, because they are much harder to manage due to extra verification times, and because people have become to associate a padlock with a secure site rather than a company name.
With Safari already removing EV Certificate company info from the address bar, most mobile browsers not showing it, and Chrome and Mozilla desktop browsers soon to remove it, Hunt's predictions are coming true. EV Certificates will soon be dead.
AmiMoJo shared this post from Google's Chromium blog: Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection. Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.
Mozilla Debuts Implementation of WebThings Gateway Open Source Router Firmware (venturebeat.com) 57
Firefox To Warn When Saved Logins are Found in Data Breaches (bleepingcomputer.com) 134
Firefox 68 Arrives With Darker Reader View, Recommended Extensions, and IT Customizations (venturebeat.com) 69
With Firefox 60, Mozilla introduced an enterprise version of the browser that employers can customize. This let IT professionals configure Firefox for their organization, either using Group Policy on Windows or a JSON file that works across Windows, Mac, and Linux. With Firefox 68, Mozilla has added more enterprise policies -- to configure or remove the new tab page, turn off search suggestions, and so on.
Mozilla Blocks UAE Bid To Become an Internet Security Guardian After Hacking Reports (reuters.com) 21
Serious Zoom Security Flaw Could Let Websites Hijack Mac Cameras (theverge.com) 54
Mozilla is Funding a Way To Support Julia in Firefox (zdnet.com) 95
Mozilla engineers have worked in previous years to port data science tools at the browser level, as part of Project Iodide. Previously, as part of this project, Mozilla engineers ported the Python interpreter to run in the browser using WebAssembly. "This project, Pyodide, has demonstrated the practicality of running language interpreters in WebAssembly," Mozilla engineers said.
Mozilla Set To Offer Ad-Free News Consumption Capability on Firefox For $5 Per Month (betanews.com) 94
Privacy-First Browsers Look To Take the Shine Off Google's Chrome (nbcnews.com) 56
And in something of a poetic role reversal, Microsoft is positioning itself to pick up the slack from people who may be fed up with Google's Chrome browser and its questionable privacy practices. Microsoft is expected to release an overhaul of its latest browser, called Edge, in the coming months. Microsoft is just one of a number of companies and organizations looking to take a piece out of Google -- some using the company's own open-source software. One name that might be familiar to most consumers -- Mozilla's Firefox browser -- is also a veteran of the "browser wars" of two decades ago. The nonprofit Mozilla, which has been biting at the heels of leading browsers for most of its existence, is introducing more aggressive privacy settings to try to stand out and take advantage of the privacy stumbles by Google and other tech giants.
Internet Group Brands Mozilla 'Internet Villain' For Supporting DNS Privacy Feature (techcrunch.com) 273
Whenever you visit a website -- even if it's HTTPS enabled -- the DNS query that converts the web address into an IP address that computers can read is usually unencrypted. The security standard is implemented at the app level, making Mozilla the first browser to use DNS-over-HTTPS. By encrypting the DNS query it also protects the DNS request against man-in-the-middle attacks, which allow attackers to hijack the request and point victims to a malicious page instead. DNS-over-HTTPS also improves performance, making DNS queries -- and the overall browsing experience -- faster. But the ISPA doesn't think DNS-over-HTTPS is compatible with the U.K.'s current website blocking regime.
Brave Browser Claims 69x Better Performance For Its Ad-Blocker After Switching From C++ To Rust (zdnet.com) 337
They cite a blog post by Brave performance researcher Dr. Andrius Aucinas and Brave's chief scientist Dr. Ben Livshits: The improvements can be experienced in its experimental developer and nightly channel releases... "We implemented the new engine in Rust as a memory-safe, performant language compilable down to native code and suitable to run within the native browser core as well as being packaged in a standalone Node.js module," the two Brave scientists said. The new engine means the Chromium-based browser can cut the average request classification time down to 5.6 microseconds, a unit of time that's equal to a millionth of one second.
Aucinas and Livshits argue that the micro-improvements in browser performance might not seem significant to end users but do translate to good things for a computer's main processor. "Although most users are unlikely to notice much of a difference in cutting the ad-blocker overheads, the 69x reduction in overheads means the device CPU has so much more time to perform other functions," the pair explain.
Their blog post notes that loading a web page today can be incredibly complex. "Since loading an average website involves 75 requests that need to be checked against tens of thousands of rules, it must also be efficient."
Ask Slashdot: What's Your 'Backup' Browser? (komando.com) 237
But Slashdot reader koavf asks an interesting follow-up question: "What's everyone's go-to Plan B browser and why?"
To start the conversation, here's how James Gelinas (a contributor at Kim Komando's tech advice site) recently reviewed the major browsers:
- He calls Chrome "a safe, speedy browser that's compatible with nearly every page on the internet" but also says that Chrome "is notorious as a resource hog, and it can drastically slow your computer down if you have too many tabs open."
"Additionally, the perks of having your Google Account connected to your browser can quickly turn into downsides for the privacy-minded among is. If you're uncomfortable with your browser knowing your searching and spending behaviors, Chrome may not be the best choice for you."
- He calls Firefox "the choice for safety".
"Predating Chrome by 6 years, Firefox was the top choice for savvy Netizens in the early Aughts. Although Chrome has captured a large segment of its user base, that doesn't mean the Fox is bad. In fact, Mozilla is greatly appreciated by fans and analysts for its steadfast dedication to user privacy... Speedwise, Firefox isn't a slouch either. The browser is lighter weight than Chrome and is capable of loading some websites even faster."
- He calls Apple's Safari and Microsoft Edge "the default choice...because both of these browsers come bundled with new computers."
"Neither one has glaring drawbacks, but they tend to lack some of the security features and extensions found in more popular browsers. Speedwise, however, both Edge and Safari are able to gain the upper hand against their competition. When it comes to startup time and functions, the apps are extremely lightweight on your system's resources. This is because they're part of the Mac and Window's operating systems, respectively, and are optimized for performance in that environment."
Finally, he gives the Tor browser an honorable mention. ("It's still one of the best anonymous web browsers available. It's so reliable, in fact, that people living under repressive governments often turn to it for their internet needs -- installing it on covert USB sticks to use on public computers.") And he awards a "dishonorable mention" to Internet Explorer. ("Not only is the browser no longer supported by Microsoft, but it's also vulnerable to a host of malware and adware threats.")
But what do Slashdot's readers think? Putting aside your primary desktop browser -- what's your own go-to "Plan B" web browser, and why? Leave your best answers in the comments.
What's your "backup" browser?
Firefox To Get a Random Password Generator, Like Chrome and Safari (zdnet.com) 51
Mozilla Launches GeckoView-Powered Firefox Preview For Android (venturebeat.com) 62
On desktop, Firefox is the second most popular browser after Chrome. Firefox holds about 10% desktop market share, according to Net Applications. On mobile, however, Firefox has less than 0.5% share. Despite regular releases alongside the desktop browser over the years, Firefox's mobile share has not improved.
Firefox Will Give You a Fake Browsing History To Fool Advertisers (vice.com) 177
Firefox Zero-Day Was Used In Attack Against Coinbase Employees, Not Its Users (zdnet.com) 40
The question here is how an attacker managed to get hold of the details for the RCE vulnerability and use it for his attacks after the vulnerability was privately reported to Mozilla by Google. The attacker could have found the Firefox RCE on his own, he could have bribed a Mozilla/Google insider, hacked a Mozilla/Google employee and viewed details about the RCE, or hacked Mozilla's bug tracker, like another attacker did in 2015.
Google Launches Chrome Extension For Flagging Bad URLs To the Safe Browsing Team (zdnet.com) 26
A New Hidden Way of Web Browser Profiling, Identification and Tracking (theregister.co.uk) 72
The researchers recently presented a paper titled "JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits," which The Register says "calls into question the effectiveness of anonymized browsing and browser privacy extensions... "
Long-time Slashdot reader Artem S. Tashkinov shared their report: One of the side-channel attacks developed for JavaScript Template Attacks involve measuring runtime differences between two code snippets to infer the underlying instruction set architecture through variations in JIT compiler behavior. The other involves measuring timing differences in the memory allocator to infer the allocated size of a memory region.
The boffins' exploration of the JavaScript environment reveals not only the ability to fingerprint via browser version, installed privacy extension, privacy mode, operating system, device microarchitecture, and virtual machine, but also the properties of JavaScript objects. And their research shows there are far more of these than are covered in official documentation. This means browser fingerprints have the potential to be far more detailed -- have more data points -- than they are now.
The Mozilla Developer Network documentation for Firefox, for example, covers 2,247 browser properties. The researchers were able to capture 15,709. Though not all of these are usable for fingerprinting and some represent duplicates, they say they found about 10,000 usable properties for all browsers.