Mozilla

Mozilla Debuts Its New Firefox Logos (venturebeat.com) 90

An anonymous reader writes: Mozilla today introduced a new Firefox family of logos, a rebranding effort it kicked off more than 18 months ago. For most people, Firefox refers to a browser, but the company now wants the brand to encompass the entire Firefox family of apps and services. "The 'Firefox' you've always known as a browser is stretching to cover a family of products and services united by putting you and your privacy first," Mozilla explained. "Firefox is a browser AND an encrypted service to send huge files. It's an easy way to protect your passwords on every device AND an early warning if your email has been part of a data breach. Safe, private, eye-opening. That's just the beginning of the new Firefox family."
Firefox

A 'Premium' Firefox Is Coming This Fall (i-programmer.info) 269

An anonymous reader quotes I Programmer: In an interview by Jan Vollmer for the German online magazine site t3n, Mozilla CEO Chris Beard has confirmed plans to launch Firefox Premium later this year. Answering Vollmer's questions about how Mozilla is currently monetized Beard answered:

We are working on three sources of income and we want to rebalance them: We have Search, but we also make content. We have a company called Pocket that discovers and curates content. There is also sponsored content. This is the content business. And the third one we are working on and developing as we think about products and services are premium levels for some of these offerings. You can imagine something like a secure storage solution.

Prompted to say more about a premium offer, he continued:

We also tested VPN. We can tell if you're on a public Wi-Fi network and want to do online banking and say, "Wow, you really should use VPN." You can imagine we'll offer a solution that gives us all a certain amount of free VPN Bandwidth and then offer a premium level over a monthly subscription. We want to add more subscription services to our mix and focus more on the relationship with the user to become more resilient in business issues.

Later in the interview, when asked when the subscription services might start Beard tries to be reassuring, saying:

So, what we want to clarify is that there is no plan to charge money for things that are now free. So we will roll out a subscription service and offer a premium level. And the plan is to introduce the first one this year, towards fall. We aim for October.

Firefox

Firefox Starts Blocking Third-Party Cookies By Default (venturebeat.com) 51

An anonymous reader quotes a report from VentureBeat: Mozilla today announced a slew of privacy improvements. The company has turned on Enhanced Tracking Protection, which blocks cookies from third-party trackers in Firefox, by default. Mozilla has also improved its Facebook Container extension, released a Firefox desktop extension for its rebranded Lockwise password keeper, and updated Firefox Monitor with a dashboard for multiple email addresses.

If you download a fresh copy of Firefox today, Enhanced Tracking Protection will be on by default as part of the Standard setting. That means third-party tracking cookies are blocked without users having to change a thing. You will notice Enhanced Tracking Protection working if there is a shield icon in the address bar. If you click on the shield icon and open the Content Blocking section and then Cookies, you'll see a Blocking Tracking Cookies section. There you can see the companies listed as third-party cookies and trackers that Firefox has blocked. You can also turn off blocking for a specific site. The feature focuses on third-party trackers (the ad industry) while allowing first-party cookies (logins, where you last left off, and so on). Mozilla says it is enabling Enhanced Tracking Protection by default because most users don't change their browser settings.

Firefox

Firefox Starts Blocking Third-Party Cookies By Default (venturebeat.com) 69

An anonymous reader writes: Mozilla today announced a slew of privacy improvements. The company has turned on Enhanced Tracking Protection, which blocks cookies from third-party trackers in Firefox, by default. Mozilla has also improved its Facebook Container extension, released a Firefox desktop extension for its rebranded Lockwise password keeper, and updated Firefox Monitor with a dashboard for multiple email addresses. Mozilla added basic Tracking Protection to Firefox 42's private browsing mode in November 2015. The feature blocked website elements (ads, analytics trackers, and social share buttons) based on Disconnect's tracking protection rules. With the release of Firefox 57 in November 2017, Mozilla added an option to enable Tracking Protection outside of private browsing. (Tracking Protection was not turned on by default because it can break websites and cut off revenue streams for content creators who depend on third-party advertising.)
Chrome

Google's Chrome Becomes Web 'Gatekeeper' and Rivals Complain (bloomberg.com) 207

Few home-grown Google products have been as successful as Chrome. Launched in 2008, it has more than 63% of the market and about 70% on desktop computers, according to StatCounter data. Mozilla's Firefox is far behind, while Apple's Safari is the default browser for iPhones. Microsoft's Internet Explorer and Edge browsers are punchlines. From a report: Google won by offering consumers a fast, customizable browser for free, while embracing open web standards. Now that Chrome is the clear leader, it controls how the standards are set. That's sparking concern Google is using the browser and its Chromium open-source underpinnings to elbow out online competitors and tilt entire industries in its favor. Most major browsers are now built on the Chromium software code base that Google maintains. Opera, an indie browser that's been used by techies for years, swapped its code base for Chromium in 2013. Even Microsoft is making the switch this year. That creates a snowball effect, where fewer web developers build for niche browsers, leading those browsers to switch over to Chromium to avoid getting left behind.

This leaves Chrome's competitors relying on Google employees who do most of the work to keep Chromium software code up to date. Chromium is open source, so anyone can suggest changes to it, but the majority of programmers who approve contributions are Google employees, and any major disagreements get settled by a small circle of senior Google employees. Chrome is so ascendant these days that web developers often don't bother to test their sites on competing browsers. Google services including YouTube, Docs and Gmail sometimes don't work as well on rival browsers, sending frustrated users to Chrome. Instead of just another ship slicing through the sea of the web, Chrome is becoming the ocean.

Firefox

Firefox 67 Arrives With New Performance and Privacy Features, Voice Search Widget on Android (venturebeat.com) 121

Mozilla today launched Firefox 67 for Windows, Mac, Linux, and Android. From a report: The 10th release since Mozilla's big Firefox Quantum launch in November 2017 doubles down on performance and privacy. Firefox 67 includes deprioritizing least commonly used features, suspending unused tabs, faster startup, blocking of cryptomining and fingerprinting, Private Browsing improvements, voice input in the Android search widget, and more. [...] Firefox 67 is better at performing tasks at the optimal time, resulting in faster "painting" of the page. Specifically, the browser deprioritizes least commonly used features and delays set Timeout to prioritize scripts for things you need. Mozilla says Instagram, Amazon, and Google searches now execute between 40% and 80% faster. Firefox also now scans for alternative style sheets after page load and doesn't load the auto-fill module unless there is a form to complete. Next, Firefox 67 detects if your computer's memory is running low (under 400MB) and suspends unused tabs. If you do click on a tab that you haven't used or looked at in a while, it will reload where you left off. Finally, Firefox 67 promises faster startup for users that customized their browser with an add-on.
Java

Mozilla, Cloudflare, Facebook and Others Propose BinaryAST For Faster JavaScript Load Times 125

Developers at Mozilla, Facebook, Cloudflare, and elsewhere have been drafting "BinaryAST" as a new over-the-wire format for JavaScript. From a report: BinaryAST is a binary representation of the original JavaScript code and associated data structures to speed-up the parsing of the code at the page load time compared to the JavaScript source itself. The binary abstract syntax tree format should lead to faster script loading across all web devices. Numbers related today by CloudFlare range from a 4% to 13% drop in load times compared to parsing conventional JavaScript source. Or if taking a "lazified" approach to skip unused functions, it can be upwards of 98% less time necessary. You can read more about it here.
Firefox

Mozilla To Track Infrastructure Time-Bombs in Wake of Recent Firefox Armagadd-on (zdnet.com) 123

In the wake of the mass disablement of Mozilla Firefox's add-on ecosystem last weekend, Mozilla has committed to improving its asset tracking and developing a mechanism that can quickly push updates to users when needed. From a report: Due to an intermediate certificate expiring on May 4 at 1AM UTC, users found their browser add-ons were switched off and could not be re-enabled. Thanks to timezones and the rotation of the planet, users on the western side of the Pacific were the first hit. Writing in a blog post, Firefox CTO Eric Rescorla detailed some initial thoughts and announced a formal post-mortem would be published next week. "First, we should have a much better way of tracking the status of everything in Firefox that is a potential time bomb and making sure that we don't find ourselves in a situation where one goes off unexpectedly. We're still working out the details here, but at minimum we need to inventory everything of this nature," Rescorla wrote. "Second, we need a mechanism to be able to quickly push updates to our users even when -- especially when -- everything else is down.
Chrome

Google Chrome To Support Same-Site Cookies, Get Anti-Fingerprinting Protection (zdnet.com) 57

Google plans to add support for two new privacy and security features in Chrome, namely same-site cookies and anti-fingerprinting protection. From a report: The biggest change that Google plans to roll out is in regards to how it treats cookie files. These new controls will be based on a new IETF standard that Chrome and Mozilla developers have been working on for more than three years. This new IETF specification describes a new attribute that can be set inside HTTP headers. Called "SameSite," the attribute must be set by the website owner and should describe the situations in which a site's cookies can be loaded.

[...] Google engineers also announced a second major new privacy feature for Chrome. According to Google, the company plans to add support for blocking certain types of "user fingerprinting" techniques that are being abused by online advertisers. Google didn't go into details of what types of user fingerprinting techniques it was planning to block. It is worth mentioning that there are many, which range from scanning locally installed system fonts to abusing the HTML5 canvas element, and from measuring a user's device screen size to reading locally installed extensions.

Google

Google Prepares To Launch New Privacy Tools To Limit Cookies (wsj.com) 48

Google is set to launch new tools to limit the use of tracking cookies, a move that could strengthen the search giant's advertising dominance and deal a blow to other digital-marketing companies, WSJ reported Monday, citing people familiar with the matter. [Editor's note: the link may be paywalled; alternative source.] From the report: After years of internal debate, Google could as soon as this week roll out a dashboard-like function in its Chrome browser that will give internet users more information about what cookies are tracking them and offer options to fend them off, the people said. This is a more incremental approach than less-popular browsers, such as Apple's Safari and Mozilla's Firefox, which introduced updates to restrict by default the majority of tracking cookies in 2017 and 2018, respectively. Google's move, which could be announced at its developer conference in Mountain View, Calif., starting Tuesday, is expected to be touted as part of the company's commitment to privacy -- a complicated sell, given the torrent of data it continues to store on users -- and press its sizable advantage over online-advertising rivals.
Firefox

Second Firefox Fix Repairs Broken Browser Extensions For More People (cnet.com) 158

An anonymous reader quotes CNET: "Mozilla on Sunday began distributing new Firefox updates to fix a problem that broke extensions for many browser users on Friday," reports CNET: Mozilla had released an update Saturday, but Sunday's fix should help more people who were still affected. "There are some issues we're still working on, but we wanted to get this release out and get your add-ons back up & running before Monday," Mozilla said in a tweet Sunday... "No active steps need to be taken to make add-ons work again. In particular, please do not delete and/or reinstall any add-ons as an attempt to fix the issue," Kev Needham, Mozilla's product manager for add-ons, said in a blog post about the problem.
Firefox

A Glitch Is Breaking All Firefox Extensions (techcrunch.com) 311

Did you just open Firefox only to find all of your extensions disabled and/or otherwise not working? You're not alone, and it's nothing you did. From a report: Reports are pouring in of a glitch that has spontaneously disabled effectively all Firefox extensions. Each extension is now being listed as a "legacy" extension, alongside a warning that it "could not be verified for use in Firefox and has been disabled." A ticket submitted to Mozilla's Bugzilla bug tracker first hit at around 5:40 PM Pacific, and suggests the sudden failure is due to a code signing certificate built into the browser that expired just after 5 PM (or midnight on May 4th in UTC time). Because the glitch stems from an underlying certificate, re-installing extensions won't work -- if you try, you'll likely just be met with a different error message. Getting extensions back for everyone is going to require Mozilla to issue a patch.
UPDATE (5/5/2019): On Sunday Firefox released the second of two weekend updates to address the problem, tweeting that "There are some issues we're still working on, but we wanted to get this release out and get your add-ons back up & running before Monday."
Firefox

Mozilla Says It Will Ban Firefox Add-ons With Obfuscated Code (betanews.com) 148

DarkRookie2 writes: As Mozilla continues to try to make it safer than ever to use Firefox, the organization has updated its Add-on Policy so that any updates that include obfuscated code are explicitly banned. Mozilla has also set out in plain terms its blocking process for add-ons and extensions. While there is nothing surprising here, the clarification should mean that there are fewer causes for disputes when an add-on is blocklisted. The updated Add-on policy comes into force on June 10, so add-on developers have a little more than a month to take note of the changes and comply. Mozilla says that the move is designed to help it better deal with malicious extensions. Mozilla also plans to be more aggressive towards taking down extensions that break its policies, with a heavy focus on security issues. ZDNet adds: [...] Starting with June 10, Mozilla's team will also be more aggressive in blocking and disabling Firefox add-ons in users' browsers that are found to be violating one of the company's policies."We will continue to block extensions for intentionally violating our policies, critical security vulnerabilities, and will also act on extensions compromising user privacy or circumventing user consent or control," Nieman said.
Android

KaiOS Takes on the iOS-Android Mobile Duopoly (economist.com) 58

An anonymous reader shares a report: Firefox browser made by the non-profit Mozilla Foundation, was born as "Phoenix." It rose from the ashes of Netscape Navigator, slain by Microsoft's Internet Explorer. In 2012 Mozilla created Firefox OS, to rival Apple's iOS and Google's Android mobile operating systems. Unable to compete with the duopoly, Mozilla killed the project. Another phoenix has arisen from it [Editor's note: the link may be paywalled]. KaiOS, an operating system conjured from the defunct software, powered 30m devices in 2017 and another 50m in 2018. Most were simple flip-phones sold in the West for about $80 apiece, or even simpler ones which Indians and Indonesians can have for as little as $20 or $7, respectively.

Smartphones start at about $100. The company behind the software, also called KaiOS and based in Hong Kong, designed it for smart-ish phones -- with an old-fashioned number pad and long battery life, plus 4G connectivity, popular apps such as Facebook and modern features like contactless payments, but not snazzy touchscreens. Most such devices are found in India. Reliance Jio, a network that has upended the local mobile industry with heavily discounted 4G data plans, sells subsidised, Jio-branded phones that use KaiOS software. Google, which invested $22m in Kaios last year, prioritises getting people in emerging markets online, where it can sell their attention to advertisers, over getting them onto Android smartphones. Smart-ish phones help with this.

Mozilla

Mozilla Highlights AI Bias and 'Addiction by Design' Tech in Internet Health Report (venturebeat.com) 42

Mozilla this week released the 2019 Internet Health Report, an analysis that brings together insights from 200 experts to examine issues central to the future of the internet. From a report: This year's report chose to focus primarily on injustice perpetuated by artificial intelligence; what NYU's Natasha Dow Schull calls "addiction by design" tech, like social media apps and smartphones; and the power of city governments and civil society "to make the internet healthier worldwide." The Internet Health Report is not designed to issue the web a bill of health, rather it is intended as a call to action that urges people to "embrace the notion that we as humans can change how we make money, govern societies, and interact with one another online."

[...] The modern AI agenda, the report's authors assert, is shaped in part by large tech companies and China and the United States. The report calls particular attention to Microsoft and Amazon's sale of facial recognition software to immigration and law enforcement agencies. The authors point to the work of Joy Buolamwini, whom Fortune recently named "the conscience of the AI revolution." Through audits published by Buolamwini and others in the past year, facial recognition software technology from Microsoft, Amazon's AWS, and other tech companies was found to be less capable of recognizing people with dark skin, particularly women of color.

Programming

Why Modern C++ Still Isn't As Safe As Memory-Safe Languages Like Rust and Swift (alexgaynor.net) 463

Alex Gaynor is a software engineer at Mozilla working on Firefox, after previously serving as a director of both the Python Software Foundation and the Django Software Foundation.

In a new blog post today, he argues that memory unsafe languages, "principally C and C++," induce an exceptional number of security vulnerabilities, and that the industry needs to migrate to memory-safe languages like Rust and Swift by default. One of the responses I frequently receive is that the problem isn't C and C++ themselves, developers are simply holding them wrong. In particular, I often receive defenses of C++ of the form, "C++ is safe if you don't use any of the functionality inherited from C" or similarly that if you use modern C++ types and idioms you will be immune from the memory corruption vulnerabilities that plague other projects. I would like to credit C++'s smart pointer types, because they do significantly help. Unfortunately, my experience working on large C++ projects which use modern idioms is that these are not nearly sufficient to stop the flood of vulnerabilities...

Modern C++ idioms introduce many changes which have the potential to improve security: smart pointers better express expected lifetimes, std::span ensures you always have a correct length handy, std::variant provides a safer abstraction for unions. However modern C++ also introduces some incredible new sources of vulnerabilities: lambda capture use-after-free, uninitialized-value optionals, and un-bounds-checked span.

My professional experience writing relatively modern C++, and auditing Rust code (including Rust code that makes significant use of unsafe) is that the safety of modern C++ is simply no match for memory safe by default languages like Rust and Swift (or Python and JavaScript, though I find it rare in life to have a program that makes sense to write in either Python or C++). There are significant challenges to migrating existing, large, C and C++ codebases to a different language -- no one can deny this. Nonetheless, the question simply must be how we can accomplish it, rather than if we should try.

The post highlights what he describes as "completely modern C++ idioms which produce vulnerabilities" -- including an example of dangling pointers "despite our meticulous use of smart pointers throughout..."

"Even with the most modern C++ idioms available, the evidence is clear that, at scale, it's simply not possible to hold C++ right."
Chrome

Did Google Sabotage Firefox and IE? (zdnet.com) 231

Firefox's former VP accused Google of sabotaging Firefox -- for example, when Gmail and Google Docs "started to experience selective performance issues and bugs on Firefox" and demo sites "would falsely block Firefox as 'incompatible'... There were dozens of oopses. Hundreds maybe... [W]hen you see a sustained pattern of 'oops' and delays from this organization -- you're being outfoxed."

Now Nightingale's accusations have stirred up some follow-up from technology reporters. An anonymous reader shares a blog post by ZDNet security reporter Catalin Cimpanu: Nightingale is not the first Firefox team member to come forward and make such accusations. In July 2018, Mozilla Program Manager Chris Peterson accused Google of intentionally slowing down YouTube performance on Firefox. He revealed that both Firefox and Edge were superior when loading YouTube content when compared to Chrome, and in order to counteract this performance issue, Google switched to using a JavaScript library for YouTube that they knew wasn't supported by Firefox.

At this point, it's very hard not to believe or take Nightingale's comments seriously. Slowly but surely, Google is becoming the new Microsoft, and Chrome is slowly turning into the new IE, an opinion that more and more users are starting to share.
On Twitter, a senior editor at the Verge added "Google did a lot of 'oops' accidents to Windows Phone, too. Same pattern of behavior with its services and Edge. Oopsy this, oopsy that." The site MSPowerUser also shares a similar story from former Microsoft Edge intern, Joshua Bakita. "I very recently worked on the Edge team, and one of the reasons we decided to end EdgeHTML was because Google kept making changes to its sites that broke other browsers, and we couldn't keep up."

Meanwhile, Computerworld argues that data "backs up Nightingale's admission, to a point." [I]f Google monkey business contributed to Firefox's fall, it must have really damaged Microsoft's IE. During the time it took Chrome to replace Firefox as the No. 2 browser, Firefox lost just 9% of its user share, while IE shed 22%. And Chrome's most explosive growth - which began in early 2016 - didn't come at Firefox's expense; instead, it first hollowed out IE, then suppressed any potential enthusiasm for the follow-on Edge.

Chrome didn't reach its current place -- last month capturing nearly 68% of all browser activity -- by raiding Firefox. It did it by destroying IE.

Oops.

Google

'Some Cheers, A Few Sneers For Google's URL Solution For AMP' (theverge.com) 104

The Verge explains what all the commotion is about: AMP stands for "Accelerated Mobile Pages," and you've probably noticed that those pages load super quickly and usually look much simpler than regular webpages. You may have also noticed that the URL at the top of your browser started with "www.google.com/somethingorother" instead of with the webpage you thought you were visiting. Google is trying to fix that by announcing support for something called "Signed Exchanges." What it should mean is that when you click on one of those links, your URL will be the original, correct URL for the story. Cloudflare is joining Google in supporting the standard for customers who use its services.

In order for this thing to work, every step in the chain of technologies involved in loading the AMP format has to support Signed Exchanges, including your browser, the search engine, and the website that published the link. Right now, that means the URL will be fixed only when a Chrome browser loads a Google search link to a published article that has implemented support.

Mozilla'a official position on signed exchanges is they're "harmful," arguing in a 51-page position paper that there's both security and privacy considerations. Pierre Far, a former Google employee, posted on Twitter that the change "breaks many assumptions about how the web works," and that in addition, "Google is acting too quickly. Other browsers and internet stakeholders have well-founded concerns, and the correct mechanism to address them is the standardization process. Google skipped all that. Naughty." Jeffrey Yaskin, from Chrome's web platform team, even acknowledged that criticism with a tweet of his own. "I think it's fair to say we're pushing it. The question is our motives, which I claim is to improve the web rather than to 'all your base' it, but I would say that either way."

Search Engine Land cited both tweets, and shared some concerns of their own. "The compromise we have to consider before getting on board with Signed HTTP Exchanges is whether we're willing to allow a third party to serve up our content without users being able to tell the difference.

"If we, as digital marketers, want to influence the conventions of our future work environment, we'll have to decide if the gains are enough to disrupt long-standing assumptions of how websites are delivered. If so, we'll also have to cede the ability to judge user intent over to Google and swallow the fact that it skipped over the standardization process to implement a process that one of its own created."
Python

Mozilla To Bring Python To Browsers (venturebeat.com) 111

An anonymous reader quotes a report from VentureBeat: In a step toward its goal of building out a data science development stack for web browsers, Mozilla today detailed Pyodide, an experimental Python project that's designed to perform computation without the need for a remote kernel (i.e., a program that runs and inspects code). As staff data engineer Mike Droettboom explained in a blog post, it's a standard Python interpreter that runs entirely in the browser. And while Pyodide isn't exactly novel -- projects like Transcrypt, Brython, Skulpt, and PyPyJs are among several efforts to bring Python to browsers -- it doesn't require a rewrite of popular scientific computing tools (like NumPy, Pandas, Scipy, and Matplotlib) to achieve adequate performance, and its ability to convert built-in data types enables interactions among browser APIs and other JavaScript libraries.

Pyodide is built on WebAssembly, a low-level programming language that runs with near-native performance, and emscripten (specifically a build of Python for emscripten dubbed "cpython-emscripten"), which comprises a compiler from C and C++ to WebAssembly and a compatibility layer. Emscripten additionally provides a virtual file system (written in JavaScript) that the Python interpreter can use, in which files disappear when the browser tab is closed. To use Pyodide, you'll need the compiled Python interpreter as WebAssembly, JavaScript from emscripten (which provides the system emulation), and a packaged file system containing the files required by the Python interpreter. Once all three components are downloaded, they'll be stored in your browser's cache, obviating the need to download them again.
The report notes that "the Python interpreter inside the JavaScript virtual machine runs between one to 12 times slower in Firefox and up to 16 times slower on Chrome."
Mozilla

Mozilla Wants Apple To Change Users' iPhone Advertiser ID Every Month (zdnet.com) 101

Mozilla has launched a petition today to get Apple to rotate the IDFA unique identifier of iOS users every month. From a report: The purpose of this request is to prevent online advertisers from creating profiles that contain too much information about iOS users. IDFA stands for "IDentifier For Advertisers" and is a per-device unique ID. Apps running on a device can request access to this ID and relay the number to advertising SDKs/partners they use to show ads to their users. As experts from Singular, a mobile marketing firm explain, "IDFAs take the place of cookies in mobile advertising delivered to iOS devices because cookies are problematic in the mobile world." IDFAs are different from UDIDs, which stand for "unique device identifiers," which are permanent and unchangeable device identifiers. Apple added support for IDFAs specifically to replace UDIDs, which many apps were collecting for all sorts of shady reasons, enabling pervasive tracking of iOS users.

Slashdot Top Deals