An anonymous reader shares a report: Mozilla is not happy with Facebook. Not happy at all. Having already started a petition to try to force the social network to do more about user privacy, the company has now decided to withdraw its advertising from the platform. The organization is voting with its money following the misuse of user data by Cambridge Analytica, as it tries to force Facebook into taking privacy more seriously. Mozilla says that it is not happy to financially support a platform that does not do enough to protect user privacy. But the company is not severing ties completely. It says that advertising is being "paused" and that if the right steps are taken by Facebook "we'll consider returning."

An anonymous reader shares a report: After it was revealed that the personal data of 50 million Facebook users was shared without consent, Mozilla is calling on the social network to ensure that user privacy is protected by default, particularly when it comes to apps.

Ashley Boyd, Mozilla's vice president of advocacy, says that billions of Facebook users are unknowingly at risk of having their data passed on to third parties. He says: "If you play games, read news or take quizzes on Facebook, chances are you are doing those activities through third-party apps and not through Facebook itself. The default permissions that Facebook gives to those third parties currently include data from your education and work, current city and posts on your timeline."

Catalin Cimpanu, writing for BleepingComputer: For at past nine years, Mozilla has been using an insufficiently strong encryption mechanism for the "master password" feature. Both Firefox and Thunderbird allow users to set up a "master password" through their settings panel. This master password plays the role of an encryption key that is used to encrypt each password string the user saves in his browser or email client. Experts have lauded the feature because up until that point browsers would store passwords locally in cleartext, leaving them vulnerable to malware or attackers with physical access to a victim's computer. But Wladimir Palant, the author of the AdBlock Plus extension, says the encryption scheme used by the master password feature is weak and can be easily brute-forced. "I looked into the source code," Palant says, "I eventually found the sftkdb_passwordToKey() function that converts a [website] password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password."

Firefox is working on a blocker for annoying in-page alerts that often ask you to input your email address to receive a newsletter from the site. "The feature is still in the planning stages, but Mozilla is asking users for any examples of sites with annoying pop-ups," reports Android Police. "Mozilla wants to make Firefox automatically detect and dismiss the popups." From the report: If you know of sites that use in-page popups (whether it be newsletter signups, surveys, or something else), you can fill out the survey here. There are also Firefox and Chrome extensions that make the process easier. I'll be interested to see how Mozilla pulls this off, it will no doubt be difficult to detect the difference between helpful and not-helpful popups.

Stack Overflow has released the results of its annual survey of 100,000 developers, revealing the most-popular, top-earning, and preferred programming languages. ArsTechnica: JavaScript remains the most widely used programming language among professional developers, making that six years at the top for the lingua franca of Web development. Other Web tech including HTML (#2 in the ranking), CSS (#3), and PHP (#9). Business-oriented languages were also in wide use, with SQL at #4, Java at #5, and C# at #8. Shell scripting made a surprising showing at #6 (having not shown up at all in past years, which suggests that the questions have changed year-to-year), Python appeared at #7, and systems programming stalwart C++ rounded out the top 10.

These aren't, however, the languages that developers necessarily want to use. Only three languages from the most-used top ten were in the most-loved list; Python (#3), JavaScript (#7), and C# (#8). For the third year running, that list was topped by Rust, the new systems programming language developed by Mozilla. Second on the list was Kotlin, which wasn't even in the top 20 last year. This new interest is likely due to Google's decision last year to bless the language as an official development language for Android. TypeScript, Microsoft's better JavaScript than JavaScript comes in at fourth, with Google's Go language coming in at fifth. Smalltalk, last year's second-most loved, is nowhere to be seen this time around. These languages may be well-liked, but it looks as if the big money is elsewhere. Globally, F# and OCaml are the top average earners, and in the US, Erlang, Scala, and OCaml are the ones to aim for. Visual Basic 6, Cobol, and CoffeeScript were the top three most-dreaded, which is news that will surprise nobody who is still maintaining Visual Basic 6 applications thousands of years after they were originally written.

An anonymous reader shares a VentureBeat report: Mozilla today launched Firefox 59 for Windows, Mac, Linux, and Android. The release builds on Firefox Quantum, which the company calls "by far the biggest update since Firefox 1.0 in 2004." Version 59 brings faster page load times, private browsing mode that strips path information, and Android Assist. In related news, Mozilla is giving Amazon Fire TV owners a new design later this week that lets them save their preferred websites by pinning them to the Firefox home screen. Enterprise users also have something to look forward to: On Wednesday, Firefox Quantum for Enterprise is entering the beta phase. Firefox 59 for the desktop is available for download now on Firefox.com, and all existing users should be able to upgrade to it automatically. As always, the Android version is trickling out slowly on Google Play.

Stating with Firefox 60 -- expected to be released in May 2018 -- websites won't be able to use Firefox to access data from sensors that provide proximity distances and ambient light information. From a report: Firefox was allowing websites to access this data via the W3C Proximity and Ambient Light APIs. But at the start of the month, Mozilla engineers decided to disable access to these two APIs by default. The APIs won't be removed, but their status is now controlled by two Firefox flags that will ship disabled by default. This means users will have to manually enable the two flags before any website can use Firefox to extract proximity and ambient light data from the device's underlying sensors. The two flags will be available in Firefox's about:config settings page. The screenshot below shows the latest Firefox Nightly version, where the two flags are now disabled, while other sensor APIs are enabled.

CNET reports: Mozilla launched the faster Quantum version of its Firefox browser last fall in a bid to restore the nonprofit's reach and influence. Now, the leader of that effort has been promoted to oversee all Mozilla products. Mark Mayo, formerly senior vice president of Firefox, is now Mozilla's chief product officer, CNET has learned. That means he's taking over more projects, including the Pocket tool and mobile app. Pocket lets people save websites they'd like to revisit, but Mozilla also plans to use the resulting data to help recommend interesting or useful sites to Firefox users. In addition, Mozilla has promoted Denelle Dixon, formerly head of business and legal work, to chief operations officer. She's overseen an effort to diversify Mozilla revenue sources, including through the Pocket acquisition in February 2017.

An anonymous reader quotes a report from The Hill: Six technology companies, including Kickstarter, Foursquare and Etsy, have launched a lawsuit against the Federal Communications Commission (FCC) in an effort to preserve net neutrality rules. The companies, which also include Shutterstock, Expa and Automattic, on Monday filed their petition with the U.S. Court of Appeals for the District of Columbia Circuit. The companies join Vimeo and Mozilla, as well as several state attorneys general who have also filed lawsuits against the FCC in support of the net neutrality rules. Like the other lawsuits, their new case hinges on the Administrative Procedure Act, which they argue prevents the FCC from "arbitrary and capricious" redactions to already existing policy. "Already, over 30,000 Etsy sellers participated in the FCC's public comment process, and tens of thousands more reached out to Congress in support of net neutrality. Now we're bringing their stories and experiences to the courts," said Althea Erickson, head of advocacy and impact at Etsy.

An anonymous reader quotes Ars Technica: A major dust-up on an Internet discussion forum is touching off troubling questions about the security of some browser-trusted HTTPS certificates when it revealed the CEO of a certificate reseller emailed a partner the sensitive private keys for 23,000 TLS certificates. The email was sent on Tuesday by the CEO of Trustico, a UK-based reseller of TLS certificates issued by the browser-trusted certificate authorities Comodo and, until recently, Symantec...

In communications earlier this month, Trustico notified DigiCert that 50,000 Symantec-issued certificates Trustico had resold should be mass revoked because of security concerns. When Jeremy Rowley, an executive vice president at DigiCert, asked for proof the certificates were compromised, the Trustico CEO emailed the private keys of 23,000 certificates, according to an account posted to a Mozilla security policy forum. The report produced a collective gasp among many security practitioners who said it demonstrated a shockingly cavalier treatment of the digital certificates that form one of the most basic foundations of website security... In a statement, Trustico officials said the keys were recovered from "cold storage," a term that typically refers to offline storage systems. "Trustico allows customers to generate a Certificate Signing Request and Private Key during the ordering process," the statement read. "These Private Keys are stored in cold storage, for the purpose of revocation."
"There's no indication the email was encrypted," reports Ars Technica, and the next day DigiCert sent emails to Trustico's 23,000+ customers warning that their certificates were being revoked, according to Bleeping Computer.

In a related development, Thursday Trustico's web site went offline, "shortly after a website security expert disclosed a critical vulnerability on Twitter that appeared to make it possible for outsiders to run malicious code on Trustico servers."

Martin Brinkmann, writing for Ghacks: The most recent version of Firefox Nightly, currently at version 60, comes with changes to Firefox's cookie management. Mozilla merged cookie settings with site data in the web browser which impacts how you configure and manage cookie options. If you run Firefox 59 or earlier, you can load about:preferences#privacy to manage privacy related settings in Firefox. If you set the history to "use custom settings for history" or "remember history", you get an option manage cookie settings and to remove individual cookies from Firefox. A click on the link or button opens a new browser window in which all set cookies are listed. You can use it to find set cookies, look up information, remove selected or all cookies. Mozilla engineers changed this in recent versions of Firefox 60 (currently on the Nightly channel).

An anonymous reader quotes a report from Reuters: A coalition of 22 state attorneys general and the District of Columbia on Thursday refiled legal challenges intended to block the Trump administration's repeal of landmark rules designed to ensure a free and open internet from taking effect. The Federal Communications Commission officially published its order overturning the net neutrality rules in the Federal Register on Thursday, a procedural step that allows for the filing of legal challenges. The states, along with web browser developer Mozilla and video-sharing website Vimeo, had filed petitions preserving their right to sue in January, but agreed to withdraw them last Friday and wait for the FCC's publication. The attorneys general argue that the FCC cannot make "arbitrary and capricious" changes to existing policies and that it misinterpreted and disregarded "critical record evidence on industry practices and harm to consumers and businesses." The White House Office of Management and Budget still must sign off on some aspects of the FCC reversal before it takes legal effect. That could take months.

The most recent Linux Questions poll results are in. Steven J. Vaughan-Nichols, writing for ZDNet: LinuxQuestions, one of the largest internet Linux groups with 550,000 members, has just posted the results from its latest survey of desktop Linux users. In the always hotly-contested Linux desktop environment survey, the winner was the KDE Plasma Desktop. It was followed by the popular lightweight Xfce, Cinnamon, and GNOME. If you want to buy a computer with pre-installed Linux, the Linux Questions crew's favorite vendor by far was System76. Numerous other computer companies offer Linux on their PCs. These include both big names like Dell and dedicated small Linux shops such as ZaReason, Penguin Computing, and Emperor Linux. Many first choices weren't too surprising. For example, Linux users have long stayed loyal to the Firefox web browser, and they're still big fans. Firefox beat out Google Chrome by a five-to-one margin. And, as always, the VLC media player is far more popular than any other Linux media player. For email clients, Mozilla Thunderbird remains on top. That's a bit surprising given how Thunderbird's development has been stuck in neutral for some time now. When it comes to text editors, I was pleased to see vim -- my personal favorite -- win out over its perpetual rival, Emacs. In fact, nano and Kate both came ahead of Emacs.

An anonymous reader quotes Quartz: A new alliance made up of former Silicon Valley cronies has aseembled to challenge the technological Frankenstein they've collectively created. The Center for Humane Technology is a group comprising former employees and pals of Google, Facebook, and Mozilla. The nonprofit launches today (Feb. 4) in the hopes that it can raise awareness about the societal tolls of technology, which its members believe are inherently addictive. The group will lobby for a bill to research the effects of technology on children's health... On Feb. 7, the group's members will participate in a conference focused on digital health for kids, hosted by the nonprofit Common Sense.
The group also plans an anti-tech addiction ad campaign at 55,000 schools across America, and has another $50 million in media airtime donated by partners which include Comcast and DirecTV.

The group's co-founder, a former Google design ethicist, told Quartz that tech companies "profit by drilling into our brains to pull the attention out of it, by using persuasion techniques to keep [us] hooked." And the group's web page argues that "What began as a race to monetize our attention is now eroding the pillars of our society: mental health, democracy, social relationships, and our children."

Firefox 59 will reduce how much information websites pass on about visitors in an attempt to improve privacy for users of its private browsing mode. From a report: When you click a link in your browser to navigate to a new site, the site you go on to visit receives the address of the site you came from, via the so-called "referrer value." While this helps websites understand where visitors are coming from, it can also leak data about the individual browsing, because it tells the site the exact page you were looking at when you clicked the link, said Mozilla. Browsers also send a referrer value when requesting other details like ads, or other social media snippets integrated in a modern website, which means these embedded content features also know exactly what page you're visiting.

Mozilla released on Tuesday a new version of its Firefox Quantum browser, boosting its graphics speed and improving a couple of new technologies designed to make the web more powerful. From a report: The browser, version 58, is the first major update since Mozilla's recovery plan hit full stride in November with the debut of Firefox Quantum. Speed is of the essence in Mozilla's recovery plan, and Firefox 58 does better than its predecessor in some graphics tasks by splitting work better across the multiple processor cores that computer chips have these days. The result should be scrolling that's smooth, uninterrupted by the stuttering that in computing circles goes by the disparaging term "jank." [...] Firefox 58 helps with two new web technologies. One, called WebAssembly, provides for dramatically faster web apps. Firefox 58 can get WebAssembly software running faster so you don't have to twiddle your thumbs waiting as long after clicking a link. Another is progressive web apps (PWAs), an initiative that came out of Google to help make the web a better match for the apps we all drop on our phones.

Got lossless compression? An anonymous reader quotes CNET: Google, Mozilla and others in a group called the Alliance for Open Media are working on a rival photo technology. In testing so far, the images are 15 percent smaller than Apple's HEIC photo format, said Tim Terriberry, a Mozilla principal research engineer working on the project. But smaller sizes are just the beginning... it's got a strong list of allies, an affinity for web publishing and modern features that could make it the best contender yet for overcoming JPEG's 1990s-era shortcomings... JPEG isn't just limited by needlessly large file sizes. It's also weak when it comes to supporting a wider range of bright and dark tones, a broader spectrum of colors, and graphic elements like text and logos...

The HEIC's new rival is from the Alliance for Open Media, a group whose top priority is a video compression technology called AV1 that's free of patent licensing requirements. It's got heavy hitters on board, including top browser makers Google, Microsoft, Mozilla and the most recent new member, Apple -- though Apple's plans haven't been made public. And it's got major streaming-video companies, too: Netflix, Amazon, Hulu, Facebook, videoconferencing powerhouse Intel and Google's YouTube. And with the support of chip designers Intel, Nvidia and Arm, AV1 should get the hardware acceleration that's crucial to making video easy on our laptop and phone batteries.
To use Apple's HEIC, "makers of software, processors and phones must jump through a lot of hoops to license patents," which CNET predicts "means HEIC will have trouble succeeding on the web: patent barriers are antithetical to the web's open nature."

An anonymous reader shares a report: In a groundbreaking statement earlier this week, Mozilla announced that all web-based features that will ship with Firefox in the future must be served on over a secure HTTPS connection (a "secure context"). "Effective immediately, all new features that are web-exposed are to be restricted to secure contexts," said Anne van Kesteren, a Mozilla engineer and author of several open web standards. This means that if Firefox will add support for a new standard/feature starting tomorrow, if that standard/feature carries out communications between the browser and an external server, those communications must be carried out via HTTPS or the standard/feature will not work in Firefox. The decision does not affect already existing standards/features, but Mozilla hopes all Firefox features "will be considered on a case-by-case basis," and will slowly move to secure contexts (HTTPS) exclusively in the future.

Catalin Cimpanu, reporting for BleepingComputer: Mozilla is currently testing a new feature called "Tab Warming" that engineers hope will improve the tab switching process. According to a description of the feature, Tab Warming will watch the user's mouse cursor and start "painting" content inside a tab whenever the user hovers his mouse over one. Firefox will do this on the assumption the user wants to click and switch to view that tab and will want to keep a pre-rendered tab on hand if this occurs. "Those precious milliseconds are used to do the rendering and uploading, so that when the click event finally comes, the [tab] is ready and waiting for you," said Mike Conley, one of the Firefox engineers who worked on this feature.

Catalin Cimpanu, writing for BleepingComputer: Mozilla said last week it would delete all telemetry data collected because of a bug in the Firefox crash reporter. According to Mozilla engineers, Firefox has been collecting information on crashed background tabs from users' browsers since Firefox 52, released in March 2017. Firefox versions released in that time span did not respect user-set privacy settings and automatically auto-submitted crash reports to Mozilla servers. The browser maker fixed the issue with the release of Firefox 57.0.3. Crash reports are not fully-anonymized.