Mozilla

Mozilla Debuts Firefox Extension that Recommends Content Based on Your Browsing Activity (venturebeat.com) 102

Mozilla on Tuesday began testing a Firefox extension that shows you its best guesses for what you want to see on the web. From a report: The Advance web extension is available for anyone from today and can analyze content on current active web pages to recommend related tidbits you may want to "read next" from other websites. It will also surface recommendations based on your recent browsing history in a "for you" section. With the extension installed, you just browse the web as you normally would and the little sidebar will show things that are relevant to what you've been looking at. The extension is powered by Laserlike, a VC-funded, machine learning-powered "interest search engine" that delivers personalized content. As such, Laserlike will receive users' browsing history -- something Mozilla wants people to understand before they install the extension. But the company has also built in some tools to boost control and data transparency.
Security

Let's Encrypt Is Now Officially Trusted by All Major Root Certificates (bleepingcomputer.com) 92

Let's Encrypt has announced that it is now directly trusted by all major root certificates including those from Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry. With this announcement, Let's Encrypt is now directly trusted by all major browsers and operating systems. From a report: While Let's Encrypt has already been trusted by almost all browsers, it was done so through intermediate certificate that were cross-signed by IdenTrust. As IdenTrust was directly trusted by all major browser vendors and operating systems, it also allowed Let's Encrypt to be trusted as well. With Let's Encrypt now being directly trusted, if there is ever a problem with IdenTrust and they themselves become untrusted, Let's Encrypt users will still be able to function properly.
Security

Security Researchers Express Concerns Over Mozilla's New DNS Resolution For Firefox (ungleich.ch) 301

With their next patch Mozilla will introduce two new features to their Firefox browser they call "DNS over HTTPs" (DoH) and Trusted Recursive Resolver (TRR). Mozilla says this is an additional feature which enables security. Researchers think otherwise. From a report: So let's get to the new Firefox feature called "Trusted Recursive Resolver" (TRR). When Mozilla turns this on by default, the DNS changes you configured in your network won't have any effect anymore. At least for browsing with Firefox, because Mozilla has partnered up with Cloudflare, and will resolve the domain names from the application itself via a DNS server from Cloudflare based in the United States. Cloudflare will then be able to read everyone's DNS requests.

From our point of view, us being security geeks, advertising this feature with slogans like "increases security" is rather misleading because in many cases the opposite is the case. While it is true that with TRR you may not expose the websites you call to a random DNS server in an untrustworthy network you don't know, it is not true that this increases security in general. It is true when you are somewhere in a network you don't know, i. e. a public WiFi network, you could automatically use the DNS server configured by the network. This could cause a security issue, because that unknown DNS server might have been compromised. In the worst case it could lead you to a phishing site pretending to be the website of your bank: as soon as you enter your personal banking information, it will be sent straight to the attackers.

But on the other hand Mozilla withholds that using their Trusted Recursive Resolver would cause a security issue in the first place for users who are indeed in a trustworthy network where they know their resolvers, or use the ISP's default one. Because sharing data or information with any third party, which is Cloudflare in this case, is a security issue itself.

The Internet

Can We Decentralize the Web? (computing.co.uk) 131

This week the Internet Archive hosted an amazing Decentralized Web Summit, which united the makers who want to build a web "that's locked open for good." [Watch the videos here.] Vint Cerf was there, as was the technical product development leader for Microsoft's own decentralized identity efforts, several companies building the so-called punk rock Internet, "along with a handful of venture capitalists looking for opportunities." One talk even included Mike Judge, the creator of HBO's Silicon Valley, which recently included the decentralized web in its ongoing storyline.

Computing highlighted remarks by Brewster Kahle, the founder of the Internet Archive, and Mitchell Baker, the chairperson of the Mozilla Foundation. The ideology of the web's early pioneers, according to Baker, was free software and open source. "Money was considered evil," she said. So when companies came in to commercialize the internet, the original architects were unprepared. "Advertising is the internet's original sin," Kahle told the packed room. "Advertising is winner-take-all, and that's how we've ended up with centralization and monopolies."

At the conference, attendees presented utopian visions of how the future of the internet could look. Civil, a new media startup, proposed crowd-supported journalism using cryptocurrency micro-payments. Mastodon, a decentralized and encrypted social network, was commonly referenced as an alternative to Twitter. As Facebook and Google continue to monopolize the digital advertising ecosystem -- recent estimates say that the two companies control over 70% of digital advertising spending globally -- the promise of a decentralized web, free from the shackles of advertiser demands is fun to imagine.

Tristan Harris, who leads the Center for Humane Technology, "just hopes the pioneers of the new internet turn around to face the potential negative externalities of their products before it's too late," arguing that "If we decentralize the systems we already have without an honest recognition of the social harms that are being created -- mental health [issues], loneliness, addiction, polarization, conspiracy theories... then we've decentralized social harms and we can't even track them." But Tim Berners-Lee "remains hopeful".

"There's massive public awareness of the effects of social networks and the unintended consequences," he told Computing. "There's a huge backlash from people wanting to control their own data"... Meanwhile, there's the rise of "companies which respect user privacy and do not do anything at all with user data" (he namechecks social network MeWe to which he acts as an advisor), open-source collaborations like the data portability project (DTP) led by tech giants, and his own project Solid which is "turning from an experiment into a platform and the start of a movement".

"These are exciting times," said Berners-Lee.

Mozilla

Mozilla Is Rebranding Firefox and Wants Your Feedback (venturebeat.com) 269

An anonymous reader writes: Mozilla is rebranding Firefox. The company is asking for feedback on the new look, which will try to cover the various Firefox offerings. For most people, Firefox refers to a browser, but the company wants the brand to encompass all the various apps and services that the Firefox family of internet products cover, "from easy screenshotting and file sharing to innovative ways to access the internet using voice and virtual reality." The fox with a flaming tail "doesn't offer enough design tools to represent this entire product family," Mozilla believes.
Mozilla

Mozilla Is Working On a Chrome-Like 'Site Isolation' Feature For Firefox (bleepingcomputer.com) 57

An anonymous reader writes: "The Mozilla Foundation, the organization behind the Firefox browser, is working on adding a new feature to its browser that is similar to the Site Isolation feature that Google rolled out to Chrome users this year," reports Bleeping Computer. "[Chrome's] Site Isolation works by opening a new browser process for any domain/site the user loads in a tab." The feature has been recently rolled out to 99% of the Chrome userbase. "But Chrome won't be the only browser with Site Isolation," adds Bleeping Computer. "Work on a similar feature also began at Mozilla headquarters back in April, in a plan dubbed Project Fission." Mozilla engineers say that before rolling out Project Fission (Site Isolation), they need to optimize Firefox's memory usage first. Work has now started on shaving off 7MB of RAM from each Firefox content process in order to bring down per-process RAM usage to around 10MB, a limit Mozilla deems sustainable for rolling out Site Isolation.
Firefox

Mozilla to Remove Support for Built-In Feed Reader From Firefox (bleepingcomputer.com) 161

An anonymous reader shares a report: Mozilla engineers are preparing to remove one of the Firefox browser's oldest features -- its built-in support for RSS and Atom feeds, and inherently, the "Live Bookmarks" feature. All Firefox users are probably well accustomed to this feature, albeit not many have ever used it. This feature powers the browser's ability to detect when users are accessing an RSS/Atom feed and then show a special page that lets them subscribe to the feed with a custom feed reader or the browser's built-in "Live Bookmarks" feature. [...] In a recent discussion on the company's bug tracker, Mozilla engineers said they plan to remove feed support sometime later this year, with the release of Firefox 63 or Firefox 64 --scheduled for October and December, respectively.
Firefox

Google Has Made YouTube Slower on Edge and Firefox, Mozilla Alleges (neowin.net) 145

Usama Jawad, writing for Neowin: Early last year, YouTube received a design refresh with Google's own Polymer library which enabled "quicker feature development" for the platform. Now, a Mozilla executive is claiming that Google has made YouTube slower on Edge and Firefox by using this framework. In a thread on Twitter, Mozilla's Technical Program Manager has stated that YouTube's Polymer redesign relies heavily on the deprecated Shadow DOM v0 API, which is only available in Chrome. This in turn makes the site around five times slower on competing browsers such as Microsoft Edge and Mozilla Firefox. Further reading: Safari Users Unable to Play Newer 4K Video On YouTube in Native Resolution.
Firefox

Firefox Blocks Autoplaying Web Audio (engadget.com) 121

Mozilla's latest Nightly builds for Firefox now include an option to mute autoplaying audio. The feature was recently added to the Chrome browser, but Mozilla's update offers a few more options. According to Engadget, "You can turn the feature off entirely, force it to ask for permission, and make exceptions for specific sites." Keep in mind that these are nightly releases, so you will most likely run into some bugs. The "polished version" is likely weeks away.
Chrome

Chrome Beats Edge and Firefox in 'Browser Benchmark Battle: July 2018' -- Sometimes (venturebeat.com) 157

An anonymous reader quotes VentureBeat: It's been more than 20 months since our last browser benchmark battle, and we really wanted to avoid letting two years elapse before getting a fresh set of a results. Google Chrome, Mozilla Firefox, and Microsoft Edge have all improved significantly over the past year and a half, and as I've argued before, the browser wars are back. You can click on the individual test to see the results:

SunSpider: Edge wins!
Octane: Chrome wins!
Kraken: Firefox wins!
JetStream: Edge wins!
MotionMark: Edge wins!
Speedometer: Chrome wins!
BaseMark: Chrome wins!
WebXPRT: Firefox wins!
HTML5Test: Chrome wins!

Chrome looks to be ahead of the pack according to these tests. That said, browser performance was solid across all three contestants, and it shouldn't be your only consideration when picking your preferred app for consuming internet content.

Chrome wins in four tests, beating Edge's three wins, and Firefox's two wins.
Media

AV1 is Well On Its Way To Becoming a Viable Alternative To Patented Video Codecs, Mozilla Says (mozilla.org) 66

Here's a surprising fact: It costs money to watch video online, even on free sites like YouTube. That's because about 4 in 5 videos on the web today rely on a patented technology called the H.264 video codec. From a report: It took years for companies to put this complex, global set of legal and business agreements in place, so H.264 web video works everywhere. Now, as the industry shifts to using more efficient video codecs, those businesses are picking and choosing which next-generation technologies they will support. The fragmentation in the market is raising concerns about whether our favorite web past-time, watching videos, will continue to be accessible and affordable to all.

Over the last decade, several companies started building viable alternatives to patented video codecs. Mozilla worked on the Daala Project, Google released VP9, and Cisco created Thor for low-complexity videoconferencing. All these efforts had the same goal: to create a next-generation video compression technology that would make sharing high-quality video over the internet faster, more reliable, and less expensive. In 2015, Mozilla, Google, Cisco, and others joined with Amazon and Netflix and hardware vendors AMD, ARM, Intel, and NVIDIA to form AOMedia. As AOMedia grew, efforts to create an open video format coalesced around a new codec: AV1. AV1 is based largely on Google's VP9 code and incorporates tools and technologies from Daala, Thor, and VP10.

Mozilla loves AV1 for two reasons: AV1 is royalty-free, so anyone can use it free of charge. Software companies can use it to build video streaming into their applications. Web developers can build their own video players for their sites. The second reason we love AV1 is that it delivers better compression technology than even high-efficiency codecs -- about 30% better, according to a Moscow State University study.

Security

BlackTech Threat Group Steals D-Link Certificates To Spread Backdoor Malware (bleepingcomputer.com) 25

Security researchers have discovered a new malicious campaign that utilizes stolen D-Link certificates to sign malware. From a report: A lesser-known cyber-espionage group known as BlackTech was caught earlier this month using a stolen D-Link certificate to sign malware deployed in a recent campaign. "The exact same certificate had been used to sign [official] D-Link software; therefore, the certificate was likely stolen," says Anton Cherepanov, a security researcher for Slovak antivirus company ESET, and the one who discovered the stolen cert. Cherepanov says BlackTech operators used the stolen cert to sign two malware payloads -- the first is the PLEAD backdoor, while the second is a nondescript password stealer. According to a 2017 Trend Micro report, the BlackTech group has used the PLEAD malware in the past. Just like in previous attacks, the group's targets for these most recent attacks were again located in East Asia, particularly in Taiwan. The password stealer isn't anything special, being capable of extracting passwords from only four apps -- Internet Explorer, Google Chrome, Mozilla Firefox, and Microsoft Outlook.
Firefox

Firefox and the 4-Year Battle To Have Google To Treat It as a First-Class Citizen (zdnet.com) 319

Web monoculture is well and truly alive when Google cannot be bothered to make a full-featured cross-browser mobile search page. From a report: It has been over five years since Firefox really turned a corner and started to morph from its bloated memory-munching ways into the lightning-quick browser it is today. Buried in Mozilla's issue tracker is a bug that kicked off in February 2014, and is yet to be resolved: Have Google treat Firefox for Android as a first-class citizen and serve up comparable content to what the search giant hands Chrome and Safari. After years of requests, meetings, and to and fro, it has hit a point where the developers of Firefox are experimenting by manipulating the user agent string in its nightly development builds to trick Google into thinking that Firefox Mobile is a Chrome browser. Not only does Google's search page degrade for Firefox on Android, but some new properties like Google Flights have occasionally taken to outright blocking of the browser.
Chrome

Firefox and Chrome Pull Popular Browser Extension Stylish From Their Stores After Report Claimed It Logs and Shares Browsing History, Credentials 68

sombragris writes: Stylish, a popular extension available for Chrome and Firefox which allows for easy customization of any website, now phones home and shares its users' browser history with its corporate parent, according to blogger Robert Heaton. This prompted Firefox to ban the extension from its addons site and prompt all users to disable it. The discussion can be seen in the relevant bug report. In Heaton's words:

Stylish is no longer a well-meaning product with your best interests at heart. If you use and like Stylish, please uninstall it and switch to an alternative like Stylus, an offshoot from the good old version of Stylish that works in much the same way, minus the spyware.

Google too has pulled the extension from its extension store. This is not the first time Stylish is at the centre of a privacy debacle

Android

Google Invests $22 Million In Feature Phone Operating System KaiOS (techcrunch.com) 28

An anonymous reader quotes a report from TechCrunch: Google is turning startup investor to further its goal of putting Google services like search, maps, and its voice assistant front and center for the next billion internet users in emerging markets. It has invested $22 million into KaiOS, the company that has built an eponymous operating system for feature phones that packs a range of native apps and other smartphone-like services. As part of the investment, KaiOS will be working on integrating Google services like search, maps, YouTube and its voice assistant into more KaiOS devices, after initially announcing Google apps for KaiOS-powered Nokia phones earlier this year.

KaiOS is a U.S.-based project that started in 2017, built on the ashes of Mozilla's failed Firefox OS experiment, as a fork of the Linux codebase. Firefox OS was intended to be the basis of a new wave of HTML-5, low-cost smartphones. And while those devices and the wider ecosystem never really took off, KaiOS has fared significantly better. KaiOS powers phones made by OEMs including Nokia (HMD), Micromax and Alcatel, and it works with carriers including Sprint and AT&T -- it counts offices in North America, Europe and Asia. But its most significant deployment to date has been with India's Reliance Jio, the challenger telco that disrupted the Indian market with affordable 4G data packages.
"This funding will help us fast-track development and global deployment of KaiOS-enabled smart feature phones, allowing us to connect the vast population that still cannot access the internet, especially in emerging markets," said KaiOS CEO Sebastien Codeville in a statement.
Firefox

Firefox 61 Arrives With Better Search, Tab Warming, and Accessibility Tools Inspector (venturebeat.com) 287

On Tuesday, Mozilla released Firefox 61, the newest version of its web browser for Windows, Mac, Linux, and Android platforms. The release builds on Firefox Quantum, which the company calls "by far the biggest update since Firefox 1.0 in 2004." VentureBeat: Version 61 brings TLS 1.3, the ability to add custom search engines to the location bar, tab warming, retained display lists, WebExtension tab management, and the Accessibility Tools Inspector. Mozilla doesn't break out the exact numbers for Firefox, though the company does say "half a billion people around the world" use the browser. In other words, it's a major platform that web developers have to consider.
Firefox

'Have I Been Pwned' Is Being Integrated Into Firefox, 1Password (troyhunt.com) 111

Troy Hunt, web security expert and creator of the website Have I Been Pwned (HIBP), wrote a blog post announcing his partnerships with Firefox and 1Password. For those unfamiliar with the site, Have I Been Pwned allows you to search across multiple data breaches to see if your email address has been compromised. The service is especially handy now that data breaches are becoming a daily occurrence. Hunt writes: Last November, there was much press about Mozilla integrating HIBP into Firefox. I was a bit surprised at the time as it was nothing more than their Breach Alerts feature which simply highlighted if the site being visited had previously been in a data breach (it draws this from the freely accessible breach API on HIBP). But the press picked up on some signals which indicated that in the long term, we had bigger plans than that and the whole thing got a heap of very positive attention. I ended up fielding a heap of media calls just on that one little feature - people loved the idea of HIBP in Firefox, even in a very simple form. As it turns out, we had much bigger plans and that's what I'm sharing here today. Over the coming weeks, Mozilla will begin trialling integration between HIBP and Firefox to make breach data searchable via a new tool called "Firefox Monitor." Here's what Hunt has to say about 1Password: As of now, you can search HIBP from directly within 1Password via the Watchtower feature in the web version of the product. This helps Watchtower become "mission control" for accounts and introduces the "Breach Report" feature. If you're a 1Password user you can use this feature right now, just head on over to the 1Password login page.
Firefox

NYT: 'Firefox Is Back. It's Time to Give It a Try.' (nytimes.com) 355

Another high-profile endorsement for Firefox -- this time from the lead consumer technology writer for The New York Times. (Alternate link here). The web has reached a new low. It has become an annoying, often toxic and occasionally unsafe place to hang out. More important, it has become an unfair trade: You give up your privacy online, and what you get in return are somewhat convenient services and hyper-targeted ads. That's why it may be time to try a different browser.

Remember Firefox...? About two years ago, six Mozilla employees were huddled around a bonfire one night in Santa Cruz, Calif., when they began discussing the state of web browsers. Eventually, they concluded there was a "crisis of confidence" in the web. "If they don't trust the web, they won't use the web," Mark Mayo, Mozilla's chief product officer, said in an interview.... After testing Firefox for the last three months, I found it to be on a par with Chrome in most categories. In the end, Firefox's thoughtful privacy features persuaded me to make the switch and make it my primary browser.

The Times cites privacy features like Firefox's "Facebook Container," which prevents Facebook from tracking you after you've left their site.

While both Chrome and Firefox have tough security (including sandboxing), Cooper Quintin, a security researcher for the Electronic Frontier Foundation, tells the Times that Google "is fundamentally an advertising company, so it's unlikely that they will ever have a business interest in making Chrome more privacy friendly."
Firefox

Firefox's Pocket Tries to Build a Facebook-Style Newsfeed That Respects Your Privacy (theverge.com) 104

An anonymous reader quotes Ars Technica: Pocket, which lets you save articles and videos you find around the web to consume later, now has a home inside Firefox as the engine powering recommendations to 50 million people a month. By analyzing the articles and videos people save into Pocket, [Pocket founder and CEO Nate] Weiner believes the company can show people the best of the web -- in a personalized way -- without building an all-knowing, Facebook-style profile of the user.

"We're testing this really cool personalization system within Firefox where it uses your browser history to target personalized [recommendations], but none of that data actually comes back to Pocket or Mozilla," Weiner said. "It all happens on the client, inside the browser itself. There is this notion today... I feel like you saw it in the Zuckerberg hearings. It was like, 'Oh, users. They will give us their data in return for a better experience.' That's the premise, right? And yes, you could do that. But we don't feel like that is the required premise. There are ways to build these things where you don't have to trade your life profile in order to actually get a good experience."

Pocket can analyze which articles and videos from around the web are being shared as well as which ones are being read and watched. Over time, that gives the company a good understanding of which links lead to high-quality content that users of either Pocket or Firefox might enjoy.

I use Firefox, but I don't use Pocket. Are there any Slashdot readers who want to share their experiences with read-it-later services, or thoughts about what Firefox is attempting?
The Internet

CSS Is Now So Overpowered It Can Deanonymize Facebook Users (bleepingcomputer.com) 92

An anonymous reader writes: Some of the recent additions to the Cascading Style Sheets (CSS) web standard are so powerful that a security researcher has abused them to deanonymize visitors to a demo site and reveal their Facebook usernames, avatars, and if they liked a particular web page of Facebook. Information leaked via this attack could aid some advertisers linking IP addresses or advertising profiles to real-life persons, posing a serious threat to a user's online privacy. The leak isn't specific to Facebook but affects all sites which allow their content to be embedded on other web pages via iframes.

The actual vulnerability resides in the browser implementation of a CSS feature named "mix-blend-mode," added in 2016 in the CSS3 web standard. Security researchers have proven that by overlaying multiple layers of 1x1px-sized DIV layers on top of iframes, each layer with a different blend mode, they could determine what's displayed inside it and recover the data, to which parent websites cannot regularly access. This attack works in Chrome and Firefox, but has been fixed in recent versions.

Slashdot Top Deals