Privacy

Thousands of Email Addresses Accidentally Disclosed By Let's Encrypt (letsencrypt.org) 81

An anonymous reader writes "Let's Encrypt, the certificate authority best known for offering free SSL/TLS certificates, has reported that it accidentally disclosed thousands of user email addresses due to a bug with an automated emailing system." Executive Director Josh Aas posted this announcement: On June 11 2016 (UTC), we started sending an email to all active subscribers who provided an email address, informing them of an update to our subscriber agreement. This was done via an automated system which contained a bug that mistakenly prepended between 0 and 7,618 other email addresses to the body of the email... The problem was noticed and the system was stopped after 7,618 out of approximately 383,000 emails (1.9%) were sent. Each email mistakenly contained the email addresses from the emails sent prior to it, so earlier emails contained fewer addresses than later ones.

We take our relationship with our users very seriously and apologize for the error... If you received one of these emails we ask that you not post lists of email addresses publicly.

Mozilla

Mozilla Will Fund Code Audits For Open Source Software (helpnetsecurity.com) 39

Reader Orome1 writes: The Mozilla Foundation has set up the Secure Open Source (SOS) Fund, whose aim is to help open source software projects get rid their code of vulnerabilities. Projects that want Mozilla's help must be open source/free software and must be actively maintained, but they have a much better probability to being chosen if their software is commonly used and is vital to the continued functioning of the Internet or the Web. Three open source projects -- PCRE, libjpeg-turbo, and phpMyAdmin -- have already gone through the process, and the result was removal of 43 vulnerabilities (including one critical).
Firefox

Firefox Finally Confirms 'Largest Change Ever' Featuring Electrolysis In v48 (zdnet.com) 187

Firefox is finally getting multi-process support. Mozilla has announced that Electrolysis (e10s) will be available to users starting Firefox 48. The foundation finds it the most significant Firefox change since the browser's inception. From a ZDNet report: With Electrolysis, Firefox can use child processes for content (tabs), media playback and legacy plug-ins. This is some way short of Google Chrome, which uses a different process for each tab. However, the result is that Chrome is a huge resource hog: Chrome uses roughly twice as much memory as Firefox on Windows and Linux. Eric Rahm has run some browser tests with Electrolysis, and says: "Overall we see a 10-20 percent increase in memory usage for the 1 content process case (which is what we plan on shipping initially). This seems like a fair trade-off for potential security and performance benefits." With 8 content processes, Rahm says: "we see roughly a doubling of memory usage on the TabsOpenSettled measurement. It's a bit worse on Windows, a bit better on OS X, but it's not 8 times worse."The aforementioned feature will be available in Firefox 48 Beta shortly.
Firefox

Firefox 47 Arrives With Synced Tabs Sidebar, Better YouTube Playback (venturebeat.com) 129

An anonymous reader quotes a report from VentureBeat: Mozilla today launched Firefox 47 for Windows, Mac, Linux, and Android. The browser has gained a sidebar for synced tabs from other devices, improvements to YouTube playback and HTML5 support, and is seeing the end of support for Android Gingerbread. [If you're logged in with your Firefox Account, the sidebar will show all your open tabs from your smartphone and other computers. The sidebar even lets you search for specific tabs. Next, Firefox 47 supports the open source VP9 video codec on machines with powerful multiprocessors. VP9 is the successor to VP8, both of which fall under Google's WebM project of freeing web codecs from royalty constraints.] Firefox 47 is available for download on Firefox.com, and will be slowly released on Google Play. You can view the full Firefox 47 changelog here. If you're a developer, Firefox 47 for developers offers more details for you.
Firefox

Firefox Tops Microsoft Browser Market Share For First Time (arstechnica.com) 141

An anonymous reader writes from a report via Ars Technica: For the first time, Firefox has pulled ahead of Microsoft's Internet Explorer and Edge browsers. Mozilla's Firefox grabbed 15.6 percent of worldwide desktop browser usage in April, according to the latest numbers from Web analytics outfit StatCounter. Google Chrome continues to dominate two thirds of the market. StatCounter, which analyzed data from three million websites, found that Firefox's worldwide desktop browser usage last month was 0.1 percent ahead of the combined share of Internet Explorer and Edge at 15.5 percent. Firefox has reportedly been losing market share over the last three months, but Microsoft's Edge and Internet Explorer browsers appear to be declining faster. Last week, Mozilla launched Test Pilot, a program for trying out experimental Firefox features. They've also been fighting the FBI in court for details about a vulnerability in the Tor Browser hack, which may affect the company since the Tor browser is partially based on the Firefox browser code.
Government

Mozilla Fights FBI In Court For Details On Tor Browser Hack (helpnetsecurity.com) 58

An anonymous reader writes from a report on Help Net Security: Mozilla has asked a Washington State District Court to compel FBI investigators to provide details about a vulnerability in the Tor Browser hack with them, before they share it with the defendant in a lawsuit, so that they could fix it before the knowledge becomes public. The lawsuit in question is against Jay Michaud, a Vancouver (Wa.) teacher that stands accused of accessing and downloading child pornography from a website on the Dark Web. The FBI used a "network investigative technique" (NIT) to discover the IP address and identity of the defendant, which was only possible from a vulnerability in the Tor Browser. Why does Mozilla care to learn about the vulnerability? "The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser," Denelle Dixon-Thayer, Chief Legal and Business Officer at Mozilla Corporation, explained.
Firefox

Mozilla Launches Test Pilot, A Firefox Add-On For Trying Experimental Features (thenextweb.com) 53

An anonymous reader writes: Mozilla today launched Test Pilot, a program for trying out experimental Firefox features. To try the new functionality Mozilla is offering for its browser, you have to download a Firefox add-on from testpilot.firefox.com and enable an experiment. The main caveat is that experiments are currently only available in English (though Mozilla promises to add more languages "later this year"). Test Pilot was first introduced for Firefox 3.5, but the new program has been revamped since then, featuring three main components: Activity Stream, Tab Center and Universal Search. Activity Stream is designed to help you navigate your browsing history faster, surfacing your top sites along with highlights from your browsing history and bookmarks. Tab Center displays open tabs vertically along the side of your screen. Mozilla says Universal Search "combines the Awesome Bar history with the Firefox Search drop down menu to give you the best recommendations so you can spend less time sifting through search results and more time enjoying the web."
Security

GCHQ Has Disclosed Over 20 Vulnerabilities This Year (vice.com) 29

Joseph Cox, reporting for Motherboard: Earlier this week, it emerged that a section of Government Communications Headquarters (GCHQ), the UK's signal intelligence agency, had disclosed a serious vulnerability in Firefox to Mozilla. Now, GCHQ has said it helped fix nearly two dozen individual vulnerabilities in the past few months, including in highly popular pieces of software like iOS. "So far in 2016 GCHQ/CESG has disclosed more than 20 vulnerabilities across a number of software products," a GCHQ spokesperson told Motherboard in an email. CESG, or the National Technical Authority for Information Assurance, is the information security wing of GCHQ. Those issues include a kernel vulnerability in OS X El Captain v10.11.4, the latest version, that would allow arbitrary code execution, and two in iOS 9.3, one of which would have done largely the same thing, and the other could have let an application launch a denial of service attack.
Microsoft

Microsoft Limits Cortana Search Box In Windows 10 To Bing and Edge Only (venturebeat.com) 361

An anonymous reader quotes a report from VentureBeat: Microsoft has announced a big change for how the Cortana search box in Windows 10 will work going forward: all searches will be powered by Bing and all links will open with the Edge browser. This is a server-side change going into effect today. Once it takes effect on your Windows 10 computer, Cortana will no longer be able to serve up results from third-party search providers, like Google or Yahoo, nor take you to a third-party browser, such as Google Chrome or Mozilla Firefox. Ryan Gavin, Microsoft's general manager of search and Cortana, said in a Windows blog post announcing the change, "Unfortunately, as Windows 10 has grown in adoption and usage, we have seen some software programs circumvent the design of Windows 10 and redirect you to search providers that were not designed to work with Cortana. The result is a compromised experience that is less reliable and predictable. The continuity of these types of task completion scenarios is disrupted if Cortana can't depend on Bing as the search provider and Microsoft Edge as the browser. The only way we can confidently deliver this personalized, end-to-end search experience is through the integration of Cortana, Microsoft Edge and Bing -- all designed to do more for you."
Mozilla

Mozilla Seeks New Home For Email Client Thunderbird 294

Reader chefmonkey writes: In a report commissioned by Mozilla to explore the next home for Thunderbird, two potential new hosts have been offered: the Software Freedom Conservancy (host to git, boost, QEMU, and a host of other projects) and The Document Foundation (home of LibreOffice). At the same time, the report discusses completely uncoupling Thunderbird from the rest of the Mozilla codebase and bringing in a dedicated technical architect to chart the software's roadmap.

Given that the two named organizations are already on board with taking Thunderbird under their wing, is this a new lease on life for the email program Mozilla put out to pasture four years ago?
In December last year, Mozilla Foundation chairperson Mitchell Baker had argued that the organization should disentangle itself from the Thunderbird email client in order to focus on Firefox. It appears the Firefox-maker is all set to part ways with Thunderbird.
Security

Turns Out That Snaps Are Not Secure In Ubuntu With X11 (softpedia.com) 133

prisoninmate quotes a report from Softpedia: According to Matthew Garrett, a renowned CoreOS security developer, and Linux kernel contributor, Canonical's new snap package format is not secure at all when it is used under X.Org Server (X Window System), which, for now, it is still the default display server of the Ubuntu 16.04 LTS (Xenial Xerus) operating system. The fact of the matter is that X11's old design is well-known for being insecure, and Matthew Garrett took the time to demonstrate this by writing a simple snap package that can steal data from any other X11 software, in this case anything you type on the Mozilla Firefox web browser. As more developers will provide snaps for their apps, Canonical needs to do something about the security of snaps in Ubuntu when using X11 or switch to the Mir display server. In the meantime, the security of snaps remains unaffected for the Ubuntu Server operating system, which is usually used without a display server. Canonical has officially released Ubuntu 16.04 LTS, which is now available to download for those interested.
Mozilla

Ubuntu 16.04 LTS Available To Download; Mozilla To Offer 0-Day Firefox Releases Via Snaps 74

Reader prisoninmate writes: The latest, and hopefully, the greatest version of Ubuntu is now available to download. On the sidelines, Mozilla today announced the availability of future releases of its popular Firefox web browser in the snap package format for Ubuntu 16.04 LTS. Earlier today, Canonical unleashed the final release of the highly anticipated Ubuntu 16.04 LTS (Xenial Xerus) operating system, bringing users a great set of new features and improvements. Also today, it looks like Canonical has renewed its partnership with Mozilla to offer Firefox as the default web browser on Ubuntu 16.04 LTS and upcoming releases of the Linux kernel-based operating systems. As part of the new partnership, Mozilla is committed to distributing future versions of Firefox as a snap package. Having Firefox distributed in the snap format means that you'll have 0-day releases in Ubuntu 16.04. Yes, just like Windows and Mac OS X, users are enjoying their 0-day releases of Mozilla Firefox and don't have to wait for package maintainers of a particular GNU/Linux distribution to update the software in the main repositories. For Mozilla, having Firefox as a snap package means that they'll be able to continually optimize it for Ubuntu.
Chrome

The Future of Firefox is Chrome (theregister.co.uk) 243

An anonymous reader writes: Mozilla seems to think a new future for Firefox [lies in Chrome]. While they claim that it is only about new ways of browser design, it is also an open secret that they are running into more and more problems lately with web compatibility. [Senior VP Mark Mayo caused a storm by revealing that the Firefox team is working on a next-generation browser that will run on the same technology as Google's Chrome browser. The project, named Tofino, will not use Firefox's core technology, Gecko, but will instead plumb for Electron, which is built on the technology behind Google's rival Chrome browser, called Chromium.] The benefit of Chromium/Electron would be that it is a solution they could pull much faster forward than their own Servo plans [Servo being Mozilla's Rust-based web engine]. What the real outcome of all this will be, only Mozilla knows so far. But inside Mozilla there is much resistance against such plans... Interesting times are ahead.
Security

Popular Firefox Add-Ons Open Millions To New Attack (slashgear.com) 54

An anonymous reader writes: Security researchers claim that NoScript and other popular Firefox add-on extensions are exposing millions of end users to a new type of vulnerability which, if exploited, can allow an attacker to execute malicious code and steal sensitive data. The vulnerability resides in the way Firefox extensions interact with each other. From a report on SlashGear, "The problem is that these extensions do not run sandboxed and are able to actually access data or functions from other extensions that are also enabled. This could mean, for example, that a malware masquerading as an add-on can access the functionality of one add-on to get access to system files or the ability of another add-on to redirect users to a certain web page, usually a phishing scam page. In the eyes of Mozilla's automated security checks, the devious add-on is blameless as it does nothing out of the ordinary." Firefox's VP of Product acknowledged the existence of the aforementioned vulnerability. "Because risks such as this one exist, we are evolving both our core product and our extensions platform to build in greater security. The new set of browser extension APIs that make up WebExtensions, which are available in Firefox today, are inherently more secure than traditional add-ons, and are not vulnerable to the particular attack outlined in the presentation at Black Hat Asia. As part of our electrolysis initiative -- our project to introduce multi-process architecture to Firefox later this year -- we will start to sandbox Firefox extensions so that they cannot share code."
Businesses

Newspapers Try To Stop Ad-blocking Browser Brave From 'Stealing Content' 112

New reader DarkLordBelial writes: The newspaper Association of America (NAA) has sent a letter to Brave Software, makers of the Brave browser, detailing how little they think of Brave's proposed solution. In the letter, NAA says Brave Software "should be viewed as illegal and deceptive by the courts." The letter suggests that replacing adverts with their own selected ads is no different to republishing the content and therefore copyright infringement. In response, Brave Software says all such assertions are false and that the NAA has misunderstood their business model. Founded by Mozilla's co-founder, Brave pays its users in bitcoin to watch ads. According to the company's plan, a website gets 55 percent of the money, whereas rest is distributed among users and Brave.
Android

Mozilla Co-Founder's Ad-blocking Brave Browser Will Pay You Bitcoin To See Ads (pcworld.com) 159

An anonymous reader writes: Brave, a new privacy and speed focused web browser for Windows, Mac, Linux, iOS, and Android, backed by Mozilla co-founder Brendan Eich, will pay its users in bitcoin to watch ads. From a PCWorld article, 'Under this plan, advertisers pay for a certain number of impressions, and Brave aggregates those payments into one sum. Websites that participate in the scheme get 55 percent of the money, weighted by how many impressions are served on their sites. For both users and publishers, Brave deposits the money into individual bitcoin wallets, and both parties must verify their identity to claim the funds. This requires an email and phone number for users, and more stringent identification steps for publishers. Users who don't verify will automatically donate their share of the funds back to the sites they visit most.' It appears Brave's strategy hinges on, among other things, collecting your browsing data to display relevant ads. The aforementioned article also says that users will have an option to block all ads by paying a monthly subscription to Brave. Not sure how many people would want to buy that.
Advertising

Microsoft Denies Edge Is Getting A Native Ad Blocker (venturebeat.com) 62

An anonymous reader quotes a report from VentureBeat: On top of the slew of news coming out of Microsoft's Build 2016 developer conference, a story broke yesterday that Microsoft was building an ad blocker into its Microsoft Edge browser. While this would be a big deal, it apparently isn't true. "We have no plans to build a native ad blocker into Microsoft Edge," a Microsoft spokesperson told VentureBeat. Microsoft was originally referencing the extension support it is building into Edge, which would allow ad blocking to work exactly like any other desktop browser. For those hoping for an Edge browser with built-in ad blocking, well, you're stuck with 'niche browsers' like Brave from Mozilla cofounder Brendan Eich and Adblock Browser.
Encryption

Apple's Lack of Bug Bounty Program May Explain Why Hackers Would Help FBI 73

On Wednesday, it was reported that FBI has contracted Cellebrite, an Israeli software provider specializing in mobile phone forensics, for $15,000 to break into the iPhone. It is believed that Cellebrite knows of a flaw in the iPhone which could allow circumvention of iOS' built-in security layers. Cellebrite could have worked with Apple on this flaw, but it chose to help FBI instead. It doesn't take rocket science to understand why Cellebrite chose to take the other route. The New York Times says that many security firms and hackers would love to work with Apple to further improve its products, but they don't because of a lack of incentive. There's little to no monetary incentive in helping the company with finding loopholes in its products. Apple -- unlike a number of Silicon Valley giants including Facebook, Microsoft, Google, Mozilla, and recently added to the list, Uber -- doesn't maintain a Bug Bounty program. Nicole Perlroth and Katie Benner report for the Times: When hackers do find flaws in Apple's code, they have little incentive to turn them over to the company for fixing. [...] Apple, which has had relatively strong security over the years, has been open about how security is a never-ending cat-and-mouse game and how it is unwilling to engage in a financial arms race to pay for code exploits. The company has yet to give hackers anything more than a gold star. When hackers do turn over serious flaws in its products, they may see their name listed on the company's website -- but that is it. That is a far cry from what hackers can expect if they sell an Apple flaw on the thriving underground market where a growing number of companies and government agencies are willing to pay hackers handsomely.
Security

Pwn2Own Day 1: Hackers Earn $280k For Hacking Chrome, Flash, Safari (securityweek.com) 39

wiredmikey writes: Pwn2Own 2016 contestants hacked Apple's Safari Web Browser, Adobe Flash Player and Google Chrome, and earned more than $280,000 on the first day of the competition taking place this week alongside the CanSecWest conference in Vancouver, Canada. This is the first edition of Pwn2Own where contestants have been invited to escape a VMware virtual machine for a bonus of $75,000, though there has not been a successful exploit yet in this class by any contestant this week. It remains to be seen if contestants manage to surpass last year's total payout, when white hat hackers earned $552,000 at Pwn2Own.
Software

Major Browsers Add Experimental Support For WebAssembly (thestack.com) 118

An anonymous reader writes: Four major web browsers have announced support for the near-native compiling technology WebAssembly, and collaborated to bring an initial common game demo of Angry Bots, running via Unity and WebAssembly, to experimental builds of Chrome, Firefox, Microsoft Edge and, shortly, Safari. WebAssembly was launched last year in a joint project between Microsoft, Mozilla, Apple and Google as a potentially more efficient route to assembly-level performance than asm.js, which is in itself a low-level subset of JavaScript.

Slashdot Top Deals