Mozilla

Mozilla Restricts All New Firefox Features To HTTPS Only (bleepingcomputer.com) 243

An anonymous reader shares a report: In a groundbreaking statement earlier this week, Mozilla announced that all web-based features that will ship with Firefox in the future must be served over a secure HTTPS connection (a "secure context"). "Effective immediately, all new features that are web-exposed are to be restricted to secure contexts," said Anne van Kesteren, a Mozilla engineer and author of several open web standards. This means that if Firefox will add support for a new standard/feature starting tomorrow, if that standard/feature carries out communications between the browser and an external server, those communications must be carried out via HTTPS or the standard/feature will not work in Firefox. The decision does not affect already existing standards/features, but Mozilla hopes all Firefox features "will be considered on a case-by-case basis," and will slowly move to secure contexts (HTTPS) exclusively in the future.
Firefox

Mozilla Tests Firefox 'Tab Warming' (bleepingcomputer.com) 170

Catalin Cimpanu, reporting for BleepingComputer: Mozilla is currently testing a new feature called "Tab Warming" that engineers hope will improve the tab switching process. According to a description of the feature, Tab Warming will watch the user's mouse cursor and start "painting" content inside a tab whenever the user hovers his mouse over one. Firefox will do this on the assumption the user wants to click and switch to view that tab and will want to keep a pre-rendered tab on hand if this occurs. "Those precious milliseconds are used to do the rendering and uploading, so that when the click event finally comes, the [tab] is ready and waiting for you," said Mike Conley, one of the Firefox engineers who worked on this feature.
Firefox

Mozilla Will Delete Firefox Crash Reports Collected by Accident (bleepingcomputer.com) 38

Catalin Cimpanu, writing for BleepingComputer: Mozilla said last week it would delete all telemetry data collected because of a bug in the Firefox crash reporter. According to Mozilla engineers, Firefox has been collecting information on crashed background tabs from users' browsers since Firefox 52, released in March 2017. Firefox versions released in that time span did not respect user-set privacy settings and automatically auto-submitted crash reports to Mozilla servers. The browser maker fixed the issue with the release of Firefox 57.0.3. Crash reports are not fully-anonymized.
Mozilla

Mozilla Patches Critical Bug in Thunderbird (threatpost.com) 76

Mozilla has issued a critical security update to its popular open-source Thunderbird email client. From a report: The patch was part of a December release of five fixes that included two bugs rated high and one rated moderate and another low. Mozilla said that for Thunderbird, which also serves as a news, RSS and chat client, the latest Thunderbird 52.5.2 version released last week fixes the vulnerabilities. The most serious of the fixes is a critical buffer overflow bug (CVE-2017-7845) impacting Thunderbird running on the Windows operating system. The bug is present when "drawing and validating elements with angle library using Direct 3D 9," according to the Mozilla Foundation Security Advisory. US-Cert said it encourages users and administrators to review the patch and apply the necessary update.
Mozilla

Thunderbird Will Phase Out Legacy Add-Ons, Will Support WebExtensions (bleepingcomputer.com) 171

Catalin Cimpanu, writing for BleepingComputer: Mozilla announced last week plans to modernize Thunderbird's codebase, plans that include fixing some "technical debt" by incorporating the recent changes in the Mozilla engine into Thunderbird, adding a new user interface (UI), and phasing out old legacy add-ons that are built on the XUL and XPCOM APIs. The changes are part of Mozilla's new plan for Thunderbird development, a project that it left for dead in 2012, but later decided to reinvigorate in 2016.
Firefox

Firefox 57's Speed Secret? Delaying Requests from Tracking Domains (zdnet.com) 119

An anonymous reader quotes ZDNet: A Mozilla engineer has revealed one of the hidden techniques that Firefox 57 -- known as Quantum -- is using to improve page load times... It delays scripts from tracking domains, such as www.google-analytics.com. The technique was developed by Mozilla engineer Honza Bambas, who calls it "tailing". It works by delaying scripts from tracking domains when a page is actively loading and rendering...

Tailing only briefly prevents the tracking scripts loading, rather than disabling them entirely. Page load performance is improved by saving on network bandwidth and computing resources while loading a page, in a way that prioritizes site requests over tracking requests. "Requests are kept on hold only while there are site sub-resources still loading and only up to about 6 seconds. The delay is engaged only for scripts added dynamically or as async. Tracking images are always delayed. This is legal according to all HTML specifications and it's assumed that well built sites will not be affected regarding functionality," explains Bambas.

Mozilla

Rust Blog Touts 'What We Achieved' in 2017 (rust-lang.org) 153

An anonymous reader quotes the official Rust blog: Rust's development in 2017 fit into a single overarching theme: increasing productivity, especially for newcomers to Rust. From tooling to libraries to documentation to the core language, we wanted to make it easier to get things done with Rust. That desire led to a roadmap for the year, setting out 8 high-level objectives that would guide the work of the team. How'd we do? Really, really well.
Aaron Turon, part of the core developer team for Rust, wrote the blog post, and specifically touts this year's progress on lowering the learning curve with books and curriculum, as well as actual improvements in the language and a faster edit-compile-debug cycle. He also notes new support for Rust in IntelliJ and Atom (as well as preview versions for Visual Studio and Visual Studio Code) in 2017 -- and most importantly, mentoring. I'd like to specifically call out the leaders and mentors who have helped orchestrate our 2017 work. Leadership of this kind -- where you are working to enable others -- is hard work and not recognized enough. So let's hand it to these folks...! Technical leaders are an essential ingredient for our success, and I hope in 2018 we can continue to grow our leadership pool, and get even more done -- together.
Firefox

Firefox Is Now Available On Amazon's Fire TV, Bringing YouTube Access With It (techradar.com) 49

Mozilla has announced that its Firefox web browser is now available on all Fire TV devices. While navigating web browsers on televisions isn't the most user-friendly experience, it could be the only way users can access YouTube. Earlier this month, Google pulled YouTube off the Fire TV and Echo Show since Amazon stopped selling several Google products. TechRadar reports: Though there's no explicit 'hey, this is a convenient workaround' section in Mozilla's announcement of the news, there is a section of the blog post which states that users can "go to YouTube and other sites directly from the Firefox for Fire TV home screen" and another which promises access to videos from "YouTube and other popular sites." While the companies are currently in talks to resolve their disagreements, Google's threat to pull YouTube access from the Fire TV line on January 1, 2018, is still hanging over Amazon. This threat, however, now carries slightly less menace if Firefox browser access remains a workaround.
Security

Firefox Prepares To Mark All HTTP Sites 'Not Secure' After HTTPS Adoption Rises (bleepingcomputer.com) 244

An anonymous reader quotes a report from Bleeping Computer: The increased adoption of HTTPS among website operators will soon lead to browsers marking HTTP pages as "Not Secure" by default, and Mozilla is taking the first steps. The current Firefox Nightly Edition (version 59) includes a secret configuration option that when activated will show a visible visual indicator that the current page is not secure. In its current form, this visual indicator is a red line striking through a classic lock that's normally used to signal the presence of encrypted HTTPS pages. According to Let's Encrypt, 67% of web pages loaded by Firefox in November 2017 used HTTPS, compared to only 45% at the end of last year.
Microsoft

Do More People Use Firefox Than Edge and IE Combined? (computerworld.com) 152

A funny thing happened when Net Applications' statistics began excluding fake traffic from ad-defrauding bots. Computerworld reports: Microsoft's Edge browser is less popular with Windows 10 users than earlier thought, if revised data from a U.S. analytics vendor can be believed. According to Net Applications of Aliso Viejo, Calif., Edge has been designated the primary browser by fewer than one in six Windows 10 users for more than a year and a half. That's a significant downgrading of Edge's user share statistics from the browser's portrayal before this month...

By comparing Edge's old and new shares, it was evident that as much as half of the earlier Edge traffic had been faked by bots. The portion of Edge's share credited to bots fluctuated month to month, but fell below 30% in only 4 of the 19 months for which Net Applications provided data... Microsoft's legacy browser, Internet Explorer (IE) also was revealed as a Potemkin village. Under the old data regime, which included bots, IE's user share was overblown, at times more than double the no-bots reality. Take May 2016 as an example. With bots, Net Applications pegged IE at 33.7%; without bots, IE's user share dwindled to just 14.9%. Together, IE and Edge - in other words, Microsoft's browsers - accounted for only 16.3% of the global user share last month using Net Applications' new calculations... In fact, the combined IE and Edge now face a once unthinkable fate: falling beneath Mozilla's Firefox.

StatCounter's stats on browser usage already show more people have already been using Firefox than both of Microsoft's browsers combined -- in 12 of the last 13 months.
Mozilla

Mozilla Slipped a 'Mr. Robot'-Promo Plugin Into Firefox and Users Are Pissed (gizmodo.com) 307

MarcAuslander shares a report from Gizmodo: Mozilla sneaked a browser plugin that promotes Mr. Robot into Firefox -- and managed to piss off a bunch of its privacy-conscious users in the process. The extension, called Looking Glass, is intended to promote an augmented reality game to "further your immersion into the Mr. Robot universe," according to Mozilla. It was automatically added to Firefox users' browsers this week with no explanation except the cryptic message, "MY REALITY IS JUST DIFFERENT THAN YOURS," prompting users to worry on Reddit that they'd been hit with spyware. Without an explanation included with the extension, users were left digging around in the code for Looking Glass to find answers. Looking Glass was updated for some users today with a description that explains the connection to Mr. Robot and lets users know that the extension won't activate without explicit opt-in.

Mozilla justified its decision to include the extension because Mr. Robot promotes user privacy. "The Mr. Robot series centers around the theme of online privacy and security," the company said in an explanation of the mysterious extension. "One of the 10 guiding principles of Mozilla's mission is that individuals' security and privacy on the internet are fundamental and must not be treated as optional. The more people know about what information they are sharing online, the more they can protect their privacy."

Operating Systems

ReactOS 0.4.7 Released (reactos.org) 94

jeditobe writes: OSNews reports that the latest version of ReactOS has been released: "ReactOS 0.4.7 has been released, and it contains a ton of fixes, improvements, and new features. Judging by the screenshots, ReactOS 0.4.7 can run Opera, Firefox, and Mozilla all at once, which is good news for those among us who want to use ReactOS on a more daily basis. There's also a new application manager which, as the name implies, makes it easier to install and uninstall applications, similar to how package managers on Linux work. On a lower level, ReactOS can now deal with Ext2, Ext3, Ext4, BtrFS, ReiserFS, FFS, and NFS partitions." General notes, tests, and changelog for the release can be found at their respective links. A less technical community changelog for ReactOS 0.4.7 is also available. ISO images are ready at the ReactOS Download page.
Firefox

Yahoo Sues Mozilla For Breach of Contract -- So Mozilla Counter Sues Yahoo (betanews.com) 112

Mark Wilson writes: Mozilla and Yahoo have started a legal spat about the deal that existed between the two companies regarding the use of the Yahoo search engine in the Firefox browser. On December 1, Yahoo fired the first shot filing a complaint that alleges Mozilla breached a contract that existed between the two companies by terminating the arrangement early. In a counter complaint, Mozilla says that it was not only justified in terminating the contract early, but that Yahoo Holdings and Oath still have a bill that needs to be settled.
Security

StartCom Will Stop Issuing Certificates, Revoking Them All in 2020 (startcomca.com) 42

thegarbz writes: Startcom, a certificate authority which as we covered previously has been distrusted by Mozilla, by Google, and recently also by Microsoft, has announced that it will cease trading as a Certificate Authority. While their website currently shows no indication that their certificates have any problems, a news posting has announced their intentions to stop providing certificates as of January 2018, and to revoke all remaining certificates in 2020.
The original submission also says StartCom sent an email to all their former customers -- including customers of their free StartSSL certificates -- announcing their intentions. As you are surely aware, the browser makers distrusted StartCom around a year ago and therefore all the end entity certificates newly issued by StartCom are not trusted by default in browsers.

The browsers imposed some conditions in order for the certificates to be re-accepted. While StartCom believes that these conditions have been met, it appears there are still certain difficulties forthcoming. Considering this situation, the owners of StartCom have decided to terminate the company as a Certification Authority as mentioned in StartCom's website.

StartCom will stop issuing new certificates starting from January 1st, 2018 and will provide only CRL and OCSP services for two more years. StartCom would like to thank you for your support during this difficult time.

Firefox

How Converting A C++ Game to JavaScript Gave Us WebAssembly (ieee.org) 139

Slashdot reader Beeftopia shares "a detailed history of WebAssembly...from one of the developers." IEEE Spectrum reports that "Like a lot of stories about tech innovation, this one started with video games." [Mozilla's Alon Zakai] wanted to take a game he had helped write in C++ and convert it to JavaScript code that would run well on the Web. This was in 2010, and back then, converting C++ to JavaScript was unthinkable... so he started working to adapt an open-source tool that could translate C++ code into JavaScript automatically. He called his project Emscripten... we were able to formalize the permitted JavaScript patterns, to make the contract between Emscripten and the browser completely clear. We named the resulting subset of JavaScript asm.js... I would optimize the JavaScript engine in Firefox to run the resulting code even faster...

This brings us to the present... Emscripten can take code written in C++ and convert it directly into WebAssembly. And there will be ways in time to run other languages as well, including Rust, Lua, Python, Java, and C#. With WebAssembly, multimillion-line code bases can now load in a few seconds and then run at 80 percent of the speed of native programs. And both load time and execution speed are expected to improve as the browser engines that run the code are made better.

They'd started with a C++ game because "If we could make games run well on the Web, other computationally intensive applications would soon follow."

The article -- by Mozilla software engineer Luke Wagner -- remembers that the name Emscripten was "a mash-up of 'script' from JavaScript and 'embiggen' from the TV show The Simpsons."
Mozilla

Mozilla Releases Open Source Speech Recognition Model, Massive Voice Dataset (mozilla.org) 58

Mozilla's VP of Technology Strategy, Sean White, writes: I'm excited to announce the initial release of Mozilla's open source speech recognition model that has an accuracy approaching what humans can perceive when listening to the same recordings... There are only a few commercial quality speech recognition services available, dominated by a small number of large companies. This reduces user choice and available features for startups, researchers or even larger companies that want to speech-enable their products and services. This is why we started DeepSpeech as an open source project.

Together with a community of likeminded developers, companies and researchers, we have applied sophisticated machine learning techniques and a variety of innovations to build a speech-to-text engine that has a word error rate of just 6.5% on LibriSpeech's test-clean dataset. In our initial release today, we have included pre-built packages for Python, NodeJS and a command-line binary that developers can use right away to experiment with speech recognition.

The announcement also touts the release of nearly 400,000 recordings -- downloadable by anyone -- as the first offering from Project Common Voice, "the world's second largest publicly available voice dataset." It launched in July "to make it easy for people to donate their voices to a publicly available database, and in doing so build a voice dataset that everyone can use to train new voice-enabled applications." And while they've started with English-language recordings, "we are working hard to ensure that Common Voice will support voice donations in multiple languages beginning in the first half of 2018."

"We at Mozilla believe technology should be open and accessible to all, and that includes voice... As the web expands beyond the 2D page, into the myriad ways where we connect to the Internet through new means like VR, AR, Speech, and languages, we'll continue our mission to ensure the Internet is a global public resource, open and accessible to all."
Mozilla

Mozilla Revenue Jump Fuels Its Firefox Overhaul Plan (cnet.com) 127

Well, now we know what paid for all those programmers cranking out the overhauled Firefox Quantum browser: a major infusion of new money. From a report: Mozilla, the nonprofit behind the open-source web browser, saw its 2016 revenue increase 24 percent to an all-time high of $520 million, it said Friday. Expenses grew too, but not as much, from $361 million to $337 million, so the organization's war chest is significantly bigger now. Mozilla, which now has about 1,200 employees, releases prior-year financial results in conjunction with tax filings. Most of Mozilla's money comes from partnerships with search engines like Google, Yahoo, DuckDuckGo, Baidu and Yandex. When you search through Firefox's address bar, those search engines show search ads alongside results and share a portion of the revenue to Mozilla. Mozilla in 2014 signed a major five-year deal with Yahoo to be the default search engine in the US, but canceled it only three years in and moved back to Google instead in November. Mozilla's mission -- to keep the internet open and a place where you aren't in the thrall of tech giants -- may seem abstract. But Mozilla succeeded in breaking the lock Microsoft's Internet Explorer had on the web a decade ago, and now it's fighting the same battle again against Google's Chrome.
Firefox

Firefox Quantum Is 'Better, Faster, Smarter than Chrome', Says Wired (wired.com) 383

Wired's senior staff writer David Pierce says Firefox Quantum "feels like a bunch of power users got together and built a browser that fixed all the little things that annoyed them about other browsers." The new Firefox actually manages to evolve the entire browser experience, recognizing the multi-device, ultra-mobile lives we all lead and building a browser that plays along. It's a browser built with privacy in mind, automatically stopping invisible trackers and making your history available to you and no one else. It's better than Chrome, faster than Chrome, smarter than Chrome. It's my new go-to browser.

The speed thing is real, by the way. Mozilla did a lot of engineering work to allow its browser to take advantage of all the multi-core processing power on modern devices, and it shows... I routinely find myself with 30 or 40 tabs open while I'm researching a story, and at that point Chrome effectively drags my computer into quicksand. So far, I haven't been able to slow Firefox Quantum down at all, no matter how many tabs I use... [But] it's the little things, the things you do with and around the web pages themselves, that make Firefox really work. For instance: If you're looking at a page on your phone and want to load that same page on your laptop, you just tap "Send to Device," pick your laptop, and it opens and loads in the background as if it had always been there. You can save pages to a reading list, or to the great read-it-later service Pocket (which Mozilla owns), both with a single tap...

Mozilla has a huge library of add-ons, and if you use the Foxified extension, you can even run Chrome extensions in Firefox. Best I can tell, there's nothing you can do in Chrome that you can't in Firefox. And Firefox does them all faster.

I've noticed that when you open a new tab in Chrome's mobile version, it forces you to also see news headlines that Google picked out for you. But how about Slashdot's readers? Chrome, Firefox -- or undecided?
Firefox

Firefox Will Warn Users When Visiting Sites That Suffered a Data Breach (bleepingcomputer.com) 64

An anonymous reader writes: Mozilla engineers are working on a notifications system for Firefox that shows a security warning to users visiting sites that have suffered data breaches. The notifications system will use data provided by Have I Been Pwned?, a website that indexes public data breaches and allows users to search and see if their details have been compromised in any of these incidents. Work on this project has only recently started. The code to show these warnings is not even in the Firefox codebase but managed separately as an add-on available (on GitHub). The alert also includes an input field. In the add-on's current version this field doesn't do anything, but we presume it's there to allow users to search and see if their data was exposed during that site's security breach. Troy Hunt, Have I Been Pwned's author, has confirmed his official collaboration with Mozilla on this feature.
Firefox

Another Tor Browser Feature Makes It Into Firefox: First-Party Isolation (bleepingcomputer.com) 93

An anonymous reader writes: Unbeknown to most users, Mozilla added a privacy-enhancing feature to the Firefox browser over the summer that can help users block online advertisers from tracking them across the Internet. The feature is named First-Party Isolation (FPI) and was silently added to the Firefox browser in August, with the release of Firefox 55. FPI works by separating cookies on a per-domain basis.

This is important because most online advertisers drop a cookie on the user's computer for each site the user visits and the advertiser loads an ad. With FPI enabled, the ad tracker won't be able to see all the cookies it dropped on that user's PC, but only the cookie created for the domain the user is currently viewing. This will force the ad tracker to create a new user profile for each site the user visits and the advertiser won't be able to aggregate these cookies and the user's browsing history into one big fat profile. This feature was first implemented in the Tor Browser, a privacy-focused fork of the Firefox browser managed by the Tor Project, where it is known as Cross-Origin Identifier Unlinkability. FPI was added to Firefox as part of the Tor Uplift project, an initiative to bolster the Firefox codebase with some of the Tor Browser's unique privacy-focused features. The feature is not enabled by default. Information on how to enable it is in the linked article.
