Encryption

Google Warns Webmasters About Insecure HTTP Web Forms (searchengineland.com) 87

In April Chrome began marking HTTP pages as "not secure" in its address bar if the pages had password or credit card fields. They're about to take the next step. An anonymous reader quotes SearchEngineLand: Last night, Google sent email notifications via Google Search Console to site owners that have forms on web pages over HTTP... Google said, "Beginning in October 2017, Chrome will show the 'Not secure' warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode."
Google warned in April that "Our plan to label HTTP sites as non-secure is taking place in gradual steps, based on increasingly broad criteria. Since the change in Chrome 56, there has been a 23% reduction in the fraction of navigations to HTTP pages with password or credit card forms on desktop, and we're ready to take the next steps..."

"Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the 'Not secure' warning when users type data into HTTP sites."
Google

Google Allo For Chrome Finally Arrives, But Only For Android Users (engadget.com) 88

Google Allo, the chat app that arrived on the iPhone and Android devices last year, now has a web counterpart. Head of product for Allo and video chat app Duo, Amit Fulay, tweeted: "Allo for web is here! Try it on Chrome today. Get the latest Allo build on Android before giving it a spin." Engadget reports: To give it a go, you'll need to open the Allo app on your device and use that to scan a QR code you can generate at this link. Once you've scanned the code, Allo pulls up your chat history and mirrors all the conversations you have on your phone. Most of Allo's key features, including smart replies, emoji, stickers and most importantly the Google Assistant are all intact here. In fact, this is the first time you can really get the full Google Assistant experience through the web; it's been limited to phones and Google Home thus far.
Chrome

Chrome Extension Developers Under a Barrage of Phishing Attacks (bleepingcomputer.com) 40

An anonymous reader quotes Bleeping Computer: Google's security team has sent out warnings via email to Chrome extension developers after many of them have been the targets of phishing attacks, some of which have been successful and resulted in crooks taking over extensions. These phishing attacks have come into the limelight this past week when phishers managed to compromise the developer accounts for two very popular Chrome extensions -- Copyfish and Web Developer. The phishers used access to these developer accounts to insert adware code inside the extensions and push out a malicious update that overlaid ads on top of web pages users were navigating.

According to new information obtained by Bleeping Computer, these attacks started over two months ago and had been silently going on without anyone noticing. All phishing emails contained the same lure -- someone posing as Google was informing extension developers that their add-on broke Chrome Web Store rules and needed to be updated. The extension developer was lured onto a site to view what was the problem and possibly update the extension. Before seeing the alert, the site asked extension developers to log in with their Google developer account, a natural step when accessing a secure backend.

Safari

Safari Should Display Favicons in Its Tabs (daringfireball.net) 189

Favicon -- or its lack thereof, to be precise -- has remained one of the longest running issues Safari users have complained about. For those of you who don't use Safari, just have a look at this mess I had earlier today when I was using Safari on a MacBook. There's no way I can just have a look at the tabs and make any sense of them. John Gruber, writing for DaringFireball: The gist of it is two-fold: (1) there are some people who strongly prefer to see favicons in tabs even when they don't have a ton of tabs open, simply because they prefer identifying tabs graphically rather than by the text of the page title; and (2) for people who do have a ton of tabs open, favicons are the only way to identify tabs. With many tabs open, there's really nothing subjective about it: Chrome's tabs are more usable because they show favicons. [...] Once Safari gets to a dozen or so tabs in a window, the left-most tabs are literally unidentifiable because they don't even show a single character of the tab title. They're just blank. I, as a decade-plus-long dedicated Safari user, am jealous of the usability and visual clarity of Chrome with a dozen or more tabs open. And I can see why dedicated Chrome users would consider Safari's tab design a non-starter to switching. I don't know what the argument is against showing favicons in Safari's tabs, but I can only presume that it's because some contingent within Apple thinks it would spoil the monochromatic aesthetic of Safari's toolbar area. [...] And it's highly debatable whether Safari's existing no-favicon tabs actually do look better. The feedback I've heard from Chrome users who won't even try Safari because it doesn't show favicons isn't just from developers -- it's from designers too. To me, the argument that Safari's tab bar should remain text-only is like arguing that MacOS should change its Command-Tab switcher and Dock from showing icons to showing only the names of applications. 
The Mac has been famous ever since 1984 for placing more visual significance on icons than on names. The Mac attracts visual thinkers and its design encourages visual thinking. So I think Safari's text-only tab bar isn't just wrong in general, it's particularly wrong on the Mac.
Mozilla

Firefox 55 Arrives With WebVR on Windows, Performance Panel, and Click-to-Play Flash (venturebeat.com) 129

Mozilla today made available a new update to Firefox for Windows to introduce support for WebVR, which the company says will enable desktop VR users to dive into web-based experiences with ease. Firefox 55 also includes a performance panel, faster startup when restoring multiple tabs, a quicker way to search across various search engines, and click-to-play Flash by default. From a report: WebVR is an experimental JavaScript API that provides support for virtual reality devices, such as the HTC Vive, Oculus Rift, and Google Cardboard. As its name implies, the technology is meant for browsers. If you find a web game or app that supports VR, just click the VR goggles icon visible on the web page to experience it using your VR headset. WebVR supports navigating and controlling VR experiences with handset controllers or your movements in physical space. [...] Firefox 55 also allows users to adjust the number of processes and how much resources they want to allocate to any of them. This setting is at the bottom of the General section in Options. In fact, if your computer has more than 8GB of RAM, Mozilla recommends "bumping up the number of content processes that Firefox uses" because it will make Firefox faster, though at the expense of using more memory. In its own tests on Windows 10, the company found that Firefox uses less memory than Chrome, even with eight content processes running.
Debian

OpenSSL Support In Debian Unstable Drops TLS 1.0/1.1 Support (debian.org) 76

An anonymous reader writes: Debian Linux "sid" is deprecating TLS 1.0 Encryption. A new version of OpenSSL has been uploaded to Debian Linux unstable. This version disables the TLS 1.0 and 1.1 protocols. This currently leaves TLS 1.2 as the only supported SSL/TLS protocol version. This will likely break certain things that for whatever reason still don't support TLS 1.2. I strongly suggest that if it's not supported that you add support for it, or get the other side to add support for it. OpenSSL made a release 5 years ago that supported TLS 1.2. The current support of the server side seems to be around 90%. I hope that by the time Buster releases the support for TLS 1.2 will be high enough that I don't need to enable them again. This move caused some concern among Debian users and sysadmins. If you are running Debian Unstable on a server, tons of stuff is going to be broken cryptographically. Not to mention legacy hardware and firmware that still uses TLS 1.0. On the client side (i.e. your users), you need to use the latest version of a browser such as Chrome/Chromium and Firefox. Older versions of Android (e.g. Android v5.x and earlier) do not support TLS 1.2. You need to use minimum iOS 5 for TLS 1.2 support. Same goes with SMTP/mail servers, desktop email clients, FTP clients and more. All of them using old outdated crypto.

This move will also affect Android 4.3 users or stock MS-Windows 7/IE users (which have TLS 1.2 switched off in Internet Options). Not to mention all the mail servers out there running outdated crypto.

Chrome

Browser Extensions Are Undermining Privacy (vortex.com) 82

pizzutz writes: Chrome's popular Web Developer plugin was briefly hijacked on Wednesday when an attacker gained control of the author's Google account and released a new version (0.49) which injected ads into web pages of more than a million users who downloaded the update. The version was quickly replaced with an uncompromised version (0.5) and all users are urged to update immediately.
Lauren Weinstein has a broader warning: While the browser firms work extensively to build top-notch security and privacy controls into the browsers themselves, the unfortunate fact is that these can be undermined by add-ons, some of which are downright crooked, many more of which are sloppily written and poorly maintained. Ironically, some of these add-on extensions and apps claim to be providing more security, while actually undermining the intrinsic security of the browsers themselves. Others (and this is an extremely common scenario) claim to be providing additional search or shopping functionalities, while actually only existing to silently collect and sell user browsing activity data of all sorts.
Lauren also warns about sites that "push users very hard to install these privacy-invasive, data sucking extensions" -- and believes requests for permissions aren't a sufficient safeguard for most users. "Expecting them to really understand what these permissions mean is ludicrous. We're the software engineers and computer scientists -- most users aren't either of these. They have busy lives -- they expect our stuff to just work, and not to screw them over."
Mozilla

Inside Mozilla's Fight To Make Firefox Relevant Again (cnet.com) 276

News outlet CNET has a big profile on Firefox today, for which it has spoken with several Mozilla executives. Mozilla hopes to fight back Chrome, which owns more than half of the desktop market share, with Firefox 57, a massive overhaul due November 14. From the report: "It's going to add up to be a big bang," Mozilla Chief Executive Chris Beard promises, speaking at the company's Mountain View, California, headquarters. "We're going to win back a lot of people." "Some of the stuff they're doing from a technology perspective is amazing," says Andreas Gal, who became CEO of startup Silk Labs after leaving the Mozilla chief technology officer job in 2015. "I just don't think it makes a difference." [...] You may not care which browser you use, but the popularity of Firefox has helped keep browsers competitive and build the web into a foundation for online innovations over the last decade. Are you a fan of Google Maps, Facebook, Twitter or YouTube? That's partly thanks to Firefox. Mozilla's mission is to keep the web vibrant enough for the next big innovation even as companies offer mobile apps instead of websites, dump privacy-invading ads on you or try to confine your activity to their own walled gardens. [...] To Mozilla, each tap or click on a webpage in Firefox is more than you browsing the internet. It's a statement that you'd prefer a more open future where online services can start up on their own. The alternative, as Mozilla sees it, is a future where everyone kowtows to Apple's app store, Google's search results, Facebook's news feed or Amazon's Prime video streaming. That's why Mozilla bought billboard ads saying "Browse against the machine" and "Big browser is watching you," a jab at Google. [...] Improvements within a project called Quantum are responsible for much of the difference. One part, Stylo, accelerates formatting operations. Quantum Flow squashes dozens of small slowdown bugs. Quantum Compositor speeds website display. 
And Firefox 57 also will lay the groundwork for WebRender, which uses a computing device's graphics chip to draw webpages on the screen faster. "You can do user interface and animation and interactive content that you simply can't do in any other browser," says Firefox chief Mayo, speaking from his office in Toronto -- over video chat technology Firefox helped make possible. It all adds up to a very different engine at the core of Firefox. That kind of speedup can really excite web developers -- an influential community key to Firefox's success in taking on IE back in 2004.
Chrome

Google Chrome Starts Testing a Built-in Ad Blocker on Windows, Android (mspoweruser.com) 236

An anonymous reader shares a report: Earlier this year, Google was rumored to be working on a built-in ad blocker for its Chrome browser. The new ad blocker inside Chrome won't block every ad you see on the web -- instead, it'll only block ads that are considered intrusive and go against the standards set by the Coalition for Better Ads. Google has started testing the new built-in ad blocker for Chrome today on the desktop and Android devices. The latest canary release for Google Chrome includes a new option under Chrome's Settings where you can enable the new ad blocker inside Chrome. Users can enable the new feature by going to the Content options inside Chrome's settings page (chrome://settings/content/ads). The built-in ad blocker should automatically block ads that are considered "intrusive." But Google Chrome also lets you strictly block ads on certain sites, and you can also choose to allow ads on certain sites if you'd like.
Apple

'Apple's Refusal To Support Progressive Web Apps is a Detriment To Future of the Web' (medium.com) 302

From a blog post: Progressive Web Applications (PWAs) are one of the most exciting and innovative things happening in web development right now. PWAs enable you to use JavaScript to create a "Service Worker", which gives you all sorts of great features that you'd normally associate with native apps, like push notifications, offline support, and app loading screens -- but on the web! Awesome. Except there is one major problem -- while Google has embraced the technology and added support for it in Chrome for Android, Apple has abstained from adding support to mobile Safari. All they've done is say that it is "Under Consideration." Seemingly no discussion about it whatsoever.
Ubuntu

Ask Slashdot: Ubuntu 18.04 LTS Desktop Default Application Survey 298

Dustin Kirkland, Ubuntu Product and Strategy at Canonical, writes: Howdy all- Back in March, we asked the HackerNews community, "What do you want to see in Ubuntu 17.10?": https://ubu.one/AskHN. A passionate discussion ensued, the results of which are distilled into this post: http://ubu.one/thankHN. In fact, you can check that link, http://bit.ly/thankHN and see our progress so far this cycle. We already have a beta code in 17.10 available for your testing for several of those:

- GNOME replaced Unity
- Bluetooth improvements with a new BlueZ
- Switched to libinput
- 4K/Multimonitor/HiDPI improvements
- Upgraded to Network Manager 1.8
- New Subiquity server installer
- Minimal images (36MB, 18% smaller)

And several others have excellent work in progress, and will be complete by 17.10:

- Autoremove old kernels from /boot
- EXT4 encryption with fscrypt
- Better GPU/CUDA support

In summary -- your feedback matters! There are hundreds of engineers and designers working for *you* to continue making Ubuntu amazing! Along with the switch from Unity to GNOME, we're also reviewing some of the desktop applications we package and ship in Ubuntu. We're looking to crowdsource input on your favorite Linux applications across a broad set of classic desktop functionality. We invite you to contribute by listing the applications you find most useful in Linux in order of preference.


Click through for info on how to contribute.
Chrome

Chromium To Get Support For MP3 (browsernative.com) 54

An anonymous reader shares a post: Chromium, the open source project behind Google Chrome, Opera and several other browsers, is going to support MP3. This would enable users and websites to play MP3 files in Chromium browser. A Chromium contributor informed about this, "We have approval from legal to go ahead and move MP3 into non-proprietary codecs list." The MP3 support in Chromium is targeted for version 62.
Google

Google Bolsters Security To Prevent Another Google Docs Phishing Attack (zdnet.com) 25

Google is adding a set of features to its security roster to prevent a second run of last month's massive phishing attack. From a report: The company is adding warnings and interstitial screens to warn users that an app they are about to use is unverified and could put their account data at risk. This so-called "unverified app" screen will land on all new web apps that connect to Google user accounts to prevent a malicious app from appearing legitimate. Any Google Chrome user landing on a hacked or malicious website will recognize the prompt as the red warning screen. Some existing apps will also have to go through the same verification process as new apps, Google said. Google also said it will add those warnings to its Apps Scripts, which let Google use custom macros and add-ons for its productivity apps, like Google Docs.
Chrome

Popular Chrome Extension Sold To New Dev Who Immediately Turns It Into Adware (bleepingcomputer.com) 187

An anonymous reader writes: A company is going around buying abandoned Chrome extensions from their original developers and converting these add-ons into adware. The latest case is the Particle for YouTube Chrome extension, a simple tool that allows users to change the UI and behavior of some of YouTube's standard features. Because Google was planning major changes to YouTube's UI, the extension's original author decided to retire it and create a new one. This is when a mysterious company approached the original author and offered to buy the extension from him for a price of his choosing. The original dev says he gave them a high price, but the company agreed to pay right away, but only after the dev signed a non-disclosure agreement preventing him from talking about the company or the transaction. Soon after the sale, the company issued an update that included code for injecting rogue ads on websites such as Google, Yahoo, Bing, Amazon, eBay, and Booking.com. Users also found other Chrome extensions that were also bought by the same company and had also been turned into adware, such as "Typewriter Sounds" and "Twitch Mini Player." According to some other Chrome extension devs, there are many companies willing to pay large sums of money for taking over legitimate Chrome extensions.
Bug

24 Cores and the Mouse Won't Move: Engineer Diagnoses Windows 10 Bug (wordpress.com) 352

Longtime Slashdot reader ewhac writes: Bruce Dawson recently posted a deep-dive into an annoyance that Windows 10 was inflicting on him -- namely, every time he built Chrome, his extremely beefy 24-core (48-thread) rig would begin stuttering, with the mouse frequently becoming stuck for a little over one second. This would be unsurprising if all cores were pegged at 100%, but overall CPU usage was barely hitting 50%. So he started digging out the debugging tools and doing performance traces on Windows itself. He eventually discovered that the function NtGdiCloseProcess(), responsible for Windows process exit and teardown, appears to serialize through a single lock, each pass through taking about 200 microseconds each. So if you have a job that creates and destroys a lot of processes very quickly (like building a large application such as Chrome), you're going to get hit in the face with this. Moreover, the problem gets worse the more cores you have. The issue apparently doesn't exist in Windows 7. Microsoft has been informed of the issue and they are allegedly investigating.
Google

Google Guillotine Falls on Certificate Authorities WoSign, StartCom (zdnet.com) 57

Google has warned that all certificates issued by Chinese company WoSign and subsidiary StartCom will be distrusted with the release of Chrome 61. From a report: According to a Google Groups post published by Chrome security engineer Devon O'Brien, due to "several incidents" involving the certificate authority which has "not [been] in keeping with the high standards expected of CAs," Google Chrome has already begun phasing out WoSign and StartCom by only trusting certificates issued prior to October 21, 2016. The tech giant is soon to go further and will completely distrust any certificate issued by the companies within a matter of months. The Chrome development team have restricted trust through a whitelist of hostnames which are based on the Alexa Top one million sites, and this list has been pruned down over the course of Chrome releases. Once version 61 is ready for public release, this will fully distrust any existing WoSign and StartCom root certificates and all certificates they have issued.
EU

Google May Face Another Record EU Fine, This Time Over Android (itwire.com) 192

troublemaker_23 shares a report from ITWire: The EU is contemplating another record fine against Google over how it pays and limits mobile phone providers who use the search company's Android mobile operating system and app store. Reuters reported that a decision could be expected by the end of the year if the opinion of a team of experts, set up by the EU to obtain a second opinion, agree with the decisions reached by the team that has worked on the case. The report quoted Richard Windsor, an independent financial analyst, as saying that the Android fine was likely to hurt Google more than the search fine or the verdict in a third EU probe over AdSense. "If Google was forced to unbundle Google Play from its other Digital Life services, handset makers and operators would be free to set whatever they like by default potentially triggering a decline in the usage of Google's services," he said.

In the chargesheet, issued on April 20, 2016, the European Commission said Google had breached EU anti-trust rules by:

- Requiring manufacturers to pre-install Google Search and Google's Chrome browser and requiring them to set Google Search as default search service on their devices, as a condition to license certain Google proprietary apps;
- Preventing manufacturers from selling smart mobile devices running on competing operating systems based on the Android open source code;
- Giving financial incentives to manufacturers and mobile network operators on condition that they exclusively pre-install Google Search on their devices.

Chrome

While Chrome Dominates, Microsoft Edge Struggles To Attract New Users (neowin.net) 172

An anonymous reader quotes Neowin's report on the newest browser-usage figures from NetMarketShare: Microsoft Edge only commands a market share of 5.65% -- which is an increase of only 0.02 percentage points compared to last month... it only grew by 0.56% year-over-year. On the other hand, Google Chrome has continued its dominance with a market share of 59.49%. As a point of reference, this is a sizeable growth of 10.84 percentage points year-over-year... Data from another firm, StatCounter, depicts an even more depressing situation for Microsoft. According to the report, Edge sits at 3.89%... Chrome is the king of all browsers according to these statistics as well, with a market share of 63.21% -- a decrease of 0.14 percentage points compared to last month. Firefox, Internet Explorer, and Safari command 14%, 9.28%, and 5.16% respectively.
The firm also calculates that when it comes to desktop operating systems, Windows has 91.51% of all users, followed by MacOS at 6.12 and Linux at 2.36%.
Microsoft

Google Chrome Bests Microsoft Edge, Mozilla Firefox, Opera In Independent Battery Life Tests (betanews.com) 114

An anonymous reader shares a report: YouTuber Linus Tech Tips has pitted Microsoft Edge against Google Chrome, Mozilla Firefox and Opera and discovered that it does not deliver as strong a performance as Microsoft claims. Linus Tech Tips took four Dell Inspiron laptops, with the same specs, and found that Microsoft Edge trails Chrome and Opera in battery life tests. It would seem that it still beats Firefox, after all. However, the results are much, much closer than what Microsoft's own tests indicate. On average, the difference between Chrome, which offers the best battery life, and Microsoft Edge is under 40 minutes. Opera comes closer to Microsoft Edge than Chrome in this test. Even Creators Update, which based on Microsoft's test should help Microsoft Edge obliterate the competition, didn't help make it faster than Chrome. Linus says he used the same methodology that Microsoft used in its set of battery tests earlier this year, in which it declared Edge as the winner.
Firefox

Chrome and Firefox Headless Modes May Spur New Adware & Clickfraud Tactics (bleepingcomputer.com) 80

From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.
