Mozilla Testing an Opt-Out System For Firefox Telemetry Collection

An anonymous reader writes: "Mozilla engineers are discussing plans to change the way Firefox collects usage data (telemetry), and the organization is currently preparing to test an opt-out clause so they could collect more data relevant to the browser's usage," reports Bleeping Computer. "In a Google Groups discussion that's been taking place since Monday, Mozilla engineers cite the lack of usable data the Foundation is currently receiving via its data collection program. The problem is that Firefox collects data from a very small fraction of its userbase, and this data may not be representative of the browser's real usage." Mozilla would like to fix this by flipping everyone's telemetry setting to enabled and adding an opt-out clause. Engineers also plan to embed Google's RAPPOR project [1, 2] for anonymous data collection.

64-bit Firefox is the New Default on 64-bit Windows

An anonymous reader shares a blog post: Users on 64-bit Windows who download Firefox will now get our 64-bit version by default. That means they'll install a more secure version of Firefox, one that also crashes a whole lot less. How much less? In our tests so far, 64-bit Firefox reduced crashes by 39% on machines with 4GB of RAM or more.

'See the Future Firefox Right Now'

"Mozilla is prepping a new version of Firefox in an effort to rally in the race for browser supremacy," writes CNET's Matt Elliott, who decided to test drive a new nightly build of Firefox 57 which "promises fast speeds and a new look." An anonymous reader quotes their report: Firefox 57 has added a screenshot button in the top-right corner... It highlights different elements on a page as you mouse over them, or you can just click-and-drag the old-school way to take a screenshot of a portion of a page. Screenshots are saved within Firefox. Click the scissors button and then click the little My Shots window to open a new tab of all of your saved screenshots. From here you can download them or share them... The bookmark and Pocket buttons have been moved from the right of the URL bar to inside it, but the Page Actions button is new. Click it and you'll get a small menu to Copy URL, Email Link and Send to Device. The Page Actions menu also has bookmark and Pocket buttons, which seems redundant at first but then I realized you can remove those items from the URL bar by right-clicking them. You can't remove the new, triple-dot Page Actions button...

As with any prerelease software, Firefox Nightly 57 is meant for developers and will likely exhibit strange and unstable behavior from time to time. Also, there is no guarantee that the final release will look like what you see in the current version of Nightly. For example, I have read reports that the search box next to Firefox's URL bar may be on the chopping block. It's part of the design of the current Nightly build but I wouldn't be surprised if it gets dropped between now and November since most web users have grown accustomed to entering their search queries right in the URL bar. Just as you can with the current version of Firefox, however, you can customize which elements are displayed at the top of Firefox Nightly 57, including the search box.

Debian Test-Drives Linux Distros From 1993 To 2003

An anonymous reader quotes A unique trait of open source is that it's never truly EOL (End of Life). The disc images mostly remain online, and their licenses don't expire, so going back and installing an old version of Linux in a virtual machine and getting a precise picture of what progress Linux has made over the years is relatively simple... Whether you're new to Linux, or whether you're such an old hand that most of these screenshots have been more biographical than historical, it's good to be able to look back at how one of the largest open source projects in the world has developed. More importantly, it's exciting to think of where Linux is headed and how we can all be a part of that, starting now, and for years to come.
The article looks at seven distros -- Slackware 1.01 (1993), Debian 0.91 (1994), Jurix/S.u.S.E. (1996), SUSE 5.1 (1998), Red Hat 6.0 (1999), Mandrake 8.0 (2001), and Fedora 1 (2003). Click through for some of the highlights.

Microsoft Dumps Notorious Chinese Secure Certificate Vendor

Soon, neither Internet Explorer nor Edge will recognize new security certificates from Chinese Certificate Authorities WoSign and its subsidiary StartCom. ZDNet reports: A CA is a trusted entity that issues X.509 digital certificates that verify a digital entity's identity on the internet. Certificates include its owner's public key and name, the certificate's expiration date, encryption method, and other information about the public key owner. Typically, these are used to secure websites with the https protocol, lock down internet communications with Secure Sockets Layer and Transport Layer Security (SSL/TLS), and secure virtual private networks (VPNs). A corrupted certificate is barely better than no protection at all. It can be used to easily hack websites and "private" internet communications.

Microsoft has joined [Mozilla, Google and Apple] in abandoning trust in their certificates. A Microsoft representative wrote: "Microsoft has concluded that the Chinese CAs WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed unacceptable security practices include back-dating SHA-1 certificates, mis-issuances of certificates, accidental certificate revocation, duplicate certificate serial numbers, and multiple CAB Forum Baseline Requirements (BR) [issuance and management rules for public certificates] violations." Microsoft will start "the natural deprecation of WoSign and StartCom certificates by setting a 'NotBefore' date of 26 September 2017. This means all existing certificates will continue to function until they self-expire. Windows 10 will not trust any new certificates from these CAs after September 2017."


Firefox 55 Arrives With WebVR on Windows, Performance Panel, and Click-to-Play Flash

Mozilla today made available a new update to Firefox for Windows to introduce support for WebVR, which the company says will enable desktop VR users to dive into web-based experiences with ease. Firefox 55 also includes a performance panel, faster startup when restoring multiple tabs, a quicker way to search across various search engines, and click-to-play Flash by default. From a report: WebVR is an experimental JavaScript API that provides support for virtual reality devices, such as the HTC Vive, Oculus Rift, and Google Cardboard. As its name implies, the technology is meant for browsers. If you find a web game or app that supports VR, just click the VR goggles icon visible on the web page to experience it using your VR headset. WebVR supports navigating and controlling VR experiences with handset controllers or your movements in physical space. [...] Firefox 55 also allows users to adjust the number of processes and how much resources they want to allocate to any of them. This setting is at the bottom of the General section in Options. In fact, if your computer has more than 8GB of RAM, Mozilla recommends "bumping up the number of content processes that Firefox uses" because it will make Firefox faster, though at the expense of using more memory. In its own tests on Windows 10, the company found that Firefox uses less memory than Chrome, even with eight content processes running.

Inside Mozilla's Fight To Make Firefox Relevant Again

News outlet CNET has a big profile on Firefox today, for which it has spoken with several Mozilla executives. Mozilla hopes to fight back Chrome, which owns more than half of the desktop market share, with Firefox 57, a massive overhaul due November 14. From the report: "It's going to add up to be a big bang," Mozilla Chief Executive Chris Beard promises, speaking at the company's Mountain View, California, headquarters. "We're going to win back a lot of people." "Some of the stuff they're doing from a technology perspective is amazing," says Andreas Gal, who became CEO of startup Silk Labs after leaving the Mozilla chief technology officer job in 2015. "I just don't think it makes a difference." [...] You may not care which browser you use, but the popularity of Firefox has helped keep browsers competitive and build the web into a foundation for online innovations over the last decade. Are you a fan of Google Maps, Facebook, Twitter or YouTube? That's partly thanks to Firefox. Mozilla's mission is to keep the web vibrant enough for the next big innovation even as companies offer mobile apps instead of websites, dump privacy-invading ads on you or try to confine your activity to their own walled gardens. [...] To Mozilla, each tap or click on a webpage in Firefox is more than you browsing the internet. It's a statement that you'd prefer a more open future where online services can start up on their own. The alternative, as Mozilla sees it, is a future where everyone kowtows to Apple's app store, Google's search results, Facebook's news feed or Amazon's Prime video streaming. That's why Mozilla bought billboard ads saying "Browse against the machine" and "Big browser is watching you," a jab at Google. [...] Improvements within a project called Quantum are responsible for much of the difference. One part, Stylo, accelerates formatting operations. Quantum Flow squashes dozens of small slowdown bugs. Quantum Compositor speeds website display. 
And Firefox 57 also will lay the groundwork for WebRender, which uses a computing device's graphics chip to draw webpages on the screen faster. "You can do user interface and animation and interactive content that you simply can't do in any other browser," says Firefox chief Mayo, speaking from his office in Toronto -- over video chat technology Firefox helped make possible. It all adds up to a very different engine at the core of Firefox. That kind of speedup can really excite web developers -- an influential community key to Firefox's success in taking on IE back in 2004.

Mozilla's Send is Basically the Snapchat of File Sharing

Mozilla has launched a new website that makes it really easy to send a file from one person to another. From a report: The site is called Send, and it's basically the Snapchat of file sharing: after a file has been downloaded once, it disappears for good. That might sound like a gimmick, but it underscores what the site is meant for. It's designed for quick and private sharing between two people -- not for long-term hosting or distributing files to a large group. It supports files up to 1GB, and after uploading something, it'll give you a link to send to someone else. That link will expire once they've downloaded it or once 24 hours have passed.

Mozilla Launches Experimental Voice Search, File-Sharing and Note-Taking Tools For Firefox

Firefox has just launched three new Test Pilot experiments that bring voice search, built-in note taking and a tool for sending large files to the browser. From a report: While the new voice search, which currently works on the Google, Yahoo and DuckDuckGo homepages, and note-taking features are browser plugins, the new Send tool is web-based and allows anybody -- no matter which browser they use -- to send files up to 1GB in size. It encrypts the file as it is uploaded and gives you a link you can share with your friends and co-workers. Files are automatically deleted after one download or after one day. That's not exactly the most novel concept (and Mozilla has often been criticized for diverting its attention from its core competencies), but the built-in encryption and the open-source nature of the tool do make up for that.

How Rust Can Replace C In Python Libraries

An anonymous reader quotes InfoWorld: Proponents of Rust, the language engineered by Mozilla to give developers both speed and memory safety, are stumping for the language as a long-term replacement for C and C++. But replacing software written in these languages can be a difficult, long-term project. One place where Rust could supplant C in the short term is in the traditionally C libraries used in other languages... [A] new spate of projects are making it easier to develop Rust libraries with convenient bindings to Python -- and to deploy Python packages that have Rust binaries.
The article specifically highlights these four new projects:
  • Rust-CPython - a set of bindings in Rust for the CPython runtime
  • PyO3 - a basic way to write Rust software with bindings to Python in both directions.
  • Snaek - lets developers create Rust libraries that are loaded dynamically into Python as needed, but don't rely on being linked statically against Python's runtime.
  • Cookiecutter PyPackage Rust Cross-Platform Publish - simplifies the process of bundling Rust binaries with a Python library.


Adobe Announces that in 2020, Flash Player Will Reach Its 'End-of-Life' in Light of Newer Technologies

Adobe said on Tuesday it will stop distributing and updating Flash Player at the end of 2020 and is encouraging web developers to migrate any existing Flash content to open standards. Apple is working with Adobe, industry partners, and developers to complete this transition. From a blog post: Apple users have been experiencing the web without Flash for some time. iPhone, iPad, and iPod touch never supported Flash. For the Mac, the transition from Flash began in 2010 when Flash was no longer pre-installed. Today, if users install Flash, it remains off by default. Safari requires explicit approval on each website before running the Flash plugin.

Mozilla's New Open Source Voice-Recognition Project Wants Your Voice

An anonymous reader quotes Mashable: Mozilla is building a massive repository of voice recordings for the voice apps of the future -- and it wants you to add yours to the collection. The organization behind the Firefox browser is launching Common Voice, a project to crowdsource audio samples from the public. The goal is to collect about 10,000 hours of audio in various accents and make it publicly available for everyone... Mozilla hopes to hand over the public dataset to independent developers so they can harness the crowdsourced audio to build the next generation of voice-powered apps and speech-to-text programs... You can also help train the speech-to-text capabilities by validating the recordings already submitted to the project. Just listen to a short clip, and report back if text on the screen matches what you heard... Mozilla says its aim is to expand the tech beyond just a standard voice recognition experience, including multiple accents, demographics and eventually languages for more accessible programs. Past open source voice-recognition projects have included Sphinx 4 and VoxForge, but unfortunately most of today's systems are still "locked up behind proprietary code at various companies, such as Amazon, Apple, and Microsoft."

Let's Encrypt Criticized Over Speedy HTTPS Certifications

100 million HTTPS certificates were issued in the last year by Let's Encrypt -- a free certificate authority founded by Mozilla, Cisco and the Electronic Frontier Foundation -- and they're now issuing more than 100,000 HTTPS certificates every day. Should they be performing more vetting? msm1267 shared this article from Kaspersky Lab's ThreatPost blog: [S]ome critics are sounding alarm bells and warning that Let's Encrypt might be guilty of going too far, too fast, and delivering too much of a good thing without the right checks and balances in place. The primary concern has been that while the growth of SSL/TLS encryption is a positive trend, it also offers criminals an easy way to facilitate website spoofing, server impersonation, man-in-the-middle attacks, and a way to sneak malware through company firewalls... Critics do not contend Let's Encrypt is responsible for these types of abuses. Rather, because it is the 800-pound gorilla when it comes to issuing basic domain validation certificates, critics believe Let's Encrypt could do a better job vetting applicants to weed out bad actors... "I think there should be some type of vetting process. That would make it more difficult for malicious actors to get them," said Justin Jett, director of audit and compliance at Plixer, a network traffic analytics firm...

Josh Aas, executive director of the Internet Security Research Group, the organization that oversees Let's Encrypt, points out that its role is not to police the internet, rather its mission is to make communications secure. He added that, unlike commercial certificate authorities, it keeps a searchable public database of every single domain it issues. "When people get surprised at the number of PayPal phishing sites and get worked up about it, the reason they know about it is because we allow anyone to search our records," he said. Many other certificate authorities keep their databases of issued certificates private, citing competitive reasons and that customers don't want to broadcast the names of their servers... "The reason people treat us like a punching bag is that we are big and we are transparent."

The criticism intensified after Let's Encrypt announced they'd soon offer wildcard certificates for subdomains. But the article also cites security researcher Scott Helme, who "argued if encryption is to be available to all then that includes the small percent of bad actors. 'I don't think it's for Signal, or Let's Encrypt, to decide who should have access to encryption.'"

The New Firefox and Ridiculous Numbers of Tabs

An anonymous reader shares a blog post: I've got a Firefox profile with 1691 tabs. As you would expect, Firefox handled this profile quite poorly for a long time. I got used to multi-minute startup time, waiting 15-30 seconds for tabs from external apps to show up, and all manner of non-responsive behavior. And then, quite recently, everything changed. Right now, more effort is being put into making Firefox fast than I've seen since... well, since I've been working on Firefox. And I've been at Mozilla for more than a decade. Part of this effort is a project called Quantum Flow -- a bunch of engineers making changes that directly impact Firefox responsiveness. A lot of the improvement in this particular scenario is from Kevin Jones' work on bringing the overall cost of unloaded tabs as close to zero as possible. While the major work has landed, the work continues in Bug 906076. Test scenario: I took my 1691 tab browser profile, and did a wall-clock measurement of start-up time and memory use for Firefox versions 20, 30, 40, and 50 through 56. In the results, the author found that Firefox startup time has gotten worse over time... until Firefox 51.

Mozilla Employee Denied Entry To the United States

Reader Artem Tashkinov writes: Daniel Stenberg, an employee at Mozilla and the author of the command-line tool curl, was not allowed to board his flight to the meeting from Sweden—despite the fact that he'd previously obtained a visa waiver allowing him to travel to the US. Stenberg was unable to check in for his flight, and was notified at the airport ticket counter that his entry to the US had been denied. Although Mozilla doesn't believe that the incident is related to Trump's travel ban, the incident stirred fears among international tech workers, who fear they'll miss out on work and research opportunities if they're not allowed to travel to the US. The situation even caught the eye of Microsoft's chief legal officer Brad Smith, who tweeted at Stenberg to offer legal assistance.

Google Chrome Bests Microsoft Edge, Mozilla Firefox, Opera In Independent Battery Life Tests

An anonymous reader shares a report: YouTuber Linus Tech Tips has pitted Microsoft Edge against Google Chrome, Mozilla Firefox and Opera and discovered that it does not deliver as strong a performance as Microsoft claims. Linus Tech Tips took four Dell Inspiron laptops, with the same specs, and found that Microsoft Edge trails Chrome and Opera in battery life tests. It would seem that it still beats Firefox, after all. However, the results are much, much closer than what Microsoft's own tests indicate. On average, the difference between Chrome, which offers the best battery life, and Microsoft Edge is under 40 minutes. Opera comes closer to Microsoft Edge than Chrome in this test. Even Creators Update, which based on Microsoft's test should help Microsoft Edge obliterate the competition, didn't help make it faster than Chrome. Linus says he used the same methodology that Microsoft used in its set of battery tests earlier this year, in which it declared Edge as the winner.

If You Can Decentralize the Internet, Mozilla Has $2 Million For You

Mozilla and the National Science Foundation want a new internet. And they want it to be free and accessible for everybody. From a report: They'll pay $2 million for it. On Wednesday, the two organizations issued a call to action for "big ideas that decentralize the web" as part of the "Wireless Innovation for a Networked Society" challenges. The challenges include getting the internet to communities off the grid, with proposals like a backpack with a computer and Wi-Fi router inside.

Chrome and Firefox Headless Modes May Spur New Adware & Clickfraud Tactics

From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.

Mozilla Launches Privacy-Minded 'Firefox Focus' Browser For Android

An anonymous reader quotes a report from VentureBeat: Mozilla today launched a new browser for Android. In addition to Firefox, the company now also offers Firefox Focus, a browser dedicated to user privacy that by default blocks many web trackers, including analytics, social, and advertising. You can download the new app now from Google Play. Because Google isn't as strict as Apple, Android users can set Firefox Focus as their default browser. There are many use cases for wanting to browse the web without being tracked, but Mozilla offers a common example: reading articles via apps "like Facebook." On iOS, Firefox Focus is basically just a web view with tracking protection. On Android, Firefox Focus is the same, with a few additional features (which are still "under consideration" for iOS):
  • Ad tracker counter -- Lists the number of ads that are blocked per site while using the app.
  • Disable tracker blocker -- For sites that are not loading correctly, you can disable the tracker blocker to fix the issues.
  • Notification reminder -- When Firefox Focus is running in the background, a notification will remind you so you can easily tap to erase your browsing history.


Cisco Subdomain Private Key Found in Embedded Executable

Earlier this month, a developer accidentally discovered the private key of a Cisco subdomain. An anonymous reader shares the post: Last weekend, in an attempt to get Sky's NOW TV video player (for Mac) to work on my machine, I noticed that one of the Cisco executables contains a private key that is associated with the public key in a trusted certificate for a sub domain. This certificate is used in a local WebSocket server, presumably to allow secure Sky/NOW TV origins to communicate with the video player on the users' local machines. I read the Baseline Requirements document (version 1.4.5, section, but I wasn't entirely sure whether this is considered a key compromise. I asked Hanno Bock on Twitter, and he advised me to post the matter to this mailing list. The executable containing the private key is named 'CiscoVideoGuardMonitor', and is shipped as part of the NOW TV video player. In case you are interested, the installer can be found here (SHA-256: 56feeef4c3d141562900f9f0339b120d4db07ae2777cc73a31e3b830022241e6). I would recommend to run this installer in a virtual machine, because it drops files all over the place, and installs a few launch items (agents/daemons). The executable 'CiscoVideoGuardMonitor' can be found at '$HOME/Library/Cisco/VideoGuardPlayer/VideoGuardMonitor/ VideoGuardMonitor.bundle/Contents/MacOS/CiscoVideoGuardMonitor'. Certificate details: Serial number: 66170CE2EC8B7D88B4E2EB732E738FE3A67CF672, DNS names:, Issued by: HydrantID SSL ICA G2. The issuer HydrantID has since communicated with the certificate holder Cisco, and the certificate has been revoked.

